A chronic complaint of industrial control system (ICS) security practitioners is under-funding, and funding decisions for security programs are frequently made by business decision-makers with a limited understanding of cybersecurity and cyber risk issues. Waterfall Security Solutions has just released a new report proposing a methodology for evaluating and communicating risk to decision makers with a limited understanding of cyber-security concepts and technologies.
Communicate Examples, Not Scores
How is the risk of a cyber attack most commonly evaluated today? We generally consider the level of technical sophistication of the attackers we are concerned about, their level of industrial process knowledge, the financial and other resources available to them, the attack’s consequences, and our defenses, and we then quantify these factors into a risk score.
When expert cyber practitioners use this risk score to explain risk to a non-technical audience, such as executives or board members, the score by itself means very little to those decision-makers, which makes it very hard to convince them that cyber threats are real.
At Waterfall, we have learned that concrete and solid examples work better than risk scores when communicating with business decision-makers.
The Top 20 ICS Cyberattacks Methodology
Over the years, and after having discussed cyber sabotage risks to a wide array of professionals in different industries, we have concluded that a very good way to communicate risk is by relying on real, concrete example attacks. Reviewing these examples helps our audience, whether from a technical background or not, to better understand threats and the relative benefits of different types of security programs.
To support this approach to communicating and assessing risk, Waterfall practitioners have proposed twenty useful examples of cyber attacks on industrial control system networks. These top 20 attacks represent cyber threats to industrial sites across a wide range of circumstances, consequences and sophistication, and include both attacks that are reliably defeated by common cyber defenses as well as attacks that are not so reliably defeated. Individual practitioners can use the list as-is, or adapt it to the circumstances of specific sites, industries or enterprises.
The Top 20 attacks, sorted loosely from least to most sophisticated, are:
Raising the Bar for Design Basis Threat
Design Basis Threat (DBT) is a tool from physical security that can be used to agree on an organization’s tolerance for risk. DBT is a line drawn through a representative set of attacks. Attacks below the line are those that a site is confident of defeating reliably using an existing or proposed security posture. The set above the line represent attacks the site has no such confidence in defeating.
When communicating with business decision-makers, we begin the dialog with the simplest example attacks that the site does not defeat reliably. We describe those attacks and their consequences and ask whether this situation is acceptable. If not, we begin a discussion of where we should draw the DBT line, what security measures might be required to move the line there, and what those measures will cost.
To Defeat Reliably
An essential DBT concept is “to defeat reliably.” To defeat an attack reliably means to prevent the physical consequence of the attack essentially every time this class of attack is launched. For example, the following security measures do not reliably defeat cyber sabotage:
- Anti-virus systems (AV) do not defeat common malware reliably, because attacks are most often launched into the wild before anti-virus signatures are available for the attacks. If common malware reaches a vulnerable system between the time of launch and the time that AV signatures are applied, the control system is compromised, even though an AV system is deployed.
- Security updates do not defeat exploits of known vulnerabilities reliably because, again, it takes time for a vendor to create security updates and for end users to install them, leaving systems vulnerable in this time interval. In addition, security updates are occasionally erroneous and not effective in eliminating the vulnerabilities they were intended to address.
- Intrusion detection systems (IDS) are detective measures, not preventative. Many cybersecurity best practice documents hold up an IDS as the pinnacle of a security program, but detective measures such as an IDS do not defeat attacks reliably, especially in an industrial environment. After all, intrusion detection and incident response take time to report an attack, and responders take time to evaluate those reports, decide to respond, and in fact respond. In that time, compromised equipment is being operated either manually by a remote attacker, or automatically by autonomous malware, which may be enough to bring about the consequences we seek to prevent.
In contrast, the following are examples of attack classes paired with security measures that do reliably defeat them:
- Phishing attack for password theft – two-factor authentication based on RSA-style password dongles reliably defeats remote password phishing attempts. One could postulate an attack that physically steals the password dongle, but that would no longer be a “phishing” attack. A distant attacker only able to forge email and produce look-alike websites is not able to defeat this kind of two-factor protection system.
- Encryption key scraping software – trusted platform modules (TPMs) reliably defeat attempts to search compromised equipment’s memory and persistent storage to steal encryption keys. TPM hardware is designed such that encryption keys never leave the hardware modules or appear in the memory of the computer running the TPM. More sophisticated attacks, such as physically dismantling the hardware modules of stolen computers, might succeed in retrieving these encryption keys. Such attacks, though, are no longer the indicated attack – i.e. software searching a machine’s memory and hard drive for keys.
- Internet-controlled malware – unidirectional security gateways reliably defeat Internet-controlled malware. The gateways are physically able to send information in only one direction – from an ICS network to an IT/corporate/Internet network, with no ability to send information back. In unidirectionally-protected networks, no control signal is physically able to be sent from the Internet to malware on a compromised ICS network, no matter how many intervening networks have been compromised.
In short, determining that a given security posture defeats a particular attack reliably can be challenging. “Defeats reliably” is a high standard.
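The DBT procedure described under “Raising the Bar for Design Basis Threat” and the attack/measure pairs listed just above can be made concrete with a small model: a representative set of attacks ranked by sophistication, a security posture, and a rule for which attacks that posture defeats reliably. The code below is an added example written for this page, not part of the Waterfall report or its Top 20 list. The catalog, the sophistication ranks and the postures are constructed for illustration; only the three attack/measure pairs (phishing vs. two-factor dongles, key scraping vs. TPMs, Internet-controlled malware vs. unidirectional gateways) and the point that AV, security updates and an IDS defeat nothing reliably come from the text.

```python
"""Design Basis Threat (DBT) line as a small, runnable model.

Added example, not from the Waterfall report. The catalog below is constructed
for illustration and is NOT the report's Top 20 list.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Attack:
    """One representative attack in the DBT set."""
    name: str
    sophistication: int          # rank within the set: lower is simpler
    consequence: str
    defeated_by: FrozenSet[str]  # measures that defeat this attack class reliably


# Constructed catalog. The first three pairs follow the text; the last entry is
# a placeholder for an attack that none of the modelled measures defeats reliably.
CATALOG: List[Attack] = [
    Attack("phishing for remote-access password", 1,
           "attacker logs in to the ICS remotely", frozenset({"two-factor dongle"})),
    Attack("encryption key scraping software", 2,
           "encryption keys stolen from a compromised machine", frozenset({"TPM"})),
    Attack("Internet-controlled malware", 3,
           "remotely operated sabotage of the physical process",
           frozenset({"unidirectional gateway"})),
    Attack("physical theft and dismantling of hardware", 4,
           "keys recovered offline from stolen equipment", frozenset()),
]

# Constructed postures. AV, security updates and an IDS appear in no
# defeated_by set above, so they never move the DBT line by themselves.
DETECTIVE_ONLY: Set[str] = {"anti-virus", "security updates", "IDS"}
HARDENED: Set[str] = DETECTIVE_ONLY | {"two-factor dongle", "TPM"}


def reliably_defeated(attack: Attack, posture: Set[str]) -> bool:
    """True when the posture holds at least one measure that defeats this class reliably."""
    return bool(attack.defeated_by & posture)


def split_at_dbt_line(catalog: List[Attack], posture: Set[str]) -> Tuple[List[Attack], List[Attack]]:
    """Partition the set: attacks below the line (reliably defeated) and above it (not)."""
    ordered = sorted(catalog, key=lambda a: a.sophistication)
    below = [a for a in ordered if reliably_defeated(a, posture)]
    above = [a for a in ordered if not reliably_defeated(a, posture)]
    return below, above


def opening_example(catalog: List[Attack], posture: Set[str]) -> Optional[Attack]:
    """The simplest attack the posture does not defeat reliably: where the dialog starts."""
    _, above = split_at_dbt_line(catalog, posture)
    return above[0] if above else None


def measures_to_move_line(catalog: List[Attack], posture: Set[str], target_rank: int) -> Optional[Set[str]]:
    """Measures to add so that every attack ranked <= target_rank is reliably defeated.

    Returns None when some attack in range has no reliable defeat in the catalog,
    i.e. the line cannot be drawn that high with the measures modelled here.
    """
    needed: Set[str] = set()
    for attack in sorted(catalog, key=lambda a: a.sophistication):
        if attack.sophistication > target_rank or reliably_defeated(attack, posture | needed):
            continue
        if not attack.defeated_by:
            return None
        needed.add(min(attack.defeated_by))  # deterministic pick; cost trade-offs are out of scope
    return needed


if __name__ == "__main__":
    for label, posture in (("detective-only", DETECTIVE_ONLY), ("hardened", HARDENED)):
        first = opening_example(CATALOG, posture)
        print(f"{label}: open the dialog with '{first.name}' -> {first.consequence}")
    print("to defeat everything up to rank 3 from HARDENED, add:",
          measures_to_move_line(CATALOG, HARDENED, 3))
    print("to defeat everything up to rank 4 from HARDENED:",
          measures_to_move_line(CATALOG, HARDENED, 4))
```

Two things the model makes visible that the prose only states: a posture built entirely from detective or time-delayed measures leaves the line at the bottom of the set, so the opening example for decision-makers is the very simplest attack; and moving the line one step higher costs a specific, nameable measure, which is exactly the cost conversation the DBT dialog is meant to start.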
Looking Forward
To understand more about the Top 20 attacks, their level of sophistication and their consequences, click here to view the full whitepaper from Waterfall Security.