Last month, ESET researchers confirmed the
discovery of a new type of sophisticated malware now known as Industroyer,
highlighting the threat posed to industrial control systems (ICS). Indeed, this is
considered to be the first malware ever designed to affect
industrial control systems directly, and is thought to be
behind the December 2016 cyberattack on Ukraine’s power grid.
Further research from
the SANS Institute, the “global leader in information security training and
certification”, confirms that security of industrial control systems is
increasingly seen and understood to be a serious issue.
Their recent paper, Securing Industrial Control
Systems—2017, is based on polling hundreds of professionals in the field of ICS
security. Its goal is to gather related information and map the attitudes of
industrial control security practitioners in regard to the security of their
systems, threats and attack vectors, and defense measures.
The research shows that, predictably, the
respondents’ highest priority is keeping their operational technology running.
Answering the question “What are your primary business concerns when it comes
to the security of your control systems?”, nearly a quarter put “Ensuring
reliability and availability of control systems” first, and over 50% of
respondents placed it among their top three priorities.
To measure the real scope of ICS security, the
question “Have your control systems been infected or infiltrated in the past 12
months?” was included in the survey. The most common response, “Not that we
know of,” was selected by 40%, while fewer than half as many respondents, 19%,
chose “No, we’re sure we haven’t been infiltrated”.
As for the overall security, the respondents
answered the same key question as in the previous years: “How serious does your
organization consider the current threats to control system cybersecurity to
be?” 69% of respondents rated the perceived level of threat as severe/critical
or high – a two percentage point increase compared to last year’s survey.
The three biggest threats cited by the respondents
were, first, devices and “things” (that cannot protect themselves) added to
networks; second, internal threats (accidental); and third, external threats
(hacktivism, nation states). Extortion, ransomware and other financially
motivated crimes came in fourth place, while external threats via a supply
chain or partnerships were far behind at number eight (out of 10 options offered
to the respondents).
As for the defense measures that the respondents
currently have in use, anti-malware technologies emerged as the most
relied-upon measure, followed by access control solutions. The top three wanted
technologies or solutions were industrial intrusion detection, control system
network security monitoring and security awareness training for staff,
contractors and vendors.
When interpreting the survey’s results, it should be
noted that the responses were collected in February-March of 2017 (as its
editors told WeLiveSecurity). This means that the respondents’ attitudes were
not influenced by the news about the discovery of Industroyer, arguably the
most important recent news story related to ICS security, which
appeared in the industry’s media in May.
“The SANS survey shows that ICS security experts
seriously worry about security,” commented Robert Lipovský, Senior Malware
Researcher at ESET. “It will be interesting to see if the discovery of
Industroyer pushes these worries to an even higher level – future reports will
show.”
Industroyer was first analyzed by ESET researchers
who discovered
its capability to disrupt industrial processes – in the case investigated,
precisely targeting a particular energy transmission infrastructure.
As a highly configurable tool, Industroyer can be
easily refitted to attack similar energy infrastructures and even re-purposed
to attack industrial control systems in other industries such as transportation
or manufacturing.
“It is a reminder to all those responsible for
critical systems around the world, many of which were designed without security
in mind. Now’s the time to take measures for securing them – and the SANS
research shows that security experts are taking this issue seriously,”
concludes Lipovský.