Ultra Intelligence & Communications

Defending ICS: How Are We Doing?

August 11th, 2016

Seven months have passed since the Department of Homeland Security issued Seven Strategies to Defend ICSs, and the time seems ripe to consider the state of control system cybersecurity.

As we in the industry well know, the past 16 years have seen nearly 2000 publicly disclosed vulnerabilities and intrusions of varying degrees of severity to the systems that drive our power and water supplies, production lines and more. The vulnerabilities most threatening to ICS are firewall-indifferent for the most part, afflicting the sensors, programmable logic controllers (PLCs) and networks that automate and monitor, for example, climate control, lighting, perimeter security and water flow.

Too many vulnerabilities still remain in place because outdated technology renders them impossible to patch. Other vulnerabilities persist for reasons that seem to be based on perceptions of low risk, or balance-sheet priorities.

Let’s take a look at some interesting measures as we consider how we approach the year’s final quarter. According to one recent study[1]:

  • More than a third of ICS vulnerabilities are zero days
  • Most disclosed vulnerabilities will continue to affect SCADA systems
  • Of more than 1500 vulnerabilities reviewed, 516 lacked an available patch or correction when the vulnerability was reported publicly.

We join our fellow specialists in ICS cybersecurity, throughout the public and private sectors, in calling for greater attention to what is wrong and what can be fixed in the near term. With the increasingly watchful eye of the media on the bad news of yet another hacked system, failure to act will be posted far and wide. Moreover, it would seem that the cost to mitigate represents a bargain compared to the costs involved after the fact. Data breaches, alone, cost an average of $3.8 million, according to Ponemon Institute[2].

At the very least, the control industry must better identify and safeguard the vulnerable products across their networks. They must also take remediation far more seriously, recognizing the ease with which these endpoints can be compromised.

[1] Report: “Overload – Critical Lessons from 15 Years of ICS Vulnerabilities | 2016 Industrial Control Systems (ICS) Vulnerability Trend Report,” FireEye iSight Intelligence, August 2016.

[2] Study: Ponemon Institute, paid for by International Business Machines Corp., 2015, reported by Reuters: http://www.reuters.com/article/us-cybersecurity-ibm-idUSKBN0OC0ZE20150527.