Industrial Control Systems (ICS) ISAC Vision for Security Information Sharing
At first, the Industrial Control System Information Security and Analysis Center (ICS-ISAC) was just a notion Chris Blask had in 2006: that ICS facilities needed situational awareness of the computerized systems at the facility level, and that better regional, national and international cybersecurity awareness could arise from that facility-level awareness.
ICS-ISAC – Real-time Information Sharing
Six years later, Stuxnet was in the news and the world knew that the infrastructures which run our water, keep the lights on and so much more are Internet-connected, exposed and vulnerable to cyber-attack. Some pundits predicted a “Digital Pearl Harbor.” Sean McGurk founded ICS CERT.
Others now shared Chris Blask’s view that the virtual elements of IT were converging with the physical systems across multiple industry sectors. Their combined complexity and interconnectedness juxtaposed with the global networks of both threats and supply chains create an imperative for security information sharing. Blask also felt that a horizontal sharing network was needed across all the vertical sector ISACs where control systems are deployed: oil and gas, electrical power, waterworks, manufacturing, any industry with a cyber/physical component. And so ICS-ISAC was founded as a virtual group in 2012 with Chris Blask as the Chair.
As if to heighten ICS importance, 2014 saw Target’s point of sale (POS) systems attacked through a third-party HVAC systems vendor with access to the stores, compromising millions of credit card numbers.
September 2014 also saw the first-ever ICS-ISAC face-to-face meeting, in Atlanta: the #SARACON conference. I had the privilege of attending and participating in a panel on cyber-insurance. ICS-ISAC, however, has been active as a virtual group for three years.
ICS Facilities Sharing Today
Chris Blask says the components for situational awareness are in place today, but most facilities are not utilizing these capabilities. However, awareness of the need for sharing (or, as I’ve also called it, community-based defense) is growing. Sharing technologies and practices are being implemented between ISACs and organizations. For example, the Financial Services ISAC (FS-ISAC) and ICS-ISAC share real-time TLP-Green data. Vendors, integrators, researchers and public sector organizations are connecting their services to sharing centers. ICS-ISAC also announced a relationship with Cyber IQ, a threat intelligence service for the community to use.
Situational awareness comes naturally to the ICS space. Industrial facilities use sensors, cameras and other monitoring devices in all areas of operation, and have processes in place to manage them. However, the historical separation of industrial operations and IT operations caused cybersecurity monitoring to lag behind in the physical plant control systems. But bringing the two together is now a no-brainer given their increasing logical and physical inter-dependence.
While some traditional IT approaches to cybersecurity (such as frequent patching) are problematic to apply to control systems, situational awareness capabilities fit well into industrial environments. Hardware, software and network traffic pattern changes occur much less frequently in operational manufacturing, power-generating and other ICS-hosting environments than in IT in general, which in some cases makes ICS facilities ideal places to use whitelisting, strict change management and monitoring, and anomaly detection. Some things have to be done differently, however: one presentation at the ICS-ISAC conference featured a cyber-physical modeling application for electrical substations designed to emulate the effects of control signals and commands on physical devices; the goal is to block malicious or destructive activity originating from computer networks.
The ICS-ISAC Vision
To people who say security information sharing is just too complicated, that it’s been tried in the past and encountered too many challenges to ever work, Blask’s rejoinder is: “Sure it’s complicated. But years ago people said internal combustion engines were too complicated; you can’t just throw a lighted match into a tank of gasoline and drive a car. And on November 11 we’re going to land on the surface of a comet with the Rosetta orbiter…this proves we can do complex things. We just have to understand the processes, business drivers, technologies, and sharing structures required.”
The ICS-ISAC vision, on the other hand, is simple.
“Getting you information you can use.”
ICS-ISAC members aren’t pressed to reveal information about their companies or stretch their comfort zones, and because of that, stringent NDAs and membership restrictions aren’t required. All the ISAC asks is that participants be interested in working on ICS security issues together. Often it will be in participants’ enlightened self-interest to share information; for example, service providers that support multiple customers in the space may share aggregated and anonymized information to demonstrate their ability to serve customers and the community.
The Case for Optimism
Chris Blask asserts you don’t need massive numbers of up-bound information feeds to dramatically improve all levels of situational awareness. In the financial industry, only 15% of financial institutions share their own information with others through the FS-ISAC, but virtually all utilize information shared with them. He said: “If only 1% of members shared information, we’d have tremendous ICS insight into threats, vulnerabilities and practices. Insight we lack today. If 10% shared up-bound data, we’d be done.”
In his view, sharing is not only desirable but inevitable. For what is the alternative? Fix all the vulnerabilities? Not possible. Vulnerabilities are a problem, but fixing all of them isn’t the answer; it can never happen. What’s needed is a better understanding of how threats, vulnerabilities and consequences interact to create risks, and of the effective practices for reducing risk.
Already, the ICS-ISAC has made significant progress. Besides the FS-ISAC and CyberIQ interconnects, ICS-ISAC and sharing in general have many other pieces falling into place:
Forces driving business alignment
- Facilities, security vendors, service providers, supply chain management, liability concerns, cyber-insurance…
Standard languages driving interoperability
- STIX (Structured Threat Information eXpression language) – an emerging standard to describe cyber threat intelligence.
- TAXII – a protocol service that allows STIX XML instances to be exchanged.
- Others including IODEF, OpenIOC, CIF, Veris, CIQ.
Tools available to facilities for real-time sharing
- Avalanche (per Blask’s blog and this Threatconnect blog entry) is an open source product created by the FS-ISAC to exchange STIX via TAXII between organizations. It combines a STIX repository and a TAXII server.
Intelligence sources and aggregators to outsource some of the analysis and gain even more visibility
- Threat intelligence services
- Managed security services
- Cloud-based reputation systems
Local state, national and global structures to extend sharing networks
- NIST Cybersecurity Framework
- Federal Sector Coordinating Committees and National Infrastructure Protection Plan
Organizations in the ICS space should consider participating in the ICS-ISAC even if they are also involved in related vertical industry sector ISACs such as automotive, electrical or oil and gas. But they should also follow the ancient adage “know thyself” to get the most value out of sharing from any source, by understanding their own:
Identity – Who are we?
- Model the business, create a risk management program
Inventory – What do we have?
- Conduct plant surveys, inventory ICSs and deploy tracking systems to maintain an up-to-date list of facilities, assets and network connections
Activity – What are our assets doing?
- Deploy software, security and change monitoring technologies to baseline normal activities and staff to observe them
Sharing – How do we communicate with others?
- Review the presentations and other information from the #SARACON conference website and other freely available sources
- Seek out sharing partners
- Participate directly in ISACs, or through service providers
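The baselining and anomaly detection described earlier (stable ICS traffic patterns make whitelisting and change monitoring practical) and the “Activity” item above, as an added example that is not from the post or from ICS-ISAC: it learns the allowed hosts and communication tuples from a quiet learning window of constructed flow records (all addresses and ports are assumed sample values), then classifies live flows that deviate from that baseline.

```python
"""Learn a communications baseline from ICS flow records and flag deviations."""
from collections import Counter

# Constructed sample flows (not from any real plant): (src, dst, dport, proto)
BASELINE_FLOWS = [
    ("10.1.1.10", "10.1.2.20", 502, "tcp"),    # HMI -> PLC, Modbus/TCP
    ("10.1.1.10", "10.1.2.21", 502, "tcp"),    # HMI -> second PLC
    ("10.1.1.11", "10.1.2.20", 502, "tcp"),    # engineering workstation -> PLC
    ("10.1.2.20", "10.1.1.12", 123, "udp"),    # PLC -> NTP server
    ("10.1.2.21", "10.1.1.12", 123, "udp"),    # PLC -> NTP server
] * 20  # same tuples observed repeatedly over the learning window

LIVE_FLOWS = [
    ("10.1.1.10", "10.1.2.20", 502, "tcp"),    # matches baseline
    ("10.1.1.11", "10.1.2.21", 502, "tcp"),    # known hosts, never talked before
    ("10.1.1.10", "10.1.2.20", 44818, "tcp"),  # known pair, new port (EtherNet/IP)
    ("10.1.3.99", "10.1.2.20", 502, "tcp"),    # host never seen in the baseline
]


def build_baseline(flows, min_count=2):
    """Whitelist hosts and (src, dst, port, proto) tuples seen at least
    min_count times; rarer tuples are treated as noise, not as normal."""
    counts = Counter(flows)
    tuples = {f for f, n in counts.items() if n >= min_count}
    hosts = {h for f in tuples for h in f[:2]}
    return {"hosts": hosts, "tuples": tuples}


def classify_flow(baseline, flow):
    """Return None for a baseline flow, else the kind of deviation."""
    src, dst, _port, _proto = flow
    if flow in baseline["tuples"]:
        return None
    if src not in baseline["hosts"] or dst not in baseline["hosts"]:
        return "unknown-host"        # a new device appeared on the network
    if any(t[0] == src and t[1] == dst for t in baseline["tuples"]):
        return "new-port"            # existing pair using a new service
    return "new-pair"                # known devices with a new relationship


def detect(baseline, flows):
    """List every (flow, reason) that departs from the baseline."""
    return [(f, r) for f in flows if (r := classify_flow(baseline, f))]


if __name__ == "__main__":
    base = build_baseline(BASELINE_FLOWS)
    for flow, reason in detect(base, LIVE_FLOWS):
        print(f"{reason:13} {flow[0]} -> {flow[1]}:{flow[2]}/{flow[3]}")
```

In a real deployment the learning window would come from a span or tap on the control network, and each flagged tuple would go to the change-management process before being added to the whitelist.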
Security information sharing is a crucial practice for planning and organizing the ongoing defense of organizations with IT assets. It is especially critical for organizations with network-connected ICSs, whose safe and secure operation cannot be left to chance. The good news is that getting value from security information sharing is not that complicated. Sometimes you only have to listen. The pieces are falling into place and the ICS-ISAC is making solid progress.