PRACTITIONER EXPERIENCE – BETWEEN SANS TRAINING EVENTS

With my firm ICS Defense Force, I perform industrial control system (ICS) security assessments, incident response tasks, and incident response tabletops across multiple critical infrastructure sectors as defined by the UK Government. As a Certified SANS Instructor, this experience in the field between my classes allows me to meet with security teams, engineering staff, and those leading the charge of cybersecurity risk management and defense. Including the decision makers, who are seeking technical solutions and tactical training to address their identified cybersecurity challenges for the protection of critical infrastructure.

THE 1st EVER SANS ICS SUMMIT IN LONDON

We. Are. Excited! For the 1^st time ever, SANS ICS will be hosting an ICS Summit in London. The SANS ICS UK Summit 2024 will take place on Tuesday 5th March at etc.venues Monument in London. The summit is set to deliver relevant cyber security knowledge and skills through panel discussions and presentations while bringing together the industry’s top practitioners and leading experts from across the UK region. The summit will be available to attend in-person only where you can expect to hear from and network with prominent experts and leaders in the ICS/OT industry. More information, and on how to register to reserve your spot at this inaugural event, can be found here: SANS ICS UK Summit 2024.

Below is the reason why we will be in the region speaking specifically on the protection of control systems and critical infrastructure in the there.

MODERN ATTACKS AGAINST CRITICAL INFRASTRUCTURE

Modern adversaries have illustrated brazen steps to defeat traditional security controls. They have placed the safety of people, and reliability of engineering industrial control systems, at high risk. With this, adversaries have sent a clear message to facility owners, operators, and leadership responsible for industrial control system (ICS) and operational technology (OT) environments. That is, critical infrastructure is a target. The protection and defense? Safe and resilient critical infrastructure requires dedicated ICS/OT specifically trained defenders, using purpose-built ICS/OT-aware technology, how embrace the defined differences between IT and ICS/OT.

ICS THREAT LANDSCAPE IN THE UK REGION

Recent threat landscape analysis for the UK region, and surrounding area, indicates attacks against critical infrastructure are increasing in volume and sophistication. Energy, Food, Water, and Transport, are just some of the critical national infrastructure (CNI) that adversaries, including nation-state offensive teams, continue to target in the region. The NCSC (National Cyber Security Centre), has warned of significant threat to UK's critical infrastructure in recent reports through the 2022 and 2023 Annual Reviews. These outline the importance of cyber resilience for UK critical national infrastructure, as the region has observed the emergence of a new class of cyber adversary. Adversaries who include cyber-attacks against critical infrastructure as a legitimate component of cyber and physical warfare.

In alignment to this, modern ICS/OT adversary groups have illustrated capabilities ranging from external and internal industrial control system network reconnaissance to system shutdowns and safety impacts. All of which can be mapped to Stage 1 and Stage 2 of the ICS Kill Chain. Additionally, they have up skilled their capabilities which has become more difficult to detect inside control system networks.

Many of their attack techniques, including their disruptive attack capabilities do not even need to rely on exploits or zero-day vulnerabilities. Instead, such groups leverage legitimate and already installed engineering systems, program libraries, and hardware features, but used for nefarious purposes. This dangerous attack tradecraft effectively turns the control systems against itself. This, now a common adversary attack technique called “Living off the land”, is difficult or impossible for traditional security controls to detect or respond to. Living off the land and the related countermeasures can be found in a recent ICS cyber security blog here: Living Off the Land Attacks and Countermeasures in Industrial Control Systems.

Ransomware has also been increasing, globally. IT Ransomware that makes its way into ICS networks can have impacts on traditional operating system components. However, ICS/OT purpose-built Ransomware, such as EKANS, can have more of an impact on the monitoring and controls over engineering operations.

ICS Attack Framework for ANY sector

The discovery and analysis of the ICS/OT attack framework PIPEDREAM/Incontroller provides capabilities to target engineering equipment inside ICS facilities in nearly any sector, and any region. It can impact a wide variety of vendor equipment including PLCs (programmable logic controllers), which effectively run entire plant floors. This dangerous scalable attack framework can abuse already installed legitimate industrial automation software, and legitimate ICS network protocols, including but not limited to OPC-UA, Modbus, and some proprietary protocols.

STARTLING FINDINGS IN 2023 ICS/OT SECURITY

Taken from the recent SANS 2023 ICS/OT Cybersecurity Survey data, nearly 40% of ICS/OT facilities indicate the initial attack vector of compromises to their ICS/OT come from IT networks that allow threats into the ICS network.

Additionally, from the recent SANS 2023 ICS/OT Cybersecurity Survey data, about only half of ICS facilities have an ICS/OT-specific incident response plan that is documented, tested using engineering driven tabletop exercises, and is kept up to date. 17% are unsure whether they have such a dedicated ICS incident response plan.

A COPY & PASTE OF IT SECURITY INTO ICS/OT WILL KILL SAFETY

It is imperative top facility leadership, and engineering teams know the differences between traditional IT security and industrial control system security. ICS/OT assets are often incorrectly compared to traditional IT assets. Traditional IT assets focus on data at rest or data in transit, user data and user applications. Whereas ICS/OT are engineering assets, equipment, that focus on real-time systems for physical input values and controlled output physical action that have an effect in the real-world. It is this primary difference between IT and ICS/OT that drive differing cybersecurity design, security assessment approaches, risk surface understanding, safety, strategy, support, cyber tactical defense, and industrial incident response practices.

“Standard cyber incident remediation actions deployed in IT business systems may result in ineffective and even disastrous results when applied to ICS cyber incidents, if prior thought and planning specific to operational ICS is not done.”

While in the region training at our SANS ICS events, during the breaks and networking sessions it gives everybody a wonderful opportunity to share experiences from the field. Also, insights into recent trends and practical engineering ways to address cybersecurity challenges in facilities looking to mature their ICS/OT security programs.

Tactical Training for ICS-Specific Cyber Defense

The SANS course, ICS515: ICS Visibility, Detection, and Response meets several modern ICS security challenges head-on. ICS515 teaches students how to perform tactical ICS incident response by leveraging hands-on labs. Labs include assembling and running a programmable logic controller (PLC) like you’d see on a plant floor. Students keep the PLC kit for continued learning after class is over. Students from IT, ICS, engineering, etc., will detect and defend against threats in several realistic ICS environments.

ICS Tactical Defense Take-Away Resources

Those who are technical and assigned to industrial control system cyber defense can leverage these freely available resources to help kick-start and mature their ICS dedicated cybersecurity program:

Industrial Control System Cyber Incident Response

This poster offers guidance on preparing for and performing cyber–Incident Response (IR) for Industrial Control System (ICS) environments. For the most effective industrial IR and established industrial NSM (Network Security Monitoring) program an updated ICS Asset Inventory is best. See related ICS NSM Poster to assist with this control system network security monitoring and proactive defense. Download here.

ICS Leadership Take-Away Resources

Leaders responsible for industrial control system cyber defense best build strong relationships with engineering staff, always prioritize safety, and can leverage this ICS Leadership poster if they are new to an ICS/OT leadership role.

ICS Cybersecurity Leadership

This industrial control systems (ICS) and operational technology (OT) cybersecurity leadership poster reveals the key elements to building and leading an industrial cybersecurity team. Several critical points are included in this poster for ICS security leaders, such as how to build a dedicated ICS cybersecurity team, with specific roles, tasks and job descriptions. Additional elements of this poster provide ICS/OT risk managers with possible training and development paths and how to build and maintain strong relationships with engineering teams. Furthermore, this poster guides those responsible for ICS/OT cybersecurity around The ICS Cybersecurity Leadership Cycle and offers both tactical and strategic defense moves ready to be applied to any sector to further the protection of critical infrastructure environments.

The content of this poster supports ICS418: ICS Security Essentials for Managers. Download here.

Leadership Training for ICS-Specific and Engineering Management

The SANS course, ICS418: ICS Security Essentials for Managers course empowers leaders responsible for securing ICS/OT environments. The course addresses the need for dedicated ICS security programs, the teams that run them, and the skills required to map industrial cyber risk to business objectives to prioritize safety. ICS418 will help leaders manage the people, processes, and technologies necessary to create and sustain lasting ICS cyber risk programs while promoting a culture of safety, reliability, and security, for any ICS/OT environment, across any sector or region.

CONCLUSION

Mature ICS facilities in the region realize and embrace the differences between IT and ICS/OT. They hire, train, and retrain people trained in ICS specific security who prioritize safety. Who have an engineering-driven mindset to ensure preparedness for the eventuality of responding to industrial-grade incident against their engineering and critical infrastructure operations.

On behalf of myself and the SANS ICS, we thank you for taking the time to review this crucial topic and related actionable take-aways for the further protection of critical systems in the UK region. We look forward to seeing you all at the 1^st ever SANS ICS UK Summit 2024 in London!

Be safe from industrial cyber incidents!