Webs of Deception: Using the SANS ICS Kill Chain to Flip the Advantage to the Defender

Webs of Deception: Using the SANS ICS Kill Chain to Flip the Advantage to the Defender (PDF, 4.13MB)
Published: 14 Apr, 2025
Created by:
Oren Niskin

Defending a small Industrial Control System (ICS) against sophisticated threats can seem futile. The resource disparity between small ICS defenders and well-funded attackers poses a significant security challenge, and communities rely on small ICS organizations to provide critical services such as electricity and clean water. In many of these organizations, IT and ICS teams are managed separately and have distinct cultures, which fragments visibility across the environment. Traditional ICS defense strategies focus primarily on monitoring the ICS network itself for threats.

However, once an attacker is already inside the ICS network, the defender's opportunities to prevent an incident are limited. By looking for malicious activity across the wider attack chain, including the enterprise IT stages that precede any effect on the process, the SANS ICS Cyber Kill Chain gives the defender more opportunities to block and detect threats earlier.

Using the SANS ICS Cyber Kill Chain as the evaluation framework, this research implemented a representative ICS network to measure the effectiveness of security controls available to small ICS defenders. Complementing typical ICS security controls such as firewalls and secure remote access, the research identified three high-leverage deception tactics that are simple to implement and add high-confidence opportunities to detect threats of any sophistication, because a legitimate user has no reason to touch a decoy and any interaction with one is a strong signal. This research seeks to reinforce that "Defense is doable."