In the past few years we have heard a lot about the rising tide of attacks and vulnerabilities against Industrial Control Systems (ICS) such as those deployed in electric grids. There has been much angst emoted about the risks the US grid and other critical systems face. While there is reason for concern, it is important to note that progress has been made as well.
In my work at the Industrial Control System Information Sharing and Analysis Center (ICS-ISAC) and elsewhere, I’ve learned the following things:
1. We cannot remediate all security vulnerabilities
2. Knowledge is power
3. Knowledge shared is exponentially powerful
4. Realtime knowledge sharing leads to systemic immune systems
1. We have looked deeply into the vulnerabilities found in control systems in the past few years. Every device researchers look at has weaknesses. The conversation has rightly enough therefore focused on the source of these vulnerabilities and the methods for addressing them.
This, however, only leads to systems which are as secure as the last known vulnerability. Since unpublished vulnerabilities are consistently used to successfully attack systems, better patch development and application will not produce reliability in the face of active cybersecurity threats.
2. Industrial Control Systems are designed to provide operators knowledge of the state of the managed industrial process. This fundamental characteristic points the way to securing these systems. Asset owners need to adopt tools and techniques which will give them knowledge of the state of the cyber portions of their processes as well.
3. When researchers, integrators, vendors, asset owners and knowledge centers share the knowledge they have, it increases in value dramatically. As the channels for communication between interested parties continue to become more efficient and multi-directional, each party is more able to perform their part in securing systems.
4. The Research and Education ISAC (REN-ISAC) has demonstrated realtime knowledge sharing among academia which is today saving many millions of dollars and actively stopping attacks in progress. The ICS-ISAC is leveraging this and related development to implement similar realtime sharing among ICS stakeholders. When a single node in a realtime knowledge sharing network can inform all others of new active threats, a distributed immune system develops.
The effort on behalf of all stakeholders in industrial cybersecurity has produced knowledge which will be used to further the goal of maintaining and improving the reliability of critical infrastructure systems for modern society. While there is no room for complacency in this effort, those concerned are well served to take note of the progress made and the direction it is leading.
Asset owners should look to the strengths they have in maintaining awareness of the state of their grid assets and apply these same processes to creating and maintaining awareness of the state of their cyber assets. As appropriate they should take part in and/or build communities which share the knowledge of this awareness with each other, allowing each to benefit from the experiences of others. And given the speed at which attacks can occur, asset owners as well as the service providers and vendors they rely on should look to make these sharing relationships realtime, thus benefiting from emergent auto-immune structures. See more information on our findings here.