FCW : November and December 2015
The Obama Administration published an overarching policy document in 2011 that federal agencies are supposed to follow as a guideline. The President’s executive order—Improving Critical Infrastructure Cybersecurity—called the cyber threat to critical infrastructure “one of the most serious challenges we must confront.” And that challenge only continues to grow.

ADVERSE EVOLUTION

Many of the security weaknesses in current ICS environments stem from the evolution and automation of the industrial control sector over the years. There has been movement toward ensuring those environments could run for a long time without requiring much human intervention. Reliability and stability were the overarching industry standards.

That led to such things as default passwords being hard coded into Ethernet cards and other parts of the environment. This allowed for fast remote login by administrators. Also, given the stable nature of many of the systems, there was very little patching for operating systems and applications required over time.

That’s fine for a closed legacy environment, but it becomes a glaring vulnerability once COTS enters the picture and communications open to the Internet. Also, many ICS systems and control devices have been installed using factory settings, or with preset standard configurations.

Those factors make legacy ICS an easy mark for hackers and thieves. They introduce malware into the environment via COTS vulnerabilities.

“Having such things as embedded passwords just can’t be tolerated anymore, it’s only a matter of time before they are exposed,” says Prem Jadhwani, chief technology officer at Government Acquisitions, Inc. (GAI).
“We have to take this very seriously and use the same best practices that are deployed in the non-ICS world, everything from file integrity monitoring to end-to-end encryption, dynamic white listing, memory protection and so on.” The sooner these kinds of controls are adopted, he says, the better off the ICS/SCADA environments will be.

Sufficient security controls are not the only problem. COTS and Internet-related threats are a new phenomenon ICS organizations know they must tackle. However, there is major cultural resistance from workforces that haven’t faced these issues before. They push back against disruptions to the kinds of business flows they’ve been using to get their work done. Concepts such as spear phishing, zero-day attacks and APTs—now common in many non-ICS environments—are still foreign to them, and training employees to understand the problems they pose remains a challenge.

That lack of awareness is exacerbated by the fact that there is still a lack of trained manpower and skilled people within the ICS industry who understand the problems. Therefore, various tools are often thrown at the problem as point solutions in an attempt to plug security holes. They often don’t work together, and the skills needed to know how to select the right ones and make them effective don’t exist.

Many ICS/SCADA facilities in the U.S. are also run by local authorities. Faced with persistent budget constraints, many of these also don’t have the money to hire the extra personnel needed to deal with these advanced security issues.

None of this is conducive to building the kind of infrastructure—an integrated end-to-end platform, processes that allow for automated systems, all overseen by skilled and motivated employees—required for an ICS environment that can react to security threats proactively and in real time.

The origins of threats now faced by ICS environments will be familiar to non-ICS IT organizations.
They include:
• Contractors
• Corporate intelligence
• Criminals/organized crime
• Disgruntled staff
• Foreign intelligence services
• Hackers
• Internal attackers/bystanders
• Protestors and activists
• Staff undertaking unauthorized actions
• Terrorists

Potential attackers also have relatively easy ways to find ICS targets. SHODAN, for example, is a Google-like search engine designed to find Internet-connected devices. It indexes Web message header information. This easily locates devices such as routers, servers, traffic lights—and industrial control equipment. It contains a wealth of information that can be useful to potential attackers, including IP addresses, geographic location, service port header information, firmware details and so on. It’s also freely available on the Web for use by anyone.

As of January 2014, a 20-month academic research program called Project SHINE (SHodan Intelligence Extraction) identified more than 2 million ICS/SCADA devices connected to the Internet. Many of these devices are thought to be completely unprotected.

ASSESS AND EXECUTE

The first thing all ICS environments should do to improve security, says Jadhwani, is conduct a full risk assessment. The goal is to identify the level of actual risk to the organization and establish the “risk appetite.” Some may be willing to expose themselves to a higher risk if the return is justified.

Sponsored Content