

Three Takeaways from the State of Security in Control Systems Survey

July 7, 2015

This was first posted on the SANS ICS blog here.


The State of Security in Control Systems Today was a SANS survey conducted with 314 ICS community members and was released on June 25th. The whitepaper can be found here and the webcast here. A few things stuck out from the survey that I felt it appropriate to highlight in this blog.

  1. Energy/Utilities Represent

Energy/Utilities made up the largest share of respondents, 29.3% in total. The variables behind this cannot be narrowed down, but it is likely that pressure from organizations such as NERC, the heavy focus on energy protection in U.S. national media and politics, and market interest have at least driven security awareness. We also see an energy bias in other reporting metrics, such as ICS-CERT’s quarterly reports. This is both a good thing and an area for improvement. It is great to see the energy sector get heavily involved in events such as this survey, in training conferences, and in major exercises like the electric sector’s GridEx. Personally, I’ve interacted with groups such as the ES-ISAC and been extremely impressed. Getting data from this segment of the community helps us understand the problem better so that we can all make the appropriate investments in security.

Takeaway: We really need to do more to reach the other communities. Energy tends to be a hot-topic item, but it is far from the only industry with security issues. Each portion of the ICS community, from water to pharmaceuticals, faces similar issues. In the upcoming years, hopefully reports like this SANS survey will be able to capture more of those audiences. I feel this is likely given the increased awareness I have seen in other industries even in the last few years.


  2. IT/OT Convergence Seen as 2nd Most Likely Threat

The number one vector respondents felt was the most significant threat to their ICS was external threats. This makes sense given the community’s increased understanding of external actors and the cyber security of operations. Interestingly, however, the second top threat identified was the integration of IT into control system networks. I really liked seeing this metric because I too believe it presents one of the largest threat vectors to operations. ICS-targeted nation state malware tends to get the most media attention; BlackEnergy2, Stuxnet, and Havex were all very concerning. However, on a day-to-day basis it is far more likely that a network that is not architected and maintained correctly will lead to decreased or stopped operations. The integration of OT and IT also presents a number of challenges with incidental malware that, while non-targeted, presents a significant risk, as has been documented numerous times when important systems halted due to accidental infections such as Conficker.

Takeaway: The ICS community needs to be aware of external threats and realize that they pose the most targeted threat to operations. However, it was great to see that the issues surrounding the integration of IT and OT are accurately seen as a concern. Architecting and maintaining the OT network correctly, including safe and segmented integration, structuring such as the Purdue model, and ultimately reducing the risks associated with IT/OT convergence, will go a long way for the security of the environment. The efforts required to reduce the risk of IT/OT convergence are also the same foundational efforts that help identify, respond to, and learn from external threats and threat vectors.


  3. Lack of Visibility is Far Reaching

A significant portion of the group, 48.8%, stated that they simply did not have visibility into their environment. This could mean a number of things, including IT and OT not having visibility into each other’s processes and environment, a lack of understanding of the networked environment, an inability to collect data such as network traffic or logs, and the lack of a plan to pull together all stakeholders when appropriate. Each of these has been observed and continually documented as a problem in the ICS community. What is interesting about this single metric, though, is that it impacts most of the other metrics. For example, respondents who do not have visibility into their environment will not be able to fully identify threats in it; 48.8% stated that they were not aware of any infiltration or infection of their control systems. Additionally, when a breach occurs it is difficult to respond correctly without visibility; 34% of the participants who had identified breaches stated that they had been breached multiple times in the last 12 months.

Takeaway: Nearly half of the respondents to the survey indicated that they did not have visibility into their environments. This makes it incredibly difficult to know whether they have been impacted by breaches. It also makes it difficult to scope a threat and respond appropriately. I would bet that a significant portion of those participants who indicated they were breached multiple times had links between the breaches that they were unaware of due to a lack of visibility. Re-infections that occur because a breach was not fully cleaned up are common in both the IT and OT communities. ICS community members need to ensure that they are developing plans to increase their visibility. That means including all stakeholders (in both IT and OT), ensuring that at least a sample of the environment can be taken in the form of logs and network traffic, and talking with vendors to plan better visibility into system upgrades and refreshes. For example, a mirrored (SPAN) port on a network switch is a great resource for gaining invaluable network traffic data from the OT environment, which can help identify threats and reduce the time and cost of incident response.

Follow-on: To help with the discussion of visibility into the environment, I will post two entries to the SANS ICS blog in the upcoming weeks. They will be focused on two of the beginning labs in SANS ICS515 — Active Defense and Incident Response. The first will cover Mandiant’s free incident response tool, Redline, and how to use it in an ICS to gather critical data. The second will cover using some basic features in Wireshark to sample network traffic and identify abnormalities.
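The two takeaways above fit together in practice: once a mirrored port gives you sampled OT traffic, the first useful question to ask of it is whether the flows respect the segmentation you intended. The script below is an added example written for this page, not code from the post, from SANS ICS515 or from any vendor. It assumes a capture from the SPAN port has been reduced to per-packet source, destination and TCP destination port lines (the shape `tshark -r span.pcap -T fields -E separator=, -e ip.src -e ip.dst -e tcp.dstport` produces); the subnet-to-Purdue-level map, the allow-list of permitted cross-level services and the packet lines are all hypothetical and constructed for illustration. It flags flows that jump more than one Purdue level, flows between adjacent levels on services not on the allow-list, and hosts that are not in the site address map at all.

```python
"""Segmentation check over sampled OT traffic (constructed example, not from the post)."""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical site addressing: which subnet sits at which Purdue level.
PURDUE_LEVELS = {
    ip_network("10.10.0.0/16"): 4,   # enterprise IT
    ip_network("10.20.0.0/24"): 3,   # site operations: historian, patch server
    ip_network("10.30.0.0/24"): 2,   # HMIs and engineering workstations
    ip_network("10.40.0.0/24"): 1,   # PLCs and other controllers
}

# Hypothetical allow-list of (initiator_level, responder_level, tcp_port).
# Policy: traffic crosses one level at a time, on known services, and is
# always initiated from the higher level toward the lower one.
ALLOWED = {
    (2, 1, 502),     # HMI -> PLC, Modbus/TCP
    (2, 1, 44818),   # engineering workstation -> PLC, EtherNet/IP
    (3, 2, 4840),    # historian -> OPC UA server on the HMI network
    (4, 3, 443),     # enterprise reporting -> historian web front end
}

# Constructed packet sample in tshark "fields" shape: src,dst,tcp.dstport.
# Not captured from any real plant.
SAMPLE = """\
10.30.0.15,10.40.0.7,502
10.30.0.15,10.40.0.7,502
10.30.0.16,10.40.0.7,44818
10.20.0.5,10.30.0.15,4840
10.10.5.23,10.20.0.5,443
10.10.5.23,10.40.0.7,502
10.30.0.15,10.40.0.7,445
10.40.0.7,10.10.5.23,80
192.168.99.4,10.40.0.9,502
10.30.0.15,10.30.0.16,3389
10.40.0.7,10.40.0.8,
"""


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int


def parse_packets(text):
    """Collapse per-packet lines into unique flows with packet counts."""
    counts = Counter()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        src, dst, port = line.split(",")
        if not port:
            continue  # non-TCP packet: tshark leaves tcp.dstport empty
        counts[Flow(src, dst, int(port))] += 1
    return counts


def level_of(addr):
    """Purdue level of a host from the site address map, or None if unmapped."""
    ip = ip_address(addr)
    for net, level in PURDUE_LEVELS.items():
        if ip in net:
            return level
    return None


def check_flow(flow):
    """Return a reason string if the flow violates the policy, else None."""
    src_level, dst_level = level_of(flow.src), level_of(flow.dst)
    if src_level is None or dst_level is None:
        return "host not in the site address map"
    if src_level == dst_level:
        return None  # intra-level traffic is outside this check's scope
    if abs(src_level - dst_level) > 1:
        return f"crosses Purdue levels {src_level}->{dst_level} directly"
    if (src_level, dst_level, flow.dst_port) not in ALLOWED:
        return (f"tcp/{flow.dst_port} from level {src_level} to "
                f"{dst_level} is not on the allow-list")
    return None


def find_violations(text):
    """Map each offending flow to (packet count, reason)."""
    findings = {}
    for flow, count in parse_packets(text).items():
        reason = check_flow(flow)
        if reason:
            findings[flow] = (count, reason)
    return findings


if __name__ == "__main__":
    for flow, (count, reason) in find_violations(SAMPLE).items():
        print(f"{flow.src} -> {flow.dst}:{flow.dst_port} ({count} pkts): {reason}")
```

On the constructed sample this reports four flows: an enterprise host polling a PLC over Modbus (level 4 straight to level 1), SMB from an HMI to a PLC (adjacent levels, service not on the allow-list), a PLC initiating HTTP to the enterprise network, and a source address that is in no mapped subnet. The two normal HMI-to-PLC conversations and the RDP session between two HMIs are not reported; intra-level lateral movement needs a separate baseline of expected talkers, which this check deliberately does not attempt.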

Final Thoughts

I was very impressed with the participants of the SANS survey. Their inputs help give a better understanding of the community and its challenges. While the takeaways above focus on areas for improvement, it is easy to look at the past few years and realize that security is improving overall. Security awareness, trained security professionals, and community openness are all increasing. We have a long way to go in the community, but we are getting better. However, there are many actions that can and should be taken today to drastically help security. First, we must be more open with data and willing to participate in spot checks, like surveys, on the community. Secondly, wherever there is a lack of a plan forward, such as IT/OT convergence strategies, the appropriate stakeholders need to meet and discuss with the intent to act. Thirdly, incidents are happening whether or not the community is ready for them. Appropriate visibility into the environments we rely on, incident response plans, and identified personnel to involve are all requirements. We can move the bar forward together.

Barriers to Sharing Cyber Threat Information Within the Critical Infrastructure Community

June 28, 2015

This was first posted on the Council of Foreign Relations’ blog Net Politics here.


The sharing of cyber threat data has garnered national level attention, and improved information sharing has been the objective of several pieces of legislation and two executive orders. Threat sharing is an important tool that might help tilt the field away from adversaries who currently take advantage of the fact that an attack on one organization can be effective against thousands of other organizations over extended periods of time. In the absence of information sharing, critical infrastructure operators find themselves fighting off adversaries individually instead of using the knowledge and experience that already exists in their community. Better threat information sharing is an important goal, but two barriers, one cultural and the other technical, continue to plague well-intentioned policy efforts. Failing to meaningfully address both barriers can lead to unnecessary hype and the misappropriation of resources.

Closing the Case on the Reported 2008 Russian Cyber Attack on the BTC Pipeline

June 27, 2015

This was first posted on the SANS ICS blog here.


An article released today in Sueddeutsche (the largest German national daily newspaper) by Hakan Tanriverdi revealed new information that further casts doubt on a report that a 2008 Russian cyber attack caused the Baku-Tbilisi-Ceyhan (BTC) pipeline explosion. The Sueddeutsche article can be found here.


The original report of the attack was released on December 14th, 2014 by Bloomberg under the title “Mysterious ’08 Turkey Pipeline Blast Opened New Cyberwar.” The article referenced an explosion that occurred in 2008 along the BTC pipeline that had previously been attributed to a physical attack by Kurdish extremists in the area. The Bloomberg report cited four anonymous individuals familiar with the incident and claimed the explosion was actually due to a cyber attack, which it attributed to Russia.

Cyber Intelligence Part 5: Cyber Threat Intelligence

June 27, 2015

This was first published on Tripwire here.


In the previous blog posts in this series, we looked at cyber intelligence and some of its different focus areas, including intelligence collection operations and counterintelligence. In the final post of the series, we will take a look at threat intelligence and discuss some of its elements.

First and foremost, we need to answer the question – what is threat intelligence? Gartner has defined threat intelligence as: “evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.”

In its entirety, this is a good definition but what does it all mean? How can threat intelligence benefit us?

Cyber Intelligence Part 4: Cyber Counterintelligence From Theory to Practices

June 27, 2015

This was first published on Tripwire here.


In the previous article, Cyber Intelligence Collection Operations, the types of collection and the types of data that could be obtained were discussed. At the end of the discussion I pointed out that analysts must be critical of the data they evaluate, since at any time it could be compromised.

Specifically, adversary actors could employ counterintelligence or deception type techniques to push analysts to draw wrong conclusions or discount the data entirely. In this article we will cover this topic of Cyber Counterintelligence (CCI) and discuss its two main branches: Offensive CCI and Defensive CCI.

Cyber Intelligence Part 3: Cyber Intelligence Collection Operations

June 27, 2015

This was first published on Tripwire here.


In the previous article in this series I talked about developing your cyber intelligence analyst skills. The approach largely relied on becoming tool agnostic and developing a strong base through education. As the analyst it is your opinion and expertise that matters most.

I also highlighted three of the more talked about sub-disciplines of cyber intelligence which are Intelligence Collection Operations, Cyber Counterintelligence, and Threat Intelligence. In this blog we will cover Cyber Intelligence Collection Operations.

The topic of Intelligence Collection Operations sounds inherently military or government based in nature, especially with the use of the word “operations.” The term here, though, is meant to evoke the concept of a prolonged process and not just a single action.

Cyber Intelligence Part 2: Developing Your Cyber Intelligence Analyst Skills

June 27, 2015

This was first published on Tripwire here.


In the previous blog in this series, An Introduction to Cyber Intelligence, I gave an overview which primarily focused on defining and discussing some of the fundamentals of intelligence work in general. In this edition we will cover more in depth what it means to be a cyber intelligence analyst in terms of understanding intelligence products, skills to develop, and an introduction to the sub-disciplines of cyber intelligence.

First we need to start with the end goal in mind – intelligence products. An intelligence product is the final evaluation of the data that you provide in a polished and easy to understand format to the customer.

In some cases the customer may just be yourself, your organization, or customers of your organization. There are no set formats and standards for the intelligence product, but technical writing is definitely a skill that needs to be developed properly. The focus should be presenting intelligence that satisfies the original goal or intelligence need.

Cyber Intelligence Part 1: An Introduction to Cyber Intelligence

June 27, 2015

This was first published on Tripwire here.


This is the beginning of a short blog series on the topic of cyber intelligence, its sub-disciplines, and its uses. As an Adjunct Lecturer at Utica College, I teach graduate students in the M.S. Cybersecurity program on topics including cyber intelligence and cyber counterintelligence.

One of my observations while building the course syllabus and instructing the students is that there is a general lack of information on what cyber intelligence is and how to appropriately use it. There are a few resources out there but cyber intelligence is more often thrown around as a buzz word for company statements and contracts than it is actually defined and used.

I would argue that every good analyst working in information technology or “cyber” type roles uses intelligence; although I would readily admit that having encountered plenty of people in this field I know that some use it more than others.

The first step to understanding cyber intelligence is to realize that intelligence tactics, techniques, and procedures (TTPs) as well as various types of operations existed long before cyberspace was conceived. Intelligence is most often seen as offensive in nature when viewed from the lens of spying and collection operations but its ultimate purpose is also equally rooted in defense.