There are many paths to pursue in improving cyber defenses for industrial control systems (ICS). At the 2017 Ovation Users Group conference, Emerson’s Tom Kizer presented on applying threat intelligence for system defense.
Tom opened by acknowledging that identifying effective threat intelligence is difficult. Threat intelligence is data collected, organized, analyzed and refined about potential or current attacks such as indicators of compromise, zero-day threats, advanced persistent threats (APTs) and exploits. Threat intelligence helps users understand the risks of the most common and severe external threats.
With control system software, the amount of software is limited which helps with the task. External sources such as McAfee has rule sets and policies that are one source of gathering threat intelligence. Tom noted that the SureService program for Ovation users puts out notices on relevant threats which might impact the software loaded on these systems. Other external sources include SANS, Threatstop.com, AlienVault and Anomali STAXX.
Indicators to monitor include accounts: lockouts by asset and user, activity in accounts of former staff, activity on the same asset with different user names in a short time frame, outside of hours’ logins, privilege account changes, repeated unsuccessful logins, and the creation and deletion of assets.
More indicators include configuration changes at the system and application level that no one can explain, external activity on commonly hacked network ports, login and access logs, intrusion detection system (IDS) events and traffic between test and development or live environments.
The tools Tom and team normally use are security information and event management (SIEM) and Intrusion Detection systems.
Once gathered, the learnings from the threat intelligence should be applied to firewalls, IDS, vulnerability management, SIEM, host security systems, application security systems, identity and access management and analytics platforms other than SIEM. These tools provide data but not necessarily the intelligence to make decisions. Intelligence requires analysis by people, perhaps augmented with advanced analytics applied by software.
ICS-CERT is a good source of cyber threat data related to control systems. Tom recommended you aggregate this data from all possible sources and correlate this aggregated data. Developed policies and procedures need to address regular updating of supplier feeds, reviewing and analyzing the data on a regular basis, regular tuning of monitoring rules and incidence response. There is an internal team that regularly monitoring the ICS-CERT, EnergySec and many others and evaluate what should be sent on to Ovation users as an alert.
Tom wrapped his presentation with a discussion of SHODAN, a search engine for the Internet of Things. This search engine targets specific ports—HTTP, HTTPS, SSH, FTP, Telnet, SNMP and RTSP. Performing regular searches for your organization is good practice.
Threat intelligence is about collecting, organizing and analyzing the data and refining your technology and work practices to contend with potential and current cyber threats.