lolloj - Fotolia

Industrial control systems top threat to UK cyber security

Most organisations understand cyber security readiness, but lack response and resilience capabilities – especially regarding industrial control systems in the UK, says RSA cyber defence expert Azeem Aleem

This article can also be found in the Premium Editorial Download: Computer Weekly: Industrial control systems pose big risk to security

Vulnerabilities in industrial control systems commonly used by suppliers of critical national infrastructure are potentially the biggest threats to UK cyber security, according to a cyber defence expert.

“Industrial control systems (ICS) in Europe and particularly the UK are based on legacy systems, which is creating opportunities for attackers as we move to a process control network environment,” said Azeem Aleem, director of advanced cyber defence practice for Europe, Middle East and Africa (Emea) at RSA.

“We are seeing evidence of attacks on ICS in things like StuxnetShamoon, and Black Energy linked to the attacks on the Ukrainian power grid,” he told Computer Weekly.

According to RSA researchers, there is a sophisticated surge in the attack domains across industrial control systems. At the same time, many organisations are not aware of the device connectivity patterns inside and outside their ICS environment.

Shamoon 2, for example, triggers the wiper component for wiping hard drives only at weekends when no-one is in the office, which shows the attackers are being more creative, said Aleem.

“From Stuxnet to Shamoon 2 there is a distinct evolution to more advanced malware being targeted at ICS, which means there is a lot of work to be done in the UK in terms of defending critical national infrastructure,” he said.

According to Aleem, who is based in London, one of the biggest initial challenges is assessing the true size and nature of the problem across water utilities, oil and gas suppliers, and electrical power distribution networks.

“The UK cyber security community and the government really need to focus on this issue in the face of increasingly sophisticated attacks by nation state actors,” he said. “In the US, we have seen attempts to influence the outcome of the presidential elections, and those same actors could start manipulating industrial control systems within suppliers of critical national infrastructure as well.”

Read more about incident response

Although there is some work being done in this area in the UK, Aleem said in the light of recent developments and emerging trends, this work needs to be expanded and expedited.

“There is a growing recognition of the risk, but the government needs to be more aggressive in efforts to understand what is happening and in developing a robust framework to mitigate the risks,” he said.

The RSA Advanced Cyber Defense Practice, which was set up in the wake of the RSA breach in 2011 to help other organisations deal with similar breaches based on the company’s own experience, recommends a framework of questions to assess the threat.

These questions include:

  • Is the ICS network attached or separated from the IT network?
  • Are there plans within the timeline of the engagement to separate / join the ICS and IT network?
  • If the ICS network is separated from the IT network, is it fully air gapped?
  • If the ICS network is air gapped from the IT network, is it managed via ICS Wi-Fi or otherwise?
  • Is the ICS network is managed remotely?
  • How feasible would ad-hoc manual collection of logs and/or deployment of a packet capture device on to the network be?
  • Can a high-level network map be produced for review?

Typically, Azeem said that when his team does an assessment in this way, they discover that the organisations is unaware of around 70% of connections to the industrial control systems.

“The problem with legacy systems is that they often custom-built systems with little or no documentation and organisations that operate them have no idea what is happening,” he said.

Attacks through cloud service providers on the rise

According to RSA researchers, attacks through cloud service providers within ICS are also on the rise, and there is a dire need of intelligence correlations and reporting mechanisms around such attacks, through behavioural analytics.

RSA’s advanced cyber defence practice is the consulting arm of RSA and is focussed on cyber security readiness, resilience and response.

“Readiness is about assessing how proactive organisations are in terms of detecting an APT [advanced persistent threat] attack. We look at their people, processes and technology to assess their ability to pre-empt an attack,” said Aleem.

There is a growing awareness among organisations that there is no such thing as 100% security, he said, and as a result are investing in understanding what their critical data assets are, how to define and assess risk, how to priortise risk, and how to do cost-benefit analysis.

Response can be reactive, in terms of assessing the scope of an attack that has already happened to help limit the damage. Proactive response is about developing capabilities to minimise the breach exposure time, including developing threat intelligence relating to an organisation’s critical data assets.

“Response is typically less well understood than readiness, and capabilities are often lacking, especially when it comes to proactive capabilities to achieve actionable intelligence by filtering out the noise to identify the threats that are specific to the organisation,” he said.

The RSA Soc, for example, tracks 50-60 million events an hour, which are filtered down to just 110 to 120 incidents being tracked each day, with 98% being resolved in the same day.

Keeping organisations running during an attack

Resilience is about helping organisations keep operations running during an attack and to maintain that capability as the threat environment changes, which typically involves helping organisations to develop, operationalise and run security operations centres [Socs].”

Where organisations already have an established Soc, Aleem said his team works in a product agnostic way as a trusted advisor to refine the security intelligence across the Soc as well as develop incident response capabilities, which includes innovating to develop a proactive hunting capability. In return, RSA uses data gathered on attacks to improve its products and services.

“Like response, resilience is less well understood and capabilities are lacking, but the biggest problem is often the lack of talent to maintain the evolution of cyber defence knowledge and capabilities,” he said. “There is also the problem of organisations still investing in prevention only, and not in response and resilience.”

Where organisations are lacking in response and resilience capabilities, Aleem said the standard advice is to identify key data assets and top business risk.

“Step two is to identify and assess the effectiveness of what the organisation is doing to protect those assets and mitigate those risks, and then to look at the incident response plan,” he said.

But according to Aleem, many organisations either lack an incident response plan and/or adequate and consistent processes across the organisations to support one.

“Having an actionable threat intelligence capability is the next key element,” he said, which involves looking at the tools, tactics and procedures of the most likely attackers and adjusting an organisation’s defences accordingly.

“The goal here is to take the fight back to the criminals by obstructing the way they work in the hope they will go after other targets rather than going to the trouble of finding an alternative way to come after your organisation,” said Aleem.

Visibility essential to developing readiness

The final key element, he said, is visibility, which is essential in developing readiness, response and resilience capabilities.

“And by visibility I do not just mean visibility in the network, but also in endpoints, netflows, and at the organisation’s perimeter to be able to identify patterns of cyber criminal activity, which relies not only on products but skilled professionals with hunting capability,” said Aleem.

Read more on Data breach incident management and recovery