There is a pressing need to improve security in Industrial Control Systems, and technical security testing has a part to play, according to CREST, a not-for-profit accreditation body for information security.
The CREST paper presents the findings from a CREST project on the Technical Security Assurance of Industrial Control Systems (ICS), such as those that make up the Critical National Infrastructure (CNI).
The document claims that owners of ICS are caught between wanting assurances that cyber risk is being managed but they fear the potentially damaging consequences of poorly executed tests. The paper points out that such control systems are deeply embedded in many industry sectors and play a vital role in utilities and transport, for example. As such systems become more connected with the internet and conventional IT, this has led to an increase in the ‘attack surface’ and an increased likelihood of malicious activity, the paper warns. Another challenge is that these systems, as in power stations, are so sensitive – typically they must work without interruption – that caution must be exercised when making technical security tests.
For the paper in full visit the CREST website.
Comment
Ian Glover, president of CREST, pictured, said: “Research on the project has helped to identify the high-level characteristics of a practical technical security testing approach and organisations should consider how this could add value and protection. It is clear that ICS environments are more sensitive than conventional IT environments and any penetration testing of systems needs to be planned and undertaken with a high degree of trust, skill and caution.
“This position paper is supporting the work CREST is doing in many parts of the critical national infrastructure in the roll out of intelligence led penetration testing.”
Edgard Capdevielle, CEO at Nozomi Networks, said: “This report encapsulates perfectly the need for ICS cyber-security. This is evidenced by the string of malware and ransomware attacks, with reported impact on industrial system operations, in recent months.
“While there are cyber-criminals looking to liberate sensitive data for financial gain, that’s not always the case and we’re starting to see attacks that target systems to cause damage – with the motivation a little less obvious. For example, the recent discovery of Industroyer malware that is believed to have been specifically built to attack power grids. This is the second malware designed purely to disrupt physical infrastructure – the first being Stuxnet. Destructive malware is being developed, and tested, and critical infrastructure operators need to be able to identify and close down anomalous behavior before damage is done.
“Fortunately technology for detection is advancing in parallel to the escalating threats. ICS operators can now install advanced monitoring and anomaly detection that will enable them to identify intrusions and take immediate steps to ensure uptime and resilience of there critical operational technology (OT) environments.”
