Over the past year, significant discoveries about adversarial capabilities have shown that many companies across the 18 critical infrastructure and key resources (CIKR) sectors are struggling to cope with the growing threat to their industrial assets.
Significant efforts have been made in industry and government to improve awareness of, and the capability to defend critical assets from, cyber intrusions and potential attacks.
The Department of Homeland Security Control Systems Security Program (CSSP), along with standards organizations, has provided baseline standards and approaches to securing industrial assets.
The amount of information generated makes it difficult to know where to start. The following strategies are recommended to help asset owners and operators get started.
The first step to understanding the organization’s overall security posture is to fully understand the current state. ICS-CERT recommends the CSET Assessment tool, available at http://www.us-cert.gov/control_systems/satool.html.
Onsite assessment assistance is available through the CSSP. This will help the organization understand its current security posture in relation to industry standards and develop a gap analysis.
The next step is to develop your knowledge base on recommended practices and related industry standards. ICS-CERT recommends reviewing the CSSP Introduction to Recommended Practices available at http://www.us-cert.gov/control_systems/practices/.
Develop a work plan and a procurement plan that enable closing the gap and implementing sound practices for securing control system networks. For procurement, ICS-CERT recommends the Cyber Security Procurement Language for Control Systems, available at http://www.us-cert.gov/control_systems/csdocuments.html.
The references and standards available to asset owners and operators help establish a baseline level of security, built on existing and available technology and strategies, that is widely accepted by industry experts working in the cybersecurity field.
In no way do they ensure that those strategies and technologies will be resilient against emerging threats designed to defeat them. Threat actors commonly focus on defeating existing security features and strategies, and develop sophisticated means to do so.
Because of the sophisticated attack strategies used by threat actors, companies should adopt a cybersecurity improvement program that focuses on emerging threats and employee training. Reliance on the standards and recommended practices alone will not afford adequate protection against emerging threats, because the threats are dynamic and changing.
The standards and references are snapshots in time, addressing known threats and the emerging threats known at the time of writing. References and standards will contain some level of uncertainty and error, depending on the available information and the time since publication, and will always lag threat capabilities.