(SecurityWeek / Ed Kovacs) – Overblown media reports describing critical infrastructure incidents can have a negative impact on cybersecurity in the industrial control systems (ICS) sector, experts have warned.
The number of attacks aimed at ICS has reportedly increased in the past year and several incidents have been disclosed to the public. However, some of the mainstream media reports covering these attacks have been sensationalized or inaccurate.
For instance, reports of an incident involving the Burlington Electric Department in Vermont initially led the public to believe that the electric grid was breached, when in reality only a computer that was not connected to the grid was affected. In some cases, such as the attack targeting a small dam in New York, overhyped reports are fueled by statements made by representatives of the government.
SecurityWeek has reached out to several industrial security companies and some believe that media reports can have a positive impact on ICS security, especially when it comes to raising awareness, but only if the reports are accurate.
“Reporting on these types of incidents is a very good thing, if and only if the reporting is accurate and objective,” said Lane Thames, software development engineer and researcher at Tripwire. “Awareness is very important here. However, there is too much reporting hype in our industry, so sensationalized reporting is a very bad thing.”
Robert M. Lee, CEO and founder of Dragos, Inc., is also convinced that overblown reports can have a negative effect.
“It is common for folks to want to believe that a bit of hype or sensationalism will help encourage folks to invest more in security, but it often has one of two negative impacts,” Lee said. “Either the company invests resources in security to fight off the hyped threat, which means that the resources are not focused on the real threats, or the company gets fatigue from the hyped stories and decides to not invest at all.”
Eddie Habibi, CEO of PAS, agrees and believes there is a “quiet desperation” to report on incidents disclosed to the public.
“Unfortunately, when we cry wolf on minor incidents, such as the Vermont laptop infection, it becomes harder and harder for critical infrastructure companies to discern what the real threats are. Focusing on real, confirmed risks allows industry to make better, more targeted investment decisions,” the expert said.
Stephen Ward, senior director at Claroty, believes the key is collaboration between the media and the industry.
“Raising awareness of ICS security is always a good thing – especially given how far behind ICS security is in comparison to IT…that said, when these conflations occur it has the dual effect of raising awareness on the one hand and then ‘writing off’ the seriousness when the conflation is realized,” Ward said. “Better understanding across the board is required – we’re happy to be helping drive that with our friends in the media.”
Exploring Risks of IT Network Breaches to Industrial Control Systems (ICS)
(SecurityWeek / Eduard Kovacs) - There have been several incidents recently where a critical infrastructure organization’s IT systems were breached or became infected with malware. SecurityWeek has reached out to several ICS security experts to find out if these types of attacks are an indicator of a weak security posture, which could lead to control systems also getting hacked. Security incidents involving critical infrastructure organizations There are only a few publicly known examples of cyberattacks targeting an organization’s industrial control systems (ICS), including
Kaspersky Launches Industrial Control Systems CERT
Kaspersky Lab has launched a new global computer emergency response team (CERT) focusing on industrial control systems (ICS). Through the Kaspersky Lab ICS-CERT, the security firm wants to share its knowledge and experience in securing industrial systems and coordinate the exchange of information between stakeholders. Officially launched last month, the new initiative aims to provide information on the latest threats, vulnerabilities, security incidents, mitigation strategies, incident response, compliance and investigations. Since it’s a non-commercial project, the Kaspersky Lab ICS-CERT will offer information and
Siemens Fixes Vulnerabilities in SIMATIC, License Manager Products
(SecurityWeek) - Siemens has released software updates to address several vulnerabilities in its SIMATIC and Automation License Manager (ALM) products. According to advisories published last week by both ICS-CERT and Siemens, the ALM, which allows customers to centrally manage licenses for their Siemens products, is affected by three vulnerabilities. The security holes, including one rated high severity and one rated critical, were reported to the vendor by researchers from Kaspersky Lab’s critical infrastructure team. The critical vulnerability, tracked as CVE-2016-8565, is a
Live Demo: Destructive Cyber Attack on “Air-gapped” Systems
By: Joe Weiss All too often, people claim their systems are air-gapped, and therefore have no cyber vulnerability. But Alternating Current (AC) power cords cross the ostensible “air gap”, and power supplies for laptops, servers, ICSs, etc. have rarely been addressed for cyber security vulnerabilities. On October 26, Alex McEachern from Power Standards Laboratory will provide a hands-on demonstration of two types of attack-to-failure of a real, air-gapped ICS at SecurityWeek's 2016 ICS Cyber Security Conference. McEachern’s demonstration will remotely cyber attack and
Demo: Hacking a Protective Relay and Taking Control – the Grid is at Risk
By: Joe Weiss Protective relays are critical to the operation of the electric grid and the protection of large electric equipment in many industries including electric, nuclear, manufacturing, etc. Protective relays were originally electro-mechanical switches but have progressed to complex networked digital devices with enormous computing capabilities making them intelligent electronic devices (IEDs). Consequently, IEDs are now cyber vulnerable from both IT network and control system issues. In March 2007, the Idaho National Laboratory (INL) demonstrated the Aurora vulnerability by using
Control Systems Don’t Have to be Industrial
Control Systems are Used in Applications Beyond Just Industrial Control and Automation By: Joe Weiss Control systems are used to monitor and control physical processes. Measured variables include pressure, temperature, level, flow, voltage, current, resistance, power, weight (mass), speed, distance, direction, chemical composition, strain, size, color, radiation, etc. Control systems compare the measured variables to a setpoint. For example, a control system can check the temperature to see if it is too high or too low and automatically adjust conditions so the temperature returns
Inside the CRIT-EX 16.2 Cyberattack Readiness Exercise
We are pleased to add the following talk to the agenda of SecurityWeek's 2016 ICS Cyber Security Conference. (Conference registration is still available - with registrations up more than 100% for 2016, we encourage you to register now to reserve a spot) Cyber Stone Soup: Complex Training for Cyber Exercises This presentation will cover the importance of training cybersecurity for industrial control systems in a complex environment. While using lessons learned as examples, the presenter will provide a roadmap to plan and execute
Dragos Raises $1.2 Million to Counter ICS Cyber Threats
(SecurityWeek) - Dragos, a startup focused on protecting industrial control systems (ICS) from cyber threats, has raised $1.2 million from startup studio DataTribe. Founded by a small group of former NSA intelligence officers with experience in ICS security, Dragos offers a network asset discovery and visualization tool called CyberLens. The tool was developed specifically for control systems environments, which often require deep packet inspection through passive network scanning or data collection. However, CyberLens will not be the primary focus of the company as it
ICS Components Are Increasingly Vulnerable and Web Accessible: Report
Over the past few years, industrial control systems (ICS) components have proven to be increasingly vulnerable and more frequently accessible from the Internet, which significantly amplifies the risk they are exposed to, Kaspersky Lab researchers warn. According to numbers from Kaspersky, 189 vulnerabilities were discovered in ICS components last year, a ten-fold increase compared to 2010, when only 19 were published. Sophisticated attacks on ICS are on the rise as well, such as the Ivano-Frankivsk, Ukraine, incident last year, just one of the multiple attacks that