Thursday, February 6, 2014

Industrial Control Security -- More Awareness Needed

I am an active reader of various blogs, e-magazines, websites, etc. regarding industrial control system (ICS) security.  This week I came across a rather disturbing survey that indicates more work is needed in the ICS security domain to raise awareness of the availability of useful ICS security resources.

This week I was looking at Control Engineering e-magazine and noted that they had a survey on ICS security.  The question posed was:

Do you follow cyber security resources to check for security vulnerabilities in the devices in your industrial networks, such as PLCs, RTUs, Ethernet switches, HMIs, DCSs, etc.?

The poll result is shown in the graphic below and you can add your own vote at Link.




What disturbs me about the poll results is the majority of those responding to this unscientific survey have "...no idea such a resource was available."  This tells me that the ICS security community needs to do more work publicizing its resources in order to help the field engineers make their ICS systems more secure.

So, to help in this regard, here are some resources you will find extremely useful in helping to better understand the current ICS security vulnerabilities and how to better defend your ICS networks:

Excellent "Textbooks" and Desk References:

Excellent Resources on ICS Security Vulnerabilities, Protective Actions

** ICS-CERT encourages U.S. asset owners and operators to join the Control Systems compartment of the US-CERT secure portal. Send your name, e-mail address, and company affiliation to ics-cert@hq.dhs.gov.

What Else?

There are many other resources that include vendor notifications and alerts as well as other resources from standards organizations such as ISA but the above list of links is an excellent starting point for you to gather references and subscribe to data feeds from ICS-CERT.

Overall, though, it is our job in the Security Community to help everyone realize what resources exist in the world to provide guidance on securing critical infrastructure and industrial control systems.

###