{"id":7472,"date":"2014-11-25T06:00:44","date_gmt":"2014-11-25T14:00:44","guid":{"rendered":"https:\/\/www.paloaltonetworks.com\/blog\/?p=7472"},"modified":"2015-10-07T15:23:53","modified_gmt":"2015-10-07T22:23:53","slug":"2015-predictions-securing-industrial-control-systems","status":"publish","type":"post","link":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/2014\/11\/2015-predictions-securing-industrial-control-systems\/","title":{"rendered":"2015 Predictions: Securing Industrial Control Systems"},"content":{"rendered":"<p><em>As 2014 comes to a close, our subject matter experts check in on what they see as major topics and trends for the new year. (You can read all of our 2015 predictions content <a href=\"https:\/\/www.paloaltonetworks.com\/blog\/tag\/2015-predictions\/\" target=\"_blank\">here<\/a>.)<\/em><strong>\u00a0<\/strong><\/p>\n<p><div style=\"max-width:100%\" data-width=\"500\"><span class=\"ar-custom\" style=\"padding-bottom:59%;\"><img loading=\"lazy\" decoding=\"async\"  class=\"aligncenter size-large wp-image-7442 lozad\"  data-src=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2014\/11\/2015-Predictions-Image-01-500x295.jpg\" alt=\"2015 Predictions Image-01\" width=\"500\" height=\"295\" srcset=\"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2014\/11\/2015-Predictions-Image-01-500x295.jpg 500w, https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2014\/11\/2015-Predictions-Image-01-230x135.jpg 230w, https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2014\/11\/2015-Predictions-Image-01-510x300.jpg 510w, https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2014\/11\/2015-Predictions-Image-01-67x40.jpg 67w\" sizes=\"auto, (max-width: 500px) 100vw, 500px\" \/><\/span><\/div><\/p>\n<p>Recent years have made Industrial Control Systems (ICS) cybersecurity a very dynamic area, and 2014 was no 
different. While much progress is left to be made, some milestones, like the announcement of the release of version 1.0 of the NIST Framework, show the encouraging progress industry has made in making critical infrastructure protection top of mind.<\/p>\n<p>Other milestones, such as the new and sophisticated APT campaigns targeting ICS, remind us that the bad guys are constantly expanding their capabilities in going after critical infrastructure assets. \u00a0We have also seen more IT-OT integration around mobility and virtualization, technologies that in the past were typically considered too unproven for OT environments.<\/p>\n<p>With the year almost behind us, it is interesting to peer into 2015 to anticipate if and how some of the trends will persist and evolve. Hopefully organizations will consider what kind of security capabilities might be needed to improve control systems security posture as well as operational efficiency. \u00a0Here then are three predictions I think end users will want to pay attention to in 2015:<!--more--><\/p>\n<p><strong>1.\u00a0Projects to Virtualize OT Datacenters Pick Up Steam<\/strong><\/p>\n<p>Up until early 2014, most OT information systems managers I informally surveyed knew of plans to virtualize the corporate datacenter, but had no plans of their own to do the same for operational data centers.\u00a0 In fact, most organizations were vehement in their position to never virtualize these environments, which house critical applications such as MES, EMS, Historians, SCADA Masters and similar automation servers.<\/p>\n<p>There was quite a bit of nervousness around the stability and performance of\u00a0 applications sitting on multiple virtual machines sharing a hypervisor and hardware resources. But starting in the early part of 2014 I started to hear a different view where virtualization became something organizations were \u201clooking at\u201d and for which they even had pilot programs in the works. 
To be sure, there are already organizations that have virtualized servers in the automation environment.\u00a0 Manufacturing, for example, where the cost pressures are very extreme, has already begun the transformation and started to reap cost and efficiency advantages. But in 2015, I expect more use of this technology even in critical infrastructure environments such as utilities and transportation.<\/p>\n<p>Many organizations segment their operational datacenters off from other networks\/zones within the control center or PCN. With virtualized environments security architects need to now also consider the traffic between virtual machines -- the so-called east-west traffic. \u00a0Maintaining security for virtualized environments could also be quite a burden and organizations need to find solutions that reduce the administrative effort around securing VMs particularly in the effort to ensure that security implementations maintain their integrity as virtual machines get moved around. What\u2019s more, the solution for the virtualized environment should also follow the same framework and management platform as devices for securing the non-virtualized assets.<\/p>\n<p><strong>2. Growing Use of Mobility for HMI and Big-data Applications<\/strong><\/p>\n<p>Earlier in November, I saw a really cool demo from a vendor of solutions for \u201cDigital Oilfields.\u201d\u00a0 The demo involved the use of augmented reality glasses and a tablet device by onsite field personnel to identify assets in the oil field, monitor processes and adjust the control systems, e.g. tuning set points on PLCs. The immediate access to information and the process was very compelling. It made workers more efficient and reduced the risk of errors.<\/p>\n<p>Besides Oil and Gas, mobility solutions are also appearing in other industries such as manufacturing and utilities.\u00a0 Some service providers are also increasing their push of mobility solutions. 
While there are some valid security risks, the benefits of mobility in terms of providing on-demand access to important information and the ability to apply controls while on the go are just so compelling that it is only a matter of time before these technologies become widely used.<\/p>\n<p>With mobile technologies on hand several new security considerations come to the surface.\u00a0 Are these mobile devices configured properly and are they being used only in business-related ways?\u00a0 Can threats, even zero day threats, introduced via mobile devices be detected and stopped? These are just a couple of considerations when organizations introduce mobility to the automation environment.\u00a0 A solution must be able to not only extend the fixed-environment security to the mobile environment but also be able to secure the new risk vectors that come with a mobile use model.<\/p>\n<p><strong>3.\u00a0The Emergence of General Purpose ICS Exploit Kits with Programming Capabilities<\/strong><\/p>\n<p>Stuxnet already showed that ICS components, e.g. centrifuges, can be damaged via cyberattacks, but that was a very targeted campaign tailored for a specific environment.<\/p>\n<p>But consider the trajectory of a couple of 2014 APTs targeting ICS, including Energetic Bear which used trojanized malware and common ICS protocols, and even Black Energy which used exploits specific to HMI software, and I believe 2015 will bring availability of a general-purpose and commercially-available ICS exploit kit that can be used to control processes, essentially lowering the hurdle for cyberphysical attacks. This will result in some headlines; such a kit would no doubt be used by actors to successfully manipulate an industrial process.\u00a0 As usual, the attack will rely on social engineering techniques and a zero day exploit or two to be successful. 
With that in place it will then enumerate, monitor and control ICS assets using ICS protocols.<\/p>\n<p>I won\u2019t feel bad if that prediction doesn\u2019t come to fruition -- I certainly hope I\u2019m wrong. The main message here is the bad guys are getting more sophisticated and organizations need to up their game when it comes to defending industrial control systems against these advanced threats. \u00a0Many operators I talk to still have nothing in place to combat advanced threats and are just not aware of the options.\u00a0 Asset owners really need to revisit their posture to not only detect but also prevent advanced attacks.<\/p>\n<p><strong>Securing ICS in 2015 and Beyond with a Platform<\/strong><\/p>\n<p>As organizations look to revamp their cybersecurity programs for the new year and beyond, an important question is what kind of capabilities are required to better secure ICS and why?\u00a0 We\u2019ve touched on several requirements already, but there are other important ones not covered.\u00a0 In speaking with Mario Chiock, former CISO of Schlumberger and current executive advisor for next generation security and technology Executive, we felt this question to be so important that we decided to collaborate on a white paper titled \u201cDefining the 21<sup>st<\/sup> Century Cybersecurity Platform for ICS\u201d.\u00a0 You can access the whitepaper here today.\u00a0 Here we take a look at several important topics including:<\/p>\n<ul>\n<li>The drivers for improving security in ICS including the nature of advanced threats<\/li>\n<li>The definition of a platform including the 9 key capabilities of a 21<sup>st<\/sup> century ICS security platform<\/li>\n<li>Why these capabilities are important as they pertain to improving security and operational efficiency and key things to look for when selecting a platform<\/li>\n<li>How a 21<sup>st<\/sup> century security platform helps with implementing the NIST Cybersecurity Framework<\/li>\n<li>A self-assessment 
checklist for decision makers to review as they plan their next generation ICS security architecture.<\/li>\n<\/ul>\n<p>I hope you have a chance to check it out.<\/p>\n<p>With that, I\u2019ll leave you with one last thought which is a quote from Mario Chiock who says, \u201cIt is impossible to stop advanced threats with legacy security.\u00a0 You need a 21<sup>st<\/sup> Century Security Platform to Defend against 21<sup>st<\/sup> Century Threats.\u201d<\/p>\n<p>Have a happy, prosperous and secure 2015!<\/p>\n<p>&nbsp;<\/p>\n<p><em>Securing Industrial Control Systems<\/em>\u00a0<em>is among many focus topics at <a href=\"https:\/\/www.paloaltonetworks.com\/content\/campaigns\/ignite\/2015\/index.html\" target=\"_blank\">Ignite 2015<\/a>, where you will tackle your toughest security challenges, get your hands dirty in one of our workshops, and expand your threat IQ.\u00a0<a href=\"https:\/\/ignite2015.paloaltonetworks.com\/portal\/createAccount.ww\" target=\"_blank\">Register now<\/a> to join us March 30-April 1, 2015 in Las Vegas \u2014 the best security conference you\u2019ll attend all year.<\/em><\/p>\n<p><a href=\"https:\/\/www.paloaltonetworks.com\/content\/campaigns\/ignite\/2015\/index.html\"><div style=\"max-width:100%\" data-width=\"500\"><span class=\"ar-custom\" style=\"padding-bottom:27.6%;\"><img loading=\"lazy\" decoding=\"async\"  class=\"aligncenter wp-image-7354 lozad\"  data-src=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2014\/11\/PAN_IC15_web_logo-1.jpg\" alt=\"PAN_IC15_web_logo-1\" width=\"500\" height=\"138\" srcset=\"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2014\/11\/PAN_IC15_web_logo-1.jpg 400w, https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2014\/11\/PAN_IC15_web_logo-1-230x63.jpg 230w, https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2014\/11\/PAN_IC15_web_logo-1-145x40.jpg 145w\" sizes=\"auto, (max-width: 500px) 
100vw, 500px\" \/><\/span><\/div><\/a><\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>As 2014 comes to a close, our subject matter experts check in on what they see as major topics and trends for the new year. (You can read all of our 2015 &hellip;<\/p>\n","protected":false},"author":46,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[229,566],"tags":[925,921,93],"coauthors":[693],"class_list":["post-7472","post","type-post","status-publish","format-standard","hentry","category-predictions","category-scada-ics","tag-2015-predictions","tag-mario-chiock","tag-stuxnet"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/7472","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/users\/46"}],"replies":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/comments?post=7472"}],"version-history":[{"count":1,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/7472\/revisions"}],"predecessor-version":[{"id":7474,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/7472\/revisions\/7474"}],"wp:attachment":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media?parent=7472"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp
-json\/wp\/v2\/categories?post=7472"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/tags?post=7472"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/coauthors?post=7472"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}