In January 2016, the U.S. Department of Homeland Security issued an Intelligence Assessment, prepared by the Office of Intelligence and Analysis (I&A) and coordinated with the Industrial Control Systems Computer Emergency Response Team (ICS-CERT). The report concluded:
Damaging Cyber Attacks Possible but Not Likely Against the US Energy Sector.
Energy Sector readers beware!
The Intelligence Assessment's conclusions are based on reported incidents. However, the type of intrusion of greater concern would be more like “sleeper agents,” difficult to detect and unnoticed until activated. In his 2012 book CYBERWAR, Richard C. Clarke wrote: “In anticipation of hostilities, nations are already ‘preparing the battlefield.’ They are hacking into each other’s networks and infrastructures, laying in trapdoors and logic bombs - now, in peacetime.”
The ICS-CERT identifies the following as Seven Strategies to Defend ICS Systems which align very well with the SANS Critical Security Controls:
- Application Whitelisting
- Proper Configuration/Patch Management
- Reduce your Attack Surface Area (Isolation) – a recent separate report identified ICS connections to corporate systems as a critical point of vulnerability.
- Build a Defendable Environment (Network Segmentation)
- Manage Authentication (Privileged Account Management)
- Monitor and Respond (monitor actively; respond rapidly)
- Implement Secure Remote Access (Strong Authentication; Least Privilege Access)
These are all good, but none would find those “sleeper agents.” Isolation can help you focus your efforts. Computer forensic inspections would be another good step. But, if Richard Clarke is correct, then the best step is to inventory all of your executables (another SANS Top 20 CSC). Yes, this is very “heavy lifting”. Understand what is there, what it does, and whether it should be present on the system. Establish and maintain an executables benchmark. Subsequently, monitor for anomalous executables.
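The executables benchmark described above can be made concrete as a hash-based inventory: walk the filesystem, record a SHA-256 for every executable file, store that as the baseline, and later diff a fresh inventory against it to surface executables that appeared, disappeared, or changed. The following is an added example written for this post; it is not code from the DHS report, ICS-CERT, or SANS. It assumes a POSIX host where the execute bit marks executables (with a small suffix list as a fallback for Windows-style files), keys the inventory by path relative to the scanned root, and uses constructed file names (`hmi_daemon`, `plc_poll`, `updater_x`) in its demonstration.

```python
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path

# Fallback for filesystems that do not carry execute bits (assumed list, not from the post).
WINDOWS_EXEC_SUFFIXES = {".exe", ".dll", ".sys", ".com", ".ps1", ".bat", ".cmd"}


def is_executable(path: Path) -> bool:
    """True for a regular file with any execute bit set, or with a known executable suffix."""
    try:
        mode = path.stat().st_mode
    except OSError:
        return False
    if not stat.S_ISREG(mode):
        return False
    if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        return True
    return path.suffix.lower() in WINDOWS_EXEC_SUFFIXES


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def inventory(root: Path) -> dict:
    """Return {relative_path: sha256} for every executable under root (symlinks skipped)."""
    result = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink():
                continue  # hash the target only where it actually lives
            if is_executable(p):
                result[p.relative_to(root).as_posix()] = sha256_of(p)
    return result


def save_baseline(inv: dict, out_file: Path) -> None:
    """Persist the benchmark; in practice keep this copy off the monitored host."""
    out_file.write_text(json.dumps(inv, indent=2, sort_keys=True))


def load_baseline(in_file: Path) -> dict:
    return json.loads(in_file.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Classify every difference between the benchmark and a fresh inventory."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k])
    return {"added": added, "removed": removed, "changed": changed}


def _write(path: Path, data: bytes, exec_bit: bool) -> None:
    """Test helper: write a file and set or clear its execute bits."""
    path.write_bytes(data)
    mode = path.stat().st_mode
    if exec_bit:
        path.chmod(mode | stat.S_IXUSR)
    else:
        path.chmod(mode & ~(stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then alter it and report the anomalies."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        _write(root / "bin" / "hmi_daemon", b"#!/bin/sh\necho hmi\n", exec_bit=True)
        _write(root / "bin" / "plc_poll", b"#!/bin/sh\necho poll\n", exec_bit=True)
        _write(root / "README.txt", b"notes\n", exec_bit=False)  # not executable, not inventoried

        baseline_file = root / "baseline.json"
        save_baseline(inventory(root), baseline_file)

        # Later: one executable's contents change, one appears, one is removed.
        _write(root / "bin" / "hmi_daemon", b"#!/bin/sh\necho hmi-v2\n", exec_bit=True)
        _write(root / "bin" / "updater_x", b"#!/bin/sh\necho new\n", exec_bit=True)
        (root / "bin" / "plc_poll").unlink()
        baseline_file.unlink()  # the baseline file itself is data, not part of the inventory

        return compare(load_baseline_from_text(baseline_text := None) if False else
                       json.loads(_baseline_cache), inventory(root)) if False else \
            compare(_baseline_snapshot(root, baseline_file), inventory(root))


def _baseline_snapshot(root: Path, baseline_file: Path) -> dict:
    """Rebuild the pre-change benchmark for the demo (the file was removed above)."""
    return {
        "bin/hmi_daemon": hashlib.sha256(b"#!/bin/sh\necho hmi\n").hexdigest(),
        "bin/plc_poll": hashlib.sha256(b"#!/bin/sh\necho poll\n").hexdigest(),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it once to produce the benchmark and store that JSON somewhere the monitored host cannot rewrite it; run `inventory` plus `compare` on a schedule and treat every `added` or `changed` entry as something to identify and justify, which is exactly the "understand what is there, what it does, and whether it should be present" step.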