Education & training: Key to mitigate ICS security risks

SecurityMEA speaks with Doug Wylie, Director of SANS Institute’s Industrials & Infrastructure Practice Area about the security environment in Industrial Control Systems (ICS) and the benefits that SANS Institute ICS curriculum offers in this space.

What is ICS Security and how is it different from cyber security? What is the state of ICS Security in the region?

The primary difference stems from the evolution of ICS systems. Traditionally the focus of ICS has been on the physical processes and components such as switches, gauges and valves. As these became more automated, critical components were connected to isolated networks which kept them relatively protected from conventional cyber threats. However, we now see attackers circumventing these barriers and posing a direct threat to ICS systems. Of course, with SCADA networks being deployed in critical facilities such as oil and gas, and manufacturing plants, the range of potential threats is far wider and carries far more severe consequences.

The oil and gas industry is a fundamental pillar of the economy for many countries in the Middle East. Cyber criminals are aware of this and attacks such as the Shamoon malware were specifically created to disrupt industrial facilities. According to the Repository of Industrial Security Incidents (RISI), cyberattacks against oil and gas organisations in the Middle East make up more than half of the recorded instances, in comparison to under 30 per cent in the US and other Western countries.

Do ICS security professionals need a separate set of skill sets when compared to cyber security?

Currently, the IT professionals in charge of ICS systems are rarely dedicated security experts. That being said, SANS Institute’s recent Securing Industrial Control Systems 2017 report showed that many of the professionals responsible for today’s industrial control systems do at least recognise current cyber security risks. However, they aren’t always in a position to overcome them since governance is often seen as a lower priority when it comes into conflict with the objectives of the business which revolve around efficiency and productivity. Many ICS practitioners aren’t interested in becoming cyber security experts themselves, but they do realise that their organisation needs to plan to manage the threats.

In your opinion, are regional enterprises well equipped to tackle ICS security threats?

Security threats are constant and continue to evolve. So too must companies in order to try to protect against these threats. In some cases, threats come from unintentional misconfigurations or non-targeted malware that doesn’t necessarily direct itself to a specific company or system. Threats can also be highly sophisticated and carefully coordinated as targeted attacks, many with particular intent to cause disruption or damage.

With such a spectrum, regional enterprises are challenged to develop capabilities to detect and identify ICS threats, but it’s imperative these same companies remain agile. Ongoing investments in people for education and training, as well as process and technology-driven solutions are all necessary to develop effective countermeasures and to constantly exercise and make improvements to company plans for response and recovery capabilities should ICS threats have success.

Are these organisations forthcoming in upgrading the skill sets of their workforce to match today’s requirements to deal with the issue of security and what needs to be done going forward?

Fortunately, the oil and gas industry has a long history of investing in risk management programs to address safety risks that have also expanded to include security risk management. Employee workforce development programs focused on security education, training and awareness continue to mature within many organizations. For the most progressive companies, their training budgets reflect ongoing personnel development investments to help ensure security skills align with emerging risks and evolving threats.

It is also important for companies to recognize that their risks extend beyond just their employees. Companies benefit greatly from expanding their education and awareness programs to reach their suppliers, consultants and the variety of service and maintenance personnel that similarly comes in contact with critical aspects of their OT systems. Building a comprehensive, diverse and agile cyber security education and training program that also includes capabilities to test and verify competence is an essential element to successful cyber security risk management programs that help mitigate risks today and in the future.

What role does SANS Institute play in the ICS Security market?

Trained cyber security professionals are key to solving the security problems of ICS, as is the continuous education of all employees that come into contact with the ICS, in best practice and security.

Weaknesses in IT systems can sometimes be the cause of a cyber-breach. However, people pose a greater risk, with almost 90% of cyber-attacks caused by human error or behaviour. This can either be the result of malicious action by staff, but equally many will simply be employees who have not received adequate training, and lack the knowledge on how to operate and maintain IT systems securely, or even spot there is an issue.

This is where SANS Institute steps in to address the challenge. As the most trusted and by far the largest source for information security training and security certification in the world, we are perfectly positioned to help organizations ramp up their cyber security skill sets and awareness.

What kind of courses do you offer in this domain?

We offer ICS410: ICS/SCADA Security Essentials which provides a foundational set of standardized skills and knowledge for industrial cybersecurity professionals. The course is designed to ensure that the workforce involved in supporting and defending ICS is trained to keep the operational environment safe, secure, and resilient against current and emerging cyber threats. The training includes hands-on lab learning, incident response and governance models.

As a follow up to this course, we offer the more in-depth ICS515: ICS Active Defence and Incident Response which helps attendees deconstruct ICS cyber-attacks, leverage an active defence to identify and counter threats in ICS, and use incident response procedures to maintain the safety and reliability of operations.

What are the bare minimum qualifications required to join such courses?

The SANS Industrial Control System (ICS) curriculum is relevant for students with responsibilities in the design, operation and maintenance of networked Operational Technology (OT) systems. It is also a good fit for Information Technology (IT) students that interact with OT systems or hold dual-responsibility for managing IT/OT systems.

The SANS ICS410 course covers many of the core areas of ICS security and helps a student build greater skills to identify and manage risks that can affect OT systems. It is helpful for students to have a basic understanding of networking and system administration concepts, TCP/IP, networking design/architecture, vulnerability assessment, and risk management methodologies.

The SANS ICS515 course explores the concepts and practical application of Active Defence measures that can be applied to ICS systems to enhance protection and safeguard against known and unknown threats. Students for SANS ICS515 will benefit from first taking ICS410, or a similar essential cybersecurity class such as SEC401 to first build fundamental cyber security skills. It is also helpful for ICS515 students to have some prior basic knowledge of ICS architectures and be comfortable with ICS terminology such as PLC, DCS, SCADA, RTU and some proprietary and open communication technologies including Modbus TCP, OPC, DNP3.0, IEC 61850 and the like.