Highlights of the spring conference:
- The plant security working group of the WIB International Instrument User’s Association (www.wib.nl) has published a report, “M 2784 X10”, entitled “Process Control Domain – Security Requirements for Vendors”. Shell was a driving force behind this standard, which is available for download here (note: WIB permission is needed to redistribute). Shell is starting to require their vendors to certify against M-2784, and Wurldtech is putting the first batch of vendors through the certification program now.
- The RISI (Repository of Industrial Security Incidents) presentation was the most animated. The new statistic I heard was that of the 161 incidents in the database since 1982, 55 were un-targeted virus infestations and 36 were targeted attacks of one sort or another. The remainder are errors, omissions, debunked urban legends and others. Of the targeted attacks, 50% were insider attacks.
- My presentation on network anomaly detection will be posted here in a couple of days. Jim Davidson of INL had a methodology presentation that used a network anomaly detection tool as an example. He drew some of the same conclusions I did about anomaly detection, though that wasn’t the focus of his talk.
And it was good to see the Invensys / McAfee presentation. Invensys has integrated all of the McAfee host security suite, including the new whitelisting/application control system, into the new versions of their Windows-based control system components. For a good five years now, vendors have routinely supported one or more AV products in their new versions. It’s good to see a wider variety of host intrusion prevention technologies being adopted.
That said, technology is only a piece of the puzzle. Security risks and mitigations both include elements of technology, people and the physical environment. In addition, ICS security needs to address thorny issues like safety implications and long life-cycle deployments / obsolescence. Security is a continuous process of examining your risks and mitigating them with a defense-in-depth strategy.