The staff at the Christian Science Monitor (CSM) Passcode just published an article titled: Quest for Knowledge and there was one sentence that caught my eye: “Instead, there’s a growing sentiment in the industry that knowing as much as possible about the attackers – and how they strike – is the key to good defense.”

There is no suggestion that the folks down at the CSM got it wrong in the way they characterized the industry trend. I am suggesting that those who follow threat’s siren song may end up with their hopes dashed against the rocks.

I am not dismissing the value of threat intelligence or suggesting it does not help to know more about your attacker. And, based on the sheer number of threat reports coming out, it is easy to see how one might reach the conclusion that threat intelligence is the latest bandwagon that must be jumped on. Taking a contrarian position I would say that knowing as much as possible about the threat is not the key. It may be nice to know or it may give a sense of being on top of the situation, but it never has been and it never will be the key to a good defense (at least for ICS environments).

My perspective:

  • What I see in the market is the desire to do as little as possible. Wanting to know about the threat and then shaping your defense based on that information is similar to risk management; it simply codifies a method for not doing what you ought to do to ensure the security of your systems.
  • Even if you had real-time threat intelligence, the maneuver speed of most ICS environments would not allow the asset owner to do much about it. Unless, of course, your threat intel could project what was coming 5 years down the road. For example, the U.S. NRC published its new cyber rule (10 CFR 73.54) in 2009, and not one single nuclear power plant in the U.S. has fully implemented the program, and it’s 2015.
  • A reasonably good security posture can be achieved and maintained without knowing squat about the threat:
      • Get a complete and accurate inventory
      • Get accurate and complete system architecture information
      • Understand the details of the data flow and process dependencies
      • Develop, deploy, validate, and enforce good policies & procedures
      • Enable procurement people so they understand the plant’s security requirements in terms of available products on the market
      • Manage changes
      • Manage contractors/vendors
      • Manage mobile devices and media
      • Train, train, train (not just awareness, but technical skills)
      • Measure and verify all the above

This is not rocket science. The bottom line is that reasonable cyber security for ICS is not impossible, but it is not easy. It requires work. It is not convenient and it is not sexy because there are no blinking lights on a black box sitting on your network that is somehow able to identify and thwart the next threat that nobody imagined.

So, put down that threat report and back slowly away. The threat report won’t save you. The next black box won’t save you. Encryption won’t save you. Information sharing won’t save you. Standards won’t save you. What you need is not the latest gadget, but some hard and well-understood engineering and analysis by a cross-disciplinary team. This is something that most plants can do already with what they have. What they lack is the organizational will (i.e., budget, manpower, resources, commitment), which has long been understood as the basic requirement for the success of any internal business project: management buy-in.

Just my .02