BreachExchange mailing list archives

ENISA Offers Incident Response Advice


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 11 Oct 2013 22:38:55 -0600

http://www.databreachtoday.com/enisa-offers-incident-response-advice-a-6139/op-1

Industrial control systems, used in a variety of sectors, including
financial services, healthcare, public utilities and manufacturing, are
increasingly vulnerable to cyber-attacks. Security professionals can follow
recommendations outlined in a new white paper from the European Union's
cybersecurity agency to help secure these systems and prepare incident
response plans.

The document from the European Union Agency for Network and Information
Security outlines the process responders should follow after a breach to
analyze the incident and specifies the type of information that should be
collected and analyzed.

"The ability to respond to critical incidents and be able to analyze and
learn from what happened is crucial," the white paper states.

J.D. Sherry, a vice president of technology and solutions at Trend Micro, a
security software company, notes: "Incident response planning is critical
in ICS because it documents what kind of information the investigator will
need."

Industrial control systems are designed to perform repetitive automated
tasks, such as opening and closing valves, collecting data from sensors and
monitoring the environment to issue an alarm when necessary. They're widely
used in manufacturing; water and electric grids; medical devices and
automated systems in healthcare; banking systems; and transportation
systems, among others.

Systems Under Attack

The systems frequently have software vulnerabilities and have little
built-in security, lacking code signing or basic authentication, making
them highly vulnerable to attack, says Billy Rios, managing director of
global consulting at ICS security company Cylance. Targeting these systems
could disrupt critical operations, such as causing a water pump at a
treatment plant to fail, or destroying centrifuges as the Stuxnet malware did
at Iran's Natanz nuclear facility.

Since the industrial control systems are often used in sectors that are
part of a nation's critical infrastructure, they are an attractive
potential target for cyber-attacks from disgruntled insiders, dissident
groups and nation-states, says Udo Helmbrecht, the executive director of
ENISA.

ENISA's white paper focuses on attacks against embedded systems,
supervisory control and data acquisition (SCADA) devices, programmable
logic controllers (PLC), and distributed control systems (DCS) that may be
deployed within the organization.

These systems should be "operated in a manner which allows for the
collection and analysis of digital evidence to identify what happened
during a security breach," Helmbrecht says.

Planning Before Deployment

The ENISA report emphasizes breach prevention and response planning when
deploying industrial control systems. For example, those implementing the
systems should make sure they're collecting all the data that would be
needed to conduct an investigation in case of an attack.

Many network monitoring tools, such as log management and intrusion
detection systems, can be used in the ICS environment to monitor the
management and support systems that are connected to the actual embedded
systems and components, Rios says.

But monitoring the SCADA and PLC devices is challenging because they
generally have their own firmware, specifications and custom protocols,
Rios says. The documentation for these devices may be incomplete, and the
vendors generally do not offer any tools to provide an easy way to view
what is actually on the device, Rios says.

"If you haven't done your homework beforehand, you won't survive the
attack," Rios says.

When deploying new systems, controllers and sensors into an ICS
environment, organizations have to make sure all the logic, specifications
and programs loaded onto the hardware are backed up and securely stored
somewhere else, Rios says.

As part of deployment, the organization needs to consider what kind of
built-in logging the industrial control system has; identify other ways to
collect more evidence, such as deploying a network monitoring agent; and
document how to extract each type of data during the investigation, ENISA
writes in its paper.

"The cornerstone of effective security management is the implementation of
appropriate and well-measured controls able to balance the risk and provide
mechanisms to counter and follow-up incidents," the paper says.

Forensics Analysis

The ENISA report highlights the importance of in-depth ex-post incident
analysis to learn from the attack. The forensics analysis should focus on
identifying the target of the attack, inferring the attacker's intended
goal and target, itemizing the vulnerabilities on that system and
discovering the source of the attack, according to the white paper. With
this information, the organization can take steps to defend against similar
attacks.

The first step in incident response within the ICS infrastructure is to
examine the system and identify all the impacted components, according to
the paper. This way, the investigator will understand which firmware
version the device had, how it was deployed and how it fit within the
overall network architecture. If industrial control systems are deployed
with proper planning, the investigator will know where to find the
necessary forensics data, such as network traffic data and operating system
and transaction logs.

Important Steps

Because industrial control systems are highly customized and have their own
unique firmware, an analysis after a breach is time-consuming, Rios says. A
thorough understanding of what each process does, and knowing where to find
forensics data, can help with post-incident investigation, he says.

ENISA says improving the quality and amount of data collected to analyze
incidents will help organizations understand how to prevent similar
attacks. The insights gained from investigations can also be used to deploy
similar systems in a far more secure manner. More importantly, the
information can be shared with others globally to strengthen overall
defenses as well as to develop a comprehensive and up-to-date view of what
attacks on ICS infrastructure look like, according to the paper.

"Enabling inter-state collaboration is critical, as attacks may be targeted
across a number of sites, from a number of foreign jurisdictions," ENISA
writes in the paper.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/