Boundary Protection a Headache: ICS-CERT

Wednesday, January 17, 2018 @ 11:01 AM gHale


Boundary protection remains the biggest problem in critical infrastructure organizations, according to assessments conducted by the U.S. Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).

ICS-CERT conducted 176 assessments last year, which represents a 35 percent increase compared to the previous year.

RELATED STORIES
ICS Alert: USB Malware Attack
Safety System, DCS Attacked
Advancing to IIoT Means Back to Security Basics
Cyber Adds to Downtime Costs: ARC-SANS

The agency analyzed organizations in eight critical infrastructure sectors, but more than two-thirds of the assessments targeted the energy and water and wastewater systems sectors.

The highest number of assessments were conducted in Texas (27), followed by Alaska (20), Nebraska (15), New York (14), Washington (13), Idaho (12), Nevada (10) and Arizona (10).

ICS-CERT identified 753 issues as part of 137 architecture design reviews and network traffic analyses.

The six common weaknesses ended up related to network boundary protection, identification and authentication, allocation of resources, physical access controls, account management, and least functionality.

Improper network boundary protection, which includes inadequate boundaries between enterprise and ICS networks and the inability to detect unauthorized activity on critical systems, has been the most common type of weakness since 2014.

Identification and authentication issues can include the lack of mechanisms for tracing user actions if an account gets compromised, and increased difficulty in securing accounts belonging to former employees, particularly ones with administrator access.

Identification and authentication issues was the second most common security weakness last year.

Of all the identification and authentication issues, shared and group accounts are particularly concerning.

“A growing concern identified in many assessments this year is the use of shared and group accounts. These make it difficult to identify the actual user and they allow malicious parties to use them with anonymity. Accounts used by a shared group of users typically have poor passwords that malicious actors can easily guess and that users do not change frequently or when a member of the group leaves,” said researchers in the report.

Allocation of resources for cybersecurity is also a problem in many critical infrastructure organizations. ICS-CERT’s assessment teams noticed that many sites are short-staffed and in many cases there is no backup personnel.

“Although some sites had started planning for attrition of staff, many did not have a plan to address loss of key personnel. One site had seven key personnel, four of whom would be eligible for retirement next year,” the agency said.

While its assessments do not focus on physical access controls, ICS-CERT has often noticed that organizations fail to ensure ICS components are physically accessible only to authorized personnel.

“Overall, the ICS-CERT assessment team is still seeing many of the same vulnerabilities as in previous years, with the largest areas of concern still being the protection of the sensitive control system environment. Concerns of the attrition of skilled staff and the use of shared accounts are a growing trend. While the main issues observed this year seem largely the same, the assessment team has noted increasing attention from asset owners to control system security,” ICS-CERT said.



Leave a Reply

You must be logged in to post a comment.