Just the other day Symantec published an article about the recent ‘re-discovery’ of a group known as ‘Dragonfly’. Now the article itself is a decent analysis of the threat/attack vectors this group uses and even has a handy chart displaying their ‘progress’ since the last time they were discovered. My only real critique is the fact that Symantec says twice in this article that “Symantec customers are protected against the activities of the Dragonfly group.” This I have a problem with. On many fronts. Symantec is a good company that does good things. They even have the ability with their suite of products to likely prevent or minimize damage to their clients’ assets. But this statement provides a false sense of security because in an ICS network you cant deploy all the tools a product like Symantec has to offer with the level of automatic updating and intervention it provides. In reality you are maybe able to use half of its features (AV but not end point or end point but limited to specific systems or scaled down functions like alert but don’t block, etc). This is not the fault of Symantec but rather a consequence of the reality of OT equipment and OEM vendor control/support.
What would provide an appropriate level of security comfort is something that very few currently have and that is a detailed, up to date profile of their asset fleet. There are a few qualifiers to that statement so lets walk through them.
When I say asset list I don’t mean a list of IP addresses. That is just a base level ‘head count’. I mean detail. Like what is the device (relay, controller, PLC, engineering station….)? What is running on it (hardware, firmware, serial number, software, OS, etc). And where is it located physically and functionally in your plant or where along the process? I am talking about the sort of detail that lets you truly understand what is really out there and how it is configured.
Too many times we see an ‘asset list’ from a client and they are pretty sure it is ‘reasonably’ accurate. Like 90% accurate but this is rarely the case. In the last 5 client asset lists I have seen in the last 3 months only one was 90% accurate. At the other end of the spectrum, we found there were 590% more IP enabled assets at a particular site than they thought. The only way to combat this is to be active. I don’t mean actively scanning an OT network but I do mean implementing a proactive set of data collection and asset inventory tools. They can be native to that system, they can be passive in listening (though this does lack system specific details) and/or they can make use of agents on OS based devices. More likely, however, it is a combination of multiple data profiling techniques and technologies that will provide you an accurate inventory.
Once compiled the data in this asset list/database is invaluable. It allows for you to create profiles of assets or classes of assets. These profiles then enable more accurate creation and tuning of security tools like white listing, vulnerability scanning and change management. But what is most beneficial is the ability to query the database for a specific risk. By being able to show only those devices that are in scope for a current or emerging threat you are refining your work load to only that which is truly at risk. For example the recent WannaCry threat which we wrote about as well: imagine if you could query your asset database to show just those systems with SMB ports 139 and 445 enabled? You don’t need to run around with a windows disk patching all systems, you could just disable the ports on those systems. Crisis averted!
Best in class IT tools are great for the function they provide assuming you are able to take advantage of them. However for a more robust, more accurate ability to act and react to threats to ICS networks you need to start with a much more inclusive view of what you have installed in the first place. Visibility is what lifts the veil of uncertainty and allows ICS security teams to focus their very limited resources to what is truly at risk in a way that is safe for OT.