Symantec published an article about the recent ‘re-discovery’ of a group known as ‘Dragonfly’. The article is a decent analysis of the threat/attack vectors this group uses and even has a handy chart displaying their progress since they were last discovered.
Symantec is capable of preventing and minimizing damage to their clients’ assets through their suite of products. But the statement, “Symantec customers are protected against the activities of the Dragonfly group,” provides a false sense of security. In an ICS (industrial control systems) network, it is not possible to deploy all the tools a product like Symantec has to offer with the level of automatic updating and intervention it provides.
You may use half of its features (antivirus but not endpoint, limited to specific systems or scaled down functions like alert but don’t block, etc). Symantec is not to blame, but rather a consequence of the reality of OT equipment and OEM vendor control and support.
An appropriate level of security comfort is something that very few currently have. It is a detailed, up-to-date profile of their asset fleet. There are a few qualifiers to that statement so let’s walk through them.
Asset-level details
Asset list is not referring to a list of IP addresses. That would be considered a base level head count. Asset details refer to the device components such as the relay, controller, PLC, engineering station, etc. What software is running on it (hardware, firmware, serial number, software, OS, etc)? Where is it located physically? This level of asset detail allows you to truly understand what assets you have and how it is configured.
Active data collection
Clients typically assume their asset list is reasonably accurate. But in the last five client asset lists seen in the past three months, only one was 90% accurate. On the other end of the spectrum, there were 590% more IP-enabled assets at a particular site than they knew about. The only way to combat this discrepancy is to implement a proactive set of data collection and asset inventory tools.
These tools can be native to that system, passive in listening (though this does lack system specific details) and/or make use of agents on OS based devices. More often than not, it is a combination of multiple data profiling techniques and technologies that will provide you an accurate inventory.
Benefits of asset data
Once compiled, the data in this asset list database is invaluable. It allows you to create profiles of assets or classes of assets. These profiles enable more accurate creation and tuning of security tools like whitelisting, vulnerability scanning and change management.
The biggest benefit is querying the database for specific risks. Showing devices in scope for a current or emerging threat, you refine the workload to those truly at risk. For example, in the recent WannaCry threat if you could query your asset database to show just those systems with SMB ports 139 and 445 enabled, you don’t need to use a Windows disk patching all systems. Instead, disable the ports on those systems.
Best-in-class IT tools are great for the function they provide, assuming you take advantage of them. For a more robust, accurate ability to act and react to cyber threats inICS networks, start with a more inclusive view of your assets.
Asset visibility lifts the veil of uncertainty and allows ICS security teams to focus their very limited resources on what is truly at risk in a way that is safe for OT.