In March I spoke at Cyber Intelligence Asia 2014, where CERTs from most Asian countries were represented.
The fact is that only a few CERTs are now dealing in some way with industrial security, ICS and SCADA matters. One of the best of those is CERT of Japan, which is doing a great job here, and Jack YS Lin provided a nice overview of their activities and experience. Japan has a national ICS Test Bed, somewhat similar to Idaho National Lab, and is the only country besides the US that has an ISASecure certification entity. However, not all Japanese CNIs (Critical National Infrastructures) or even Industrial Automation vendors are doing enough in the security space.
The other countries seem to me much less advanced than Japan in understanding the ICS security domain and its problems, and in pursuing country-wide enhancements.
During the conference, we discussed the government role in enhancing critical infrastructure protection, and found that it is not about imposing more compliance requirements on the CNI operators (we all know that compliance is not security). Instead, it is more about educating and creating actionable awareness by using engaging techniques and tools, so that CNI operators will be involved in developing their own solutions for strengthening security.
My personal take is that the regulator’s role is mainly to do what business/market won’t do by itself. So in my opinion, the list includes (but is surely not limited to):
Enhancing intelligence & law enforcement in the cyber space;
Following both short and long-term security strategies, targeted both for CNI operators and automation vendors;
Engaging CNI management in security decisions by raising awareness in tangible form, and not just developing cybersecurity frameworks;
Imposing the need to pass Cyber Resilience tests at ICS commissioning;
Including cyber security as a mandatory part of industrial safety/liability programs;
Investing in CNI professional training and certifications;
Creating ICS-CERTs, ICS honeypots and industrial cyber drills.
PS: And, as always, people at Cyber Intelligence Asia enjoyed practicing with the Kaspersky Industrial Protection Simulation. There were moderate results, compared with other security professionals we played with in North America and Europe. This might be correlated with a certain lack of understanding of ICS specifics as stated above. I hope, however, that things will change sooner rather than later.
Does your country have an ICS CERT or ICS activity in its CERT already? What’s working best in favor of Industrial Security in your area?