The information security field is full of certifications – CompTIA, GIAC, CHE, ISC2 CISSP, CISM, with a vast number of areas and directions within these families. In the industrial space, the most “unsecured” enterprise sector compared to well-established information security practice in most economies, the situation is absolutely different.
We have just a few known certifications related to Industrial (ICS/SCADA) security – IC32 from ISA99 and, recently, a GICSP, based on a SANS training course.
There were a number of hot debates recently in the Industrial Automation community about which of those two is better and whether either of them is good enough to ensure that the certified person can do a good job on Industrial Security.
In fact, I personally do not think either IC32 or GICSP is sufficient for people to be responsible for ICS cyber security.
More than that, I do not believe that one person could be fully responsible for security of a critical infrastructure, being skilled enough in both IT Security and Engineering. It takes a mixed team with enough knowledge overall to make the right decisions, and to safely walk through a “SCADA Triangle”.
What is the SCADA Triangle? The creator of the SCADA Triangle idiom is Jason Larsen from INL.
He made one of the most remarkable speeches during the latest S4x2014 conference. His talk focused on the potential staging of an attack on an industrial system, using a device with limited resources – having only 4 kilobytes of memory. This is not enough to record and replay data to fool the control room, hiding an attack from the operator. But he discussed some ways that could make such a hidden attack possible, particularly the
DSP (digital signal processing) techniques that modulate the fake signal by using triangulation.
Jason’s keynote was full of technical details, which led to the tongue-in-cheek response from the audience: “OK, so we now understand that SCADA is a triangle”. Eventually it became a recurring joke during the entire four-day conference.
Jokes aside, today on many (not all, but many) industrial sites, we have a real SCADA Triangle.
Bermuda SCADA Triangle describes people involved in the ICS security decisions, namely:
- - Engineers, who are often more afraid of security measures than of malware,
- - IT security people, most likely not allowed to go into or make decisions about industrial infrastructure,
- - CEOs, who don’t see how Cyber Security spending relates to revenues and why should they invest in it;
ICS security is typically lost in this triangle, in many cases without even clear decisions on how responsibility for ICS security has to be split between the teams and people inside the company.
Efficient ICS security is to be built by the above mentioned team of people. So there is no such thing as a single professional certification. Instead there are several things to be done:
1) Establish a common language and understanding between the decision-makers from CxO, engineers and IT. Change their perception of the problem. It’s not easy, as lectures and technical red/blue exercises are flawed: too long, too technical, boring, not for managers, failing to build “common language” at the “common sense” level.
A good example of how it gets solved is Kaspersky Industrial Protection Simulation (KIPS), a role playing game featuring a simulated water utility trying to accomplish its mission to produce and sell water to the community, while dealing with and resolving a number of unexpected cyber events.
I have seen it run at the ICS Cyber Security Conference, Cyber Security Malaysia, Security Analyst Summit (so some of you have already played it as well), feedback ranged between “It was truly eye-opening and a number of the participants asked about setting up this game at their companies” and “We have to build a network of people based on affiliation and cooperation and the KIPS is a perfect way how to kick it off.”
So it is possible to sail through a SCADA Triangle safely, but it is an enormous task to make such mutual understanding among ICS-related decision makers happen worldwide.
- 2) Educate Engineers on the basics of IT security
- 3) This is what IC32 stands for. It is somewhat weak from a security specialist point of view, but provides overall understanding to engineers.
- 4) Educate IT security professionals on ICS specifics
- 5) This is also a very important part – as we have Security teams inside the companies, security service providers, government agencies responsible for regulation/audit – but none of them understand the specifics of ICS (I run trainings on ICS/SCADA Security Basics for such entities).SANS ICS training (note that I was not able to take the course personally yet) can also be helpful for providing such basics to security people, but I would not set the goal of having certification as creating “compliant”, “ready-to-go” ICS Security experts.
And after those people have more understanding of each other’s “playgrounds”, a company should form the team including both engineering and IT security specialists, to make effective decisions on ICS security.
P.S.: After setting up the ICS security team decision-making process, there is still a big challenge on making all employees on the industrial site obey security rules so they do not become the weakest link. But that is another (big) topic to cover.
What do you think?
Vyacheslav Borilin is a business development manager at Kaspersky Lab and specializes in ICS security.