SANS and Dragos hosted a virtual conference (DISC SANS) on May 1st, 2020 that was open to the ICS community. Many folks from both IT Security and OT/ICS audiences attended this special event. 

The presenters ranged from SANS Institute instructors to Dragos Professional Services and Threat Intel team members. The content focused primarily on education, especially during a time when many folks are at home and working remotely. It was great hearing technical insights, lessons learned, and best practices for ICS/OT cybersecurity from all the speakers.

During the conference, members of our engaged industrial cybersecurity community asked many great questions. We went through all of them and, while it was hard to choose, these 7 made our Top 7. Here you have it!

Q: Rob, what would the recommendation be for more accurate architecture diagrams? e.g. more frequent architecture reviews/updates or more technical discovery such as pcaps, ARP table, etc.?

A: Network traffic monitoring will help you keep it all together and know what the “real” status looks like and then do config analysis like assessing your firewalls/switches. Asset Identification through Network Security Monitoring should provide a lot of this but also Austin Scott’s presentation this afternoon goes into a ton of easy wins that you can do, too.

Q: How do you convince executives that feel ICS security is overrated?

A: Help them understand the risk and scenarios that are real. Not vulnerabilities or malware but talk through scenarios like WannaCry in Mfg, attacks on safety systems like in 2017, grid outage like in Ukraine, etc. Present the scenario and map it to the business risk like Jason Christopher discussed in his presentation.

Q: Which SIEM or tools do you recommend to centralize ICS logs?

A: Dragos Platform can do it and then for host-based logs we see Splunk and QRadar a lot – it’s not ICS-specific and not ICS-specific content but it can take the logs. For network traffic which is where most of the value is in ICS definitely the Dragos Platform; hate to be a straight shill for it but it’s awesome and is built specifically for that use case of dissecting ICS protocols and giving folks visibility with central monitoring and threat detection/response use-cases.

Q: Jason Christopher, do you have a good format or template for quantifying risk in ICS?

A: There are some simple ways to break it down, and I gave an example you could use at S4 with AIG when talking about cyber insurance in the ICS space: https://www.youtube.com/watch?v=F-BBv0S2Mjw And this whitepaper from the SANS Reading Room can help recreate some of that analysis: https://www.sans.org/reading-room/whitepapers/cyberinsurance/incentivizing-cyber-security-case-cyber-insurance-37845

Q: What is the difference between threat intelligence vs threat hunting and incident response?

A: Threat hunting is a hypothesis driven by proactive security. It is hunting a threat beyond alerts. Incident response is responding to an incident and managing the aftermath of a breach or attack. Intelligence is knowledge about the adversary. It supports other areas such as threat hunting and incident response.

Q: Best sources for ICS threat intel?

A: The best sources for ICS threat intelligence are ICS-CERT, semi-public Information Sharing and Analysis Centers (ISACs), and Dragos’ WorldView threat intelligence reports.

Q: Just wondering what might be the difference between “Patch the vulnerability” and “Mitigate the Vulnerability.” My assumption is when we say “Mitigate the vulnerability” it means we can apply patches so that we mitigate the risk/threat. Am I missing anything?

A: Patching is a way to mitigate the risk, provided the patch works properly; also determine if it is possible to mitigate a vulnerability without applying a patch. For cases where a patch cannot be applied, or it is ineffective, it is necessary to understand the vulnerable component better and determine what else can be done to mitigate the risk. Crippling the vulnerable component by manually changing its configuration (such as permissions on files and folders, adding Dynamic Link Library [DLL] Hijacking Protection, etc.) is another way to mitigate the risk. That can only be accomplished if the risk is fully understood.

We hope you learned something new. Click here to view a recording of the full conference or the individual sessions.

 

 
