2016 predictions for industrial cybersecurity

The threat of terrorism is top of mind for many, and of increasing concern to those tasked with protecting industrial control systems (ICS). ISIS has issued threats against the North American electric grid, for example. While the cyber capability of ISIS is thus far unsophisticated, advanced attack capabilities are readily purchased.

Other security challenges will be the topic of heated debate. FERC has requested comments regarding supply chain integrity and remote access rules. The Industrial Internet of Things (IIoT) is gaining steam as well, especially control system vendor “remote monitoring and diagnostics” services that concentrate many control system VPN connections deep in the hands of a small number of vendors.

Part of the reason that we continue to see large amounts of malware coming out of organized crime is that those groups have developed systems to reliably monetize stolen financial credentials. Volatile oil, gas and refined goods prices are producing opportunities to reliably monetize cyber sabotage.

My top security predictions/topics for 2016:

1. ISIS will buy sophisticated attack capabilities and launch a credible attack on the North American power grid.
2. FERC will order NERC to produce additional security controls to address the threat of cyber-supply-chain and ”cloud vendor” systems able to sabotage hundreds of critical infrastructure sites in one blow.
3. There will be reports of a criminal group launching cybersabotage attacks against refineries or pipelines in order to “game” commodities markets.
4. The security focus for the Industrial Internet of Things will shift away from privacy and encryption and over to protecting the safety and reliability of large, complex, and highly-connected industrial sites.

One way or another 2016 will be a challenge for all of us.

If you’re attending Digital Bond’s S4x16 conference in Miami, January 12-14, contact us to set up a meeting.

November news roundup: Why the energy sector is at the heart of cybersecurity discussions

In the wake of the ISIS-perpetrated Paris attacks and cyber threats against the U.K., government agencies are stepping up cybersecurity in a bid to detect and defend their critical infrastructure against a cyberattack by ISIS or other hacker groups. At the top of that list is the energy sector. Cybersecurity leaders from several countries have stated their concerns about a cyberattack against the power grid, refineries and oil or gas pipelines, and many of these infrastructures show serious vulnerabilities. For more on these and other stories that captured our attention last month, see our news roundup below. 

DHS cybersecurity director on avoiding security vulnerabilities when connecting to the IIoT (Control Design, Nov. 12, 2015)

Marty Edwards, head of the U.S. Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), recently spoke with Control Design about security vulnerabilities with IIoT. From unsecured Ethernet on system processors to using store-bought DSL routers to remotely monitor system remote facilities to BYOD, vulnerabilities are rampant. Edwards advises control systems designers to carefully weigh the advantages of connectivity against the potential risks.

Mixing ERP and production systems: Oil industry at risk, say infosec bods (TheRegister, Nov. 18, 2015) Security researchers from ERPScan described at Black Hat Europe how to hack into SAP systems and launch attacks at and take over industrial control systems in the oil and gas sector. “…insecure setups might be exploited to interfere with operational processes and lead to disruptions in production or even sabotage.” This is possible because there is a connection between the control system network and the ERP system through a firewall.

Cyberattacks on infrastructure a 'major threat,' says CSIS chief (CBCNews Canada, Nov. 19, 2015)

Michel Coulombe, director the Canadian Security Intelligence Service (CSIS), revealed his view that a cyberattack by ISIS or other extremist groups on the country's "critical infrastructure" is "a major threat;” however, others point to major gaps in Canada’s cybersecurity strategy, specifically related o critical infrastructure, such as pipelines.

Feds lack method to grade critical infrastructure cybersecurity (The Hill, Nov. 20, 2015)

According to a new report by the Government Accountability Office (GAO), of the 15 critical infrastructures examined, 12 were overseen by agencies without proper cybersecurity metrics or formal methods to essential to protect networks from cyberattacks. These findings may add fuel to the argument that critical infrastructure industries should be required to share cybersecurity data with the government.

DARPA wants early warning system for power-grid cyberattacks (NetworkWorld, Nov 24. 2015)

The Defense Advanced Research Projects Agency (DARPA) announced the development of a new system designed to support the nation’s electric grid defenses. Called Rapid Attack Detection, Isolation and Characterization (RADICS), the system will detect and automatically respond to cyberattacks on U.S. critical infrastructure. Exact details of what the RADICS system will entail were not disclosed, but the agency will hold a Proposers Day on Dec. 14 to detail it further.

If we’ve learned nothing else in this business, it’s that cyber capabilities evolve slowly. Motive, however, can change in an instant. For organizations like ISIS, motive is in strong supply and the cyberattack capabilities necessary to wreak real havoc can be bought. We cannot sit idle while ISIS or other groups plot against our most critical infrastructures. Our very way of life depends on them.

For more on how our better-than-firewalls unidirectional gateway technology can improve critical infrastructure security, visit our resources page.

Frost & Sullivan recognizes Waterfall Security Solutions for Customer Value Excellence through Technology Convergence for 4th consecutive year

For the fourth year in a row, Frost & Sullivan has recognized Waterfall with a Customer Value Excellence through Technology Convergence award.

This honor is awarded to a company that exhibits exceptional technology convergence impact and customer impact, proving the company’s ability to have consistent growth potential, ROI benefits and a significant impact on the security industry.

Ashay Abbhi, senior analyst at Frost & Sullivan, said, “Frost & Sullivan considers Waterfall’s pioneering solution to potentially become the standard in cybersecurity across industries, brought about by its disruptive technological convergence to secure the most vulnerable and sensitive point of attack – the data.”

Highlighted in the solution assessment is Waterfall’s Application Data Control (ADC) solution, which provides fine-grained policy controls for data in motion through Waterfall’s Unidirectional Security Gateway and FLIP products. The ADC add-on provides in-line controls for data movement, content restrictions, in-line anti-virus scanning and other/custom scanning and verification of files, BLOBs and any suspect or sensitive content. ADC controls can be applied to support data exfiltration prevention as well as powerful controls over data permitted back into critical networks.

“Waterfall enables safe IT/OT integration while ensuring the amalgamation of data from these silos is secured and the vulnerability removed by moving the data in only one direction instead of the customary bidirectional movement,” Abbhi added.

We’re honored to have earned Frost & Sullivan’s recognition once again. This award is testament to the needs for stronger-than-firewall security solutions for industrial control systems and further validates our product and commitment to safeguarding these important assets.

To learn more about our technology and how it protects ICS, visit our Resources page.