The modern world is managed by way of industrial control systems (ICS), including supervisory control and data acquisition (SCADA) technologies that are used to control nearly every facet of modern industry and utility operations. But how does any factory, utility or government know that its SCADA systems and processes are secure and not vulnerable to exploitation?
While SCADA security has been somewhat of a mysterious art in the past, security vendor FireEye is aiming to help make it easier with a new service called the ICS Gap Assessment. The goal is to provide industry with a way to understand security and identify areas where more defenses and processes are needed.
Dan Scali, manager of Strategic Solutions at FireEye, explained to eSecurityPlanet that the ICS Security Gap Assessment includes a thorough evaluation of an organization's existing policies, incident response readiness and ICS architecture.
"We'll model a network diagram, which in many cases doesn't exist for the ICS, and we'll identify the threats," Scali said. "Then we'll walk through the prioritization and figure out what security controls can be put in place."
Understanding how ready an organization is to respond to threats and security incidents is another key part of the solution, Scali added.
Scali, who once worked for leading ICS vendor General Electric (GE), said that while the product is primarily meant for asset owners, "On the product security side, the vendors need a lot of help as well."
Looking for SCADA Anomalies
From a technology perspective, FireEye takes packet captures from the industrial network to look at the traffic, which sometimes yields surprising results.
"It's sort of like moving the couch in your home, and you find change and things that you lost," Scali said. "With ICS, you'll see connectivity paths that you didn't know were there and maybe a firewall that you thought was configured but that's not really the case."
ICS have been the target of attackers at multiple points in the past. Perhaps the most famous incident is the Stuxnet worm, which took aim at Iran's nuclear reactors back in 2011.
"By its nature an ICS attack is going to be low frequency and high-impact," Scali said. "I would venture to say that as an industry, we still don't really know what a full-scale ICS attack looks like."
Stuxnet is one of the few ICS attacks that have ever been publicly reported and analyzed. Scali said that it's important to both monitor and understand ICS networks in order to understand what a compromise will look like.
"That's what's behind our strategy; it is about understanding what is normal and being able to find anomalies and hunt for indicators of compromise before something happens," he said.
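The two ideas in this piece, reviewing capture data to find connectivity paths that should not exist and building a picture of "normal" so that deviations stand out, can be sketched in a few dozen lines. The following is an added example, not FireEye's tooling or anything described by Scali: it assumes a hypothetical Purdue-style zone layout, a set of zone-to-zone paths the (assumed) architecture diagram permits, and flow records already summarised from a capture, all constructed here for the example. A known-good capture becomes the baseline; a later capture is then checked against both the baseline and the diagram.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical zone layout, Purdue-style; addresses are constructed for the example.
ZONES = {
    "enterprise":  ip_network("10.10.0.0/16"),
    "dmz":         ip_network("10.20.0.0/24"),
    "supervisory": ip_network("192.168.1.0/24"),  # HMIs, historians, engineering workstations
    "control":     ip_network("192.168.2.0/24"),  # PLCs / RTUs
}

# Zone pairs the (assumed) architecture diagram says may talk to each other directly.
PERMITTED_PATHS = {
    ("enterprise", "dmz"),
    ("dmz", "supervisory"),
    ("supervisory", "control"),
    ("supervisory", "supervisory"),
    ("control", "control"),
}

# Well-known ICS protocol ports, used only to give services readable names.
ICS_PORTS = {102: "s7comm", 502: "modbus", 20000: "dnp3", 44818: "enip"}


@dataclass(frozen=True)
class Flow:
    """One conversation summarised from a capture: who talked to whom, on which port."""
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def zone_of(ip: str) -> str:
    """Map an address to its documented zone, or 'unknown' if it is in none of them."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def service_of(flow: Flow) -> str:
    return ICS_PORTS.get(flow.dport, f"{flow.proto}/{flow.dport}")


def conversation_key(flow: Flow):
    return (zone_of(flow.src), zone_of(flow.dst), service_of(flow))


def learn_baseline(flows):
    """Known-good capture -> the set of (src_zone, dst_zone, service) that count as normal."""
    return {conversation_key(f) for f in flows}


def find_anomalies(baseline, flows):
    """Return (flow, reason) for every flow that contradicts the diagram or is new vs. the baseline."""
    findings = []
    for f in flows:
        src_zone, dst_zone, service = conversation_key(f)
        if "unknown" in (src_zone, dst_zone):
            findings.append((f, "endpoint outside any documented zone"))
        elif (src_zone, dst_zone) not in PERMITTED_PATHS:
            findings.append((f, f"path {src_zone}->{dst_zone} not permitted by architecture"))
        elif (src_zone, dst_zone, service) not in baseline:
            findings.append((f, f"new service {service} on path {src_zone}->{dst_zone}"))
    return findings


# Constructed "known-good" capture summary.
BASELINE_FLOWS = [
    Flow("192.168.1.10", "192.168.2.20", 502),    # HMI polling a PLC over Modbus
    Flow("192.168.1.11", "192.168.2.21", 44818),  # engineering workstation -> PLC, EtherNet/IP
    Flow("10.20.0.5", "192.168.1.12", 1433),      # DMZ replica pulling from the site historian
    Flow("10.10.3.7", "10.20.0.5", 443),          # enterprise user viewing DMZ reports
]

# Constructed later capture: the same traffic plus three things nobody expected.
LATER_FLOWS = BASELINE_FLOWS + [
    Flow("10.10.3.7", "192.168.2.20", 502),       # enterprise host speaking Modbus straight to a PLC
    Flow("192.168.1.10", "192.168.2.20", 4444),   # HMI -> PLC on a port never seen in the baseline
    Flow("172.16.9.9", "192.168.1.10", 3389),     # address from no documented zone reaching an HMI
]


def report(baseline_flows, later_flows):
    return find_anomalies(learn_baseline(baseline_flows), later_flows)


if __name__ == "__main__":
    for flow, reason in report(BASELINE_FLOWS, LATER_FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}  {reason}")
```

The ordering of the checks is deliberate: a flow from an address outside every documented zone is reported first, because it usually means the diagram is incomplete rather than that the traffic is malicious; a path the diagram forbids is reported next, since that is the "firewall you thought was configured" case; only then is a flow compared to the learned baseline. A real deployment would feed this from flow summaries exported by a capture tool and would carry protocol-level context (function codes, write versus read) rather than ports alone.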
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.