The security of industrial control systems (ICS) was battered in 2017 by a series of high-profile, powerful malware attacks that exposed their growing vulnerability, according to a report from industrial cybersecurity firm Dragos.
The company said it tracked 193 vulnerability advisories affecting ICS products. Of those, 61 percent would let an attacker inflict both loss of view and loss of control on the affected asset.
“This means that a large percentage of ICS-related vulnerabilities will cause severe operational impact if exploited,” the report noted.
Said an industry media review of the report:
One of the perennial problems with vulnerabilities in ICS products is the great difficulty organizations face in patching them. The touchy and critical nature of these systems tends to delay patch cycles – sometimes indefinitely. Dragos believes that to get over this hump organizations need to work harder to develop better test systems that can reliably vet patches so that impacted organizations can roll them out more quickly with confidence.
Convincing executives to buy into such test platforms is the hard part, according to Reid Wightman, senior vulnerability analyst for Dragos and author of the report.
“Engineers are likely to benefit from it in that they can test new setups prior to a maintenance window, and it can really speed up the time that it takes to repair software systems during that maintenance window,” Wightman explains. “A test system can really boost profit in a lot of ways, it isn’t just a cost sink.”
What’s more, the problem isn’t just limited to patches and reducing the time it takes to get them issued and installed. “One of the more startling statistics from this report is that of the crop of ICS-related vulnerabilities last year, 64% impacted components that were insecure by design. In other words, the patch wouldn’t fully eliminate the risk of compromise,” the industry media report noted. [source]
Analysis: It is beginning to look more and more like it will take a major cybersecurity incident that causes massive damage, loss of revenue, and/or major disruption to convince the private sector that spending money to better protect resources and infrastructure is worth the initial cost. I get the dollars-and-cents profit aspect of capitalist ventures, but in the era of hacking, if you can’t protect your systems your company is a sitting duck. Why risk it?
Perhaps the answer is better buy-in from the federal government, which is, of course, struggling to protect its own systems. Cyber is a problem for both public and private entities; neither can solve it alone.