Industrial control systems were traditionally shielded from security threats due to their lack of external connectivity and the proprietary nature of their hardware and software. Today, however, ICSes, which oversee manufacturing processes and support key infrastructures, such as transportation systems and energy distribution networks, are isolated no longer.
Indeed, these systems now run on standards-based architectures and technologies and use the internet to connect with other ICS, IT and IoT systems. This interconnectivity has led to innovation and reduced costs as it enabled companies to remotely manage, monitor and control their ICSes.
But it has also dramatically increased ICSes' exposure to cyber attacks.
Why ICS threat intelligence is key
Strong, effective ICS security is a must. Any compromise could result in loss of life and environmental disaster. The high availability requirements of ICSes mean security measures must not only be able to detect attacks, but, more importantly, they must prevent any attack from causing disruption.
Threat intelligence, therefore, must be part of any ICS security strategy. This lets companies mitigate threats to operational continuity before they lead to downtime. Not surprisingly, one of the key metrics to evaluate the effectiveness of ICS threat intelligence is mean time to recovery -- the time between an attack's first operational disruption and the time when operations return to normal.
ICSes have a different threat landscape than traditional IT networks, and the consequences of a successful attack on an ICS can be much more severe. Generic threat intelligence, while useful, can't inherently help security teams improve their organizations' overall ICS security.
Instead, organizations need ICS threat intelligence -- that is, threat intelligence specifically tailored to ICS equipment and processes. This enables organizations to gain an in-depth understanding of an attacker's motives and capabilities, past activities and the potential effects on their operations.
Types of threat intelligence
Actionable information and insights into how adversaries compromise and disrupt systems can help predict and prepare for future attacks, stop active attacks and improve incident response plans. The three main types of threat intelligence are the following:
- Strategic threat intelligence. This encompasses high-level, big-picture reports that detail the threat landscape, trends and potential effects. With this data, organizations can assess current and emerging risks and threats. Strategic intelligence is also valuable in making senior management aware of the overall threat environment, thus helping executives make more informed risk management decisions, security strategies and infrastructure changes aimed at strengthening the continuity and resilience of operations.
- Tactical threat intelligence. This incorporates observed patterns, tactics, techniques and procedures associated with an attack lifecycle, the particular ICS technology being targeted, and the technical goals and consequences of the attack. This type of intelligence is used by SIEM systems and other analytical tools to link and analyze data points associated with a type of attack so security controls, such as firewalls and intrusion detection systems (IDSes), can be more effectively configured before an attack occurs.
- Operational and technical threat intelligence. This entails detailed threat behavior and technical indicators, as well as signatures of emerging or active malicious activities, such as IP addresses and domains being used by suspicious endpoints, phishing email headers and hash checksums of malware. These indicators of compromise (IOCs) help organizations identify and stop incoming attacks and can be used to automatically block similar incidents in the future.
How to gather ICS threat intelligence
Threat intelligence can be acquired from both internal and external sources.
Internal ICS threat intelligence sources
Events and alerts logged by internal monitoring systems can be aggregated and analyzed in a SIEM system to turn unrelated and simple events into enterprise intelligence by comparing them to a baseline of typical activity to highlight unusual activity.
Analyzing suspicious activity can provide additional information that can be used to stop future attacks. For example, collecting IOCs and signatures of attack activity -- among them IP addresses and protocols used, file names and hashes, along with details of security control settings that failed to spot and stop the attack -- can all be used to better protect systems against similar attempts to compromise or disrupt operations.
External ICS threat intelligence sources
External sources of ICS threat intelligence can broaden the range and depth of information security teams base their decisions on. External sources include commercial and open source subscription services, security vendor reports and information shared within the industry and from government agencies, such as the Cybersecurity and Infrastructure Security Agency (CISA).
Look for quality third-party threat intelligence that is relevant, accurate and timely. It should describe the threat and explain its effect and the actions necessary to prevent or reduce the risk of the vulnerability affecting operations. Relevance is especially important as certain threats may only affect specific industries, verticals and geographic regions or particular technologies. Case in point: Spear phishing attacks target specific industries and individuals.
Avoid too much ICS threat intelligence
The main challenge with incorporating threat intelligence into a security program is information overload. To that end, it's important to be selective when choosing which sources of intelligence to use. Strategic intelligence should be collected only from evidence-based reports and white papers originating from well-respected security, industry and government agency leaders. Security teams should review these reports and present the results to stakeholders whenever an evolving threat is discovered or when significant changes to the threat landscape warrant a review of perceived risks and mitigation strategies.
Use ICS threat intelligence to make it tougher for hackers
Tactical intelligence should be shared with security, operations and network teams so they can join forces to prioritize efforts to monitor and strengthen areas likely to come under attack. To extract important and usable intelligence in a timely manner, machine learning technology is required to filter and prioritize the quantity of information. This is also true of operational and technical threat data, which should be fed straight into active security controls, such as firewalls, IDSes and monitoring tools.
An important goal of any security initiative is to increase the cost and time it takes cybercriminals to mount a successful attack. ICS threat intelligence meets this objective by improving the effectiveness of real-time prevention and detection, which, in turn, makes security systems more proactive in combating a potential attack. At the same time, response and recovery efforts become more efficient, which lets enterprises withstand cyber incidents with minimal affect.
Incorporating threat intelligence into ICS security is not an easy task. It requires specialized workers to fully understand and react to the flow of information. Mission-critical systems and services are coming under increasing attack from nation-states and other sophisticated bad actors. Having a better understanding of how, why and when attacks will occur can only help ICSes become more resilient.
To help others defend against infrastructure attacks, consider sharing internally collected threat intelligence, if possible, via initiatives such as CISA's Automated Indicator Sharing community and the Cyber Threat Alliance.