Hunting and responding to ICS intrusions

In a series of reports, specialist cybersecurity vendor Dragos has published data on the cybersecurity risks facing industrial control systems (ICS). One of the three reports is titled Hunting and Responding to Industrial Intrusions (registration required).

In this report Dragos provides advice for security researchers and teams on how to deal with ICS attacks.

Ben Miller, Director of Threat Operations Center, Dragos commented: “2017 has shown that industrial attacks are being commoditized through new malware with real-world impacts to reliability and safety. Many are reacting to these threats when they should be looking instead (to) prepare against the next threats.”

Miller points out that the IT connections into ICS systems are often not managed by the IT department at all, but by the ICS vendor or its partners. Security teams therefore have little visibility of what is going on over those connections. Worryingly, it also limits the ability of IT to improve their security.

The use of phishing attacks to steal credentials is also on the increase. If a supplier is compromised, it may not see the downstream attacks on its clients. Even if it does, there is no guarantee it will realise that credentials stolen from its own staff were used.

What do you need to protect an ICS network?

Ben Miller, Director of Threat Operations Center, Dragos

Miller lists a number of things that organisations need in order to protect their ICS networks. In reality, these differ little from what companies already use to protect their ordinary IT networks. They include:

Visibility of equipment, networks and systems: If you cannot see them, you cannot monitor them. For ICS this is not as simple as it is for general IT. Many ICS networks use older protocols that general-purpose security tools do not recognise. To counter this, security teams need to hunt for and identify every ICS device and network segment. IT might not know what is being used to manage and control the ICS devices, and may have no direct experience of patching and maintaining them. Unlike most IT networks, many older ICS networks were installed as point solutions, so documentation of what was installed, and where, is often missing.

Data: IT systems generate lots of log files, which are swept up by security systems and analysed. The equivalent data from ICS systems has to be gathered too. Without it, security teams have no visibility of attacks, and they cannot trace back through an attack to see where it happened and how.

Intelligence and analysis: There is substantial investment in AI solutions to speed up the analysis of large volumes of security data. Techniques such as behavioural analysis rely on the security tooling knowing what is normal and what is not. Having the right data from the ICS environment to train those systems is important. Without it, AI and machine learning cybersecurity solutions are unlikely to spot attacks or, worse, will report too many false positives.
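The visibility and behavioural-analysis points above can be tied together in a small passive monitor. The following is an added example, not code from the Dragos report: it decodes Modbus/TCP request frames from a list of captured packets, builds an inventory of the PLCs that answer them, learns which client talks to which device with which function code during a baseline window, and then flags traffic that falls outside that baseline, rating writes higher because they can change process state. The IP addresses, the captures and the "learn then detect" split are all constructed for illustration; a real deployment would feed the same functions from a SPAN port via a packet library rather than from hard-coded tuples.

```python
"""Passive Modbus/TCP asset inventory and behavioural baseline.

Added example (not from the Dragos report). Everything here is observed from
mirrored traffic; nothing is ever sent to the control network.
"""
import struct
from collections import defaultdict

MODBUS_TCP_PORT = 502
# Function codes that change process state (Modbus Application Protocol spec).
WRITE_FUNCTIONS = {0x05, 0x06, 0x0F, 0x10, 0x16, 0x17}
FUNCTION_NAMES = {
    0x01: "Read Coils", 0x03: "Read Holding Registers",
    0x05: "Write Single Coil", 0x06: "Write Single Register",
    0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers",
}


def parse_modbus_tcp(payload):
    """Decode the 7-byte MBAP header plus the function code that follows it.

    MBAP = transaction id (2) | protocol id (2, always 0) | length (2) | unit id (1).
    Returns None for anything that is not a well-formed Modbus/TCP frame.
    """
    if len(payload) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:
        return None
    return {"transaction": tid, "unit": unit, "function": payload[7], "data": payload[8:]}


def modbus_requests(capture):
    """Yield (src, dst, frame) for packets that decode as Modbus/TCP requests.

    capture: iterable of (src_ip, dst_ip, dst_port, tcp_payload) tuples; only
    traffic towards port 502 (client -> PLC) is considered here.
    """
    for src, dst, dport, payload in capture:
        if dport != MODBUS_TCP_PORT:
            continue
        frame = parse_modbus_tcp(payload)
        if frame is not None:
            yield src, dst, frame


def build_inventory(capture):
    """Map each (plc_ip, unit_id) to the clients and function codes seen using it."""
    inventory = defaultdict(lambda: {"clients": set(), "functions": set()})
    for src, dst, frame in modbus_requests(capture):
        entry = inventory[(dst, frame["unit"])]
        entry["clients"].add(src)
        entry["functions"].add(frame["function"])
    return dict(inventory)


def learn_baseline(capture):
    """Set of (client, plc, unit, function) tuples observed during a learning window."""
    return {(src, dst, f["unit"], f["function"]) for src, dst, f in modbus_requests(capture)}


def detect_anomalies(capture, baseline):
    """Return one alert per request whose (client, plc, unit, function) is not in the baseline."""
    known_clients = defaultdict(set)
    for src, dst, unit, _ in baseline:
        known_clients[(dst, unit)].add(src)
    alerts = []
    for src, dst, f in modbus_requests(capture):
        if (src, dst, f["unit"], f["function"]) in baseline:
            continue
        alerts.append({
            "src": src, "dst": dst, "unit": f["unit"],
            "function": FUNCTION_NAMES.get(f["function"], "0x%02x" % f["function"]),
            # An unbaselined write can change the process, so it is rated high.
            "severity": "high" if f["function"] in WRITE_FUNCTIONS else "medium",
            "new_client": src not in known_clients[(dst, f["unit"])],
        })
    return alerts


# Constructed sample frames (hex): MBAP header, unit id 1, then the Modbus PDU.
READ_HR = bytes.fromhex("000100000006" "01" "03" "0000000A")            # read 10 holding regs
WRITE_SINGLE_REG = bytes.fromhex("000200000006" "01" "06" "000100FF")   # write reg 1 := 0x00FF
WRITE_MULTI = bytes.fromhex("000300000009" "01" "10" "00000001020005")  # write 1 reg at addr 0
WRITE_COIL = bytes.fromhex("000400000006" "01" "05" "0000FF00")         # set coil 0 ON

# Constructed captures: (src_ip, dst_ip, dst_port, payload). Addresses are hypothetical.
LEARNING_CAPTURE = [
    ("10.0.0.10", "10.0.0.20", 502, READ_HR),           # HMI polls PLC A
    ("10.0.0.10", "10.0.0.20", 502, READ_HR),
    ("10.0.0.11", "10.0.0.20", 502, WRITE_SINGLE_REG),  # engineering workstation writes PLC A
    ("10.0.0.10", "10.0.0.21", 502, READ_HR),           # HMI polls PLC B
]
MONITORING_CAPTURE = [
    ("10.0.0.10", "10.0.0.20", 502, READ_HR),              # known behaviour
    ("10.0.0.99", "10.0.0.20", 502, WRITE_MULTI),          # unknown host writing to PLC A
    ("10.0.0.10", "10.0.0.21", 502, WRITE_COIL),           # known host, never wrote before
    ("10.0.0.10", "10.0.0.20", 502, b"\x00\x06\x00\x01"),  # truncated frame, ignored
    ("10.0.0.10", "10.0.0.20", 80, READ_HR),               # not on the Modbus port, ignored
]

if __name__ == "__main__":
    for (plc, unit), entry in sorted(build_inventory(LEARNING_CAPTURE).items()):
        print(plc, "unit", unit, "clients", sorted(entry["clients"]),
              "functions", sorted(entry["functions"]))
    for alert in detect_anomalies(MONITORING_CAPTURE, learn_baseline(LEARNING_CAPTURE)):
        print(alert)
```

Run as-is, the inventory shows two PLCs and the monitor raises two high-severity alerts: a host that was never seen in the baseline writing multiple registers to PLC A, and the HMI issuing a coil write to PLC B that it never issued during learning. The malformed frame and the traffic on port 80 are silently dropped, which is the behaviour you want from a passive sensor on a bandwidth-sensitive network: it never talks to the PLCs, so it cannot disturb them the way an active scan can. A production version would keep the baseline per shift or per operating mode, track responses and exception codes as well as requests, and add decoders for the other protocols found in the inventory.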

Testing: As always, this is a major challenge for many organisations. Software testing is improving as tools and methodologies make it part of the development process. Hardware is rarely tested when it arrives at a company; the assumption is that the vendor has done all of that. Network testing is designed to detect weaknesses or unexpected traffic from devices and software. ICS networks need to be tested not just before they are deployed but throughout their lifecycle, because the longevity of ICS networks means they can fall prey to attacks that were not understood when they were designed and deployed.

What does this mean?

Many ICS networks are invisible to IT departments. There is an urgent need for them to identify which ICS networks and devices are spread across the business. Without this, security teams cannot protect ICS networks. However, this is easier said than done, as there is a significant shortage of skills around ICS networks and cybersecurity in general.

Industrial businesses and anyone involved in critical national infrastructure (CNI) especially need to up their game. Miller’s report provides a means by which they can start to do this.


  1. It is better to install new monitoring systems on the ICS side and DMZ the IT side. The further IT is from OT the better both will get along and the safer/securer each will be. Don’t just start scanning all ICS equipment without understanding why those systems are configured the way they are and what impact your scanning will have to the system. ICS is sensitive to bandwidth, availability, etc.

