There's growing awareness among corporate board members of the cyber risks to industrial control systems. That's one of the relatively positive outcomes of the pain inflicted by last year's NotPetya infestations. Symposiasts at SecurityWeek's ICS Security Conference in Atlanta expressed some gratification at the extent to which traditional Risk Management Framework practices are increasingly being adopted. Unsurprisingly, they think there's more work to be done.
In particular they see asset management as a widespread deficiency. Organizations continue to scramble, improvising asset management even in the course of incident response. Sound configuration management can't be taken for granted, especially when industrial plants use equipment they acquired years ago, and for which documentation may be sadly lacking. And knowing your attack surface, Rockwell Automation's Umair Masud said, was likely to be at least as important as, and arguably more important than, detailed intelligence of particular threats.
While there may be an approaching convergence of IT and OT, the two worlds remain farther apart, culturally and technically, than one might wish. Indegy's Barak Perelman emphasized the informal modes of information transmission still found in OT (that system was inherited, there were lots of changes made along the way, it's been around for years, and there's no documentation) and a lack of IT appreciation for the realities of industrial systems ("No, I can't just restart the turbine").
Dragos, in a presentation on Xenotime, the threat actor behind the Trisis malware that hit safety systems in an unnamed Saudi energy production facility, emphasized the disturbing news that cyberattacks were now designed to kill. Trisis was intended to be lethal, and other such attacks can be expected. Dragos CEO Robert M. Lee did offer some encouragement when he cautioned people against forming a picture of the attacker as hyper-competent and effectively invincible. Instead, he argued, remember that they make mistakes. They certainly did with Trisis—their attack on safety systems shut the facility down, twice, which wasn't their intention. Lee suggested an alternative picture of the ICS hacker: they're 18 to 30 years old, in their first government job, and dealing with management and PowerPoint "just like you."