​Attacks Test Cyber Resilience

Two studies highlight threats to key systems and the need to assess the organization’s defenses.

Comments Views

​The world's industrial control systems are prime targets for cyberattacks. Blame it on the Internet of Things (IoT).

Three-fourths of 320 industrial system decision-makers who responded to a Kaspersky Lab survey say their organization's operational technology/industrial control systems (OT/ICS) are a likely target. More than half say the IoT's connectivity is a major cybersecurity challenge, according to the State of Industrial Cybersecurity 2018 report. Nearly two-thirds say the IoT is more likely to cause OT/ICS risk events to occur.

Such concerns are why most respondents' organizations are prioritizing management of connected devices as they become more tightly integrated into their networks. "The good news is that we are seeing more and more businesses improving their cybersecurity policies to include dedicated measures toward safeguarding their industrial control networks," says Georgy Shebuldaev, brand manager at Kaspersky Industrial Cybersecurity.

Perception vs. Reality

Beyond IoT, most respondents are concerned about the impact of advanced persistent threats (APTs) and targeted attacks on industrial systems. Yet, those fears may not reflect the actual threats they face.

Specifically, only 16 percent of respondents say their organization experienced a targeted attack in the past 12 months. That's down from 36 percent in 2017.

Meanwhile, almost two-thirds of respondents' organizations suffered a conventional malware or virus attack against their industrial systems. Thirty percent had a ransomware attack.

Anticipating Risks

Conventional attacks may be more common, but the threats keep changing as attack methods become more sophisticated. Being able to anticipate risks through controls testing and monitoring can strengthen security and resilience.

Yet, only 12 percent of respondents to a recent Baker Tilly Virchow Krause LLP poll say their organization has a holistic cybersecurity testing program. Such integrated testing seeks to understand the organization's current risk profile and assess the design and effectiveness of its cybersecurity program, according to a Baker Tilly webinar.

Combining "cyber intelligence" techniques and traditional testing methods can give an organization "a better grasp on its potential risks," says Dan Argynov, a manager with the advisory firm's cybersecurity and IT risk practice.

Testing Techniques

The integrated testing approach described in the Baker Tilly webinar centers on an assessment of the organization's cybersecurity risk management. Speakers advocated documenting the organization's current state using a framework such as the International Organization for Standardization's ISO27001, ISACA's COBIT, or the U.S. National Institute of Standards and Technology's Cybersecurity Framework. This approach covers four parts.

Reconnaissance. At this stage, testers should build an organizationwide profile and identify targets. Testers should define the network footprint and identify worthy assets, whether they are data and network assets or people. Moreover, they should identify vulnerabilities and analyze potential motivations for attacks.

Network assessment. Testers should analyze the network for internal and external risks and vulnerabilities. They should identify network components such as services, points of access, and access controls. Also, they should scan the network and look for vulnerabilities in the current infrastructure. To test the network's resilience, they should review the organization's disaster recovery capability to restore key functions.

Threat modeling. This stage is about modeling how potential threats could occur. Specifically, testers should view threats from the attacker's perspective, looking for approaches that require less effort or could yield a greater reward. This gives the organization a profile of potential attackers and enables it to prioritize its efforts accordingly.

Attack simulations. The objective here is to simulate high-threat scenarios identified at the modeling stage. For example, testers could simulate an attack through external system access by trying to gain remote access to an internet-connected application or system using vulnerabilities discovered during earlier stages of testing.

Tim McCollum
Internal Auditor is pleased to provide you an opportunity to share your thoughts about the articles posted on this site. Some comments may be reprinted elsewhere, online or offline. We encourage lively, open discussion and only ask that you refrain from personal comments and remarks that are off topic. Internal Auditor reserves the right to remove comments.

About the Author



Tim McCollumTim McCollum<p>​​​​Tim McCollum is <em>Internal Auditor</em> magazine's associate managing editor.​​</p>https://iaonline.theiia.org/authors/Pages/Tim-McCollum.aspx


Comment on this article

comments powered by Disqus
  • IIA GRC_May 2019_Premium 1
  • IIA Awareness Month_Premium 2
  • IIA Sawyer-OrderToday Bookstore_May 2019_Premium 3