ICS in VUCA：Insights from the world‘s biggest ICS security event – S4
Feb 03, 2020
Smart Factory Security
S4 is the world's largest event dedicated to ICS security. At the venue, the ICS community’s top researchers, thought leaders and influencers gathered to discuss advanced topics in cyber security and OT technology. In total, 719 people from all over the world participated this year. It has grown significantly since last year's 534, indicating the growth of the industry as a whole. Today, let’s think about ICS security from a business perspective.
Why a leadership team is needed for ICS security
Sessions this year had a lot of topics for leadership teams, focusing on topics like law, risk management and DevOps. But why do we need new messages targeting executives? Because the environment surrounding the ICS community is in the VUCA world - short for volatility, uncertainty, complexity and ambiguity - and the VUCA world requires strong leadership to drive changes.
The ICS community has long been focused on safety and the avoidance of physical damage, and that will not change due to the nature of ICS. However, with the digitalization of the environment, cyber factors have had a significant effect on the physical environment. For example, Stuxnet had brought serious physical impact on plants, and a ransomware attack could stop the operation of a factory. The research of a realistic factory honeypot announced by Stephen Hilt on the main stage also reported that their factory environment was down for four days due to a commodity cyberattack. It is feasible that cyber factors can seriously affect the physical world. The ICS community, which has been focusing on the physical for a long time, is facing a new common sense of cyber-physical.
When the new norm emerges, confusion could result in the field. The current scene is full of uncertainty. It's hard to predict if your factories will or will not be attacked tomorrow, and if so, what kind of attack it will be. In such an environment, the system needs to be flexible and resilient rather than robust. In other words, the ICS environment, which has not seen any major updates for 20 years, is about to change. One example of this direction was Kelly Shortridge's DevOps-Infosec Marriage session. I felt in her message something that led to Nassim Taleb's concept of Anti-Fragile. In the VUCA world, the idea is that measuring the fragility of a system is easier than predicting what would harm the system. It can be said that the leadership team needs to drive the reevaluation of their systems in the cyber-physical environment. In that context, Dale Perterson mentioned in his keynote the importance of risk management and executive involvement for any company.
Start ICS security with "Why"
ICS security is in the phase of embracing change and taking action. To do so, leaders in the ICS community need to show their followers why to change. As Simon Sinek says, good leaders always start with why.
One answer to “Why” demonstrated in S4 2020 is Pwn2Own Miami. This hacking contest has had a significant impact on the ICS community in two ways. First, witnessing the hacking of industrial control systems helps to dispel the traditional perception that critical infrastructure software is inherently secure. Unlike the IT environment, the ICS community, which has been described as a closed and unique environment, is less likely to feel the threat of cyberattacks. However, the story would be totally different if remote code was executed by exploiting the bug of the HMI used in your company.
Second, industrial equipment manufacturers have joined the field of vulnerability countermeasures, which have spotlighted on browsers and operating systems for more than a decade. As announced on the ZDI’s blog, the manufacturers who participated in Pwn2Own Miami received specific insights for making their products more secure. The fact that the hacking contest focused solely on ICS software and was held during S4 is proof that cybersecurity is closely related to safety. It is a place to show why ICS needs security by demonstrating feasible hacks.
ICS supports factories and critical infrastructures such as power plants and dams. And with great power comes great responsibility. Being a part of the problem is the best way to understand the nature of the problem. S4 Miami 2021 will be held once again in South Beach, Miami from January 26-28. More participants are expected next year, and with more power and responsibility, the ICS community will be more active and secure.
Trend Micro Incorporated.
Global IoT Marketing Office
Marketing Communication Manager
Yohei is responsible for global marketing communication in IoT threats to offer his insights about enterprise IoT security. With his experience in sales and marketing in hard/software technologies and bachelor of social science in Criminology, he gives security insights not only from technical but also business/social perspectives.