Robert M. Lee at 4SICS 2016

Opening his Keynote speech at the third edition of 4SICS in Stockholm, Robert M. Lee, CEO of ICS security company Dragos Security, said that “ICS threats are currently mostly unknown.”

Lee said that “because of this, everyone should be exploring their own threat landscape, which should yield a stronger but more tailored defence.”

Highlighting the distinct lack of information in the industry, Lee said that according to reports from ICS-CERT, most threats to ICS environments are largely unknown. The big threats that we do know of are spear-phishing, which shows that when an attack happens it is generally targeted, and network scanning, presumably looking for ports that have been left open.

Pointing the finger at the larger threat intelligence vendors, Lee said that although you can easily find threat intelligence for a normal IT environment, this unfortunately doesn't really exist for ICS environments. “This means we simply don't have the visibility we need,” he said.

Lee encouraged information sharing within the industry. Discussing the small number of actual real-world incidents, such as the BlackEnergy incident in Ukraine, and even those that were misreported, such as the attack on the power regulation board in Israel, he said, “we simply don't have a lot to go by.”

“There is a distinct lack of case studies in the industry, and often because of lack of reporting we're left in the dark in what happened,” said Lee.

Lee then discussed where the big vendors are currently failing us: they fail to detect most threats. Lee gave the example of the Irongate malware, which went undiscovered for two years before being found by FireEye.

Even worse, Lee said, “I would pontificate that we have malware out there which hasn't been discovered yet.” Lee says this is because vendors historically haven't “understood ICS systems.”

Concluding, Lee said that, “we need to be taking a threat hunting approach to hunt down the threats.” He said, “when we do this we will be secure.”

Lee also advises ignoring attribution during investigations, as it simply introduces biases that cause you to miss things while conducting the investigation.