Motley Moose – Archive

Since 2008 – Progress Through Politics

Shining LIGHTS on ICS Cybersecurity

(Crossposted from Infosec Island)

As we wrestle through our critical infrastructure cybersecurity conundrum we talk a lot about Big Electricity, Big Oil and other Big Asset Owners.

Certainly these asset owners play a crucial part in providing the services of modern society, and keeping them secure is very important. However, these asset owners are not all – or even most – of the problem.

In the US Electric Sector, for example, there are around 3,200 utilities keeping the lights on. Less than 1% of these would be considered Big Electric companies. Drinking and waste water is supplied by over 50,000 US utilities, almost none of which are large operations. Manufacturing, Transportation, Chemical and other sectors are similarly bottom-heavy in terms of demographics.

Obviously, achieving reliable security in large facilities – and none at small ones – only moves us so far towards securing the nation.

The other factor in the equation is the effort needed to address cybersecurity at each organization. Large asset owners have vastly complex operations and accordingly stringent requirements. The process of assessing their current security status and doing anything about it is similarly resource-intensive. Making a significant improvement in realized security at these organizations often occurs over the long term.

Small facilities on the other hand are in most cases relatively simple operations. These facilities require much less resource to achieve much greater improvement in security. As well, unlike large organizations which require significantly customized solutions, solutions for smaller facilities can be highly portable and consistent.

The LIGHTS program was created as a means of addressing security for this large number of small industrial operations. LIGHTS is a non-profit membership program run under Energysec that sets a consistent open-source-baseline approach to securing smaller industrial facilities.

LIGHTS members are provided an Open Source LIGHTS Sensor appliance which installs on a network tap along with options for outsourced management and/or commercial products and services.

LIGHTS aims to raise the bar attackers must hurdle by implementing visibility into the cyber activity on the Industrial Control System (ICS) networks that control physical processes at member facilities. The LIGHTS Advisory Board maintains the composition of the Open Source LIGHTS Sensor to deliver the optimal open source tools for that purpose. The current LIGHTS Sensor is based on the Open Source SIEM (OSSIM), which includes integrated vulnerability assessment, IDS and SIEM.

The LIGHTS program leverages MSSPs to deliver membership services. After joining the program new members are contacted by a LIGHTS Approved MSSP who walks them through their options under the program and may also offer other products or services appropriate to the member’s specific needs.

At a minimum the MSSP will send a technician on-site for one day to install the Open Source LIGHTS Sensor and train the member in its operation, all of which is included in the initial membership fee.

Since most smaller facilities may not have the resources or expertise to effectively manage their security operations, LIGHTS MSSPs provide reduced-rate management services to members. For less than $1,000/month per Sensor, MSSPs provide continuous monitoring for malware or any other deviation from normal operations.

An additional benefit to both the member and the broader community is the option to share anonymized metadata characterizing their experience with analysis centers such as the NESCO Tactical Analysis Center (TAC). NESCO TAC and other private and public centers use anonymized metadata to identify trends and active threats to regions, sectors and the nation as a whole.

These centers provide strategic perspectives of the combined threatscape and inform MSSPs and asset owners with the “wide-angle lens” visibility that allows them to plan and react effectively.

LIGHTS also provides a means for solution providers to reach the large market of smaller facilities in a mutually beneficial environment. Members can choose commercial solutions as part of their implementation which have been approved by the LIGHTS Advisory Board as being interoperable and providing measurable value.

The LIGHTS program was founded by Energysec, ICCT Corp, ICS Cybersecurity, Rochester Institute of Technology and Trusted Metrics.  The LIGHTS Advisory Board consists of representatives from academia, industry organizations, asset owners and solution providers.