Who exactly benefits from Kaspersky’s ICS-CERT?

Russian cybersecurity company Kaspersky launched a new, free service this week aimed exclusively at the owners and operators of computerized industrial machinery. Yet the full extent of the company's commitment to the project wasn't immediately clear.

The Kaspersky Lab Industrial Control Systems – Computer Emergency Response Team, or ICS-CERT, will offer regular briefings via email about threats and vulnerabilities affecting ICS, the systems used in factories, power plants, train tracks, dams, sewage systems and refineries, which control just about every kind of industrial process in the modern world.

Many cybersecurity companies offer such basic aggregation services for free, but Kaspersky also promises free penetration testing and vulnerability analysis for companies that use ICS programs, a subset of which are more precisely known as supervisory control and data acquisition (SCADA) software.

For enterprises of any size, the cost of testing ICS/SCADA systems, which involves a team of technical specialists and the deployment of a variety of software tools, can be a major expense.

“As a non-commercial project, the Kaspersky Lab ICS-CERT will share information and expertise to its members free of charge,” the company says in a statement.

The full extent of the company’s commitment to the project wasn’t immediately clear. Asked how many employees would be working for the lab’s ICS-CERT, Clint Bodungen, a Kaspersky Lab senior researcher, told CyberScoop it was “a bit early to give exact figures: the number of dedicated employees will depend on demand.”

He said a virtual team based principally in Moscow, but with outposts scattered “throughout many of Kaspersky Lab’s locations across the world,” would deal with ICS users that asked for help via their website.

“We have experienced vulnerability researchers, penetration testers, developers, data scientists, and ICS engineers,” he said.

The team would also leverage the years of research Kaspersky had put into ICS security, he said.

“If necessary,” he added, “we will be able to draw upon additional resources” from other parts of the company.

ICS/SCADA software controls physical machinery and feeds data about the industrial process back to the operator. Cyberattacks on this technology aren’t like those targeting email systems or databases, which affect only information: ICS attacks can cause real damage in the physical world.

The Stuxnet cyberweapon that Israel and the U.S. used to cripple the Iranian nuclear program attacked ICS — making centrifuges designed to purify uranium spin themselves apart — while telling the operators everything was fine.

And even before Stuxnet, ICS/SCADA was identified as a particular problem by cybersecurity mavens. Unlike IT software, much ICS software can’t be patched or updated — because the machinery it controls has to be running 24 hours a day.

Worse, ICS was typically designed to operate on a closed network, on which any communication could be trusted and treated as authentic.

As far back as 2009, a McAfee survey of critical infrastructure owners and operators found that more than three-quarters had connected their ICS “to an IP network or the Internet.” Nearly half of those connected admitted that the connection created an “unresolved security issue.”

Kaspersky’s Bodungen says DHS’ ICS-CERT “is widely respected in the U.S. and abroad,” but adds that when it comes to work on vulnerability discovery and cataloging “it is largely focused on U.S.-based companies.”

He said Kaspersky wanted to “offer a global option,” pledging to be “more complimentary … rather than competitive,” to DHS ICS-CERT.

Kaspersky is acting because some ICS users don’t have an authoritative source for information about threats. “Different sources offer different and often conflicting information about threats, information about vulnerabilities is published months or even years after they are detected, while information about some incidents is not published at all,” he said.

Just before Christmas last year, attackers using malware developed by Russian state-sponsored hacking groups shut down power to about one-sixth of the population of Ukraine by successfully attacking the ICS software that power engineers used to keep the grid running.

Bodungen says “From my perspective, we are a cyberspace company without geo or political boundaries … [and with] an excellent reputation in the cyber security community overall … regardless of borders and/or geo-political circumstances (to include Ukraine and Estonia.)”

Written by Shaun Waterman