Kaspersky Lab ICS CERT: A year on duty

Its one-year anniversary is the perfect time for a detailed explanation of why our ICS CERT is needed, what it does, and how it differs from others.

A year ago, we introduced our own response center for cyberincidents affecting industrial and critical infrastructure facilities: Kaspersky Lab ICS CERT. We decided that after one year of successful operation, now is the perfect time to offer a detailed explanation of why the center is needed, what it does, and how it differs from others.

Why Kaspersky Lab ICS CERT?

The main task of ICS CERT is to coordinate the activities of manufacturers of industrial control systems (ICS), owners and operators of industrial facilities, and researchers in information security. Despite our center’s youth, it has already established successful working relations with major players in the ICS market, with regional coordinating centers (e.g., US ICS-CERT in the United States and JPCERT/CC in Japan), and with international and state regulators.

How does Kaspersky Lab ICS CERT differ from other centers?

First, all other computer emergency response teams (CERTs) in the field of industrial cybersecurity are either state structures or divisions of ICS manufacturers. The former are limited by the (mostly territorial) interests of their states, and the latter are focused on resolving issues related solely to their own products. No such restrictions apply to us.

Second, other CERT operations are generally less likely to do their own vulnerability research and deep analysis of the threat landscape. Their efforts are concentrated on processing information about threats received externally, for example, from third-party researchers and ICS manufacturers. Our situation is not like that: As a division of the world’s leading information security vendor, we possess the resources, technologies, and expertise to independently search for vulnerabilities and detect threats. And most important, we have the experience. After all, Kaspersky Lab has led the fight against cyberthreats for more than two decades, and for several years now has paid particular attention to industrial threats.

We process big data on current and potential threats from sources around the globe and analyze it with machine-learning tools and algorithms. Our team of experts fine-tunes the results. As a result, our ICS CERT identifies threats that target industrial control systems specifically.

What exactly does Kaspersky Lab ICS CERT do?

Our CERT operates in multiple areas, covering a wide range of tasks. Its key functions are sharing expertise with the community, demonstrating technical capabilities to partners, and promoting the project to ICS security professionals, engineers, and operators.

Search for vulnerabilities inside industrial systems. Our experts are constantly investigating all kinds of industrial control systems and industrial Internet of Things (IIoT) devices, assessing their security level, and discovering new vulnerabilities. In the past year, we have detected more than 100 zero-day vulnerabilities and informed system manufacturers about them. Thanks to our efforts, by October of this year, 54 of the vulnerabilities we found had been patched by manufacturers, making the world a bit safer.

The results of our research and work to uncover vulnerabilities were noted by US ICS-CERT in its annual report. Recently, MITRE recognized our company as a CVE Numbering Authority (CNA), the status that allows an organization to assign CVE identifiers to vulnerabilities. As a result, Kaspersky Lab joined the list of CNAs as a security researcher. We became the sixth organization in the world with this status.

Identify and analyze threats, keep the industry informed. We identify and analyze attacks on industrial companies (both targeted attacks and widespread ones, which affect ICS systems incidentally), investigate the sources of infection of SCADA systems, and search for malware intended for industrial systems. And we issue warnings about detected threats to subscribers and partners. Our CERT website has already published two semiannual reports on the ICS threat landscape, and it regularly posts warnings about identified threats and reports about detected attacks on industrial companies.

Investigate incidents. In investigating cyberincidents at industrial enterprises, we track down the causes, examine the tools and techniques used by the attackers, assist with remediation, and help prevent new incidents. Over the past year, we have helped enterprises across various industries (metallurgy, petrochemicals, building materials) in countries worldwide.

Assess the protection level of industrial systems. Our CERT specializes in assessing the level of protection of industrial control systems. Moreover, we develop tools to allow companies to independently test their systems for particular vulnerabilities. In the near future, we plan to increase the number of such tools.

Cooperate with industry and state regulators. Our experts are part of the process of framing requirements for state and industry regulators with a view to ensuring the information security of industrial facilities. Over the past year we have worked productively with the IIC, the IEEE, the ITU, and the OPC Foundation; the standards and technologies they produce are heavily influenced by our experts.

Educate. Our CERT develops and holds training sessions for ICS operators and engineers, as well as information security specialists employed by industrial companies. We also work with educational institutions. In early 2017, for example, our experts held a one-week ICS security workshop for students, postgrads, and teachers at MIT. Preparations are under way for the next workshop at MIT, slated for January–February 2018, and we hope to hold another one in November 2017 at the University of California, Berkeley. What’s more, we are developing a joint training program with the Fraunhofer Society and working to create a full-fledged master’s course at the request of Russian universities.

Capture the flag. Information security contests involving simulated hacks of various industrial control systems offer a unique experience and improve understanding of how to protect critical facilities. Therefore, we periodically organize competitions for information security specialists under the banner Industrial CTF (Capture the Flag). The first such event was held in the fall of 2016 and was a predominantly Russian affair. However, the qualifying round of the second Industrial CTF saw more than 180 teams from Russia, China, India, Europe, and Latin America flex their cybermuscles. Industrial CTF 2017 drew the most participants yet, nearly 700 teams from all corners of the world. The final was held on October 24, 2017, in Shanghai within the framework of the GeekPwn International Conference. Taking part were teams from Japan, Korea, and China.

To sum up, we can say for sure that Kaspersky Lab ICS CERT’s first year has been intense but productive. Congratulations to all employees on their first anniversary, and may the already impressive results get even better!