

Discussions around industrial control systems (ICS), such as supervisory and control data acquisition (SCADA) systems, often focus on how vulnerable the systems are.

A key aspect of President Obama’s information sharing acts has been to encourage threat sharing that helps protect the organizations and networks involved in critical infrastructure. However, while many advancements still need to be made, these networks have strengths that can give defenders a strong footing.

One of these strengths is unique knowledge of the systems. A significant portion of adversaries’ efforts against victims has always focused around information gathering and reconnaissance. In critical infrastructure, this is particularly true as adversaries need to understand precisely how to impact these systems to have their desired outcomes. ICS networks often contain unique assets, or at least unique configurations, that increase the time and effort required by adversaries.

This is not to say that the lone-person or terrorist organization is not a threat to highly vulnerable systems, such as those directly connected to the Internet, but it does mean that with proper security fundamentals even advanced adversaries can be fought against.

Once an ICS network is properly architected to remove the low-hanging fruit, the unique knowledge that OT (operations technology) personnel have gives them a head start on the adversary. Defenders who understand what assets they have and understand what constitutes normal network communications in these smaller and more static environments pose a significant challenge to adversaries who want to remain unnoticed.

This focus on understanding and monitoring the network is not new, but its impact on ICS networks is certainly gaining momentum. Earlier this month, Chris Sistrunk and Rob Caldwell, consultants at the incident response company Mandiant, presented on this topic at the 10th Annual SANS ICS/SCADA Summit.

The presentation discussed Network Security Monitoring and argued that, while it is useful in IT environments, it excels in ICS because of the relatively static nature of those environments. Multiple tools were presented to help with this process, including the open source Linux distribution Security Onion, which combines tools such as ELSA, Snort and Bro to help monitor for abnormalities in network communications.
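As an added example (not code from the article, from Security Onion or from Mandiant), here is the baseline-and-compare check that this kind of monitoring reduces to in a small, static ICS network: learn the set of normal client/server/port conversations from a known-good period, then report any conversation that was never seen before. The log lines are constructed samples laid out in a simplified Bro conn.log column order, which is an assumption rather than Bro's exact format.

```python
# Added example: baseline known-good conversations from Bro/Zeek-style conn.log
# lines, then report anything new. Log lines are constructed samples in a
# simplified conn.log column order (an assumption, not Bro's exact layout).
from collections import namedtuple

Flow = namedtuple("Flow", "orig_h resp_h resp_p proto")

# Columns: ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, service
BASELINE_LOG = """\
1425000001.1\tC1\t10.1.1.10\t49152\t10.1.1.20\t502\ttcp\tmodbus
1425000002.3\tC2\t10.1.1.10\t49153\t10.1.1.21\t502\ttcp\tmodbus
1425000003.9\tC3\t10.1.1.10\t49154\t10.1.1.30\t20000\ttcp\tdnp3
"""
MONITORED_LOG = """\
1425086401.2\tC4\t10.1.1.10\t49160\t10.1.1.20\t502\ttcp\tmodbus
1425086402.8\tC5\t10.1.1.99\t51000\t10.1.1.20\t502\ttcp\tmodbus
1425086403.4\tC6\t10.1.1.10\t49161\t10.1.1.21\t23\ttcp\t-
"""

def parse_conn_log(text):
    """Yield one Flow per non-empty line; the ephemeral client port is dropped
    so repeated polls of the same server collapse into one conversation."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split("\t")
        yield Flow(f[2], f[4], int(f[5]), f[6])

def build_baseline(text):
    """Set of conversations observed during the known-good learning window."""
    return set(parse_conn_log(text))

def find_new_conversations(baseline, text):
    """Return flows absent from the baseline, tagged with why they are new:
    an unknown client host, or a known host talking to a new server/port."""
    known_hosts = {h for fl in baseline for h in (fl.orig_h, fl.resp_h)}
    findings = []
    for fl in parse_conn_log(text):
        if fl in baseline:
            continue
        reason = "new host" if fl.orig_h not in known_hosts else "new conversation"
        findings.append((reason, fl))
    return findings

if __name__ == "__main__":
    base = build_baseline(BASELINE_LOG)
    for reason, fl in find_new_conversations(base, MONITORED_LOG):
        print(f"{reason}: {fl.orig_h} -> {fl.resp_h}:{fl.resp_p}/{fl.proto}")
```

In the sample the routine polls to the Modbus and DNP3 servers are silent, while an unknown host reaching a PLC and a known HMI opening telnet to a device it normally only speaks Modbus to are both surfaced for an analyst to review.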

It’s important to note that active defense has nothing to do with hack-back. It has to do with identifying, responding to, and learning from threats inside your networked infrastructure. There are many strengths the ICS community has that when applied to a security mindset make defense doable. Yet, while assistance from the government through legislation and increased attention helps, it can often be slow moving.

However, faced with a consistent and real threat today, the ICS community is largely starting to take matters into its own hands. As the ICS security community continues to grow and its members become more innovative with tools and strategies, it is apparent that taking advantage of the community’s strengths does mean that defense is doable.


About the Author: Robert M. Lee (@RobertMLee) is an Adjunct Lecturer at Utica College and an instructor at SANS. He is also Co-Founder of Dragos Security LLC, a cybersecurity company. Additionally, Robert is an active-duty U.S. Air Force Cyberspace Operations Officer; his views and this article are his own and do not represent or constitute an opinion by the U.S. Government, DoD or USAF. Lee is completing his PhD in control system cybersecurity at King's College London and recently launched CyberLens™, a tool that identifies and visualizes ICS and IT assets and provides historical data, timeline analysis, and network communication data.

Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
