Mandiant ICS IR

The ICS security community is still small, so when a large vendor recruits five or so well-known names in the industry it gets some attention. The vendor is placing at least a small bet that there is enough business to scale to a size worth pursuing. Security vendors have tried this before, most notably Symantec, only to quietly walk away from or deemphasize the ICS security effort.

At about the same time that FireEye was acquiring Mandiant, Mandiant was building its ICS security team. Dan Scali from GE and Chris Sistrunk from Entergy (of DNP3 hacking fame) were two of the hires near the start of 2014. They have since added Anthony Persi from INL/DHS, Kyle Wilhoit from Trend Micro (of ICS honeypot fame), and Rob Caldwell from GE.

What is Mandiant going to do with this new ICS security talent? Dan Scali responded to my tweet with:

@digitalbond We think ICS should be monitored for indicators of compromise. We’ll see if the industry agrees with us…

— Dan Scali (@dan_scali) June 16, 2014

Without reading too much into a tweet, let's evaluate the possibility of selling ICS IOCs as a service. There is a market for ICS IOCs just as there is a market for ICS IDS signatures, ICS malware and ICS threat intelligence. It just has not proven large enough for a vendor the size of Mandiant to find interesting. Add to this the insecure-by-design ICS protocols and PLCs (an attacker can use documented protocol features rather than malware, leaving little for an IOC to match), the lack of patching, poor configuration, and the minimal amount of ICS attack data available, and it is hard to imagine an IOC feed that would be of value to many asset owners. Many ICS asset owners are very large companies, so perhaps adding ICS IOCs to an existing feed is appealing in concept. Still, I would rate selling ICS IOCs as a loser for Mandiant.

Incident response is where the Mandiant play begins to make sense. We have had clients that used Mandiant's IR for suspected corporate network compromises but told Mandiant to stop at the ICS security perimeter. Mandiant could not, or chose not to try to, convince the client that it had the ICS expertise to carry the IR into the ICS. The addition of ICS talent to the Mandiant team could solve this problem.

The additional revenue from extending the IR into the ICS is one benefit, but likely not the win Mandiant wants. In a competitive situation, Mandiant can now promote this ICS IR capability to the very large companies whose ICS run the critical infrastructure, generate the product, ... the things the company is actually in business to do.

ICS IR is a challenge. When legitimate features of the protocols and devices can be used to compromise the ICS, there is no malware, exploit or other artifact for an IOC to match, so the compromise is harder to identify. It is not impossible, but new techniques are required.
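To make the "feature abuse" problem concrete, here is an added example (not Mandiant's, Digital Bond's or any vendor's code) that runs two kinds of detection over a handful of constructed Modbus write events. The artifact-style IOC list (bad hashes, bad IPs) matches nothing, because the attacker issues the same Write Single Register command the HMI uses. A process-aware baseline of who may write which register, and within what engineering range, is one possible "new technique" and does flag the two suspicious writes. The log format, addresses, register numbers, hash values and the baseline itself are all assumptions made up for this illustration.

```python
"""Artifact IOCs vs. a process baseline over constructed ICS write events.
Added example, not code from the original post. Every value here is made up."""
from dataclasses import dataclass


@dataclass(frozen=True)
class WriteEvent:
    ts: str         # timestamp string from the log line
    src_ip: str     # host that issued the command
    unit_id: int    # PLC unit addressed
    func: int       # Modbus function code (6 = Write Single Register)
    register: int   # holding register written
    value: int      # value written
    file_hash: str  # hash of the issuing process (hypothetical log field)


# Constructed log lines. Lines 1-2 are routine HMI writes; line 3 is the same
# operation from an engineering laptop that never writes this register; line 4
# is the HMI host pushing a setpoint far outside the engineering range.
LOG = """\
2014-06-16T10:00:01 src=10.1.1.10 unit=1 fc=6 reg=40001 val=120 hash=aa11
2014-06-16T10:05:01 src=10.1.1.10 unit=1 fc=6 reg=40001 val=125 hash=aa11
2014-06-16T10:07:30 src=10.1.1.50 unit=1 fc=6 reg=40001 val=125 hash=aa11
2014-06-16T10:09:12 src=10.1.1.10 unit=1 fc=6 reg=40001 val=900 hash=aa11
"""


def parse(log: str) -> list[WriteEvent]:
    """Parse the assumed 'key=value' log format into WriteEvent records."""
    events = []
    for line in log.splitlines():
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append(WriteEvent(ts, kv["src"], int(kv["unit"]), int(kv["fc"]),
                                 int(kv["reg"]), int(kv["val"]), kv["hash"]))
    return events


EVENTS = parse(LOG)

# Constructed artifact-style IOCs of the kind a corporate IR feed carries.
# Nothing in EVENTS matches: the attacker reuses the legitimate HMI software
# (same hash) from an internal host and a documented protocol function.
IOC_HASHES = {"deadbeef"}
IOC_IPS = {"203.0.113.7"}


def ioc_hits(events: list[WriteEvent]) -> list[WriteEvent]:
    """Classic IOC matching: hash or source IP on a blocklist."""
    return [e for e in events if e.file_hash in IOC_HASHES or e.src_ip in IOC_IPS]


# Assumed process baseline, learned from a known-good period or supplied by the
# control engineer: permitted writers per (unit, register) and the value range.
BASELINE = {
    (1, 40001): {"writers": {"10.1.1.10"}, "min": 0, "max": 200},
}


def baseline_alerts(events: list[WriteEvent]) -> list[tuple[WriteEvent, str]]:
    """Flag writes that deviate from the baseline rather than match an artifact."""
    alerts = []
    for e in events:
        rule = BASELINE.get((e.unit_id, e.register))
        if rule is None:
            alerts.append((e, "write to register not in baseline"))
            continue
        if e.src_ip not in rule["writers"]:
            alerts.append((e, "unexpected writer"))
        if not rule["min"] <= e.value <= rule["max"]:
            alerts.append((e, "value outside engineering range"))
    return alerts


if __name__ == "__main__":
    print("IOC hits:", len(ioc_hits(EVENTS)))          # 0
    for e, why in baseline_alerts(EVENTS):             # 2 alerts
        print(f"{e.ts} {e.src_ip} wrote {e.value} to {e.register}: {why}")
```

The point of the contrast is not that the baseline is hard to build (it is a dict here) but that it needs process knowledge a generic IR feed cannot supply: which hosts are supposed to command which devices, and what values make physical sense. That is the expertise an ICS IR team has to bring.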

I’m looking forward to seeing some Mandiant presentations on this in the future.

Image by Norfolk Fire Service