Modern network and asset defense requires far greater visibility into the industrial control system threat landscape than in years past. The threat environment is highly dynamic, and adversaries who invest in the problem are outpacing defenders who do not. Threat intelligence is knowledge of adversaries and their malicious behaviors through which defenders gain better visibility. Threat intelligence reduces harm by improving decision making before, during, and after cybersecurity incidents: it reduces operational mean time to recovery, reduces adversary dwell time, and enables root cause analysis. It is a necessary component of any modern cybersecurity program that significantly improves the efficacy of all existing elements.
However, there is no “universal” threat intelligence product, so organizations must match threat intelligence products to their threat profile. Generic threat intelligence developed around traditional information technology (IT) environments will not satisfy the unique requirements of industrial control. Therefore, industrial control system (ICS) owners and operators, and IT groups that have ICS in their environment, should seek out and obtain an ICS threat intelligence product, regardless of whether they are already receiving generic threat intelligence.
Threat intelligence must include both context and action and be delivered in a way that maximizes its value to the consumer. Threat intelligence provides three critical elements: it describes the threat, illustrates the impact, and recommends action. But not all threat intelligence is equal, and consumers must be careful about consuming poor threat intelligence (e.g., indicator feeds without context) so as not to waste precious time and resources. Good threat intelligence satisfies four primary properties: completeness, accuracy, relevance, and timeliness (CART). An organization consuming high-quality threat intelligence will be able to leverage it across its cybersecurity program to improve detection, response, and prevention, informing everyone from the most technical defenders and operators to the most strategic decision makers. High-quality threat intelligence, applied diligently, can differentiate mediocre cybersecurity programs from great programs. For industrial control networks, where the impact of a cybersecurity incident can mean millions in business losses, reputational damage, an environmental disaster, or loss of life, the diligent application of high-quality threat intelligence is now an absolute necessity.