Protect Your Assets From Cyber Attack
EP Editorial Staff | April 22, 2014
Cyber attacks hit the news again over Christmas when Target revealed it was hacked. This could happen to manufacturing, too.
By Gary Mintchell, Executive Director
Headlines about Stuxnet have receded into distant memory. Now, headlines focus on password and login theft and credit-card information downloading by hackers. This cannot be good, right? As a trend, no, but as a daily reminder of this issue, they can prevent management complacence about the impact of cyber intrusions into their control systems.
The immediate problem may not be what you think. Most hackers probably are not trying to pollute the water supply or cause an explosion. However, plant management teams may not always appreciate that they sit on significant intellectual property (IP) that is housed within their control systems and historians.
“Most people think the majority of hackers are out to disrupt or cause general mayhem on various systems, such as the traffic-sign hacking and similar incidents that can be seen on YouTube,” writes Jim Toepper, Product Marketing Manager at industrial Ethernet suppler Moxa, Inc., in his white paper, Industrial Networking Security Best Practices. “Although such incidents are a cause for concern, there is something much more valuable worth protecting on your industrial network: your IP.”
Bradford Hegrat, Director of Industrial Services for security consulting firm IOActive, agrees that stealing IP is a cyber-attack motivator. He offers an example of an operation that uses machinery from several suppliers. With access to this operation’s network and machinery, one such supplier might be able to “hack into a competitor’s machine and steal the intellectual property within it,” he says, if appropriate security measures are absent.
The keys to security
“There are two keys to network security in industrial environments,” says Roman Arutyunov, Vice President of Product Development at ABB Tropos. “First, implement a multi-layer, defense-in-depth cybersecurity architecture. Second, extend that architecture to the edge of the network.”
Creating the proper defense requires understanding the cyber attacker. Not all cyber actors are the same for every vertical, nor do they share the same motivation. “Hacktivists,” as Hegrat calls them, have their own goals, which vary by focus and industry. Environmental activists, for example, typically pursue forestry and mining/metals industries. Though they have been more inclined to physical vandalism, they do include cyber attacks.
Next higher up is cybercrime, which may or may not impact manufacturing. The big news here is usually about attackers who target the credit-card industry, but could also include manufacturers or service industries. In the large Target theft, for example, entry was made through the control system of the HVAC contractor.
Cyberterrorism, the next level, is more ideological. The goal is to affect through asymmetric violence the political stance of an organization or government. Cyberterrorists choose high-value targets, which are abundant in industrial companies. Any pasteurization process with chillers, for example, could be a target. Many are ammonia-based, and could cause accidents at great harm. Many of the explosions we hear about could have been accidents, but could also have been caused by someone.
The final tier is cyber warfare. Wikipedia defines this level as countries and sovereign states at war. This occurs when political problems escalate into kinetic warfare. To win, they must remove the ability or desire to fight. In digital space, Stuxnet may be at this level. This has not been officially attributed, but many analysts suggest it was an example of one government targeting another. This tier remains more theoretical, but could likely happen in the future.
One of the biggest cyber threats is from insiders, says Hegrat. This occurs when an organization has granted authorized access to individuals who betray the trust. Insider threats happen more often than anyone can imagine, and are the most difficult type of threat to control. “We have lots of technology to throw into the mix” against insider threats, says Hegrat, “but the only defense is system design, backed by policies and procedures.” Insurance underwriters are not insuring certain critical infrastructure for cyber security in the UK [see NIST sidebar], he adds, because of the lack of criteria for implementing and enforcing policies and procedures.
“An industrial control-system cybersecurity program (such as one that IOActive provides) brings structure both technical and non-technical,” adds Hegrat. “It includes firewalls, anti-virus and other features. The policy and procedure side does its best to mirror technology by not allowing surfing the Web from HMI. On the flip side, there should be a technical control that blocks it. If you don’t have both, what’s to prevent a smart operator from saying, ‘No one said I couldn’t run a cable to the other side of the plant so I could get Web access.’ We’ve seen tons of vulnerabilities on the Web, and if the operator just stumbles on one, it could give remote access to a hostile attacker.”
Hegrat offers five cybersecurity tips:
1. Create a cybersecurity program. It puts a general plan in front of people about what they need to do.
2. Figure out what’s in your process system. Perform an asset inventory. Everything is coded and there for a purpose. It’s shocking how little people know about what’s in the process. Ensure the assessment considers every digital device.
3. Harden your inputs. When you know all the assets, address security problems with those devices. The best first thing is to turn on existing security, such as security within Microsoft Windows.
4. Audit the environment. Know what’s there. Make sure documentation is updated. Know what the new things are.
5. Monitor your systems. Watch the packets flow into and out of the equipment.
“Configuration management of industrial control systems is the last line of defense for control-system security,” says Rich Powell, Cyber Security Solutions Manger at PAS, Inc. “The proprietary nature of control-system devices and the critical issue of availability for a control system precludes the use of traditional cybersecurity tools within a control system. Companies are left with securing the perimeter of the control system and monitoring traffic to and from the control system. The flaw in this approach,” he says, “is that it does nothing to protect against a USB drive or laptop from bypassing the firewall and connecting directly inside the controls network. There is no protection at this point to stop an attack.”
Powell adds that monitoring the controls device configuration is made more difficult because each vendor provides its own configuration management tool. “What’s needed is a way to bring all the configuration and change monitoring within a single application,” he says. “Cyber Integrity from PAS performs this essential task for over 50 different control system types from the various vendors in this space. Cyber Integrity performs inventory, configuration baselining, configuration change monitoring and change-workflow management.”
The Cyber Integrity product has been designed to meet the security and compliance requirements for industrial control systems. Its workflows and reports meet the electric-industry NERC CIP version-5 requirements, and use a risk-based approach to handling changes and reporting to configuration. Configuration changes are reconciled to management of change cases. “The change workflow depends on the risk level of the asset/configuration item being modified,” says Powell. “Higher risk changes require more verification before the change is implemented. Configuration changes not reconciled to a change case initiate response workflows that trigger a review of unauthorized changes.” All workflows, he adds, are built for security best practice, but are customer-customizable to ensure maximum accuracy. MT&AP
The NIST Framework: A Common Language to Address Cyber Risk
In February 2013, President Obama issued Executive Order 13636: Improving Critical Infrastructure Cybersecurity. The order calls for development of a voluntary, risk-based Cybersecurity Framework, a set of existing standards, guidelines and practices to help organizations manage cyber risks. The result—the Framework for Improving Critical Infrastructure Cybersecurity (www.nist.gov/cyberframe
work/upload/cybersecurity-framework-021214.pdf)—was created through public/private collaboration, and provides a common language to address and manage cyber risk in a cost-effective way based on business needs, without placing additional regulatory requirements on businesses.
Overseen by the Commerce Department’s National Institute of Standards and Technology (NIST), the Framework is designed to help the nation’s financial, energy, healthcare and other critical systems protect their information and physical assets. It provides a structure that organizations, regulators and customers can use to create, guide, assess or improve comprehensive cybersecurity programs.
“The Framework reflects the efforts of a broad range of industries that see the value of and need for improving cybersecurity and lowering risk,” says Undersecretary of Commerce for Standards and Technology and NIST Director Patrick D. Gallagher. “It will help companies prove to themselves and their stakeholders that good cybersecurity is good business.” Size of the organization, degree of cyber risk or cybersecurity sophistication do not matter, he says. “It can help determine any organization’s current level of cybersecurity, set goals for cybersecurity that are in sync with their business environment, and establish a plan for improving or maintaining their cybersecurity.”
The Framework addresses three main elements: the core, tiers and profiles. The core presents five functions—identify, protect, detect, respond and recover—that, taken together, allow any organization to understand and shape its cybersecurity program. The tiers describe the degree to which an organization’s cybersecurity risk management meets goals set out in the framework and “range from informal, reactive responses to agile and risk-informed,” says Gallagher. The profiles help organizations progress from a current level of cybersecurity sophistication to a target-improved state that meets business needs.
“A key aspect of the Framework is that it is not intended to replace an organization’s existing business or cybersecurity risk-management process and cybersecurity program,” writes Ernie Hayden, a Certified Information Systems Security Professional (CISSP), on the Tofino Security blog (www.tofinosecurity.com/blog). “Instead, the organization can use its current processes and leverage the Framework to identify areas to improve its cybersecurity risk management” or help them create one if no cybersecurity program is in place.
Hayden offers three suggestions for action. “First, review the critical infrastructures [core, tiers, profiles] listed above. Does your company fall into any of those categories? If not, is your company substantially reliant on any of those key infrastructures for your success and even existence? If the answer to either is YES, then read the draft Framework as it stands and figure out how you can apply it to your current cybersecurity risk management.
“Second, acquaint your management and board members with the Framework. Give them a sense of how your company stands today relative to the Framework implementation tiers. Use this as a way to highlight your organization’s cybersecurity ‘maturity level.’ If you aren’t near the top, use it to highlight the resources you need to raise your game.
“Third, take a hard look at the Framework and test-drive it as it stands. Then provide comments back to NIST.”
Hayden adds that it’s important to recognize that the Framework “is not a ‘checklist’ or a ‘compliance’ item to be fulfilled. Nor is it a ‘how-to’ on building a security program (see ISA/IEC-62443.02.01 for that). Instead, the Framework provides a set of performance objectives for your cybersecurity risk program to achieve against your prioritized list of key assets.”
Patrick Coyle, a chemical-industry QA manager who writes the Chemical Facility Security News blog (chemical-facility-security-news.blogspot.com), says the Framework’s biggest benefit is that it uses language most business executives understand. But there are shortcomings, he says, the first of which is that it is voluntary. The President does not have the legislative mandate to create a critical infrastructure cybersecurity program, so he does not have the authority to mandate that the Framework be implemented.
A second drawback, according to Coyle, is that the Framework is a management document, not a technical document. Even the six standards listed among its Informative References are more cybersecurity management documents than detailed technical descriptions of how to implement the specific controls that will secure an organization’s cyber assets. This is also by design, as no single document could identify the technical details and be of useable size or remain up-to-date past the time it was drafted, much less published.
The final problem with the Framework, says Coyle, is that it exists in an informational vacuum. There are no mechanisms in place for the sharing of operational information or intelligence information that would allow organizations to adapt to the changing cybersecurity environment. This is also due to the lack of congressionally provided authority to establish and maintain the information-sharing mechanisms that would make such an adaptation process viable.
Hegrat’s advice is to view the Framework as a first step. “You can’t get too prescriptive in any standard,” he says. “Sometimes the restrictive doesn’t work for every sector. The key is for each sector to implement. It is not meant to be audited against initially. If secondary organizations decide to implement and audit, that would be OK.”
In one last warning for industrial managers, Hegrat cites a BBC news article (www.bbc.com/news/technology-26358042) reporting that power companies are being refused insurance cover for cyber attacks, because their defenses are perceived as weak. Hegrat notes that if the companies implemented the NIST Framework or one similar to it, they would have a defense against such denial.
The International Society of Automation (ISA) has developed a knowledge-based industrial cybersecurity certificate program—the ANSI/ISA99, Industrial Automation and Control Systems Security standards (known internationally as ISA99/IEC 62443)—through the work of its Committee on Security for Industrial Automation & Control Systems (ISA99). A new certificate program—the ISA99/IEC 62443 Cybersecurity Fundamentals Specialist Certificate—is designed to help professionals involved in IT and control systems security improve their understanding of ISA99/IEC 62443 principles and acquire a command of industrial cybersecurity terminology.
The exam that leads to the above certification covers the following areas:
- Understanding the Current Industrial Security Environment
- How Cyber Attacks Happen
- Creating a Security Program
- Risk Analysis
- Addressing Risk with Security Policy, Organization and Awareness
- Addressing Risk with Selected Security Countermeasures
- Addressing Risk with Implementation Measures
- Monitoring and Improving the CSMS
- Designing/Validating Secure Systems