Taking a ‘joined up' approach to factory, plant or utility security can help significantly reduce your risk, explains Bradford H Hegrat, CISSP, CISM, senior principle security consultant, Rockwell Automation
Whether your company is considered part of the UK's ‘critical infrastructure' or not, the consequences of a malicious security breach could reach catastrophic proportions. When investigating the potential repercussions of a successful attack for a cement company we learned a miniscule change to the batch – minor enough in fact for it still to pass two levels of testing - could result in a concrete application that was inherently unusable for its intended application. If this concrete was intended for a large building foundation, for example, the forces involved by the time you reached the fifth floor of construction may be enough to bring the whole lot down.
Such an example is not uncommon - we all know how much of our world depends on products or processes that are managed by control systems of some kind. Pasteurisation is another good example, and one which is highly pertinent to the UK's large food and beverage sector. The temperature at which pasteurisation occurs is precise and lowering the temperature at which the control system requires the process to operate at could result in the whole process providing the ideal environment for dangerous bacteria to grow, rather than the intended environment which kills bacteria and helps make the product safe for consumption. The threat to utilities is also well publicised- a malicious cyber-attack could destabilise and possibly bring down power to a city, choke off a water supply or cause problems at an oil refinery or underground mine.
It is now a year since the world first heard the word Stuxnet. During that year it has become the most talked about and studied piece of malware ever. Stuxnet combined the two principle methods of compromising and traversing a computer system in such a way as to harness both methods for maximum effect. The first of those methods is ‘pivoting,' which is the act of compromising a networked machine, then using that machine's authorised position on the network to attempt to compromise other systems. Essentially the malicious threat actor uses the compromised system as a pivot point from which they can use the network access of that machine to retrieve data or infect other systems. The second method is that of being semi-autonomous: traditional viruses look for a single vulnerability in every system they touch and once identified that malcode will pass exploit code to compromise the vulnerability and deliver its payload. Stuxnet effectively and elegantly blended these two very distinct methods resulting in a semi-autonomous, disconnected attack using traditional network penetration techniques such as target analysis and pivoting to reach, compromise and ultimately physically destroy its intended target. Using these methods in conjunction with a well-engineered attack framework, Stuxnetproved to be rightly frightening - especially to those who work in utilities and industrial environments. A Stuxnet style attack has raised the bar from a malcode development standpoint through its employment of that framework based, disconnected and semi-autonomous method to seek out and compromise a very distinct and specific target. That is why Stuxnet is and will be studied for years to come.
However, despite the undoubted sophistication of the malicious codebase, it followed the traditional threat model for attacking systems - it used an easily attainable point of entry- Windows software - and infected by networking from this entry point until it found its target, where it set the control system against itself to sabotage a particular process. The fact even Stuxnet followed the traditional threat model means that companies that properly audit the security threat to their systems are far less vulnerable to similar attacks in the future.
There is much written about the vulnerability of industrial systems to attack - unfortunately, the same fear, uncertainty and doubt which makes a good headline is also used to sell equipment and services. The unwelcome fear, uncertainty and doubt elements are a disservice to industrial security as there are many things that asset owners can action to improve security against a Stuxnet type attack, and vastly reduce the negative effects of any security breach without the need to invest large sums in new products. Governance is a key aspect of this - from keeping up to date with security patches from the companies that designed your software and firmware, to understanding the nature of risks to your specific application from your own engineers and IT specialists and taking appropriate action to reduce your vulnerability, asset owners can improve and manage security more tightly.
Many of the vulnerabilities of industrial security systems, whether ‘critical infrastructure' or not, originate from a distinct disconnect between engineering and IT elements of system design and implementation. This comes from their inherently different perspectives and applications of technology and also in the culture of operatives. The goals of most IT designed systems are for full network access at every possible point (node) in order to create a seamless system. From the IT cultural standpoint sharing of knowledge is less natural as it is associated with a loss of power or value. The traditional engineer, on the other hand, comes from the culture of mentorship and sharing of knowledge associated with the scientific approach which is concerned with variable reduction, reassessment and repetition until the fewest possible points of fault are achieved. In an industrial application these distinctions are important.
Owners and operators of control systems should be aware of their equipment to the extent that they can define which devices need to speak to which other devices in order to achieve the necessary connectivity to perform the functions required. Once identified, this information can be used to disallow any communications that are outside those identified as necessary to perform the task, but within the capability of the equipment. This is often referred to as the ‘Principle of Least Privilege', and also falls within the ‘Principle of Least Route' which is similar but goes on to add a further layer of security by including the ‘reachability' and ‘Zone segmentation' of the equipment via small sub-networks and access control limits (ACLs) (subnet = /29 or /28).
For example, if a manufacturer has five process lines with two PLCs on each line that need to be able to communicate with one another, but not the PLCs on other lines, it is important that authorisation on the network limits the connectivity of the PLCs in order to reduce the risk to the system. Effectively, this approach is ‘engineering out' risk at a network level, by reducing the privileges of the machine to those required to perform its function and no more; the capability of the machine or its operator to cause a fault or be a security risk is thus reduced.
Engineering out risks is one example of a range of tactics to reduce vulnerability. Other ways to reduce risks is by including security technologies such as anti-malware, host intrusion detection and prevention systems, and strong firewall-type products (i.e. Unified Threat Management (UTM) devices) in industrial control systems.
There are four steps that I would advise every asset owner or manager to take to helpreach the necessary security levels for your company and the people who rely on your outputs:
• Understand what you have: Whether you work with nuclear power or cheddar cheese, you must understand your environment and the equipment, including connectivity capability.
• Understand the devices that you have and how they need to interact: This should happen from a process perspective (your engineers can help with this) and a network perspective (IT can help with this). Identify any gaps between the two in your existing infrastructure. Typically there is a gap caused by the builders of the information system not knowing the process environment. This can be thought of as two technology groups that don't talk to one another properly. Stuxnet and similar threats use one against the other.
• Assess who has access and to what: This is about the human environment- technical and non-technical controls that can be used to strengthen the security. What levels of physical security exist between staff and access to mission critical systems? What access local control HMIs have to the network?
• Instil a security culture: Approach security training from a risk perspective. What are the risks of employees breaching security protocols, or failing to maintain appropriate software or equipment? Most people understand the risk involved in double clicking an email attachment on their home computer when it comes from an unknown or unsolicited source and won't do it. Understanding the risk to the industrial control systems and networks of their workplace and taking appropriate steps to avoid exposing the company through carelessness, human error or breaks with protocol is the responsibility of everyone in the company.
Of course there are network security service providers that can offer a complete service which will incorporate all of the above steps and help you to identify, design, implement, monitor and manage your security. Using a ‘vendor agnostic' service is advisable, especially if you have equipment from various vendors and wish to take a fully ‘joined up' approach. The precise nature of service offered will vary, but certain elements are vital and you should expect to be involved in every aspect of the process from the outset as it should be bespoke to your organisation's needs. Here are some key services to look out for in an external network security service offering:
• Existing policy assessment.
• Existing design assessment
• Onsite assessment (including operational, risk and vulnerability assessments)
• Security policy development
• Security design development
• Business continuity planning
• Disaster recovery planning and incident response planning
• Security configuration implementation
• Non production penetration testing
• Security policy training
• There are accepted security standards and government standards that may apply to your company which you can be evaluated against, for example NERC CIP standards, IEC 62443, ISA-99, NIST 800-53, NIST 800-82, etc.
• Remote monitoring
• Incident response services
• Disaster recovery services
It seems simplistic to point out the nature of the risk to staff, business, consumer and community is specific to the business in question and the nature of the security incident, yet it remains one of the key principles for creating the most robust security environment. The security processes, protocols and management for your business should be unique to the risks inherent in your system and the requirements of the equipment in place. A year on from the first Stuxnet news stories the fact this new and powerful malware entered systems according to a traditional threat model often goes unmentioned but highlights the need to approach security with renewed vigour. By using tried and tested techniques alongside continuous governance and applying a holistic view of the industrial facility or utility in question to close known or predictable vulnerabilities, asset owners/managers can drastically improve their defences and help protect their business and those who rely on its safe management.