5 industrial control system cyber security mistakes

From spear phishing to encryption errors, there are many ways to let bad guys into your networks.

04/15/2013


Recently, I attended ICS Cyber Security (301) Training at the U.S. DHS CERT facility in Idaho Falls, Id. The five-day event featured hands-on training in discovering who and what is on the network, identifying vulnerabilities, learning how those vulnerabilities may be exploited, and learning defensive and mitigation strategies for ICSs (industrial control systems). Here are five key takeaways from that training.

1. Spear phishing attacks

Do you know how most computer networks are compromised? By employees who can’t resist an email with the subject line: “Click here to get free gas for a year.” Literally, that is the subject line. This is called phishing, and it's the most prevalent way that a hacker gets through a company’s initial network defenses. Phishing emails go to large volumes of addressees and use a generic offer, such as free gas or an error from a bank. Spear phishing is directed more specifically at a particular company or other smaller group of individuals, using a more tailored offer. Either way, the malicious email plants a small program (most people would call it a virus or malware, though it behaves differently) that gives an outsider access to the victim’s computer. The difference is that, rather than doing visible damage the way a virus does, the attacker uses this foothold to explore the network quietly. Easy, generally available tools can then be used to find further weaknesses that allow access deeper into the network, and ultimately to the industrial control system.
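The kind of mail-gateway check a defender would run against the lure described above, as an added example that is not part of the original article or any ICS-CERT tool. It flags four common indicators in a raw message: a Reply-To that goes to a different domain than the sender, a display name that borrows a trusted domain the address does not belong to, a subject matching a lure phrase, and a link whose visible text names one host while the href points at another. The trusted domain, lure list and both sample messages are constructed for the demonstration (the attacker hostnames use the reserved `.invalid` TLD).

```python
"""Flag common phishing and spear-phishing indicators in raw e-mail.

Added example for this article; not the author's code or an ICS-CERT tool.
The two messages, the trusted domain and the lure phrases are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains this hypothetical company owns (assumption for the example).
TRUSTED_DOMAINS = {"example-plant.com"}

# Subject-line lures of the "free gas for a year" kind (constructed list).
LURE_PATTERNS = [
    r"\bfree\b.*\bfor a year\b",
    r"\bclick here\b",
    r"\baccount\b.*\b(suspend|locked|error)",
]


class _LinkCollector(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(header_value):
    """Domain part of the address in a From/Reply-To header ('' if absent)."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def phishing_indicators(raw_message):
    """Return the indicator names found in one RFC 822 message, in order."""
    msg = message_from_string(raw_message)
    found = []
    from_header = msg.get("From", "")
    from_domain = _domain(from_header)

    # 1. Reply-To routes answers to a domain other than the sender's.
    if msg.get("Reply-To") and _domain(msg["Reply-To"]) != from_domain:
        found.append("reply-to-mismatch")

    # 2. Display name drops a trusted domain the address is not actually from.
    display_name = parseaddr(from_header)[0].lower()
    if from_domain not in TRUSTED_DOMAINS and any(d in display_name for d in TRUSTED_DOMAINS):
        found.append("display-name-spoof")

    # 3. Subject matches a known lure.
    subject = msg.get("Subject", "")
    if any(re.search(p, subject, re.IGNORECASE) for p in LURE_PATTERNS):
        found.append("lure-subject")

    # 4. Link text shows one host, the href actually goes to another.
    if not msg.is_multipart() and msg.get_content_type() == "text/html":
        body = msg.get_payload(decode=True) or b""
        collector = _LinkCollector()
        collector.feed(body.decode(msg.get_content_charset() or "utf-8", "replace"))
        for href, anchor in collector.links:
            real_host = (urlparse(href).hostname or "").lower()
            shown = re.search(r"([a-z0-9-]+(?:\.[a-z0-9-]+)+)", anchor.lower())
            if shown and real_host != shown.group(1) and not real_host.endswith("." + shown.group(1)):
                found.append("link-text-mismatch")
                break
    return found


# Constructed sample messages: one lure, one routine plant notice.
PHISH = """\
From: "Example-Plant.com IT Helpdesk" <helpdesk@mail-support.invalid>
Reply-To: collect@another.invalid
Subject: Click here to get free gas for a year
Content-Type: text/html; charset=utf-8

<html><body><p>Claim your reward:
<a href="http://login.attacker.invalid/claim">https://portal.example-plant.com/claim</a>
</p></body></html>
"""

LEGIT = """\
From: "Plant Scheduler" <scheduler@example-plant.com>
Subject: Maintenance window Saturday 06:00
Content-Type: text/plain; charset=utf-8

The cooling tower HMI will be patched during the Saturday window.
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(name, phishing_indicators(raw) or ["clean"])
```

None of these indicators is proof on its own; a real gateway would score them and quarantine above a threshold, and the lure list has to be fed from what your own users actually receive.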

2. Wi-Fi weaknesses

You may be enjoying the convenience of using Wi-Fi on your control network. However, if your wireless networking equipment was installed before 2006, it is likely that other people can also enjoy using it to get access to your equipment! The only safe way to go wireless is with WPA2 encryption. This is standard on all new COTS (commercial off-the-shelf) equipment and is considered safe, at least for now.
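To make the "before 2006" cutoff concrete: WPA2 (IEEE 802.11i with AES-CCMP) became mandatory for Wi-Fi certified equipment in 2006, so older gear is typically running WEP or first-generation WPA with TKIP. The audit below, an added example that is not the article's or the hostapd project's code, parses access-point configurations written in hostapd's `key=value` style and flags the legacy settings next to a WPA2/CCMP-only configuration. Only the well-known hostapd keys `wpa`, `wpa_key_mgmt`, `rsn_pairwise`, `wpa_pairwise`, `wpa_passphrase` and `wep_key0` are used; the 20-character passphrase minimum is an assumed local policy, and both configs are constructed.

```python
"""Audit hostapd-style access-point configs for pre-WPA2 settings.

Added example for this article; not the author's code or hostapd's own
tooling. Both configs below are constructed for the demonstration.
"""

# Legacy 2005-era setup: static WEP key, no WPA at all (constructed).
WEAK_CONFIG = """\
interface=wlan0
ssid=plant-control
wep_default_key=0
wep_key0=0123456789
"""

# WPA2 only, AES-CCMP only, pre-shared key (constructed).
STRONG_CONFIG = """\
interface=wlan0
ssid=plant-control
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=<<replace-with-a-long-random-passphrase>>
"""

MIN_PASSPHRASE = 20  # assumed local policy; hostapd itself accepts 8..63


def parse_hostapd(text):
    """Parse key=value lines, ignoring comments and blanks (last value wins)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit_wifi(conf):
    """Return a list of findings; an empty list means WPA2 with CCMP only."""
    findings = []
    has_wep = any(k.startswith("wep_key") for k in conf)
    if has_wep:
        findings.append("WEP key configured: WEP is broken, remove it")

    wpa = conf.get("wpa")
    if wpa is None:
        if not has_wep:
            findings.append("no wpa= setting: open network")
    elif wpa == "1":
        findings.append("wpa=1: first-generation WPA only, set wpa=2")
    elif wpa == "3":
        findings.append("wpa=3: WPA1 clients still accepted, set wpa=2")
    elif wpa != "2":
        findings.append(f"unexpected wpa={wpa}")

    # Cipher suites can be listed under either key; TKIP must not appear.
    ciphers = (conf.get("rsn_pairwise", "") + " " + conf.get("wpa_pairwise", "")).split()
    if "TKIP" in ciphers:
        findings.append("TKIP cipher allowed: use CCMP only")
    if wpa == "2" and "CCMP" not in ciphers:
        findings.append("wpa=2 without rsn_pairwise=CCMP: cipher not pinned to CCMP")

    passphrase = conf.get("wpa_passphrase")
    if passphrase is not None and len(passphrase) < MIN_PASSPHRASE:
        findings.append(f"short wpa_passphrase: use {MIN_PASSPHRASE}+ random characters")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("strong", STRONG_CONFIG)):
        print(name, audit_wifi(parse_hostapd(text)) or ["ok"])
```

Run the same check against exported configs from every access point on the control network; the one nobody remembers installing is usually the one still on WEP.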

3. Hard drive encryption

If you have a strong laptop password but choose not to encrypt your hard drive, a thief who steals the laptop can gain full access to your company’s network. This access is generally gained through the connectivity feature of Microsoft machines, the feature that lets you move from office to office while staying connected to your network. Connectivity works because Microsoft stores a “token” or “hash” on your computer that says, in effect, “Hey, this is a trusted company laptop with a correct password.” Attackers can take that token or hash and use it to make a system believe another laptop is your trusted company laptop, and then gain access to your network. The only way to prevent this is to encrypt your hard drive. The process is actually fairly simple, so ask your network administrator how to do it if you travel a lot with your laptop.

4. Remote access

Since many PLCs and other industrial controllers now have built-in web interfaces, many people like to log in from home to keep up with what’s happening at the plant. However, they don’t realize that a few extra steps are needed to make sure an attacker can’t also enjoy that convenience. The embedded web interfaces in PLCs assume they are for internal use only, so they have little or no security features. Did you know that there are systems that actually search the Internet for PLCs? Check out shodanhq.com to see if your PLC has been found yet. Do you want a bored 15-year-old to shut off your cooling tower, or something more important? Don’t be tempted to add external access to your control network without the proper layered security, or you might be the next Internet hacking headline.
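What "proper layered security" looks like as a firewall policy, as an added example that is not the article's code or any vendor's rule syntax. The policy is evaluated first-match with an implicit default deny, the way most firewalls work: only an engineering jump host may reach the PLC web interface, remote users must first land on that jump host over the VPN, and everything else, the whole Internet included, is dropped. It is shown beside the tempting one-line shortcut the section warns against, so the same check can tell the two apart. All addresses, zones and rules are constructed (the PLC network, jump host and VPN pool are private ranges; the Internet probe address is from the RFC 5737 TEST-NET-3 documentation range).

```python
"""First-match firewall policy check for a PLC web interface.

Added example for this article; not the author's code or a vendor's rule
language. Addresses and rules are constructed: PLCs live in 10.10.5.0/24,
the engineering jump host is 10.20.1.10 and the VPN pool is 10.30.0.0/16.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str        # "allow" or "deny"
    src: str           # source network in CIDR notation
    dst: str           # destination network in CIDR notation
    ports: frozenset   # destination TCP ports; empty set means any port
    note: str = ""


PLC_NET = "10.10.5.0/24"
JUMP_HOST = "10.20.1.10/32"
VPN_POOL = "10.30.0.0/16"
WEB_PORTS = frozenset({80, 443})

# Layered policy: remote users reach the jump host over the VPN, and only
# the jump host reaches the PLC web pages. Everything else aimed at the
# control network hits the explicit deny, and anything unmatched falls to
# the implicit default deny.
LAYERED_POLICY = [
    Rule("allow", JUMP_HOST, PLC_NET, WEB_PORTS, "jump host -> PLC web"),
    Rule("allow", VPN_POOL, JUMP_HOST, frozenset({3389}), "VPN pool -> jump host RDP"),
    Rule("deny", "0.0.0.0/0", PLC_NET, frozenset(), "everything else -> control net"),
]

# The shortcut the article warns against: expose the PLC web server directly.
SHORTCUT_POLICY = [
    Rule("allow", "0.0.0.0/0", PLC_NET, WEB_PORTS, "anyone -> PLC web"),
]


def evaluate(policy, src_ip, dst_ip, dst_port):
    """Return (action, note) of the first matching rule; default is deny."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in policy:
        if (src in ipaddress.ip_network(rule.src)
                and dst in ipaddress.ip_network(rule.dst)
                and (not rule.ports or dst_port in rule.ports)):
            return rule.action, rule.note
    return "deny", "implicit default deny"


def internet_reachable(policy, dst_ip, dst_port, probe_src="203.0.113.7"):
    """True if a packet from a TEST-NET-3 (RFC 5737) address would be allowed."""
    return evaluate(policy, probe_src, dst_ip, dst_port)[0] == "allow"


if __name__ == "__main__":
    plc = "10.10.5.20"
    for name, policy in (("layered", LAYERED_POLICY), ("shortcut", SHORTCUT_POLICY)):
        print(name, "PLC web reachable from Internet:", internet_reachable(policy, plc, 80))
        print("  jump host -> PLC:443", evaluate(policy, "10.20.1.10", plc, 443))
        print("  VPN user  -> PLC:80 ", evaluate(policy, "10.30.4.4", plc, 80))
```

The `internet_reachable` check is the question Shodan effectively answers for you from the outside; running it against your own rule base first is cheaper.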

5. Software patching

There is no clear answer to the “to patch or not to patch” question. Many software companies recommend, or explicitly state, that systems should receive software updates and patches to prevent them from being exploited through known vulnerabilities. But what if a patch causes your HMI (human machine interface) to crash? What is worse, a possible exploit or an unplanned outage caused by a failed software update? To the technician who expects to be the one blamed when the system crashes because of the patch, the answer is clear. So what is a technician to do? The only solution is to know what vulnerabilities exist in your system. Maybe some extra care and protection are required for your HMIs running Windows 2000. For example, maybe you need an extra firewall. You might find that less attention is needed for new Windows 7 HMI computers when they are regularly updated by IT.

Security takes time and effort, and properly prioritizing your response can give you the best protection for the lowest cost. For more, visit the ICS-CERT overview of cyber vulnerabilities.

This post was written by Bruce Billedeaux, PE. Bruce is a senior consultant at MAVERICK Technologies, a leading system integrator providing industrial automation, operational support, and control systems engineering services in the manufacturing and process industries. MAVERICK delivers expertise and consulting in a wide variety of areas including industrial automation controls, distributed control systems, manufacturing execution systems, operational strategy, and business process optimization. The company provides a full range of automation and controls services, ranging from PID controller tuning and HMI programming to serving as a main automation contractor. Additionally, MAVERICK offers industrial and technical staffing services, placing on-site automation, instrumentation and controls engineers.


