Address the weak link in a cyber security plan

There is no unplanned cyber attack. Before an attack happens, the hackers know exactly what to take and what to do with the results. End-users should have a serious security plan in place and understand the weakest link and address it.


A malicious and largely unknown targeted attack focused on oil tankers has been under way since August 2013. First discovered in January 2014, the ongoing attack aims to steal information and credentials for scamming oil brokers, according to researchers at Panda Security. Despite suffering a compromise in this cyber attack, which Panda called "The Phantom Menace" after the 1999 Star Wars film, none of the dozens of affected companies has been willing to report the invasion and risk global attention for vulnerabilities in their IT security networks, the researchers said.

Questions then arise that could affect any industry, especially manufacturing automation. Could this happen in any industry and are end-users that reluctant to report details?

"I haven't seen this (type of attack) in any other industry, but I have to admit that they are not likely to report it for so many reasons," said Joel Langill, an independent security researcher, consultant, and creator of "I was recently with a client who was actually hit with a destructive targeted industrial control system (ICS) malware and they chose not to report it to anyone. Just shows that things are actually a lot worse than many perceive."

Langill added the attackers knew exactly what they were doing. "The vectors of 'Menace' are not that sophisticated and with numerous open-sourced tools, fairly easy to execute. In terms of ISA 62443, this makes the attacker profile in line with Security Level 1," he said. "So, given the fact that the attack was successful means these companies must have lacked some pretty basic countermeasures. In other words, it appears there was little defense-in-depth used to correct for the fact the primary controls (mail filters and anti-virus) were unable to detect the threat.

"The skill in Phantom Menace comes from the knowledge of 'what to take' and 'what to do with it'—an attribute many people fail to accept and include in their security risk analysis," he said. "In other words, many fail to admit their adversaries may know as much, or even more, about their business than they themselves do. These attackers used what I consider simple means to exfiltrate data and then knew what data to use and how to use it to make it of value."

With technologies available today, getting in and nosing around a system while lulling the watchdog AV detectors to sleep is very possible.

"There is a lot of very powerful stuff you can do with remote execution privileges on a laptop where the user has admin rights," said Dan Schaffer, business development manager, networking & security at Phoenix Contact. "And the less overtly-malicious you are, (searching files and ftp'ing them for example, versus deleting, modifying or corrupting them) the less likely that an AV or IPS software is going to flag you."

While the amount of money pilfered in the oil tanker scam is not available, each attack brought in between $50,000 and $100,000, Panda Security research showed. With monetary levels rising, that means bad guys will continue to step up their efforts.

"The sophistication of attack will only increase as the motives and benefits offensively trump the defensive capability," said George Wrenn, cyber security officer (CSO) and vice president cyber security at Schneider Electric. "The other component is also manifest in the banking and financial industry where cyber intrusions are often not reported as the brand damage and negative press can exceed the value of the damage quickly. This is true even in the case of insider attacks, they prefer to 'dismiss' without stated cause individuals thought to be involved."

Wrenn continued, "It is a safe bet that similar scams are happening in other industries but they are likely related to ransomware on supervisory control and data acquisition (SCADA) systems as a primary lever against the company under duress. As long as we have a 'code of silence' around these incidents we as a society will continue to remain vulnerable and victimized by these types of attacks, only when a few strong companies lead with disclosures will this start to get others to report and stop these attacks."

In terms of victims reporting the incident, "The 'embarrassment' factor can be pretty high," Schaffer said. "And it would absolutely have commercial ramifications for the victim. Even more so, if the victim figures out they've been hit—as well as some of their competition—they may choose to stay quiet and uncooperative as a way to gain a competitive advantage. That is, if they figured out how to stop the theft of their documents and the other maritime transporters haven't."

It comes down to end-users having a serious security plan in place and understanding the weakest link and addressing it.

"Companies need to have a defense in depth strategy that should have a comprehensive employee awareness part," said Graham Speake, vice president and chief product architect at NexDefense, Inc. "People are the weakest link in this and must be continually informed about different ways attackers and malware can be propagated. Security control will never be perfect and attacks will become more sophisticated over time."

Gregory Hale is the editor and founder of Industrial Safety and Security Source, a news and information website covering safety and security issues in the manufacturing automation sector. This content originally appeared on ISSSource. Edited by Joy Chang, Digital Project Manager, CFE Media.
