Belden: Protect against yourself

If a manufacturer can protect itself against an inside attack, then that line of defense should be strong enough to withstand a chunk of outside attacks.

10/13/2014


"I will ask what are the top threats: Terrorists, hacktivists or control engineers?" Joel Langill of RedHat Cyber, an independent ICS security researcher, asked during his keynote address entitled "Improving System Resilience using Advanced Defenses" Tuesday at the 2014 Industrial Ethernet Infrastructure Design Seminar, Houston, TX. "The answer is control engineers. When you go into a site assessment, no one ever protects against the guy working inside. That is not to say he is a bad guy, he may just not know the right thing to do."

"The control engineer is the greatest risk against the system," Langill said. "The threat should not be running around with administrative privileges."

The concept of protecting against the inside attack is a little bit different because what grabs the most headlines are the outside attacks like Stuxnet or the more recent Havex/Dragonfly. What most companies rely upon is short term or reactionary defense compared to a thought out comprehensive security program. "Security right now is about short term tactical measures like patch management or installing antivirus," Langill said. "Security has to get to thinking about strategic controls or long term planning." One example he talked about along those lines is patch management.

"I am not a big supporter of patch management. There are other things that can help solve the issues," he said. Instead, Langill said, there are other approaches that can ensure a secure environment that will protect the user against bad code until a patch can end up installed.

"I look at systems and I don't bring standards with me, I just use common sense," he said. Part of the common sense also falls in line with a standard: IEC 62443, which talks about segmentation through zones and conduits. Zones and conduits is part of a defense in depth model that helps lock down a network. Using this model, a user should only allow minimum required traffic into zones and when threats do come through alarms sound. A conduit is a pathway of communications that exits and enters a zone. A zone is a specialized area on the network that needs protection. Segmenting and protecting against inside attacks is part of a strong security program, but sometimes there are assaults on the system from the outside.

Attack vector

Langill talked about a few of the well-known attacks.

"Stuxnet was bad, but Havex is far, far worse," he said. "Havex, or Dragonfly, is a lot more damaging for more people. In both cases basic security controls people are putting in today, the attacks would not be stopped. The problem is people are thinking tactically, but not strategically."

Stuxnet was an attack created by the U.S. and Israel that sought to damage an uranium enrichment facility in Natanz, Iran, according to an ISSSource report.

Havex/Dragonfly is malware that targeted the pharmaceutical sector, not the energy sector as previously believed, according to a white paper written by Langill for Belden.

"I believe that the pharma companies are under an active attack," Langill said in a previous report. "This conclusion was reached based on the information disclosed in reference to the Epic Turla campaign that is active at this time against the pharma industry. There are many similarities between Dragonfly and Epic Turla that allowed me to reach this conclusion."

The consequences of Havex/Dragonfly:

  • Unauthorized code execution
  • Information disclosure
  • Unauthorized remote access
  • Unauthorized write access to control functions
  • Denial of service/loss of view

"We are having to deal with problems today that we didn't have to deal with yesterday," Langill said. "These are the attacks we will have to deal with. Securing against tomorrow's events means users must improve access control, gain situational awareness, and plan for a cyber incident."

Attacks against industrial sites is continuing. While he said he could not get into specifics, Langill mentioned a South American refinery that had a malware breach that affected 3000 nodes and went through their PLCs.

Targeted Attacks

The moral of the story is you can protect your company against inside and outside attacks, but if you have a target painted on your back, you better have a series of layers that can help slow down any kind on onslaught. "No matter what, a targeted attack will be successful," Langill said. "What we have learned over the years is, if someone has a specific target, they will get in. If you are targeted, you will be compromised."

After an attack, it is just a matter of what kind of security program a user has and how vigilant they remain. While that may sound daunting and kind of scary, in today's environment users need to look at and focus on creating a security program. Fear and uncertainty should not stop people from moving into a stronger security posture. "When you talk about security, people start to get that glazed over look in their eyes," he said. "The reality of cyber security is we are constrained with time and money."

The end results, though, are when a security program ends up implemented, uptime and productivity can increase. "If you design a system to protect your system against the inside engineer," Langill said, "you will protect yourself against most all attacks."

Gregory Hale is the editor and founder of Industrial Safety and Security Source (ISSSource.com), a news and information website covering safety and security issues in the manufacturing automation sector. This content originally appeared on the ISSSource website. ISSSource is a CFE Media content partner. Edited by Joy Chang, Digital Project Manager, Control Engineering, jchang@cfemedia.com 



No comments
The Engineers' Choice Awards highlight some of the best new control, instrumentation and automation products as chosen by...
The System Integrator Giants program lists the top 100 system integrators among companies listed in CFE Media's Global System Integrator Database.
Each year, a panel of Control Engineering and Plant Engineering editors and industry expert judges select the System Integrator of the Year Award winners in three categories.
This eGuide illustrates solutions, applications and benefits of machine vision systems.
Learn how to increase device reliability in harsh environments and decrease unplanned system downtime.
This eGuide contains a series of articles and videos that considers theoretical and practical; immediate needs and a look into the future.
Controller programming; Safety networks; Enclosure design; Power quality; Safety integrity levels; Increasing process efficiency
Additive manufacturing benefits; HMI and sensor tips; System integrator advice; Innovations from the industry
Robotic safety, collaboration, standards; DCS migration tips; IT/OT convergence; 2017 Control Engineering Salary and Career Survey
Featured articles highlight technologies that enable the Industrial Internet of Things, IIoT-related products and strategies to get data more easily to the user.
This article collection contains several articles on how automation and controls are helping human-machine interface (HMI) hardware and software advance.
This digital report will explore several aspects of how IIoT will transform manufacturing in the coming years.

Find and connect with the most suitable service provider for your unique application. Start searching the Global System Integrator Database Now!

Infrastructure for natural gas expansion; Artificial lift methods; Disruptive technology and fugitive gas emissions
Mobility as the means to offshore innovation; Preventing another Deepwater Horizon; ROVs as subsea robots; SCADA and the radio spectrum
Future of oil and gas projects; Reservoir models; The importance of SCADA to oil and gas
Automation Engineer; Wood Group
System Integrator; Cross Integrated Systems Group
Jose S. Vasquez, Jr.
Fire & Life Safety Engineer; Technip USA Inc.
This course focuses on climate analysis, appropriateness of cooling system selection, and combining cooling systems.
This course will help identify and reveal electrical hazards and identify the solutions to implementing and maintaining a safe work environment.
This course explains how maintaining power and communication systems through emergency power-generation systems is critical.
click me