Cyber security essentials: Part III

The third and final installment of the Cyber Security Essentials series identifies best practices for protecting your internal and external networks, components of well-secured networks, and other dangers to be aware of.

By Josh Bozeman January 13, 2015

In Parts I & II of this article, we outlined some of the most common cyber attacks, and got some great feedback from an ethical hacker on system architecture that can protect your network. In this final section we’ll finish the interview with a discussion about the weakest link in most networks.

The weakest link

As was mentioned in Part I of this article, the weakest link of any network is the end user. Humans are generally easier to manipulate and exploit than networks themselves. As one of the authors behind the Stuxnet virus so aptly put it, “It turns out there is always an idiot around who doesn’t think much about the thumb drive in their hand.” Ouch! Employees—or anyone with network access for that matter—need to be educated to avoid security threats.

Tim Garrity, an information security analyst for TraceSecurity Inc., said this includes recognizing social engineering, e-mail scams, viruses, and the like. Social engineering involves deceptive infiltration: even something as simple as a believable story about a pizza delivery or a utility maintenance call can fool some people into granting access to places they shouldn’t. If your plant doesn’t currently enforce the next few items, they are probably worth implementing:

  • Clean desk policies help ensure sensitive information isn’t left out where it can be exploited.
  • Hardware disposal procedures, such as hard drive shredding, are a good practice, as are locked containers for documents awaiting shredding.
  • Mobile device management helps ensure that people who access the network from their smartphones have the proper locks in place.

And about that thumb drive? It’s a good idea to stage mock attacks. Much like a fire drill, leaving USB drives around that report back which computer was used to open them is a good way to see how vulnerable your plant is to malware delivered on removable media. Likewise, some IT departments send phishing e-mails that mimic real ones but link to a page that records the user’s profile and provides information about phishing scams. Any way operators can be educated about smart browsing and possible attacks will pay dividends in security.

Beyond the system architecture you’ve already described, what are some other components of a well-secured network?

The administrators should ensure logging and reporting of anyone on the network side. That way anyone who is trying to gain access to a device or system, or leaving files on the server, is logged. A common best practice would be basing everything on least privilege, ensuring people only have the level of administrative rights they should. On that note, administrators should ensure there’s an employee account review periodically to make sure everyone’s account access is appropriate and current. Keeping track on a master security checklist when people are hired, fired, or change jobs will help this. Oh, and as any e-mail-savvy person knows, complex passwords are crucial.
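The periodic account review described above can be scripted so that it runs the same way every time. The following is an added example, not code from the article or from TraceSecurity; it assumes a directory export and an HR roster in the constructed shapes shown, and an entitlement table mapping each job role to the groups it is allowed (the group and role names are invented). It flags three things: enabled accounts with no current HR record, accounts holding groups beyond their role, and accounts that have not logged in for a long time.

```python
"""Periodic account review against an HR roster (added example; sample data is constructed)."""
from datetime import date

TODAY = date(2015, 1, 13)

# Constructed directory export: one record per account.
ACCOUNTS = [
    {"user": "asmith", "groups": {"operators"}, "last_login": date(2015, 1, 10), "enabled": True},
    {"user": "bjones", "groups": {"operators", "domain-admins"}, "last_login": date(2015, 1, 12), "enabled": True},
    {"user": "cdoe", "groups": {"engineers"}, "last_login": date(2014, 6, 1), "enabled": True},
    {"user": "dlee", "groups": {"engineers"}, "last_login": date(2014, 9, 1), "enabled": True},
    {"user": "svc-hist", "groups": {"historian"}, "last_login": date(2015, 1, 12), "enabled": True},
]

# Constructed HR roster: only people currently employed, with their current job.
ROSTER = {"asmith": "operator", "bjones": "operator", "dlee": "engineer"}

# Least-privilege baseline (assumed): the groups each job role is entitled to.
ENTITLEMENTS = {"operator": {"operators"}, "engineer": {"engineers"}}

# Service accounts have no HR record by design and are reviewed separately.
SERVICE_ACCOUNTS = {"svc-hist"}


def review_accounts(accounts, roster, entitlements, today, stale_days=90):
    """Return (user, finding, detail) tuples for accounts needing attention."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        if user in SERVICE_ACCOUNTS:
            continue
        if user not in roster:
            # Nobody in HR owns this account: a leaver whose access was never removed.
            if acct["enabled"]:
                findings.append((user, "orphaned", "enabled account with no current HR record"))
            continue
        role = roster[user]
        excess = acct["groups"] - entitlements.get(role, set())
        if excess:
            # Privilege beyond what the current job needs (e.g. left over from a job change).
            findings.append((user, "excess-privilege",
                             f"groups beyond role '{role}': {sorted(excess)}"))
        idle = (today - acct["last_login"]).days
        if acct["enabled"] and idle > stale_days:
            # Unused but still enabled accounts are an easy target; disable until justified.
            findings.append((user, "stale", f"no login for {idle} days"))
    return findings


if __name__ == "__main__":
    for user, kind, detail in review_accounts(ACCOUNTS, ROSTER, ENTITLEMENTS, TODAY):
        print(f"{user:10} {kind:17} {detail}")
```

Run it against a fresh export on a schedule (and whenever the hire/fire/job-change checklist is touched), and treat every "orphaned" finding as an immediate disable, since it is exactly the leftover access the checklist is meant to prevent.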

What other dangers should we be aware of?

We’re starting to find viruses hidden in .JPEG images, but recently the exploits (e.g. Heartbleed, Poodle, etc.) have been a big problem. And while the program updates are important, Heartbleed and Poodle were the result of legacy technologies being exploited. Thus, having a migration strategy is crucial if you’re running a legacy system. Sorry XP users. This should probably be a given at this point, but securing the plant’s exterior network (with access to e-mail and the Internet) is important, but will always be somewhat vulnerable. Equally, if not more crucial, is strictly limiting the points of contact between the plant’s control system network and the exterior one.
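A migration strategy starts with knowing which systems are affected. The script below is an added example, not the article's or TraceSecurity's code: it triages a constructed inventory export for the three conditions named above. The thresholds it uses are stated as assumptions in the comments: Windows XP's vendor end-of-support date, the OpenSSL 1.0.1 release range affected by Heartbleed, and the fact that POODLE is a weakness of SSLv3 itself, so the mitigation is to turn SSLv3 off. The inventory line format is invented for the example.

```python
"""Legacy-system triage for a migration plan (added example; inventory lines are constructed)."""
import re
from datetime import date

TODAY = date(2015, 1, 13)

# Constructed inventory export: host | operating system | OpenSSL version | SSLv3 state.
INVENTORY = """\
hist01 | Windows Server 2008 R2 | openssl=1.0.1e | sslv3=on
hmi02  | Windows XP SP3         | openssl=none   | sslv3=on
gw03   | CentOS 6.5             | openssl=1.0.1g | sslv3=off
eng04  | Windows 7              | openssl=1.0.2  | sslv3=off
"""

# Assumptions used by the triage:
# - Windows XP left vendor support on 2014-04-08 (public end-of-support date).
# - Heartbleed affected OpenSSL 1.0.1 through 1.0.1f; 1.0.1g carried the fix.
# - POODLE is a flaw in SSLv3 itself, so any host with SSLv3 enabled is exposed.
EOL_OS = {"Windows XP": date(2014, 4, 8)}
HEARTBLEED_RANGE = ((1, 0, 1, ""), (1, 0, 1, "f"))

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]?)")


def parse_openssl(ver):
    """'1.0.1f' -> (1, 0, 1, 'f'); anything unparseable (e.g. 'none') -> None."""
    m = VERSION_RE.fullmatch(ver.strip())
    if not m:
        return None
    return (int(m[1]), int(m[2]), int(m[3]), m[4])


def triage(inventory, today):
    """Return (host, issue) pairs, in inventory order, for hosts needing migration work."""
    findings = []
    for line in inventory.splitlines():
        host, os_name, ssl_field, sslv3_field = [f.strip() for f in line.split("|")]
        # End-of-life OS: no more vendor patches, so migration rather than updates.
        for name, eol in EOL_OS.items():
            if os_name.startswith(name) and today >= eol:
                findings.append((host, "eol-os"))
        # Heartbleed: tuple comparison handles the letter suffix ('' < 'f' < 'g').
        ver = parse_openssl(ssl_field.split("=", 1)[1])
        if ver is not None and HEARTBLEED_RANGE[0] <= ver <= HEARTBLEED_RANGE[1]:
            findings.append((host, "heartbleed-openssl"))
        # POODLE: the protocol is the problem, so the fix is configuration, not a patch.
        if sslv3_field.split("=", 1)[1] == "on":
            findings.append((host, "sslv3-enabled"))
    return findings


if __name__ == "__main__":
    for host, issue in triage(INVENTORY, TODAY):
        print(f"{host:8} {issue}")
```

The useful output is the grouping: "sslv3-enabled" is a configuration change you can make this week, "heartbleed-openssl" is a patch, and "eol-os" is the migration project the passage is talking about, which no amount of patching replaces.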

We’re starting to see more wireless use in plants, with mobile operator interfaces and third-party skids that come bundled with wireless transmitters, whether or not you choose to configure them or even request them. Is this another potential area of concern?

Having multi-factor authentication in place, like RSA SecurID tokens and RADIUS servers, is important to keep unauthorized users off a wireless network. At any rate, you want to have a way to detect and deny rogue devices. Still, determined hackers will use a variety of tricks to gain access to a network. One such method uses a brute force attack to “bump off” (de-authorize) users legitimately connected to the network. The hacker can then intercept network data and potentially capture information about the wireless network’s password (this is referred to as a “password-hash”), which will make it simpler for the hacker to crack the password using several free resources on the Web. With technical controls in place, you can mitigate that risk, but never want to neglect your security for convenience.
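The two detections this answer calls for, spotting rogue access points and noticing when someone is knocking legitimate clients off the network, can both be run over the management frames a wireless sensor records. The following is an added example, not code from the article or from TraceSecurity; it works over a constructed frame log in an invented one-line-per-frame format (epoch time, frame subtype, transmitter address, BSSID, SSID), with an assumed inventory of authorized BSSIDs and an assumed alert threshold.

```python
"""Rogue AP and deauthentication-flood detection over a constructed 802.11 management-frame log
(added example; log format, inventory and thresholds are assumptions)."""
import re
from collections import defaultdict, deque

# Constructed sensor log: BEACONs from two authorized APs and one impostor advertising the
# plant SSID, then a burst of DEAUTH frames carrying an authorized AP's address.
FRAME_LOG = """\
1421143200.10 BEACON tx=00:11:22:33:44:01 bssid=00:11:22:33:44:01 ssid=PLANT-OPS
1421143200.20 BEACON tx=00:11:22:33:44:02 bssid=00:11:22:33:44:02 ssid=PLANT-OPS
1421143200.30 BEACON tx=de:ad:be:ef:00:01 bssid=de:ad:be:ef:00:01 ssid=PLANT-OPS
1421143201.00 DEAUTH tx=00:11:22:33:44:01 bssid=00:11:22:33:44:01 ssid=-
1421143201.10 DEAUTH tx=00:11:22:33:44:01 bssid=00:11:22:33:44:01 ssid=-
1421143201.20 DEAUTH tx=00:11:22:33:44:01 bssid=00:11:22:33:44:01 ssid=-
1421143201.30 DEAUTH tx=00:11:22:33:44:01 bssid=00:11:22:33:44:01 ssid=-
1421143201.40 DEAUTH tx=00:11:22:33:44:01 bssid=00:11:22:33:44:01 ssid=-
1421143201.50 DEAUTH tx=00:11:22:33:44:01 bssid=00:11:22:33:44:01 ssid=-
1421143201.60 DEAUTH tx=00:11:22:33:44:01 bssid=00:11:22:33:44:01 ssid=-
1421143205.00 DEAUTH tx=00:11:22:33:44:02 bssid=00:11:22:33:44:02 ssid=-
"""

# Assumed inventory: BSSIDs of the access points the plant actually deployed.
AUTHORIZED_BSSIDS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}
OUR_SSIDS = {"PLANT-OPS"}

LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<sub>\w+)\s+tx=(?P<tx>\S+)\s+bssid=(?P<bssid>\S+)\s+ssid=(?P<ssid>\S+)$"
)


def parse_frames(log):
    """Parse the constructed log into dicts; malformed lines are skipped, addresses lower-cased."""
    frames = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            frames.append({"ts": float(m["ts"]), "sub": m["sub"], "tx": m["tx"].lower(),
                           "bssid": m["bssid"].lower(), "ssid": m["ssid"]})
    return frames


def rogue_access_points(frames, authorized=AUTHORIZED_BSSIDS, our_ssids=OUR_SSIDS):
    """BSSIDs advertising one of our SSIDs without being on the inventory (evil-twin style)."""
    rogues = {f["bssid"] for f in frames
              if f["sub"] == "BEACON" and f["ssid"] in our_ssids and f["bssid"] not in authorized}
    return sorted(rogues)


def deauth_floods(frames, threshold=5, window=2.0):
    """(transmitter, first_ts) for any address sending >= threshold DEAUTH frames within `window` s.

    A single deauth is normal housekeeping; a burst from one address is someone bumping
    clients off the network. Frames are assumed to be in time order.
    """
    recent = defaultdict(deque)
    alerted = {}
    for f in frames:
        if f["sub"] != "DEAUTH":
            continue
        q = recent[f["tx"]]
        q.append(f["ts"])
        while q and f["ts"] - q[0] > window:   # drop frames older than the sliding window
            q.popleft()
        if len(q) >= threshold and f["tx"] not in alerted:
            alerted[f["tx"]] = q[0]
    return sorted(alerted.items())


FRAMES = parse_frames(FRAME_LOG)

if __name__ == "__main__":
    print("rogue APs:", rogue_access_points(FRAMES))
    print("deauth floods:", deauth_floods(FRAMES))
```

Note that a deauth burst spoofs the address of a legitimate AP, so the alert names the AP whose clients are being pushed off rather than the attacker; the response is to correlate with the physical location of the sensor that saw it and to check whether the AP supports protected management frames, which is the technical control that makes the spoofed frames ineffective.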

Well, we’ve laid out some central concepts to cyber security and specified the crucial components in preventing an unwanted intrusion to plant data. Hopefully your site covers most of the bases laid out here. If none of this sounds remotely reminiscent of your plant, and the password “12345” gains access to any process equipment out there, you may be playing with fire. But what’s the worst that could happen, right?

For more information, check out SANS top 20 or NIST, and special thanks to Tim Garrity at TraceSecurity, Inc. for the great insight.

This post was written by Josh Bozeman. Josh is a Proposal and Estimating Specialist at MAVERICK Technologies, a leading automation solutions provider offering industrial automation, strategic manufacturing, and enterprise integration services for the process industries. MAVERICK delivers expertise and consulting in a wide variety of areas including industrial automation controls, distributed control systems, manufacturing execution systems, operational strategy, business process optimization and more. 

MAVERICK Technologies is a CSIA member as of 3/5/2015