Cyber security protection enters a new era

Watch for a backdoor cyber security assault. The Juniper Networks incident in December 2015 changed how industry looks at device security as hackers exploit deliberate weaknesses being installed into software. End users, integrators, and device manufacturers need to adapt and prepare for this new reality. Follow these cyber security steps.


Example of a Juniper device. Courtesy: YokogawaA software engineer is trying to complete a major block of code, but his boss cut out a large section including some open-source routines downloaded from the Internet. Replacing those routines will add days to the project. He runs to his boss' office and pleads: "I need to use that software in the system."

"You can't use it. It's been compromised."

The engineer nods, having anticipated that reply. "Yes, it's open-source and came from the Web, but we've used it before. I also talked with the software engineers, and they will do a line-by-line review of the source and object code."

The boss looks up and glances at his award for years of service at an undisclosed location. "You can never be sure something isn't in there," he says.

That brief scene might sound like something from a suspense movie, but the situation could be very real given recent events in the cyber security community. Most think of software as something that does what it's supposed to most of the time and therefore sometimes neglect lurking danger.

Software engineers trying to write code for devices and industrial systems want to avoid re-inventing the wheel. If someone has already written code to do a certain job, and it works, they don't want to write it again. They'd rather save time by downloading freeware and open-source code off the Web. Or, they could pick up existing code from earlier products with a proven track record. All of this gets cobbled together and loaded into a new device. As long as it does what it's supposed to, nobody needs to know or care where it came from.

This has been the working assumption for quite a while, but the landscape is changing. The cyber security world is becoming more confusing with nation-states, hacktivists, and cyber criminals making their presence known. Hackers and their efforts reflect a wide spectrum of skill levels. Some are clumsy and easy to spot. Others are more insidious and undetectable by all except the most sophisticated forensic cyber specialists.

While the engineer looking to streamline the project means well, his boss is correct: unsecure code can lurk within such software. Sometimes it can be found and removed, but a recent example of a cyber security breach proves that the threat can be well camouflaged.

The Password is "<<< %s(un='%s') = %u"

Those of us old enough can remember hearing the "Password" game show announcer whispering the key word for viewers at home. Nobody would guess this one, but it will become prevalent to the casual user because it is changing the threat landscape.

In December 2015, Ars Technica published a stunning report: "On Dec. 17 [2015], Juniper Networks issued an urgent security advisory about 'unauthorized code' found within the operating system (OS) used by some of the company's NetScreen firewalls and secure service gateway (SSG) appliances. A patch was issued to the affected device OS, and forensic investigation determined the unauthorized code acted as a backdoor into the device" (see Figure 1). 

What makes this stunning is the way the password was hidden. Forensic investigations determined the administrator password used to evade normal authentication was "<<< %s(un='%s') = %u." Security researchers looking at this bit of gibberish might recognize that it was crafted to appear as debugging or test code within a software source code file. This suggests two conclusions:

  1. The unauthorized backdoor was put there intentionally.
  2. It was carefully designed to evade detection.


This is the beginning of a new era of cyber criminal threats. We are all used to the notion of attackers exploiting vulnerabilities caused by software flaws. It is a common tactic, and everyone is aware of it. Software patches are supposed to fix these flaws and address these vulnerabilities.

Now we seem to be moving into an era where vulnerabilities are built into software deliberately and then carefully hidden. Attackers aware of the hidden code's function can use such planted vulnerabilities when they like.

Naturally, some companies are taking this threat very seriously. Cisco, for example, undertook an effort to see if similar backdoors exist in its products and discovered that they do. Like Juniper, Cisco is developing patches to prevent breaches

Fortinet has also acknowledged that a backdoor exists in a variety of its products. The hard-coded password has been characterized as a feature for remote management. 

Other companies have not always been so quick to respond. Before Juniper, there was also RuggedCom, which included a backdoor in products with its Rugged Operating System. However, they did not inform purchasers of this. A user discovered it in 2011, but the company was reluctant to address the situation. This backdoor was also apparently installed deliberately. 

Returning to the Juniper case, the purpose of the backdoor was apparently to gain access to the network device's configuration and its seed parameters for virtual private network (VPN) encryption routines. Juniper used a nonstandard set of parameters to initialize encryption, and the only way to obtain the encryption parameters was to gain administrator access. There has been much speculation as to who did this, but the "why" question is easy to answer. A backdoor's purpose is to create an entrance to a network.

A door to the network

Network device vendors are targeted in this manner because their products are entry points to networks. Access to a router or gateway provides entry to an industrial or enterprise system. Network device security thus often proves to be the soft underbelly of many organizations' defensive strategies. The value of such a backdoor secretly placed in a device, hidden with normal-looking code, is huge, and the larger implications are frightening.

Many organizations view their network devices simply as infrastructure; specifically, waypoints in their information distribution systems. The thought of information switches being accessed in an undetectable way is truly disturbing. The larger and more alarming message is that much of the last 20 years of network security best practices have now been rendered obsolete.

Best practices are no longer best

Why? Let's consider some examples of how this new network device threat will change security best practices:

  • Using network switches to implement virtual local area network (VLAN) separation between industrial control and business networks is no longer adequate. No organization can design networks with VLAN separation and expect them to be secure. If devices can be compromised at the administrative level, then any virtual separation cannot be guaranteed. It will be time to return to physical separation, creating huge communication problems.
  • Depending on VPN encryption as a magic bullet to protect confidentiality is no longer adequate. An organization will need to start looking at how deeply it depends on VPN techniques as their "go to" solution to move information on secured networks. A VPN tunnel is no longer safe across any network-particularly for long-distance communication within global organizations.
  • Assuming all is well with network device configuration isn't safe anymore. Many organizations follow a basic practice: if nobody touches a device, it has the same configuration it had before. That is no longer true. Companies will need to ramp up configuration control and auditing to account for the possibility of device configurations being changed by unauthorized means.

These are obvious security threats, and more will emerge as the full effect of this situation is realized. With the Pandora's Box of suspect code in networking devices now open, no one really knows how far the trail goes into rethinking cyber security. With this new reality in mind, there are some tips that end users, integrators, and device manufacturers, respectively, should follow.

Learn more about the tips that could benefit end users, integrators, and device manufacturers.

<< First < Previous 1 2 Next > Last >>

James , , 03/30/16 11:02 AM:

So the best practise is to develop all of your code in-house. The problem is where do the vulnerabilities stop; are compilers using open source code?
Phil , United States, 03/30/16 12:26 PM:

the boss does indeed have a point. so why is he not demanding a line-by-line security review of all the software from all of his vendors?

it is foolish to think that proprietary software is any safer than open-source software. yes, it is somewhat more difficult for the cracker to obtain and corrupt the source for proprietary software, but how does one know how good the security of that proprietary code is? unless you're a government or an extremely large customer of the vendor, good luck trying to get access to any reviews. it would be even harder to review, say, the source for Windows 10. or to Siemens Step7 CPU firmware.

if U're serious about security, you'll have to accept that most proprietary software is unvettable because of lack of access to the source code, and your only recourse if you can't at least sign an NDA for your programmers to examine the code is to add boilerplate to the software sales contract to make sure that the vendor is accountable in at least some situations.

as for open-source software, download the canonical software and pay a security firm for a thorough review. that code can then become part of your code base and be subjected to the same reviews on the same schedule to which all of your inhouse software is subject.

with all the reports of cracked commercial software, it would be foolish to think that proprietary software is immune to attack.
The Engineers' Choice Awards highlight some of the best new control, instrumentation and automation products as chosen by...
The System Integrator Giants program lists the top 100 system integrators among companies listed in CFE Media's Global System Integrator Database.
Each year, a panel of Control Engineering and Plant Engineering editors and industry expert judges select the System Integrator of the Year Award winners in three categories.
This eGuide illustrates solutions, applications and benefits of machine vision systems.
Learn how to increase device reliability in harsh environments and decrease unplanned system downtime.
This eGuide contains a series of articles and videos that considers theoretical and practical; immediate needs and a look into the future.
Controller programming; Safety networks; Enclosure design; Power quality; Safety integrity levels; Increasing process efficiency
Additive manufacturing benefits; HMI and sensor tips; System integrator advice; Innovations from the industry
Robotic safety, collaboration, standards; DCS migration tips; IT/OT convergence; 2017 Control Engineering Salary and Career Survey
Featured articles highlight technologies that enable the Industrial Internet of Things, IIoT-related products and strategies to get data more easily to the user.
This article collection contains several articles on how automation and controls are helping human-machine interface (HMI) hardware and software advance.
This digital report will explore several aspects of how IIoT will transform manufacturing in the coming years.

Find and connect with the most suitable service provider for your unique application. Start searching the Global System Integrator Database Now!

Infrastructure for natural gas expansion; Artificial lift methods; Disruptive technology and fugitive gas emissions
Mobility as the means to offshore innovation; Preventing another Deepwater Horizon; ROVs as subsea robots; SCADA and the radio spectrum
Future of oil and gas projects; Reservoir models; The importance of SCADA to oil and gas
Automation Engineer; Wood Group
System Integrator; Cross Integrated Systems Group
Jose S. Vasquez, Jr.
Fire & Life Safety Engineer; Technip USA Inc.
This course focuses on climate analysis, appropriateness of cooling system selection, and combining cooling systems.
This course will help identify and reveal electrical hazards and identify the solutions to implementing and maintaining a safe work environment.
This course explains how maintaining power and communication systems through emergency power-generation systems is critical.
click me