Ensuring network cybersecurity
Good cybersecurity requires understanding network risks, threats, and the technical safeguards that can prevent unwanted plant data intrusions.
"What's the worst that could happen?" This question is at the heart of many plantwide discussions. Deliberations on safety interlocks, alarm rationalization, hazard analyses, job safety plans, and process equipment design routinely center on this premise. Why, then, do some facilities have a lackadaisical approach to the layout and protection of their network security?
We've seen a few examples of the "worst that could happen" in recent years. Retail giant Target was hit by a massive phishing email attack in 2014 that cost the company between $1.4 and $2.2 billion. Also in 2014, Sony took some heat for the hack that leaked a major motion picture and some damaging executive-level emails. An attack at Anthem, the second largest health insurer in the U.S., exposed records of up to 80 million customers.
Do you think your plant is immune? Not so fast. Symantec reported that the U.S. energy sector is the second most often attacked group, only exceeded by the government. Yes, that refers to the IRS breach that exposed the personal information of about 300,000 Americans, as well as the breaches at the U.S. Office of Personnel Management that led to 22 million federal employees' data being stolen.
Speaking of governments, one of the slickest examples of nerd warfare was the U.S.-Israeli attack on an Iranian nuclear uranium-enrichment facility with the Stuxnet virus. This brilliant little bug mapped out an electronic blueprint of the plant's network architecture, then later varied the speed of the centrifuges enough to wear them out—all while replaying recorded values to the operators so that everything looked fine inside. According to an article in the New York Times, 20% of Iran's nuclear centrifuges were destroyed.
Some plants do well from a cybersecurity standpoint. Other sites have used such stringent security measures as the cryptic "text Billy for the wireless password" method. Seriously. Different plants run the gamut, from requiring a Transportation Worker Identification Credential card upon entry to requiring the driver of a vehicle to roll down the window and shout a number to the guard that supposedly corresponds to a vehicle pass list somewhere. Where does your plant fall in this spectrum? Is your network password written on a whiteboard in the control room or emailed in halves to two trusted supervisors?
Understanding the threat
Before discussing strategies to isolate and protect plant networks, consider the most common cyber attacks and the simplest guards against them.
As mentioned earlier, an email phishing scam was the entry point for the Target attackers. After the email was opened by a vendor with corporate network access, the attacker stole the vendor's network credentials. The "e-thief" was able to pull credit card data for approximately 40 million customers over the next few weeks.
There are ways individuals/companies can protect themselves from phishing emails, and most of them revolve around the ability to recognize a bogus email link or attachment. If the sender is from an external entity or is simply someone unfamiliar to the user, that should immediately warrant extra scrutiny. For example, if "Jane from purchasing," whom you've never heard of, sends you a highly generalized paragraph, then urges you to open an attachment or hyperlink, it's probably best to delete that one.
Hovering over the hyperlink in an email should display the Internet address it contains, and if anything "smells phishy," such as an altered company name or references to ads, it's probably best to leave it alone. Setting up rules in your inbox to flag emails from external senders is another simple way to draw attention to suspicious messages, especially the easy-to-miss ones that mimic common addresses by inserting a dash or substituting a numeral "1" or uppercase "I" for a lowercase "L," for example. PayPal did a good presentation on phishing scams.
Malware, such the Stuxnet virus or the Home Depot attack of 2014, may be a bit tougher to spot. It can enter via attachments, bad URLs, a thumb drive, or even embedded in the code of a jpeg image. Typically, one computer will get hit with malware, which then collects data or information about the user or network. Later, the malware attack will launch with a variety of possible effects, but usually corrupting software or compromising sensitive information. The safe email guidelines mentioned earlier can help weed out some of this, but more stringent measures, such as Website blockers and policies limiting the use of removable storage devices, may be necessary, although they're often unpopular with users. Notice the trend: Most cyber attacks prey on people. The human element is typically the weakest link in any network's "security chain."
The weakest link
Humans are easier to manipulate and exploit than the actual networks. As one of the authors behind the Stuxnet virus so aptly put it, "It turns out there are always idiots around who don't think much about the thumb drive in their hand." Employees—or anyone with network access for that matter—must be educated to avoid security threats.
That includes recognizing social engineering, email scams (phishing), viruses, and so on. Social engineering involves a deceptive infiltration, even something as simple as a believable story about a pest control inspection or utility maintenance service can fool some people into granting access to places they shouldn't be. If your plant doesn't enforce the following items, perhaps it should:
- Clean-desk policies that help ensure sensitive information isn't readily available to be exploited
- Hardware disposal, such as hard drive shredding and locked containers for document shredding
- Mobile device management that helps ensure people with access from their smart phones have the proper locks in place.
And about that thumb drive? It's a great idea to stage mock attacks. Much like a fire drill, leaving USB drives around that report the computer used to check it is a great way to see how vulnerable your plant is to malware delivered that way. In addition, some IT departments send phishing emails that mimic real ones, but link to a page that captures the user's profile and contains information about phishing scams. Any way that operators can be educated about smart browsing and possible attacks will pay dividends in security.
These cybersecurity concepts can help prevent unwanted intrusions and access to critical plant data, and hopefully your site has put most of them in place. If none of the information provided here sounds remotely reminiscent of your plant and the password "12345" gains access to any process equipment out there, you may be playing with fire. But what's the worst that could happen, right?
Josh Bozeman is a project manager at Maverick Technologies. Maverick Technologies is a CFE Media content partner, CSIA Level 1 member, the Control Engineering System Integrator of the Year in 2011, and was inducted into the Control Engineering System Integrator Hall of Fame in 2012. Edited by Jack Smith, content manager, CFE Media, Control Engineering, email@example.com.
See interview with Tim Garrity to learn more about cybersecurity networks and what users can do to protect themselves.