If you cannot afford an Einstein to protect the network, try a canary

By using what is known as a “canary,” companies can take an active defense against cyber attackers. The canary alerts IT when something on the system has changed, so action can be taken to shore up the system and block the attackers. The average time between system compromise and detection is more than seven months, far too long for a company to go without knowing that its manufacturing IT system has been hacked.


With attacks on cyber systems becoming more sophisticated, it is only a matter of time before manufacturing IT systems will be hacked. The worst part about the hack will be that IT may not even know about it until the damage has been done. The average time from system compromise to detection is more than seven months. In addition to Internet and intranet attacks, attacks can come from any attached device in the system. Even devices that had formerly been considered "safe," such as mice, keyboards, printers, scanners, and hard disk drives, have been used to stealthily steal secrets. Most experts concede that absolute protection against attacks is impossible; the best course is to detect an attack while it is happening and respond quickly.

The U.S. Dept. of Homeland Security uses a set of tools called "Einstein" to protect the ".gov" websites. Einstein is a set of intrusion detection systems developed by the U.S. Computer Emergency Readiness Team. Einstein monitors network traffic in real time, looking at both the type of data being exchanged and the content of the data. The ".gov" websites and networks are under constant attack from amateurs, thieves, and state-sponsored organizations, so the U.S. government needs a sophisticated, expensive and all-encompassing system like Einstein to protect itself. Unfortunately, few companies can afford to allocate similar resources to protect internal systems.

One large, purposely unnamed, pharmaceutical company has developed a low-cost alternative to Einstein. It does require a bit of programming effort, but it sends an alert immediately if a system has been compromised. It is better to know right away than to discover months later that data and systems have been open to potential competitors or data thieves. The low-cost Einstein alternative is called a "canary" system. Like the proverbial canary in the coal mine [before instrumentation, the death of a caged canary would signal miners that oxygen was being displaced by explosive gases], the cyber security software tool detects a problem before it would normally be detected by security and network scans.

The canary concept is simple. Add a computer on every network segment that is protected by the same patch and version level as the least protected system. This means if a company is still running a Microsoft Windows 95 system with no safeguards or virus protection, then it should install another Windows 95 system without safeguards or virus protection. Name the canary system something that looks like it would be part of the environment, maybe the name of a commonly used vendor's product. If possible, install but do not execute a copy of the vendor's software in the canary system. The goal is to make the canary system a tempting target for attacks.

Write and install a simple application in the canary system that checks, every few minutes:

  • DLL file lengths
  • Executable file lengths
  • Changes to the registry
  • Network access rate
  • Disk access rate
  • CPU load
  • Disk space used

If the canary program is the only application running on the canary system, then any out-of-normal value means that something is going on and needs to be investigated. For example, if network traffic starts to spike, or CPU load goes from less than 1% to 5%, then something may have infected the network segment. The canary program can write out-of-normal conditions to a shared file, send a message to a monitoring system, or even set values in the data historian. The canary program also should generate a heartbeat message, so that it is known if it stops checking. A key element of a canary program is to be hard to detect, which is why it is better to write a custom canary program that cannot be detected using automated attack tools. To be even more secure, have a canary system for every class of system in the protected network. There may be Microsoft Windows 7, Microsoft Windows Server 2003, Microsoft Windows 8.1, and Linux canary systems all on the same protected network segment, all at the same patch level as the protected systems.
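The check loop described above, written out as an added example (not the pharmaceutical company's program or anything from the article): it records a baseline of DLL/EXE lengths, flags any file that changes, appears or disappears, compares a metric sample against the idle-box limits, and always emits a heartbeat. The `WATCHED_EXT` tuple, the `DEFAULT_LIMITS` thresholds and the metric names are assumptions; a Windows registry check is omitted because it is platform-specific.

```python
import os
import time
from typing import Dict, List, Optional

# Assumption: on a canary box the only executables of interest are these.
WATCHED_EXT = (".dll", ".exe", ".so")

# Hypothetical limits for a box that is doing nothing; a real canary would
# learn them from a quiet baseline period (CPU < 1%, a trickle of traffic).
DEFAULT_LIMITS = {"cpu_pct": 1.0, "net_kbps": 5.0, "disk_iops": 10.0, "disk_used_pct": 80.0}


def snapshot_files(root: str) -> Dict[str, int]:
    """Record the length of every watched file under root (the DLL/EXE length check)."""
    sizes: Dict[str, int] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(WATCHED_EXT):
                path = os.path.join(dirpath, name)
                sizes[os.path.relpath(path, root)] = os.path.getsize(path)
    return sizes


def diff_snapshots(baseline: Dict[str, int], current: Dict[str, int]) -> List[str]:
    """Alert on any file whose length changed, or that was added or removed."""
    alerts = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            alerts.append(f"FILE_REMOVED {path}")
        elif path not in baseline:
            alerts.append(f"FILE_ADDED {path} {current[path]} bytes")
        elif baseline[path] != current[path]:
            alerts.append(f"FILE_CHANGED {path} {baseline[path]}->{current[path]} bytes")
    return alerts


def check_metrics(sample: Dict[str, float], limits: Dict[str, float] = DEFAULT_LIMITS) -> List[str]:
    """Compare one sample of CPU, network and disk figures against the idle limits."""
    return [f"METRIC {k} {sample[k]} > {limits[k]}" for k in limits if k in sample and sample[k] > limits[k]]


def canary_cycle(baseline: Dict[str, int], root: str, sample: Dict[str, float],
                 now: Optional[float] = None) -> Dict[str, object]:
    """One check interval: a heartbeat is always produced, plus any alerts.
    The caller writes the result to the shared file, monitoring system or historian."""
    alerts = diff_snapshots(baseline, snapshot_files(root)) + check_metrics(sample)
    return {"heartbeat": now if now is not None else time.time(), "alerts": alerts, "ok": not alerts}
```

Run `canary_cycle` on a timer; a missing heartbeat in the shared file is itself the alarm that the canary has stopped singing.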

If a company can't afford an Einstein to protect manufacturing IT assets, and most companies can't, then a canary system should be installed on every protected network segment. Once the canary starts "singing" (or stops singing its heartbeat), IT personnel should be ready to take action.

- Dennis Brandl is president of BR&L Consulting in Cary, N.C., www.brlconsulting.com. His firm focuses on manufacturing IT. Edited by Eric R. Eissler, editor-in-chief, Oil & Gas Engineering, CFE Media, eeissler@cfemedia.com.

ONLINE extra

This posted version contains more information than the print/digital edition issue of Control Engineering.

See other 2015 articles at www.controleng.com/archive.