Inspiring cyber-physical security into design

Visualizing the relevance of cyber-physical systems in applications provides background for why new approaches to security are required.

By Gregory Hale, ISSSource October 17, 2015

It wasn’t that long ago when a well-known industrial control system (ICS) security professional was feeling down because of the influx of IT security people invading the industrial sector.

"There are just too many people in here now that don’t know a PLC [programmable logic controller] from a solenoid trying to offer advice to people who want to do the right thing. But these people don’t know how to separate fact from fiction," the pro said.

Who could disagree?

While the IT-OT schism remains an immediate cause for concern, after attending the mainly IT-centric Blackhat USA 2015 security conference a couple of weeks ago, it appears the IT side of the house wants to start understanding the importance and differences of what industrial security is all about. The level of importance for securing the critical infrastructure keeps rising every day, and the more intelligence the IT environment gets about the OT side, the better off all manufacturing automation companies will be. After all, IT does have an excellent track record for security, and they have been at it for quite a while, albeit from a different angle.

Yes, IT security professionals need to know the importance of availability. They need to know the system cannot go down for a couple of hours to work on a few things. They have to stay up and running for years at a time in some cases.

There was a glimmer of hope, though. At the preconference event by Invincea, Kim Zetter, author of Countdown to Zero Day, and Vikram Thakur, a senior researcher from Symantec, discussed the importance of the Stuxnet attack and what it all meant. Granted the talk had an IT slant and didn’t really get into the importance of breaking into a nuclear plant’s control system, but the panelists did have a long discussion about the attack.

Whether anyone agreed or disagreed with the panelists, it was clearly a shout out for the industrial control system environment.

Chemical plant hack

Then there was a talk on how to break into a chemical plant.

Marina Krotofil, senior security consultant at the European Network for Cyber Security, gave a talk before a packed room titled, "Rocking the Pocketbook: Hacking Chemical Plants for Competition and Extortion." The interesting thing is Krotofil gave a quick basics course on the manufacturing automation industry and the importance of keeping systems up and running because of the dangerous possibilities of a successful hack.

Understanding the future of cyber-physical systems security will pay off in terms of keeping a plant safe, Krotofil said.

Another talk focused on Globalstar satellite transmissions used to monitor water pipelines and drilling applications for oil and gas that can end up compromised to alter messages.

"Hackers can inject data into systems. These are 20-year-old systems built before security was thought of," said Colby Moore, a security researcher at Synack. Sound familiar?

In these old systems, "There is no encryption and everything is done in plain text," Moore said. "That may have been the case years ago, but there is no excuse today."

From oil and gas devices to tracking fleets to consumer products, there are millions of devices deployed, Moore said.

Shamoon revisited

Another talk focused on Shamoon, the brutal attack that took down 35,000 computers at oil giant Saudi Aramco in 2012.

For those that don’t remember, Shamoon was a computer virus that attacked computers running Microsoft Windows. Shamoon was capable of spreading to other computers on the network, through exploitation of shared hard drives. Once a system suffered infection, the virus continued to compile a list of files from specific locations on the system, erased files, and then sent information about the files back to the attacker. Finally, the virus overwrote the master boot record of the system to prevent it from booting. Saudi Aramco, RasGas, and SAFCO all fell victim to the attack. It was a two-pronged attack during Ramadan, Christina Kubecka said. Over half of Microsoft Windows systems were affected, and the virus corrupted 35,000 systems.

Kubecka, who gave the Shamoon talk titled, "How to Implement IT Security after a Meltdown," really focused on the IT side, but also understood the differences between IT and OT.

"What IT doesn’t understand is a power plant can’t do a quick reboot to start the system," she said. "ICS was separated (during the attack), and that was fantastic."

While Saudi Aramco’s production did not suffer from the attack, the aftermath was a problem for the entire country.

"Tanker trucks were lined up for miles waiting to get refined gasoline," Kubecka said. "Seventeen days after the attack there were gasoline shortages around Saudi Arabia. ICS and IT networks remained isolated. There were no e-mails, no phones, and no fax machines."

Are IT and OT on the same page? No way. But they are in the same book. That is a positive that came out of the conference. While there will still be doubters and naysayers about IT working in the ICS space—and it will take years to get on the same page—there remains hope IT and OT will be able to forge a good working relationship.

Talk to me.

Gregory Hale is the editor and founder of Industrial Safety and Security Source (ISSSource). This article originally appeared on ISSSource. ISSSource is a CFE Media content partner. Edited by Joy Chang, digital project manager, CFE Media, jchang@cfemedia.com.

Original content can be found at www.isssource.com.