Plausible deniability is not a security strategy

Beware, you may have been instructed by a lawyer to not read this article.

12/30/2013


Recently I became aware of several attorneys and legal departments advising managers to stay unaware of control system cyber vulnerabilities outside of specific information provided by their vendors. Why? If the vendor states that a system is secure, then the asset owner and operator may be able to claim ignorance and avoid legal liabilities associated with loss of life or the unavailability of a critical asset.

This plausible deniability approach is not a security strategy for several reasons. First, many ICS (industrial control system) protocols (e.g., Modbus/TCP, DNP3, Profinet, EtherNet/IP, BACnet, etc.) are highly vulnerable due to no authentication, poor authentication, the owner’s chosen implementation, and poor vendor implementation within the cyber asset. Consider recent vulnerabilities identified by Adam Crain and Chris Sistrunk with DNP3 (ICSA-13-291-01 and others), and expectations of more to come with Modbus/TCP. Second, a quick Google search of “control system vulnerabilities” yields 2.4 million hits. Third, new ICS cyber asset vulnerabilities are coming to light with ICS-CERT notices increasing rapidly.

So ask yourself, are you better off pursuing due diligence and trying to build adequate levels of protection, or should you hope to hide behind the plausible deniability defense? Your vendor might not help you with the latter. Many now issue disclaimers pushing responsibility back on you. They warn that their system must be placed within a secure zone of your facility and point at standards and organizations like NIST 800-82, ISA 99 / IEC 62443, IEEE, NEI, AGA, NNSA, ISO 27001, API, ChemITC, individual governments, and several more that I probably missed.

Hide, or defend yourself?

Think about your role at your facility. Most companies want to ensure a level of profitability through a safe, reliable, and available operation. Your personal desire is food, shelter, and a safe environment for you and maybe a family. The world has changed with threat agents increasing in number and capabilities. Some are sponsored by major military powers. You may have to be the change agent that brings about a cultural shift toward a serious defensive strategy.

I recall when that responsibility fell on me many years ago. My early attempts to sell cyber security at a U.S. Department of Energy National Laboratory failed horribly. I did not connect my efforts to the mission of the laboratory or convince our Nobel Prize-winning scientists. The scientists wanted high availability of their research so that they could collaborate with the world, and my firewalls were interfering. Eventually, we put security in terms they understood. Instead of just focusing on cyber attacks, we explained, “What if someone were to manipulate your data, release your data early, or under a different brand?”

The thought of personal discrediting got their attention and they asked for security controls. The lesson: Every control system environment is different based upon corporate motives and ownership. You need to identify what will sell security in to your organization. Don’t wait for somebody else—you do it, and do it now.

This very minute, somebody is preparing cyber attacks against control systems. Your company and your livelihood may be at risk if someone does not step up. Seek out an opportunity to start a change, if not at your work, maybe where you live. Many control systems impact your environment: fresh water, natural gas, electricity, traffic control, your automobile, and the food supply. Attend a city council meeting and ask what is being done to protect your local water supply. Ask your auto mechanic about the latest firmware update to your ECU or ABS.

Cyber space is now a battlefield, and there is no plausible way to deny that ICSs are vulnerable. Take steps to protect yours: inventory your assets, document their communication patterns and the logic operating them. Look at the people accessing and managing them. Are there reasonable restrictions to operational, cyber, and physical activity? Establishing baselines of normal operation helps you determine when there is something unusual.

Basic security principles apply whether you’re dealing with physical or cyber security. Once you have the tools, you will begin to develop a sixth sense about what’s happening in your networks. Overcoming budgetary restrictions and political resistance may take some doing, but you might be the thing that makes a difference.

Matt Luallen is founder of Cybati, a security training and consulting organization. 

ONLINE

Control Engineering has extended the time available to access Matt Luallen’s 13-part cyber security training course at no charge, including PDHs

https://cybati.org

Follow security vulnerability announcements at http://ics-cert.us-cert.gov/standards-and-references 



GREGORY , TX, United States, 12/30/13 02:03 PM:

Burying one's head in the sand and denying the existance of potential vulnerability has never been a viable approach. Leave it to the "legal eagles" and "bean counters" to turn a deaf ear to reasoning. I guess action plan is to file lengthly litigation and feather their financial coffers. A proactive approach in dealing with cyber threats is always the best course of action.
Tim , TX, United States, 12/30/13 04:07 PM:

Thanks Matt, and thanks for the link to the 13 part series. I didn't need another reason to dislike lawyers but thanks for that also. Looking forward to the course.
The Engineers' Choice Awards highlight some of the best new control, instrumentation and automation products as chosen by...
Each year, a panel of Control Engineering editors and industry expert judges select the System Integrator of the Year Award winners.
The Engineering Leaders Under 40 program identifies and gives recognition to young engineers who...
Learn how to increase device reliability in harsh environments and decrease unplanned system downtime.
This eGuide contains a series of articles and videos that considers theoretical and practical; immediate needs and a look into the future.
Learn how to create value with re-use; gain productivity with lean automation and connectivity, and optimize panel design and construction.
Go deep: Automation tackles offshore oil challenges; Ethernet advice; Wireless robotics; Product exclusives; Digital edition exclusives
Lost in the gray scale? How to get effective HMIs; Best practices: Integrate old and new wireless systems; Smart software, networks; Service provider certifications
Fixing PID: Part 2: Tweaking controller strategy; Machine safety networks; Salary survey and career advice; Smart I/O architecture; Product exclusives
The Ask Control Engineering blog covers all aspects of automation, including motors, drives, sensors, motion control, machine control, and embedded systems.
Look at the basics of industrial wireless technologies, wireless concepts, wireless standards, and wireless best practices with Daniel E. Capano of Diversified Technical Services Inc.
Join this ongoing discussion of machine guarding topics, including solutions assessments, regulatory compliance, gap analysis...
This is a blog from the trenches – written by engineers who are implementing and upgrading control systems every day across every industry.
IMS Research, recently acquired by IHS Inc., is a leading independent supplier of market research and consultancy to the global electronics industry.

Find and connect with the most suitable service provider for your unique application. Start searching the Global System Integrator Database Now!

Case Study Database

Case Study Database

Get more exposure for your case study by uploading it to the Control Engineering case study database, where end-users can identify relevant solutions and explore what the experts are doing to effectively implement a variety of technology and productivity related projects.

These case studies provide examples of how knowledgeable solution providers have used technology, processes and people to create effective and successful implementations in real-world situations. Case studies can be completed by filling out a simple online form where you can outline the project title, abstract, and full story in 1500 words or less; upload photos, videos and a logo.

Click here to visit the Case Study Database and upload your case study.