Developing security from the inside out
Spear phishing campaigns used in advanced persistent threat (APT) attacks and social engineering are gaining a foothold into enterprise systems these days, which is providing a pivot point for assaults into the industrial control network.
In one case, a spear-phishing campaign by APT attackers targeted multiple sectors, including chemical, critical manufacturing, energy, and government facilities.
"The information technology (IT) space is often used as a vector to get into the operations technology (OT) networks," said George Wrenn, cybersecurity officer (CSO) and vice president cybersecurity at Schneider Electric. "Attackers will use any and all methods, tools and tactics to get access to industrial control systems (ICS). The rule is, ‘there are no rules.’"
The spear phishing attack involved emails with links that redirected to web sites hosting malicious files that exploited a Zero Day vulnerability (since then patched) in Adobe Flash Player, according to a report in the July-August ICS Monitor.
The IT case is just one scenario showing if an attacker wants to get in, the attacker will get in. That means end users’ approach to cybersecurity has to evolve from hardening the perimeter to securing from the inside out, beginning with core infrastructure and going out to the devices. That change could boost added productivity and ward off inside and outside attacks.
"Several times we have walked into a site and we saw a great deal of resources being allocated to the perimeter, like intrusion prevention systems, outside firewalls, and boundary protection," said Jay Abdallah, director of cybersecurity, EMEA, at Schneider Electric. "The company was also spending a significant amount of money on physical security, operational security, access control methodologies, man-in-the-middle traps, and other controls like deep packet inspection. The industry is spending millions on the perimeter and we are pretty convinced we are not going to get an attack from the outside world, meanwhile our USBs are completely unlocked and people don’t realize just charging your smartphone could introduce a vulnerability or a weakness in the operating system that could allow for exploitable code. While it is a great idea on spending to protect the outside, it is just as critical to protect from the inside."
For the end user, understanding what they have on the system and knowing the main area they need to protect remains the vital concern and always has to be top of mind.
"That goes back to the importance of the assessment process," said John Cusimano, director of industrial cybersecurity at aeSolutions. "You can’t design protection until you know what it is you are protecting. So, step one is assessing what is currently in place."
In quite a few cases, the user really doesn’t know what they have in terms of documentation or drawings on what is installed. Or if they do have the paper work, in quite a few cases the documents are out of date.
To solve that issue, the integrator or user needs to roll up his or her sleeves and get a full understanding of what is on the system, and then document it.
Once the user figures that out, the next step in the process is to take the system and partition it using the zones-and-conduits model, Cusimano said. Stemming from the IEC 62443 standard, the zones-and-conduits model is part of a defense-in-depth approach that helps lock down a network. Using this model, a user creates a focused zone on the system that segments specific critical assets in a part of the ICS network. The zone should only allow minimum required traffic in, and when threats do come through, alarms sound. A conduit is a pathway of communications that enters and exits a zone.
"What you do is partition the system into zones and conduits and then you can do your risk assessment because it is impossible to risk assess a large system at once," Cusimano said. "You have to break it down. That is one of the big benefits of the zones and conduits approach."
Protecting from within is becoming a clearer message. A majority (62%) of security professionals said insider threats have become more frequent in the last 12 months, according to a SpectorSoft report.
The report also found fewer than 50% of organizations have appropriate controls to prevent insider attacks. Insider threats are difficult to detect, the report said, since the majority of security budgets and efforts end up directed at defending the perimeter.
"If we can show how the perimeter of a particular system can be breached, it is game over. Once an attacker has breached the physical boundary, he or she should be able to do anything they want," Abdallah said.
That is where a new way to think about security comes into play.
"I would hope that everyone will start to realize the importance of moving beyond traditional tactical security controls to more strategic controls like using application control and whitelisting methods," said Joel Langill, an independent security researcher, consultant, and creator of the website SCADAhacker.com. "Strategic controls offer more resilience to evolving threats that are coming through sophisticated threat actors by not depending on knowledge that originates external to your security perimeter. By identifying a safe and secure baseline fingerprint, that can be used to detect anomalies very quickly within the secure industrial networks."
Understanding what to do
Once the user understands that protecting from the inside is just as important as protecting the perimeter, they then have to rely on training to set everyone straight.
"Now that the threats are in the industrial control spaces, users, operators and engineers are going through safety training, and part of that training is cybersecurity," said Joshua Carlson, industrial automation manager for cybersecurity in North America at Schneider Electric. "That has to continue to happen on a regular cadence. If you don’t invest in and train those people, they are going to forget. They will slip up."
Attack methods are evolving and so, too, should security approaches so end users don’t end up protecting one area and end up watching attackers race through another.
"We are trying to stress you don’t just update your technology, you have to update your people with training so they can continue to understand that threats are evolving," Carlson said.
Gregory Hale is the editor and founder of Industrial Safety and Security Source (ISSSource.com), a news and information Website covering safety and security issues in the manufacturing automation sector. This content originally appeared on ISSSource.com. Edited by Chris Vavra, production editor, CFE Media, Control Engineering, email@example.com.
See additional stories from ISSSource about the IIoT linked below.