Ensuring network cybersecurity
Good cybersecurity requires understanding network risks, threats, and the technical safeguards that can prevent unwanted plant data intrusions.
"What’s the worst that could happen?" This question is at the heart of many plantwide discussions. Deliberations on safety interlocks, alarm rationalization, hazard analyses, job safety plans, and process equipment design routinely center on this premise. Why, then, do some facilities have a lackadaisical approach to the layout and protection of their network security?
We’ve seen a few examples of the "worst that could happen" in recent years. Retail giant Target was breached in late 2013 after a phishing attack on one of its vendors, in an incident estimated to have cost the company between $1.4 and $2.2 billion. In 2014, Sony Pictures took some heat for the hack that leaked a major motion picture and some damaging executive-level emails. An attack at Anthem, the second largest health insurer in the U.S., exposed records of up to 80 million customers.
Do you think your plant is immune? Not so fast. Symantec has reported that the U.S. energy sector is the second most frequently attacked sector, exceeded only by government. And government is no small target: the IRS breach exposed the personal information of about 300,000 Americans, and the breaches at the U.S. Office of Personnel Management led to the theft of data on some 22 million federal employees.
Speaking of governments, one of the slickest examples of nerd warfare was the attack on an Iranian uranium-enrichment facility with the Stuxnet worm, widely attributed to the U.S. and Israel. This brilliant little bug first built an electronic blueprint of the plant’s control system, then later varied the speed of the centrifuges enough to wear them out, all while replaying previously recorded values to the operators so that everything looked fine from inside the control room. According to an article in the New York Times, about 20% of Iran’s nuclear centrifuges were destroyed.
Some plants do well from a cybersecurity standpoint. Other sites have used such stringent security measures as the cryptic "text Billy for the wireless password" method. Seriously. Different plants run the gamut, from requiring a Transportation Worker Identification Credential card upon entry to requiring the driver of a vehicle to roll down the window and shout a number to the guard that supposedly corresponds to a vehicle pass list somewhere. Where does your plant fall in this spectrum? Is your network password written on a whiteboard in the control room or emailed in halves to two trusted supervisors?
Understanding the threat
Before discussing strategies to isolate and protect plant networks, consider the most common cyber attacks and the simplest guards against them.
As mentioned earlier, a phishing email was the entry point for the Target attackers. After an employee of a vendor with access to Target’s network opened the email, malware on the vendor’s machine captured the vendor’s network credentials. Using those credentials, the attackers were able to pull credit card data for approximately 40 million customers over the following weeks.
There are ways individuals/companies can protect themselves from phishing emails, and most of them revolve around the ability to recognize a bogus email link or attachment. If the sender is from an external entity or is simply someone unfamiliar to the user, that should immediately warrant extra scrutiny. For example, if "Jane from purchasing," whom you’ve never heard of, sends you a highly generalized paragraph, then urges you to open an attachment or hyperlink, it’s probably best to delete that one.
Hovering over a hyperlink in an email should display the actual Internet address it points to, and if anything "smells phishy," such as an altered company name, a domain that does not match the visible link text, or references to ads, it’s probably best to leave it alone. Setting up rules in your inbox to flag emails from external senders is another simple way to draw attention to suspicious messages, especially the easy-to-miss ones that mimic familiar addresses by inserting a dash or substituting a numeral "1" or an uppercase "I" for a lowercase "L," for example. PayPal has published a good presentation on phishing scams.
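The two tells described above, a visible link text that names one domain while the underlying href points at another, and a look-alike domain built from confusable characters or an inserted dash, can be checked mechanically. The following is an added example, not code from the original article or from any product it mentions: a small heuristic scanner for the anchors in an HTML email body. The trusted-domain allow-list and the sample email are constructed for this demonstration; a real deployment would use the organization’s own domains.

```python
"""Heuristic phishing-link scanner for HTML email bodies (added example).

Flags: an external sender domain, a link whose visible text names a different
domain than its href, and an href domain that is a look-alike of a trusted
domain (digit 1 for l, 0 for o, rn for m, vv for w, 5 for s, inserted dashes).
The allow-list and sample message below are constructed for this example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list of domains the plant treats as its own or as known partners.
TRUSTED_DOMAINS = {"example.com", "paypal.com"}

# Character sequences an attacker swaps in because they look alike on screen.
CONFUSABLES = {"1": "l", "|": "l", "0": "o", "rn": "m", "vv": "w", "5": "s"}

URL_IN_TEXT = re.compile(r"https?://[^\s<>\"']+|(?:[\w-]+\.)+[A-Za-z]{2,}")


def registrable_domain(host):
    """Crude registrable domain: the last two labels (enough for this demo)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def normalize(domain):
    """Collapse visual tricks so look-alikes compare equal to the real name."""
    d = domain.replace("I", "l").lower()      # uppercase I drawn as lowercase l
    for bad, good in CONFUSABLES.items():
        d = d.replace(bad, good)
    return d.replace("-", "")                 # "pay-pal.com" -> "paypal.com"


def lookalike_of(domain, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain this one impersonates, or None."""
    if domain in trusted:
        return None
    norm = normalize(domain)
    for t in trusted:
        if norm == normalize(t):
            return t
    return None


def host_of(url):
    if "://" not in url:
        url = "http://" + url
    return urlparse(url).hostname or ""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze_email(sender, html_body):
    """Return a list of human-readable findings; empty means nothing suspicious."""
    findings = []
    sender_domain = registrable_domain(sender.rsplit("@", 1)[-1])
    if sender_domain not in TRUSTED_DOMAINS:
        findings.append(f"external sender: {sender_domain}")
    parser = LinkExtractor()
    parser.feed(html_body)
    for href, text in parser.links:
        href_dom = registrable_domain(host_of(href))
        shown = URL_IN_TEXT.search(text)
        if shown:
            text_dom = registrable_domain(host_of(shown.group(0)))
            if text_dom != href_dom:
                findings.append(f"link text shows {text_dom} but href goes to {href_dom}")
        fake = lookalike_of(href_dom)
        if fake:
            findings.append(f"{href_dom} looks like {fake}")
    return findings


# Constructed sample: "Jane from purchasing" at an unfamiliar domain, with a
# link whose visible text is the real PayPal URL but whose href is a look-alike.
SAMPLE_SENDER = "jane.doe@purchasing-vendor.net"
SAMPLE_BODY = """
<p>Hello, please review the attached invoice and confirm payment.</p>
<p><a href="http://paypa1.com/login">https://www.paypal.com/login</a></p>
<p><a href="https://example.com/docs/invoice.pdf">Invoice</a></p>
"""

if __name__ == "__main__":
    for finding in analyze_email(SAMPLE_SENDER, SAMPLE_BODY):
        print("SUSPICIOUS:", finding)
```

Note the limit of the confusable check: DNS is case-insensitive, so an uppercase "I" only fools the eye in the displayed text; the href actually resolves to the domain spelled with an "i", which is exactly why the hover-and-read-the-real-address habit above is worth teaching.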
Malware, such as the Stuxnet worm or the point-of-sale malware used in the Home Depot attack of 2014, may be a bit tougher to spot. It can enter via attachments, bad URLs, a thumb drive, or even hidden inside an image file. Typically, one computer gets hit with malware first, which then collects information about the user or the network. Later, the attack proper is launched with a variety of possible effects, most often corrupting software or compromising sensitive information. The safe email guidelines mentioned earlier can help weed out some of this, but more stringent measures, such as web filtering and policies limiting the use of removable storage devices, may be necessary, although they’re often unpopular with users. Notice the trend: Most cyber attacks prey on people. The human element is typically the weakest link in any network’s "security chain."
The weakest link
Humans are easier to manipulate and exploit than the networks themselves. As one of the people behind the Stuxnet worm so aptly put it, "It turns out there are always idiots around who don’t think much about the thumb drive in their hand." Employees, or anyone with network access for that matter, must be educated to recognize and avoid security threats.
That includes recognizing social engineering, email scams (phishing), viruses, and so on. Social engineering is deceptive infiltration: even something as simple as a believable story about a pest control inspection or a utility maintenance call can fool people into granting access to places an outsider shouldn’t be. If your plant doesn’t enforce the following items, perhaps it should:
- Clean-desk policies that help ensure sensitive information isn’t readily available to be exploited
- Hardware disposal, such as hard drive shredding and locked containers for document shredding
- Mobile device management that helps ensure people with access from their smart phones have the proper locks in place.
And about that thumb drive? Staging mock attacks is a great idea. Much like a fire drill, scattering USB drives that carry a harmless payload which simply reports back which computer they were plugged into is a good way to measure how vulnerable your plant is to malware delivered that way. Similarly, some IT departments send their own phishing emails that mimic real ones but link to a page that records who clicked and then explains how to recognize phishing scams. Any way that operators can be educated about safe browsing and likely attacks will pay dividends in security.
These cybersecurity concepts can help prevent unwanted intrusions and access to critical plant data, and hopefully your site has put most of them in place. If none of the information provided here sounds remotely reminiscent of your plant and the password "12345" gains access to any process equipment out there, you may be playing with fire. But what’s the worst that could happen, right?
Josh Bozeman is a project manager at Maverick Technologies. Maverick Technologies is a CFE Media content partner, CSIA Level 1 member, the Control Engineering System Integrator of the Year in 2011, and was inducted into the Control Engineering System Integrator Hall of Fame in 2012. Edited by Jack Smith, content manager, CFE Media, Control Engineering, firstname.lastname@example.org.
See interview with Tim Garrity to learn more about cybersecurity networks and what users can do to protect themselves.
The interview: He’s a hacker, but it’s okay
Tim Garrity is a security services manager for TraceSecurity LLC. Companies often hire IT security firms such as TraceSecurity to hack their facilities using a variety of methods. The idea is that finding out about a security gap from a friendly consultant is far more favorable than finding out from someone with nefarious intentions.
During a recent interview with Garrity, I asked him about how to ensure that a network security system is robust and how to avoid the weakest link in most networks.
Josh Bozeman: What is cyber security?
Tim Garrity: It’s a buzzword. Essentially, it’s the overall view of technical controls that should be in place to help prevent sensitive company data systems from being breached. Technical security and physical security should work together for network security. Multiple layers of defense should be in place in case one layer is compromised.
Bozeman: Multiple layers?
Garrity: If an intrusion protection system (IPS) or an intrusion detection system (IDS) device is compromised, there should be a separate solution or device in place, such as a perimeter firewall, to catch it. Additional controls include antivirus software and host-based intrusion prevention/detection (locally installed firewall on the workstation).
Bozeman: What would a well-guarded system look like?
Garrity: Ideally, an IPS/IDS should be in place as the perimeter of defense. Often, the IPS/IDS is monitored by a third party to supervise network activity and alert the company when suspicious activity is discovered. Next, firewalls should contain a rule set, which acts as a barrier to unauthorized network traffic. These rules include allowing specific inbound and outbound network traffic while blocking everything else that does not comply with these rules. Beyond that, biometric technology is currently pretty expensive to implement, but RFIDs, such as smart cards, are more reasonably priced. These are typical hardware safeguards.
Bozeman: What software safeguards do you suggest?
Garrity: First, antivirus software should be centrally managed (i.e., a central server pushes out the latest updates and ensures devices are updated correctly). In addition, it’s important to ensure an end user cannot disable this. Similarly, a centralized patch-management system is a necessity. It doesn’t make for a thrilling topic to talk about security updates for your operating system or firmware updates for any routers, switches, or firewalls, but it can get pretty exciting for everyone if one of these is exploited by an unethical hacker. Even those annoying Adobe Flash and Java updates are important.
Bozeman: Beyond the system architecture you’ve already described, what are some other components of a well-secured network?
Garrity: The administrators should ensure logging and reporting of anyone on the network side. That way, anyone who is trying to gain access to a device or system, modifying files, or stopping critical system services on the server is logged. A common best practice would be basing everything on least privilege, ensuring people have only the level of administrative rights they should. On that note, administrators should ensure there’s an employee account review periodically to ensure everyone’s account access is appropriate and current. Keeping track on a master security checklist when people are hired, fired, or change jobs will help this. And as any email-savvy person knows, complex passwords are crucial. Another security control to consider is the username itself.
Bozeman: What’s in a name?
Garrity: If a user account contains words such as "admin" in the username, it is an easy tip-off that the account likely has administrative access. Armed with this information, a malicious individual can perform a variety of password attacks with the hope of compromising the account and gaining administrative access on the network. A recommendation to consider is using a generic naming convention for accounts that have administrative access. This also includes renaming the global "Administrator" account as this is also a well-known attack vector.
Bozeman: What other dangers should we be aware of?
Garrity: We’re starting to find viruses hidden in jpeg images, but recently the exploits (e.g., Heartbleed, Poodle, etc.) have been a big problem. And while the program updates are important, Heartbleed and Poodle were the result of legacy technologies being exploited. Thus, having a migration strategy is crucial if you’re running a legacy system. Sorry XP users. This should probably be a given at this point, but securing the plant’s exterior network (with access to email and the Internet) is important, though it will always be somewhat vulnerable. Strictly limiting the points of contact between the plant’s control system network and the exterior network is equally, if not more, crucial.
Bozeman: We’re starting to see more wireless use in plants, with mobile operator interfaces and third-party skids that come bundled with wireless transmitters, whether or not you choose to configure them or even request them. Is this another potential area of concern?
Garrity: Using multifactor authentication, such as RSA SecurID tokens, RADIUS, and TACACS+ servers, is important to keep unauthorized users off a wireless network. At any rate, you want to have a way to detect and deny rogue devices. There are automated tools available to help you with this. However, determined hackers can still use a variety of tricks to gain access to a wireless network. One such method uses a brute force attack to "bump off" (deauthorize) a legitimately connected device on the wireless network. The hacker can then use tools to mimic the actual wireless network broadcast signal. In turn, an unknowing user will attempt to authenticate to the compromised wireless network and the malicious individual can potentially capture information, such as the wireless network’s password (this is referred to as a "password-hash"). This will make it easier for the hacker to crack the password using several free resources on the Web. With technical controls in place, you can mitigate that risk. But you never want to neglect your security for the sake of convenience.
Resources
The Real World Engineering blog is written by engineers at Maverick Technologies. Refer to these resources for more cybersecurity information:
- TraceSecurity LLC
- The SANS Institute
- The National Institute of Standards and Technology cyber security framework