If you cannot afford an Einstein to protect the network, try a canary

By using what is known as a "canary," companies can mount an active defense against cyber attackers. The canary alerts IT when something on the system has changed, so action can be taken to shore up the system and block the attackers. The time between system compromise and detection averages more than seven months, far too long for a company to remain unaware that its manufacturing IT system has been hacked.

By Dennis Brandl April 27, 2015

With attacks on cyber systems becoming more sophisticated, it is only a matter of time before manufacturing IT systems are hacked. The worst part about the hack is that IT may not even know about it until the damage has been done. The average time from system compromise to detection is more than seven months. In addition to Internet and intranet attacks, attacks can come from any attached device in the system. Even devices that had formerly been considered "safe," such as mice, keyboards, printers, scanners, and hard disk drives, have been used to stealthily steal secrets. Most experts concede that it is impossible to provide absolute protection against attacks, and that the best thing to do is to detect when an attack is happening and respond quickly.

The U.S. Dept. of Homeland Security uses a set of tools called "Einstein" to protect the ".gov" websites. Einstein is a set of intrusion detection systems developed by the U.S. Computer Emergency Readiness Team. Einstein monitors network traffic in real time, looking at both the type of data being exchanged and the content of the data. The ".gov" websites and networks are under constant attack from amateurs, thieves, and state-sponsored organizations, so the U.S. government needs a sophisticated, expensive, and all-encompassing system like Einstein to protect itself. Unfortunately, few companies can afford to allocate similar resources to protect internal systems.

One large, purposely unnamed pharmaceutical company has developed a low-cost alternative to Einstein. It does require a bit of programming effort, but it sends an alert immediately if a system has been compromised. It is better to know right away than to discover months later that data and systems have been open to potential competitors or data thieves. The low-cost Einstein alternative is called a "canary" system. Like the proverbial canary in the coal mine [before instrumentation, the death of a caged canary would signal miners that oxygen was being displaced by explosive gases], the cyber security software tool detects a problem before it would normally be detected by security and network scans.

The canary concept is simple. Add a computer on every network segment that is protected at the same patch and version level as the least protected system on that segment. This means that if a company is still running a Microsoft Windows 95 system with no safeguards or virus protection, then it should install another Windows 95 system without safeguards or virus protection. Name the canary system something that looks like it would be part of the environment, perhaps the name of a commonly used vendor's product. If possible, install, but do not execute, a copy of the vendor's software on the canary system. The goal is to make the canary system a tempting target for attacks.

Write and install a simple application in the canary system that checks, every few minutes:

  • DLL file lengths
  • Executable file lengths
  • Changes to the registry
  • Network access rate
  • Disk access rate
  • CPU load
  • Disk space used.

If the canary program is the only application running on the canary system, then any out-of-normal value means that something is going on and needs to be investigated. For example, if network traffic starts to spike, or CPU load goes from less than 1% to 5%, then something may have infected the network segment. The canary program can write out-of-normal conditions to a shared file, send a message to a monitoring system, or even set values in the data historian. The canary program also should generate a heartbeat message, so that monitoring staff know if it stops checking. A key element of a canary program is that it be hard to detect, which is why it is better to write a custom canary program that cannot be detected using automated attack tools. To be even more secure, have a canary system for every class of system in the protected network. There may be Microsoft Windows 7, Microsoft Windows Server 2003, Microsoft Windows 8.1, and Linux canary systems all on the same protected network segment, each at the same patch level as the protected systems of its class.
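The following is an added example of the check-and-heartbeat loop described above; it is not the pharmaceutical company's tool or any code from the article. It records the length of every DLL and executable under a decoy vendor directory, compares a fresh snapshot against a baseline, checks resource metrics against fixed ceilings, and appends a heartbeat line (status OK or ALERT) to a shared file on every cycle so that silence itself becomes a signal. The threshold values, metric names (`cpu_percent`, `net_kbps`, `disk_iops`, `disk_used_pct`), the host name `canary-seg3` and the file `acme.dll` are assumptions; only disk usage is collected portably here, and the registry check from the list is Windows-specific and left to a platform collector.

```python
"""Added example: a minimal canary-host monitor (not the article's or any vendor's code)."""
import json
import os
import shutil
import time
from dataclasses import dataclass, field

# Assumed "normal" ceilings for an otherwise idle canary host; tune per segment.
DEFAULT_THRESHOLDS = {
    "cpu_percent": 5.0,     # article: load rising from <1% to 5% is suspicious
    "net_kbps": 50.0,       # network access rate (assumed unit)
    "disk_iops": 20.0,      # disk access rate (assumed unit)
    "disk_used_pct": 60.0,  # disk space used
}


@dataclass
class Snapshot:
    """One observation of the canary host: file lengths plus resource metrics."""
    file_sizes: dict
    metrics: dict
    taken_at: float = field(default_factory=time.time)


def snapshot_files(root, suffixes=(".dll", ".exe")):
    """Length of every DLL and executable under root (the decoy vendor install)."""
    sizes = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if name.lower().endswith(suffixes):
                path = os.path.join(dirpath, name)
                sizes[os.path.relpath(path, root)] = os.path.getsize(path)
    return sizes


def collect_metrics(root):
    """Portable subset of the article's metrics. CPU, network and disk I/O rates
    need a platform-specific collector (assumption: psutil or perfmon) and are
    merged in by the caller."""
    usage = shutil.disk_usage(root)
    return {"disk_used_pct": 100.0 * usage.used / usage.total}


def detect_changes(baseline, current, thresholds=DEFAULT_THRESHOLDS):
    """Return a list of out-of-normal conditions; an empty list means the canary is quiet."""
    alerts = []
    for path, size in baseline.file_sizes.items():
        if path not in current.file_sizes:
            alerts.append(f"file removed: {path}")
        elif current.file_sizes[path] != size:
            alerts.append(f"file length changed: {path} {size} -> {current.file_sizes[path]}")
    for path in sorted(current.file_sizes.keys() - baseline.file_sizes.keys()):
        alerts.append(f"new file: {path}")
    for name, limit in thresholds.items():
        value = current.metrics.get(name)
        if value is None:
            alerts.append(f"metric missing: {name}")   # collector stopped reporting
        elif value > limit:
            alerts.append(f"metric out of normal: {name}={value} (limit {limit})")
    return alerts


def heartbeat(host, snapshot, alerts):
    """Record for the shared file / monitoring system, emitted every cycle."""
    return {"host": host, "ts": int(snapshot.taken_at),
            "status": "ALERT" if alerts else "OK", "alerts": alerts}


def run_once(host, root, baseline, extra_metrics, log_path, thresholds=DEFAULT_THRESHOLDS):
    """One check cycle: snapshot, compare, append a heartbeat line, return alerts."""
    metrics = dict(collect_metrics(root))
    metrics.update(extra_metrics)
    current = Snapshot(snapshot_files(root), metrics)
    alerts = detect_changes(baseline, current, thresholds)
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(heartbeat(host, current, alerts)) + "\n")
    return alerts


if __name__ == "__main__":
    import tempfile
    # Constructed demo: a fake vendor directory, then a DLL that grows by 16 bytes.
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "vendor"))
        dll = os.path.join(tmp, "vendor", "acme.dll")
        with open(dll, "wb") as fh:
            fh.write(b"\x00" * 2048)
        idle = {"cpu_percent": 0.4, "net_kbps": 2.0, "disk_iops": 1.0}
        baseline = Snapshot(snapshot_files(tmp), {**collect_metrics(tmp), **idle})
        log = os.path.join(tmp, "canary.jsonl")
        limits = {**DEFAULT_THRESHOLDS, "disk_used_pct": 100.0}  # demo host may be full
        print(run_once("canary-seg3", tmp, baseline, idle, log, limits))
        with open(dll, "ab") as fh:
            fh.write(b"\x90" * 16)
        print(run_once("canary-seg3", tmp, baseline, {**idle, "cpu_percent": 5.5}, log, limits))
```

Run it from a scheduler every few minutes with the baseline taken right after the decoy install; whatever consumes `canary.jsonl` should raise its own alarm when the heartbeat lines stop arriving, because a silenced canary is as telling as a singing one.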

If a company can't afford an Einstein to protect manufacturing IT assets, and most companies can't, then a canary system should be installed on every protected network segment. Once the canary starts "singing" (or stops singing its heartbeat), IT personnel should be ready to take action.

– Dennis Brandl is president of BR&L Consulting in Cary, N.C., www.brlconsulting.com. His firm focuses on manufacturing IT. Edited by Eric R. Eissler, editor-in-chief, Oil & Gas Engineering, CFE Media, eeissler@cfemedia.com.

ONLINE extra

This posted version contains more information than the print/digital edition issue of Control Engineering.
