Plausible deniability is not a security strategy
Beware, you may have been instructed by a lawyer to not read this article.
Recently I became aware of several attorneys and legal departments advising managers to stay unaware of control system cyber vulnerabilities outside of specific information provided by their vendors. Why? If the vendor states that a system is secure, then the asset owner and operator may be able to claim ignorance and avoid legal liabilities associated with loss of life or the unavailability of a critical asset.
This plausible deniability approach is not a security strategy for several reasons. First, many ICS (industrial control system) protocols (e.g., Modbus/TCP, DNP3, Profinet, EtherNet/IP, BACnet) are highly vulnerable because of missing or poor authentication, the owner’s chosen implementation, and poor vendor implementation within the cyber asset. Consider the recent vulnerabilities Adam Crain and Chris Sistrunk identified in DNP3 (ICSA-13-291-01 and others), and the expectation of more to come with Modbus/TCP. Second, a quick Google search of “control system vulnerabilities” yields 2.4 million hits. Third, new ICS cyber asset vulnerabilities are coming to light, with ICS-CERT notices increasing rapidly.
So ask yourself, are you better off pursuing due diligence and trying to build adequate levels of protection, or should you hope to hide behind the plausible deniability defense? Your vendor might not help you with the latter. Many now issue disclaimers pushing responsibility back on you. They warn that their system must be placed within a secure zone of your facility and point at standards and organizations like NIST 800-82, ISA 99 / IEC 62443, IEEE, NEI, AGA, NNSA, ISO 27001, API, ChemITC, individual governments, and several more that I probably missed.
Hide, or defend yourself?
Think about your role at your facility. Most companies want to ensure a level of profitability through a safe, reliable, and available operation. Your personal desire is food, shelter, and a safe environment for you and maybe a family. The world has changed with threat agents increasing in number and capabilities. Some are sponsored by major military powers. You may have to be the change agent that brings about a cultural shift toward a serious defensive strategy.
I recall when that responsibility fell on me many years ago. My early attempts to sell cyber security at a U.S. Department of Energy National Laboratory failed horribly. I did not connect my efforts to the mission of the laboratory or convince our Nobel Prize-winning scientists. The scientists wanted high availability of their research so that they could collaborate with the world, and my firewalls were interfering. Eventually, we put security in terms they understood. Instead of just focusing on cyber attacks, we explained, “What if someone were to manipulate your data, release your data early, or under a different brand?”
The thought of being personally discredited got their attention, and they asked for security controls. The lesson: every control system environment is different, depending on corporate motives and ownership. You need to identify what will sell security to your organization. Don’t wait for somebody else—you do it, and do it now.
This very minute, somebody is preparing cyber attacks against control systems. Your company and your livelihood may be at risk if someone does not step up. Seek out an opportunity to start a change, if not at your work, maybe where you live. Many control systems impact your environment: fresh water, natural gas, electricity, traffic control, your automobile, and the food supply. Attend a city council meeting and ask what is being done to protect your local water supply. Ask your auto mechanic about the latest firmware update to your ECU or ABS.
Cyberspace is now a battlefield, and there is no plausible way to deny that ICSs are vulnerable. Take steps to protect yours: inventory your assets, and document their communication patterns and the logic operating them. Look at the people accessing and managing them. Are there reasonable restrictions on operational, cyber, and physical activity? Establishing baselines of normal operation helps you determine when there is something unusual.
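The inventory-and-baseline step described above, as an added example that is not part of the original article: it learns which hosts talk Modbus/TCP to which devices and with which function codes, then flags anything outside that baseline. The flow-record format, the addresses (documentation range 192.0.2.0/24), the inventory and the sample flows are all constructed assumptions.

```python
from collections import defaultdict, namedtuple

# One observed Modbus/TCP request: source IP, destination IP, TCP port, function code
Flow = namedtuple("Flow", "src dst port func")

# Modbus function codes that change device state (write coil/register variants)
WRITE_FUNCS = {5, 6, 15, 16}

def build_baseline(flows):
    """Map each (src, dst, port) conversation to the function codes seen."""
    baseline = defaultdict(set)
    for f in flows:
        baseline[(f.src, f.dst, f.port)].add(f.func)
    return dict(baseline)

def check(flow, baseline, inventory):
    """Return a list of deviations from the baseline for one flow."""
    findings = []
    if flow.src not in inventory:
        findings.append("source not in asset inventory")
    key = (flow.src, flow.dst, flow.port)
    if key not in baseline:
        findings.append("new conversation")
    elif flow.func not in baseline[key]:
        kind = "write" if flow.func in WRITE_FUNCS else "non-write"
        findings.append(f"new {kind} function code {flow.func}")
    return findings

# Constructed sample data, not real hosts or captured traffic
INVENTORY = {"192.0.2.10": "HMI", "192.0.2.11": "historian", "192.0.2.50": "PLC"}
LEARNING = [
    Flow("192.0.2.10", "192.0.2.50", 502, 3),    # HMI reads holding registers
    Flow("192.0.2.10", "192.0.2.50", 502, 6),    # HMI writes a setpoint
    Flow("192.0.2.11", "192.0.2.50", 502, 3),    # historian only ever reads
]
OBSERVED = [
    Flow("192.0.2.10", "192.0.2.50", 502, 3),    # normal poll
    Flow("192.0.2.11", "192.0.2.50", 502, 16),   # historian starts writing
    Flow("192.0.2.99", "192.0.2.50", 502, 3),    # host missing from the inventory
]

def report():
    baseline = build_baseline(LEARNING)
    return [(f, check(f, baseline, INVENTORY)) for f in OBSERVED]

if __name__ == "__main__":
    for flow, findings in report():
        print(flow, findings or "ok")
```

Because these protocols carry no authentication, the device itself cannot tell the historian's unexpected write from a legitimate one; the baseline is what makes the change visible.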
Basic security principles apply whether you’re dealing with physical or cyber security. Once you have the tools, you will begin to develop a sixth sense about what’s happening in your networks. Overcoming budgetary restrictions and political resistance may take some doing, but you might be the thing that makes a difference.
Matt Luallen is founder of Cybati, a security training and consulting organization.
Control Engineering has extended the time available to access Matt Luallen’s 13-part cyber security training course at no charge, including PDHs.
Follow security vulnerability announcements at https://ics-cert.us-cert.gov/standards-and-references