Siemens: Security lifecycle plan a must

One of the most difficult aspects of the cyber security lifecycle for ICS engineers is the maintain phase. Here are some tips to establish a good baseline before getting to the maintain level.

By Gregory Hale, ISSSource March 27, 2015

Sophisticated attackers remain a challenge for manufacturing automation security professionals, but staying one step ahead is a stronger approach than sitting back waiting to get hit.

"Protecting our control systems is more important now than ever before," said Jay Williams, business development for cyber security at Siemens, during a webcast entitled Cyber Security for Industrial Control Systems. "The changing landscape for cyber threats is more dynamic than ever. CEOs now recognize the importance for a holistic approach to cyber security."

When it comes to security, the first real attack people remember these days is the Stuxnet attack in 2010, in which the U.S. and Israel worked together to infiltrate the Natanz nuclear enrichment facility in Iran. They were able to infiltrate a system that showed workers the system was running normally, while centrifuges were cascading wildly out of control. However, in 2008 there was a pipeline blast in Turkey that fell under the cyber security radar a bit. The attack started through a video surveillance computer, and attackers were able to get in and hit the control system, causing an overpressurization and explosion, Williams said. In addition, later on, in 2014, there was a spear phishing campaign that infiltrated a Chinese steel factory that resulted in massive damage. Also look at the Sony attack where the company is still not totally functioning.

Open environment

In the 1990s, there was no real need to worry about security, but the movement to more open, standard off-the-shelf technology that relied more on Ethernet and Internet connections allowed for a changing environment. The changes were very effective and allowed for greater business mobility, connectivity and productivity. The problem is that the connectivity and open software opened manufacturers up to security breaches.

"There were lots of holes put into industrial control systems that weren’t there in the 90s," said Ken Keiser, practice leader for plant security at Siemens.

The catch is now users are getting to the point where they understand the need for security, but they are just evolving to take it to the next level and create a lifecycle for cyber security that most plants have to go through. Keiser said the issue is most manufacturers have not even started that process yet.

Look at firewalls, anti-virus, whitelisting and patch management to name a few. "All of them have a similarity and that is management. You can’t put it in and forget about it. You have to look at what risk you want and look at what risk you have. You need to know what you have and have a good baseline before you get to the maintain level. You need to establish a baseline," Keiser said.

These are areas to focus on to create a baseline:

  • Network assessment
  • Policies and procedures
  • Awareness training 
  • Technical security training
  • OS hardening: Group/local policy design and deployment
  • OS hardening: One-time validated patch deployment  
  • Anti-virus: One-time agent deployment
  • Whitelisting: One-time agent deployment
  • Perimeter protection: Design, implementation and integration
  • Segmentation/Zoning: Design and implementation

Once a plant goes through the assessment and implementation phases and reaches the maintain level, then the hard work begins.

"One of the most difficult aspects of cyber security lifecycle for ICS engineers is the maintain phase," Keiser said. That is because of the changing, dynamic landscape where a process may be running for two or three years straight, but a constant barrage of attacks could compromise the system and bring down the process.

Safety vs. security

While safety and security have similarities, they do also have differences.

"With safety you are working with a physical law of nature. Yes, you have to maintain and update safety systems, but the physics of the plant will not change," Keiser said. "With security, you have a very sophisticated adversary out there. There are people out there that want to get into your plant. The environment is changing constantly. You need to know what is happening on a real time basis. One thing you can do is look at logs on a daily basis where you have reports coming out."

Security is an entity unto itself and it can become very easy to end up bogged down in the minutiae of the bits and bytes. But it doesn’t have to be that way. Once a lifecycle plan is down on paper and manufacturers get it up and running, it will start to evolve into a force that becomes very difficult to penetrate and the plant can stay up and running.

One of the things Keiser said people "have to remember is to understand the priority of the plant is to make product. You don’t want to worry about security."

Gregory Hale is the editor and founder of Industrial Safety and Security Source, a news and information website covering safety and security issues in the manufacturing automation sector. This content originally appeared on the ISSSource website. Edited by Joy Chang, Digital Project Manager, CFE Media.