Cybersecurity experts recommend a different approach

The cybersecurity mindset is still mired in the past, said expert Joel Langill at ICSJWG 2016, and companies need to take an approach that includes cyber and wireless security as well as physical.

10/30/2016


While security experts talk about changes needed to adjust for the advancing cybersecurity threat the industry is experiencing, the mindset remains mired in the past.

"If we look at security in 2016, we really aren't seeing the step change we thought," said Joel Langill, industrial control system (ICS) cybersecurity subject matter expert at AECOM during his keynote at the ICSJWG 2016 Fall Meeting in Ft. Lauderdale, FL, Wednesday. "The industry has to move toward a resilient architecture by creating a security risk model."

The thinking has to be more along the lines of if a machine went away, what could happen and how to function without it.

That can occur by creating zones to establish trust boundaries based on:

  • Ability to protect legacy software
  • Consequences of a breach
  • Security of ingress/egress communications.

Conduits, which provide the ability to communicate between zones, will be the step change in security.

"You have to manage your scope of loss," Langill said. "If you are compromised, there should be limited opportunity to compromise other nodes. If you rob a bank you haven't won unless you can leave with the loot."

With today's attack sophistication, it is inevitable hackers will get in, the issue is all about containing and mitigating. So, if an attacker gets in, you want to be able to block any egress. The idea is to contain the attack and not allow it to propagate.

"Everything has to be risk-based and you have to have a risk factor against your assets. Security is all about risk management."

Converged resilience

Langill based his new and different way of thinking about security not just on the cyber side, or what he calls logical security, which includes cyber and wireless, but also physical security. That is what he called converged resilience.

"It is about physical security. If you are not physically secure, then you may not be cyber secure," he said.

Langill talked about the evolution of a physical threat in today's world. He said it all started with box cutters on planes which led to flying into buildings and that created the Transportation Security Administration (TSA) that now searches all people catching a flight. Add on top of that, the capability to create a bomb from a sports drink and some hydrogen peroxide, which led to the 3-1-1 rule on airplanes.

Those were physical attacks that had a cause and effect.

But in the cyber environment, we are seeing attacks, but no real change in how the industry approaches the issue.

"Antivirus is dead. Malware is able to get through it to attack a system," Langill said. "That is not to say, a user does not need it, they just have to understand it does not have the stopping capability it had 10 years ago. The same is true of firewalls. Yes, there are some good ones out there, but they can be averted. The way of thinking is the same as it was in 1996. The way we fight threats in 2016 has to be different than the way we did it in 1996."

With that in mind, Langill talked about some big industry cyber attacks like Stuxnet. That 2010 attack targeted ICS vendor products and system configurations. It inhibited operators from viewing the actual process and it altered PLC logic to sabotage physical process.

There are tools today that can find an attack like Stuxnet, he said, but the key to that is increasing network visibility.

Langill also mentioned the 2014 DragonFly attack which compromised the support portal of multiple ICS product vendors. In that attack, attackers were able to install a Trojan on the vendors' software configurations, which users would then download and then end up a victim. That attack was able to exfiltrate sensitive local data, gain access to remote industrial networks via VPN and network enumeration.

The DragonFly attack showed the importance of protecting and securing the supply chain. "The supply chain is key," he said. "They went after the supply chain."

User reaction

The issue behind the Stuxnet and DragonFly attacks was these were assaults against ICS companies, but most end users did nothing. The massive power outage in the Ukraine is another example of an ICS cyber incident.

On December 23, 2015, power went out for a high number of customers (reports range from 80,000 customers to 700,000 homes) in the Western region of the Ukraine served by regional power distribution companies. A picture has become clear that a coordinated attack involving multiple components took place.

That incident, Langill said, did not take advantage of any Zero Days in software, but rather leveraged weaknesses in configurations along the system.

They were able to login via remote connections and disconnect breakers along with installing destructive malware to disable selected assets.

After this blatant attack in the ICS sector, again while awareness of the assault is high, end users still did nothing.

The mindset "attacks will hit someone else and not me" has got to change along with the archaic approach the industry continues to take toward security.

"People are trying to do the same thing they have been doing in the past," Langill said, but with a new risk-based model could give end users a fighting chance to ward off any type of attack.

Gregory Hale is the editor and founder of Industrial Safety and Security Source (ISSSource.com), a news and information Website covering safety and security issues in the manufacturing automation sector. This content originally appeared on ISSSource.com. Edited by Chris Vavra, production editor, CFE Media, Control Engineeringcvavra@cfemedia.com.

ONLINE extra

See related stories on cybersecurity linked below.



The Engineers' Choice Awards highlight some of the best new control, instrumentation and automation products as chosen by Control Engineering subscribers. Vote now (if qualified)!
The System Integrator Giants program lists the top 100 system integrators among companies listed in CFE Media's Global System Integrator Database.
Each year, a panel of Control Engineering and Plant Engineering editors and industry expert judges select the System Integrator of the Year Award winners in three categories.
This eGuide illustrates solutions, applications and benefits of machine vision systems.
Learn how to increase device reliability in harsh environments and decrease unplanned system downtime.
This eGuide contains a series of articles and videos that considers theoretical and practical; immediate needs and a look into the future.
Factory automation controllers, Ethernet updates, System Integrator of the Year roundtable, Inside Process and VFDs
Robotic simulation and welding, Process building blocks, Discrete sensor advice, Virtualization advice
Maximize ROI with integrated control system approach; Microcontrollers vs. PLCs; Power quality; Accelerate and rewire IIoT; Traits for excellent engineers
Programmable logic controllers (PLCs) represent the logic (decision) part of the control loop of sense, decide, and actuate. As we know, PLCs aren’t the only option for making decisions in a control loop, but they are likely why you’re here.
This digital report explains how plant engineers and subject matter experts (SME) need support for time series data and its many challenges.
This article collection contains several articles on how advancements in vision system designs, computing power, algorithms, optics, and communications are making machine vision more cost effective than ever before.

Find and connect with the most suitable service provider for your unique application. Start searching the Global System Integrator Database Now!

Product of the Year winners, Pattern recognition, Engineering analytics, Revitalize older pump installations
Control room technology innovation; Practical approaches to corrosion protection; Pipeline regulator revises quality programs
Cloud, mobility, and remote operations; SCADA and contextual mobility; Custom UPS empowering a secure pipeline
Automation Engineer; Wood Group
System Integrator; Cross Integrated Systems Group
Jose S. Vasquez, Jr.
Fire & Life Safety Engineer; Technip USA Inc.
This course focuses on climate analysis, appropriateness of cooling system selection, and combining cooling systems.
This course will help identify and reveal electrical hazards and identify the solutions to implementing and maintaining a safe work environment.
This course explains how maintaining power and communication systems through emergency power-generation systems is critical.
The Engineers' Choice Awards highlight some of the best new control, instrumentation and automation products as chosen by Control Engineering subscribers. Vote now (if qualified)!
The System Integrator Giants program lists the top 100 system integrators among companies listed in CFE Media's Global System Integrator Database.
Each year, a panel of Control Engineering and Plant Engineering editors and industry expert judges select the System Integrator of the Year Award winners in three categories.
This eGuide illustrates solutions, applications and benefits of machine vision systems.
Learn how to increase device reliability in harsh environments and decrease unplanned system downtime.
This eGuide contains a series of articles and videos that considers theoretical and practical; immediate needs and a look into the future.
Factory automation controllers, Ethernet updates, System Integrator of the Year roundtable, Inside Process and VFDs
Robotic simulation and welding, Process building blocks, Discrete sensor advice, Virtualization advice
Maximize ROI with integrated control system approach; Microcontrollers vs. PLCs; Power quality; Accelerate and rewire IIoT; Traits for excellent engineers
Programmable logic controllers (PLCs) represent the logic (decision) part of the control loop of sense, decide, and actuate. As we know, PLCs aren’t the only option for making decisions in a control loop, but they are likely why you’re here.
This digital report explains how plant engineers and subject matter experts (SME) need support for time series data and its many challenges.
This article collection contains several articles on how advancements in vision system designs, computing power, algorithms, optics, and communications are making machine vision more cost effective than ever before.

Find and connect with the most suitable service provider for your unique application. Start searching the Global System Integrator Database Now!

Product of the Year winners, Pattern recognition, Engineering analytics, Revitalize older pump installations
Control room technology innovation; Practical approaches to corrosion protection; Pipeline regulator revises quality programs
Cloud, mobility, and remote operations; SCADA and contextual mobility; Custom UPS empowering a secure pipeline
Automation Engineer; Wood Group
System Integrator; Cross Integrated Systems Group
Jose S. Vasquez, Jr.
Fire & Life Safety Engineer; Technip USA Inc.
This course focuses on climate analysis, appropriateness of cooling system selection, and combining cooling systems.
This course will help identify and reveal electrical hazards and identify the solutions to implementing and maintaining a safe work environment.
This course explains how maintaining power and communication systems through emergency power-generation systems is critical.
The Engineers' Choice Awards highlight some of the best new control, instrumentation and automation products as chosen by Control Engineering subscribers. Vote now (if qualified)!
The System Integrator Giants program lists the top 100 system integrators among companies listed in CFE Media's Global System Integrator Database.
Each year, a panel of Control Engineering and Plant Engineering editors and industry expert judges select the System Integrator of the Year Award winners in three categories.
This eGuide illustrates solutions, applications and benefits of machine vision systems.
Learn how to increase device reliability in harsh environments and decrease unplanned system downtime.
This eGuide contains a series of articles and videos that considers theoretical and practical; immediate needs and a look into the future.
Factory automation controllers, Ethernet updates, System Integrator of the Year roundtable, Inside Process and VFDs
Robotic simulation and welding, Process building blocks, Discrete sensor advice, Virtualization advice
Maximize ROI with integrated control system approach; Microcontrollers vs. PLCs; Power quality; Accelerate and rewire IIoT; Traits for excellent engineers
Programmable logic controllers (PLCs) represent the logic (decision) part of the control loop of sense, decide, and actuate. As we know, PLCs aren’t the only option for making decisions in a control loop, but they are likely why you’re here.
This digital report explains how plant engineers and subject matter experts (SME) need support for time series data and its many challenges.
This article collection contains several articles on how advancements in vision system designs, computing power, algorithms, optics, and communications are making machine vision more cost effective than ever before.

Find and connect with the most suitable service provider for your unique application. Start searching the Global System Integrator Database Now!

Product of the Year winners, Pattern recognition, Engineering analytics, Revitalize older pump installations
Control room technology innovation; Practical approaches to corrosion protection; Pipeline regulator revises quality programs
Cloud, mobility, and remote operations; SCADA and contextual mobility; Custom UPS empowering a secure pipeline
Automation Engineer; Wood Group
System Integrator; Cross Integrated Systems Group
Jose S. Vasquez, Jr.
Fire & Life Safety Engineer; Technip USA Inc.
This course focuses on climate analysis, appropriateness of cooling system selection, and combining cooling systems.
This course will help identify and reveal electrical hazards and identify the solutions to implementing and maintaining a safe work environment.
This course explains how maintaining power and communication systems through emergency power-generation systems is critical.
click me