Cybersecurity experts recommend a different approach

The cybersecurity mindset is still mired in the past, said expert Joel Langill at ICSJWG 2016, and companies need to take an approach that includes cyber and wireless security as well as physical.

10/30/2016


While security experts talk about changes needed to adjust for the advancing cybersecurity threat the industry is experiencing, the mindset remains mired in the past.

"If we look at security in 2016, we really aren't seeing the step change we thought," said Joel Langill, industrial control system (ICS) cybersecurity subject matter expert at AECOM during his keynote at the ICSJWG 2016 Fall Meeting in Ft. Lauderdale, FL, Wednesday. "The industry has to move toward a resilient architecture by creating a security risk model."

The thinking has to shift toward asking what could happen if a machine went away, and how the operation would keep functioning without it.

That can occur by creating zones that establish trust boundaries based on:

  • The ability to protect legacy software
  • The consequences of a breach
  • The security of ingress/egress communications

Conduits, which provide the ability to communicate between zones, will be the step change in security.

"You have to manage your scope of loss," Langill said. "If you are compromised, there should be limited opportunity to compromise other nodes. If you rob a bank you haven't won unless you can leave with the loot."

With today's attack sophistication, it is inevitable that hackers will get in; the issue is containing and mitigating the intrusion. So, if an attacker gets in, you want to be able to block any egress. The idea is to contain the attack and not allow it to propagate.

"Everything has to be risk-based and you have to have a risk factor against your assets. Security is all about risk management."
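As an added illustration of the zone, conduit and scope-of-loss ideas above (this code is not part of the article or of Langill's presentation), the Python below models a small, constructed plant network. It computes how far a compromise of one zone can spread under a flat network versus a zoned design with explicit conduits, weights that spread by a per-zone consequence score as a simple risk factor, and checks a constructed flow log against the conduit allowlist to find egress that should have been blocked at a boundary. Zone names, consequence scores, protocols and flow records are all assumed for the example.

```python
"""Zone/conduit model: scope of loss of a compromised zone, and observed
flows checked against the conduit allowlist.

Added example, not from the article. Every zone name, consequence score,
protocol and flow below is constructed for illustration.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Zone:
    name: str
    consequence: int      # impact if the zone is fully compromised (1 low .. 10 critical)
    legacy: bool = False  # zone hosts software that cannot be patched


@dataclass(frozen=True)
class Conduit:
    src: str       # zone that may initiate the connection
    dst: str       # zone that accepts it
    protocol: str  # the single protocol this conduit carries ("any" = unrestricted)


# Constructed plant: enterprise IT, a DMZ, supervisory HMIs and the control zone.
ZONES = {
    "enterprise":  Zone("enterprise", consequence=2),
    "dmz":         Zone("dmz", consequence=3),
    "supervisory": Zone("supervisory", consequence=6, legacy=True),
    "control":     Zone("control", consequence=10, legacy=True),
}

# Flat network: every zone can reach every other one, i.e. no trust boundaries.
FLAT_CONDUITS = frozenset(
    Conduit(a, b, "any") for a in ZONES for b in ZONES if a != b
)

# Zoned design: only the conduits the process actually needs, one hop at a time.
ZONED_CONDUITS = frozenset({
    Conduit("enterprise", "dmz", "https"),        # historian replica served from the DMZ
    Conduit("supervisory", "dmz", "https"),       # HMIs push process data up to the DMZ
    Conduit("supervisory", "control", "modbus"),  # HMIs poll the PLCs
})


def reachable(start, conduits):
    """Zones an attacker holding `start` can open connections into, following
    conduits only in their permitted direction (breadth-first search)."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for c in conduits:
            if c.src == cur and c.dst not in seen:
                seen.add(c.dst)
                queue.append(c.dst)
    return seen


def scope_of_loss(start, zones, conduits):
    """Sum of consequence scores over everything reachable from the compromised
    zone (itself included): the quantity a risk model should try to minimise."""
    return sum(zones[z].consequence for z in reachable(start, conduits))


def egress_violations(flows, conduits):
    """Flows (src_zone, dst_zone, protocol) that no conduit permits. These are
    what the zone boundary should block so an intruder cannot leave with the loot."""
    allowed = {(c.src, c.dst, c.protocol) for c in conduits}
    return [f for f in flows
            if f not in allowed and (f[0], f[1], "any") not in allowed]


# Constructed flow log: what a boundary firewall saw during one interval.
OBSERVED_FLOWS = [
    ("supervisory", "control", "modbus"),  # normal polling
    ("enterprise", "dmz", "https"),        # normal historian access
    ("control", "enterprise", "dns"),      # PLC zone talking outward: not permitted
    ("supervisory", "enterprise", "smb"),  # HMI zone opening file shares upward: not permitted
]

if __name__ == "__main__":
    for label, conduits in (("flat", FLAT_CONDUITS), ("zoned", ZONED_CONDUITS)):
        print(f"{label:5s}: enterprise compromise reaches "
              f"{sorted(reachable('enterprise', conduits))}, "
              f"scope of loss = {scope_of_loss('enterprise', ZONES, conduits)}")
    for flow in egress_violations(OBSERVED_FLOWS, ZONED_CONDUITS):
        print("egress violation:", flow)
```

Running it shows the step change the zoning buys: a compromised enterprise zone reaches all four zones on the flat network (scope of loss 21) but only the DMZ under the zoned design (scope of loss 5), and two of the four logged flows are egress that no conduit allows. Computing the same figure for the supervisory zone (19) also makes the point that the zone holding the legacy HMIs is the pivot worth the most protection.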

Converged resilience

Langill based his new way of thinking about security not just on the cyber side, which he calls logical security and which covers both wired and wireless networks, but also on physical security. He called the combination converged resilience.

"It is about physical security. If you are not physically secure, then you may not be cyber secure," he said.

Langill talked about the evolution of the physical threat in today's world. He said it all started with box cutters on planes, which led to planes being flown into buildings, which in turn created the Transportation Security Administration (TSA) that now screens everyone catching a flight. On top of that came the capability to build a bomb from a sports drink and some hydrogen peroxide, which led to the 3-1-1 rule for liquids on airplanes.

Those were physical attacks that had a cause and effect.

In the cyber environment, by contrast, we are seeing attacks but no real change in how the industry approaches the issue.

"Antivirus is dead. Malware is able to get through it to attack a system," Langill said. "That is not to say a user does not need it; they just have to understand it does not have the stopping capability it had 10 years ago. The same is true of firewalls. Yes, there are some good ones out there, but they can be averted. The way of thinking is the same as it was in 1996. The way we fight threats in 2016 has to be different than the way we did it in 1996."

With that in mind, Langill talked about some big industry cyber attacks such as Stuxnet. That 2010 attack targeted specific ICS vendor products and system configurations. It prevented operators from viewing the actual state of the process, and it altered PLC logic to sabotage the physical process.

There are tools today that can find an attack like Stuxnet, he said, but the key to that is increasing network visibility.

Langill also mentioned the 2014 DragonFly attack, which compromised the support portals of multiple ICS product vendors. The attackers installed a Trojan in the vendors' software packages, so that users who downloaded them ended up as victims. That attack was able to exfiltrate sensitive local data and gain access to remote industrial networks via VPN and network enumeration.

The DragonFly attack showed the importance of protecting and securing the supply chain. "The supply chain is key," he said. "They went after the supply chain."

User reaction

The issue behind the Stuxnet and DragonFly attacks was that these were assaults against ICS companies, yet most end users did nothing in response. The massive power outage in Ukraine is another example of an ICS cyber incident.

On December 23, 2015, power went out for a large number of customers (reports range from 80,000 customers to 700,000 homes) in the western region of Ukraine served by regional power distribution companies. It has since become clear that a coordinated attack involving multiple components took place.

That incident, Langill said, did not take advantage of any zero-day vulnerabilities in software, but rather leveraged weaknesses in configurations throughout the system.

The attackers were able to log in via remote connections and open breakers, and they also installed destructive malware to disable selected assets.

After this blatant attack on the ICS sector, and even though awareness of the assault is high, end users again did nothing.

The mindset "attacks will hit someone else and not me" has got to change along with the archaic approach the industry continues to take toward security.

"People are trying to do the same thing they have been doing in the past," Langill said, but a new risk-based model could give end users a fighting chance to ward off any type of attack.

Gregory Hale is the editor and founder of Industrial Safety and Security Source (ISSSource.com), a news and information website covering safety and security issues in the manufacturing automation sector. This content originally appeared on ISSSource.com. Edited by Chris Vavra, production editor, CFE Media, Control Engineering, cvavra@cfemedia.com.
