Find cybersecurity vulnerabilities, analyze, then fix: See examples

Once a cybersecurity researcher finds vulnerabilities and provides analysis behind the problem, the next level is to create a secure environment where the user needs can put the issue into perspective.

10/26/2016


A cybersecurity researcher focuses on finding vulnerabilities and then providing analysis behind the problem, but once that issue ends up discovered, the next level to create a secure environment means the user needs to be able to put it into perspective.

"If you want to show how vulnerabilities bring effect, that is difficult (from a researcher's perspective)," said Billy Rios, founder of security research firm WhiteScope during his Tuesday keynote at the ICSJWG 2016 Fall Meeting in Ft. Lauderdale, FL. "When you bring vulnerabilities to an operator they need to see what could happen. They need to know what the effect is with all the vulnerabilities. We understand the analysis very clearly. We understand the vulnerabilities very clearly. We may even know some of the effects, but do we know how it works within the system? What effect would it have on the total operation.

A case in point was in 2010 when officials lost communications with nuclear weapons. In a very quick manner, the top Air Force officer notified the chairman of the joint chiefs of staff, who then notified the secretary of defense who then informed the president. At that time, "the president asked a simple question: Could this have been caused by a cyber attack? No one knew the answer," Rios said.

At that point, Rios ended up assigned to the cyber security mission of finding that answer. "After months of work, we learned a lot; we learned a lot about how the world works. We did an analysis of the vulnerabilities. But in the end, the mission was not about the vulnerabilities or any kind of analysis, it was about the effects of what could happen."

POTUS perspective

That mission, or project, led to a greater awareness of what could happen from our Commander in Chief.

"We never heard the President of the United States (POTUS) talking about cybersecurity to other countries (before)."

That was just the beginning.

In another case to point out perspective, Rios found 1,418 vulnerabilities in a medical device in a research project.

Rios and fellow researcher Mike Ahmadi in collaboration with CareFusion discovered the vulnerabilities. They obtained the Pyxis SupplyStation through a third-party that resells decommissioned systems from healthcare systems, and the vulnerabilities ended up discovered using an automated software composition analysis tool.

Of those vulnerabilities, 715 fell in the CVSS range of 7 to 10, indicating a severe vulnerability; 606 were in the 4 to 6.9 range, indicating a moderate vulnerability, and 97 in the 0 to 3.9 range, indicating a low level.

Whatever the vulnerability score of 7 or higher, what do you do when there is an issue in medical? Numbers may not help you understand risk.

"You cannot put cyber security on a Bell Curve," Rios said. "It is an "extremistan" incident. It is not naturally occurring. It is hard to plot."

The term "extremistan" comes from a book entitled "The Black Swan," where the author, Nassim Nicholas Taleb, writes about the differences between the "tyranny of the collective, the routine, the obvious, and the predicted" or "mediocristan" and "the tyranny of the singular, the accidental, the unseen and the unpredicted" or "extremistan."

"You have to understand when you can plot something on a curve or when you can't," Rios said. "Know when you are doing one or the other."

Proper outlook

What also comes into play is what happens when you find a flaw in something like a medical device or even something in a critical part of a process. Yes, you need to know there is a flaw and you need to know what you have to do to fix it, but you just can't stop using the device if somebody's life depends on it, or if it is part of a critical aspect of a continuing process.

Another case is with voting machines.

Rios said he was able to purchase a used voting machine on eBay for $100.

"I have two voting machines in my office," Rios said. "I can do whatever I want with these machines. I can learn how they work. I can learn their creases. We can take the software off the device and learn about the machine."

Rios said while he can learn the vulnerabilities and analyze the machine, he does not know the impact of what a hacked machine could bring, that is more for the voting experts. "We don't know (the effect), but if you are an operator of that system, you know."

That is how an operator can help pull together information from a researcher. They need to work together to give complete context to the situation.

In the end, whether it is a discussion between IT and OT or the President of the United States, perspective needs to end up communicated in the proper language of who you are trying to inform.

"We need to learn how to talk to one another. (In the nuclear weapons mission), we didn't know how to shape our talks in terms POTUS should understand. We need to be able to talk in the language of people we are working with."

Gregory Hale is the editor and founder of Industrial Safety and Security Source (ISSSource.com), a news and information Website covering safety and security issues in the manufacturing automation sector. This content originally appeared on ISSSource.com. Edited by Chris Vavra, production editor, CFE Media, Control Engineeringcvavra@cfemedia.com.

ONLINE extra

See related stories on cybersecurity linked below.



Engineers' Choice Awards
The Engineers' Choice Awards highlight some of the best new control, instrumentation and automation products as chosen by Control Engineering subscribers.
System Integrator Giants
The System Integrator Giants program lists the top 100 system integrators among companies listed in CFE Media's Global System Integrator Database.
System Integrator of the Year
Each year, a panel of Control Engineering and Plant Engineering editors and industry expert judges select the System Integrator of the Year Award winners in three categories.
How to Maximize Factory Automation Efficiency with Low Cost Machine Vision
This eGuide illustrates solutions, applications and benefits of machine vision systems.
Wireless Reliability in Harsh Environments
Learn how to increase device reliability in harsh environments and decrease unplanned system downtime.
Human Factors and the Impact on Plant Safety
This eGuide contains a series of articles and videos that considers theoretical and practical; immediate needs and a look into the future.
August 2018
Augmented reality and virtual reality education, autotuning PID control, cybersecurity advice, educating engineers
July 2018
Ladder logic best practices and object-oriented programming, safety instrumented systems, enclosure design issues and challenges, process control advice
June 2018
Discrete and process sensor fundamentals, autotuning controls, system integrator roundtable
Edge Computing
This article collection contains several articles on how today's technologies heap benefits onto an edge-computing architecture such as faster computing, better networking, more memory, smarter analytics, cloud-based intelligence, and lower costs.
Data Center Design
Data centers, data closets, edge and cloud computing, co-location facilities, and similar topics are among the fastest-changing in the industry.
PLCs
Programmable logic controllers (PLCs) represent the logic (decision) part of the control loop of sense, decide, and actuate. Featured articles in this digital report compare PLCs and programmable automation controllers (PACs), industrial PCs, and robotic controllers.
SIDB

Find and connect with the most suitable service provider for your unique application. Start searching the Global System Integrator Database Now!

August 2018
SCADA standardization, capital expenditures, data-driven drilling and execution
June 2018
Machine learning, produced water benefits, progressive cavity pumps
April 2018
ROVs, rigs, and the real time; wellsite valve manifolds; AI on a chip; analytics use for pipelines
John O. Ayuk, PE, CFSE, PMP, CAP
Automation Engineer; Wood Group
Doug Baker
System Integrator; Cross Integrated Systems Group
Jose S. Vasquez, Jr.
Jose S. Vasquez, Jr.
Fire & Life Safety Engineer; Technip USA Inc.
Data Centers: Impacts of Climate and Cooling Technology
This course focuses on climate analysis, appropriateness of cooling system selection, and combining cooling systems.
Safety First: Arc Flash 101
This course will help identify and reveal electrical hazards and identify the solutions to implementing and maintaining a safe work environment.
Critical Power: Hospital Electrical Systems
This course explains how maintaining power and communication systems through emergency power-generation systems is critical.
Engineers' Choice Awards
The Engineers' Choice Awards highlight some of the best new control, instrumentation and automation products as chosen by Control Engineering subscribers.
System Integrator Giants
The System Integrator Giants program lists the top 100 system integrators among companies listed in CFE Media's Global System Integrator Database.
System Integrator of the Year
Each year, a panel of Control Engineering and Plant Engineering editors and industry expert judges select the System Integrator of the Year Award winners in three categories.
How to Maximize Factory Automation Efficiency with Low Cost Machine Vision
This eGuide illustrates solutions, applications and benefits of machine vision systems.
Wireless Reliability in Harsh Environments
Learn how to increase device reliability in harsh environments and decrease unplanned system downtime.
Human Factors and the Impact on Plant Safety
This eGuide contains a series of articles and videos that considers theoretical and practical; immediate needs and a look into the future.
August 2018
Augmented reality and virtual reality education, autotuning PID control, cybersecurity advice, educating engineers
July 2018
Ladder logic best practices and object-oriented programming, safety instrumented systems, enclosure design issues and challenges, process control advice
June 2018
Discrete and process sensor fundamentals, autotuning controls, system integrator roundtable
Edge Computing
This article collection contains several articles on how today's technologies heap benefits onto an edge-computing architecture such as faster computing, better networking, more memory, smarter analytics, cloud-based intelligence, and lower costs.
Data Center Design
Data centers, data closets, edge and cloud computing, co-location facilities, and similar topics are among the fastest-changing in the industry.
PLCs
Programmable logic controllers (PLCs) represent the logic (decision) part of the control loop of sense, decide, and actuate. Featured articles in this digital report compare PLCs and programmable automation controllers (PACs), industrial PCs, and robotic controllers.
SIDB

Find and connect with the most suitable service provider for your unique application. Start searching the Global System Integrator Database Now!

August 2018
SCADA standardization, capital expenditures, data-driven drilling and execution
June 2018
Machine learning, produced water benefits, progressive cavity pumps
April 2018
ROVs, rigs, and the real time; wellsite valve manifolds; AI on a chip; analytics use for pipelines
John O. Ayuk, PE, CFSE, PMP, CAP
Automation Engineer; Wood Group
Doug Baker
System Integrator; Cross Integrated Systems Group
Jose S. Vasquez, Jr.
Jose S. Vasquez, Jr.
Fire & Life Safety Engineer; Technip USA Inc.
Data Centers: Impacts of Climate and Cooling Technology
This course focuses on climate analysis, appropriateness of cooling system selection, and combining cooling systems.
Safety First: Arc Flash 101
This course will help identify and reveal electrical hazards and identify the solutions to implementing and maintaining a safe work environment.
Critical Power: Hospital Electrical Systems
This course explains how maintaining power and communication systems through emergency power-generation systems is critical.
Engineers' Choice Awards
The Engineers' Choice Awards highlight some of the best new control, instrumentation and automation products as chosen by Control Engineering subscribers.
System Integrator Giants
The System Integrator Giants program lists the top 100 system integrators among companies listed in CFE Media's Global System Integrator Database.
System Integrator of the Year
Each year, a panel of Control Engineering and Plant Engineering editors and industry expert judges select the System Integrator of the Year Award winners in three categories.
How to Maximize Factory Automation Efficiency with Low Cost Machine Vision
This eGuide illustrates solutions, applications and benefits of machine vision systems.
Wireless Reliability in Harsh Environments
Learn how to increase device reliability in harsh environments and decrease unplanned system downtime.
Human Factors and the Impact on Plant Safety
This eGuide contains a series of articles and videos that considers theoretical and practical; immediate needs and a look into the future.
August 2018
Augmented reality and virtual reality education, autotuning PID control, cybersecurity advice, educating engineers
July 2018
Ladder logic best practices and object-oriented programming, safety instrumented systems, enclosure design issues and challenges, process control advice
June 2018
Discrete and process sensor fundamentals, autotuning controls, system integrator roundtable
Edge Computing
This article collection contains several articles on how today's technologies heap benefits onto an edge-computing architecture such as faster computing, better networking, more memory, smarter analytics, cloud-based intelligence, and lower costs.
Data Center Design
Data centers, data closets, edge and cloud computing, co-location facilities, and similar topics are among the fastest-changing in the industry.
PLCs
Programmable logic controllers (PLCs) represent the logic (decision) part of the control loop of sense, decide, and actuate. Featured articles in this digital report compare PLCs and programmable automation controllers (PACs), industrial PCs, and robotic controllers.
SIDB

Find and connect with the most suitable service provider for your unique application. Start searching the Global System Integrator Database Now!

August 2018
SCADA standardization, capital expenditures, data-driven drilling and execution
June 2018
Machine learning, produced water benefits, progressive cavity pumps
April 2018
ROVs, rigs, and the real time; wellsite valve manifolds; AI on a chip; analytics use for pipelines
John O. Ayuk, PE, CFSE, PMP, CAP
Automation Engineer; Wood Group
Doug Baker
System Integrator; Cross Integrated Systems Group
Jose S. Vasquez, Jr.
Jose S. Vasquez, Jr.
Fire & Life Safety Engineer; Technip USA Inc.
Data Centers: Impacts of Climate and Cooling Technology
This course focuses on climate analysis, appropriateness of cooling system selection, and combining cooling systems.
Safety First: Arc Flash 101
This course will help identify and reveal electrical hazards and identify the solutions to implementing and maintaining a safe work environment.
Critical Power: Hospital Electrical Systems
This course explains how maintaining power and communication systems through emergency power-generation systems is critical.
click me