Posted by: Katherine Brocklehurst on September 13, 2017
Have you been feeling "cyber security breach fatigue?" We don't blame you. Cyberattacks or employee errors that cause disruption and revenue losses to industrial and critical infrastructure organizations are particularly popular in news media today. That's partly because a successful disruption within critical infrastructures can cause physical consequences that get the public's attention.
Industrial automation and process control engineers often feel that cyber risk is overplayed because there are safety instrumented systems (SIS) designed specifically to take over when unsafe conditions occur. Unfortunately, as outlined in our last blog on "CRASHOVERRIDE" (aka "Win32/Industroyer" or "Industroyer"), sophisticated malware designers have demonstrated the capability of using the power grid's own SIS protections to cause power outages, and this framework is extensible to many industries, not just power.
There are hazards and risks with any industrial application, making the protection of personnel, processes and the surrounding environment a significant part of any industrial automation strategy. Many authoritative organizations have said for some time that cyber security and safety are interrelated; a system cannot be safe if it is not secure.
Are you already convinced of the need to improve industrial cybersecurity at your site? Would you like to move beyond the heavy drumbeat of concern over inevitable cyber threats? But are you still not sure where to start? The likelihood of experiencing a disruptive incident, like a systems outage, is high by many metrics – even if you don't think you're a target. While challenging, proactively preparing for incidents in your functioning industrial plant is vitally important.
Here is a prioritized "short list" of what to do now to avoid significant business disruption and lost revenues derived from commonly seen incidents, forensics review, risk assessment findings and typical gaps. These are all things you can do something about.
This list is derived from multiple industrial standards, experts and governance bodies and is oriented toward proactive steps to take before an incident occurs. These steps are non-disruptive and will shorten your time-to-recovery and minimize the business impact of a cyber incident in the plant, regardless of your industry.
Note: This list also makes three assumptions – that you have 1) some degree of perimeter defense in place with firewalls, 2) a DeMilitarized Zone (DMZ) separating the plant from corporate assets, and 3) a plant that has fully embraced network segmentation.
Identify the most important systems to your plant/business functions and where they're located. This is not an exhaustive list of all assets – it should be the most highly prioritized subset, without which the business immediately begins to feel the impact and lose revenues. You might be surprised to find how difficult it is to determine the locations of assets, both physical and virtual. It also usually takes a bigger group than just plant operations to discuss and agree upon the prioritization – but that's a different blog.
This table from an Emerson white paper shows a simplified view of associated average potential revenue lost if a 500MW generator was down due to a forced outage. The revenue impact from disruption, outages and ransomware-locked systems across many industries can hit the bottom line.
At a minimum, monitoring your critical assets is now a business cyber security essential. Just like monitoring your industrial automation and process controls, industrial security requires continuous monitoring to assure the cyber health and hygiene (yes, health and hygiene!) of the systems within your plant operations.
This is a sample placement of technology from Tripwire, a Belden brand, for monitoring industrial and plant site-critical assets. Tripwire's solutions can monitor industrial security from within the plant DeMilitarized Zone (DMZ), down to Level 2. Tripwire also detects and alerts to threats and changes (authorized or unauthorized) to industrial assets.
If you have servers, databases and other systems running on Windows or Linux, you should prioritize these inherently weak and unpatched systems for monitoring by Tripwire, one of Belden's brands. They can help you know when those systems' configurations and services need to be hardened against typical and often highly ranked cyber risks. (Highly ranked would mean they have high vulnerability scoring, such as 9.5 out of 10, for both "likely to be exploited" and "if exploited, likely to be very bad" risks.)
One service of particular note is remote access. Most experts recommend you discontinue remote access to any critical asset, especially your control systems. Sometimes this can be done, other times it won't be possible. One valuable capability Tripwire has is it can discover and profile wireless access points and also identify systems that have remote access software loaded where you didn't expect it. Plants are continuously surprised in these areas. Tripwire can find and help you fix these common areas of weakness.
"Almost every risk assessment or forensics review of an incident that I have ever seen in my career points to a common theme – lack of understanding of what systems are important, and proper network segmentation of these mission critical Operational Technology (OT) systems from other enterprise systems such as corporate Information Technology (IT) systems.
You will be attacked or infected... it is only a matter of time – and only by acting now can you minimize the resulting damage and reduce the spread of infection."
- Marty Edwards, Managing Director, Automation Federation and former Director of ICS-CERT, U.S. Department of Homeland Security
You also should consider a log and event monitor. Think of this passive security device as your "security-centric data historian." Use it to non-invasively gather and correlate logs and event activity from servers, asset management systems, databases, firewalls, routers and even HMIs – since HMIs are one of the many assets within the plant typically targeted for compromise. If an adversary owns (or "pwns" – in threat parlance) your HMI or FTP servers, he or she can cause disruption and potentially impact the ICS and the I/O they control, causing physical damage. Even just introducing latency in many environments can disrupt processes and impact manufacturing.
As a forensic tool (when the day comes that you need it), logs are the first thing investigators ask for, and most sites, facilities or operators either don't have them enabled or had them turned off by attackers without the target organization realizing it. Having a correlation tool that automatically brings the logs together and flags events of interest with the entire context required can be invaluable toward piecing things back together and understanding how an incident may have occurred. Tripwire's Log Center is one example of this type of tool and is being widely deployed within industrial environments for security, as well as analytics value, as the data gathered can be easily forwarded to analytics tools, such as Splunk.
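The gap described above, logging that was never enabled or was switched off unnoticed, can be checked for by comparing collected events against a list of assets that are expected to log. This is an added example, not code from the original post or from any Tripwire product; the host names, log line format, quiet-period thresholds and tamper phrases are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the post): "ISO-timestamp source message"
SAMPLE_LOG = """\
2017-09-13T08:00:05 hmi-01 operator login ok
2017-09-13T08:00:40 fw-dmz allow tcp 10.0.2.15 -> 10.0.1.7:502
2017-09-13T08:05:12 hist-db backup job finished
2017-09-13T08:10:31 hmi-01 audit log cleared
2017-09-13T08:20:02 fw-dmz allow tcp 10.0.2.15 -> 10.0.1.7:502
2017-09-13T08:40:44 hist-db query from eng-ws-3
2017-09-13T09:00:10 fw-dmz deny tcp 10.0.3.9 -> 10.0.1.7:44818
2017-09-13T09:05:00 hist-db backup job finished
"""

# Hypothetical inventory of critical assets that must log, each with the
# longest quiet period considered normal for it.
EXPECTED = {
    "hmi-01": timedelta(minutes=30),
    "fw-dmz": timedelta(minutes=45),
    "hist-db": timedelta(minutes=60),
    "ftp-01": timedelta(minutes=60),
}
# Assumed phrases that indicate logging was cleared or switched off.
TAMPER_MARKERS = ("audit log cleared", "logging stopped", "log service disabled")

def parse(text):
    """Yield (timestamp, source, message) for each collected line."""
    for line in text.splitlines():
        ts, source, message = line.split(" ", 2)
        yield datetime.fromisoformat(ts), source, message

def review(text, expected=EXPECTED, now=None):
    """Return {source: [findings]} for assets that look blind or tampered with."""
    events = list(parse(text))
    now = now or max(ts for ts, _, _ in events)  # newest event stands in for "now"
    last_seen, findings = {}, {}
    for ts, source, message in events:
        last_seen[source] = max(ts, last_seen.get(source, ts))
        if any(marker in message.lower() for marker in TAMPER_MARKERS):
            findings.setdefault(source, []).append(
                f"tamper marker at {ts.isoformat()}: {message}")
    for source, max_quiet in expected.items():
        if source not in last_seen:
            findings.setdefault(source, []).append("never reported")
        elif now - last_seen[source] > max_quiet:
            quiet = int((now - last_seen[source]).total_seconds() // 60)
            findings.setdefault(source, []).append(f"silent for {quiet} min")
    return findings
```

Calling `review(SAMPLE_LOG)` flags `hmi-01` (log cleared, then silent) and `ftp-01` (in the inventory but never heard from), the two cases an investigator would otherwise discover only after an incident.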
For these critical and prioritized systems, be certain that you have implemented a disaster recovery plan inclusive of regular, recent and tested backups and critical hardware spares. Backups should include all physical and virtualized critical assets, operating systems (OS), documented and "known good" configuration files and all application and system software, including integrations and customizations, if applicable.
Current ransomware typically spreads automatically across networks and system-to-system, and many organizations discover after an attack hits that their backups were encrypted too. Therefore, keep these backups in a safe location that is not "online" – in other words, don't just copy to a file server and forget about it. Have a controlled and limited list of personnel (with contact information) who know where these backups and spares are kept, and preferably have documented details for recovery.
There are obviously many other steps to take along the path toward improved industrial cyber security, and every organization approaches the topic with its own priorities. However, these three steps will significantly lower cyber risk in the plant from external and internal sources. If undertaken now, you can be far better prepared for recovery activities when an incident does occur. Knowing your most critical assets, monitoring them for security and system state, and having reliable and tested backups can help. This "Industrial Cyber Security Short List" will ultimately shorten your time-to-recovery and reduce business and revenue losses when an incident does strike within your plant.
For those interested in additional and more advanced steps to take, consider Tofino Xenon security appliances to help you with painless network segmentation à la ISA99/IEC 62443. Tofino Xenons sit in front of critical assets in your plant or field locations and deeply inspect industrial protocol frames (Modbus TCP, EtherNet/IP, OPC, DNP3 and IEC 104) for malicious payloads or inappropriate access. Tofino Xenons have no IP address and can protect against known and unknown malicious activity and ingress, as well as egress. In other words, they can "contain" the threat for you and disable its ability to spread. And Tripwire can also monitor these non-IP-addressed devices and their configurations for you.