This week's contributing Blog Author is David Meltzer, Chief Research Officer at Tripwire.
Risks to the control layers of industrial networks have been rising, yet many operators remain unaware of the vulnerabilities and weaknesses in these environments. The SANS 2016 State of ICS Security Survey indicates that this is a growing concern among those surveyed.
This blog is the third part of a series expanding on industrial cyber security approaches from Belden (part 1) and Tripwire (part 2). This article addresses the importance of securing industrial controllers in an ICS operations environment (also referred to as OT by some) to reduce risk. Belden has built a simple 1-2-3 approach to industrial cyber security to help answer the question of how companies should think about the steps to take when working toward improving the security of these highly specialized environments.
Belden’s approach simplifies the steps into easily identified categories and then helps organizations identify priorities based on their own unique environments and risk tolerance.
What is an industrial controller?
First, let's clarify what we mean by industrial controllers. A typical industrial environment contains physical systems: robots, sensors, pumps, actuators, and motors, to name a few. These are the systems that actually interact with the physical world, so given the priorities of cyber security in these environments (safety first, then availability), they are ultimately the systems we need to protect. However, something like a motor is rarely a system that can be, or will be, directly attacked or exploited.
Instead, these physical systems are connected back to a type of specialized computer that actually controls them. These specialized computers bridge the gap between controlling the physical systems and receiving programming or instructions from a network. They are the industrial controllers, and they are the systems targeted in cyber attacks that aim to create physical damage or disrupt a revenue-generating industrial process. Industrial controllers come in different varieties; you will commonly hear terms such as PLC (programmable logic controller) and DCS (distributed control system) used to refer to different types.
Common Ways Controllers Can Be Attacked
There are a few different attack vectors (ways an outside adversary or malicious insider would approach breaking into a system) we worry about when it comes to industrial controllers.
The first and simplest is a denial of service attack. By overwhelming a controller with a large volume of network frames, or with malformed packets that create processing load, an attacker may be able to introduce latency or downtime on the controller, which could interrupt the physical systems it runs. In some physical processes such a disruption could cause damage. Although safety is potentially a concern here, most safety systems have been built to handle these situations: a well-designed safety environment does not compromise safety because one controller becomes slow or unavailable.
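Both halves of that attack, a flood of frames and malformed packets, are visible on the wire before the controller slows down. The following is an added example (not code from the original post or from Belden or Tripwire) of the two checks a network monitor in front of a controller would run: strict validation of each Modbus/TCP frame header, and a per-source sliding-window rate check. Modbus/TCP is assumed here as a representative controller protocol; the frames, addresses and timestamps are constructed for the example and the 50-frames-per-second threshold is an assumed value that would be tuned per site.

```python
"""Added example: flag malformed Modbus/TCP frames and frame floods toward a PLC.

Modbus/TCP is assumed as the controller protocol; all sample traffic below is
constructed for this example, not captured from a real network.
"""
import struct
from collections import defaultdict, deque

MAX_ADU = 260            # Modbus/TCP ADU limit: 7-byte MBAP header + up to 253-byte PDU
MBAP_LEN = 7
# Function codes this controller is expected to serve (assumed allow-list for the example).
ALLOWED_FUNCTIONS = {1, 2, 3, 4, 5, 6, 15, 16}


def parse_mbap(frame: bytes):
    """Validate the MBAP header and return (transaction_id, unit_id, function_code).

    Raises ValueError for any frame a controller should not have to process.
    """
    if len(frame) < MBAP_LEN + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    if len(frame) > MAX_ADU:
        raise ValueError("frame exceeds 260-byte Modbus/TCP ADU limit")
    tid, proto, length, unit = struct.unpack("!HHHB", frame[:MBAP_LEN])
    if proto != 0:
        raise ValueError(f"protocol id {proto} != 0")
    # The MBAP length field counts the unit id plus the PDU, i.e. everything after byte 6.
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} != {len(frame) - 6} bytes present")
    function = frame[MBAP_LEN]
    if function not in ALLOWED_FUNCTIONS:
        raise ValueError(f"unexpected function code {function}")
    return tid, unit, function


def build_read_request(tid: int, unit: int, start: int, count: int, function: int = 3) -> bytes:
    """Build a well-formed read request (default: function 3, read holding registers)."""
    pdu = struct.pack("!BHH", function, start, count)
    return struct.pack("!HHHB", tid, 0, len(pdu) + 1, unit) + pdu


class FloodDetector:
    """Sliding-window frame counter per source address."""

    def __init__(self, max_per_window: int, window_seconds: float):
        self.max = max_per_window
        self.window = window_seconds
        self.history = defaultdict(deque)

    def observe(self, src: str, ts: float) -> bool:
        """Record one frame; return True when the source exceeds the window limit."""
        q = self.history[src]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        return len(q) > self.max


def analyze(records, max_per_window: int = 50, window_seconds: float = 1.0):
    """records: iterable of (timestamp, src_ip, frame bytes). Returns alert strings."""
    alerts = []
    det = FloodDetector(max_per_window, window_seconds)
    flagged = set()                      # alert once per flooding source
    for ts, src, frame in records:
        try:
            parse_mbap(frame)
        except ValueError as exc:
            alerts.append(f"{ts:.3f} {src} malformed: {exc}")
        if det.observe(src, ts) and src not in flagged:
            flagged.add(src)
            alerts.append(f"{ts:.3f} {src} rate exceeded {max_per_window} frames per {window_seconds}s")
    return alerts


def sample_records():
    """Constructed traffic: one normal poll, two malformed frames, one flood."""
    recs = [(0.000, "10.0.0.5", build_read_request(1, 1, 0, 10))]
    # MBAP length claims 200 bytes follow the header, but only 2 are present.
    recs.append((0.010, "10.0.0.7", struct.pack("!HHHBB", 2, 0, 200, 1, 3)))
    # Non-zero protocol id: not Modbus, but still handed to the Modbus stack.
    recs.append((0.020, "10.0.0.7", struct.pack("!HHHBBHH", 3, 1, 6, 1, 3, 0, 1)))
    # 60 well-formed polls from one host in 0.3 s: individually valid, collectively a flood.
    for i in range(60):
        recs.append((0.100 + i * 0.005, "10.0.0.9", build_read_request(100 + i, 1, 0, 1)))
    return recs


if __name__ == "__main__":
    for line in analyze(sample_records()):
        print(line)
```

Note that the flood frames are each perfectly valid; only the rate check catches them, which is why both checks are needed. The rate threshold has to come from the plant's own polling design (HMI and historian scan rates), not from a generic default.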
ICS Misconfigurations and Vulnerabilities
Another attack vector is to exploit vulnerabilities or misconfigurations in the controller. By attacking a vulnerability that has not been patched with upgraded firmware, an attacker could potentially disrupt, gain access to, or take over control of a system. Similarly, although modern controllers have added security features such as authentication and logging, if these are not set up properly those checks and balances may be disabled, allowing an attacker to modify the system easily and without detection.
“During cyber security assessments,” Tony Gore, CEO at Red Trident comments, “We find that there has to be a pivot point the attacker has gained access to. Taking advantage of weak configurations or known and exploitable vulnerabilities is one of the easiest ways to gain access to engineering workstations, HMIs, servers, third parties and other systems. Another is through stolen credentials, jointly shared credentials, or a lack of authentication methods.
“Once unrestricted access is gained at Level 2 devices this becomes the adversary’s pivot point. We don’t always see PLCs directly connected to the Internet, but will use Shodan to see what shows up for our customers’ Internet-facing systems. It’s always a surprise.”
Malware, USBs, and Firmware
The third, and most dangerous, attack is uploading a malicious program to the controller, overwriting the valid program already on it. On some controllers, physical access to the device can be used to accomplish this (e.g. plugging in a USB drive or making a serial connection); on more modern ones, programs are uploaded across the network, which requires various forms of authentication that are often not set up at the time of PLC deployment.
Older networked controllers may require no authentication at all, a major issue, while newer ones almost certainly will. Even with proper authentication in place, a malicious insider, such as a disgruntled employee or consultant, or an outside attacker who has stolen credentials (i.e. the password to the system) can still make these changes.
Additional ICS Attack Vectors
Additional vectors exist in the form of trusted computer systems operating at levels inside the ICS environment with unrestricted and unmonitored access to the control layer. Malicious programs have been used in industrial attacks to create subtle or not-so-subtle changes to physical processes, causing physical damage. Almost equally damaging are attacker toolkits, operating from such pivot points, that modify set points in an unmonitored and poorly engineered security architecture. That lack of monitoring gives the attacker ample time for reconnaissance, and for the trial and error needed to compromise and ultimately maliciously modify the environment.
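The program-overwrite attack above and the set point tampering described here share one defensive answer: keep an engineering-approved baseline of what the controller should be running and what its set points should be, and raise an alert on any drift that is not tied to an approved change. The following is an added example (not code from the original post or from Belden or Tripwire) of that check. The logic image, set point tags, engineering limits and change-ticket id are all constructed for the example; a real monitor would read the program image and register values from the controller or the engineering workstation, and the field names used here are assumptions.

```python
"""Added example: detect unplanned changes to a controller's program and set points.

The controller snapshots, the approved change ticket and the engineering limits
below are constructed for this example; nothing here is read from a real PLC.
"""
import hashlib
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Baseline:
    program_sha256: str                 # hash of the approved logic image
    setpoints: dict                     # tag -> approved value
    limits: dict                        # tag -> (low, high) engineering limits
    approved_changes: dict = field(default_factory=dict)  # change ticket -> expected new hash


def check_snapshot(baseline: Baseline, snapshot: dict) -> list:
    """Compare one observed snapshot against the baseline and return findings.

    A program change is accepted only when the snapshot carries a change ticket
    whose recorded hash matches what is now on the controller; the baseline then
    rolls forward. Any other program change is an alert. Set points are checked
    first against hard engineering limits, then against the approved value.
    """
    findings = []
    observed = sha256_hex(snapshot["program"])
    if observed != baseline.program_sha256:
        ticket = snapshot.get("change_ticket")
        if ticket and baseline.approved_changes.get(ticket) == observed:
            findings.append(f"program changed under approved ticket {ticket}")
            baseline.program_sha256 = observed
        else:
            findings.append("ALERT program image changed with no approved ticket")
    for tag, value in snapshot["setpoints"].items():
        low, high = baseline.limits[tag]
        if not low <= value <= high:
            findings.append(f"ALERT {tag}={value} outside engineering limits [{low}, {high}]")
        elif value != baseline.setpoints[tag]:
            findings.append(f"WARN {tag} drifted {baseline.setpoints[tag]} -> {value}")
    return findings


def sample_run() -> list:
    """Constructed sequence of snapshots; returns the findings for each one."""
    program_v1 = b"LD I0.0\nAND I0.1\n= Q0.0\n"            # stand-in for a logic image
    program_v2 = program_v1 + b"LD I0.2\n= Q0.1\n"          # approved revision
    program_evil = program_v1.replace(b"AND", b"OR ")       # one-token change, same length
    normal = {"pump1.speed_rpm": 1450.0, "tank1.level_high_pct": 80.0}

    baseline = Baseline(
        program_sha256=sha256_hex(program_v1),
        setpoints=dict(normal),
        limits={"pump1.speed_rpm": (0.0, 1500.0), "tank1.level_high_pct": (0.0, 85.0)},
        approved_changes={"CHG-1042": sha256_hex(program_v2)},
    )
    snapshots = [
        {"program": program_v1, "setpoints": dict(normal)},                       # steady state
        {"program": program_evil, "setpoints": dict(normal)},                     # covert logic change
        {"program": program_v1, "setpoints": {"pump1.speed_rpm": 1495.0,          # set point tampering
                                              "tank1.level_high_pct": 90.0}},
        {"program": program_v2, "setpoints": dict(normal), "change_ticket": "CHG-1042"},
        {"program": program_v2, "setpoints": dict(normal)},                       # after roll-forward
    ]
    return [check_snapshot(baseline, snap) for snap in snapshots]


if __name__ == "__main__":
    for i, findings in enumerate(sample_run()):
        print(f"snapshot {i}: {findings or 'ok'}")
```

Two points worth noting. The covert logic change in the second snapshot leaves every set point looking normal, so only the hash of the program image catches it; conversely, the tampered pump speed in the third snapshot is inside its engineering limit and is caught only because it differs from the approved value. The hash is only as trustworthy as the path used to read the image, so the comparison should use a read taken independently of the engineering workstation that may itself be the attacker's pivot point.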
Our next industrial security blog will suggest how to secure controllers in ways that help prevent the attacks described above, and which strategies are essential for reducing the attack surface within ICS and for detecting and responding to unexpected and unplanned changes that could indicate an attack, malicious insider activity, or simple human error, all of which are sources of cyber security risk.
In the meantime, for helpful reading on the state of ICS security, download the SANS Institute's annual survey of ICS professionals.
Network Segmentation Use Cases
- Presentation: Cyber Security for Oil and Gas Applications
- Electricity-today.com: Deep Packet Inspection Firewalls
- White Paper: Best Practices in Substation Communication Design
- Iiconsortium.org: PLC Security for Water/Wastewater Systems
- Blog: Water System Breach Highlights Need for Better ICS Security
Other Cybersecurity Resources
- White Paper: Construction Kit for Secure Wireless Network Design
- Blog: ICS Security: Highlights of the SANS 2016 Survey
About the Author
David is Chief Research Officer at Tripwire where he is responsible for working with customers, partners, and industry experts to imagine, innovate, and deliver on advancing the state of the art in protecting Tripwire’s customers from the most sophisticated attackers in the world. David previously served as VP/Engineering at Tripwire, joining in 2013 through its acquisition of nCircle where he served as Chief Technology Officer and VP/Engineering. David has been an entrepreneur, leader, software developer, security researcher, and generally obsessed with network security for the last two decades.