Recently we looked at the state of ICS security according to the 2016 SANS survey and commented on how a broader set of tools is becoming available to secure industrial automation systems. Many industrial engineers will likely not be familiar with these new-to-ICS technologies, which include things like configuration compliance monitoring and threat intelligence engines.
It’s important to know about the universe of available industrial security solutions, however. And, if new solutions are being considered for use, plant staff need to contribute expertise to their selection and deployment so that mission-critical operations are protected.
Thus, with the goal of informing you about some of the newer industrial security products and approaches now available for manufacturing and process control systems, this article looks at Belden’s partnership with FireEye. In particular it brings forward the highlights of a widely popular webinar conducted by the companies in July 2016. Read on to find out what so many were eager to learn about and its relevance for ICS professionals.
PCs are the systems most likely to be the target of cyberattacks. Hardening them using basic security hygiene has a significant impact as they are often the jumping off points for disrupting controllers.
Belden + FireEye: Securing ICS Against Sophisticated Cyber Attacks
FireEye is a major cybersecurity company that offers threat intelligence technology and services. Its Mandiant group, for example, provides an ICS Healthcheck service that documents ICS networks and analyzes them for risk to cybersecurity threats and attacks. Its iSight Intelligence group has services to advise or investigate if you’re concerned your systems may have been breached.
They also have a virtual machine-based security platform; some of the products that make up this platform can be connected to Hirschmann or GarrettCom switches at the IT/plant DMZ boundary. These machines passively (or non-invasively) collect packet flows, without impacting network operations, and analyze them for anomalous or undesirable connectivity to the Internet or business network. They can also analyze log sources and apply intelligence and rules to identify malicious / anomalous activity (FireEye TAP).
The reason that Belden, Tripwire and FireEye have become partners is that the combination of our products and services makes it easier to protect ICS systems from the rising tide of cyberattacks. Adding to the FireEye capabilities mentioned above are:
- Belden Industrial Networking & Firewall Devices: Ruggedized switches and routers from GarrettCom and Hirschmann control network traffic and have many built-in security features that add to a “Defense-in-Depth” security strategy. A range of industrial firewalls from Hirschmann and Tofino provide many types of filtering capabilities, including Deep Packet Inspection of industrial protocols, suitable for protecting manufacturing and process control applications.
- Belden Tripwire Threat, Security and Compliance Solutions: Tripwire Compliance Configuration Manager (CCM) utilizes a “no-touch” non-invasive and agentless architecture to check for security misconfigurations and compliance with standards such as IEC 62443. In addition, since 2008 Tripwire has helped more than 100 utilities, achieve, maintain and prove NERC CIP compliance.
A trend to be aware of is that more and more IT security vendors are migrating to the ICS security space. What you need to be wary of is that their offerings may “protect” with an IT-centric approach that includes frequent patching, short lifespans, mainstream and vulnerable operating systems and lack of industrial protocol and networking support.
Belden, on the other hand, has a 100+ year history of serving industrial customers, has deep industrial cybersecurity and networking knowledge and has a product portfolio designed for industry from the ground up. Combining our solutions with those of Tripwire and FireEye brings enterprise-grade security tools into the industrial space in relevant and safe ways.
We’ve talked about IT and OT convergence before -- vendor integration across networks is another aspect of it. Just make sure that the high reliability and safety needs of industrial networks are addressed with any solution.
FireEye ICS Security Threat Update
Part of FireEye’s threat intelligence offering is its iSIGHT Intelligence service for critical infrastructure organizations. Besides breach investigations, this service conducts primary research about current threats, analyzes the information and then briefs clients about them. It is headed up by Sean McBride, someone with very impressive ICS security credentials.
A good part of the July webinar was devoted to Sean explaining the current state (Q1 2016) of ICS security threats from his team’s perspective. This part of the presentation was fascinating and is not to be missed. Here are some of the highlights:
- ICS-specific Vulnerabilities: There were 1,552 vulnerability disclosures from January 2000 through April 2016, with 90% of these (1,403 disclosures) occurring since Stuxnet was revealed in mid-2010. 1 Of the 1,552 analyzed, 516 (33% - one third) had no vendor fixes available at the time of disclosure – leaving those systems even more vulnerable to exploit.
- Ransomware: This type of attack is impacting ICS organizations, with one example masquerading itself as a legitimate ICS vendor (Allen-Bradley) file.
- ICS Attack Research: Conference presentations have shown examples of malware that sets VFDs to skip frequencies, reveals default ICS passwords and exploits vulnerabilities in PLCs leading to a loss of process control. These types of attacks may be executed against live control networks in the future.
- ICS Threat Developments: Entities active on dark web forums are trying to sell or purchase access to SCADA systems.
Sean’s recommendations for reducing cyber risks to your operation are summarized in the image below.
ICS security expert Sean McBride suggests the measures shown above to reduce cyber risks to ICS.
The Belden 1-2-3 Approach to Industrial Security
In addition to presenting FireEye’s solutions and how they complement Belden’s industrial cybersecurity portfolio, the webinar also discussed a new “1-2-3” industrial security model that Belden has developed. It simplifies the complexity associated with ICS security and helps companies prioritize protection measures and programs.
In the webinar, David Meltzer, Chief Research Officer at Tripwire/Belden explained how, for some organizations, the right priority order of this approach might actually be 1-2-3. But security is a journey and organizations can prioritize as appropriate for their unique environment. If the biggest risk point is the controllers, then focus on securing the controllers first. Start where it makes sense for you. But do get started was his message.
Belden's customers find the 1-2-3 model of ICS security risk mitigations shown above useful. Depending on the organization and its biggest risks, the order of measures tackled varies.
Part 1 is to secure the industrial network with a well-architected and segmented design. Sean also mentioned this in his tips. The design should have resiliency as a priority and should incorporate the IEC 62443 best practice of defining zones and conduits. Remote access and wireless are two important areas beyond segmentation to also factor in.
Part 2 is to secure the endpoints or industrial PCs. The systems most likely to be attacked are standard Windows PCs running applications such as HMIs on older operation systems. They should undergo the same kind of basic security hygiene that exists in the IT world, but using solutions that won’t disrupt industrial systems. Windows PCs are most frequently the jumping off point for actually disrupting controllers, so hardening them has a real impact.
Part 3 is to secure the industrial systems themselves – PLCs, RTUs, HMIs etc. Usually this doesn’t need to get all the way to the robot, motor or sensor level, if the controller for those systems can be secured. (This may change in the future, however, as the Industrial Internet of Things becomes more pervasive.) Consider how you can detect vulnerabilities, attacks and malicious or inadvertent changes to industrial devices.
Embrace New Approaches to ICS Security
Hopefully this article has introduced you to some new technologies and approaches for industrial security. As we move forward cyber threats are likely to continue to grow in importance as risks to reliability and safety. Ongoing education is key and in this regard don’t miss the Belden / FireEye July 2016 webinar “Industrial Control Systems: Are ICS Threats Hype or Real?”
Also, don’t miss the Tripwire blog about the same webinar “Lessons Learned and Recommendations for Protecting Against ICS Security Threats.”
1 Although the webinar presentation slides indicate “as of April 2016 we are tracking nearly 1600” that is the total number of vulnerabilities found since 2000. See the FireEye report: "Overload Critical Lessons from 15 Years of ICS Vulnerabilities" for clarification.
Relevant Blog Articles
- Related Tripwire Blog: Lessons Learned and Recommendations for Protecting Against ICS Security Threats
- Tripwire Blog: FireEye 2016 ICS Vulnerabilities Trend Report: Missed Warnings, Exposed Industrial Environments
- Blog: Expand Your ICS Security Toolkit with Tripwire CCM
Belden and FireEye Information
- Webpage: Belden’s Industrial Cyber Security Solution Portfolio
- Press Release: Belden and FireEye Join Forces to Secure Industrial Control Systems Against Sophisticated Cyber Attacks
- PDF: ICS Reference Architecture for Cyber Security
- PDF: ICS Threat Intelligence Lifecycle with Belden and FireEye
- FireEye webpage: Mandiant ICS HealthCheck
- FireEye webpage: Threat Analytics Platform (TAP)
- Fireeye webpage: iSIGHT Intelligence Services