Security has always been a concern for process plants. Before plants were networked, the threats were physical: damage to equipment, and theft or tampering of data held on an isolated device or in hard copy. Either way, an attacker needed physical access to the device or the document.
Now an attacker who gains remote access to a single device can take over an entire ecosystem. According to Sean Peasley of Deloitte, in a presentation at VMA’s 2018 Market Outlook Workshop, this is partly because the internet was not built with security in mind; it was built for speed and availability.
Peasley noted that one-third of enterprises report using the Internet of Things (IoT), with another third planning to do so, primarily to enable predictive maintenance and to track asset condition and operating performance. Close to 50% of manufacturers use mobile apps to do this, and 75% of manufacturers use Wi-Fi networks to transmit data to/from connected products. Many companies even use sensor-equipped wearables to ensure worker safety and improve labor efficiency and utilization.
This interconnectivity extends beyond the operational systems and industrial control networks to the business networks and back again. The result is that potentially thousands of people have direct or indirect access to critical systems, and there are tens of thousands of ways for attackers to get into them. Many industrial systems have also been around for a long time, with a patchwork of new and old equipment, controls and networks accumulated over the years. Shop floors are therefore increasingly vulnerable, yet in a Deloitte process control survey a full 50% of respondents said they test the security of their system only once a month. Hackers can launch a denial of service (DoS) attack or even cause a major accident by taking over an entire process control system.
Recognizing that a threat to industrial controls could affect domestic security, the Department of Homeland Security published guidance, written with the FBI and NSA in 2015, titled “Seven Steps to Effectively Defend Industrial Control Systems”. The steps are:
1. Implement application whitelisting on endpoints. Maintaining a list of the applications that are allowed to run on a system is far more effective against malware than trying to block those that are not, because new malware appears almost daily. The static nature of many ICS hosts, such as database servers and HMI computers, makes them ideal candidates for whitelisting, and operators are encouraged to work with their vendors to baseline and calibrate those deployments.
Peasley pointed out that it’s important to know exactly how secure these apps are. Where is the information stored? How was that system designed in terms of security? “We must employ a secure software development lifecycle. Design it securely, right from the beginning. If you fit it after the fact, it will cost more and not be as effective.”
2. Ensure proper configuration and patch management. DHS recommends starting with a complete inventory and baseline of the software on your systems. Validate downloaded software against digital signatures and vendor-supplied hashes before installing it. A truly effective program would also eliminate or limit the connection of external laptops to the control network.
There is no doubt that taking an inventory of software and hardware is time consuming, but it is a crucial step: if you don’t know where your vulnerabilities are, you cannot form a defensive strategy.
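As an added example, not taken from the article or from the DHS paper, the following Python script does the two things step 2 asks for: it builds a hash baseline of the files on a host so that later changes can be detected, and it checks a downloaded installer against a vendor-supplied hash file before it is trusted. The baseline format (relative path to SHA-256), the sha256sum-style hash file, and the file and directory names are assumptions made for the demonstration; the install tree is constructed in a temporary directory.

```python
"""Added example: software baseline and download verification (DHS step 2).

Assumptions, not taken from the article: the baseline is a dict of
relative path -> SHA-256 hex digest, and vendor hashes are published in
sha256sum format ("<hex>  <filename>", or "<hex> *<filename>" for binary mode).
"""
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large installers are not read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Inventory every regular file under root as relative path -> digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_to_baseline(root: Path, baseline: dict) -> dict:
    """Report files added, removed or modified since the baseline was taken."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in current.keys() & baseline.keys()
                           if current[k] != baseline[k]),
    }


def parse_vendor_hashes(text: str) -> dict:
    """Parse sha256sum-style lines into filename -> lowercase hex digest."""
    hashes = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(maxsplit=1)
        hashes[name.lstrip("*")] = digest.lower()   # '*' marks binary mode
    return hashes


def verify_download(path: Path, vendor_hashes: dict) -> bool:
    """True only if the vendor published a hash for this file and it matches.
    A file with no published hash is unverified, which is treated as a failure."""
    expected = vendor_hashes.get(path.name)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_file(path), expected)


def demo() -> dict:
    """Constructed scenario in a temporary directory: baseline a fake HMI
    install, tamper with it, and check a downloaded patch against a hash file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "hmi").mkdir()
        (root / "hmi" / "runtime.exe").write_bytes(b"original HMI runtime")
        (root / "hmi" / "config.ini").write_text("alarm_limit=90\n")
        baseline = build_baseline(root)

        # Later: a config edit nobody recorded, plus a DLL that was not there before.
        (root / "hmi" / "config.ini").write_text("alarm_limit=999\n")
        (root / "hmi" / "helper.dll").write_bytes(b"unexpected binary")
        drift = compare_to_baseline(root, baseline)

        # A downloaded patch, checked against a good and a bad vendor hash file.
        patch = root / "patch-1.2.3.exe"
        patch.write_bytes(b"vendor patch payload")
        good = f"{sha256_file(patch)}  patch-1.2.3.exe\n"
        bad = "0" * 64 + "  patch-1.2.3.exe\n"
        return {
            "drift": drift,
            "good_hash": verify_download(patch, parse_vendor_hashes(good)),
            "bad_hash": verify_download(patch, parse_vendor_hashes(bad)),
            "unlisted": verify_download(patch, parse_vendor_hashes("")),
        }


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting: a file that the vendor did not publish a hash for is reported as unverified rather than as passing, and the baseline comparison reports additions as well as modifications, because an unexpected new binary on an HMI is at least as interesting as a changed one. A hash check only proves the download is what the vendor published; it does not replace checking the vendor's digital signature where one is available.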
Once you understand your system and its vulnerabilities, you must remain vigilant to safeguard sensitive data throughout its lifecycle. The nature of the data determines which security controls it needs: classify it first, then protect it accordingly.
Beyond this, all data must be backed up, and make sure you can access those backups. Steve Mustard, co-author of the ISA’s whitepaper “Industrial Cybersecurity for Small and Medium Sized Businesses,” said in an interview that people often don’t worry much about backing up information, or if they do, they don’t remember where it is. “If it’s backed up and it’s not in a place where it can be used, it's no good. Or it could be corrupted. You must look after the backups, too. The backup and recovery go hand-in-hand.”
3. Reduce your attack surface. DHS recommends isolating ICS networks, especially from the internet. Review connectivity to business networks against defined business requirements, and allow real-time connectivity to external networks only where such a requirement exists. Supply management is one example, but restrict that connection to specific machines for specific periods. Lock down all unused ports and disable all unused services.
4. Build a defendable environment. A strong network perimeter is necessary but not sufficient. By segmenting the network into logical enclaves and restricting which hosts can talk to which, you limit the damage from a perimeter breach if malware is introduced into either the control or the business system. The goal is to contain an attack in one location rather than let it spread.
5. Manage authentication. DHS recommends removing or changing default accounts. Allow only designated people to use specific systems, with access rights appropriate to their role. Implement multi-factor authentication where possible, and reduce privileges to only those needed for a user’s duties. Enforcing least privilege also gives you the opportunity to vet who uses which systems, and when.
Implement secure password policies, and do not use the same credentials for business and process systems. Require separate credentials for corporate and control network zones, and never share Active Directory or other trust stores between corporate and control networks.
6. Monitor and respond. DHS recommends monitoring the network for suspicious activity with an intrusion detection/prevention system. Baseline your network to learn what “normal” looks like. What does an attack look like? What will you see, or how will the system indicate it, if an adversary is gaining access to your data without an obvious DoS incident?
Peasley warns that probably all U.S. companies with valuable engineering data have been compromised in some way. “Between $200 and $300 billion is lost in the U.S. per year. China is stealing it,” he said. “China has been very successful at getting the crown jewels of U.S. data; probably all of your [valve manufacturing] companies have already been hacked.”
Mustard said the most important thing any company, big or small, must do, is take the attitude that everyone is at risk. “Many companies will focus on technical solutions, but forget about the people. The first thing is to make people aware that EVERYBODY in the organization has some part to play in good cybersecurity management—not just the people that deal with the IT issues. That includes everybody who has contact with you or the company. They can unwittingly send you something that is infected.”
The DHS paper also recommends SIEM (Security Information and Event Management), which centralizes log collection and analysis, including analysis of who logs in, from where and when. Be sure to monitor the use and misuse of administrative privileges.
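To make the baseline-then-detect idea in step 6 and the log and privilege monitoring point concrete, here is an added Python example; it is not from the article or from DHS. It learns which user logs in from which address to which host, and which accounts normally use administrative rights, from a quiet week of constructed log lines, then runs live lines against that baseline and flags logins over a path never seen before, administrative actions by accounts that never used them, and bursts of failed logins. The log format, host names, account names and addresses are invented for the example; a real deployment would parse the SIEM's or the hosts' actual log format.

```python
"""Added example: baseline-and-detect monitoring over constructed log lines
(DHS step 6). Log format, hosts, accounts and addresses are invented:
    <iso-timestamp> <host> <LOGIN|LOGIN_FAILED|ADMIN> key=value ...
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>LOGIN|LOGIN_FAILED|ADMIN) (?P<kv>.*)$")

# Learning period: one quiet week of "normal" (constructed).
BASELINE_LOG = """\
2018-04-02T08:01:10 hmi01 LOGIN user=op1 src=10.1.0.20
2018-04-02T08:05:42 hist01 LOGIN user=eng1 src=10.1.0.31
2018-04-02T09:12:03 hist01 ADMIN user=eng1 cmd=service_restart
2018-04-03T08:00:55 hmi01 LOGIN user=op2 src=10.1.0.21
"""

# Live traffic to test against the baseline (constructed).
LIVE_LOG = """\
2018-05-02T08:02:11 hmi01 LOGIN user=op1 src=10.1.0.20
2018-05-02T03:14:07 hmi01 LOGIN user=op1 src=10.2.0.77
2018-05-02T03:15:30 hmi01 ADMIN user=op1 cmd=add_user
2018-05-02T11:00:01 hist01 LOGIN_FAILED user=admin src=10.2.0.77
2018-05-02T11:00:03 hist01 LOGIN_FAILED user=admin src=10.2.0.77
2018-05-02T11:00:05 hist01 LOGIN_FAILED user=admin src=10.2.0.77
2018-05-02T11:00:07 hist01 LOGIN_FAILED user=admin src=10.2.0.77
2018-05-02T11:00:09 hist01 LOGIN_FAILED user=admin src=10.2.0.77
2018-05-02T16:30:00 hist01 ADMIN user=eng1 cmd=service_restart
"""


def parse(line: str):
    """Turn one log line into a dict, or None for lines we do not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"], "event": m["event"]}
    rec.update(item.split("=", 1) for item in m["kv"].split())
    return rec


def parse_log(text: str) -> list:
    """Parse all lines, drop unparseable ones, and order by timestamp."""
    records = [parse(line) for line in text.splitlines()]
    return sorted((r for r in records if r), key=lambda r: r["ts"])


def learn_baseline(records: list) -> dict:
    """Normal = which user reaches which host from which address, and which
    (user, host) pairs ever exercised administrative rights."""
    logins, admins = set(), set()
    for r in records:
        if r["event"] == "LOGIN":
            logins.add((r["user"], r["src"], r["host"]))
        elif r["event"] == "ADMIN":
            admins.add((r["user"], r["host"]))
    return {"logins": logins, "admins": admins}


def detect(records: list, baseline: dict, fail_threshold: int = 5,
           window: timedelta = timedelta(minutes=5)) -> list:
    """Return (rule, user, host, timestamp) tuples for anything off-baseline."""
    alerts = []
    failures = defaultdict(list)          # (user, host) -> recent failure times
    for r in records:
        user, host = r.get("user"), r["host"]
        if r["event"] == "LOGIN" and (user, r["src"], host) not in baseline["logins"]:
            alerts.append(("new-login-path", user, host, r["ts"].isoformat()))
        elif r["event"] == "ADMIN" and (user, host) not in baseline["admins"]:
            alerts.append(("unexpected-admin", user, host, r["ts"].isoformat()))
        elif r["event"] == "LOGIN_FAILED":
            recent = failures[(user, host)]
            recent.append(r["ts"])
            while recent and r["ts"] - recent[0] > window:
                recent.pop(0)             # slide the window forward
            if len(recent) == fail_threshold:   # fire once per burst
                alerts.append(("brute-force", user, host, r["ts"].isoformat()))
    return alerts


def run_demo() -> list:
    baseline = learn_baseline(parse_log(BASELINE_LOG))
    return detect(parse_log(LIVE_LOG), baseline)


if __name__ == "__main__":
    for alert in run_demo():
        print(*alert)
```

On the constructed data the script raises three alerts: an operator account logging in to the HMI from an address it has never used, that same account then performing an administrative action it has never performed, and five failed logins to the historian within five minutes. A login at 3 a.m. from a new address is exactly the kind of "time and place" anomaly a baseline exposes even when nothing is visibly broken; the baseline itself should be learned from a period you have reason to believe was clean, and re-learned when the plant legitimately changes.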
7. Implement secure remote access. Do not allow persistent connections for vendors or business users, and do not let anyone sit in the middle of the conversation between the control and business sides of your operation. The preferred approach is an operator-controlled connection with two-factor authentication.
Mustard pointed out there are also risks when employees have to use a public, unsecured Wi-Fi network while traveling. “You can’t avoid it necessarily, but if you have a VPN (Virtual Private Network), there is a private channel for communications so it’s very hard for people to get into it. It’s not difficult to set one up. It’s slightly more inconvenient because you have to log in to yet another thing to use it. Your machine is like a node on this virtual network, and when you’re connecting on the Wi-Fi, over the top of that, you connect to your own VPN with another password and then once you’re in there, all the communications are then secured with encryption so that no one can be a man in the middle.”
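An added example, not from the article or from DHS, of what the operator-controlled connection with two-factor authentication in step 7 looks like in code. A Python gateway object accepts a vendor connection only inside a time-boxed window that an operator opened for one named asset; the vendor must then present a password and a time-based one-time code (TOTP, RFC 6238, implemented here directly with the standard library). A code cannot be replayed, and an expired window is removed, so there is no persistent connection. The vendor, asset and password names are assumptions; the one-time-code routine is checked against the published RFC 4226 and RFC 6238 test vectors.

```python
"""Added example: operator-controlled vendor access with two factors (DHS step 7).
TOTP (RFC 6238) and HOTP (RFC 4226) are implemented with the standard library;
the vendor name, asset name, password and timings are invented for the demo.
"""
import hashlib
import hmac
import secrets
import struct

PBKDF2_ROUNDS = 100_000


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


def matching_counter(secret: bytes, code: str, at: int, step: int = 30, skew: int = 1):
    """Return the time-step counter whose code matches (allowing +/- skew steps), else None."""
    base = at // step
    for c in range(base - skew, base + skew + 1):
        if hmac.compare_digest(hotp(secret, c), code):
            return c
    return None


class RemoteAccessGateway:
    """Vendors may connect only inside a window an operator opened for one asset,
    and only after presenting a password and a fresh one-time code."""

    def __init__(self):
        self._creds = {}     # vendor -> credential record
        self._windows = {}   # vendor -> (asset, opens_at, closes_at)
        self.audit = []      # (vendor, asset, time) for every accepted connection

    def enroll(self, vendor: str, password: str) -> bytes:
        salt = secrets.token_bytes(16)
        self._creds[vendor] = {
            "salt": salt,
            "pw": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
            "totp": secrets.token_bytes(20),
            "last_counter": -1,            # highest TOTP counter accepted so far
        }
        return self._creds[vendor]["totp"]   # provisioned to the vendor's authenticator out of band

    def open_window(self, vendor: str, asset: str, opens_at: int, minutes: int) -> None:
        """Operator action: approve vendor access to one asset for a bounded time."""
        self._windows[vendor] = (asset, opens_at, opens_at + minutes * 60)

    def close_window(self, vendor: str) -> None:
        self._windows.pop(vendor, None)

    def connect(self, vendor: str, asset: str, password: str, code: str, now: int):
        cred = self._creds.get(vendor)
        if cred is None:
            return False, "unknown vendor"
        if vendor not in self._windows:
            return False, "no operator-approved window"
        approved_asset, opens, closes = self._windows[vendor]
        if now < opens:
            return False, "window not yet open"
        if now >= closes:
            self.close_window(vendor)        # expired windows are removed; nothing persists
            return False, "window expired"
        if asset != approved_asset:
            return False, "asset not in approved window"
        pw = hashlib.pbkdf2_hmac("sha256", password.encode(), cred["salt"], PBKDF2_ROUNDS)
        if not hmac.compare_digest(pw, cred["pw"]):
            return False, "bad password"
        counter = matching_counter(cred["totp"], code, now)
        if counter is None:
            return False, "bad one-time code"
        if counter <= cred["last_counter"]:
            return False, "one-time code already used"
        cred["last_counter"] = counter
        self.audit.append((vendor, asset, now))
        return True, "connected"


if __name__ == "__main__":
    gw = RemoteAccessGateway()
    secret = gw.enroll("acme-integrator", "correct horse")
    gw.open_window("acme-integrator", "plc-03", opens_at=1_000, minutes=30)
    print(gw.connect("acme-integrator", "plc-03", "correct horse", totp(secret, 1_060), 1_060))
```

The order of the checks is deliberate: the operator's approval is evaluated before any credential, so a vendor with perfectly valid credentials still gets nothing unless someone on the plant side opened a window, and that window names a single asset rather than "the control network". Rejecting a one-time code whose time step has already been accepted closes the small replay window that a plain TOTP check leaves open.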
However, even with all these systems in place, hacks can and do happen.
Have a Recovery Plan
It is essential to have a recovery plan in place, including backups and exercises so that people know what to do if an attack takes place. Everyone in the company must be able to recognize an attack, understand what happens when data, a particular machine or a process becomes unavailable, and know what to do when that happens.
If you have followed the recommendations and have readily accessible, uncorrupted backups, you will have whatever you need to run the business.
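An added Python example, not from the article, of the backup check that Mustard's warning about backups that are corrupted or unusable and the paragraph above both call for. It writes a backup archive together with a manifest of file hashes, verifies the archive against the manifest, and then proves the backup is usable by performing a test restore into a scratch directory and re-hashing every restored file. It finally corrupts the archive to show that the check catches an unusable backup rather than discovering it during an incident. The project files, archive layout and manifest format are constructed for the demonstration.

```python
"""Added example: backup with a hash manifest, integrity check and test restore.
Project files, archive layout and manifest format are constructed for the demo.
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def manifest_path(archive: Path) -> Path:
    return archive.with_name(archive.name + ".manifest.json")


def make_backup(src: Path, archive: Path) -> Path:
    """Write src as a tar.gz plus a manifest of per-file and whole-archive hashes."""
    files = {p.relative_to(src).as_posix(): sha256_bytes(p.read_bytes())
             for p in sorted(src.rglob("*")) if p.is_file()}
    with tarfile.open(archive, "w:gz") as tar:
        for rel in files:
            tar.add(str(src / rel), arcname=rel)
    manifest = {"archive_sha256": sha256_bytes(archive.read_bytes()), "files": files}
    manifest_path(archive).write_text(json.dumps(manifest, indent=1))
    return manifest_path(archive)


def _extract(tar: tarfile.TarFile, member: tarfile.TarInfo, dest: str) -> None:
    try:
        tar.extract(member, dest, filter="data")   # Python 3.12+ safe-extraction filter
    except TypeError:                              # older Python: no filter argument
        tar.extract(member, dest)


def verify_backup(archive: Path) -> dict:
    """Check the archive hash, then prove the backup is usable by restoring it
    into a scratch directory and re-hashing every file against the manifest."""
    report = {"archive_ok": False, "restore_ok": False, "problems": []}
    try:
        manifest = json.loads(manifest_path(archive).read_text())
    except FileNotFoundError:
        report["problems"].append("manifest missing")
        return report
    if sha256_bytes(archive.read_bytes()) != manifest["archive_sha256"]:
        report["problems"].append("archive hash mismatch")
        return report
    report["archive_ok"] = True
    with tempfile.TemporaryDirectory() as scratch, tarfile.open(archive, "r:gz") as tar:
        for m in tar.getmembers():
            # Refuse anything that is not a plain file inside the archive root.
            if not m.isfile() or m.name.startswith("/") or ".." in Path(m.name).parts:
                report["problems"].append(f"unsafe member {m.name}")
                continue
            _extract(tar, m, scratch)
        for rel, digest in manifest["files"].items():
            restored = Path(scratch) / rel
            if not restored.is_file() or sha256_bytes(restored.read_bytes()) != digest:
                report["problems"].append(f"restore mismatch {rel}")
    report["restore_ok"] = not report["problems"]
    return report


def demo() -> dict:
    """Back up a constructed project, verify it, then corrupt the archive and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "line7-controls"
        (src / "hmi").mkdir(parents=True)
        (src / "plc_program.bin").write_bytes(bytes(range(256)) * 64)
        (src / "hmi" / "screens.xml").write_text("<screens><screen name='overview'/></screens>")
        archive = tmp / "line7-controls.tar.gz"
        make_backup(src, archive)
        good = verify_backup(archive)

        # Simulate bit rot or tampering: flip one byte in the middle of the archive.
        data = bytearray(archive.read_bytes())
        data[len(data) // 2] ^= 0xFF
        archive.write_bytes(bytes(data))
        corrupted = verify_backup(archive)
        return {"good": good, "corrupted": corrupted}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The point of the test restore is that a backup whose archive hash is fine can still be unusable: the manifest records what was supposed to be in it, and only extracting and comparing proves the copy you have will actually bring a machine back. Run the verification on a schedule against the copy that lives off the plant network, since that is the one you will reach for after ransomware.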
When asked what should be done if your company is hit with ransomware, Peasley said, “The key thing with ransomware is that your machine gets locked up and you have to pay to use the machine again. The best solution is to have in place procedures so that you can wipe your machine(s) and restore with a good clean backup. If you pay it once, you are a candidate for paying it again in the future.”
There are useful protocols to follow and excellent products that can help prevent most cyber-attacks. But even if you dedicate huge financial resources to firewalls and Virtual Private Networks (VPNs), if your personnel are not adequately trained to prevent breaches, cyber-attacks are still likely to happen.