Supervisory Control and Data Acquisition (SCADA) systems are used for remote monitoring and control in the delivery of essential services such as electricity, natural gas, water, waste treatment and transportation. SCADA software runs on ordinary computers, but it is used by owners of critical infrastructure and various other types of industrial facilities to monitor and control industrial processes.
This blog post introduces SCADA system fundamentals that help frame the security considerations.
Remote monitoring is widely considered one of the hardest applications to do cost-effectively, and doing it with SCADA systems has traditionally been a difficult and expensive task. SCADA systems have traditionally used their own communications networks, and their security has been based largely on keeping the SCADA network separate from public networks and on the fact that few people know the specialised protocols used on those systems (security by obscurity).
Internet technologies have made remote monitoring easier and more cost-effective in many applications, but they have also created a new set of hacking-related risks. If you connect a remote monitoring system that uses an insecure communications protocol to the Internet, sooner or later somebody will figure out how to break into it. If the system only does monitoring, an intruder can stop your communications or, worse, feed you false data. If the remote monitoring system is also used to control something, the risks are far greater.
There isn’t a single security solution capable of addressing all existing and future risks, so a series of different defenses has to be implemented across the system. Deploy safeguards throughout the platform to provide robust protection against the vast majority of attacks.
Modern SCADA systems are typically secured with the same platforms and methods as typical networked clients such as laptops and workstations, but there are also some specific considerations. Security systems easily become complicated, and as the complexity of securing devices increases, so does the risk of vulnerabilities slipping past equipment manufacturers and IT organizations. Industrial control systems (ICS), distributed control systems (DCS) and supervisory control and data acquisition (SCADA) systems have all been around for decades, but thanks to Stuxnet, Duqu and other major incidents they have only recently begun to receive serious security consideration.
Cyber security is war. You have to defend your systems from all sorts of outside attackers, and if a skilled and determined one gets you in their sights, defending yourself may be tougher than you think. Once an attacker breaks through a hardened perimeter, moving around inside is usually pretty easy. That’s why defense in depth, with incident detection, response and attribution, is so important.
Security is all about layers. You can’t ever block everything in one place, so you need layers of security to protect yourself. An enterprise can put lots of devices and layers in place to protect itself and its customers, because you can’t be 100 percent protected against everything with a single solution.
The article Want it Secure? Target Both Design and Data Security says that in today’s increasingly connected world, security applies to servers as well as to mobile and remote embedded devices. The latter are often exposed to physical tampering, while data travelling over networks is exposed to interception and manipulation. Security depends on securing the complete connected universe.
How safe is your network? The article Is Your Network Safe? tells that just a few years ago, plants didn’t have to worry about the safety of their networks. From an IT point of view, plants were silos: self-contained and secure. That changed over the past decade. To improve efficiency, plants connected out to the company’s back office and beyond to suppliers and customers, and most of that connectivity runs over Internet connections. This extended network prompted a battle between the organization’s IT team and the control folks on the factory floor: if your plant is running 24/7, you can’t add patches and reboot without shutting down the plant. In addition, the plant is now exposed to hacking by terrorists, hackers, competitors and disgruntled employees.
The blog article Six Ways to Improve SCADA Security says that when it comes to securing SCADA networks, we are usually years or even decades behind securing typical IT networks. The article lists some of SCADA security’s most daunting challenges along with recommendations for securing SCADA networks:
1. A SCADA network is inadvertently connected to a company’s IT network or even to the internet
2. ‘Data presentation and control’ now runs off-the-shelf software
3. Control systems not patched
4. Authentication and authorization
5. Insecure data communication protocols
6. Long life span of SCADA systems
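Points 4 and 5 above, together with the earlier remark about insecure protocols exposed to the Internet, are easiest to see with an actual SCADA protocol. The following is an added example written for this post, not code from the article it summarizes. It assumes Modbus/TCP as a representative protocol (Modbus carries no authentication at all, so the question of who may write to a PLC has to be answered outside the protocol, for instance in a firewall or passive sensor in front of the controller), parses each request while checking every length field against the bytes actually received, and then applies a per-source read/write policy. All frames, addresses and the policy table are constructed for the example.

```python
"""
Added example (not from the original post): parse Modbus/TCP request frames
with strict length checks and enforce a per-source read/write policy.

Modbus is assumed here as a representative SCADA protocol. It has no
authentication, so "who may write" must be enforced by something that sits
in front of the PLC. All frames, addresses and the policy are constructed.
"""
import struct

# Modbus function codes that change controller state (subset) and that only read.
WRITE_FUNCTIONS = {0x05, 0x06, 0x0F, 0x10}
READ_FUNCTIONS = {0x01, 0x02, 0x03, 0x04}


class MalformedFrame(ValueError):
    """Raised when a frame's own length fields disagree with the bytes received."""


def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse one Modbus/TCP ADU (MBAP header + PDU).

    Every length field is checked against the bytes actually present before it
    is trusted: trusting a peer-supplied length is the classic parser bug.
    """
    if len(frame) < 8:
        raise MalformedFrame("frame shorter than MBAP header + function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise MalformedFrame(f"unexpected protocol id {pid}")
    # 'length' counts the unit id plus the PDU, so it must equal what follows it.
    if length != len(frame) - 6:
        raise MalformedFrame(f"length field {length} != {len(frame) - 6} bytes present")
    if length > 254:  # 260-byte ADU limit in Modbus/TCP
        raise MalformedFrame("ADU exceeds Modbus/TCP maximum")
    pdu = frame[7:]
    fc, data = pdu[0], pdu[1:]
    req = {"tid": tid, "unit": unit, "function": fc}
    if fc in (0x03, 0x04, 0x06):  # read holding/input registers, write single register
        if len(data) != 4:
            raise MalformedFrame("expected 4 data bytes")
        req["address"], req["value"] = struct.unpack(">HH", data)
    elif fc == 0x10:  # write multiple registers
        if len(data) < 5:
            raise MalformedFrame("truncated write-multiple request")
        addr, qty, bytecount = struct.unpack(">HHB", data[:5])
        if bytecount != 2 * qty or len(data) - 5 != bytecount:
            raise MalformedFrame("byte count disagrees with quantity/payload")
        req["address"] = addr
        req["values"] = list(struct.unpack(f">{qty}H", data[5:]))
    else:
        req["raw"] = data
    return req


# Constructed policy: only the engineering workstation may write; the HMI may read.
POLICY = {
    "10.10.1.5": {"read", "write"},  # engineering workstation
    "10.10.1.20": {"read"},          # HMI
}


def evaluate(src_ip: str, frame: bytes) -> tuple[str, str]:
    """Return ('allow'|'drop', reason) for a frame arriving from src_ip."""
    try:
        req = parse_modbus_tcp(frame)
    except MalformedFrame as exc:
        return "drop", f"malformed: {exc}"
    rights = POLICY.get(src_ip, set())  # unknown sources get no rights
    fc = req["function"]
    if fc in WRITE_FUNCTIONS and "write" not in rights:
        return "drop", f"{src_ip} not allowed to write (fc=0x{fc:02x})"
    if fc in READ_FUNCTIONS and "read" not in rights:
        return "drop", f"{src_ip} not allowed to read"
    if fc not in WRITE_FUNCTIONS | READ_FUNCTIONS:
        return "drop", f"function 0x{fc:02x} not in allowlist"
    return "allow", f"fc=0x{fc:02x} addr={req.get('address')}"


def build_frame(tid: int, unit: int, fc: int, payload: bytes) -> bytes:
    """Build a well-formed ADU; used only to construct the sample traffic."""
    pdu = bytes([fc]) + payload
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


if __name__ == "__main__":
    samples = [  # constructed traffic
        ("10.10.1.20", build_frame(1, 1, 0x03, struct.pack(">HH", 0, 10))),   # HMI read
        ("10.10.1.20", build_frame(2, 1, 0x06, struct.pack(">HH", 100, 999))),  # HMI write
        ("10.10.1.5", build_frame(3, 1, 0x10, struct.pack(">HHB", 0, 2, 4) + struct.pack(">HH", 1, 2))),
        ("10.10.1.5", build_frame(4, 1, 0x10, struct.pack(">HHB", 0, 200, 4) + struct.pack(">HH", 1, 2))),
        ("192.0.2.9", build_frame(5, 1, 0x03, struct.pack(">HH", 0, 1))),    # unknown source
    ]
    for ip, frame in samples:
        print(ip, *evaluate(ip, frame))
```

The fourth sample claims 200 registers but carries four bytes; it is dropped as malformed before any policy decision, which is the check a device-side parser would skip if it trusted the quantity field. Note that this only tells you where a request came from at the IP level: a compromised engineering workstation passes the policy, which is why the post's other layers (patching, authentication, segmentation) still matter.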
The article Understanding cyberspace is key to defending against digital attacks tells that in recent years there has been one stunning revelation after the next about how previously unknown vulnerabilities were used to break into systems that were assumed to be secure.
Growing numbers of other kinds of machines and “smart” devices are also linked to the Internet: security cameras, elevators and CT scan machines; global positioning systems and satellites; jet fighters and global banking networks; commuter trains and the computers that control power grids and water systems. “We have built our future upon a capability that we have not learned how to protect,” former CIA director George J. Tenet has said.
“Companies want to make money,” the article quotes. “They don’t want to sit around and make their software perfect.” Many of these vulnerabilities are errors in code that parses data sent over the Internet. Software makers have often failed to heed warnings from security researchers, and some vulnerabilities remained for a long time. Even where the manufacturer has a fix, the customer might not apply it any time soon, because in many plants you can’t add patches and reboot without shutting down production.
The Want it Secure? Target Both Design and Data Security article also says that adding robust security features to a design can substantially affect the complexity, power consumption and cost of a system. The challenges include supporting the computational load of advanced cryptographic algorithms, providing secure insertion and storage of encryption keys, and authenticating and encrypting data exchanged over public network connections.
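The last of those challenges, authenticating data exchanged over a public network, is the one that directly answers the earlier worry about an intruder feeding a monitoring system false data. The following is an added example written for this post, not code from either article: it wraps a SCADA telemetry or command payload with a keyed MAC (HMAC-SHA256) and a monotonic sequence number, so the receiver rejects altered, forged and replayed messages. The wire format, key-ID scheme, 16-byte truncated tag and sample messages are all assumptions of the example. Only authentication is shown; confidentiality would need a cipher on top, which the Python standard library does not provide.

```python
"""
Added example (not from the original post or the articles it summarizes):
authenticate SCADA telemetry/commands with HMAC-SHA256 and a monotonic
sequence number so that altered, forged or replayed messages are rejected.

Wire format (assumed for this example):
    key_id(2) | seq(4) | payload | tag(16)
    tag = HMAC-SHA256(key, key_id||seq||payload)[:16]
Keys and messages below are constructed.
"""
import hashlib
import hmac
import struct

TAG_LEN = 16  # truncated HMAC-SHA256 tag; adequate for short-lived control messages
HEADER = struct.Struct(">HI")  # key_id, seq


class Sender:
    """Field device (RTU) side: numbers and tags each outgoing message."""

    def __init__(self, key: bytes, key_id: int):
        self.key, self.key_id, self.seq = key, key_id, 0

    def wrap(self, payload: bytes) -> bytes:
        self.seq += 1  # never reuse a sequence number under the same key
        header = HEADER.pack(self.key_id, self.seq)
        tag = hmac.new(self.key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
        return header + payload + tag


class Receiver:
    """Master/SCADA server side: verifies tag first, then freshness."""

    def __init__(self, keys: dict[int, bytes]):
        self.keys = keys
        self.last_seq: dict[int, int] = {}  # highest accepted seq per key id

    def unwrap(self, msg: bytes) -> bytes:
        """Return the payload if authentic and fresh; raise ValueError otherwise."""
        if len(msg) < HEADER.size + TAG_LEN:
            raise ValueError("truncated")
        header, body, tag = msg[:HEADER.size], msg[HEADER.size:-TAG_LEN], msg[-TAG_LEN:]
        key_id, seq = HEADER.unpack(header)
        key = self.keys.get(key_id)
        if key is None:
            raise ValueError(f"unknown key id {key_id}")
        expected = hmac.new(key, header + body, hashlib.sha256).digest()[:TAG_LEN]
        # Constant-time compare; the tag is checked BEFORE the sequence number so a
        # forger cannot move the replay window with unauthenticated messages.
        if not hmac.compare_digest(tag, expected):
            raise ValueError("bad tag: altered or forged")
        last = self.last_seq.get(key_id, 0)
        if seq <= last:
            raise ValueError(f"replay: seq {seq} not above {last}")
        self.last_seq[key_id] = seq  # only advance after the tag verified
        return body


def accept(receiver: Receiver, msg: bytes) -> str:
    """Convenience wrapper: 'ok:<payload>' or 'rejected:<reason>'."""
    try:
        return "ok:" + receiver.unwrap(msg).decode()
    except ValueError as exc:
        return "rejected:" + str(exc)


if __name__ == "__main__":
    key = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)  # constructed 32-byte key
    rtu = Sender(key, key_id=7)
    master = Receiver({7: key})

    level = rtu.wrap(b"LEVEL=3.2")
    print(accept(master, level))          # genuine reading
    print(accept(master, level))          # same bytes again -> replay
    tampered = bytearray(rtu.wrap(b"SETPOINT=40"))
    tampered[10] ^= 0x01                  # flip one payload bit in transit
    print(accept(master, bytes(tampered)))
    forged = Sender(b"\x02" * 32, key_id=7).wrap(b"SETPOINT=99")
    print(accept(master, forged))         # attacker without the key
```

The strict "seq must increase" rule means a message delayed behind a later one is also rejected; on a lossy radio link a small sliding window is the usual compromise. Key storage on the RTU is the hard part the article points at: if the key sits in readable flash, physical access to the device defeats everything above.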
344 Comments
Tomi Engdahl says:
Industrial cyber security: It’s best to learn from the mistakes of others
http://www.controleng.com/single-article/industrial-cyber-security-its-best-to-learn-from-the-mistakes-of-others/3a2d2437277b61ed8437f7b47cc1fe56.html
Engineering and IT Insight: When we don’t learn from past mistakes, we are forced to repeat them, and true to form, it has happened again. An outsourced IT department–unaware of the manufacturing elements of IT–recently shut down production in a multi-billion dollar manufacturing company.
Devices, networks, no rules
Corporate IT, when confronted with the problem, responded with: “Well, what are you going to do to protect against these types of attacks?” This pointed out the problem: there were no formal policies or rules for the division of responsibilities between the IT organization and the control department.
The IT organization “owned” the networks and switches; the control department “owned” the end devices. The control networks were not considered part of the control systems by IT but were by the control department. The control department had no way to fix the problem, and the IT department had no way to fix the embedded devices. There was corporate guidance for separation of networks but no monitoring of compliance.
The lesson to be learned is that corporate policies and rules for the separation of control and IT networks through DMZs are necessary, along with the need for procedures and checks to monitor sites for compliance. This company was lucky—no personnel were injured, no equipment was damaged, and they learned their lesson before a real attack happened. However, the lesson only cost millions of dollars.
Tomi Engdahl says:
ICS security trends
http://www.controleng.com/single-article/ics-security-trends/26dc9301d0bf6121782e1e7b18ecee92.html
As the Industrial Internet of Things (IIoT) becomes more prevalent, there is a greater risk for intentional and unintentional cyber security breaches. Industrial control system (ICS) security should focus on advanced security-focused products; security as an attribute of all Ethernet devices; and further adoption of defense-in-depth as major trends going forward.
More IIoT-related entry points to industrial communications infrastructure means more cyber risk from not only intentional attacks but also from unintentional sources such as device failure, operator error, and malware. In manufacturing and process control environments this means higher risk to physical devices and processes and the possibility of physical, not just digital, damage.
What does this imply for industrial control system (ICS) security going forward? There are three trends to consider: advanced security-focused products; security as an attribute of all Ethernet devices; and further adoption of defense-in-depth.
Security built-in to Ethernet networking devices
Ethernet networking devices such as industrial routers, switches, and firewalls are at every connection point of the ICS network. This makes them ideal security sentinels to identify and control traffic entering and leaving at all points of the communications infrastructure. However, studies show most industrial cyber incidents are unintentional. These incidents occur due to human error, a software or device flaw, or an inadvertent introduction of malware infection. This means ICS security needs to protect from “friends and neighbors” as well as “enemies.” A focused effort to evolve all Ethernet devices to play an active role in their own security can help mitigate some of these risks.
Tomi Engdahl says:
NIST Special Publication 800-82 Revision 2, Final Public Draft: Guide to Industrial Control Systems (ICS) Security
http://csrc.nist.gov/publications/drafts/800-82r2/sp800_82_r2_second_draft.pdf
Tomi Engdahl says:
What we learned about engineering communication
http://www.controleng.com/single-article/what-we-learned-about-engineering-communication/c7ceea0da46166146f04cf311e182f27.html
Think again about engineering communication and advice: Listening attentively is a learned skill; key phrases such as “what we learned” provide clues about where special attention is needed. Heed this advice on knowledge creation, automation investments, and cyber security from automation and control experts.
Sharing what we hear from others would be difficult without filtering and summarizing. When an engineering expert does that for you by saying, “Here’s what we learned” or “Key takeaways are … ” be sure to listen attentively, take careful notes, and underline key points.
When data becomes information, ensure appropriate context and intelligence are included to create value.
Invest in your future. The average age of U.S. industrial equipment is the highest it’s been since 1938, explained Raj Batra, president, digital factory division, Siemens Industry Inc., citing Morgan Stanley figures. “If you cannot keep an iPhone a year, why have automation on the plant floor for 40 years?”
Protecting connections
Protect your assets. While weaknesses will always exist, secure networking protocols are a key element of defense-in-depth strategy, explained David Doggett, on the ODVA Task Force for Cybersecurity. “All entities on a network should be considered untrusted until authenticated, access to devices should not be allowed until authorized by the device, and physical access to a device should be limited to trusted individuals,” Doggett noted at the ODVA annual conference, Frisco, Texas, in October 2015. Secure devices should reject altered data, reject messages sent by unknown or untrusted people or devices, and reject messages that request things not allowed by that source.
Tomi Engdahl says:
Wireless sensor network streamlines semiconductor fabrication facility operations
http://www.controleng.com/single-article/wireless-sensor-network-streamlines-semiconductor-fabrication-facility-operations/93d3b706b4312d630863681879ba76fd.html
Wireless mesh networks offer a viable workaround to traditional wired systems. They can be deployed without costly construction or downtime. In addition, the networks can provide data in real time and increase production. A semiconductor company takes the plunge and solves its challenges with the mesh network technology.
Tomi Engdahl says:
Quantified benefits of Industrial Internet of Things implementations
http://www.controleng.com/single-article/quantified-benefits-of-industrial-internet-of-things-implementations/cf97117a0f62c2a4e04d4ddd9290ed02.html
Automation experts already have been implementing Industrial Internet of Things (IIoT) architectures for years, prior to calling it IIoT; benefits of digital manufacturing including less downtime, fewer defects, and more new product introductions, as explained by Douglas Bellin, Cisco Systems Inc., at the A3 Business Forum, the day after the Cisco spent $1.4 billion for a cloud-based service company, Jasper Technologies Inc.
Implementations of Industrial Internet of Things (IIoT) architectures and the benefits of digital manufacturing deliver real benefits, including 48% less downtime, 49% fewer defects, and 23% increase in new product introductions, according to Douglas Bellin, senior manager, industry lead, Cisco Systems Inc. Bellin made the comments at the A3 Business Forum Feb. 4 in Orlando, the day after Cisco spent $1.4 billion for a cloud-based service company, Jasper Technologies Inc.
Bellin offered other pieces of advice about the IIoT and what it means for engineers.
The connected journey for the IIoT starts with proprietary serial islands and expands to connected machines, machine integration, machine as a service, and advanced machine automation. Courtesy: Mark T. Hoske, Control Engineering, CFE Media
“Okay, a show of hands. Who likes their IT department?” Bellin asked. Just a few raised their hands in a room with more than 100 attendees, and one was from the information technology (IT) department. Operational technology (OT) and IT personnel will need to work together more closely, Bellin suggested, as migration and changes continue to develop.
Reducing pain points
The IIoT resolves pain points that we all have suffered with for years, such as rising energy costs, aging and remotely located workers, globally distributed operations, customer support across time zones, world competition, product proliferation, asset optimization, and others.
The Internet of Everything (IoE) brings people, processes, data, and things together to make better business decisions. While almost every machine has a controller with a lot of data available, data driven manufacturing is not the norm, Bellin said, citing that 86% of 64 million U.S. machines are completely unconnected.
Some say 40% of businesses won’t be the same or exist as we move forward if they don’t do IoT.
Disruptive trends
Disruptive trends are changing manufacturing in many ways such as:
IT and OT are converging
Industrie 4.0 and Industrial Internet Consortium (IIC) are advocating IoT
Original equipment manufacturers (OEMs) have an increased focus on services, such as offering machines as a service, similar to software as a service (SaaS)
An increase in data-driven manufacturing
There are more secure operations and machines.
Implementations of digital manufacturing have delivered benefits including:
48% less downtime
49% fewer defects
23% increase in new product introductions
16% gain in overall equipment effectiveness
35% improved inventory
18% less energy use.
Cisco, Fanuc, and Rockwell Automation are working together in the robot space capturing stranded data and pushing it into the cloud (remote servers) in a capable form. This provides predictive maintenance with a two-week lead-time on failures. Bearings failures and resulting unplanned downtime and related costs and fines are falling dramatically as a result. The goal is to have 3 to 5 weeks of failure prediction.
Where’s the IoT going?
Bellin discussed the five waves of connectivity, which are: connectivity foundation, business, people, things, and convergence, which are designed to be the framework of the IIoT. Courtesy: Mark T. Hoske, Control Engineering, CFE Media
The connected journey means rapid commissioning of machines, greater security, start-up templates, a machine integration platform, OEE monitoring, data offload via MTC and OPC interfaces, scaled factory data acquisition, and advanced security.
Then IIoT will enable machines as a service, a security framework, machine-to-cloud communications, secure bi-directional communications, and remote access.
Finally, IIoT will deliver advanced machine automation, time-sensitive networks (TSN), high-speed standards, advanced controls, and human-machine interface (HMI) integration with analytics.
Digitization creates foundation of new applications and outcomes. Fanuc has found tremendous savings with problem prediction.
This accelerated the journey to value-added services. If a softer U.S. economy results in 2019, as some economists predict, offering services will keep machine builders ahead of the curve.
“Manufacturing is moving from product-centric to services-centric, led by a digital transformation where services and the digital journey converge. This delivers deeper insights into product and customer needs,” Bellin said.
Tomi Engdahl says:
IEC 61131-3: What’s the acceptance rate of this control programming standard?
http://www.controleng.com/single-article/iec-61131-3-whats-the-acceptance-rate-of-this-control-programming-standard/c2ecca95605d8ea2b8d1cf0dc80e9e61.html
Cover story, automation upgrades: Although the IEC 61131-3 standard for control programming languages has been around for nearly 25 years, limited awareness of its scope and features has kept it from becoming a requirement in North America.
Tomi Engdahl says:
IT, OT experts having trouble tracking ICS threats
http://www.controleng.com/single-article/it-ot-experts-having-trouble-tracking-ics-threats/57087155cc7c681925caa2ca0f48eec2.html
A survey of IT and OT professionals indicated that there is a lack of preparation for a potential cyber security attack against industrial control systems (ICSs), particularly in the energy industry, which faces more cyber attacks than any other industry.
Almost two-thirds of operational technology (OT) security professionals do not have the ability to accurately track all the threats targeting their networks, a new survey said.
On top of that, 82% of the respondents said a cyber attack on the OT side of the organization could cause physical damage, according to the survey by Tripwire Inc. Then when asked if their organization has the ability to accurately track all the threats targeting their OT networks, 65% replied, “no.”
The survey was conducted for Tripwire by Dimensional Research on the cyber security challenges faced by organizations in the energy sector. The study occurred in November 2015, and respondents included over 150 information technology (IT) professionals in the energy, utilities, and oil and gas industries.
Additional findings include:
More than three out of four respondents (76%) believe their organizations are targets for cyber attacks that could cause physical damage
Seventy-eight percent of respondents said their organizations are potential targets for nation-state cyber attacks
One hundred percent of energy executive respondents believe a kinetic cyber attack on operational technology would cause physical damage.
“The incredibly high percentages of these responses underscores the need for these industries to take material steps to improve cyber security,”
“We’ve already seen the reality of these responses in the Ukraine mere months after this survey was completed,” Erlin said. “There can be no doubt that there is a physical safety risk from cyber attacks targeting the energy industry today”
Tomi Engdahl says:
Hackers Modify Water Treatment Parameters By Accident
https://tech.slashdot.org/story/16/03/22/1728210/hackers-modify-water-treatment-parameters-by-accident
Verizon’s RISK security team has revealed details on a data breach they investigated where some hackers (previously tied to hacktivism campaigns) breached a payments application from an unnamed water treatment and supply company [PDF, page 38], and also escalated their access to reach SCADA equipment responsible for the water treatment process. The hackers modified water treatment chemical levels four different times.
The cause of this intrusion seems to be bad network design, since all equipment was interconnected in a star network design.
Of course, the hackers had no clue what they were modifying. Nobody got poisoned or sick in the end.
Hackers Modify Water Treatment Parameters by Accident
http://news.softpedia.com/news/hackers-modify-water-treatment-parameters-by-accident-502043.shtml
A group of hackers, previously involved in various hacktivism campaigns, have accidentally made their way into an ICS/SCADA system installed at a water treatment facility and have altered crucial settings that controlled the amount of chemicals used to treat tap water.
This strange hacking incident is described in Verizon’s 2016 Data Breach Digest (page 38, Scenario 8), a collection of case studies that the company’s RISK team was brought in to investigate.
The victim of the hack is a company that Verizon identified under the generic name of Kemuri Water Company (KWC). As the RISK team explains, the company noticed that, for a couple of weeks, its water treatment center was behaving erratically, with chemical values being modified out of the blue.
Suspecting something was wrong – and something that its IT staff wasn’t able to spot – the company brought in Verizon’s RISK team to investigate.
First off, KWC was using extremely outdated computer systems, some of which were running ten-year-old operating systems.
Additionally, the entire IT network revolved around a single piece of equipment, an AS400 system, which interconnected the company’s internal IT network and the SCADA systems that managed the water treatment facility (a big no-no in terms of security).
Even worse, the same AS400 was also exposed to the Internet because it was routing traffic to a Web server where KWC’s customers could check their monthly water bill, their current water consumption level, and even pay bills via a dedicated payments application.
RISK team discovered that the hackers first breached the system via the Web-accessible payments application, looking for sensitive information about the company’s clients.
Curious as they were, the hackers accessed the AS400 system, from where they also ended up on the SCADA system and started modifying parameters at random, unknowingly changing water treatment values.
Secondary security measures allowed KWC to detect abnormalities in the levels of released chemicals, and aborted the hackers’ instructions, but this happened often enough to arouse suspicions that this had to be more than a glitch.
Data breach digest.
Scenarios from the field
http://www.verizonenterprise.com/resources/reports/rp_data-breach-digest_xg_en.pdf
Tomi Engdahl says:
IT, OT experts having trouble tracking ICS threats
http://www.controleng.com/single-article/it-ot-experts-having-trouble-tracking-ics-threats/57087155cc7c681925caa2ca0f48eec2.html
“The incredibly high percentages of these responses underscores the need for these industries to take material steps to improve cyber security,” said Tim Erlin, director of IT security and risk strategy for Tripwire. “These threats are not going away. They are getting worse.”
Tomi Engdahl says:
Pay attention: Industrie 4.0 and ICS cyber security
http://www.controleng.com/single-article/pay-attention-industrie-40-and-ics-cyber-security/6c925223d4d92e29f0cd22464adca7bb.html
Industrie 4.0 is propelling organizations and their production and service delivery capabilities far beyond steam power and factory electrification, and industrial control systems (ICSs) can provide a vital layer of protection to keep networks safe.
Greater attention to industrial control system (ICS) cyber security is required with greater connectivity and information flow in manufacturing and in process plants. The Internet of Things (IoT), perhaps the most popular buzzword to hit the tech mainstream since “tweeting,” refers to the billions of smart connected devices that range from simple sensors to complex machines that affect business on a local, regional, and global scale, and personal behavior. So many devices are connecting, that International Data Corp. (IDC) predicts the worldwide IoT market will grow from $655.8 billion in 2014 to $1.7 trillion in 2020.
While most people currently associate the IoT with connected consumer devices such as fitness trackers, smart thermostats, and feature-rich light bulbs, much of the same communications capabilities in these products are being used in more specialized devices that run critical infrastructure systems such as those in the energy, water, transportation, and chemical sectors that serve the needs of citizens and countries alike. In fact, 35% of manufacturers already use devices categorized as smart sensors in their process and manufacturing operations, and an estimated 5.4 million IoT devices will be used on oil and gas extraction sites around the world by 2020. Likewise, energy companies will be installing 1 billion smart meters on homes, businesses, and factories by 2020.
According to PricewaterhouseCoopers (PWC), the Industrie 4.0 movement is characterized by the increasing digitization and interconnection of products, value chains, and business models. It is the industrial sector’s version of IoT-aptly named the Industrial Internet of Things (IIoT). This modern technology that is blanketing industry enables even greater amounts of automation and remote management of system assets. It also is providing visibility into operations designed to help system owners and operators improve productivity and facilitate healthier returns on investment for the products and services their systems provide.
Most manufacturing and process systems, such as an oil pipeline, power plant, water treatment facility, transportation network, and even building automation systems (BAS), are undergoing the same transformation where old, simple assets are replaced with smarter, more connected devices. With these new devices come new network infrastructures designed to create even greater connectivity and data interactions between the devices and previously disparate systems.
Usually, it’s not until an incident occurs, such as a loss of communication, failed device, product misconfiguration, or a security breach, that an industrial network is brought into focus. Events like these quickly lead to safety impacts, expensive downtime, lost production, and potentially far-reaching financial impacts. While such consequences are no secret to asset owners and operators, investments made to counteract them are often limited and often overlook a key opportunity to further reduce latent risks. One glaring omission often seen in many of the most progressive industrial control systems is the absence of a clear view and understanding of what critical network communications actually look like inside these mission-critical systems.
Many popular control system configuration and monitoring tools only provide a window to program and configure parameters and logic control, to monitor status, or provide operators with status of the process control system itself.
ICSs have evolved to become connected with business information systems and often include remote management capabilities. They are no longer isolated independent systems, which were previously thought of as islands of automation.
This level of connectivity and accessibility goes to show that the IIoT is not a future state for industry. If anything, the IIoT is in many ways already here, and if all of the new device and system connectivity isn’t properly built and maintained, almost every cyber-physical system will be vulnerable to threats that could have grave consequences.
The IIoT and Industrie 4.0 platforms are comprised of cyber-physical systems with connected devices that collectively make up the Smart Factory-a facility or operation with the technical advantages of self-prediction and self-awareness in the processes used to make and move products and services.
Tomi Engdahl says:
Cyber security protection enters a new era
http://www.controleng.com/single-article/cyber-security-protection-enters-a-new-era/3d3c1ba515930f89646e36e6078a96c4.html
Watch for a backdoor cyber security assault. The Juniper Networks incident in December 2015 changed how industry looks at device security as hackers exploit deliberate weaknesses being installed into software. End users, integrators, and device manufacturers need to adapt and prepare for this new reality. Follow these cyber security steps.
A software engineer is trying to complete a major block of code, but his boss cut out a large section including some open-source routines downloaded from the Internet. Replacing those routines will add days to the project. He runs to his boss’ office and pleads: “I need to use that software in the system!”
“You can’t use it. It’s been compromised.”
The engineer nods, having anticipated that reply. “Yes, it’s open-source and came from the Web, but we’ve used it before. I also talked with the software engineers, and they will do a line-by-line review of the source and object code.”
The boss looks up and glances at his award for years of service at an undisclosed location. “You can never be sure something isn’t in there,” he says.
That brief scene might sound like something from a suspense movie, but the situation could be very real given recent events in the cyber security community.
Software engineers trying to write code for devices and industrial systems want to avoid re-inventing the wheel. If someone has already written code to do a certain job, and it works, they don’t want to write it again. They’d rather save time by downloading freeware and open-source code off the Web. Or, they could pick up existing code from earlier products with a proven track record. All of this gets cobbled together and loaded into a new device. As long as it does what it’s supposed to, nobody needs to know or care where it came from.
This has been the working assumption for quite a while, but the landscape is changing. The cyber security world is becoming more confusing with nation-states, hacktivists, and cyber criminals making their presence known. Hackers and their efforts reflect a wide spectrum of skill levels. Some are clumsy and easy to spot. Others are more insidious and undetectable by all except the most sophisticated forensic cyber specialists.
While the engineer looking to streamline the project means well, his boss is correct: unsecure code can lurk within such software. Sometimes it can be found and removed, but a recent example of a cyber security breach proves that the threat can be well camouflaged.
In December 2015, Ars Technica published a stunning report: “On December 17 [2015], Juniper Networks issued an urgent security advisory about ‘unauthorized code’ found within the operating system used by some of the company’s NetScreen firewalls and secure service gateway (SSG) appliances. A patch was issued to the affected device OS, and forensic investigation determined the unauthorized code acted as a backdoor into the device”
This suggests two conclusions:
1. The unauthorized backdoor was put there intentionally.
2. It was carefully designed to evade detection.
This is the beginning of a new era of cyber criminal threats. We are all used to the notion of attackers exploiting vulnerabilities caused by software flaws. It is a common tactic, and everyone is aware of it. Software patches are supposed to fix these flaws and address these vulnerabilities.
Network device vendors are targeted in this manner because their products are entry points to networks. Access to a router or gateway provides entry to an industrial or enterprise system. Network device security thus often proves to be the soft underbelly of many organizations’ defensive strategies. The value of such a backdoor secretly placed in a device, hidden with normal-looking code, is huge, and the larger implications are frightening.
Why? Let’s consider some examples of how this new network device threat will change security best practices:
1. Using network switches to implement virtual local area network (VLAN) separation between industrial control and business networks is no longer adequate. No organization can design networks with VLAN separation and expect them to be secure.
2. Depending on VPN encryption as a magic bullet to protect confidentiality is no longer adequate. An organization will need to start looking at how deeply it depends on VPN techniques as their “go to” solution to move information on secured networks. A VPN tunnel is no longer safe across any network, particularly for long-distance communication within global organizations.
3. Assuming all is well with network device configuration isn’t safe anymore. Many organizations follow a basic practice: if nobody touches a device, it has the same configuration it had before. That is no longer true. Companies will need to ramp up configuration control and auditing to account for the possibility of device configurations being changed by unauthorized means.
Researchers confirm backdoor password in Juniper firewall code
“Unauthorized code” included password disguised to look like debug code.
http://arstechnica.com/security/2015/12/researchers-confirm-backdoor-password-in-juniper-firewall-code/
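Point 3 above calls for configuration control and auditing that does not assume an untouched device still carries its last known configuration. The following is an added example, not code from the article or any vendor; it assumes device configurations are exported as plain text and compared against a signed-off baseline, and the volatile-line and high-risk patterns are assumed formats, not a real device family's syntax.

```python
"""Configuration-drift audit for network devices, illustrating point 3 of
the article above. Added example, not code from the article or any vendor.
Assumes device configurations are exported as plain text and compared
against a signed-off baseline copy."""
import hashlib
import re
from difflib import unified_diff

# Lines that legitimately change between exports without any configuration
# change (assumed formats; each device family has its own volatile lines).
VOLATILE = re.compile(r"^!.*(Last configuration change|NVRAM config last)", re.I)

# Lines whose appearance or disappearance deserves an immediate look:
# accounts, privilege levels, management access and traffic filters (assumed).
HIGH_RISK = re.compile(
    r"^(username|enable|aaa|ip ssh|line vty|access-list|snmp-server)", re.I)

# Constructed sample exports (placeholder secrets, not real credentials).
BASELINE = """! Last configuration change at 10:02:11 UTC Mon Jan 4 2016
hostname plant-fw-1
username admin privilege 15 secret 5 $PLACEHOLDER_HASH_1
interface Vlan10
 description SCADA
 ip address 10.0.10.1 255.255.255.0
access-list 10 permit 10.0.10.0 0.0.0.255
line vty 0 4
 access-class 10 in
"""

CURRENT = """! Last configuration change at 03:41:57 UTC Sun Feb 21 2016
hostname plant-fw-1
username admin privilege 15 secret 5 $PLACEHOLDER_HASH_1
username svc_backup privilege 15 secret 5 $PLACEHOLDER_HASH_2
interface Vlan10
 description SCADA
 ip address 10.0.10.1 255.255.255.0
access-list 10 permit 10.0.10.0 0.0.0.255
access-list 10 permit any
line vty 0 4
 access-class 10 in
"""


def normalise(config_text: str) -> list:
    """Drop blank and volatile lines so only real configuration is compared."""
    return [ln.rstrip() for ln in config_text.splitlines()
            if ln.strip() and not VOLATILE.match(ln)]


def fingerprint(lines: list) -> str:
    """Stable hash of the normalised configuration for quick comparison."""
    return hashlib.sha256("\n".join(lines).encode()).hexdigest()


def audit(baseline_text: str, current_text: str) -> dict:
    """Compare a current export with the baseline; report drift and flags."""
    base, cur = normalise(baseline_text), normalise(current_text)
    report = {"drift": fingerprint(base) != fingerprint(cur),
              "added": [], "removed": [], "high_risk": []}
    if not report["drift"]:
        return report
    for line in unified_diff(base, cur, lineterm="", n=0):
        if line.startswith(("+++", "---", "@@")):
            continue  # diff headers, not configuration lines
        if line.startswith("+"):
            report["added"].append(line[1:])
        elif line.startswith("-"):
            report["removed"].append(line[1:])
    report["high_risk"] = [ln for ln in report["added"] + report["removed"]
                           if HIGH_RISK.match(ln.strip())]
    return report


if __name__ == "__main__":
    result = audit(BASELINE, CURRENT)
    print("drift:", result["drift"])
    for ln in result["high_risk"]:
        print("HIGH RISK change:", ln)
```

The timestamp line differs between the two exports but is excluded from the fingerprint, so only the new account and the widened access-list are reported.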
Tomi Engdahl says:
Virtualization benefits and challenges
http://www.controleng.com/single-article/virtualization-benefits-and-challenges/f5ea0eced393a44f963e678518c8a4fd.html
Virtualization has significant benefits in computing and in networking and that is why both have been accepted so readily. This is especially true in operational technology (OT) networking and control systems, where the rest of the system is intended to live for 30 years, and the life of the computer and network components is less than two years.
Virtualization also permits rapid changes and agile re-deployment, which are necessary in the Internet of Things (IoT) environment.
Virtualizing computers and servers, as well as network components, can add a significant measure of safety and robustness to the network.
Storing images of the virtual machines off-site, in the cloud, or at another location means that if the site has an accident, or the site network ends up destroyed by weather (like Hurricane Katrina did to many petrochemical plants), it will be easy to re-construct the systems, re-use the disk images, and be back in business. In addition, virtual systems have a failover mode, where a defective disk simply switches to a backup on the fly, and the failed component can end up repaired while the system continues to run.
There is, however, a fundamental issue with lifecycle. This is especially true with OT systems such as building automation, factory automation, and process control system networks.
The control system, its input/output (I/O), and the final control elements (valves, etc.) are built to last the life of the project, easily 30 years. Unfortunately, through the action of the market and Moore’s Law, computer, server, and network components have a lifecycle of about 18 months.
Virtualization solves this problem by creating virtual machines that run on operating systems that would otherwise be obsolete and no longer maintained.
More secure environment
Completely virtualizing the servers and networks provides a measure of security that wasn’t there before. Virtualization by itself won’t necessarily make the system secure, but it will get rid of much of the chance for hardware to be compromised by, say, inserting a USB stick or a CD-Rom or DVD with malware on it. Virtualization severely reduces the number of physical devices that the user needs to control as well.
Network segmentation is also easier, and there’s more direct control with policies and procedures.
Virtualization challenges
While there are great benefits from virtualization, there can also be serious challenges. One of the challenges is that the IT staff, OT staff, or system administrators must truly know their servers and network. Especially in a virtualization overlay on an existing physical network, the administrator must know exactly what the system is doing, what it needs to do, and how it will grow for future expansion.
The user can’t just throw another managed switch on a line and call it good. The data center that is being virtualized needs to have adequate and appropriate electric power and backup generation in case of power outages.
Virtualization technology is in thousands of devices and systems already, and with the huge growth of IoT and cloud computing, engineers’ lives in the demanding and intense manufacturing automation environment will become smoother, more efficient, and profitable.
Virtualization has significant benefits in computing and in networking, but the IT staff, OT staff, or system administrators must truly know their servers and network so they can be ready for challenges or potential cyber security breaches.
Tomi Engdahl says:
Industrial Automation Is Seeing Modular Application Software Grow
http://www.designnews.com/author.asp?section_id=1386&doc_id=278513&itc=dn_analysis_element&dfpPParams=ind_182,industry_auto,industry_aero,industry_alt,industry_consumer,industry_gov,industry_machinery,industry_medical,kw_robotics,kw_4,kw_6,kw_12,kw_19,kw_29,kw_30,kw_31,kw_33,kw_34,kw_43,kw_49,aid_278513&dfpLayout=blog&dfpPParams=ind_182,industry_auto,industry_aero,industry_alt,industry_consumer,industry_gov,industry_machinery,industry_medical,kw_robotics,kw_4,kw_6,kw_12,kw_19,kw_29,kw_30,kw_31,kw_33,kw_34,kw_43,kw_49,aid_278513&dfpLayout=blog
Transitions in automation control programming over the years from relay ladder logic, to PLC ladder logic, to even today’s use of IEC 61131-3 PLC languages have maintained a fundamental connection with ladder logic programming and the use of graphical circuit diagrams from its relay logic roots.
Even with modern programming methods taking center stage, ladder diagram (LD) still has its place as one of the six IEC 61131-3 programming languages. LD has a significant user base, especially among plant service and support personnel who understand how ladder technology works and how to use its tools to troubleshoot sophisticated systems on the plant floor.
But now, new programming technology called mapp (for “modular application”), which emphasizes the configurability of automation software objects and requires less structured programming than in the past, is putting ladder programming more into the forefront. Following a mantra of “configure more and program less,” the goal is to reduce the need for service engineers to delve into PLC code. They can deploy diagnostics remotely with simple connectivity tools like onboard web servers and VNC connections.
Web Browser Interface
Another basic innovation integral to mapp is a web interface that enables use of a web browser to view the same function blocks and status information that a user would see in B&R’s Automation Studio development tools at a specific web address for a controller.
Basics of mapp Technology
Since any automation software project starts with the system configuration, there is a general trend to tools that allow engineers to configure more and program less to make a system operational. Using mapp, each component is represented by a mapp link, which can be used to configure that single component, but normally a set of default parameters work immediately out-of-the-box.
The technology includes motion function blocks for indexing, electronic gearing, camming, and other motion requirements for implementing master/slave functionality. But it also adds in technologies such as advanced kinematics, CNC, and tools for connectivity, plus data and file handling.
Typical mapp Functions
Single- and multi-axis synchronized motion are provided through single function blocks instead of the dozen or more user-defined function blocks that users may be used to. It provides 25 built-in functions, such as gearing, camming, offset, phase handling, recovery, error, and recipe handling.
Robotic features offer users an ability to directly configure the mechanical properties of a robot and each joint for each robotic component.
PackML Functionality
Implementing Packaging Machine Language requires a minimum of two function blocks. One provides the core functionality handling mode transitions, and the other is a function block per mode where, for example, one block handles all production state transitions.
Tomi Engdahl says:
Data analysis: a key requirement for IIoT
http://www.plantengineering.com/single-article/data-analysis-a-key-requirement-for-iiot/54a8711882555c97b394bdf4fb898d31.html
Industrie 4.0 data analytics: A proliferation of data analysis solutions are designed to help industry benefit from the Industrial Internet of Things (IIoT), explained Suzanne Gill, editor-in-chief for Control Engineering Europe, from the 27th Honeywell User Group EMEA event in Madrid.
The dramatic change in fortunes of the oil and gas sector in the past few years has had a wide-ranging impact across many industry sectors, resulting in an increasing requirement for engineers to show a good return on any technology investment. This has led many to consider doing things differently, with automated solutions becoming more relevant and much easier to justify.
At the annual Honeywell User Group (HUG), which was held in Madrid in November 2015, Honeywell placed a heavy emphasis on data analysis solutions. “Knowledge is the theme of this HUG event because our customers run some of the most complex industrial operations in the world, and they require better knowledge to improve process safety, reliability, security, and sustainability,” said Vimal Kapur, president of Honeywell Process Solutions (HPS).
Technology change
“The pace of technology change is much faster today,” continued Kapur. “Systems traditionally would have become obsolete every 5 to 10 years. However, the underlying operating system technology used today is changing much more rapidly so there is a need to update systems more regularly.”
There is also increasing interest in cyber security issues and the IIoT. “At this point the IIoT is throwing up more questions than answers,” said Kapur. “Customers will not be throwing away their existing systems to implement IIoT, so we need to help them unleash the power that they already have. I believe that control systems will become the heart of the IIoT, which will rely on process data for operation, maintenance, and optimization—and that data comes from the control system.”
Kapur said the IIoT will give engineers the ability to host applications in a more centralized environment. With different source applications becoming centralized in the cloud, it will no longer be necessary to maintain the same application multiple times, and upgrades will be much easier to achieve. It will also allow less skilled engineers to manage applications. “I believe that the IIoT will allow for greater efficiencies and increased uptime. It offers nothing new, just a way of doing things differently,” he said.
Tomi Engdahl says:
Ensuring network cyber security
http://www.controleng.com/single-article/ensuring-network-cyber-security/795ff533f8c4d3713399e2e49a5f8197.html
Good cyber security requires understanding network risks, threats, and the technical safeguards that can prevent unwanted plant data intrusions.
“What’s the worst that could happen?” This question is at the heart of many plantwide discussions. Deliberations on safety interlocks, alarm rationalization, hazard analyses, job safety plans, and process equipment design routinely center on this premise. Why, then, do some facilities have a lackadaisical approach to the layout and protection of their network security?
At risk
Some plants do well from a cyber security standpoint. Other sites have used such stringent security measures as the cryptic “text Billy for the wireless password” method. Seriously. Different plants run the gamut, from requiring a Transportation Worker Identification Credential card upon entry to requiring the driver of a vehicle to roll down the window and shout a number to the guard that supposedly corresponds to a vehicle pass list somewhere. Where does your plant fall in this spectrum? Is your network password written on a whiteboard in the control room or emailed in halves to two trusted supervisors?
Before discussing strategies to isolate and protect plant networks, consider the most common cyber attacks and the simplest guards against them.
Tomi Engdahl says:
Financial benefits of combining automation and safety projects
http://www.controleng.com/single-article/financial-benefits-of-combining-automation-and-safety-projects/b693ad4fd0c863e2aeab956d94260eea.html
Collaborating on seemingly disparate projects could help companies save money by having the different departments focus on areas where their interests and agendas overlap.
Almost every mid- to large-sized manufacturer has dedicated engineering and environment, health, and safety (EH&S) departments. Since the purpose, goals, and objectives of these departments have traditionally had very little overlap it’s not too uncommon to find these departments working with no knowledge of what the other is doing. Engineers constantly work with operations to find new ways to improve productivity and efficiency. Safety professionals are assessing, reducing, and managing risks while juggling regulatory requirements. So it’s not a big surprise that these two departments rarely cross paths throughout a given year. As more advanced technologies continue to hit the marketplace, especially technologies designed to provide a safer and more productive work environment, the importance of cross functional collaboration between these departments becomes critical for survival.
Many companies don’t realize how much money the company could be saving by collaborating, even on seemingly disparate projects. One of the biggest areas of financial impact for collaboration between EH&S and engineering can be on everyday projects that involve machinery and equipment. Chances are projects involving machinery and processes consume a majority of the company’s capital budgets. Not collaborating could be costing the company money when it isn’t necessary.
Until recently, the primary method to reducing risk was to add physical guards to equipment to prevent employee access to hazardous conditions. Over the years, the industry has slowly progressed into developing risk reduction measures, which has allowed easier access to equipment by replacing the physical guards with intelligent safeguarding devices. These devices were typically connected to a single-purpose, safety-rated logic device that is independent of the machine’s control system to create a dedicated safety system. At the time these safety devices and systems were being installed, it really was the only cost-effective option available. However, with safety measures being integrated into standard automation devices, there are financial incentives for EH&S and engineering to collaborate on corporate strategies and future capital projects.
Tomi Engdahl says:
Simplifying Convergence of the Industrial Network: Bridging IT and Operations
https://event.webcasts.com/starthere.jsp?ei=1101929
As traditional Ethernet technologies have begun to scale broadly across application using automation and controls, companies are beginning to understand the need to take a fresh look at home-grown industrial Ethernet networks. As Ethernet moves layers down into the edge of the network, it has been embedded deeply into machine and process functions, becoming a critical asset in the automation system. This opens up a new wave of innovative possibilities for plants to drive improved operations, while also requiring that the network is built in a robust manner and with the tools for proactive maintenance.
To enable plant managers and manufacturing IT teams to effectively meet this challenge, building blocks, tools, and expertise are available to simplify the deployment and maintenance of a robust industrial Ethernet network.
Success with IoT requires IT and Operations to work collaboratively across boundaries.
Creating and Maintaining Documentation of networked automation systems are notoriously difficult, but very important to managing and expanding the plant.
Many plants are running blind to the health of their networked automation system.
Tomi Engdahl says:
2016 Cybersecurity Study: Six key findings
http://www.controleng.com/single-article/2016-cybersecurity-study-six-key-findings/8481962cad620ebb490d56cdf43d4f7d.html?OCVALIDATE&ocid=101781&[email protected]
Respondents to the Control Engineering 2016 Cybersecurity Study identified six high-level findings impacting control systems today.
Respondents to the Control Engineering 2016 Cybersecurity Study identified six high-level findings impacting control systems today:
1. Threat levels: Forty-eight percent of respondents perceive their control systems to be moderately threatened by cyber attacks, while 25% say theirs are highly threatened and 9% are at a severe threat level.
2. Most concerning threat: Malware from a random source is the most concerning control system threat for 37% of respondents. Another 21% are worried about an attack through a vulnerable device, and 17% fear theft of intellectual property or attacks as part of a larger attempt to disrupt critical infrastructure.
3. Vulnerable system components: The top most vulnerable system components within respondents’ organizations are computer assets running commercial operating systems (70%), network devices (68%), and connections to other internal systems (64%).
4. Vulnerability assessments: Twenty-six percent of respondents reported that their organizations have performed some type of vulnerability assessment within the past 3 months. The average facility has checked their vulnerabilities within the past 8 months.
5. Cyber-related incidents: Six in 10 respondents have experienced a malicious cyber incident into their control system networks and/or control system cyber assets—that they are aware of—within the past 24 months.
6. Mobile devices: Thirty-two percent of organizations do not allow mobile devices—such as smart phones and tablets—to connect to networks or enter work areas.
Tomi Engdahl says:
Developing high-performance HMIs: Evolution, improved usability
http://www.controleng.com/single-article/developing-high-performance-hmis-evolution-improved-usability/d827d5b300dcb0d91f8f419458467688.html
This two-part series examines the development of high-performance human-machine interface (HMI) methodology. Part 1 covers HMI evolution, security, improving usability, and consistent use of color.
Tomi Engdahl says:
Physical security meets OT
http://www.controleng.com/single-article/physical-security-meets-ot/1b7ce8ef6ccf3cb101727915ddf8ae41.html
In operational technology (OT) cyber security situations, the purpose is to protect the process and keep it running in high-value applications such as factories, pipelines and jets rather than protecting data.
Several years ago, the key word used by security pundits was “convergence.” And, although different marketers came up with variations of what the term meant, the primary definition covered the intersection of physical and logical security.
An example was when physical security systems such as access control devices intersected with information technology (IT) systems such as using the computer system. Convergence occurred when the same ID badge provided access through the front door and onto the company computer system. Both the physical infrastructure and the data infrastructure became more secure through this integration.
Meanwhile, in an industrial setting beyond the front offices and data centers and, often, miles away, were the industrial control systems (ICS) that helped create the organizations’ revenues.
Used in industries as diverse as oil and gas, power generation and distribution, healthcare (i.e. MRI’s), transportation systems, manufacturing and many others, ICS, by connecting sensors, machines and instruments were creating automated solutions that increased productivity. They could control local operations such as opening and closing valves and breakers, collect data from sensor systems to turn up the heat of furnaces and monitor the local environment for alarm conditions. And, although the basis of these systems is a computer, IT could do little to protect them from attack. And this is still very much the case.
This very fact emphasizes the difference between IT security and operational technology (OT) security. IT security lives in the context of an IT stack with tools from many vendors—networks, servers, storage, apps, and data. It’s in a periodically updated ecosystem where most hosts are talking to lots of other hosts and where there are frequent patch cycles—in weeks or, sometimes, days—in response to expected and known cyber threats. IT security basically protects data (information), not machines.
In OT, high-value, well-defined industrial processes—such as in factories, pipelines and jets, which execute across a mix of proprietary devices from different manufacturers—need protection, not data.
Tomi Engdahl says:
Joint process needed for security framework
http://www.controleng.com/single-article/joint-process-needed-for-security-framework/4249d7ae57fde6b742ed949fecdfe0bf.html?OCVALIDATE&ocid=101781&[email protected]
A request for a joint and collaborative process was a consistent theme in the comments from NIST’s December 2015 Request for Information on the Cybersecurity Framework, which was created to improve cyber security risk management.
Tomi Engdahl says:
Seven steps to secure your industrial control network
Implementing an industrial firewall can strengthen plant reliability, safety for control networks.
http://www.plantengineering.com/single-article/seven-steps-to-secure-your-industrial-control-network/249b154bbc3309b669727615acff9ea6.html
The right industrial firewall can strengthen the safety and reliability of control systems. Industrial control networks help facilitate efficient and safe operations in vital sectors, such as utilities, oil and gas, water, transportation, and manufacturing. A resilient control network relies on a network that can effectively detect and filter unwanted traffic.
Traditionally, some industrial control networks are physically isolated or air-gapped to ensure network security. Currently, that may not be the best practice because control systems are increasingly more interconnected to exchange data and to enable smarter automation.
To address the issues of network security for industrial control systems, a clear understanding of the security challenges and effective defense measures are required. A “defense-in-depth” approach can be applied to industrial control systems for protection of critical equipment and expanding security coverage on automation networks at various locations, device cells, function zones and factory sites.
Seven steps to security
Choosing the right industrial network security equipment can be the key to success. There are seven things to keep in mind when embarking on this kind of project:
1. No network change required
The first consideration is to determine the right firewall type for your network. Generally, a firewall provides two filtering options, routed and transparent (or bridged), to cater to different network topologies.
2. Filtering performance and latency
In most industrial control applications, response time is a critical factor. When firewalls are deployed in a control network, the data-filtering processes that are performed create latency.
In the real world, hundreds of firewall rules may be activated to filter traffic in a control network.
3. Industrial protocol filtering
Most industrial protocols use transmission control protocol/Internet protocol (TCP/IP) or user datagram protocol (UDP) as the communication base for data transmission. General firewalls can filter data at the IP or media access control (MAC) layer to prevent any unauthorized access to critical equipment. Traditionally, firewalls deny all inbound traffic and allow only one-way or round-trip traffic with firewall whitelists.
As network complexity increases, whitelisting of traffic control is inadequate to provide effective network security for industrial applications.
Well-designed firewalls that can allow or deny traffic based on protocols are needed to enable checks on control data commands at the application layer.
4. Industrial-grade design for harsh environments
For industrial applications, firewalls are often located in cabinets under harsh conditions, such as high temperatures and vibration. In this case, the firewall’s rugged design is as important as its performance.
5. Firewall event logging and notification
Regardless of the type of industrial firewalls being implemented, event logging is critical to ensure that the firewall rules are implemented and functioning properly.
In addition, logs allow administrators to monitor what is happening in the control network. Equally important, a good file maintenance plan for logs allows the review of any security events or issues days, weeks and even months after they occur.
According to an IT expert from a major oil company in the U.S., a firewall must be capable of sending simple network management protocol (SNMP) events with an emergency severity level that requires immediate attention.
6. Easy mass deployment of firewall rules
In industrial applications, there can be up to hundreds or thousands of firewalls installed to control data traffic and protect field equipment from malicious attacks. As the most widely used method, a firewall whitelist only allows specific traffic on a network.
This raises the question of how easy it is to change the firewall rules for the many firewalls in the field once a new service is introduced into a control network. There are two ways to mass deploy firewall rules: batch command (through the command-line interface) and centralized firewall management software.
7. Intuitive configuration interface
Configuring and deploying firewalls in an industrial control network requires trained administrators who are capable of designing effective firewall rules. It is important for firewall vendors to provide intuitive and easy-to-use configuration interfaces to automate the configuration process.
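Steps 3, 5 and 6 above describe checking control commands at the application layer, logging the result with a severity, and pushing rules to many firewalls as a batch. The following is an added example, not code from the article or any firewall vendor; it assumes the control traffic is Modbus/TCP (the article does not name a protocol), and the batch rule format, host addresses and frames are constructed for the illustration.

```python
"""Application-layer filtering of an industrial protocol, illustrating steps
3, 5 and 6 of the article above. Added example, not code from the article or
any firewall vendor. Assumption: the control traffic is Modbus/TCP, whose
frame is a 7-byte MBAP header (transaction id, protocol id = 0, length,
unit id) followed by a PDU that starts with the function code."""
import struct
from dataclasses import dataclass

# Modbus function codes that change process state; reads (1-4) only observe.
WRITE_FUNCTIONS = frozenset({5, 6, 15, 16, 22, 23})


@dataclass(frozen=True)
class Rule:
    src: str              # host permitted to talk to the PLC/gateway
    unit_id: int          # Modbus unit (slave) id
    functions: frozenset  # function codes this host may issue


@dataclass(frozen=True)
class Event:
    severity: str         # "info", "warning", "emergency" or "error"
    message: str


def load_rules(text: str) -> list:
    """Parse a constructed batch-deployment format (step 6):
    'allow <src> unit <id> fc <code>[,<code>...]'; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        p = line.split()
        if len(p) != 6 or p[0] != "allow" or p[2] != "unit" or p[4] != "fc":
            raise ValueError(f"bad rule: {line!r}")
        codes = frozenset(int(c) for c in p[5].split(","))
        rules.append(Rule(p[1], int(p[3]), codes))
    return rules


def parse_modbus_tcp(payload: bytes):
    """Return (unit_id, function_code), or None for a malformed frame."""
    if len(payload) < 8:
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:
        return None  # length field must cover unit id + PDU exactly
    return unit, payload[7]


def check_frame(src: str, payload: bytes, rules: list):
    """Allow a frame only if a rule matches host, unit and function code."""
    parsed = parse_modbus_tcp(payload)
    if parsed is None:
        return False, Event("error", f"{src}: malformed Modbus/TCP frame dropped")
    unit, fc = parsed
    for r in rules:
        if r.src == src and r.unit_id == unit and fc in r.functions:
            return True, Event("info", f"{src}: fc {fc} to unit {unit} allowed")
    # A denied write attempt is what step 5's "emergency" notification is for.
    sev = "emergency" if fc in WRITE_FUNCTIONS else "warning"
    return False, Event(sev, f"{src}: fc {fc} to unit {unit} denied")


def filter_traffic(rules: list, frames: list) -> list:
    """Run every (src, payload) pair through the rules; return the event log."""
    return [check_frame(src, payload, rules)[1] for src, payload in frames]


# Constructed rule set: the HMI may only read; the engineering workstation
# may also write single (6) and multiple (16) holding registers.
RULES = """
allow 10.0.10.20 unit 1 fc 1,2,3,4       # HMI: reads only
allow 10.0.10.10 unit 1 fc 1,2,3,4,6,16  # engineering workstation
"""

# Constructed frames: tid, proto 0, length 6, unit 1, fc, 4 data bytes.
FRAMES = [
    ("10.0.10.20", bytes.fromhex("0001 0000 0006 01 03 0000 000a")),  # HMI read
    ("10.0.10.10", bytes.fromhex("0002 0000 0006 01 06 0010 0001")),  # EWS write
    ("10.0.10.20", bytes.fromhex("0003 0000 0006 01 06 0010 0001")),  # HMI write
    ("10.0.10.20", bytes.fromhex("0004 0000 0006 01 03")),            # truncated
]

if __name__ == "__main__":
    for ev in filter_traffic(load_rules(RULES), FRAMES):
        print(f"[{ev.severity}] {ev.message}")
```

The third frame is a write from a host that is only permitted to read, so it is dropped and logged at emergency severity; the fourth fails the length check before any rule is consulted.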
Tomi Engdahl says:
Setting the standards for cybersecurity
http://www.plantengineering.com/single-article/setting-the-standards-for-cybersecurity/e3f462bd6c69d7882c8b9b89e1eef42e.html?OCVALIDATE&ocid=101781&[email protected]
Due to the current state of cybersecurity hygiene across multiple industry sectors, manufacturers often inadvertently allow for critical vulnerabilities and weaknesses in product software to go unaddressed.
UL CAP is a UL certification program, based on the UL 2900 series of standards, which allow manufacturers to demonstrate that they have met a baseline of cybersecurity hygiene by satisfying the repeatable, testable requirements of:
UL 2900-1 (Outline of Investigation for Software Cybersecurity for Network-Connectable Products, Part 1: General Requirements)
UL 2900-2-1 (Outline for Software Cybersecurity for Network-Connectable Products, Part 2-1: Particular Requirements for Network Connectable Components of Healthcare Systems), and
UL 2900-2-2 (Outline for Software Cybersecurity for Network-Connectable Products, Part 2-2: Particular Requirements for Industrial Control Systems).
Fernando: Due to the current state of cybersecurity hygiene across multiple industry sectors, manufacturers often inadvertently allow for critical vulnerabilities and weaknesses in product software to go unaddressed. In some cases, they may even allow malware to exist in products coming off of production lines, unbeknownst to them. When such products are integrated into larger systems, the integrators and network managers are often unaware of these vulnerabilities within their systems until it is too late.
Fernando: Computer security (i.e. cybersecurity) is clearly a function of the capabilities afforded to products by virtue of the cost-effective availability of computing power. Therefore, as computing power continues to grow, product capabilities will be increasingly enhanced by software, and unless good cybersecurity hygiene practices start to be “baked in” to all of the software-dependent products and processes now, may very well lead to commensurate increases in vulnerabilities and attack vectors.
Tomi Engdahl says:
Air-gapping SCADA systems won’t help you, says man who knows
Faizel Lakhani sounds bleak warning over future Stuxnet-style attacks
http://www.theregister.co.uk/2016/06/03/airgaps_scada_systems_wont_prevent_attacks/
Hoping to keep industrial control systems out of reach of hackers by keeping them air-gapped is a hopeless mission that’s bound for failure, according to the inventor of the technology.
Isolating SCADA systems as a means of protection has been suggested by some as a defensive tactic after hackers briefly took out elements of the power grid in the Ukraine last December.
Faizel Lakhani, a pioneer of SCADA technology, told El Reg that air-gapping such systems would be a quixotic endeavour, at best.
“Most SCADA systems are theoretically air gapped but not really disconnected from the network,” Lakhani explained. “There are ways to get around isolation either because systems are not set up properly or because that’s a test link in there or someone bridged the Wi-Fi network, to name a few examples.”
“Power control systems were never designed with security in mind,” Lakhani explained. “They were designed to manage regulators and voltage flow and that’s still what they do.”
SCADA started off with archaic protocols such as FDDI and Token Ring, but “good luck building a network with anything other than TCP/IP now,” Lakhani added.
Many enterprise systems, much like SCADA devices, are not built to withstand today’s threats.
Tomi Engdahl says:
http://www.theregister.co.uk/2016/03/04/ukraine_blackenergy_confirmation/
Tomi Engdahl says:
Security of wireless solutions for factories
Wireless communication is growing in popularity all the time, so industry too is replacing expensive cables with wireless connections. In industry, however, security is particularly important.
The dissertation develops countermeasures against attacks on the confidentiality and integrity of communication systems. It describes how to carry out a security assessment that covers the system’s protocol layer as well as the electromagnetic and physical layers.
The first part of the dissertation uses the Host Identity Protocol (HIP) as the transport mechanism for securing the system’s internal communication. It also describes simulations and measurement campaigns whose aim is to assess the security implications of the protocol in line-of-sight (LOS) and non-line-of-sight (NLOS) cases.
Electromagnetic analysis is an important step in the development of secure systems. Systems increasingly use small integrated circuits, which can also expose them to electromagnetic (EM) interference.
Finally, the dissertation focuses on the physical layer of the communication system, where two security algorithms have been developed. An active radio frequency identification method can be used to exchange the public keys for a secure communication link.
The dissertation of Simone Soderi, M.Sc., “Evaluation of industrial wireless communications systems’ security” (Teollisuuden langattomien tietoliikennejärjestelmien turvallisuuden arviointi), can be read electronically via the Internet.
Source: http://www.uusiteknologia.fi/2016/06/15/langattomien-ratkaisujen-turvallisuus-tehtaissa/
Dissertation:
Evaluation of industrial wireless communications systems’ security
http://jultika.oulu.fi/Record/isbn978-952-62-1246-3
Tomi Engdahl says:
The Confidence to Excel in the Digital Economy
http://www.securityweek.com/confidence-excel-digital-economy
There’s nothing more exciting than a team that seems to overcome the odds to win a championship. Is it the coaching, the training, or determination of the players? Whatever the reason, their confidence builds and allows them to push forward and excel.
Nearly every industry can gain an advantage in the game by developing a strong security posture. Here is just one example:
Manufacturing. Remote maintenance sometimes requires that companies open their networks to outside vendors – an entirely new approach for many manufacturers. These vendors need to access the company’s machinery and data so they can identify and resolve issues. Providing internet-based access to machines can minimize machine downtime by allowing companies to fix problems over the network, versus having to send a repair expert to a specific location. But centralized remote maintenance systems carry high levels of risk as breaches can wreak havoc on a factory’s control and automation systems and cause significant disruption.
Tomi Engdahl says:
Solve the IT-OT conflict
http://www.edn.com/electronics-blogs/eye-on-iot-/4442244/Solve-the-IT-OT-conflict?_mc=NL_EDN_EDT_EDN_today_20160622&cid=NL_EDN_EDT_EDN_today_20160622&elqTrackId=8da661df71474c17bf6262d5132fb0a5&elq=17079c94ec1e4c1786bc6184820e94ab&elqaid=32784&elqat=1&elqCampaignId=28633
Developers applying the Internet of Things in an industrial or enterprise environment are facing a challenge. The folks installing IoT devices for monitoring of equipment and processes are typically part of operations technology (OT), tasked with making machines and processes more efficient and productive. But the folks who run the company networks the IoT devices might use are the information technology (IT) department, tasked with maintaining the efficiency of operations that depend on applications software. The two often end up in a territorial battle.
Both have reasonable claims. The OT people naturally want to keep control of their data and equipment, both for performing the types of analysis they require as well as to make changes and adjustments to their equipment as their needs evolve. The IT department, on the other hand, wants control in order to ensure that this IoT network doesn’t compromise their primary purpose maintaining the business systems.
A typical response to this conflict has been for OT teams to forego working with the enterprise networks and create their own, independent network instead. But there are some problems with this approach. For one, the synergy benefits and cost efficiency that can come with IoT properly integrated into the enterprise network are lost. Then, too, such independence requires the OT team to take on the challenges of maintaining a network infrastructure and database, which is often outside their experience or area of competence.
There are also challenges associated with storing and analyzing data from disparate IoT devices.
With a choice between cobbling together their own network or wrestling with the IT department to maintain control of their sensors and data, the prospects for an OT team seeking to implement IoT in an enterprise or industrial setting seem bleak. Fortunately, a new alternative is emerging.
a pre-tested system that can handle sensor data from OT applications in a way compatible with the concerns and needs of corporate IT departments.
By normalizing sensor data to NI’s universal data format, the package allows OT teams to store data from a variety of sensors into a common database that it can then access with analysis tools such as LabView. The two departments no longer need to contend for control in order to integrate OT and IT activities, but can get on with gathering, maintaining, and analyzing the kinds of data that enterprises will need from the IoT.
Tomi Engdahl says:
The IoT Sky is Falling: How Being Connected Makes Us Insecure
http://www.securityweek.com/iot-sky-falling-how-being-connected-makes-us-insecure
Tomi Engdahl says:
Updating process control systems
http://www.controleng.com/single-article/updating-process-control-systems/d1639c19b27fbf396ab36b9318479669.html
When legacy control systems are replaced with new technology there is a great opportunity to benefit from modern systems and advanced technology.
Updating a legacy system with new software is a valid option, but it leaves the advantages of new technology on the table. A control system upgrade should be a time to modernize and streamline to get the most value out of the investment.
Distributed control systems (DCSs), programmable logic controller (PLC), and human-machine interface (HMI) -based control systems have been around for a few decades. What was once cutting-edge technology has now been adapted for today’s mobile and information-centric world. Software development practices like object-oriented programming have been integrated into many platforms, and the opportunity for integration into systems outside of the plant floor are almost too numerous to mention. There are many advantages available by upgrading a process control system.
Control system upgrade security concerns
One of the most important aspects of a control system upgrade is to take advantage of the latest security technology available. In today’s connected world, security through obscurity is no longer a valid approach to ensuring a control system is safe from malicious access. One way to see the impacts of security vulnerabilities is to read some of the alerts from the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). The ICS-CERT reports detailed security vulnerabilities with control system software and hardware from many vendors and the ways people have been able to maliciously access control systems with varying results.
As technology ages, as in the case of legacy DCS, PLC, and HMI systems, the chance of a cyber attack increases as security flaws are exposed. This is one reason to maintain software updates throughout the life of the system and consider upgrades to new versions when systems reach the end of their support lifecycles.
Security becomes even more important to consider as control systems are integrated with other software and databases across an organization and are accessible from outside of the facility.
Optimizing with object-oriented programming
One of the advances with the most impact for control system technology is the use of object-oriented programming. This concept is relatively simple, yet extremely powerful.
With an object-oriented environment, one template can be created for each piece of equipment for both the operator interface and logic in the process controller. Tagging can be handled dynamically, requiring only one or two changes to create a new instance of a piece of equipment, and each device will function identically. If similar pieces of equipment have different options these can be handled in the template, no longer requiring multiple copies of the same graphics and code. Making a change down the road requires making the changes at the template, which are then propagated throughout the application. This can save a huge amount of time for development/testing and ongoing maintenance.
Integration with other systems
Integration with other business systems is another advancement that can be leveraged by installing modern systems.
Process scheduling, downtime tracking, computerized maintenance management, and statistical process control are a few of the integrations that can be used to easily improve overall performance of a system while giving full visibility into manufacturing operations.
Many vendors offer these types of integrations out-of-the-box, requiring a relatively small amount of work to move data between systems.
While migration is an option, taking advantage of a modernization will usually provide an enhanced process control system that can last for many years to come.
Tomi Engdahl says:
Siemens Patches Flaws in Industrial Automation Products
http://www.securityweek.com/siemens-patches-flaws-industrial-automation-products
Siemens has released software updates for several of its industrial automation products to address medium and high severity vulnerabilities discovered by researchers from various companies.
ICS-CERT and Siemens each published three separate advisories to describe the flaws found in SIMATIC and SINEMA products.
Siemens has also informed customers about three vulnerabilities found in some of its SIMATIC products. SIMATIC WinCC SCADA systems and PCS7 distributed control systems (DCS) are affected by two high severity improper input validation bugs.
http://www.siemens.com/cert/en/cert-security-advisories.htm
Tomi Engdahl says:
Survey finds a third of employers prioritize productivity over safety
http://www.controleng.com/single-article/survey-finds-a-third-of-employers-prioritize-productivity-over-safety/c69694d729227699562f51013660b7b4.html?OCVALIDATE&ocid=101781
The National Safety Council released survey results showing 33% of the employees surveyed believe safety takes a backseat to productivity at their organizations.
The National Safety Council released survey results showing 33% of the 2,000 employees surveyed across the nation believe safety takes a backseat to productivity at their organizations. The percentage was even higher among employees in high-risk industries.
Sixty percent of respondents in the construction industry, and 52% of those working in agriculture, forestry, fishing and hunting, felt safety was less of a priority than finishing tasks. These findings are particularly alarming because those industries are at the top when it comes to the number of occupational deaths each year.
“Every employee deserves a safe workplace,”
Tomi Engdahl says:
Securing the supply chain with cybersecurity
http://www.controleng.com/single-article/securing-the-supply-chain-with-cybersecurity/4fef25de9720fd34c178875cf5fe16c0.html?OCVALIDATE&ocid=101781
While manufacturers are becoming more aware of cybersecurity threats, they need to be aware that the organizations in their supply chain could be vulnerable and susceptible to an attack.
Security awareness is sweeping throughout the manufacturing automation sector, there is no doubt about it, and getting your house in order is the top priority, but that is hardly the end of ensuring a secure environment.
In this era of partners, suppliers, third-party vendors and open communications, it is inevitable that security in one of those organizations along the supply chain could be weak.
Tomi Engdahl says:
Securing physical security
http://www.controleng.com/single-article/securing-physical-security/386f1ff96e44c4c2090e1ebdda857e44.html?OCVALIDATE&ocid=101781
Physical security is now intersecting with cybersecurity in information technology (IT) and operational technology (OT) environments and there is a greater need for cybersecurity awareness as interconnectivity increases.
Physical security is now intersecting with cybersecurity in information technology (IT) and operational technology (OT) environments. The opportunities for physical security system manufacturers, integrators and end users to improve the cyber posture of their assets are growing.
For the physical security industry, this was a great opportunity to learn about the cyber impacts of further integration into the Internet of Things (IoT), and how physical security connects with OT assets. The expo’s core theme was ‘Bridging the Gap between Cyber and Physical Security,’ which refers to the convergence of cyber and physical environments. ISC West presented a platform to educate the physical security audience about the emerging cybersecurity landscape in OT environments that have significant links to physical security systems.
Physical, cybersecurity education
In my keynote at the event, I mentioned educating professionals in the physical security industry about cybersecurity best practices is a key element to ensuring they contribute positively to the overall security posture of the organization they protect.
Without adequate cyber protection to connected physical security systems protecting critical infrastructure, OT environments may end up exposed and vulnerable; every single connection and connected device is an entry point, an opportunity for a breach. As physical security practitioners remain concerned with maintaining control and protection of their assets, it is vital for them to understand the cyber-security threats that can arise with the increased implementation of connected physical security devices into their systems.
Tomi Engdahl says:
Cybersecurity in manufacturing: How much is needed?
http://www.controleng.com/single-article/cybersecurity-in-manufacturing-how-much-is-needed/17af9102a1473e7f8f452a1426b5c308.html?OCVALIDATE&ocid=101781
The cybersecurity situation for manufacturing is changing as the scale of attacks on the manufacturing sector and proportional loss to businesses has demonstrated the necessity of secure integrated control systems.
In your day-to-day routine, how focused are you on topics of cybersecurity? Do you follow exploits published by SANS, ICS-CERT, etc and relish in unique zero-day findings? Or, do you passively hear of hacks on the news and think, “I’m glad that wasn’t my company.”
For most of us, the answer would be the latter. However, the scale of attacks on the manufacturing sector and proportional loss to businesses in recent years has demonstrated the necessity of secure integrated control systems (ICSs).
The constantly shifting threat landscape can be daunting to follow—and it shows—in fact, the 2016 Vormetric Data Threat Report states that, “64% of IT execs think achieving basic compliance will stop most breaches.” With the increasing nation-state threat, breaches are becoming more sophisticated and creating advanced persistent threats (APTs) with new levels of potency.
The “script-kiddies” of yesterday, taking advantage of single exploits, have grown up to become a highly trained, educated, and government-sponsored team of professionals. This team is dedicated to stealing a target’s intellectual property (IP) and/or using that company’s weaknesses to damage an entire industry. The scale is massive, and the threat is real.
It is still true that most exploited vulnerabilities—99% in fact, according to Verizon’s 2015 Data Breach Investigations Report (DBIR)—came over a year after that exploit had been discovered and patched.
A coming of age of the cybersecurity threat landscape can be shown not only through the scale of attacks, but also through attackers’ focus, complexity, and funding. The situation is changing and the sophistication of these attacks, such as the one that hit Saudi Aramco, is evolving in ways that hadn’t been anticipated.
Tomi Engdahl says:
Ethernet as a leading machine automation protocol
http://www.controleng.com/single-article/ethernet-as-a-leading-machine-automation-protocol/5fcafa07bfb634c548e547a6d11a8de6.html?OCVALIDATE&ocid=101781
Although there are still dozens of industrial fieldbus protocols used in machine automation, Ethernet is starting to become the norm with EtherNet/IP and Modbus TCP becoming leading protocols in North America.
Fieldbus technology was a welcome advance from point-to-point wiring when it emerged during the last few decades of the 20th century, and it’s had a nice run in industry since then. Many fieldbus protocols have come and gone, but all have connected sensors, input/output (I/O) devices, and other field devices to automation systems.
For today’s industrial networks, Ethernet can be a more attractive option than competing protocols as performance can match and exceed fieldbus technologies. Setting up an Ethernet network is also typically less expensive and easier to configure than with other protocols.
A brief history of fieldbus
In the early years, there were the basic open-communication serial standards such as RS232 and RS422/485. These, among others, were the basis for better-defined standards such as Modbus, which used serial communication standards as the foundation for what became the leading industrial protocol.
Ethernet was not yet mature, and fieldbus protocols offered sufficient performance and reliability in many applications. However, fieldbus technology was often expensive and difficult to setup, and different protocols were incompatible on both the hardware and software levels.
For example, DeviceNet, Modbus, and Profibus DP each started out as proprietary protocols with Rockwell Automation, Modicon, and Siemens respectively. Each eventually became an open standard administered by an independent foundation.
While Industrial Ethernet’s growth is exceeding fieldbus growth for accessing devices and is expected to become the more dominant technology over the next 15 years according to IMS Research, other fieldbus networks have a very large installed base because they were the only option before Ethernet technology matured.
Many applications still benefit from the highly deterministic architecture that fieldbus networks such as DeviceNet and Profibus DP offer. With these and other similar protocols, it can be very convenient to add more devices using field-mounted I/O blocks to an existing network that is still satisfying the needs of the application.
Another popular fieldbus protocol is IO-Link, which is a point-to-point (P2P) network used for tying field devices to controllers, often through a converter
Although IO-Link and low-level fieldbus protocols work well for linking simple devices to controllers, more complex connections can benefit from the power, speed, and flexibility that Ethernet offers.
The case for Ethernet
An industrial Ethernet protocol may be considered instead of fieldbus communications in many new machine automation applications that require a high degree of information exchange, such as linking a vision system to a PLC. As hardware costs drop, it’s becoming more cost-effective even for simple applications such as remote I/O and for fieldbus device connections.
Many people still consider Industrial Ethernet as something different than fieldbus, but if one compares what fieldbus technology has traditionally accomplished with what Ethernet can do today, they are really one and the same.
With early Ethernet networks, determinism was poor and jitter was significant,
With the advent of cost-effective industrial Ethernet, unmanaged switches and then eventually managed switches, collisions have become a nonissue. Processing power has increased, and it has reduced data transmission delays to an insignificant level in most applications.
Even with standard, off-the-shelf Ethernet chips, jitter is low enough for most applications as these can utilize scheduling mechanisms such as Class 1 I/O Messaging in EtherNet/IP. For applications that are even more time critical, protocols such as EtherCAT use precision time protocol synchronization (IEEE 1588).
Tomi Engdahl says:
Air Gap or Not, Why ICS/SCADA Networks Are at Risk
http://www.securityweek.com/air-gap-or-not-why-icsscada-networks-are-risk
The commonly held belief that ICS/SCADA systems are immune to cyber attacks because they are disconnected from the Internet and the corporate network by an “Air Gap” is no longer true or feasible in an interconnected world. While many organizations will readily admit that the traditional air gap is disappearing, some still believe this is a viable security measure.
In theory, an air gap sounds like a good strategy. In practice, things are never that simple. Even in cases where an organization has taken every measure possible to isolate their ICS network and disconnect it from the outside world, we have seen cyber threats compromise the perimeter. Meanwhile, even if it were possible to completely air gap an ICS network, insiders still pose a threat.
Whether an organization implements an air gap or not, here are several reasons why ICS networks are at risk.
The Need to Exchange Files
Compromised Personal Devices
Vulnerabilities and Human Error
The Insider Threat
Connected Technologies and IIoT
Tomi Engdahl says:
Virtualization benefits for manufacturers
http://www.controleng.com/single-article/virtualization-benefits-for-manufacturers/daa91a8399bc7c1a2c562af26f46595f.html?OCVALIDATE&ocid=101781
Virtualization growth in manufacturing is continuing as more end users are taking advantage of the cost benefits it offers such as increased efficiency, reduced costs, and better security.
The goal is to keep the network up and running by eliminating any unplanned downtime, so that is where network monitoring comes into play as a strong tool to alert end users and keep them aware of nuances and changes going on in a network. In short, increase network visibility.
Virtualization is growing in all industries, especially manufacturing
From a hardware perspective, virtualization makes it possible to run more applications on the same hardware, which translates into cost savings. If fewer servers are purchased, then there will be fewer capital expenditures and maintenance costs.
Virtual machines can end up centrally managed and monitored, which allows a manufacturer to more easily achieve greater process consistency across the enterprise. Benefits include ease of continuous process improvement, greater agility and less training burden as employees transfer, or leave the company, get promoted, or retire.
By separating software from hardware updates, a virtual IT environment might offer benefits to ease this management lifecycle of software and OS system updates. Hardware purchases can also occur on a regular or scheduled basis, resulting in greater consistency in system specifications.
Virtualization provides greater cost savings
As mentioned, virtualization is growing on the industrial, or OT, side. Automation’s gains over the past decade have come from the ability to connect business systems to the plant floor and drive factories based on orders received and collect data out of the plant and use that to analyze and improve performance. Knowing and understanding all that, end users are deriving great cost savings by virtualizing PCs onto fewer physical servers.
When doing that, the top benefit is cost savings and another benefit is manufacturers are protecting themselves against hardware failure.
The issue is all about knowing the network and understanding what is going on. That all can happen once the user develops a baseline of what the network should look like. Then they can find and determine discrepancies.
Defense-in-depth tool
Whether it is a virtual environment or a regular physical network, in today’s Internet-connected manufacturing environment, network monitoring becomes another strong tool in solid defense in depth program.
From a security perspective, the goal is to ensure the network stays up as much as possible, which minimizes downtime and maximizes operational return.
The biggest risk on a network is when something impacts the business, such as a distributed denial of service (DDoS) attack, or when someone is trying to find an exploit and is running scanners across the network. By monitoring NetFlow traffic, it is possible to report on unusual activity on unknown ports and provide that information in real time as it is happening. NetFlow is a feature on Cisco routers that provides the ability to collect IP network traffic as it enters or exits an interface.
Because it is possible to report on things connected to or disconnected from the network, if mission-critical connections on the network go down, the network monitoring tool can alert the user the second it receives an outage notice from a device. The tool can inform the administrator of a fault before they realize it has happened on the network.
OT growth coming
Network monitoring has been a staple in the IT industry for a decade or so and the manufacturing automation industry is just now starting to pick up on the benefits that visibility bring.
OT networks tend to be a lot smaller than IT networks, but that is in the process of changing, especially with the looming shift to the Industrial Internet of Things (IIoT). When that happens, and there are industry pundits saying it will happen en masse sooner than later, the number of network connected devices is absolutely going to mushroom. So most likely in two years, network monitoring will be as important in this industry as it already is in IT.
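The monitoring approach described above (develop a baseline of what the network should look like, then report activity on unknown ports and hosts running scanners) is shown below as an added example. It is not code from the article or from any monitoring product; the flow records carry NetFlow v5-style fields but are constructed inline here, as are the addresses, ports and the scan threshold.

```python
"""Baseline-and-deviation monitoring over flow records.

Added example for the excerpt above; not code from the article or any vendor
product. Learns what the OT network "should look like" from a trusted window of
flow records, then reports flows on never-seen ports and hosts sweeping many
ports. Records are constructed with NetFlow v5-style fields; a real deployment
would read them from a flow collector instead.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

@dataclass(frozen=True)
class FlowRecord:
    ts: int        # first-seen timestamp, constructed
    src: str
    dst: str
    proto: str     # "tcp" or "udp"
    dport: int
    pkts: int
    nbytes: int

@dataclass(frozen=True)
class Alert:
    kind: str      # "unknown-port", "new-conversation" or "port-scan"
    src: str
    dst: str
    detail: str

Baseline = Tuple[Set[Tuple[str, str, int]], Set[Tuple[str, str, str, int]]]

def build_baseline(flows: Iterable[FlowRecord]) -> Baseline:
    """Services offered (dst, proto, dport) and exact conversations
    (src, dst, proto, dport) seen during the learning window."""
    flows = list(flows)
    services = {(f.dst, f.proto, f.dport) for f in flows}
    conversations = {(f.src, f.dst, f.proto, f.dport) for f in flows}
    return services, conversations

def detect(flows: Iterable[FlowRecord], baseline: Baseline, scan_threshold: int = 10) -> List[Alert]:
    """Compare a new window against the baseline. A destination service never seen
    is an unknown port; a known service reached by a new source is a new
    conversation; a source touching scan_threshold or more distinct ports on one
    host is reported as a scan."""
    services, conversations = baseline
    alerts: List[Alert] = []
    ports_per_pair = defaultdict(set)
    for f in flows:
        ports_per_pair[(f.src, f.dst)].add(f.dport)
        if (f.src, f.dst, f.proto, f.dport) in conversations:
            continue  # matches the baseline, nothing to report
        kind = "unknown-port" if (f.dst, f.proto, f.dport) not in services else "new-conversation"
        alerts.append(Alert(kind, f.src, f.dst, f"{f.proto}/{f.dport} pkts={f.pkts} bytes={f.nbytes}"))
    for (src, dst), ports in ports_per_pair.items():
        if len(ports) >= scan_threshold:
            alerts.append(Alert("port-scan", src, dst, f"{len(ports)} distinct ports"))
    return alerts

def summarize(alerts: Iterable[Alert]) -> Counter:
    """Alert counts by kind, the figure an operator would look at first."""
    return Counter(a.kind for a in alerts)

def _flow(ts, src, dst, proto, dport, pkts=10, nbytes=800):
    return FlowRecord(ts, src, dst, proto, dport, pkts, nbytes)

# Constructed learning window: the HMI polls two PLCs over Modbus/TCP, a historian
# pulls from the HMI, and everything syncs time against the site NTP server.
BASELINE_FLOWS = [
    _flow(1, "10.10.1.15", "10.10.20.3", "tcp", 502),
    _flow(2, "10.10.1.15", "10.10.20.4", "tcp", 502),
    _flow(3, "10.10.1.20", "10.10.1.15", "tcp", 135),
    _flow(4, "10.10.20.3", "10.10.1.1", "udp", 123),
    _flow(5, "10.10.20.4", "10.10.1.1", "udp", 123),
    _flow(6, "10.10.1.15", "10.10.1.1", "udp", 123),
]

# Constructed detection window: normal polling continues, then a laptop never seen
# before opens RDP to the HMI and sweeps twelve ports on one PLC.
SWEPT_PORTS = [21, 22, 23, 80, 102, 443, 502, 1911, 2222, 20000, 44818, 47808]
OBSERVED_FLOWS = [
    _flow(100, "10.10.1.15", "10.10.20.3", "tcp", 502),
    _flow(101, "10.10.2.77", "10.10.1.15", "tcp", 3389),
] + [
    _flow(102 + i, "10.10.2.77", "10.10.20.4", "tcp", p, pkts=1, nbytes=60)
    for i, p in enumerate(SWEPT_PORTS)
]

if __name__ == "__main__":
    found = detect(OBSERVED_FLOWS, build_baseline(BASELINE_FLOWS))
    print(summarize(found))
    for alert in found:
        print(alert)
```

The scan threshold is a tuning knob. Ten distinct ports on one destination inside a window is far outside normal HMI-to-PLC polling, which touches one or two, but an asset-inventory tool that is supposed to probe devices has to be included in the baseline window first or it will be reported every time it runs. Note also that the sweep’s probe of port 502 is classed as a new conversation rather than an unknown port: the service is legitimate, the source talking to it is not, and that distinction is what the per-conversation baseline buys over a plain list of open ports.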
Tomi Engdahl says:
Dragos Raises $1.2 Million to Counter ICS Cyber Threats
http://www.securityweek.com/dragos-raises-12-million-counter-ics-cyber-threats
Dragos, a startup focused on protecting industrial control systems (ICS) from cyber threats, has raised $1.2 million from startup studio DataTribe.
Founded by a small group of former NSA intelligence officers with experience in ICS security, Dragos offers a network asset discovery and visualization tool called CyberLens. The tool was developed specifically for control systems environments, which often require deep packet inspection through passive network scanning or data collection.
“We built a TOC while in the Intel community to identify nation states targeting critical infrastructure and it was very successful, so we are doing the same thing while developing Intel, analytics and technologies to help automate analyst efforts so that small teams can scale to protect more infrastructure,” Lee told SecurityWeek.
“We will have a threat hunting team that also does incident response, malware analysis, and threat intelligence,” he said.
The company is also developing a data pipeline product that is easily managed and configured that allows customers to collect host, network and relevant ICS data that can be accessed via a single, searchable interface for events and abnormalities. “We’re giving them, in essence, a lightweight industrial SIEM,” Lee said.
Tomi Engdahl says:
Industrial Cybersecurity Firm CyberX Raises $9 Million
http://www.securityweek.com/industrial-cybersecurity-firm-cyberx-raises-9-million
Industrial cybersecurity startup CyberX announced today that it has raised $9 million in new funding to help expand its business and solutions designed to protect the Industrial IoT.
Founded in 2013 by Omer Schneider and Nir Giller, CyberX offers a platform that continuously monitors networks and collects real-time data to help detect abnormal or potentially malicious activity.
Dubbed XSense, the platform was developed to easily connect to an existing setup and act as an invisible layer that models operational technology (OT) networks using what it calls “Industrial Finite State Machine (IFSM) technology.”
The company’s technology is already being used by dozens of enterprises across a range of industries, including energy, oil and gas, transportation, manufacturing and pharmaceuticals, the company told SecurityWeek.
Tomi Engdahl says:
Tips for secure remote access
http://www.controleng.com/single-article/tips-for-secure-remote-access/1d404fa1ead37df62bc7067439d9fafc.html?OCVALIDATE&ocid=101781
Remote access will become an even more vital element as the industry becomes more open and connected and secure communications can be a constant if the right steps are taken.
As the industry continues its expansion into a more open and connected environment, remote access will become an even more vital element, but with the right strategies in place, secure communications should not be an issue.
“There is no doubt control systems have evolved,” said Marco Ayala, senior industrial cybersecurity project manager at aeSolutions, during his presentation at the Siemens 2016 Automation Summit in Las Vegas. “We look at cyber as a huge piece of information. Workers need to ensure security is top of mind at all times. Are you monitoring? Are you logging? Are we saying information technology (IT) has it? Are we saying operational technology (OT) has it?”
Ayala pointed at the attack on the Ukrainian power grid this past December as a perfect case in point about remote security.
On December 23, 2015, power went out for a high number of customers (reports range from 80,000 customers to 700,000 homes) in the Western region of the Ukraine served by regional power distribution companies. These companies end up supplied by thermal power generation stations (the Ukraine also has a large amount of power generated from nuclear facilities, though not in this region).
Attack details
Here are components of the Ukrainian power grid attack:
BlackEnergy (also known as DarkEnergy) is malware that has existed since 2008 and its modular components have morphed over time. In this incident, the third variant of BlackEnergy is a key vector that provided the attackers with access to the utilities’ computer networks and the ability to remotely communicate with them. This compromise and the resulting remote communications were probably not within the industrial control system (ICS) networks.
One BlackEnergy component, known as KillDisk, has a wiping functionality that may have denied the use of the supervisory control and data acquisition (SCADA) system, delayed restoration and covered the perpetrators’ tracks. The actual hosts affected by KillDisk have yet to be disclosed.
In addition, an attack on phone systems, possibly a denial of service (DoS) attack, prevented the utilities from receiving calls from customers reporting outages.
Also, the electricity went out and was restored the same day by field staff manually reclosing breakers at affected substations.
“Attackers were on the system months before the attack,” Ayala said. “They took advantage of the SCADA systems and social engineering. (The utility) also failed to put in two-factor authentication on virtual private networks.”
Remote best practices
To avoid a remote attack, consider some of these best practices:
Require the use of corporate-owned laptops for remote access which are subject to and maintained according to the organization’s security policies
Provide remote access users with a secure bootable image
Require and enforce contractually that third parties with remote access accept and comply with the organization’s security rules
Require two-factor authentication for any remote access session
Configure the VPN such that split tunneling is not allowable by technical policy
Monitor and log user ID, time, and duration of remote access across all remote access sessions
Provide mechanisms for on-demand and automatic session termination
Encrypt all communications and untrusted networks
Configure modems and remote access software for maximum security
Restrict remote connections to a special machine in the IACS demilitarized zone (DMZ), which then has access to select resources in the control system.
He stressed that monitoring, logging and defense-in-depth are critical.
In short, Ayala said there should be:
Multiple layers of security are paramount
Security is baked in
Front-end engineering and design (FEED)
Security acceptance testing (SAT)
Factory acceptance testing (FAT)
Lifecycle; continuous testing and auditing.
Tomi Engdahl says:
Plant Security: The Moving Threat, the Effective Response
http://www.designnews.com/author.asp?section_id=1386&doc_id=281451&cid=nl.x.dn14.edt.aud.dn.20160902.tst004c
As manufacturers take advantage of the efficiencies of connectivity, the expanded network opens up significant threats of cyber attack. Hacking criminals are getting more sophisticated as plants are becoming more vulnerable, a bad combination. Yet cybersecurity is advancing in its ability to ward off intrusions.
Much has changed since the days when a plant network was wired. The danger of hacking existed, but the entry points were defined and protection was less complicated. The Industrial Internet of Things (IIoT) has created significantly greater exposure. “The IIoT is a significant challenge. First you do have a much larger attack surface. There is a proliferation of connected devices. Every new device brought onto the network is a target for hackers,” said Grau. “Plus, many of these devices are deployed outside of the current IT security perimeter. This creates significant new security challenges.”
Embedded systems have made cybersecurity more complicated. For one, the usual IT security solutions are not as effective with embedded devices. Plus, the potential damage from an attack is greater. “Many of the IIoT devices are embedded systems that require new security solutions. Traditional IT and PC security approaches won’t work on these specialized devices,” said Grau. “If an IT system is hacked the consequence is data loss. If an IIoT system is hacked the power grid can go down, flights can be grounded, productions lines can be shut down, and real physical damage can be done. People can die.”
Intrusion Detection
Many cyber attacks are designed to be stealth operations where the attacker hides in the system and nabs data undetected. Consequently, intrusion detection has become a new front on the cyber battleground. “Intrusion Detection Solutions (IDS) for IIoT need to be customized to the nature of the devices. Small devices with limited resources need a solution tailored to the types of attacks they are likely to experience while not overwhelming the limited resources of the device,” said Grau. “At the same time, the sophistication of the Intrusion Detection Solution must scale up to support more powerful gateway and control systems.”
Intrusion detection works from its ability to identify suspicious behavior in the network. IDS can spot cyber behavior that is outside the expected activity on the network. “The key is to monitor for, detect and report anomalous traffic,
Preventing Attacks
The backbone of effective cyber protection is knowledgeable professionals who keep abreast of new dangers as well as new prevention developments. Those professionals could be either trained employees or hired guns. “It requires a team of dedicated experts to keep up with the current attacks and cybersecurity countermeasures. Many OEMs are designating an internal cybersecurity champion to work with outside experts and cybersecurity firms to coordinate their solutions and ensure they are staying current and building the appropriate solutions,”
Attackers Are Gaining Strength
In recent years, the nature of cyber criminals has changed. Gone are the days of teenage showoffs or disgruntled employees. Hacking has become an organized criminal enterprise. “Attackers are becoming more sophisticated over time. They are learning about new vulnerabilities and developing automated attack tools to exploit those vulnerabilities,”
Tomi Engdahl says:
GAMS preview: The IT/OT convergence
http://www.plantengineering.com/single-article/gams-preview-the-itot-convergence/e0f4d7f1edfe026d8e21c9dbec250cbc.html?OCVALIDATE=
In preparation for the 2016 GAMS Conference on Sept. 14 in Chicago, CFE Media asked our panelists to discuss some of the key issues facing manufacturing. This is one in a daily series of articles.
Tomi Engdahl says:
GAMS preview: IIoT and the state of manufacturing
http://www.plantengineering.com/single-article/gams-preview-iiot-and-the-state-of-manufacturing/3c38b723f25b565bbc4238d18937a58d.html?OCVALIDATE=
In preparation for the 2016 GAMS Conference on Sept. 14 in Chicago, CFE Media asked our panelists to discuss some of the key issues facing manufacturing. This is one in a daily series of issues
CFE Media: We’ve been actively talking about the Industrial Internet of Things (IIoT) for the past two years, and it’s been looming on the horizon for years before that. Assess where manufacturing is today in both its understanding of and implementation of IIoT.
Rich Carpenter, GE: There are two main advancements:
1. With various systems having been moved to cloud infrastructures, customers are less concerned and more open than they were when IIoT discussions first started.
2. As technology has improved, it is not possible to use plant floor data for Big Data/analytics initiatives without having to disturb the plant floor control systems. This has broadened the audience within the manufacturing customer base for the data.
Rob McGreevy, Schneider Electric: Manufacturers have long been collecting production data from across operations. The number of low cost data generating sensors enabled by the Industrial Internet of Things has made it even easier to generate massive amounts of industrial data. However, data alone is not where manufacturers get value. The real value of IIoT comes converting that data and turning it into actionable information. Enterprise Asset Performance Management leveraging predictive analytics technology is one example of an application where significant improvements and savings have been achieved. Predictive analytics based on advanced pattern recognition and machine learning is uncovering opportunities to extend asset life, reduce unplanned downtime and improve reliability and performance. Our customers have seen savings up to $7 million in a single early warning catch. These types of initiatives are having a direct impact on the bottom line, helping to justify continuing investment in an IIoT strategy.
Rick Vanden Boom, Applied Manufacturing Technologies (AMT): I think manufacturing is just getting started to consider the possibilities and benefits of IIoT. Manufacturing systems typically have a high degree of connectivity, but more on a local level (within the system itself or within a plant or company) and most often geared towards enabling system functionality and basic data reporting. We are just starting to see the possibility of self-monitoring machines and systems, self-optimization, preemptive maintenance calls, and even ordering spare parts.
Jose Rivera, CSIA: On one end of the spectrum you have some companies being very concerned about security and viewing IIoT as a threat. These companies have basically put a lock on their doors.
On the other end of the spectrum you have companies fully embracing it. An example often cited is ThyssenKrupp and their deployment of IIoT for doing predictive maintenance—technology guidance to technician going to the site, etc. This was an impressive development with Microsoft
In my opinion, when it comes to IIoT the proven model has been around asset management. Here is where you have a quickly growing number of companies getting on the bandwagon. The model had been around for decades but only for large expensive capital equipment (e.g., a turbine), long before IIoT.
In between the two ends of the spectrum of IIoT deployment you have companies deploying IIoT, but not necessarily realizing that what they are doing falls under the IIoT umbrella.
There are good examples going beyond the simple asset management of a machine to reach into operations improvement.
As prices for IIoT equipment have been coming down, experimentation is taking place in plants by curious and innovative personnel.
Tomi Engdahl says:
SCADA cybersecurity in the age of the Internet of Things
http://www.controleng.com/single-article/scada-cybersecurity-in-the-age-of-the-internet-of-things/73f8ad3f8fa8cd59f2cd17f66ebc903c.html?OCVALIDATE&ocid=101781
Supervisory control and data acquisition (SCADA) systems’ traditional role is changing as the Industrial Internet of Things (IIoT) continues to take a larger role. SCADA systems were not originally designed for cybersecurity and plants need to adjust to this new reality.
Supervisory control and data acquisition (SCADA) systems, and the broader industrial control systems (ICS) including SCADA, human-machine interfaces (HMIs), building management systems (BMS), manufacturing execution systems (MES), and computer maintenance management systems (CMMS) have roots in proprietary technology that was traditionally isolated from the enterprise information technology (IT) infrastructure. These platforms were not originally designed for cybersecurity.
The IIoT transformation is disrupting the role of the traditional control room with a trend toward mobile devices that are used for monitoring and control (Nugent, Bailliencourt, and Kaltenbacher, 2015). The emerging contextual HMI component of IIoT-enabled ICS provides great productivity gains to operations and maintenance organizations, while expanding the perimeter of the ICS. However, it adds to the scope of cyber threat management.
CFE Media
The modern ICS platform vendor incorporates the Software Engineering Institute’s Cyber Risk and Resilience Management into the ISO 9001 Quality Process for development and production. The goal is to be transparent regarding internally or externally reported vulnerabilities and to act quickly to minimize risk for customers.
Participation in standards organizations, such as the Institute of Electrical and Electronic Engineers (IEEE) and the International Electrotechnical Commission (IEC), is designed to assist in achieving the goal of transparency through open discussion and feedback. Participation is critical to rapid implementation of the recommendations coming from these organizations.
The National Institute of Standards and Technology (NIST) has provided a framework that is invaluable for systematically identifying an organization’s critical assets, identifying threats, and securing critical assets (Nugent and Hoske, SCADA cybersecurity, 2015). The framework has four elements: Identify, protect, detect, and react.
Recognize and identify suspicious behavior
Inventory and monitoring tools that are control-system aware are an important factor in establishing a reliable ICS baseline. Monitoring the ICS with technology that is capable of producing a baseline template of the communication between the ICS, the PLC, and other control elements is critical. Ideally, such systems will be able to:
Extract metadata from the network flow using passive sensors
Dynamically build a visual inventory of components and a map of connections
Learn the ICS and provide statistical and behavioral descriptions of normal operations
Recommend preventative actions
Trigger incident response upon evidence of compromise.
The IIoT devices often communicate using wireless technologies. A difference between general IT networks and ICS networks is the use of static IP. As industrial networks become connected to the broader Internet, health monitoring systems look for changing or duplicate IP and MAC addresses, device or cable movement, and unauthorized connections. This environment is greatly complicated with the addition of mobile sensors connected through wireless access points with dynamic IP connections (Robles and Kim, 2010).
Protect the dissolving perimeter
At a recent Tech Talks Summit in Massachusetts, Mike Ratte discussed today’s IT security landscape (Centrify, 2016). He said, “Identity is the new perimeter,” and his arguments for that include:
Nearly half of breaches are caused by compromised credentials
Hackers target all classes of users including privileged users
Traditional perimeter-based security is not enough
Security should be based upon context-based policies.
This strategy fits well with the dissolving perimeter of the ICS, which has embraced the benefits of open connectivity and therefore also will benefit from enterprise security professionals.
With 63% of confirmed data breaches involving weak, default, or stolen passwords (Verizon, 2016), credential management ranks high on the list of ICS cyber threats. The possibility of physical access through stolen or lost mobile devices compounds the need for strong credential management.
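The baseline-driven monitoring described above (learn normal ICS communication from passively collected flow metadata, then flag changed or duplicate IP/MAC pairings, unauthorized devices and new connections) and the earlier point about reporting unusual activity on unknown ports from NetFlow-style records can be demonstrated with a small detector. This is an added example, not code from the articles or from any vendor named on this page; the flow record format is an assumption and the addresses, MACs and flows are constructed.

```python
"""Learn an ICS communication baseline from passive flow records, then detect
deviations. Added example; the record format is assumed and all data constructed."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_mac: str
    dst_ip: str
    dst_port: int
    proto: str


def parse_flow(line):
    """Parse one assumed flow record: src_ip,src_mac,dst_ip,dst_port,proto."""
    src_ip, src_mac, dst_ip, dst_port, proto = [x.strip() for x in line.split(",")]
    return Flow(src_ip, src_mac.lower(), dst_ip, int(dst_port), proto.lower())


@dataclass
class Baseline:
    mac_of: dict = field(default_factory=dict)  # static IP -> MAC first seen for it
    ip_of: dict = field(default_factory=dict)   # MAC -> IP first seen for it
    conns: set = field(default_factory=set)     # (src_ip, dst_ip, dst_port, proto)


def learn_baseline(lines):
    """Build the 'normal operations' picture from a learning window of flows."""
    b = Baseline()
    for f in map(parse_flow, lines):
        b.mac_of.setdefault(f.src_ip, f.src_mac)
        b.ip_of.setdefault(f.src_mac, f.src_ip)
        b.conns.add((f.src_ip, f.dst_ip, f.dst_port, f.proto))
    return b


def detect(b, lines):
    """Compare a detection window against the baseline; return (kind, subject, detail)."""
    alerts = []
    for f in map(parse_flow, lines):
        if f.src_ip not in b.mac_of:
            alerts.append(("unknown_host", f.src_ip, f.src_mac))
        elif b.mac_of[f.src_ip] != f.src_mac:
            # Static IP now answered by a different MAC: device swap or spoofing.
            alerts.append(("mac_changed", f.src_ip, f"{b.mac_of[f.src_ip]} -> {f.src_mac}"))
        if f.src_mac in b.ip_of and b.ip_of[f.src_mac] != f.src_ip:
            # One MAC seen behind two IPs: duplicate address or cable/device moved.
            alerts.append(("duplicate_mac", f.src_mac, f"{b.ip_of[f.src_mac]} and {f.src_ip}"))
        if (f.src_ip, f.dst_ip, f.dst_port, f.proto) not in b.conns:
            # Peer/port never seen during learning, e.g. a scan or a new service.
            alerts.append(("new_connection", f.src_ip, f"{f.dst_ip}:{f.dst_port}/{f.proto}"))
    return alerts


# Constructed learning window: HMI and historian talk Modbus/TCP to one PLC,
# and the HMI writes to the historian database.
BASELINE_LINES = [
    "192.168.10.10,aa:bb:cc:00:00:10,192.168.10.20,502,tcp",
    "192.168.10.30,aa:bb:cc:00:00:30,192.168.10.20,502,tcp",
    "192.168.10.10,aa:bb:cc:00:00:10,192.168.10.30,1433,tcp",
]

# Constructed detection window.
DETECT_LINES = [
    "192.168.10.10,aa:bb:cc:00:00:10,192.168.10.20,502,tcp",    # normal traffic
    "192.168.10.10,de:ad:be:ef:00:01,192.168.10.20,502,tcp",    # HMI's IP, different MAC
    "192.168.10.99,aa:bb:cc:00:00:99,192.168.10.20,502,tcp",    # host never seen before
    "192.168.10.10,aa:bb:cc:00:00:10,192.168.10.20,44818,tcp",  # known pair, unknown port
    "192.168.10.40,aa:bb:cc:00:00:30,192.168.10.20,502,tcp",    # historian's MAC on a new IP
]

if __name__ == "__main__":
    baseline = learn_baseline(BASELINE_LINES)
    for kind, subject, detail in detect(baseline, DETECT_LINES):
        print(f"{kind:15s} {subject:20s} {detail}")
```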
Tomi Engdahl says:
How to keep process facilities safe
Proper safety management can be taken to minimize risk.
http://www.controleng.com/single-article/how-to-keep-process-facilities-safe/e1cd37b8571ba13254d4d527e1ae2da1.html?OCVALIDATE&ocid=101781
Modern industrial life has its rewards, but it also comes with risks. There is no such thing as absolute safety or zero risk. When major industry accidents happen, regulations often follow.
In deciding an acceptable level of risk, some look at risks that society readily accepts, such as the 35,000 people who die in the U.S. every year in vehicle accidents. That 1 in 10,000 people-per-year risk has produced little public or government outcry, so it would appear to be a tolerable level of risk. Learn more about “how safe is safe enough,” in the American Institute of Chemical Engineers, Center for Chemical Process Safety (AIChE CCPS) book Guidelines for Developing Quantitative Safety Risk Criteria.
Modern automation and control systems are very reliable; however nothing is perfect, everything fails, and it’s just a matter of when. Process facilities need multiple, independent layers to maintain safety, including integration of alarms, safety instrumented systems, pressure relief devices, scrubbers, flare systems, and fire and gas systems, among others. Layers shown in Figure 1 are used to lower risk in a facility.
CFE Media
The first edition of ANSI/ISA 84 was released in 1996, the second edition in 2004, and a third edition may be released by the end of 2016. It is a performance-based standard. It does not mandate technologies, levels of redundancy, test intervals, functional logic, how to implement bypasses, or any other details. It does not state what levels of risk should be tolerable for the industry or any particular company. After all, the standard was written for the entire process industry; what is applicable for one facility may not be applicable for another.
ANSI/ISA 84 standard is essentially a cradle-to-grave approach. A hazard and risk assessment is performed to identify hazardous scenarios (such as, what might go wrong) and evaluate the risk of each scenario (how often and how serious). This will eventually lead to the inputs, outputs, logic, and performance required of the SIS. A safety requirement specification (SRS) needs to be written to document the more than two dozen details needed to adequately design each safety function.
Most safety system problems originate from this step not being completed properly.
Advancements in safety technology
Control systems, alarm systems, safety instrumented systems, and fire and gas systems represent technologies used to keep process facilities safe. In addition to standards and regulations, there have been many developments to these systems. Most process facilities were controlled in the past using a combination of programmable logic controllers (PLCs) and distributed control systems (DCSs), however now that terminology isn’t used by some vendors.
Modern systems are a hybrid blend of the two and have speed, processing, and communication with capabilities beyond the early generation systems (that are still running in many facilities). Electromechanical relays have been used in safety applications since before WWII. PLCs were designed specifically to replace relays, but they did not offer the same level of safety performance. Safety PLCs using very high levels of diagnostics have been available since the 1980s, and they continue to evolve.
For safety applications, there is an increasing trend for users and engineering firms to specify devices (logic solvers and field devices) that are certified for safety applications by third parties. While this does offer some benefits, certifying devices is not a requirement according to any of the standards, and it is not the proverbial silver bullet that solves all potential problems.
Tomi Engdahl says:
Network monitoring and the IIoT
http://www.controleng.com/single-article/network-monitoring-and-the-iiot/98e731d6ef2cd78c5f96066ee0aa27c3.html?OCVALIDATE&ocid=101781
The risk of a potential cyber attack is going to increase as the Industrial Internet of Things (IIoT) becomes more widely adopted. Greater awareness and cooperation is needed to head off those risks before they become a reality.
Every industry has its price point for an unplanned shutdown where some may be in the thousands of dollars per hour to others being in the millions of dollars per hour.
Any kind of unplanned shutdown—whether it is accidental or malicious—is expensive. The attack surface is about to get that much larger with the adoption of the Industrial Internet of Things (IIoT), which means security professionals and the executive suite will need to get on the same page.
That is why one of the latest trends moving through the manufacturing automation sector right now is network monitoring.
The idea of increased network visibility only makes sense with more sensors bringing in more data and more connections coming from multiple locations. IIoT adoption is going to happen sooner or later because the benefits far outweigh the negatives. Manufacturers want the business to become more productive, easier to manage and more cost-effective to operate. In addition, IIoT will allow moving ancient legacy systems into a more modern era to take advantage of all things new technology and connectivity bring to the table.
CFE Media
The negative, though, means the manufacturer could be a cyber security sitting duck if they don’t see—and understand—what is coming at them.
“The operational technology (OT) side is babes in the woods with the network of things,” said Frank Williams, chief executive at Statseeker. “With all the different devices connected to the network and the network becoming connected to the enterprise, the network today is another piece of technology.”
Williams said that there are currently around 40,000 sensors at a typical process plant. The IIoT will increase those numbers to something over 250,000 sensors per plant. Each of those sensors will produce near real-time data at an update rate of four times a minute, or 250 milliseconds per datum. That means each sensor will produce over 5,000 data points per day. That’s 1.44 billion data points per plant, per day. Each of those sensors needs to end up monitored and diagnostically checked for proper operation as part of the network.
Business enabler
“We are starting to see what could happen if you connect your industrial environment to different areas on the Internet,” said Yoni Shohet, co-founder and chief executive at SCADAfence. “Take the example of the German nuclear plant in April, where they didn’t have a direct or constant connection to the outside world, they just connected once in a while, and still malware was able to penetrate into the control systems. There is definitely a need to monitor inside all industries.
“We talk to customers and they are surprised at what they have on their networks and they quickly understand they need to monitor their facilities worldwide because they don’t really know what is running on their networks. They don’t have any real time or up to date information on the assets running inside their network.”
“More companies are seeing cyber security as an enabler for new business opportunities and new technology capabilities in the industrial environment and not as a threat to the productivity of the production,” Shohet said. “Companies must understand that to truly adopt it or else they will not invest budget in a productivity solution.
“We are seeing in general the trend of the IT-OT convergence; we are starting to see tools used in both environments in order to have some kind of a standard and similar platforms in order to integrate cyber security organization-wise and not technology-wise in the existing organizational processes. It is only natural,” Shohet said.
“I think the general, if the IT and OT teams are communicating properly, it could exist. If they are not communicating properly, they probably won’t be installing cyber security at all because the OT personnel are skeptical of it,” Shohet said.
“Hackers don’t ask permission before they take control,” said Eric Knapp, chief cybersecurity engineer at Honeywell Process Solutions (HPS) at the 2016 Honeywell Users Group (HUG) Americas conference in San Antonio. “Cyber attacks happen all the time. We need to understand how attacks work to protect (users’) networks.”