Tim Ricketts of MAC Solutions provides insight into the changing requirements of cyber security systems to protect industrial control networks.
It’s difficult to think of a phrase in the past year that brings more of a feeling of dread to an organisation than ‘cyber-attack’. Add the word ‘advanced’ and defending against it seems an even more hopeless task. However, what’s missing from the picture is that these attacks have only become more advanced in terms of the parties conducting them and the targets they seek to exploit or damage.
Take, for example, the attack on the Ukraine Power Station in 2016, which left 230,000 people in the dark and without power for six hours. Officially, this was the first reported cyber-attack against a nation’s power infrastructure, with the attack vector being the supervisory control and data acquisition (SCADA) system. The Ukraine attack has been an important lesson to those companies wishing to improve their cyber security systems and also acts as a stark warning for those who do not.
The following trends have emerged from the aftermath of the Ukraine attack:
* Use the data that is available to you. Well before the attack occurred, spikes in network traffic would have been seen from the updates made to device firmware; this would have been an early warning indicator that something was wrong. The success of the attack pivoted around this mistake.
* Consider the access that your engineers have to the system. For example, are all of the entry points needed? If so, have they been secured with the correct level of protection?
* Use up-to-date anti-virus definitions to catch known malware.
* Learn about your usual alarm events and monitor for abnormal events within the process and control system.
* The attacker will be persistent, conducting a large amount of reconnaissance over a period of months. Taking an evolutionary approach to your network security ensures that you will be ahead of the attacker.
The stakes have changed
The stakes have changed, but the defences have not – therein lies the problem. The typical industrial control network may appear to have the greatest of all protection – air gapping. This physical network separation is now the status quo across industry. However, as the defence has changed, so has the attack vector. Malware that is created to destroy a SCADA system, for example, will lie dormant until it finds its target, moving from phone to USB stick to laptop, using its host as a means of transport, until it finally reaches its end destination – your process and control equipment. The damage is now done. The dormant malware that evaded your corporate firewalls and personal device protection is now on an air-gapped system – a system that will likely have an out-of-date firewall for the very reason it was deemed to be secure.
If your question as a business is still “what extra training do I need for my staff to combat this threat?” then your security is already compromised, but not for the reason you might think. The key trend across all attack vectors in all industries is that people are the problem: password capture, insecure connections, phishing emails and the USB stick in the car park. These attacks play on one human instinct: curiosity. For this reason alone you cannot rely solely on the fact that your staff have been trained.
The methodology of persistent security is to assume the worst and therefore be at the forefront of the defensive evolution for your process and control system. It requires building a system in which you have full visibility of your weaknesses, so that you can be ahead of the attacker.
To do this, you must first contain your network, ensuring that access to critical systems is planned, logged and audited. The access that is granted must also be controlled. End device protection technology such as Sheep Dip USB Device protection must be implemented so that end devices are protected from internal tampering or accidental exposure to malware – devices that may have already been exposed to malware can also be detected using the latest definitions, without ever having to expose them to the Internet.
Once you can be confident that your devices are secure, monitoring of your network is fundamental to understanding your weaknesses and offers the potential to expose existing breaches that may have occurred months previously. Quickly patching these insecure access points and understanding your vulnerabilities may deter the opportunistic attacker. To do this effectively, a product such as CyberX can be used to automatically gather normal network traffic, logs and control events, and then use this as a baseline for detecting anomalous activity.
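The baseline-then-detect idea described here (and the firmware-update traffic spike noted in the Ukraine lessons above) can be shown in a few lines. The following is an added illustration, not MAC Solutions’ or CyberX’s code; it assumes a single OT subnet (10.10.0.0/24) and works over constructed flow records of the form (minute, source, destination, port, bytes).

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

OT_NET = ip_network("10.10.0.0/24")  # assumed control-network range (not from the article)

def build_baseline(flows):
    """Learn the set of known hosts and the mean bytes/minute sent to each destination."""
    known, per_minute = set(), defaultdict(lambda: defaultdict(int))
    for minute, src, dst, _port, nbytes in flows:
        known.update((src, dst))
        per_minute[dst][minute] += nbytes
    mean = {dst: sum(m.values()) / len(m) for dst, m in per_minute.items()}
    return {"known": known, "mean": mean}

def detect(baseline, flows, spike_factor=5.0):
    """Return sorted (minute, kind, detail) alerts for flows that fall outside the baseline."""
    alerts, per_minute = set(), defaultdict(lambda: defaultdict(int))
    for minute, src, dst, port, nbytes in flows:
        per_minute[dst][minute] += nbytes
        for host in (src, dst):
            if host not in baseline["known"]:
                alerts.add((minute, "unknown_device", host))
        # a connection into the OT range from an address outside it
        if ip_address(src) not in OT_NET and ip_address(dst) in OT_NET:
            alerts.add((minute, "remote_connection", f"{src}->{dst}:{port}"))
    for dst, m in per_minute.items():
        mean = baseline["mean"].get(dst)
        if mean:
            for minute, total in m.items():
                if total > spike_factor * mean:  # volume far above the learned norm
                    alerts.add((minute, "traffic_spike", f"{dst} {total}B"))
    return sorted(alerts)

# Constructed sample: an HMI polling two PLCs over Modbus/TCP (port 502) once a minute
HMI, PLC_A, PLC_B = "10.10.0.5", "10.10.0.20", "10.10.0.21"
def poll(start, end):
    return [(m, HMI, plc, 502, 2000) for m in range(start, end) for plc in (PLC_A, PLC_B)]
BASELINE_FLOWS = poll(0, 60)                # an hour of normal polling
LIVE_FLOWS = poll(60, 70) + [
    (63, HMI, PLC_B, 502, 400_000),         # large push to PLC_B, e.g. a firmware write
    (65, "192.0.2.44", PLC_A, 502, 300),    # connection from outside the OT range
    (66, "10.10.0.99", PLC_A, 502, 500),    # host never seen during the baseline
]

def run_demo():
    return detect(build_baseline(BASELINE_FLOWS), LIVE_FLOWS)

if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Normal polling in the live window raises nothing; the firmware-sized push, the external connection and the new host each produce an alert, which is the kind of early-warning signal the article says was available before the Ukraine attack.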
The top ten discoveries made within weeks of using the ‘Persistent Security’ technique are as follows:
– Clear text/weak passwords.
– Illegal remote connections to OT.
– Unexpected/unknown devices in the network.
– Misconfigured PLCs.
– Operational malfunctions.
– Generic and targeted malware.
– Manufacturer vulnerabilities.
– Multiple wireless access points.
– Direct Internet connections.
– Exploitable attack vectors.