Threat Intelligence

1/10/2017
02:00 PM
David Zahn
David Zahn
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
100%
0%

'Molecular' Cybersecurity Vs. Information Cybersecurity

When it comes to industrial processes, security begins at the molecular level.

Not all cybersecurity risk is created equal. Case in point: when Sony was hacked, information was stolen, systems were wiped, and society was temporarily deprived of a Seth Rogan movie. These were mostly bad outcomes, and Sony certainly suffered a significant financial loss.

Now, imagine a similar attack on an oil refinery where compromised systems include the proprietary industrial control systems that manage volatile processes. When I say volatile, I'm referring to processes where a boiler is heating oil by hundreds of degrees separating molecules to produce gasoline and other products. With appropriate access, a bad actor can change how hot that boiler is configured to run. If you combine that with disabled safety systems, production, environments —  even lives —  can be severely affected. A German steel mill experienced this in 2014 when a boiler exploded after an industrial control system attack; and 225,000 Ukrainians lost power in December 2015 when a hacker group shut down substation systems.

I don't want to diminish the impact that malicious attacks have on our financial industry and others. However, chemical, oil and gas, and power generation attacks can have much graver outcomes — yet, surprisingly, these industries are in some ways the most vulnerable. If you examine cybersecurity within a typical industrial process company, you find many of the same protections you find in any other company — antivirus software, firewalls, application whitelisting, and more. These security controls are focused on protecting workstations, servers, routers, and other IT-based technology. In other words, they protect the flow of information.

But systems that move and manipulate molecules (for example, oil separating into constituent parts) are not nearly as secure. Why? Because many of these systems were built and deployed before cybersecurity was even a thing. Industrial facilities rely primarily on layered defenses in front of industrial control systems, security by obscurity (think complex systems on which it takes years to become an expert), and air gapping (physical isolation from other networks).

The reality is that layered defenses and air gapping can be bypassed. Industrial facilities, for instance, periodically have turnarounds where they perform maintenance or switch production output. This requires hundreds of engineers — many of them third-party ones — working multiple shifts to get production back online. They are authorized users who could accidentally (or intentionally) introduce malicious code or configuration changes into a control system.

Relying on obscurity as a strategy only has limited effect. With the rise of nation-sponsored cyber warfare, the capability of manipulating complex control systems is also on the rise. The Ukrainian power attack, for instance, included malicious firmware updates that were believed to have been developed and tested on the hacking group's own industrial control equipment. Heck, you can even buy a programmable logic controller (a type of industrial control system) on eBay.

Potential Impact
The Obama administration's Commission on Enhancing National Cybersecurity report was released in early December. There were some good recommendations in the report, particularly around having a security rating system for Internet of Things devices. What I found disturbing was that the report stated the distinction between critical infrastructure systems (found in the industries highlighted in this post plus others, such as transportation, that also rely on industrial control systems) and other devices is becoming impractical. The point is that in a connected world, everything is vulnerable and attacks can come from any quarter. It's a fair point, but this idea diminishes the importance of impact, which is essential to driving priority, policy, and investment decisions. Protecting the systems that manipulate molecules must have priority and, in some cases, have precedence over the ones that maintain information.

So, where do you start? Where should investment flow? Most companies need to start at the beginning and simply begin to track the cyber assets they have in an industrial facility. Another fun fact: many don't track that data today, or do so in a highly manual way, which means there are data gaps and errors. Without visibility into the cyber assets in a plant, you can't effectively secure them.

And when we talk about cyber assets, any credible inventory plan must include the controllers, smart field instruments, and other systems that manage the volatile processes we've discussed (these systems, by the way, make up 80% of the cyber assets you find in an industrial facility). This can't happen in a spreadsheet, but it must happen through automation software that can pull data from the many disparate, proprietary systems that can exist in a single facility.

With an automated, detailed inventory that is updated regularly, companies can begin to do the things they know are important for securing any system — they can monitor for unauthorized changes, set security policies, and more. Doing so allows companies not only to secure information, but also secure the molecules — the lifeblood of an industrial process company.

Related Content:

As General Manager of the Cybersecurity Business Unit at PAS, David Zahn leads corporate marketing and strategic development of the PAS Integrity Software Suite. David has held numerous leadership positions in the oil and gas, information technology, and outsourcing ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
'Hidden Tunnels' Help Hackers Launch Financial Services Attacks
Kelly Sheridan, Staff Editor, Dark Reading,  6/20/2018
Email, Social Media Still Security Nightmares
Dark Reading Staff 6/15/2018
Tesla Employee Steals, Sabotages Company Data
Jai Vijayan, Freelance writer,  6/19/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-12526
PUBLISHED: 2018-06-21
Telesquare SDT-CS3B1 and SDT-CW3B1 devices through 1.2.0 have a default factory account. Remote attackers can obtain access to the device via TELNET using a hardcoded account.
CVE-2018-1253
PUBLISHED: 2018-06-21
RSA Authentication Manager Operation Console, versions 8.3 P1 and earlier, contains a stored cross-site scripting vulnerability. A malicious Operations Console administrator could potentially exploit this vulnerability to store arbitrary HTML or JavaScript code through the web interface. When other ...
CVE-2018-1254
PUBLISHED: 2018-06-21
RSA Authentication Manager Security Console, versions 8.3 P1 and earlier, contains a reflected cross-site scripting vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability by tricking a victim Security Console administrator to supply malicious HTML or JavaScript...
CVE-2018-12615
PUBLISHED: 2018-06-21
An issue was discovered in switchGroup() in agent/ExecHelper/ExecHelperMain.cpp in Phusion Passenger before 5.3.2. The set of groups (gidset) is not set correctly, leaving it up to randomness (i.e., uninitialized memory) which supplementary groups are actually being set while lowering privileges.
CVE-2016-10723
PUBLISHED: 2018-06-21
** DISPUTED ** An issue was discovered in the Linux kernel through 4.17.2. Since the page allocator does not yield CPU resources to the owner of the oom_lock mutex, a local unprivileged user can trivially lock up the system forever by wasting CPU resources from the page allocator (e.g., via concurre...