Commentary
8/2/2016 10:00 AM
Dana Pasquali

3 Steps Towards Building Cyber Resilience Into Critical Infrastructure

The integration of asset management, incident response processes and education is critical to improving the industrial control system cybersecurity landscape.

When you purchase a car, the manufacturer boasts about its high safety ratings and state-of-the-art features. Most people don’t truly appreciate those safety features, however, until an accident occurs and they need them. Not only are safety measures built in, but after you purchase your car the vehicle identification number (VIN) lets dealers and manufacturers alert you to necessary maintenance, recalls and upgrades when they detect design or part issues. These protocols are critical to driver safety, and often taken for granted.

Industrial control systems (ICS) are just as critical to daily life, yet cyber protections aren’t always built in, particularly when it comes to decades-old legacy systems. As a result, maintaining these older systems is critical. They also lack unique identification numbers that would let manufacturers alert industrial organizations to new vulnerabilities or recommended upgrades. Without ICS, operations in utilities and oil and gas would come to a halt, yet new research from RSA revealed that energy organizations, alongside government, ranked lowest in cyber maturity, with only 18 percent of respondents classifying as developed or advantaged. Further, incident response (IR) capabilities were reported to be either "ad hoc" or "nonexistent."

With attacks increasingly targeting critical infrastructure, as demonstrated in Ukraine, organizations can’t afford to wait to get into an “accident” – or experience an attack – to realize how vulnerable they are. Fortunately, the status quo is changing.

Focus is shifting toward cyber resilience for industrial control and safety systems, SCADA, power and electrical systems. Increasing cyber readiness requires building in resilience from the ground up and transforming organizational culture to one that understands and embraces cybersecurity. While there are various tactics companies should consider, three important steps should be taken immediately.

Step 1: Conduct an asset inventory
While energy companies are moving towards taking advantage of the digital age through more connected, digitally enabled machines, there is still a gap in having a full view of the assets themselves. Until you can perform asset management, you can’t perform risk management. Too frequently, operators and managers don’t have a full inventory of assets on the plant floor. Asset management is critical to understanding which equipment and systems require certain patches and how machines and endpoints are communicating across the plant.

In IT environments, computers interact with the network every time someone logs in, making it easier to keep track of access and network traffic. In large industrial organizations, assets may be connected, but not actively communicating with other machines. This doesn’t mean they aren’t vulnerable. Operators must keep tabs on their equipment to recognize risks and appropriately scale resources for a response effort. This is why NIST Guidelines mandate asset inventory and management as an essential part of cyber response. The asset inventory is the first critical step to improving an organization’s security posture before proactive maintenance, patching and hardening of ICS and machine software.
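As an added illustration of Step 1 (this is example code written for this page, not code from the article or from GE), the script below reconciles a plant asset inventory against passively observed network flows and a vendor advisory. It surfaces the three gaps the paragraph describes: hosts talking on the plant network that the inventory does not know about, inventoried assets that are connected but silent (still in scope for patching, and invisible to passive monitoring alone), and assets whose firmware falls below an advisory's fixed version, grouped by zone so a response effort can be scaled. Every vendor, model, address, firmware version and the advisory identifier is a constructed placeholder.

```python
"""Reconcile an ICS asset inventory against passive network observations
and a vendor advisory. Added example; all data below is constructed."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Version = Tuple[int, ...]


@dataclass(frozen=True)
class Asset:
    asset_id: str   # the plant's own tag, the ICS analogue of a VIN
    ip: str
    vendor: str
    model: str
    firmware: str
    zone: str       # network segment label, used to scope a response


def parse_version(text: str) -> Version:
    """'2.4.0' -> (2, 4, 0). Non-numeric characters are dropped so that
    comparisons never raise on vendor suffixes such as '1.4.2b'."""
    parts = []
    for field in text.split("."):
        digits = "".join(ch for ch in field if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


# Constructed inventory: what the plant believes it owns.
INVENTORY: List[Asset] = [
    Asset("PLC-101", "10.10.1.11", "ExampleCo", "XC-200", "2.3.1", "cell-1"),
    Asset("PLC-102", "10.10.1.12", "ExampleCo", "XC-200", "2.4.0", "cell-1"),
    Asset("HMI-01", "10.10.2.5", "ExampleCo", "ViewStation", "5.0.2", "supervisory"),
    Asset("RTU-07", "10.10.3.40", "OtherCorp", "R-70", "1.9.9", "substation"),
]

# Constructed flow records (src, dst, protocol) from a SPAN port over one day.
# PLC-102 never appears: it is connected to the network but silent.
OBSERVED_FLOWS: List[Tuple[str, str, str]] = [
    ("10.10.2.5", "10.10.1.11", "modbus/tcp"),
    ("10.10.2.5", "10.10.3.40", "dnp3"),
    ("10.10.1.11", "10.10.2.5", "modbus/tcp"),
    ("10.10.9.77", "10.10.1.11", "modbus/tcp"),   # host missing from inventory
]

# Constructed advisory with a placeholder id (not a real advisory).
ADVISORY = {
    "id": "EXAMPLE-ADVISORY-0001",
    "vendor": "ExampleCo",
    "model": "XC-200",
    "fixed_in": "2.4.0",   # firmware older than this is affected
}


def observed_hosts(flows) -> Set[str]:
    """Every address that appeared as a source or destination."""
    hosts: Set[str] = set()
    for src, dst, _proto in flows:
        hosts.update((src, dst))
    return hosts


def unknown_hosts(inventory, flows) -> Set[str]:
    """Hosts seen on the plant network that the inventory does not list."""
    known = {a.ip for a in inventory}
    return observed_hosts(flows) - known


def silent_assets(inventory, flows) -> List[str]:
    """Inventoried assets never seen on the wire. Silence is not safety: they
    remain in scope for patching and hardening, and passive monitoring alone
    would never have revealed them."""
    seen = observed_hosts(flows)
    return sorted(a.asset_id for a in inventory if a.ip not in seen)


def affected_assets(inventory, advisory) -> List[str]:
    """Assets matching the advisory's vendor/model with firmware below the fix."""
    fixed = parse_version(advisory["fixed_in"])
    return sorted(
        a.asset_id for a in inventory
        if a.vendor == advisory["vendor"]
        and a.model == advisory["model"]
        and parse_version(a.firmware) < fixed
    )


def zones_in_scope(inventory, asset_ids) -> Dict[str, List[str]]:
    """Group the given assets by zone so response resources can be sized per segment."""
    by_zone: Dict[str, List[str]] = {}
    for a in inventory:
        if a.asset_id in asset_ids:
            by_zone.setdefault(a.zone, []).append(a.asset_id)
    return by_zone


if __name__ == "__main__":
    print("unknown hosts on the wire:", sorted(unknown_hosts(INVENTORY, OBSERVED_FLOWS)))
    print("silent inventoried assets:", silent_assets(INVENTORY, OBSERVED_FLOWS))
    hit = affected_assets(INVENTORY, ADVISORY)
    print("affected by", ADVISORY["id"] + ":", hit)
    print("response scope by zone:", zones_in_scope(INVENTORY, hit))
```

Run with the constructed data, it reports 10.10.9.77 as an unknown host, PLC-102 as a silent asset, and PLC-101 (firmware 2.3.1) as the only unit affected by the advisory, all of it in zone cell-1. The same three checks work against a real inventory export and flow log once the records are loaded into the same shapes.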

Step 2: Develop and test incident response plans
The implementation of an enterprise IR plan facilitates effective action in case of a cyber incident. Enterprise knowledge around how to engage efficiently with vendors – meaning when to reach out and why – significantly improves responsiveness during an incident. It also helps reduce the duplication of work for both facility owners and vendors so each can individually determine and manage security services.
While many industrial organizations have an IR plan in place, very few run through a routine simulation exercise of that plan. Simulated exercises reveal incorrect assumptions made during the IR process and identify missing contacts or protocols critical for success. The plan should include correct contact information, a structured line of communication and organized roles and responsibilities, and it should be tested repeatedly to ensure its effectiveness.

Step 3: Train and empower your people
Cyber readiness demands a focus on people. The talent gap is widening, and IR plans often require employees to take on roles outside the scope of their day-to-day job functions. Further, when employees understand the risk and how they potentially contribute to it, they in turn will help avoid vulnerabilities as a result of human error. Critical infrastructure organizations need to be aggressive in providing training programs and continuing education opportunities in order to develop the workforce they need. They also need to help non-technical staff understand how their actions impact security. Historically, IT and operational technology (OT) functions have looked at technology solutions as a silver bullet. This thinking fails to recognize the human factor in cyber resilience and security. Maintaining the best and brightest in this field means ensuring employees are cyber-aware. People will continue to serve as the best defense.

The integration of asset management, IR processes and educated people is critical to improving the cybersecurity landscape. Our day-to-day functions rely on critical infrastructure – electricity, water and gas. A major cyber attack could create significant disruption and damage. Increasing cyber readiness will help transform critical infrastructure from the weakest link to the most resilient.

Dana Pasquali is a product management leader at GE Oil & Gas. Whether it is software, data or manufactured products, Dana has a record of turning around under-performing businesses and leading fun cross-functional teams globally. Her love of problem solving and new challenges ...

Comments
kwcharlie (User Rank: Apprentice)
8/13/2016 | 7:18:26 PM
Very good Dana, thank you
But "pearls before swine" for IT; but people like Ralph Langner appreciate it.  I wish you good luck getting IT to not trample them.  But you know you're up against an IT/CEO community that thinks the balloon popping in the Zero Days movie was a good example of Stuxnet attacking a PLC, and those IT's who popped it didn't hide their face when they did it like the others that did/said equally outrageous things about ICS and Cyber Security in that movie, but I digress.

IMHO we are still very vulnerable to another Stuxnet type attack. Ukraine wasn't even close to it; they just tripped out their "Mark#/MFR" [I was GE too] type controls.  They didn't even try to auto close a generator breaker out of phase like the Aurora test; little hardware or capacity was destroyed in the Ukraine, but it was tested on a real system [the Russian grid] like Stuxnet, not some Matlab type simulation, since it did trip the grid out.  Maybe a warning that next time they will disable the Sync Relays and allow real damage to the Ukrainian grid.

More recently: is anyone looking into the software in the "power-control module" that caused the Delta Air Server transformer fire? What better test bed for your new Stuxnet type worm embedded in a bunch of server farm UPS Inverters/Controls than an airline where you could monitor the attack, and recovery, from any airport with a Delta terminal.  No need to go to centrifuges at Oak Ridge to test your controller code on the hardware like Stuxnet did.

One of the few things Zero Days got right was that the Iranians would have never known about Stuxnet if "they" didn't move/change the attack up to destroying centrifuges from just making them not work as well.  The movie got it VERY wrong about WHO those "they" were, but that's another rant for someone like Langner, who's above my pay grade around who did what about Stuxnet.  Did I mention that the Zero Days movie did a serious disservice to the ICS [or IACS as Ralph says to remind people, like USNUKE, that Automation systems protections are exposed too] community?

I'm thinking what happened at Delta and SW airline servers could have been a test [or premature deployment] of an embedded worm as sophisticated as Stuxnet, but it is one of many other ICS reported incidents. How many are not reported?  I wouldn't trust Delta's statement that it was "when a critical power control module at a Delta data center malfunctioned, which caused a surge to the transformer and a loss of power"; that's IT doing big time CYA for good reason with the redundancy they bought for their servers.

OK, I'm also thinking Occam's razor says the Delta fire was just an old UPS controller failure and the recovery was seriously delayed because of poor advice/decisions by IT around Delta's server farm backup redundancy.  ICS's advice for triple redundancy was ignored I'm sure; it's only passenger inconveniences at one airline, not oil in the water.  IT says there's no need for any extensive ICS investigations here; IT has seen these UPS's fail all the time I'm told; we should have spent more money for more redundancy IT says, that's all.

If there is ever an attack as advanced as Stuxnet on us, we won't know it until it's too late if your advice isn't taken and we don't do more ICS forensics. The next Stuxnet attack won't be on a target as obscure as S7 control of inverters over 1000 Hz, and I see no sign the Sheldon Coopers of IT are any more likely to listen to us lowly Wolowitz Engineers; the Delta server farm backup transformer fire is just the most recent example.

Did I mention Zero Days is a very misleading movie in this ramble?  
enhayden (User Rank: Strategist)
8/3/2016 | 12:22:07 PM
Excellent Suggestions and Proper Order
Although a very brief article this is an excellent approach to developing resiliency in Critical Infrastructure.  Yes, you NEED to know your assets and you need to identify those assets by criticality.  Focus on the most critical assets for your plan.

Secondly, you NEED to have an incident response capability that is adequate and practiced.  It is kind of like moving into a house and the first thing you do is have a fire drill.  Why?  There's no fire... but the chance of a fire can strike anytime (i.e., a similar philosophy to "assumption of breach").

Thirdly, when you prepare your incident response, don't forget the external resources you need to have at hand.  Consider having a solid cyber security vendor at your fingertips that can respond to help immediately.  Don't forget outside counsel and the FBI/Secret Service for grave cyber attacks, etc.

Again, well done... perfect order of priorities.

Thanks!

Ernie Hayden CISSP CEH GICSP(Gold) PSP
_thecre (User Rank: Apprentice)
8/2/2016 | 1:57:59 PM
Cyber Reliance
Ms. Pasquali is right, America's infrastructure needs to be cyber reliant, our nation depends on it. For more information, please see the CircleID article, Achieving a Cyber-Reliant Infrastructure www.circleid[dot]com/posts/20120222_achieving_a_cyber_reliant_infrasructure/