Vulnerabilities / Threats

8/17/2017
02:00 PM
David Zahn
David Zahn
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
100%
0%

Critical Infrastructure, Cybersecurity & the 'Devils Rope'

How hackers today are engaging in a modern 'Fence Cutter War' against industrial control systems, and what security professionals need to do about it.

The Homestead Act of 1862 promised US citizens that if they settled and farmed frontier land for five years, it was theirs to own. One of the primary challenges settlers faced was finding fencing materials to protect their crops from open-range cattle. Barbed wire was invented as an inexpensive way to secure property lines. 

The use of barbed wire exploded, and the West was quickly carved into small parcels. Unfortunately, its ubiquity disrupted the cattleman's way of life restricting free access to grazing lands, and barbed wire soon became known as the "Devil’s Rope." Eventually, the great Fence Cutter War broke out, during which bands of outlaws sponsored by cattle barons, and in some cases local governments, snipped fences and destroyed crops in the hope of taking back public land use.

Today, we are in our own Fence Cutter War. The modern outlaw, or hacker, is successfully snipping firewalls and other perimeter-based defenses. Instead of crops, critical infrastructure industries (such as refining, power generation, and chemical) see increasing attacks on endpoints that have primary responsibility for safety and production reliability. These endpoints — the industrial control systems (ICS) — are ill-prepared for any assault because they were designed, built, and implemented well before "secure by design" was a concept. 

Additionally, traditional ICS security controls, such as air gapping, security by obscurity, and complexity, have diminished in effectiveness. External attackers have learned enough about these systems, having performed reconnaissance for years and leveraged nation-state sponsorships to develop sufficient attack capabilities. CrashOverride, the sophisticated, modular malware built to attack power grids outside of Ukraine, underscores this point.

So, what should industrial process facilities do to secure systems that have both informational and physical implications? These four best practices can help reduce risk significantly.

Know What You Have
Nearly 80% of all cyber assets in a facility are opaque to security personnel. Spreadsheets, the dominant inventory tool, are prone to errors and information gaps. Due to manual data collection methods, configuration data is not captured, which makes generally accepted IT cybersecurity best practices (unauthorized change detection, for example) difficult to perform. Imagine not knowing basic configuration information on servers running financial or trading systems in a bank. This is clearly unacceptable, but it is the reality of cybersecurity in industrial facilities today.

Industrial companies must apply basic cybersecurity principles and automatically collect complete ICS information, including configuration data. The trick is doing so across the wide variety of vendor systems that typically exist in an industrial plant — each with its own proprietary architecture. Anything less provides only partial visibility into critical cyber assets.

Focus on What's Important
Change is a constant in any industrial process facility. Configuration changes easily number in the thousands within any given week for industrial systems, which is why superficial file comparisons, such as checksums, fall short as indicators of compromise. Security personnel need to understand what changed if they are to execute an effective investigatory process.

Not all changes — or cyber assets, for that matter — are created equal. It is important to monitor only a subset of available configuration data, so that asset owners and cybersecurity teams can focus primarily on the data that relates to production and safety. A risk assessment process typically defines this data set.

Reduce Attack Surfaces through Vulnerability Management
When ICS-CERT releases a vulnerability advisory on multiple models and versions of a transmitter, for instance, most companies rely on email responses from facility asset owners or managers to know whether they have affected systems. Not surprisingly, this means vulnerabilities can remain undiscovered for months or even years. Even when a vulnerability is identified, patching is not necessarily the first option if the asset owner suspects it may affect reliability. In fact, the entire patching process too often lacks transparency, and individual facilities are left to their own devices when determining whether to patch, mitigate risk, or do nothing.

Attaining visibility into all the cyber assets in an industrial facility gives sufficient detail for security teams to identify exposure to vulnerabilities and eliminate reliance on email responses. Whether systems are patched or not is still the asset owner's call, but those decisions and resulting actions require automated tracking. Internal and regulatory standards typically need these electronic breadcrumbs for audit purposes. 

Investigate Unauthorized Change
Although outsider attacks make good headlines, insider threats are just as real (but rarely publicly reported). Both can produce unauthorized changes with similar consequences. Imagine an engineer updating a field instrument's flow rate in a highly volatile chemical process, but instead of setting the high range to 1,004, it is set accidently to 1,104. Such a small change can disrupt production and would certainly require remediation.

With full configuration data on all major cyber assets collected, changes monitored, and incident response protocols defined for security-related data sets, asset owners can investigate unauthorized change armed with specifics on what changed. Automating this process drives consistent behavior and informs more-targeted training programs.

End the War
The great Fence Cutter War stopped when laws were passed enacting stiff fines and jail time for snipping fences as well as preventing access to public lands. Nearly overnight, the number of fence-cutting incidents fell to a mere trickle. All this was achieved because the attacks originated within the confines of state borders. Unfortunately for us, critical infrastructure attackers live outside of country borders, and attribution as well as prosecution are difficult at best.

Limited government deterrence policies leave critical infrastructure companies to fend for themselves in protecting their most critical cyber assets: industrial control systems. The recommendations outlined here — as obvious as they may seem to the IT cybersecurity professional — are not widely adopted today and must rise in priority if we are to ensure reliability and safety. At stake is access to products and services upon which we all rely in our daily lives, including gasoline in our cars and electricity for our homes.

Learn from the industry’s most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Click for more info and to register.

Related Content:

As General Manager of the Cybersecurity Business Unit at PAS, David Zahn leads corporate marketing and strategic development of the PAS Integrity Software Suite. David has held numerous leadership positions in the oil and gas, information technology, and outsourcing ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
robertmcfarlane
50%
50%
robertmcfarlane,
User Rank: Author
8/18/2017 | 11:11:50 AM
People, Process, Tools
Excellent insights David.  Finding the right mix of skilled staff, disciplined processess and expert tools is a hard balancing act in cyber, especially in ICS environments.  Creating and maintaining enough friction to secure the infrastructure without too much pressure on productivity is also difficult.  I like your point about policies leaving companies to "fend for themselves" - its going to be a long and fruitless wait if we expect government to be the solution here!
5 Reasons the Cybersecurity Labor Shortfall Won't End Soon
Steve Morgan, Founder & CEO, Cybersecurity Ventures,  12/11/2017
BlueBorne Attack Highlights Flaws in Linux, IoT Security
Kelly Sheridan, Associate Editor, Dark Reading,  12/14/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security: 2017
A look at the biggest news stories (so far) of 2017 that shaped the cybersecurity landscape -- from Russian hacking, ransomware's coming-out party, and voting machine vulnerabilities to the massive data breach of credit-monitoring firm Equifax.
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.