8/17/2017 02:00 PM
David Zahn
Commentary

Critical Infrastructure, Cybersecurity & the 'Devil's Rope'

How hackers today are engaging in a modern 'Fence Cutter War' against industrial control systems, and what security professionals need to do about it.

The Homestead Act of 1862 promised US citizens that if they settled and farmed frontier land for five years, it was theirs to own. One of the primary challenges settlers faced was finding fencing materials to protect their crops from open-range cattle. Barbed wire was invented as an inexpensive way to secure property lines. 

The use of barbed wire exploded, and the West was quickly carved into small parcels. Unfortunately, its ubiquity disrupted the cattleman's way of life by restricting free access to grazing lands, and barbed wire soon became known as the "Devil's Rope." Eventually, the great Fence Cutter War broke out, during which bands of outlaws sponsored by cattle barons, and in some cases local governments, snipped fences and destroyed crops in the hope of taking back public land use.

Today, we are in our own Fence Cutter War. The modern outlaw, or hacker, is successfully snipping firewalls and other perimeter-based defenses. Instead of crops, critical infrastructure industries (such as refining, power generation, and chemical) see increasing attacks on endpoints that have primary responsibility for safety and production reliability. These endpoints — the industrial control systems (ICS) — are ill-prepared for any assault because they were designed, built, and implemented well before "secure by design" was a concept. 

Additionally, traditional ICS security controls, such as air gapping, security by obscurity, and complexity, have diminished in effectiveness. External attackers have learned enough about these systems, having performed reconnaissance for years and leveraged nation-state sponsorships to develop sufficient attack capabilities. CrashOverride, the sophisticated, modular malware built to attack power grids outside of Ukraine, underscores this point.

So, what should industrial process facilities do to secure systems that have both informational and physical implications? These four best practices can help reduce risk significantly.

Know What You Have
Nearly 80% of all cyber assets in a facility are opaque to security personnel. Spreadsheets, the dominant inventory tool, are prone to errors and information gaps. Due to manual data collection methods, configuration data is not captured, which makes generally accepted IT cybersecurity best practices (unauthorized change detection, for example) difficult to perform. Imagine not knowing basic configuration information on servers running financial or trading systems in a bank. This is clearly unacceptable, but it is the reality of cybersecurity in industrial facilities today.

Industrial companies must apply basic cybersecurity principles and automatically collect complete ICS information, including configuration data. The trick is doing so across the wide variety of vendor systems that typically exist in an industrial plant — each with its own proprietary architecture. Anything less provides only partial visibility into critical cyber assets.

Focus on What's Important
Change is a constant in any industrial process facility. Configuration changes easily number in the thousands within any given week for industrial systems, which is why superficial file comparisons, such as checksums, fall short as indicators of compromise. Security personnel need to understand what changed if they are to execute an effective investigatory process.

Not all changes — or cyber assets, for that matter — are created equal. It is important to monitor only a subset of available configuration data, so that asset owners and cybersecurity teams can focus primarily on the data that relates to production and safety. A risk assessment process typically defines this data set.

Reduce Attack Surfaces through Vulnerability Management
When ICS-CERT releases a vulnerability advisory on multiple models and versions of a transmitter, for instance, most companies rely on email responses from facility asset owners or managers to know whether they have affected systems. Not surprisingly, this means vulnerabilities can remain undiscovered for months or even years. Even when a vulnerability is identified, patching is not necessarily the first option if the asset owner suspects it may affect reliability. In fact, the entire patching process too often lacks transparency, and individual facilities are left to their own devices when determining whether to patch, mitigate risk, or do nothing.

Attaining visibility into all the cyber assets in an industrial facility gives sufficient detail for security teams to identify exposure to vulnerabilities and eliminate reliance on email responses. Whether systems are patched or not is still the asset owner's call, but those decisions and resulting actions require automated tracking. Internal and regulatory standards typically need these electronic breadcrumbs for audit purposes. 
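The matching step described above, as an added example that is not code from the article or from PAS: an automatically collected inventory (vendor, model, firmware, and the risk assessment's safety flag) is checked against an advisory's affected product line, and the asset owner's patch / mitigate / accept call is written to an audit record instead of living in an email thread. All asset identifiers, models, firmware versions, the advisory id and the work flow are constructed for the illustration.

```python
"""Matching a vulnerability advisory against an automatically collected
ICS asset inventory, then recording the asset owner's decision so an
audit trail exists.  Added example, not code from the article or PAS;
every asset, model, firmware version and advisory id is constructed."""

from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Asset:
    asset_id: str
    site: str
    vendor: str
    model: str
    firmware: str
    safety_related: bool  # flagged by the site's risk assessment


@dataclass(frozen=True)
class Advisory:
    """One affected product line: everything with the same vendor/model
    and a firmware strictly older than `fixed_in` is exposed."""
    advisory_id: str
    vendor: str
    model: str
    fixed_in: str


def parse_version(text: str) -> tuple:
    """'2.10.0' -> (2, 10, 0): compare numerically, because a plain string
    compare would wrongly place 2.10 before 2.9."""
    return tuple(int(part) for part in text.split("."))


def exposed_assets(inventory, advisories):
    """Return (asset, advisory) pairs for every inventory entry whose
    vendor/model matches an advisory and whose firmware predates the fix.
    Safety-related assets are listed first so they get attention first."""
    hits = []
    for adv in advisories:
        fixed = parse_version(adv.fixed_in)
        for asset in inventory:
            if (asset.vendor, asset.model) != (adv.vendor, adv.model):
                continue
            if parse_version(asset.firmware) < fixed:
                hits.append((asset, adv))
    hits.sort(key=lambda pair: (not pair[0].safety_related, pair[0].asset_id))
    return hits


DECISIONS = {"patch", "mitigate", "accept"}


def record_decision(asset, advisory, decision, owner, justification):
    """Audit record for the owner's call on one exposed asset.  Not patching
    is allowed, but it has to be a recorded decision with a stated reason."""
    if decision not in DECISIONS:
        raise ValueError(f"decision must be one of {sorted(DECISIONS)}")
    if not justification.strip():
        raise ValueError("a justification is required for audit")
    return {
        "asset_id": asset.asset_id,
        "advisory_id": advisory.advisory_id,
        "decision": decision,
        "owner": owner,
        "justification": justification,
        "recorded_at": datetime.now(timezone.utc).isoformat(),
    }


# Constructed inventory and advisory data for the demonstration.
INVENTORY = [
    Asset("A1", "Unit 100", "ExampleCo", "FT-200", "2.1.0", True),
    Asset("A2", "Unit 100", "ExampleCo", "FT-200", "2.10.0", False),
    Asset("A3", "Unit 200", "ExampleCo", "FT-300", "1.0.0", True),
    Asset("A4", "Unit 200", "OtherCo", "PLC-9", "4.2.0", True),
    Asset("A5", "Unit 300", "ExampleCo", "FT-200", "2.3.0", False),
]
ADVISORIES = [
    Advisory("ADV-EXAMPLE-001", "ExampleCo", "FT-200", "2.3.1"),
]

if __name__ == "__main__":
    for asset, adv in exposed_assets(INVENTORY, ADVISORIES):
        print(f"{asset.asset_id} {asset.model} fw {asset.firmware} "
              f"exposed to {adv.advisory_id} (fixed in {adv.fixed_in})")
```

The numeric version compare is the part that most often goes wrong in spreadsheet-driven processes: asset A2 on firmware 2.10.0 is correctly excluded, while A1 and A5 are reported, with the safety-related A1 first.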

Investigate Unauthorized Change
Although outsider attacks make good headlines, insider threats are just as real (but rarely publicly reported). Both can produce unauthorized changes with similar consequences. Imagine an engineer updating a field instrument's flow rate in a highly volatile chemical process, but instead of setting the high range to 1,004, it is set accidentally to 1,104. Such a small change can disrupt production and would certainly require remediation.

With full configuration data on all major cyber assets collected, changes monitored, and incident response protocols defined for security-related data sets, asset owners can investigate unauthorized change armed with specifics on what changed. Automating this process drives consistent behavior and informs more-targeted training programs.
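The two ideas above, that a checksum only says something changed while a field-level diff says what changed, and that an unauthorized change is one with no matching change record, as an added example that is not code from the article or from PAS. It uses the article's own scenario of a high range moving from 1,004 to 1,104 on a flow transmitter; the instrument tag, the monitored key set, the other settings and the work-order id are constructed.

```python
"""Detecting and triaging configuration changes on an ICS asset.  A checksum
over the whole snapshot only says that something changed; a field-level diff
restricted to the risk-assessment-defined key set says what changed and
whether a change record authorized it.  Added example, not code from the
article or PAS; the instrument, its settings and the work orders are
constructed."""

import hashlib
import json


def config_fingerprint(config: dict) -> str:
    """Whole-snapshot checksum: a cheap 'anything changed?' signal, useless
    on its own for deciding what to investigate."""
    canonical = json.dumps(config, sort_keys=True, default=str).encode()
    return hashlib.sha256(canonical).hexdigest()


def diff_config(before: dict, after: dict, monitored_keys: set) -> list:
    """Field-level differences, restricted to the keys the risk assessment
    tied to production and safety.  Keys outside the set (HMI colours,
    descriptions) are deliberately ignored to keep the volume reviewable."""
    changes = []
    for key in sorted(monitored_keys):
        old, new = before.get(key), after.get(key)
        if old != new:
            changes.append({"key": key, "old": old, "new": new})
    return changes


def classify_changes(asset_id: str, changes: list, approved: list) -> list:
    """Mark each change authorized if an approved change record for this
    asset, key and resulting value exists; everything else is unauthorized
    and goes to the investigation queue."""
    report = []
    for change in changes:
        match = next(
            (rec for rec in approved
             if rec["asset_id"] == asset_id
             and rec["key"] == change["key"]
             and rec["new"] == change["new"]),
            None,
        )
        report.append({
            **change,
            "authorized": match is not None,
            "work_order": match["work_order"] if match else None,
        })
    return report


def review_asset(asset_id, before, after, monitored_keys, approved):
    """Full pass for one asset: diff the monitored subset, then classify."""
    changes = diff_config(before, after, monitored_keys)
    return classify_changes(asset_id, changes, approved)


# Constructed data: a flow transmitter whose high range was meant to stay at
# 1,004; the later snapshot shows 1,104 (the article's scenario), plus an
# approved alarm-limit change and a cosmetic HMI change outside the set.
MONITORED_KEYS = {"high_range", "low_range", "units", "alarm_hi", "firmware"}
BEFORE = {"tag": "FT-101", "high_range": 1004, "low_range": 0, "units": "kg/h",
          "alarm_hi": 950, "firmware": "2.1.0", "hmi_color": "blue"}
AFTER = {"tag": "FT-101", "high_range": 1104, "low_range": 0, "units": "kg/h",
         "alarm_hi": 980, "firmware": "2.1.0", "hmi_color": "green"}
APPROVED = [
    {"asset_id": "FT-101", "key": "alarm_hi", "new": 980, "work_order": "WO-4471"},
]

if __name__ == "__main__":
    print("fingerprint changed:",
          config_fingerprint(BEFORE) != config_fingerprint(AFTER))
    for entry in review_asset("FT-101", BEFORE, AFTER, MONITORED_KEYS, APPROVED):
        status = ("authorized " + entry["work_order"]) if entry["authorized"] \
            else "UNAUTHORIZED"
        print(f"{entry['key']}: {entry['old']} -> {entry['new']} [{status}]")
```

Three changes hit the snapshot, but only two fall inside the monitored set, and only one of those has a work order behind it; the high-range edit surfaces as the single unauthorized change to investigate, with its old and new values attached rather than just a mismatched hash.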

End the War
The great Fence Cutter War stopped when laws were passed imposing stiff fines and jail time both for snipping fences and for fencing off public lands. Nearly overnight, the number of fence-cutting incidents fell to a mere trickle. All this was achieved because the attacks originated within the confines of state borders. Unfortunately for us, critical infrastructure attackers live outside of country borders, and attribution as well as prosecution are difficult at best.

Limited government deterrence policies leave critical infrastructure companies to fend for themselves in protecting their most critical cyber assets: industrial control systems. The recommendations outlined here — as obvious as they may seem to the IT cybersecurity professional — are not widely adopted today and must rise in priority if we are to ensure reliability and safety. At stake is access to products and services upon which we all rely in our daily lives, including gasoline in our cars and electricity for our homes.

As General Manager of the Cybersecurity Business Unit at PAS, David Zahn leads corporate marketing and strategic development of the PAS Integrity Software Suite. David has held numerous leadership positions in the oil and gas, information technology, and outsourcing ...

Comments
EddieH77001 (User Rank: Author), 1/3/2018 | 11:33:26 PM
ICS Security
Securing the Industrial IoT, including the ICS, is a daunting task for the energy sector. These are highly complex, proprietary, heterogeneous and multigenerational systems that were not designed with security in mind. Leading companies in the oil & gas and chemical industries are not waiting for the government to issue regulatory mandates; they are proactively securing their control systems because it's the right thing to do to protect their shareholders, their reputation, and the safety of their personnel and the surrounding communities.
robertmcfarlane (User Rank: Author), 8/18/2017 | 11:11:50 AM
People, Process, Tools
Excellent insights, David. Finding the right mix of skilled staff, disciplined processes and expert tools is a hard balancing act in cyber, especially in ICS environments. Creating and maintaining enough friction to secure the infrastructure without too much pressure on productivity is also difficult. I like your point about policies leaving companies to "fend for themselves" - it's going to be a long and fruitless wait if we expect government to be the solution here!