8/17/2017
David Zahn
Commentary
Critical Infrastructure, Cybersecurity & the 'Devil's Rope'

How hackers today are engaging in a modern 'Fence Cutter War' against industrial control systems, and what security professionals need to do about it.

The Homestead Act of 1862 promised US citizens that if they settled and farmed frontier land for five years, it was theirs to own. One of the primary challenges settlers faced was finding fencing materials to protect their crops from open-range cattle. Barbed wire was invented as an inexpensive way to secure property lines. 

The use of barbed wire exploded, and the West was quickly carved into small parcels. Unfortunately, its ubiquity disrupted the cattleman's way of life by restricting free access to grazing lands, and barbed wire soon became known as the "Devil's Rope." Eventually, the great Fence Cutter War broke out, during which bands of outlaws sponsored by cattle barons, and in some cases local governments, snipped fences and destroyed crops in the hope of taking back public land use.

Today, we are in our own Fence Cutter War. The modern outlaw, or hacker, is successfully snipping firewalls and other perimeter-based defenses. Instead of crops, critical infrastructure industries (such as refining, power generation, and chemical) see increasing attacks on endpoints that have primary responsibility for safety and production reliability. These endpoints — the industrial control systems (ICS) — are ill-prepared for any assault because they were designed, built, and implemented well before "secure by design" was a concept. 

Additionally, traditional ICS security controls, such as air gapping, security by obscurity, and complexity, have diminished in effectiveness. External attackers have learned enough about these systems, having performed reconnaissance for years and leveraged nation-state sponsorships to develop sufficient attack capabilities. CrashOverride, the sophisticated, modular malware built to attack power grids outside of Ukraine, underscores this point.

So, what should industrial process facilities do to secure systems that have both informational and physical implications? These four best practices can help reduce risk significantly.

Know What You Have
Nearly 80% of all cyber assets in a facility are opaque to security personnel. Spreadsheets, the dominant inventory tool, are prone to errors and information gaps. Due to manual data collection methods, configuration data is not captured, which makes generally accepted IT cybersecurity best practices (unauthorized change detection, for example) difficult to perform. Imagine not knowing basic configuration information on servers running financial or trading systems in a bank. This is clearly unacceptable, but it is the reality of cybersecurity in industrial facilities today.

Industrial companies must apply basic cybersecurity principles and automatically collect complete ICS information, including configuration data. The trick is doing so across the wide variety of vendor systems that typically exist in an industrial plant — each with its own proprietary architecture. Anything less provides only partial visibility into critical cyber assets.

Focus on What's Important
Change is a constant in any industrial process facility. Configuration changes easily number in the thousands within any given week for industrial systems, which is why superficial file comparisons, such as checksums, fall short as indicators of compromise. Security personnel need to understand what changed if they are to execute an effective investigatory process.

Not all changes — or cyber assets, for that matter — are created equal. It is important to monitor only a subset of available configuration data, so that asset owners and cybersecurity teams can focus primarily on the data that relates to production and safety. A risk assessment process typically defines this data set.

Reduce Attack Surfaces through Vulnerability Management
When ICS-CERT releases a vulnerability advisory on multiple models and versions of a transmitter, for instance, most companies rely on email responses from facility asset owners or managers to know whether they have affected systems. Not surprisingly, this means vulnerabilities can remain undiscovered for months or even years. Even when a vulnerability is identified, patching is not necessarily the first option if the asset owner suspects it may affect reliability. In fact, the entire patching process too often lacks transparency, and individual facilities are left to their own devices when determining whether to patch, mitigate risk, or do nothing.

Attaining visibility into all the cyber assets in an industrial facility gives sufficient detail for security teams to identify exposure to vulnerabilities and eliminate reliance on email responses. Whether systems are patched or not is still the asset owner's call, but those decisions and resulting actions require automated tracking. Internal and regulatory standards typically need these electronic breadcrumbs for audit purposes. 
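The matching step the section describes (advisory names models and versions; the inventory answers which assets are exposed, without waiting for email replies) looks like the following in code. This is an added example, not the article's or PAS's software. The inventory, the advisory contents and the advisory identifier are constructed for illustration; in practice the inventory would come from automated collection across vendor systems, and the affected-product list from the published advisory.

```python
"""Match a vulnerability advisory against an ICS asset inventory and keep an
auditable record of the patch/mitigate/accept decision for each exposed asset.

Constructed example: assets, advisory and the advisory id are made up.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple


def version_key(text: str, width: int = 4) -> Tuple[int, ...]:
    """Turn a dotted firmware version ('3.1', '3.1.0', '2.0b') into a padded
    integer tuple so that '3.1' and '3.1.0' compare equal."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    parts = parts[:width] + [0] * (width - len(parts))
    return tuple(parts)


@dataclass
class Asset:
    asset_id: str
    site: str
    vendor: str
    model: str
    firmware: str
    safety_related: bool


@dataclass
class AffectedProduct:
    vendor: str
    model: str
    min_version: Optional[str]    # inclusive lower bound; None = none
    fixed_version: Optional[str]  # exclusive upper bound; None = no fix yet


@dataclass
class Advisory:
    advisory_id: str
    products: List[AffectedProduct]


@dataclass
class Decision:
    asset_id: str
    advisory_id: str
    action: str         # one of VALID_ACTIONS
    justification: str
    decided_by: str
    decided_at: str     # UTC timestamp, the "electronic breadcrumb" for audit


VALID_ACTIONS = ("patch", "mitigate", "accept")


def is_affected(asset: Asset, product: AffectedProduct) -> bool:
    """Vendor and model must match; firmware must fall inside the affected range."""
    if asset.vendor.lower() != product.vendor.lower():
        return False
    if asset.model.lower() != product.model.lower():
        return False
    v = version_key(asset.firmware)
    if product.min_version is not None and v < version_key(product.min_version):
        return False
    if product.fixed_version is not None and v >= version_key(product.fixed_version):
        return False
    return True


def exposed_assets(inventory: List[Asset], advisory: Advisory) -> List[Asset]:
    """Every inventoried asset that matches at least one affected product."""
    return [a for a in inventory if any(is_affected(a, p) for p in advisory.products)]


def record_decision(log: List[Decision], asset: Asset, advisory: Advisory,
                    action: str, justification: str, decided_by: str) -> Decision:
    """Whether to patch stays the asset owner's call, but the call is logged."""
    if action not in VALID_ACTIONS:
        raise ValueError(f"action must be one of {VALID_ACTIONS}, got {action!r}")
    entry = Decision(asset.asset_id, advisory.advisory_id, action, justification,
                     decided_by, datetime.now(timezone.utc).isoformat())
    log.append(entry)
    return entry


# Constructed inventory (vendor, model and firmware values are fictitious).
INVENTORY = [
    Asset("FT-101", "Unit 1", "ExampleCo", "FlowTx 2000", "3.0.4", True),
    Asset("FT-102", "Unit 1", "ExampleCo", "FlowTx 2000", "3.2.0", True),
    Asset("PT-210", "Unit 2", "ExampleCo", "PressTx 500", "1.9", False),
    Asset("TT-305", "Unit 3", "OtherVendor", "FlowTx 2000", "3.0.4", True),
]

# Constructed advisory; "ICSA-EXAMPLE-0001" is a placeholder, not a real advisory.
ADVISORY = Advisory("ICSA-EXAMPLE-0001", [
    AffectedProduct("ExampleCo", "FlowTx 2000", None, "3.1.0"),
    AffectedProduct("ExampleCo", "PressTx 500", "1.5", "2.0"),
])

if __name__ == "__main__":
    log: List[Decision] = []
    for asset in exposed_assets(INVENTORY, ADVISORY):
        print(f"{asset.asset_id} ({asset.site}) exposed to {ADVISORY.advisory_id}")
        action = "patch" if not asset.safety_related else "mitigate"
        record_decision(log, asset, ADVISORY, action,
                        "constructed justification", "asset owner")
    for d in log:
        print(d)
```

Only FT-101 and PT-210 match here: FT-102 already runs the fixed firmware, and TT-305 is the same model from a different vendor. The padded version key matters because an asset reporting "3.1" and an advisory naming "3.1.0" as the fix must compare as equal, otherwise the asset is wrongly flagged.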

Investigate Unauthorized Change
Although outsider attacks make good headlines, insider threats are just as real (but rarely publicly reported). Both can produce unauthorized changes with similar consequences. Imagine an engineer updating a field instrument's flow rate in a highly volatile chemical process, but instead of setting the high range to 1,004, it is set accidentally to 1,104. Such a small change can disrupt production and would certainly require remediation.

With full configuration data on all major cyber assets collected, changes monitored, and incident response protocols defined for security-related data sets, asset owners can investigate unauthorized change armed with specifics on what changed. Automating this process drives consistent behavior and informs more-targeted training programs.
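The two preceding sections ("Focus on What's Important" and "Investigate Unauthorized Change") describe one workflow: collect configuration, compare it field by field rather than by checksum, keep only the parameters the risk assessment marked as safety- or production-relevant, and separate changes that match an approved change record from those that do not. The following is an added example of that workflow, not code from the article or from PAS. The instrument configuration snapshots, the monitored-key set and the approved-change record are constructed; the 1,004 to 1,104 range change is the one the text uses.

```python
"""Field-level configuration change detection for an ICS asset.

Constructed example: both configuration snapshots, the monitored-key set and
the approved-change record are made up for illustration.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import Any, Dict, List, Set, Tuple

# Parameters that relate to production and safety. The risk assessment defines
# this set in practice; this one is constructed for the example.
MONITORED_KEYS: Set[str] = {
    "range.high", "range.low", "alarm.high_high", "alarm.low_low", "units",
}


def flatten(config: Dict[str, Any], prefix: str = "") -> Dict[str, Any]:
    """Flatten nested dicts into dotted paths so every parameter is comparable."""
    out: Dict[str, Any] = {}
    for key, value in config.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            out.update(flatten(value, path))
        else:
            out[path] = value
    return out


def checksum(config: Dict[str, Any]) -> str:
    """Whole-file checksum: says *that* something changed, never *what*."""
    return hashlib.sha256(json.dumps(config, sort_keys=True).encode()).hexdigest()


@dataclass(frozen=True)
class Change:
    path: str
    old: Any   # None when the parameter was added
    new: Any   # None when the parameter was removed


def diff_config(baseline: Dict[str, Any], current: Dict[str, Any]) -> List[Change]:
    """Every parameter whose value differs between the two snapshots."""
    a, b = flatten(baseline), flatten(current)
    return [Change(p, a.get(p), b.get(p))
            for p in sorted(set(a) | set(b)) if a.get(p) != b.get(p)]


def relevant_changes(changes: List[Change]) -> List[Change]:
    """Keep only changes to parameters the risk assessment marked as monitored."""
    return [c for c in changes if c.path in MONITORED_KEYS]


def classify(changes: List[Change],
             approved: List[Dict[str, Any]]) -> Tuple[List[Change], List[Change]]:
    """Split changes into those matching an approved change record (same path
    and same new value) and those with no approval: the ones to investigate."""
    authorized, unauthorized = [], []
    for c in changes:
        if any(r["path"] == c.path and r["new"] == c.new for r in approved):
            authorized.append(c)
        else:
            unauthorized.append(c)
    return authorized, unauthorized


# Constructed snapshot of a flow transmitter's configuration.
BASELINE = {
    "tag": "FT-101", "units": "kg/h",
    "range": {"low": 0, "high": 1004},
    "alarm": {"high_high": 980, "low_low": 20},
    "display": {"decimals": 1, "backlight": True},
    "last_calibration": "2017-06-01",
}

# Same instrument after a week of changes: one approved alarm retune, a cosmetic
# display change, a calibration date update, and the unapproved range error.
CURRENT = {
    "tag": "FT-101", "units": "kg/h",
    "range": {"low": 0, "high": 1104},
    "alarm": {"high_high": 990, "low_low": 20},
    "display": {"decimals": 1, "backlight": False},
    "last_calibration": "2017-08-10",
}

# Constructed approved-change record; the ticket id is a placeholder.
APPROVED_CHANGES = [
    {"path": "alarm.high_high", "new": 990, "ticket": "MOC-EXAMPLE-42"},
]

if __name__ == "__main__":
    print("checksum differs:", checksum(BASELINE) != checksum(CURRENT))
    changes = diff_config(BASELINE, CURRENT)
    authorized, unauthorized = classify(relevant_changes(changes), APPROVED_CHANGES)
    print("all changes:       ", [c.path for c in changes])
    print("authorized:        ", authorized)
    print("investigate:       ", unauthorized)
```

On this input the checksum only reports "changed"; the diff shows four changed parameters, the monitored-key filter drops the display and calibration-date changes, and the approval check leaves a single item to investigate: range.high moving from 1004 to 1104.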

End the War
The great Fence Cutter War stopped when laws were passed enacting stiff fines and jail time for snipping fences as well as preventing access to public lands. Nearly overnight, the number of fence-cutting incidents fell to a mere trickle. All this was achieved because the attacks originated within the confines of state borders. Unfortunately for us, critical infrastructure attackers live outside of country borders, and attribution as well as prosecution are difficult at best.

Limited government deterrence policies leave critical infrastructure companies to fend for themselves in protecting their most critical cyber assets: industrial control systems. The recommendations outlined here — as obvious as they may seem to the IT cybersecurity professional — are not widely adopted today and must rise in priority if we are to ensure reliability and safety. At stake is access to products and services upon which we all rely in our daily lives, including gasoline in our cars and electricity for our homes.



As General Manager of the Cybersecurity Business Unit at PAS, David Zahn leads corporate marketing and strategic development of the PAS Integrity Software Suite. David has held numerous leadership positions in the oil and gas, information technology, and outsourcing ...
Comments
EddieH77001, 1/3/2018 | 11:33:26 PM
ICS Security
Securing the Industrial IoT, including the ICS, is a daunting task for the energy sector. These are highly complex, proprietary, heterogeneous and multigenerational systems that were not designed with security in mind. Leading companies in the oil & gas and chemical industries are not waiting for the government to issue regulatory mandates; they are proactively securing their control systems because it's the right thing to do to protect their shareholders, their reputation, and the safety of their personnel and the surrounding communities.
robertmcfarlane, 8/18/2017 | 11:11:50 AM
People, Process, Tools
Excellent insights David. Finding the right mix of skilled staff, disciplined processes and expert tools is a hard balancing act in cyber, especially in ICS environments. Creating and maintaining enough friction to secure the infrastructure without too much pressure on productivity is also difficult. I like your point about policies leaving companies to "fend for themselves" - it's going to be a long and fruitless wait if we expect government to be the solution here!