Vulnerabilities / Threats

8/17/2017
02:00 PM
David Zahn
David Zahn
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
100%
0%

Critical Infrastructure, Cybersecurity & the 'Devils Rope'

How hackers today are engaging in a modern 'Fence Cutter War' against industrial control systems, and what security professionals need to do about it.

The Homestead Act of 1862 promised US citizens that if they settled and farmed frontier land for five years, it was theirs to own. One of the primary challenges settlers faced was finding fencing materials to protect their crops from open-range cattle. Barbed wire was invented as an inexpensive way to secure property lines. 

The use of barbed wire exploded, and the West was quickly carved into small parcels. Unfortunately, its ubiquity disrupted the cattleman's way of life restricting free access to grazing lands, and barbed wire soon became known as the "Devil’s Rope." Eventually, the great Fence Cutter War broke out, during which bands of outlaws sponsored by cattle barons, and in some cases local governments, snipped fences and destroyed crops in the hope of taking back public land use.

Today, we are in our own Fence Cutter War. The modern outlaw, or hacker, is successfully snipping firewalls and other perimeter-based defenses. Instead of crops, critical infrastructure industries (such as refining, power generation, and chemical) see increasing attacks on endpoints that have primary responsibility for safety and production reliability. These endpoints — the industrial control systems (ICS) — are ill-prepared for any assault because they were designed, built, and implemented well before "secure by design" was a concept. 

Additionally, traditional ICS security controls, such as air gapping, security by obscurity, and complexity, have diminished in effectiveness. External attackers have learned enough about these systems, having performed reconnaissance for years and leveraged nation-state sponsorships to develop sufficient attack capabilities. CrashOverride, the sophisticated, modular malware built to attack power grids outside of Ukraine, underscores this point.

So, what should industrial process facilities do to secure systems that have both informational and physical implications? These four best practices can help reduce risk significantly.

Know What You Have
Nearly 80% of all cyber assets in a facility are opaque to security personnel. Spreadsheets, the dominant inventory tool, are prone to errors and information gaps. Due to manual data collection methods, configuration data is not captured, which makes generally accepted IT cybersecurity best practices (unauthorized change detection, for example) difficult to perform. Imagine not knowing basic configuration information on servers running financial or trading systems in a bank. This is clearly unacceptable, but it is the reality of cybersecurity in industrial facilities today.

Industrial companies must apply basic cybersecurity principles and automatically collect complete ICS information, including configuration data. The trick is doing so across the wide variety of vendor systems that typically exist in an industrial plant — each with its own proprietary architecture. Anything less provides only partial visibility into critical cyber assets.

Focus on What's Important
Change is a constant in any industrial process facility. Configuration changes easily number in the thousands within any given week for industrial systems, which is why superficial file comparisons, such as checksums, fall short as indicators of compromise. Security personnel need to understand what changed if they are to execute an effective investigatory process.

Not all changes — or cyber assets, for that matter — are created equal. It is important to monitor only a subset of available configuration data, so that asset owners and cybersecurity teams can focus primarily on the data that relates to production and safety. A risk assessment process typically defines this data set.

Reduce Attack Surfaces through Vulnerability Management
When ICS-CERT releases a vulnerability advisory on multiple models and versions of a transmitter, for instance, most companies rely on email responses from facility asset owners or managers to know whether they have affected systems. Not surprisingly, this means vulnerabilities can remain undiscovered for months or even years. Even when a vulnerability is identified, patching is not necessarily the first option if the asset owner suspects it may affect reliability. In fact, the entire patching process too often lacks transparency, and individual facilities are left to their own devices when determining whether to patch, mitigate risk, or do nothing.

Attaining visibility into all the cyber assets in an industrial facility gives sufficient detail for security teams to identify exposure to vulnerabilities and eliminate reliance on email responses. Whether systems are patched or not is still the asset owner's call, but those decisions and resulting actions require automated tracking. Internal and regulatory standards typically need these electronic breadcrumbs for audit purposes. 

Investigate Unauthorized Change
Although outsider attacks make good headlines, insider threats are just as real (but rarely publicly reported). Both can produce unauthorized changes with similar consequences. Imagine an engineer updating a field instrument's flow rate in a highly volatile chemical process, but instead of setting the high range to 1,004, it is set accidently to 1,104. Such a small change can disrupt production and would certainly require remediation.

With full configuration data on all major cyber assets collected, changes monitored, and incident response protocols defined for security-related data sets, asset owners can investigate unauthorized change armed with specifics on what changed. Automating this process drives consistent behavior and informs more-targeted training programs.

End the War
The great Fence Cutter War stopped when laws were passed enacting stiff fines and jail time for snipping fences as well as preventing access to public lands. Nearly overnight, the number of fence-cutting incidents fell to a mere trickle. All this was achieved because the attacks originated within the confines of state borders. Unfortunately for us, critical infrastructure attackers live outside of country borders, and attribution as well as prosecution are difficult at best.

Limited government deterrence policies leave critical infrastructure companies to fend for themselves in protecting their most critical cyber assets: industrial control systems. The recommendations outlined here — as obvious as they may seem to the IT cybersecurity professional — are not widely adopted today and must rise in priority if we are to ensure reliability and safety. At stake is access to products and services upon which we all rely in our daily lives, including gasoline in our cars and electricity for our homes.

Learn from the industry’s most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Click for more info and to register.

Related Content:

As General Manager of the Cybersecurity Business Unit at PAS, David Zahn leads corporate marketing and strategic development of the PAS Integrity Software Suite. David has held numerous leadership positions in the oil and gas, information technology, and outsourcing ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
EddieH77001
50%
50%
EddieH77001,
User Rank: Author
1/3/2018 | 11:33:26 PM
ICS Security
Securing the Industrial IoT, including the ICS, is a daunting task for the energy sector. These are highly complex, proprietary, heterogenous and multigenerational systems that were not designed with security in mind. Leading companies in the oil & gas and chemical industries are not waiting for the government to issue regulatory mandates; they are proactively securing their control systems because it's the right thing to do to protect their shareholders, their reputation, and the safety of their personnel and the surrounding communities.
robertmcfarlane
50%
50%
robertmcfarlane,
User Rank: Author
8/18/2017 | 11:11:50 AM
People, Process, Tools
Excellent insights David.  Finding the right mix of skilled staff, disciplined processess and expert tools is a hard balancing act in cyber, especially in ICS environments.  Creating and maintaining enough friction to secure the infrastructure without too much pressure on productivity is also difficult.  I like your point about policies leaving companies to "fend for themselves" - its going to be a long and fruitless wait if we expect government to be the solution here!
Microsoft President: Governments Must Cooperate on Cybersecurity
Kelly Sheridan, Staff Editor, Dark Reading,  11/8/2018
To Click or Not to Click: The Answer Is Easy
Kowsik Guruswamy, Chief Technology Officer at Menlo Security,  11/14/2018
Veterans Find New Roles in Enterprise Cybersecurity
Kelly Sheridan, Staff Editor, Dark Reading,  11/12/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Online Malware and Threats: A Profile of Today's Security Posture
Online Malware and Threats: A Profile of Today's Security Posture
This report offers insight on how security professionals plan to invest in cybersecurity, and how they are prioritizing their resources. Find out what your peers have planned today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-19279
PUBLISHED: 2018-11-14
PRIMX ZoneCentral before 6.1.2236 on Windows sometimes leaks the plaintext of NTFS files. On non-SSD devices, this is limited to a 5-second window and file sizes less than 600 bytes. The effect on SSD devices may be greater.
CVE-2018-19280
PUBLISHED: 2018-11-14
Centreon 3.4.x has XSS via the resource name or macro expression of a poller macro.
CVE-2018-19281
PUBLISHED: 2018-11-14
Centreon 3.4.x allows SNMP trap SQL Injection.
CVE-2018-17960
PUBLISHED: 2018-11-14
CKEditor 4.x before 4.11.0 allows user-assisted XSS involving a source-mode paste.
CVE-2018-19278
PUBLISHED: 2018-11-14
Buffer overflow in DNS SRV and NAPTR lookups in Digium Asterisk 15.x before 15.6.2 and 16.x before 16.0.1 allows remote attackers to crash Asterisk via a specially crafted DNS SRV or NAPTR response, because a buffer size is supposed to match an expanded length but actually matches a compressed lengt...