Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

02:00 PM
David Zahn
David Zahn
Connect Directly
E-Mail vvv

Critical Infrastructure, Cybersecurity & the 'Devil’s Rope'

How hackers today are engaging in a modern 'Fence Cutter War' against industrial control systems, and what security professionals need to do about it.

The Homestead Act of 1862 promised US citizens that if they settled and farmed frontier land for five years, it was theirs to own. One of the primary challenges settlers faced was finding fencing materials to protect their crops from open-range cattle. Barbed wire was invented as an inexpensive way to secure property lines. 

The use of barbed wire exploded, and the West was quickly carved into small parcels. Unfortunately, its ubiquity disrupted the cattleman's way of life restricting free access to grazing lands, and barbed wire soon became known as the "Devil’s Rope." Eventually, the great Fence Cutter War broke out, during which bands of outlaws sponsored by cattle barons, and in some cases local governments, snipped fences and destroyed crops in the hope of taking back public land use.

Today, we are in our own Fence Cutter War. The modern outlaw, or hacker, is successfully snipping firewalls and other perimeter-based defenses. Instead of crops, critical infrastructure industries (such as refining, power generation, and chemical) see increasing attacks on endpoints that have primary responsibility for safety and production reliability. These endpoints — the industrial control systems (ICS) — are ill-prepared for any assault because they were designed, built, and implemented well before "secure by design" was a concept. 

Additionally, traditional ICS security controls, such as air gapping, security by obscurity, and complexity, have diminished in effectiveness. External attackers have learned enough about these systems, having performed reconnaissance for years and leveraged nation-state sponsorships to develop sufficient attack capabilities. CrashOverride, the sophisticated, modular malware built to attack power grids outside of Ukraine, underscores this point.

So, what should industrial process facilities do to secure systems that have both informational and physical implications? These four best practices can help reduce risk significantly.

Know What You Have
Nearly 80% of all cyber assets in a facility are opaque to security personnel. Spreadsheets, the dominant inventory tool, are prone to errors and information gaps. Due to manual data collection methods, configuration data is not captured, which makes generally accepted IT cybersecurity best practices (unauthorized change detection, for example) difficult to perform. Imagine not knowing basic configuration information on servers running financial or trading systems in a bank. This is clearly unacceptable, but it is the reality of cybersecurity in industrial facilities today.

Industrial companies must apply basic cybersecurity principles and automatically collect complete ICS information, including configuration data. The trick is doing so across the wide variety of vendor systems that typically exist in an industrial plant — each with its own proprietary architecture. Anything less provides only partial visibility into critical cyber assets.

Focus on What's Important
Change is a constant in any industrial process facility. Configuration changes easily number in the thousands within any given week for industrial systems, which is why superficial file comparisons, such as checksums, fall short as indicators of compromise. Security personnel need to understand what changed if they are to execute an effective investigatory process.

Not all changes — or cyber assets, for that matter — are created equal. It is important to monitor only a subset of available configuration data, so that asset owners and cybersecurity teams can focus primarily on the data that relates to production and safety. A risk assessment process typically defines this data set.

Reduce Attack Surfaces through Vulnerability Management
When ICS-CERT releases a vulnerability advisory on multiple models and versions of a transmitter, for instance, most companies rely on email responses from facility asset owners or managers to know whether they have affected systems. Not surprisingly, this means vulnerabilities can remain undiscovered for months or even years. Even when a vulnerability is identified, patching is not necessarily the first option if the asset owner suspects it may affect reliability. In fact, the entire patching process too often lacks transparency, and individual facilities are left to their own devices when determining whether to patch, mitigate risk, or do nothing.

Attaining visibility into all the cyber assets in an industrial facility gives sufficient detail for security teams to identify exposure to vulnerabilities and eliminate reliance on email responses. Whether systems are patched or not is still the asset owner's call, but those decisions and resulting actions require automated tracking. Internal and regulatory standards typically need these electronic breadcrumbs for audit purposes. 

Investigate Unauthorized Change
Although outsider attacks make good headlines, insider threats are just as real (but rarely publicly reported). Both can produce unauthorized changes with similar consequences. Imagine an engineer updating a field instrument's flow rate in a highly volatile chemical process, but instead of setting the high range to 1,004, it is set accidently to 1,104. Such a small change can disrupt production and would certainly require remediation.

With full configuration data on all major cyber assets collected, changes monitored, and incident response protocols defined for security-related data sets, asset owners can investigate unauthorized change armed with specifics on what changed. Automating this process drives consistent behavior and informs more-targeted training programs.

End the War
The great Fence Cutter War stopped when laws were passed enacting stiff fines and jail time for snipping fences as well as preventing access to public lands. Nearly overnight, the number of fence-cutting incidents fell to a mere trickle. All this was achieved because the attacks originated within the confines of state borders. Unfortunately for us, critical infrastructure attackers live outside of country borders, and attribution as well as prosecution are difficult at best.

Limited government deterrence policies leave critical infrastructure companies to fend for themselves in protecting their most critical cyber assets: industrial control systems. The recommendations outlined here — as obvious as they may seem to the IT cybersecurity professional — are not widely adopted today and must rise in priority if we are to ensure reliability and safety. At stake is access to products and services upon which we all rely in our daily lives, including gasoline in our cars and electricity for our homes.

Learn from the industry’s most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Click for more info and to register.

Related Content:

As General Manager of the Cybersecurity Business Unit at PAS, David Zahn leads corporate marketing and strategic development of the PAS Integrity Software Suite. David has held numerous leadership positions in the oil and gas, information technology, and outsourcing ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Author
1/3/2018 | 11:33:26 PM
ICS Security
Securing the Industrial IoT, including the ICS, is a daunting task for the energy sector. These are highly complex, proprietary, heterogenous and multigenerational systems that were not designed with security in mind. Leading companies in the oil & gas and chemical industries are not waiting for the government to issue regulatory mandates; they are proactively securing their control systems because it's the right thing to do to protect their shareholders, their reputation, and the safety of their personnel and the surrounding communities.
User Rank: Author
8/18/2017 | 11:11:50 AM
People, Process, Tools
Excellent insights David.  Finding the right mix of skilled staff, disciplined processess and expert tools is a hard balancing act in cyber, especially in ICS environments.  Creating and maintaining enough friction to secure the infrastructure without too much pressure on productivity is also difficult.  I like your point about policies leaving companies to "fend for themselves" - its going to be a long and fruitless wait if we expect government to be the solution here!
A Startup With NSA Roots Wants Silently Disarming Cyberattacks on the Wire to Become the Norm
Kelly Jackson Higgins, Executive Editor at Dark Reading,  5/11/2021
Cybersecurity: What Is Truly Essential?
Joshua Goldfarb, Director of Product Management at F5,  5/12/2021
3 Cybersecurity Myths to Bust
Etay Maor, Sr. Director Security Strategy at Cato Networks,  5/11/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-18
In Boostnote 0.12.1, exporting to PDF contains opportunities for XSS attacks.
PUBLISHED: 2021-05-18
Mikrotik RouterOs prior to stable 6.47 suffers from a memory corruption vulnerability in the /nova/bin/bfd process. An authenticated remote attacker can cause a Denial of Service (NULL pointer dereference).
PUBLISHED: 2021-05-18
Mikrotik RouterOs stable 6.47 suffers from a memory corruption vulnerability in the /nova/bin/diskd process. An authenticated remote attacker can cause a Denial of Service due to invalid memory access.
PUBLISHED: 2021-05-18
Mikrotik RouterOs stable 6.46.3 suffers from a memory corruption vulnerability in the log process. An authenticated remote attacker can cause a Denial of Service due to improper memory access.
PUBLISHED: 2021-05-18
Mikrotik RouterOs stable 6.46.3 suffers from a memory corruption vulnerability in the mactel process. An authenticated remote attacker can cause a Denial of Service due to improper memory access.