Even though industrial network connections keep multiplying, and did so even faster during the COVID-19 pandemic, the vulnerabilities that come with them can still be understood and addressed as failure modes, safety issues and process interruptions.
“Industrial cybersecurity is meant to allow processes and machines to run as intended, and anything that interrupts them—malicious or not—falls under the definition of a cybersecurity event,” says Jeffrey Shearer, coauthor and cybersecurity instructor at SANS Institute and chief automation officer at Morris Thermal Solutions. “Software programs found in embedded systems like the PLC or HMI and those found on a computer system, which are connected or related to the machine or process, can be used to create a cyber-incident by simply misusing the poorly written code or misusing the network in a poorly architected system against the machines or processes.”
Shearer adds that users must ask themselves, “Did I program the machine or process to do the right thing?” and “Did I program the thing right?” This is an important difference because programmers often don’t fully understand what a machine or plant-floor process is supposed to be doing.
“They often don’t spend time with the mechanical or process engineering teams to understand use cases and especially abuse cases,” explains Shearer. “As programmers, we need to evolve to the point of asking not only how to make something work, but we should also ask how do we spot abuse cases and guard against them with the follow-up question, ‘What should we do when we’re in an abuse scenario?’”
Employ a failure-and-interruption mindset
Tim Conway, industrial control system (ICS) curriculum director at SANS Institute, adds that treating cybersecurity as a component of your process safety program is essential, especially after the lessons learned from the well-known Trisis malware attack against a Triconex safety controller at a Middle East petrochemical facility in 2017.
“Similar to traditional physical areas of concern like equipment failure, degradation, storm-related impacts or animal-induced problems, cybersecurity issues are also failure modes that can be planned for and potentially designed around,” says Conway. “Physical faults, misconfigurations, and human error can often be the culprit behind process and system failures, but that doesn’t mean there was malicious intent behind them. Adversaries and defenders alike can learn from these failures.”
Conway concedes that most process applications and plants have grown more complex and interconnected, so they can’t be operated manually as easily as they were 30-40 years ago. However, to maintain defense-in-depth despite these increasing connections, users must recognize that their cybersecurity tools need access to their operations environments, and that probes and intrusions will likely follow.
“Many organizations are adding two-factor authentication systems, endpoint antivirus software like Symantec or McAfee, or asset monitoring solutions like SolarWinds, but all these tools must have a pathway and two-way data access to the devices that defenders care about, or they wouldn’t need cybersecurity,” explains Conway. “However, these hub-and-spoke solutions can also provide the same trusted path for potential attackers.”
To close these avenues, some users with mission-critical processes in nuclear and military settings physically isolate their equipment and networks with data diode hardware and single-strand, fiber-optic connections that can only transmit data outward. Conway reports this method is still more secure than publish-subscribe communications protocols like MQTT, whose bidirectional digital pathways can still be manipulated.
Closer connections, more IT interest
Shearer reports that SANS is seeing more IT professionals showing interest in getting educated about cybersecurity paths into ICSs and assuming more responsibility for securing those paths.
“Because the pandemic caused more connections due to more remote work, more users who aren’t as familiar with their plant floor are realizing they need to support it,” says Shearer. “Another reason for this interest is that cloud-computing services like Amazon Web Services (AWS) and their counterparts use a lot of data processing, and these data centers are dependent on ICS systems. For example, these data centers rely on cooling and power systems being always available, but we find these systems are programmed and supported by ICS teams without being part of the IT cybersecurity program. When an ICS cybersecurity incident occurs and it affects IT systems, then the response needs to involve the IT cyber team. We need to identify these ICS and IT reliance relationships and include them in a broader cybersecurity plan.
“We’re also seeing an explosion of wireless and pervasive sensors that are a dime a dozen, and they’re creating even more connections and producing more data, too. Again, this means more remote applications, more logs and managed services at the center, and more work for the cloud and the ICSs. While not all data is sent to the cloud, nor should it be, we do need to accept that this architecture is real, it exists, and companies are doing it, so we, the ICS cybersecurity teams, need to figure out how to support these requirements in a secure manner.”
Better-tailored tools
Fortunately, cybersecurity tools for ICS have also been improving. They no longer rely solely on traditional IT-based detection signatures or on Active Directory for basic authentication; instead, the available security offerings can now be tailored by asset owners to the individual needs of the applications and users implementing them. These include authentication packages in Rockwell Automation’s FactoryTalk software and similar solutions from ABB and Siemens, as well as third-party software solutions from Dragos, Nozomi, Tripwire and Industrial Defender, according to Shearer.
In conjunction with these software tools, users are often told to follow cybersecurity standards such as IEC 62443 or guidelines such as the NIST Cybersecurity Framework. Unfortunately, Shearer reports these documents are mainly adopted by large organizations, and encompass so much content that many smaller users never learn how to use them effectively and simply don’t apply them at all. SANS suggests that users instead follow its five ICS Cybersecurity Critical Controls (see sidebar). A whitepaper on the latest version is at www.sans.org/white-papers/five-ics-cybersecurity-critical-controls/.
“All of this starts with asset owners doing an inventory and cybersecurity risk assessment (RA), and identifying what’s critical,” says Shearer. “While manipulation can come from a direct physical connection, most attacks that we see come from probes and intrusions via networks. This is why the most common defense and most solid response comes from our five principles: ICS incident response, defensible architecture, ICS network visibility and monitoring, secure remote access, and risk-based vulnerability management. This is how to build a threat-informed defense.”