By Gregory Hale
If a manufacturer can protect itself against an inside attack, then that line of defense should be strong enough to withstand a chunk of outside attacks.
“I will ask what are the top threats: Terrorists, hacktivists or control engineers?” Joel Langill of RedHat Cyber, an independent ICS security researcher, asked during his keynote address entitled “Improving System Resilience using Advanced Defenses” Tuesday at the 2014 Industrial Ethernet Infrastructure Design Seminar, Houston, TX. “The answer is control engineers. When you go into a site assessment, no one ever protects against the guy working inside. That is not to say he is a bad guy, he may just not know the right thing to do.”
“The control engineer is the greatest risk against the system,” Langill said. “The threat should not be running around with administrative privileges.”
The concept of protecting against the inside attack is a little bit different because what grabs the most headlines are the outside attacks like Stuxnet or the more recent Havex/Dragonfly. What most companies rely upon is short term or reactionary defense compared to a thought out comprehensive security program.
“Security right now is about short term tactical measures like patch management or installing antivirus,” Langill said. “Security has to get to thinking about strategic controls or long term planning.” One example he talked about along those lines is patch management.
“I am not a big supporter of patch management. There are other things that can help solve the issues,” he said. Instead, Langill said, there are other approaches that can ensure a secure environment that will protect the user against bad code until a patch can end up installed.
“I look at systems and I don’t bring standards with me, I just use common sense,” he said. Part of the common sense also falls in line with a standard: IEC 62443 which talks about segmentation through zones and conduits.
Zones and conduits is part of a defense in depth model that helps lock down a network. Using this model, a user should only allow minimum required traffic into zones and when threats do come through alarms sound. A conduit is a pathway of communications that exits and enters a zone. A zone is a specialized area on the network that needs protection.
Segmenting and protecting against inside attacks is part of a strong security program, but sometimes there are assaults on the system from the outside.
Langill talked about a few of the well-known attacks.
“Stuxnet was bad, but Havex is far, far worse,” he said. “Havex, or Dragonfly, is a lot more damaging for more people. In both cases basic security controls people are putting in today, the attacks would not be stopped. The problem is people are thinking tactically, but not strategically.”
Stuxnet was an attack created by the U.S. and Israel that sought to damage an uranium enrichment facility in Natanz, Iran, according to an ISSSource report.
Havex/Dragonfly is malware that targeted the pharmaceutical sector, not the energy sector as previously believed, according to a white paper written by Langill for Belden.
“I believe that the pharma companies are under an active attack,” Langill said in a previous report. “This conclusion was reached based on the information disclosed in reference to the Epic Turla campaign that is active at this time against the pharma industry. There are many similarities between Dragonfly and Epic Turla that allowed me to reach this conclusion.”
The consequences of Havex/Dragonfly:
• Unauthorized code execution
• Information disclosure
• Unauthorized remote access
• Unauthorized write access to control functions
• Denial of service/loss of view
“We are having to deal with problems today that we didn’t have to deal with yesterday,” Langill said. “These are the attacks we will have to deal with. Securing against tomorrow’s events means users must improve access control, gain situational awareness, and plan for a cyber incident.”
Attacks against industrial sites is continuing. While he said he could not get into specifics, Langill mentioned a South American refinery that had a malware breach that affected 3000 nodes and went through their PLCs.
The moral of the story is you can protect your company against inside and outside attacks, but if you have a target painted on your back, you better have a series of layers that can help slow down any kind on onslaught.
“No matter what, a targeted attack will be successful,” Langill said. “What we have learned over the years is, if someone has a specific target, they will get in. If you are targeted, you will be compromised.”
After an attack, it is just a matter of what kind of security program a user has and how vigilant they remain.
While that may sound daunting and kind of scary, in today’s environment users need to look at and focus on creating a security program. Fear and uncertainty should not stop people from moving into a stronger security posture.
“When you talk about security, people start to get that glazed over look in their eyes,” he said. “The reality of cyber security is we are constrained with time and money.”
The end results, though, are when a security program ends up implemented, uptime and productivity can increase.
“If you design a system to protect your system against the inside engineer,” Langill said, “you will protect yourself against most all attacks.”