A Solid Defense-in-Depth Program with Added Visibility can Help Provide an Early Warning System in Effort to Defend Against Attacks
By Davinder Harcharan, Siv Hilde Houmb, Ph.D. and Erlend A. Engum
Automation using advanced industrial control systems (ICSs) has brought modern production to the point where “things are making things” and doing so in the greater context of ubiquitous connectivity, popularly known as the Internet of Things (IoT).
But for all the associated benefits of better operating visibility, lower costs, and bigger profits, these developments also have their downsides. Namely, they have provided fertile grounds for the emergence of serious cyber threats against critical infrastructure. And, it seems those threats are ever increasing in their frequency and sophistication, taking advantage of the growing trend of integrating enterprise IT networks with networks linking ICSs and operating technology (OT).
After all, industries such as energy, power generation, communications, transportation and others considered part of critical infrastructure make rich targets for threat actors of all kinds. Years ago, most were rogue individuals, but today their ranks include individuals who are more educated and professional, possibly part of criminal gangs or terrorist organizations. As such, they have the skills and means that can amplify their abilities to penetrate even the strongest cyber defenses.
One case in point is the 2016 penetration of the U.S. National Security Agency (NSA), which is arguably the world’s most advanced electronic surveillance operation. Hackers stole many of its tools and code, offering them for sale on the Dark Web for nearly $700 million. Then, a year later, the consequences of the NSA break-in appeared when WannaCry ransomware attacked an estimated 230,000 Windows PCs worldwide, disrupting operations of Britain’s National Health Service and other big-name enterprises elsewhere. It’s reported the culprits behind that virus used an NSA tool in that attack.
Not all cyber attacks may seek to disrupt operations, however. Some aim to steal data or intellectual property, like what happened in the NSA hack. Such acts of theft or industrial espionage can affect the integrity of critical infrastructure operations, not to mention the competitiveness of private enterprise. The impacts of these intrusions can be quite costly, too, and occur months or years before detection. Advanced persistent threats, for example, can hide out in networks long before their activation to give their owners time to see if they have been detected. If not, the malware can then quietly do its work while applications, systems, and networks seem to operate normally.
A layered, defense-in-depth approach is the best practice leading security experts have recommended in the past and continue to implement in security programs. This layering approach can help alleviate the pitfalls of employing incomplete point solutions for cybersecurity by preventing a single point of failure.
In addition to that layered approach, there needs to be a cybersecurity bridge bringing together the strong knowledge of IT and OT professionals, so they can work more effectively as a team to provide the protection their organizations need against threat actors.
Whereas IT professionals tend to have computer science backgrounds, OT professionals come from process and industrial engineering backgrounds. The combination of these two perspectives can go a long way in fighting cyber threats as a single, formidable force for keeping hackers at bay.
New Technology, New Vulnerabilities
Ironically, many of industry’s innovations in automation and controls have created new cyber vulnerabilities. For example, for years, industry has been using Ethernet to link ICS networks to higher-level enterprise IT networks, so management can gain better views across all of their operations. Ethernet is also being used to connect the supervisory control and data acquisition (SCADA) networks running field devices. While this far-reaching integration has enabled better automation and control across process and discrete manufacturing industries, it has also opened new doors for hackers and malware to exploit.
That’s because Ethernet is a standards-based communications protocol – the world’s most widely used – that can enable hackers to find plenty of ways to penetrate its safeguards. What’s more, many controllers and human-machine interfaces (HMIs) have web browsers to enable remote monitoring and control of plant operation via laptops, tablets, and even smartphones. While this innovation has plenty of upsides, it also provides many more avenues for malware and attackers to penetrate OT systems.
Next on the list of growing vulnerabilities is the IoT and its fast-growing subset the Industrial IoT (IIoT). These describe a larger scale of interworking between traditional enterprise IT devices – desktops, servers, storage, and switches – plus the addition of machines, buildings and other infrastructure embedded with sensors, actuators and controllers. Many of the non-traditional, IP-enabled devices that are linking to the IoT, even simple devices such as home and office electronic thermostats, are contributing to what some call, in effect, an infinite attack surface because those devices lack the necessary safeguards to prevent intrusions.
While some automation suppliers design, engineer and build in strong cybersecurity safeguards into all of the industrial components, there are quite a few third-party devices do not have those safeguards built-in. This latter fact exposes users to attack vectors they are likely unaware of. For critical infrastructure industries especially, this means that even someone wearing a smart watch or carrying a simple cell phone could unwittingly compromise the security of an ICS network.
In addition, open-source operating systems and software are greatly expanding the attack surface of critical infrastructure and industry. If these platforms are not well-maintained, monitored, or updated when weaknesses are exposed, hackers will have additional vectors for attack.
Of course, one of the most common ways to penetrate ICSs and OT networks has nothing to do with Internet connectivity. It involves internal saboteurs – disgruntled employees or ones paid to plug in removable media (e.g., a flash drive) with malware to a connected device with a USB port.
Also vulnerable are employees or contractors, who might connect to the ICS network with laptops or other devices to perform maintenance work, upgrades or even diagnostic health checks, but not know their service equipment is already infected with malware.
Enterprise IT professionals have plenty to worry about in defending against cyber attacks on non-industrial networks that link users in front- and back-offices with each other and with file servers, data centers, cloud-based resources, and the Internet. This connectivity supports email, web-based collaboration tools and voice communications, plus applications and various company databases, such as enterprise resource planning (ERP), customer relationship management (CRM) tools and so forth. Should malware, data theft, and corrupted data or devices occur, user productivity and even a company’s transactional capabilities could be seriously disrupted.
But for all that’s at stake in the enterprise IT environment, their networks differ from industrial ICS and OT networks in one profound and vital way: People are rarely, if ever, hurt or worse should IT networks get breached and disrupted. This is one of the biggest differences between enterprise network security and industrial network security. If a hacker penetrates an industrial network and disrupts critical processes or controls, especially automated life safety protections, serious consequences could occur. A catastrophic incident could cause hundreds, even thousands, of casualties.
OT networks differ from enterprise IT networks in other important ways, too.
First, ICS networks include lower-level supervisory control and data acquisition (SCADA) systems that operate at the machine level on factory floors. These ICS and SCADA networks are often linked to enterprise networks, which have external-facing vulnerabilities that can open doors for hackers. Wireless SCADA systems, often operating from remote locations using public IP addresses, are also vulnerable to attack, accessible via their wireless media, which include cellular, 900MHz radio, satellite and microwave.
In addition, industrial networks must often operate 24×7, in real- or near-real time and require 99.9 percent uptime or better (99.99 or 99.999 percent in the case of public communication networks). In contrast, enterprise IT networks typically operate on a best-effort basis (so a break in one part of the network forces routers to send data packets down alternate paths) and be available during “business hours.” Point is, the disruption risks of a security breach in an ICS or SCADA network can be much greater than for an enterprise IT network. What’s more, upgrades to anti-virus applications and other conventional IT safeguards, such as firewalls, can be disruptive to the real-time, 24×7 operating requirements of ICS and SCADA networks.
At the same time, the integration of a company’s legacy plant systems with its enterprise systems by interconnecting industrial and corporate networks can be complex. And that’s not to mention the frequent need to provide network access to external third parties, such as OEMs of plant machines, via the public Internet. Not only does external connectivity create vulnerabilities, but the integration also introduces ambiguity within companies as to which group – enterprise IT or process/industrial engineering teams – owns responsibility for overall cybersecurity.
Another set of security issues with industrial networks involves their evolution from early patchworks of electrical relays or antiquated microprocessor controllers and manually monitored indicator lights, trips and breakers. While those legacy systems might work well enough to operate relatively simple processes even today, they likely lack proper security controls.
Nonetheless, they may well be connected to modern distributed control systems (DCSs) that feature the latest programmable logic controllers (PLCs). The latter are mini-computers using Windows or Linux and are connected over industrial Ethernet to human-machine interfaces (HMIs). In turn, these HMIs are often accessible anywhere in the world via PCs or touchscreen tablets and smartphones – by legitimate plant operators or by hackers exploiting the vulnerabilities in the connections between old and new systems.
Division of Systems
A modern industrial plant can divide its common control system architectures into zones with clear boundaries to support multiple cyber-defense layers.
However, even with clear network segmentation and defense-in-depth models deployed, attacks on the ICS and OT networks of critical infrastructure and industrial plants can be quite sophisticated even on devices not directly Internet facing. Examples are the programmable logic controllers (PLCs) that provide ICSs with their operating intelligence.
The use of defense-in-depth approaches such as zone segmentation are recommended approaches and they do work. However, these countermeasures, without the inclusion of the capability to detect attacks, have their limits.
“Defense-in-Depth measures do not and cannot protect all vulnerabilities and weaknesses in an ICS environment. They are applied, primarily, to slow down an attacker enough to allow IT and OT personnel to detect and respond to ongoing threats, or to make the effort on the attacker’s side so cumbersome that they decide to put their effort toward easier prey,” said officials at the ICS-CERT.
On top of that, then you have the most insidious type of cyber threat to ICSs and OT of critical infrastructure and industry at large, which are advanced persistent threats (APTs), also known as “low-and-slow” attacks. These are hard to detect before an attack fully executes, because they operate under the radar of most conventional IT cybersecurity tools.
Without disrupting network or ICS operations, an APT will execute a series of small events that may not constitute an actual cyber attack, but these events could still be anomalous and indicate malevolent intent. Examples include the appearance of new, copycat or forked processes or forked memory usage that occur outside of normal and prior observed ICS or network behaviors.
That is also where more visibility into the network becomes paramount. Something along the lines of a network intrusion-detection system (IDS) that is non-intrusive, anomaly-based, detection software technology. The technology could provide early-warning network monitoring and sophisticated intrusion detection capabilities to identify and isolate cyber threats that may be undetectable by conventional IT security tools. It could then provide early and actionable alerts to help incident response (IR) to be managed by IT and OT teams, depending on their IR protocols and respective responsibilities.
In effect, the technology adds critical, extra hardening to the defense-in-depth cybersecurity umbrella already protecting ICS networks and any enterprise IT networks to which they’re connected.
Early Warning Essential
The growing sophistication and frequency of cyber threats will pose ever greater dangers to the world’s critical infrastructure and industry at large. A defense-in-depth approach, that includes a security mechanism providing early-warning detection tailored to the industrial infrastructure, is an essential component. It must be able to identify and contain advanced persistent threats and other malware endangering ICS and OT networks, while also respecting the operating demands of ICS and OT networks.
Davinder Harcharan is with Siemens Industry Inc., Siv Hilde Houmb, Ph.D. and Erlend A. Engum are with Secure-NOK AS.