By Gregory Hale
An oil refinery was undergoing a performance review some years ago, and a team of security experts touring the facility went out to a remote station a long way from the main plant.
“We were working at an oil refinery and they had a remote station control room that was a mile off in the corner, and we went out to it for an inspection. What we found was the gate was hanging wide open and even though it was locked, you could crawl under the fence and then you were in a control room,” said Eric Byres, chief executive at software security validation provider, aDolus. “None of the security in the world would have helped.”
While that situation occurred years ago, the control room was live at the time, and anyone could have gotten in at pretty much any time and gone to work on it. That scenario shows the growing intersection of the triangle of safety, physical security and cyber security.
The distinction between digital and physical worlds is vanishing, while the risks associated with connectivity have accelerated the need for new overall security protections for all aspects of manufacturing.
Everyone must understand that attackers will leverage anything they can get their digital hands on to gain access to an OT system, including the enterprise security systems themselves, as a way to infiltrate a manufacturing enterprise.
“The triangle of safety, physical and cybersecurity have been acknowledged at least in the world of power utilities. After the Metcalf incident in California (where snipers drove up to a power substation and opened fire), the power utility industry was fully aware of the consequences of physical sabotage against power utility equipment,” said Dewan Chowdhury, chief executive and founder of security provider, malcrawler. “When the power utilities of America perform their GridEx exercise they include the combination of cyber-physical scenarios.”
Without adequate cyber protection for the connected physical security systems that protect critical infrastructure, OT environments may end up exposed and vulnerable. Every connection and connected device is an entry point, a golden opportunity for a breach.
A case in point is deploying IP cameras with default passwords, or without proper network segmentation, where they could serve as viable entry points into a network, which boosts the risk of attack. This is a common practice, as installers may not be aware of the cybersecurity consequences. The irony is the cameras are there to act as a security device, but they could end up being the access point for a breach.
“Without a doubt these three disciplines are converging and at record pace. Accelerating this pace is the general threat landscape and the corresponding governance trends necessary to manage this phenomenon,” said Dave Weinstein, vice president of threat research at network monitoring provider, Claroty. “There continues to be a wide skills and cultural gap between safety, physical, and cyber personnel but we are witnessing a growing adoption of cross-training and collaboration initiatives to shrink this divide. Doing so will help organizations realize much needed synergies across people, process, and technology.”
A security model needs to tie safety, physical and cyber security together, but not necessarily integrate them, said Eric Knapp, chief engineer, cyber security solutions and technology at Honeywell Industrial Cyber Security (H-ICS).
“With Triton, we saw how a digital attack could be used to target a safety system. As physical security systems become more intelligent and connected, a similar risk exists. The easiest way to mitigate such a risk is with current best practices: Keep them as isolated as possible digitally, do not use common credentials or access controls across systems, etc. so that they can be checks and balances for each other, and one does not inadvertently become the vector of attack for the other. This requires a degree of coordination (and ideally top-down support) of the three groups. This means that those in charge of physical security, cyber security, and safety all need to work together, and each should consider the other disciplines when threat modeling.”
Different Types of Attacks
There are different models of physical attacks, ranging from counterfeit devices/software installed, to side channel issues like differential power analysis attacks and similar efforts, said Dean Weber, chief technology officer at security provider, Mocana.
“The manufacturing supply chain is a physical issue, as is ‘embedded at manufacture time’ potential compromises such as Huawei has been accused of by western organizations,” Weber said. “The concept of waterfall attacks can also be a component of a physical breach, where systems that have been previously compromised are alerted to a trigger event by some physical activity (loss of primary system for example). So not only are attacks possible, but many are currently in play. Attacks such as Shamoon and Blackenergy, or even Stuxnet, have a component of physical access attached to them in some form, ranging from plugging a USB stick in, to physically injecting malware or signaling to previously compromised devices. All such attacks are evolving and present new danger to the industrial communities.”
“One could easily argue that certain USB attacks emanate from the physical side,” Knapp said. “Only about a third of USB threats are actually malware based; the rest involve the introduction of a physical USB device that is designed to be malicious. Accidentally or intentionally carrying these devices into a network circumvents cyber defenses and instead crosses physical defenses like locked doors and inspections. The attack itself could even be physical, as in the case of USBKill devices, which fry computers electrically, or USBee attacks that use physical/electrical characteristics of the USB interface to exfiltrate data instead of using files. So in this context, we’ve already seen a physical device (USB drive) used to carry out a cyber attack (Triton) against a safety system.”
Safety and Physical
The intersection of safety, physical security and cyber security remains an ongoing issue.
“We were talking to a 300,00 bpd refinery (contributed to approximately 15 percent of country refining capacity) about upgrading approximately 40 legacy Triconex safety systems,” said Steve Elliott, safety expert and senior director of offer marketing for process automation at Schneider Electric. “They had an independent OT cybersecurity consultant in who determined a target Security Level 3 (SL3).
“However, it didn’t take a rocket scientist to spot the greatest weakness to the security posture was physical protection methods. The lack of physical hygiene was seen as the most obvious cyber risk. There was literally no security on the buildings, equipment rooms, equipment cabinets; you could just roll up and cause chaos.
“So, it was obvious that it was no good investing in hardening the cybersecurity measures for the safety systems and then literally leaving the ‘front door’ open to physical attack methods. We included access control as part of the upgrade plan to strengthen the physical posture as well as the SIS posture. I contend we should scrub cyber and talk about security and what that means, with cyber as a subset of the overall security posture,” Elliott said.
Cyber and Physical
Byres had a personal cyber twist on the issue.
“I purchased a high end commercial grade lock system for my house. It had some beautiful bit of engineering behind it. You could hit it with a hammer and not break it. It had infrared video cameras. It was a piece of engineering artwork. But you had to connect the controllers over the Ethernet because they were powered over the Ethernet. Unfortunately, when I set it up, I realized I could send a completely unauthenticated HTTP message to the IP address ‘/open’ or ‘/close.’ That meant anybody in our house network could send a command to open or close a gate anytime. The company subsequently changed it to HTTPS so you need authentication to open it up. This was a commercial grade product, so when it was used in a commercial setting, it would be possible to open a gate to a warehouse or a gate to a refinery using the same command. Anybody in the organization could open that at any time. It was an interesting intersection of really good lock engineers not really knowing anything about the Ethernet.”
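The gate controller Byres describes accepted a bare, unauthenticated HTTP request to `/open` or `/close` from any host on the network. The following is an added example, not code from the article or from any lock vendor: a minimal model of the original behaviour beside a hardened handler that requires TLS, uses POST for state changes, and authenticates each request with a per-operator HMAC, a freshness window and nonce replay protection. The request shape, header names and signing scheme are all assumptions made for illustration.

```python
"""Gate-controller request handling: the unauthenticated behaviour Byres describes
beside a hardened variant. Added example, not code from the article or from any
lock vendor; request shape, header names and the HMAC scheme are assumptions."""
from __future__ import annotations

import hashlib
import hmac
import time
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal model of an HTTP request as the controller would see it (assumed shape)."""
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    over_tls: bool = False


class VulnerableGateController:
    """Original behaviour: any host that can reach the IP address opens the gate with a bare GET."""

    def __init__(self) -> None:
        self.state = "closed"

    def handle(self, req: Request) -> tuple[int, str]:
        if req.path == "/open":
            self.state = "open"
            return 200, "gate opened"
        if req.path == "/close":
            self.state = "closed"
            return 200, "gate closed"
        return 404, "not found"


class HardenedGateController:
    """Hardened variant: TLS only, POST for state changes, per-operator shared key,
    HMAC over (operator, path, timestamp, nonce), a freshness window, nonce replay
    protection and an audit trail of every decision."""

    FRESHNESS_S = 30  # assumed tolerance between the client's clock and ours

    def __init__(self, operator_keys: dict[str, bytes], clock=time.time) -> None:
        self.state = "closed"
        self._keys = operator_keys
        self._clock = clock  # injectable so the behaviour is testable offline
        self._seen_nonces: set[tuple[str, str]] = set()
        self.audit: list[tuple[str, str | None, str]] = []

    def _authorized(self, req: Request) -> bool:
        h = req.headers
        operator, ts, nonce, sig = (h.get("X-Operator"), h.get("X-Timestamp"),
                                    h.get("X-Nonce"), h.get("X-Signature", ""))
        if operator not in self._keys or ts is None or nonce is None:
            return False
        if not ts.isdigit() or abs(self._clock() - int(ts)) > self.FRESHNESS_S:
            return False  # stale or malformed timestamp
        if (operator, nonce) in self._seen_nonces:
            return False  # replayed request
        expected = sign_request(self._keys[operator], operator, req.path, ts, nonce)
        if not hmac.compare_digest(expected, sig):  # constant-time comparison
            return False
        self._seen_nonces.add((operator, nonce))
        return True

    def handle(self, req: Request) -> tuple[int, str]:
        if not req.over_tls:
            return 403, "TLS required"
        if req.path not in ("/open", "/close"):
            return 404, "not found"
        if req.method != "POST":
            return 405, "state changes require POST"  # a GET must never change state
        if not self._authorized(req):
            self.audit.append(("denied", req.headers.get("X-Operator"), req.path))
            return 401, "unauthorized"
        self.state = "open" if req.path == "/open" else "closed"
        self.audit.append(("ok", req.headers["X-Operator"], req.path))
        return 200, f"gate {self.state}"


def sign_request(key: bytes, operator: str, path: str, ts: str, nonce: str) -> str:
    """Client side of the scheme: HMAC-SHA256 over exactly the fields the server checks."""
    msg = f"{operator}|{path}|{ts}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


if __name__ == "__main__":
    vuln = VulnerableGateController()
    print(vuln.handle(Request("GET", "/open")))  # anyone on the LAN opens the gate
    key = b"constructed-demo-key"  # constructed; provision one key per operator in practice
    hard = HardenedGateController({"guard-01": key})
    print(hard.handle(Request("GET", "/open", over_tls=True)))  # refused: GET cannot change state
    ts, nonce = str(int(time.time())), "n-0001"
    hdrs = {"X-Operator": "guard-01", "X-Timestamp": ts, "X-Nonce": nonce,
            "X-Signature": sign_request(key, "guard-01", "/open", ts, nonce)}
    print(hard.handle(Request("POST", "/open", hdrs, over_tls=True)))  # accepted once
    print(hard.handle(Request("POST", "/open", hdrs, over_tls=True)))  # same nonce: refused
```

The audit list is the part an operator would actually watch: a burst of `denied` entries from one operator name is the signal that someone on the network is probing the controller, which the original design could never have shown.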
Finding an Entry Point
Any weakness an attacker can find in the security armor could be an entry point.
“We are seeing attacks across all vectors, and the majority are still seen as transiting across the magic air gap from the enterprise into OT,” said Jason Haward-Grau, CISO at PAS Global. “The challenge is that we don’t tend to talk about the attacks that are happening unless necessary. In some cases, they aren’t even identified as cyber attacks as the outcome is safety related (this covers varied understanding of the etymology of attacks themselves, through engineering errors and malicious insiders).
“Attackers are looking to reference the optimal approach and often this is a mix of physical, psychological and virtual,” Haward-Grau said. “This in part is why almost all government advisories are extending the recommended practices to cover everything from awareness (phishing, vishing and spoofing) to the physical. Human nature is a much relied on accomplice to getting the malware into the plant. We all wonder what’s on the USB drive marked ‘HR Data’ found in the parking lot, so we want to plug it in and see what it is.”
Standards Can Help
Some guidance can be found in standards.
“Several available standards and guidelines (most notably IEC 62443) incorporate both physical and cybersecurity in their normative requirements and recommendations,” said Eric Cosman, a security expert and consultant with ARC Advisory Group. “I believe that most companies who have implemented a security program have recognized the importance of dealing with both at the same time. At my previous employer, we had a steering team that included the CSO, the head of engineering and the corporate director of safety and loss prevention. All three perspectives are necessary to address the evolving threat. Physical barriers such as access control can sometimes be effective countermeasures for cybersecurity risks.”
IEC 62443 itself includes a physical security component.
“In cybersecurity one of the fundamental defensive mechanisms is to secure the perimeter, and air gap where you can. This forces attackers to gain a physical presence,” said Andrew Kling, senior director of cybersecurity and system architecture at Schneider Electric. “In a reverse engineering presentation last year, we watched a skilled engineer remove the flash chips from a safety control to extract the firmware. The latest IEC 62443-4-2 includes requirements to resist and detect physical tampering.”
With increased connectivity through digitalization and the Industrial Internet of Things (IIoT), the attack surface continues to grow, and it remains a huge issue.
“While most companies isolate the networks used for IIoT applications from core control systems, the fact that they are communicating with external systems undermines the integrity of IIoT information and the security of anything that relies on the use of the IIoT data,” said Sid Snitkin, vice president at ARC Advisory Group. “Concern over IIoT security continues to constrain broader adoption of IIoT.”
Increased Attack Surface
“The more accessible devices become, the greater the attack surface from both a physical and a cyber perspective,” Weber said. “Many of the older industrial endpoints are analog, meaning voltage and/or current reliant to function. The upstream devices are where most of today’s attacks are targeted, but the ability to influence the data being generated due to the reliance on back end analytics for day-to-day efficiency of operations (AI) means a simple change to input data can have disastrous impacts on the industrial operations; ranging from simple denial of service to very advanced data poisoning designed to alter outcomes. The more connected we become, the more important it is to develop and deploy countermeasures to our highest risks.”
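Weber’s point about altered input data steering back-end analytics suggests the cheapest defensive check a plant can run: screen analog loop readings for values the process cannot physically produce before they reach the analytics. The following is an added example, not code from the article or from any vendor. It screens a 4-20 mA loop for out-of-band current, jumps larger than the process could make between samples, and frozen values, and quarantines flagged samples for review instead of converting them. The fault band, step limits, loop names and sample series are constructed assumptions.

```python
"""Plausibility screening for analog loop readings before they feed analytics.
Added example, not code from the article or from any vendor; the fault band,
step limits and the sample series are constructed assumptions."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Loop:
    """One 4-20 mA current loop with the limits we assume for it."""
    name: str
    eu_lo: float               # engineering value at 4 mA (assumed)
    eu_hi: float               # engineering value at 20 mA (assumed)
    fault_lo_ma: float = 3.8   # below this the loop is open, shorted or spoofed (assumed band)
    fault_hi_ma: float = 20.5  # above this likewise (assumed band)
    max_step_ma: float = 1.0   # largest change per sample the process could physically make (assumed)
    stuck_limit: int = 3       # identical consecutive samples before we suspect a frozen feed (assumed)


def to_engineering(loop: Loop, ma: float) -> float:
    """Linear 4-20 mA to engineering-unit conversion."""
    return loop.eu_lo + (ma - 4.0) / 16.0 * (loop.eu_hi - loop.eu_lo)


def screen(loop: Loop, samples_ma: list[float]) -> list[tuple[int, str]]:
    """Return (sample index, reason) findings. Out-of-band values, jumps the process
    cannot make and frozen values are the cheapest tells for a faulty or poisoned feed."""
    findings: list[tuple[int, str]] = []
    prev = None
    run = 0
    for i, v in enumerate(samples_ma):
        if v < loop.fault_lo_ma or v > loop.fault_hi_ma:
            findings.append((i, "out_of_band"))
        if prev is not None:
            if abs(v - prev) > loop.max_step_ma:
                findings.append((i, "implausible_step"))
            run = run + 1 if v == prev else 0
            if run == loop.stuck_limit:
                findings.append((i, "stuck_value"))
        prev = v
    return findings


def quarantine(loop: Loop, samples_ma: list[float]) -> tuple[list[float], list[tuple[int, str]]]:
    """Convert only the samples with no finding; hold the rest back for an operator
    to review rather than letting them silently steer the analytics."""
    findings = screen(loop, samples_ma)
    flagged = {i for i, _ in findings}
    clean = [to_engineering(loop, v) for i, v in enumerate(samples_ma) if i not in flagged]
    return clean, findings


if __name__ == "__main__":
    reactor_temp = Loop("reactor_temp", eu_lo=0.0, eu_hi=200.0)
    # constructed series: steady readings, a jump the process cannot make,
    # a frozen feed, then an over-range value
    series = [12.0, 12.1, 12.2, 19.9, 19.9, 19.9, 19.9, 22.0]
    clean, findings = quarantine(reactor_temp, series)
    print(findings)
    print(clean)
```

The step and stuck-value checks are deliberately per-loop parameters: a flow meter and a tank level legitimately move at very different rates, and a single global threshold would either miss a poisoned feed or drown operators in false alarms.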
It is easy to start off the new year thinking there is no hope, but there are positives.
“While increased connectivity undoubtedly yields greater productivity and output, it also presents attackers with opportunities that heretofore did not exist,” Weinstein said. “For all of the doom and gloom about IIoT from a security perspective, it is a manageable risk and I expect to see more and more innovation in terms of monitoring these devices over the next few years.”