By Gregory Hale
Manufacturers should not do security for security’s sake; rather, they should do it to capitalize on opportunities.
“Think about the entire cyber ecosystem from production into the enterprise,” said Pranav Saha, lead associate at Booz Allen Hamilton, during his talk Tuesday at the Siemens 2016 Automation Summit in Las Vegas, NV. “We require connectivity to move the process forward.”
One advantage of the connected world is the ability to connect performance indicators to hike productivity and profitability.
“Analytics improves performance, but creates cyber exposure,” Saha said. “The OT world is a different world.”
For a company like Booz Allen Hamilton, manufacturing is quite a bit different from their usual IT engagements. That is why when one of their manufacturing clients needed an end-to-end security plan, they brought in Siemens to help them understand the OT environment.
“There is a need to fill the entire circle of cyber knowledge,” Saha said. “We are good at the C-suite, but Siemens is good at the production level of technical knowledge. We are C-suite consultants where Siemens is more the technical expert.” The goal is to conduct cyber assessments from an IT environment all the way down to the plant floor.
Saha said the cyber environment has changed greatly over the years. Thirty years or so ago, it was all about the enterprise environment. “Over the past five years, things exploded with connections.” Things like the supply chain are now more connected.
Some of the reasons cyber security has gained more notoriety are:
• Cyber security gets front page billing
• Cyber is beyond automation
• Cyber is a different language. Not only is it a different language for process engineering, it is a business imperative.
• Cyber enables innovation for the business
Saha said companies in manufacturing automation have to employ a security program to help ward off potential company-killing attacks like the one on the German steel mill, where a blast furnace melted down. “In this case, hackers were testing their capabilities,” he said.
In December of 2014, the German Federal Office of Information Security (BSI), a group noted for the accuracy of its reporting, released their annual findings report. In it, BSI related how a malicious actor had infiltrated a German steel mill, using a spear phishing email to invade the corporate network, according to a report in ISSSource. The virus then moved into the plant network, causing “multiple components” of the system to fail. In other words, the mill suffered severe damage.
According to the BSI report, the exploitation of the mill took place through the targeting of on-site personnel in the corporate network. The phishing emails contained a document that hosted malicious code that would have taken advantage of vulnerabilities in the target’s system.
In the first stage, the target system would have opened a remote connection point allowing the virus access to the entire network.
The second stage of the attack would have established a foothold on the network through the compromise of small sets of work stations. Previous reconnaissance of the work stations found their weaknesses, scrutinizing keyloggers, network scanning, and compromising of systems such as Active Directory, the report said. Little is known about the second stage where the virus moved into the plant network.
Trojanized software acted as the infection vector for the Havex virus, according to sources interviewed by ISSSource. The viruses use spam email and exploit kits, while Trojanized installers were able to plant the virus on compromised vendor sites. The use of contaminated spam and exploit kits is very common. Of more interest is the third channel, which could be considered a form of “watering-hole attack” as the attackers chose to compromise an intermediary target — the ICS vendor site — in order to gain access to the actual targets.
While the German steel mill was a targeted attack, there are more industrial control systems out on the Internet and open to attack.
“You can go onto Shodan (a security search engine for Internet-connected devices) and find Internet facing industrial control systems and devices,” Saha said. “ICS systems are fun and interesting to hack into compared to an IT network. Yes, you might get some names, but if I can change the paint color of a Corvette from red to purple, that is fun.”
Now, with corporate IT linking to plant IT and then to the Industrial Ethernet, companies are looking at a holistic security approach, but other companies are just now starting up a program. One of the first things they need to accomplish out of the chute is to determine who is responsible for manufacturing security.
Here are some other first steps to get started:
1. Get a team together, including partners
2. Learn to embrace and manage your attack surface
3. Establish baseline requirements and embrace defense in depth
4. Make people a priority – especially leadership
5. Engage in a broader conversation
“People need to respect the possibilities of what a cyber incident could produce,” Saha said.