By Gregory Hale
As the industry continues its expansion into a more open and connected environment, remote access will become an even more vital element, but with the right strategies in place, secure communications should not be an issue.
“There is no doubt control systems have evolved,” said Marco Ayala, senior industrial cybersecurity project manager at aeSolutions, during his presentation at the Siemens 2016 Automation Summit in Las Vegas, NV. “We look at cyber as a huge piece of information. Workers need to ensure security is top of mind at all times. Are you monitoring? Are you logging? Are we saying IT has it? Are we saying OT has it?”
Ayala pointed at the attack on the Ukrainian power grid this past December as a perfect case in point about remote security.
On December 23, 2015, power went out for a large number of customers (reports range from 80,000 customers to 700,000 homes) in the western region of Ukraine served by regional power distribution companies. These companies are supplied by thermal power generation stations (Ukraine also generates a large amount of power from nuclear facilities, though not in this region).
Reports about the incident in local media spread quickly to the international community by the end of the year, and analysis and discussion among Western industrial cyber security interest groups began. While that discussion is ongoing, it has become clear that a coordinated attack involving multiple components took place.
Here are components of the Ukrainian power grid attack:
BlackEnergy (also known as DarkEnergy) is malware that has existed since 2008, and its modular components have morphed over time. In this incident, the third variant of BlackEnergy was a key vector that gave the attackers access to the utilities’ computer networks and the ability to communicate with them remotely. (This compromise and the resulting remote communications were probably NOT within the ICS networks.)
One BlackEnergy component, known as KillDisk, has a wiping functionality that may have denied the use of the SCADA system, delayed restoration and covered the perpetrators’ tracks. The actual hosts affected by KillDisk have yet to be disclosed.
In addition, an attack on phone systems, possibly a Denial of Service (DoS) attack, prevented the utilities from receiving calls from customers reporting outages.
Also, the electricity went out and was restored the same day by field staff manually reclosing breakers at affected substations.
“Attackers were on the system months before the attack,” Ayala said. “They took advantage of the SCADA systems and social engineering. (The utility) also failed to put in two-factor authentication on virtual private networks.”
A virtual private network (VPN) is a network that uses a public telecommunication infrastructure such as the Internet to provide remote networks or computers with secure access to another network.
Information ends up encrypted and sent to the destination network where it is decrypted upon arrival.
The encryption protects the confidentiality and integrity of the data as it travels across the untrusted network.
VPNs by themselves do not limit the protocols or detect malicious code or behavior. If the remote computer or a machine on the remote network ends up infected or compromised, then an attack can occur to devices accessible across the VPN.
To avoid a remote attack, here are some best practices:
• Require the use of corporate-owned laptops for remote access, which are subject to and maintained according to the organization’s security policies
• Provide remote access users with a secure bootable image
• Require and enforce contractually that third parties with remote access accept and comply with the organization’s security rules
• Require two-factor authentication for any remote access session
• Configure the VPN such that split tunneling is not allowable by technical policy
• Monitor and log (log user ID, time, and duration of remote access) all remote access sessions
• Provide mechanisms for on-demand and automatic session termination
• Encrypt all communications over untrusted networks
• Configure modems and remote access software for maximum security
• Restrict remote connections to a special machine in the IACS DMZ, which then has access to select resources in the control system
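As an added example (not from Ayala's talk or this article), the following Python script audits constructed VPN session log lines against several of the practices above: two-factor authentication, no split tunneling, logging of user ID, time and duration, automatic session termination, and restricting connections to the IACS DMZ jump host. The log format, the jump host name and the duration limit are assumptions.

```python
"""Audit constructed VPN session records against the remote-access best practices
listed above. Log format, jump host name and session limit are assumptions."""
from datetime import datetime

# Constructed sample log lines (key=value, one session per line); the format is assumed.
SAMPLE_LOG = """\
ts=2016-06-20T05:10:00 user=vendor01 mfa=yes dst=jump01.iacs-dmz duration=1800 split=no
ts=2016-06-20T06:02:00 user=ops02 mfa=no dst=jump01.iacs-dmz duration=900 split=no
ts=2016-06-20T07:30:00 user=vendor03 mfa=yes dst=hmi-station7 duration=600 split=no
ts=2016-06-20T08:45:00 user=ops02 mfa=yes dst=jump01.iacs-dmz duration=36000 split=yes
"""

ALLOWED_DST = {"jump01.iacs-dmz"}   # the only host remote users may reach (assumed name)
MAX_SECONDS = 8 * 3600              # sessions longer than this should have auto-terminated

def parse_line(line):
    """Turn one key=value line into a dict; numeric and yes/no fields are normalised."""
    rec = dict(tok.split("=", 1) for tok in line.split())
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["duration"] = int(rec["duration"])
    rec["mfa"] = rec["mfa"] == "yes"
    rec["split"] = rec["split"] == "yes"
    return rec

def audit_session(rec):
    """Return the list of policy violations for one session (empty if compliant)."""
    findings = []
    if not rec["mfa"]:
        findings.append("no two-factor authentication")
    if rec["dst"] not in ALLOWED_DST:
        findings.append(f"connected to {rec['dst']} instead of the IACS DMZ jump host")
    if rec["split"]:
        findings.append("split tunnelling enabled")
    if rec["duration"] > MAX_SECONDS:
        findings.append(f"session ran {rec['duration']}s without automatic termination")
    return findings

def audit_log(text):
    """Map each (user, start time) to its findings, keeping only sessions with problems."""
    report = {}
    for line in text.splitlines():
        rec = parse_line(line)
        problems = audit_session(rec)
        if problems:
            report[(rec["user"], rec["ts"].isoformat())] = problems
    return report

if __name__ == "__main__":
    for (user, start), problems in audit_log(SAMPLE_LOG).items():
        print(f"{start} {user}: " + "; ".join(problems))
```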
When talking about remote access, the fracking industry can come to mind with their remote operations needing to send data and workers needing to pull information at any time.
So, on top of all the remote best practices, there are some other details users need to pay attention to in the fracking environment. For one, “control systems must be able to withstand harsh vibrations and extended temperature ranges and also withstand blowing rain,” Ayala said. In addition, they must have operator-friendly diagnostics, must allow operators to log in to view the process, must be cyber secure when accessed remotely, and must provide ingress/egress logging.
In addition, Ayala said, the system does not have the Internet running at all times, but the user must be able to get on and pull data when needed.
Symbiotic: Safety and Security
Securing the remote access connection not only protects the network, it can also allow for greater safety.
“Process safety and cyber security are number one,” Ayala said. “They are symbiotic; they go hand in hand. We have policies and procedures in place, but the human factor drives all of this.”
He stressed that monitoring, logging and defense in depth are critical.
In short, Ayala said there should be:
• Multiple layers of security, which are paramount
• Security baked in from the start
• Front-End Engineering and Design (FEED)
• Security Acceptance Testing (SAT)
• Factory Acceptance Testing (FAT)
• Lifecycle: continuous testing and auditing
“We have to be smart about how we configure our systems. A system under attack means at best there is a financial loss, in a worst case it could be a catastrophic event.”