
Chemical Safety Incidents


Views

This is an archive for Views.

Wednesday, December 14, 2011 @ 12:12 PM gHale

By Gregory Hale
Duqu’s botnet shut down its reconnaissance mission.

That means the first part of its mission is now complete and the next act in this real life drama is ready for deployment. The timeframe? That is anybody’s guess. As the industry learned from Stuxnet, the worm silently sat for a period of time gathering information and waiting for the right moment to pounce. And pounce it did. Centrifuges at Iran’s Natanz nuclear enrichment plant took a huge hit.

The clock’s timer is set.


One of the main differences between Stuxnet and Duqu is we were completely ignorant of what Stuxnet was up to. That means industrial control systems lived in blissful ignorance while the worm slithered in and stalked its targeted system. Security professionals had no inkling of where or when the worm found its nesting place. In reality, manufacturers were sitting ducks.

Now, security professionals are staying on top of their game; they know Duqu is out there. ISSSource reported in November that Duqu is a perfected version of Stuxnet and that American and Israeli officials are heading a team effort to bring down Iran’s software networks if the Iranian regime’s nuclear program gains too much traction, U.S. intelligence sources said.

Stuxnet is gone, but hardly forgotten. Its creators learned quite a bit from their first foray into industrial control systems.

“Stuxnet has not become useless in the least,” said one serving U.S. intelligence official. “It has all sorts of untapped potential.”

Another intelligence official said, “The cyber warfare potential of Stuxnet has by no means been exhausted. It hasn’t demonstrated the full damage it could cause if deployed.”

Sources in the U.S. that requested anonymity said Duqu has two parts, the first of which does reconnaissance of the target, assessing vulnerabilities. That part seems to be over. The next part, the sources said, is delivery.

Can you hear the clock ticking?

All files on the 12 known command-and-control (C&C) servers for Duqu are gone, according to Moscow-based Kaspersky Lab.

Each of the 12 Duqu variants used a different compromised server to manage the PCs infected with that specific version of the malware, Kaspersky researchers said. Those servers were in Belgium, India, the Netherlands and Vietnam, among other countries.

The attackers wiped every server they had used going back as far as 2009, Kaspersky researchers said, referring to the Oct. 20 cleanup.

The clock is ticking.

Does this mean Duqu is going after the Iranian nuclear program? Maybe. Quite a bit of evidence points that way. But it could also mean the goal of the recon mission was to look at other types of industrial control systems. One unnamed source told ISSSource that Duqu code showed up at its facility not long ago.

It would be easy to be overly dramatic and overreact. But one thing is for sure: The situation means security professionals on the plant floor or over in the IT department had better stay on top of their game and know what is coming in and going out of their systems.

If Duqu is as strong as Stuxnet – and all reports say it is even stronger and smarter – then everyone has to stay alert and ready to take action. Dust off those security plans and make sure everyone is aware of what they should and should not do. No one should just wait and see; manufacturers should forge ahead with a proactive defense. You just never know when the next attack will occur.

Tick, Tick, Tick, Tick, Tick….

Talk to me: ghale@isssource.com

Tuesday, June 7, 2011 @ 08:06 AM gHale

By Gregory Hale
The old cliché says admitting there is a problem is the first step toward any type of recovery. While people often use that phrase as a punch line at the end of some type of derisive put down, it ends up being true when it comes to a cyber security event.

Rather than reveal they have been the victim of a cyber attack, companies resort to excuses such as not wanting to alarm customers, or a fear of revealing too much confidential information about intellectual property or processes.

That is, of course, all nonsense.

Simply put, companies don’t want to admit they were the victims of an attack because of the potential PR implications that will ensue. Or, they don’t want to admit they have done nothing to protect themselves against an attack.

From loss of confidential data to stolen business plans and recipes to leaked customer information, when you look at what companies could lose, it is astounding they don’t come clean and try to work together as an industry to thwart attackers to keep them out of the manufacturing space.

Cyber attacks continue to increase in sophistication. Across the broad spectrum, look at the break-ins at Sony, Google, and defense contractors Lockheed Martin and L-3 Communications. On the manufacturing side alone, need we say more than Stuxnet? Well, we can: With all the vulnerabilities found in SCADA software, the manufacturing industry now has the unenviable distinction of falling into the “low hanging fruit” category for would-be hackers.

Manufacturers know they are under siege, but for the most part they seem paralyzed by not knowing where to start. Yes, costs also come into play. But imagine the cost if a plant simply ceases to operate. The cost of a solid security risk assessment from a qualified integrator would pale in comparison.

Instead of thinking about the huge big picture, manufacturers have to start taking baby steps toward a security program. Calling in a security expert is the first step. The next is coming to the realization that security is a moving target: There is no final solution you can bolt onto your system and walk away from.

Having said that, creating a strong security posture does not have to be a money pit. It does, however, need the right people in the right place working together as a team of multi-disciplined professionals from various parts of the manufacturing process. When it works properly, that team will stay on top of the system and know when there are anomalies that need checking and mitigating.

But it all starts with knowledge. Knowledge is king. Understanding the types of attacks, who is under attack and when and where attacks are occurring will allow for a very secure plant floor. Sometimes the best security is one that is right there in front of you. Transparency works.

Yes, industry needs to work closer with government in a joint effort to stave off attacks and garner more overall knowledge. But, let’s face it, the cyber security experts in government are incredibly talented, but they are not facing the daily task of keeping the plant up and running.

Not to sound the alarmist bell, but attacks will continue to occur. As a matter of fact, attacks will grow more sophisticated, so one way to fight back is to create a security consortium of some sort. Or, rather than reinvent the wheel, use an existing concern such as the Security Incidents Organization; attacks, along with security costs, will diminish.

Having the industry work together in a non partisan manner to ensure a cyber safe manufacturing sector is the first step toward recovery.

Talk to me: ghale@isssource.com.

Tuesday, April 12, 2011 @ 07:04 PM gHale

By Gregory Hale
When it comes time to talk about security plans, it becomes so easy to cry the proverbial “Wolf!”

“Everyone will be hit. You are playing with fire. Disaster is just around the corner.” The cries are tedious, and they can be repeated so many times that after a while they just become background noise.

But the question needs asking: Are manufacturers fully engaged in the pursuit of securing their systems – and plants – to help increase uptime, or have they let yesterday’s news just fade away?

It is easy to understand. A manufacturer could think, “Yes, Stuxnet was interesting, but that was a focused shot from the good guys firing against the bad guys. Iran’s nuclear program was a threat and someone did something about it.”

OK, that line of thinking is fine and some will follow it. But it really doesn’t wash. What this very focused assault plainly showed is that industrial control systems are open to attack. Remember, when you are thinking about your risk assessment, this is all about keeping plants up and running so the company can produce product and make money.

“(Users) will have to see the shotgun approach compared to the sniper shot that happened with Stuxnet,” said Rick Kaun, director of network security solutions for Matrikon.

Now it is time for the industry to stare down both barrels of the shotgun. Just take a look at the reports of the SCADA system vulnerabilities out there.

Italian security specialist Luigi Auriemma, who mainly focuses on detecting holes in games and media players, released a list of 34 vulnerabilities in SCADA products by some major players: Siemens Tecnomatix (FactoryLink), ICONICS (Genesis 32 and 64), 7-Technologies (IGSS) and DATAC (RealWin).

Then another list of vulnerabilities came out. Named players: Atvise SCADA; Control Microsystems ClearScada; DataRate SCADA WebControl and RuntimeHost; Indusoft SCADA Webstudio; ITS scada; Automated Solutions Modbus/TCP OPC Server; BACnet OPC client; Advantech Studio Web server; BroadWin WebAccess (also sold as Advantech); Ecava IntegraXor.

Yes, most of the companies are patching the vulnerabilities, but how quickly will that happen at the plant level and what other holes are out there from other companies that no one has even tried to crack yet?

These vulnerabilities could affect anyone at any plant. Maybe that is crying “Wolf!” once again, but it is true. Just what will it take for companies to focus on generating a thorough security plan that everyone in the organization is aware of?

That question is difficult to answer, as the mindset right now when it comes to security is very reactive and not proactive. It is kind of like the days of reacting to an incident before predictive maintenance became a force: See something happening and quickly react. Compare that to seeing a trend occurring and knowing you will need to fix something in a couple of weeks. While security doesn’t work quite that way, the point is the mindset has to change.

That change has to start from the top. In a study sponsored by Q1 Labs and conducted by the Ponemon Institute, entitled “State of IT Security: Study of Utilities & Energy Companies,” 71 percent of the 291 security practitioners who responded said their companies’ top executives do not understand or appreciate the value of information-technology security.

That seems like it may be an uphill fight, but in the wake of the Stuxnet attack and the recent SCADA vulnerabilities alerts, there are some companies that just seem to get it. They are now taking part in creating a full blown security solution knowing they will be ready for the next attack.

Others are just continuing along their way, not fully understanding what lies around the next corner. What else will it take to get manufacturers fully engaged?

Eric Byres, chief technology officer at Byres Security, feels one approach is through the standards process, such as the ISA99 security standard.

“The ISA99 Gap Analysis task group is making progress in determining how the ISA and IEC (the International Electrotechnical Commission) standards will have to change to address something like Stuxnet. Better standards will probably make more of a difference than anything else over the long run.”

Standards are one approach, but education over time also helps.

“At the end of the day, there needs to be a culture change, but it takes time,” Kaun said. “Just look at the emergence of safety cultures. It takes time to get everybody to accept changes. Look at safety belts and smoking. Until security becomes a part of the culture on a day to day basis, it will be a daily battle. Eventually over time it should become a part of the culture.”

Yes, a culture change does take time, but in the meantime let’s get to work creating a plan of attack to keep systems up and running. That will keep the wolves at bay.

Talk to me: ghale@isssource.com.

Tuesday, March 29, 2011 @ 06:03 PM gHale

By Gregory Hale
When you really think about it, typical college students lead a charmed life. They wake up in the morning, go to class, debate issues based on theory, go back to their dorm rooms, have dinner, do some homework and maybe go to the local watering hole for a few pitchers with the gang.

They live in a protective bubble. Pressure? Yes, of course there is. They need to do well in school to make sure they can get a good job, to help support themselves and be a productive member of society. But, let’s face it, real pressure? No one is going to get blown up if they do poorly on a test. No one will lose millions of dollars if they skip a few homework assignments.

Some may call it the school of hard knocks. Students learn they have to do well on all tests, not just some of them. They also learn they have to do homework and hand it in, or it will end up hurting them. The smart ones learn from those experiences and move on to successful college careers and beyond when they go out into the real world.

This past week, SCADA companies graduated into the real world. Yes, they have always worked hard at getting their systems just right for their customers. But was security part of the discussion or just an afterthought?

Just a few short days ago, Italian security specialist Luigi Auriemma, who mainly focuses on detecting holes in games and media players, released a list of 34 vulnerabilities in SCADA products from four different firms. The list consists of some major players: Siemens Tecnomatix (FactoryLink), ICONICS (Genesis 32 and 64), 7-Technologies (IGSS) and DATAC (RealWin).

Then another list of vulnerabilities came out. Named players: Atvise SCADA; Control Microsystems ClearScada; DataRate SCADA WebControl and RuntimeHost; Indusoft SCADA Webstudio; ITS scada; Automated Solutions Modbus/TCP OPC Server; BACnet OPC client; Advantech Studio Web server; BroadWin WebAccess (also sold as Advantech); Ecava IntegraXor.

These vulnerabilities don’t have the shock value Stuxnet brought, but make no mistake they truly point out industrial control systems are vulnerable, and they can easily fall prey to an attack. In reality, revealing these vulnerabilities may be more important to the industry because everyone now knows they are out there and primed.

Stuxnet pointed its sights directly at the Iranian nuclear program. Very targeted and effective.

These vulnerabilities are ripe for anyone to get in.

It is time to look at the positives here. Yes, these companies are most likely panic-stricken trying to get patches up and running, but at least they know about the vulnerabilities and, to date, there have been no known attacks.

This may also be another salvo that opens the door for manufacturing automation companies to insist on thinking security first. Safety, yes. Security, yes. Both have to go hand in hand, or else you are living on borrowed time. That may sound a bit melodramatic, but look at what could happen. Can your company sustain an all-out cyber assault?

In many ways Stuxnet was so targeted manufacturers could be lulled into thinking “They were after the bad guys and who would want to go after little old me?”

Wrong. This should be a wake-up call to ensure users get a solid security plan in place – and then make sure everyone is aware of it. An attacker can tap into these vulnerabilities at any time.

Charmed life? SCADA providers are now looking at the cold, hard facts of cyber security reality.

Talk to me: ghale@isssource.com.

Wednesday, February 16, 2011 @ 04:02 PM gHale

By Gregory Hale
Living and working in a vacuum can be a wonderful thing.

Just think, you don’t have to worry about anything or anybody else, because in your mind, everything is simple and easy. Nothing bad happens and life just keeps moving forward.

The problem is, this type of vacuum just doesn’t exist. Take the OPC Workshop entitled, “Business Value of Device to the Cloud Information Integration,” held at the tail end of the ARC Advisory Group Forum last week in Orlando, FL.

During a workshop presentation on security, the audience was asked if they knew if their company had any type of security plan. Of the 40 or so people in the crowd four or five sheepishly raised their hands. Then, when asked if those folks knew what was in their company’s security plan, only two raised their hands.

Two out of 40 people knew what their company’s security plan consisted of. At that point, one member of the audience said the people in attendance didn’t need to know what was in the company’s security plan.

Welcome to the vacuum. While the number of people that were unaware of what their company’s security program consisted of was shocking, the attitude that not everyone had to be aware of how to keep their company secure was devastating.

“That attitude is something we have to work on (in the industry),” Thomas Burke, president and executive director of the OPC Foundation and host of the workshop said a few days after the event. “People have to adjust the way they think to ensure a secure environment.”

That attitude falls in line with a survey conducted by Oracle, which found IT people, including those close to security, appear to have little awareness of key security issues that have an impact on their organizations.

The survey, which polled 430 members of the Oracle Application Users Group (OAUG), included directors and managers of information technology, developers and programmers, database and systems administrators, systems architects and analysts and professionals from the HR and financial functions.

About 22% of respondents claimed to be extensively involved in security functions, 60% claimed a limited or supporting role, and the rest said they were not involved with security at all. About 100 respondents belonged to companies with more than 10,000 employees.

What the survey showed was a surprising lack of awareness of security issues among the respondents.

Let’s face it: Cyber attacks are not infrequent events. In research published on ISSSource.com, the Ponemon Institute found its benchmark sample of 45 organizations experienced 50 discernible and successful cyber attacks per week, combined. That translates to an average of more than one successful attack per company per week.

With the industry losing over $20 billion per year in cyber and safety incidents, it just seems manufacturers should first come up with a security plan and then consistently update it. Management should ensure all employees are aware of what the plan says and are able to help protect the enterprise.

Yes, ownership of a security plan has to come from the top on down, but everyone in the organization needs to buy in. It is imperative. Security needs to be a part of a manufacturer’s culture as much as safety already is. There is room for both.

Life and work are wonderful things, but everybody’s eyes need to be wide open.

Talk to me: ghale@isssource.com.

Wednesday, February 2, 2011 @ 06:02 PM gHale

Editor’s Note: Enrique Santacana, president and chief executive of ABB Inc. USA and regional manager of ABB North America sat down with Gregory Hale, editor and founder of Industrial Safety and Security Source (ISSSource.com) to discuss the latest trends, along with the growth in safety and security in the industry. This is the first in an occasional series in the Executive Corner.

ISSSource: Last year when we talked, we discussed the need for increased energy technology. Where do we stand with that?

Santacana: Something interesting happened over the past two years that I have to admit I did not expect at all. For the first time in 50 to 60 years we saw a decrease in electricity demand in the U.S. You actually have to go back to the Depression era to find a similar decrease. I don’t think anyone was expecting that. When we talked, we saw the beginning of the recession and it turned out to be the worst recession since the Great Depression. That drop in electricity demand certainly put a damper on investments by utilities.

There is no question in my mind it is a short term thing and if we are going to have economic growth, we will need electricity. They go hand in hand; you cannot have one without the other. The economy is returning to growth over a period of time, but it will not be the usual type of return. Over time the aging infrastructure is still there, so investments will happen.

ABB’s Enrique Santacana

ISSSource: When do you see the economy really starting to come back?

Santacana: I think the beginning of 2011, the first half of 2011, after the economy has given more clear signals of growth; that is number one. With the new Congress in place, energy policy will come to the forefront in the U.S.

ISSSource: With government incentives in place, have they helped at all?

Santacana: They have helped in not allowing things to get worse. In some areas, if those incentives were not there, we would have seen much, much worse conditions. The incentives for renewables — for wind, solar — they are still there and are moving forward. Energy efficiency incentives have managed to put a floor on the economic debacle we had in 2009.

ISSSource: Where do we stand with the smart grid right now?

Santacana: It is moving forward; beginning to crystallize. You have a number of things going on. The smart grid began as AMI (Automated Metering Infrastructure) — smart meters, communications into the home, demand response, giving end users choice — and all of that is still there. What is happening now is the second step in the evolution of the smart grid. There is much more influence from the distribution transformer upstream, which means distribution automation, substation automation going all the way back to generation. That is beginning to get a lot of focus. We also see incentives from the federal and state governments helping.

ISSSource: What would be the time frame for the smart grid to be in play?

Santacana: This is really a wild guess, but based on the kind of activity we see today and the amount of time it takes for certain products to be developed and fine-tuned, I think in 3 to 5 years we will start seeing a real path to significant investments in this area. It is a matter of economic growth returning and utilities getting more certainty on all these issues of carbon taxation and return on investment.

There is another issue that will drive this smart grid and that is the integration of renewables into the grid. Aside from the economic issues and the policy issues, we still have the regulatory issue of transmission line siting and that deals with transmitting bulk power from renewable sources from “where the sun shines and the wind blows” to the population centers. Sometimes you have a great distance between those areas and the transmission infrastructure has to cut across several states, but the regulatory framework right now is not conducive to site transmission lines across states that will not get benefit from the power.

ISSSource: How does the smart grid environment become a secure environment?

Santacana: That is a very important issue. There has been a lot of effort placed in the area of security. The Department of Energy has a number of task forces to work together with private industries to address the issue of cyber security, for example. That is an area that has to be addressed so the integrity of the distribution and transmission networks will not be compromised. A lot of progress has been made, actually, but I would say we are mostly at the pilot stage. With some economic justifications, at some point we have to come out of the pilot stage. That means the issue of interoperability has to be addressed, so whatever type of encryption technologies are used we don’t have 50 of them. That is why I say smart grid implementation, in terms of picking up commercial volume, is 3 to 5 years away. It has to be clarified. In the meantime, there is a lot of investment going on. I think we have gone from the crib in terms of pilots to being in the child years. Very soon we will move into adolescence and in 3 to 5 years, to adulthood.

ISSSource: With the infrastructure aging so much, how much has to be totally overhauled?

Santacana: The aging infrastructure has to do more with the issue of reliability than it has to do with the smart grid. The fundamental equipment of the grid is not going to change too much. What is going to change is what you attach to that equipment — what sensing technologies, what communications technologies — so that you can carry status information from that equipment back to a central location and make decisions based on that information. So if you have a transformer, you need to have the infrastructure around that transformer to be able to sense all the electrical parameters: If you have a breaker, a piece of switch gear, a relay, switches. It is not so much changing the overall design of the equipment that already exists. It is more about adding the sensing, communications and software tools to get the massive amounts of data from the equipment level and turn that data into valuable information on which you can make decisions.

There is a very clear evolutionary step between now and what needs to happen in that historically we have had reactive intelligent electronic devices which are deployed through the network. They measure and communicate data back. They are not proactive. They do not have the intelligence to be able to make local decisions and that is where the smart grid becomes really smart. When you have the local intelligence, the equipment can make decisions. That capability already exists in the automation environment, and we now have to make it happen on the grid.

ISSSource: In the automation environment, are you finding more and more people are talking about safety and security?

Santacana: Yes, absolutely. The two main issues we hear about from our industrial customers are energy efficiency and safety and security, also safety from an employee’s standpoint, as well as security from a cyber security standpoint.

ISSSource: What brought that on? Is it an evolution of technology or are people finding out they are easy prey to attacks?

Santacana: I think it is both. The technology is now at a point where you can get more out of your safety and security systems. At the same time there is the awareness it is more of an interconnected world and you need to have your security environment much more protected and be able to react if something happens. You need to know that, if somebody breaks into the system, you have the tools in place to neutralize the situation and take corrective actions. I think from a safety standpoint, the more automated you become the more people are dependent on the equipment itself. You need a new level of awareness about becoming too comfortable when things are done for you. When you are dealing with this new infrastructure it can break down, it can cause harm if you don’t know how to use it, so people are becoming more aware of the safety environment to be able to deal with this new interconnected world. To me, that is a driver for safety.

The new level of safety we are seeing is in the proactive mode, not the reactive mode. Everywhere it is preventive, the anticipation of knowing when an accident can happen and taking care of it before it does happen.

ISSSource: Do you feel there are more safety incidents out there, do you feel there is a fundamental breakdown in safety awareness, or is it just more media coverage?

Santacana: I just think it is technologies making it more transparent. I don’t see a fundamental reason why we would have less safety today than what we had five years ago. But the speed of communications and the speed of reaction are so much higher and there is a new level of awareness. I think that is what is driving all this. That is helping push the evolution of preventive safety methods and tools that are much more intelligent than they were before.

I think we are going from the physical paradigm of safety prevention and correction to an environment where you have intelligence. That is when you start looking at data and if you connect these data points you can see this piece of equipment will have a problem in X period of time, and therefore this is what you need to do to prevent a possible explosion or an accident.

ISSSource: On the security side, we have seen Stuxnet hit. Could that worm hit anyone at anytime?

Santacana: It could happen to anybody. You give some people in society some tools that allow them to do things and some do it for good and some use it for not so good. It is inevitable that things like that will happen and it is inevitable we take security to new levels. We need to use encryption technologies and powerful software to connect the dots. At ABB, we’ve been working with the Idaho National Lab since 2003 on their National SCADA Testbed, and that has produced some excellent results in terms of hardening these vital control systems.

To me, the issue of safety and security is about trends. We now have the ability to generate trends with sophisticated algorithms that look at previous incidents that seemed to be independent of each other. We can now statistically establish possible correlations and, based on that, we can make statistical projections. That gives us a tremendously powerful way to take corrective action before an accident can happen or a security breach can happen. That is what is going on right now that is so fascinating and powerful and important.

ISSSource: You are talking about the technology side, and that is important, but there is also the human side.

Santacana: You hit the nail on the head, it is a culture change. You have the people used to the old paradigm asking, “why do we need to do this? What are the benefits?” It is an education and training process and it is an important activity that management has to undertake to effect that culture change. One doesn’t happen without the other. Technology and culture change have to go hand in hand.

ISSSource: I heard a story that one manufacturer came in and secured a system and that was going to change the way people did their job and the first thing workers did when they came in was turn off the new security so they could keep doing things the way they always did. How long does that kind of culture change take?

Santacana: It doesn’t happen overnight, and companies will have their own pace. Some will take an aggressive training, education approach. You do have to give employees incentives so that what you just described does not happen. Some incentives are financial as well as communication of the social benefit of people doing things differently for the prevention of accidents. You need to make things clear about the consequences of things that could happen. For the industry, it will probably take years.

ISSSource: How much of a factor will Baby Boomers leaving have on the safety and security culture?

Santacana: I actually think it will be less than in the past precisely because the systems and tools will be more intelligent. The technology will take a higher share of the load so the new generation coming in dealing with this new paradigm, with proper training, will feel more at ease.

In a way, that is good. Having software-driven systems in place that already have the intelligence to measure and assess things and take corrective actions automatically will ease the generational shift.

We need to take advantage of that. It doesn’t happen automatically. It needs to be recognized by the companies in the industry that it is an opportunity to allow for change.

ISSSource: At the Honeywell user group, HPS President Norm Gilsdorf said the industry was losing about $20 billion a year in safety and security incidents. In your knowledge of the industry, do you feel that number is about right? High? Low?

Santacana: I think you get up to that number pretty quickly when you translate the number of incidents into what happens with the healthcare of those injured. It is not so much the direct cost, but the cost to society. When you think about that number, then maybe $20 billion is too low.

Let’s put it this way, when you look at opportunity costs, $20 billion doesn’t seem big enough.

ISSSource: When it comes to security, do you see IT and engineering working well together?

Santacana: I don’t see how they can’t. If you don’t have the engineer working with someone in IT then you are going to miss a lot. It would be foolish not to have them strongly linked. I don’t know of any design teams at ABB today that don’t have a close link with IT experts.

ISSSource: What regions of the world are leading the way in terms of safety and security?

Santacana: I think today you can’t make much of a difference between North America, Europe and Asia, particularly North and Central Asia, Malaysia, Thailand, and of course China. They are as good as anybody.

Tuesday, January 18, 2011 @ 06:01 PM gHale

By Gregory Hale
The news hit the streets this past weekend that the newest and strongest clues point toward Stuxnet being an American-Israeli project to sabotage the Iranian nuclear program. While the U.S. and Israel were names previously bandied about, no one really knew for sure they were the masterminds behind the scheme.

Now that we know, what is scarier: not knowing who was behind the Stuxnet attack or actually knowing our government and the Israelis invented the nasty worm?

It would be naive to say this was the first time a government worked on this type of clandestine attack. After all, cyber warfare has been around for quite a while. However, this really hit home for the manufacturing automation sector because now any copycat across the globe worth his or her salt can pick up on the parameters of the worm and run with it.

This was more than a warning shot across the bow. It was a pure indicator of a new-age Cold War. As people, governments, and industries rely more and more on automation, more systems become open targets.

It has been a while, but surely everyone remembers what went on during the Cold War. It was the continuous state of political conflict, military tension and economic competition after World War II between the Communists and the Western World.

While military forces never officially clashed directly, they showed conflict through military coalitions, strategic conventional force deployments, extensive aid to states deemed vulnerable, the space race, proxy wars, espionage, propaganda, conventional and nuclear arms races, among others.

Along those lines, Stuxnet seems to be the perfect act of sabotage because it hurt, destroyed or crippled its intended victim, in this case nuclear sites in Iran, and there were no human casualties. Very clean.

Surely The New York Times did a great job reporting on and writing the story uncovering the likely culprits behind Stuxnet. But if you want to add a little intrigue to the story, just ask yourself if you really think the Israeli or U.S. government would let the information out if they didn’t want the entire world to know they have the capability to take on anyone when it comes to cyber warfare?

Yes, this is cyber warfare and yes there will be casualties.

The blueprint is now there for others to follow, and there is potential for other well-funded entities like governments, corporations, interest groups or whatever else is out there to jump in and take over or hold hostage a nuclear plant, a power grid, a water system or any other form of infrastructure.

Right now, it looks as though we know where the attack came from. Does that mean the good guys knocked off the bad guys and we can continue to move forward and not worry anymore?

To the contrary. Every manufacturer out there needs to step it up even more than they already have. They need to know their systems inside and out. They need to watch and understand all points of entry. A solid and evolving cyber plan needs to be in place. This wasn’t a case of good conquering evil. It is a case of the public learning how any automation system can fall victim to an attack.

The Iranian nuclear program may have suffered a setback, but that does not mean others won’t pick up on this attack and launch something of their own.

The Stuxnet story is now coming to a close, but there is great potential for plenty of more sequels to come.

Talk to me: ghale@isssource.com.

Thursday, January 6, 2011 @ 08:01 AM gHale

There was a time almost 40 years ago when the ideal of journalism was to hold fast to a standard that said nobody was above the laws of the land. An honorable and noble goal. The profession looked at wrong, pointed it out, and then sought avenues to fix the injustice.

The profession helped bring down a President who felt he was above the law. During the entire Watergate investigation, it became clear the President broke laws and the country had a right to know about the ensuing cover up.

Journalists found details, researched and confirmed those details and then wrote stories reporting those details. They didn’t just jump at the first detail and write a story about it; they had to truly research every aspect of the story. Their editors insisted all facts get confirmation by more than one source.

They had a responsibility to their readers and to the person they were writing about to get the story right. They kept advancing the story. They didn’t end up rehashing everything over and over again. Every story was a stepping stone to the next story. The good old days.

Did stories ruffle feathers? Of course. They should. The object is to raise questions and find a solution to problems. Did the government try to stop the media from publishing stories? Yes. Did the story end up hurting the U.S.? Maybe in the short term, but over all, it made the country stronger because the world understood no one was above the law here in the U.S.

The news was important and the American people had a right to know. The President’s office did not want information released and The Washington Post and The New York Times leading the pack fought against the political pushback, threats and lawsuits to champion the cause of freedom of the press.

The reporters and editors back then had an ethical concern to make sure they had the story right and then put it all in perspective.

Why take this trip down memory lane? While the media is evolving in this digital era, the tried and true principles still remain: Uncover injustice wherever it exists. How about exposing police brutality in Kenya or learning about innocent victims of war gunned down by the military? The public has a right to know. Dirty secrets cannot, and should not, stay hidden.

But how far is too far? Take a look at Wikileaks. This new era of journalism helped uncover the police brutality in Kenya and the gunning down of innocent victims of war in Iraq. Once again, a news outlet informed people of wrongdoing.

Now the government is up in arms over the release of its diplomatic cables in November, and is going after them. There was top secret information released that may cause irreparable harm. But will the released information hurt the U.S. over the long haul, or will it cause the government to blush and move ahead? Only time will tell on that one.

Yes, government and companies alike do need to operate in some form of secrecy. But where do you draw that line?

Transparency works. For a democracy to function correctly, it cannot veil itself in secrecy. The United States’ founding fathers were well aware of this, and one of the tenets they operated on was a transparent system of government, where citizens could comprehend the actions of the nation.

But the catch here is Wikileaks should practice responsible journalism. That organization, or any other for that matter, cannot and should not release information for the sake of releasing it. Rather, there needs to be a full-scale solid reason to run with it.

It remains troubling when you see and hear reports from organizations that promise they will not talk about any subject relating to security.

If the government and companies dealing with critical infrastructure want to keep the bad guys out and systems up and running and profitable, there needs to be an open discourse discussing best practices. Secrecy plays into the hands of the bad guys, since they know what attack vector they are going to take.

Advanced technology and open discussion about the subject will keep the critical infrastructure secure.

Talk to me: ghale@isssource.com.

Wednesday, November 10, 2010 @ 04:11 PM gHale

By Gregory Hale
There is not one end user in the industry that does not want to make sure he or she has a secure system, device, or procedure. It is a constant dance making sure everything is secure and keeping the bad guys out, while also running at full tilt to generate as much product as possible.
End users need their suppliers to knock out any kinks in the process before it hits their system.
But the challenging part is how to tell whether the device is secure or just something the supplier will tap dance around, thinking it will be able to hold off the barrage of cyber attacks that can hit a device, or system, each day.
Yes, some day there will be a bevy of standards out there, but depending on which part of the world you are sitting in, that may be a while. End users need to insist now that their systems have a cyber secure certification.
There is at least one organization now certifying devices to ensure they are cyber protected.
Achilles certifications went over the 25-device level this past week and for this industry that is a milestone. Wouldn’t you want to make sure devices you latch onto your system are protecting you?
Peter Mainz thinks so.
The president and chief executive of Raleigh, NC-based Sensus, a solutions provider in the utilities industry, wants to make sure his users, the power companies, know his product, the Sensus FlexNet 2.2 Advanced Metering Infrastructure (AMI) communications system achieved the smart grid industry’s first Achilles security certification.
“Our utility customers recognize that independently verified and repeatable assurances of security are critical for defining a reliable standard of security for the entire Smart Grid industry,” Mainz said. Security is a relatively new concept in the industry, so security certifications and standards remain fragmented in the utility sector – much more so than in manufacturing automation where the bulk of those 25 certifications landed over the past three years.
The funny thing is, this is not a rubber stamp. Of all the companies that submitted their devices for certification, “just one passed on the first go around,” said Tyler Williams, president and co-founder of Wurldtech Security Technologies, the creators of the Achilles certification program. That means the testing is rigorous and companies have to work hard for certification.
The catch is, however, users have to become better educated on security, and they have to be knowledgeable enough to demand their suppliers build in security.
“We need the help of the vendor community and the user community to demand better security in their products,” said Frank Staples, the National Security Agency’s chief of the control systems unit during the Safety Automation Forum last week at Rockwell’s Automation Fair.
“Every customer has something to lose; every customer has something to protect,” said Doug Wylie, Rockwell business development manager, Networks & Security Networks Business Group during Automation Fair last week. “Everybody has the responsibility to educate others on security.”
In this manufacturing environment where boosting productivity remains a top priority, users need to push the envelope while keeping systems chugging full steam ahead. Downtime means lost revenue and potentially lost jobs.
These folks just do not have the time to test and then retest new products coming on line. They need to understand and trust that their devices are safe and secure and ready to go right from the beginning. If not, that ends up being lost time not focused on the main priority: producing product.
In the end, it all comes down to the end user making sure their supplier understands how important certification is to keep a system as productive as possible.
“There has to be a lot of communication between end users and vendors,” said Peter Kwaspen, Strategy & Development Manager, EMEA Control & Automation Systems at Shell Projects & Technology. “It is all about dancing; you need a good partner. If you do not have a good partner and you step on each other’s toes, it will hurt after a while. Good dancers communicate and anticipate each other’s moves.”
Talk to me: ghale@isssource.com.

Wednesday, November 3, 2010 @ 11:11 PM gHale

By Gregory Hale
There was a period this past summer when the news broke about Stuxnet. While alarming, it didn’t necessarily have the industry shuddering in its knickers.
The initial news reports came and went, a lull set in, but in just over a month that came to a screeching halt. Stuxnet was a weapon. One that could potentially take out a plant in a fairly quick manner if it went totally undetected. The industry was quaking. After all, if the reports about the worm’s goal of taking out Iranian nuclear plants were true, it could be a full-fledged disaster.
Some would ask, “Why would anyone want to hit our industry?” While others would just matter of factly say, “It was just a matter of time.”

RELATED STUXNET STORIES
Stuxnet Mitigation 1.1
New Video Shows Stuxnet Infecting System
Safe From Stuxnet? Think Again
Stuxnet Aftermath: Cyber Warfare Already Here

The industry is now in another calm period. Security experts are still analyzing the details of this very nasty worm. Now every news report that has anything to do with the power industry suffering any kind of shutdown refers to Stuxnet.
On one hand you have the Iranian Defense Minister Brig.-Gen. Ahmad Vahidi saying the Stuxnet worm is “internet terrorism,” Iranian news service ISNA reported Wednesday.
Vahidi also said the worm, which infected computers controlling important Iranian infrastructure, did not have any impact on Iran’s nuclear program, the Iranian news agency reported.
On the other hand, a British nuclear power station that suffered an “unplanned outage” this week categorically denied any link to Stuxnet.
One of two reactors at Heysham 1, owned by French energy giant EDF, went offline. Parts of the site use the Siemens S7 systems, prompting speculation the sophisticated worm is to blame for the shutdown. The Stuxnet worm targeted the Siemens system for the attack.
Meanwhile Microsoft Tuesday released a record high number of software patches aimed at countering computer threats including the Stuxnet “worm” attacking industrial networks.
Microsoft ranked the 49 fixes released in importance from “critical” to “moderate” and addressed vulnerabilities in an array of Microsoft programs used in personal computers.
“Users should apply these patches ASAP,” said Trend Micro threat researcher Ivan Macalintal. “It should be a top priority.”
The unprecedented number of fixes promised to make installing the patches a chore for technology workers managing business networks.
A report on Microsoft’s patch Tuesday is usually not very big news, but when Stuxnet is involved it remains on top of everybody’s radar.
Analyzing the details behind the attack is something the experts have to do and reporting on little things related to Stuxnet is interesting, but the real key is for the industry to not sit back and wait for reports from the experts. Every manufacturer out there, big or small, needs to have a plan of attack. They need to have something on paper and then they have to go to their partners and make sure they have a plan ready to go just in case. We can’t fall asleep on this one. We have to stay one step ahead of the next Stuxnet because sure as the rain falls in an afternoon in Florida, there will be a next time.
Talk to me: ghale@isssource.com.
