Industrial Control’s ‘Subversive Six’

Tuesday, November 1, 2016 @ 06:11 PM gHale


By Katherine Brocklehurst
Self-described “Mr. Potatohead,” aka Sean McBride, gave a keynote at Belden’s annual Industrial Ethernet Infrastructure Design Seminar (IEIDS) in October.

Sean is the lead analyst for critical infrastructure at iSight, a specialist in securing industrial control systems (ICS) and operations environments. FireEye acquired iSight in January this year.

Sean gave an exceptional keynote drawn from his life experiences in the Idaho potato industry and from his years in forensic and analyst work to help secure critical infrastructure and industrial control systems.


Sean masterfully wove his talk from the fields of Idaho to the control floor of industrial businesses we can all relate to. He highlighted the potentially “unseen” risks within potato farming and harvesting processes.

Subversive Six
The “Subversive Six” is a name he uses to describe the unseen risks within our own industrial infrastructures. For each of these he shared current trends and what risks iSight/FireEye can see from their world of surveillance and analysis.
1. Unauthenticated protocols – Many of the most commonly used industrial protocols for communicating with ICS are unauthenticated. He said groups and hacker communities his organization tracks around the world have invested a lot of time in learning the inner workings of these protocols and the equipment that uses them. Since the protocols and equipment were not designed with security in mind, this is an often “unseen” area of vulnerability that can cause disruption, such as modifying set points or function codes, altering firmware and even starting or stopping the PLC.

2. Outdated Hardware – Many ICS are not built to handle the volume and types of traffic crossing industrial networks today. Sean noted the reasonably well-known incident reported by the U.S. Nuclear Regulatory Commission (NRC), in which PLCs and VFDs at Browns Ferry Nuclear Generating Station malfunctioned in 2006 as a result of excessive network traffic.

3. Weak Password Management – What ICS talk would be complete without this topic? This is an area every single industrial organization could take action on today to identify and mitigate. Sean highlighted a well-known group of Russian security researchers who maintain the website www.scadastrangelove.org and have made it a study to document all default and hard-coded passwords in ICS/SCADA equipment. One vendor’s PLCs have 7 hard-coded passwords. Sean asked: at what point do vendors and developers need to take some ownership?

4. Weak File Integrity Checks – In March 2016, researchers demonstrated a PLC worm that spread from one Siemens PLC to another simply by modifying control logic. Other PLCs using unencrypted protocols are susceptible to similar attacks, and firmware updates have become a favorite target of outsiders.

5. Vulnerable Windows Operating Systems – This one is relevant because two of the most widely used Microsoft Windows versions, XP and 2003 Server, have been dropped from Microsoft support. Those “end-of-life/no more patches or alerts” dates were April 2014 for Microsoft Windows XP and April 2015 for Microsoft Windows 2003 Server. Sean’s point here is that just because you’re not receiving alerts, don’t assume there aren’t weaknesses or vulnerabilities that can be easily exploited in these operating systems.

6. Undocumented Third Party Relationships – This is important. You hear about “supply chain” vulnerabilities and “you’re only as secure as your weakest link,” but Sean highlighted that if a vulnerability exists or surfaces against Windows 7, you can bet it may also apply to older operating systems. You’re just not getting notified, because no notifications are issued any more for those older operating systems: Windows XP, embedded versions and Windows 2003. Further, there are targeted exploit kits available and in widespread use that heavily leverage multiple known CVEs (Common Vulnerabilities and Exposures).
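Items 1 and 2 above describe the same weakness from two angles: the protocol carries nothing that identifies or authenticates the sender, and the devices on the other end cannot absorb unexpected traffic volumes. The following monitor, an added example that is not code from the article, Belden or iSight/FireEye, shows what a defender can still do with such traffic. It parses the Modbus/TCP MBAP header and function code of each frame, flags write or diagnostic function codes from hosts outside an allow-list (source address being the only thing left to anchor a write policy on), and flags any host exceeding a per-second frame rate. The frames, addresses and thresholds are constructed for illustration; the function code values come from the public Modbus specification.

```python
"""Added example, not code from the article, Belden or iSight/FireEye: a
minimal Modbus/TCP monitor. It parses the MBAP header and function code of
each frame and raises an alert when (a) a write or diagnostic function code
arrives from a host that is not on the allow-list, or (b) any host exceeds
a per-second frame threshold. Frames, addresses and thresholds are
constructed for illustration."""
import struct
from collections import defaultdict

# Function codes from the public Modbus application protocol specification.
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}   # write coils / registers
DIAGNOSTIC_FUNCTIONS = {8}                 # diagnostics (counter resets, restart comms, ...)


def parse_mbap(frame: bytes):
    """Return (transaction_id, unit_id, function_code) for a Modbus/TCP frame.

    Raises ValueError on malformed frames so the caller can log those too."""
    if len(frame) < 8:
        raise ValueError("shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    if length != len(frame) - 6:        # length field counts unit id + PDU
        raise ValueError("MBAP length does not match frame size")
    return tid, unit, frame[7]


def build_frame(tid: int, unit: int, pdu: bytes) -> bytes:
    """Assemble a Modbus/TCP frame (used here only to construct sample data)."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def inspect_frames(frames, allowed_writers, flood_threshold):
    """frames: iterable of (timestamp_seconds, src_ip, raw_bytes). Returns alert strings.

    Nothing in the frame authenticates the sender, so the source address is the
    only thing a monitor can anchor a write policy on."""
    alerts = []
    per_second = defaultdict(int)       # (src, whole second) -> frame count
    flooded = set()                     # hosts already reported for flooding
    for ts, src, raw in frames:
        try:
            tid, unit, fc = parse_mbap(raw)
        except ValueError as exc:
            alerts.append(f"malformed frame from {src}: {exc}")
            continue
        if fc in (WRITE_FUNCTIONS | DIAGNOSTIC_FUNCTIONS) and src not in allowed_writers:
            alerts.append(f"unexpected function {fc} to unit {unit} from {src} (tid {tid})")
        key = (src, int(ts))
        per_second[key] += 1
        if per_second[key] > flood_threshold and src not in flooded:
            flooded.add(src)
            alerts.append(f"request flood from {src}: more than {flood_threshold} frames/s")
    return alerts


def sample_alerts():
    """Run the monitor over a constructed capture: an HMI polling registers, an
    allow-listed engineering workstation writing a set point, an unknown host
    writing and sending diagnostics, a truncated frame, and a burst of polls
    from the unknown host."""
    read_regs = b"\x03\x00\x00\x00\x0a"     # FC 3: read 10 holding registers from 0
    write_reg = b"\x06\x00\x10\x00\x2a"     # FC 6: write value 42 to register 16
    diag = b"\x08\x00\x00\x12\x34"          # FC 8: diagnostics sub-function 0 (echo)
    capture = [
        (0.0, "10.0.0.10", build_frame(1, 1, read_regs)),
        (0.1, "10.0.0.20", build_frame(2, 1, write_reg)),
        (0.2, "10.0.0.99", build_frame(3, 1, write_reg)),
        (0.3, "10.0.0.99", build_frame(4, 1, diag)),
        (0.4, "10.0.0.99", b"\x00\x05\x00\x00"),
    ]
    capture += [(1.0 + i * 0.01, "10.0.0.99", build_frame(10 + i, 1, read_regs))
                for i in range(12)]
    return inspect_frames(capture, allowed_writers={"10.0.0.20"}, flood_threshold=10)


if __name__ == "__main__":
    for line in sample_alerts():
        print(line)
```

On the constructed capture this produces four alerts: the unknown host's write, its diagnostics request, the truncated frame, and one flood notice for its burst of polls. The flood check is deliberately crude (frames per whole second per host); a production monitor would tune the threshold per device class, since the Browns Ferry-style failure mode is about what the PLC or VFD can absorb, not about any single packet.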
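Item 4 (weak file integrity checks) is the one where a small amount of engineering closes most of the gap. The following pattern, an added example that is not code from the article or from any PLC vendor, has the engineering workstation record a SHA-256 digest per control-logic or firmware artifact in a manifest and authenticate the manifest with an HMAC key it alone holds; the verifier recomputes the digests and refuses any manifest whose tag does not verify, so altering the logic and rewriting the manifest to match is not enough without the key. Artifact names, contents and the key are all constructed for illustration.

```python
"""Added example, not code from the article or from any PLC vendor: an
integrity-check pattern for control logic or firmware images. The engineering
workstation writes a SHA-256 digest per artifact into a manifest and
authenticates the manifest with an HMAC key; the verifier recomputes digests
and refuses a manifest whose tag fails, so someone who alters logic cannot
simply rewrite the manifest to match. Names, contents and the key are
constructed for illustration."""
import hashlib
import hmac


def digest(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def build_manifest(artifacts: dict, key: bytes) -> bytes:
    """artifacts: {name: bytes}. One 'name digest' line per artifact (sorted),
    then a final 'mac <hex>' line authenticating everything above it."""
    body = "".join(f"{name} {digest(blob)}\n" for name, blob in sorted(artifacts.items()))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return (body + f"mac {tag}\n").encode()


def verify(manifest: bytes, deployed: dict, key: bytes) -> dict:
    """Compare what is deployed against the manifest. If the manifest's tag does
    not verify, its contents are not consulted at all."""
    untrusted = {"manifest_ok": False, "modified": [], "missing": [], "unlisted": []}
    lines = manifest.decode().splitlines()
    if not lines or not lines[-1].startswith("mac "):
        return untrusted
    body = "".join(line + "\n" for line in lines[:-1])
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, lines[-1][4:]):   # constant-time compare
        return untrusted
    listed = dict(line.split(" ", 1) for line in lines[:-1])
    return {
        "manifest_ok": True,
        "modified": sorted(n for n, h in listed.items()
                           if n in deployed and digest(deployed[n]) != h),
        "missing": sorted(n for n in listed if n not in deployed),
        "unlisted": sorted(n for n in deployed if n not in listed),
    }


def demo() -> dict:
    """Constructed scenario: approved logic, the same logic with one instruction
    changed plus an extra block, and a manifest forged without the real key."""
    key = b"constructed-demo-key-held-only-by-the-engineering-workstation"
    approved = {
        "main_ob1.bin": b"LD I0.0\nAND I0.1\n= Q0.0\n",
        "safety_fb.bin": b"CALL FB_ESTOP\n",
    }
    manifest = build_manifest(approved, key)
    tampered = dict(approved)
    tampered["main_ob1.bin"] = b"LD I0.0\nOR I0.1\n= Q0.0\n"   # AND became OR
    tampered["rogue.bin"] = b"CALL FB_UNKNOWN\n"
    forged = build_manifest(tampered, b"not-the-real-key")     # attacker lacks the key
    return {
        "clean": verify(manifest, approved, key),
        "tampered": verify(manifest, tampered, key),
        "forged": verify(forged, tampered, key),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
</code>
```

The tampered case reports `main_ob1.bin` as modified and `rogue.bin` as unlisted; the forged case is rejected outright because the tag does not verify. The caveat a practitioner should note: the HMAC key must never live on the PLC or on the shared plant network, otherwise anyone who can modify logic can also re-sign the manifest. Where verifiers are numerous, an asymmetric signature over the manifest is the better design, since verifiers then hold only a public key.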

Mr. Potatohead brought a highly relatable talk that created industrial cyber security awareness, backed it up with details and urged the listeners to take action. Belden’s IEIDS engineering attendees felt compelled to learn more and mobbed him with questions after the event.
Katherine Brocklehurst is with Belden’s Industrial IT group. Her area of responsibility covers industrial networking equipment and cyber security products across four product lines and multiple market segments. She has 20 years of experience in network security, most recently with Tripwire.


