IT Getting an OT Education

Wednesday, August 19, 2015 @ 06:08 PM gHale

By Gregory Hale
It wasn’t that long ago when a well-known ICS security professional was feeling down because of the influx of IT security people invading the industrial sector.

“There are just too many people in here now that don’t know a PLC from a solenoid trying to offer advice to people who want to do the right thing. But these people don’t know how to separate fact from fiction,” the pro said.

Who could disagree?

While the IT-OT schism remains an immediate cause for concern, after attending the mainly IT-centric Blackhat USA 2015 security conference a couple of weeks ago, it appears the IT side of the house wants to start understanding what industrial security is all about and how it differs from IT security. Securing critical infrastructure grows more important every day, and the more intelligence the IT environment gets about the OT side, the better off all manufacturing automation companies will be. After all, IT does have an excellent track record for security and has been at it for quite a while, albeit from a different angle.

Yes, IT security professionals need to know the importance of availability. They need to know a plant system cannot go down for a couple of hours so someone can work on a few things. In some cases those systems have to stay up and running for years at a time.

There was a glimmer of hope, though. Take the preconference event by Invincea, where Kim Zetter, author of Countdown to Zero Day, and Vikram Thakur, a senior researcher from Symantec, kicked off the week with a discussion about the importance of the Stuxnet attack and what it all meant. Granted, the talk had an IT slant and didn’t really get into what breaking into a nuclear plant’s control system meant for the plant itself, but they did have a long discussion about the attack.

Whether anyone agreed or disagreed with the panelists, it was clearly a shout out for the industrial control system environment.

Chemical Plant Hack

Then there was a talk on how to break into a chemical plant.

Marina Krotofil, senior security consultant at the European Network for Cyber Security, gave a talk before a packed room entitled, “Rocking the Pocketbook: Hacking Chemical Plants for Competition and Extortion.” The interesting thing is Krotofil gave a quick basics course on the manufacturing automation industry and the importance of keeping systems up and running because of the dangerous possibilities of a successful hack.

Understanding the future of cyber-physical systems security will pay off in terms of keeping a plant safe, Krotofil said.

Yet another talk focused on Globalstar satellite transmissions, used to monitor water pipelines and oil and gas drilling operations, which can be compromised so that the messages they carry are altered.

“Hackers can inject data into systems. These are 20-year-old systems built before security was thought of,” said Colby Moore, a security researcher at Synack. Sound familiar?

In these old systems, “there is no encryption and everything is done in plain text,” Moore said. “That may have been the case years ago, but there is no excuse today.”

From oil and gas devices to tracking fleets to consumer products, there are millions of devices deployed, Moore said.

Shamoon Revisited

Then another talk focused on Shamoon, the brutal attack that took down 35,000 computers at oil giant Saudi Aramco back in 2012.

For those who don’t remember, Shamoon was a computer virus that attacked computers running Microsoft Windows. Shamoon was capable of spreading to other computers on the network through exploitation of shared hard drives. Once a system was infected, the virus compiled a list of files from specific locations on the system, erased them, and then sent information about those files back to the attacker. Finally, the virus overwrote the master boot record of the system to prevent it from booting.
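The last step in that description, overwriting the master boot record, is what turned infected machines into bricks. From a defender's side, the MBR is a small, well-defined 512-byte structure, so its integrity is cheap to baseline and verify. The following is an added example, not code from the article or from any of the speakers: it parses the MBR layout (boot code, four partition entries, the 0x55AA boot signature), records a known-good baseline, and reports what changed when a later read no longer matches. The disk image is a constructed buffer built in the script, not a capture from a real system.

```python
"""Added example (not from the article): baseline-and-verify check for a disk's
master boot record, the structure Shamoon overwrote to leave machines unbootable.
The MBR bytes below are constructed for illustration, not read from a real disk."""
import hashlib
import struct

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"  # last two bytes of every valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Parse a 512-byte MBR into boot-code hash, partition table and signature flag."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        offset = 446 + 16 * i  # partition table starts at byte 446, 16 bytes per entry
        # status(1) CHS-start(3, skipped) type(1) CHS-end(3, skipped) LBA-start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, offset)
        partitions.append({
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "partitions": partitions,
        "boot_code_sha256": hashlib.sha256(sector[:446]).hexdigest(),
    }


def verify_mbr(sector: bytes, baseline: dict) -> list:
    """Compare a freshly read MBR against a trusted baseline; return a list of findings."""
    findings = []
    current = parse_mbr(sector)
    if not current["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if current["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code changed")
    if current["partitions"] != baseline["partitions"]:
        findings.append("partition table changed")
    return findings


def build_sample_mbr() -> bytes:
    """Constructed known-good MBR: placeholder boot code plus one bootable NTFS-type partition."""
    boot_code = b"\xEB\x3C\x90" + b"\x90" * (446 - 3)  # jump + NOP filler, 446 bytes
    entry = struct.pack("<B3sB3sII",
                        0x80,                 # bootable flag
                        b"\x20\x21\x00",      # CHS start (ignored by modern loaders)
                        0x07,                 # partition type 0x07 (NTFS/exFAT)
                        b"\xFE\xFF\xFF",      # CHS end
                        2048,                 # first LBA
                        1_000_000)            # sector count
    table = entry + b"\x00" * 48  # remaining three entries empty
    return boot_code + table + BOOT_SIGNATURE


if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = parse_mbr(good)
    print("clean disk findings:", verify_mbr(good, baseline))
    # Simulate a wiper overwriting the whole sector with filler bytes.
    wiped = b"\x41" * MBR_SIZE
    print("wiped disk findings:", verify_mbr(wiped, baseline))
```

In practice the baseline would be taken from a trusted read of each host's first sector at build time and stored off-host, so that a wiper that rewrites the sector cannot also rewrite the reference; the comparison itself is the same as in the script.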

Saudi Aramco, RasGas and SAFCO all fell victim to the attack. It was a two-pronged attack during Ramadan, said Christina Kubecka, who gave the Shamoon talk, entitled “How to Implement IT Security after a Meltdown.” Over 50 percent of Windows systems ended up affected and the virus corrupted 35,000 systems.

Kubecka’s talk really focused on the IT side, but she also understood the differences between IT and OT.

“What IT doesn’t understand is a power plant can’t do a quick reboot to start the system,” she said. “ICS was separated (during the attack) and that was fantastic.”

While Saudi Aramco’s production did not suffer from the attack, the aftermath was a problem for the entire country.

“Tanker trucks were lined up for miles waiting to get refined gasoline,” Kubecka said. “Seventeen days after the attack there were gasoline shortages around Saudi Arabia. ICS and IT networks remained isolated. There were no emails, no phones, and no fax machines.”

Are IT and OT on the same page? No way. But they are in the same book. That is a positive that came out of the conference. While there will still be doubters and naysayers about IT working in the ICS space – and it will take years to get on the same page – there remains hope IT and OT will be able to forge a good working relationship.

Talk to me.

Gregory Hale is the Editor and Founder of Industrial Safety and Security Source (