More Than Discussion, Security is Vital

Wednesday, May 1, 2013 @ 06:05 PM gHale


Editor’s Note: This is an excerpt from the Practical SCADA Security blog at Tofino Security.
By Thomas Nuth
Three years ago, the concept of industrial cyber security became a popular discussion topic within the industrial networking community. Now the discussion has risen to the level of heads of state within the international community. The Executive Order – Improving Critical Infrastructure Cybersecurity signed by President Obama in February is just one indication of the importance attached to this issue.

What’s also interesting is the change in focus of this discussion. The key question has changed from an interested “Why do we need to secure our industrial network?” to a frantic “How do we do it?”

RELATED STORIES
Securing SCADA: Compensating Controls
Making Patching Work for SCADA, ICS
Good, Bad and Ugly of SCADA, ICS Patching
SCADA Security: Open Phishing Season

U.S. intelligence chiefs have said cyber attacks have replaced terrorism as the primary security threat. And they are taking these threats very seriously. For example, on March 12, U.S. General Keith Alexander testified to Congress regarding an announcement made by the Pentagon Cyber Command. This announcement outlined a plan to create 13 teams, by the fall of 2015, charged with the national defense against large scale cyber attacks that could knock out domestic electric power infrastructures.

Paying the Price
So who are the cyber-attackers targeting?

To answer this question, we can refer to the Mandiant Report, an annual report compiled from hundreds of advanced threat investigations.

According to the Mandiant Report, transportation, energy and manufacturing are in the top ten most targeted industries for cyber attacks. If there was any deliberation about it before, industrial cyber security is now without a doubt an international security topic.

The costs of these cyber attacks are staggering — and difficult to estimate.

For example, the 2012 Cost of Cyber Crime Study from the Ponemon Institute put the cost of cyber attacks within the USA at $8.9 billion in 2012. However, according to the Foreign Policy National Security Newsletter, “more recent estimates have put the cost of theft as high as $338 billion per year.” We think the second number is high, but the fact remains — poor security is getting expensive. And a large portion of this total loss is incurred within the industrial automation and energy sectors.

Over a Year of Access
Built for reliability and stability rather than security, industrial infrastructure networks have long been easy targets for malware attacks. City and regional infrastructures depend on reliable access to energy and sound transportation systems. In a very real sense, all infrastructures are built upon the industrial infrastructure base. The concept of the ‘network of everything’ that futurists and city-planning commissions have spoken about optimistically for years has arrived.

But they forgot one thing: Industrial security.

According to Mandiant, 416 days is the median number of days advanced attackers have access to networks before they are detected. Yes, you read that correctly. 416 days. Imagine the damage that can be done in 416 days.

This much is certain then –there are current cyber threats that are yet undiscovered.

Industrial infrastructures are growing in size and complexity. And it’s all too clear traditional enterprise IT solutions have not been successful at safeguarding them from cyber attack. They do not meet the best-practice deep-packet inspection capability in the field, nor do they place an emphasis on zone protection network segmentation. As well, they tend to focus on preventing loss of confidential information, rather than what really matters in the industrial world – reliability and integrity of the system.

In the process automation sector alone, we typically find six to eight auxiliary networks outside of the central distributed control system (DCS). These auxiliaries can include the Safety Instrumented System (SIS), Sequence of Events (SOE), Analysis Management Data Acquisition Systems (AMDAS), Plant Information Management Systems (PIMS), Vibration Monitoring Systems, Position Location Systems, Alarm Management Systems, Fire and Gas Systems, and Building Automation Systems. As well, most companies now have some form of remote support for each of these systems.

The reach and scope of industrial IT networking has increased mobility, efficiency and operational safety. However, without proper security considerations, these growing networks only increase the vulnerability to cyber threats.

Securing SCADA, ICS
It’s evident there’s no simple solution to securing our critical infrastructure. It’s going to take time and careful planning. A combination of best practices, utilizing technologies designed for industrial security, and focused effort is the only way to mitigate the risk of attacks on industrial systems.

It is important that staff is familiar with industrial security standards. We recommend the ISA/IEC 62443 (formerly ISA99) standard. Major oil and gas and chemical companies such as Exxon, Dow and DuPont are using it and we have repeatedly seen its strategies used successfully in the field.

Particular industries also have their own standards – the North American power industry’s NERC CIP, for example.

At Tofino Security, we have developed, in partnership with exida, our own best practice for ensuring good security. To read the details about this process, download the “7 Steps to ICS and SCADA Security” white paper.

Look for technology solutions designed specifically for the plant floor, rather than for standard IT systems. Seek robust technologies that integrate with industrial network management systems. Deploy firewalls that secure industrial protocols, and practice Defense in Depth with zone-level security.

Last but not least, let’s not forget the importance of teamwork. IT and engineering teams must collaborate to ensure that best practices are in place and that innovative advances to security are developed and deployed.

Regardless of whether your organization is a critical infrastructure provider, or whether your enterprise has one or many industrial networks, securing your networks has never been more important.
Thomas Nuth, BA and MBA is a product manager at Hirschmann Automation and Control. Click here to read the full version of the Practical SCADA Security blog.



Leave a Reply

You must be logged in to post a comment.