PSUG: Designing a Security Program

Wednesday, November 9, 2016 @ 12:11 PM gHale


By Gregory Hale
Huhtamaki knew it had a security problem when a virus traversed the enterprise and ended up on the process system and almost shut the company down.

“We just make containers, not heavy critical infrastructure, but we need to keep our system up and running,” said Stewart Whitlow, corporate manufacturing systems manager for the Espoo, Finland-based global food packaging specialist, during a presentation Monday at the Rockwell Automation Process Solutions User Group meeting in Atlanta, GA.


Huhtamaki decided to get off the bench and not be blown away by the enormity of creating a cybersecurity solution, but they also knew they couldn’t do it alone.

“We knew we couldn’t design the perfect system,” Whitlow said. “It is like an elephant; you can’t eat it all at once. You just have to go piece by piece.”

Huhtamaki Industries started up in 1920 in Kokkola, Finland, as a candy maker, but as the company evolved over the years it moved away from candy and developed into a packaging enterprise with 86 manufacturing plants in 34 countries.

Although hardly a critical infrastructure company, they still knew they were vulnerable to an attack from the outside or from the inside. They also started working with a system integrator, Premier System Integrators.

Larry Grate, Premier’s director of technology, came in and pointed out why any company should be security conscious.

Noteworthy Attacks
He discussed the Stuxnet attack. Stuxnet was a highly complex control system virus the U.S. and Israel created to shut down Iran’s nuclear program. The virus attacked centrifuges in Iran’s Natanz uranium enrichment facility. The 2010 attack targeted ICS vendor products and system configurations. It inhibited operators from viewing the actual process and it altered PLC logic to sabotage the physical process.

The system operated with an air gap approach where there were no connections from the operating system to the enterprise.

“A lot of people think if you are air gapped you are OK, that doesn’t work out so well,” Grate said.

Grate also mentioned the Ukraine power grid attack last December, where attackers were able to get into a control system via a spear phishing attack. At least 225,000 lost power, he said.

“Operators watched helplessly while someone remotely operated the grid,” Grate said. The one saving grace was “because of how old the infrastructure was, it helped. They were able to manually bring the grid back up.” Power ended up restored after about eight hours.

A year or so after the Stuxnet attack, Whitlow started moving toward creating a security plan.

“In 2011 we started separating our process network from the business network,” Whitlow said. They also developed a defense in depth strategy.

“We had to go in and do a risk assessment,” Grate said. Part of the plan included creating awareness, an organization for security, and scope.

In addition, Grate said, they had to create a countermeasure to risk by eliminating security by obscurity and understanding personal security, physical security and network segmentation.

“You have got to isolate these things,” Grate said. “You want to do something to prevent giving easy access from one level to another.”

Enforcing Decisions
Part of that strategy included forcing themselves to enforce decisions they made, Whitlow said. They locked down their firewalls with stricter rules. When other vendors came in and wanted easier ways to get in the system, the OT folks had to say no. They also had to document their rules so everyone could be on the same page.

They also found they had a problem where networks did not scale well. Some plants had small networks, while some were large. They came up with a plan to scale everything to the same size.

They created a security document policy and got it down to a draft form, which they will take to senior management by the end of the year.

“It helps in getting management’s approval for when we go to plants and tell them about our plan,” said Whitlow, who oversees 17 plants in the U.S.

When they go to management and let them know their plan, they have to define potential threats and show what they are trying to protect, who they are trying to protect against and what could happen.

This program is a prime example of IT-OT convergence, as both sides had to sit down and hash out differences.

“IT looked at the confidentiality, integrity and availability (CIA) model, while we had to turn that around to availability first,” Grate said. “I had one incident where we talked with IT and said if you shut down a system we can’t make product.”

One other area showing how to resolve the differences between IT and OT is blacklisting and whitelisting. Grate said the IT side remains interested in blacklisting or using antivirus. On the OT side, whitelisting works better, as there is a limited amount of programming going on, so keeping an eye on what is running and protecting that is much easier.
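The blacklisting and whitelisting contrast above, as an added example that is not from the presentation or from Huhtamaki: the same four program launches are judged by a default-allow blocklist and by a default-deny allowlist built from the few programs a process workstation is meant to run. The program names and contents are constructed, and identifying programs by SHA-256 digest is an assumption of this example.

```python
import hashlib

def sha256(content: bytes) -> str:
    """Identify a program by what it contains, not by its file name."""
    return hashlib.sha256(content).hexdigest()

# Constructed stand-ins for executable images (not real software).
HMI_V1 = b"constructed HMI runtime build 1"
HMI_V2 = b"constructed HMI runtime build 2 (vendor patch)"
HISTORIAN = b"constructed historian agent build 1"
OLD_VIRUS = b"constructed sample already known to antivirus"
NEW_VIRUS = b"constructed sample no signature exists for yet"

# Allowlist: the few programs the process workstation is meant to run.
ALLOWLIST = {sha256(HMI_V1), sha256(HISTORIAN)}
# Blocklist: only what has already been seen and catalogued as bad.
BLOCKLIST = {sha256(OLD_VIRUS)}

def blocklist_permits(content: bytes) -> bool:
    """Default allow: runs unless it matches a known-bad entry."""
    return sha256(content) not in BLOCKLIST

def allowlist_permits(content: bytes) -> bool:
    """Default deny: runs only if it matches an approved entry."""
    return sha256(content) in ALLOWLIST

def compare(launches):
    """Return {label: (blocklist verdict, allowlist verdict)}."""
    return {label: (blocklist_permits(content), allowlist_permits(content))
            for label, content in launches}

# Constructed launch attempts on one workstation.
LAUNCHES = [
    ("approved HMI runtime", HMI_V1),
    ("known virus", OLD_VIRUS),
    ("new virus saved as hmi_runtime.exe", NEW_VIRUS),
    ("vendor-patched HMI runtime", HMI_V2),
]

if __name__ == "__main__":
    for label, (blk, alw) in compare(LAUNCHES).items():
        print(f"{label:36} blocklist={'run' if blk else 'stop'}  "
              f"allowlist={'run' if alw else 'stop'}")
```

The last launch shows the cost of the allowlist: a legitimate patch is stopped until the approved set is updated, which is manageable where the set of running programs rarely changes.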

“Reality is you are never going to prevent an attack. You have to design the entire network with that in mind,” Grate said. “The goal is to slow the attacker down.”


