SANS: ‘Take Cyber Off the Table’
Thursday, March 23, 2017 @ 03:03 PM gHale
By Gregory Hale
Today’s digital age has gotten to the point where the benefits continue to outweigh the negatives, but as more manufacturing automation organizations continue to expand connections, the security message needs to get smarter.
That is why users need to find the most critical element in their process and eliminate the cyber aspects, said Marty Edwards, director of the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) at the Department of Homeland Security (DHS), during his presentation Monday at the SANS ICS Security Summit in Orlando, FL.
“Any system is penetrable and if an adversary can find the weaknesses, they will get in,” Edwards said. “I think we need to go through ICS (Industrial Control Systems) and we need to find the critical functions and take cyber off the table.”
“A skilled and determined threat actor with adequate resources can cause a cyber incident,” he said. “Make the function non-cyber.”
With that in mind, think about safety systems. As safety systems become more digitized, there are shutdown functions that, once pushed, stay shut down. That could be good or bad, depending on the process and the situation, because once the process shuts down, a reboot is in order.
That is why, he said, the user needs to look at functions and find the one or two areas that could be a problem. Users need to take care of those life safety functions so they don’t fall into the wrong hands.
“I have seen the convergence of process control and safety systems and they can be breached,” Edwards said. “We need a separation of duties.”
Taking those functions offline does not remove the need for a security program. Basic cyber security functions will still be needed. The user just needs to find the vital parts of the process and protect them.
One thing they should consider is to “think about removing any and all field programmable logic from the equation. Yes, it will cost more, but for those one or two functions, it is worth it.”
The security discussion the industry is having today is much different than what Edwards heard a decade ago.
“I stood before audiences 10 years ago saying this could be something that happens,” he said. “There are attacks happening now. We are in a new cold war. We are in a new age of espionage.”
That means manufacturers should learn from what is happening in the industry, but sadly, they are not.
Edwards pointed to the 2015 attack in Ukraine. “In the Ukraine attacks, protection was just not there. This was a significant event. This was the first attack against civilian infrastructure.”
Growing Attack Surface
That attack is one thing, but the attack surface will continue to grow as the Internet of Things continues to prosper; experts are saying there will be 50 billion devices connected by 2020.
Along those lines, he said, “OT deals with vulnerabilities. IT handles vulnerabilities, but what about consumer devices?”
Attacks these days are becoming commonplace, he said.
“Malware is a business. You can buy an attack kit with a money back guarantee and a 24-hour a day services operation,” Edwards said. “I am really worried about ransomware. It is only a matter of time before bad guys know where the money is.”
That means users need to prepare because an attack can happen any time.
Along those lines, Edwards said users should be logging everything that is leaving the facility, and security needs to take a layered approach and do some fine-tuning.
“If you don’t set up technologies properly, you are potentially adding more vulnerabilities,” he said.
Some of the areas Edwards sees lacking are:
• Improper use of virtual machines
• Improper application of VLAN
• Emergence of BYOD
• Issues of ICS use of cloud
• Lack of network monitoring
In short, this cyber-informed engineering is more important today than ever as more companies join the digital age.