Security: Ease the Pain …

Wednesday, January 6, 2016 @ 04:01 PM gHale

EDITOR’S NOTE: This is the first in a series of stories looking forward to the new year and beyond for safety and security in the manufacturing automation sector. This week, ISSSource looks at security, next week safety.
By Gregory Hale
The fear of security can be a painful experience. Now it is time to finally ease that pain.

Last year clearly was the year of stronger awareness. While the security world became aware of the threat a long time ago, a general understanding of the potential for attack from the rank and file and from the executive suite became abundantly clear over the past 365 days.

Awareness, however, does not always mean action. This coming year has the potential to see more knee-jerk reactions to security incidents that battle-weary security veterans will continue to ward off. But it doesn’t have to be that way. These ICS security professionals will continue to stress the importance of building a solid security program.

Much to the chagrin of experts analyzing the industry, users think of security purely as a technology issue, and it is to a certain degree. But it is so much more. The idea of people, process and technology truly comes into play.

People continue to be the weakest link in security, but have the potential to be the strongest asset. But for that to happen manufacturers have to train and force workers to think of security much like safety.

That scenario leads to creating a security process that leans on the various security standards out in the industry like IEC 62443. Manufacturers need to focus on making sure everyone remains vigilant and on top of their games at all times.

Obviously, there is solid technology out there that can reduce the impact of an attack, but providers need to understand what they need to protect and then apply the proper technology. Users cannot just throw technology at the problem and expect results. There needs to be a well-thought-out plan that does not try to take on the enormity of the issue all at once, but rather tackles the problem on a project-by-project basis that keeps growing.

Safety AND Security
During this past year more manufacturing automation professionals understood the idea that safety and security go hand-in-hand. While some principles do differ, the ideas of understanding risk and mitigating that risk are the same.

Differences come into play when you look at the constant change in security, where countermeasures need to change almost on a daily basis, which flies in the face of the set-and-forget mentality that prevails in the industry. On top of that, the maturity level on the security front is not as evident as it is for safety.

On the other hand, safety has well-defined standards and practices, so safety professionals have a greater degree of confidence that the system as it stands should provide a degree of safety for the process and the facility. Safety and security need to provide a united front where each area can learn from and share expertise with the other.

Changing Mindset
As mentioned, security does fly in the face of conventional thinking. That only makes sense. Bad guys don’t live by the rules, whereas manufacturing automation professionals live by rules or standards, under which what worked yesterday will surely work today and tomorrow. That thinking has to change.

That all means understanding the system and knowing when things are out of whack and not looking right remains a key factor moving forward. With the potential for advanced persistent threats (APT) infiltrating systems and taking up residence for a period of time to learn the ins and outs of a system, knowing the system and understanding what should and should not be going on is vital. That is where one technology, application whitelisting, can really pay dividends. Application whitelisting permits the execution of explicitly allowed (or whitelisted) software and blocks execution of everything else. This eliminates the execution of unknown programs, including malware.

One challenge when using application whitelisting in business networks is managing the constantly changing list of allowed applications. That burden is much smaller in control system environments, because the set of applications that run in those systems is essentially static.

Yes, whitelisting is not the only answer, but it is one solution to add to the arsenal needed to boost protection.
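The default-deny decision described above, as an added illustration (not code from the article or from any whitelisting product): an executable runs only if the SHA-256 of its contents matches an entry in an explicitly approved baseline, which in a control system changes rarely. The program names and contents are constructed samples; real deployments hash the files on disk.

```python
"""Application whitelisting (allowlisting) check: approve by content hash, block everything else."""
import hashlib
from typing import Dict, List, Tuple

# Constructed sample "executables": name -> file contents. Bytes stand in for
# files so the example runs offline; in practice read and hash the binaries on disk.
APPROVED_BINARIES: Dict[str, bytes] = {
    "hmi.exe": b"hmi build 4.2 (constructed sample)",
    "historian.exe": b"historian build 1.7 (constructed sample)",
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(binaries: Dict[str, bytes]) -> Dict[str, str]:
    """Record the digest of every approved program. Because the set of programs in a
    control system is essentially static, this list is built once and reviewed on change."""
    return {name: sha256(data) for name, data in binaries.items()}


def check_execution(baseline: Dict[str, str], name: str, data: bytes) -> Tuple[bool, str]:
    """Default deny. Only an exact content hash in the baseline is allowed, so a renamed
    approved binary still runs, while a modified or unknown one is blocked with a reason."""
    digest = sha256(data)
    if digest in baseline.values():
        return True, "approved hash"
    if name in baseline:
        return False, "approved name but hash differs: modified or replaced binary"
    return False, "not on the allowlist"


def audit(baseline: Dict[str, str], observed: Dict[str, bytes]) -> List[Tuple[str, bool, str]]:
    """Evaluate every program attempting to execute and return (name, allowed, reason) rows."""
    report = []
    for name, data in observed.items():
        allowed, reason = check_execution(baseline, name, data)
        report.append((name, allowed, reason))
    return report


BASELINE = build_baseline(APPROVED_BINARIES)

# Constructed execution attempts: one untouched, one tampered copy, one unknown program.
OBSERVED: Dict[str, bytes] = {
    "hmi.exe": APPROVED_BINARIES["hmi.exe"],
    "historian.exe": b"historian build 1.7 (constructed sample) + injected payload",
    "updater.exe": b"something never approved (constructed sample)",
}

if __name__ == "__main__":
    for name, allowed, reason in audit(BASELINE, OBSERVED):
        print(f"{'ALLOW' if allowed else 'BLOCK':5} {name:15} {reason}")
```

Every blocked row is worth an alert: in a static environment a hash mismatch or an unlisted program is exactly the "things out of whack" signal the text describes.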

Experts See ‘More of the Same’
By Gregory Hale
When you hear the phrase “more of the same” it can connote the “same old thing,” which can conjure up thoughts of boring, or rote kinds of security.

But to security expert Eric Byres, as he adroitly points out, “more of the same” means much, much more.

“I think 2016 will bring us ‘more of the same’ with a big emphasis on ‘More.’ More publicly disclosed vulnerabilities, more published ICS exploits, more sophisticated attacks directed at control systems, more insecure IP devices connected to the control network, more interconnections from the outside world to the control system and of course, more hand wringing and gnashing of teeth about the sad state of the industry,” Byres said.

Byres is not the only expert to feel that way.

“I believe that 2016 will continue the trend of attacks against automation and control infrastructure,” said Joel Langill, operational security professional and founder of “Events that have occurred over the past 3-5 years have shown the sophistication of these attacks is increasing, indicating the opponent is gaining more industry- and system-specific knowledge. My observations and analysis show more and more of these attacks will succeed due to the lack of a cyber security program based on operational security principles. The influx of organizations into the industrial sector that lack these OpSec principles has caused many organizations to focus too much of their attention and budgets to externally-originated threats leaving them extremely vulnerable to numerous inside vectors.”

Building Security from Within
In keeping with the changing-mindset refrain, security needs to focus on protecting from within rather than relying on a hardened perimeter. The concept of the hard exterior worked years ago, but as the industry learned from Stuxnet, if someone wants to get into a system, it doesn’t matter if there is a hardened perimeter or an air gap, they will get in.

That means conducting a true system assessment becomes paramount to understanding what and where you have to protect. After all, you cannot design in security until you know what it is you are protecting. Documenting what users have installed is vital because they often don’t even know what they have on their systems. That can lead to building in zones and conduits, which can break the system down and partition it. It is then possible to do a risk assessment on each individual zone.

Threats: Inside, Outside
Using the zones and conduits model also shows it doesn’t really matter if the attack is coming from the outside or the inside. The idea is locating the attack and mitigating it within the partitioned zone.

One misconception debunked over 2015 is that most threats come from the outside. It became clear the inside threat was much more prevalent and caused much more discord for manufacturers.

The insider threat has become so much of a problem the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center created a guide to help organizations guard against malicious insider activity.

The guide – “Combating the Insider Threat” – includes an expansive list of behavioral characteristics of insiders that could become a threat to the integrity of networks and information security.

Here’s what to watch out for: Introverts, greed or financial need, compulsive behavior, reduced loyalty, a penchant for minimizing one’s mistakes or faults, intolerance to criticism, moral flexibility, a lack of empathy and a pattern of frustration or disappointment.

An insider threat is a current or former employee, contractor, or other business partner who has or had authorized access to an organization’s network, system, or data and intentionally misused that access to negatively affect the confidentiality, integrity, or availability of the organization’s information or information systems.

IT/OT Convergence
Like it or not, IT and OT need to work closer together to ensure a secure enterprise and plant floor. IT has been in the security game quite a bit longer than the plant floor, so understanding IT’s experience and correctly applying its knowledge is important. On the flip side of the coin, IT has to understand what the plant floor is all about, and that keeping the system up and running is job one.

There are two sides to the firewall, which means IT operates on one side and OT on the other. That does not mean the two sides are separate islands; it just means each side’s expertise is predominant in its own area. Stronger emphasis on communication, and understanding that the true end result is keeping the system up and running and producing product, remains vital moving forward.

IIoT Increases Attack Vector
The IT/OT convergence also plays into the increase in connectivity moving forward. So when you talk about increased connectivity, the phrase Industrial Internet of Things (IIoT) comes leaping forward.

While IIoT is the marketing phrase right now, whatever its moniker, the idea of increased connectivity is here to stay and has the potential to wreak havoc on the entire enterprise, from the business side to the manufacturing front. The number of potential attack vectors ratchets up many times over.

Greater connectivity means more knowledge, which means increased opportunities, and it all revolves around security. It also means security needs to have a stronger presence than it currently has.

While the industry talks about IIoT, few have really moved forward on how they could reap the benefits. The good part is the movement is going to happen and if the manufacturer is smart, it can incorporate security in from the beginning.

Experts have said the impact from IoT, which is IIoT’s big brother, could reach over $11 trillion by 2025. The following are five steps that could lead to a secure IIoT implementation:
1. Assess
2. Migrate/update
3. Proper design
4. Protection
5. Monitor

When it comes to the assess stage, users must know what they have, where it is, what it does and who owns and manages it.

In the migrate/update stage, users should make Ethernet their foundation.

In creating the proper design, end users need to focus on the network and create a zones and conduit segmentation model.

In the protection stage there are internal and external risks, which means there should be overlapping security.

The fifth stage covers monitoring the network, which means users need to make a plan that calls for regular maintenance, constant monitoring of the network, system-failure alerts and established response protocols.

Cloud Coverage
Cloud usage is continuing its growth curve, but that doesn’t mean there are not growing pains in the process.

Critical applications like collaboration, storage, CRM and ERP are moving to the cloud. This means the critical mass of corporate data will eventually migrate to the cloud.

The cloud offers numerous benefits, but fears of a not-so-secure cloud are keeping company leaders up at night, because they have major IP they could lose if there is a breach.

The growth of the cloud and the corresponding expansion of the perimeter create a huge challenge for IT professionals looking to protect their enterprises from emerging attacks. An analysis of what data is truly important, added to an increase in user education and empowerment, will ensure security can keep up with the tremendous growth of the cloud.

Cyber Insurance
Cyber risk is a major and fast-increasing threat to businesses with cyber crime alone costing the global economy $445 billion a year, with the world’s largest 10 economies accounting for half this total, one report said.

Almost 15 years ago, cyber attacks were fairly rudimentary and typically the work of hacktivists, but with increasing interconnectivity, globalization and the commercialization of cyber crime there has been an increase in frequency and severity of cyber attacks.

Cyber insurance is no replacement for robust security but it creates a second line of defense to mitigate cyber incidents.

Increasing awareness of cyber exposures as well as regulatory change will propel the growth of cyber insurance. With fewer than 10 percent of companies currently purchasing cyber policies, one forecast is calling for cyber insurance premiums to grow globally from $2 billion per year today to over $20 billion over the next decade.

Showing the growth in costs, after an increase in attacks on U.S. companies over the past two years, insurers are now hiking cyber premiums.

While the issue crosses industry borders, the manufacturing automation sector has been keeping an eye on the topic for years. On top of rate hikes, insurers are raising deductibles and in some cases limiting the amount of coverage to $100 million. While that number may seem large, that actually could leave companies exposed to the huge costs an attack could incur.

One of the challenges for insurers has always been to identify the scope of potential financial liabilities when it comes to a data breach. Much of that has been because of a lack of information to understand the potential financial impact of a breach. However, with the rise in breaches, insurers have data they need to assess risk and the results are staggering.

That means insurers see the financial risks of a breach go beyond initial clean up. The price of cyber coverage, which helps cover costs like forensic investigations, credit monitoring, legal fees and settlements, varies widely, depending on the strength of a company’s security.

Boomers Departing
The issue of Baby Boomers getting ready to leave the industry has been a topic of concern for years, but the exodus is continuing and the remedy put forth by most manufacturers has been ad hoc at best.

One thing that will help is to have more automation to replace empty seats, but it also helps to standardize and make sure everyone has training and understands standard operating procedures.

Boomers retiring and taking their knowledge with them could hurt, but with younger, more computer-savvy engineers coming in, there could be a boost in the initial understanding of the importance of thinking about security.

To say security in the manufacturing automation sector is top of mind for company leaders is an understatement; the catch is for companies, big, medium or small, to start moving forward with a plan, which can cut down on any pain from an attack.
Gregory Hale is the Editor and Founder of Industrial Safety and Security Source (