Posts Tagged ‘cyber security’
Tuesday, January 7, 2014 @ 06:01 PM gHale
In a move to expand is security portfolio, Palo Alto Networks dealt for Morta Security, a Silicon Valley-based cyber security company operating since 2012.
Morta Security brings to Palo Alto Networks a team experienced at protecting national infrastructure as well as technologies that enhance the proven detection and prevention capabilities of the Palo Alto Networks WildFire offering, which has over 2,400 users.
“The Morta team brings additional valuable threat intelligence experience and capabilities to Palo Alto Networks” said Mark McLaughlin, president and chief executive of Palo Alto Networks. “The company’s technology developments align well with our highly integrated, automated and scalable platform approach and their contributions will translate into additive threat detection and prevention benefits for our customers.”
“Palo Alto Networks has a successful history of disrupting the network security landscape with its unique offerings” said Raj Shah, chief executive of Morta Security. “The Morta team is excited to work with the clear leaders in this space and we look forward to joining the company and contributing to future highly innovative technology leadership.”
Financial terms of the deal were not immediately available.
Monday, January 6, 2014 @ 02:01 PM gHale
By Eric D. Knapp
Digital segmentation and separation are fundamental components of basic cyber security, yet they remain difficult to implement in industrial control environments.
This is partly due to an industry-wide focus on perimeter security, a carryover from the days of air gap protection. The thinking is, “if we can recreate the air gap digitally, we will once again be secure.” However, this is fundamentally flawed thinking.
As industrial systems continue to evolve, they become more distributed, and there are more and more legitimate interconnections between internal systems within that distributed environment. The number of valid reasons for interconnectivity requires that more traffic be allowed through the perimeter, and if perimeter access isn’t denied outright, it isn’t really a gap. With that said, a more flexible approach becomes required.
Anyone who has wrestled with this conundrum understands the challenge: There are many systems that make up a distributed industrial automation system; within these systems are devices that must communicate with each other, and in some cases with devices in other subsystems. Some of these connections are purely between control devices, some are between operations and business systems, some are diagnostic in nature, but they are all very real and they’re not going away. The trick is getting the right connections in place, so that only necessary information flows occur. The necessary flows can then be secured, and the unnecessary flows prevented outright.
Purdue Reference Model
This is well defined by the Purdue Reference Model for CIM, which is crowded with flow diagrams, (appropriately) resembling neurons. These diagrams map information flow against logical device groups according to zones and conduits—each zone representing a specific group of devices that work together and require interconnectivity, and each conduit representing connectivity between zones. These concepts are ingrained into the industry’s thinking, and are a foundation for industrial cyber security. Perhaps most notably, this model is used within ISA99 and IEC 62443, where it is presented in terms of security levels, zones and conduits. So, if there are defined zones and levels, what’s wrong with existing perimeter security techniques to protect these levels and zones?
Primarily it’s an issue of semantics, but the flaw here is the term perimeter implies one big shell around an entire system, within which many devices, residing within many zones, with different security levels and conduits could all go unmanaged. In other words, what we think of as perimeter security doesn’t infer the same level of granular access controls that a properly enforced conduit provides. Of course, perimeter security is able to properly secure zones: Every zone has a logical perimeter that defines it; if all information flows are forced to cross this boundary via appropriate cyber security measures, each conduit is made more secure.
1. Many such perimeters need to be created
2. Appropriate security controls need to be put in place around each, so flows can be inspected
3. These controls need to be able to map different policies to different information flows, so each flow or conduit can be adequately protected
Using these criteria, it becomes obvious that, while there are many ways to segment zones and to enforce perimeter security, they are not always feasible or adequate.
For example, traditional segmentation mechanisms that use VLANs and/or routing would either prohibit the amount of zone separation (by using too few devices), or it would become unduly complex (requiring massive network redesign to accommodate VLANs and IP subnetting). Too simple, and the right security isn’t implemented in the right places; too complex, and the risk of misconfiguration can result in less effective security and unintentional vulnerability. The complexity of highly sub-networked or VLAN-separated systems also requires administrative overhead to operations teams, who are already strapped for IT skills and resources. Last, and certainly not least, the ICS vendors may dictate specific designs, with specific layer-2 and layer-3 configurations, making the implementation of new network segmentation contractually impossible. In other words, traditional segmentation is not feasible for deep segmentation of industrial systems.
Routing can enforce the security of information flows, as can VLANs. However, this security is not absolute, and these paths remain susceptible to attack. Generally, the higher up the OSI stack you go, the more difficult the attack will be. VLAN ‘hopping’ is a relatively simple task that renders VLANs inherently insecure; routers are more difficult to circumvent; while application layer controls are hardest to overcome. Therefore, while VLAN and network segmentation can be effective, it is not entirely adequate for use in industrial systems.
The necessity for a secure segmentation of the network is the crux of the issue: Zones and conduits exist because of a need to restrict access to and between systems, in an effort to improve the security and reliability of the overall system(s). If the information flow isn’t secure, the zone is moot. If the logical perimeter doesn’t adequately control access to the devices it contains, the system remains vulnerable.
To deploy an enterprise-class IT security device within a control environment to separate two discrete control zones, would be to pound a square peg into a round hole. It would also be difficult to justify: The device would be costly, cumbersome, and may in many cases disrupt industrial communications (typically due to latency and other performance characteristics that simply aren’t tuned for sensitive industrial networks). There is also, typically, undue complexity to help products differentiate themselves in the highly competitive enterprise security market.
The answer isn’t to develop entirely new tools, but rather to make existing cyber security tools more relevant. To do so, we must first look at the tools that are available and then determine how to make them more appropriate to industrial control systems.
The basic requirement is simple: Limit the network traffic allowed into and out of any given zone. It is a task that could be easily accomplished with a firewall, using bi-directional traffic filters to prune out unwanted traffic on unwanted ports. It is a good idea, and many cases it’s a necessary one — due to industry mandates that require the use of a firewall or similar technology for this purpose. Because firewalls filter IP traffic, they can also filter industrial control traffic running atop IP. However, while this will narrow the scope of legitimate traffic to what is authorized, even legitimate traffic needs to be inspected more closely.
Network based exploits, denial of service attacks, and insider attacks from disgruntled employees all utilize legitimate traffic in illegitimate ways. Deep packet inspection can help, by looking into packets for an indication of malicious intent. Content filtering (a feature in next generation firewalls) looks at the application contents rather than simply matching packet contents, to determine if an application is being misused. For example, to prevent access to a specific URL instead of blocking all web traffic. This provides additional granularity, but commercial content filters aim primarily at filtering web content and email, and not industrial applications. However, most application-layer firewalls lack the ability to make decisions upon the specialized application-layer protocols used within industrial systems, which ride atop TCP/IP but which establish their own application sessions, enact their own controls, and carry their own payloads.
To become relevant, the firewall must be able to understand these industrial applications, track application-layer sessions, and make decisions accordingly. To become highly relevant, the firewall should allow unwanted or unnecessary features to be disabled by default, so that they are more easily deployed and maintained in an environment staffed by operations managers and not IT managers.
Firewalls with Context
By utilizing existing firewall technology with the necessary relevance, context, and policy enforcement to filter industrial traffic and enterprise traffic; the device can adequately protect an industrial system and effectively secure zones. If the firewall can act transparently (i.e., it does not alter or impact IP communications) then it becomes feasible for deployment, by enabling zone-level separation (separation of systems by logical grouping and function) without the need for network reconfiguration. Such a firewall is much more practical for OT managers and staff because it will not interfere with approved control system designs.
Using relevant cyber security mechanisms, the complex network access policies required can finally be enforced. Through extensive filtering (using next generation firewalls that understand the nature of ICS application-layer protocols), the control network can be essentially “whitelisted.” By filtering the contents of industrial protocols, control can be highly granular and effective by defining which protocols are acceptable, which devices are authorized to communicate, and which tasks they are authorized to perform.
What this means is that zoning can finally be well defined and implemented by operators, using readily available and easy-to-use technology. This very basic and necessary first step toward a mature cyber security profile — the separation of systems into functional groups — will do more for security, reliability and safety than almost any other available security measure. Properly established zones and conduits will make unauthorized access to (and exploitation of) critical devices more difficult; they will help to isolate functional systems to minimize the impact of an incident; and perhaps most importantly, they create a strong architecture foundation upon which more sophisticated security controls can be built.
Eric D. Knapp (@ericdknapp) continues to drive the adoption of new security technology for a safer and more reliable automation infrastructures. Eric is the director of strategic alliances for Wurldtech Security Technologies. He is also the author of “Industrial Network Security: Securing Critical Infrastructure Networks for Smart Grid, SCADA, and Other Industrial Control Systems,” and the co-author of “Applied Cyber Security for Smart Grids.”
Tuesday, December 17, 2013 @ 08:12 AM gHale
What is worse, not knowing you have a security weakness and not doing anything about it or knowing you have a security issue and not doing anything about it? The answer is both are worse.
One federal agency knew it had a weakness with its cyber security, but they did nothing about it and ended up hacked to the point where private information of employees, their dependents and contractors ended up compromised, federal auditors said.
In a report released Wednesday, Department of Energy (DoE) Inspector General Gregory Friedman said the DoE breach last summer affected over 104,000 people, providing access to names, Social Security numbers, dates of birth and other information from a human-resources network.
The end result was confusion over who was in charge of making the fixes, poor communication among responsible officials and pressure to keep systems running to maintain productivity all contributed to the problems, according to the report. Sound familiar?
DoE is not the first agency to have issues with cyber security as the Inspector General had issues with the Department of Homeland Security for having a difficult time protecting itself.
The agency for months failed to patch its systems regularly against known cyber security threats or scan its networks consistently, in real time, to keep out digital malefactors, according to a report released by the DHS inspector general.
In fact, the federal government as a whole is failing to lead when it comes to cyber security best practices, said an advisory council to President Obama. The council recommended a real-time threat intelligence-sharing among private-sector entities.
A new, unclassified report to the Obama administration, the President’s Council of Advisors On Science and Technology (PCA ST) said the federal government must set the tone by fixing its own security processes.
Along those lines, auditors found DoE did not implement accepted standards for protecting its networks and failed to ensure its security controls were working effectively in many cases.
DoE has been hacked three times since May 2011, according to auditors. DoE acknowledged two incidents this year alone, telling employees in an August memo it would offer one year of free credit monitoring for impacted personnel and assistance in protecting them from identity theft.
The inspector general said those efforts, along with paid leave allowed for individuals needing to correct issues associated with the breaches, could cost the government up to $3.7 million, all of which could have been avoided.
The report said the department used complete Social Security numbers contrary to federal guidance, allowed direct Internet access to a highly sensitive system without adequate protections and failed to take action on known network vulnerabilities.
“In spite of a number of early warning signs that certain personnel-related information systems were at risk, the department had not taken action necessary to protect the [information],” Friedman said in a summary.
Despite the recent breaches, the department said in August no classified government information ended up compromised. However, hackers could use stolen employee data to access other agency systems, potentially leading to future intrusions.
Wednesday, November 6, 2013 @ 06:11 AM gHale
By Gregory Hale
Security can be that big bad all encompassing and confusing quagmire that can consume a user, or you can have Johan Nye break it down to make is seem simple and understandable.
Cyber security is a shared responsibility between suppliers, integrators and asset owners,” said Nye, senior engineering advisor at ExxonMobil Research and Engineering, co-chairman of the ISA99 Working Group 4 Subcommittee, which is developing technical requirements for the Security of Industrial Automation and Control Systems and chairman of the ISA Security Compliance Institute Governing Board, which is developing the ISASecure certification program for Industrial Automation and Control Systems cyber security. “It is a supply chain problem. It starts with suppliers where products have to be security by design and by default.
“We have a good track record with safety, but now we have to pick up security,” he said during his talk Wednesday at the 2013 Honeywell User Group (HUG) EMEA conference in Nice, France.
There are methodologies to secure industrial automation and control systems, Nye said. There is the NIST Cybersecurity Framework; there is the ISA99/IEC 62443 standard, and the ISA Security Compliance Institute.
The NIST Cybersecurity Framework is a voluntary framework to improve critical infrastructure. It can be a high level framework within your company where you can go to the executive level and talk security without having to get into the technical details. “If you start talking about things like buffer overflows you lose the executive within five minutes,” Nye said. The framework talks about risk and that is something executives can understand. What is important is how you are going to respond if the worst happens.
The ISA99/IEC 62443 standard has been in development for quite a while and has four components: General, policies and procedures, system and components. While there are subsections within those four areas, Nye said they apply to certain segments of the industry.
“What is good about having a standard is there ends up being a common terminology,” Nye said. “The standard allows everyone to talk to each other and they are on the same page.”
Standards can be intimidating at first, but after you break them down, they can become very understandable, Nye said.
“Cyber security is mainly an art. There are not enough cyber security gurus out there to secure all the critical infrastructure. What we have to do is turn an art into an engineering discipline.”
Within the standard there are areas that can make security a bit more understandable, like security zones and conduits. A zone is a grouping of logical or physical assets that share common security requirements. A Conduit is simply the connection between zones.
There is also the idea of security levels, which are somewhat similar to safety integrity levels. Security level one would simply cover an employee having an accidental or casual introduction of malware. Where security level 4 would be an attack from a nation state that could focus on an advance persistent threat.
After the user understands and implements a standard, then there is compliance and that is where the ISA Security Compliance Institute (ICSI) comes into play.
ICSI introduced ISASecure a little while ago and that is an internationally accredited conformance scheme that ensures the certification process is open, fair, credible and robust, Nye said. It provides global recognition for ISASecure conformance.
“It is important that security is thought of throughout the lifecycle,” Nye said. “Security is not like an M&M where it is hard on the outside, but soft on the inside. It has to be like a hard candy: Hard on the outside and hard on the inside.”
Wednesday, November 6, 2013 @ 05:11 AM gHale
By Gregory Hale
It is very easy to take a fatalistic approach to security because it seems attackers have the upper hand, but it doesn’t have to be that way.
“The bottom line is the bad guys are winning and we must take action,” Jeff Zindel, cyber security business leader at Honeywell Process Solutions said Wednesday during his keynote address at the 2013 Honeywell User Group (HUG) EMEA conference in Nice, France. “We must take a proactive approach to cyber security.”
With all the successful attacks and intrusions that have covered all or parts of the industry over the past three years or so, it could be easy to get lost in the hype and hysteria.
The big name attacks were Stuxnet, Shamoon, Flame, Duqu, Night Dragon, Operation Aurora, Red October and Gauss to name a few.
Industrial control systems (ICS) attacks have had a compounded annual growth rate of 54 percent, Zindel said.
Some of the drivers behind attacks are technology costs have decreased; network connections are multiplying, information sharing has grown and people are learning they can make money with attacks. While the better known cyber bad guys — like nation states, hacktivists, and cyber spies – make up a strong list of perpetrators, there is also the inside threat that provides a twist on the attack scenario.
“Inside threats represent a tremendous threat,” Zindel said. “I call them the Snowden affect. They are very hard to catch and detect.” In addition, Zindel talked about the insider risks, where trusted resources suffered a compromise where malware may have landed in a home computer and these people download that virus and unwittingly introduce it into the workplace.
With threats coming from the inside and from the outside, manufacturers have to build a solid security program.
“Building a fortress is not enough,” Zindel said. “A hard shell is not enough; air gapped islands are not enough. We need to protect from the inside out as well as from the outside in.”
“We have a path to fight the problems, a dedicated services program, a program to run just as you would run your safety program. Cyber security must be treated as a dedicated continuous program, not an event.”
There needs to be more than just one aspect of security. “Embedded security is good, but it is not enough,” Zindel said. There has to be more with ongoing solutions, systems, tools and services. No solution fits everyone’s needs, so an integrator and end user need to work together to find the right answers, he said.
Whether getting started with a security program or after you have one installed, there are some questions you need to ask to ensure you have the right focus:
• Do you know your current security risk?
• Have you identified your high value targets in systems and operations?
• What measures are you taking to protect those targets?
• Assume you have been attacked and are you aware?
“The final question you have to ask is are you ready because the attackers are coming,” Zindel said.
Tuesday, November 5, 2013 @ 08:11 PM gHale
By Gregory Hale
Safety and security or security and safety; either way, users should treat them the same.
“Take cyber security seriously as you do safety,” said Jason Urso, vice president and chief technology officer at Honeywell Process Solutions, during his technology keynote Tuesday at the Honeywell Users Group (HUG) EMEA meeting in Nice, France. “They are becoming one and the same.”
Urso added with Microsoft discontinuing support for Windows XP this coming April, there could be an extra added security issue when that happens. Since support will not be there, and the possibility of attackers learning new exploits, users could feel the security pinch.
Whether it is at the HUG Americas or here in Nice at the EMEA HUG, Urso went over a slew of new product introductions and enhancements. One of key product introduction that is not out yet, but will release shortly is the DynAMo alarm management suite.
The new suite, Urso said, can give users better visibility on how you handle alarms. “You can turn noise into knowledge.” The more users can get a grasp on the important alarms, the more that increases plant safety. In theory, it can reduce alarms by 80 percent, he said.
Urso also said 42 percent of process incidents occur because of improper operation or actions. That is where the Unisim operating training solution can come into play.
When operators are in critical moments and have to make decisions, they are overwhelmed by alarms, so the simulator can teach how to figure out which are the important alarms and which ones can wait.
One of the key products Urso talked about was Honeywell’s whitelisting solution they launched late last year.
Application whitelisting permits the execution of explicitly allowed (or whitelisted) software and blocks execution of everything else. This eliminates the execution of unknown executables, including malware.
One challenge when using application whitelisting in business networks is managing the constantly changing list of allowed applications. That burden reduces in control systems environments, because the set of applications that run in those systems is essentially static.
Application whitelisting is a solid tool to help slow down or thwart a bad guy from getting into your system. “Malware can get stopped dead in its tracks,” Urso said.
Honeywell also is adding encrypted and authenticated communications to boost its security portfolio, he said.
He also introduced Honeywell’s control room of the future where operators have a completely different view of the process and it is much easier to understand what is and is not working in the process.
In addition, Urso talked about virtualization. By “virtualizing” devices, one server can run multiple operating systems and applications simultaneously. Cutting down on the amount of servers needed and also reducing costs.
As a part of the virtualization initiative, Honeywell released a blade solution optimized for virtualization. The Experion Virtualization Solutions package allows offshore oil and gas, refining and petrochemical customers to increase operations availability and reduce costs.
Tuesday, November 5, 2013 @ 11:11 AM gHale
By Gregory Hale
The manufacturing automation industry has to take cyber security more seriously than it currently does.
“I really hope it doesn’t take a major incident to have the industry take security more seriously than it currently does,” said Darius Adamczyk, president and chief executive at Honeywell Process Solutions during his keynote address today at the EMEA Honeywell User Group (HUG) in Nice, France. “I hope this doesn’t happen to me is not a viable defense.”
The idea the industry is aware they need to understand cyber security, but doesn’t know where to start is not surprising – and believe it or not it is a sign of moving forward. It is a slow movement, but it is movement nonetheless.
How serious is the problem?
Adamczyk quoted Former Homeland Security Department Director Michael Chertoff, who spoke at an executive summit Honeywell conducted last month, saying “The single biggest threat we face is not terrorist activity, it is cyber security.”
“Cyber security is one of the most interesting areas and one we don’t take seriously enough,” he said.
Adamczyk also talked about how security can be a safety issue also.
“Safety is the single most important thing we do, whether providing safety for the process or preventing intruders on the site, cyber security is another part of safety.”
Adamczyk also talked about other initiatives and industry trends in the industry.
In terms of energy production, he said we are going through transformational times.
There has been a spike in production in the U.S. with unconventional energy. In addition, he said the North Sea is declining in production, but with some new innovations he said there could be a rebound.
In terms of regions producing energy, he said Western Europe closed 14 refineries since 2008. He said the former Soviet Union saw an increase in capacity. Middle East saw a substantial increase in capacity and national oil companies are getting more aggressive in investments. “There has been quite a change in who is making the investments.”
Mining is going through a rough time and the main reason for that is the slowdown in China. Pulp and paper, he said, has some interesting developments going on with negative growth rates predicted for North America, Western Europe and Japan, but positive growth rates in India and China.
Safety, just looking at some UK numbers which Adamczyk said is a good indicator, “safety is improving; fatalities have dropped. That is the good news. The bad news is safety has plateaued and that is a troubling trend.”
When talking about safety, the number one cause of safety incidents is operator error, Adamczyk said. That is where training and simulation programs come into play.
“It is paramount to us to provide a safe work environment,” he said.
There is one fundamental difference between safety and security and that is users can place a safety system in and know it will be working over a period of time. Yes, there has to be maintenance, but the system will be in and running. Security, though, is a very dynamic environment.
“Cyber threats change daily, monthly, and yearly,” Adamczyk said. “If you think you can put something in and you will be safe, think again.”
Monday, November 4, 2013 @ 09:11 AM gHale
Eric Byres, chief technology officer with Belden’s Tofino Security, will receive the 2013 International Society of Automation (ISA) Excellence in Leadership Award at a ceremony today in Nashville, TN.
In only its second year, this award recognizes an individual who has made significant contributions to the industry, including advancements in automation. “When considering nominations, we look for someone whose vision has fostered a paradigm shift, whose leadership has profoundly impacted the profession, and whose contributions have enhanced social value,” said Terrence G. Ives, ISA president. “This award is a way to express our appreciation for Eric’s outstanding achievements to the industry.”
Byres received the ISA Fellow in 2009 for his outstanding achievements in science and engineering. Now, his ISA peers have elected to recognize him for his leadership in developing best practices in industrial cyber security.
“Eric brings a unique combination of deep technical knowledge, combined with practical field experience to his role at Belden,” said Dhrupad Trivedi, president of Belden’s Industrial IT business. “We’re extremely proud of his efforts and that he’s being recognized as a leader by his peers. He is a key driver of Belden’s security strategy, which is focused on the unique needs of our industrial customers.”
Byres’ vision centers around two key pillars to protecting SCADA (supervisory control and data acquisition) and industrial control systems: Robust security tailored for industrial requirements and simple deployment.
Byres’ innovative approach helped invent the Tofino Industrial Security Solution – a system that protects industrial networks from external threats and internal network incidents. Its plug-and-play design allows facilities to easily implement robust security without operational downtime. This approach is a foundational piece of Belden’s Industrial IT strategy.
Frost & Sullivan named Byres’ company – at the time known as Byres Security – the 2010 World Award Winner for Industrial Network Security Solutions. This honor marked recognition for the Tofino Industrial Security Solution as the product that best enhanced customer value in the industrial automation and electronics industries in 2010.
Byres chairs several groups that are working to establish industry standards (ISA99), assess current risks and develop a framework to protect facilities from cyber attacks. He also serves as one of the industry’s go-to subject matter expert.
Thursday, October 31, 2013 @ 06:10 PM gHale
Security is becoming mainstream as 93 percent of companies globally are maintaining or increasing their investment in cyber security to combat the ever increasing threat from attacks, a new survey said.
Under cyber-attack, EY’s (Ernst & Young) 16th annual Global Information Security Survey 2013 tracks the level of awareness and action by companies in response to cyber threats and canvases the opinion of over 1,900 senior executives globally.
This year’s results show as companies continue to invest heavily to protect themselves against cyber attacks, the number of security breaches is on the rise and it is no longer a question of if, but when, a company will be the target of an attack.
Thirty-one percent of respondents report the number of security incidents within their organization has increased by at least 5 percent over the last 12 months. Many have realized the extent and depth of the threat posed to them; resulting in information security now being “owned” at the highest level within 70 percent of the organizations surveyed.
“This year’s survey shows that organizations are moving in the right direction, but more still needs to be done – urgently. There are promising signs that the issue is now gaining traction at the highest levels. In 2012, none of the information security professionals surveyed reported to senior executives – in 2013 this jumped to 35 percent,” said Paul van Kessel, EY Global Risk Leader.
Despite half of the respondents planning to increase their budget by 5 percent or more in the next 12 months, 65 percent cite an insufficient budget as their number one challenge to operating at the levels the business expects; and among organizations with revenues of $10 million or less this figure rises to 71 percent.
Of the budgets planned for the next 12 months, 14 percent ended up ear-marked for security innovation and emerging technologies. As current technologies become further entrenched in an organization’s network and culture, organizations need to be aware of how employees use the devices, both in the workplace and in their personal lives. This is especially true when it comes to social media, which respondents identified as an area where they continue to still feel unsure in their capability to address risks.
Although information security is focusing on the right priorities, in many instances, the function doesn’t have the skilled resources or executive awareness and support needed to address them.
In particular, the gap is widening between supply and demand, creating a sellers’ market, with 50 percent of respondents citing a lack of skilled resources as a barrier to value creation. Similarly, where only 20 percent of previous survey participants indicated a lack of executive awareness or support, 31 percent now cite it as an issue.
Click here to download the full report.