Posts Tagged ‘cyber security’
Wednesday, November 6, 2013 @ 06:11 AM gHale
By Gregory Hale
Security can be that big bad all-encompassing and confusing quagmire that can consume a user, or you can have Johan Nye break it down to make it seem simple and understandable.
“Cyber security is a shared responsibility between suppliers, integrators and asset owners,” said Nye, senior engineering advisor at ExxonMobil Research and Engineering, co-chairman of the ISA99 Working Group 4 Subcommittee, which is developing technical requirements for the Security of Industrial Automation and Control Systems and chairman of the ISA Security Compliance Institute Governing Board, which is developing the ISASecure certification program for Industrial Automation and Control Systems cyber security. “It is a supply chain problem. It starts with suppliers where products have to be security by design and by default.
“We have a good track record with safety, but now we have to pick up security,” he said during his talk Wednesday at the 2013 Honeywell User Group (HUG) EMEA conference in Nice, France.
There are methodologies to secure industrial automation and control systems, Nye said. There is the NIST Cybersecurity Framework; there is the ISA99/IEC 62443 standard, and the ISA Security Compliance Institute.
The NIST Cybersecurity Framework is a voluntary framework to improve critical infrastructure. It can be a high level framework within your company where you can go to the executive level and talk security without having to get into the technical details. “If you start talking about things like buffer overflows you lose the executive within five minutes,” Nye said. The framework talks about risk and that is something executives can understand. What is important is how you are going to respond if the worst happens.
The ISA99/IEC 62443 standard has been in development for quite a while and has four components: General, policies and procedures, system and components. While there are subsections within those four areas, Nye said they apply to certain segments of the industry.
“What is good about having a standard is there ends up being a common terminology,” Nye said. “The standard allows everyone to talk to each other and they are on the same page.”
Standards can be intimidating at first, but after you break them down, they can become very understandable, Nye said.
“Cyber security is mainly an art. There are not enough cyber security gurus out there to secure all the critical infrastructure. What we have to do is turn an art into an engineering discipline.”
Within the standard there are areas that can make security a bit more understandable, like security zones and conduits. A zone is a grouping of logical or physical assets that share common security requirements. A conduit is simply the connection between zones.
There is also the idea of security levels, which are somewhat similar to safety integrity levels. Security level one would simply cover an employee having an accidental or casual introduction of malware, whereas security level 4 would be an attack from a nation state that could focus on an advanced persistent threat.
After the user understands and implements a standard, then there is compliance and that is where the ISA Security Compliance Institute (ISCI) comes into play.
ISCI introduced ISASecure a little while ago and that is an internationally accredited conformance scheme that ensures the certification process is open, fair, credible and robust, Nye said. It provides global recognition for ISASecure conformance.
“It is important that security is thought of throughout the lifecycle,” Nye said. “Security is not like an M&M where it is hard on the outside, but soft on the inside. It has to be like a hard candy: Hard on the outside and hard on the inside.”
Wednesday, November 6, 2013 @ 05:11 AM gHale
By Gregory Hale
It is very easy to take a fatalistic approach to security because it seems attackers have the upper hand, but it doesn’t have to be that way.
“The bottom line is the bad guys are winning and we must take action,” Jeff Zindel, cyber security business leader at Honeywell Process Solutions said Wednesday during his keynote address at the 2013 Honeywell User Group (HUG) EMEA conference in Nice, France. “We must take a proactive approach to cyber security.”
With all the successful attacks and intrusions that have covered all or parts of the industry over the past three years or so, it could be easy to get lost in the hype and hysteria.
The big name attacks were Stuxnet, Shamoon, Flame, Duqu, Night Dragon, Operation Aurora, Red October and Gauss to name a few.
Industrial control systems (ICS) attacks have had a compounded annual growth rate of 54 percent, Zindel said.
Some of the drivers behind attacks are that technology costs have decreased, network connections are multiplying, information sharing has grown and people are learning they can make money with attacks. While the better known cyber bad guys, like nation states, hacktivists and cyber spies, make up a strong list of perpetrators, there is also the inside threat that provides a twist on the attack scenario.
“Inside threats represent a tremendous threat,” Zindel said. “I call them the Snowden effect. They are very hard to catch and detect.” In addition, Zindel talked about insider risks in which trusted resources suffer a compromise: malware may have landed on a home computer, and these people download that virus and unwittingly introduce it into the workplace.
With threats coming from the inside and from the outside, manufacturers have to build a solid security program.
“Building a fortress is not enough,” Zindel said. “A hard shell is not enough; air gapped islands are not enough. We need to protect from the inside out as well as from the outside in.”
“We have a path to fight the problems, a dedicated services program, a program to run just as you would run your safety program. Cyber security must be treated as a dedicated continuous program, not an event.”
There needs to be more than just one aspect of security. “Embedded security is good, but it is not enough,” Zindel said. There has to be more with ongoing solutions, systems, tools and services. No solution fits everyone’s needs, so an integrator and end user need to work together to find the right answers, he said.
Whether getting started with a security program or after you have one installed, there are some questions you need to ask to ensure you have the right focus:
• Do you know your current security risk?
• Have you identified your high value targets in systems and operations?
• What measures are you taking to protect those targets?
• Assume you have been attacked; are you aware of it?
“The final question you have to ask is are you ready because the attackers are coming,” Zindel said.
Tuesday, November 5, 2013 @ 08:11 PM gHale
By Gregory Hale
Safety and security or security and safety; either way, users should treat them the same.
“Take cyber security seriously as you do safety,” said Jason Urso, vice president and chief technology officer at Honeywell Process Solutions, during his technology keynote Tuesday at the Honeywell Users Group (HUG) EMEA meeting in Nice, France. “They are becoming one and the same.”
Urso added that with Microsoft discontinuing support for Windows XP this coming April, there could be an added security issue. With support gone and the possibility of attackers learning new exploits, users could feel the security pinch.
Whether it is at the HUG Americas or here in Nice at the EMEA HUG, Urso went over a slew of new product introductions and enhancements. One key product introduction that is not out yet, but will release shortly, is the DynAMo alarm management suite.
The new suite, Urso said, can give users better visibility on how they handle alarms. “You can turn noise into knowledge.” The more users can get a grasp on the important alarms, the more that increases plant safety. In theory, it can reduce alarms by 80 percent, he said.
Urso also said 42 percent of process incidents occur because of improper operation or actions. That is where the Unisim operating training solution can come into play.
When operators are in critical moments and have to make decisions, they are overwhelmed by alarms, so the simulator can teach how to figure out which are the important alarms and which ones can wait.
One of the key products Urso talked about was Honeywell’s whitelisting solution they launched late last year.
Application whitelisting permits the execution of explicitly allowed (or whitelisted) software and blocks execution of everything else. This eliminates the execution of unknown executables, including malware.
One challenge when using application whitelisting in business networks is managing the constantly changing list of allowed applications. That burden reduces in control systems environments, because the set of applications that run in those systems is essentially static.
Application whitelisting is a solid tool to help slow down or thwart a bad guy from getting into your system. “Malware can get stopped dead in its tracks,” Urso said.
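The default-deny decision described above, as an added example that is not Honeywell's product or code from the article. It assumes software is identified by SHA-256 hash (the article does not say how entries are matched), and every file name and file content below is constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_allowlist(baseline_dir):
    """Hash every file in the approved baseline once (the static control-system set)."""
    base = Path(baseline_dir)
    return {sha256_file(p): str(p.relative_to(base))
            for p in sorted(base.rglob("*")) if p.is_file()}


def decide(path, allowlist):
    """Default deny: content runs only if its hash is explicitly on the list."""
    return "ALLOW" if sha256_file(path) in allowlist else "BLOCK"


def drift(host_dir, allowlist):
    """Files on a host whose content is not in the baseline (candidates for review)."""
    host = Path(host_dir)
    return sorted(str(p.relative_to(host)) for p in host.rglob("*")
                  if p.is_file() and sha256_file(p) not in allowlist)


def demo():
    """Build a constructed baseline and host, then classify four cases."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        baseline, host = root / "baseline", root / "host"
        baseline.mkdir()
        host.mkdir()

        # Constructed stand-ins for approved control-system binaries.
        (baseline / "hmi_client.exe").write_bytes(b"constructed HMI client image")
        (baseline / "historian.exe").write_bytes(b"constructed historian image")
        allowlist = build_allowlist(baseline)

        # Host state: one untouched binary, one tampered binary that keeps
        # its approved name, and one file that was never approved.
        (host / "historian.exe").write_bytes(b"constructed historian image")
        (host / "hmi_client.exe").write_bytes(b"constructed HMI client image+patch")
        (host / "update_helper.exe").write_bytes(b"constructed unknown program")

        return {
            "approved": decide(host / "historian.exe", allowlist),
            "tampered_same_name": decide(host / "hmi_client.exe", allowlist),
            "unknown": decide(host / "update_helper.exe", allowlist),
            "drift": drift(host, allowlist),
        }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Because the decision keys on content rather than file name, the tampered binary is blocked even though its name is on the approved list, and the drift report stays empty on a host that matches the static baseline.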
Honeywell also is adding encrypted and authenticated communications to boost its security portfolio, he said.
He also introduced Honeywell’s control room of the future where operators have a completely different view of the process and it is much easier to understand what is and is not working in the process.
In addition, Urso talked about virtualization. By “virtualizing” devices, one server can run multiple operating systems and applications simultaneously, cutting down on the number of servers needed and also reducing costs.
As a part of the virtualization initiative, Honeywell released a blade solution optimized for virtualization. The Experion Virtualization Solutions package allows offshore oil and gas, refining and petrochemical customers to increase operations availability and reduce costs.
Tuesday, November 5, 2013 @ 11:11 AM gHale
By Gregory Hale
The manufacturing automation industry has to take cyber security more seriously than it currently does.
“I really hope it doesn’t take a major incident to have the industry take security more seriously than it currently does,” said Darius Adamczyk, president and chief executive at Honeywell Process Solutions during his keynote address today at the EMEA Honeywell User Group (HUG) in Nice, France. “I hope this doesn’t happen to me is not a viable defense.”
The idea the industry is aware they need to understand cyber security, but doesn’t know where to start is not surprising – and believe it or not it is a sign of moving forward. It is a slow movement, but it is movement nonetheless.
How serious is the problem?
Adamczyk quoted Former Homeland Security Department Director Michael Chertoff, who spoke at an executive summit Honeywell conducted last month, saying “The single biggest threat we face is not terrorist activity, it is cyber security.”
“Cyber security is one of the most interesting areas and one we don’t take seriously enough,” he said.
Adamczyk also talked about how security can be a safety issue.
“Safety is the single most important thing we do, whether providing safety for the process or preventing intruders on the site, cyber security is another part of safety.”
Adamczyk also talked about other initiatives and industry trends.
In terms of energy production, he said we are going through transformational times.
There has been a spike in production in the U.S. with unconventional energy. In addition, he said the North Sea is declining in production, but with some new innovations he said there could be a rebound.
In terms of regions producing energy, he said Western Europe closed 14 refineries since 2008. He said the former Soviet Union saw an increase in capacity. Middle East saw a substantial increase in capacity and national oil companies are getting more aggressive in investments. “There has been quite a change in who is making the investments.”
Mining is going through a rough time and the main reason for that is the slowdown in China. Pulp and paper, he said, has some interesting developments going on with negative growth rates predicted for North America, Western Europe and Japan, but positive growth rates in India and China.
On safety, looking at some UK numbers, which Adamczyk said are a good indicator, “safety is improving; fatalities have dropped. That is the good news. The bad news is safety has plateaued and that is a troubling trend.”
When talking about safety, the number one cause of safety incidents is operator error, Adamczyk said. That is where training and simulation programs come into play.
“It is paramount to us to provide a safe work environment,” he said.
There is one fundamental difference between safety and security and that is users can place a safety system in and know it will be working over a period of time. Yes, there has to be maintenance, but the system will be in and running. Security, though, is a very dynamic environment.
“Cyber threats change daily, monthly, and yearly,” Adamczyk said. “If you think you can put something in and you will be safe, think again.”
Monday, November 4, 2013 @ 09:11 AM gHale
Eric Byres, chief technology officer with Belden’s Tofino Security, will receive the 2013 International Society of Automation (ISA) Excellence in Leadership Award at a ceremony today in Nashville, TN.
In only its second year, this award recognizes an individual who has made significant contributions to the industry, including advancements in automation. “When considering nominations, we look for someone whose vision has fostered a paradigm shift, whose leadership has profoundly impacted the profession, and whose contributions have enhanced social value,” said Terrence G. Ives, ISA president. “This award is a way to express our appreciation for Eric’s outstanding achievements to the industry.”
Byres received the ISA Fellow in 2009 for his outstanding achievements in science and engineering. Now, his ISA peers have elected to recognize him for his leadership in developing best practices in industrial cyber security.
“Eric brings a unique combination of deep technical knowledge, combined with practical field experience to his role at Belden,” said Dhrupad Trivedi, president of Belden’s Industrial IT business. “We’re extremely proud of his efforts and that he’s being recognized as a leader by his peers. He is a key driver of Belden’s security strategy, which is focused on the unique needs of our industrial customers.”
Byres’ vision centers around two key pillars to protecting SCADA (supervisory control and data acquisition) and industrial control systems: Robust security tailored for industrial requirements and simple deployment.
Byres’ innovative approach helped invent the Tofino Industrial Security Solution – a system that protects industrial networks from external threats and internal network incidents. Its plug-and-play design allows facilities to easily implement robust security without operational downtime. This approach is a foundational piece of Belden’s Industrial IT strategy.
Frost & Sullivan named Byres’ company – at the time known as Byres Security – the 2010 World Award Winner for Industrial Network Security Solutions. This honor marked recognition for the Tofino Industrial Security Solution as the product that best enhanced customer value in the industrial automation and electronics industries in 2010.
Byres chairs several groups that are working to establish industry standards (ISA99), assess current risks and develop a framework to protect facilities from cyber attacks. He also serves as one of the industry’s go-to subject matter experts.
Thursday, October 31, 2013 @ 06:10 PM gHale
Security is becoming mainstream as 93 percent of companies globally are maintaining or increasing their investment in cyber security to combat the ever increasing threat from attacks, a new survey said.
Under cyber-attack, EY’s (Ernst & Young) 16th annual Global Information Security Survey 2013 tracks the level of awareness and action by companies in response to cyber threats and canvasses the opinion of over 1,900 senior executives globally.
This year’s results show as companies continue to invest heavily to protect themselves against cyber attacks, the number of security breaches is on the rise and it is no longer a question of if, but when, a company will be the target of an attack.
Thirty-one percent of respondents report the number of security incidents within their organization has increased by at least 5 percent over the last 12 months. Many have realized the extent and depth of the threat posed to them, resulting in information security now being “owned” at the highest level within 70 percent of the organizations surveyed.
“This year’s survey shows that organizations are moving in the right direction, but more still needs to be done – urgently. There are promising signs that the issue is now gaining traction at the highest levels. In 2012, none of the information security professionals surveyed reported to senior executives – in 2013 this jumped to 35 percent,” said Paul van Kessel, EY Global Risk Leader.
Despite half of the respondents planning to increase their budget by 5 percent or more in the next 12 months, 65 percent cite an insufficient budget as their number one challenge to operating at the levels the business expects; and among organizations with revenues of $10 million or less this figure rises to 71 percent.
Of the budgets planned for the next 12 months, 14 percent ended up ear-marked for security innovation and emerging technologies. As current technologies become further entrenched in an organization’s network and culture, organizations need to be aware of how employees use the devices, both in the workplace and in their personal lives. This is especially true when it comes to social media, which respondents identified as an area where they still feel unsure in their capability to address risks.
Although information security is focusing on the right priorities, in many instances, the function doesn’t have the skilled resources or executive awareness and support needed to address them.
In particular, the gap is widening between supply and demand, creating a sellers’ market, with 50 percent of respondents citing a lack of skilled resources as a barrier to value creation. Similarly, where only 20 percent of previous survey participants indicated a lack of executive awareness or support, 31 percent now cite it as an issue.
Friday, October 11, 2013 @ 05:10 PM gHale
Smart grid is a catch all buzz phrase to talk about the future of the power industry, but the fact remains the topic of security still seems a bit nebulous.
The smart grid provides a network for consumers and energy providers to better regulate the flow and demand of energy, allowing real-time data analysis and the remote control of energy use down to the device level. But is it secure? It is not immune to attack, and while utilities can benefit from improving the efficiency of energy flow, they are also responsible for keeping hackers out of the network.
If cyber attackers strike and infiltrate the network, they may be able to shut down core services in a city.
“In this data-rich, ultra-connected digital world, with breaches on the rise fueled by hacktivism targeting specific companies and high profile brands, security naturally becomes a greater concern particularly for ICS environments in critical infrastructure such as utility companies,” said Leslie Nemitoff, with security services at Verizon Enterprise Solutions.
The smart grid market should grow from $33 billion in 2012 to $73 billion by the end of 2020, according to Verizon. In order to protect this expanding market, Verizon said there are four key layers utilities and developers need to consider in order to protect smart grids:
• Physical layer: How are the smart grid components protected physically?
• Cyber security layer: How are the smart grid components and systems protected from cyber hack and attack?
• Privacy: How does the smart meter data end up protected so a customer’s privacy remains intact?
• Storage: Just what do you do with all the data generated by the smart grid and how do you protect it?
“When it comes to securing assets, a one-size-fits-all security posture may result in some organizations under-protected from targeted attacks while others potentially over-spend on defending against simpler opportunistic attacks,” Nemitoff said.
“By understanding and interpreting complex customer requirements through a risk-based approach, we can create customized assessment packages and help owners and operators of industrial control systems for utilities both define and manage the risk that often accompanies the deployment of multifaceted technologies like the smart grid.”
Wednesday, September 25, 2013 @ 06:09 PM gHale
Learning how to put the deep freeze on attackers trying to hack into an industrial control system takes on new meaning as a new course focused on “blue teaming” an industrial control system (ICS) is taking place at historic Lambeau Field in Green Bay, WI, October 7-11.
“Understanding and Securing Industrial Control Systems” is a new course offered by security provider, SCADAhacker, focused on securing or “blue teaming” the industrial control system (ICS) architecture and the setting is a VIP suite overlooking the football field used by the 13-time world champion Green Bay Packers.
The course will include hands-on labs, but also extensive demonstrations to reinforce the selection and implementation of security controls relating specifically to ICS. Many of those individuals responsible for auditing, installing, or operating industrial control systems are aware of the need for cyber security, yet are confused on exactly what to implement, and how to verify the resulting solution. This course provides a solid foundation on how to address those concepts.
The course agenda:
• Understanding the Unique Threat Landscape of Industrial Control Systems
o What is an Industrial Control System
o Simplifying the ICS Architecture
o Why is ICS Security different from traditional IT Security
o Why ICS are more vulnerable to cyber threats than other IT assets
• Understanding Current Standards and Best Practices from a Security and Compliance Point of View
o ISA-99, IEC-62443, ISO-27000, NERC-CIP R3-R5, CFATS, NIST 800-53/800-82, SANS, CPNI
• Understanding Risk in terms of Threats, Vulnerabilities, and Consequences
o Threats to the ICS and Operational Integrity
o Typical ICS Vulnerabilities
o Consequences of an ICS Attack
o Risk Identification and Classification
• Understanding and Identifying ICS Vulnerabilities
• Selecting and Implementing Security Controls
o Administrative Security Controls
o Technical Security Controls
o Network Considerations
o Compensating Controls
o Allocating Security Controls to ICS Architecture Resources
• Auditing and Assessing ICS Security
o Security Audits
o Security Assessments (“Theoretical” versus “Physical”)
o Vulnerability Assessments, which includes Nessus Home Feed versus Professional Feed, Nessus SCADA Plugins, Compliance Audit Files for Nessus (including Bandolier), Creating Custom Audit Files for Nessus
• A Hands-On Look at Key New Emerging Technologies
o Industrial Firewalls with Stateful Deep Packet Inspection (DPI) of ICS Protocols
o Personal/Portable Firewalls / VPNs
o Unidirectional Security Appliances (aka Data Diodes)
o Layer 2 Encryption Technologies
o Intrusion Detection and Prevention Systems (IDS/IPS)
o Security Incident and Event Monitoring (SIEM)
o Application Whitelisting / Host-based Intrusion Prevention System (HIPS)
• Case Studies
o Using Chained Exploits to Gain Access to Trusted Internal Networks and Attack an ICS from the “Inside-Out”
o Implementing a Network Behavior-based Intrusion Detection System for Industrial Control Systems
o Network Segmentation and IP Addressing
o Network Architectures and Active Directory Considerations
o Network Communications and ICS Protocols
o A detailed look at Stuxnet – how it infects and spreads, and what could be done to stop similar attacks (actual live Stuxnet worm will be used for this study)
o Working with Firewalls: Analysis, Testing and Validation
o Using Vulnerability Scanners (Nessus Home/Pro Feeds, OpenVAS)
o Assessing the Current Security Posture of an ICS Architecture
o Improving the Security Posture of a Vulnerable ICS Architecture
All students will receive their own modified Chromebook laptop computer to use during the course. This environment has been preloaded with a variety of security related applications that will be used during the course, as well as the extensive SCADAhacker Reference Library and catalog of software for creating security testing environments on other computing platforms. Students will also receive a library of virtual machines that can be used to reinforce the hands-on portion of the course, and help in developing a local security testing lab.
There will be labs that utilize physical ICS equipment providing a realistic scenario to what is out there in the field. This will include not only ICS equipment, but also associated security components as well. Some of the technologies covered in this advanced course include:
• Industrial Protocols such as Modbus/TCP, TSAP, Ethernet/IP and Common Industry Protocol (CIP)
• Industrial Firewalls such as Tofino Security Appliance, mGuard, Zenwall and others
• Unidirectional Security Gateways and Data Diodes (Waterfall Security Solutions)
• Application Whitelisting such as Microsoft Software Restriction Policies and McAfee Application Control
• Security Event and Incident Management solutions such as McAfee Enterprise Security Manager and AlienVault OSSIM
• Network Encryptors (Certes Networks CEP)
• Firewalls and Firewall Evaluation Tools (Cisco, pfSense, Vyatta, Athena, Firewalker, FWBuilder)
• Vulnerability Scanners from Tenable Networks (Nessus)
Due to the material presented, the course size will be limited to a maximum of 12 students. Each course will begin at 8:00am on Monday morning and conclude by 2:00pm Friday afternoon. The fee for the course is $3,850. A deposit of $500 is required in advance, with the balance due on the first day of training. Registration is fully refundable (less any processing fees levied by the credit card company), up to 7 days prior to the start of the course. Cancellations made within 7 days of the course start will be handled on a case-by-case basis. No refunds will be granted after the start of the course.
The course dates for the remainder of 2013 have been finalized and are:
October 7 – 11, Lambeau Field – Green Bay, WI
November 11 – 15 (The Hague, Netherlands)
November 18 – 22 (The Hague, Netherlands)
Wednesday, September 25, 2013 @ 04:09 PM gHale
While everyone ends up assured wireless devices are secure, doubts always tend to linger.
That is one reason why the University of Arkansas at Little Rock (UALR) is working on effective solutions to security threats on wireless devices. And that is why the National Science Foundation provided a $150,000 grant to help them.
The grant’s principal investigator is Dr. Shucheng Yu, an expert in cyber security and assistant professor in UALR’s Computer Science Department.
Yu said the two-year grant addresses a paramount issue in an era in which billions of wireless devices are in use throughout critical sectors of American life.
“Imagine if medical wireless devices, such as pacemakers, are wirelessly hacked? Or if a vehicle’s wireless device is controlled by malicious attackers via radio?” Yu asked.
“These scenarios were previously seen only on television dramas, but researchers have discovered hundreds of such attacks, or even more severe, against real-world wireless devices.”
Yu’s idea is to enhance security using the first line of defense with wireless channel fingerprinting.
Analyzing “fingerprints” of wireless channels, Yu said researchers today can study the specific characteristics of a device to identify a unique cyber signature in much the same way detectives can identify a criminal by analyzing the patterns of an actual fingerprint.
Built on this foundation of fingerprinting available on all wireless devices, the project could lead to a game-changing security solution that will be compatible with billions of devices, Yu said.
The NSF grant comes through a branch of the foundation dedicated to supporting untested but potentially transformative work. Early-concept Grants for Exploratory Research (EAGER) funding is “high risk-high payoff” because it involves radically different approaches, applies new expertise, or engages novel disciplinary or interdisciplinary perspectives, according to the NSF website.
“This significant research project will provide a unique opportunity for students to learn techniques to defend against wireless cyber-attacks,” said UALR Chancellor Joel E. Anderson. “This is another way students are learning to provide innovative solutions for growing challenges.”