Posts Tagged ‘cyber security’

Friday, August 21, 2015 @ 05:08 PM gHale

By Gregory Hale
Ernie Rakaczky would just laugh and shrug his shoulders if he heard this, but he truly was a pioneer in the industrial security sector.

I can remember to the day where we were when I broached the subject of starting up a news web site focused on safety and security to Ernie. He was quick to point out where the industry was, where it was headed and who some of the leaders were. His passion for security was unparalleled.

At a user group conference back in the Invensys days after the ISSSource site launched, a few years before Schneider Electric bought the process control giant, Ernie was sitting with a few editors talking about some event that shed more light on why security was so important, and you could just see how he was ready to take on the fight of raising awareness throughout the industry. It was a fight he fought for a long time and he kept pushing, knowing how important the battle was. And even after an illness started taking control, he was still making calls and answering emails.

After a big management change at Invensys years ago, he called up one time knowing I had just ended an interview with one of the top executives. Ernie just started off the conversation asking if I had mentioned to the exec the importance of cyber security in the industry. He was always fighting the battle.

Ernie also talked about how the IT world needed to work with OT, and his work with IT companies like McAfee (now Intel Security) helped get both camps involved in the game to help end users remain secure, whether they knew they had to or not.

Security industry Pioneer, Ernie Rakaczky.

He truly was a security evangelist in the days at Invensys and throughout the industry when security was a foreign subject. He knew, however, it was going to be top of mind and an important factor for all users moving forward.

In the work world, you meet people, but you are always thinking about getting the job done. Deadlines, deals, innovating, whatever the task at hand, and the people aspect often ends up forgotten. That is wrong and everyone needs to understand there are some quality people that help run businesses and they make an impact on our lives every day.

Ernie Rakaczky died Wednesday after a long illness, but his legacy in the industry will continue on forever.

Ernie Rakaczky: Job well done.

Wednesday, August 19, 2015 @ 02:08 PM gHale

By Heather MacKenzie
It is often the case when you don’t know how to do something, you avoid or delay doing it. That means taking on a new challenge or learning best practices about a new topic is often put on the back burner.

If cyber security is a new area for you, there are three basic concepts that, once you know them, you can start putting into practice right away.

Think of it this way, cyber security is a topic of high concern at the top levels for all companies.

Plus, the Industrial Internet of Things (IIoT) is connecting more devices and systems to the control network, increasing the likelihood of cyber incidents. It’s more important now than ever before to understand the principles of cyber security.

1. Start with a Risk Assessment
A risk assessment is a best practice recommended by solid security consulting firms and standards groups alike. You need to understand your network’s level of risk and rate the state of cyber defenses at your facilities.

This might sound like a big project, or a costly consulting engagement. However, it is possible to do it internally and at no cost. While this may not be for everyone, it could be a viable option if a third-party assessment is not in your budget right now. It is also a heck of a lot better than doing nothing about improving the security of your Industrial Control System (ICS) network.

The steps for implementing a zero-cost industrial security risk assessment include the following:
• Determine who should help with the risk assessment (consider IT personnel, an executive and a person from each type of job in your company)
• Identify critical assets
• Prioritize and list the largest risks for each asset
• Prioritize the list of industrial security assets
• Determine and rate existing protection measures

Learning this process is important and it is not a one-time exercise. Good security requires monitoring, evaluating and improving your plans regularly in order to ensure current measures are working effectively. This will also help you to recognize new or developing risks to the network.

2. Plan a “Defense in Depth” Strategy
After completing the risk assessment, you need to create a plan to secure your network. The approach you want to take is called Defense in Depth (DiD), which includes multiple layers of defense distributed throughout the control network.

A well-developed DiD strategy includes:
• Multiple layers of defense instead of relying on a single point of security
• Differentiated layers of defense, ensuring an attacker can’t access all subsequent layers after getting past the first
• Context and threat-specific layers of defense, meaning each layer is optimized to deal with a specific class of threats

If your network is protected by a DiD strategy, the impact of an accidental security incident or a malicious attack will be limited to the zone where the problem began. You want to set up your systems so the right people or teams receive an alarm and the work to identify the issue begins in a timely fashion.

3. Protect the Crown Jewels First
Lastly, you must prioritize the crown jewels. What are the crown jewels? Think of the systems that would cause a complete disaster for your network if they were shut down (either unintentionally or maliciously).

These might be the safety instrumented system (SIS) in a refinery, the programmable logic controller (PLC) managing chlorine levels in a water filtration plant, or the remote terminal unit (RTU) in an electrical substation. Every control engineer knows what really matters to his or her particular operation. Aggressively protect this asset and the chance of a truly serious cyber incident is greatly reduced.

Control systems have become complex and difficult to protect at all times, so focus your resources on securing those assets that really matter to the survival of the company.

Don’t let the complications brought on by the IIoT’s increased connectivity or the high cost of formal risk assessments keep you from protecting your network effectively. By taking the right steps to understand your risks, choosing a layered approach to your ICS security, and prioritizing your most important assets, you can successfully protect your network in our increasingly connected world.
Heather MacKenzie is with Tofino Security, a Belden company.

Friday, June 19, 2015 @ 03:06 PM gHale

Cyber security is definitely on the minds of boards of directors, but the jury is out on just how far that goes.

In a snapshot of what boards and executives are thinking in the UK, Tripwire conducted a survey on the attitudes of executives as they relate to cyber security risk decision-making and communication between IT security professionals, executive teams and boards. Study respondents included 101 C-level executives and directors as well as 176 IT professionals from private and public U.K. organizations.

Despite the increasing number of successful attacks against UK organizations, the study found 54 percent of C-level executives at organizations within the Financial Times Stock Exchange (FTSE) 100 index believe their board is cyber security literate and actively engaged in routine security.

IT professionals from the same organizations are less confident in their board’s cyber security knowledge, with 26 percent stating their boards only step in when there is a serious incident.

While the results of the Tripwire study point to executive confidence, they reveal the uncertainty of IT professionals. When asked if their board was “cyber literate,” almost one-third of IT professionals either answered “no” or “not sure.” However, 84 percent of C-level executives said “yes” to the same question.

“There’s a big difference between cyber security awareness and cyber security literacy,” said Dwayne Melancon, CTO for Tripwire. “If the vast majority of executives and boards were really literate about cyber security risks, then spear phishing wouldn’t work. I think these results are indicative of the growing awareness that the risks connected with cyber security are business critical, but it would appear the executives either don’t understand how much they have to learn about cyber security, or they don’t want to admit that they don’t fully understand the business impact of these risks.”

Other key findings include:
• 28 percent of IT professionals “don’t have visibility” into what the board is told about cyber security, and 47 percent were “not concerned” about their board’s knowledge of cyber security.
• In the event of a cyberattack, respondents would be most concerned about customer data (62 percent), damage to brand and reputation (50 percent), and financial damage or stock price (40 percent).
• 35 percent of respondents agreed that a security breach at their own organization had the biggest impact on their boards’ cyber security awareness, while other respondents felt that Heartbleed (19 percent) had a bigger impact than the Target or Sony breach and the Snowden leaks (17 percent and 8 percent, respectively).

“Most organizations are not struggling with communication tools,” Melancon said. “They are instead struggling with finding the right vocabulary and information to accurately portray cyber security risk to their boards, and they are trying to find the right balance of responsibility and oversight for this critical business risk.”

Monday, June 1, 2015 @ 09:06 AM gHale

What Leaders Need to Know and Ask to Ensure a Strong Security Profile
By Marc Ayala and Jeff Jensen
Among the phrases sure to catch the attention of almost all oil and gas executives: Enhanced asset utilization, production optimization, accelerated resource recovery and capital efficiency. Keep these moving in the right direction and greater profitability and market capitalization will surely follow. But one phrase that might escape their concern could endanger every such initiative: Network security.

In fact, executives could be doing a grave disservice to their shareholders and their own fortunes if they choose to ignore this threat or to delegate their understanding of how it can undermine the safety of people, production and property at the core of a thriving oil and gas enterprise. What they need is the knowledge to evaluate the nature of this risk and to ask informed questions about their companies’ defenses against it.

Oil and gas industry executives must stay informed of cyber security threats for two reasons: The energy sector is by far hackers’ top target and a cyber attack on their own facilities can potentially have serious impacts on operations and profitability as well as grave consequences for the life safety of personnel and nearby communities.

How important is network security? Consider this: Of the 16 sectors the U.S. Department of Homeland Security (DHS) designates as critical, the energy sector in 2013 accounted for 59 percent of the 256 cyber attacks deemed serious enough for its Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) to investigate. That was three times the number of attacks on critical manufacturing facilities, the runner-up, and 30 times the number of attacks on government facilities.

Industrial networks must often operate 24x7, in real or near-real time and require 99.9 percent uptime or better.

And how frequent are those attacks? With hackers automating their network assaults, one can occur every few minutes until a penetration occurs. During one session on network security led by a Siemens expert, he prefaced his presentation by opening a new, working web server connected to the Internet with its Modbus TCP/IP port 502 exposed. At the end of his remarks, he checked the web server’s security monitoring software and found 35 attacks had occurred from all over the world – all in just one hour.

OT vs. IT Security
IT professionals have plenty to worry about in defending against cyber attacks on their companies’ enterprise networks. These are what connect people with each other, via email, web collaboration tools and even voice communications, and also with information, via various company databases, customer relationship management (CRM) tools and so forth. After all, malware, data theft and corrupted data or devices can disrupt user productivity and even a company’s transactional capabilities.

But in that environment, no one ever suffers an injury or worse.

This is one of the biggest differences between enterprise network security and industrial network security. If a hacker, whether a deliberate saboteur or a teenage malcontent, penetrates an industrial network and disrupts critical processes or controls, especially automated life safety protections, someone could get seriously or even mortally hurt. That’s why DHS set up ICS-CERT to reduce the risks associated with control system-related incidents and to coordinate mitigation measures.

Industrial Network Realities
Aside from the critical life-safety distinction, industrial networks differ from non-industrial enterprise networks in other ways. First, industrial control systems (ICSs), which include supervisory control and data acquisition (SCADA) systems, are by definition connected to networks. These ICS and SCADA networks are often linked to enterprise networks, which have external-facing vulnerabilities that can open doors for hackers. Wireless SCADA systems, often operating from remote locations using public IP addresses, are also vulnerable to attack, accessible via their wireless media, including cellular, 900MHz radio, satellite and microwave.

Industrial networks must often operate 24×7, in real or near-real time and require 99.9 percent uptime or better (99.99 or 99.999 percent in the case of public communication networks). In contrast, enterprise IT networks typically must operate on a best-effort basis (so a break in one part of the network forces routers to send data packets down alternate paths) and be available during “business hours.” Point is, the disruption risks of a security breach in an ICS or SCADA network can be much greater than for an enterprise IT network.

Technical Vulnerabilities
In the past 20 years, industrial automation and control systems have become more vulnerable to cyber security intrusions for several reasons, primary among them:
• The increasing mobility of workers, which has created greater demands for 24×7 remote network access for engineering, operations and technical support personnel, sometimes leading to less secure network connections and security practices.
• Growing use and integration of commercial and open source technologies, such as Windows and Linux operating systems, SQL databases and Ethernet protocols, all of which a hacker can exploit by opening back doors for the same malware that can infect enterprise IT systems.
• Proliferation of “how-to” documentation and actual code on the Internet, which has lowered the bar for the technical competencies needed to hack industrial control systems.
• Integration of a company’s legacy plant systems with its enterprise systems by interconnecting industrial and corporate networks – and external third parties via the public Internet. Not only does external connectivity create vulnerabilities, but the integration also introduces ambiguity within companies as to which group – enterprise IT or process engineering – owns responsibility for overall cyber security.

Another set of security issues with industrial networks involves their evolution from early patchworks of electrical relays or antiquated microprocessor controllers and manually monitored indicator lights, trips and breakers. While those legacy systems might work well enough to operate relatively simple processes even today, they likely lack proper security controls. Nonetheless, they most likely end up connected to modern distributed control systems (DCSs) that feature the latest programmable logic controllers (PLCs), which are micro-computers using Windows or Linux which connect over industrial Ethernet to human-machine interfaces (HMIs). In turn, these HMIs are often accessible anywhere in the world via PCs or touchscreen tablets and smartphones – by legitimate DCS operators or by hackers exploiting the vulnerabilities in the connections between old and new systems.

With modern ICS, SCADA and DCS networks, infiltrations can occur from any of three sources:
1. Top-down from the corporate and data zones (Zones 4, 3 and 2)
2. Bottom-up from the field and safety/control zones (Zones 0 and 1); and
3. “Sideways” from external sources, either via the Internet, remote operations and facilities or remote

Lower Security Risks
Companies can find plenty of information to help guide their efforts to harden and secure their industrial control systems. Three internationally recognized ICS security standards, which can provide excellent starting points and guidance, are IEC 62443 / ISA99, NIST 800-82, and NERC-CIP.

These standards boil down to three steps: A current state assessment; hardening the environment, physical and logical; and ongoing vigilance.

Graphic of the defense-in-depth model.

They incorporate what’s known in security as the “defense-in-depth” model. This involves dividing a security deployment strategy into layers, with the most critical systems protected by multiple levels of security.

Every security risk mitigation effort for an industrial control system must start by evaluating the current state of its security by conducting an assessment. Here are some questions to consider:

Do a network’s borders correspond to its physical borders? They should. For example, if the user locked down the SCADA server and its software in an effort to prevent tampering with its configurations and data, is the server itself securely located to prevent unauthorized access to its network ports, removable media drives, keyboard and mouse?

Where are the network’s security zones and conduits? An industrial control system should have distinct functional zones that separate the field device control layer from the SCADA remote monitoring layer. In turn, these should end up separated from the DCS control layer – and more importantly, separated from any layer of safety-critical systems. Finally, the DCS and safety-critical system layers must end up separated from the enterprise IT layer. All those layers should communicate with each other only via carefully prescribed and secure conduit connections. And all those layers need to be separate from all external connections, each of which should also end up carefully prescribed and secured.

What and where is each connection within the industrial control network? This step helps identify what’s known as the network attack interface. Look for internal local area network (LAN) connections and wide area network (WAN) connections; remote connections with distant sensors and operating facilities; internal wireless connections, including Internet connections; modem or dial-up connections (yes, they do still exist); and external connections to third-parties, such as business partners, vendors and regulatory agencies. All connections should end up catalogued in detail and their current security measures noted, especially their firewall protection and update status.
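The zone-and-conduit separation described above, checked over a connection catalog of the kind this step produces, as an added example (not code from the article or from Cimation or Siemens). It assumes a Purdue-style numbering matching the article’s Zones 0 to 4 plus an “external” zone, and an assumed policy that traffic may only cross between adjacent zones through a filtered conduit; hostnames, zones and ports in the sample catalog are constructed.

```python
"""Zone-and-conduit check over a constructed ICS connection inventory.

Added example, not from the article. Assumed zone model: Zones 0 and 1 are
field and safety/control, Zone 2 is SCADA/DCS supervisory, Zone 3 is site
data, Zone 4 is enterprise IT, and "external" is the Internet and third
parties. Assumed policy: only adjacent zones may be joined, via a filtered
conduit; anything else is a finding.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Union

Zone = Union[int, str]

# Assumed conduit policy: the only zone pairs that may ever be joined.
ALLOWED_CONDUITS = {
    frozenset({0, 1}),           # field devices <-> controllers / SIS
    frozenset({1, 2}),           # controllers <-> SCADA / DCS supervisory
    frozenset({2, 3}),           # supervisory <-> historian / site data
    frozenset({3, 4}),           # site data <-> enterprise IT
    frozenset({4, "external"}),  # enterprise <-> Internet / third parties
}
CONTROL_ZONES = {0, 1}
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}


@dataclass(frozen=True)
class Connection:
    """One row of the connection catalog the assessment step produces."""
    src: str
    src_zone: Zone
    dst: str
    dst_zone: Zone
    protocol: str
    port: int
    filtered: bool  # firewall or other prescribed conduit control in place


@dataclass(frozen=True)
class Finding:
    severity: str
    connection: Connection
    reason: str


def check_connection(c: Connection) -> list[Finding]:
    """Return the policy findings for a single catalogued connection."""
    pair = frozenset({c.src_zone, c.dst_zone})
    if len(pair) == 1:
        return []  # traffic inside one zone is not a conduit
    findings = []
    touches_control = bool(pair & CONTROL_ZONES)
    if pair not in ALLOWED_CONDUITS:
        # A skipped layer (enterprise straight to a PLC) or an external party
        # reaching a plant zone; critical when it lands on Zone 0 or 1.
        findings.append(Finding(
            "critical" if touches_control else "high", c,
            f"no prescribed conduit between zones {sorted(map(str, pair))}"))
    if not c.filtered:
        findings.append(Finding("medium", c, "conduit traffic is not filtered"))
    return findings


def audit(connections) -> list[Finding]:
    """Audit a whole catalog; worst findings first, then by source name."""
    findings = [f for c in connections for f in check_connection(c)]
    findings.sort(key=lambda f: (SEVERITY_ORDER[f.severity], f.connection.src))
    return findings


def summarize(findings) -> dict[str, int]:
    """Count findings per severity for the punch list."""
    counts = {"critical": 0, "high": 0, "medium": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed sample catalog (hostnames, zones and ports are made up).
INVENTORY = [
    Connection("plc-01", 1, "io-flow-07", 0, "Modbus/TCP", 502, True),
    Connection("scada-srv", 2, "plc-01", 1, "Modbus/TCP", 502, True),
    Connection("historian", 3, "scada-srv", 2, "OPC", 135, True),
    Connection("erp-app", 4, "historian", 3, "SQL", 1433, False),
    # Office laptop talking straight to a controller: Zone 4 -> Zone 1.
    Connection("eng-laptop", 4, "plc-01", 1, "Modbus/TCP", 502, True),
    # Vendor VPN landing directly on an HMI instead of a DMZ.
    Connection("vendor-vpn", "external", "hmi-01", 2, "RDP", 3389, False),
    # The article's scenario: Modbus port 502 reachable from the Internet.
    Connection("internet", "external", "sis-01", 1, "Modbus/TCP", 502, False),
]

if __name__ == "__main__":
    for f in audit(INVENTORY):
        c = f.connection
        print(f"[{f.severity:8}] {c.src} (zone {c.src_zone}) -> {c.dst} "
              f"(zone {c.dst_zone}) {c.protocol}/{c.port}: {f.reason}")
    print(summarize(audit(INVENTORY)))
```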

What devices and software applications have connections, and what are their functions? This step helps identify what’s known as the software attack interface. Similar to the step above, all hardware devices – HMIs, PCs, servers, wireless access points, phones, even printers and video surveillance cameras – must end up catalogued along with all their operating system versions, software applications and the port numbers that each device uses to communicate. All current security measures should end up noted as well as their status regarding updates and patches.

Who is in charge of securing the industrial control network? For quite a few companies this might not be clear – yet it’s critically important. ICS, SCADA, DCS and safety systems typically evolved with industrial and process engineering teams in charge. During that time frame, enterprise IT teams had their hands full with rationalizing the corporate IT landscape. That left a large gray area of unclear responsibilities and sometimes adversarial relationships between the two groups. It can be a classic human story of in-fighting going on while the barbarians are tearing down the city gates. Executives – especially CEOs, CIOs and CISOs (chief information security officers) – need to recognize this phenomenon and put one qualified company person or team in charge of securing the industrial control system, in concert with enterprise IT and plant or production management. This person or individuals should have clear cyber security roles, responsibilities and authority to formulate and enforce well-defined security governance policies for managers, system administrators and end-users.

How vulnerable are the network and software attack surfaces? After identifying all the elements subject to cyber attack, the next step is to conduct penetration testing to determine each one’s vulnerability. This can be a time-consuming, tedious task for large systems comprising hundreds of connections and components or more, but it’s necessary to fully assess the strengths and weaknesses of ICS, SCADA, DCS and safety networks, which are only as strong as their weakest component.

Due to the nature of these critical, real-time production systems, it’s vitally important that any penetration testing occur in a lab environment and not on the production system itself. With extreme care, caution and coordination, production, operations and process safety management will need to conduct a risk analysis and develop contingency plans – with executive management sign-off – before doing any penetration testing or modification of a live control system. Failure to do so could have grave consequences not only for the personnel and property of a plant or production site, but also for the people and property in surrounding communities. This is why any third parties selected to help with ICS, SCADA, DCS and safety system security testing or modification must be exceptionally well qualified and experienced in the engineering and workings of your system(s).

Hardening the Environment
A thorough assessment will reveal all existing and potential security holes and everything that needs strengthening. In effect, the list of all a system’s security shortcomings will become its punch list for action. Depending on how long that list is, levels of prioritization can come into play to close the worst vulnerabilities as soon as possible.

Assigning Security Access Levels (SALs) to each element can help with prioritization. Next steps in this stage would include:

Remove, disable or disconnect anything not needed. An assessment will probably uncover elements that were never needed but ended up installed as part of a bigger installation, or that became unnecessary over time. If you find any unnecessary connections, disconnect them. If any unnecessary software applications or default network services are discovered, remove or disable them.

Establish a security strategy based on a layered “defense-in-depth” model. After eliminating unnecessary connections and software, what’s left needs protection. Ensure physical and logical security coincide, with strict access privileges for all users, providing access only to what they need to do their jobs. Logs should be kept for all accesses, and video surveillance placed on the locked-down physical confines of network elements – HMIs, servers, routers and switches. All firewalls should be up to date. Full security features should be turned on in all hardware devices, operating systems and software applications.

Document, document, document. The catalog of a system’s network and software attack surfaces should be the start of a full documentation of its security. This should include “as-built” system architecture diagrams showing all elements, their locations, their functions, their governance and their connections with other elements.

Add to that written policies and procedures for: establishing, updating and terminating user accounts; upgrade and patch management policies, procedures and assigned responsibilities for all firewalls, devices and software applications; and scope, frequency and procedures for conducting security audits and penetration testing. All this documentation itself should have version and access controls, plus always be backed up to an offsite location, so it’s available by alternative means if the system goes down due to a cyber attack or some unrelated disaster.

Communicate, communicate, communicate. During the hardening stage, many employees and other stakeholders will become aware of what’s going on, so it’s important to communicate with them the reasons for doing so, let them know who is in charge of the effort, advise them of any changes in their day-to-day work as a result, and set proper expectations for their roles in supporting the effort.

Ongoing Vigilance
After hardening a company’s ICS, SCADA, DCS and safety networks, the heightened protection will begin degrading over time without ongoing efforts to maintain security levels. To watch for and respond to apparent and actual attacks, and to conduct periodic security audits and tests, a user should:

Establish response teams to identify and evaluate potential attack scenarios. The designated person or team in charge of industrial network security should identify potential attack scenarios and then convene the core stakeholders into a rapid response team. Each team member needs to imagine, describe and document the potential impact on his or her function should a security attack succeed, as well as what mitigation measures to take. Roles and responsibilities need to be assigned and contact information shared in a central place. The team should meet at least annually to reacquaint themselves with each other and with their risk and mitigation scenarios. It’s a good idea to conduct exercises that assume the worst-case scenario has occurred, which can provide the team with practice.

Conduct periodic audits and penetration testing. The frequency of audits and penetration testing depends on how critical an industrial control system is to a company’s functioning or the life-safety of personnel and surrounding communities. Obviously a nuclear plant would require much more frequent audits and systems testing than a dairy products plant. Any industrial facility, however, should conduct an audit and systems testing no less frequently than once a year. Notably, audits often overlook evaluating the currency and relevancy of existing documentation. That’s why it’s important to review and update documentation. If production lines are frequently reconfigured, with consequent changes made to their control systems, then mini-audits should be conducted to avoid introducing any unintended system vulnerabilities.

The ultimate goal of securing industrial control systems and networks against cyber attacks is to ensure their reliable and safe operation.

Oil and gas industry executives can make tremendous progress in reaching this goal by initiating a thorough systems assessment and needed hardening, then putting in place a formal watchdog process governed by designated, well-qualified people with the knowledge and authority to create and enforce policies and procedures.

Doing so will cost money and time, but it will be one of the most important investments that oil and gas operators can make in the safety and well-being of their people, production and property.

Marc Ayala is the former senior technical advisor at system integrator, Cimation and Jeff Jensen is an application engineer at Siemens Industry, Inc.

Wednesday, May 20, 2015 @ 01:05 PM gHale

Insurance issues related to cyber security claims are generating more interest around the industry these days, and if manufacturers do not follow all their procedures and policies strictly, they could find themselves out in the cold when it comes to collecting on any claim.

While this report from the Privacy and Security Matters web site relates to the health industry, it could very well fall in the manufacturing arena:

“Cyber security, and cyber insurance, have dominated the industry headlines for several years now, but even as companies, brokers and insurers work to develop these products, there has been a dearth of case law interpreting key provisions. This is beginning to change as disputes arise and make their way through the judicial system.

“One such suit came last week when (insurance giant) CNA filed a declaratory judgment action against its insured Cottage Health System, seeking reimbursement of both defense costs and a $4.125 million settlement it had paid out on a claim made under Cottage’s cyber policy. In January 2014, Cottage was sued in a class action in California state court, where it was alleged that the records of more than 30,000 of Cottage’s patients had been disclosed to the public via the Internet. Cottage allegedly stored such records on an Internet-accessible system but failed to install encryption or use other safeguards. The California court granted approval of the $4.125 million settlement fund in December 2014. CNA, which had reserved rights, filed this action.

“In the action, CNA invokes the exclusion for “failure to follow minimum required practices” which precludes coverage if the insured does not “continuously implement the procedures and risk controls identified in the Insured’s application for this Insurance.” In its application Cottage had indicated that it regularly re-assessed its exposure to information security and privacy threats, among other, more specific, data-protection procedures. CNA asserts that this representation in the application was false.

“Insureds and insurers in the cyber space would do well to watch this matter unfold. The exclusion invoked, and the application questions it relies on, are broadly worded and may leave room for strong arguments on both sides. Regardless of the outcome, we can be sure that this is only the beginning of judicial interpretation of the key terms of cyber-related policies. Interested readers can also review one of the first cyber-related decisions in the country, which came out of the District Court of Utah last week.”

Wednesday, May 13, 2015 @ 05:05 PM gHale

By Gregory Hale
Cyber security issues continue to grow throughout the manufacturing automation sector. That is becoming clearer as new players try to capitalize on the latest buzzwords to gain a foothold, but sometimes the answer to a problem has been in front of you all along.

At least that is what PAS believes as the Houston-based asset reliability provider today launched a new cyber security business unit focused on configuration management for vulnerable assets deep within the control domain.

“Bad guys know the real place to go to wreak havoc,” said Eddie Habibi, founder and chief executive of PAS. “The real place to go to cause damage and leave a hole in the ground, you go to the DCS.”

Securing the soft underbelly of the manufacturing enterprise is the focus of the new unit.

“Configuration management for security is much like alarm management for safety,” Habibi said. “The industrial cyber security challenge consists of several layers that go over IT and OT. We see configuration management is where the bad guy needs to go to hack into the plant. (We focus on) anything in the proprietary domain of the control system like control configuration, ladder logic, proprietary programs, unique communication protocols. They are not like the open Windows or SAP, they are closed and proprietary.”

The security challenge ratchets up every day, and that means users need to know what to protect and where it is.

“Sophistication has increased. Viruses have been productized and they are learning how to go after control systems,” said David Zahn, chief marketing officer at PAS and general manager of the new cyber security business unit. “The first thing you do to protect your castle is to build a moat around it. But if you don’t know the assets you have, you don’t know what you have to protect.”

Like the moat in the analogy, as it stands right now there is strong perimeter protection in the industrial control market with firewalls, intrusion prevention and anti-malware, Habibi said. But at Levels 1 and 0 there is no real protection at the core. For any supplier’s DCS, this is where the proprietary areas of the control system reside, he said.

The need to understand and know what to protect is paramount.

“Proprietary systems don’t have IP addresses, so unless you have visibility into those systems, you can’t really have a total solution,” Habibi said. “Users need to baseline what good looks like and understand what the normal running conditions are.”

Understanding what the user has, and ensuring a safer and more secure environment, also means the system will operate more smoothly and efficiently.

“If you focus on safety and security that will improve reliability,” Habibi said. “We have been doing configuration management for a long time, we are adding cyber security capabilities to round it out.”

PAS has worked in the cyber security space for years, so this new unit and the Cyber Integrity release are the next step in its evolution in that area.

PAS implemented a multi-layered security architecture that includes its Cyber Integrity software to protect critical control assets and address compliance requirements. It automates internal and regulatory compliance reporting while reducing associated efforts by up to 90 percent.

Cyber Integrity enables industrial companies to:
• Gather and maintain an accurate inventory of cyber assets
• Establish a cyber security configuration management policy
• Manage change by monitoring for unauthorized updates to cyber asset configurations
• Implement a program for system backup and recovery
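As an added illustration of the baseline-and-monitor idea described above (example code written for this page, not PAS or Cyber Integrity code; every asset tag, configuration blob and change ticket below is constructed), the following builds a baseline of configuration digests for proprietary control assets that are inventoried by site tag rather than IP address, then classifies each later difference as an authorized change, an unauthorized change, a missing asset or an uninventoried asset:

```python
"""Configuration baselining and drift detection for control assets.
Constructed example added to this page; not PAS or Cyber Integrity code."""
import hashlib
from dataclasses import dataclass

# Constructed inventory: proprietary control assets identified by site tag, each
# with its last-known-good configuration as exported bytes.
BASELINE_CONFIGS = {
    "PLC-101": b"LADDER v1: P-101 start/stop interlocked on LSH-101",
    "DCS-CTRL-A": b"CONTROL CFG: FIC-201 PID K=2.0 Ti=30s",
    "SIS-301": b"SIF-301: trip on PSH-301 > 150 psig",
}
# Constructed later snapshot: one approved change, one unapproved change,
# one unchanged asset, and one asset that was never inventoried.
CURRENT_CONFIGS = {
    "PLC-101": b"LADDER v2: P-101 start/stop interlocked on LSH-101 and LSL-101",
    "DCS-CTRL-A": b"CONTROL CFG: FIC-201 PID K=2.0 Ti=30s",
    "SIS-301": b"SIF-301: trip on PSH-301 > 250 psig",
    "HMI-009": b"HMI screen set rev 3",
}

def fingerprint(config: bytes) -> str:
    """SHA-256 of an exported configuration; the baseline stores only digests."""
    return hashlib.sha256(config).hexdigest()

def build_baseline(configs: dict) -> dict:
    """Record 'what good looks like': asset tag -> approved configuration digest."""
    return {tag: fingerprint(blob) for tag, blob in configs.items()}

# Constructed change ticket: the digest PLC-101 is expected to have after its approved edit.
APPROVED_CHANGES = {"PLC-101": fingerprint(CURRENT_CONFIGS["PLC-101"])}

@dataclass(frozen=True)
class Finding:
    asset: str
    kind: str  # unauthorized_change | authorized_change | missing_asset | new_asset

def detect_drift(baseline: dict, current: dict, approved: dict) -> list:
    """Compare a fresh snapshot against the baseline and classify every difference."""
    findings = []
    for tag, expected in baseline.items():
        if tag not in current:
            findings.append(Finding(tag, "missing_asset"))
            continue
        actual = fingerprint(current[tag])
        if actual == expected:
            continue  # unchanged since the baseline was taken
        kind = "authorized_change" if approved.get(tag) == actual else "unauthorized_change"
        findings.append(Finding(tag, kind))
    for tag in current:
        if tag not in baseline:
            findings.append(Finding(tag, "new_asset"))  # not inventoried, so not protected
    return findings

def run_check() -> dict:
    """Return {asset: finding kind} for the constructed snapshot."""
    baseline = build_baseline(BASELINE_CONFIGS)
    return {f.asset: f.kind for f in detect_drift(baseline, CURRENT_CONFIGS, APPROVED_CHANGES)}
```

Only the digests need to be kept in the baseline store, so the approved configuration exports themselves can live in the backup-and-recovery repository the fourth bullet calls for.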

Understanding and achieving a secure environment means end users have to start thinking about new ways to approach security because the old ways, while effective at one point, just won’t cut it anymore.

“Cyber awareness is there,” Habibi said, “but the solution approach needs education.”

Wednesday, February 11, 2015 @ 05:02 PM gHale

By Gregory Hale
Cyber security permeates every part of your company, and it must be on everybody’s agenda.

That was the message that came from Gregory Touhill, Air Force Brig Gen (ret), CISSP and Deputy Assistant Secretary for Cybersecurity Operations and Programs at the Department of Homeland Security during his keynote address at the ARC Industry Forum 2015 in Orlando, FL, Tuesday.

After opening his keynote with a “Happy Patch Tuesday morning,” Touhill said the industry is facing more attacks than ever before, and it does not look like that will let up any time soon.

“Cyber security is misunderstood by many folks,” he said. “People think it is a technology issue. I say it is a risk management issue for companies and individuals. Risk management is something we all need to look at as we conduct business on a daily basis.”

He likened his job to being the captain of the neighborhood cyber watch for the entire country.

Some of the duties of the neighborhood watch include:
• Share information about bad actors
• Do things about attribution. We anonymize data

“There is a myth out there that we are all knowing and all seeing. That is a myth. We are as transparent as we can be. We are the champion of declassification. We are dedicated to maintain privacy, civil rights and civil liberties.”

Touhill said the threat environment continues to grow and there are three types of attackers out there:
• Nation state actors who are very capable adversaries
• People trying to get a competitive advantage and steal your IP to gain as much information as possible
• Hacktivists, who are people that don’t agree with your company’s activities

The final part of the threat environment, Touhill said, is on his personal list rather than the official DHS stance: people being “just plain stupid. Your IT staff is not stupid, but sometimes they do stupid things. They miss things.”

Security, he said, remains more than just a technology issue; it is also a people and physical issue.

“If we just look at technology, security will fail. We also have to look at the physical side.” He mentioned the substation in California that was attacked a year or so ago by bad guys who shot at the facility and then fled.

Looking at the cyber security environment, Touhill knows the origin of control systems and why they are vulnerable to attack.

“As we look at industrial control systems, they are not designed with security in mind,” he said. “They are old and security is bolted on. Sometimes we find owners and operators have decided to take the risk and not pay for security. As we go out into the sector, we have to bake in security.”

Touhill said there are five key best practices to think about when it comes to an attack:
• ID what you have
• Protect it
• Detect it
• Respond
• Be able to recover

“I contend there are very few companies doing that,” he said. “They are not doing asset valuation. It is important to protect appropriately. Identify what you have and make sure you protect the proper things in the most appropriate way.”

Vigilance remains key because, as he said, the average time from penetration to detection is 240 days.

“That is unacceptable,” Touhill said. “I want to know when they are coming through the gate and have a response plan in place.”

“Cyber security permeates every part of your company,” he said. “It has to be a part of everybody’s agenda. Each one of us in this room has a responsibility to cyber security. We all have a stake in cyber security.”

Wednesday, December 17, 2014 @ 11:12 AM gHale

The supply chain ends up being the focal point for too many breaches. Your organization may very well be secure, but how about your partners and suppliers?

Hackers just prey on weaker vendors that have remote access to a larger company’s global IT systems, software and networks.

One case in point is the classic 2013 Target breach where the attackers infiltrated a vulnerable link: A refrigeration system supplier connected to the retailer’s IT system. After that breach, all bets were off.

But it doesn’t have to be that way. A counter-measure, via a user-ready online portal, is in development by researchers in the Supply Chain Management Center at the University of Maryland’s Robert H. Smith School of Business.

The portal comes from a new management science called “cyber supply chain risk management.” It combines the conventionally separate disciplines of cyber security, enterprise risk management and supply chain management.

Funded by the National Institute of Standards and Technology (NIST), the UMD researchers developed the formula, in part, after surveying 200 different-sized companies in various industries.

“We found that, collectively, the cyber supply chain is fragmented and stovepiped, and companies are ill-prepared to sense and respond to risks in real time,” said research professor and center co-director Sandor Boyson, who collaborated on the study and portal design with faculty-colleague/center co-director Thomas Corsi, research fellow Hart Rossman and UMD-Smith CIO Holly Mann. “Just half of our subjects used an executive advisory committee such as a risk board to govern their IT-system risks.”

The findings ended up published in a study entitled “Cyber supply chain risk management: Revolutionizing the strategic control of critical IT systems.”

The researchers leveraged the study into the portal. Companies can log on cost-free, and track developing threats, plus map their IT supply chains and anonymously measure themselves against industry peers and NIST standards.

The benchmarking covers operations and cyber insurance allocation via three separate functions:

A self-evaluation exercise shows a company’s structure for cyber-protecting the supply chain. For example, users reply to: “To what degree is your CIO and-or IT shop isolated from, or collaborative with, your supply chain specialists who actually procure the hardware and software for your IT system?”

A special formula measures the risk levels of each company asset. The Common Vulnerability Scoring System, the standard for analyzing software systems, can analyze the entire range of assets connected to the cyber supply chain.

Firms can compare corporate disclosures, exposures and vulnerabilities to those of peer companies via an insurance-risk analysis framework provided by The Willis Group. The global insurance broker’s database of aggregated SEC-reported cyber attacks (reporting is mandated for public companies) supports this tool.

The portal is scalable. About 150 companies of various sizes have completed at least one of the functions. Fifteen of those firms completed all three assessments and represent industries including high-tech aerospace manufacturing, telecommunications, real estate, and medical and professional services.

“The portal helps individual organizations understand their risk and how they can better manage it. This bolsters the resilience and security posture of the entire ecosystem of the U.S. economy,” said Jon Boyens, senior advisor for information security in NIST’s computer security division. “While this ecosystem has evolved to provide a set of highly refined, cost-effective, reusable products and services that support the U.S. economy, it has also increased opportunities for adversaries and made it increasingly difficult for organizations to understand their risks.”

Wednesday, June 25, 2014 @ 05:06 PM gHale

By Gregory Hale
Cyber security is really all about risk management, but before you make any kinds of decisions on risk levels you have to know what you have that is at risk. That is just where a risk assessment comes into play.

“There is a relationship between process safety and security,” said John Cusimano, director of ICS cybersecurity solutions at aeSolutions during his talk entitled “Measure Twice, Cut Once! The Value of Conducting Cyber Risk Assessments” Wednesday at the 2014 Siemens Automation Summit in Orlando, FL. “In process safety you have a Process Hazard Analysis (PHA) mandated by OSHA and focused on the process and the equipment in the process. You have to establish a risk assessment and security is no different. In process safety we talk about layers of protection. In normal conditions the system keeps everything in control. If things don’t work the safety instrumented system kicks in and puts the plant in safe state.”

When a user is looking at cyber security, said Chris Da Costa, global operations security manager for Air Products and Chemicals Inc., here are just some of the questions users should ask themselves:
• Is the plant ICS system secure from a cyber perspective?
• If there is an architecture change, will it change the security?
• What kind of firewall do you use?
• Do you have the right firewall rules?
• Has the plant ICS been compromised?
• Do you have the right layers of protection?
• How good is good enough?

“How do you go about answering those questions? To answer those questions you have to do a risk assessment,” Da Costa said. “What threats are in your system? Are safeguards in place to have risks at an acceptable level?”

A risk assessment, though, is only the beginning. “It is only a portion of the security philosophy. You need to address the people aspect, but the strategy part includes a risk assessment,” Da Costa said.

As a part of the discussion, Cusimano went through a basic assessment and some of the approaches to what he called a cyber PHA.

Some of the deliverables that come out of a risk assessment include:
• ICS security architecture drawings
• Requirement specification
• Vulnerability assessment
• Peer comparison
• Zone and conduit model

Just remember, as Da Costa said, “a risk assessment is so critical in where you want to go.”

Wednesday, June 4, 2014 @ 07:06 PM gHale

By Gregory Hale
There are heavy challenges facing automation professionals in the years to come and cyber security ranks up there at the top.

“There are issues like skills availability, working in remote locations and cyber security,” said Vimal Kapur, the brand new president of Honeywell Process Solutions (HPS) during his keynote address Tuesday at the 2014 Honeywell Users Group in San Antonio, TX. “We can’t ignore (cyber security). It is an undesired event and we have to do something about it.”

Kapur, named president of HPS in May, talked about the trends and outlooks he sees in the industry. Although new to the role, he has been with Honeywell for 25 years, so he is well aware of industry nuances and trends.

One of the areas he wants to focus on is collaborating to ensure global coverage as world markets emerge from long-standing recessions.

“China and the Americas continue to lead in capital spending, but Europe, Middle East and Asia (EMEA) and Asia Pacific are recovering,” he said.

Closer to home in North America, Kapur said natural gas is continuing its growth curve.

“The Americas oil and gas industries continue to dominate capital spending in the region, especially as they migrate to new natural gas sources,” said Kapur. “These changes have been having a profound impact for the past two or three years, and this trend is going to continue for several more years.”

He also pointed out how Honeywell will be able to leverage its capabilities in upstream oil and gas, midstream and downstream with new SCADA, RTU, DCS, safety, advanced and field instrumentation solutions.

Understanding and designing the systems properly from the beginning is also more vital now than it ever has been.

“Large capital expenditure projects are growing more complex, expensive and time-consuming. So instead of us coming in and adding automation and control at the end of a project before start-up, it’s becoming critical for us to execute automation and get it out of the critical path of these projects,” Kapur said.

Planning the project is one thing, but the next step is applying operational integrity and operational excellence.

“Being able to accomplish operational integrity means operating safely. Operational excellence means running a process more efficiently,” he said. “That all includes making people and assets safer, and running processes more reliably.”

One other trend Kapur discussed was cloud computing.

“Cloud computing in automation has huge potential,” Kapur said. “That is something that is happening now; not something that will happen in the future.”

Another trend is universality, Kapur said. By that he meant one universal device that handles multiple capabilities. A case in point is a smartphone, which handles computing, video, phone and general communications capabilities.

In the past, one device handled one function, but why not have one device that handles multiple functions?

He then translated that to the Honeywell environment where, in one case, he pointed to Universal I/O, which evolved from a single-function device into one that can handle multiple tasks.

Universal I/O and cloud computing capabilities form the core of the company’s Lean Execution of Automation Projects (LEAP) program for taking automation out of the critical path on customers’ projects.

The goal behind LEAP is to cut engineering time:
• No repeat engineering
• Drives efficiency
• Lean execution
• Standardized processes and tools