Posts Tagged ‘cyber security’
Wednesday, February 11, 2015 @ 05:02 PM gHale
By Gregory Hale
Cyber security permeates every part of your company and it is a must that it is on everybody’s agenda.
That was the message that came from Gregory Touhill, Air Force Brig Gen (ret), CISSP and Deputy Assistant Secretary for Cybersecurity Operations and Programs at the Department of Homeland Security during his keynote address at the ARC Industry Forum 2015 in Orlando, FL, Tuesday.
As he started off his keynote with a “Happy Patch Tuesday morning,” Touhill continued by saying the industry is just facing more attacks then every before and it doesn’t look like it will let up any time soon.
Chinese Hacking: Ineptitude, Confusion
Solar Companies Under Attack
Security a Differentiator for Users
Security: A Presidential Mandate
Security Spending to Increase in ‘15
Sony: Risk Management in Real Time
“Cyber security is misunderstood by many folks,” he said. “People think it is a technology issue. I say it is a risk management issue for companies and individuals. Risk management is something we all need to look at as we conduct business on a daily basis.”
He likened his job to being the captain of the neighborhood cyber watch for the entire country.
Some of the duties of the neighborhood watch include:
• Share information about bad actors
• Do things about attribution. We anonymize data
“There is a myth out there that we are all knowing and all seeing. That is a myth. We are as transparent as we can be. We are the champion of declassification. We are dedicated to maintain privacy, civil rights and civil liberties.
Touhill said the threat environment continues to grow and there are three types of attackers out there:
• Nation state actors who are very capable adversaries
• People trying to get a competitive advantage and steal your IP to gain as much information as possible
• Hacktivists, who are people that don’t agree with your company’s activities
And then the final threat environment Touhill said was on his personal list but not the official DHS stance and that is people being “just plain stupid. Your IT staff is not stupid, but sometimes they do stupid things. They miss things.”
Security, he said, remains more than just a technology issue; it is also a people and physical issue.
“If we just look at technology security will fail. We also have to look at the physical side.” He mentioned the substation in California that ended up attacked a year or so ago by bad guys who shot out the facility and then took off.
Looking at the cyber security environment, Touhill knows the origin of control systems and why they are vulnerable to attack.
“As we look at industrial control systems, they are not designed with security in mind,” he said. “They are old and security is bolted on. Sometimes we find owners and operators have decided to take the risk and not pay for security. As we go out into the sector, we have to bake in security.”
Touhill said there are five key best practices to think about when it comes to an attack:
• ID what you have
• Protect it
• Detect it
• Be able to recover
“I contend there are very few companies doing that,” he said. “They are not doing asset valuation. It is important to protect appropriately. Identify what you have and make sure you protect the proper things in the most appropriate way.”
Vigilance remains a key aspect because as he said, the average time from penetration to detection is 240 days.
“That is unacceptable,” Touhill said. “I want to know when they are coming through the gate and have a response plan in place.”
“Cyber security permeates every part of your company,” he said. “It has to be a part of everybody’s agenda. Each one of us in this room has a responsibility to cyber security. We all have a stake in cyber security.”
Wednesday, June 25, 2014 @ 05:06 PM gHale
By Gregory Hale
Cyber security is really all about risk management, but before you make any kinds of decisions on risk levels you have to know what you have that is at risk. That is just where a risk assessment comes into play.
“There is a relationship between process safety and security,” said John Cusimano, director of ICS cybersecurity solutions at aeSolutions during his talk entitled “Measure Twice, Cut Once! The Value of Conducting Cyber Risk Assessments” Wednesday at the 2014 Siemens Automation Summit in Orlando, FL. “In process safety you have a Process Hazard Analysis (PHA) mandated by OSHA and focused on the process and the equipment in the process. You have to establish a risk assessment and security is no different. In process safety we talk about layers of protection. In normal conditions the system keeps everything in control. If things don’t work the safety instrumented system kicks in and puts the plant in safe state.”
When a user is looking at cyber security, Chris Da Costa, global operations security manager for Air Products and Chemicals Inc. said here are just some of the questions users should ask themselves:
• Is the plant ICS system secure from a cyber perspective?
• If there is an architecture change, will it change the security?
• What kind of firewall do you use?
• Do you have the right firewall rules?
• Has the plant ICS been compromised?
• Do you have the right layers of protection?
• How good is good enough?
“How do you go about answering those questions? To answer those questions you have to do a risk assessment,” Da Costa said. “What threats are in your system?” Are safeguards in place to have risks at an acceptable level?”
A risk assessment, though, is only the beginning. “It is only a portion of the security philosophy. You need to address the people aspect, but the strategy part includes a risk assessment,” Da Costa said.
As a part of the discussion, Cusimano went through a basic assessment and some of the approaches to what he called a cyber PHA.
Some of the deliverables that come out of a risk assessment include:
• ICS security architecture drawings
• Requirement specification
• Vulnerability assessment
• Peer comparison
• Zone and conduit model
Just remember, as Da Costa said, “a risk assessment is so critical in where you want to go.”
Wednesday, June 4, 2014 @ 07:06 PM gHale
By Gregory Hale
There are heavy challenges facing automation professionals in the years to come and cyber security ranks up there at the top.
“There are issues like skills availability, working in remote locations and cyber security,” said Vimal Kapur, the brand new president of Honeywell Process Solutions (HPS) during his keynote address Tuesday at the 2014 Honeywell Users Group in San Antonio, TX. “We can’t ignore (cyber security). It is an undesired event and we have to do something about it.”
Kapur, just named president of HPS in May, talked about trends and outlooks he sees in the industry. While newly named as president, Kapur has been with Honeywell for 25 years so he is very aware of industry nuances and trends.
One of the areas he wants to focus on collaborating to ensure global coverage as the world markets emerge from long standing recessions.
“China and the Americas continue to lead in capital spending, but Europe, Middle East and Asia (EMEA) and Asia Pacific are recovering,” he said.
Closer to home in North America, Kapur said natural gas is continuing its growth curve.
“The Americas oil and gas industries continue to dominate capital spending in the region, especially as they migrate to new natural gas sources,” said Kapur. “These changes have been having a profound impact for the past two or three years, and this trend is going to continue for several more years.”
He also pointed out how Honeywell will be able to leverage its capabilities in upstream oil and gas, midstream and downstream with new SCADA, RTU, DCS, safety, advanced and field instrumentation solutions.
Also understanding and designing the systems properly from the beginning is more vital now than it ever has been.
“Large capital expenditure projects are growing more complex, expensive and time-consuming. So instead of us coming in and adding automation and control at the end of a project before start-up, it’s becoming critical for us to execute automation and get it out of the critical path of these projects,” Kapur said.
Planning the project is one thing, but the next step is applying operational integrity and operational excellence.
“Being able to accomplish operational integrity means operating safely. Operational excellence means running a process more efficiently,” he said. “That all includes making people and assets safer, and running processes more reliably.”
One other trend Kapur discussed was cloud computing.
“Cloud computing in automation has huge potential,” Kapur said. “That is something that is happening now; not something that will happen in the future.”
Another trend is universality, Kapur said. By that he said there would be one universal device that handles multiple capabilities. A case in point is a smartphone that can handle computing, video, phone and general communications capabilities.
In the past one device could handle one function, but why not have one device that handles multiple functions.
He then translated that to the Honeywell environment where, in one case, he pointed to Universal IO which transformed from a single device to one that can handle multiple tasks.
Universal I/O and cloud computing capabilities form the core of the company’s Lean Execution of Automation Projects (LEAP) program for taking automation out of the critical path on customers’ projects.
The goal behind LEAP is to cut engineering time
- No repeat engineering
- Drives efficiency
- Lean execution
- Standardized processes and tools
Wednesday, March 12, 2014 @ 10:03 AM gHale
Lockheed Martin will acquire manufacturing automation security provider, Industrial Defender.
“Industrial Defender’s expertise in cyber security for critical infrastructure is a natural extension of our commercial cyber security business,” said Marillyn Hewson, Lockheed Martin chairman, president and chief executive. “Their experience in addressing cyber threats to industrial control systems complements our information technology cyber security expertise and strengthens the value we deliver to our customers.”
Foxborough, MA-based Industrial Defender is a privately held company with more than 130 employees in three facilities. The company’s solutions focus on protecting and managing critical infrastructure by reducing cyber risks, easing regulatory compliance and enhancing the efficiency of customers’ control environments.
“Lockheed Martin is a leader in cyber technology and IT security,” said Industrial Defender Chief Executive Brian M. Ahern. “We share a common perspective on the importance of protecting global critical infrastructure from an increasingly hostile threat landscape. The combined capabilities of Industrial Defender and Lockheed Martin will enable us to offer a comprehensive suite of technology and services designed to face modern day threats and business challenges to both enterprise information and operational technologies.”
Industrial Defender focuses on areas such as electric power grids, chemical facilities, and oil and gas pipelines. The company has over 400 companies in its stable of customers.
Bethesda, MD-based Lockheed Martin’s net sales for 2013 were $45.4 billion.
While terms of the deal were not immediately available, the deal should close within 30 days.
Tuesday, January 7, 2014 @ 06:01 PM gHale
In a move to expand is security portfolio, Palo Alto Networks dealt for Morta Security, a Silicon Valley-based cyber security company operating since 2012.
Morta Security brings to Palo Alto Networks a team experienced at protecting national infrastructure as well as technologies that enhance the proven detection and prevention capabilities of the Palo Alto Networks WildFire offering, which has over 2,400 users.
“The Morta team brings additional valuable threat intelligence experience and capabilities to Palo Alto Networks” said Mark McLaughlin, president and chief executive of Palo Alto Networks. “The company’s technology developments align well with our highly integrated, automated and scalable platform approach and their contributions will translate into additive threat detection and prevention benefits for our customers.”
“Palo Alto Networks has a successful history of disrupting the network security landscape with its unique offerings” said Raj Shah, chief executive of Morta Security. “The Morta team is excited to work with the clear leaders in this space and we look forward to joining the company and contributing to future highly innovative technology leadership.”
Financial terms of the deal were not immediately available.
Monday, January 6, 2014 @ 02:01 PM gHale
By Eric D. Knapp
Digital segmentation and separation are fundamental components of basic cyber security, yet they remain difficult to implement in industrial control environments.
This is partly due to an industry-wide focus on perimeter security, a carryover from the days of air gap protection. The thinking is, “if we can recreate the air gap digitally, we will once again be secure.” However, this is fundamentally flawed thinking.
As industrial systems continue to evolve, they become more distributed, and there are more and more legitimate interconnections between internal systems within that distributed environment. The number of valid reasons for interconnectivity requires that more traffic be allowed through the perimeter, and if perimeter access isn’t denied outright, it isn’t really a gap. With that said, a more flexible approach becomes required.
Anyone who has wrestled with this conundrum understands the challenge: There are many systems that make up a distributed industrial automation system; within these systems are devices that must communicate with each other, and in some cases with devices in other subsystems. Some of these connections are purely between control devices, some are between operations and business systems, some are diagnostic in nature, but they are all very real and they’re not going away. The trick is getting the right connections in place, so that only necessary information flows occur. The necessary flows can then be secured, and the unnecessary flows prevented outright.
Purdue Reference Model
This is well defined by the Purdue Reference Model for CIM, which is crowded with flow diagrams, (appropriately) resembling neurons. These diagrams map information flow against logical device groups according to zones and conduits—each zone representing a specific group of devices that work together and require interconnectivity, and each conduit representing connectivity between zones. These concepts are ingrained into the industry’s thinking, and are a foundation for industrial cyber security. Perhaps most notably, this model is used within ISA99 and IEC 62443, where it is presented in terms of security levels, zones and conduits. So, if there are defined zones and levels, what’s wrong with existing perimeter security techniques to protect these levels and zones?
Primarily it’s an issue of semantics, but the flaw here is the term perimeter implies one big shell around an entire system, within which many devices, residing within many zones, with different security levels and conduits could all go unmanaged. In other words, what we think of as perimeter security doesn’t infer the same level of granular access controls that a properly enforced conduit provides. Of course, perimeter security is able to properly secure zones: Every zone has a logical perimeter that defines it; if all information flows are forced to cross this boundary via appropriate cyber security measures, each conduit is made more secure.
1. Many such perimeters need to be created
2. Appropriate security controls need to be put in place around each, so flows can be inspected
3. These controls need to be able to map different policies to different information flows, so each flow or conduit can be adequately protected
Using these criteria, it becomes obvious that, while there are many ways to segment zones and to enforce perimeter security, they are not always feasible or adequate.
For example, traditional segmentation mechanisms that use VLANs and/or routing would either prohibit the amount of zone separation (by using too few devices), or it would become unduly complex (requiring massive network redesign to accommodate VLANs and IP subnetting). Too simple, and the right security isn’t implemented in the right places; too complex, and the risk of misconfiguration can result in less effective security and unintentional vulnerability. The complexity of highly sub-networked or VLAN-separated systems also requires administrative overhead to operations teams, who are already strapped for IT skills and resources. Last, and certainly not least, the ICS vendors may dictate specific designs, with specific layer-2 and layer-3 configurations, making the implementation of new network segmentation contractually impossible. In other words, traditional segmentation is not feasible for deep segmentation of industrial systems.
Routing can enforce the security of information flows, as can VLANs. However, this security is not absolute, and these paths remain susceptible to attack. Generally, the higher up the OSI stack you go, the more difficult the attack will be. VLAN ‘hopping’ is a relatively simple task that renders VLANs inherently insecure; routers are more difficult to circumvent; while application layer controls are hardest to overcome. Therefore, while VLAN and network segmentation can be effective, it is not entirely adequate for use in industrial systems.
The necessity for a secure segmentation of the network is the crux of the issue: Zones and conduits exist because of a need to restrict access to and between systems, in an effort to improve the security and reliability of the overall system(s). If the information flow isn’t secure, the zone is moot. If the logical perimeter doesn’t adequately control access to the devices it contains, the system remains vulnerable.
To deploy an enterprise-class IT security device within a control environment to separate two discrete control zones, would be to pound a square peg into a round hole. It would also be difficult to justify: The device would be costly, cumbersome, and may in many cases disrupt industrial communications (typically due to latency and other performance characteristics that simply aren’t tuned for sensitive industrial networks). There is also, typically, undue complexity to help products differentiate themselves in the highly competitive enterprise security market.
The answer isn’t to develop entirely new tools, but rather to make existing cyber security tools more relevant. To do so, we must first look at the tools that are available and then determine how to make them more appropriate to industrial control systems.
The basic requirement is simple: Limit the network traffic allowed into and out of any given zone. It is a task that could be easily accomplished with a firewall, using bi-directional traffic filters to prune out unwanted traffic on unwanted ports. It is a good idea, and many cases it’s a necessary one — due to industry mandates that require the use of a firewall or similar technology for this purpose. Because firewalls filter IP traffic, they can also filter industrial control traffic running atop IP. However, while this will narrow the scope of legitimate traffic to what is authorized, even legitimate traffic needs to be inspected more closely.
Network based exploits, denial of service attacks, and insider attacks from disgruntled employees all utilize legitimate traffic in illegitimate ways. Deep packet inspection can help, by looking into packets for an indication of malicious intent. Content filtering (a feature in next generation firewalls) looks at the application contents rather than simply matching packet contents, to determine if an application is being misused. For example, to prevent access to a specific URL instead of blocking all web traffic. This provides additional granularity, but commercial content filters aim primarily at filtering web content and email, and not industrial applications. However, most application-layer firewalls lack the ability to make decisions upon the specialized application-layer protocols used within industrial systems, which ride atop TCP/IP but which establish their own application sessions, enact their own controls, and carry their own payloads.
To become relevant, the firewall must be able to understand these industrial applications, track application-layer sessions, and make decisions accordingly. To become highly relevant, the firewall should allow unwanted or unnecessary features to be disabled by default, so that they are more easily deployed and maintained in an environment staffed by operations managers and not IT managers.
Firewalls with Context
By utilizing existing firewall technology with the necessary relevance, context, and policy enforcement to filter industrial traffic and enterprise traffic; the device can adequately protect an industrial system and effectively secure zones. If the firewall can act transparently (i.e., it does not alter or impact IP communications) then it becomes feasible for deployment, by enabling zone-level separation (separation of systems by logical grouping and function) without the need for network reconfiguration. Such a firewall is much more practical for OT managers and staff because it will not interfere with approved control system designs.
Using relevant cyber security mechanisms, the complex network access policies required can finally be enforced. Through extensive filtering (using next generation firewalls that understand the nature of ICS application-layer protocols), the control network can be essentially “whitelisted.” By filtering the contents of industrial protocols, control can be highly granular and effective by defining which protocols are acceptable, which devices are authorized to communicate, and which tasks they are authorized to perform.
What this means is that zoning can finally be well defined and implemented by operators, using readily available and easy-to-use technology. This very basic and necessary first step toward a mature cyber security profile — the separation of systems into functional groups — will do more for security, reliability and safety than almost any other available security measure. Properly established zones and conduits will make unauthorized access to (and exploitation of) critical devices more difficult; they will help to isolate functional systems to minimize the impact of an incident; and perhaps most importantly, they create a strong architecture foundation upon which more sophisticated security controls can be built.
Eric D. Knapp (@ericdknapp) continues to drive the adoption of new security technology for a safer and more reliable automation infrastructures. Eric is the director of strategic alliances for Wurldtech Security Technologies. He is also the author of “Industrial Network Security: Securing Critical Infrastructure Networks for Smart Grid, SCADA, and Other Industrial Control Systems,” and the co-author of “Applied Cyber Security for Smart Grids.”
Tuesday, December 17, 2013 @ 08:12 AM gHale
What is worse, not knowing you have a security weakness and not doing anything about it or knowing you have a security issue and not doing anything about it? The answer is both are worse.
One federal agency knew it had a weakness with its cyber security, but they did nothing about it and ended up hacked to the point where private information of employees, their dependents and contractors ended up compromised, federal auditors said.
In a report released Wednesday, Department of Energy (DoE) Inspector General Gregory Friedman said the DoE breach last summer affected over 104,000 people, providing access to names, Social Security numbers, dates of birth and other information from a human-resources network.
The end result was confusion over who was in charge of making the fixes, poor communication among responsible officials and pressure to keep systems running to maintain productivity all contributed to the problems, according to the report. Sound familiar?
DoE is not the first agency to have issues with cyber security as the Inspector General had issues with the Department of Homeland Security for having a difficult time protecting itself.
The agency for months failed to patch its systems regularly against known cyber security threats or scan its networks consistently, in real time, to keep out digital malefactors, according to a report released by the DHS inspector general.
In fact, the federal government as a whole is failing to lead when it comes to cyber security best practices, said an advisory council to President Obama. The council recommended a real-time threat intelligence-sharing among private-sector entities.
A new, unclassified report to the Obama administration, the President’s Council of Advisors On Science and Technology (PCA ST) said the federal government must set the tone by fixing its own security processes.
Along those lines, auditors found DoE did not implement accepted standards for protecting its networks and failed to ensure its security controls were working effectively in many cases.
DoE has been hacked three times since May 2011, according to auditors. DoE acknowledged two incidents this year alone, telling employees in an August memo it would offer one year of free credit monitoring for impacted personnel and assistance in protecting them from identity theft.
The inspector general said those efforts, along with paid leave allowed for individuals needing to correct issues associated with the breaches, could cost the government up to $3.7 million, all of which could have been avoided.
The report said the department used complete Social Security numbers contrary to federal guidance, allowed direct Internet access to a highly sensitive system without adequate protections and failed to take action on known network vulnerabilities.
“In spite of a number of early warning signs that certain personnel-related information systems were at risk, the department had not taken action necessary to protect the [information],” Friedman said in a summary.
Despite the recent breaches, the department said in August no classified government information ended up compromised. However, hackers could use stolen employee data to access other agency systems, potentially leading to future intrusions.
Wednesday, November 6, 2013 @ 06:11 AM gHale
By Gregory Hale
Security can be that big bad all encompassing and confusing quagmire that can consume a user, or you can have Johan Nye break it down to make is seem simple and understandable.
Cyber security is a shared responsibility between suppliers, integrators and asset owners,” said Nye, senior engineering advisor at ExxonMobil Research and Engineering, co-chairman of the ISA99 Working Group 4 Subcommittee, which is developing technical requirements for the Security of Industrial Automation and Control Systems and chairman of the ISA Security Compliance Institute Governing Board, which is developing the ISASecure certification program for Industrial Automation and Control Systems cyber security. “It is a supply chain problem. It starts with suppliers where products have to be security by design and by default.
“We have a good track record with safety, but now we have to pick up security,” he said during his talk Wednesday at the 2013 Honeywell User Group (HUG) EMEA conference in Nice, France.
There are methodologies to secure industrial automation and control systems, Nye said. There is the NIST Cybersecurity Framework; there is the ISA99/IEC 62443 standard, and the ISA Security Compliance Institute.
The NIST Cybersecurity Framework is a voluntary framework to improve critical infrastructure. It can be a high level framework within your company where you can go to the executive level and talk security without having to get into the technical details. “If you start talking about things like buffer overflows you lose the executive within five minutes,” Nye said. The framework talks about risk and that is something executives can understand. What is important is how you are going to respond if the worst happens.
The ISA99/IEC 62443 standard has been in development for quite a while and has four components: General, policies and procedures, system and components. While there are subsections within those four areas, Nye said they apply to certain segments of the industry.
“What is good about having a standard is there ends up being a common terminology,” Nye said. “The standard allows everyone to talk to each other and they are on the same page.”
Standards can be intimidating at first, but after you break them down, they can become very understandable, Nye said.
“Cyber security is mainly an art. There are not enough cyber security gurus out there to secure all the critical infrastructure. What we have to do is turn an art into an engineering discipline.”
Within the standard there are areas that can make security a bit more understandable, like security zones and conduits. A zone is a grouping of logical or physical assets that share common security requirements. A Conduit is simply the connection between zones.
There is also the idea of security levels, which are somewhat similar to safety integrity levels. Security level one would simply cover an employee having an accidental or casual introduction of malware. Where security level 4 would be an attack from a nation state that could focus on an advance persistent threat.
After the user understands and implements a standard, then there is compliance and that is where the ISA Security Compliance Institute (ICSI) comes into play.
ICSI introduced ISASecure a little while ago and that is an internationally accredited conformance scheme that ensures the certification process is open, fair, credible and robust, Nye said. It provides global recognition for ISASecure conformance.
“It is important that security is thought of throughout the lifecycle,” Nye said. “Security is not like an M&M where it is hard on the outside, but soft on the inside. It has to be like a hard candy: Hard on the outside and hard on the inside.”