Posts Tagged ‘productivity’
Tuesday, April 14, 2015 @ 04:04 PM gHale
By Frank Marcus
There is no doubt the industrial Internet holds great promise for improving efficiency, productivity, and most importantly, human safety. However, the level of network connectedness required to gain these benefits makes operational systems security more essential than ever, especially in Oil and Gas and other energy sectors.
While critical infrastructure security is already recognized by regulators and compliance leads (see NERC CIP regulations), there are further opportunities to truly strengthen an industrial facility’s security posture. Here are some of the key points I shared with Oil and Gas executives at a GE conference in Florence last month. These points are the result of my experience and current role in performing security assessments across industrial facilities worldwide, from wind farms to oil rigs.
What most companies don’t realize is simply having the right view into different types of information can speed your ability to fix common problems. Think about traveling on a city’s subway system as a good analogy. Of course, you need the basic information like which stop is closest to the address you’re visiting, and what subway line goes there. However, there are additional details that could vastly change how quickly and efficiently you arrive, such as which trains are local and which are express. One might pass right by the stop you need. Yet another level of information – real-time schedule data – might tell you which lines end up affected by delays, helping you determine another way to travel altogether.
The same thing can be said of the path to secure critical infrastructure – it can be seamless and fast, as long as you have the right perspectives and information.
Along those lines, the most obvious example is companies only monitoring IT protocols, thus missing the depth and richness OT protocol visibility can provide. Indicators of compromise specific to control systems (such as unexpected control set point changes, logic updates, and administrative settings like date/time) are only available to systems capable of understanding how control systems communicate, and most importantly, with the context to interpret what those signals mean.
Many organizations have not prepared adequately for critical infrastructure and operational technology (OT) risks. It is a delicate balancing act between automating and interconnecting formerly closed systems and mitigating risks. Implementing critical infrastructure security into existing operations is essentially helping organizations to effect change – changing their People, Process and Technology to meet security requirements that were not there when the operation was originally commissioned. Companies can approach security methodically, focusing on three primary areas: visibility into their security posture; building security into workflows; and hiring and training qualified OT personnel.
To better illustrate the People, Process, Technology approach, I’ll share the type of efforts we completed for a Major Oil Producer to benchmark their security practices relative to a new international standard specific to OT Security.
General awareness training was available to various employee types, which helped the organization then appoint personnel responsible for security implementation and risk management. Why is the People component so critical?
Consider an oil spill or another kind of physical accident. Generally speaking, most employees in the Oil and Gas sector know how to successfully respond to handle such a situation. The same cannot be said about cyber security issues. Not everybody recognizes a Phishing attack email or knows how to deal with suppliers who want to use USB sticks to transfer configuration information. And even if they do, chances are things will change the next month due to new viruses or breaches.
Starting with education across a spectrum of workers will increase how quickly and how well you can handle the new information and risks prevalent across more connected industrial facilities.
A cyber incident response program helps define clear roles and responsibilities, offering personnel a robust mechanism for effectively containing threats as they occur. Today, the Major Oil Producer regularly conducts risk assessments to understand their security posture as it relates to the evolving threat landscape. In addition, a process is in place to help those newly educated employees act on what they see and monitor.
While companies think about technology in terms of what to buy, operational facilities answer another question – how to secure and manage legacy systems with long operational lifespans. The goal here is to develop technical requirements to adopt security technology compatible with their legacy equipment and process workflows. We determined how they should evaluate technology to find the right fit for their systems. In some cases, this means an upgrade is the most efficient path. But, as our subway analogy explained, with all of the assessment information at hand, sometimes the path is to supplement workstation patching with additional compensating controls for vulnerabilities in the controls equipment proper.
This company is now well down the path of establishing a “Culture of Security,” analogous to the Culture of Safety that drives the everyday behavior of those working in the field and managing physical risk. Also, the organization understands the trade-offs they need to make between securing existing operations and replacing outdated equipment with new solutions that have the ability to support modern security requirements.
New perspectives into information, and working across People, Process and Technology, have delivered an actionable framework to mitigate risks as the producer further connects to more systems, workers, and vendors.
Frank Marcus is the director of security technology at Wurldtech. He is responsible for product security architecture. He is an industrial control security analyst for brownfield and greenfield applications primarily in oil and gas, power and water, factory automation, and ICS-specific vulnerability research. Wurldtech is an independent subsidiary of GE, which acquired the company in 2014.
Tuesday, February 24, 2015 @ 03:02 PM gHale
By Nate Kube
The Industrial Internet holds so much promise for oil and gas and other energy sectors: Increased human safety, efficiency, productivity. At the same time, the network connectedness required to reap these benefits makes operational systems security more important than ever.
Imagine that while reading this, your chief executive interrupts you with an urgent question: Is your organization protected against Regen, a just-disclosed industrial controls vulnerability?
For many companies we consult with, this type of industrial cyber risk question cannot be easily answered. While their CFOs may review daily reports for IT security risks, they have nothing in place to handle the realities of critical infrastructure and operational technology (OT) risks.
Moving forward, companies will need to balance between these opposing forces. On the one hand, the desire to automate and interconnect will push for opening up systems that have been closed for decades. On the other hand, leaders will need to understand and responsibly mitigate related risks. As we have seen while performing OT security assessments and certifications worldwide, organizations need help to address several operational realities first, including:
- Visibility into security posture – Considering the massive number of controls systems and vintages of operational equipment, it’s difficult for a manufacturing plant or wind farm to see operational-specific network traffic. (This is partially what makes it impossible to respond to the chief executive’s valid question in the example above.) Adding more sensors and connected equipment will only make this situation more acute.
- Workflows – Closed off, isolated processes (such as shutting down a turbine engine) used to be the norm, but today, business and technical drivers are forcing more open workflows. Plant managers and compliance directors will need to build security into workflows, to assure commands are authenticated first, as an obvious example.
- People qualified in operational technology (OT) security – Achieving a good balance between the promise of the Industrial Internet and the operational challenges of securing it will depend on who can see the nuances of industrial security risk. IT perspectives will not suffice to address OT risks. Few companies have considered who can design and implement the steps needed to address the unique threats facing critical infrastructure. Nor have they considered who will accurately monitor dynamic threat landscapes and implement updates as attack vectors evolve.
This may seem an overwhelming set of tasks, but there is hope. A pragmatic starting point is having the vital information to make correct risk assessments. Are you looking at how your operational equipment connects and communicates, for example, or only seeing IT protocol traffic? Do the technologies, processes, and people responsible for watching that communication know how and where to look if something suspicious is detected?
Believing they have security visibility is the most common misperception I see across the energy sector. In the majority of cases, only IT risk is addressed at operational facilities today.
If you think about how we use driving information like Google or Yahoo maps, it helps to understand just how insufficient the current security posture information really is. If you are driving in a foreign city, for example, one map version might show you existing roads and interstates. Yet another map might highlight and recommend the best routes based on real-time traffic, latest road conditions, and accidents.
Which map would you rather have to plan your trip?
Similarly, many power plants and oil refineries today are relying on that first map when it comes to protecting their operations. Worse, they are unaware there could be other, more effective maps to guide them. And worse still, they believe their current information is everything they need to be secure.
Vital information is just one part of balancing the promise of the industrial Internet with risk. In follow-on columns, we will share insights from recent customer case studies to pinpoint three areas you can act upon to lead your operations securely into a more interconnected world.
Nate Kube founded Wurldtech Security Technologies in 2006 and as the company’s Chief Technology Officer, is responsible for strategic alliances, technology and thought leadership. Kube has created an extensive Intellectual Property portfolio and has filed numerous authored patents in formal test methods and critical systems protection. Wurldtech is an independent subsidiary of GE, which acquired the company in 2014.
Monday, April 28, 2014 @ 02:04 PM gHale
As cyber attacks get more sophisticated, costly and abundant, there is a continuing need to elevate security awareness to the same level as safety – ensuring not only a safe, but also a secure manufacturing environment, while increasing productivity, uptime and profitability.
While security awareness is slowly growing, it suffers from an identity crisis at manufacturing facilities across the globe. Big, small or anything in between, there is a general lack of understanding for security best practices.
Just look at some of the facts: Reported cyber attacks have grown by 600 percent since 2010. 600 percent. On top of that, the industry is losing around $400 billion a year in cyber attacks. There is no doubt cyber attacks are the most common and most costly attacks in industrial control systems.
It is easy to get lost in the enormity of a security solution, but it doesn’t have to be that way. Yes, there are answers and it starts with technology. But technology ends up being a solid tool. In the end, people wield the power. That means security culture must be on a par with safety to effectively protect against cyber attacks.
Join Honeywell Process Solutions’ Director of Cyber Security Solutions and Technology, Eric Knapp and ISSSource May 15 at 2 p.m. eastern time for a webinar that focuses on how to get security awareness on the same level as safety.
In the webcast we will discuss:
• Quickly Evolving Needs of Security Compared to Safety
• Proactive Security Approach
• Driving Awareness and Implementation of Security Measures
• Standards and Government Legislation is Slow in Development
Register here for Security Awareness: A Matter of Safety.
Wednesday, December 5, 2012 @ 07:12 PM gHale
Editor’s Note: This is an excerpt from the Practical SCADA Security blog at Tofino Security.
By Eric Byres
Industry needs to quickly come to terms with the bring your own device (BYOD) trend if we are ever going to make our plant floors secure.
Let’s start with mobile devices, especially personal mobile devices, showing up on the plant floor. Never going to happen you say? Don’t be so sure.
First, a definition. The topic of personal mobile devices is referred to in the corporate IT world as “Bring Your Own Device” or BYOD. If you haven’t heard of BYOD, Wikipedia defines it as: “Bring your own device (BYOD) is a business policy of employees bringing personally owned mobile devices to their place of work and using those devices to access privileged company resources.”
A common example is using your personal iPhone to access your company’s email system. And as I will explain later, the iPhone is only the tip of the iceberg. The whole BYOD phenomenon is a major concern throughout the corporate world.
An iceberg is a good metaphor for the onslaught of this technology. When dealing with an iceberg, pushing against it or ignoring it generally aren’t effective options. It is bigger than you are and will go where it wants. The best you can do is to try to manage it.
Most IT departments are beginning to accept the inevitability of BYOD. According to one study, the majority of companies surveyed said they are now adapting their IT infrastructure to accommodate employees’ personal devices, rather than restricting employee use of personal devices.
What about the plant floor? Will tablets soon be standard equipment in the refinery? Or will they be banned from moving outside the corporate office?
When engineers are asked to identify their unfulfilled industrial networking desires, the number 1 item is: “Connecting to the factory with a smart phone”.
I have discussed in the past that in any war between security and productivity, security will lose. The situation is no different here. Smart phones are coming to the plant floor. The only question is “Will we adapt to this new world in a secure way or will it be another source of insecurity”?
One option for the mobile device question is to just ban them outright. There are cases when this might be appropriate (explosive environments for example), but generally outright bans rarely work the way people want them to. One of the reasons is we have a tendency to see technology only in terms of what is available today or what is popular. This results in narrow definitions of a specific technology that lets other technologies slip through. For example, an iPhone is clearly a mobile device, but what about a personal USB keyboard or mouse that an employee brings in, perhaps for health reasons?
Sometimes a “mobile device” isn’t even a device at all. Consider a CD that contains a Stuxnet-infected S7 ladder logic file. Or an automated forklift that moves from site to site. At the extreme end, many people know we have been working with Boeing for the past few years – they have large mobile devices called 787s. What is important to remember is mobile devices can range from a CD with what appears to be an innocent document file, to the obvious iPhone, right up to entire mobile platforms.
The only way to address this range of evolving “mobile” technology is to use the Zone and Conduit concepts promoted in the ISA/IEC 62443 standards. Properly done, zone and conduit security can result in operational requirements that define a security process, rather than proscriptive requirements like “Mobile Devices should not be used on the plant floor.” Restricting devices seems simple and comforting, but since this is so narrow, restrictive and inflexible, it encourages inventive staff to find ways around the rules so they can do their job.
Recently I talked to a customer with a very innovative way to manage Wi-Fi-capable mobile devices on his factory floor. Instead of banning wireless technologies (something that is hard to enforce if you have a lot of contractors), he actually installed Wi-Fi access points throughout the manufacturing areas. Then he routed all the access points into a “Captive Portal” – one of those locked down web pages you run into in hotels and airports.
This Captive Portal strategy had multiple benefits – first he immediately had a record of who was trying to use Wi-Fi in his factory. Second, by forcing all employees and contractors to log in, he could track exactly what they were doing and when. Then, based on each user’s log-in credentials, he could restrict network access to specific systems in his factory. For example, a contractor working on the Finishing Line could be restricted to only seeing the Finishing Line PLCs. And finally, by using deep packet inspection, he could force the contractors into a view-only mode by blocking all PLC write and programming commands.
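One way the per-user restriction and view-only enforcement described above could be expressed, as an added example that is not from the original post or the customer's system. It assumes the PLCs speak Modbus/TCP; the session names, PLC addresses and sample frames are constructed for illustration.

```python
import struct
from dataclasses import dataclass

# Modbus function codes that only read process data. Everything else is
# treated as state-changing, so writes and vendor-specific programming
# functions are denied by default for view-only sessions.
READ_ONLY_FUNCTIONS = {0x01, 0x02, 0x03, 0x04}

FUNCTION_NAMES = {
    0x01: "Read Coils",
    0x02: "Read Discrete Inputs",
    0x03: "Read Holding Registers",
    0x04: "Read Input Registers",
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
}


@dataclass(frozen=True)
class PortalSession:
    """What the captive portal knows about a logged-in user (hypothetical model)."""
    user: str
    allowed_plcs: frozenset  # PLC addresses this login may reach
    view_only: bool          # True: block anything that is not a read


def parse_function_code(payload: bytes):
    """Return the Modbus function code, or None if the frame is malformed."""
    if len(payload) < 8:  # 7-byte MBAP header + 1-byte function code
        return None
    _tid, proto_id, length, _unit = struct.unpack(">HHHB", payload[:7])
    # Protocol id is 0 for Modbus; length counts the unit id plus the PDU.
    if proto_id != 0 or length != len(payload) - 6:
        return None
    return payload[7]


def inspect(session: PortalSession, plc_ip: str, payload: bytes):
    """Return (allowed, reason) for one request from a portal session."""
    if plc_ip not in session.allowed_plcs:
        return False, f"{session.user}: {plc_ip} is outside the permitted zone"
    fc = parse_function_code(payload)
    if fc is None:
        return False, f"{session.user}: malformed Modbus/TCP frame"
    name = FUNCTION_NAMES.get(fc, f"unlisted function 0x{fc:02X}")
    if session.view_only and fc not in READ_ONLY_FUNCTIONS:
        return False, f"{session.user}: {name} blocked (view-only session)"
    return True, f"{session.user}: {name} allowed"


# Constructed sessions: a contractor limited to one Finishing Line PLC,
# and a plant engineer who may also write to it.
FINISHING_PLC = "10.20.30.11"
OTHER_LINE_PLC = "10.20.40.5"
CONTRACTOR = PortalSession("contractor-a", frozenset({FINISHING_PLC}), True)
ENGINEER = PortalSession("engineer-b", frozenset({FINISHING_PLC}), False)

# Constructed frames: MBAP header (tid, proto, length, unit) followed by the PDU.
READ_REQ = struct.pack(">HHHBBHH", 1, 0, 6, 1, 0x03, 0, 10)
WRITE_REQ = struct.pack(">HHHBBHH", 2, 0, 6, 1, 0x06, 100, 1234)
UNLISTED_REQ = struct.pack(">HHHBB", 3, 0, 2, 1, 0x5A)
TRUNCATED = b"\x00\x04\x00\x00"

if __name__ == "__main__":
    for session, ip, frame in [
        (CONTRACTOR, FINISHING_PLC, READ_REQ),
        (CONTRACTOR, FINISHING_PLC, WRITE_REQ),
        (CONTRACTOR, OTHER_LINE_PLC, READ_REQ),
        (CONTRACTOR, FINISHING_PLC, UNLISTED_REQ),
        (CONTRACTOR, FINISHING_PLC, TRUNCATED),
        (ENGINEER, FINISHING_PLC, WRITE_REQ),
    ]:
        print(inspect(session, ip, frame))
```

Every denied request is also a log entry tied to a login, which is the record of who tried what that the portal provides.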
Information technologies are changing constantly. Trying to manage them with proscriptive rules is a hopeless task, because we can never keep up. Instead we need to work from general principles. For example, the definition of mobile device can expand from specific technologies (such as cell phones) to a definition based on their general functionality. For example, one proposed definition is “non-fixed location digital information storage or processing devices”. That covers basically anything that can contain an electronic 1 or a 0 and isn’t bolted down.
Once we have our definitions set, we can move onto determining what actions we want to manage. The example with the captive portal showed how all Wi-Fi devices (rather than subsets like laptop or iPad) can be managed in a uniform manner. If we stick to those principles, I believe we can have mobile devices and security at the same time.
Eric Byres is vice president and chief technology officer at Tofino Security. Click here to read the full version of the Practical SCADA Security blog and to download the white paper.
Tuesday, August 28, 2012 @ 12:08 PM gHale
Vital New Approach to a Defense in Depth Security Program
By Gregory Hale
It wasn’t that long ago deep within eastern Tennessee’s Anderson and Roane counties, the Department of Energy’s Oak Ridge National Laboratory (ORNL) fell victim to a hack attack where several megabytes of data ended up stolen.
That 2011 attack started when multiple Lab employees clicked on a link in a phishing email disguised to look like benefits information from the human resources department. Hackers were aware of a Zero Day vulnerability in the Lab’s Internet Explorer browser software and they knew just how to take advantage of it.
Lab workers became aware of the intrusion on April 11 and that started them on a frenetic hunt to find a way to stop the attack. By April 15, Lab management came to the ultimate decision: Unplug the Internet. No connection in or out. The attack stopped; so did any hope of using the Internet for the next two weeks.
Work continued at the lab — home to nuclear, chemical and biotechnology research centers — but any kind of communication or interaction or connection to outside sources was gone. Productivity was lost for a two-week period.
To win and gain an advantage today, manufacturing and process businesses must adapt quickly to change. Time to make decisions and take action is more compact. That makes timely distribution of reliable information vital. In today’s business climate, data needs to go out to operations, engineering and management in the proper context. That all means manufacturers must increase accessibility to the system and, while exchanging business and process information is necessary, it does open the door to intrusions.
That is why a solid defense in depth security program is essential for manufacturers, including antivirus, blacklisting, firewalls and whitelisting to name a few. Security ends up being a process of working with and creating continuously-evolving strategies to fend off attackers, who always find new ways to steal information, data, money or whatever they can get their digital hands on.
Whitelisting to Rescue
One of the newer ways to fend off would-be attackers is to create an application whitelisting program.
The goal of application whitelisting for an industrial control system is to prevent unauthorized applications from running, enforce a list of approved applications, include an administration tool that allows for adjustment to the whitelist, and monitor and report attempts to violate the policy.
“If you look at the basic premise of application whitelisting, it is turning patching upside down,” said Rick Kaun, global business manager Industrial IT Solutions at Honeywell Process Solutions. “I use the analogy of being in a night club. As long as you don’t cause trouble, you are allowed in. That means the bad guys can get in and you don’t find out about it until they are causing trouble. Once I know about you, I put a picture of you at the front door and the bouncer does not let you in next time. That is what antivirus is. Whitelisting is the other. Three couples come to your house for dinner. It is a very expected list. You know what to do.”
Antivirus used to be a great tool that could stop an attack cold. Antivirus’s, or blacklisting’s, stated goal is to keep all the bad players out of the system by defining a list of file formats the antivirus mechanism does not allow. Plug in the software and watch it do its magic. Antivirus these days is a staple for a security solution, but it cannot work alone any more. With new versions of malware hitting the cyber street every day, antivirus just can’t keep up. New variants pop up that can totally evade any detection.
Just in the first quarter this year alone, malware had its biggest increase in more than four years, according to a report from security software provider, McAfee. The number of samples taken was at 83 million, according to McAfee’s quarterly security report. Fake antivirus programs declined in popularity, but software with faked security signatures, rootkits and password-stealing Trojans rose. McAfee counted 200,000 new examples of password-stealing Trojan horses. That is in just one quarter.
As a part of a defense in depth posture, manufacturers need whitelisting to play off antivirus.
“They have to work together,” said Mike Baldi, chief cyber security architect for Honeywell Process Solutions. “Our recommendation for industrial control systems is for them to work together. The technologies are not designed to know about each other so they need to be configured to work together otherwise they can conflict. We have seen that scenario. We do feel it is the best protection for a system to have antivirus and whitelisting installed.”
“I don’t think anyone can just stand up with just one,” Kaun said. “A lot of people are standing up with just blacklisting today because whitelisting is such a challenge, but you really shouldn’t put all your eggs in one basket.”
The two technologies need to work together to act as a backup or there could be a problem.
“I can give an example of how they couldn’t work together,” Baldi said. “Both technologies intercept system operations when you open a file. If you have two applications trying to open the same file at the same time, you can get into system contention problems and they could actually cause one or the other applications to fail. For example, whitelisting runs at the kernel mode so it could block antivirus from doing its job. Antivirus could encounter errors because whitelisting was using a file as it was being opened. So, the two applications have to be aware of each other. There is also some scanning that is done by antivirus that needs to be accounted for and whitelisting needs to allow that.”
Thinking whitelisting was complex has always been one of the issues behind why manufacturers shied away from implementing a program.
“When it comes to process control, I think whitelisting is very well-suited and incredibly challenging,” Kaun said. “The reason why it is incredibly challenging is we are talking legacy control systems. Putting tools in there and locking things down, especially when there are people that don’t understand what their equipment does, if you are using dynamic port ranges for example, how do we actually capture that? That is the challenge.”
One benefit, though, is the process control environment is relatively static when it comes to software programs. Software is not constantly changing.
“I think the wonderfully beneficial advantage is the environment does not change a lot, so when we get it right, the need to continually tweak that allowed list is a lot less than it would be in a dynamic corporate environment,” Kaun said. “I think on the one hand it is very well-suited because we don’t change a lot, but it is challenging because we have some interesting legacy stuff out there.”
“I can give you a good example of how whitelisting would or would not protect a system,” Baldi said. “A common mode of attack is to replace one of your system files with a version that has malware embedded in it and when you run that utility you also enable the malware which does damage to your system. For instance they could replace the notepad system and when you run notepad you are actually enabling the malware. That kind of attack will be prevented in whitelisting because with your system whitelisted it will not allow a different version of notepad to run.”
The catch, Baldi said, is if the allowed software has a vulnerability embedded in it.
“If there is a Zero Day vulnerability in the existing version that you have whitelisted of notepad on your system, whitelisting will allow that version to run and the attackers can take advantage of that vulnerability,” he said. “Only the version you have whitelisted will run, but if you whitelisted a Zero Day vulnerability, whitelisting will not protect you against that.”
“That is why you need hand-in-hand antivirus and whitelisting,” said Shawn Gold, global solutions leader, industrial IT solutions at Honeywell Process Solutions. “The antivirus should pick up that version of notepad that has a virus in it.”
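The notepad scenario above, as an added example that is not Honeywell's product or code from the article: a minimal hash-based allowlist for one node that approves a file, blocks a replaced copy, records the violation, and keeps blocking a legitimate update until the list is adjusted. The file contents and labels are constructed, and SHA-256 content hashing is an assumption about how files are identified.

```python
import hashlib
import os
import tempfile


class AllowlistPolicy:
    """Hash-based application allowlist for a single node (constructed example)."""

    def __init__(self):
        self._approved = {}   # sha256 hex digest -> label given at approval time
        self.violations = []  # (path, digest) for every blocked launch attempt

    @staticmethod
    def digest(path):
        """SHA-256 of the file contents, read in chunks."""
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        return h.hexdigest()

    def approve(self, path, label):
        """Administration step: add the file's current contents to the list."""
        d = self.digest(path)
        self._approved[d] = label
        return d

    def may_execute(self, path):
        """Enforcement step: allow only files whose contents were approved."""
        d = self.digest(path)
        if d in self._approved:
            return True
        # Monitoring step: keep a record of the attempt for reporting.
        self.violations.append((path, d))
        return False


def _write(path, data):
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Walk one file through approval, replacement and a legitimate update."""
    policy = AllowlistPolicy()
    results = {}
    with tempfile.TemporaryDirectory() as d:
        notepad = os.path.join(d, "notepad.exe")

        # Approved build. The policy identifies content, not safety: if this
        # build carried an unknown flaw it would still be allowed to run.
        _write(notepad, b"constructed notepad build 1")
        policy.approve(notepad, "notepad build 1")
        results["approved_build"] = policy.may_execute(notepad)

        # Same path, different contents: the replaced utility is blocked.
        _write(notepad, b"constructed notepad build 1 with embedded malware")
        results["replaced_build"] = policy.may_execute(notepad)

        # A legitimate update is blocked too until the list is adjusted.
        _write(notepad, b"constructed notepad build 2")
        results["update_before_approval"] = policy.may_execute(notepad)
        policy.approve(notepad, "notepad build 2")
        results["update_after_approval"] = policy.may_execute(notepad)

    results["violations"] = len(policy.violations)
    return results


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(step, outcome)
```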
With the traditional security software on a system, end users often fret over adding any more software, fearing it will slow down the process.
But that often ends up not being a problem.
“That is always one of the biggest concerns we have,” Gold said. “From anything we add to a process control system, where some IT folks may not be as concerned about the loading on a system, we are paranoid. We have very strict rules on how much load a system can have.”
“From a technical side we are extremely concerned about any changes in the load to our systems because it can impact performance in an upset condition when we need the most horsepower,” Baldi said. “Because of that, we have done some exhaustive testing on our largest systems and we have found some scenarios where whitelisting had a significant impact on operations because of the way the operations worked with the file system. We were able to very quickly — once we have tested them and discovered them — tune the whitelisting so it didn’t impact those areas.”
“If properly tuned and managed for your systems, it can have a negligible impact,” Gold said. “But you have to take that due care and attention.”
For an industrial control system, whitelisting does not run at the network level, but rather on every individual node you install it on. So every PC running either a Windows or Linux operating system can have whitelisting running on it. The installation on that node protects only that node.
That means for users to get the most benefit out of whitelisting, they need to understand their system and know what is running on it.
“You should be reviewing your cyber security vulnerability and attack vectors on your system on a somewhat regular basis,” Gold said. “When it comes to whitelisting, if you install an update to your system, you will have to update your whitelist as a part of the ongoing maintenance. It depends on how frequently you upgrade your systems. If you are going to install software upgrades once a year, you should be updating your whitelisting as well.”
“The conclusion is whitelisting has to be tightly integrated into your process control solutions,” Baldi said. “If it is tightly integrated it is not an issue, it is not something a casual user will go and pull a whitelist solution off the shelf put it on the system and expect it to work seamlessly, there is a definite tight integration needed there.”
That integration will enable the manufacturer to do what they do best: Make product. As a part of an integrated security package, it will also help keep systems running, which increases productivity and profitability. But whitelisting is not the Lone Ranger; it will need to work in conjunction with other programs and solutions and that will increase a defense in depth posture so attackers can’t get in and steal important information.
“White listing should never be considered a silver bullet,” Gold said. “It’s not a replacement for a customer that has other things like blacklisting/antivirus or what other tools they may have. It is something they should be considering in addition to what they currently have. It does buy them some additional benefits in addition to the added security it does provide.”
Gregory Hale is the Editor and Founder of Industrial Safety and Security Source (ISSSource.com).
Tuesday, August 28, 2012 @ 12:08 PM gHale
Application Whitelisting can Toughen Up Weakest Link
By Gregory Hale
IT folks were happy at one major U.S. manufacturer a few years ago as they were installing state of the art security technology. “This is the best move for the organization to keep free and clear from any miscreant bug or viruses launched into the network,” they were saying at the time. Just as they neared the end, the crew worked over the weekend to iron out all kinks so they could have it ready first thing Monday morning.
When Monday came, the long-time process control engineering team came in and promptly turned off all the new security measures because it was too different and not the way they always did things.
It seems a hacker element left a bunch of malware-riddled USB sticks in a parking lot at Dutch chemical giant DSM. Instead of plugging the discarded drives into a workstation, which would have infected the machine, a DSM worker who found one of the devices handed it in to the IT department.
The IT workers did a quick check and found an unspecified password-stealing keylogger.
Technologies like antivirus, firewalls and whitelisting, are vital to helping secure any manufacturing automation system, but the human factor is the key ingredient to shepherd any process to ensure continued uptime that will hike productivity and profitability. The catch is though, everyone needs to be on the same security page.
“The gray beards are saying ‘unplug it, we don’t need it, who cares. I have been running this plant for 30 years,’ ” said Rick Kaun, global business manager Industrial IT Solutions at Honeywell Process Solutions. “That just isn’t realistic given the business needs for data.”
Arms Around Information Flow
Information, and information flow, is more valuable than ever to organizations. Despite its importance, companies don’t really understand how to effectively manage this valuable resource. An estimated 49 percent of the worth of organizations derives from the information they own, according to the “State of Information Survey” from Symantec Corp.
When asked what would happen if their organization’s information were irrevocably lost with no chance of recovery, survey respondents said they would lose customers (49 percent), damage the brand (47 percent), decrease revenue (41 percent), increase expenses (39 percent) and suffer a tumbling stock price (20 percent).
Protecting against stolen data, information, intellectual property, business market plans, and even money is becoming more complicated and sophisticated. That is why a solid defense in depth strategy for manufacturers, including application whitelisting, is more important than ever.
Complexity, or perceived complexity, of technology is an automatic turn off for users. That has been the problem in the past with whitelisting, but this technology is much too valuable to dismiss with a mere perception. Whitelisting, unlike other security programs, can actually be an application where you put it on the system and forget about it. Just maintain it when you do a security assessment.
The goal of application whitelisting for an industrial control system is to prevent unauthorized applications from running, enforce a list of approved applications, include an administration tool that allows for adjustment to the whitelist, and monitor and report attempts to violate the policy.
“I think whitelisting further enhances the value of a skill set that has the knowledge of process control and IT,” Kaun said.
The initial pushback against whitelisting always seems to fall along the lines of complexity and restrictiveness. But in reality, a manufacturer can make the program as restrictive as it wants and building it can be as easy as following directions.
“You have to build a list,” said Shawn Gold, global solutions leader, industrial IT solutions at Honeywell Process Solutions. “There are tools that come with the whitelisting that has some installation scripts, but you have to build a list of things that are allowed.”
“Basic whitelisting provides protection by creating a list of known good executables that can run on your systems,” said Mike Baldi, chief cyber security architect for Honeywell Process Solutions. “All the application whitelisting systems available provide that functionality, but there are additional features. For example you can choose to protect areas of your registry if you want. You can choose to lock down your USB devices. You can enter rules for the whitelisting to protect against certain memory type attacks. These are above and beyond the basic white listing protection. Everything you configure in the system has a risk that you may lock down some normal operation that is needed to run the system. So you have basic whitelisting that can be restrictive to a certain point or you can continue to lock down the system extremely tight with whitelisting, but you have to be very careful to understand the consequences of locking it down.”
With a slowly recovering economy, the need to keep producing more product these days at a lower cost point is at a premium. That means any unplanned downtime could be devastating to any manufacturer’s bottom line. That is why companies need to avoid dreaded downtime and work with multiple layers of defense and constant user education.
The problem is end users tend to be the most common and hard-to-remediate weak point, and even security researchers struggle to address the problem. “You can’t patch users,” said Greg Conti, associate professor of computer science at West Point, in the Georgia Tech Information Security Center and Georgia Tech Research Institute’s “Georgia Tech Emerging Cyber Threats Report for 2012.” “And there’s always a human being somewhere behind the security technology.”
One source in that study agreed with Conti. “People are always the most vulnerable part of the IT infrastructure,” he said. “We have so many security layers and defenses, from separating physical control systems from the standard business network, to DMZs, to limiting network protocols that communicate with physical systems, and securing all the primary UIs to the Internet. At the end of the day, there’s a person on the end of all that security that can make decisions that will have an impact.”
Installing application whitelisting presents an upfront learning curve for users, but it is one that can be worth the time and effort.
“Our customers are learning really quickly,” Gold said. “I think the majority expect whitelisting to be more all encompassing and reduce the level of management significantly. It will help, but you have to really be careful about it. The maturity of our customers is increasing, but I do think there are a lot of misconceptions still.”
“The hype about whitelisting is high,” Baldi said. “There has been a lot of publicity. The understanding at the technical level at how involved it is and how tightly it has to be interlaced with your system isn’t there. They hear words that this wonderful technology is available and it is going to increase your security protection, but there hasn’t been a lot of activity so far in applying whitelisting so there is not a lot of practical knowledge with that.”
Fear of complexity is one issue, but there is another Kaun feels has a strong human factor involved.
“It is apathy,” Kaun said. “I think the big vendors last year came up with 4,000 viruses or threats, but internally we came up with about 15,000 threats out there. Your least informed employees are your single biggest threat, so you can have all the technologies in the world, but if someone is holding the door open or handing out passwords then you have a problem.”
“I read one study that said 50 or 60 percent of people on the street said they would give over their favorite password for a free chocolate bar. It’s not whether we have application whitelisting or not; whether we have intrusion detection or not; whether we have a full robust program; whether we have point solutions, it is apathy.”
Users need a solid technology base and a good plan that everyone knows, Kaun said.
“The source of the threat is not as important as when it gets here, and some day it will in some shape or form. How equipped are we to weather that storm, that is the real risk. If you see it as you want to spend how many dollars to make sure al-Qaeda doesn’t hack us, your problem there isn’t budget, it is education and awareness.”
Who takes responsibility and what should a user do often becomes an issue at a plant. Should it be IT, or should the process engineering team take control? At the end of the day, it often becomes an all hands on deck effort.
“Manufacturers are using every tool available to them,” Gold said. “Every combination exists; from the IT group being responsible, to the IT group embedding a person within the process control group, to the process control group being totally responsible and not having anything to do with the IT group.”
“The worst situation is where no one does anything, which is more common than one would expect. Then there is the thinking that we don’t have to do much because we are locking things down with an air gap. Even when air gaps are used in combination with locking down USB ports and not allowing vendors with their laptops to connect to their system, they are missing the critical point on how to mitigate or manage a virus when a path in is eventually compromised. There are various levels of preparedness.”
Patch management is one more way whitelisting can help users overcome some threat issues.
“Whitelisting can reduce the need to patch, but it will not eliminate the need to patch. It is protecting you from certain vulnerabilities until the opportunity comes to apply the patches,” Baldi said. “It is a tremendous potential benefit as long as the limits of that benefit are realized. There are combinations of technologies and benefits that we call defense in depth that together can significantly reduce the need to patch. What I mean by that is they can allow you to run with known vulnerabilities in your system longer until you can schedule maintenance time to do your patches. That would be your antivirus software, your whitelisting software and a third technology called virtual patching, which is basically intrusion protection from the network out. Those three technologies together can significantly reduce your need to patch and allow you to better manage your patch cycles.”
“A lot of people in the plant environment think along the lines of you set it and forget it,” Kaun said. “Part of the value of whitelisting is it works on that premise. The flip side is when you go to change something, how do we manage that so we don’t turn the whitelisting off? The problem is if anything changes it becomes completely useless. That is the challenge when we apply patches we have to make sure the scrutiny has to be much greater so we don’t break our application whitelisting. So, a very detailed technical analysis and a more thorough change management needs to take place.”
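The lifecycle described above (build a list of known-good executables, block and report anything not on it, and re-approve files after a patch so the list does not break), shown as an added example that is not from the article or from any vendor product. It assumes SHA-256 file hashes as the match rule; the file names and change ID are constructed.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allowlist(root: Path) -> dict:
    """Baseline a known-good system: relative path -> SHA-256."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def check(root: Path, rel: str, allowlist: dict) -> str:
    """Decision an enforcing agent would make before letting a file run."""
    expected = allowlist.get(rel)
    if expected is None:
        return "DENY:not-listed"        # never approved (e.g. came in on USB)
    if sha256_file(root / rel) != expected:
        return "DENY:hash-mismatch"     # approved name, different content
    return "ALLOW"


def audit(root: Path, allowlist: dict) -> list:
    """Monitor-and-report step: list every file that would be blocked."""
    report = []
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = str(p.relative_to(root))
            verdict = check(root, rel, allowlist)
            if verdict != "ALLOW":
                report.append((rel, verdict))
    return report


def approve_change(root: Path, rel: str, allowlist: dict, change_id: str):
    """Administration step: re-baseline ONE file under a change record,
    instead of switching enforcement off while patching."""
    updated = dict(allowlist)
    updated[rel] = sha256_file(root / rel)
    record = {"file": rel, "change_id": change_id, "sha256": updated[rel]}
    return updated, record


def demo() -> dict:
    # All files below are constructed sample data, not real binaries.
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "hmi.exe").write_bytes(b"hmi v1.0")
        (root / "historian.exe").write_bytes(b"historian v3.2")
        allowlist = build_allowlist(root)
        baseline_clean = audit(root, allowlist)

        (root / "setup_from_usb.exe").write_bytes(b"unknown")  # unapproved
        (root / "hmi.exe").write_bytes(b"hmi v1.1 patched")    # vendor patch
        after_changes = audit(root, allowlist)

        allowlist, record = approve_change(
            root, "hmi.exe", allowlist, "CHG-EXAMPLE-001")
        after_approval = audit(root, allowlist)
        return {"baseline_clean": baseline_clean,
                "after_changes": after_changes,
                "change_record": record,
                "after_approval": after_approval}


if __name__ == "__main__":
    for step, result in demo().items():
        print(step, result)
```

The patched `hmi.exe` is blocked until it is re-approved, which is why patching has to go through change management rather than around the allowlist.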
Application whitelisting all comes down to helping eliminate human error so manufacturers can keep their system up and running during a time when sophisticated attacks are on the rise.
“It is about safe reliable expected operation,” Kaun said. “Am I concerned? I am concerned because there is more risk and the clients we serve are increasingly under pressure and hitting downtime.”
“We need to not worry about the noise and just get down to work.”
Tuesday, June 26, 2012 @ 01:06 PM gHale
By Gregory Hale
In these days of resource challenges, productivity will be the answer on how to get manufacturers to the next level of strong profitability.
“That is one of the most important topics in the business world today,” said Raj Batra, president of Siemens Industry Automation Division during his keynote address today at the 2012 Siemens Automation Summit in Washington, DC.
Contrary to public opinion, manufacturing in the United States grew last year by 4.3 percent and should grow by 5.2 percent this year, Batra said. While that is not a huge number, it is a positive sign the economy is coming out of its deep slump and is moving forward.
One of the reasons for the growth is a concept called reshoring, where manufacturers are not farming out manufacturing to a less costly manufacturing center, but rather bringing manufacturing closer to where they will sell the product.
A few of the reasons for this are the energy costs involved in shipping the product across the globe and also the rise in wages in the manufacturing countries, Batra said.
Also, because manufacturing is more strategic to enterprises, companies are now spending more on innovation. “Manufacturing represents 11% of U.S. GDP but accounts for 70 percent of R&D,” Batra said, citing industry research.
Yet another issue confronting manufacturers is the hunt for resources. Finding oil, water, natural gas, and minerals is not as easy as it used to be, so it costs more to cull them from the earth.
“We are feeling the resource crunch,” Batra said. “There has been a 100 percent increase to bring oil wells online in the past decade. The next 20 years are going to be different.”
What is the answer? Batra said productivity.
If a company can increase its productivity, it can reap more in profitability. Areas to do that include increasing energy efficiency, increasing the efficiency of municipal water operations, and increasing the use of renewable energy.
Increasing productivity is something the industry has talked about for years, and it is really moving in that direction, but that is just one aspect a manufacturer can look at for future growth.
Another area for a manufacturer to understand is what the plant will look like in years to come. That is where Yiannis Dimitratos comes in.
The head of the Corporate Center of Competency in Automation & Process Control in Engineering and Operations for DuPont said during his keynote that manufacturing plants will look quite a bit different in the coming years than they have in the past.
He said it is all about process operability. “That is the key to making desired products in order and on time and to defined quality in a safe, secure and environmentally acceptable way,” Dimitratos said. “The plant of the future will be a totally different place. It will be a smart plant.”
The idea of a virtual plant working within the real plant is coming closer to reality, he said.
“Virtualization can help improve the plant where you are not testing on the real plant, but instead are validating and testing before going live,” Dimitratos said.
Wednesday, April 18, 2012 @ 02:04 PM gHale
By Gregory Hale
A successful safety profile is all about making quality risk assessments and the new ISO machine safety standard that is making the old EN 954-1 standard obsolete does that by increasing a manufacturer’s performance level.
“The standard provides a quantitative approach to risk assessment and safety validation,” said John D’Silva, marketing manager safety at Siemens during a webinar entitled “Transitioning to ISO 13849-1: Changes Required and Helpful Tools.”
“This makes sure that safety is not solely a matter of component reliability, but also relies on common-sense safety principles such as redundancy, diversity and fail-safe behavior. Under this standard, the risk assessment for a given safety function will yield a performance level, this helps eliminate both over- and under-engineering, a costly or risky result of EN 954-1’s limitations.”
“The new standard accommodates the advances in technologies and that is the main advantage,” D’Silva said. “Further it corrects deficiencies in EN 954-1.”
ISO 13849-1 Safety of machinery: Safety-related parts of control systems (SRP/CS) provides safety requirements and guidance on the principles for the design and integration of safety for control systems, including the design of software.
It specifies characteristics that include the performance level necessary to carry out safety functions. It applies to SRP/CS regardless of the type of technology and energy in place, whether electrical, hydraulic, pneumatic, mechanical, or others, and for all kinds of machinery.
The new standard addresses the dramatic changes in technology the older standard (EN 954-1) was incapable of handling, in particular, determining the safety of programmable products.
D’Silva, an integrated safety expert at Siemens, gave an outline on software-based tools that assist in achieving compliance to the standards. The tools are SISTEMA (Safety Integrity Software Tool for the Evaluation of Machine Applications) and SET (Safety Evaluation Tool).
The SISTEMA software utility provides developers and testers of safety-related machine controls with comprehensive support in the evaluation of safety via ISO 13849-1. It enables one to model the structure of the safety-related control components based upon the designated architectures, thereby permitting automated calculation of the reliability values with various levels of detail, including the Performance Level (PL). The SISTEMA program is now available.
SET for the IEC 62061 and ISO 13849-1 standards is a TÜV-tested online tool that supports the fast and reliable assessment of your machines’ safety functions. One can realize a standard-compliant report that serves as documentation as a proof of safety.
Safety is becoming even more important today than ever before and the new standard will help users move toward the main functions of safety and that is to protect workers, property and the surrounding area. In addition, there are the needs to reduce cost pressures and maintain productivity. With the push toward globalization, there is an increased need for production and one of the ways to meet that need is to lose the old way of doing things and integrate safety.
It is simple: reducing risk means systems remain running, which means a higher level of productivity and increased profitability. While that sounds simple, getting from Point A to Point B is often fraught with challenges.
The new standard is one area that can help eliminate those challenges.
Key changes incorporated into EN ISO 13849-1 to address deficiencies in the previous standard and accommodate new technologies:
• Addresses the programmable electronic safety devices used increasingly in modern machines.
• Accommodates new technologies now commonly used in safety systems.
• Provides a quantitative approach to risk assessment and safety validation.
• PLs quantify the required and achieved level of safety in probabilistic terms.
• Defines measures for diagnostic capability and common cause failures.
• Increases customer confidence in safety and integrity of their product.
Tuesday, November 15, 2011 @ 03:11 PM gHale
By Gregory Hale
Talking about the theory of safety and productivity working in unison is a nice lecture for a college professor to give in engineering school. It is very useful, but seeing it work in real time often seems like a pipe dream.
Not anymore. Manufacturers are truly seeing the light and understanding the two concepts are able to work together to not only ensure a safe work environment, but also bump up productivity. Three companies that truly get it gave presentations during Tuesday’s Rockwell Automation Fair 2011’s Safety Automation Forum in Chicago.
PepsiCo, GM and L’Oreal talked about various forms of implementing a safety culture in a real life scenario.
“It is possible to go five years or so without injuries at your plant,” said Tommy Short, health and safety manager at L’Oreal during his presentation. “Yes, it is possible, but you have to believe.”
That is where the issue lies: people have to believe and buy into a true safety culture. “Safety is a lot of work and it takes a lot of energy from everybody involved,” Short said.
“I hear safety is the number one priority at our company,” said Craig Torrance, global senior manager of health, safety and well being operations at PepsiCo. “I don’t agree, I feel it should be a value. It should be something we just do.”
Short talked about three areas in the safety culture spectrum: Dependent safety culture, independent safety culture and interdependent safety culture.
Dependent is more restrictive, doing things people are told, following rules and regulations to the letter. Independent, he said, allows for personal values, and good practices and habits. Interdependent allows for a caring culture where people work well with one another; more of a true communication environment.
He showed a chart that proved the interdependent safety culture that had true worker participation had the lowest rate of safety incidents.
He talked about an employee program at L’Oreal where there was participation and a reporting system. This was not about getting other workers in trouble, but rather, ensuring there was a safe work environment. This means the culture at the company was able to change and be more active because workers were looking out for one another.
“True ownership comes from employees,” Short said. “You really need to focus on what matters and make sure everyone is actively engaged. Actively engaged employees will reduce safety issues.”
Torrance agrees, but his issues were all about implementing a safety program across a truly global enterprise. With over 800 manufacturing plants located around the world, implementing any kind of plan can be very difficult to say the least.
In a decentralized, autonomous, innovative and fast-paced corporation, it is difficult to get everyone thinking on the same page.
“That environment makes it very difficult to implement any kind of standardized safety program,” Torrance said.
He said it is difficult to have people buy into anything about safety until you start buying safety related items.
“Once you start spending dollars on safety, that had a huge impact on the culture,” Torrance said. “We actually had operators say to us, ‘you are actually serious about this.’”
Torrance talked about a 10-year machine safety program he launched this year. Before he could really get it going he knew the most important factor he had to work with was getting true executive level buy in from the beginning. He then sought out the various chief executives and business heads for all the units within PepsiCo. He was able to achieve the buy in, but that endeavor took him nine months.
“Without leadership buy in, you can’t implement a global safety program,” Torrance said. After you get executive sponsorship, you also need to implement an accountability measure.
“Accountability is something that has gone away. For safety, you need accountability,” Torrance said. “We have accountability on the business side, but not as much with health and safety.”
One more important element that will help get the job done in a global initiative is keeping everything as simple as possible. “Too often,” he said, “global programs get lost in the details.”
Another situation he often encounters comes when engineers meet to go over programs. They tell him the plan works well and has a solid return on investment, but the safety part of the program is too costly and they can’t get a return on it. They will then want to unbundle safety from the package.
“If you can’t afford to do the project with safety, you can’t afford to do the project,” Torrance said.
That all goes back to the credibility issue that talks about safety as a value within the mindset of the organization.
“You need to dialogue with workers to be fluid, effortless and spontaneous,” said Mike Douglas, senior manager for safety at General Motors. “That is how you achieve all the goals you need.”