The Accidental Hacker

Wednesday, November 4, 2015 @ 01:11 PM gHale

By Nate Kube
Threat vectors affecting critical infrastructure are not always as they seem. Those seeking to disrupt oil drilling upstream or manufacturing operations downstream may not, in fact, be seeking disruption at all.

Based on hundreds, if not thousands, of security assessments we’ve performed globally, there are several gaps to watch out for and harden from a risk mitigation perspective. This month I’d like to focus on a risk we often encounter on client sites. It appears to be the least known, yet potentially most obvious risk – your extended team.


A typical large-scale industrial facility may have upwards of a dozen different contractors coming and going to perform specialized work. While these may not be corporate employees, they may be dedicated partners with the same vested interest in your success. Corporate security policies, if in place, specify a least-privilege access model. In a least-privilege access model, workers are prohibited from accessing specific site assets, such as workstations, servers and control equipment, that are not related to their job function. Enforcing these policies, however, is another story.

Case in Point
An example that illuminates such risk is the situation in a refinery in the Middle East. A contracted employee carried in a thumb drive (also known as a memory stick, USB drive or portable hard drive). After the contractor inserted it, against policy, into a company server, the network became infected with a virus, shutting down operations. This happened recently, yet when was the virus in question, Conficker, first discovered? Approximately 2008, with patches for its underlying vulnerabilities available for years.

There are two clear lessons from that scenario. First, a written security policy alone is not enough to prohibit your people from an activity that can be dangerous, such as contractors inserting unapproved peripherals into a USB port or connecting insecure laptops to operations networks. To enforce the policy, security monitoring and a baseline of your operational network behavior have to be implemented. Had this operator put in place OT security technologies that alert when particular servers communicate with other servers they are not supposed to, earlier detection would have been the result. Automated blocking of unauthorized traffic would have contained the virus and given investigators valuable time to limit damage.
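As an added illustration, not code from the article or from Wurldtech, the baseline-and-alert idea described above run over constructed flow records: a set of known-good server-to-server conversations is learned from a quiet period, anything outside it is flagged, and a host that suddenly reaches several new peers (the fan-out pattern a self-propagating worm produces) gets a containment alert. Host names, ports and timestamps are all constructed sample data.

```python
"""Baseline-and-alert check over constructed NetFlow-style records."""
from collections import defaultdict

# Constructed sample: (timestamp, src, dst, dst_port) as a flow collector on an
# OT segment might export them. Modbus/TCP is 502, SMB is 445.
BASELINE_FLOWS = [
    ("2015-10-01T08:00", "hist-01", "plc-01", 502),
    ("2015-10-01T08:01", "hist-01", "plc-02", 502),
    ("2015-10-01T08:02", "eng-ws-01", "plc-01", 502),
    ("2015-10-01T08:03", "eng-ws-01", "hist-01", 445),
]

# Constructed incident window: hist-01 starts fanning out on TCP/445 to hosts
# it never talked to during the baseline period.
LIVE_FLOWS = [
    ("2015-11-01T09:00", "hist-01", "plc-01", 502),
    ("2015-11-01T09:00", "hist-01", "eng-ws-01", 445),
    ("2015-11-01T09:00", "hist-01", "eng-ws-02", 445),
    ("2015-11-01T09:00", "hist-01", "srv-dc-01", 445),
    ("2015-11-01T09:01", "eng-ws-01", "plc-01", 502),
]


def learn_baseline(flows):
    """Record every (src, dst, port) triple observed during a known-good period."""
    return {(src, dst, port) for _ts, src, dst, port in flows}


def detect(flows, allowed, fanout_threshold=3):
    """Return alerts as tuples.

    ("unexpected", ts, src, dst, port): a conversation outside the baseline.
    ("fanout", src, n): src reached n new peers, a candidate for automated
    blocking or isolation pending investigation.
    """
    alerts = []
    new_peers = defaultdict(set)
    for ts, src, dst, port in flows:
        if (src, dst, port) not in allowed:
            alerts.append(("unexpected", ts, src, dst, port))
            new_peers[src].add(dst)
    for src, peers in new_peers.items():
        if len(peers) >= fanout_threshold:
            alerts.append(("fanout", src, len(peers)))
    return alerts


if __name__ == "__main__":
    for alert in detect(LIVE_FLOWS, learn_baseline(BASELINE_FLOWS)):
        print(alert)
```

In practice the baseline is re-learned whenever a maintenance window changes the legitimate conversation set, otherwise every approved change becomes a false positive.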

Enforcing your policy also means investing in training and documenting it, to avoid an “I didn’t know” response, as well as to support compliance. Your people – whether employees or specialized contractors – can benefit from OT security training, just as they are taught to limit physical safety hazards through HSE-related training.

Updates to industry standard IEC 62443-2-4 can help you scope what type of critical infrastructure security work third parties can deliver (compliance deadlines may help you expedite getting this work done). This can include assessments, certifications, and recommendations that span from designing a critical infrastructure security program to implementing it and enforcing it.

Spotlight on OT
The second takeaway from this case is that the nature of critical infrastructure operations is far different than a typical IT network. Years of education and prolific security technologies have kept many enterprise servers upgraded and running while offering services to a massive population of users and becoming increasingly resilient to a rapidly evolving threat environment. The operational environment in critical infrastructure sectors is the next frontier. For the better part of two decades, the threat exposure of cyber-physical systems has been driven by the convergence of OT and IT technology between the control room and the field. Now, OT systems are rapidly adopting cloud-centric technologies to deliver a new generation of control and analytics technologies to the Industrial Internet. Personnel are accustomed to the “air gaps” of years past, and even if they do have an interest in OT security, they often lack the specialized expertise to securely operate the highly distributed, interconnected environments that modern cyber-physical systems have evolved into and that must now be hardened.

Patching in OT is frequently misunderstood, for example. The basic assumption of enterprise security is that if patches are available, they’ve been installed. That assumption doesn’t hold true for cyber-physical systems. A seven-year-old virus can still affect critical infrastructure like a refinery because legacy equipment still runs many of our industries. With safety, uptime and process efficiency as core requirements, operational systems that work well and consistently produce can have a decade-long lifespan.

IT software and systems, on the other hand, are upgraded frequently, and it is acceptable business practice to stop IT services or force maintenance-related downtime without major disruption. OT personnel must fit patching, upgrades and networking updates within maintenance windows, and thus cannot simply apply patches for a specific threat as the fixes become available. They must patch with more enduring solutions that address overall vulnerabilities and the numerous ways they can be exploited, beyond just the immediate threat.

Evaluate Critical Assets

This type of specialized OT security understanding is not yet prominent among the critical infrastructure operators we have seen, except for a select market-leading few. As a result, operators make one of a few common mistakes:
• They assume OT security is the same as IT security, when in fact, the equipment lifespan, operational uptime requirements, and protocol sets for critical infrastructure are completely different.
• They focus on only one dimension of OT security, such as process, instead of the three dimensions required for a hardened security posture – people, process and technology.
• They trivialize the level of risk, despite high profile attacks such as Shamoon and the high probability of accidental hacks like the case described above.

To mitigate risks in your environment, a good starting point is to evaluate your high value critical infrastructure assets and determine who is allowed access, as part of an overall OT security posture assessment.

In the same way you identify external risks such as hacktivist and state-sponsored actors, recognize accidents can happen and do present a highly probable set of risks. Particularly if staff are untrained and you do not have technology countermeasures in place, the very people hired to partner with you for business success may inadvertently and unintentionally cause your downfall.

Wurldtech's Nate Kube.

Nate Kube founded Wurldtech Security Technologies in 2006 and, as the company’s Chief Technology Officer, is responsible for strategic alliances, technology and thought leadership. Kube has created an extensive intellectual property portfolio and has filed numerous patents in formal test methods and critical systems protection. Wurldtech is an independent subsidiary of GE, which acquired the company in 2014.