Friday, May 31, 2019 @ 04:05 PM gHale

By Dave Cronberger
One of the many unique aspects of the manufacturing industry is its diversity of operating systems in terms of purpose, vintage and version.

Besides the real-time operating system of controls, you could argue the only other operating system within manufacturing is Windows. Although that is technically untrue, Windows certainly covers greater than 90 percent of the installed base.

It is impossible to update every version of software or the Windows operating system that might be on a machine. Remember, Windows is often the interface of the machine, or rather, a Human Machine Interface (HMI) where interactions between humans and machines occur.

This is often due to the applications and drivers that interface to a machine, causing many vendors to halt support when they have revised and updated their product, or when Windows drops support for its software as they did for XP back in 2014.

The machine itself has and continues to provide good service and so, despite the lack of support and security fixes, the software continues to run because the machine continues to run.

Worn Out Parts
This longevity brings with it an interesting problem – things just wear out.

One case in point: printed circuit boards begin to fail as solder joints crack, and flash memory fails as the charge stored in its gates leaks away.

This brings an opportunity to move the operating system and application to a virtual machine on much newer server hardware.

The HMI is based on a thin client with a touch screen, the required connections to the machine itself and application servers housed in the plant computer room. In addition to examining the traffic on the network, it is possible to apply certificates on the VM and multifactor authentication on the thin client mounted at the machine. This then makes it possible to use policies to control the applications and devices that can be communicated with regularly. This new method also brings forth the use of other services like domain name services (DNS).

DNS Role in Manufacturing
In manufacturing networks, domain name services (DNS) continue to play a larger role.

Eventually, programs for the control systems will no longer hard code the IP address of a device into the program, but refer to it by name or some other form of identification. This will happen as services like DNS continue to be highly reliable. The ability to trust these kinds of systems is crucial now, and in the future, being able to objectively evaluate the trust of that system and other systems will be critical.

To begin, we must assume that nothing can be trusted.

From there, we have to classify devices and applications based on what needs remediation and what can actually be remediated. For those plant floor devices that cannot be reconciled, the network must be used to provide the correct degree of isolation and permissions. For those that can be reconciled, certificates and other methods can be added to further identify and classify what applications can be contacted and used by those devices. These same tools can be used to ensure the operator is the correct administrator and has the appropriate permissions to access the remediated machines.

The next step is remote access.

There is so much demand now to lower service costs that it cannot be ignored. One of the approaches is to put a small device in front of every machine that allows, essentially, out of band connectivity. This can become impractical if we intend to ensure the integrity of our plant floor, because there needs to be entry point control for anyone doing remote access against the machine. We need to insert protections so line of sight, for example, can be maintained on any machine that moves in a three-dimensional space. One needs to ensure the person coming in remotely is indeed who they say they are with the proper credentials.

The Cloud’s Role
This is where third party cloud-based services may play a role.

You need a security tool that can operate in a manner that allows anyone from anywhere to access the service so the integrity and identity can be ascertained with certainty.

In the existing environment with no controls, the issue really must be addressed. Relying on the air gap – physically separating the network from other systems – is not the answer.
Dave Cronberger is a solutions architect for Internet of Things at Cisco.

Wednesday, May 22, 2019 @ 08:05 AM gHale

Mitsubishi’s Interactive Cycle Insertion lets engineers choose and customize cycles or features directly into their G-code program, which can reduce programming time and potential for human error.

Machine tool programmers and engineers that utilize Renishaw’s GoProbe macros could save significant time and labor with the use of Mitsubishi Electric Automation, Inc.’s Interactive Cycle Insertion screens on its M8 Series of CNC controls.

They can use the Interactive Cycle Insertion screens to integrate Renishaw GoProbe macros directly into their CNC control. Those looking to acquire a new Renishaw probe can also do so with the knowledge it will integrate into the Mitsubishi Electric M8 Series CNC Controls.

Interactive Cycle Insertion is an icon-based programming method that lets engineers choose and customize cycles or features directly into their G-code program, through the edit screen. It reduces programming time and potential for human error because programmers do not have to hand-type the G-code into the control. This solution is specifically applicable for tool and workpiece measurement.

“Renishaw probes can reduce set-up times by up to 90 percent and improve process control. Probing is an established practice for maximizing efficiency, quality, capability, and accuracy of machine tools,” said Dave Bozich, vice president of operations at Renishaw. “Standard routines built into modern CNC controls simplify integration of probing cycles. These routines, when combined with a CAD interface, streamline the simulation of measurement functions.”


Friday, March 22, 2019 @ 11:03 AM gHale

Medtronic has applied additional controls for monitoring and responding to improper use of the Conexus telemetry protocol in the MyCareLink Monitor, CareLink Monitor, CareLink 2090 Programmer, and various Medtronic implanted cardiac devices, according to a report with NCCIC.

In addition, other mitigations are being developed and will end up deployed through future updates, after regulatory approval.

The vulnerabilities are improper access control, and cleartext transmission of sensitive information.

Successful exploitation of these vulnerabilities may allow an attacker with adjacent short-range access to one of the affected products to interfere with, generate, modify, or intercept the radio frequency (RF) communication of the Medtronic proprietary Conexus telemetry system, potentially impacting product functionality and/or allowing access to transmitted sensitive data.

Peter Morgan of Clever Security; Dave Singelée and Bart Preneel of KU Leuven; Eduard Marin formerly of KU Leuven, currently with University of Birmingham; Flavio D. Garcia; Tom Chothia of the University of Birmingham, and Rik Willems of University Hospital Gasthuisberg Leuven reported these vulnerabilities.

Successful exploitation requires: an RF device capable of transmitting or receiving Conexus telemetry communication, such as a monitor, programmer, or software-defined radio (SDR); adjacent short-range access to the affected products; and the products to be in states where the RF functionality is active.

Before the device implant procedure and during follow-up clinic visits, the Conexus telemetry sessions require initiation by an inductive protocol. Outside of these use environments, the RF radio in the affected implanted device is enabled for brief periods of time to support scheduled follow-up transmissions and other operational and safety notifications.

The result of successful exploitation of these vulnerabilities may include the ability to read and write any valid memory location on the affected implanted device and therefore impact the intended function of the device.

The following products and versions of Medtronic devices utilizing the Conexus telemetry protocol suffer from the issues:
• MyCareLink Monitor, Versions 24950 and 24952
• CareLink Monitor, Version 2490C
• CareLink 2090 Programmer
• Amplia CRT-D (all models)
• Claria CRT-D (all models)
• Compia CRT-D (all models)
• Concerto CRT-D (all models)
• Concerto II CRT-D (all models)
• Consulta CRT-D (all models)
• Evera ICD (all models)
• Maximo II CRT-D and ICD (all models)
• Mirro ICD (all models)
• Nayamed ND ICD (all models)
• Primo ICD (all models)
• Protecta ICD and CRT-D (all models)
• Secura ICD (all models)
• Virtuoso ICD (all models)
• Virtuoso II ICD (all models)
• Visia AF ICD (all models)
• Viva CRT-D (all models)

The Conexus telemetry protocol utilized within this ecosystem does not implement authentication or authorization. An attacker with adjacent short-range access to an affected product, in situations where the product’s radio is turned on, can inject, replay, modify, and/or intercept data within the telemetry communication. This communication protocol provides the ability to read and write memory values to affected implanted cardiac devices; therefore, an attacker could exploit this communication protocol to change memory in the implanted cardiac device.

CVE-2019-6538 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.3.

In addition, the Conexus telemetry protocol utilized within this ecosystem does not implement encryption. An attacker with adjacent short-range access to a target product can listen to communications, including the transmission of sensitive data.

CVE-2019-6540 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.5.

The products see use mainly in the healthcare and public health sectors, and they are deployed on a global basis.

No known public exploits specifically target these vulnerabilities. These vulnerabilities require adjacent short-range access to the affected devices to be exploited. However, an attacker with low skill level could leverage the vulnerabilities.

Ireland-based Medtronic applied additional controls for monitoring and responding to improper use of the Conexus telemetry protocol by the affected implanted cardiac devices. Additional mitigations are being developed and will be deployed through future updates, after regulatory approval.

Medtronic recommends users take additional defensive measures to minimize the risk of exploitation of these vulnerabilities. Users should:
• Maintain good physical control over home monitors and programmers
• Use only home monitors, programmers, and implantable devices obtained directly from your healthcare provider or a Medtronic representative to ensure integrity of the system
• Do not connect unapproved devices to home monitors and programmers through USB ports or other physical connections
• Only use programmers to connect and interact with implanted devices in physically controlled hospital and clinical environments
• Only use home monitors in private environments such as a home, apartment, or otherwise physically controlled environment
• Report any concerning behavior regarding these products to your healthcare provider or a Medtronic representative

Medtronic released additional patient-focused information at the following location:

Monday, February 25, 2019 @ 06:02 PM gHale

By Dave Cronberger
In order to fully understand data passing through an industrial network, one needs to take a deep dive and analyze the data itself.

In other words, when we have data moving from controllers to I/O blocks, how do we actually know it’s the right data?

To understand the kind of data to look for it is important to consider the following:
• Does the data have the correct motion control movement? Is it setting a value that it’s supposed to set?
• Have we reached a point in industrial networking where data threats lead us to consider reassessing the data we have in our control networks across an entire plant?
• Are we examining this data using artificial intelligence to determine if there is an actual threat?

For some time now, it’s been clear the focus on factory security has been around the perimeter of the network. Now we are beginning to see a shift in attention being given to the identity of system services and the people behind these services involved in protecting plant processes. While these are all necessary steps to take, they will not help uncover the possibility of malware being inserted into a system, or even just a simple change of programming that is malicious in nature.

By examining the actual information that is traversing the network, we may determine if something problematic or malicious is actually occurring and take the necessary steps to solve it. But the reality of existing security methods, as good as they are, is that no one can guarantee a 100 percent chance that you can keep someone out.

Detecting An Intrusion
So what do you do when someone gets access to your plant? You cannot simply stop the line and interrupt the process. There needs to be a way to detect the intrusion and evaluate the intent. This is crucial because some forms of intrusion are solely for observational purposes, while some are there to do damage.

Observing your own network traffic will have an impact on the network infrastructure. The network equipment needs to have the capability to make copies of the traffic in order to send it off to the applications that can evaluate it and perform an intelligent analysis of the data. The next step is for an individual to take the data analysis and make a decision based on those facts. One option to consider is to implement an automated reaction at this time, but that still requires thought and analysis about the intent of an intrusion.

The network will then need to respond to a signal, whether directed from an automated application or a human being, in order to mitigate the discovered anomaly. From here, the insertion of a new white list Access Control List versus a blacklist Access Control List can help terminate communications from an unknown device that is not expected to be present on the network.
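As an added example (not the author's code), the following script shows the two steps above on constructed data: flagging a device in a cell that the inventory does not know, and why an allow-list ACL built from the expected conversations terminates that device's traffic while a block-list ACL lets it through. The cell inventory, expected flows, sample flow records and the simplified ACL model are all assumed.

```python
"""Detect an unexpected device in one manufacturing cell from mirrored traffic
and show why an allow-list ACL terminates it while a block-list ACL does not.

Added example, not the author's code. The cell inventory, expected
conversations, flow records and the ACL model are all constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed inventory of the devices expected in cell 1.
CELL_INVENTORY: Dict[str, str] = {
    "10.20.1.10": "PLC-line1",
    "10.20.1.11": "HMI-line1",
    "10.20.1.12": "IO-block-A",
}

# Constructed baseline of expected conversations: (src, dst, dst_port).
# 44818 and 2222 are the EtherNet/IP explicit and implicit messaging ports.
EXPECTED_FLOWS: Set[Tuple[str, str, int]] = {
    ("10.20.1.11", "10.20.1.10", 44818),
    ("10.20.1.10", "10.20.1.12", 44818),
    ("10.20.1.10", "10.20.1.12", 2222),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int


# Constructed flow copies, as the cell switch would mirror them to the analyzer.
SAMPLE_FLOWS: List[Flow] = [
    Flow("10.20.1.11", "10.20.1.10", 44818),
    Flow("10.20.1.10", "10.20.1.12", 2222),
    Flow("10.20.1.77", "10.20.1.10", 44818),  # address not in the inventory
    Flow("10.20.1.12", "10.20.1.10", 44818),  # known device, unexpected direction
]


def find_anomalies(flows: List[Flow]) -> Tuple[List[Flow], List[Flow]]:
    """Split flows into (unknown-device flows, unexpected flows between known devices)."""
    unknown, unexpected = [], []
    for f in flows:
        if f.src not in CELL_INVENTORY or f.dst not in CELL_INVENTORY:
            unknown.append(f)
        elif (f.src, f.dst, f.dst_port) not in EXPECTED_FLOWS:
            unexpected.append(f)
    return unknown, unexpected


@dataclass(frozen=True)
class AclEntry:
    action: str               # "permit" or "deny"
    src: str                  # host address or "any"
    dst: str
    dst_port: Optional[int]   # None matches any port


def matches(entry: AclEntry, flow: Flow) -> bool:
    return (entry.src in ("any", flow.src)
            and entry.dst in ("any", flow.dst)
            and entry.dst_port in (None, flow.dst_port))


def evaluate(acl: List[AclEntry], flow: Flow) -> str:
    """First-match evaluation with the implicit deny that ends every ACL."""
    for entry in acl:
        if matches(entry, flow):
            return entry.action
    return "deny"


def allow_list_acl() -> List[AclEntry]:
    """Permit only the baseline conversations; anything else falls to implicit deny."""
    return [AclEntry("permit", s, d, p) for s, d, p in sorted(EXPECTED_FLOWS)]


def block_list_acl(known_bad: List[str]) -> List[AclEntry]:
    """Deny the sources already known to be bad, then permit everything else."""
    acl = [AclEntry("deny", ip, "any", None) for ip in known_bad]
    acl.append(AclEntry("permit", "any", "any", None))
    return acl


if __name__ == "__main__":
    unknown, unexpected = find_anomalies(SAMPLE_FLOWS)
    print("unknown devices:", sorted({f.src for f in unknown}))
    print("unexpected flows between known devices:", unexpected)
    for name, acl in (("allow-list", allow_list_acl()), ("block-list", block_list_acl([]))):
        print(name, {f.src: evaluate(acl, f) for f in unknown})
```

The block-list only stops the rogue address once someone has already named it, which is exactly the case the text describes as unknown; the allow-list needs no such knowledge.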

On The Network
At a practical level, the only place to do this is in the network itself.

The network is a platform that touches all the devices and systems on the plant floor. Distributing the intelligence needed through the floor plan by way of the network then makes it easy to perform an analysis on a smaller scale in each of the cells or zones. The network can then send the accumulated behavior data to a central location to evaluate the information and present notifications to people and systems as needed. This approach is already active in the data center space with respect to normal business applications, so this is an extension of existing technology in order to accommodate the kinds of information we see in industrial applications.

Those individuals overseeing data travelling through their network would benefit from implementing advanced machine learning to identify behavior anomalies. They also need to have access to a data set of common vulnerabilities, the ability to recognize behavior deviations, and control over access for systems and applications.

These capabilities combined with other security infrastructure settings can help the plant floor to detect and mitigate threats faster.
Dave Cronberger is a solutions architect for Internet of Things at Cisco.

Wednesday, January 9, 2019 @ 06:01 PM gHale

By Gregory Hale
An oil refinery was undergoing a performance review some years ago and a team of security experts were touring the facility when they went out to a remote station a long way from the main plant.

“We were working at an oil refinery and they had a remote station control room that was a mile off in the corner, and we went out to it for an inspection. What we found was the gate was hanging wide open and even though it was locked, you could crawl under the fence and then you were in a control room,” said Eric Byres, chief executive at software security validation provider, aDolus. “None of the security in the world would have helped.”

While that situation occurred years ago, that control room was live and anyone could get in pretty much at any time and go to work. That scenario shows the growing intersection of the triangle of safety with physical and cyber security.

The distinction between digital and physical worlds is vanishing, while the risks associated with connectivity have accelerated the need for new overall security protections for all aspects of manufacturing.

Everyone must understand attackers will leverage anything they can get their digital hands on to gain access to an OT system, including those within the enterprise security system itself to potentially infiltrate a manufacturing enterprise.

Fully Aware
“The triangle of safety, physical and cybersecurity have been acknowledged at least in the world of power utilities. After the Metcalf incident in California (where snipers drove up to a power substation and opened fire), the power utility industry was fully aware of the consequences of physical sabotage against power utility equipment,” said Dewan Chowdhury, chief executive and founder of security provider, malcrawler. “When the power utilities of America perform their GridEx exercise they include the combination of cyber-physical scenarios.”

Without adequate cyber protection to connected physical security systems protecting critical infrastructure, OT environments may end up exposed and vulnerable. Every connection and connected device is an entry point, a golden opportunity for a breach.

A case in point is deploying IP cameras with default passwords or without proper network segmentation; such cameras can serve as viable entry points into a network, which boosts the risk of attack. This is a common practice, as installers may not be aware of the cybersecurity consequences. The irony is the cameras are there to act as a security device, but they could potentially end up being a breach access point.

“Without a doubt these three disciplines are converging and at record pace. Accelerating this pace is the general threat landscape and the corresponding governance trends necessary to manage this phenomenon,” said Dave Weinstein, vice president of threat research at network monitoring provider, Claroty. “There continues to be a wide skills and cultural gap between safety, physical, and cyber personnel but we are witnessing a growing adoption of cross-training and collaboration initiatives to shrink this divide. Doing so will help organizations realize much needed synergies across people, process, and technology.”

A security model needs to tie safety, physical and cyber security together, but not necessarily integrate them, said Eric Knapp, chief engineer, cyber security solutions and technology at Honeywell Industrial Cyber Security (H-ICS).

“With Triton, we saw how a digital attack could be used to target a safety system. As physical security systems become more intelligent and connected, a similar risk exists. The easiest way to mitigate such a risk is with current best practices: Keep them as isolated as possible digitally, do not use common credentials or access controls across systems, etc. so that they can be checks and balances for each other, and one does not inadvertently become the vector of attack for the other. This requires a degree of coordination (and ideally top-down support) of the three groups. This means that those in charge of physical security, cyber security, and safety all need to work together, and each should consider the other disciplines when threat modeling.”

Different Types of Attacks
There are different models of physical attacks, ranging from counterfeit devices/software installed, to side channel issues like differential power analysis attacks and similar efforts, said Dean Weber, chief technology officer at security provider, Mocana.

“The manufacturing supply chain is a physical issue, as is ‘embedded at manufacture time’ potential compromises such as Huawei has been accused of by western organizations,” Weber said. “The concept of waterfall attacks can also be a component of a physical breach, where systems that have been previously compromised are alerted to a trigger event by some physical activity (loss of primary system for example). So not only are attacks possible, but many are currently in play. Attacks such as Shamoon and Blackenergy, or even Stuxnet, have a component of physical access attached to them in some form, ranging from plugging a USB stick in, to physically injecting malware or signaling to previously compromised devices. All such attacks are evolving and present new danger to the industrial communities.”

“One could easily argue that certain USB attacks emanate from the physical side,” Knapp said. “Only about a third of USB threats are actually malware based; the rest involve the introduction of a physical USB device that is designed to be malicious. Accidentally or intentionally carrying these devices into a network circumvents cyber defenses and instead crosses physical defenses like locked doors and inspections. The attack itself could even be physical, as in the case of USBKill devices, which fry computers electrically, or USBee attacks that use physical/electrical characteristics of the USB interface to exfiltrate data instead of using files. So in this context, we’ve already seen a physical device (USB drive) used to carry out a cyber attack (Triton) against a safety system.”

Safety and Physical
The intersection of safety and physical and cyber remains an ongoing issue.

“We were talking to a 300,00 bpd refinery (contributed to approximately 15 percent of country refining capacity) about upgrading approximately 40 legacy Triconex safety systems,” said Steve Elliott, safety expert and senior director of offer marketing for process automation at Schneider Electric. “They had an independent OT cybersecurity consultant in who determined a target Security Level 3 (SL3).

“However, it didn’t take a rocket scientist to spot the greatest weakness to the security posture was physical protection methods. The lack of physical hygiene was seen as the most obvious cyber risk. There was literally no security on the buildings, equipment rooms, equipment cabinets; you could just roll up and cause chaos.

“So, it was obvious that it was no good investing in hardening the cybersecurity measures for the safety systems and then literally leaving the ‘front door’ open to physical attack methods. We included access control as part of the upgrade plan to strengthen the physical posture as well as the SIS posture. I contend we should scrub cyber and talk about security and what that means, with cyber as a subset of the overall security posture,” Elliott said.

Cyber and Physical
Byres had a personal cyber twist on the issue.

“I purchased a high end commercial grade lock system for my house. It had some beautiful bit of engineering behind it. You could hit it with a hammer and not break it. It had infrared video cameras. It was a piece of engineering artwork. But you had to connect the controllers over the Ethernet because they were powered over the Ethernet. Unfortunately, when I set it up, I realized I could send a completely unauthenticated HTTP message to the IP address ‘/open’ or ‘/close.’ That meant anybody in our house network could send a command to open or close a gate anytime. The company subsequently changed it to HTTPS so you need authentication to open it up. This was a commercial grade product, so when it was used in a commercial setting, it would be possible to open a gate to a warehouse or a gate to a refinery using the same command. Anybody in the organization could open that at any time. It was an interesting intersection of really good lock engineers not really knowing anything about the Ethernet.”

Finding an Entry Point
Any weakness an attacker can find in the security armor could be an entry point.

“We are seeing attacks across all vectors, and the majority are still seen as transiting across the magic air gap from the enterprise into OT,” said Jason Haward-Grau, CISO at PAS Global. “The challenge is that we don’t tend to talk about the attacks that are happening unless necessary. In some cases, they aren’t even identified as cyber attacks as the outcome is safety related (this covers varied understanding of the etymology of attacks themselves, through engineering errors and malicious insiders).

“Attackers are looking to reference the optimal approach and often this is a mix of physical, psychological and virtual,” Haward-Grau said. “This in part is why almost all government advisories are extending the recommended practices to cover everything from awareness (phishing, vishing and spoofing) to the physical. Human nature is a much relied on accomplice to getting the malware into the plant. We all wonder what’s on the USB drive marked “HR Data” found in the parking lot, so we want to plug it in and see what it is.”

Standards Can Help
Some guidance can be found in standards.

“Several available standards and guidelines (most notably IEC 62443) incorporate both physical and cybersecurity in their normative requirements and recommendations,” said Eric Cosman a security expert and consultant with ARC Advisory Group. “I believe that most companies who have implemented a security program have recognized the importance of dealing with both at the same time. At my previous employer, we had a steering team that included the CSO, the head of engineering and the corporate director of safety and loss prevention. All three perspectives are necessary to address the evolving threat. Physical barriers such as access control can sometimes be effective countermeasures for cybersecurity risks.”

In keeping with IEC 62443, there is a physical security component.

“In cybersecurity one of the fundamental defensive mechanisms is to secure the perimeter, and air gap where you can. This forces attackers to gain a physical presence,” said Andrew Kling, senior director of cybersecurity and system architecture at Schneider Electric. “In a reverse engineering presentation last year, we watched a skilled engineer remove the flash chips from a safety control to extract the firmware. In the latest IEC 62443-4-2 included are requirements to resist and detect physical tampering.”

With increased connectivity through digitalization and the Industrial Internet of Things (IIoT), it remains a huge issue as the attack surface continues to grow.

“While most companies isolate the networks used for IIoT applications from core control systems, the fact that they are communicating with external systems undermines the integrity of IIoT information and the security of anything that relies on the use of the IIoT data,” said Sid Snitkin, vice president at ARC Advisory Group. “Concern over IIoT security continues to constrain broader adoption of IIoT.”

Increased Attack Surface
“The more accessible devices become, the greater the attack surface from both a physical and a cyber perspective,” Weber said. “Many of the older industrial endpoints are analog, meaning voltage and/or current reliant to function. The upstream devices are where most of today’s attacks are targeted, but the ability to influence the data being generated due to the reliance on back end analytics for day-to-day efficiency of operations (AI) means a simple change to input data can have disastrous impacts on the industrial operations; ranging from simple denial of service to very advanced data poisoning designed to alter outcomes. The more connected we become, the more important it is to develop and deploy countermeasures to our highest risks.”

It is easy to start off the new year thinking there is no hope, but there are positives.

“While increased connectivity undoubtedly yields greater productivity and output, it also presents attackers with opportunities that heretofore did not exist,” Weinstein said. “For all of the doom and gloom about IIoT from a security perspective, it is a manageable risk and I expect to see more and more innovation in terms of monitoring these devices over the next few years.”

Friday, November 30, 2018 @ 04:11 PM gHale

By Dave Cronberger
Manufacturing networks today are massive and pass quite a bit of unutilized data. These networks also have a lot of equipment on them that, from time to time, is moved around where the plant floor is re-optimized to make people and machinery more efficient.

Plant floor re-optimization can save large amounts of money, while automating the movement of equipment, or at least the network supporting manufacturing, can save additional money.

This, however, can still create a number of challenges for the factory control engineering folks, as well as the industrial engineers that work out the flow of product through the manufacturing process.

The current quantum manner of managing industrial networks will no longer scale in the way manufacturers need them to. Another issue here is having multiple networks running in parallel in these manufacturing plants. Here, it is important to consolidate these networks physically into a single network solution and distribute them at a domain level.

Another challenging factor is the increase in the amount of data points that will be collected from I/O devices in the manufacturing plant. This additional data will need to be analyzed in near real-time, while many of the more intricate parts of that data will need to be summarized and sent up into a data lake or similar repository in order to be examined differently and, perhaps more thoroughly.

Compute technology at the edge and in the data center can do a great deal of good on the factory floor with respect to all of the items that have been outlined:
• Plant movement
• Plant re-optimization
• Machine movement
• Information collection
• Analysis and reporting

The goal in mind here is to have the network appear to behave as though it were a giant USB hub. In this way, any piece of equipment can be:
• Located anywhere
• Uniquely identified
• Communicated with directly or as a group via multicast

At the same time, we need to be able to allow for separate domains on a common infrastructure. For example, we don’t necessarily want the administrative domain for the control’s environment in the manufacturing domain to be part of the overall enterprise information technology domain.

In-sync Orchestration
For all of these factors to come together, there needs to be an in-sync orchestration of all the network services and communication with each slice of the network as part of the overall system. We also need to virtualize the services in order to ensure we can control and migrate them from central locations.

Automation is a critical piece of making this orchestration happen, so each network element has to be supervised and managed by the higher-level administrator in order to ensure there are consistent conditions on the network for the machines. In other words, services have to be monitored and managed by the layer of orchestration in a consistent manner; a few of these items administrators must monitor include:
• Port configuration
• Access control lists
• Security parameters
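The consistency the orchestration layer has to enforce is, in practice, a comparison of intended state against what each access switch actually runs. The following is an added example, not code from the article or from any Cisco product: a small intent model for two ring switches and a drift check over an observed state that has been deliberately allowed to diverge. The switch names, interface names, VLANs and ACL names are constructed, and the observed state is embedded inline so the check runs offline where an orchestrator would pull it from the switches or the controller.

```python
"""Intent-versus-observed drift check for access-layer ports.

Added example, not from the original article or any Cisco product. The
switch names, port names, VLANs and ACL names are constructed; the
observed state is embedded inline so the check runs offline, where a
real orchestrator would pull it from the switches or the controller.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PortKey = Tuple[str, str]  # (switch hostname, interface name)


@dataclass(frozen=True)
class PortIntent:
    """What policy says a port should look like."""
    vlan: int
    acl_in: Optional[str]      # inbound ACL name, or None if no ACL is intended
    port_security: bool        # MAC-limit / sticky-MAC enabled
    shutdown: bool = False     # unused ports are intended to be parked and shut


@dataclass(frozen=True)
class Finding:
    switch: str
    port: str
    attribute: str
    expected: object
    observed: object


# Constructed intent for two ring switches in two manufacturing cells.
INTENT: Dict[PortKey, PortIntent] = {
    ("cell-a-ring-sw1", "Gi1/1"): PortIntent(110, "CELL-A-HMI-IN", True),
    ("cell-a-ring-sw1", "Gi1/2"): PortIntent(110, "CELL-A-PLC-IN", True),
    ("cell-a-ring-sw1", "Gi1/3"): PortIntent(999, None, False, shutdown=True),
    ("cell-b-ring-sw2", "Gi1/1"): PortIntent(120, "CELL-B-PLC-IN", True),
}

# Constructed observed state, as a parser of the running configuration would
# report it. Deliberately drifted: Gi1/2 lost its ACL, the parked port Gi1/3 is
# up on VLAN 1, sw2 Gi1/1 is gone and an unplanned sw2 Gi1/4 has appeared.
OBSERVED: Dict[PortKey, dict] = {
    ("cell-a-ring-sw1", "Gi1/1"): {"vlan": 110, "acl_in": "CELL-A-HMI-IN", "port_security": True, "shutdown": False},
    ("cell-a-ring-sw1", "Gi1/2"): {"vlan": 110, "acl_in": None, "port_security": True, "shutdown": False},
    ("cell-a-ring-sw1", "Gi1/3"): {"vlan": 1, "acl_in": None, "port_security": False, "shutdown": False},
    ("cell-b-ring-sw2", "Gi1/4"): {"vlan": 120, "acl_in": None, "port_security": False, "shutdown": False},
}

CHECKED_ATTRIBUTES = ("vlan", "acl_in", "port_security", "shutdown")


def check_drift(intent: Dict[PortKey, PortIntent], observed: Dict[PortKey, dict]) -> List[Finding]:
    """Return every attribute where observed state disagrees with intent.

    Ports the intent knows nothing about are reported too: an access port that
    exists outside policy is exactly the gap an orchestrator must close.
    """
    findings: List[Finding] = []
    for (switch, port), want in intent.items():
        have = observed.get((switch, port))
        if have is None:
            findings.append(Finding(switch, port, "presence", "configured", "absent"))
            continue
        for attr in CHECKED_ATTRIBUTES:
            expected = getattr(want, attr)
            actual = have.get(attr)
            if expected != actual:
                findings.append(Finding(switch, port, attr, expected, actual))
    for (switch, port) in observed:
        if (switch, port) not in intent:
            findings.append(Finding(switch, port, "presence", "absent", "configured"))
    return findings


def is_urgent(f: Finding) -> bool:
    """Drift that widens exposure (ACL gone, port security off, parked port live,
    port nobody planned) outranks cosmetic drift such as a wrong VLAN number."""
    if f.attribute == "acl_in" and f.observed is None:
        return True
    if f.attribute == "port_security" and f.observed is False:
        return True
    if f.attribute == "shutdown" and f.observed is False:
        return True
    return f.attribute == "presence" and f.expected == "absent"


if __name__ == "__main__":
    for f in sorted(check_drift(INTENT, OBSERVED), key=lambda x: not is_urgent(x)):
        flag = "URGENT" if is_urgent(f) else "drift "
        print(f"{flag} {f.switch} {f.port} {f.attribute}: expected {f.expected!r}, observed {f.observed!r}")
```

Running it lists the five divergences, with the three that widen exposure (the missing ACL, the live parked port and the unplanned port) ahead of the wrong VLAN and the missing port. The point of the design is that intent is the single source of truth: a port absent from intent is a finding, not something to be quietly adopted, which is the discipline that makes policy-driven automation trustworthy.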

Converting the backbone network as step 1 also allows for the initial implementation of DNA (Cisco Digital Network Architecture), which positions the network for SDA (Software Defined Access). Programming a network around policy is a new paradigm and will take planning around translating policy into its application on the network.

Moving to Automation
Once the physical network is sorted out, the logical topology and its attributes need to be evaluated. It is here the benefits of automation begin to be realized; having software define the network, particularly at the access layer, proves especially powerful and effective.

For the example pictured, the focus of SDA and the principal automation is the leaf/spine network backbone, with limited support for extended nodes on certain industrial switches. In this case, SDA support in the backbone presumes programmable switches, while SDA support on industrial switches will grow over time, starting with the availability of programmable industrial switches when they are released. The industrial segments in the manufacturing cells are presumed to be ring based; a ring topology is not required per se, but it is the most conservative approach in this context.

In this scenario, there are two access layers:
• First access layer is the leaf nodes on the backbone
• Second are the ring nodes on the cells on the plant floor

While DNA and SDA will be able to exist across the total network in the future, there will still likely be political boundaries that have to be taken into account or, if not political, then operational.

In these early days of automating industrial networks to make them intent-based, we must cross the line of abstraction between the physical and logical network. This must be done because of the changing demographics of the work force and the talent that will be leaving and not easily replaced.
Dave Cronberger is a solutions architect with the Cisco Industries Solutions Group (ISG).

Wednesday, November 14, 2018 @ 09:11 AM gHale

A scooterbot stalls behind a busbot and causes a manned vehicle to collide with the bus, which then automatically calls for assistance.
Source: NIST

Smart cities are continuing their growth curve and that means the cyber-physical relationship will need to get stronger at the same time.

Take this case as an example: Aunt Edna tells her “scooterbot” where to go and it takes her there. She crosses a downtown intersection, where a semi-autonomous “busbot” is waiting to turn right.

The busbot queries the scooterbot, verifying trajectory and speed, and calculates the scooterbot’s passing. Aunt Edna’s scooterbot nears the other curb, and the busbot begins rolling — but the scooterbot’s battery shorts-out, stopping it. The busbot quickly brakes, but a manned vehicle rear-ends the busbot, jolting passengers. The busbot notifies traffic management and emergency medical services.

That is not a science fiction scene, that is something that is coming sooner than anyone thinks. That is why the National Institute of Standards and Technology’s (NIST) Marty Burns, Edward Griffor, Dave Wollman and their colleagues presented this scenario at the Human Factors and Ergonomics Society Annual Meeting in Philadelphia, PA with an accompanying conference paper, Elaborating the Human Aspect of the NIST Framework for Cyber-Physical Systems.

They explored the need to further develop the human aspect, or grouping of concerns, in cyber-physical systems, along with experts in human factors and ergonomics.

That development is challenging. “Humans can play a role in different ways in CPS, including as a CPS component, as CPS operators and as the CPS themselves,” the researchers said in the paper.

Moreover, “addressing the challenges of such (cyber-physical) systems requires the development of fundamentally new constructs,” they said.

To aid this development, NIST researchers propose decomposing, or factoring, the human aspect of the CPS Framework, into ‘sub-concerns’ that both drive and provide context for system requirements.

NIST developed a Framework for Cyber-Physical Systems (CPS Framework) that supports system engineering analysis, design, development, operation, validation and assurance of CPS.

Cyber-physical systems (CPS) comprise interacting digital, analog, physical, and human components engineered for function through integrated physics and logic.

For instance, a city implementing an advanced traffic management system including real-time predictive analytics and adaptation/optimization must consider all aspects of such a CPS system of systems’ functioning and integrations with other systems, including interactions with humans.

Friday, September 21, 2018 @ 03:09 PM gHale

The White House will increase the potential for stronger offensive measures as part of a new national cyber security strategy.

The move comes as U.S. intelligence officials expect a flurry of digital attacks ahead of the Nov. 6 congressional elections.

The strategy provides federal agencies with new guidance for how to protect themselves and the private data of Americans, said White House National Security Adviser John Bolton.

The policy change was needed “not because we want more offensive operations in cyber space but precisely to create the structures of deterrence that will demonstrate to adversaries that the cost of their engaging in operations against us is higher than they want to bear,” Bolton said.

The new policy also outlines a series of broad priorities, including the need to develop global Internet policies and a competent domestic cybersecurity workforce.

Part of the new policy focuses on securing critical infrastructure. The new policy reads:
“The responsibility to secure the Nation’s critical infrastructure and manage its cybersecurity risk is shared by the private sector and the Federal Government. In partnership with the private sector, we will collectively use a risk-management approach to mitigating vulnerabilities to raise the base level of cybersecurity across critical infrastructure. We will simultaneously use a consequence-driven approach to prioritize actions that reduce the potential that the most advanced adversaries could cause large-scale or long-duration disruptions to critical infrastructure. We will also deter malicious cyber actors by imposing costs on them and their sponsors by leveraging a range of tools, including but not limited to prosecutions and economic sanctions, as part of a broader deterrence strategy.”

Some priority actions the new policy is looking to take on include:

Refining roles and responsibilities: The Administration will clarify the roles and responsibilities of Federal agencies and the expectations on the private sector related to cybersecurity risk management and incident response. Clarity will enable proactive risk management that comprehensively addresses threats, vulnerabilities, and consequences. It will also identify and bridge existing gaps in responsibilities and coordination among Federal and non-Federal incident response efforts and promote more routine training, exercises, and coordination.

Prioritize actions according to identified national risks: The Federal Government will work with the private sector to manage risks to critical infrastructure at the greatest risk. The Administration will develop a comprehensive understanding of national risk by identifying national critical functions and will mature our cybersecurity offerings and engagements to better manage those national risks. The Administration will prioritize risk-reduction activities across seven key areas: National security, energy and power, banking and finance, health and safety, communications, information technology, and transportation.

Dave Weinstein, cybersecurity fellow at New America, formerly served in Cyber Command and as a public sector CTO/CISO, and is now vice president of threat research at network monitoring security provider, Claroty, said with the new policy there is not really much new.

“Most government strategy documents tend to be underwhelming and this one is no different. This isn’t a whole lot of new content or ideas, but rather amplification, clarification, and renewal of previous ones.

“The paragraph that stands out to me is the one on the Cyber Deterrence Initiative. Until now we haven’t formally adopted an international approach to deterrence, which includes collaborating on incident response and attribution. This Initiative has enormous potential to be successful if the right nations formally participate and equally contribute to its cause. I would expect to see the Five Eyes join in but it should extend even further, beginning with NATO member-states.

“Another one that stands out to me and is much overdue is modernizing of surveillance and computer crime laws. The Computer Fraud and Abuse Act (CFAA) in particular is in desperate need of a refresh.

“On critical infrastructure, it’s encouraging to see it featured so prominently in the Strategy but the substance is a bit lacking. More creativity is needed for government to maximize its contributions to what is largely a private sector problem. Some of the best ways for government to “secure critical infrastructure” are to incentivize investment in technology, people, and training; share actionable threat intelligence; and deter activities that hold infrastructure assets (and the citizens they serve) at risk. Again, some of these are mentioned but not in great detail.

“Would’ve liked to see a bit more emphasis on state and local cybersecurity as a key component of the national strategy.

“They punted on encryption – would’ve liked to see them take a strong stance on encryption while committing to foster a dialogue between the public and private sector recognizing the real concerns of law enforcement and the national security establishment.
“I was struck by the explicit mention of transportation and maritime cybersecurity – would’ve thought energy and maybe even advanced manufacturing would have received similar attention (especially given the Administration’s domestic policy priorities).”

Wednesday, September 5, 2018 @ 04:09 PM gHale

By Gregory Hale
With connectivity and interconnectivity on the rise, manufacturers need to understand there are solutions out there to ward off the bad guys and they don’t have to be too complicated.

“It is not always rocket science, sometimes the solutions are pretty basic,” said Dave Weinstein, vice president of threat research at network visibility provider, Claroty, during a talk entitled, “Tales from the Field: Dissecting Recent ICS Network Assessments,” last week at the ICSJWG Fall 2018 conference in Cincinnati, OH, “(Users must) accept the reality your organization has OT networks adversaries want.”

Growth in network interest from an attacker perspective started just over 10 years ago.

“2007 was an inflection point with a massive uptick in interconnectivity,” Weinstein said.

He said the most common ICS-OT risks are:
• Inherently vulnerable: Flat networks that have weak authentication, no encryption, insecure ICS protocols, problems with patch management, aging infrastructure
• Increasingly connected: Vendor remote access, visibility from the shop floor to the top floor, data analytics, supply chain
• Lacking collaboration: Shop floor vs. IT security mentality, no common IT/OT view, governance gaps and conflicts
• Insufficient visibility: No visibility across ICS networks, undetected network configuration issues, limited monitoring or threat hunting

Moving forward to the present, Weinstein said connectivity is continuing to increase between IT and OT.

The issue that still remains, and did cause some conflict between the two organizations, is that IT and OT were designed with different missions in mind.

But any schism that existed, or still remains, has to be put aside because of the connected nature of the networks; too much is at stake, and attackers know it.

“There are now plummeting barriers to entry for threat actors,” Weinstein said. “Back in 2007, it had to be highly funded nation states. While that is still true, it is easier today to plan and execute ICS attacks.”

Plus, he said, there is an expanding attack surface with the Industrial Internet of Things (IIoT) that compounds with the increased interconnectivity between devices.

Right now, he said, “there is a very active threat landscape.”

He pointed out five observations he has seen from the ICS environment:
1. Unpatched vulnerabilities: On average, Weinstein said, 5 to 10 percent of assets have unpatched vulnerabilities; most relate to OT devices like PLCs. Operators are aware of most of them but are unwilling to risk the downtime patching would cause.
2. External communications: usually engineering workstations and PLCs talking outside the ICS network, using multiple protocols, often the result of misconfiguration, and commonly impersonated by attackers.
3. Insecure protocols: often used by engineering workstations and PLCs. Among the protocols abused by attackers are Telnet, SNMP, LanMan, NetBIOS, SMTP, SMB and FTP, plus plaintext data.
4. Abnormal write operations: mostly HMIs unnecessarily writing to PLCs; baselining reveals unnecessary data acquisition traffic.
5. Open ports: it is not unusual for more than half of assets to have open ports.

One key piece to all of this is understanding the baseline, he said. Once any organization understands the baseline to the network, it can become easier to interpret how everything should be.
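What turning those five observations into detections looks like once a baseline exists is shown below as an added example; it is not code from the talk or from Claroty. The flow records and the baseline are constructed: a passive monitor would export records of this shape, and the baseline would be recorded during a clean observation window. The plant address space (10.10.0.0/16), host roles and PLC addresses are assumptions; the Modbus/TCP write function codes (5, 6, 15 and 16) are the standard ones.

```python
"""Baseline-driven triage of ICS flow records.

Added example, not from the talk or from Claroty. The flow records, the plant
address space and the baseline below are constructed; a passive monitor would
export the records and the baseline would come from a clean observation window.
Modbus/TCP function codes 5, 6, 15 and 16 are the standard write codes.
"""
import ipaddress
from collections import Counter
from typing import Dict, List, Set, Tuple

FlowKey = Tuple[str, str, int]  # (src, dst, dport)

# Cleartext or weakly authenticated services called out in the talk.
INSECURE_PORTS = {21: "FTP", 23: "Telnet", 25: "SMTP", 139: "NetBIOS", 161: "SNMP", 445: "SMB"}
MODBUS_PORT = 502
MODBUS_WRITE_FCS = {5, 6, 15, 16}  # write coil, write register, write multiple coils/registers
PLANT_NETS = [ipaddress.ip_network("10.10.0.0/16")]  # constructed plant address space

# Constructed baseline: conversations seen during a clean window, and the hosts
# permitted to write to each PLC (engineering workstation only, not the HMI).
BASELINE_FLOWS: Set[FlowKey] = {
    ("10.10.1.20", "10.10.2.10", 502),  # HMI polls PLC-1
    ("10.10.1.50", "10.10.2.10", 502),  # EWS to PLC-1
    ("10.10.1.50", "10.10.2.11", 502),  # EWS to PLC-2
}
BASELINE_WRITERS: Dict[str, Set[str]] = {
    "10.10.2.10": {"10.10.1.50"},
    "10.10.2.11": {"10.10.1.50"},
}

# Constructed flow records. "fc" is the Modbus function code when dport is 502.
FLOWS = [
    {"src": "10.10.1.20", "dst": "10.10.2.10", "dport": 502, "fc": 3},      # HMI read, in baseline
    {"src": "10.10.1.20", "dst": "10.10.2.10", "dport": 502, "fc": 16},     # HMI writes registers
    {"src": "10.10.1.50", "dst": "10.10.2.11", "dport": 502, "fc": 6},      # EWS write, permitted
    {"src": "10.10.1.50", "dst": "10.10.2.10", "dport": 23, "fc": None},    # Telnet to a PLC
    {"src": "10.10.1.50", "dst": "203.0.113.7", "dport": 443, "fc": None},  # EWS reaches the Internet
    {"src": "10.10.1.77", "dst": "10.10.2.10", "dport": 502, "fc": 1},      # unknown host reads PLC-1
]


def in_plant(ip: str) -> bool:
    """True when the address falls inside the plant's own address space."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PLANT_NETS)


def triage(flows, baseline_flows: Set[FlowKey], baseline_writers: Dict[str, Set[str]]) -> List[Tuple[str, str, FlowKey]]:
    """Apply the four checks to each flow; returns (rule, detail, flow key) tuples.

    A single flow can trip several rules: Telnet to a PLC is both an insecure
    protocol and, if it was never seen in the clean window, a baseline deviation.
    """
    findings: List[Tuple[str, str, FlowKey]] = []
    for f in flows:
        key: FlowKey = (f["src"], f["dst"], f["dport"])
        if f["dport"] in INSECURE_PORTS:
            findings.append(("insecure_protocol", INSECURE_PORTS[f["dport"]], key))
        if not (in_plant(f["src"]) and in_plant(f["dst"])):
            findings.append(("external_communication", "peer outside plant space", key))
        if f["dport"] == MODBUS_PORT and f.get("fc") in MODBUS_WRITE_FCS:
            if f["src"] not in baseline_writers.get(f["dst"], set()):
                findings.append(("unexpected_write", f"modbus fc={f['fc']}", key))
        if key not in baseline_flows:
            findings.append(("not_in_baseline", "conversation never seen in clean window", key))
    return findings


def count_by_rule(findings) -> Dict[str, int]:
    """Summary an analyst would look at first: how many hits per rule."""
    return dict(Counter(rule for rule, _, _ in findings))


if __name__ == "__main__":
    for rule, detail, (src, dst, dport) in triage(FLOWS, BASELINE_FLOWS, BASELINE_WRITERS):
        print(f"{rule:24} {src} -> {dst}:{dport}  {detail}")
```

Against the constructed records this yields six findings: the HMI writing to a PLC it is only supposed to poll, Telnet to a PLC, the engineering workstation reaching an Internet address, and three conversations the clean window never contained. The write rule only fires because the baseline records who is allowed to write, which is the practical reason Weinstein puts baselining first: without it, every one of these flows looks like ordinary Modbus.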

While pointing out the issues is one thing, Weinstein also went on to offer some recommendations and best practices.

While he did mention sometimes security solutions can end up being basic and you don’t need all the bells and whistles, it is pretty obvious the manufacturing automation sector is under the bad guys’ microscope.

That is why, he said, users need to “assign accountability for monitoring and continuously assessing risk. In addition, they need to acknowledge blind spots and orient defensive posture to identify and harden them.”

In addition, Weinstein said users should “make networks visible and prioritize network segmentation, expand the governance model to include ICS/OT and educate operators, executives and the board.”

Wednesday, August 8, 2018 @ 05:08 PM gHale

A beverage distribution plant on Detroit’s east side suffered from a chemical leak Monday, officials said.

The building was closed and 15 employees were sent home as investigators looked for the cause of the leak, said Fire Department Lt. Clarence Watts.

The building houses a company that distributes Towne Club beverages, and has dry goods and liquids stored on the premises, Watts said.

He said the Fire Department received a call from the company’s employees about the leak at 9:15 a.m. Monday.

Fire officials said the level of danger wasn’t enough to warrant evacuating the surrounding neighborhood.

Fire crews had to wait to enter the plant because HazMat crews had to determine whether it was safe.

The leak may have been caused by a leaky or broken pipe, said Dave Fornell, deputy commissioner of the department.

It’s considered a level two HazMat situation, which according to the National Fire Protection Association, is “an incident involving hazardous materials that is beyond the capabilities of the first-responders on the scene and could be beyond the capabilities of the public-sector responders having jurisdiction,” which “can pose immediate and long-term risk to the environment and public health.”

Two police officers and a worker were treated at Detroit Receiving Hospital after suffering from exposure, Fornell said.

The facility is operated by Intrastate Distributors. No one at the company was immediately available for comment.