Belden: A Needed Basics on Security

Tuesday, September 23, 2014 @ 07:09 PM gHale

By Gregory Hale
You can talk about securing a system until you are blue in the face, in the end, it is all about network reliability and uptime.

“Safety and security go hand in hand when you are looking at industrial process,” said Scott Howard, commercial engineer at Belden Inc. during his talk Monday at the 2014 Industrial Ethernet Infrastructure Design Seminar, Houston, TX. “An IT engineer’s prime goal is to keep information confidential. They can unplug the system if need be. That can’t happen in a manufacturing environment.”

Belden: Major Role of Security
Hackers Hit Defense Contractor Systems
Dragonfly: Pharma Industry Targeted
Keyboard Manufacturer Hacked

With IT, it is all about CIA, which stands for confidentiality, integrity and availability. However, in a control environment, they have the same concerns, but a different set of priorities. There it is more of an AIC mentality; availability, integrity and confidentiality.

So that can be the root cause behind why IT and control, or OT, can butt heads when it comes to security priorities.

Differences between IT and OT are an age old issue, but what does not get as much attention is the types of threat sources. While the big terrorist or hacker attacks garner big publicity and headlines, the true cause of the most cyber incidents comes from unintentional attacks.

Threat Sources
Howard said the security threat sources are 80 percent unintentional and 20 percent intentional. And, of the intentional attacks, 47 percent were from outsiders and 53 percent were disgruntled employees. On the unintentional side, 14 percent were human errors, 38 percent were malware infections and 48 percent were software or device flaws. Users need to understand who and what the threat sources are:
• Device, software failures
• Malware
• Human error
• Insiders
• Terrorist/hackers

Along those lines, Howard gave some classic cases of cyber incidents and costs associated with them.

An oil pipeline shut down for six hours after a user was testing software and it ended up uploaded to the PLCs. The cost for that incident was $250,000.

In another case, 13 auto assembly plants shut down for one hour after a worm infiltrated the system. That cost was $14 million.

Yet another case that had a big dollar number, but an even bigger safety impact was when there was excessive network traffic at a nuclear plant that scrammed a reactor after some drivers crashed. That led to unsafe temperatures at the plant. The cost was $2 million, but the safety implications were far worse.

Case of Stuxnet
In addition to those cases, there have been some classic attacks on industrial control systems with the most famous being the 2010 Stuxnet attack when the U.S. and Israel hit a nuclear enrichment facility in Natanz, Iran. The focus of the attack was Siemens PCS 7 PLCs and WIN-CC systems. The attack was a targeted attack at the Natanz facility that damaged the plant’s centrifuges. But the collateral damage ended up hitting over 100,000 computers at 22 industrial sites, Howard said.

The design behind the malware was to destroy the uranium sites. The residual effect of the Stuxnet attack is the code is now available online and it has appeared on other attacks since then, Howard said.

Another aspect behind the attack was Stuxnet brought attention to weaknesses in SCADA and ICS security. Now everyone is aware of the flaws in systems.

“This is not going away,” Howard said. “This is something we need to address. We need to design security in and we need to retrofit security (in legacy systems).”

Control networks, however, have issues business systems don’t have, which makes them and entirely different environment to work with. PCs run 24×7 without security updates; controllers end up optimized for realtime I/O, not for robust networking connections. In addition, there are multiple entry points, poor network segmentation and no isolation.

“A firewall is good, but it is not enough. A user needs a complete understanding of threat sources,” Howard said.

When it comes to security it is all about defense in depth. Borrowing from a military model, a user needs multiple layers of defense that if an intruder does get in, he or she ends up slowed down to the point of not being able to fulfill the attack mission.

“Layers of defense has been proven to work in the military,” Howard said.

There are layers of security on a control network:
• Policy and procedures
• Physical security
• Computer layers/antivirus
• Control network
• Automation devices

Zones and Conduits
Part of a defense in depth model calls for segmentation via zones and conduits which is part of the IEC 62443 standard. This model helps lock down a network. Using this model, a user should only allow minimum required traffic into zones and when threats do come through alarms sound, Howard said.

A conduit is a pathway of communications that exits and enters a zone. A zone is a specialized area on the network that needs protection.

When it comes to a business network, when there is a software issue, a company issues a patch and IT workers apply it to help shore up the problem. That does not always work very well in the control environment. Howard talked about one case where a vulnerability ended up discovered in 2006 and a patch did not end up applied until 2011. Systems cannot come down to apply a patch, so that means control system security needs to apply a different set of work arounds. “Patches are very difficult to handle,” Howard said. “You need to handle vulnerabilities differently. You have to hide them.”

In essence, professionals in the control environment need to understand the security lifecycle where the user goes from assessing to implementing to maintaining the system. The catch is, though, security is not a one off solution, so the lifecycle keeps evolving and going in a circular motion.

In the assess mode, the user should start off with a risk assessment to understand where vulnerabilities are and also establish zones and conduits. Then in the implementation stage, there is training and then the user is able to design in zones and conduits and then validate and test. In the maintain stage, the user would conduct periodic vulnerability assessments and also test and deploy patches.

Whether it is an unintentional cyber incident or a deliberate attack, security continues to be a vital part of the automation industry and it will remain, with safety, a growing area of concern for manufacturers in the coming years.

“Hackers are getting more sophisticated,” Howard said. “In the old days, you could keep them out with perimeter detection, but now it is about intruder detection because they can get in.”

Leave a Reply

You must be logged in to post a comment.