Data Compromise: the New Business Risk

Wednesday, January 11, 2012 @ 05:01 PM gHale

Editor’s Note: This is an excerpt from Frank Williams’ entry on the Practical SCADA Security blog at Tofino Security.

By Frank Williams

Industrial cyber security is the next major impactful technology to hit the automation industries.

You might say I grew up in the process control and factory automation industry. For over 30 years I have observed and participated in bringing innovative technologies into this market we call process automation. Productivity gained from these new technologies has been huge, yet these same technologies often introduce unforeseen issues into the plant or factory operation.

Rarely will an alert control or systems engineer completely replace a legacy system with new technology. Advances in technology end up applied incrementally. Unlike the office environment, industrial deployment tends to blend the old with the new. Unfortunately, the sales pitch of productivity gain that accompanies new technology deployment may hide unintentional threats.

Such is the case with the current rush to connect everything through Ethernet and IP technology. This rush glosses over the lack of preparedness by end users and automation vendors to address a new working reality called industrial cyber security.

In the early ’80s a strategy to decentralize proprietary process control systems emerged and spawned the Fieldbus Wars. Thus began the unravelling of central control strategies, with a vision of driving more intelligence into each field device and using non-proprietary technology.

Advances in technology continued, and in the late ’80s and early ’90s they brought us industrial computers driven by the personal computer revolution, which challenged PLC dominance. These rugged PCs suggested a more flexible approach to monitoring and control using the Microsoft Windows operating system. In turn, this led to PC-based HMI (human-machine interface) and SCADA application software and, from this, to new industrial firms with software-only solutions, such as Heuristics, Iconics, Intellution and Wonderware.

As the clocks ticked into the new millennium and fears of the dreaded Y2K subsided, industrial users found significant cost reductions and huge productivity gains in selective installation of a network technology called Ethernet. Ethernet, an open standard and an already established connectivity technology on most business networks, would find similar value as control and system engineers began to thread together various “islands-of-automation” into a plant-wide control network infrastructure. Soon most industrial devices were “Ethernet-enabled.”

In the same decade, Ethernet became ubiquitous and the Internet more pervasive as IP technology connected everything for an anywhere, anytime, access-to-data experience. And industrial wireless sensor technology (WSN) with its self-configuring, self-healing mesh approach further added to the networking infrastructure. Wireless devices extended or in some cases replaced hard-wired solutions and connected remote and hard-to-reach areas of any process to the plant network.

With these network advances, a more comprehensive plant-wide picture is now available to management, yielding real-time information on the cost and performance of the firm’s process 24/7. And the more operators know about the actual performance of their process, the tighter (and more productively) it can be run.

All is well in the newly networked industrial kingdom. Right? Well, sort of.

As plant operators and owners demanded even more productivity from their process, control engineers installed ever wider network coverage to push and pull data from all areas of the operation. Local, offshore, and even cross-country connections became cost-effective and easy-to-use through selective use of various networking and IP technology.

However, significant danger lurks in the shadow of many of these deployed networks. While key advances were made in networking, little attention was paid to industrial cyber security.

Think about this – data available to authorized personnel will also be available to unauthorized people. You may ask – who, other than plant personnel, would want to capture my data, and why?

This is where the game-changing Stuxnet malware comes into play.

Stuxnet, a worm discovered affecting Siemens’ PLC and SCADA products in July of 2010, shocked the industry by showing how determined perpetrators can create malware that enters your network without your knowledge and silently waits for remote commands or collects data on your process for competitive or disruptive purposes. In this case, the outcome was the targeted destruction of centrifuges used in Iran’s nuclear enrichment program. What is less well known is the collateral damage to manufacturing plants in other countries that had to reconfigure PLCs and shut down networks to purge them of Stuxnet.

An unfortunate consequence of the media attention Stuxnet received was that it showed the hacking and security researcher community how straightforward it is to penetrate the millions of legacy control and monitoring systems deployed worldwide. This is mainly because these systems were designed before IP- and Ethernet-enabled devices were connected to the Internet. No protection was designed into these devices, since the threat did not exist or was not perceived as significant.

Hacker focus on industrial systems led to ICS-CERT releasing 104 security advisories for ICS/SCADA products in 2011. Prior to Stuxnet, only 5 SCADA/ICS vulnerabilities had ever been reported.

Why would anyone want to know how much material you had stored in a tank, or running through your pipeline? This line of thinking has been the prevailing attitude until now.

Well, think of the possible consequences. They range from destructive damage to the plant or process to subtle and persistent attempts to steal valuable information. For example, theft of process information for commercial espionage could enable a competing or counterfeit product. Furthermore, “easy” access into the process network could lead to the theft of business information on the enterprise network.

Now, contrast the fast pace and ingenuity of hackers with the incremental approach to changing legacy systems mentioned earlier. You can’t help but conclude that hackers will remain well ahead of industry if we don’t start paying more attention. And commercial or criminal villains are sure to take advantage of the resulting opportunities.

I was recently talking with someone who works for a large automation company. He told me that his firm was convinced that adding more security technology to their devices was important. He then quickly lamented this would add to the cost of the device and he wondered if the end user would be willing to pay.

In this new era of industrial interconnectedness and prolific security researcher disclosure of automation system vulnerabilities, no one wants to be part of the team responsible for a system that could lead to data compromise and plant or business damage.

This year must bring a redoubling of effort by end users and control engineers to send a clear message to the automation vendors that industrial cyber security must transition from a “nice to have as insurance” feature to a key feature and design requirement of any process or device that wishes to remain reliable.

Frank Williams is senior product manager at Byres Security Inc., focusing on strategy and platforms. You can read his entry in the Practical SCADA Security blog at Tofino Security.