Defend Against Stuxnet, ‘But Look at Big Picture’

Wednesday, February 16, 2011 @ 02:02 PM gHale

Markus Braendle, division cyber security manager for ABB, sat down with Gregory Hale, editor and founder of Industrial Safety and Security Source, to discuss security issues facing the manufacturing automation industry today. This is the second in an occasional series in the Executive Corner.

ISSSource: How much are you seeing security as top of mind with users today?
Braendle: That really depends on what kind of users and where. If you look at the global picture, in North America security seems to be a bit more on customers’ minds than the rest of the world. If you look at the power industry and the process automation it seems like the power industry is driven more by regulations such as NERC-CIP here in North America and smart grid stimulus funding. Industrial customers, especially in the oil and gas sector like BP, Shell, or Exxon Mobil, on the other hand are more self-driven and they really take security seriously. They have the size to afford dedicated security teams. In general the smaller the customer the less money they can spend on security.

In terms of thinking about security, you get the whole mix. There are customers that really know what they want and have detailed requirements — sometimes even too detailed — on the other side there are customers that still don’t care about security that we try to educate and have them come around to it.

ISSSource: Are you finding people are using the ostrich mentality and burying their head in the sand saying “why would anyone want to hit my little plant?”
Braendle: Absolutely, we do see that. A typical example of what we see is for example related to the NERC-CIP regulations and the exclusion of serial protocols. We have heard customers say they will go back to serial so that they don’t have any critical cyber assets and don’t have to worry about it. In such cases we try to explain to them that serial isn’t secure and can be used for attacks as well. There are also customers that still believe that cyber threats are not realistic and it is all just a lot of media hype.

ABB's Markus Braendle

ISSSource: Do you have any thought on how much the industry is losing per year due to security issues?
Braendle: I couldn’t tell you. And part of the reason is that we don’t have an accurate picture of real incidents, which is one of the biggest issues in security right now. Incidents are not being made public; there are some documented incidents, but they are few and it is often the same ones that are being cited. I am absolutely convinced there are more.

The RISI database is a good example for this. Even though they do have a good number of documented incidents and constantly seek to add new ones, only a part of all incidents are actually being reported to them.

ISSSource: The RISI database has about 200 incidents. In talking to others in the industry, they said they may have that many incidents at one plant in a week. Are you still finding manufacturers do not want to reveal that information?
Braendle: I think so. Part of the reason is there still is a lack of trust between end users and government, end users and vendors, or consultants and vendors. Every time something does come up, whoever is involved always gets hit over the head with it. One of the examples was TVA with the GAO report that came out saying they are not taking security seriously enough. (The GAO issued a report in 2008 saying the Tennessee Valley Authority, or TVA, needed to address weaknesses in control systems and networks.) I think that TVA is taking security very seriously and they are doing a lot of things. But the focus too often is on the negative only. As soon as someone admits that there was an incident for instance, many people start pointing fingers saying you should have done this and you should have done that instead of appreciating the openness and constructively working on a solution.

ISSSource: How does a company go about making a business case for security?
Braendle: If I knew that, I would probably be a very rich man. That is a good question. To me it all comes down to risk management, which is one of the fundamental challenges we have when talking about security and how to bring it into products, systems, new projects and into the installed base.

Cyber security investments should be based on a risk assessment, and our industry is currently often not doing that. A lot of the things that are being done are driven by regulations or by technologies being pushed by “experts.” One of the reasons why we are struggling with proper risk management is because it is so difficult to calculate. How big is the risk? How big is the likelihood of a system being hit by a virus; an attacker? And what are the consequences? Putting likelihood values and dollar values on the cost of an incident is very difficult and that makes it difficult to estimate an ROI for security. NERC-CIP gave utilities an easy ROI because of the fines. If the amount of money spent on security to avoid fines is smaller than the potential fines the investment is worth it.

Calculating a real ROI however is difficult since we don’t have the statistical information and we don’t have a true understanding of all the incidents. This also applies to us as a vendor — and I have these discussions all the time with our internal product management and R&D — how do we justify spending all the money we do on security.

ISSSource: How do you justify that?
Braendle: Part of it is just saying that cyber security is part of our commitment to be a responsible member of the industry. Security to some extent is just part of offering high quality products. We invest for instance a lot of money in security testing and I don’t think we ever did an ROI on this because it is something we just know we have to do.

ISSSource: Could Stuxnet affect anybody at any time?
Braendle: It would be ignorant for any vendor or end-user to say it couldn’t affect them, so everyone needs to draw their lessons learned from Stuxnet and take necessary steps. But it would also be dangerous to now focus efforts only on this very specific attack and think that addressing this specific malware will solve everything. We really need to look at the bigger picture. The bigger picture is for instance that Stuxnet uses vulnerabilities in Windows that have been around for a long time and the likelihood is very high that there are other vulnerabilities that have been around for a very long time that could be exploited and could be used to do something similar.

ISSSource: How do you know about the vulnerabilities? No one knew these vulnerabilities were out there. How can you find them?
Braendle: Actually, one of the vulnerabilities was first mentioned in 2003 but at the time it was said that it could not be exploited. In general vulnerabilities have always been around and they will always be around, some of them are unknown vulnerabilities others are known but remain unpatched. The unknowns are obviously difficult to address today, the known and unpatched ones need our attention. Patching is still a process that needs improvement on all sides.

ISSSource: How do you stay ahead of these cyber bad guys?
Braendle: To me there are several things that can help you stay ahead. The first thing you have to do is your basic homework. Patching your systems for example or installing antivirus software and regularly updating signature files. This will take care of the bulk of vulnerabilities that have been known for a long time. Then there are newer technologies out there such as application white listing where, instead of listing all the bad things you want to protect from, you list all the good things allowed to run. It is like giving a bouncer at a party a list of people that can get in instead of trying to list all the people that can’t get in.

Another simple thing is following the principle of privileges. Not everyone needs to have full access to everything on the system. We don’t all need to have administrative rights. That can limit what malware can potentially do because it can limit it to the access privileges of the user that is on the system when the system is infected. There are a lot of basic things you can do to reduce the risk. You can never get the risk down to zero.

So, while you are applying these protection mechanisms you also have to think about how to deal with potential incidents. You need to have mechanisms in place that can detect an incident or a piece of malware and then you need to have an incident response plan in place. Incident response is one of the areas that people pay too little attention to. It is not a question of if you will be infected, but it is a question of when you will be infected. So you really need to have a plan on how you will respond.

ISSSource: I am told there has not really been an increase in the amount of attacks, but the sophistication level is getting higher. Are you seeing that?
Braendle: I guess that is true. What we saw in the past was mainly generic malware knocking on the doors of control systems. A virus for instance does not care if it is a control system, personal laptop, a financial institution or whatever, it just sees a Windows PC and says “I can infect it, OK let’s go.” Now we see changes and more sophisticated attacks because cyber security for control systems is getting more attention, also from the hacker community.

ISSSource: Do you find the majority security incidents are internal or external?
Braendle: The majority is probably internal incidents, but the way I prefer to look at it is a little bit different. I look at it as being targeted or untargeted incidents. Someone making a mistake, someone pressing a button that they should not have without malicious intent or a generic malware infecting a system is an untargeted incident. A disgruntled employee manipulating a system or something like Stuxnet on the other hand is a targeted incident. I think the big chunk we still need to worry about is untargeted attacks, especially generic malware that sees a system that hasn’t been patched and says “let me see what I can do with it.” There is much more of that out there than targeted attacks and they can be just as devastating as targeted attacks. We do need to worry about sophisticated, targeted attacks also but we should not completely focus on them — that would be like saying we need to put a very sophisticated lock on a door, but then leave all the windows open. We need to be realistic about it.

ISSSource: When you look at risk analysis, what level satisfies a user? 80%? 90%? 95%?
Braendle: I really don’t have the answer to that one. Part of a risk assessment should be to look at the system and really try to understand all its dependencies and interconnections. What you need to do is start thinking about “what if.” “What if I lose control over this PLC?” “What if someone else gains control of the PLC?” “What if I can’t access this HMI anymore?” “What happens if someone else can?”

When you start asking these questions you can rate the criticality of the components. You can say this piece is more critical than this other piece. You then start by securing the most critical components. Where do you stop? That is probably up to your budget. If you have unlimited budget, then go for it, but that is not reality. Typically you will have a limited budget. That is just a reality. You need to protect the crown jewels first then you can add different layers.

ISSSource: When you are talking to customers, do they really know what they need?
Braendle: We get everything. We have some that give detailed specifications. There are others that really don’t know what they want, and they want us to advise them.

ISSSource: Who owns the security environment right now?
Braendle: Very different. For some customers it is the operations guys who are saying they don’t want IT anywhere near their systems. For other customers it is very different and IT is dictating security on operations. To be honest, I don’t know which is the better approach. When it seems to work the best is when operations and IT get together and discuss and promote a solution. Typically, operations doesn’t have enough security expertise to have the detailed understanding, and on the other hand, IT doesn’t have the understanding of what a process is. If they can get together and talk to each other then that is a pretty good approach.

ISSSource: Do you find they are able to talk to each other?
Braendle: I think it is getting better because they start to realize that they have to talk to each other. But sometimes we as a vendor still get caught up in the discussion and have to mediate.

ISSSource: Is there a big difference between making a business case for safety compared to security?
Braendle: They should both be based on risk. For safety that is well understood. For security we are still trying to figure out how to do that. One of the big differences in security is that we don’t have the statistical data. For safety we have the statistical data; we know the mean time to failure for a piece of hardware. For security we don’t know the mean time for being attacked. The second difference is that the safety threat landscape really doesn’t change. For security it constantly changes. If I put in a counter measure for security that might help me today, but it might not help me tomorrow.

Where I think safety and security are similar is from an organizational perspective. From a cultural perspective, safety is or should be in the back of the heads of every employee. Safety is always a topic. Everyone understands what safety is all about. Everyone knows if they violate safety procedures, they could get fired.

For security that is not the case, but we should really get there. We should have security policies, for instance, that say if you find a USB stick you should not take it and plug it into a control system and if you do, there will be consequences. That type of cultural shift has not happened. We need to have this cultural shift take place so people understand this is something they need to take care of.

ISSSource: How do safety and security work with each other?
Braendle: I think they are related and they are also connected. If you put in a safety system it also needs security. People have shown that a safety system can also be compromised. Sometimes an argument you hear when talking about security is even if someone for example could compromise a PLC or controller and manipulate the physical process, the safety system should kick in so that for instance a tank doesn’t overflow. But again the safety system could also be compromised.

I don’t think you can say here is security and here is safety and they are completely distinct. I think there is quite a significant overlap that needs to be looked at.

ISSSource: Is there enough technology available today to stop a cyber attack?
Braendle: It is always a race. There is certainly quite a lot of very good technology out there that can minimize the risk to an acceptable level. One of the huge advantages we have for control systems is that we know exactly what should be going on within our systems. With control systems you know exactly what applications you have installed, you know exactly what communications protocols are being used and if something is not on that list it really should not be there. We have some new technologies with application white listing and also traffic white listing that is really going to help us immensely. Now we can create a list of applications that are allowed to run on a PC, a server or an HMI. This kind of technology will help us minimize the risk even further. But we just will never get to the point where we can say we are completely secure.
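The traffic white listing Braendle describes above, as an added example that is not part of the interview and not ABB's or any vendor's tooling: a small Python check that runs a connection log against an explicit list of permitted source/destination/port flows and reports anything outside it, which is the "if it is not on the list it should not be there" rule in code. The host names, the allowlist and the log lines are constructed for illustration; the port numbers for Modbus/TCP (502), DNP3 (20000) and OPC UA (4840) are the standard ones.

```python
"""Allowlist-based traffic check for a control-system network.

Added example, not code from ABB or from the interview. The point from
the text: in a control system the set of expected hosts, applications and
protocols is known, so any flow outside that set deserves attention.
All hosts, flows and log lines below are constructed for illustration.
"""
from collections import namedtuple

Flow = namedtuple("Flow", "src dst port proto")

# Constructed allowlist: which source may talk to which destination on which port.
# Port numbers are the standard ones for Modbus/TCP, DNP3 and OPC UA.
ALLOWED_FLOWS = {
    ("hmi-01", "plc-01", 502, "tcp"),
    ("hmi-01", "plc-02", 502, "tcp"),
    ("scada-srv", "plc-01", 20000, "tcp"),
    ("scada-srv", "plc-02", 20000, "tcp"),
    ("historian", "scada-srv", 4840, "tcp"),
}

# Constructed connection log, one flow per line: "<src> -> <dst> <proto>/<port>"
SAMPLE_LOG = """\
hmi-01 -> plc-01 tcp/502
scada-srv -> plc-02 tcp/20000
hmi-01 -> plc-02 tcp/502
eng-laptop -> plc-01 tcp/502
hmi-01 -> plc-01 tcp/445
historian -> scada-srv tcp/4840
plc-01 -> updates.example.invalid tcp/80
"""


def parse_line(line):
    """Parse one log line into a Flow; return None if the line is malformed."""
    try:
        src, arrow, dst, proto_port = line.split()
        if arrow != "->":
            return None
        proto, port = proto_port.split("/")
        return Flow(src, dst, int(port), proto)
    except ValueError:
        return None


def classify(flow):
    """Return None for an allowed flow, otherwise a short reason it is not on the list."""
    if (flow.src, flow.dst, flow.port, flow.proto) in ALLOWED_FLOWS:
        return None
    # Hosts that appear anywhere in the allowlist are the known inventory.
    known_hosts = {h for f in ALLOWED_FLOWS for h in (f[0], f[1])}
    if flow.src not in known_hosts:
        return "unknown source host"
    if flow.dst not in known_hosts:
        return "unknown destination host"
    return "known hosts, unexpected port/protocol"


def find_violations(log_text):
    """Run every log line through the allowlist; return (flow_or_line, reason) pairs."""
    violations = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        flow = parse_line(line)
        if flow is None:
            # A line the parser cannot read is itself worth a look, not a silent skip.
            violations.append((line, "unparseable line"))
            continue
        reason = classify(flow)
        if reason:
            violations.append((flow, reason))
    return violations


if __name__ == "__main__":
    for item, reason in find_violations(SAMPLE_LOG):
        print(f"{reason}: {item}")
```

On the constructed log this flags three flows: an engineering laptop that is not in the inventory talking Modbus to a PLC, an HMI reaching a PLC on a port no control protocol uses here, and a PLC making an outbound connection to a host outside the plant. The three reasons are deliberately distinct, because an unknown host and an unexpected protocol between known hosts point at different root causes and usually different responders.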

ISSSource: That is the technology side, but what about the social engineering side?
Braendle: I think that goes back to the cultural change issue where people need to understand what could happen. People really need to understand that security is not just about security geeks like me trying to annoy everyone else and trying to make a living for themselves. There is actually a reason for why we are doing what we do. Once people start to understand this and start to be more sensitive about it social engineering will become much harder.

ISSSource: Do you see the social networking sites, being more of a hindrance for you guys?
Braendle: I don’t see it as a hindrance, I see it as more of a risk. In general, many people don’t understand that anything you put on Facebook or Twitter can potentially be seen by anyone. People put too much information out there without considering the risks.

ISSSource: Are you finding more and more companies are now creating a security team?
Braendle: Yes. One of the things we have seen is an increasing number of people that have dedicated time and resources to do security. In the past an engineer often ended up being responsible for his normal job and also security on the side. But that is now changing.

ISSSource: How do you stay ahead of the bad guys?
Braendle: To some extent it comes back to not focusing on specific incidents. If you take a specific malware like Stuxnet and focus all of your energy on fixing just that, you will never stay ahead. We need to look at the bigger picture and do our homework, do risk assessments, threat models, security testing, system hardening etc. For us another very important aspect to properly address cyber security and to stay ahead is to have good partnerships. ABB has for instance a strategic partnership with Industrial Defender that allows us to not only benefit from their know-how and experience but also to truly integrate their solutions with our systems.

ISSSource: Do you hire an outside agency to come in and try to hack you?
Braendle: Actually yes. We have worked with Idaho National Laboratories and also others. With INL we started in 2004 and have been back several times with our network management platforms and also our 800xA control system. The security experts at INL are among the most sophisticated guys around – it is astonishing and a bit scary to see what they can do.

On the product level we have our own, dedicated security test center where we test all of our embedded devices with tools such as Achilles Satellite or Mu8000 platforms.

One Response to “Defend Against Stuxnet, ‘But Look at Big Picture’”

  1. jlangill says:

    It is great to see vendors, like ABB, place Security as a high-priority within their solution development. I only hope that buyers, end-users and integrators will start to consider security capabilities when making commercial decisions.

    The one flaw I see in the approach of ABB, vendors in general, and the national labs like INL is that they are not testing a realistic representation of a true ICS. Most of the time, these test beds are built up from a single vendor, and include a fairly limited diversity of control equipment integration. Real-world ICSs are heterogeneous and comprise the integration of control equipment from a variety of vendors, almost making each installation unique from any other. It is this integration that often leads to significant vulnerabilities that are typically absent from any analysis otherwise performed.

    In order to address this, vendors like ABB, as well as asset owners, need to encourage actual system security testing both before initial commissioning and on a recurring basis, in order to both identify potential overlooked vulnerabilities and measure the effectiveness of the installed security controls.
