Summit: Hacking Via YouTube

Wednesday, June 26, 2013 @ 06:06 PM gHale

By Gregory Hale
Attacking a system today is as easy as jumping on to YouTube and watching a video.

“You can go on YouTube and find out how to hack into a system. You can even pick the system you want to get into,” said Marc Ayala, ICS/SCADA security manager for integrator Cimation, during Wednesday’s 2013 Siemens Automation Summit in New Orleans.

Phishing Attacks Keep Growing
Costs of Breaches Up Globally
Speeding Up System Forensics
Espionage Campaign Uncovered

With the abundance of information out on the Internet and with manufacturers just now getting a firm grasp on the security threat facing them every day, Ayala said users need to really understand what they have on their control systems.

Users should have a plan where they know their policies and procedures, hardware and software, connections and designs, and access control.

Along those lines, Ayala said he went into one user’s facility and asked if they had a disaster recovery plan and they showed him a plan on what they would do if a hurricane or tornado blew through. He said that is fine, but it did not cover a disaster like a huge cyber attack and what, if any, plans they had to back up the system.

One of the things about disaster recovery is “make sure they are up to date because things change,” he said.

When it comes to cyber incidents Ayala said the breakdown is almost 25 percent intentional to 75 percent unintentional. “There is no security without visibility,” he said.

Part of that visibility is about understanding just where users stand with their security profile. One of the most basic forms of security is having a firewall in place.

“I went out and did an assessment and the company had a firewall and they said they had it in place for the past four years,” he said. “But when I looked at it it said ‘allow all.’”

When you really look at it, Ayala said, things have changed in a control room. They used to have up to 15 people manning the control room and then that changed to three or four to now you have one person overseeing a control system.

That means companies need a solid defense in depth program featuring:
• Physical
• Policies and procedures
• Zones and conduits
• Firewalls and DMZs
• System hardening
• User accounts
• Patch management
• Antivirus and whitelisting

Speaking of whitelisting, when Ayala asked if anyone was using the technology, only a few hands ended up raised in the packed room.

“Whitelisting from my experience is a really good technology,” he said.

Application whitelisting permits the execution of explicitly allowed (or whitelisted) software and blocks execution of everything else. This eliminates the execution of unknown executables, including malware.

Ayala was able to demonstrate how he could shut down a system via a denial of service attack, but by using some proper techniques, he was able to stop the attack and keep the system up and running.

“Keeping your system updated and patched can do an awful lot of good for you,” he said. “And when you can’t patch for six months to a year, a simple appliance firewall will help.”

Understanding the threats and your system will not stop a targeted attack, but it will help keep the system more productive and profitable.

Leave a Reply

You must be logged in to post a comment.