While cybersecurity has always been a major concern for any industry, a common perception was that the threat from it pertained to losing proprietary data, falling victim to espionage, and facing shutdowns. The Triton (also called Trisis or HatMan) attack last year, however, has shown another side of that very serious threat: potentially catastrophic disaster.
Traditionally industrial control systems were designed to run in isolation on their own control networks, where few could have foreseen a threat from cybersecurity. With the evolution of other technology around industrial facilities however – including smart sensors, wireless gateways, remotely managed systems, virtualization, cloud computing, smartphones and various business intelligence needs – the chances of these industrial systems remaining free from external interference grow slimmer by the day.
The first proof of industrial control systems being manipulated externally was Stuxnet in 2010, a script deliberately designed to sabotage industrial controllers running centrifuges. This was followed by the Havex attack in 2013, which targeted electricity grids and power companies; a large amount of data was gathered through it for espionage and sabotage. 2015 saw two threats: BlackEnergy, which destroyed data and files on workstations and caused significant power outages in Ukraine, and IronGate, which was discovered on public sources and performed the same function as Stuxnet. Industroyer caused havoc in 2016; this malware wiped data and performed DDoS attacks on the network, causing another shutdown of Ukrainian grids.
The Triton attack was found in 2017, and its discovery may have narrowly prevented a serious disaster. This malware could infect Triconex safety controllers, giving the attacker access to change safety parameters. A malicious attack of this kind could disable safety setpoints for industrial equipment, potentially causing an incident of the same magnitude as the Jiangsu Tianjiayi Chemical Plant explosion.
The first step to tackling this threat is understanding where attacks can come from, since attackers use reconnaissance as a first step to gauge and understand the target's weaknesses over a period of time. In the longer run an organization may use Threat Vector Analysis to identify the different methods an attacker may use, or that the system might be prone to. All of this needs to be based on the risk emerging from a Business Impact Analysis of your company's assets. To start with, you might take some off-the-shelf assessment tools and use them to segregate your critical assets from non-critical ones and perform a gap assessment on them.
Some of the common entry points for attackers are:
- Inbound attacks from external networks, the internet, and remote connections through ERP, gateways, and repositories like SharePoint and online Historians
- Improperly configured firewalls and gateways
- User Access through stolen/phished credentials into business workstations and control computers
- Physical attacks that target production systems; in most cases these are HMIs, engineer/operator workstations, and the actual process/safety controllers
- Lateral network attacks that target control networks and use industrial communication protocols to discover other devices on the network and spread malicious code
- Social engineering attacks, which focus on using personally identifiable information to trick insiders into granting access, opening gateways and running scripts unintentionally
Each type of attack comes with its own set of precautions that we’ll discuss below:
Segregation and Segmentation:
While it may sound obvious, a thorough gap assessment of the control network through tools and qualified personnel can often reveal many unmonitored access points that are overlooked even when standard practices to protect the control network are followed. These threats may stem from:
- Unrestricted access to engineering/operator workstations
- Outdated malware detection
- Third party applications and connectors that haven’t been secured or audited
- Lack of DMZs or data diodes when exporting data from control networks
- Critical assets connected on a common domain
Manage User Access Control:
This task covers taking actions to restrict unauthorized access and tracking and halting any activity related to unauthorized access. This includes:
- Hardening access against unauthorized personnel
- Managing policies and updating them on a strict schedule
- Enabling multi-factor authentication across the organization
- Whitelisting, with alarms based on pre-approved addresses, locations and ports to identify who is accessing systems
- Changing defaults for all passwords and passcodes, renewing user passwords periodically
Patching all control and safety equipment to the newest firmware versions needs to be a periodic activity. While routine non-intrusive patches should be the way to go for all critical controllers, at the very least patching should be done during each annual maintenance cycle.
Run Validation Checks:
Program, logic and executable validation checks ensure that changes to logic, code and scripts are the ones made intentionally by an authorized person. Emulated validation environments help monitor any unwanted changes to logic and parameters, in addition to helping operators train on the equipment without risking actual physical systems. There are tools available that automatically detect any change at the logic level; any such change is executed in a controlled environment with a backup copy maintained, ready to be restored in case a controller or system gets compromised.
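The validation check described above, as an added example that is not from the article: each controller's exported program is hashed against a baseline, a change is accepted only when a change record names that controller and the exact program the approver reviewed, and anything else is flagged for restore from the backup copy. Controller names, programs and approver names are constructed.

```python
"""Added example, not from the article: flag controller logic changes that have
no approved change record, so the controller can be restored from backup."""
import hashlib
from dataclasses import dataclass, field

def logic_digest(logic: bytes) -> str:
    """SHA-256 of an exported controller program; the baseline stores these."""
    return hashlib.sha256(logic).hexdigest()

@dataclass
class ChangeRecord:
    controller: str
    approved_by: str
    new_digest: str  # digest of the exact program the approver reviewed

@dataclass
class ValidationResult:
    unchanged: list = field(default_factory=list)
    authorized: list = field(default_factory=list)
    unauthorized: list = field(default_factory=list)  # restore these from backup

def validate_logic(baseline: dict, current: dict, approved: list) -> ValidationResult:
    """Compare current programs with the baseline digests. A change counts as
    intentional only if a record names both the controller and the digest that
    was reviewed; any other difference is flagged for restore."""
    approved_digests = {(c.controller, c.new_digest) for c in approved}
    result = ValidationResult()
    for name, logic in sorted(current.items()):
        digest = logic_digest(logic)
        if baseline.get(name) == digest:
            result.unchanged.append(name)
        elif (name, digest) in approved_digests:
            result.authorized.append(name)
        else:
            result.unauthorized.append(name)
    return result

def restore_plan(result: ValidationResult, backups: dict) -> dict:
    """Map each flagged controller to the backup program to load back."""
    return {name: backups[name] for name in result.unauthorized}

# Constructed sample: one approved logic update (PLC-02) and one unexplained edit (PLC-03).
BACKUP_LOGIC = {"SIS-01": b"IF PT-101 > 95 THEN TRIP", "PLC-02": b"PID loop v3",
                "PLC-03": b"valve sequence v1"}
BASELINE = {n: logic_digest(p) for n, p in BACKUP_LOGIC.items()}
CURRENT_LOGIC = {"SIS-01": b"IF PT-101 > 95 THEN TRIP", "PLC-02": b"PID loop v4",
                 "PLC-03": b"valve sequence v2"}
APPROVED = [ChangeRecord("PLC-02", "eng.lead", logic_digest(b"PID loop v4"))]
def run_check() -> ValidationResult:
    return validate_logic(BASELINE, CURRENT_LOGIC, APPROVED)
```

A change record that names the controller but a different digest (for example a later, unreviewed edit) is still flagged, which is the point of binding approval to the exact program.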
Add Physical Security:
Considering recent cybersecurity threats, some control system vendors now include physical locks on their controllers which prevent any additional code from being executed on a controller without first passing the physical security layer.
Train on Cybersecurity:
A critical part of the cybersecurity threat comes from attackers relying on mistakes made by plant personnel. No cybersecurity measure can be fully implemented without all stakeholders being fully on board and aware of their responsibilities. This includes training personnel in how to identify attacks, how to protect their personally identifiable information, and how to secure themselves against attacks. This training should be provided at all levels: Management, Executives, OT System Administrators and Users.
Create an Incident Response Plan:
On the off chance that a mistake or oversight leaves an opening for potential attackers, a cybersecurity implementation effort needs to include an actionable plan for personnel to follow if security is breached or a threat is identified. Once designed, these plans need to be practiced through regular workshops and made available to all responsible personnel to ensure quick action if security is breached.
Maintain an Updated Asset Register:
Keeping an up-to-date record of all OT assets, including switches, routers, firewalls, OWS and EWS PCs, SCADA, Historian servers, controllers, and any other IP-addressable device, reduces the chance of leaving an unmanaged system for attackers to exploit. Assets can be monitored over the network for their latest version updates, and patches and any vulnerabilities can be tracked through various tools.
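An added example, not from the article, of the reconciliation such a register enables: devices observed on the control network are compared with the register to surface unmanaged devices, stale register entries, and assets running firmware older than the vendor's current version. Every asset name, IP address and version below is constructed sample data.

```python
"""Added example, not from the article: reconcile an OT asset register with
devices observed on the control network and flag unmanaged or outdated assets."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    ip: str
    kind: str      # switch, firewall, EWS, OWS, controller, historian ...
    firmware: str  # version recorded at last review
    owner: str

def parse_version(v: str) -> tuple:
    """'4.2.10' -> (4, 2, 10) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

def reconcile(register: list, observed: dict, latest: dict) -> dict:
    """observed: ip -> firmware actually seen on the network;
    latest: asset kind -> vendor's current version.
    Returns IPs not in the register (unmanaged devices), registered assets not
    seen (stale entries or offline devices), and assets behind the latest firmware."""
    by_ip = {a.ip: a for a in register}
    unregistered = sorted(ip for ip in observed if ip not in by_ip)
    missing = sorted(a.name for a in register if a.ip not in observed)
    outdated = []
    for ip, fw in observed.items():
        a = by_ip.get(ip)
        # Use the version seen on the wire, not the register's, so drift is caught too.
        if a and a.kind in latest and parse_version(fw) < parse_version(latest[a.kind]):
            outdated.append((a.name, fw, latest[a.kind]))
    return {"unregistered": unregistered, "missing": missing, "outdated": sorted(outdated)}

# Constructed sample register, network observation and vendor version list.
REGISTER = [
    Asset("FW-01", "10.10.0.1", "firewall", "7.0.2", "netsec"),
    Asset("EWS-01", "10.10.1.10", "EWS", "10.0.1", "ot-admin"),
    Asset("HIST-01", "10.10.1.20", "historian", "2.3.0", "it-ops"),
    Asset("SIS-01", "10.10.2.5", "controller", "4.1.0", "safety-eng"),
]
OBSERVED = {"10.10.0.1": "7.0.2", "10.10.1.10": "10.0.1",
            "10.10.2.5": "4.0.3",    # controller reports older firmware than the register
            "10.10.2.77": "1.0.0"}   # device nobody registered
LATEST = {"controller": "4.1.0", "firewall": "7.0.2", "EWS": "10.0.1"}

def run_reconcile() -> dict:
    return reconcile(REGISTER, OBSERVED, LATEST)
```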
How to get started?
Getting started on cybersecurity for industrial systems isn't as daunting a task or as big an investment as it might appear at first, and the tradeoff against the amount of damage that can be prevented makes it ridiculous not to consider investing in cybersecurity. Like any company-wide initiative that needs to succeed, cybersecurity also requires in-house champions who work for its cause and help the company adopt the new policies and procedures necessary to implement it. In most cases the best way forward is to define owners for business network cybersecurity and control network cybersecurity.
Cybersecurity needs to be a plant-wide initiative. It is implemented through the following phases:
Phase 1: Design & Framework
Designing a Cyber Security Management system is the most comprehensive phase and requires the most investment in terms of time and effort. There are many cybersecurity consultation firms out there that focus on helping companies design their cybersecurity infrastructure, policies and procedures. This task includes identifying all systems and personnel linked to cybersecurity, defining their roles, defining their access and control rights, and building policies around these parameters to ensure safe operations. The cybersecurity design phase also requires a significant internal push and buy-in from stakeholders to ensure its successful completion.
Phase 2: Gap Assessment
The assessment phase primarily consists of reviewing the cybersecurity design, and identifying potential vulnerabilities and risks depending on business impact. Identified gaps are promptly addressed and updated in the design. Assessments can be performed using experienced personnel and various tools that sniff the network level packets and identify anomalous behavior and gaps in system hardening.
Phase 3: Implementation
This part is the actual implementation of cybersecurity policies, procedures and practices. Often external help at this stage can help significantly speed up the implementation process and ensure all checklists are marked promptly. One key method of implementation is system hardening.
Phase 4: Audit
Auditing cybersecurity covers tasks like comprehensive penetration testing to ensure that the cybersecurity implementation is achieving the desired results. Specialized audit companies usually tackle this job and help ensure solid cybersecurity. This part requires the largest amount of external expertise for a new implementation; however, if an internal cybersecurity audit team is trained during all phases, that team can then use its learning and expertise to audit other plants and facilities in the company.
Osman Ahmed, Business Development Lead
Asad Rehman, Design & Application Engineer
Ahmed Habib, Marketing Manager
INTECH Process Automation