Getting to Grips with SCADA/ICS Cyber Security

Our last blog, contributed by Thomas Nuth, highlighted the fact that industrial cyber security is now being discussed by heads of state within the international community – the Executive Order – Improving Critical Infrastructure Cybersecurity signed by President Obama in February of this year being just one indication of the importance being attached to this issue.

Let’s continue the discussion…  Read more »

Securing SCADA Systems: Consider Compensating Controls for More Reliable Operation

Editor’s Note: This article was contributed by Thomas Nuth, product marketing manager.

Three years ago, the concept of industrial cyber security became a popular discussion topic within the industrial networking community. Now the discussion has risen to the level of heads of state within the international community. The Executive Order – Improving Critical Infrastructure Cybersecurity signed by President Obama in February of this year is just one indication of the importance being attached to this issue.

What’s also interesting is the change in focus of this discussion topic. The key question has changed from an interested “Why do we need to secure our industrial network?” to a frantic “How do we do it?”

Obama’s Executive Order on Cybersecurity: A Sign of the Times? Image Credit: Mashable

Read more »

Patching Has Its Place in SCADA and ICS Security

If you have read my previous blogs on patching for control system security, you might think I am completely against patching. Guess what? I’m not against them!

Actually, I think applying patches is a critical part of good security. According to US-CERT, about 95% of all network intrusions could have been avoided by keeping systems up to date with appropriate patches. If you never patch, you are leaving your system open to a decade of malware.

What I am against is patching as a knee-jerk reaction to security vulnerabilities. You can’t expect your control system to operate reliably if you don’t have a controlled process for patching.

In the words of Richard Brown, at Dow Chemical:

“Patch management is about managing the risk of change”.

Patches are changes to your system. Changes to your system need to be managed. One cannot blindly deploy new patches into the process control environment without risking disruption of operations. Thus careful policy and practice is required to balance the need for system reliability with the need for system security.

A successful patching strategy balances system reliability with system security. Image credit: A Perfect World

Read more »

Patching in a Rush? Risky Business for SCADA and ICS Security

In my last blog, I discussed the reasons why critical industrial infrastructure control systems are so vulnerable to attacks from security researchers and hackers, and explained why patching for such systems is not a workable solution.

But let’s now examine the good, the bad and the ugly details of patching as a means to secure SCADA and ICS systems. And to begin, let’s suppose patches could be installed without shutting down the process (for example, through the staged patching of redundant controllers)…

“You may run the risks, my friend…” Image Credit: pictureshowpundits.com

Read more »

Why Patching for SCADA and ICS Security is a Broken Model

As regular readers of this blog know, after Stuxnet, security researchers and hackers on the prowl for new targets to exploit shifted their efforts to critical industrial infrastructure.

Unfortunately, the Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems (ICS) applications they are now focusing on are sitting ducks.

Up until recently SCADA and ICS systems have been designed with reliability and safety in mind; security has been a minor consideration. Products that have never faced security tests are now under attack from sophisticated vulnerability discovery tools, and major control system security flaws are being continuously exposed.

Read more »

Not All SCADA Security Attacks are Stuxnet Quality

Recently I received an email (shown further down on this page) purporting to be from the US Internal Revenue Service (IRS).

Phishing, like fishing, can be profitable. Image Credit: Fotopedia

Notice that the US Internal Revenue Service now uses Cyrillic script on its staff email addresses! And they use AOL as an email service, rather than irs.gov. (Is the US budget sequestration really hurting that badly?)

The third fun item is that the link you are supposed to click on (irs.gov/pub/irs-pdf/forms2012/) actually resolves to prospectrealty.net/wp-content/plugins/Bridge-Book-Printer/forms.htm.

(Note to Prospect Realty – you might want to secure your web site a little better.)
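The three giveaways listed above (non-ASCII characters in the sender address, a sender domain that is not the claimed organisation's, and link text naming one host while the link goes to another) can be checked mechanically by a mail filter. The Python below is an added example, not part of the original post; the function names are hypothetical, the sender address is constructed, and the `http://` scheme on the link target is an assumption.

```python
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample: made-up sender address; the two URLs are those quoted in the post.
SAMPLE_FROM = "Internal Revenue Service <налог@aol.com>"
SAMPLE_HTML = ('<a href="http://prospectrealty.net/wp-content/plugins/'
               'Bridge-Book-Printer/forms.htm">irs.gov/pub/irs-pdf/forms2012/</a>')

class LinkCollector(HTMLParser):  # gathers (href, visible text) for every <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(text):  # hostname of a URL or of bare 'host/path' text, else ''
    try:
        host = urlparse(text if "://" in text else "//" + text).hostname or ""
    except ValueError:
        return ""
    return host if re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", host) else ""

def under(host, domain):  # True if host is domain or one of its subdomains
    return host == domain or host.endswith("." + domain)

def phishing_indicators(from_header, html_body, claimed_domain):
    findings = []
    addr = parseaddr(from_header)[1]
    sender_domain = addr.rpartition("@")[2].lower()
    if not addr.isascii():
        findings.append("non-ASCII characters in sender address")
    if not under(sender_domain, claimed_domain):
        findings.append(f"sender domain {sender_domain} is not {claimed_domain}")
    collector = LinkCollector()
    collector.feed(html_body)
    for href, text in collector.links:
        shown, actual = host_of(text), host_of(href)
        if shown and actual and not under(actual, shown):
            findings.append(f"link shows {shown} but goes to {actual}")
    return findings
```

Calling `phishing_indicators(SAMPLE_FROM, SAMPLE_HTML, "irs.gov")` reports all three indicators for the constructed message; a message sent from the claimed domain whose links stay on that domain returns an empty list.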

Beware Industrial Security Pros: Phishing Season is Open

Obviously, this email is a phishing attack. The creators of the email want me to click on the fake IRS link. If I did, my browser would be directed to the Prospect Realty website they have hacked. There I would either see a page that looked like an IRS log-in page (so the crooks could steal any confidential corporate information I enter) or the site would try to download some nasty Java applet that would take over my computer (assuming I hadn’t patched Java recently).

This phishing attack is so crude and so obvious that it is funny.

But in another way, it isn’t funny at all.

Phishing is Profitable for Attackers

Attacks like this only continue if they make their creators money. And the criminals behind them have very simple and effective ways to determine if their attacks are effective. They launch the email and then count the number of suckers that click in the next few hours. If they don’t get any clicks, they try something different. If they get enough victims, they launch the attack again against a new list of email addresses.

Now I received this same phishing email multiple times over several days – which leads me to believe that it was effective for the bad guys. Poor sods were clicking on the links. And these aren’t just any poor sods. Remember that this email is addressed to employers – not grandma or grandpa. So the email is an attack on the accounting teams in corporations, a group one might hope is very computer savvy.

Not All Cyber Security Threats are Stuxnet Quality

So what is my point? In the SCADA and ICS world we worry a lot about highly sophisticated threats like Stuxnet attacking our companies. Yet it seems that completely amateurish attacks work too (remember Shamoon?). Crooks don’t need sophisticated teams of hackers to be successful in cybercrime. All they need are employees to be so poorly trained that they click on even the most obvious phishing email.

Industry has a long way to go to make both IT and SCADA systems truly secure. To get there, it will cost a lot of money. But it seems like there are a lot of baby steps that still aren’t being taken on the road to security. Maybe it is time to take another look at those.

Does your organization train employees to be wary of phishing attacks? Do you have any “phishing” stories to share?

Related Content to Download

White Paper: “Using ANSI/ISA-99 Standards to Improve Control System Security”

Download this White Paper and learn about:

  • The ANSI/ISA-99 Zone and Security Model
  • A Real World Oil Refinery Example
  • Implementing Zones and Conduits with Industrial Security Appliances
  • Testing and Managing the Security Solution

Note: ANSI/ISA-99 Standards have recently been renamed ISA IEC 62443 Standards.


© Tofino Security 2013 | All Rights Reserved | Tofino Security is a Belden Brand

Essential Cyber Security Concepts for CEOs

Editor’s Note: This is an excerpt from ISSSource.

It wasn’t that long ago when cyber security seemed like a foreign language to those folks entrusted with running companies. It was not like they didn’t know about it, but it just was not top of mind.

Not anymore.

With cyber threats evolving to the point where they are affecting their companies and their customers’ companies, chief executives are taking a new look and approach to how they attack cyber security.

They know meeting objectives and delivering on business initiatives means they need to rely on information systems and the Internet. That means a cyberattack could cause severe disruption to a company’s business functions or operational supply chain, impact reputation, or compromise sensitive customer data and intellectual property. Read more »

ICS Security Requires an Overall Perspective

Editor’s Note: this is an excerpt from the Pike Research Blog.

The story goes that a group of business people were stranded on a desert island with a bountiful supply of canned and therefore imperishable food, but no way to open the cans. As the group struggled to find a solution the lone economist in the group piped up, “Assume a can opener…”

Sometimes it seems that’s how we approach industrial control systems (ICS) security. “Assume a secure perimeter…” It’s not fair to expect any single product or any single vendor to provide complete security for ICS networks, and yet we seem stuck in a world of point-solution purchases and security without any overriding architecture. It’s as if we’re saying, “If I can just get me some [insert technology of the week], then I’ll be secure.” Read more »

New SCADA Security Standard needs Your Input NOW

We all agree that SCADA and Industrial Control System security needs to improve. However, there is a lot of disagreement on what exactly needs to happen to make security for industrial systems easier to deploy and more effective. Last week’s blog exchange between me and Dale Peterson is just one example of those differences. Now this week I am going to go in a different direction when it comes to improving security.

Something I believe industry urgently needs is better standards for information exchange between security solutions.

It is great to have the latest security technologies like VPNs, anti-virus (AV), firewalls, IDS, etc. on your plant floor. Unfortunately getting them to interact with each other can be like pulling teeth. Read more »

“Rip and Replace” is Not How SCADA Security will Improve

As a reader of this blog you likely don’t need to be convinced that SCADA and ICS Security need to be greatly improved. There are several ways to go about accomplishing that, and I am glad that there is a healthy dialogue underway on this topic within the industrial security community. This includes the back and forth between myself and Dale Peterson of Digital Bond that continues with this article.

When I attended Digital Bond’s S4 Conference earlier this month I heard Dale talking about “SCADA apologists”; however, I didn’t think he was referring to me. Then, in a blog article posted yesterday, he says “I’m disappointed that Eric went the SCADA apologist route”.

I am writing today to restate my position on what I believe needs to happen to improve SCADA and ICS security. I will also clarify where our own Tofino Security products fit in. Read more »
