This week, the largest electric utility trade show and conference in the U.S., DistribuTECH, is being held. One of the tracks in the conference portion of the event is “Defending the Grid.” The prominence of the topic at this show, along with recent high-profile hacking attacks (Sony, Target) that have caught the attention of top management in all industries, adds up to one thing – it’s time to look at or review the state of cyber defenses at your substations.
It’s not a surprise that critical infrastructure, such as the electrical grid, has been an increasing target for sophisticated cyberattacks. What may be news to you, however, is the fact that the legacy devices and protocols used in substations are particularly vulnerable to both intentional and accidental cyber incidents.
What then is the right approach to take to secure substations? It starts with the best practice of Defense in Depth.
Electrical substations are vulnerable to both intentional and accidental cyber incidents.
Editor’s Note: This article was contributed by Julia Santogatta, Belden’s director responsible for wireless initiatives, with expertise from Daniel Wade, Chief Architect-Wireless Products and Jeffrey Caldwell, Chief Architect-Security.
In Part 1 of this article, I introduced the Golden Rule of Industrial Wireless Security – Deploy Securely, Monitor Regularly. Following this rule ensures that unwanted access to your wireless LAN and the rest of your network does not occur.
But, how do you deploy securely?
While you may fear that industrial wireless is insecure, today’s reality is different.
By using current equipment and following our special Golden Rule, it is possible to design a robust and secure wireless application.
These days, most cyber security articles talk about using Defense in Depth, or a layered approach to securing industrial networks. This means using a variety of defenses at various points in the system to protect the network or contain threats. The idea of layering, and the resulting benefits, is no different in wireless applications.
By implementing measures to address these seven key questions you will be building layers of protection that contribute to the best practice of Defense in Depth. Let’s take a look at the questions in detail.
The End of Service (EOS) for Windows XP means it is going to be harder to keep existing industrial networks cyber secure and available.
After our series of articles on the impact of End of Service (EOS) for Windows XP you may realize that moving away from the operating system is going to be difficult and time consuming. Plus, you need a way to mitigate risk in the meantime.
Fortunately there is an easy fix for mitigating Windows XP risk now. It is as simple as installing industrial firewalls to protect your control networks from malware, whether introduced accidentally or maliciously.
Now, many vendors claim that using their products is “easy”. Just like programming a VCR was never as easy as it was cracked up to be, you might be suspicious of our assertion that installing industrial firewalls is easy.
Manufacturing networks such as the one at this pharmaceutical factory can be protected from Windows XP cyber security risk through the use of industrial firewalls.
If you are a regular follower of this blog, you’ve probably noticed that I haven’t been writing much in the past few months. I just have been too busy, traveling and speaking at some really great security conferences.
The most recent and the most informative (for me at least) was the International NCSC One Conference 2014 at the World Forum in The Hague. This is a massive and well-organized event run by the Netherlands National Cyber Security Centre, the Dutch equivalent to the US-CERT. Close to 950 people listened to my talk on “The Internet of Insecure Things”.
During NCSC One I heard some great talks on the state of encryption technology today, SCADA Security consortium and foreign APT threats. But the highlight was the plenary speech by Jon Callas on the second day entitled “Security and Usability in the age of Surveillance”. Jon’s talk focused on Bring Your Own Device (BYOD) security, but it raised some questions that are core to cyber security in the 21st century.
If you’re not familiar with the BYOD security debate and want to get some background, check out my blog on the topic – The iPhone is coming to the Plant Floor – Can we Secure it? The short version is that the BYOD controversy revolves around the possible security issues that arise when employees use their personal mobile devices to access privileged company resources.
A common example is using your iPhone to access your company’s email system – does this increase or decrease corporate security?
System Integrators play an important role in helping manufacturers benefit from industrial automation technologies. They design and implement sophisticated control systems and their expertise, project management skills and manpower help companies achieve advances that cannot be realized with internal resources.
If your company is a System Integrator or Control System Integrator then you have likely been building up your expertise in the area of industrial cyber security as demand for services related to this topic has grown.
In fact today I am participating in a webinar for the Control System Integrators Association. It’s about how to help companies reduce the operational risk created by the end of service (EOS) for the Windows XP operating system. The webinar is at 11am EST today, and you can still register for it. If you miss the webinar, this article provides an overview of what I will be saying.
Windows XP EOS is a BIG Opportunity
Windows XP has been the workhorse operating system for factories, energy facilities and many critical infrastructure systems around the world. The operating system runs important manufacturing, process and production applications on the plant floor, in the field as well as in control rooms and engineering offices. It is also embedded in thousands of devices that control many factory automation and process control operations.
With Microsoft ceasing to provide the security updates and “hot fixes” that were routinely available before April 8, 2014, computers and other devices are more vulnerable to security risks and viruses. The EOS of Windows XP places industrial users in a very uncomfortable position.
The risk of security issues and resultant downtime will steadily increase over time. Yet the cost of upgrading or replacing Windows XP-based systems, and particularly the cost of the associated disruption to operations, is often prohibitive.
If your job mandate includes maintaining uptime then network security is an area you can’t afford to ignore. In the industrial space the biggest risk comes from accidental network introductions, such as a virus introduced by a supplier or an employee via a USB drive. Once that happens, your manufacturing or process control operations could be in jeopardy.
In the two videos in this article I explain how cyber security risk is different in the industrial environment than in the IT or office environment. I then zero in on how risk has been increased with the end of service for Windows XP and I explain how industrial firewalls can help.
Preserve Uptime by Minimizing Industrial Cyber Security Risk
Cyber security for industrial networks focuses on preserving uptime by guarding against accidental introductions of viruses or malware.
On the eve of April 8, Microsoft retired support for the Windows XP operating system (OS) – leaving millions of Windows XP users susceptible to accidental and deliberate security issues. Though the retirement had long been planned and came with fair warning, industrial network users are just beginning to comprehend the ramifications.
And it’s not that Windows XP will no longer work – it’s that Microsoft will no longer provide patches, security updates or infrastructure support, leaving industrial networks vulnerable to production disruptions and system downtime.
Even more concerning? Windows XP is the most popular OS for industrial users. It can be found in ruggedized PCs performing mission-critical tasks, such as control, safety and asset management, as well as embedded in thousands of devices used in factory automation and process control operations.
Those responsible for protecting critical industrial processes and networks are left with few options. And a system upgrade isn’t as simple as it may seem – one upgrade can trigger a lengthy “domino effect.”
Windows XP-based computers, machines and devices are installed EVERYWHERE in industry. They include the white box PCs running important manufacturing, process or production applications on the plant floor, in control rooms and in engineering offices. They also include ruggedized PCs running PLC, DCS and other device configuration / monitoring applications in your processes.
Furthermore, they include a lightweight version of Windows XP that is in embedded components in thousands of devices that control many factory automation and process control operations. Today, I am going to look at what the end of service (EOS) for the Windows XP OS means for those responsible for keeping industrial processes up and running.
There’s no escaping the push to secure industrial applications. The end of support for Microsoft’s Windows XP operating system is just the latest situation that contributes to the need to make sure that industrial networks have cyber security measures in place.
The challenge is how to go about it. No one wants to be tagged with the responsibility to implement it because the technology can be confusing, the doublespeak from the experts can be frustrating, and the pressure to do something without clear direction or budget from management is commonplace.
If you’re the person tasked with security—and if you’re reading this, you probably are—the ambiguity surrounding security for industrial systems has probably struck you already.
Vendors are not offering security like they offer a PLC or drive. There are plenty of experts who can help you, but their approach feels more custom than standardized, and they tell you you’re never completely secure … just more secure than you were before.
One tool in the toolbox to help you improve the cyber resilience of your facility is to leverage the know-how of your company’s IT security experts. Before you start running for the hills at this suggestion, I hope you will read on and find out how this may actually help.
Why IT Are Your Friends When IT Comes to PLC Security
As daunting as solving the industrial systems security puzzle for your facility may seem, a part of the answer has been right in front of you the whole time:
You need to reach out to your friends in the IT department.
While many controls and process engineers have had their struggles working with IT, when it comes to security, they are your most valuable resource.
You have likely never worried about the possibility of a high school geek doing some programming that affects your home water quality. Well, neither had I until I learnt that some municipal networks have no security between the network their schools use and the one that runs their water/wastewater facility.
This was the situation in a mid-sized city in the Eastern U.S. In 2012 the Department of Water Resources upgraded their SCADA network to industrial Ethernet. At the time there was little protection or separation of the SCADA network from the city’s IT network. While this provided many benefits it also made the controls network susceptible to malware attacks and traffic storms.
Fortunately, the team involved, particularly the plant electronics technician, recognized the issue and took the initiative to review the situation and look for ways to improve security. What unfolded next is a great example of how multiple industry players (a standards organization, a cyber security services group and a vendor) were able to work together to provide a robust solution.