Over the holidays, you likely read or heard about a number of “Top 10” lists. Examples include Top 10 News Stories, Top 10 Books, Top 10 Movies, and Top 10 You-Name-It.
Thinking you would not want to miss out on the top topics about one of your favorite subjects, industrial security, I took a look at what the top articles were for this blog in 2014. I also looked at which cyber security white papers and other documents were downloaded most frequently.
The results show that there were three top themes:
1.The End of Support (EOS) for Windows XP
2.The Dragonfly advanced malware campaign
3.“Cyber Security Big Picture”
The “Cyber Security Big Picture” topic included information on the NIST cyber security framework and cyber security concepts for CEOs.
Finally, particular application areas showed a high area of interest. This included Defense in Depth strategies for oil and gas applications and industrial wireless applications.
If any of these topics are of interest to you, or you want to make sure you didn’t miss any useful content, read on.
Reader visits and content downloads helped us determine
the top cyber security topics of 2014.
The End of Service (EOS) for Windows XP means it is going to be harder to keep existing industrial networks cyber secure and available.
After our series of articles on the impact of End of Service (EOS) for Windows XP you may realize that moving away from the operating system is going to be difficult and time consuming. Plus, you need a way to mitigate risk in the meantime.
Fortunately there is an easy fix for mitigating Windows XP risk now. It is as simple as installing industrial firewalls to protect your control networks from malware, whether introduced accidentally or maliciously.
Now, many vendors’ claim that using their products is “easy”. Just like programming a VCR was never as easy as it was cracked up to be, you might be suspicious of our assertion that installing industrial firewalls is easy.
Manufacturing networks such as the one at this pharmaceutical factory can be protected from Windows XP cyber security risk through the use of industrial firewalls.
System Integrators play an important role in helping manufacturers benefit from industrial automation technologies. They design and implement sophisticated control systems and their expertise, project management skills and manpower help companies achieve advances that cannot be realized with internal resources.
If your company is a System Integrator or Control System Integrator then you have likely been building up your expertise in the area of industrial cyber security as demand for services related to this topic has grown.
In fact today I am participating in a webinar for the Control System Integrators Association. It’s about how to help companies reduce the operational risk created by the end of service (EOS) for the Windows XP operating system. The webinar is at 11am EST today, and you can still register for it. If you miss the webinar, this article provides an overview of what I will be saying.
Windows XP EOS is a BIG Opportunity
Windows XP has been the workhorse operating system for factories, energy facilities and many critical infrastructure systems around the world. The operating system runs important manufacturing, process and production applications on the plant floor, in the field as well as in control rooms and engineering offices. It is also embedded in thousands of devices that control many factory automation and process control operations.
With Microsoft ceasing to provide the security updates and “hot fixes” that were routinely available before April 8, 2014, computers and other devices are more vulnerable to security risks and viruses. The EOS of Windows XP places industrial users in a very uncomfortable position.
The risk of security issues and resultant downtime will steadily increase over time. Yet the cost of upgrading or replacing Windows XP-based systems, and particularly the cost of the associated disruption to operations, is often prohibitive.
If your job mandate includes maintaining uptime then network security is an area you can’t afford to ignore. In the industrial space the biggest risk comes from accidental network introductions, such as a virus introduced by a supplier or an employee via a USB drive. Once that happens, your manufacturing or process control operations could be in jeopardy.
In the two videos in this article I explain how cyber security risk is different in the industrial environment than in the IT or office environment. I then zero in on how risk has been increased with the end of service for Windows XP and I explain how industrial firewalls can help.
Preserve Uptime by Minimizing Industrial Cyber Security Risk
Cyber security for industrial networks focuses on preserving uptime by guarding against accidental introductions of viruses or malware. (1:10)
On the eve of April 8, Microsoft retired support for the Windows XP operating system (OS) – leaving millions of Windows XP users susceptible to accidental and deliberate security issues. Though the retirement had been long planned and with fair warning, industrial network users are just beginning to comprehend the ramifications.
And it’s not that Windows XP will no longer work – it’s that Microsoft will no longer provide patches, security updates or infrastructure support, leaving industrial networks vulnerable to production disruptions and system downtime.
Even more concerning? Windows XP is the most popular OS for industrial users. It can be found in ruggedized PCs performing mission-critical tasks, such as control, safety and asset management, as well as embedded in thousands of devices used in factory automation and process control operations.
Those responsible for protecting critical industrial processes and networks are left with few options. And a system upgrade isn’t as simple as it may seem – one upgrade can trigger a lengthy “domino effect.”
Windows XP-based computers, machines and devices are installed EVERYWHERE in industry. They include the white box PCs running important manufacturing, process or production applications on the plant floor, in control rooms and in engineering offices. They also include ruggedized PCs running PLC, DCS and other device configuration / monitoring applications in your processes.
Furthermore, they include a lightweight version of Windows XP that is in embedded components in thousands of devices that control many factory automation and process control operations. Today, I am going to look at what the end of service (EOS) for the Windows XP OS means for those responsible for keeping industrial processes up and running.
There’s no escaping the push to secure industrial applications. The end of support for Microsoft’s Windows XP operating system is just the latest situation that contributes to the need to make sure that industrial networks have cyber security measures in place.
The challenge is how to go about it. No one wants to be tagged with the responsibility to implement it because the technology can be confusing, the doublespeak from the experts can be frustrating, and the pressure to do something without clear direction or budget from management is commonplace.
If you’re the person tasked with security—and if you’re reading this, you probably are—the ambiguity surrounding security for industrial systems has probably struck you already.
Vendors are not offering security like they offer a PLC or drive. There are plenty of experts who can help you, but their approach feels more custom than standardized, and they tell you you’re never completely secure … just more secure than you were before.
One tool in the toolbox to help you improve the cyber resilience of your facility is to leverage the know-how of your company’s IT security experts. Before you start running for the hills at this suggestion, I hope you will read on and find out how this may actually help.
Why IT Are Your Friends When IT Comes to PLC Security
As daunting as solving the industrial systems security puzzle for your facility may seem, a part of the answer has been right in front of you the whole time:
You need to reach out to your friends in the IT department.
While many controls and process engineers have had their struggles working with IT, when it comes to security, they are your most valuable resource.
You have likely never worried about the possibility of a high school geek doing some programming that affects your home water quality. Well, neither had I until I learnt that some municipal networks have no security between the network their schools use and the one that runs their water/wastewater facility.
This was the situation in a mid-sized city in the Eastern U.S. In 2012 the Department of Water Resources upgraded their SCADA network to industrial Ethernet. At the time there was little protection or separation of the SCADA network from the city’s IT network. While this provided many benefits it also made the controls network susceptible to malware attacks and traffic storms.
Fortunately, the team involved, particularly the plant electronics technician, recognized the issue and took the initiative to review the situation and look for ways to improve security. What unfolded next is a great example of how multiple industry players, that is, a standards organization, a cyber security services group and a vendor were able to work together to provide a robust solution.
One of the major differences between industrial networks and enterprise networks is that industrial networks are typically managed by engineers or technicians. Now engineers are experts at making good product, designing control loops and so on, but they are not IT security wizards. That’s the reality, and it means that security products that “just work” reliably and safely with automation systems are going to be more effective in actually delivering security than products that don’t.
That’s why Schneider Electric is to be commended for all the measures they are taking to improve cyber security for their customers. This includes conducting a detailed security analysis of all of their major automation products and partnering with us to create the ConneXium Tofino Firewall in 2012. A , which adds the Tofino Enforcer’s Deep Packet Inspection technology for the EtherNet/IP protocol.
Let’s take a look at what this product does and how its ease of use helps improves SCADA security.