This week, the largest electric utility trade show and conference in the U.S., DistribuTECH, is being held. One of the tracks in the conference portion of the event is “Defending the Grid.” The prominence of the topic at this show, along with recent high-profile hacking attacks (Sony, Target) that have caught the attention of top management in all industries, add up to one thing – it’s time to look at or review the state of cyber defenses at your substations.
It’s not a surprise that critical infrastructure, such as the electrical grid, has been an increasing target for sophisticated cyberattacks. What may be news to you, however, is the fact that the legacy devices and protocols used in substations are particularly vulnerable to both intentional and accidental cyber incidents.
What then is the right approach to take to secure substations? It starts with the best practice of Defense in Depth.
Electrical substations are vulnerable to both intentional and accidental cyber incidents.
Over the holidays, you likely read or heard about a number of “Top 10” lists. Examples include Top 10 News Stories, Top 10 Books, Top 10 Movies, and Top 10 You-Name-It.
Thinking you would not want to miss out on the top topics about one of your favorite subjects, industrial security, I took a look at what the top articles were for this blog in 2014. I also looked at which cyber security white papers and other documents were downloaded most frequently.
The results show that there were three top themes:
1. The End of Support (EOS) for Windows XP
2. The Dragonfly advanced malware campaign
3. “Cyber Security Big Picture”
The “Cyber Security Big Picture” topic included information on the NIST cyber security framework and cyber security concepts for CEOs.
Finally, particular application areas showed a high area of interest. This included Defense in Depth strategies for oil and gas applications and industrial wireless applications.
If any of these topics are of interest to you, or you want to make sure you didn’t miss any useful content, read on.
Reader visits and content downloads helped us determine the top cyber security topics of 2014.
The malware campaign known as Dragonfly has surprised those of us concerned with industrial cyber security on several fronts. Initially, it was notable as the first malware since Stuxnet in 2010 to specifically target Industrial Control Systems (ICS) components.
Then, research done by Joel Langill of RedHat Cyber, showed that its target was most likely the pharmaceutical industry, rather than the energy industry as initially reported. This represented the first time that a sophisticated attack vector had gone after the discrete manufacturing sector.
Next, although Dragonfly collected information on industrial control systems, it did not harm these systems. Instead, it gathered information for the likely purposes of counterfeiting or competitive intelligence. (It would, nonetheless, be easy for its creators to modify its modules for destructive purposes in the future.)
Dragonfly was also remarkable because of the devious methods and pathways it took to get to the control system. Joel coined the apt term “Offense in Depth” to describe the diversified arsenal of attack vectors it employed.
Today, we are releasing the final two parts of our white paper on Dragonfly. These are Part C – Assessing the Consequences and Part D – Defending Industrial Control Systems. These analyses reveal another concerning aspect of Dragonfly, in particular how “usual” security solutions would not have defended against it. Thankfully though, there are techniques and products available to defend against it.
The Dragonfly malware campaign used devious Offense in Depth techniques to access control systems. While “usual” security solutions would not have defended against it, there are techniques and products that would have been effective.
The End of Service (EOS) for Windows XP means it is going to be harder to keep existing industrial networks cyber secure and available.
After our series of articles on the impact of End of Service (EOS) for Windows XP you may realize that moving away from the operating system is going to be difficult and time consuming. Plus, you need a way to mitigate risk in the meantime.
Fortunately there is an easy fix for mitigating Windows XP risk now. It is as simple as installing industrial firewalls to protect your control networks from malware, whether introduced accidentally or maliciously.
Now, many vendors claim that using their products is “easy”. Just like programming a VCR was never as easy as it was cracked up to be, you might be suspicious of our assertion that installing industrial firewalls is easy.
Manufacturing networks such as the one at this pharmaceutical factory can be protected from Windows XP cyber security risk through the use of industrial firewalls.
The age of malware specifically targeting industrial control systems (ICS) began in 2010 when Stuxnet was revealed to be disrupting operations at one of Iran’s nuclear enrichment facilities. Since that shock, we have seen advanced malware, such as Flame and Duqu, target energy companies for espionage purposes. We have also seen the unsophisticated, but highly effective, Shamoon malware massively infiltrate Saudi Aramco.
Today, I want to let you know about a new malware, attributed by Symantec to the “Dragonfly hacking group”. It indicates a modus operandi on the level of Stuxnet in terms of technical brilliance and strategic execution.
Aimed at energy companies, it has at least three different attack mechanisms, including taking over the software download sites at trusted ICS/SCADA suppliers. The download packages look legitimate (since they come from trusted suppliers), but when the unsuspecting user installs them on their control system, the malware comes to life.
What does this have to do with everyday ICS and SCADA security? It is yet another example of targeted attacks of organizations in the energy sector. If you are in the energy sector, or your business relies on it, you may need to factor this type of cyber threat into your security risk assessments.
Let’s take a look at Dragonfly in more detail and see what we can learn from it.
RATs (Remote Access Tools) are key components of the Dragonfly malware.
Image Credits: The Quinton Report and The Dragonfly Woman
When I started Tofino Security in 2006, my two goals were to make industrial cyber security easy to deploy and better suited for the real needs of mission critical networks. Our first generation products went a long way in doing that, but like any initial offerings they reflected a limited feedback loop from users in the field.
Today I am proud to say that we have integrated lessons learned over the last eight years to deliver Tofino 2.0, our next generation of industrial cyber security solutions.
Tofino 2.0 is a suite of products and services that includes:
- A new set of security appliances—the Tofino Xenon product line
- A new software tool—the Tofino Configurator 2.0
- A new Deep Packet Inspection Loadable Security Module (LSM)—the Tofino EtherNet/IP Enforcer
All products are now integrated with online licensing systems, plus made-to-order manufacturing. I believe this combination makes it extremely easy for control systems professionals to deploy ready-to-go cyber security solutions that work.
While normally my articles are designed to help educate you on industrial security topics, I hope my enthusiasm for Tofino 2.0 will convince you to read further and find out how this new generation makes implementing security on the plant floor both flexible and simple.
Introducing our new Tofino Xenon family of state-of-the-art security appliances
Editor’s Note: This article was contributed by Ernie Hayden of Securicon LLC, an expert in industrial controls security, especially for the power utility industry.
About 6 months ago I wrote an article for this blog about the NIST Cybersecurity Framework. The article described how the framework came to be, what it is, what it is supposed to do and what you should do about it.
If you have any interest in industrial cyber security you will want to download the latest version of the framework and have it on hand for reference. If you are in one of 16 critical infrastructure industries (shown in a table in this earlier article), or if you rely on any of them for your success, your organization needs to go one step further and become familiar with its content.
In this article I am going to discuss the newly revised ICS Security Guideline – NIST 800-82 Rev. 2 – and offer some useful thoughts on it.
If you are a regular follower of this blog, you’ve probably noticed that I haven’t been writing much in the past few months. I just have been too busy, traveling and speaking at some really great security conferences.
The most recent and the most informative (for me at least) was the International NCSC One Conference 2014 at the World Forum in The Hague. This is a massive and well organized event run by the Netherlands National Cyber Security Centre, the Dutch equivalent to the US-CERT. Close to 950 people listened to my talk on “The Internet of Insecure Things”.
During NCSC One I heard some great talks on the state of encryption technology today, the SCADA Security consortium and foreign APT threats. But the highlight was the plenary speech by Jon Callas on the second day entitled “Security and Usability in the age of Surveillance”. Jon’s talk focused on Bring Your Own Device (BYOD) security, but it raised some questions that are core to cyber security in the 21st century.
If you’re not familiar with the BYOD security debate and want to get some background, check out my blog on the topic – The iPhone is coming to the Plant Floor – Can we Secure it? The short version is that the BYOD controversy revolves around the possible security issues that arise when employees use their personal mobile devices to access privileged company resources.
A common example is using your iPhone to access your company’s email system – does this increase or decrease corporate security?
System Integrators play an important role in helping manufacturers benefit from industrial automation technologies. They design and implement sophisticated control systems and their expertise, project management skills and manpower help companies achieve advances that cannot be realized with internal resources.
If your company is a System Integrator or Control System Integrator then you have likely been building up your expertise in the area of industrial cyber security as demand for services related to this topic has grown.
In fact today I am participating in a webinar for the Control System Integrators Association. It’s about how to help companies reduce the operational risk created by the end of service (EOS) for the Windows XP operating system. The webinar is at 11am EST today, and you can still register for it. If you miss the webinar, this article provides an overview of what I will be saying.
Windows XP EOS is a BIG Opportunity
Windows XP has been the workhorse operating system for factories, energy facilities and many critical infrastructure systems around the world. The operating system runs important manufacturing, process and production applications on the plant floor, in the field as well as in control rooms and engineering offices. It is also embedded in thousands of devices that control many factory automation and process control operations.
With Microsoft ceasing to provide the security updates and “hot fixes” that were routinely available before April 8, 2014, computers and other devices are more vulnerable to security risks and viruses. The EOS of Windows XP places industrial users in a very uncomfortable position.
The risk of security issues and resultant downtime will steadily increase over time. Yet the cost of upgrading or replacing Windows XP-based systems, and particularly the cost of the associated disruption to operations, is often prohibitive.
If your job mandate includes maintaining uptime then network security is an area you can’t afford to ignore. In the industrial space the biggest risk comes from accidental network introductions, such as a virus introduced by a supplier or an employee via a USB drive. Once that happens, your manufacturing or process control operations could be in jeopardy.
In the two videos in this article I explain how cyber security risk is different in the industrial environment than in the IT or office environment. I then zero in on how risk has been increased with the end of service for Windows XP and I explain how industrial firewalls can help.
Preserve Uptime by Minimizing Industrial Cyber Security Risk
Cyber security for industrial networks focuses on preserving uptime by guarding against accidental introductions of viruses or malware. (1:10)