


Close the ICS Security Gap & Open the Doors to IoT Success

The internet of things (IoT) has unlocked data that helps manufacturers operate more efficiently to meet today’s market demands. It also could potentially open the door to cybercriminals. Industrial control systems (ICS) are becoming more vulnerable to malicious attacks, in some cases due to additional IoT connectivity.

To remain competitive, manufacturers know they can’t halt or scrap their IoT plans. That means they need to understand how to identify security risks and best practices to protect themselves. This interactive guide offers a closer look at the current state of ICS security, tips to help identify and address risks and keys to protecting systems from potential threats.


71% of large-size manufacturers responding to a 2017 survey on industrial cybersecurity said they experienced at least two security incidents over the previous 12 months.1


Threats are on the rise.


Malware is spreading from IT systems to operations. Expect more cybercriminals to remotely access industrial automation systems with malware due to accidental infections from more traditional office networks’ IT systems and limited adoption of security best practices in operations systems.2


Once criminals have access to the system, they can conduct malicious operations manually simply by understanding the different protocols that are commonly used within an operational environment.

Triton’s RAT Attack
Triton malware attacked Schneider Electric’s Triconex Safety Instrumented System (SIS) in 2017.3 Triton is a Remote Access Trojan that caused a shutdown at an operation in the Middle East.4 Schneider’s SIS devices monitor and shut down processes if they move beyond safe parameters. “The malware has the capability to scan and map the industrial control system to provide reconnaissance and issue commands to Tricon controllers. Once deployed, this type of malware, known as a Remotely Accessible Trojan (RAT), controls a system via a remote network connection as if by physical access,” according to Schneider.


The threat of ransomware attacks against industrial firms is increasing. In the first half of 2017, Trojan ransomware attacks on ICS tripled.5 Attackers launch ransomware software to exploit programmatic flaws on a computer or server. They often lock the files or programs and then demand payment—often in the form of digital currency.6

WannaCry Raises Red Flags
In 2017, a ransomware attack known as WannaCry infected more than 200,000 Windows-based systems worldwide. The U.S. linked the attack to North Korean actors. ICS security firm Claroty warns that industrial environments are vulnerable to similar attacks for various reasons, including a lack of segmentation between their IT and OT networks, and the presence of Windows machines inside ICS environments that are not fully patched and often outdated or unsupported.7 The attacks impacted several manufacturers, including disruptions at Honda and Renault-Nissan auto plants.8

PLC Worms

A potential new threat is the introduction of PLC worms, which could spread from one programmable logic controller (PLC) to another.9 Worms differ from viruses because they can self-replicate across a network without any human action (such as downloading a file or opening an email). Researchers have tested worms specifically designed to attack PLCs. Unlike previous attacks, such as Stuxnet, the worm is capable of spreading from one PLC to another without the use of a PC.10

“PLC-Blaster” Test Exposes Weaknesses
Researchers from OpenSource Security created an experimental worm called PLC-Blaster that targeted Siemens SIMATIC S7-1200v3 controllers.11 The worm uses the PLC’s communication features to spread from one device to another. The most likely cause of infection would involve distribution of the worm by an industrial component supplier, or infection of the device during transport.

Are your existing security measures enough?

Traditional security approaches are often inadequate to protect against the latest threats. Some common tactics include the use of air gaps and “security through obscurity.” Unfortunately, many organizations don’t understand how these approaches work well enough to make them effective. Here’s a closer look at each approach and the challenges they present:

Air Gaps

An air gap is essentially a fallacy. In an industrial environment, many organizations may believe their operations systems are protected because they’re not connected to a network. But they may be tied to enterprise networks, such as the ERP system, which often have some level of internet connectivity. On average, industrial networks have 11 direct connections to enterprise networks.12 In some extreme cases, the U.S. Department of Homeland Security has identified up to 250 connections. Even truly air-gapped systems are not safe. Stuxnet is one of the most prominent examples of an air-gapped system under attack. In the case of Stuxnet, infected USB sticks bridged the air gap and wreaked havoc on the operations network.

Security Through Obscurity

Similarly, security through obscurity is built around the idea that the complexity of an ICS protects the system from attacks. Many organizations believe they’re safe because their ICS isn’t connected to the internet or there is relatively little public knowledge about the way an ICS operates. The increase in IoT-enabled attacks proves that cybercriminals are more sophisticated than many people believe.


Attack modes and consequences.

Once attackers gain access to a system, they can take advantage of a manufacturing operation in many ways, including:

  • View: Impeding or eliminating view of key interfaces, such as an HMI.
  • View: Misdirecting operators by manipulating information.
  • Control: Denying access to critical systems.
  • Control: Changing control signals sent between devices.
  • Control: Preventing information and control signals from reaching intended devices or systems correctly.

Each type of attack can result in significant consequences for manufacturers, including:

Financial Losses
The average annual financial loss for an organization experiencing an ICS cybersecurity breach is $347,603, which includes the actual consequences of the incident and corrective actions (such as software upgrades and additional training).13

When attacks occur, downtime or complete shutdowns are inevitable. For example, Renault and its alliance partner Nissan had to idle some of their plants in Europe due to the WannaCry attack.14 Honda was also forced to halt production at a plant near Tokyo.15

Compromised Safety
Cyberattacks may target critical safety systems, as demonstrated in the Triton incident. By attacking the SIS, hackers could have used Triton to cause an explosion or a leak.16 Triton’s code could have disabled the SIS’ safety measures, including automated shutdown capabilities if any abnormalities were detected.

IP Losses
Hackers could launch an attack that gains access to an entire network map. Hidden in this network map is information about the manufacturing process, including how devices and systems are configured. The loss of intellectual property (IP) could put manufacturers at a competitive disadvantage.

7 best practices for securing your ICS.


Assemble a Cross-Functional Security Team

Prevention starts with the workforce. Build a cross-functional security team that oversees implementation and monitoring of the security system. The team should consist of key personnel from the IT staff as well as a controls engineer, a control system operator, security subject matter experts, a member of the enterprise risk management staff and representatives from the control system vendor or integrator.17 The National Institute of Standards and Technology (NIST) also recommends that:

  • The team has knowledge about network architecture, security infrastructure and security processes and practices.
  • The team reports directly to the information security manager who reports to a facility manager or enterprise IT security manager, such as a CIO or CSO, who assumes complete responsibility for ICS security.

Maintain Up-to-Date Software

Don’t take a passive approach to security. Organizations should take an active role in upgrading their software so they can ensure they have the most recent versions as quickly as possible. According to ICS CERT, additional proactive measures should include:

  • Develop a patch and vulnerability management plan for ICS.
  • Set a schedule for software upgrades and patch management.
  • Develop procedures to carry out security patches quickly and implement updated software recommendations on a regular basis.

Shared Responsibility: IoT Cyber Safety & Security

The Internet of Things (IoT) has introduced unprecedented connectivity and major shifts in the way businesses innovate and operate. To realize the full promise of IoT, we must all acknowledge the peril connected technology presents and each take responsibility for securing the IoT landscape. We must band together.


Perform a Security Audit

Before making any changes, upgrades or additions to the ICS security framework, it’s important to understand current capabilities and vulnerabilities. Organizations can accomplish this by performing a security audit. The key steps in a security audit include:

Step 1: Inventory of Assets
Many manufacturers don’t have complete transparency into which assets they need to protect, such as PLCs, HMIs and SCADA systems. Categorize assets based on common properties and understand the data attributes of each asset. This exercise helps manufacturers identify what they need to protect.

Step 2: Inventory of the Network
Organizations also need to know how their assets are connected via networks to understand data paths. Mapping the enterprise’s network helps manufacturers identify how an attacker could gain access to data.

Step 3: Inventory of Data Flows
Many industrial automation protocols don’t include options for securing traffic. This is critical because many attacks only require access to the network and understanding the protocol. Manufacturers should conclude their security audit by understanding the port, protocol, end-points and timing requirements (deterministic or not), so they know where their data needs to flow over the network assets identified in Step 2.


Build a Secure Architecture

Two of the key components to a secure architecture are segmentation and the use of secure protocols at different layers within the ICS.


In the simplest terms, segmentation involves the separation of the ICS network from the corporate network. This includes the use of two opposite-facing firewalls to create a “demilitarized zone” (DMZ) for any communications between them.18 The DMZ allows users to receive historian data, antivirus upgrades, patches and other updates without placing the network at risk.19 A best practice is to segment networks with similar functionality into zones, including an enterprise zone (enterprise network/site business planning network), manufacturing zone (DMZ/manufacturing operations and control) and a security cell (supervisory control network/control system network/field device level network).20 All communications within each zone are trusted, while any that enter or leave the zone must be filtered or monitored.21 Preventing unwanted communications requires an automatic, heuristic software tool.22 These tools should flag unexpected traffic, and disallow unauthorized traffic through security points.23

Secure Protocols

Not all operations or IoT protocols are created equal. The nature of the factory is that it contains legacy equipment, as machines and assets are expected to perform for 10 or 20 years, and often even more. Legacy equipment communicates using legacy protocols. To promote interoperability, these protocols are often used even in modern plants. But many of these protocols, such as Modbus, are completely devoid of security.


While it may be impossible to eliminate legacy protocols from an operations network, organizations can ensure their use is controlled. Manufacturers should convert legacy, unsecure protocols into modern, secure protocols such as OPC UA or MQTT using an OPC server or industrial communications platform. They should avoid sending data over a wide-area network using legacy protocols that lack security options. Similarly, legacy protocols should never be used to communicate in network layers above Level 3 in the ISA 95 stack. They should be used only in direct manufacturing control.
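The segmentation and legacy-protocol rules above can be checked against the data-flow inventory from Step 3 of the security audit. The following is an added example, not part of the original guide or of any vendor tool: the hostnames and flows are constructed, and the ISA-95 level assigned to each zone is an assumption.

```python
from dataclasses import dataclass

# Modbus is the legacy protocol the guide names; extend this set from your own inventory.
LEGACY = {"modbus"}
# Zone names follow the guide. The ISA-95 level assigned to each zone is an
# assumption made for this example.
ZONE_LEVEL = {"security_cell": 2, "manufacturing_zone": 3, "enterprise_zone": 4}

@dataclass(frozen=True)
class Flow:  # one row of the Step 3 data-flow inventory
    src: str
    src_zone: str
    dst: str
    dst_zone: str
    protocol: str
    port: int
    over_wan: bool = False

def audit_flow(f):
    zones = {f.src_zone, f.dst_zone}
    unknown = sorted(zones - set(ZONE_LEVEL))
    if unknown:  # an unmapped zone means the network inventory is incomplete
        return [f"unmapped zone: {', '.join(unknown)}"]
    findings = []
    if f.protocol.lower() in LEGACY:
        if f.over_wan:
            findings.append("legacy protocol over WAN")
        if max(ZONE_LEVEL[z] for z in zones) > 3:
            findings.append("legacy protocol above ISA-95 Level 3")
    if zones == {"enterprise_zone", "security_cell"}:
        findings.append("enterprise-to-control flow bypasses DMZ")
    return findings

def audit(flows):
    """Return {(src, dst): findings} for every flow that breaks a rule."""
    report = {}
    for f in flows:
        findings = audit_flow(f)
        if findings:
            report[(f.src, f.dst)] = findings
    return report

# Constructed sample inventory (hostnames are hypothetical).
SAMPLE_FLOWS = [
    Flow("plc-7", "security_cell", "hmi-2", "security_cell", "Modbus", 502),
    Flow("plc-7", "security_cell", "erp-1", "enterprise_zone", "Modbus", 502),
    Flow("opc-gw", "manufacturing_zone", "erp-1", "enterprise_zone", "OPC UA", 4840),
    Flow("rtu-3", "security_cell", "scada-1", "security_cell", "Modbus", 502, over_wan=True),
]

if __name__ == "__main__":
    for pair, findings in audit(SAMPLE_FLOWS).items():
        print(pair, findings)
```

Flows that stay inside the security cell, or that reach the enterprise zone from the manufacturing zone over OPC UA, produce no findings; the two flagged flows are the ones to convert or reroute.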


IIoT Protocols to Watch

A big challenge in IoT is interoperability. There are many protocols to connect industrial devices to IT and IoT platforms. These protocols will co-exist—each with their own strengths and weaknesses—and it’s our job to understand where and when to use them. This white paper focuses on the open standards for connecting industry to IT and provides use cases for each.


Pay Attention to Passwords

Weak passwords are an invitation to cybercriminals. Tips to consider:24

  • Passwords should be at least 14 characters in length and include a mix of uppercase and lowercase letters, numbers and special characters.
  • Avoid well known, easily guessed or common passwords.
  • Change passwords at least every 90 days.
  • Require separate passwords for corporate and control network zones and store them in separate trust stores.
  • Don’t share Active Directory, RSA ACE servers or other trust stores between the corporate and control network.
  • Use two-factor authentication whenever possible.

Patch and Update Frequently

Patches and updates are critical for maintaining system integrity. In fact, 59% of companies responding to a Business Advantage report on ICS security say they issue patches and updates every two weeks or less.25 Organizations that regularly patch software reduce system vulnerabilities that could lead to costly security breaches. Back-end security updates are also critical. Some best practices for patches and back-end security include the use of:

  • Updated encryption algorithms to keep pace with encryption-breaking technology.
  • Updates to third-party components.

Administrators should have a regular schedule for upgrades and patch management procedures.26 This is a critical practice because it can significantly minimize vulnerabilities in a system and prevent future attacks.


Work With a System Integrator or Security Services Firm

System integrators can help reduce the cost and time to establish and maintain a secure ICS network. An integrator can work with the IT department or security team to design and install the security system.27 Integrators also can help:

  • Provide a quick recovery after a cyber attack.
  • Provide training to staff regarding ICS security.
  • Advise organizations on ICS security practices.

Companies like Red Trident partner with their clients to provide this type of support and more.

Get connected safely from the start.

IoT is a competitive difference maker for manufacturers. But they must conduct due diligence to ensure they don’t introduce security risks to their ICS. A shared responsibility approach is a critical step toward ensuring manufacturers remain secure while achieving their business goals. This includes the selection of vendors that offer secure connectivity platforms with key security features, including modern encryption, updated versions and ongoing support.


KEPServerEX® is the industry’s leading connectivity platform that provides a single source of industrial automation data to all of your applications. The platform design allows users to connect, manage, monitor, and control diverse automation devices and software applications through one intuitive user interface.

KEPServerEX Business Value

KEPServerEX solves common connectivity challenges—providing secure and reliable access to real-time industrial data so everyone from the shop floor to the top floor can make smarter decisions.

KEPServerEX Secure Deployment Guide 

Deploy KEPServerEX with maximum security. Follow this guide closely when deploying new production installs, and use it to compare existing configurations and adjust them for best practices.


KEPServerEX Demo

KEPServerEX version 6.5 provides you the tools and resources you need to address evolving cybersecurity threats to your industrial control system (ICS).
