Cybersecurity / Resiliency is a path, not a destination

It is not reliable if it is not secure.

Ransomware has significantly affected companies abilities to deliver their product (and in some high profile cases, deliver other people’s products). A backup guards against many types of protection. Protection against failure of hardware in the system.

Even reliable devices eventually fail.

Protection against bugs in the software that might cause the loss of configuration or data. Protection against human mistakes that can cause the loss of device configurations. And protection against ransomware. Backing up devices in the lower levels of control systems requires a different strategy. Since many devices cannot be backed up directly, instead capture and store the device’s configuration, and keep the last installed firmware image the device should be running. Even if the device runs the factory-installed firmware, a copy should be kept handy for reinstallation if it fails or fails during an upgrade process, and the firmware is needed.

Our facility is not safe if it is not secure.

We have seen the first documented attack on Safety Instrumented Systems, where it has been said that either the attackers did not care if someone died during their attack or the attack was planned to cause death in the facility. We use control systems to keep potentially dangerous processes from damaging people or equipment. It is not hard to grasp that the same control system could be used with malicious intent to make the plant more dangerous.

The Internet is here to stay, and the air-gap isn’t

Remote access has actually gained in importance. We found ourselves in situations where we wanted to limit the number of people in close proximity required to run critical operations. There are many ways to do this, including providing more operator and vendor remote access and pushing off some maintenance and new installations. The wrong way to provide remote access is to wait until after it is needed. That is when quick solutions become the priority, and security becomes a secondary measure. This backward prioritization is the way the systems get connected directly to the Internet.

A temporary solution. “Nothing is more permanent than a temporary solution [that works].” _ Old Russian Proverb.

Those who do not live and breathe in the security space may not realize that it is possible to scan all of IPV4 space in a day with the help of modern cloud resources. People do that all the time. It is easier to think, “If, in my average plant in the middle of nowhere, I plug this little cable into the switch on the other side of the firewall, how could anyone else possibly know that?” It is not hard for someone skilled in the art.

Cybersecurity / Resiliency is a path, not a destination.

We inherently know that cybersecurity is an “arms race.” We spend lots of time talking about and studying Stuxnet. That attack is over ten years old. Like most everything else in the last ten years, state of the art in attacking systems has improved. The security had even five years ago is not necessarily sufficient to meet today’s updated attacks. Our defenses must improve as well to keep pace.

There is a benefit to this arms race. A successful attack on industrial control systems takes at least six months and one year to do reconnaissance, plan, and execute. It requires multiple teams to do it well. An attacker will look for teams with expertise in: phishing for an initial foothold, software vulnerabilities, and networking to move laterally in Windows to understand how to hold ground and borrow in. Someone with expertise in how Firewalls and VPN’s are used is needed to move towards the control system. The knowledge of process engineering combined with knowledge of multiple pieces of ICS equipment from multiple vendors. That is a small benefit of this arms race; it keeps the small players out because the attack team’s size and expertise becomes too large for them. It also provides additional opportunities to discover the attack in progress and react before it causes damage.