Cyber security: Common sense security for industrial engineers

Inside machines: Even the best industrial security products cannot prevent all unwanted traffic and malicious attacks to control systems; there is no such thing as a completely secure control system. Control engineers can reduce cyber incident risk by consistently investing time and effort in security measures. Cyber security advice follows.

By Dan Schaffer, Dan Fenton May 14, 2012

There is no such thing as a completely secure control system. Even the best industrial products on the market cannot prevent all unwanted traffic and malicious attacks. But by investing time and effort into security measures on an ongoing basis, control engineers can significantly reduce the threat of a cyber incident. Background and practical advice follow.

The acceptance of Ethernet, wireless, and TCP/IP for industrial communication has made it easier to design networks using products from different vendors. Yet, some of the advantages these technologies offer—they are widely known and make it possible to connect your plant floor to your office networks—also take away the inherent security automation professionals relied on for decades. 

As networks become more open and interconnected, plants are at higher risk for cyber attack than ever before. Unintentional incidents, such as a broadcast storm from a malfunctioning office device, can also pose a threat.

Control engineers got their first major wake-up call with the discovery of Stuxnet in July 2010. Thousands of articles have already been written on Stuxnet and its effect on the Iranian nuclear program. Stuxnet was the first major virus to target the industrial sector, but more recent discoveries include Nitro and Night Dragon, designed to steal sensitive data from the chemical and energy industries, and Duqu (aka “Son of Stuxnet”), which is still a mystery. Unfortunately, it is probably only a matter of time until we hear about a newer and larger threat.

Today, automation professionals realize they can no longer ignore network security. But at the same time, deciding where to start can feel like an overwhelming task. While there is no way to completely ensure the security of your control system, there are a few easy and cost-effective steps you can take almost immediately.

Choose and use passwords carefully

Passwords guard access to your data, your equipment, and your programs.  Without the use of good passwords, your network infrastructure is very vulnerable.

Passwords should be:

• Private: Don’t post your password in public places.

• Employee-only: Sometimes, multiple employees need to share a password for equipment. If one of those employees leaves the company, change the password immediately, even if the person leaves on good terms.

• Complex: Your password shouldn’t be easy to guess. Don’t pick something common like “password,” “123456,” “qwerty,” or “abc123.” Your child’s name or other personal information is also a poor choice. Instead, come up with a sentence you can remember and use abbreviations to create a mnemonic device. For example, “I want to secure my control system” can become “I12sMcS.” Vary between numbers, symbols, and upper- and lowercase letters for the most security. In fact, an eight-character password with upper- and lowercase letters and numbers has more than 200 trillion possible combinations. Adding punctuation marks increases the possibilities to more than 500 trillion.

While some people recommend changing your password frequently, that increases your chance of forgetting it or making a typo when creating the new one. If you change your password frequently, you’re more apt to need to write it down—bringing us back to the importance of keeping your password private.

Restrict Internet access

Can your employees surf the Web from your industrial PC or HMI? When they access Facebook, check their e-mail, or otherwise access the Internet, they are opening the door to viruses and other malware.

A control device with a public-facing address is an even bigger threat. While you might enjoy the convenience of checking your HMI from the road, a hacker might enjoy the convenience of shutting down your machine at a critical time. If your system has a public IP address that anyone can access, your system is easy to find, and therefore, generally easy to hack. To find out just how easy, visit shodanhq.com—a site that makes it easy for hackers to search for and discover PLCs, HMIs, etc., that publicly face the Internet.

A virtual private network (VPN) is a much safer choice. VPNs encrypt, or scramble, sensitive data as it traverses the Internet. They have been commonly used in the office environment for many years, but industrial networks have special requirements. An industrial VPN will have the rugged housing necessary on the factory floor and be able to operate within a wider temperature range. A VPN that is optimized for engineer programming, rather than IT “command line” programming, will also be easier to use.

USB sticks: If you must use them, take precautions

The convenience of USB sticks for transferring files has made them extremely popular. But—as Stuxnet demonstrated—they are also one of the best ways to spread malware.

The only way to completely prevent a virus from spreading through USB sticks is to ban their use on your control system. However, even if you have such a rule in place, there’s no guarantee that your employees will follow that rule. There are a few preventative steps you can take.

The first is to implement a policy that a user must run a USB stick through the IT department before using it on a control system device. IT can run the USB stick through a series of tests to ensure that it is clean of viruses. This takes time on everybody’s part—both the user’s and the IT department’s—and it’s not foolproof. It’s also wise to disable USB in the BIOS of your control PCs.

An additional measure is the use of Common Internet File System (CIFS) Integrity Monitoring. This is an option on some firewall software programs that will alert the system owner as soon as a file is added or changed on a monitored device. The system manager configures the CIFS monitoring with the directories and/or types of files to watch (for example, .exe and .sys). The state of those files at that point serves as the baseline for the CIFS monitoring.

The next time the CIFS monitor performs a scan, it will notice if any files have been deleted, added, or otherwise changed. This will not prevent infection from occurring, but with faster notification, you can mitigate any damage.

Ongoing security

The steps outlined above are just a few basic recommendations to start the process, but there are additional steps you can take to add layers to your security. An industrial-rated firewall can filter unwanted traffic. Don’t overlook potentially insecure wireless connections. Advanced security options can include IPS/IDS, patch management, logging and auditing systems, and in-depth training for personnel.

– Dan Schaffer is business and development manager for networking and security, and Dan Fenton is product marketing specialist, control and software, both with Phoenix Contact USA; Edited by Mark T. Hoske, content manager CFE Media, Control Engineering, Plant Engineering, and Consulting-Specifying Engineer, at mhoske@cfemedia.com.
