5 industrial control system cyber security mistakes

From spear phishing to encryption errors, there are many ways to let bad guys into your networks.

04/15/2013


Recently, I attended ICS Cyber Security (301) Training at the U.S. DHS CERT facility in Idaho Falls, Idaho. The five-day event featured hands-on training in discovering who and what is on the network, identifying vulnerabilities, learning how those vulnerabilities may be exploited, and learning defensive and mitigation strategies for ICSs (industrial control systems). Here are five key takeaways from that training.

1. Spear phishing attacks

Do you know how most computer networks are compromised? By employees who can’t resist an email with the subject line “Click here to get free gas for a year.” Literally, that is the subject line. This is called phishing, and it is the most prevalent way a hacker gets through a company’s initial network defenses. Phishing emails go to large volumes of addressees and use a generic offer, such as free gas or an error from a bank. Spear phishing is directed at a particular company or other small group of individuals and uses a more tailored offer. Either way, the technique uses a malicious email that effectively plants a tiny program on the victim’s computer. Most people would call it a virus or malware, but it behaves differently: rather than damaging the machine, it grants access to the victim’s computer from outside the network, and the attacker uses that access to explore the network secretly. Easy, generally available tools can then be used to find further weaknesses that allow additional access deeper into the network, and ultimately to the industrial control system.
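The following is an added example written for this section, not code from the original article or from the training. It checks one raw email message for the indicators a mail gateway or a help-desk analyst would look for before anyone clicks: a lure phrase in the subject, a sender domain outside the company, a Reply-To that differs from From, a link whose visible text names one site while the real target is another, and an executable attachment. The company domain, lure phrases and both sample messages are constructed for the example.

```python
"""Spear-phishing indicator check over a raw e-mail message (added example)."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

INTERNAL_DOMAINS = {"example-plant.com"}  # assumption: the company's own mail domains
LURE_PHRASES = ("free", "click here", "urgent", "verify your account", "prize")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".bat", ".hta")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(value):
    """Lowercased host name of a URL or bare host string."""
    host = urlparse(value if "://" in value else "http://" + value).hostname or ""
    return host.lower()


def phishing_indicators(raw_message):
    """Return a list of human-readable indicators found in the message."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []

    subject = (msg["Subject"] or "").lower()
    for phrase in LURE_PHRASES:
        if phrase in subject:
            findings.append(f"lure phrase in subject: {phrase!r}")
            break

    display_name, from_addr = parseaddr(msg["From"] or "")
    from_domain = from_addr.rpartition("@")[2].lower()
    if from_domain and from_domain not in INTERNAL_DOMAINS:
        findings.append(f"external sender domain: {from_domain}")
        name = display_name.lower()
        if any(d in name for d in INTERNAL_DOMAINS) or "it support" in name:
            findings.append("display name impersonates an internal sender")

    _, reply_addr = parseaddr(msg["Reply-To"] or "")
    if reply_addr and reply_addr.lower() != from_addr.lower():
        findings.append(f"Reply-To differs from From: {reply_addr}")

    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.lower().endswith(RISKY_EXTENSIONS):
            findings.append(f"executable attachment: {filename}")
        if part.get_content_type() == "text/html":
            collector = _LinkCollector()
            collector.feed(part.get_content())
            for href, text in collector.links:
                # If the visible text looks like a host name, it must match the real target.
                shown = re.search(r"[\w.-]+\.[a-z]{2,}", text.lower())
                if shown and _domain(shown.group(0)) != _domain(href):
                    findings.append(f"link text {text!r} hides target {_domain(href)}")
    return findings


# Constructed sample: the "free gas" lure with every indicator present.
SAMPLE_MESSAGE = """\
From: "IT Support" <helpdesk@example-plant-support.net>
To: operator@example-plant.com
Reply-To: collect@mailbox-drop.example
Subject: Click here to get free gas for a year
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Claim at <a href="http://login.example-plant-support.net/x">
portal.example-plant.com</a></p></body></html>
--b1
Content-Type: application/octet-stream; name="voucher.pdf.exe"
Content-Disposition: attachment; filename="voucher.pdf.exe"

binarystub
--b1--
"""

# Constructed sample: an ordinary internal message that should raise nothing.
BENIGN_MESSAGE = """\
From: "Shift Lead" <lead@example-plant.com>
To: operator@example-plant.com
Subject: Tonight's turnover notes
Content-Type: text/plain

Notes are in the shared drive.
"""

if __name__ == "__main__":
    for line in phishing_indicators(SAMPLE_MESSAGE):
        print("-", line)
```

Each indicator on its own is weak evidence; the value is in the combination, which is why the function returns the full list rather than a single yes/no, so a gateway rule or an analyst can set the threshold that fits the site.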

2. Wi-Fi weaknesses

You may be enjoying the convenience of using Wi-Fi on your control network. However, if your wireless networking equipment was installed before 2006, it is likely that other people can also enjoy using it to get access to your equipment! The only safe way to go wireless is with WPA2 encryption. This is standard on all new COTS (commercial off-the-shelf) equipment and is considered safe, at least for now.
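Below is an added example, not code from the article, showing the weak configuration beside the corrected one and a check that tells them apart. It reads a hostapd-style key=value access-point configuration (hostapd's documented keys such as wpa, wpa_key_mgmt, rsn_pairwise, wpa_passphrase and wep_key0 are used; the SSID, interface name and passphrase are constructed) and reports whether the access point is restricted to WPA2 with the AES-CCMP cipher.

```python
"""Access-point configuration audit for WPA2-only operation (added example)."""


def parse_config(text):
    """Parse hostapd-style key=value lines, ignoring blanks and comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def audit_wireless(text):
    """Return (ok, problems) for an access-point configuration."""
    cfg = parse_config(text)
    problems = []
    # Any wep_* key means WEP keys are present, whatever else is configured.
    if any(key.startswith("wep_") for key in cfg):
        problems.append("WEP keys configured; WEP is broken and must be removed")
    wpa = cfg.get("wpa", "0")
    if wpa != "2":  # hostapd: 1 = WPA only, 2 = WPA2/RSN only, 3 = both
        problems.append(f"wpa={wpa}: only wpa=2 (WPA2/RSN only) is acceptable")
    pairwise = set(cfg.get("rsn_pairwise", "").split())
    if "CCMP" not in pairwise:
        problems.append("rsn_pairwise must include CCMP (AES)")
    if "TKIP" in pairwise or "TKIP" in cfg.get("wpa_pairwise", "").split():
        problems.append("TKIP cipher allowed; disable it")
    key_mgmt = cfg.get("wpa_key_mgmt", "")
    if key_mgmt not in {"WPA-PSK", "WPA-EAP"}:
        problems.append("wpa_key_mgmt should be WPA-PSK or WPA-EAP")
    passphrase = cfg.get("wpa_passphrase")
    if key_mgmt == "WPA-PSK" and (passphrase is None or len(passphrase) < 20):
        problems.append("pre-shared key shorter than 20 characters")
    return (not problems, problems)


# Constructed: a pre-2006 style WEP configuration.
WEAK_CONFIG = """
interface=wlan0
ssid=PLANT-CTRL
auth_algs=3
wep_default_key=0
wep_key0=0123456789
"""

# Constructed: the corrected WPA2-only configuration with a long pre-shared key.
STRONG_CONFIG = """
interface=wlan0
ssid=PLANT-CTRL
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=correct-horse-battery-staple-2013
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("strong", STRONG_CONFIG)):
        ok, problems = audit_wireless(text)
        print(label, "OK" if ok else problems)
```

The same check can be run against the configuration export of any access point that uses the same vocabulary; for consumer gear the equivalent is to confirm the security mode reads WPA2 (AES) and that no WEP or mixed WPA/WPA2 mode is still enabled.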

3. Hard drive encryption

If you have a strong laptop password but choose not to encrypt your hard drive, a thief who steals the laptop can gain full access to your company’s network. This access is generally gained through Microsoft machines’ connectivity—the feature that allows you to move from office to office while still maintaining a connection to your network. Connectivity works because Microsoft stores a “token” or “hash” on your computer that says “Hey, this is a trusted company laptop with a correct password.” Attackers can use your token or hash to fool a system into thinking that another laptop is your trusted company laptop, and then they can gain access to your network. The only way to prevent this is to encrypt your hard drive. The process is actually fairly simple, so ask your network administrator how to do this if you travel a lot with your laptop.

4. Remote access

Since many PLCs and other industrial controllers now have built-in web servers, many people like to log in from home to keep up with what’s happening at the plant. However, they don’t realize that a few extra steps are needed to make sure an attacker can’t also enjoy that convenience. The embedded web interfaces in PLCs assume they are for internal use only, so they have little or no security features. Did you know that there are systems that actually search for PLCs on the Internet? Check out shodanhq.com to see if your PLC has been found yet. Do you want a bored 15-year-old to shut off your cooling tower, or something more important? Don’t be tempted to add external access to your control network without the proper layered security, or you might be the next Internet hacking headline.
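As an added example (not from the article), here is the check a defender would run over the firewall rule set before granting anyone remote access: every allow rule into the control zone is inspected, and the audit flags any path that lets the Internet reach the control zone directly, or lets a non-jump-host zone reach PLC web ports. The zone names, rule names and port list are constructed assumptions; the layered path assumed here is Internet to VPN to a DMZ jump host to the PLC.

```python
"""Firewall rule audit for remote access to PLC web interfaces (added example)."""
from dataclasses import dataclass

# Assumption: ports on which the site's PLC web interfaces listen.
PLC_WEB_PORTS = {80, 443, 8080}


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    dst_ports: frozenset  # empty set means "any port"
    action: str           # "allow" or "deny"


def audit_rules(rules, jump_zones=("dmz-jumphost",)):
    """Return (rule name, reason) for allow rules that bypass the layered access path.

    Each allow rule into the control zone is judged on its own: only traffic
    that originates from a jump-host zone may reach PLC web ports, and nothing
    from the Internet may reach the control zone at all.
    """
    findings = []
    for rule in rules:
        if rule.action != "allow" or rule.dst_zone != "control":
            continue
        if rule.src_zone == "internet":
            findings.append((rule.name, "Internet reaches the control zone directly"))
        elif rule.src_zone not in jump_zones:
            exposed = (rule.dst_ports or PLC_WEB_PORTS) & PLC_WEB_PORTS
            if exposed:
                findings.append((rule.name,
                                 f"{rule.src_zone} reaches PLC web ports "
                                 f"{sorted(exposed)} without a jump host"))
    return findings


# Constructed rule set: two bad paths among otherwise reasonable rules.
SAMPLE_RULES = [
    Rule("corp-to-historian", "corporate", "control", frozenset({1433}), "allow"),
    Rule("internet-to-plc-web", "internet", "control", frozenset({443}), "allow"),
    Rule("corp-browse-plc", "corporate", "control", frozenset(), "allow"),
    Rule("jump-to-plc", "dmz-jumphost", "control", frozenset({443}), "allow"),
    Rule("default-deny", "any", "control", frozenset(), "deny"),
]

if __name__ == "__main__":
    for name, reason in audit_rules(SAMPLE_RULES):
        print(f"{name}: {reason}")
```

Running this against an exported rule set as part of change review catches the "just open 443 to the PLC for the weekend" request before it becomes the site's Shodan entry.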

5. Software patching

There is no clear answer to the “to patch or not to patch” question. Many software companies recommend, or explicitly state, that systems should receive software updates and patches to prevent them from being exploited through known vulnerabilities. But what if a patch causes your HMI (human machine interface) to crash? Which is worse, a possible exploit or an unplanned outage caused by a failed software update? To the technician who expects to be blamed when the system crashes because of the patch, the answer is clear. So what is a technician to do? The only solution is to know what vulnerabilities exist in your system. Maybe some extra care and protection are required for your HMIs running Windows 2000. For example, maybe you need an extra firewall. You might find that less attention is needed for new Windows 7 HMI computers when they are regularly updated by IT.
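The added example below (not the author's or the training's code) turns that prioritization into something a technician can run over the site inventory. Each host is scored on whether its operating system still receives vendor patches, how exposed it is, and how long it has gone without updates, and the score is turned into one of three actions: patch in the next window, patch with compensating controls after testing, or isolate because no patch will ever come. The host inventory, zone weights and thresholds are constructed assumptions; the end-of-support dates are Microsoft's published dates, and the evaluation date is set to match this post.

```python
"""Patch-decision triage for HMI and control hosts (added example)."""
from dataclasses import dataclass
from datetime import date

# Microsoft's published end-of-support dates for the versions named in the article.
SUPPORT_ENDS = {
    "Windows 2000": date(2010, 7, 13),
    "Windows XP": date(2014, 4, 8),
    "Windows 7": date(2020, 1, 14),
}

# Assumption: how much a host's network zone adds to its exposure.
EXPOSURE = {"control": 1, "dmz": 2, "corporate": 2}


@dataclass
class Host:
    name: str
    os: str
    zone: str
    internet_reachable: bool
    last_patched: date
    vendor_qualified_patch: bool  # HMI vendor has qualified the current patch set


def risk_score(host, today):
    """Return (score, unsupported) for one host as of `today`."""
    end = SUPPORT_ENDS.get(host.os)
    unsupported = end is not None and end <= today
    score = 5 if unsupported else 0
    score += EXPOSURE.get(host.zone, 3)  # unknown zones are treated as exposed
    if host.internet_reachable:
        score += 4
    quarters_without_patches = (today - host.last_patched).days // 90
    score += min(quarters_without_patches, 4)
    return score, unsupported


def recommend(host, today):
    """Return (score, action) combining risk with what the vendor has qualified."""
    score, unsupported = risk_score(host, today)
    if unsupported:
        action = "isolate: no vendor patches will come; firewall it off and plan replacement"
    elif host.vendor_qualified_patch:
        action = "patch at next maintenance window"
    elif score >= 6:
        action = "patch with compensating controls; test on a spare HMI first"
    else:
        action = "defer until the vendor qualifies the patch; monitor"
    return score, action


def triage(hosts, today):
    """Return [(name, score, action)] with the highest risk first."""
    rows = [(host.name, *recommend(host, today)) for host in hosts]
    return sorted(rows, key=lambda row: -row[1])


# Constructed inventory evaluated on the date of this post.
TODAY = date(2013, 4, 15)
SAMPLE_HOSTS = [
    Host("HMI-OLD", "Windows 2000", "control", False, date(2009, 6, 1), False),
    Host("HMI-NEW", "Windows 7", "control", False, date(2013, 3, 10), True),
    Host("ENG-WS", "Windows XP", "corporate", True, date(2012, 10, 1), False),
]

if __name__ == "__main__":
    for name, score, action in triage(SAMPLE_HOSTS, TODAY):
        print(f"{name:8} score={score:2}  {action}")
```

The point of the scoring is not the exact numbers but that the decision is written down and repeatable: the Windows 2000 HMI lands at the top with "isolate" rather than a patch that will never arrive, while the IT-maintained Windows 7 HMI drops to routine window patching.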

Security takes time and effort, and properly prioritizing your response can give you the best protection for the lowest cost. For more, visit the ICS-CERT overview of cyber vulnerabilities.

This post was written by Bruce Billedeaux, PE. Bruce is a senior consultant at MAVERICK Technologies, a leading system integrator providing industrial automation, operational support, and control systems engineering services in the manufacturing and process industries. MAVERICK delivers expertise and consulting in a wide variety of areas including industrial automation controls, distributed control systems, manufacturing execution systems, operational strategy, and business process optimization. The company provides a full range of automation and controls services – ranging from PID controller tuning and HMI programming to serving as a main automation contractor. Additionally MAVERICK offers industrial and technical staffing services, placing on-site automation, instrumentation and controls engineers.


