Building up the defence

The cyber physical bad guys are now attacking internet of things (IOT) and the industrial internet of things (IIOT), says Cevn Vibert, Industrial Cyber Security Consultant and Educator. As the bad guys get better and better at attacking, so we must constantly get better at defending. There is evidence that the good guys have not properly started to improve their security stance yet, so this is a serious call-to-action.

Our modern society is built on automation, control systems and their management. The things mentioned often in the internet of things (IOT) and the industrial internet of things (IIOT), are becoming smarter and more ubiquitous. If you think about all the automation-controlled things that have contributed to your day and try to list them, you may be surprised and perhaps a little worried to know that everything from the power grid to planes and care suppliers to cashpoints are being invisibly attacked.

Critical national infrastructures are under pressure from government, regulators and themselves to enhance their defences, improve cyber monitoring and to re-work the gargantuan quantities of legacy systems. This is not an easy task with Industrial IT. The ageing and legacy industrial systems were not designed to be monitored and interrupted and scanned by active defence solutions. These security problems are both procedural, legislative and technical, so all end-users are now having to review remediation against enormous business and operational risks.

Cyber attacks on the rise

The rise in attacks on these things has started to concern people. National Infrastructures are investing in improvement plans, many markets are ahead of the game, but so much more needs to be done. Meanwhile the bad guys get better at the attacking. Cyber attacks on industrial control systems are increasing both in complexity and in frequency. All the statistics from the industry back this up. The attackers don’t need high complexity or advanced skill sets to attack most industrial control systems as many highly capable tools are available ‘open-source’ and more ‘user friendly’.

Debunking the myths

The typical myths which bolster the prevalent inertia in organisation’s implementing security for their Industrial OT and ICS systems are well known and have been debunked a thousand times.

Myth: We are disconnected from the internet.
Fact: Most real systems have at least 10+ information connections to the world and you must include connections via USB, CD, DVD, and maintenance as well as patching connections.
Myth: We are Firewall protected.
Fact: Many firewalls allow ‘any’ on inbound and are poorly understood by each department.
Myth: Hackers don’t understand SCADA / OT / ICS / IIoT.
Fact: Increase of hackers specifically attacking ICS / OT / SCADA due to kudos of accomplishment, ease of use of tools, and readily available tools.
Myth: We are an unlikely target.
Fact: Collateral damage is usual due to proliferation of attacks and supply chain connections.
Myth: Safety backup system will protect us.
Fact: Safety systems just as likely to be hit as control systems. Triton attack is good example.

Industrial Control Systems owners cling to the myths because the current ICS OT systems seem unaffected. What’s more, the cost of a security enhancement programme is often seen as prohibitive by the board and senior management.

Most businesses have been attacked

Over 60% of information breaches take months to be discovered, not days or hours. Around 70% of respondents to a recent survey admitted to being victims of a cyber-attack. Organisations are not reporting the attacks, the effects or the remediations carried out, often due to strict corporate embargoes.

What is not so well recognised are the business and operational improvements a security programme will bring about, including reduced insurance premiums, reduction in the cash safety float, improved operations, asset awareness and increase resilience. These business improvements are often enhanced by better staff morale and a much clearer understanding of operational technology and the current risks landscape.

The revolution has begun

We are into the fourth industrial revolution with industry 4.0 (2011 - 2019+). This revolution brings enormous commercial benefits, at a cost. Often the cost of implementing greater automation omits the cost of securing that automation. Companies have relied on the IT department doing something clever, within their annual budget, to secure all new development in corporate systems, but largely, this hasn’t happened.

Physical Security is just as necessary as cyber security since a network or datacentre can be compromised much more easily by someone connecting devices, logging in directly to a terminal or stealing hardware for later analysis. Physical security can also help to protect staff who may be compromised through force or coercion by intruders. Compromise of user credentials, access control networks, CCTV networks and the CCTV cameras themselves are just some of the examples of hacking vulnerabilities. Physical security may include a wide range of technology such as ground seismic sensors, thermal imaging and air/force pressure sensors.

Integrated security systems

The security guardroom or control centre of a facility may have several computer screens dedicated to security management with an access control screen, PSIM screen, numerous CCTV screens, a card reader management screen, public address, radio communications management, fire management display and a building management display.

The diversity of each system, from different vendors with differing operator interface standards, methods and operations makes the life of the security personnel more difficult than it needs to be. Cyber security management systems are still in their infancy for industrial operators. These typically sit in a network operations centre (NOC) or a security operations centre (SOC). Cyber faces very similar challenges to physical security, except the adversaries are much harder to spot and keep changing their methods and attack vectors.

Operations security management is essentially about the people, their procedures, methods and capabilities. The concept of operations (ConOps) of a security team should be made up of the manuals and documents and the process which has been worked out to achieve the highest and most robust levels of security. In reality, the ConOps are defined once, read once, then left on the shelf or even ‘stored safely’ in a box!

Actively making changes

Changes have been seen in the market with a welcome increase in knowledge management systems deployed to support operations in security control rooms. Rules engines and flexible database driven operator assistance and mandatory guides are now being used to good effect.

When a site alert occurs, the Security personnel can be taken through an approved procedure step-by-step, with each action being recorded for future alarm analysis, and for operational improvements in the database steps. The concept of an industrial SOC is being discussed more frequently and the challenge of integration is being reviewed against the risk of implementations.

Ancillary systems such as building management BMS, HVAC, water management, and environmental monitoring are also subject to attacks, can have serious consequential impacts, and should not be left out of a good risk analysis solution.

Supply Chain risks are only now being reviewed with defence suppliers being more strictly audited right down through their supply chains and industrial and commercial organisations also waking up to their supply chains. An organisation can be excellent in its own defence, but if its supply chain is compromised, then either components or data can be compromised, exfiltrated or aggregated to increase the threats from their suppliers. The adage that a chain is only as strong as its weakest link applies.

Integrated security means bringing at least two or more security disciplines together to create a tangible benefit to the operations of a security room. Holistic integrated security means bringing multiple systems together to create a command, control, communications and computer solution.

The drawbacks of integrated systems are the cost of developing and maintaining the integration, the potential security risks of inter-connectivity, and the cost of managing the complexity and rule-sets. The benefits are often seen to easily outweigh the potential drawbacks. Integrated systems are evolving as the norm. Security of interconnection is not such a challenge with newer technologies being adopted.

Keeping ahead of the bad guys

Remember, the bad guys are always improving, so it is essential for organisations to also keep improving, but more than that, looking for that giant leap ahead in defences. There is talk of new secure operating systems, new secure trusted computer systems, and of the increased lock-down and monitoring of the internet. All of these advances are being made, but are they appearing on the market quickly enough to make that giant leap forward in the cyber arms race?

Innovations are being made around big-data, artificial intelligence, block-chain, encryption, and other technologies in order to defend against the bad-guys. The bad guys are always ahead, so our defenders must keep creating better defences in our new cyber security 4.0, or 5.0, or 6.0.

Cyber attacks are made by humans, often exploiting human weaknesses as key building blocks of their attacks. The cyber defence industry must recognise this and build security improvement programs which include humans at the core of the solution.