Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

1/10/2017
02:00 PM
David Zahn
David Zahn
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
100%
0%

'Molecular' Cybersecurity Vs. Information Cybersecurity

When it comes to industrial processes, security begins at the molecular level.

Not all cybersecurity risk is created equal. Case in point: when Sony was hacked, information was stolen, systems were wiped, and society was temporarily deprived of a Seth Rogan movie. These were mostly bad outcomes, and Sony certainly suffered a significant financial loss.

Now, imagine a similar attack on an oil refinery where compromised systems include the proprietary industrial control systems that manage volatile processes. When I say volatile, I'm referring to processes where a boiler is heating oil by hundreds of degrees separating molecules to produce gasoline and other products. With appropriate access, a bad actor can change how hot that boiler is configured to run. If you combine that with disabled safety systems, production, environments —  even lives —  can be severely affected. A German steel mill experienced this in 2014 when a boiler exploded after an industrial control system attack; and 225,000 Ukrainians lost power in December 2015 when a hacker group shut down substation systems.

I don't want to diminish the impact that malicious attacks have on our financial industry and others. However, chemical, oil and gas, and power generation attacks can have much graver outcomes — yet, surprisingly, these industries are in some ways the most vulnerable. If you examine cybersecurity within a typical industrial process company, you find many of the same protections you find in any other company — antivirus software, firewalls, application whitelisting, and more. These security controls are focused on protecting workstations, servers, routers, and other IT-based technology. In other words, they protect the flow of information.

But systems that move and manipulate molecules (for example, oil separating into constituent parts) are not nearly as secure. Why? Because many of these systems were built and deployed before cybersecurity was even a thing. Industrial facilities rely primarily on layered defenses in front of industrial control systems, security by obscurity (think complex systems on which it takes years to become an expert), and air gapping (physical isolation from other networks).

The reality is that layered defenses and air gapping can be bypassed. Industrial facilities, for instance, periodically have turnarounds where they perform maintenance or switch production output. This requires hundreds of engineers — many of them third-party ones — working multiple shifts to get production back online. They are authorized users who could accidentally (or intentionally) introduce malicious code or configuration changes into a control system.

Relying on obscurity as a strategy only has limited effect. With the rise of nation-sponsored cyber warfare, the capability of manipulating complex control systems is also on the rise. The Ukrainian power attack, for instance, included malicious firmware updates that were believed to have been developed and tested on the hacking group's own industrial control equipment. Heck, you can even buy a programmable logic controller (a type of industrial control system) on eBay.

Potential Impact
The Obama administration's Commission on Enhancing National Cybersecurity report was released in early December. There were some good recommendations in the report, particularly around having a security rating system for Internet of Things devices. What I found disturbing was that the report stated the distinction between critical infrastructure systems (found in the industries highlighted in this post plus others, such as transportation, that also rely on industrial control systems) and other devices is becoming impractical. The point is that in a connected world, everything is vulnerable and attacks can come from any quarter. It's a fair point, but this idea diminishes the importance of impact, which is essential to driving priority, policy, and investment decisions. Protecting the systems that manipulate molecules must have priority and, in some cases, have precedence over the ones that maintain information.

So, where do you start? Where should investment flow? Most companies need to start at the beginning and simply begin to track the cyber assets they have in an industrial facility. Another fun fact: many don't track that data today, or do so in a highly manual way, which means there are data gaps and errors. Without visibility into the cyber assets in a plant, you can't effectively secure them.

And when we talk about cyber assets, any credible inventory plan must include the controllers, smart field instruments, and other systems that manage the volatile processes we've discussed (these systems, by the way, make up 80% of the cyber assets you find in an industrial facility). This can't happen in a spreadsheet, but it must happen through automation software that can pull data from the many disparate, proprietary systems that can exist in a single facility.

With an automated, detailed inventory that is updated regularly, companies can begin to do the things they know are important for securing any system — they can monitor for unauthorized changes, set security policies, and more. Doing so allows companies not only to secure information, but also secure the molecules — the lifeblood of an industrial process company.

Related Content:

As General Manager of the Cybersecurity Business Unit at PAS, David Zahn leads corporate marketing and strategic development of the PAS Integrity Software Suite. David has held numerous leadership positions in the oil and gas, information technology, and outsourcing ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Google's new See No Evil policy......
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-31664
PUBLISHED: 2021-06-18
RIOT-OS 2021.01 before commit 44741ff99f7a71df45420635b238b9c22093647a contains a buffer overflow which could allow attackers to obtain sensitive information.
CVE-2021-33185
PUBLISHED: 2021-06-18
SerenityOS contains a buffer overflow in the set_range test in TestBitmap which could allow attackers to obtain sensitive information.
CVE-2021-33186
PUBLISHED: 2021-06-18
SerenityOS in test-crypto.cpp contains a stack buffer overflow which could allow attackers to obtain sensitive information.
CVE-2021-31272
PUBLISHED: 2021-06-18
SerenityOS before commit 3844e8569689dd476064a0759d704bc64fb3ca2c contains a directory traversal vulnerability in tar/unzip that may lead to command execution or privilege escalation.
CVE-2021-31660
PUBLISHED: 2021-06-18
RIOT-OS 2021.01 before commit 85da504d2dc30188b89f44c3276fc5a25b31251f contains a buffer overflow which could allow attackers to obtain sensitive information.