The last few years has seen huge growth in industrial networking. Since protocols like Fieldbus (IEC 61158) were not meant to be integrated into larger business networks, most suppliers and end users have concentrated on network connectivity and not network cyber security.
Given that the cyber security problems in industrial networking are similar in many ways to office networking, many industrial control system (ICS) asset owners have embraced the industrial network challenge and are expanding their deployments from the most vulnerable interconnected office to plant environments.
Meanwhile, other ICS asset owners have taken a cautious approach to this new world of industrial networking. Conversely, such organisations are concerned about the vulnerability of ICSs by the increased connectivity. Are there any basic steps an organisation can take to prevent compromise in this area?
Introductory cyber defence
Like all applications of defensive measures, cyber defence begins with a mindset or philosophy. This is grounded in the understanding that everyone who uses ICS is a target. No longer can any ICS asset owner say with certainty that “they are too small or too obscure to be a target”. In fact many smaller plants or facilities across the world are finding themselves increasingly being targeted as larger corporations establish sophisticated security defences.
Being a hacking target is one thing, but it is also hard for the average ICS operator to know where to concentrate any defensive measures. In large corporations, Security Risk Management efforts now quantify a scored hierarchy of importance. Then, after the hierarchy is established, security defensive measures are applied to the most critical systems first. Smaller ICS owners can do this scoring as well. But they should score systems which hackers are most likely to attempt to exploit, like PC workstations that are connected to critical systems.
Cyber defence guidance
According to the Australian Signals Directorate Top 35 list of mitigation strategies (http://tinyurl.com/p7tehyh), at least 85% of intrusions could have been mitigated by combining the top four mitigation strategies.
These four strategies are:
1. Patching applications.
2. Patching operating system vulnerabilities.
3. Restrict administrator privileges.
4. Application whitelisting.
Operating system and application updates – basic digital hygiene
For ICS computers, there is no better, high value mitigation than regular operating system (OS) updates. These should be set to “automatic”, but if you suspect your computer is out of date and has Windows OS, simply perform a windows update. The same can be said for other operating systems such as Linux. Operators should establish an update policy and perform the updates on a monthly schedule, if possible.
The following applications on ICS computers should be updated with the latest versions or uninstalled: Web browsers, Adobe Acrobat, Microsoft Office and Adobe Flash. These install base common applications are prime targets for hackers to exploit. A special mention should be the use of an up-to-date anti-virus. A non-current anti-virus is sometimes worse than none at all.
Wherever possible, ICS related devices should be updated to the latest software version. This is especially important for industrial network related devices like switches and routers. Hackers are very keen to infiltrate unsecure network devices to maintain persistence in an attacked organisation.
Restrict administrator privileges – keep safety features in place
The reason that administrator accounts need to be controlled is to prevent privilege escalation. Whenever possible, an operating system login should be done with standard user privileges. Administrator privileges should only be used when needed, and sparingly during normal operation.
Application whitelisting – no rogue programs
A whitelist is a list or register of entities that are being provided a particular privilege, service, mobility, access or recognition on a system. Entities on the list will be accepted, approved and/or recognised. Whitelisting is the reverse of blacklisting, the practice of identifying entities that are denied.
For most computing applications, whitelisting is not very practical. But the principles of whitelisting can be applied manually to yield some protection. Mitigations like manually monitoring process listings to see if any strange applications are running and then ending that process/application if it seems to be running when it shouldn’t be.
How to detect if a system is ‘Hacked’?
There are many ways to detect if your ICS is hacked but without the use of sophisticated forensic tools, a qualitative assessment is usually an acceptable method for most ICS users.
Observable indicators of compromise (OIC)
• System runs slowly. This could be due to malware background processes running.
• System takes overly long to boot. This could be possibly due to hacker hardware drivers loading.
• System makes strange noises at odd times or at startup. This could be due to malware hardware driver being poorly coded.
• System applications do not run as desired, for example, the system update, system restore or anti-virus not being able to update is an indicator that the system has been hacked.
• You find web services, such as web searches, are redirected to unusual sites due to a Malware/Adware compromise.
In general, should any of the above occur, it is wise to contact an IT security professional to resolve the problem. Additionally, once the near term issue is resolved, the computing asset should be rebuilt with fresh OS load media during the next maintenance shutdown.
Can cyber defence be this simple?
Industrial networks offer huge advantages when secured properly. There is always the potential for a hacker to compromise your control system, however if you secure your systems, even to a basic level, most attackers will proceed to easier targets elsewhere.
The biggest issue today, in industrial networks, is the concern with disruption and loss of control.
Cyber security may be inconvenient but if you do implement it, you can still maintain operations within safety margins. Deployment of industrial networks with the above cyber defensive practices makes them more dependable and allows organisations to enjoy the benefits of increased connectivity.
|Tel:||+27 11 831 6300|
|Fax:||+27 11 86 411 8144|
|Articles:||More information and articles about Yokogawa South Africa|
© Technews Publishing (Pty) Ltd | All Rights Reserved