Recently, I attended ICS Cyber Security (301) Training at the U.S. DHS CERT facility in Idaho Falls, Id. The five-day event featured hands-on training in discovering who and what is on the network, identifying vulnerabilities, learning how those vulnerabilities may be exploited, and learning defensive and mitigation strategies for ICSs (industrial control systems). Here are five key takeaways from that training.
1. Spear phishing attacks
Do you know how most computer networks are compromised? By employees that can’t resist an email with a subject line: “Click here to get free gas for a year.” Literally, that is the subject line. This is called phishing and it's the most prevalent way that a hacker gets through a company’s initial network defenses. Phishing emails go to large volumes of addressees and use a generic offer, such as free gas or an error from a bank. Spear phishing is more specifically directed at a particular company or other smaller group of individuals using a more tailored offer. Either way, this technique uses a malicious email that effectively plants a tiny program, known to most people as a virus or malware but functionally different, that grants access to the victim’s computer from outside the network. The difference is that, instead of implanting a virus, the attacker uses this access to explore the network secretly. There are easy, generally available tools that can be used to find further weaknesses which allow additional access deeper into the network, and ultimately to the industrial control system.
2. Wi-Fi weaknesses
You may be enjoying the convenience of using Wi-Fi on your control network. However, if your wireless networking equipment was installed before 2006, it is likely other people can also enjoy using it to get access to your equipment! The only safe way to go wireless is with WEP2 encryption. This is standard on all new COTS (commercial off the shelf equipment) and is considered safe, at least for now.
3. Hard drive encryption
If you have a strong laptop password but choose not to encrypt your hard drive, if your laptop is stolen, the thief can have full access to your company’s network. This access is generally gained through Microsoft machines’ connectivity—the feature that allows you to move from office to office while still maintaining connection to your network. Connectivity works because Microsoft stores a “token” or “hash” on your computer that says “Hey, this is a trusted company laptop with a correct password.” Attackers can use your token or hash to spoof a system to think that another laptop is your trusted company laptop and then they can gain access to your network. The only way to prevent this is to encrypt your hard drive. This process is actually fairly simple, so ask your network administrator how to do this if you travel a lot with your laptop.
4. Remote access
Since many PLCs and other industrial controllers now have web browsers, many people like to log in from home to keep up with what’s happening at the plant. However, they don’t realize that a few extra steps are needed to make sure an attacker can’t also enjoy that convenience. Embedded web browsers in PLCs assume that they are for internal use only, so they have little or no security features. Did you know that there are systems that actually search for PLCs on the Internet? Check out shodanhq.com to see if your PLC has been found yet. Do you want a bored 15-year-old to shut off your cooling tower, or something more important? Don’t be tempted to add external access to your control network without the proper layered security, or you might be the next Internet hacking headline.
5. Software patching
There is no clear answer to the “to patch or not to patch” question. Many software companies recommend, or explicitly state, that systems should receive software updates and patches to prevent them from being exploited by known vulnerabilities. But what if a patch causes your HMI (human machine interface) to crash? What is worse, a possible exploit or an unplanned outage caused by a failed software update? To the technician who anticipates being the person receiving the blame when the system crashes because of the patch, that answer is clear. So what is a technician to do? The only solution is to know what vulnerabilities exist in your system. Maybe some extra care and protection are required for you HMI’s running Windows 2000. For example maybe you need an extra firewall. You might find that less attention is needed for new Windows 7 HMI computers when they are regularly updated by IT.
Security takes time and effort, and properly prioritizing your response can give you the best protection for the lowest cost. For more visit the ICS-CERT overview of cyber vulnerabilities.
This post was written by Bruce Billedeaux, PE. Bruce is a senior consultant at MAVERICK Technologies, a leading system integrator providing industrial automation, operational support, and control systems engineering services in the manufacturing and process industries. MAVERICK delivers expertise and consulting in a wide variety of areas including industrial automation controls, distributed control systems, manufacturing execution systems, operational strategy, and business process optimization. The company provides a full range of automation and controls services – ranging from PID controller tuning and HMI programming to serving as a main automation contractor. Additionally MAVERICK offersindustrial and technical staffing services, placing on-site automation, instrumentation and controls engineers.