The first installment of the Cyber Security Essentials series introduces the topic of cyber security and outlines the major concepts to be aware of.
“What’s the worst that could happen?”
This question is at the heart of so many plant-wide discussions. Deliberations on safety interlocks, alarm rationalization, hazard analyses, job safety plans, and process equipment design routinely center on this premise. Why, then, do some facilities have a lackadaisical approach to the layout and protection of their network security? In this first installment, we’ll introduce the topic of cyber security and outline the major concepts to be aware of. In two other forthcoming articles, I’ll discuss cyber security with an ethical hacker and get his thoughts on defending against attackers.
We’ve seen a few examples of the “worst that could happen” in the last few years. Sony is currently in the news for the hack that leaked a major motion picture and some damaging executive level e-mails. Retail giant Target got hit by a massive phishing e-mail attack in 2014 that cost the company between $1.4 and $2.2 billion. Home Depot was the most recent high-profile case of corporate hacking. Malware took at least 56 million card numbers from customers and the cost to the company has not been fully tallied yet. Those numbers should be pretty jarring! Do you think your plant is immune? As Lee Courso would say on College Gameday, “Not so fast, my friend!” Symantec reported that the U.S. energy sector is the second most often attacked group, only beaten out by the government.
Speaking of governments, one of the slickest examples of nerd warfare was the U.S.-Israeli attack on an Iranian nuclear uranium-enrichment facility with the Stuxnet virus. This brilliant little bug mapped out an electronic blueprint of the plant’s network architecture then later varied the speed of the centrifuges enough to wear them out, all while replaying recorded values to the operators so that everything looked fine inside. One fifth of Iran’s nuclear centrifuges were destroyed, according to an article in the New York Times. USA! USA!
Who’s at risk?
I’ve been in some plants that do well, from a cyber security standpoint. Other sites that I’ve worked at have used such stringent security measures as the cryptic “text Billy for the wireless password” method. Seriously. Different plants run the gamut from requiring a transportation worker identification credential (TWIC) card upon entry, to requiring the driver of the vehicle to yell a number to the guard that supposedly corresponds to a vehicle pass list somewhere (my number was 12, but let’s just keep that between us). Where does your plant fall in this spectrum? Is your network password written on a whiteboard in the control room or e-mailed in halves to two trusted supervisors?
Understanding the threat
Before discussing strategies to isolate and protect plant networks, here is a brief look at the most common cyber attacks, as well as the simplest guards against them.
As mentioned earlier, an e-mail phishing scam was the entry point for the Target attackers. After a phishing e-mail was opened by a vendor with corporate network access, the attacker stole the vendor’s network credentials. The e-thief was then able to pull card data for approximately 40 million customers over the next few weeks. There are a number of ways individuals/companies can protect themselves from phishing e-mails, and most of it revolves around the ability to recognize a bogus e-mail link or attachment.
If the sender is from an external entity or is simply someone unfamiliar to the user, that should immediately warrant extra scrutiny. For example, if “Jane from Purchasing,” whom you’ve never heard of, sends you a highly generalized paragraph, then urges you to open an under-specified attachment or hyperlink, it’s probably best to delete that one. Hovering over the hyperlink in an e-mail should display the internet address it contains and if anything “smells phishy” (sorry, bad pun), such as an altered company name or references to ads, it’s probably best to leave that one alone. Setting up rules in your inbox to flag e-mails from external senders is another simple way to draw attention to suspicious messages, especially the easy to miss ones who mimic common addresses, by inserting a dash or substituting a numeral “1” or uppercase “I” for a lowercase “L” for instance. (PayPal did a great little lesson on phishing scams. Don’t worry, it’s legit—the “https” part helps).
Malware, like the Stuxnet virus or the Home Depot attack, may be a bit tougher to spot. It can enter via attachments, bad URLs, a thumb drive, or even embedded in the code of a .jpg image. Typically one computer will get malware, which then collects data or information about the user or network. Later on, the malware attack will launch with a variety of possible effects, but typically corrupting software or compromising sensitive information. The safe e-mail guidelines mentioned above can help to weed out some of this, but more stringent measures like website blockers and policies limiting the use of removable storage devices may be necessary, although they’re often unpopular with users.
You’re probably starting to notice a trend here: most cyber attacks prey on people. The human element is typically the weakest link in any network’s “security chain.” While we’ve looked at a piece of the puzzle, how to be a discerning user, there is much more to cover in the forthcoming cyber security interview!
In the next installment, I’ll sit down with a friend in the data security business for an in-depth discussion on what a robust system should look like.
This post was written by Josh Bozeman. Josh is a Proposal and Estimating Specialist at MAVERICK Technologies, a leading automation solutions provider offering industrial automation, strategic manufacturing, and enterprise integration services for the process industries. MAVERICK delivers expertise and consulting in a wide variety of areas including industrial automation controls, distributed control systems, manufacturing execution systems, operational strategy, business process optimization and more.