<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	
	>
<channel>
	<title>Comments on: SCADA security basics</title>
	<atom:link href="http://www.epanorama.net/blog/2013/06/03/scada-security-basics/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.epanorama.net/blog/2013/06/03/scada-security-basics/</link>
	<description>All about electronics and circuit design</description>
	<lastBuildDate>Fri, 24 Apr 2026 16:26:45 +0000</lastBuildDate>
		<sy:updatePeriod>hourly</sy:updatePeriod>
		<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.9.14</generator>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2013/06/03/scada-security-basics/comment-page-7/#comment-1563709</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Thu, 21 Sep 2017 09:35:02 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/blog/?p=20102#comment-1563709</guid>
		<description><![CDATA[Siemens, PAS Partner on Industrial Cybersecurity
http://www.securityweek.com/siemens-pas-partner-industrial-cybersecurity

Engineering giant Siemens and PAS, a company that specializes in cyber security solutions for industrial control systems (ICS), announced on Tuesday a new strategic partnership.

The goal of the partnership is to provide organizations the capabilities needed to identify and inventory assets, including distributed and legacy control systems, and provide visibility for detecting cyber threats and unauthorized engineering changes in multi-vendor environments.]]></description>
		<content:encoded><![CDATA[<p>Siemens, PAS Partner on Industrial Cybersecurity<br />
<a href="http://www.securityweek.com/siemens-pas-partner-industrial-cybersecurity" rel="nofollow">http://www.securityweek.com/siemens-pas-partner-industrial-cybersecurity</a></p>
<p>Engineering giant Siemens and PAS, a company that specializes in cyber security solutions for industrial control systems (ICS), announced on Tuesday a new strategic partnership.</p>
<p>The goal of the partnership is to provide organizations the capabilities needed to identify and inventory assets, including distributed and legacy control systems, and provide visibility for detecting cyber threats and unauthorized engineering changes in multi-vendor environments.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2013/06/03/scada-security-basics/comment-page-7/#comment-1562834</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Thu, 14 Sep 2017 12:10:19 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/blog/?p=20102#comment-1562834</guid>
		<description><![CDATA[Cybersecurity for pipelines, other SCADA systems
It’s critical to stay up-to-date with cybersecurity measures to improve defenses against cyberattacks.
http://www.controleng.com/single-article/cybersecurity-for-pipelines-other-scada-systems/93945d45c0a2570979abac165a456e76.html

SCADA 2.0, IIoT development

As old as the SCADA concept is, it has not lost any of its importance. In fact, the role of SCADA systems is growing, which is broadening their definition. With a higher degree of protocol standardization and greater connectivity to corporate information technology (IT) networks, the potential for a cyber-attack also increases and is growing.

The trends toward business systems using and processing SCADA data create new avenues and reasons for system exploitation. Sharing data is often the lifeblood for many companies, but new threats can emerge in the process.

On the other hand, developing technologies also are changing the current situation as the IIoT merges with SCADA to become “SCADA 2.0.” This still has some time before development is complete, but there are many possibilities, including its design and how it could affect security considerations.

The RTU, at least as a gateway, no longer will be included since it won’t be needed. The individual field instruments and actuators at the hypothetical pipeline pump station will all communicate directly with the ubiquitous network, just as a technician visiting the site might call back to the office on a smartphone. The data from the devices goes to the cloud and can be captured and used by whichever part of the company needs it, from anywhere. At this point it’s difficult to say exactly what the network might look like, however it most likely will be 4G or 5G capable, but the communication will be direct. New networking technologies like low power wide area network (LoRa WAN) may be included as well.

Setup for these installations will be easier than with current SCADA systems. It will be as easy as installing the field device, turning it on, and connecting it to the cloud. This will get rid of all the expensive and dangerous manual operations still being done at many sites. If a level instrument is added to the storage tank, the need for a worker to be sent out for maintenance no longer will be necessary.  

The reality of this concept is some time away since the networks with the necessary requirements don’t currently exist. Coverage and speed are improving all the time, but 5G or even 4G in all the areas where pipeline pumping stations are located is not there yet.

Accommodating multiple SCADA systems

One current aspect of monitoring technology is the idea of multiple SCADA systems at one location, and the user might not even realize it. How does this happen?

A turbine-compressor set might have its own system to remotely monitor performance and conditions, and there is probably an existing SCADA system. These original equipment manufacturer (OEM) systems often are included to verify performance requirements written into purchase agreements. This kind of monitoring keeps everyone honest and helps the party responsible for maintenance stay informed with what’s happening. The system is in communication with the OEM’s headquarters and sends data back every day via its own network. Having this kind of communication is necessary and is ultimately a good thing for the most part, but there can be problems. 

Signs of threats to come

Cyber criminals looking to make money from their exploits have been stealing financial data, personal information, and credit card numbers for a long time. Major retailers and financial service companies have fallen prey largely for this reason. Fortunately, industrial companies don’t necessarily have much in the way of such marketable data capable of being stolen. The scary alternative is ransomware, which has targeted hospitals and now spread to many other users in the recent “WannaCry” ransomware attacks.

Returning to the example of the hypothetical pipeline station for this scenario, say the operators at the central control room receive an alarm via the SCADA system because transportation has been shut off. Calling up the human-machine interface (HMI), they see a top-level screen saying that access to the RTU has been locked out and encrypted. The only way to regain control is by paying to get the access code.

The option for the company is to pay, or send somebody out to the site to take it offline and turn operations back on manually. This is only temporary because it is not practical to leave an operator at the site on a continuous basis. The only real solution is to take out the compromised RTU and replace it, at a cost significantly higher than the ransom.

This situation may seem unrealistic; however, as technology and cyber criminals become more advanced, predicting situations like this should be considered.

Defensive strategies for SCADA systems

The following are a few defensive suggestions:

    Maintain physical security at remote sites: RTUs and other network-connected hardware should be in locked enclosures. Unused ports should be plugged with epoxy.
    Update old systems: Any company still running equipment using Windows 95, or even more recent but still obsolete versions, is asking for trouble. Platforms running un-updated software can be just as bad. WannaCry only worked on outdated and un-updated Windows platforms.
    Use network identification: Intrusion detection systems are very useful tools, but many companies fear they can disrupt networks. They can be designed for low-impact and with a passive response to make them easier to use on operating networks.
    Train personnel: Workers are still the weakest link in cyber defenses. Social engineering, phishing, and spear phishing remain effective hacking tools. Don’t open unknown attachments, don’t plug in unknown thumb drives, etc.
    Maintain network traffic logs: It’s hard to know if something strange is happening if you can’t identify right from wrong. Logs help establish baselines, so they can help determine where intruders have been and what damage may have been made or attempted.
    Use available cybersecurity resources: The International Society of Automation (www.isa.org) and the National Institute of Standards and Technology (www.nist.gov). ISA/IEC 62443 offers many helpful resources and provides best practices for network administrators and defenders, as do NIST 800-14 and 800-16.

It will be easier to implement more cybersecurity measures with new technologies, but many companies find themselves still working with yesterday’s equipment and software.]]></description>
		<content:encoded><![CDATA[<p>Cybersecurity for pipelines, other SCADA systems<br />
It’s critical to stay up-to-date with cybersecurity measures to improve defenses against cyberattacks.<br />
<a href="http://www.controleng.com/single-article/cybersecurity-for-pipelines-other-scada-systems/93945d45c0a2570979abac165a456e76.html" rel="nofollow">http://www.controleng.com/single-article/cybersecurity-for-pipelines-other-scada-systems/93945d45c0a2570979abac165a456e76.html</a></p>
<p>SCADA 2.0, IIoT development</p>
<p>As old as the SCADA concept is, it has not lost any of its importance. In fact, the role of SCADA systems is growing, which is broadening their definition. With a higher degree of protocol standardization and greater connectivity to corporate information technology (IT) networks, the potential for a cyber-attack also increases and is growing.</p>
<p>The trends toward business systems using and processing SCADA data create new avenues and reasons for system exploitation. Sharing data is often the lifeblood for many companies, but new threats can emerge in the process.</p>
<p>On the other hand, developing technologies also are changing the current situation as the IIoT merges with SCADA to become “SCADA 2.0.” This still has some time before development is complete, but there are many possibilities, including its design and how it could affect security considerations.</p>
<p>The RTU, at least as a gateway, no longer will be included since it won’t be needed. The individual field instruments and actuators at the hypothetical pipeline pump station will all communicate directly with the ubiquitous network, just as a technician visiting the site might call back to the office on a smartphone. The data from the devices goes to the cloud and can be captured and used by whichever part of the company needs it, from anywhere. At this point it’s difficult to say exactly what the network might look like, however it most likely will be 4G or 5G capable, but the communication will be direct. New networking technologies like low power wide area network (LoRa WAN) may be included as well.</p>
<p>Setup for these installations will be easier than with current SCADA systems. It will be as easy as installing the field device, turning it on, and connecting it to the cloud. This will get rid of all the expensive and dangerous manual operations still being done at many sites. If a level instrument is added to the storage tank, the need for a worker to be sent out for maintenance no longer will be necessary.  </p>
<p>The reality of this concept is some time away since the networks with the necessary requirements don’t currently exist. Coverage and speed are improving all the time, but 5G or even 4G in all the areas where pipeline pumping stations are located is not there yet.</p>
<p>Accommodating multiple SCADA systems</p>
<p>One current aspect of monitoring technology is the idea of multiple SCADA systems at one location, and the user might not even realize it. How does this happen?</p>
<p>A turbine-compressor set might have its own system to remotely monitor performance and conditions, and there is probably an existing SCADA system. These original equipment manufacturer (OEM) systems often are included to verify performance requirements written into purchase agreements. This kind of monitoring keeps everyone honest and helps the party responsible for maintenance stay informed with what’s happening. The system is in communication with the OEM’s headquarters and sends data back every day via its own network. Having this kind of communication is necessary and is ultimately a good thing for the most part, but there can be problems. </p>
<p>Signs of threats to come</p>
<p>Cyber criminals looking to make money from their exploits have been stealing financial data, personal information, and credit card numbers for a long time. Major retailers and financial service companies have fallen prey largely for this reason. Fortunately, industrial companies don’t necessarily have much in the way of such marketable data capable of being stolen. The scary alternative is ransomware, which has targeted hospitals and now spread to many other users in the recent “WannaCry” ransomware attacks.</p>
<p>Returning to the example of the hypothetical pipeline station for this scenario, say the operators at the central control room receive an alarm via the SCADA system because transportation has been shut off. Calling up the human-machine interface (HMI), they see a top-level screen saying that access to the RTU has been locked out and encrypted. The only way to regain control is by paying to get the access code.</p>
<p>The option for the company is to pay, or send somebody out to the site to take it offline and turn operations back on manually. This is only temporary because it is not practical to leave an operator at the site on a continuous basis. The only real solution is to take out the compromised RTU and replace it, at a cost significantly higher than the ransom.</p>
<p>This situation may seem unrealistic; however, as technology and cyber criminals become more advanced, predicting situations like this should be considered.</p>
<p>Defensive strategies for SCADA systems</p>
<p>The following are a few defensive suggestions:</p>
<p>    Maintain physical security at remote sites: RTUs and other network-connected hardware should be in locked enclosures. Unused ports should be plugged with epoxy.<br />
    Update old systems: Any company still running equipment using Windows 95, or even more recent but still obsolete versions, is asking for trouble. Platforms running un-updated software can be just as bad. WannaCry only worked on outdated and un-updated Windows platforms.<br />
    Use network identification: Intrusion detection systems are very useful tools, but many companies fear they can disrupt networks. They can be designed for low-impact and with a passive response to make them easier to use on operating networks.<br />
    Train personnel: Workers are still the weakest link in cyber defenses. Social engineering, phishing, and spear phishing remain effective hacking tools. Don’t open unknown attachments, don’t plug in unknown thumb drives, etc.<br />
    Maintain network traffic logs: It’s hard to know if something strange is happening if you can’t identify right from wrong. Logs help establish baselines, so they can help determine where intruders have been and what damage may have been made or attempted.<br />
    Use available cybersecurity resources: The International Society of Automation (<a href="http://www.isa.org" rel="nofollow">http://www.isa.org</a>) and the National Institute of Standards and Technology (<a href="http://www.nist.gov" rel="nofollow">http://www.nist.gov</a>). ISA/IEC 62443 offers many helpful resources and provides best practices for network administrators and defenders, as do NIST 800-14 and 800-16.</p>
<p>It will be easier to implement more cybersecurity measures with new technologies, but many companies find themselves still working with yesterday’s equipment and software.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2013/06/03/scada-security-basics/comment-page-7/#comment-1561819</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Wed, 06 Sep 2017 11:47:54 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/blog/?p=20102#comment-1561819</guid>
		<description><![CDATA[Siemens Patches Flaws in Automation, Power Distribution Products
http://www.securityweek.com/siemens-patches-flaws-automation-power-distribution-products

Siemens customers were informed last week that some of the company’s automation and power distribution products are affected by vulnerabilities that can be exploited for denial-of-service (DoS) attacks and session hijacking.

Sergey Temnikov of Kaspersky Lab discovered that several Siemens products using the Discovery Service of the OPC UA protocol stack are exposed to remote attacks due to a security flaw described by ICS-CERT as an improper restriction of XML external entity (XXE) reference issue.

The vulnerability exists in the OPC Foundation’s OPC UA .NET sample code and older versions of the Local Discovery Service (LDS). A remote attacker can exploit the security hole to trick the .NET libraries used by LDS and OPC UA servers into accessing arbitrary network resources, which can lead to a DoS condition.]]></description>
		<content:encoded><![CDATA[<p>Siemens Patches Flaws in Automation, Power Distribution Products<br />
<a href="http://www.securityweek.com/siemens-patches-flaws-automation-power-distribution-products" rel="nofollow">http://www.securityweek.com/siemens-patches-flaws-automation-power-distribution-products</a></p>
<p>Siemens customers were informed last week that some of the company’s automation and power distribution products are affected by vulnerabilities that can be exploited for denial-of-service (DoS) attacks and session hijacking.</p>
<p>Sergey Temnikov of Kaspersky Lab discovered that several Siemens products using the Discovery Service of the OPC UA protocol stack are exposed to remote attacks due to a security flaw described by ICS-CERT as an improper restriction of XML external entity (XXE) reference issue.</p>
<p>The vulnerability exists in the OPC Foundation’s OPC UA .NET sample code and older versions of the Local Discovery Service (LDS). A remote attacker can exploit the security hole to trick the .NET libraries used by LDS and OPC UA servers into accessing arbitrary network resources, which can lead to a DoS condition.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2013/06/03/scada-security-basics/comment-page-7/#comment-1561458</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Mon, 04 Sep 2017 08:39:09 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/blog/?p=20102#comment-1561458</guid>
		<description><![CDATA[Assessing Cyber and Physical Risks to Oil &amp; Gas Sector
http://www.securityweek.com/assessing-cyber-and-physical-risks-oil-gas-sector

This classification applies to 16 different sectors, some of which face greater risks and challenges than others when it comes to security. Oil and natural gas (ONG) is one such sector. Here’s why:

Unsecure technologies are prevalent

Overall, many ONG companies’ IT &amp; OT infrastructures mimic an ongoing trend we’ve seen across all sectors: the widespread presence of security vulnerabilities stemming from the rapid (and often premature) adoption of digital technologies and IoT devices. Similar to how the healthcare sector’s rushed implementation of electronic medical record systems ultimately fueled an uptick in healthcare data breaches, the ONG sector’s continual adoption of increasingly-interconnected industrial control systems (ICS) is expanding the surface area upon which potential vulnerabilities could occur, threats manifest, and attacks transpire.

Even worse, many ONG companies continue to rely on outdated, insecure operating systems and even hardware. A recent Ponemon Institute study on “The State of Cybersecurity in the Oil &amp; Gas Industry” revealed that these issues may be exacerbating the fact that ONG already lags behind many other sectors when it comes to cybersecurity capabilities, readiness, and awareness. Consequently, over 70% of ONG companies have been breached in the last year.

Threat actors are more complex

While most security and intelligence teams are well-versed in protecting their organizations from the fraudsters and cybercriminals responsible for the majority of threats emanating from the Deep &amp; Dark Web, combatting the myriad of malicious cyber and physical actors targeting the ONG sector can create substantial challenges for which many teams may be neither prepared nor able to address.

State-sponsored actors are one such example. Often driven by political, ideological, and/or adversarial gain, these actors have historically targeted ONG industrial control systems, launched cyberattacks aimed at disrupting the operational continuity of regional ONG entities, and attempted to access and exploit confidential ONG information to support foreign military initiatives.

Damages can be severe

Perhaps the most obvious reason for the ONG sector’s increased cyber and physical risks stems from its omnipresent and truly vital role in modern society. Given that oil and natural gas account for the majority of the world’s energy consumption, power international trade, and remain integral determinants of the global economy, any threat that could compromise these resources and/or the systems on which they rely has the potential to yield catastrophic damages.

So what exactly could these damages look like? Past cyberattacks in the ONG sector provide some insight. Following the 2012 attack on Saudi Aramco’s cyber infrastructure, for example, nearly 75 percent of the company’s data was lost and operations – as well as a global oil supply chain – were disrupted for months and yielded lasting economic consequences.

Clearly when it comes to safeguarding critical infrastructure entities, the stakes are high – especially for ONG companies.]]></description>
		<content:encoded><![CDATA[<p>Assessing Cyber and Physical Risks to Oil &amp; Gas Sector<br />
<a href="http://www.securityweek.com/assessing-cyber-and-physical-risks-oil-gas-sector" rel="nofollow">http://www.securityweek.com/assessing-cyber-and-physical-risks-oil-gas-sector</a></p>
<p>This classification applies to 16 different sectors, some of which face greater risks and challenges than others when it comes to security. Oil and natural gas (ONG) is one such sector. Here’s why:</p>
<p>Unsecure technologies are prevalent</p>
<p>Overall, many ONG companies’ IT &amp; OT infrastructures mimic an ongoing trend we’ve seen across all sectors: the widespread presence of security vulnerabilities stemming from the rapid (and often premature) adoption of digital technologies and IoT devices. Similar to how the healthcare sector’s rushed implementation of electronic medical record systems ultimately fueled an uptick in healthcare data breaches, the ONG sector’s continual adoption of increasingly-interconnected industrial control systems (ICS) is expanding the surface area upon which potential vulnerabilities could occur, threats manifest, and attacks transpire.</p>
<p>Even worse, many ONG companies continue to rely on outdated, insecure operating systems and even hardware. A recent Ponemon Institute study on “The State of Cybersecurity in the Oil &amp; Gas Industry” revealed that these issues may be exacerbating the fact that ONG already lags behind many other sectors when it comes to cybersecurity capabilities, readiness, and awareness. Consequently, over 70% of ONG companies have been breached in the last year.</p>
<p>Threat actors are more complex</p>
<p>While most security and intelligence teams are well-versed in protecting their organizations from the fraudsters and cybercriminals responsible for the majority of threats emanating from the Deep &amp; Dark Web, combatting the myriad of malicious cyber and physical actors targeting the ONG sector can create substantial challenges for which many teams may be neither prepared nor able to address.</p>
<p>State-sponsored actors are one such example. Often driven by political, ideological, and/or adversarial gain, these actors have historically targeted ONG industrial control systems, launched cyberattacks aimed at disrupting the operational continuity of regional ONG entities, and attempted to access and exploit confidential ONG information to support foreign military initiatives.</p>
<p>Damages can be severe</p>
<p>Perhaps the most obvious reason for the ONG sector’s increased cyber and physical risks stems from its omnipresent and truly vital role in modern society. Given that oil and natural gas account for the majority of the world’s energy consumption, power international trade, and remain integral determinants of the global economy, any threat that could compromise these resources and/or the systems on which they rely has the potential to yield catastrophic damages.</p>
<p>So what exactly could these damages look like? Past cyberattacks in the ONG sector provide some insight. Following the 2012 attack on Saudi Aramco’s cyber infrastructure, for example, nearly 75 percent of the company’s data was lost and operations – as well as a global oil supply chain – were disrupted for months and yielded lasting economic consequences.</p>
<p>Clearly when it comes to safeguarding critical infrastructure entities, the stakes are high – especially for ONG companies.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2013/06/03/scada-security-basics/comment-page-7/#comment-1560868</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Wed, 30 Aug 2017 12:46:28 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/blog/?p=20102#comment-1560868</guid>
		<description><![CDATA[40% of manufacturing security professionals have no formal security strategy
https://www.designnews.com/electronics-test/40-manufacturing-security-professionals-have-no-formal-security-strategy/115121990957373?ADTRK=UBM&amp;elq_mid=788&amp;elq_cid=876648

Cisco cybersecurity survey also reported that 28% of manufacturing organizations suffered loss of revenue due to attacks in the past year.

In its 90-page 2017 Midyear Cybersecurity Report, Cisco raised a warning flag because of the accelerating pace and rising level of sophistication in the global cyber threat landscape. Focusing on manufacturing, the report said that the combination of connected devices on outdated machines might be “ripe for exploitation.” But even more concerning is what might be viewed as a muted response by companies to potential security breaches.

“A written security policy can provide a framework for improvements, yet according to the Cisco survey, 40 percent of the manufacturing security professionals said they do not have a formal security strategy, nor do they follow standardized information security policy practices such as ISO 27001 or NIST 800-53,” the report stated. 

Key Concerns for Manufacturing

According to a Bloomberg study cited in the report, 80% of US factories are more than 20 years old and could be more vulnerable to attacks since systems are phased out gradually over time. Another potential issue is the use of a relatively large number of security vendors which could create a more complex and confusing picture as IT and OT personnel work together on security challenges, along with the number of personnel dedicated to security. 

Key Report Findings

The report, in general, has a goal of keeping businesses apprised of cyber threats and vulnerabilities, and the steps companies can take to improve security and cyber-resiliency.  Two dynamics are making the challenge for companies more difficult: the escalating impact of security breaches and the pace of technological change.

Tactics being deployed by attackers are also a problem, so the report provides a comprehensive view of new developments in malware, attack methods, spam and unwanted applications such as spyware and business email compromise (BEC).

The expectation is that defenders will struggle to maintain ground as the IoT continues to expand and the prospect of new types of attacks in the future. In response, the security community “needs to expand its thinking and dialogue about how to create an open ecosystem that will allow customers to implement security solutions that will work best for their organization and make the most of existing investments.”]]></description>
		<content:encoded><![CDATA[<p>40% of manufacturing security professionals have no formal security strategy<br />
<a href="https://www.designnews.com/electronics-test/40-manufacturing-security-professionals-have-no-formal-security-strategy/115121990957373?ADTRK=UBM&#038;elq_mid=788&#038;elq_cid=876648" rel="nofollow">https://www.designnews.com/electronics-test/40-manufacturing-security-professionals-have-no-formal-security-strategy/115121990957373?ADTRK=UBM&#038;elq_mid=788&#038;elq_cid=876648</a></p>
<p>Cisco cybersecurity survey also reported that 28% of manufacturing organizations suffered loss of revenue due to attacks in the past year.</p>
<p>In its 90-page 2017 Midyear Cybersecurity Report, Cisco raised a warning flag because of the accelerating pace and rising level of sophistication in the global cyber threat landscape. Focusing on manufacturing, the report said that the combination of connected devices on outdated machines might be “ripe for exploitation.” But even more concerning is what might be viewed as a muted response by companies to potential security breaches.</p>
<p>“A written security policy can provide a framework for improvements, yet according to the Cisco survey, 40 percent of the manufacturing security professionals said they do not have a formal security strategy, nor do they follow standardized information security policy practices such as ISO 27001 or NIST 800-53,” the report stated. </p>
<p>Key Concerns for Manufacturing</p>
<p>According to a Bloomberg study cited in the report, 80% of US factories are more than 20 years old and could be more vulnerable to attacks since systems are phased out gradually over time. Another potential issue is the use of a relatively large number of security vendors which could create a more complex and confusing picture as IT and OT personnel work together on security challenges, along with the number of personnel dedicated to security. </p>
<p>Key Report Findings</p>
<p>The report, in general, has a goal of keeping businesses apprised of cyber threats and vulnerabilities, and the steps companies can take to improve security and cyber-resiliency.  Two dynamics are making the challenge for companies more difficult: the escalating impact of security breaches and the pace of technological change.</p>
<p>Tactics being deployed by attackers are also a problem, so the report provides a comprehensive view of new developments in malware, attack methods, spam and unwanted applications such as spyware and business email compromise (BEC).</p>
<p>The expectation is that defenders will struggle to maintain ground as the IoT continues to expand and the prospect of new types of attacks in the future. In response, the security community “needs to expand its thinking and dialogue about how to create an open ecosystem that will allow customers to implement security solutions that will work best for their organization and make the most of existing investments.”</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2013/06/03/scada-security-basics/comment-page-7/#comment-1560097</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Thu, 24 Aug 2017 07:33:22 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/blog/?p=20102#comment-1560097</guid>
		<description><![CDATA[Researchers Demo Remote Hacking of Industrial Cobots
http://www.securityweek.com/researchers-demo-remote-hacking-industrial-cobots

Researchers at security firm IOActive have shown how a remote attacker can hack an industrial collaborative robot, or cobot, and modify its safety settings, which could result in physical harm to nearby human operators.

A few months ago, IOActive published a brief report providing a high-level description of its research into robot cybersecurity. Researchers analyzed industrial and business robots from six vendors, including SoftBank Robotics, UBTECH Robotics, ROBOTIS, Universal Robots, Rethink Robotics and Asratec Corp.

A brief analysis of mobile applications, software and firmware led to the discovery of nearly 50 vulnerabilities, including weaknesses related to communications, authentication, authorization mechanisms, cryptography, privacy, default configurations, and open source components.]]></description>
		<content:encoded><![CDATA[<p>Researchers Demo Remote Hacking of Industrial Cobots<br />
<a href="http://www.securityweek.com/researchers-demo-remote-hacking-industrial-cobots" rel="nofollow">http://www.securityweek.com/researchers-demo-remote-hacking-industrial-cobots</a></p>
<p>Researchers at security firm IOActive have shown how a remote attacker can hack an industrial collaborative robot, or cobot, and modify its safety settings, which could result in physical harm to nearby human operators.</p>
<p>A few months ago, IOActive published a brief report providing a high-level description of its research into robot cybersecurity. Researchers analyzed industrial and business robots from six vendors, including SoftBank Robotics, UBTECH Robotics, ROBOTIS, Universal Robots, Rethink Robotics and Asratec Corp.</p>
<p>A brief analysis of mobile applications, software and firmware led to the discovery of nearly 50 vulnerabilities, including weaknesses related to communications, authentication, authorization mechanisms, cryptography, privacy, default configurations, and open source components.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2013/06/03/scada-security-basics/comment-page-7/#comment-1558124</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Tue, 08 Aug 2017 10:21:55 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/blog/?p=20102#comment-1558124</guid>
		<description><![CDATA[Energy management and automation giant Schneider Electric has teamed up with industrial cybersecurity startup Claroty to offer its customers solutions for protecting industrial control systems (ICS) and operational technology (OT) networks.

Claroty, which emerged from stealth mode in September 2016 with $32 million in funding, will market its products through Schneider’s Collaborative Automation Partner Program (CAPP).

Schneider’s CAPP enables its customers to find the right technology solutions and integrate them with the company’s own offering. Claroty, whose products have undergone rigorous testing to ensure interoperability, will provide network monitoring solutions.

Claroty’s platform is designed to protect ICS and continuously monitor OT networks for threats without disrupting operations. The product enables organizations to control remote employee and third-party access to critical systems, including recording their sessions. It also creates a detailed inventory of industrial network assets, identifies configuration issues, monitors traffic, and looks for anomalies that could indicate the presence of a malicious actor.

The product can be integrated with Schneider Electric’s existing cybersecurity and edge control offerings through the company’s EcoStruxure architecture.

Schneider Electric is not the only automation giant that has teamed up with Claroty. In February, Rockwell Automation announced a partnership with the company for combined security offerings.]]></description>
		<content:encoded><![CDATA[<p>Energy management and automation giant Schneider Electric has teamed up with industrial cybersecurity startup Claroty to offer its customers solutions for protecting industrial control systems (ICS) and operational technology (OT) networks.</p>
<p>Claroty, which emerged from stealth mode in September 2016 with $32 million in funding, will market its products through Schneider’s Collaborative Automation Partner Program (CAPP).</p>
<p>Schneider’s CAPP enables its customers to find the right technology solutions and integrate them with the company’s own offering. Claroty, whose products have undergone rigorous testing to ensure interoperability, will provide network monitoring solutions.</p>
<p>Claroty’s platform is designed to protect ICS and continuously monitor OT networks for threats without disrupting operations. The product enables organizations to control remote employee and third-party access to critical systems, including recording their sessions. It also creates a detailed inventory of industrial network assets, identifies configuration issues, monitors traffic, and looks for anomalies that could indicate the presence of a malicious actor.</p>
<p>The product can be integrated with Schneider Electric’s existing cybersecurity and edge control offerings through the company’s EcoStruxure architecture.</p>
<p>Schneider Electric is not the only automation giant that has teamed up with Claroty. In February, Rockwell Automation announced a partnership with the company for combined security offerings.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2013/06/03/scada-security-basics/comment-page-7/#comment-1556885</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Sun, 30 Jul 2017 06:16:06 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/blog/?p=20102#comment-1556885</guid>
		<description><![CDATA[How Hackers Can Use &#039;Evil Bubbles&#039; to Destroy Industrial Pumps
https://www.wired.com/story/evil-bubbles-industrial-pump-hack

Since the NSA’s infamous Stuxnet malware started exploding Iranian centrifuges, hacker attacks that disrupt big, physical systems have moved out of the realm of Die Hard sequels and into reality. As those attacks evolve, the cybersecurity community has started to move beyond the question of whether hacks can impact physical infrastructure, to the more chilling question of exactly what those attacks might accomplish. Judging by one proof-of-concept demonstration, they could come in far more insidious forms than defenders expect.

In a talk at the Black Hat security conference Thursday, Honeywell security researcher Marina Krotofil showed one example of an attack on industrial systems meant to drive home just how surreptitious the hacking of so-called cyberphysical systems—physical systems that can be manipulated by digital means—might be. With a laptop connected to a $50,000, 610-pound industrial pump, she showed how a hacker could leverage a hidden, highly destructive weapon on that massive machine: bubbles.

“Bubbles can be evil,” she said. “These bubbles are my attack payload. And I deliver them through the physics of the process.”

Importantly, Krotofil&#039;s hacker had delivered the evil bubbles without having any access to the pump component of her rig. Instead, he had only adjusted a valve further upstream to decrease the pressure in a certain chamber, which caused bubbles to form. When those bubbles strike the pump, they implode and, in a process called “cavitation,” turn back into a liquid, transferring their energy to the pump. “They collapse at very high velocity and high frequency, which creates massive shockwaves,” Krotofil explained.

That means a hacker would be able to quietly and steadily cause damage to the pump, despite obtaining only indirect access to it. But Krotofil&#039;s attack doesn&#039;t merely warn about the specific danger of hacker-induced bubbles. Instead, it&#039;s meant as a more general harbinger, illustrating that in the coming world of cyberphysical hacking, attackers can use physics to cause chain reactions, inducing mayhem even in parts of a system that they haven’t directly breached.

“She can use a less critical piece to control that critical piece of the system,” says Jason Larsen, a researcher with security consultancy IOActive who worked with Krotofil on some parts of her research. “If you look at just the data flows, you’re going to miss a bunch of attack vectors. There are also these physical flows that go between parts of the system.”]]></description>
		<content:encoded><![CDATA[<p>How Hackers Can Use &#8216;Evil Bubbles&#8217; to Destroy Industrial Pumps<br />
<a href="https://www.wired.com/story/evil-bubbles-industrial-pump-hack" rel="nofollow">https://www.wired.com/story/evil-bubbles-industrial-pump-hack</a></p>
<p>Since the NSA’s infamous Stuxnet malware started exploding Iranian centrifuges, hacker attacks that disrupt big, physical systems have moved out of the realm of Die Hard sequels and into reality. As those attacks evolve, the cybersecurity community has started to move beyond the question of whether hacks can impact physical infrastructure, to the more chilling question of exactly what those attacks might accomplish. Judging by one proof-of-concept demonstration, they could come in far more insidious forms than defenders expect.</p>
<p>In a talk at the Black Hat security conference Thursday, Honeywell security researcher Marina Krotofil showed one example of an attack on industrial systems meant to drive home just how surreptitious the hacking of so-called cyberphysical systems—physical systems that can be manipulated by digital means—might be. With a laptop connected to a $50,000, 610-pound industrial pump, she showed how a hacker could leverage a hidden, highly destructive weapon on that massive machine: bubbles.</p>
<p>“Bubbles can be evil,” she said. “These bubbles are my attack payload. And I deliver them through the physics of the process.”</p>
<p>Importantly, Krotofil&#8217;s hacker had delivered the evil bubbles without having any access to the pump component of her rig. Instead, he had only adjusted a valve further upstream to decrease the pressure in a certain chamber, which caused bubbles to form. When those bubbles strike the pump, they implode and, in a process called “cavitation,” turn back into a liquid, transferring their energy to the pump. “They collapse at very high velocity and high frequency, which creates massive shockwaves,” Krotofil explained.</p>
<p>That means a hacker would be able to quietly and steadily cause damage to the pump, despite obtaining only indirect access to it. But Krotofil&#8217;s attack doesn&#8217;t merely warn about the specific danger of hacker-induced bubbles. Instead, it&#8217;s meant as a more general harbinger, illustrating that in the coming world of cyberphysical hacking, attackers can use physics to cause chain reactions, inducing mayhem even in parts of a system that they haven’t directly breached.</p>
<p>“She can use a less critical piece to control that critical piece of the system,” says Jason Larsen, a researcher with security consultancy IOActive who worked with Krotofil on some parts of her research. “If you look at just the data flows, you’re going to miss a bunch of attack vectors. There are also these physical flows that go between parts of the system.”</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2013/06/03/scada-security-basics/comment-page-7/#comment-1556174</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Tue, 25 Jul 2017 09:01:41 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/blog/?p=20102#comment-1556174</guid>
		<description><![CDATA[Dummies Book Takes a Crack at the IT/OT Conflict
The book, Industrial Cyber Security for Dummies, looks at ways to secure plants while preserving uptime.
https://www.designnews.com/cyber-security/dummies-book-takes-crack-itot-conflict/155168305457155?cid=nl.x.dn14.edt.aud.dn.20170720.tst004t

Not surprisingly, a book about industrial cybersecurity becomes a deep dive into the endless conflict between information technology (IT) and operational technology (OT). Each of the two professions has an unequivocal mandate, and the mandates are in direct conflict. IT is devoted to security; OT is committed to uptime. Put simply, IT says, “If you don’t load this patch, you’ll get hacked,” while OT says, “If we shut the plant down for your patch, we’ll blow our quarter.”

Tripwire, a Belden company, has partnered with John Wiley &amp; Sons to produce Industrial Cyber Security for Dummies, a short book authored by David Meltzer, Tripwire’s CTO, and Jeff Lund, a product manager at Belden. The book takes a look at the details of how to secure an industrial network. Digital copies are available free at this Belden link. 

http://info.belden.com/iit/cyber-security-for-dummies]]></description>
		<content:encoded><![CDATA[<p>Dummies Book Takes a Crack at the IT/OT Conflict<br />
The book, Industrial Cyber Security for Dummies, looks at ways to secure plants while preserving uptime.<br />
<a href="https://www.designnews.com/cyber-security/dummies-book-takes-crack-itot-conflict/155168305457155?cid=nl.x.dn14.edt.aud.dn.20170720.tst004t" rel="nofollow">https://www.designnews.com/cyber-security/dummies-book-takes-crack-itot-conflict/155168305457155?cid=nl.x.dn14.edt.aud.dn.20170720.tst004t</a></p>
<p>Not surprisingly, a book about industrial cybersecurity becomes a deep dive into the endless conflict between information technology (IT) and operational technology (OT). Each of the two professions has an unequivocal mandate, and the mandates are in direct conflict. IT is devoted to security; OT is committed to uptime. Put simply, IT says, “If you don’t load this patch, you’ll get hacked,” while OT says, “If we shut the plant down for your patch, we’ll blow our quarter.”</p>
<p>Tripwire, a Belden company, has partnered with John Wiley &amp; Sons to produce Industrial Cyber Security for Dummies, a short book authored by David Meltzer, Tripwire’s CTO, and Jeff Lund, a product manager at Belden. The book takes a look at the details of how to secure an industrial network. Digital copies are available free at this Belden link. </p>
<p><a href="http://info.belden.com/iit/cyber-security-for-dummies" rel="nofollow">http://info.belden.com/iit/cyber-security-for-dummies</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2013/06/03/scada-security-basics/comment-page-7/#comment-1553937</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Thu, 06 Jul 2017 11:55:07 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/blog/?p=20102#comment-1553937</guid>
		<description><![CDATA[Hacking Into…. A Wind Farm?
http://hackaday.com/2017/07/06/hacking-into-a-wind-farm/

Pick a lock, plug in a WiFi-enabled Raspberry Pi and that’s nearly all there is to it.

There’s more than that of course, but the wind farms that [Jason Staggs] and his fellow researchers at the University of Tulsa had permission to access were — alarmingly — devoid of security measures beyond a padlock or tumbler lock on the turbines’ server closet. Being that wind farms are generally in open fields away from watchful eyes, there is little indeed to deter a would-be attacker.

[Staggs] notes that a savvy intruder has the potential to shut down or cause considerable — and expensive — damage to entire farms without alerting their operators, usually needing access to only one turbine to do so. Once they’d entered the turbine’s innards, the team made good on their penetration test by plugging their Pi into the turbine’s programmable automation controller and circumventing the modest network security.

Researchers Found They Could Hack Entire Wind Farms
https://www.wired.com/story/wind-turbine-hack]]></description>
		<content:encoded><![CDATA[<p>Hacking Into…. A Wind Farm?<br />
<a href="http://hackaday.com/2017/07/06/hacking-into-a-wind-farm/" rel="nofollow">http://hackaday.com/2017/07/06/hacking-into-a-wind-farm/</a></p>
<p>Pick a lock, plug in a WiFi-enabled Raspberry Pi and that’s nearly all there is to it.</p>
<p>There’s more than that of course, but the wind farms that [Jason Staggs] and his fellow researchers at the University of Tulsa had permission to access were — alarmingly — devoid of security measures beyond a padlock or tumbler lock on the turbines’ server closet. Being that wind farms are generally in open fields away from watchful eyes, there is little indeed to deter a would-be attacker.</p>
<p>[Staggs] notes that a savvy intruder has the potential to shut down or cause considerable — and expensive — damage to entire farms without alerting their operators, usually needing access to only one turbine to do so. Once they’d entered the turbine’s innards, the team made good on their penetration test by plugging their Pi into the turbine’s programmable automation controller and circumventing the modest network security.</p>
<p>Researchers Found They Could Hack Entire Wind Farms<br />
<a href="https://www.wired.com/story/wind-turbine-hack" rel="nofollow">https://www.wired.com/story/wind-turbine-hack</a></p>
]]></content:encoded>
	</item>
</channel>
</rss>
