SCADA security basics

Supervisory Control and Data Acquisition (SCADA) systems are used for remote monitoring and control in the delivery of essential services such as electricity, natural gas, water, waste treatment and transportation. SCADA software runs on ordinary computers, but it is used by owners of critical infrastructure and various other types of industrial facilities to monitor and control industrial processes.

This blog post introduces SCADA system fundamentals that help in analyzing their security considerations.

Remote monitoring is widely considered one of the most difficult applications to implement cost-effectively, and remote monitoring using SCADA systems has traditionally been a difficult and expensive task. SCADA systems have traditionally used their own communications networks, and their security has been largely based on keeping the SCADA network separate from public networks and on the fact that few people knew the special protocols used on those systems (security by obscurity).

Internet technologies have made remote monitoring easier and more cost-effective in many applications, but on the other hand they have created a new set of risks related to hacking. If you connect a remote monitoring system that uses an insecure communications protocol to the Internet, sooner or later somebody will figure out how to break into your system. If your system only does monitoring, an attacker can stop your communications or, worse, feed you false data. If your remote monitoring system is also used to control something, the risks are far greater.

There isn’t a single security solution capable of addressing all existing and future risks. It is necessary to implement a series of different defenses across the system: safeguards deployed throughout the platform provide robust protection against the vast majority of attacks.

Modern SCADA systems are typically designed for security using platforms similar to typical networked clients, such as laptops and workstations, but there are also some SCADA-specific considerations. Security systems easily become complicated, and unfortunately, as the complexity of securing devices increases, so does the risk of vulnerabilities slipping past equipment manufacturers and IT organizations. Industrial control systems (ICS), distributed control systems (DCS) and supervisory control and data acquisition (SCADA) systems have all been around for decades, but thanks to Stuxnet, Duqu and other major incidents, these systems have recently begun receiving serious security consideration.

Cyber security is war. You have to defend your systems from all sorts of outside attackers, and if a skilled and determined one gets you in his sights, defending yourself may be tougher than you think. Once an attacker breaks through a hardened perimeter, moving around inside is usually pretty easy. That’s why defense in depth, with incident detection, response and attribution, is so important.

Security is all about layers. You can’t ever block everything in one place, so you need layers of security to protect yourself. An enterprise can deploy many devices and layers to protect itself and its customers, because no single solution can protect you 100 percent against everything.

Want it Secure? Target Both Design and Data Security article says that in today’s increasingly connected world, security applies to servers as well as mobile and remote embedded devices. The latter are often exposed to physical tampering while data travelling over networks is exposed to compromise and hacking. Security depends on securing the complete connected universe.

How safe is your network? Is Your Network Safe? article tells that just a few years ago, plants didn’t have to worry about the safety of their networks. From an IT point of view, plants were silos — succinct and secure. That changed over the past decade. To improve efficiency, plants connected out to the company’s back office and beyond to suppliers and customers. Most of the connectivity runs along Internet connections. This extended network prompted a battle between the organization’s IT team and the control folks on the factory floor. If your plant is running 24/7, you can’t add patches and reboot without shutting down the plant. In addition, the plant is now vulnerable to hacking (terrorists, hackers, competitors and disgruntled employees).

Six Ways to Improve SCADA Security blog article tells that when it comes to securing SCADA networks, we are usually years or even decades behind when compared to securing typical IT networks. The article presents some of the SCADA security’s most daunting challenges along with some recommendations to secure SCADA networks.

1. A SCADA network is inadvertently connected to a company’s IT network or even to the internet
2. ‘Data presentation and control’ now runs off-the-shelf software
3. Control systems not patched
4. Authentication and authorization
5. Insecure ‘datacommunication’ protocols
6. Long life span of SCADA systems

Understanding cyberspace is key to defending against digital attacks article tells that in recent years, there has been one stunning revelation after the next about how such unknown vulnerabilities were used to break into systems that were assumed to be secure.

Growing numbers of other kinds of machines and “smart” devices are also linked to the Internet: security cameras, elevators and CT scan machines; global positioning systems and satellites; jet fighters and global banking networks; commuter trains and the computers that control power grids and water systems. “We have built our future upon a capability that we have not learned how to protect,” former CIA director George J. Tenet has said.

As commercial and civil network infrastructures become increasingly dependent on arrays of Internet-connected computers, they are becoming increasingly susceptible to attack from hostile nations, non-governmental terrorist groups and cyber criminals.

“Companies want to make money,” as the article puts it. “They don’t want to sit around and make their software perfect.” Many of the vulnerabilities are related to errors in code designed to parse data sent over the Internet. The software makers often failed to heed the warnings from security researchers, and some vulnerabilities remained for a long time. And even in cases where the manufacturer has a fix, the customer might not apply it any time soon, because in many cases you can’t add patches and reboot without shutting down the plant.

Want it Secure? Target Both Design and Data Security article says that adding robust security features to a design can substantially impact the complexity, power consumption and cost of a system. These challenges include supporting the computational complexity required to run advanced cryptographic algorithms, providing secure insertion and storage of encryption keys, and authenticating and encrypting data exchanged over public network connections.
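To make the authentication requirement concrete, here is an added example (not from the article or the report it cites): a telemetry reading is wrapped in a frame carrying a sequence number and an HMAC-SHA256 tag, so that the receiver rejects the tampered or replayed “false data” discussed above, while a legacy receiver for an unauthenticated protocol believes whatever arrives. The frame layout, point id, field names and key are constructed for this illustration and belong to no real SCADA protocol.

```python
"""Added example: integrity-protected telemetry frames (constructed layout)."""
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 output size
# Constructed frame layout (not a real SCADA protocol):
#   16-bit point id, 32-bit sequence number, signed 32-bit value in thousandths,
#   followed by a 32-byte HMAC-SHA256 tag over the preceding fields.
HEADER = struct.Struct("!HIi")


def build_frame(key, point_id, seq, value_milli):
    """Sender side: pack the reading and append its authentication tag."""
    body = HEADER.pack(point_id, seq, value_milli)
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


def legacy_accept(body):
    """Receiver for an unauthenticated protocol: whatever arrives is believed."""
    point_id, _seq, value_milli = HEADER.unpack(body)
    return point_id, value_milli


class Receiver:
    """Receiver that verifies the tag and enforces increasing sequence numbers."""

    def __init__(self, key):
        self._key = key
        self._last_seq = {}  # point id -> last accepted sequence number

    def accept(self, frame):
        """Return (point_id, value_milli) for a valid frame, else raise ValueError."""
        if len(frame) != HEADER.size + TAG_LEN:
            raise ValueError("bad length")
        body, tag = frame[:HEADER.size], frame[HEADER.size:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        # compare_digest is constant-time; a plain == would leak timing information.
        if not hmac.compare_digest(tag, expected):
            raise ValueError("authentication failed")
        point_id, seq, value_milli = HEADER.unpack(body)
        last = self._last_seq.get(point_id, -1)
        if seq <= last:
            raise ValueError(f"replay or reordering: seq {seq} <= {last}")
        self._last_seq[point_id] = seq
        return point_id, value_milli


def demo():
    """Run one legitimate frame, one tampered frame and one replayed frame."""
    key = b"constructed-demo-key-not-for-production"
    rx = Receiver(key)
    results = {}
    good = build_frame(key, 7, 1, 41_250)  # reading 41.250 for constructed point 7
    results["good"] = rx.accept(good)
    # Someone on the wire modifies one byte of the value but cannot recompute the tag.
    tampered = bytearray(build_frame(key, 7, 2, 41_300))
    tampered[8] ^= 0x10  # value field is bytes 6..9; this turns 41300 into 45396
    # The unauthenticated receiver accepts the forged reading as genuine.
    results["legacy_tampered"] = legacy_accept(bytes(tampered[:HEADER.size]))
    try:
        rx.accept(bytes(tampered))
        results["tampered"] = "accepted"
    except ValueError as exc:
        results["tampered"] = str(exc)
    # Replaying the earlier valid frame fails the sequence check.
    try:
        rx.accept(good)
        results["replay"] = "accepted"
    except ValueError as exc:
        results["replay"] = str(exc)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The sequence check only covers replay within one receiver's memory; a deployed design also needs key provisioning and a policy for what happens after a receiver restart.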

The HP Cyber Security Risk Report says that the number of SCADA system vulnerabilities has risen sharply in the last few years. In 2008 there were 22 holes in them; in 2012 there were 191 holes in SCADA systems. This means 768 percent growth since 2008.


  1. Tomi Engdahl says:

    Steven Scheer / Reuters:
    Israel’s Cyber-security start-up Claroty exits stealth, raises $32M from Bessemer Venture Partners, Eric Schmidt’s Innovation Endeavors, others

    Israeli cyber-security firm Claroty exits ‘stealth mode,’ raises $32 million

    “The reason these critical systems are increasingly exposed to cyber threats is twofold: Industrial and IT networks are becoming considerably more interconnected in order to achieve important business goals, but industrial control systems were originally designed with safety and resilience, not cyber-security, as primary objectives,” said Amir Zilberstein, Claroty’s CEO.

  2. Tomi Engdahl says:

    Interest in the IoT yields interest in OT security

    The Internet of Things (IoT) is becoming more commonplace in the workplace, which has, in turn, increased interest in operational technology (OT) security.

    The more an organization wants to raise productivity, the more its individual parts need to connect (devices to systems, machines to data, people to processes) to create increased automation. Heat sensors tell the system when to cool down. Instruments detect when medical tests are complete. Viscosity sensors keep oil running through pipelines. These man-to-man, man-to-machine, and machine-to-machine (M2M) connections on the industrial Internet increase productivity and efficiencies.

    The industrial Internet represents a huge opportunity for growth and efficiency. To realize the full benefits of the industrial Internet, organizations have to connect to the Internet, to local and wide area networks, to information technology (IT) and to other control systems.

    Today, the industrial world runs on critical physical assets and embedded systems known as operational technology (OT). Gartner, Inc. forecasts that 6.4 billion connected Internet of Things (IoT) will be in use worldwide in 2016, up 30% from 2015, and will reach 20.8 billion by 2020. In 2016, 5.5 million new things will get connected every day.

    However, this growing number of connected devices also greatly expands the attack surface. Every new connection adds to that which security professionals must protect.

    Adding to the difficulty, those who attempt to hack into the industrial Internet tend to have a lower risk/higher reward dynamic than those who attack IT networks.

    Compared to IT hackers who end up with data, OT hackers can cause immense havoc, such as disabling a factory or generating other debilitating disruptions.

    Thus, there can be a false sense of security when protecting a network that does not have, and often has never had, an active unsecured connection. There are two major reasons why this is not possible:

    1. If a system is operating in isolation, that doesn’t mean it can’t get attached. An employee simply accessing an email with a keyboard can breach the gap.

    2. In today’s world, to raise productivity, a system must be connected. Somewhere along the connectivity chain, the system is going to become attached—either willfully or through a possible error. In fact, most CISO’s are more concerned over accidental activities by authorized users versus threats by external adversaries.

    Raising OT cybersecurity awareness

    It seems like every B2B trade publication has articles on the IoT. Although security concerns never seem to be the subject of the article, security directors are reading between the lines. And, although these articles don’t typically address the real problems inherent with protecting such systems, they are starting, at least, to discuss the issues.

    As the IoT continues to change the industrial control landscape, it will also change the very nature of industrial cybersecurity. Future industrial Internet security strategies will require a broader scope that includes cloud systems and remote devices, more emphasis on device-centric security and secure-by-design and a shift from security management silos to IT-OT security networks.

  3. Tomi Engdahl says:

    Consortium Forms Framework for Industrial Cybersecurity

    The Industrial Internet Consortium (IIC) has released the initial version of its Security Framework for industrial Internet of Things (IIoT) development. The Framework, an adjunct to the IIoT Reference Architecture the Consortium released last year, seeks to initiate a process that will result in broad industry consensus on how to secure IIoT systems. The goal is to ensure that security is a fundamental part of an IIoT system’s architecture, not simply bolted on, and covers the system end-to-end including endpoint devices and the links between system elements.

    “The Security Framework looks at IIoT security from three different perspectives,” Hamed Soroush, the IIC’s security working group chair, told EE Times in an interview. “Chip makers, equipment developers, and end users all have an important role in security for the IIoT, but often work without knowing one another’s perspectives. The Framework will help them talk to each other.” It also provides guidance to management on risk management when considering security, he added.

    The Framework establishes a basis for discussions on how to address these needs. It also, Soroush pointed out, includes annexes that identify relevant existing security standards and best practices to guide developers. In addition, the Framework provides details on five characteristics — security, privacy, resilience, reliability and safety — that help define “trustworthiness” in the Information Technology (IT) and Operational Technology (OT) systems that overlap in the IIoT, as well as defining risk, assessments, threats, metrics and performance indicators to help business management protect their organizations.

    The IIoT Security Framework is available as a PDF document for any interested party, not just Consortium members.


  4. Tomi Engdahl says:

    Three Questions Every ICS Security Team Should Ask

    Securing ICS networks is an extremely challenging task. Primarily because they lack many of the threat monitoring, detection, and response capabilities commonly found in IT infrastructures. To put ICS security in context, let’s consider the top three questions every organization should ask themselves about securing their network.

    1. Do we know what needs to be protected?
    2. What is happening in the ICS network?
    3. Can we effectively manage and respond to security events?

  5. Tomi Engdahl says:

    Small-scale automation projects
    Inside Machines: How to get past time, money, and resource issues when executing small projects and specifying automation equipment and components.

    For small-scale automation projects, low costs, ease of implementation, and a simple purchasing process are key requirements. On the supplier side, servicing these smaller customers can be challenging using traditional distribution channels. Many of these small-scale projects are using online product selection, purchasing, and support to address these issues—with varying degrees of success.

    It’s important to understand the issues involved with small-scale automation projects—the advantages and the drawbacks of different buying processes.

    Small project issues

    Small-scale automation projects are common for many control system integrators and machine builders (see Figure 1). These projects are small in terms of allotted budget, time, and personnel, but flawless execution is still required. This makes efficiency during each step of the project extremely important.

    Common restrictions with executing small projects include tight budgets, short schedules, and limited availability of personnel. Before the project even starts, it often sits waiting for a purchase order from the customer. Many customers use this stage to request quotes for different options and to negotiate lower prices, and these tasks must be closely managed to stay within the budget. Given the small size of the project, suppliers can generally be strict with customers on these issues, holding to the price and restricting available options.

    The temptation on many small projects is to forgo schedule planning; however a schedule always needs to exist for the purpose of knowing the status of every project. Each schedule should include major tasks, due dates, and dependencies among tasks.

    Finding an online store or distributor that understands and can help address these constraints is critical to the success of small-scale automation projects. Online sources and distributors can help with the following list of steps for each project:

    Design and specification
    Product evaluation, pricing, and selection
    Purchasing process

    Solutions for small-scale automation projects

    Distributors and online stores simplify the design process for small-scale automation projects in many ways including:

    Efficiency: Reduces the stages of projects by reducing the required interactions between project personnel and suppliers.
    Order tracking: Helps the purchasing department track ordering and receipt of parts.
    Supply a list of parts: The right distributor or online store can supply a parts list with part numbers, manufacturers, pricing, and delivery times for 80% or more of the parts needed on a small project. Typical parts needed on a small automation project may include control enclosures, power distribution components, programmable logic controllers (PLCs), motor controllers, sensors, pneumatic components, cables and connectors; automation distributors and online stores will generally have most of these products on hand.
    Immediate delivery: Distributors can offer immediate delivery of product in stock but often take a few days to deliver other items. Online stores typically stock a much wider range of products and usually offer next-day delivery for all items (see Figure 2). While there may be some time available to wait for products during the initial purchasing stage, this usually isn’t the case when the project is in progress and a need arises for different or additional parts. In these cases, quick delivery becomes crucial.
    Free technical assistance: Some online stores provide lots of free technical assistance. While distributors will generally offer face-to-face assistance when available, the technical acumen of personnel varies widely, particularly when it comes to automation. These factors should be taken into account when technical assistance will be required on a small project, which is often.

    The final decision to buy online or through a distributor often comes down to factors outside of the project team’s control. If the local distributor is not technically competent when it comes to automation, then a good online store is often the only workable option. If the project team has a good working relationship with a nearby distributor, that may motivate a decision using that approach. Another factor is personal preference. Project personnel may prefer the online buying experience and its 24/7 access, often because of being more familiar with online buying.

  6. Tomi Engdahl says:

    Know the risks of securing safety systems

    Even if a safety system is isolated and separate from a network, the potential for a cyber attack remains and companies and users need to be vigilant and take necessary precautions.

    One assumption about safety systems is they need to remain isolated from the control system, ensuring nothing will hinder their mission to keep the plant and workers safe.

    If we have learned anything in this cyber-aware world, isolation is not security. That means no matter if safety is separate, integrated or interfaced, there is always a path in.

    In these days of working in open, connected manufacturing enterprises, security threats hover over a facility like a looming blizzard, potentially undercutting the vast ability connected plants have to reduce cost and increase productivity and profitability. Control systems, and just as importantly, the safety system, need to stay secure.

    That means the manufacturer needs to treat its safety systems like any other in a facility and conduct a risk assessment to understand any and all strengths and weaknesses.

    “The risk-assessment process is the same as with a control system in that you have to identify the system and how it interfaces with the rest of the system, which is pretty critical,” said John Cusimano, director of industrial cybersecurity at aeSolutions. “Generally speaking, it is always best practice to treat the safety systems as its own zone and then you perform a risk assessment on that safety zone.”

    While the process control system and the safety system have similarities, there is one major distinction.

    “The biggest difference with a safety system is the consequences,” Cusimano said. “When you do the risk assessment in the safety system zone it comes out at a higher risk, it will change your protection and your decisions on how you are going to secure that zone. It will be a higher level of security and require stronger mitigations. Generally, you are trying to minimize the communications and reduce the attack surface.”

    Safety systems remain a vital cog not just in keeping the plant and people safe, but also enabling successful business performance.

    “The biggest thing users are coming to realize is the attack will most likely come from inside the network than outside,” said Sven Grone, industrial automation turbomachinery control business development at Schneider Electric. “Things like inadvertent viruses on flash drives, contractors coming in with their machines and hooking up to the network to work on gear. These are people you invited into your systems to work on it and you are not controlling their machines and not controlling what they are putting on the network. There is definitely an element of social engineering and having to deal with people’s behavior and operational behavior in the cybersecurity process that is often not nearly as prevalent than doing functional safety.”

    Security whether separate or integrated

    When it comes to securing a safety system, the age-old question of integrated or separate systems continues to rear its ugly head.

    “I am a personal believer in a separate system. The little amount of money you save making it integrated is just the engineering portion of it,” said Nasir Mundh, global director of safety services at Schneider Electric.

    No matter the type of system, vigilance remains the key priority.

    “Integrated, interfaced, or separate. There is no right, no wrong, only choice.”

    “We integrate safety and now security becomes an issue—we are seeing a movement back to maintaining as much distance between the control system and safety as possible,” Elliott said. “Thinking about moving toward open standards and connecting everything together, next security is a consideration—solving one problem, creates another.”

  7. Tomi Engdahl says:

    Preparing for a cyber attack
    An incident response (IR) plan is a vital component of cybersecurity strategy.

    What was once an afterthought for oil and gas organizations, cybersecurity is now center stage. Cybersecurity impacts every facet of oil and gas operations, which are now more digital and connected than ever. As such, chief information security officers (CISO) understand that attacks are inevitable, and what counts today is how organizations respond to threats and their overall level of cyber-readiness.

    Cybersecurity has similar traits to physical security. Many people have an alarm system in their house, not to prevent a break-in from occurring, but to immediately alert the house’s occupants, and authorities, when one happens. Further, while everything in a home may have value, the most valuable items are frequently stored in a safe for added protection.

    Organizations are beginning to think about cybersecurity in the same way. As threats become more sophisticated, companies must acknowledge that attacks can’t necessarily be prevented, but fast response time and a secure environment for the most critical data and assets are key to building a strong cybersecurity position.

    Cybersecurity attacks on energy organizations are more targeted than other industries, causing costly damage to operational technology (OT) environments. With an increasing number of connected devices and two very unique operating environments—IT and OT—the oil and gas sector’s greatest challenge is to establish clear and informative guidelines for people and processes during a cyber attack.

    Despite having an incident response (IR) plan in place, very few oil and gas organizations run through full simulation exercises of this plan. Simulated exercises can reveal incorrect assumptions made during the IR process and also alert security leaders to gaping holes

  8. Tomi Engdahl says:

    Nuclear Plants Leak Critical Alerts In Unencrypted Pager Messages

    A surprisingly large number of critical infrastructure participants — including chemical manufacturers, nuclear and electric plants, defense contractors, building operators and chip makers — rely on unsecured wireless pagers to automate their industrial control systems. According to a new report, this practice opens them to malicious hacks and espionage. Earlier this year, researchers from security firm Trend Micro collected more than 54 million pages over a four-month span using low-cost hardware. In some cases, the messages alerted recipients to unsafe conditions affecting mission-critical infrastructure as they were detected. A heating, venting, and air-conditioning system, for instance, used an e-mail-to-pager gateway to alert a hospital to a potentially dangerous level of sewage water. Meanwhile, a supervisory and control data acquisition system belonging to one of the world’s biggest chemical companies sent a page containing a complete “stack dump” of one of its devices. Other unencrypted alerts sent by or to “several nuclear plants scattered among different states

    Nuclear plants leak critical alerts in unencrypted pager messages
    A surprising number of critical infrastructure participants do, too, study finds.

    A surprisingly large number of critical infrastructure participants—including chemical manufacturers, nuclear and electric plants, defense contractors, building operators and chip makers—rely on unsecured wireless pagers to automate their industrial control systems. According to a new report, this practice opens them to malicious hacks and espionage.

    Earlier this year, researchers from security firm Trend Micro collected more than 54 million pages over a four-month span using low-cost hardware.

    Other unencrypted alerts sent by or to “several nuclear plants scattered among different states” included:

    Reduced pumping flow rate
    Water leak, steam leak, radiant coolant service leak, electrohydraulic control oil leak
    Fire accidents in an unrestricted area and in an administration building
    Loss of redundancy
    People requiring off-site medical attention
    A control rod losing its position indication due to a data fault
    Nuclear contamination without personal damage

    The researchers also demonstrated that it’s trivial to inject counterfeit messages into the paging systems used by many of the organizations they monitored. The spoofed messages worked on systems using both the Post Office Code Standardization Advisory Group protocol and another one known as FLEX. The spoofing simulation was performed in a secure environment to ensure the bogus messages weren’t received by real pager systems.

    It’s ironic that light-weight text messaging programs such as Signal or WhatsApp contain more privacy controls than the alert mechanisms used by many nuclear plants and other critical infrastructure providers.

    A TrendLabs Research Paper
    Leaking Beeps: Unencrypted Pager Messages in Industrial Environments

  9. Tomi Engdahl says:

    Nuclear power plants are still using pagers to communicate, and that’s a big problem

    Nuclear power plants and other critical infrastructure could be vulnerable to hacking or attacks due to their continued reliance on a technology most young people today wouldn’t even recognise: pagers.

    According to a new report, these archaic precursors to mobile phones are still in regular use by workers at nuclear plants, who use them to send messages and alerts about plant operations.

    But the danger is that most of these communications have zero security, meaning they can easily be intercepted.

    Researchers at tech security firm Trend Micro collected almost 55 million pager messages – called pages – sent over US airwaves during a four-month sting earlier in the year, intercepting sensitive communications from nuclear (and other power) plants, plus chemical plants, defence contractors, and more.

  10. Tomi Engdahl says:

    USAF Academy Works With Cybersecurity Developer

    The United States Air Force Academy (USAFA) is collaborating with root9B to develop intrusion detection tools for industrial control systems (ICS). It is hoped that the efforts will advance the available knowledge of ICS Intrusion Detection and Prevention Systems (IDS/IPS), and work to recognize and protect ICS systems from malicious threats.

    Earl Eiland, root9B’s senior cybersecurity engineering and ICS expert, notes: “By improving IDS/IPS assessments, we are improving the overall IDS/IPS R&D process. By extension, ICS system attack resistance and mission assurance are increased.”

  11. Tomi Engdahl says:

    Streamline Your Network With A Syslog-enabled RTU

    Syslog is a standard protocol for logging event messages. A wide range of devices support Syslog Protocol, and it can be used to log different types of events. This flexibility makes it a popular choice in many networks.

    Unfortunately, it can be a challenge to find a quality Remote Telemetry Unit (RTU) that also reports Syslog messages to your Syslog server. Most RTUs use telecom/SCADA protocols like SNMP or DNP and don’t support Syslog.

    Find an RTU that matches your network needs and reports messages to your current Syslog manager.

  12. Tomi Engdahl says:

    Why Unidirectional Security Gateways can replace firewalls in industrial network environments

    In this podcast recorded at IoT Solutions World Congress Barcelona 2016, Andrew Ginter, VP of Industrial Security at Waterfall Security, talks about Unidirectional Security Gateways. They can replace firewalls in industrial network environments, providing absolute protection to control systems and operations networks from attacks originating on external networks.

    Unidirectional Gateway solutions come in pairs: the TX appliance contains a laser, and the RX appliance contains an optical receiver. The Gateway pair can transmit information out of an operations network, but is incapable of propagating any virus, DoS attack, human error or any information at all back into the protected network.

    Waterfall agent software gathers data in real time from operations servers inside the protected network. The software transmits that data to the external network, and populates replica servers with the data.

    Waterfall provides out of the box replication capabilities for dozens of industrial applications, including process historians, process databases, control system servers, OPC servers, and low-level devices.

    The server-replication process is transparent to external users, and has no effect on the original operations servers.

  13. Tomi Engdahl says:

    Israeli Tech Last Line of Defense for Power Plant Cyber Attacks

    Aperio AI detects false fingerprints behind erroneous data
    Company backed by PayPal cyber experts and top antiterrorist

    In a 2015 cyber attack on a Ukraine power plant, hackers did much the same, playing around for months with the electricity company’s network, disconnecting emergency backup systems and sending false information back through the servers to the control room.

    Aperio Systems Ltd., an emerging startup in Israel backed by the founders of PayPal’s cybersecurity lab in the country, believes it could help prevent such attempts succeeding. It went public Tuesday with technology it says can detect false information before it can do harm, alerting managers to a breach or turbine tampering.

    “We assume the worst, that the attacker already took full control over the operational network,” Michael Shalyt, Aperio’s vice president of product, said in an interview. Aperio monitors the data going through a utility’s servers, looking for clues to indicate an inauthentic data dump, he said.

    “Think of Aperio as a polygraph for process data,”

    Aperio’s systems are installed at several sites in Israel and one in Italy, centered on power generators. The company says its technology can prevent attacks like the hypothetical scenario described in a 2015 report by Lloyd’s insurers, in which 15 U.S. states and Washington D.C. are plunged into darkness after hackers shut down parts of the energy grid, leaving 93 million people without power.

    The incidence of detected attacks on power and utility companies soared 93 percent in 2015, PricewaterhouseCoopers reported in its 2016 Global State of Information Security Survey. Israel’s cybersecurity industry numbered nearly 430 companies at the end of 2015, and Prime Minister Benjamin Netanyahu says he aspires to make Israel a “global cyber greenhouse.”

  14. Tomi Engdahl says:

    Two security researchers have developed an undetectable PLC rootkit that they will present at the upcoming Black Hat Europe 2016.

    The energy industry is under unceasing attack; cyber criminals and state-sponsored hackers continue to target the systems of the companies in the sector.
    The Stuxnet case has demonstrated to the IT community the danger of cyber attacks, threat actors could spread a malicious code to interfere with processes inside a critical infrastructure.
    A new attack to be revealed at Black Hat Europe conference silently overtakes industrial network processes.

    The security researcher Ali Abbasi, a Ph.D. candidate in the distributed and embedded system security group at University of Twente, Netherlands, and Majid Hashemi, an independent security researcher, have developed an undetectable PLC rootkit. The security duo will present the undetectable PLC rootkit at the upcoming Black Hat Europe, that will be held in London in November.

  15. Tomi Engdahl says:

    Ensuring SCADA/HMI cybersecurity

    Critical industries, such as chemical, energy, transportation, and water/wastewater depend on supervisory control and data acquisition (SCADA) systems for daily operations. Strengthening weaknesses in these systems must be a priority and is a shared responsibility.

    The U.S. Dept. of Homeland Security (DHS) has identified 16 critical infrastructure sectors that are “so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.” These include the chemical, critical manufacturing, energy, nuclear, transportation systems, and water/wastewater sectors.

    According to a DHS report from the National Cyber Security and Communications Integration Center and Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), the ICS-CERT team responded to 295 cyber incidents in U.S. fiscal year 2015, a 20% increase over the previous fiscal year. This included 95 incidents within critical manufacturing, 46 within the energy sector, and 25 within the water and wastewater systems sector.

    These industries rely heavily on supervisory control and data acquisition (SCADA) networks for day-to-day operations. If national security is only as strong as its weakest link, the SCADA networks in our critical infrastructure might be that weak point. Strengthening the weaknesses in these systems must be a priority and is a shared responsibility.

    The U.S. government has issued several guidelines and recommendations to help secure these critical industries, but most are vague and unenforceable. More than 85% of U.S. critical infrastructure is privately owned or operated, so it is largely up to the infrastructure operators to prepare action plans of prevention, mitigation, incident management, and response.

    Why industrial networks are so vulnerable

    Many of these SCADA systems have been running for decades. This legacy equipment was designed for the needs of the operational technology (OT) department, rather than the information technology (IT) department. IT and OT traditionally have had different priorities when it comes to security. IT is tasked with protecting a company’s data, so confidentiality is the main concern. The OT world was designed for ease of use, data availability and integrity, and uptime, but not necessarily for security.

    Where to turn for cybersecurity guidance

    Examples include:

    The North American Electric Reliability Corporation (NERC), a not-for-profit international regulatory authority whose mission is to assure the reliability of the bulk power system in North America, created and regularly updates a series of Critical Infrastructure Protection (CIP) standards. It is important to note that 11 of the NERC guidelines are subject to enforcement, making this the only regulated cybersecurity standard today.
    The International Society of Automation (ISA) together with the International Electrotechnical Commission (IEC) developed the ISA99/IEC62443 standard for manufacturing and control systems cybersecurity.
    The American Public Transportation Association (APTA) is currently working on Part 3 in its Recommended Practice for Securing Control and Communications Systems in Transit Environments.
    The Chemical Facility Anti-Terrorism Standards (CFATS) under DHS is dedicated to chemical infrastructure cybersecurity.

    These guidelines rely heavily on Recommended Practice: Improving Industrial Control Systems Cyber Security with Defense-in-Depth Strategies, a report from DHS, originally released in October 2009 and updated in September 2016.

    Steps to take to protect SCADA and HMI

    A defense-in-depth methodology recommends taking a layered approach to cybersecurity.

  16. Tomi Engdahl says:

    Six action items for an aging DCS/PLC

    Plant and operations managers need to be aware that their distributed control systems (DCSs) and programmable logic controllers (PLCs) could be obsolete and they should take appropriate steps to deal with the problem. Six immediate action items for an aging system are highlighted.

    Six immediate action items for an aging DCS/PLC

    1. Backup
    2. Get copies of all software license files
    3. Update system drawings
    4. Check available spare parts
    5. Make a wish list
    6. Develop a functional specification for a migration plan.

    Remember the famous words of Ben Franklin, “By failing to prepare, you are preparing to fail.”

  17. Tomi Engdahl says:

    The Role of Asset Management in ICS Network

    Most industrial control systems (ICS) were designed and implemented decades ago. Therefore they lack basic asset discovery and management capabilities common in IT networks.

    Process industries have traditionally struggled to maintain an accurate asset inventory. According to a survey of 185 process industry professionals performed by TechValidate for Intergraph, 61% of owner-operators “lack complete confidence in their ability to find information needed to support response to an emergency.” More than half spend 20-80% of their time just finding and validating plant information, including conducting walk-downs.

    With the growing risk of cyber threats, many process industry organizations are looking to secure their ICS networks. However, without fully understanding the assets in scope, it is impossible to do a risk assessment and apply effective defenses.

    Why ICS Networks Lack Asset Management

    Unlike the highly evolved world of IT networks, where automated discovery solutions and very sophisticated asset management practices are a given, industrial networks often rely on a patchwork of manual processes, notes and spreadsheets. Many plants have been storing facility information across various disjointed engineering information systems and struggle to gain a full picture of their assets. As older operational professionals leave the workforce, it is becoming even more difficult to track changes to these assets over time.

    What’s Needed to Implement Asset Management in ICS Networks

    ICS network asset management is typically deficient in three key areas — discovery, maintaining an accurate up-to-date asset inventory and tracking changes to assets over time.

    Automated asset discovery is key to securing these networks. Identifying new assets that have been deployed, or retired assets that have been decommissioned, provides the visibility needed to protect them and helps prioritize security efforts. Since the deployment of these networks is always accompanied by documented changes to the original design, it is impossible to rely on the blueprints.

    A typical ICS network contains controllers (PLCs, RTUs, DCSs) from a mix of vendors such as GE, Rockwell Automation, Siemens and Schneider Electric. Each of these technologies comes with a different set of requirements and challenges.


    Automated asset discovery and management is the first step for ensuring operational continuity, reliability and safety. Without it, it’s impossible to know what devices exist, when and what changes are made to them, and how to restore them to a “known-good” state. It also plays a key role in planning maintenance projects, deploying defense mechanisms, and carrying out effective incident response and mitigation efforts.
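    The passage above describes three gaps (discovery, an accurate inventory, and tracking changes over time) without showing what a passive discovery result looks like once it is compared against a "known-good" state. The following added example is not code from the original post or from any vendor product: it aggregates constructed traffic observations into an inventory and reports drift against a constructed commissioning baseline. The IP addresses, MAC addresses, device roles and protocol labels are assumptions chosen for illustration.

```python
"""Passive ICS asset discovery with drift detection against a known-good baseline.

Added example, not code from the original post or any product. All observations,
addresses and the baseline below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed observations as a passive sensor might emit them:
# (timestamp, source MAC, source IP, protocol seen from that host)
OBSERVED = [
    (1000, "00:1d:9c:aa:00:01", "10.10.1.10", "modbus"),   # PLC, already in baseline
    (1001, "00:1d:9c:aa:00:01", "10.10.1.10", "modbus"),
    (1002, "00:0e:8c:bb:00:02", "10.10.1.11", "s7comm"),   # PLC, already in baseline
    (1003, "00:50:56:cc:00:03", "10.10.1.50", "opc-ua"),   # historian, in baseline
    (1004, "00:1d:9c:aa:00:09", "10.10.1.12", "modbus"),   # never seen before
    (1005, "00:0e:8c:bb:00:02", "10.10.1.11", "http"),     # new protocol on a known PLC
    (1006, "08:00:27:dd:00:04", "10.10.1.50", "opc-ua"),   # historian IP now has a second MAC
]

# Constructed "known-good" inventory recorded at commissioning (assumed layout).
BASELINE = {
    "10.10.1.10": {"mac": "00:1d:9c:aa:00:01", "role": "PLC", "protocols": {"modbus"}},
    "10.10.1.11": {"mac": "00:0e:8c:bb:00:02", "role": "PLC", "protocols": {"s7comm"}},
    "10.10.1.50": {"mac": "00:50:56:cc:00:03", "role": "historian", "protocols": {"opc-ua"}},
    "10.10.1.60": {"mac": "00:50:56:cc:00:06", "role": "HMI", "protocols": {"opc-ua"}},
}


@dataclass
class Asset:
    ip: str
    macs: set = field(default_factory=set)
    protocols: set = field(default_factory=set)
    first_seen: int = 0
    last_seen: int = 0


def build_inventory(observations):
    """Aggregate raw observations into one Asset record per IP address."""
    inventory = {}
    for ts, mac, ip, proto in observations:
        asset = inventory.get(ip)
        if asset is None:
            asset = Asset(ip=ip, first_seen=ts, last_seen=ts)
            inventory[ip] = asset
        asset.macs.add(mac)
        asset.protocols.add(proto)
        asset.last_seen = max(asset.last_seen, ts)
    return inventory


def diff_against_baseline(inventory, baseline):
    """Report how the live inventory drifted from the known-good baseline."""
    findings = defaultdict(list)
    for ip, asset in inventory.items():
        known = baseline.get(ip)
        if known is None:
            findings["new_asset"].append(ip)
            continue
        # A baseline MAC that is missing, or more than one MAC behind one IP,
        # means a replaced, spoofed or dual-homed device: worth a walk-down.
        if known["mac"] not in asset.macs or len(asset.macs) > 1:
            findings["mac_changed"].append(ip)
        extra = asset.protocols - known["protocols"]
        if extra:
            findings["new_protocol"].append((ip, sorted(extra)))
    for ip in baseline:
        if ip not in inventory:
            # Retired, failed, or simply outside the sensor's view.
            findings["silent_asset"].append(ip)
    return dict(findings)


def run():
    """Build the inventory from the constructed observations and diff it."""
    return diff_against_baseline(build_inventory(OBSERVED), BASELINE)


if __name__ == "__main__":
    for kind, items in run().items():
        print(f"{kind}: {items}")
```

    Each finding maps to one of the three gaps: new_asset and silent_asset are discovery, mac_changed and new_protocol are change tracking, and the returned dictionary is the up-to-date inventory delta an operator would review before a walk-down or a risk assessment.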

  18. Tomi Engdahl says:

    This is what the industry must do to protect against cyber attacks:

    Raising the cyber security awareness of personnel and training them
    Clear instructions and a policy of its own
    Consideration of cyber security in the procurement phase of automation systems, for example through requirements
    Monitoring the situation in the automation network
    Design and implementation of secure remote access concepts
    Defining and implementing a secure network architecture
    Cyber security testing for automation systems (in particular by system vendors)


  19. Tomi Engdahl says:

    Networking is Not Something to Lose Sleep Over

    The world is more networked than ever. Some of you may be reading this very post on LinkedIn or after following a tweet.

    If you are, I heartily recommend looking up our company blog on the website for more from me and other Rockwell Automation leaders on a range of topics at the heart of industry today!

    For industry, as it takes its first steps into the world of IIoT, becoming more networked also brings risks. But industry is arguably much less mature than social media in the best approaches to mitigating those risks and achieving the benefit of connectivity without the vulnerability.

    Cybersecurity is the subject of eye-opening (and sleep inhibiting) studies, such as this one from PwC that suggests that three in four industrial manufacturers in Europe (76%) reported security incidents being detected in their company over the previous 12 months.

    Of the remaining quarter of respondents, 14% reported no security incidents but a staggering 10% did not know if, or how many times, their security had been breached.

    The ray of hope here is that the same research states a significant shift toward an understanding that cybersecurity solutions can also facilitate business growth, create market advantages and build brand trust.

    I believe this is a massive step forward.

    In a separate study by McAfee, 71% of respondents reported that a shortage in cybersecurity skills does direct and measurable damage. Similarly though, there is a positive observation that leaders are no longer burying their heads in the sand. Nine out of ten think that technology could help compensate for this skills shortage, and that outsourcing cybersecurity is considered an option to overcome this.

    Skilled teams of Network Security Service Consultants check our customers’ networks and give recommendations. It’s by working closely with our own network of Strategic Alliance Partners at Cisco and Microsoft that we are able to offer these services, because no one company or product can meet the security requirements of industry’s huge variety of unique applications and installed architecture. We advocate a defense-in-depth approach to security that adds layers of security on top of each other to reduce risk.

  20. Tomi Engdahl says:

    Bridge the IT, OT gap by bringing IT into acceptance testing

    Cybersecurity should be part of an industrial control system (ICS) or manufacturing application’s acceptance test and information technology (IT) resources should be involved to help ensure a successful implementation.

    A key part of starting up a new industrial control system (ICS) or manufacturing application is the acceptance test. If information technology (IT) resources are not already involved, the acceptance test presents an excellent opportunity to bring them into your project. A successful implementation may solicit IT input on acceptance testing criteria and enlist their aid in performing the cybersecurity portions of the acceptance test. This will also help bridge the gap between IT and operations technology (OT).

    An ICS should have cybersecurity requirements that can be addressed by IT resources during acceptance testing. These requirements could include guidelines for the changing of default passwords, disabling of unnecessary ports or DVD drives, and segmenting of the network (perhaps with firewalls or switches). Also, cybersecurity requirements should specify the access control for the various operating and managing users.

  21. Tomi Engdahl says:

    Hot topics in Control Engineering for 2016, 2017

    Think Again: Control Engineering readers choose hot topics of 2016, and that online traffic points to key trends in Control Engineering in 2017. What can you learn from these top Control Engineering articles of 2016? New: See related articles of 2017 and top graphics of 2016.

  22. Tomi Engdahl says:

    Incorporating cybersecurity awareness into OT

    Using cyber situational awareness platforms to enhance control system personnel needs to be part of a greater design goal and should act as an invisible layer for an operations technology (OT) environment. Here are four tips for cybersecurity situational awareness, and six responses to zero-day threats.

    Industrial control system (ICS) security is no longer merely about preventing hackers or having a strong physical perimeter. There is an underground digital economy that now offers multi-billion dollar incentives for potential corporate rivals or adversaries to exploit ICS vulnerabilities. And the influx of information technology (IT) into the OT further highlights the need for security by design rather than by association.

    Cybersecurity awareness: Four tips

    Cyber situational awareness tips include:

    Proper awareness of a facility’s cyber network
    In-depth understanding of the facility’s cybersecurity operations
    Appropriate and ongoing assessments of the existing operations within the network to identify potential vulnerabilities
    Continuous monitoring of unusual activity on the cyber network coupled with the ability to mitigate threats before they occur.

    Data should be aggregated from multiple control systems, controllers, smart field devices, and network switches to enable efficient information correlation and analysis. Continuous monitoring and collecting real-time data will help detect unfamiliar activity. This provides owners and cybersecurity auditors unprecedented detection capabilities and visibility.

  24. Tomi Engdahl says:

    Rockwell Automation Teams With Claroty on Industrial Network Security

    Rockwell Automation this week announced that it is teaming up with industrial cybersecurity startup Claroty to combine their security products and services into future, combined security offerings.

    Claroty exited stealth mode in September 2016 to announce a security platform designed to provide “extreme visibility” into Operational Technology (OT) environments and protect critical infrastructure from cyber threats.

    Claroty has built a platform that provides broad support for control system manufacturers and employs “high-fidelity models and advanced algorithms” to monitor industrial control systems (ICS) communications and provide security and process integrity alerts. The platform can inspect a large number of industrial control protocols; with support for both open and proprietary protocols from vendors including Siemens, Rockwell Automation/Allen Bradley, Yokogawa, Emerson, GE, Schneider Electric, Mitsubishi, Honeywell, ABB and more.

    “The Claroty platform can detect a bad actor’s activities at any stage, whether they’re trying to gain a foothold on a network, conduct reconnaissance or inflict damage,”

  25. Tomi Engdahl says:

    Safety requires cybersecurity

    Technology Update: If it isn’t secure, it isn’t safe. Cybersecurity vulnerabilities represent additional failure modes and safety incidents not factored into traditional safety assessments. Consider safety when creating a business justification for cybersecurity risk assessments.

    Functional safety assessments are a well-established practice in machine and process automation. These assessments focus on random hardware failures or systematic software failures (such as bugs).

    However, cybersecurity threats and vulnerabilities represent additional failure modes that may lead to incidents that are unaccounted for in traditional safety assessments. A business justification can be developed for discussing cyber risk assessments.

    The majority of factories and process plants today are controlled and operated by automation systems built on Ethernet TCP/IP networks and legacy Microsoft operating systems. These systems are vulnerable to cybersecurity breaches resulting in potentially significant risks, including risks to health, safety and the environment. To address the risk, there’s a need to understand it—but how? Functional safety assessments focus on random hardware failures or systematic software failures (such as bugs) and generally do not consider cyber threats or cyber vulnerabilities. To understand cyber risk, it’s necessary to perform cyber vulnerability assessments and cyber risk assessments. Not surprisingly, this is exactly what cybersecurity standards and regulations require.

    ICS cybersecurity vulnerability assessment

    Figure 2: A cybersecurity vulnerability assessment also requires partitioning the system into zones and conduits. Courtesy: aeSolutions

    Vulnerabilities are a key variable in cyber risk. In theory, if there are no cyber vulnerabilities there is no cyber risk. Of course, in reality all ICSs have vulnerabilities, some more than others. The number and severity of vulnerabilities depends on the components used, how they are configured and how they are networked.

    So what is an ICS cybersecurity vulnerability assessment? It is an evaluation of an ICS design. In a brownfield design begin with the ICS as-built or as-found drawings. An example is shown in Figure 1.

    How is that control system constructed? What devices make up the system? How are they networked together? How do those networks communicate? Modern control systems are based on Ethernet networking and Microsoft operating systems. Understanding how these pieces go together can be very difficult in many facilities. Drawings that show the entire system architecture may not exist; these systems often have grown and evolved over decades.

    Start with an analysis of network communications to understand how these networks are constructed and how data moves throughout the system. This is done by recording actual network traffic and plotting it out to see the data flows.

    Identify what devices are communicating with each other. What devices should be communicating with each other? What devices are communicating with each other that perhaps should not be, or were not expected to be? Are any devices communicating using unexpected protocols? Are there control system devices that are trying to communicate to the Internet? Plot the communications and look for anomalous behaviors.

    A vulnerability assessment would then analyze the actual servers and workstations that make up the system. Most of the operating systems that are controlling the bulk of industrial facilities today are legacy Microsoft platforms such as XP and Windows Server 2003.

    The next step in a vulnerability assessment would be to partition the system into zones and conduits.

    A vulnerability assessment also should include a review of policies and procedures, and include a gap analysis. How does the system stack up against industry standards and best practices? Finally, the assessment should list the vulnerabilities that have been discovered and the recommended mitigations to close the gaps.
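    The assessment steps above (record the traffic, plot who talks to whom, ask which conversations were not expected, then partition into zones and conduits) can be turned into a mechanical check once the zone model exists. The following added example is not code from the original article or from aeSolutions: it evaluates constructed flow records against a constructed zone-and-conduit policy and reports every flow the policy does not explain. The subnets, zone names, protocol labels and the policy table itself are assumptions for illustration; a real assessment would derive them from the as-found drawings and the captured traffic.

```python
"""Zone-and-conduit check over recorded ICS network flows.

Added example, not code from the original article or from aeSolutions. Zone
subnets, conduit policy and flow records are constructed sample data.
"""
import ipaddress

# Constructed zone model: which subnet belongs to which zone (assumed layout).
ZONES = {
    "control":     ipaddress.ip_network("10.10.1.0/24"),  # PLCs, RTUs, local HMIs
    "supervisory": ipaddress.ip_network("10.10.2.0/24"),  # SCADA servers, historian
    "enterprise":  ipaddress.ip_network("10.20.0.0/16"),  # corporate IT
}

# Constructed conduit policy: (source zone, destination zone) -> allowed protocols.
# A zone pair that is not listed has no conduit at all. A destination that is
# in no zone (e.g. the Internet) is never legitimate for a control-system device.
CONDUITS = {
    ("control", "control"):        {"modbus", "s7comm", "profinet"},
    ("supervisory", "control"):    {"modbus", "s7comm", "opc-ua"},
    ("control", "supervisory"):    {"opc-ua"},
    ("enterprise", "supervisory"): {"https"},
}

# Constructed flow records, summarised the way a capture would be plotted:
# (source IP, destination IP, destination port, protocol label)
FLOWS = [
    ("10.10.2.10", "10.10.1.10", 502, "modbus"),    # SCADA server polls a PLC: expected
    ("10.10.1.10", "10.10.1.11", 102, "s7comm"),    # PLC to PLC: expected
    ("10.20.5.7",  "10.10.2.10", 443, "https"),     # corporate host reads historian: expected
    ("10.20.5.7",  "10.10.1.10", 502, "modbus"),    # corporate host talks Modbus to a PLC
    ("10.10.1.11", "10.10.1.10", 23,  "telnet"),    # unexpected protocol inside control zone
    ("10.10.1.12", "203.0.113.5", 443, "https"),    # PLC talking to an Internet address
]


def zone_of(ip):
    """Return the zone name containing ip, or None if no zone contains it."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def check_flows(flows):
    """Return (src, dst, proto, reason) for every flow the conduit policy does not allow."""
    violations = []
    for src, dst, port, proto in flows:
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if dst_zone is None:
            violations.append((src, dst, proto, "destination outside all zones"))
        elif src_zone is None:
            violations.append((src, dst, proto, "source outside all zones"))
        elif (src_zone, dst_zone) not in CONDUITS:
            violations.append((src, dst, proto, f"no conduit {src_zone}->{dst_zone}"))
        elif proto not in CONDUITS[(src_zone, dst_zone)]:
            violations.append((src, dst, proto,
                               f"protocol not allowed on {src_zone}->{dst_zone}"))
    return violations


if __name__ == "__main__":
    for v in check_flows(FLOWS):
        print(v)
```

    The three violations the sample produces are exactly the questions the article poses: a device communicating with something it should not (corporate host to PLC, no conduit), a device using an unexpected protocol (Telnet inside the control zone), and a control-system device trying to reach the Internet. Each one becomes a line in the findings list with a recommended mitigation.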

  26. Tomi Engdahl says:

    Reconnaissance in Industrial Networks: What You Don’t See Can Hurt You

    Organizations that operate Industrial Control Systems (ICS) understand the critical nature of these assets and have led all business sectors in the use of strong physical security controls. But ICS were built with process uptime and high availability in mind before cyber criminals were a threat. Today, cyber security in ICS is far behind IT security standards. This poses real risks to plant operations, personnel, the environment and the community in general.

    A typical reconnaissance mission begins with identifying an initial target that will facilitate the intrusion into the organization. This can be accomplished using well known techniques such as social engineering, email phishing, etc. It is not uncommon to find unpatched workstations running legacy operating systems such as Windows XP in these operational environments.

    The leading obstacle to detecting reconnaissance activity in industrial networks is lack of visibility.

    The communication of process data (tags, set points, etc.) between the operators and the industrial machines (I/Os) takes place over standard industrial data-plane protocols such as MODBUS, PROFINET, and DNP3. Since they are known, and well documented, it is relatively easy to monitor them. However, monitoring these protocols will not help detect reconnaissance activities.

    Full Visibility is Critical for Discovering Reconnaissance

    This lack of visibility into control-plane activities means that reconnaissance operations can go undiscovered for long periods of time. However, that’s not the only reason control-plane activities should be monitored. Even more concerning is the fact that malicious control-plane activity can result in far more perverse attacks than those executed from the data-plane given the potential for deploying altered control logic to a controller. Altering the control logic of a PLC, RTU or DCS can trigger a catastrophic event that could be nearly impossible to stop by operators. Organizations that only monitor data-plane network traffic do not have a complete view of ICS activity.

    Early Detection is the Key

    In order to mitigate the risks associated with reconnaissance, industrial organizations need early detection of suspicious activity like unauthorized network scans, attempts to read information from controllers and other unsanctioned control-plane activity.
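    The two kinds of suspicious activity named above, unauthorized network scans and attempts to read information from controllers, are both detectable from traffic metadata even when nothing in the data plane looks wrong. The following added example is not code from the original article: it runs two simple detectors over constructed logs, one for a host that touches many distinct destinations or ports within a short window, and one for Modbus device-identification requests (function code 17, Report Server ID, and function code 43, Read Device Identification) that originate from a host not on the engineering-station allow-list. The log lines, addresses, thresholds and the allow-list are constructed assumptions.

```python
"""Detecting reconnaissance in an ICS network from connection and Modbus logs.

Added example, not code from the original article. All log records, addresses,
thresholds and the engineering-station allow-list are constructed sample data.
"""
from collections import defaultdict

# Constructed connection-attempt log: (timestamp, src IP, dst IP, dst port)
CONNECTIONS = [
    (100, "10.10.2.10", "10.10.1.10", 502),   # SCADA server polling PLCs: normal
    (101, "10.10.2.10", "10.10.1.11", 502),
    (102, "10.10.2.10", "10.10.1.10", 502),
    (200, "10.10.1.99", "10.10.1.10", 22),    # from here on: a port and host sweep
    (200, "10.10.1.99", "10.10.1.10", 23),
    (200, "10.10.1.99", "10.10.1.10", 80),
    (201, "10.10.1.99", "10.10.1.10", 102),
    (201, "10.10.1.99", "10.10.1.10", 502),
    (202, "10.10.1.99", "10.10.1.11", 502),
    (203, "10.10.1.99", "10.10.1.12", 502),
    (204, "10.10.1.99", "10.10.1.13", 502),
]

# Constructed Modbus request log: (timestamp, src IP, dst IP, function code)
MODBUS_REQUESTS = [
    (100, "10.10.2.10", "10.10.1.10", 3),    # Read Holding Registers: routine polling
    (101, "10.10.2.10", "10.10.1.11", 3),
    (150, "10.10.2.20", "10.10.1.10", 43),   # engineering station identifying a PLC: allowed
    (205, "10.10.1.99", "10.10.1.10", 43),   # unknown host reads device identification
    (206, "10.10.1.99", "10.10.1.11", 17),   # ... and asks the next PLC for its server ID
]

ENGINEERING_STATIONS = {"10.10.2.20"}  # assumed allow-list for identification reads
IDENTIFICATION_CODES = {17: "Report Server ID", 43: "Read Device Identification"}


def detect_scans(connections, window=10, min_targets=6):
    """Return {src: distinct targets} for sources touching >= min_targets
    distinct (dst, port) pairs within any window-second span."""
    by_src = defaultdict(list)
    for ts, src, dst, port in connections:
        by_src[src].append((ts, dst, port))
    scanners = {}
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _, _) in enumerate(events):
            targets = {(d, p) for t, d, p in events[i:] if t - t0 <= window}
            if len(targets) >= min_targets:
                scanners[src] = len(targets)
                break
    return scanners


def detect_identification_reads(requests, allowed):
    """Return identification requests whose source is not an approved engineering station."""
    return [
        (ts, src, dst, IDENTIFICATION_CODES[fc])
        for ts, src, dst, fc in requests
        if fc in IDENTIFICATION_CODES and src not in allowed
    ]


def run():
    """Run both detectors over the constructed logs."""
    return {
        "scanners": detect_scans(CONNECTIONS),
        "unauthorized_identification": detect_identification_reads(
            MODBUS_REQUESTS, ENGINEERING_STATIONS),
    }


if __name__ == "__main__":
    for kind, items in run().items():
        print(f"{kind}: {items}")
```

    Neither detector inspects process values; both work on who asked whom for what, which is the control-plane visibility the article argues is missing. The thresholds are deliberately conservative for a plant network, where a legitimate poller talks to a fixed, small set of targets, so a handful of distinct ports on one host in a few seconds is already out of profile.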

  27. Tomi Engdahl says:

    Ethernet cuts automation hardware, labor costs, errors

    Think Again about digital networks: A redesigned automated industrial process with the goal of improving safety and efficiency saved $106,654 in hardware, design, and installation costs by using an industrial Ethernet protocol instead of hard wiring, not counting a two-thirds reduction in potential errors or other project benefits.

    Using an industrial Ethernet protocol saved money for industrial system project design, installation, and hardware costs, according to Mike Prokop, CMSE, LSO (certified machinery safety expert via TUV NORD, laser safety officer) and chief electrical engineer at Taylor Winfield Technologies Inc. Among those Prokop worked with on the project was Nick Maillis, electrical engineer, programmer, and co-worker on an industrial process redesign that included 2,700 hazards to mitigate. Prokop described the effort and quantified benefits associated with the efforts as saving $106,654 in hardware, design, and installation costs by using an industrial Ethernet protocol compared to hardwiring. He explained in a presentation at the 2016 General Assembly Meeting for PI North America in September 2016. The savings quantified in the presentation doesn’t include the savings related to a two-thirds reduction in potential errors or other project benefits.

    Automated system components

    The system uses a failsafe PLC, six enclosures, input/output (I/O) modules, light curtains, non-contact coded magnet safety switches, and safety input modules for zone isolation.

    Twenty pushbutton stations have guardlocking; E-stops and interlocks are used with an industrial safety Ethernet network. Three human-machine interface panels are connected via industrial Ethernet; another connects via a related industrial network as a smart client-server, and that server connects to a mobile device providing status of consumables, order processing, and alarms.

    Thirty variable frequency drives (VFDs) are used, providing standard control over industrial Ethernet. Two industrial Ethernet-enabled laser distance sensors replace encoders on the rail.

    Seven robots are controlled via industrial Ethernet for job calls, enabled signals, tooling signals and control, “Removing the need for I/O in a robot controller, which would have been a nightmare,” Prokop said.

    Safety communication devices communicate from the primary failsafe PLC to two failsafe PLCs and with 5 slave machine PLCs over industrial Ethernet.

    Detailed savings analysis and tables were produced comparing hard-wired costs to use of industrial Ethernet, looking at wiring, safety relays, I/O connections, hardware, and labor, producing more than $106,000 in savings, not counting the cost of potential errors avoided with 1,146 connections with a digital network versus 3,795 with hardwiring, eliminating the need to look for broken wires.

    After arrival of the system in 13 semi-trailers, installation took the anticipated three weeks.

  28. Tomi Engdahl says:

    The Threat to Critical Infrastructure – Growing Right Beneath Our Eyes

    Nation-States do Not Fear Reprisal and are Likely to use ICS Attacks as a Component of Geo-Political Conflict

    I’ve been working in Industrial Control Systems (ICS) security for years and I’ve had conversations with hundreds of IT security and OT/ICS network practitioners. I’ve talked with them about the need to drive better security strategies for their industrial networks, gain deeper visibility, implement stronger defenses, and bridge the collaboration gap between security teams and the shop floor. My early conversations left me concerned as there didn’t seem to be much recognition of a problem. Increasingly, we’ve been met with a more encouraging amount of agreement in those discussions – from energy, to manufacturing, to oil and gas and so on – a majority understand they have serious problems to fix but we’d estimate only roughly 50% of those are prioritizing their resources to fix them.

    What of the remaining 50%? They fall into two categories:

    A. They don’t understand the level of exposure of their ICS networks/have a false sense of security. Unlike IT networks where dozens of security technologies are deployed/reporting back on activity, ICS networks are generally a blind spot for Security teams.

    B. They think the risk is still hypothetical / doesn’t warrant a priority focus over the dozens of IT Security projects they need to tackle because the volume of attacks pales in comparison to the noisy IT domain.

    To a degree, when using this attack based calculus, these folks aren’t – or, better phrased, weren’t wrong. The daily barrage of attacks from all angles and from all adversaries isn’t a reality in ICS…yet. Clearly, there are major gaps that need to be filled on the IT side to drive better security – and as a result, this needs to be a priority. But where the argument falls apart rather quickly is when we do the math – literally! The only way to adequately prioritize activities is to calculate the risk. I’ve attempted this below by using the cyber risk framework outlined in NIST 800-82, taking into account the rapidly evolving ICS threat landscape, and measuring the consequence (impact) of attacks on these networks against those felt in the IT domain.

    Industrial Control Systems Risk = t × v × x(tv), where t = threat, v = vulnerability and x(tv) = consequence of the threat successfully exploiting the vulnerability

    Let’s Start with Consequence (Impact):

    One could argue rather reasonably that the ‘cat and mouse’ or ‘whack-a-mole’ approach to IT security that we’ve relied upon for the past 10-20 years has been ‘effective enough.’

    In ICS, we aren’t talking about data theft, we’re not talking about micro-level impact where individuals, companies or certain Government agencies/agendas are impacted – we’re talking about a macro level issue related to the potential disruption of essential services that drive the global economy and support day to day life. We cannot afford to rely on the same (sub)standard we used in IT Security over the past 10 years.

    Let’s look at vulnerability next:

    In the context of ICS, it is more meaningful to assess “attack surface exposure” of which vulnerabilities are just one aspect. We need to understand that there is inherent exposure due to some serious systemic issues:

    1. There are many unique ICS threat vectors due to:

    • Flat networks

    • Legacy systems which can be 20-30 years old / systems shipped without security as a focus

    - Many of these systems are ‘end of life’

    - New systems are being shipped on insecure, ‘end of life’ operating systems like WinXP

    • Increasing interconnectivity

    • Poor remote access designs/remote access allowed for multiple vendors

    2. There is basic or completely missing cyber hygiene in ICS networks compared to what we expect in IT.

    3. Vulnerabilities

    • Many vulnerabilities don’t have patches (or the gear is end of life) – consider a 2016 FireEye Report which found that 33% of the 1,552 known vulnerabilities analyzed had no patch at the time of disclosure

    • Many systems cannot be patched because of uptime requirements on the shop floor – consider a 2016 Kaspersky study which looked at patching in ICS and found that for one widely used vendor, “the proportion of the vendor’s software with unpatched vulnerabilities…could range between 17% and 93%.”

    The “red lines” that conventional wisdom once held would prevent disruptive or destructive attacks against critical infrastructure have now been crossed numerous times, and we can safely assume they will be again.

  29. Tomi Engdahl says:

    Cybersecurity risk spikes with mingling of operations and IT technologies
    Resources available to learn about cybersecurity frameworks; receive alerts, advisories and reports.

    The growing threat

    The threat is not hypothetical. The global energy industry has already experienced a number of significant incidents. Remote cybersecurity attacks were reportedly used to cause the 2008 explosion of a pipeline in Turkey. In December 2015, the first successful disruption of a public energy grid occurred in Ukraine when attackers used a spear-phishing campaign to obtain administrator credentials, then remotely accessed the SCADA network and halted electricity distribution. The resulting blackouts affected more than 230,000 customers.

    Information sources

    As you might imagine, responsibility for U.S. federal government functions related to industrial cybersecurity is spread across several departments and agencies. Good places to start your quest for more insight into energy sector cybersecurity include the following:

    The “Cybersecurity framework implementation guidance” from the U.S. Department of Energy includes standards, guidelines and practices to promote the protection of critical infrastructure.
    The U.S. network of oil and gas transportation and distribution pipelines is the purview of the same Transportation Security Administration responsible for security in the 440 airports of the United States. Oil and gas pipeline managers can look to the cybersecurity recommendations in the Transportation Security Administration’s “Pipeline security guidelines.”
    The Federal Energy Regulatory Commission (FERC) is an independent agency that regulates interstate transmission of electricity, natural gas and oil. The North American Electric Reliability Corporation (NERC), which FERC has certified as the nation’s “electric reliability organization,” has developed critical infrastructure protection (CIP) cybersecurity reliability standards for electric smart grids.

    Note that while these standards are a good place to begin, following their recommendations is in no way mandatory. Moreover, they do not create incentives for the continual improvement and adaptation needed to respond effectively to rapidly evolving threats.

    In addition, The SANS Institute’s “CIS critical security controls” provide guidance for implementing cybersecurity and risk management programs specifically for critical infrastructure. The SANS Institute was established in 1989 as a cooperative research and education organization. It says it is the largest source in the world for information-security training and security certification.

    Besides the adoption of frameworks, energy-asset owners and operators should develop appropriate supporting management practices, including employee training, performance tracking metrics and business intelligence related to their cybersecurity program.

    Cultural aspects of security

    Energy companies must develop a risk-management culture that focuses on identifying and preventing cybersecurity vulnerabilities. This can be done in much the same way a culture for identifying and eliminating threats to physical safety of individuals and infrastructure was developed in the U.S. and Europe in the past. The cultural aspects of security are especially a matter of concern because employees are often one of the weakest links in cybersecurity.

  30. Tomi Engdahl says:

    Medical Devices Infected With WannaCry Ransomware

    Several medical device manufacturers released security advisories this week following reports that the notorious WannaCry ransomware has infected some medical devices.

    The WannaCry ransomware, also known as Wanna Decryptor, WanaCrypt0r, WannaCrypt, Wana Decrypt0r and WCry, leverages a couple of exploits allegedly developed by the NSA and leaked recently by a hacker group called Shadow Brokers. The threat has hit hundreds of thousands of systems worldwide, including ones housed by banks, hospitals, ISPs, government agencies, transportation companies and manufacturing plants.

    Britain’s National Health Service (NHS) was among the worst hit by the malicious campaign, and the incident clearly showed the risk posed by WannaCry to healthcare organizations. However, initial reports suggested that the malware had mainly affected management systems.

    The U.S.-based Health Information Trust Alliance (HITRUST) later reported seeing evidence of Bayer (Medrad), Siemens and other medical devices getting infected with WannaCry. Bayer confirmed for Forbes that two of its customers in the United States had informed it about ransomware infections.

    ICS-CERT has provided a list of vendors that have released security advisories to warn customers of the risks and provide them with recommendations on how to prevent attacks.

    The list includes Rockwell Automation, BD (Becton, Dickinson and Company), Schneider Electric, ABB, Siemens, General Electric, Philips, Smiths Medical, Johnson & Johnson, and Medtronic. Some of these vendors have also issued warnings about the threat posed to their industrial products.

  31. Tomi Engdahl says:

    Understanding the Systemic Security Risks in ICS Networks

    In my previous article, I outlined details of the changing threat landscape in Industrial Control Systems (ICS). Of note, I pointed – as we have been with a good deal of frequency – to the growing risk of cyber-crime activity/ransomware activity on the shop floor.

    The security risk to ICS networks is systemic and not determined by vulnerabilities alone. Yes, vulnerabilities are a major problem and, of course, they represent pathways which can be exploited by our adversaries. But we need to understand that reaching the ICS network is relatively easy once a foothold is established on the IT side of the house – and we have seen just how easy that access is over the course of the past 10 years of daily breach headlines. Once inside the ICS/OT network, causing havoc is as simple as talking to PLCs with legitimate commands.

    Accessing the ICS/OT Network

    The concept of a completely air-gapped ICS/OT environment is dead. For a variety of reasons, these networks are increasingly interconnected with IT and accessible to the outside world. As a result, there are two main pathways open for adversaries. Neither of which require some insanely clever or novel vulnerability exploit:

    • Getting to ICS/OT through IT interconnections with the “normal tools of the trade” – spear phishing and watering hole attacks, etc.

    • Getting in directly through ICS/OT connections to the outside world – publicly facing IPs of PLCs, compromised VPNs, unaudited, uncontrolled, unmonitored remote access

    Side note: Keep in mind that the median number of days before attackers are detected on IT networks in North America is 99 days (source: Mandiant) with dozens of security tools watching. In the ICS/OT space network monitoring is scarce and once an attacker transitions from IT to ICS/OT, there is virtually nothing to detect them. Case in point: It is believed the Sandworm Team was active for MONTHS on the Ukraine networks impacted in 2015 and 2016.

  32. Tomi Engdahl says:

    Cisco IoT Threat Defense: Securing the IoT at Scale

    Protect Vital Services in Advanced Medical Care, Automated Manufacturing, and Power Generation and Delivery

    Cisco has designed, deployed, and secured networks for over 25 years. We continue to build the equipment, invent the technologies, and develop the standards that help make the Internet possible.

    We have invented an extensible, automated, policy-based technology to solve the problem of secure segmentation at scale for the IoT. It is supported across a wide range of Cisco equipment – ruggedized or non-ruggedized, in the data center or branch office.

    Cisco IoT Threat Defense is built as a cybersecurity architecture, featuring a strong cast of integrated products, starting with Identity Services Engine (ISE) and TrustSec, which facilitate extensible, scalable segmentation using group- and device-based access policy throughout the network. These are layered with Stealthwatch, Umbrella and Next-Generation Firewall, as well as Cognitive Threat Analytics, AnyConnect VPN, and Advanced Malware Protection. Cisco Security Services puts real people into the solution to help organizations make decisions about protecting their environments, from medical facilities treating patients, to manufacturing plant operations, to power companies powering the electric grid.

    Let’s be clear about something important. The last thing operators of critical networks want to hear about is automated cybersecurity. It may be fine for most IT networks, but certainly not for industrial control networks, and we know this. You can automate as much or as little as you want. It’s your network, and you control it. We help you do it more easily and securely.

  33. Tomi Engdahl says:

    Security Incidents Can Cost Industrial Firms $500K Per Year: Kaspersky

    While a majority of industrial companies claim they are well prepared to handle a cyber security incident, many have admitted experiencing at least one incident in the past 12 months, and the annual cost can be as high as half a million dollars, according to a new report from Kaspersky Lab.

    The security firm has conducted a survey of 359 industrial cybersecurity practitioners across 21 countries, mainly from the manufacturing, construction and engineering, and oil and gas sectors.

    A majority of the respondents (83%) said they were prepared to deal with cybersecurity incidents within their industrial control systems (ICS) environment, and 86 percent claimed they had a dedicated policy or program in place.

  34. Tomi Engdahl says:

    Thousands of Firms Fail to Update Software on Most Computers: Study

    An analysis of 35,000 companies from more than 20 industries across the world showed that many of them are at risk of suffering a data breach due to their failure to ensure that the software running on their computers is up to date.

    The study conducted by cybersecurity ratings company BitSight focused on Apple and Microsoft operating systems, and the Firefox, Chrome, Safari and Internet Explorer web browsers.

    The research showed that more than 50 percent of computers in over 2,000 organizations run an outdated version of the operating system, and over 8,500 companies have failed to update Web browsers on more than half of their machines.

    The fact that public sector organizations have done a poor job at protecting their systems is not surprising, and even U.S. President Donald Trump called for government agencies to take measures in his recent cybersecurity executive order.

    At the other end of the chart we have the legal and energy sectors, which had the fewest devices running outdated software.

    “Given that the Energy sector provides critical infrastructure services, organizations in this sector should maintain their proactive approach to security,” BitSight said in its report.

    In the case of Windows, more than 60 percent of analyzed PCs were running Windows 7 or earlier, including XP and Vista, which no longer receive updates from Microsoft.

    A Growing Risk Ignored: Critical Updates


  35. Tomi Engdahl says:

    Hacking Into…. A Wind Farm?

    Pick a lock, plug in a WiFi-enabled Raspberry Pi and that’s nearly all there is to it.

    There’s more than that of course, but the wind farms that [Jason Staggs] and his fellow researchers at the University of Tulsa had permission to access were — alarmingly — devoid of security measures beyond a padlock or tumbler lock on the turbines’ server closet. Being that wind farms are generally in open fields away from watchful eyes, there is little indeed to deter a would-be attacker.

    [Staggs] notes that a savvy intruder has the potential to shut down or cause considerable — and expensive — damage to entire farms without alerting their operators, usually needing access to only one turbine to do so. Once they’d entered the turbine’s innards, the team made good on their penetration test by plugging their Pi into the turbine’s programmable automation controller and circumventing the modest network security.

    Researchers Found They Could Hack Entire Wind Farms

  36. Tomi Engdahl says:

    Dummies Book Takes a Crack at the IT/OT Conflict
    The book, Industrial Cyber Security for Dummies, looks at way to secure plants while preserving uptime.

    Not surprisingly, a book about industrial cybersecurity becomes a deep dive into the endless conflict between information technology (IT) and operational technology (OT). Each of the two professions has an unequivocal mandate, and the mandates are in direct conflict. IT is devoted to security; OT is committed to uptime. Put simply, IT says, “If you don’t load this patch, you’ll get hacked,” while OT says, “If we shut the plant down for your patch, we’ll blow our quarter.”

    Tripwire, a Belden company, has partnered with John Wiley & Sons to produce Industrial Cyber Security for Dummies, a short book authored by David Meltzer, Tripwire’s CTO, and Jeff Lund, a product manager at Belden. The book takes a look at the details of how to secure an industrial network. Digital copies are available free at this Belden link.

  37. Tomi Engdahl says:

    How Hackers Can Use ‘Evil Bubbles’ to Destroy Industrial Pumps

    Since the NSA’s infamous Stuxnet malware started exploding Iranian centrifuges, hacker attacks that disrupt big, physical systems have moved out of the realm of Die Hard sequels and into reality. As those attacks evolve, the cybersecurity community has started to move beyond the question of whether hacks can impact physical infrastructure, to the more chilling question of exactly what those attacks might accomplish. Judging by one proof-of-concept demonstration, they could come in far more insidious forms than defenders expect.

    In a talk at the Black Hat security conference Thursday, Honeywell security researcher Marina Krotofil showed one example of an attack on industrial systems meant to drive home just how surreptitious the hacking of so-called cyberphysical systems—physical systems that can be manipulated by digital means—might be. With a laptop connected to a $50,000, 610-pound industrial pump, she showed how a hacker could leverage a hidden, highly destructive weapon on that massive machine: bubbles.

    “Bubbles can be evil,” she said. “These bubbles are my attack payload. And I deliver them through the physics of the process.”

    Importantly, Krotofil’s hacker had delivered the evil bubbles without having any access to the pump component of her rig. Instead, he had only adjusted a valve further upstream to decrease the pressure in a certain chamber, which caused bubbles to form. When those bubbles strike the pump, they implode and, in a process called “cavitation,” turn back into a liquid, transferring their energy to the pump. “They collapse at very high velocity and high frequency, which creates massive shockwaves,” Krotofil explained.

    That means a hacker would be able to quietly and steadily cause damage to the pump, despite obtaining only indirect access to it. But Krotofil’s attack doesn’t merely warn about the specific danger of hacker-induced bubbles. Instead, it’s meant as a more general harbinger, illustrating that in the coming world of cyberphysical hacking, attackers can use physics to cause chain reactions, inducing mayhem even in parts of a system that they haven’t directly breached.

    “She can use a less critical piece to control that critical piece of the system,” says Jason Larsen, a researcher with security consultancy IOActive who worked with Krotofil on some parts of her research. “If you look at just the data flows, you’re going to miss a bunch of attack vectors. There are also these physical flows that go between parts of the system.”

  38. Tomi Engdahl says:

    Energy management and automation giant Schneider Electric has teamed up with industrial cybersecurity startup Claroty to offer its customers solutions for protecting industrial control systems (ICS) and operational technology (OT) networks.

    Claroty, which emerged from stealth mode in September 2016 with $32 million in funding, will market its products through Schneider’s Collaborative Automation Partner Program (CAPP).

    Schneider’s CAPP enables its customers to find the right technology solutions and integrate them with the company’s own offering. Claroty, whose products have undergone rigorous testing to ensure interoperability, will provide network monitoring solutions.

    Claroty’s platform is designed to protect ICS and continuously monitor OT networks for threats without disrupting operations. The product enables organizations to control remote employee and third-party access to critical systems, including recording their sessions. It also creates a detailed inventory of industrial network assets, identifies configuration issues, monitors traffic, and looks for anomalies that could indicate the presence of a malicious actor.

    The product can be integrated with Schneider Electric’s existing cybersecurity and edge control offerings through the company’s EcoStruxure architecture.

    Schneider Electric is not the only automation giant that has teamed up with Claroty. In February, Rockwell Automation announced a partnership with the company for combined security offerings.

  39. Tomi Engdahl says:

    Researchers Demo Remote Hacking of Industrial Cobots

    Researchers at security firm IOActive have shown how a remote attacker can hack an industrial collaborative robot, or cobot, and modify its safety settings, which could result in physical harm to nearby human operators.

    A few months ago, IOActive published a brief report providing a high-level description of its research into robot cybersecurity. Researchers analyzed industrial and business robots from six vendors, including SoftBank Robotics, UBTECH Robotics, ROBOTIS, Universal Robots, Rethink Robotics and Asratec Corp.

    A brief analysis of mobile applications, software and firmware led to the discovery of nearly 50 vulnerabilities, including weaknesses related to communications, authentication, authorization mechanisms, cryptography, privacy, default configurations, and open source components.

  40. Tomi Engdahl says:

    40% of manufacturing security professionals have no formal security strategy

    Cisco cybersecurity survey also reported that 28% of manufacturing organizations suffered loss of revenue due to attacks in the past year.

    In its 90-page 2017 Midyear Cybersecurity Report, Cisco raised a warning flag because of the accelerating pace and rising level of sophistication in the global cyber threat landscape. Focusing on manufacturing, the report said that the combination of connected devices on outdated machines might be “ripe for exploitation.” But even more concerning is what might be viewed as a muted response by companies to potential security breaches.

    “A written security policy can provide a framework for improvements, yet according to the Cisco survey, 40 percent of the manufacturing security professionals said they do not have a formal security strategy, nor do they follow standardized information security policy practices such as ISO 27001 or NIST 800-53,” the report stated.

    Key Concerns for Manufacturing

    According to a Bloomberg study cited in the report, 80% of US factories are more than 20 years old and could be more vulnerable to attacks since systems are phased out gradually over time. Another potential issue is the use of a relatively large number of security vendors which could create a more complex and confusing picture as IT and OT personnel work together on security challenges, along with the number of personnel dedicated to security.

    Key Report Findings

    The report, in general, has a goal of keeping businesses apprised of cyber threats and vulnerabilities, and the steps companies can take to improve security and cyber-resiliency. Two dynamics are making the challenge for companies more difficult: the escalating impact of security breaches and the pace of technological change.

    Tactics being deployed by attackers are also a problem, so the report provides a comprehensive view of new developments in malware, attack methods, spam and unwanted applications such as spyware and business email compromise (BEC).

    The expectation is that defenders will struggle to maintain ground as the IoT continues to expand and the prospect of new types of attacks in the future. In response, the security community “needs to expand its thinking and dialogue about how to create an open ecosystem that will allow customers to implement security solutions that will work best for their organization and make the most of existing investments.”

  41. Tomi Engdahl says:

    Assessing Cyber and Physical Risks to Oil & Gas Sector

    This classification applies to 16 different sectors, some of which face greater risks and challenges than others when it comes to security. Oil and natural gas (ONG) is one such sector. Here’s why:

    Unsecure technologies are prevalent

    Overall, many ONG companies’ IT & OT infrastructures mimic an ongoing trend we’ve seen across all sectors: the widespread presence of security vulnerabilities stemming from the rapid (and often premature) adoption of digital technologies and IoT devices. Similar to how the healthcare sector’s rushed implementation of electronic medical record systems ultimately fueled an uptick in healthcare data breaches, the ONG sector’s continual adoption of increasingly-interconnected industrial control systems (ICS) is expanding the surface area upon which potential vulnerabilities could occur, threats manifest, and attacks transpire.

    Even worse, many ONG companies continue to rely on outdated, insecure operating systems and even hardware. A recent Ponemon Institute study on “The State of Cybersecurity in the Oil & Gas Industry” revealed that these issues may be exacerbating the fact that ONG already lags behind many other sectors when it comes to cybersecurity capabilities, readiness, and awareness. Consequently, over 70% of ONG companies have been breached in the last year.

    Threat actors are more complex

    While most security and intelligence teams are well-versed in protecting their organizations from the fraudsters and cybercriminals responsible for the majority of threats emanating from the Deep & Dark Web, combatting the myriad of malicious cyber and physical actors targeting the ONG sector can create substantial challenges for which many teams may be neither prepared nor able to address.

    State-sponsored actors are one such example. Often driven by political, ideological, and/or adversarial gain, these actors have historically targeted ONG industrial control systems, launched cyberattacks aimed at disrupting the operational continuity of regional ONG entities, and attempted to access and exploit confidential ONG information to support foreign military initiatives.

    Damages can be severe

    Perhaps the most obvious reason for the ONG sector’s increased cyber and physical risks stems from its omnipresent and truly vital role in modern society. Given that oil and natural gas account for the majority of the world’s energy consumption, power international trade, and remain integral determinants of the global economy, any threat that could compromise these resources and/or the systems on which they rely has the potential to yield catastrophic damages.

    So what exactly could these damages look like? Past cyberattacks in the ONG sector provide some insight. Following the 2012 attack on Saudi Aramco’s cyber infrastructure, for example, nearly 75 percent of the company’s data was lost and operations – as well as a global oil supply chain – were disrupted for months and yielded lasting economic consequences.

    Clearly when it comes to safeguarding critical infrastructure entities, the stakes are high – especially for ONG companies.

  42. Tomi Engdahl says:

    Siemens Patches Flaws in Automation, Power Distribution Products

    Siemens customers were informed last week that some of the company’s automation and power distribution products are affected by vulnerabilities that can be exploited for denial-of-service (DoS) attacks and session hijacking.

    Sergey Temnikov of Kaspersky Lab discovered that several Siemens products using the Discovery Service of the OPC UA protocol stack are exposed to remote attacks due to a security flaw described by ICS-CERT as an improper restriction of XML external entity (XXE) reference issue.

    The vulnerability exists in the OPC Foundation’s OPC UA .NET sample code and older versions of the Local Discovery Service (LDS). A remote attacker can exploit the security hole to trick the .NET libraries used by LDS and OPC UA servers into accessing arbitrary network resources, which can lead to a DoS condition.

  43. Tomi Engdahl says:

    Cybersecurity for pipelines, other SCADA systems
    It’s critical to stay up-to-date with cybersecurity measures to improve defenses against cyberattacks.

    SCADA 2.0, IIoT development

    As old as the SCADA concept is, it has not lost any of its importance. In fact, the role of SCADA systems is growing, which is broadening their definition. With a higher degree of protocol standardization and greater connectivity to corporate information technology (IT) networks, the potential for a cyber-attack also increases and is growing.

    The trends toward business systems using and processing SCADA data create new avenues and reasons for system exploitation. Sharing data is often the lifeblood for many companies, but new threats can emerge in the process.

    On the other hand, developing technologies also are changing the current situation as the IIoT merges with SCADA to become “SCADA 2.0.” This still has some time before development is complete, but there are many possibilities, including its design and how it could affect security considerations.

    The RTU, at least as a gateway, no longer will be included since it won’t be needed. The individual field instruments and actuators at the hypothetical pipeline pump station will all communicate directly with the ubiquitous network, just as a technician visiting the site might call back to the office on a smartphone. The data from the devices goes to the cloud and can be captured and used by whichever part of the company needs it, from anywhere. At this point it’s difficult to say exactly what the network might look like, however it most likely will be 4G or 5G capable, but the communication will be direct. New networking technologies like low power wide area network (LoRa WAN) may be included as well.

    Setup for these installations will be easier than with current SCADA systems. It will be as easy as installing the field device, turning it on, and connecting it to the cloud. This will get rid of all the expensive and dangerous manual operations still being done at many sites. If a level instrument is added to the storage tank, the need for a worker to be sent out for maintenance no longer will be necessary.

    The reality of this concept is some time away since the networks with the necessary requirements don’t currently exist. Coverage and speed are improving all the time, but 5G or even 4G in all the areas where pipeline pumping stations are located is not there yet.

    Accommodating multiple SCADA systems

    One current aspect of monitoring technology is the idea of multiple SCADA systems at one location, and the user might not even realize it. How does this happen?

    A turbine-compressor set might have its own system to remotely monitor performance and conditions, and there is probably an existing SCADA system. These original equipment manufacturer (OEM) systems often are included to verify performance requirements written into purchase agreements. This kind of monitoring keeps everyone honest and helps the party responsible for maintenance stay informed with what’s happening. The system is in communication with the OEM’s headquarters and sends data back every day via its own network. Having this kind of communication is necessary and is ultimately a good thing for the most part, but there can be problems.

    Signs of threats to come

    Cyber criminals looking to make money from their exploits have been stealing financial data, personal information, and credit card numbers for a long time. Major retailers and financial service companies have fallen prey largely for this reason. Fortunately, industrial companies don’t necessarily have much in the way of such marketable data capable of being stolen. The scary alternative is ransomware, which has targeted hospitals and now spread to many other users in the recent “WannaCry” ransomware attacks.

    Returning to the example of the hypothetical pipeline station for this scenario, say the operators at the central control room receive an alarm via the SCADA system because transportation has been shut off. Calling up the human-machine interface (HMI), they see a top-level screen saying that access to the RTU has been locked out and encrypted. The only way to regain control is by paying to get the access code.

    The option for the company is to pay, or send somebody out to the site to take it offline and turn operations back on manually. This is only temporary because it is not practical to leave an operator at the site on a continuous basis. The only real solution is to take out the compromised RTU and replace it, at a cost significantly higher than the ransom.

    This situation may seem unrealistic, however, as technology and cyber criminals become more advanced, predicting situations like this should be considered.

    Defensive strategies for SCADA systems

    The following are a few defensive suggestions:

    Maintain physical security at remote sites: RTUs and other network-connected hardware should be in locked enclosures. Unused ports should be plugged with epoxy.
    Update old systems: Any company still running equipment using Windows 95, or even more recent but still obsolete versions, is asking for trouble. Platforms running un-updated software can be just as bad. WannaCry only worked on outdated and un-updated Windows platforms.
    Use network identification: Intrusion detection systems are very useful tools, but many companies fear they can disrupt networks. They can be designed for low-impact and with a passive response to make them easier to use on operating networks.
    Train personnel: Workers are still the weakest link in cyber defenses. Social engineering, phishing, and spear phishing remain effective hacking tools. Don’t open unknown attachments, don’t plug in unknown thumb drives, etc.
    Maintain network traffic logs: It’s hard to know if something strange is happening if you can’t identify right from wrong. Logs help establish baselines, so they can help determine where intruders have been and what damage may have been made or attempted.
    Use available cybersecurity resources: The International Society of Automation and the National Institute of Standards and Technology ISA/IEC 62443 offer many helpful resources and provide best practices for network administrators and defenders, as do NIST 800-14 and 800-16.

    It will be easier to implement more cybersecurity measures with new technologies, but many companies find themselves still working with yesterday’s equipment and software.
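A passive baseline check of the kind the “Maintain network traffic logs” and “Use network identification” items above describe, which also speaks to the point in comment 31 that an intruder can do damage by sending PLCs legitimate-looking commands. This is an added example, not code from the original article or from any vendor’s product; the CSV log format, the IP addresses and the mix of Modbus function codes are constructed for illustration.

```python
"""Passive baseline detector for Modbus/TCP command logs.

Learns which (client -> RTU/PLC) pairs and which Modbus function codes are
normal from a known-good log window, then reports deviations in a later
window. It only reports and never blocks traffic, which is the low-impact,
passive-response posture the defensive list above recommends for OT networks.
"""
from collections import defaultdict
from dataclasses import dataclass

# Modbus function codes that change RTU/PLC state (writes), per the Modbus
# application protocol specification.
WRITE_FUNCS = {5, 6, 15, 16, 22, 23}
FUNC_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil",
    6: "Write Single Register", 15: "Write Multiple Coils",
    16: "Write Multiple Registers", 22: "Mask Write Register",
    23: "Read/Write Multiple Registers",
    43: "Encapsulated Interface (device identification)",
}


@dataclass(frozen=True)
class Event:
    ts: str
    src: str   # client: HMI, engineering workstation, ...
    dst: str   # RTU or PLC
    func: int  # Modbus function code


def parse_log(text):
    """Parse constructed CSV lines 'ts,src,dst,func'; '#' lines are comments."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, func = (p.strip() for p in line.split(","))
        events.append(Event(ts, src, dst, int(func)))
    return events


def build_baseline(events):
    """Map each (src, dst) pair to the set of function codes seen in the window."""
    baseline = defaultdict(set)
    for e in events:
        baseline[(e.src, e.dst)].add(e.func)
    return dict(baseline)


def detect(events, baseline):
    """Return (kind, severity, event) alerts for traffic outside the baseline."""
    known_clients = {src for src, _ in baseline}
    alerts = []
    for e in events:
        pair = (e.src, e.dst)
        if e.src not in known_clients:
            kind = "unknown-client"          # host never seen talking to OT gear
        elif pair not in baseline:
            kind = "new-client-rtu-pair"     # known host, new RTU target
        elif e.func not in baseline[pair]:
            kind = "new-function-code"       # known pair, new kind of request
        else:
            continue                         # seen in baseline: normal
        # A write from outside the baseline gets top severity: a valid write
        # command is all it takes to change the process.
        severity = "high" if e.func in WRITE_FUNCS else "medium"
        alerts.append((kind, severity, e))
    return alerts


# Constructed known-good window: HMI 10.1.0.10 polls two RTUs, engineering
# workstation 10.1.0.50 does a scheduled setpoint write to 10.1.5.20.
BASELINE_LOG = """
2017-06-01T08:00:05,10.1.0.10,10.1.5.20,3
2017-06-01T08:00:05,10.1.0.10,10.1.5.20,4
2017-06-01T08:00:06,10.1.0.10,10.1.5.21,3
2017-06-01T09:30:00,10.1.0.50,10.1.5.20,16
"""

# Constructed later window with four deviations mixed into normal polling.
NEW_LOG = """
2017-06-08T08:00:05,10.1.0.10,10.1.5.20,3
2017-06-08T08:00:09,10.1.0.10,10.1.5.20,16
2017-06-08T02:13:40,10.1.0.77,10.1.5.21,43
2017-06-08T02:14:02,10.1.0.77,10.1.5.21,5
2017-06-08T10:00:00,10.1.0.50,10.1.5.21,3
"""


def run_example():
    """Build the baseline from the first window and check the second."""
    baseline = build_baseline(parse_log(BASELINE_LOG))
    return detect(parse_log(NEW_LOG), baseline)


if __name__ == "__main__":
    for kind, severity, e in run_example():
        print(f"{e.ts} {severity:6} {kind:20} {e.src} -> {e.dst} "
              f"func {e.func} ({FUNC_NAMES.get(e.func, 'unknown')})")
```

On a real network the baseline window should be long enough to include periodic engineering activity (the weekly setpoint write in the sample), or routine maintenance will show up as alerts.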

  44. Tomi Engdahl says:

    Siemens, PAS Partner on Industrial Cybersecurity

    Engineering giant Siemens and PAS, a company that specializes in cyber security solutions for industrial control systems (ICS), announced on Tuesday a new strategic partnership.

    The goal of the partnership is to provide organizations the capabilities needed to identify and inventory assets, including distributed and legacy control systems, and provide visibility for detecting cyber threats and unauthorized engineering changes in multi-vendor environments.

