Industrial Cybersecurity – A Structured and Practical Approach

By Eapen Jacob

Category:
ARCView

At ARC’s recent Fifteenth India Forum, silver sponsor Belden focused on the growing cybersecurity threats the industry faces while realizing the digital enterprise. The company’s presentation provided an overview on the importance of industrial cybersecurity and a practical and structured bc1.JPGapproach for avoiding/mitigating cyberattacks, both intentional and unintentional.

According to Justin Nga, Commercial Engineering Director, Industrial Cybersecurity, Belden, intentional cyberattacks caused by a hacker or disgruntled employee account for only 20 percent of known cyber incidents. Unintentional cyberattacks caused by a software or device flaw, human error, or malware infection account for the remaining 80 percent.

He further stated that the megatrends such as change in consumer behavior, labor substitution, and increased productivity are expected to drive investments in automation that requires Internet Protocol (IP). While IP can certainly help companies connect their plants and factories to the enterprises, IP-enabled automation equipment is likely to increase their exposure to cyberattacks due to increased interconnectivity. Therefore, organizations need to re-evaluate their systems and security approaches to secure against industrial control system (ICS)-related threats, breaches, and other incidents. Some key takeaways from his presentation include:

  • Identify and evaluate cybersecurity risks

  • Use recognized standards and frameworks to harden systems and manage potential threats

  • Monitor for change and implement continuous monitoring

Industrial Security Is Different
According to Mr. Nga, today’s data-driven economy, uninterrupted access to data, including ICS control information and data, is important for businesses to operate smoothly. For safeguarding the ICS environment, organizations require a different set of approaches than for enterprise information technology (IT) system. For the IT network, maintaining the confidentiality of the amount of sensitive operational data being stored or handled remains the top priority, followed by data integrity and data availability. In the ICS environment, while safeguarding data is certainly important, the priority here is to protect process availability, integrity, and confidentiality. Thus, cybersecurity techniques such as patch management, anti-malware protection, security configuration management, secure networks, ICS vendor software updates and a layered defense in-depth ICS infrastructure to ensure the availability, integrity, and confidentiality of system data.

bc2.JPG

Reports on industrial cybersecurity-related incidents show that the following three factors contributed to the recent surge in cyberattacks:

  • Increased use of information technology in industrial sites

  • Increased availability of ICS-related vulnerability information in public domain

  • Availability of cheap or free penetration testing and scripting tools

Case Studies on Industrial Cybersecurity Attacks
Mr. Nga explained the importance of cybersecurity for businesses with the help of the following four case studies:

Case Study #1: Stuxnet Worm
Stuxnet Worm, a malicious malware that first surfaced in 2010, infiltrated numerous Siemens PCS7 systems and the ancillary windows networks and computer systems, Siemens Step7 and WinCC software, and S7 programmable logic controllers around the world. The worm is reported to have infected over 200,000 computers. However, the main payload of the malware was to attack Natanz – Iran’s primary uranium enrichment facility.

The Stuxnet malware, 20 times denser than the average malware code, was professionally written and bug-free. The malware carried four zero-day exploits. Once the malware hit the target, it waited for 13 days before executing, recording normal operating parameters to replay on the HMI during the attack. Researchers took almost 30 days to just understand the initial payload, as they were not familiar with ICS protocols. A USB memory stick was used as the primary threat vector to spread the malware.

Stuxnet operated in two stages after infiltration:

  • First attack: The malware increased the centrifuge equipment rotational frequency, causing the unit to reach resonance and fail catastrophically.

  • Second attack: It then lowered the rotational frequency, causing centrifuge rotor imbalances, which in turn led to total centrifuge failure. The malware then showed plant operators and administrators fake replayed SCADA values and misled them to look for possible system failures. It even intercepted the system’s safety shutdown command, thereby leading to the total plant outage.

Though it was not the first time industrial systems were attacked, Stuxnet was the first malware equipped with a PLC rootkit to spy on and subvert industrial systems. The Stuxnet attack demonstrated that it is possible to cross the divide between the physical and the cyberworld.

Case Study #2: Shamoon
Shamoon, an aggressive data-wiping malware, was first publicized in August 2012. The malware overwrote the information on the hard drives of Saudi Aramco workstations. The malware also erased some vital data from the original system.

However, the number of bugs found in the Shamoon coding indicated that the hackers were not professionals, but skilled amateurs. Although low-intensity cyberattacks are more frequent, the Shamoon attack was widespread and wiped out close to 30,000 workstations.

Case Study #3: BlackEnergy
Identified several years ago, BlackEnergy is a sophisticated Trojan designed to conduct distributed denial-of-service, cyberespionage, and data destruction attacks. In December 2016, the malware appeared to have targeted the power grid in the western part of the Ukraine. The malware allowed hackers to remotely gain unauthorized access to the utility’s computer networks and critical power transmission and distribution (T&D) systems. This helped them take control of the T&D systems, thereby leading to a cascading power failure that caused huge power outages in close to 700,000 homes for almost three to four hours. The original threat vector was through “spear phishing,’ using an e-mail that contained the malware.

While malware attacks targeting critical industrial infrastructure are not a new phenomenon, viruses like BlackEnergy were equipped with destructive functionalities capable of penetrating critical ICS operations and causing difficult-to-prevent catastrophic system failures.

Case Study #4: Dragonfly
DragonFly, a destructive malware designed mainly to target the business computers in the pharmaceutical sector, was first publicized in February 2013. It was the first major documented cyberattack on the discrete manufacturing sector exploiting the vulnerabilities of Windows XP-based computers.

The malware infected systems vital to the operations of the targeted businesses via software supplied by three ICS vendors (eWON, MB Connect Line, and Mesa Imaging). The potential impact of the malware attack included theft of production batch sequences, proprietary recipes, and device and network information. Threat vectors used were email spear phishing, Trojan software, and a “watering hole.”

These case studies clearly indicate the importance of cybersecurity in industries as they can be highly disruptive for the targeted organizations, potentially damaging their critical industrial systems. As stated by Mr. Nga, without additional security measures, there is little that can be done to restrict the impact of such targeted attacks.

Industrial Cybersecurity Standards
Mr. Nga expressed the opinion that cybersecurity as a program is more of a strategic and economic proposition than a technical solution. He urged organizations to follow these eight major cybersecurity domains formulated by International Information System Security Certification Consortium, (ISC2) Common Body of Knowledge, 2017 to safeguard against potential cyberattacks, and build a holistic cybersecurity lifecycle program.

  • Security and Risk Management

  • Asset Security

  • Security Engineering

  • Communication and Network Security

  • Identity and Access Management

  • Security Assessment and Testing

  • Security Operations

  • Software Development Security

Industry-specific cybersecurity standards like NERC/CIP, IEC62443 and NIST SP800 can also help guide an organization on this journey,

Conclusion
Mr. Nga’s session at ARC’s India forum discussed the importance of industrial cybersecurity and the ways in which industry can safeguard itself against future cyberattacks. For businesses, as we know, the nonstop availability of the process systems and associated data is critical to avoid production losses and hazardous incidents, reduce costs, and improve productivity. Hence, organizations need to prioritize their cybersecurity strategies and to avoid or better prepare themselves to withstand the impact of any intentional/unintentional cyberattacks.

Suppliers such as Belden can offer flexible and secure cybersecurity solutions designed to protect industrial environments from such attacks.

ARC Advisory Group clients can view the complete report at ARC Client Portal on Office 365 or Box.com or New Client Portal on this website

If you would like to buy this report or obtain information about how to become a client, please Contact Us

Engage with ARC Advisory Group