For some time infosec pros have said best cyber security practice is to have security embedded deep in an organization’s culture – meaning in every business process and every product it makes or handles.
Another example of why that standard is important comes from Indegy, a security provider for industrial control systems. In a blog post Tuesday the company said it has discovered a vulnerability in Schneider Electric’s Unity Pro software, used for managing the manufacturer’s industrial controllers.
The vulnerability was disclosed to Schneider months ago, and the manufacturer has since issued a new release of the software.
But Indegy CTO Mille Gandelsman says it’s another example of how different the vulnerabilities are in industrial control and enterprise networks.
Getting onto an enterprise network doesn’t necessarily get an attacker into every device attached, he said in an interview. On the other hand, because many industrial controllers – particularly older ones – lack authentication and their protocols aren’t encrypted, an attacker who gains access to the network has access to everything. As a result it’s easy for an attacker to issue commands to stop a process, change a process or change a controller configuration.
Industrial controllers, which include programmable logic controllers (PLCs) and remote terminal units (RTUs), are found in a wide range of systems from traffic lights to car assembly lines to hospital equipment to nuclear power stations. As such they qualify as part of the so-called Internet of Things.
Gandelsman admits that for an attacker the challenge is getting onto an industrial control network. But as the Unity Pro vulnerability shows, a vulnerability can be as near as a workstation.
Attackers can’t gain sensitive or financial information from breaching an operational network. Instead they can shut a system down – or cause mayhem – for political or publicity reasons.
However, there are ways of breaching both enterprise and operational networks if they are linked – and increasingly they are. Last December an electrical utility in Ukraine was hit by a series of power failures blamed on the BlackEnergy trojan, which typically infects an enterprise through a phishing attack that carries a document with an infected Microsoft Word macro. From there the malware would be used to try to find a way onto the utility’s SCADA (supervisory control and data acquisition) network.
Suspicion has fallen on Russia as the source of the attack because it has been locked in a battle with Ukraine over territory.
Gandelsman agrees that all companies need to embrace end-to-end security. But, he says, the DNA of many industrial control manufacturers hasn’t been like that.
Indegy talked about the vulnerability at the ISA Water Symposium. David Zahn, general manager at PAS, Inc., a provider of ICS cybersecurity, was at the session and said in an email that it is good that cybersecurity companies are disclosing these vulnerabilities and following good ethical disclosure practices. But, he added, no one should be surprised that such vulnerabilities exist. “This is tip of the iceberg stuff as most control systems in the field today were designed without cybersecurity as even a consideration. It is common to see control systems that are 15, 20, and 25 years old in a production environment. They rely on air gapping, complexity, and other factors to protect them, but nothing specific to cybersecurity was inherently built within them.”
Within industrial facilities, there is also an “if it ain’t broke, don’t fix it” approach to control systems, he added.
Organizations have to start protection by having an inventory of ICS devices, he said. Then perform a risk analysis of each. If a system has sufficient security controls in front of it and is critical to continuous plant operations, one answer might be “do nothing.” If the vulnerability is deemed critical enough, then patching the system – possibly in the next turnaround – has to be done.
But there also has to be a determination if and when an unauthorized change occurred. “Industry best practices and ICS cybersecurity standards prescribe an automated, auditable approach to change detection, investigation, and response,” he said. “Companies must have the ability to gather detailed configuration data on industrial control systems and drive investigatory action when necessary. Since patches are not applied to industrial control systems with the same frequency or immediacy as IT systems, having an automated change management process – one where even control logic is monitored – is critical to knowing whether an attacker has exploited a vulnerability.
“The trick is to do this across both the traditional IT systems as well as the myriad of proprietary systems found in industrial facilities today.”