Industrial Data Compromise – the New Business Risk

Today is the day that Tofino Security is announcing that I have joined their team.  I am very excited about this, particularly because I believe that industrial cyber security is the next major impactful technology to hit the automation industries.

I am also excited to be joining Eric and Joann Byres and their group; people I have high regard for, as I believe Tofino Security technology is poised to lead the way in protecting the critical infrastructure industries.

However, enough cheerleading - this is a blog.  Here is my perspective on technology advancement in the automation industries over the past few decades, and my belief in where it is going next.

Technologies that Increase Productivity Hide Unintended Threats

You might say I grew up in the process control and factory automation industry (for my career background, read today’s press release).  For over 30 years I have observed and participated in bringing many innovative technologies into this market we call process automation.  Productivity gained from these new technologies has been huge, yet these same technologies often introduce unforeseen issues into the plant or factory operation.

Rarely will an alert Control or Systems Engineer completely replace a legacy system with new technology.  Advances in technology are applied incrementally.  Unlike the office environment, industrial deployment tends to blend the old with the new.  Unfortunately, the sales pitch of productivity gain that accompanies new technology deployment may hide unintentional threats.

Such is the case with the current rush to connect everything through Ethernet and IP technology.  This rush glosses over the lack of preparedness by End Users and Automation Vendors to address a new working reality called industrial cyber security.

Let me explain.

(Short) Thirty Year Review of New Process Automation Technologies

In the early 80’s a strategy to de-centralize proprietary process control systems emerged and spawned the Fieldbus Wars.  Thus began the unravelling of central control strategies with a vision towards driving more intelligence into each field device and utilizing non-proprietary technology.

 

Advances in technology continued, and in the late 80’s and early 90’s they brought us industrial computers driven by the personal computer revolution, which challenged PLC dominance.  These rugged PC’s suggested a more flexible approach to monitoring and control using the Microsoft Windows® operating system.

 

In turn, this led to PC-based HMI (human-machine-interface) application SCADA software and from this, new industrial firms with software-only solutions, such as Heuristics, Iconics, Intellution and Wonderware, were born.

As the clocks ticked into the new millennium and fears of the dreaded Y2K subsided, industrial users found significant cost reductions and huge productivity gains in selective installation of a network technology called Ethernet.  Ethernet, an open standard and an already established connectivity technology on most business networks, would find similar value as Control and System Engineers began to thread together various ‘islands-of-automation’ into a plant-wide control network infrastructure.  Soon most industrial devices were designed to be “Ethernet-enabled.”

 

In the same decade, Ethernet became ubiquitous and the Internet more pervasive as IP technology connected everything for an anywhere, anytime, access-to-data experience.  And industrial wireless sensor technology (WSN) with its self-configuring, self-healing mesh approach further added to the networking infrastructure.

Wireless devices extended or in some cases replaced hard-wired solutions and connected remote and hard-to-reach areas of any process to the plant network.

With these network advances, a more comprehensive plant-wide picture is now available to management, yielding real-time information on the cost and performance of the firm’s process 24/7.

And the more the operators knew about the actual performance of their process, the tighter (more productive) it could be run.

All is well in the newly networked industrial kingdom.  Right?  Well, sort of…

Data Demands Increase Cyber Security Risk

As plant operators and owners demanded even more productivity from their process, Control Engineers installed ever wider network coverage to push and pull data from all areas of the operation.  Local, offshore, and even cross-country connections became cost-effective and easy-to-use through selective use of various networking and IP technology.

However, significant danger lurks in the shadow of many of these deployed networks.  While key advances were made in networking, little attention was paid to industrial cyber security.

Think about this – data available to authorized personnel, will also be available to unauthorized folks.  You may ask – who and why would someone, other than plant personnel, want to capture my data?

It is time to discuss the game-changing Stuxnet malware…

Stuxnet Draws Hacker’s Attention to Weak PLC Security

As anyone reading this blog knows, Stuxnet, a worm discovered affecting Siemens’ PLC and SCADA products in July of 2010, shocked industry by showing how determined perpetrators can create malware that enters your network, without your knowledge, and silently waits for remote commands or collects data on your process for competitive or disruptive purposes.

In this case, the outcome was the specific destruction of centrifuges used in Iran’s nuclear enrichment program.  What is less well known is the collateral damage to manufacturing plants in other countries that had to reconfigure PLCs and shutdown networks to purge them of Stuxnet.

An unfortunate development of the media attention Stuxnet received was to point out to the hacking / security researcher community that it is straightforward to penetrate into the millions of legacy control and monitoring systems deployed worldwide.  This is mainly because these systems were designed prior to Internet IP and Ethernet enabled devices.  No protection was designed into these devices as the threat didn’t exist or wasn’t perceived as significant.

Hacker focus on industrial systems led to ICS-CERT releasing 104 security advisories for ICS/SCADA products in 2011.  Prior to Stuxnet only 5 SCADA/ICA vulnerabilities had ever been reported.

Complacency of the Past Must Change

Why would anyone want to know how much material you had stored in a tank, or running through your pipeline?  This line of thinking has been the prevailing attitude until now.

Well, think of the possible consequences.  It could be destructive damage to the plant or process, or subtle and persistent attempts to steal valuable information.  For example, theft of process information for commercial espionage could be used to make a competing or counterfeit product.  Furthermore, “easy” access into the process network could lead to the theft of business information on the enterprise network

Now, contrast the fast pace and ingenuity of hackers with the incremental approach to changes to legacy systems mentioned earlier.  You can’t help but conclude that hackers will remain well ahead of industry if we don’t start paying more attention.  And commercial or criminal villains are sure to take advantage of resulting opportunities.

I was recently talking with an individual who works for a large automation company.  He told me that his firm was convinced that adding more security technology to their devices was important.  He then quickly lamented that this would add to the cost of the device and he wondered if the End User would be willing to pay.

A New Era:  Industrial Cyber Security Becomes a Must Have

In this new era of industrial interconnectedness and prolific security researcher disclosure of automation system vulnerabilities, no one wants to be part of the team responsible for a system that could lead to data compromise and plant or business damage.

2012 must bring a redoubling of effort by End Users and Control Engineers to send a clear message to the Automation Vendors that industrial cyber security must transition from a “nice to have as insurance” feature to a key feature and design requirement of any process or device that wishes to remain reliable.

That’s my opinion, what’s yours?

Related Content to Download

Note: you need to be a member of tofinosecurity.com and logged in to have access to the documents below. Register here to become a member.

Presentation - "Mission Critical Security in a Post-Stuxnet World Part 1"

 

These presentations summarize information about the Stuxnet malware and what it means for the future of SCADA and ICS Security.

Together, they are ideal for anyone needing a crash course on Stuxnet, or as a tool for informing management about the implications of it.

 

Presentation - "Mission Critical Security in a Post-Stuxnet World Part 2"

 

The presentations were given by Eric Byres at the Hirschmann 2011 Mission Critical Design Seminar.

Related Links

 

RSS Feed Subscribe to the "Practical SCADA Security" news feed

Comments

6

Dear Mr. Williams:

Your 1/11/12 blog is excellent.

Why does no one ever mention the corruptible vulnerability of the write-always memories of all PLCs?

Dear Frank,

Nice article , keep it up.

Regards

Shariq

Thanks Shariq -- always good to hear from you.

Regards,

Frank

Dear Frank,

All good points although I think confidentiality is still less important for most control system applications, recipe and batch data might be the most common exception.

I don't believe we will see a change in complacency until there is either an embarrassing, public and very costly event which occurs or the risk to business is adequately articulated to insurers and businesses. Consider process safety, even with regulation we still hurt people unnecessarily and only events like Macondo change things. Even with plentiful data on the costs of injuring people. There is also a difference between what is mandated and what is practiced even in safety. Information security is much less regulated. Therefore expect more of the same.

Meanwhile I'll keep on trying to do the right thing and also reading these blogs.

Best Regards
David

David -- thanks for your feebback. Your point has merit, although I wish it wasn't so. The industry needs thought leaders on security in a pro-active way. Industry folks (automation & process control)who wait for an event are on the wrong side of the debate - Sooner than later, I won't be surprised to find that security, lke quality, will just be expected in each device,not something additive or special.

Frank

Thanks Frank

I like David's comparison with safety - tho I suspect that there is a greater awareness of safety than exists for ICS cyber security in most organisations.

Chris

Add new comment