Outlook optimistic despite tough year in cybersecurity.
In addition, the defensive technologies that help to counter this growing threat have evolved, providing new methods of protecting industrial systems against attack. In other words, the fight is escalating on both sides, indicating this will be an even more interesting year for industrial cybersecurity.
Industrial cybersecurity professionals had a busy year in 2014. First, broad-reaching vulnerabilities disclosed in open SSH (Heartbleed) and the Bash shell (Shellshock) had to be dealt with: Code had to be reviewed, and if vulnerable versions of these highly ubiquitous services were found, they needed to be patched. While not limited to industrial control systems, these vulnerabilities certainly affected the industrial world, and it meant overtime work for responsible vendors around the world.
We also saw some targeted cyber-threats, including Dragonfly--a sophisticated campaign that combined highly targeted infection vectors with advanced malware. The campaign included a targeted watering hole attack, using compromised integrated computer solutions (ICS) vendor sites to distribute trojanized malware to customers looking for support updates.
The malware, once introduced to the customer, performed a variety of tasks, including enumeration of object linking and embedding for process control (OPC). In short, it found its way into industrial networks and stole information specific to those networks. I personally would classify the campaign as "reconnaissance," and imagine that it could be the predecessor of a larger attack in the future.
Later, in November, we heard of another series of targeted attacks against the power grid, water systems, wind turbines, oil pipelines and other critical infrastructures throughout the United States and Europe. The attacks seemed to date as far back as 2011, using the trojan Black Energy, which has been widely attributed to a Russian cyber-espionage group.
Is the threat against critical infrastructure real? I think it's safe to say that in 2014, that question has been definitively answered. This is confirmed by a recent Honeywell survey, which showed that two-thirds of those surveyed thought the oil and gas, chemicals, and power industries were particularly vulnerable to cyber-attacks.
What's the good news? Despite all of this, or perhaps because of it, security awareness has increased dramatically. This was also the year that brought the introduction of a new industrial cybersecurity training and certification program in the United States. The Global Industrial Cyber Security Professional (GICSP) certification issued has supporting training curriculums available from the SANS Institute, and has also driven demand for boutique training by specialist cybersecurity organizations such as Red Tiger and RedHat Cyber (aka, "SCADAhacker").
Security vendors have also been busy, with specific industrial cybersecurity products or features being announced by security heavyweights, including Cisco, Intel Security (formerly McAfee) and Palo Alto. With more and more reports of control system traffic being improperly exposed to business networks and even to the Internet, support for industrial applications and protocols in these enterprise cybersecurity vendors is well justified and will help to better isolate and protect SCADA and ICS systems.
Many new specialty products have also been introduced, including protocol "enforcers" from Beldin's popular Tofino products, and a new version of a data diode, the "flip," which is designed to provide the best of both worlds by providing hardware-enforced unidirectional communications with the controlled ability to "flip" the information flow when necessary for operational reasons.
There are even some entirely new companies, including the mysterious SCADAfence, which according to the limited information on its website, provides "next-generation cybersecurity solutions for the critical infrastructure and manufacturing industries."
So, there's good as well as bad, but is it enough? As is typical in the world of cybersecurity, nothing stands still for very long. At the very end of 2014, we saw another targeted cyber-attack against an industrial system. In December, a German steel mill was attacked in what is being referred to as the world's second example of a cyberattack resulting in physical damage. The first was Stuxnet.
This more recent example was described in Wired magazine: "Hackers had struck an unnamed steel mill in Germany. They did so by manipulating and disrupting control systems to such a degree that a blast furnace could not be properly shut down, resulting in "massive"--though unspecified --damage."
What will the rest of the year bring? The silver lining of a busy year in cybersecurity is that awareness will continue to improve, thanks to more frequent media coverage. Security maturity should also benefit, due to some hard-taught lessons: Heartbleed and shellshock taught us that nothing is sacred, and nothing can be taken for granted; Dragonfly and Black Energy taught us that targeted attacks are not only possible but increasingly common; and the unfortunate steel mill incident has taught us that Stuxnet-class sabotage can and will happen again. With knowledge comes power, and so while attacks will undoubtedly continue to evolve, we'll be better prepared when they do.
With better awareness, an improved focus on strong cybersecurity, and new tools available to help protect industrial control systems, the race will continue, it will escalate, the stakes will likely become higher, and the rules more complex. What does this really mean? Well, no one can predict the future, but it's safe to say 2015 should be another incredibly interesting year for industrial cybersecurity.
The largest cybersecurity gaps in 2014 continued to be split among poor access controls and insufficient security patch management.
The first is evident by continued reports of control systems that are publically available--and often freely accessible--via the Internet. Project SHINE, a research project using the Shodan search engine, found over a million Internet-exposed ICS devices, with as many as 8,000 new devices exposed per day. The second is an unfortunate Catch-22 of the industrial sector: You can't patch systems that need to be fully operational 24 hours a day, seven days a week, and 365 days per year.
Will these trends continue in 2015? Perhaps, but hopefully increased cybersecurity awareness, as well as improved risk management tools and capabilities, will help address both. You can't fix problems you aren't aware of, so improved awareness, visibility and understanding of cybersecurity risk will--hopefully--drive improved decision-making and more effective cybersecurity in the new year.
By Eric D. Knapp, Global Director of Cyber Security Solutions, Honeywell Process Solutions
Eric D. Knapp is global director of Cyber Security Solutions and Technology for Honeywell Process Solutions. He has over 20 years of experience in information technology, specializing in industrial automation technologies, infrastructure security and applied Ethernet. Knapp is the author of "Industrial Network Security: Securing Critical Infrastructure Networks for Smart Grid, SCADA, and Other Industrial Control Systems," and the co-author of "Applied Cyber Security for Smart Grids."
|Printer friendly Cite/link Email Feedback|
|Author:||Knapp, Eric D.|
|Publication:||Pipeline & Gas Journal|
|Date:||Aug 1, 2015|
|Previous Article:||NAPCA convention hears of need for more gathering pipe.|
|Next Article:||Survey: IT experts confident of ability to detect attacks.|