Companies are focusing more than ever on system safety analysis. The growing scale of cyber threats, and the disastrous consequences they bring, has captured attention worldwide.
Cyber-attacks go largely unreported, since having a case investigated would spotlight weaknesses in a company's software, systems and set-up. This exposure, unknown even to the company itself, leads to underestimating the severity of a potential incident. Malware attacks put brands at risk of a significant reputation blow, loss of public trust and loss of brand equity. At the same time, actuaries working on cyber insurance have no data on either severity or frequency, both of which are needed for statistical modelling.
Insurance companies are called upon, and it is in their own interest, to be vigilant in this regard. They should counteract cyber risks by contributing to the general body of knowledge within the field and by providing guidance on preventive measures, in addition to insurance cover.
On 9 October, at the 5th Annual Industrial Control Cyber Security European Summit, a diverse group of experts from different professional fields, backgrounds and countries gathered to share their knowledge and opinions. The summit set out to explore best practices in the battle against the invisible enemy.
This article focuses on readily applicable action points: setting up a preventive plan, followed by setting up a reactive plan. Among the key contributing factors to upgrading cyber defence are IT/OT convergence and the supply chain. Innovations such as malware sandboxes and OT cloud migration stand out as solid means of preventing cyber-attacks. The article rounds off with a description of the industries most prone to suffering the direct consequences of an attack, should it occur, and covers regulation around cyber-attacks.
Immediate action points:
Preventive measures plan
Marty Edwards (a) starts by quoting Sun Tzu's "Know yourself and know the enemy" and proceeds to unravel the aspects of the enemy: viruses, worms and trojan horses used for ransom infections (CryptoLocker / Petya), physical destruction (TRITON), IT destruction (BlackEnergy 3) and so on.
Part of "knowing yourself" begins with taking a full inventory of all devices and components (referred to later as assets). Several speakers repeated that "If you don't know where it is or what it is, you cannot protect it". The next step is to determine the critical business function and map every system that can impact that function. It is important to note that such a system need not be a control system; it might well be a warehouse system or an inventory management system.
Having established the potential attack targets, a company can define high-risk events and, based on their consequences, prioritize what must not fail and which function or system should be protected whatever it costs. Straightforward reasoning would advocate layers of protection and the existing safety measures set up for control. And while solid engineering input should remain a priority, thinking like a hacker is paramount when trying to spot and diagnose weaknesses in the way systems are designed, operated and maintained. A hacker would follow two steps at this point:
- Getting access to the system – getting into the environment.
This is most frequently achieved through the enterprise network and the people in it (e.g. spear phishing). If the attacker traces an employee pattern, such as belonging to a union or being customers of the same local restaurant, and the company lacks up-to-date security practices, the attacker could plant malware in the PDF menu for next week's take-away order. When an employee brings that file into the internal environment, it opens the door to private systems. On top of that, the attacker would dig out detailed probable attack paths, access holes and information leakage possibilities.
- Identifying the specific controllers a company/employee uses.
This happens once they have broken into the system, and they do it to make sure the malware they place is specific to the target's environment. This step is a good opportunity to look for ways to disrupt an attacker in these environments, and luckily there are plenty. Engineer the prioritized cyber-risk controls, tripwires, mitigations and backstops needed to interrupt high-consequence risk.
In some cases you might have a function of such importance that, should its security fail, it would pose a threat to human life or safety, fail to protect a multi-million dollar piece of machinery that may take 18 months to replace, or sabotage the company's performance or its very existence. You should aim to protect that equipment, those people and that function by non-cyber means, in other words the big red button. Marty Edwards illustrated this with the example of a company that stored hazardous chemicals on one side of a building. The operational processes that used those chemicals were deliberately located on the opposite side of the building, mainly to maximize the chance of one part remaining intact if the other ran into trouble and exploded. Between the two sat a series of valves, connected to a (literally) big red button on the wall. Should a problem arise in one of the plants, personnel pushed the button and the interconnection between the two was shut. These valves are specialized: once the button is pushed they cannot be reopened; they have to be physically rebuilt, which makes pushing it an extremely costly event. Costly as it is, this solution is worth considering if it would save millions of dollars of equipment or the lives of hundreds of people working in those facilities.
Marty (a) ends the story by asserting that we place too much faith in logic solvers and computerized equipment within safety systems, instead of doing things the old-fashioned way.
Start by asking what your most important business function is and what has the power to impact it. Then encourage your analysts to find each and every system that can impact the function you are trying to protect, what the weaknesses of those systems are, and how you take them off the table. Do you do that through isolation, intrusion detection, or non-cyber means? Dare to think differently, and be confident in doing so, because it is more rewarding to avoid the short, easy way.
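The inventory-then-map-then-prioritize sequence above is easy to state and tedious to do by hand. As an added illustration (not code from the summit or any speaker), the following walks a constructed dependency graph for a fictional batch plant: it finds every asset from which the protected business function is reachable, flags assets that appear on the path but were never inventoried (the "if you don't know what it is, you cannot protect it" case), ranks the known ones by consequence, and singles out those severe enough to warrant a non-cyber backstop. The asset names, zones, edges and consequence scores are all assumptions.

```python
"""Map every system that can impact a critical business function and rank
them by consequence. Added illustration, not code from the summit or any
speaker; the inventory, dependency edges and consequence scores below are
constructed for a fictional batch plant."""
from collections import deque

# Constructed asset inventory: name -> (zone, consequence score 1..5 if it fails)
INVENTORY = {
    "reactor_sis": ("level1", 5),     # safety instrumented system
    "reactor_plc": ("level1", 5),
    "batch_hmi": ("level2", 4),
    "historian": ("level3", 2),
    "warehouse_wms": ("it", 3),       # not a control system, still on the path
    "erp": ("it", 2),
    "corp_mail": ("it", 1),
}

# Constructed dependency edges: X -> [Y, ...] means a failure of Y can impact X.
# "reactor_production" is the business function being protected.
DEPENDS_ON = {
    "reactor_production": ["reactor_plc", "batch_hmi", "warehouse_wms"],
    "reactor_plc": ["reactor_sis", "batch_hmi"],
    "batch_hmi": ["historian", "erp", "vendor_remote_gw"],  # vendor box missing from inventory
    "warehouse_wms": ["erp"],
    "erp": ["corp_mail"],
}

def systems_impacting(function, depends_on=DEPENDS_ON):
    """Breadth-first walk over dependency edges: everything reachable can impact the function."""
    seen = set()
    queue = deque(depends_on.get(function, []))
    while queue:
        asset = queue.popleft()
        if asset in seen:
            continue
        seen.add(asset)
        queue.extend(depends_on.get(asset, []))
    return seen

def unknown_assets(function, inventory=INVENTORY, depends_on=DEPENDS_ON):
    """Assets on the impact path that were never inventoried: they cannot be protected until they are."""
    return {a for a in systems_impacting(function, depends_on) if a not in inventory}

def prioritize(function, inventory=INVENTORY, depends_on=DEPENDS_ON):
    """Known impacting assets ordered by consequence (highest first), then by name."""
    known = [(a, *inventory[a]) for a in systems_impacting(function, depends_on) if a in inventory]
    return sorted(known, key=lambda row: (-row[2], row[0]))

def needs_non_cyber_backstop(function, inventory=INVENTORY, depends_on=DEPENDS_ON, threshold=5):
    """Assets whose loss is severe enough that a non-cyber safeguard (the big red button) is warranted."""
    return [a for a, _, score in prioritize(function, inventory, depends_on) if score >= threshold]

if __name__ == "__main__":
    fn = "reactor_production"
    print("unknown assets, inventory these first:", sorted(unknown_assets(fn)))
    for asset, zone, score in prioritize(fn):
        print(f"{score} {zone:7} {asset}")
    print("non-cyber backstop candidates:", needs_non_cyber_backstop(fn))
```

The walk is deliberately transitive: the corporate mail server ends up on the list because it can impact the ERP, which feeds the HMI, even though nobody would call it a control system. The unknown vendor gateway is the practical output of the exercise; until it is inventoried, no control can be engineered for it.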
Recovery improves Cyber Security Maturity
Another brilliant participant, Eric Knapp (b), launched his talk by stating that "No single control will solve any problem entirely on its own". No matter how solid we perceive our IT fortress to be, we should also plan for the "What if it DOES happen?" scenario, and then go further: not "if" it happens, but "when".
It is neither possible nor fundamentally useful to plan for the finest details of potential events. Those who were not hit by NotPetya were merely lucky, by good fortune rather than judgement. People often claim that if you had known or done something, you would have stopped it. Rubbish! For every barrier you build, two hackers will pop up to bypass it, easily. Plan for a more realistic scenario instead: they might get through, and you will not always be able to stop them, but keep your eyes on the ball and shift your focus towards recovery.
Rob Hayes (c) builds on that opinion by stating that a firewall is not enough. When a company gets hit, it often struggles to estimate the scale of the impact and the time and resources needed to get the systems back up and running. The reality is that plenty of companies do not even have guides, rules or protocols. Rob underlines that the effort should not stop at developing incident response plans and procedures. Fire risk offers a parallel: one has a policy strategy, prevention measures (no-smoking signs) and reactive measures (fire extinguishers, fire alarms in the ceiling, emergency exit signs).
Focusing on business continuity, each company should zoom in to understand its key business processes, operational impacts and systems. Andy Powell (g) adds that we need to understand all sides of the risk but focus on the most important things first; it would be challenging and risky to deal with all of them at the same time. A company should be capable of responding adaptively to any cyber threat. Response and recovery should be developed, tested, practised and exercised until they are fully learned and mastered. There should also be barriers against the risk spreading to third parties, to reduce collateral damage.
Long-term action points:
Operational technology (OT) is the category of hardware and software that monitors and controls how physical devices perform. Until recently, OT was used primarily in industrial control systems to automate operations that were previously manual (manufacturing, transportation and so on). Unlike information technology (IT), the technology that controlled operations in those industries was not networked. Most monitoring and control devices were mechanical, and those that were automated followed rigorous protocols strictly [1].
Now that the OT infrastructure is becoming ever more interconnected, the OT world has become "smart", a transition that makes IT/OT convergence inevitable and compulsory. As business efficiency through automation has increased exponentially, the need for better visibility of operational processes has quickly become crucial. Wireless connectivity has given the administrators in charge of operational technology better monitoring systems and the ability to control physical devices remotely. OT is exposed to the same risks and battles the same challenges as IT, including malware, identity management and access control. There is a significant difference from IT, though: vulnerabilities in an OT system, if not addressed and managed appropriately, can leave critical infrastructure at risk and result in corporate sabotage or, worse, human injury [1].
Cavus Batki (d) from Hinkley Point C (the first new UK nuclear plant in a generation) also supports the need for rigorous protection at level 2 (control) and level 3 (industrial). However, he posits that more attention should be paid to level 1 (the information entry level, the automation systems), i.e. the OT systems themselves.
Martin Fabry (e) notes that safety mandates now see OT environments as an integral part of the enterprise network (compared to the separate part they were before). IT/OT convergence poses its fair share of challenges; we must nevertheless ensure security without compromising operational efficiency and safety. Given the fundamental differences in mindset and process between IT and OT, the following need to be assessed:
- Confidentiality, integrity and availability (IT) vs safety, reliability and productivity (OT)
- Building an orchestrated platform with best-of-breed IT security tools, supported and tested by ICS engineers from the OT side
- The possibility of using Bluetooth, or a similar connection that does not require internet access, to exchange information between the parties
- In transport, OT is very rigorous because of the way it is managed; this is one reason OT moves much more slowly than IT.
As a result, many asset owners have embarked on a proactive cyber-protection crusade. Yet there are cases where production processes cannot be disrupted, even under cyber threat. Key security controls that reduce remote risk areas or vulnerabilities are essential to deter cyber threats that can disrupt process control and production, and they should be placed strategically in high-risk areas.
Dave Weinstein (f) from Claroty suggests "zero-impact" deep packet inspection to precisely map, and place under the microscope, the communications between assets in complex and sensitive industrial networks, which often contain hidden cyber risks.
He also suggests applying passive techniques to identify misconfigurations, vulnerabilities and anomalies, in addition to surfacing operational security gaps and context. This would give plants visibility into what is happening, and what to do about it, without downtime, manual labour or the pressure to become industrial cybersecurity experts overnight.
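To make the passive approach concrete, here is an added example (not Claroty's or any speaker's code) of the smallest useful version of it: decode the Modbus/TCP header of captured requests, learn which client talks to which PLC unit with which function codes, and then flag traffic that departs from that baseline. The frames are built by hand with the MBAP header layout, the IP addresses and roles are assumed, and only client-to-server requests are fed in; a real deployment reads from a SPAN port or tap (hence "zero impact") and covers many more protocols than Modbus.

```python
"""Passive Modbus/TCP conversation mapping with anomaly flags.

Added example, not Claroty's or the summit's code. Frames are constructed
by hand (7-byte MBAP header + PDU); addresses and roles are assumed. Only
client->server requests are processed; a full implementation would also
correlate responses by transaction id.
"""
import struct

WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}   # coil/register writes, mask write, read/write regs
RECON_FUNCTIONS = {43}                      # Read Device Identification (0x2B)

def mbap(tid, unit, pdu):
    """Build a Modbus/TCP frame: transaction id, protocol id 0, length, unit id, then the PDU."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

def parse_modbus_tcp(frame):
    """Decode the MBAP header and function code; raise ValueError on malformed input."""
    if len(frame) < 8:
        raise ValueError("truncated frame")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id %d is not Modbus" % proto)
    if length != len(frame) - 6:
        raise ValueError("length field %d does not match payload" % length)
    return {"tid": tid, "unit": unit, "function": frame[7], "data": frame[8:]}

def build_map(flows):
    """(src, dst, unit) -> set of function codes seen: who talks to whom, and how."""
    comms = {}
    for src, dst, frame in flows:
        pdu = parse_modbus_tcp(frame)
        comms.setdefault((src, dst, pdu["unit"]), set()).add(pdu["function"])
    return comms

def detect(baseline, flows):
    """Compare observed requests against the learned baseline; return (src, dst, unit, fc, reason)."""
    alerts = []
    for src, dst, frame in flows:
        try:
            pdu = parse_modbus_tcp(frame)
        except ValueError as err:
            alerts.append((src, dst, None, None, "malformed frame: %s" % err))
            continue
        key, fc = (src, dst, pdu["unit"]), pdu["function"]
        reasons = []
        if key not in baseline:
            reasons.append("new conversation")
        if fc in WRITE_FUNCTIONS and fc not in baseline.get(key, set()):
            reasons.append("unexpected write (fc %d)" % fc)
        if fc in RECON_FUNCTIONS:
            reasons.append("device identification scan")
        if reasons:
            alerts.append((src, dst, pdu["unit"], fc, "; ".join(reasons)))
    return alerts

HMI, HISTORIAN, LAPTOP, PLC = "10.0.1.5", "10.0.1.7", "10.0.3.44", "10.0.2.10"

# Constructed baseline window: the HMI reads and writes holding registers, the historian only reads.
BASELINE_FLOWS = [
    (HMI, PLC, mbap(1, 1, b"\x03\x00\x00\x00\x0a")),        # fc 3: read 10 holding registers
    (HMI, PLC, mbap(2, 1, b"\x06\x00\x10\x00\x01")),        # fc 6: write single register
    (HISTORIAN, PLC, mbap(3, 1, b"\x03\x00\x00\x00\x64")),  # fc 3: read 100 registers
]

# Constructed observation window: baseline traffic plus an unknown host probing and writing,
# the historian suddenly forcing a coil, and one truncated frame.
OBSERVED_FLOWS = BASELINE_FLOWS + [
    (LAPTOP, PLC, mbap(9, 1, b"\x2b\x0e\x01\x00")),                          # fc 43: read device id
    (LAPTOP, PLC, mbap(10, 1, b"\x10\x00\x00\x00\x02\x04\x00\x01\x00\x02")),  # fc 16: write 2 registers
    (HISTORIAN, PLC, mbap(11, 1, b"\x05\x00\x01\xff\x00")),                  # fc 5: force coil on
    (HISTORIAN, PLC, b"\x00\x0c\x00\x00\x00\x06\x01"),                       # header only, no PDU
]

def run_example():
    """Learn the baseline from the first window and report anomalies in the second."""
    return detect(build_map(BASELINE_FLOWS), OBSERVED_FLOWS)

if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

Two caveats a practitioner would add: the baseline must be learned from a window known to be clean, otherwise an attacker already present becomes "normal"; and a write from an allowed client to an allowed unit still passes, so function-code allow-listing is a tripwire, not a substitute for the engineering controls discussed earlier.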
Cross-department communication is now the engine running businesses, and the IT function is expected to be seamlessly integrated with the other company functions. The shipping industry is a good example of IT/OT integration. Here, engineering and IT are both vital and interdependent. During a 48-hour shift, the engineers change details very often, but they do not change policies and documents at the same pace (as an IT protocol would). They need flexibility, which calls for adaptability from all parties involved in the integration.
On another note, Andy Powell (g) suggests that technology services and exponential digital transformation translate into large vulnerabilities, since an incident would affect at least two company departments at once. This should be accounted for, and it drives an even greater expansion of the cybersecurity domain.
The Supply Chain – collective resilience, collaboration and information sharing
Recent APT attacks (advanced persistent threat: a threat or malware that infiltrates the company's network and remains undetected for an extended period of time [2]) have demonstrated that however high the walls of our fortress, our information and systems may still be attacked through third-party systems with weaker security controls. This is a multi-sector problem caused by attacks through a common attack surface. "Individually we may all be resilient, but collectively we are not" (Marty Edwards (a)). As critical infrastructure depends more heavily on interconnectivity to function efficiently, we have to reclassify this from a local problem to a collective one. Third-party risk management may be more intricate than generally thought, and it opens fundamental questions about the broader safety and security of our products and systems from an integration point of view. Nothing can be achieved in isolation. Meaningful collective collaboration is imperative for all parties involved: suppliers, regulators, asset owners and so on. We must move towards developing the trust and mechanisms to support a collective, collaborative approach to security with our suppliers, partners and interrelated sectors. Do your partners even have policies and procedures in place to map an incident? Another issue is that the same devices and components are deployed one way in some companies and differently in others, so their level of security differs. Standards matter too: "How secure?" "Very, very secure" is not an acceptable measure.
Collective resilience points to several action points:
- all parties involved must be able to voice an opinion
- streamline where we duplicate effort
- develop fit-for-purpose standards, compliance checklists and conformity assessments
- to-dos around mediation and liability
Apart from action points, a few questions should be considered in order to identify the right strategy. What do we do to improve knowledge in the sector? Are we going to share within the system? What do we do about threats, risks and probabilities? Resisting greater openness and transparency between companies increases the risk of security failure. We cannot allow commercial reasons to prevent us from stopping the bad guys.
Innovations in the cyber defense world
Triton and CrashOverride were built with the sole purpose of hijacking the OT system by speaking its own protocols. Ron Yosefi (h) proposes an "ICS network sandbox" in which a sample could be detonated artificially and its impact and consequences tested before it reaches the production system. Such sandboxes exist today only on the IT side, not the OT side. Because IT sandboxes cannot detect OT malware, the latter slips through unharmed: ICS-specific malware such as TRITON goes undetected because IT malware sandboxes cannot flag ICS-specific activity such as OPC scanning, overwriting of PLC configuration files, or calls to ICS-specific libraries and ports. CyberX's research team has built an ICS-aware malware analysis sandbox that simulates a complete ICS execution environment in order to detect ICS-specific behaviour.
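The point about IT sandboxes missing ICS malware can be shown on a single constructed behaviour trace. The following is an added example, not CyberX's sandbox or any speaker's code: the same trace is scored once with generic IT-style rules (ransomware file extensions, autorun persistence, outbound web connections) and once with ICS-aware rules (sweeps of well-known ICS ports, writes to PLC project files, loading of OPC libraries). The trace, the port and extension tables and the weights are assumptions chosen for illustration, not a vendor's detection rules.

```python
"""Behavioural scoring of a sandbox trace with IT-only vs ICS-aware indicators.

Added example, not CyberX's sandbox. The trace is constructed; the indicator
tables (well-known ICS ports, PLC project file extensions, OPC library names)
and weights are assumptions for illustration only.
"""
from collections import defaultdict

ICS_PORTS = {502: "Modbus/TCP", 102: "S7comm/ISO-TSAP", 20000: "DNP3",
             44818: "EtherNet/IP", 1502: "TriStation"}
PLC_PROJECT_EXTENSIONS = (".acd", ".l5k", ".s7p")
SWEEP_THRESHOLD = 5   # distinct hosts contacted on one ICS port before we call it a sweep

def ics_indicators(trace):
    """ICS-aware rules: ICS port sweeps, PLC project overwrites, OPC library loads."""
    hits = []
    hosts_by_port = defaultdict(set)
    for ev in trace:
        if ev["op"] == "connect" and ev["port"] in ICS_PORTS:
            hosts_by_port[ev["port"]].add(ev["dst"])
        elif ev["op"] == "write" and ev["path"].lower().endswith(PLC_PROJECT_EXTENSIONS):
            hits.append((3, "PLC project file overwritten: %s" % ev["path"]))
        elif ev["op"] == "load" and "opc" in ev["lib"].lower():
            hits.append((2, "OPC library loaded: %s" % ev["lib"]))
    for port, hosts in hosts_by_port.items():
        if len(hosts) >= SWEEP_THRESHOLD:
            hits.append((4, "%s sweep of %d hosts" % (ICS_PORTS[port], len(hosts))))
        else:
            hits.append((1, "%s connection to %s" % (ICS_PORTS[port], ", ".join(sorted(hosts)))))
    return hits

def it_indicators(trace):
    """Generic rules an IT sandbox might apply: ransomware renames, persistence, C2-like web traffic."""
    hits = []
    for ev in trace:
        if ev["op"] == "write" and ev["path"].lower().endswith((".locked", ".encrypted")):
            hits.append((3, "encrypted-file extension written"))
        elif ev["op"] == "reg_set" and "\\run\\" in ev["key"].lower():
            hits.append((2, "autorun persistence"))
        elif ev["op"] == "connect" and ev["port"] in (80, 443):
            hits.append((1, "outbound web connection to %s" % ev["dst"]))
    return hits

def verdict(trace, rules, threshold=5):
    """Sum the weights of matched indicators and compare against a threshold."""
    hits = rules(trace)
    total = sum(weight for weight, _ in hits)
    return {"score": total, "malicious": total >= threshold, "reasons": [r for _, r in hits]}

# Constructed trace resembling ICS-targeting behaviour (not a real sample):
# a Modbus sweep of six hosts, one TriStation contact, an OPC DLL load,
# a PLC project overwrite, and a single HTTPS connection to a TEST-NET address.
TRACE = (
    [{"op": "connect", "dst": "10.0.2.%d" % i, "port": 502, "proto": "tcp"} for i in range(1, 7)]
    + [{"op": "connect", "dst": "10.0.2.10", "port": 1502, "proto": "udp"},
       {"op": "load", "lib": "OPCDAAuto.dll"},
       {"op": "write", "path": "C:\\Projects\\line1.acd"},
       {"op": "connect", "dst": "203.0.113.7", "port": 443, "proto": "tcp"}]
)

def compare(trace=TRACE):
    """Score the same trace with both rule sets so the gap is visible side by side."""
    return {"it_only": verdict(trace, it_indicators), "ics_aware": verdict(trace, ics_indicators)}

if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result["score"], "malicious" if result["malicious"] else "benign", result["reasons"])
```

The scoring only works if the sandbox actually lets those connections happen: a sample that probes port 502 and finds nothing listening may abort before it shows its hand, which is why the paragraph above stresses simulating a complete ICS execution environment rather than merely watching for ports.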
OT Cloud migration
Complex environments that are difficult to manage with respect to operational technology control systems have raised security concerns about the increased connectivity of industrial systems and the need to protect OT. Under cost-conscious policies, frugality often results in a trade-off between operational efficiency and security, with speed and scale as the decisive factors. Moving away from the traditional model (six weeks to get a server, then three weeks to go "on air", and so on), a cloud solution for SCADA [3] systems would bring agility, a significant reduction in complexity, new opportunities, reduced capital expenditure and better control capability. The cloud was initially intended for IT only, but OT would be a good fit for it too. However, Mo Ahddoud (i) lists some key issues to be taken into account:
- Dedicated SCADA teams, who would do away with the capital expenditure on control and backup centres
- The need for efficient cloud solutions
- Effective collaboration with key vendors to migrate the OT environment to the cloud securely, cost-effectively and collectively
- Security and reliability of cloud solutions for industrial applications
Industries with catastrophic consequences if cyber attacked
A cyber-attack is costly in both time and money. Whatever the size of the company, it will have to temporarily close its operations, repair, replace, test and so on. What if the company runs critical national infrastructure? The attacker would most probably be another nation state, with the clear goal of causing as much damage as possible. Here is a list of some of the industries most prone to being targeted by a cyber-attack:
Military base supplier
Being selective about protection and doing a lot of due diligence is compulsory. The country has to invest in extraordinary detection capabilities, and the military supplier must have people with extraordinary analytical skills. The US government spends lavishly to lower the risk of attacks and to build supply chains that are as clean as possible. Governments manufacture their own equipment for certain applications (e.g. nuclear weapons and military technology); no government would buy such equipment from another country. It is manufactured in controlled facilities by people who hold clearances, behind similar cyber barriers.
Shipping and logistics
Mærsk, represented by Andy Powell (g), has an interest in 78 ports and runs 30 of them (Mumbai, Singapore, Rotterdam and others). If one of those key ports goes down, 20% of worldwide trade stops. The company is currently trying to make its ships more efficient and automated. He confirms that there are states that would launch an attack to steal secrets, so espionage is a problem in this sector. Transport and logistics have also become the target of various ransomware campaigns, where the ability to disrupt the production line disrupts operations. That is the emerging risk the shipping sector faces. Among the core threats, the following are the most palpable:
a. Safety - Will the ship/people be safe?
b. Loss of money – 250 million dollars were lost on cyber-attacks last year.
c. Loss of confidence in the brand, in what they do.
d. Safety and integrity of supply chain.
e. Some of the equipment is not easy or possible to replace.
Electricity: Didier Giarratano (j) points out that a power system failure in a city or country lasting as little as a couple of hours would be disastrous, and a couple of days would cause complete chaos. Just imagine: no fridge, no heating, no bank card payments and so on.
Water is considered as crucial as electricity, with comparable consequences.
Nuclear power: it goes without saying that this industry matters for political, economic, environmental and many other reasons.
One of the most urgent needs is to develop a systematic method of assessing essential services (food, power, water, transportation, military power), to understand assessment methods and to use the Cyber Assessment Framework.
Rob (c) (nuclear background) posits that the purpose of regulation is to bring all organizations together to address sizeable risks jointly, rather than facing them alone. NIS [4] (the EU directive on security of network and information systems) is about resilience, not about safety or security. Before a regulation is stamped, the following prerequisites should be covered in a discovery phase: setting the line, setting expectations, and agreeing taxonomies of the critical assets at national level. This brings out multiple points of view, because "critical" carries a different meaning for different sectors (and people). Going down to the details at a deeper level is absolutely fundamental.
Another necessary pillar of regulation is the insurance module, which also has to be built and adapted to each specific sector. Such a variety of authorities risks divergence; still, the government has to maintain a coherent approach across sectors. Regulators also have to think about coherence between states at an international level (Norway, EU, UK), because a company that works across sectors or states will otherwise find compliance difficult to manage. It pays to think twice and act once when setting up regulations.
The NIS regulation is also about impact. Other regulations focus on safety. Here the main concern in case of a cyber-attack is contagion to the entire sector. Looking outwards from the infrastructure components, beyond the economic loss of a multi-billion dollar asset, a cyber-attack might contaminate the whole business environment. As mentioned above, the electricity sector is among the most susceptible: if a facility producing electricity is lost, that can trigger a loss at another company, which cascades into further losses. On the other hand, the collapse of a single nuclear power plant has an effect at national level. So we are looking at national security interests on one side and corporate interests on the other.
Regulators must take a proactive view and also look through the reactive lens: if the worst should happen, there will be competing priorities from the different entities trying to step in.
In the cyber world, a lot of responsibility is placed on companies' operators and services through strict regulation. But should government and authorities also provide finance (or part of it)? The philosophy also compels us to ask where the balance of responsibility lies. If a company gets hacked by a nation state because it has not got the basics right, then clearly it was the company's responsibility. But what if a hostile nation is determined to get into its systems regardless?
Digital transformation, in step with exponential technology advances, brings incrementally greater exposure for companies, both because of the growing amount of sensitive information available and because of the easy opportunities to steal data. Integration between IT and the other company departments, mainly OT, would allow greater control and management of hacking incidents. Nevertheless, companies should master preventing and curbing hacking attempts.
Although certain industries are more likely to be targeted, all companies should treat cybersecurity with the same degree of responsibility.
It is said that data is the new oil. How can an industry that grows exponentially, and that has become the most revolutionary economic transition, be made safer for all of us?
“Think like a hacker, act like an engineer”
3. SCADA - supervisory control and data acquisition
Quoted key speakers:
a) Marty Edwards
Director of Strategic Initiatives at ISA and Managing Director of the Automation Federation
b) Eric Knapp
Leader and visionary in industrial control systems cyber security
c) Rob Hayes
Director Deloitte UK and Lead for Cyber Security of Critical National Infrastructure and Industrial Control Systems
d) Cavus Batki
Design Authority, Cyber Security
e) Martin Fabry
Critical Infrastructure Cybersecurity Consultant
f) Dave Weinstein
Vice President of Threat Research at Claroty
g) Andy Powell
CISO at A.P. Moller - Mærsk
h) Ron Yosefi
International Sales & Business Development Manager
i) Mo Ahddoud
CISO at SGN
j) Didier Giarratano
Cyber Security program manager
All credits for the information and technical content belong to
the 5th Annual Industrial Control Cyber Security European Summit,
October 9th – October 10th 2018