In October 2012, then-U.S. Secretary of Defense Leon Panetta gave a speech in which he warned that the United States was facing the possibility of a “cyber Pearl Harbor” and was increasingly vulnerable to foreign computer hackers who could dismantle the nation’s power grid, transportation system, financial networks and government. According to Panetta, the nation's adversaries have been acquiring technologies that could allow an aggressor nation or extremist group to gain control of critical infrastructure. “They could derail passenger trains, or even more dangerous, derail passenger trains loaded with lethal chemicals. They could contaminate the water supply in major cities, or shut down the power grid across large parts of the country.”
None of those things have happened in the U.S. – yet – but there have been recent high-profile attacks on industrial and critical infrastructure systems elsewhere.
Investigators have confirmed that the Ukrainian power grid was knocked offline in December 2015 by a cyber attack that used malware to damage computers and sensitive control systems. A troubling aspect of this attack is that other countries' power systems aren't much better protected than the Ukrainian system, meaning this could happen anywhere. Even in the U.S.
Germany's Federal Office for Information Security reported a cyber attack on a steel manufacturing plant in late 2014. According to the agency, attackers used a spear phishing email to gain access to the plant's office network, and from there made their way into the company's production network. Commands were sent to the network's control components, preventing the plant from appropriately shutting down a blast furnace. This resulted in significant physical damage to the plant, costing millions of dollars and shutting down productivity for months.
Many experts believe this is just the beginning of cyber warfare events that will be waged around the world. Unfortunately, the industrial world is years behind the information technology (IT) world in preparing for cyber attacks, largely because this is something new in the operational technology (OT) world.
Traditionally, OT systems have been isolated and protected by the means of "security through obscurity." Industrial systems run on proprietary operating systems from companies like Schneider Electric, Honeywell, Emerson, Siemens and a handful of other vendors. Until recently, they have had no connections to the IT world where malware is prevalent.
This is changing, however, as plant operators seek the benefits of creating connections between IT and OT systems. Operators want to gather important metrics that can help them improve their production processes and gain better insight into the business overall. But this is creating vulnerabilities on the OT side of the house, and as a result, plant operators need to harden their OT environments—something that is easier said than done.
The IT and OT environments are quite different. In the IT world, if a vulnerability is discovered, say on a Windows or Linux system, it's simple to install a patch and reboot the system. In an industrial environment, you can't just shut down a production system to apply an update or patch and then reboot. Something like a petroleum refinery, a water treatment plant or an electricity generating station has to be scheduled for downtime, and even at that the maintenance is typically performed only once or twice a year.
In the IT world, systems get replaced every three to five years. In the OT world, the replacement cycle for machines might be 10, 20 or 30 years or more. Equipment that is decades old was never built with security in mind, so there might not even be a way to update the OS.
There are many issues in the industrial world that make security hardening a real challenge. NextNine is one company stepping up to address the challenges, offering a distributed platform for security management of the Supervisory Control and Data Acquisition/Industrial Control Systems (SCADA/ICS) environments.
NextNine's platform consists of a centralized security center, virtual security engines that are located at each plant location (one per plant), and a secure communications tunnel that connects the security center to each plant's security engine.
The plant operator defines the enterprise security policy in the security center, and it is pushed out to the various plant locations. The virtual security engine implements the policy semi-automatically, with a human in the loop because of the fragility of the industrial environment. The engine also measures how closely the plant's actual state complies with the defined policy and sends the results back to the central office for presentation in a dashboard. This process fits the concept of the hardening circle that security people would like to see: set the security policy, measure current compliance to the policy, report the gaps, address the gaps, repeat.
NextNine offers a variety of services with its platform. One of them is a granular remote access solution that enables a vendor – say, Honeywell – to get into the plant to provide updates and patches to its own devices. The remote access solution would allow a specific engineer at Honeywell to see only Honeywell devices, and only the ones that he is allowed to deal with. He can only perform tasks he is authorized to do, and even those can be overseen by local personnel and aborted if the engineer does something dangerous or not allowed. It's a strong mechanism with audit trails, which various security regulations such as NERC CIP require.
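The access model the column describes has three independent restrictions (vendor, specific assets, specific tasks) plus a local override and an audit trail. The following is an added illustration of that model, not NextNine's code; the devices, engineer and operator names, grants and task names are all constructed for the example.

```python
"""Vendor-scoped remote access with an audit trail (added example).

Models the policy the column describes: a vendor engineer sees only that
vendor's devices, only the ones granted to him, may run only the tasks he is
authorized for, and local plant staff can abort the session. Every allow and
deny decision is logged. All data below is constructed, not real.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Device:
    asset_id: str
    vendor: str        # whose equipment this is
    description: str


@dataclass(frozen=True)
class Grant:
    """What one named engineer may do: one vendor's gear, listed assets, listed tasks."""
    engineer: str
    vendor: str
    asset_ids: FrozenSet[str]
    actions: FrozenSet[str]


@dataclass
class AccessBroker:
    devices: Dict[str, Device]
    grants: List[Grant]
    audit: List[dict] = field(default_factory=list)
    sessions: Dict[str, dict] = field(default_factory=dict)

    def _log(self, **entry) -> None:
        entry["ts"] = datetime.now(timezone.utc).isoformat()
        self.audit.append(entry)

    def visible_devices(self, engineer: str) -> List[str]:
        """Assets the engineer may see at all: the vendor restriction and the
        explicit asset list must both hold."""
        ids = set()
        for g in self.grants:
            if g.engineer != engineer:
                continue
            for aid in g.asset_ids:
                dev = self.devices.get(aid)
                if dev is not None and dev.vendor == g.vendor:
                    ids.add(aid)
        return sorted(ids)

    def request(self, engineer: str, asset_id: str, action: str) -> Optional[str]:
        """Return a session id if the task is permitted, else None.
        Both outcomes are written to the audit trail."""
        dev = self.devices.get(asset_id)
        allowed, reason = False, "unknown asset"
        if dev is not None:
            reason = "no matching grant"
            for g in self.grants:
                if (g.engineer == engineer and g.vendor == dev.vendor
                        and asset_id in g.asset_ids and action in g.actions):
                    allowed, reason = True, "granted"
                    break
        session_id = None
        if allowed:
            session_id = f"s{len(self.sessions) + 1}"
            self.sessions[session_id] = {"engineer": engineer, "asset_id": asset_id,
                                         "action": action, "state": "active"}
        self._log(event="request", engineer=engineer, asset_id=asset_id,
                  action=action, decision="allow" if allowed else "deny",
                  reason=reason, session=session_id)
        return session_id

    def abort(self, session_id: str, operator: str, reason: str) -> bool:
        """Local plant staff may terminate an active vendor session at any time."""
        s = self.sessions.get(session_id)
        if s is None or s["state"] != "active":
            return False
        s["state"] = "aborted"
        self._log(event="abort", session=session_id, operator=operator, reason=reason)
        return True


def demo() -> AccessBroker:
    """Constructed inventory and grants; returns the broker so the audit trail
    can be inspected."""
    devices = {
        "PLC-101": Device("PLC-101", "Honeywell", "boiler controller"),
        "PLC-102": Device("PLC-102", "Honeywell", "feedwater controller"),
        "PLC-201": Device("PLC-201", "Siemens", "conveyor controller"),
    }
    grants = [Grant("alice@vendor.example", "Honeywell",
                    frozenset({"PLC-101"}), frozenset({"read_diag", "apply_patch"}))]
    broker = AccessBroker(devices, grants)
    broker.request("alice@vendor.example", "PLC-101", "apply_patch")     # allowed -> "s1"
    broker.request("alice@vendor.example", "PLC-102", "apply_patch")     # same vendor, not granted
    broker.request("alice@vendor.example", "PLC-201", "read_diag")       # another vendor's device
    broker.request("alice@vendor.example", "PLC-101", "write_setpoint")  # task not authorized
    broker.abort("s1", "bob@plant.example", "operator stopped session")  # local override
    return broker


if __name__ == "__main__":
    for entry in demo().audit:
        print(entry)
```

The point of logging denials as well as grants is that the audit trail then shows attempted out-of-scope actions, which is what a reviewer or a regulation such as NERC CIP will ask for.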
Another NextNine capability is inventory. Maybe this sounds trivial, but many of these industrial companies don't know what assets they have. If they don't, they definitely cannot defend them. It's not as easy as it sounds to do an asset discovery and inventory because in this fragile, proprietary world of industrial systems, if the asset discovery is done too aggressively, it's possible to bring the plant down, which is the worst possible scenario. NextNine says it enables an asset inventory without putting availability at risk.
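One way to inventory assets without sending a single probe to a controller is to derive the inventory from traffic the network already carries (a switch SPAN port or a tap). The example below is added here to illustrate that passive approach; it is not NextNine's implementation. The flow records and the plant address range are constructed; the port-to-protocol table uses the well-known default ports of the listed ICS protocols.

```python
"""Passive asset inventory from observed flow metadata (added example).

Nothing is sent to the plant network; hosts, roles and protocols are inferred
from who talked to whom on which port. Flow records and the OT subnet are
constructed for the example.
"""
import csv
import io
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Well-known default ports of common ICS/SCADA protocols.
ICS_PORTS = {
    (502, "tcp"): "Modbus/TCP",
    (102, "tcp"): "S7comm (ISO-TSAP)",
    (44818, "tcp"): "EtherNet/IP",
    (20000, "tcp"): "DNP3",
    (47808, "udp"): "BACnet/IP",
}

# Assumed plant address range (constructed). An ICS conversation originating
# outside it is worth a second look because the OT side should be isolated.
OT_SUBNET = ipaddress.ip_network("10.20.0.0/16")

# Constructed flow records of the kind a SPAN port or tap collector emits.
SAMPLE_FLOWS = """\
ts,src_ip,dst_ip,proto,dst_port,bytes
2016-03-01T08:00:01Z,10.20.1.10,10.20.5.1,tcp,502,320
2016-03-01T08:00:02Z,10.20.1.10,10.20.5.2,tcp,102,540
2016-03-01T08:00:03Z,10.20.1.11,10.20.5.1,tcp,502,280
2016-03-01T08:00:04Z,10.20.1.10,10.20.9.9,tcp,443,1200
2016-03-01T08:00:05Z,192.168.50.7,10.20.5.2,tcp,102,610
"""


def parse_flows(text: str) -> Iterable[dict]:
    """Yield one dict per CSV row with the port converted to an int."""
    for row in csv.DictReader(io.StringIO(text)):
        row["dst_port"] = int(row["dst_port"])
        yield row


def build_inventory(flows: Iterable[dict]) -> Tuple[Dict[str, dict], List[str]]:
    """Return (inventory keyed by IP, list of findings).

    A host that answers on an ICS port is recorded as an ICS server (PLC, RTU,
    gateway); the host that opened the connection as an ICS client (HMI,
    historian, engineering workstation). Non-ICS traffic is ignored here.
    """
    inv = defaultdict(lambda: {"roles": set(), "protocols": set(), "peers": set()})
    findings: List[str] = []
    for f in flows:
        proto = ICS_PORTS.get((f["dst_port"], f["proto"]))
        if proto is None:
            continue
        srv, cli = f["dst_ip"], f["src_ip"]
        inv[srv]["roles"].add("ics-server")
        inv[srv]["protocols"].add(proto)
        inv[srv]["peers"].add(cli)
        inv[cli]["roles"].add("ics-client")
        inv[cli]["protocols"].add(proto)
        inv[cli]["peers"].add(srv)
        if ipaddress.ip_address(cli) not in OT_SUBNET:
            findings.append(f"{proto} to {srv} from outside the OT range: {cli}")
    return dict(inv), findings


if __name__ == "__main__":
    inventory, notes = build_inventory(parse_flows(SAMPLE_FLOWS))
    for ip, info in sorted(inventory.items()):
        print(ip, sorted(info["roles"]), sorted(info["protocols"]), sorted(info["peers"]))
    for note in notes:
        print("finding:", note)
```

The limitation is the flip side of the safety: a device that never talks during the capture window never appears, so a passive inventory is a lower bound that grows over time rather than a one-shot scan.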
NextNine keeps a whitelist of approved applications and a blacklist of things that aren't permitted to run on these systems. The solution also collects log files to send to a centralized security information and event management (SIEM) system for analysis. NextNine supports a variety of third-party anomaly detection tools and does compliance measurement. Everything is presented in a dashboard to keep management informed of the security status.
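The hardening circle described earlier (set policy, measure compliance, report gaps, fix, repeat) and the whitelist/blacklist checks just mentioned come together in the compliance measurement step. The code below is an added example of that step, not NextNine's product logic: a central policy is compared with each asset's observed state and a per-site gap report is produced for the dashboard. The policy contents, asset names and observed states are constructed sample data.

```python
"""Site compliance measurement against a central policy (added example).

The plant-side engine compares what is observed on each asset with the
policy defined centrally and reports the gaps; fixing them is left to people,
as the column notes is necessary in an industrial environment. All policy
values, assets and observed states are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Policy:
    approved_apps: Set[str]            # whitelist: the only things that may run
    forbidden_apps: Set[str]           # blacklist: never allowed, reported first
    min_patch_level: int               # vendor patch bundle number (constructed)
    required_settings: Dict[str, str]  # configuration keys and required values


@dataclass(frozen=True)
class ObservedAsset:
    asset_id: str
    running_apps: Set[str]
    patch_level: int
    settings: Dict[str, str]


def check_asset(asset: ObservedAsset, policy: Policy) -> List[str]:
    """Return a human-readable list of gaps; empty means compliant."""
    gaps: List[str] = []
    for app in sorted(asset.running_apps & policy.forbidden_apps):
        gaps.append(f"blacklisted application running: {app}")
    # Anything not explicitly approved (and not already reported above).
    for app in sorted(asset.running_apps - policy.approved_apps - policy.forbidden_apps):
        gaps.append(f"application not on whitelist: {app}")
    if asset.patch_level < policy.min_patch_level:
        gaps.append(f"patch level {asset.patch_level} below required {policy.min_patch_level}")
    for key, want in policy.required_settings.items():
        have = asset.settings.get(key)   # a missing key is a gap too
        if have != want:
            gaps.append(f"setting {key}={have!r}, policy requires {want!r}")
    return gaps


def site_report(site: str, assets: List[ObservedAsset], policy: Policy) -> dict:
    """The record sent back to the security center for the dashboard."""
    per_asset = {a.asset_id: check_asset(a, policy) for a in assets}
    compliant = sum(1 for g in per_asset.values() if not g)
    return {
        "site": site,
        "assets": len(assets),
        "compliant": compliant,
        "compliance_pct": round(100 * compliant / len(assets), 1) if assets else 100.0,
        "gaps": {aid: g for aid, g in per_asset.items() if g},
    }


def sample_report() -> dict:
    """Constructed policy and three constructed assets at one plant."""
    policy = Policy(
        approved_apps={"hmi_runtime", "historian_agent", "av_scanner"},
        forbidden_apps={"remote_desktop_tool", "torrent_client"},
        min_patch_level=7,
        required_settings={"usb_storage": "disabled", "default_password_changed": "yes"},
    )
    assets = [
        ObservedAsset("HMI-1", {"hmi_runtime", "av_scanner"}, 8,
                      {"usb_storage": "disabled", "default_password_changed": "yes"}),
        ObservedAsset("EWS-2", {"hmi_runtime", "remote_desktop_tool", "media_player"}, 5,
                      {"usb_storage": "enabled", "default_password_changed": "yes"}),
        ObservedAsset("HIST-3", {"historian_agent"}, 7,
                      {"usb_storage": "disabled"}),
    ]
    return site_report("plant-north", assets, policy)


if __name__ == "__main__":
    import json
    print(json.dumps(sample_report(), indent=2))
```

Running the measurement on a schedule and diffing successive reports turns the circle into a trend line: the number of open gaps per site should fall between maintenance windows, and a gap that reappears after being closed is itself a signal worth investigating.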
The end result is that there is an inventory report, a site compliance report for the security policy, and a dashboard that managers can look at and act upon to improve the hardening of the plant. While this is commonplace in IT environments, it's truly a new experience in many industrial situations that have never done this before.
NextNine says its solution is vendor-agnostic and will work with equipment from a variety of industrial vendors, as well as with active security protection solutions (like anomaly detection and patching) from specialty software vendors.
This platform is said to fully conform to the NERC CIP 5.1 standards, and NextNine says it is even helping define industrial security standards being put forth by the White House and NIST. It's all done with the goal of reducing industrial cyber risks and bringing a more mature security posture to this vulnerable environment.