This column is available in a weekly newsletter called IT Best Practices.
The U.S. Department of Homeland Security (DHS) received reports of 59 cyber incidents at energy facilities in 2016. This is an increase of nearly a third over 2015. Security specialists believe this number is quite conservative, considering that energy companies aren’t required to report cyberattacks to DHS.
But the actual number of incidents isn’t the really concerning part of the story. More worrisome, say federal cybersecurity officials and private security specialists, is that the vast majority of energy industry companies lack the technology and personnel to continuously monitor their operational systems for anomalous activity, which leaves them unable to detect intrusions when they happen. Consequently, they don’t even know about incidents to be able to report them.
This concern is not unique to the energy industry. In general, cybersecurity capabilities in the industrial world lag far behind those of the information technology (IT) world. However, there is a fairly recent focus on industrial control system (ICS) security, driven largely by the trend of operational technology (OT) and IT starting to merge. This is sometimes referred to as Industry 4.0.
The idea behind Industry 4.0 is that the industrial Internet of Things (IIoT) means there are now sensors everywhere throughout a facility that enable the collection of operational data. With the goal of optimizing operations, companies want to analyze this data, which means handing it over to IT tools for analysis. So now there is an integration between IT systems and large-scale physical processes – generating energy, pumping fluids, heating materials in furnaces, etc. – and the cyber risks are high. The industrial devices, which used to operate in isolation and obscurity, are increasingly part of an organization’s overall attack surface.
Industrial networks are easy targets. They were designed at a time when it was assumed that if someone had access to the device, they were allowed to control the device. In many cases, industrial devices have weak or no authentication. Sometimes companies rely on perimeter firewalls, which, as we have learned on the IT side, don’t protect against many types of threats, including insiders.
There is little visibility into targeted threats in industrial networks. A recent study by Deloitte revealed that 31% of manufacturers have never conducted a vulnerability assessment, and 50% only do so occasionally because, for the most part, assessments are done manually.
CyberX has developed a set of products that address these shortcomings in industrial cybersecurity. One product is an automated vulnerability assessment to see where the cyber risks are in an industrial environment. The other is a system that continuously monitors for anomalies. They are complementary tools that can alert plant operators to existing vulnerabilities and changes in the operational environment that could indicate an intrusion.
Both products work in a non-invasive way by capturing a copy of the network traffic from a SPAN port. This traffic is then analyzed to discover vulnerabilities in the environment, such as unpatched devices or unauthorized connections to the Internet, and to monitor for anomalies.
Most CyberX customers start with the ICS Vulnerability Assessment, which does a complete asset discovery and then generates a detailed audit report with a risk score and prioritized mitigations. The assessment report is actually quite thorough; most customers that run the report have never had this type of visibility into their ICS environment before. The report is written in such a way that it provides value to both OT operators (who tend not to be cybersecurity experts) and IT cybersecurity personnel (who are often trying to adapt their knowledge to the unfamiliar environment of industrial controls).
The report lists all the devices that are found, as well as known vulnerabilities (CVEs) associated with those devices. For example, the report might show a programmable logic controller (PLC) from a specific manufacturer, the ports it has open, and a number of CVEs that could allow an attacker to do things such as execute arbitrary code or mount a man-in-the-middle attack. The assessment also discovers network vulnerabilities; for instance, the firewall rules may state that a particular server should not be permitted to talk to a particular client over a given port, yet the traffic analysis finds exactly that traffic. CyberX has found the following types of vulnerabilities in customers’ environments:
- Direct Internet connections that shouldn’t be allowed
- Unauthorized network devices
- Misconfigured PLCs
- Clear text passwords
- Industrial malware
- Unauthorized wireless access points
- Dynamic Host Configuration Protocol (DHCP) failures
- Unauthorized remote connections
In addition to identifying the vulnerabilities, the report also provides prioritized recommendations on how to mitigate them. It only takes a day or two to run the ICS Vulnerability Assessment, and CyberX says it’s usually a big eye-opener for the plant managers.
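The passive approach described above, reducing mirrored traffic to an asset inventory and checking it against the written firewall policy, is simple enough to sketch. The following is an added illustration written for this column, not CyberX's code: the flow records, the policy table, and the known-asset roles are all constructed, and the host addresses and port numbers are made up (502 is the standard Modbus/TCP port, 44818 the standard EtherNet/IP port). It flags the same three classes the report describes: direct Internet connections, unauthorized devices, and traffic the policy says should not exist.

```python
"""Passive asset discovery and policy checking over constructed flow records.

Added example, not CyberX code. Models how traffic copied from a SPAN port can
be turned into an inventory and checked against a firewall policy without
touching any device. All addresses, ports and roles below are constructed.
"""
import ipaddress
from collections import defaultdict

# Constructed flow records seen on the mirror port: (src_ip, dst_ip, dst_port, protocol).
FLOWS = [
    ("10.1.1.10", "10.1.1.20", 502, "tcp"),    # HMI -> PLC, Modbus/TCP
    ("10.1.1.10", "10.1.1.21", 502, "tcp"),    # HMI -> second PLC
    ("10.1.1.30", "10.1.1.20", 502, "tcp"),    # engineering workstation -> PLC
    ("10.1.1.20", "10.1.1.30", 44818, "tcp"),  # PLC -> workstation on EtherNet/IP port, not in policy
    ("10.1.1.21", "8.8.8.8", 53, "udp"),       # PLC resolving names on the Internet
    ("10.1.1.40", "10.1.1.20", 502, "tcp"),    # unknown host talking Modbus to the PLC
]

# Constructed policy: (src, dst, dst_port) tuples the firewall rules permit.
# Anything not listed is a violation.
POLICY = {
    ("10.1.1.10", "10.1.1.20", 502),
    ("10.1.1.10", "10.1.1.21", 502),
    ("10.1.1.30", "10.1.1.20", 502),
}

# Constructed asset roles from a prior inventory; hosts not listed are unknown.
KNOWN_ASSETS = {
    "10.1.1.10": "HMI",
    "10.1.1.20": "PLC",
    "10.1.1.21": "PLC",
    "10.1.1.30": "engineering workstation",
}


def discover_assets(flows):
    """Return {ip: sorted list of ports that ip was seen serving}."""
    inventory = defaultdict(set)
    for src, dst, port, _proto in flows:
        inventory[src]            # make sure pure clients appear in the inventory too
        inventory[dst].add(port)  # the destination answered on this port
    return {ip: sorted(ports) for ip, ports in inventory.items()}


def find_violations(flows, policy, known):
    """Classify each flow against the policy and the known-asset list."""
    findings = []
    for src, dst, port, _proto in flows:
        # A non-private destination means a device is reaching the Internet directly.
        if ipaddress.ip_address(dst).is_global:
            findings.append(("direct-internet-connection", src, dst, port))
            continue
        if src not in known:
            findings.append(("unauthorized-device", src, dst, port))
        if (src, dst, port) not in policy:
            findings.append(("policy-violation", src, dst, port))
    return findings


if __name__ == "__main__":
    for ip, ports in discover_assets(FLOWS).items():
        print(f"{ip:12} role={KNOWN_ASSETS.get(ip, 'unknown'):24} serves={ports}")
    for finding in find_violations(FLOWS, POLICY, KNOWN_ASSETS):
        print("FINDING:", *finding)
```

The unknown host at 10.1.1.40 produces two findings on purpose: it is an unauthorized device and its Modbus session is also a policy violation, which is how a report can rank it above a single misconfigured rule.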
The XSense Platform provides continuous monitoring for anomalies, again based on the information collected from the SPAN port and run through analytics engines. CyberX has developed unique machine learning algorithms it calls finite state modeling, based on the principle that an OT environment is highly deterministic: the communication is all machine to machine, so the set of network communications that count as normal is finite. Anything outside that set is considered an anomaly. CyberX can identify both cyber anomalies, such as malware on the network, and operational anomalies, such as a piece of equipment that is showing signs of imminent failure.
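The deterministic-traffic principle can be shown with a small learner. This is an added example written for this column and is not CyberX's finite state modeling algorithm: it records, during a learning window, every (source, destination, function code) tuple and every function-code-to-function-code transition per conversation, then flags anything outside that finite set. The events are constructed; only the Modbus function codes 3 (read holding registers) and 16 (write multiple registers) are standard values, and the hosts are made up.

```python
"""Baseline learning and anomaly detection over constructed OT events.

Added example, not CyberX's algorithm. Learns the finite set of observed
conversations and per-conversation function-code transitions, then reports
anything outside it. Hosts and traffic below are constructed.
"""
from collections import defaultdict

# Constructed polling cycle: (src, dst, modbus_function_code), repeated to mimic
# the steady machine-to-machine rhythm of a plant network.
LEARNING = [
    ("10.1.1.10", "10.1.1.20", 3),   # HMI reads registers
    ("10.1.1.10", "10.1.1.20", 3),
    ("10.1.1.10", "10.1.1.20", 16),  # HMI writes a setpoint
    ("10.1.1.10", "10.1.1.20", 3),
    ("10.1.1.30", "10.1.1.20", 3),   # workstation only ever reads
] * 3

# Constructed detection window containing three departures from the baseline.
DETECTION = [
    ("10.1.1.10", "10.1.1.20", 3),
    ("10.1.1.10", "10.1.1.20", 16),
    ("10.1.1.10", "10.1.1.20", 16),  # write immediately after write: never seen in learning
    ("10.1.1.30", "10.1.1.20", 16),  # workstation never wrote to this PLC
    ("10.1.1.99", "10.1.1.20", 3),   # source never seen at all
]


class FiniteStateBaseline:
    """Finite set of allowed conversations plus allowed transitions per conversation."""

    def __init__(self):
        self.pairs = set()                   # allowed (src, dst, function_code)
        self.transitions = defaultdict(set)  # (src, dst) -> allowed (prev_fc, next_fc)
        self._last = {}                      # (src, dst) -> last function code seen

    def learn(self, events):
        for src, dst, fc in events:
            key = (src, dst)
            self.pairs.add((src, dst, fc))
            prev = self._last.get(key)
            if prev is not None:
                self.transitions[key].add((prev, fc))
            self._last[key] = fc
        self._last = {}  # forget position in the cycle before detection starts

    def detect(self, events):
        """Return alerts for tuples or transitions not present in the baseline."""
        alerts = []
        for src, dst, fc in events:
            key = (src, dst)
            if (src, dst, fc) not in self.pairs:
                alerts.append(("unknown-communication", src, dst, fc))
            else:
                prev = self._last.get(key)
                if prev is not None and (prev, fc) not in self.transitions[key]:
                    alerts.append(("unexpected-sequence", src, dst, prev, fc))
            self._last[key] = fc
        return alerts


def run_example():
    baseline = FiniteStateBaseline()
    baseline.learn(LEARNING)
    return baseline.detect(DETECTION)


if __name__ == "__main__":
    for alert in run_example():
        print("ALERT:", *alert)
```

The back-to-back write is the interesting case: both messages are individually normal for that HMI-to-PLC conversation, and only the transition model catches that the sequence has never occurred before. A real deployment would also need a way to re-learn after an authorized change, since a new engineering workstation looks exactly like the 10.1.1.99 alert here.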
CyberX has a threat intelligence team that actively monitors campaigns around the world and looks for new types of industrial malware. This team discovered new things about BlackEnergy, the malware used in the Ukrainian power grid attacks in 2015 and 2016, and found that KillDisk evolved from a simple piece of software used to destroy disks in the Ukrainian grid attack into a piece of ransomware. The team also uncovered a massive cyber espionage operation in Ukraine that uses Dropbox for data exfiltration and also monitors audio conversations through the PC microphone. This research is used to enrich the XSense Platform analytics.
Although CyberX offers a cloud-based deployment option, most customers choose to deploy the solution on-site. The CyberX products have a scalable global architecture designed to support industrial facilities with multiple locations. All the information can be rolled up into a centralized view, and information can be delivered to a Security Information and Event Management (SIEM) tool or other existing solution for monitoring the cybersecurity posture across the enterprise.
Worldwide, there is a growing concern about cyber threats to industrial systems. It’s time that all plant managers implement a solution to assess their vulnerabilities and monitor for cyber risks.