In today’s Breaking News, a malware named Triton recently brought down a Saudi Petrochemical Plant. Sounds like another shock & awe headline from this fall’s torrent of political ads? You might be surprised to learn it’s not fake news but a real-life industrial cyber-security threat that warrants a little more investigation.
It’s all about Russia
Except this time it’s not about the Mueller probe into our electoral process, but rather the infiltration of U.S. control systems by the Russians. Indeed, the US Computer Emergency Readiness Team (CERT) confirmed (TA 18-074A) that a Russian government research institution located in Moscow is responsible for the malware that shut down a large Saudi Arabian petrochemical plant in 2017, removing any doubt that hostile nation states are targeting industrial control systems worldwide.
The attack was deployed on a safety instrumentation system called Triconex from Schneider Electric, the majority stakeholder of AVEVA software, which now manages a $1B portfolio of Industrial control software brands including Wonderware, Telvent, Citect, Indusoft, and SimSci.
The caravan is coming
For a long time, it seemed the only poster child for industrial cyber-security threats was the well-publicized 2010 Stuxnet attack on a Siemens control platform at an Iranian uranium refining facility. Despite warnings of impending disaster, the anticipated “doomsday” attack on an industrial target hasn’t occurred, leading many companies to take a wait-and-see approach.
But that may be changing. Attacks with names like WannaCry, Havex, Industroyer, DoublePulsar and EternalBlue, names that put the Weather Channel’s winter storm names to shame, are arriving with increasing frequency, which may signal it is finally time to act to secure your plant’s IT border.
Industrial & manufacturing companies are confirming suspicious activity is up. Cisco’s Cyber Security Report 2018 confirms 31% of security professionals said their organizations have “already experienced cyber-attacks on OT infrastructure”.
Of concern for our industry, CERT warns the Russian government is actively targeting “US government entities as well as organizations in the energy, nuclear, commercial facilities, water, aviation and critical manufacturing sectors”, which the US government historically defines as primary metal, machinery, electrical and transportation equipment.
Keeping the RATs out
Schneider Electric responded to the Triton attack with unprecedented transparency, acknowledging the threat and deploying troops to neutralize, capture and reverse engineer it. At an S4 cyber-security event, their team presented “Schneider Electric Analysis and Disclosure” to share the results of their extensive forensic effort. The team explained how the attackers deployed a RAT (Remote Access Trojan) by exploiting a common practice: allowing engineers and SIs (system integrators) remote access to operational networks via Remote Desktop Protocol (RDP). In this case, the attackers targeted an engineering development workstation, which amplified the threat by allowing multiple avenues of attack on the installed system.
Building the Wall
There is no doubt that Digital Transformation initiatives are growing as companies see solid returns from IIoT projects that deploy networked sensors to deliver actionable information to more employees. We’ve seen some knee-jerk reactions to tighten access to networked applications because of the recent attack. But in general, there is no doubt that the IIoT wave of change is here to stay. So, what practical actions can be learned from the attack and applied to better protect your assets?
- Develop a cyber-risk mitigation plan that resembles the approach already taken for safety or hazardous area control protocols. This often includes an assessment which documents the complete architecture of networked industrial assets along with their potential risks and mitigation recommendations. Traditional industrial control system integrators are evolving to offer this capability and InSource can suggest partners with these capabilities.
- Employee cyber-security training and certifications. CERT noted that technology was not the lone culprit as the attack also used social engineering attacks on employees in the form of watering holes, phishing emails and even published photos of SCADA screens for reconnaissance on the industrial control system under attack.
- Select vendors with cyber-security service guarantees and build policies to manage patches. Top tier industrial platform companies like AVEVA, Rockwell & GE are investing in cyber-security best practices from code development to white-hat testing and post-sales support. Some, like AVEVA, post a public security statement and an update site that publishes threats in real time, including analysis and patches, as part of their software maintenance agreements. This is an ongoing process, and manufacturers should commit budget and resources to stay aware of threats and to download and install patches.
- Improve supervision of remote access. Providing employees access to critical systems and information improves productivity, but companies need to develop a managed approach that addresses the risks posed by greater access. New unlimited-client SCADA models and more outsourced external development may also create unsanctioned backdoors that will need to be closed with tighter security practices, stronger passwords and two-step authentication to thwart misuse.
- Adopt cyber-security industry standards. Daniel DesRuisseaux, Director of Cybersecurity Programs at Schneider Electric explains that the industry has responded to heightened threat levels by creating standards that “assist end users and equipment vendors through the process of securing industrial control systems”. He’s published a white paper on IEC 62443, Implement Security Levels in Industrial Control Applications for people with limited experience, providing implementation guidance and examples.
- Evaluate emerging Industry 4.0 cyber-security platform companies. IIOT World’s recent cybersecurity start-up list includes companies like Claroty, Nozomi, Bayshore and Sentryo, all of which offer unique solutions for continuous threat detection and remote access security by applying artificial intelligence to passively monitor and analyze baseline operations and detect anomalous activities.
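The Triton analysis above turns on one detail: a RAT reached the plant through an RDP session to an engineering workstation. The “improve supervision of remote access” recommendation is, in practice, a question of whether you would notice such a session. As an added example (not code from the original post, from Schneider Electric or from InSource), the Python below applies that recommendation to constructed Windows Security log lines: it flags RDP logons (event 4624 with logon type 10, the RemoteInteractive type Windows records for RDP) to engineering workstations that did not originate from the approved jump host, and separately flags repeated failed RDP logons, the pattern weak passwords invite. The host names, addresses, the key=value log export format and the thresholds are all assumptions chosen for the example.

```python
"""Supervise RDP access to engineering workstations (constructed example).

Windows Security event 4624 = successful logon, 4625 = failed logon.
LogonType 10 = RemoteInteractive, i.e. an RDP session; 3 = network, 7 = unlock.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Hypothetical plant inventory: which hosts count as engineering workstations.
ENGINEERING_WORKSTATIONS = {"ENG-WS01", "ENG-WS02"}
# Hypothetical policy: the only sanctioned source of remote engineering sessions
# is a single hardened jump host behind two-step authentication.
APPROVED_RDP_SOURCES = {"10.10.5.20"}
RDP_LOGON_TYPE = "10"
FAILED_LOGON_THRESHOLD = 3  # failed RDP logons from one source before alerting

# Constructed sample events in a simplified key=value export (not real logs).
SAMPLE_EVENTS = [
    "EventID=4624 Computer=ENG-WS01 LogonType=10 User=jsmith SourceIP=10.10.5.20",
    "EventID=4624 Computer=ENG-WS01 LogonType=10 User=vendor_svc SourceIP=203.0.113.44",
    "EventID=4624 Computer=HMI-01 LogonType=10 User=oper1 SourceIP=10.10.7.9",
    "EventID=4624 Computer=ENG-WS02 LogonType=3 User=backup SourceIP=10.10.5.31",
    "EventID=4625 Computer=ENG-WS02 LogonType=10 User=admin SourceIP=198.51.100.7",
    "EventID=4625 Computer=ENG-WS02 LogonType=10 User=administrator SourceIP=198.51.100.7",
    "EventID=4625 Computer=ENG-WS02 LogonType=10 User=engineer SourceIP=198.51.100.7",
    "EventID=4624 Computer=ENG-WS02 LogonType=10 User=ctrl_eng SourceIP=10.10.9.77",
]

_KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one 'key=value key=value' line into a dict of strings."""
    return dict(_KV.findall(line))


@dataclass(frozen=True)
class Alert:
    kind: str
    computer: str
    source_ip: str
    user: str


def unsanctioned_rdp_logons(lines):
    """Successful RDP logons to engineering workstations from non-approved sources."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4624" or ev.get("LogonType") != RDP_LOGON_TYPE:
            continue  # not a successful RDP session
        if ev.get("Computer") not in ENGINEERING_WORKSTATIONS:
            continue  # RDP to other hosts is out of scope for this rule
        if ev.get("SourceIP") not in APPROVED_RDP_SOURCES:
            alerts.append(Alert("unsanctioned_rdp", ev["Computer"],
                                ev["SourceIP"], ev.get("User", "?")))
    return alerts


def rdp_password_guessing(lines, threshold=FAILED_LOGON_THRESHOLD):
    """Sources with repeated failed RDP logons against one host (guessing pattern)."""
    failures = Counter()
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") == "4625" and ev.get("LogonType") == RDP_LOGON_TYPE:
            failures[(ev.get("Computer", "?"), ev.get("SourceIP", "?"))] += 1
    return [Alert("rdp_password_guessing", computer, source, "*")
            for (computer, source), count in failures.items() if count >= threshold]


def run_checks(lines):
    """All alerts for a batch of log lines, in detection order."""
    return unsanctioned_rdp_logons(lines) + rdp_password_guessing(lines)


if __name__ == "__main__":
    for alert in run_checks(SAMPLE_EVENTS):
        print(f"{alert.kind}: {alert.computer} <- {alert.source_ip} ({alert.user})")
```

On the sample data the first rule fires twice: once for the vendor session from an Internet address and once for an internal session that bypassed the jump host, which is exactly the kind of “unsanctioned backdoor” the list item above describes. The second rule fires for the three failed attempts from one source. Tightening `APPROVED_RDP_SOURCES` to the jump host is what makes the first rule meaningful; without a single sanctioned path, every RDP session looks equally legitimate.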
As manufacturing companies embrace the many benefits of Industry 4.0, improvements in cyber-security technology, processes and training will be required to establish a border that provides benefits to employees and partners while preventing access by bad actors. Our current geo-political and economic environment could make this more vexing if nations continue to use their scientific communities not to fix the problem but to exploit it. Allocating time and resources to identify threats, educate people and develop proactive security processes are the minimum steps manufacturing companies should take to manage the risk.