Viewpoint: use cyber sense to safeguard industrial control networks

It is difficult to think of a phrase that brings more of a feeling of dread to an organisation than ‘advanced cyber attack’.

However, these have only become more advanced in terms of the parties that have been conducting the attacks and the targets that they are seeking to exploit or damage.

Take the case of the Ukraine Power Station in 2016, when 230,000 people were left in the dark for six hours. Officially, this was the first reported cyber attack against a nation’s power infrastructure, with the attack vector being the supervisory control and data acquisition (SCADA) system.

The following procedures can be employed to counter such incidents:

• Use data available to you. Spikes in network traffic would have been seen from the updates made to device firmware in the Ukrainian case. This would have provided an early warning indicator – the success of the attack pivoted around this oversight.
• Consider the access that your engineers have to the system. Are all the entry points needed and have they been secured with the correct level of protection?
• Use up-to-date anti-virus definitions to catch known malware
• Learn about your usual alarm events, monitor abnormal events within the process and control system
• Attackers are persistent, conducting a large amount of reconnaissance over a period of months. Take an evolutionary approach to your network security.

Changing stakes

The typical industrial control network may appear to have the greatest of all protection – air gapping. This physical network separation is now the status quo across industry, and rightly so.

However, as the defence has changed now, so has the attack vector. Malware that is created to destroy a SCADA system will lay dormant, moving from phone to USB stick to laptop, using its host as a means of transport, until it finally meets its end destination – a company’s process and control equipment.

Spikes in network traffic would have been seen from the updates made to device firmware in the Ukrainian case. This would have provided an early warning indicator – the success of the attack pivoted around this oversight

The dormant malware that evaded your corporate firewalls and personal device protection is now on an air gapped system – a system that may have an out-of-date firewall because it was deemed secure.

The key finding across all attack vectors in all industries is that people are the problem: password capture, insecure connections, phishing emails and the USB stick in the car park.

These attacks play on one human instinct – curiosity. Do not rely on the fact that your staff have been trained.

Persistent security

The methodology of persistent security is to assume the worst. It requires building an eco-system in which you have full visibility of your weaknesses.

You must first contain your network, ensuring that access to critical systems is planned, logged and audited. Access granted must also be controlled.

End device protection technology protection must be implemented to protect against internal tampering or accidental exposure to malware. Devices that may have already been exposed can also be detected using the latest definitions, without having to ever expose them to the internet.

Monitoring is fundamental to understand your weaknesses and can expose existing breaches that may have occurred in previous months. Patching these insecure access points and understanding your vulnerabilities may deter opportunists.

The top ten discoveries made within weeks of using the ‘persistent security’ technique are:

• Clear text/weak passwords
• Illegal remote connections to OT
• Unexpected/unknown network devices
• Misconfigured PLCs
• Operational malfunctions
• Generic and targeted malware
• Manufacturer vulnerabilities
• Multiple wireless access points
• Direct internet connections
• Exploitable attack vectors.

• Tim Ricketts is director of MAC Solutions