Heiko Luckhaupt and Paul Forney discuss the elevated threat of malware in industrial environments and what companies can do to secure their assets – especially in light of the connectivity delivered by the Industrial Internet of Things and the resulting increase in data traffic
Viruses and malware have gained some major headlines over the last year, with localised and international ‘infections’ bringing entire organisations to a standstill.
With device-to-device and device-to-enterprise connectivity growing at an almost exponential rate – thanks to concepts like the Industrial Internet of Things (IIoT) – this issue is being compounded by the sheer volume of additional threat vectors and nodes enabled by these newly interconnected devices.
From an industrial/commercial perspective, probably the most high-profile breach was Stuxnet, malware that was developed to interject malicious control, resulting in the destruction of uranium enrichment centrifuges.
Specifically, it targeted certain models of a widely used programmable logic controller (PLC) being used in the Natanz uranium enrichment plant in Iran. Research has shown that the malware propagated across a variety of media – including thumb drives – leapfrogging from platform to platform, lying dormant until it had reached its target.
More recently, in 2015, a cyber attack on Ukraine’s power grid compromised the information systems of three energy distribution companies, ultimately disrupting the electrical supply to 225,000 consumers.
In 2016, a subsequent attack deprived part of Kiev of power for an hour. ESET researchers analysed samples of the malware detected and identified Win32/Industroyer. According to ESET: “Industroyer is a particularly dangerous threat, since it is capable of controlling electricity substation switches and circuit breakers directly.
“To do so, it uses industrial communication protocols used worldwide in power supply infrastructure, transmission control systems, and other critical infrastructure systems (such as water and gas).
“These switches and circuit breakers are digital equivalents of analogue switches; technically they can be engineered to perform various functions.
“Thus, the potential impact may range from simply turning off power distribution, cascading failures and more serious damage to equipment. The severity may also vary from one substation to another, as well.
“Needless to say, disruption of such systems can directly or indirectly affect the functioning of vital services.”
The worrying thing about these attacks is that they could have been prevented if proper, robust procedures had been put in place.
Even if the software elements did not exist to detect them, procedural protocols, such as banning external thumb drives and hard drives, might have.
On the flip side, the good news is that these threats are now forcing discipline on many organisations, which is why we are now seeing much tighter access control and a reduced number of threats even with the vector-count growing.
But not all organisations have taken these necessary security steps yet.
With the advent of the IoT and IIoT, the pathways into and out of company networks have increased almost exponentially.
To illustrate this point, the Shodan website (www.shodanhq.com) offers a search engine to locate a variety of software and hardware solutions that have a direct connection to the Internet.
From the manufacturing perspective, Shodan seems to be very adept at finding internet-facing SCADA (supervisory control and data acquisition) systems.
Worryingly, these SCADA systems could be controlling critical infrastructure or machinery. Exposing them directly to the Internet should never be allowed and is a very dangerous practice.
Stuxnet, Industroyer and Shodan highlight the issues, but what can be done to secure systems and prevent ingress of malicious code and egress of confidential information, especially in industrial organisations?
The first step of any security plan is to conduct a survey that defines what assets (both hardware and software) exist on the target network, their vulnerabilities and the associated risk, and how those risks can be mitigated.
Many leading industrial automation companies have significant experience of this and will offer support programmes and the expertise needed to define effective strategies.
The audit must take into account every facet of the system, from external ingress points, including those from trusted suppliers and contractors, all the way through to corporate LAN interfaces to the control systems.
The next step will be to shut the door by implementing robust and fit-for-purpose hardware and/or software firewalls.
Firewalls are designed to ‘gate keep’ external and internal connections by controlling communications.
There are three primary variants of firewalls and the choice should be based on the requirements of the application, the level of risk that can be tolerated and the potential impact of an infected system.
Firewalls must be set up so as not to hinder ‘trusted’ traffic and can be configured to allow certain secure external connections via VPNs – such as remote maintenance from a machine supplier.
As industrial organisations become more connected, we are seeing a convergence of IT security strategies with operational technology (OT) security controls. In these instances, a so-called demilitarised zone (DMZ) can be created.
A DMZ comprises a separate isolated area for network devices such as HMI, SCADA systems and Historians. Sitting between the IT and OT networks, this arrangement helps to provide a safe and secure means for sharing data between zones.
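To make the IT / DMZ / OT arrangement concrete, here is an added example (not from the article or its authors) that checks flow records against a zone allowlist: IT and OT may only exchange data via the DMZ, and the supplier's remote-maintenance VPN terminates on a DMZ jump host rather than on the PLCs. The address plan, port numbers and sample flow records are constructed assumptions for illustration.

```python
import ipaddress
# Added example, not from the article: address plan, ports and flows are constructed.
ZONES = {
    "IT": ipaddress.ip_network("10.10.0.0/16"),
    "DMZ": ipaddress.ip_network("10.20.0.0/24"),   # HMI, SCADA, Historian
    "OT": ipaddress.ip_network("10.30.0.0/16"),    # PLCs and field devices
    "VPN": ipaddress.ip_network("172.16.0.0/24"),  # supplier remote-maintenance pool
}

# Allowed (source zone, destination zone) -> ports; unlisted pairs are denied.
ALLOWED = {
    ("IT", "DMZ"): {443},        # office users read the Historian over HTTPS
    ("OT", "DMZ"): {502, 1433},  # PLCs feed SCADA/Historian
    ("DMZ", "OT"): {502},        # SCADA in the DMZ polls PLCs
    ("VPN", "DMZ"): {3389},      # supplier maintenance lands on a DMZ jump host
}

def zone_of(addr):
    ip = ipaddress.ip_address(addr)
    return next((n for n, net in ZONES.items() if ip in net), "UNKNOWN")

def evaluate(flow):
    """Return (verdict, reason) for a flow dict with src, dst and dport."""
    src, dst = zone_of(flow["src"]), zone_of(flow["dst"])
    if "UNKNOWN" in (src, dst):
        return "DENY", f"unmapped address in {src}->{dst}"
    if src == dst:
        return "ALLOW", f"intra-zone {src}"
    if {src, dst} == {"IT", "OT"}:
        return "DENY", "IT and OT may only exchange data via the DMZ"
    if flow["dport"] in ALLOWED.get((src, dst), set()):
        return "ALLOW", f"{src}->{dst}:{flow['dport']} on allowlist"
    return "DENY", f"{src}->{dst}:{flow['dport']} not on allowlist"

def audit(flows):
    return [(f, evaluate(f)[1]) for f in flows if evaluate(f)[0] == "DENY"]

# Constructed sample flow records (e.g. parsed from firewall or NetFlow logs).
SAMPLE_FLOWS = [
    {"src": "10.10.4.7", "dst": "10.20.0.10", "dport": 443},    # office -> Historian
    {"src": "10.10.4.7", "dst": "10.30.1.5", "dport": 502},     # office -> PLC directly
    {"src": "172.16.0.9", "dst": "10.20.0.20", "dport": 3389},  # supplier -> jump host
    {"src": "172.16.0.9", "dst": "10.30.1.5", "dport": 502},    # supplier -> PLC directly
    {"src": "10.20.0.15", "dst": "10.30.1.5", "dport": 502},    # SCADA polls PLC
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print("DENY", flow["src"], "->", flow["dst"], flow["dport"], reason)
```

Run over real firewall or flow logs, the two denied records are exactly the direct IT-to-PLC and supplier-to-PLC paths a DMZ design is meant to close.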
Once the foundations are in place, security has to be considered at device level – from PLCs through to office equipment.
Each will have its own parameters and means to access and share data. These assets should be part of the initial risk assessment. IT/OT managers also have to consider the way employees interact with systems and may, inadvertently and not maliciously, plug in an unsecured device. This can be countered with additional training and, in some cases, penetration testing of USB connections on company hardware.
Hackers are often after information as much as they are after money, and new ways of bypassing security systems and infecting computers are being developed all the time.
But with a robust gateway and internal control procedures, many attacks can be stopped in their tracks. If they do get through the first line of defence, vital equipment can still be isolated.
Recent global ransomware attacks provide a chilling reminder that even the biggest companies or organisations are at risk. If you have critical systems or highly sensitive data, cyber security should be a central tenet of any IT/OT infrastructure you deploy.
The damaging implications are far reaching and can have a huge impact on your bottom line, in terms of lost assets, downtime and punitive fines.
Brand, trust and integrity can be commensurately affected and some companies can often take years to claw back hard-earned reputations and goodwill.