8 October 2009

Plan, plan, plan to avoid security breach

By Ellen Fussell Policastro

If there is anything Marty Edwards wanted attendees to walk away with at Wednesday’s keynote session, it was this: Planning means everything in the security world.

As program manager of the DHS Control Systems Security Program (CSSP) at Idaho National Laboratory, Edwards painted a pretty scary picture of the cyber security threat to industrial control systems, but it is not a threat automation professionals cannot overcome.

Some of the key strategies for avoiding a catastrophe are building security into systems, planning for patch management, and disabling the passwords of displaced workers before they walk out the door.

Olden days of secure isolation

“In the old days, we had a valve and pump in field and could send operators out to operate it. But with processes we run now, if you don’t have DCS running with permissives and everything running right, you can’t get the plant started,” Edwards said.

With isolation on traditional systems, they used a method of “gates, guns, and guards,” he said. “If you could get into the control room where the engineering workstation was, that’s where you could take control of that system.”

Back then, proprietary highways had no connections to business networks. “Over the past 20 years, we’ve added those capabilities, but for good reason,” he said. “There are clear business drivers; managers need real-time data on their desktop to make decisions on how the company is operating. And we can even push data down into control systems so the system itself could make decisions.”

Without buy/sell data in the control system, buyers could not make a decision about whether to generate power onsite or buy from the grid, he said. Now they have evolved, but with little planning. “You see now this equipment coming on market to facilitate this connection—cards that go in a PLC pack that are wireless, transmitters hanging off tanks, either with proprietary or open standard mesh networks.”

Build security in design

“If I can communicate anything to you, it’s that we need to look at cyber security as design criteria when we’re setting up our systems,” he said. Edwards remembers when users drove vendors toward commercial-off-the-shelf solutions. As a former user himself, Edwards was there “when we said we didn’t want to pay half a million dollars for an HMI.” What users did not realize was that this broadened the attack surface. “We connected to the rest of the IT infrastructure worldwide. Attackers might not be targeting your plant, but your technology. Since we deployed that technology, we were very vulnerable.”

With today’s modern connectivity, “we no longer have gates, guns, and guards,” he said. “We have multiple connections to higher level networks within business. In some cases when we go onsite, we see good perimeters of firewall technology, but we also go to sites where we see a completely flat network, where all the PLCs are on the same network as the business network. So the administrative assistant sitting in the mill manager’s office is sitting on the same network as the PLC running the packing line.”

You’re still connected

“One thing I commonly hear is, ‘My system is isolated,’ ” Edwards said. “That may be true; you may not have a switch that connects you to your corporate intranet. But in most cases, there are other connections into your control system.”

Edwards pointed to one example of a virus being hand-carried to a system on board the International Space Station. “If you have USB keys (that’s what I packed my presentation on this morning), and you haven’t taken proper procedures for preventing operators from plugging them into HMIs,” you could infect the system. “Say an operator wants to show you pictures of his kids camping; he plugs his USB into the HMI, the pictures pop up, and there’s malicious software on his USB stick. It gets on the HMI, and it can quickly proliferate. We’ve seen that before,” he said.

You might not think you are connected, but at 3 a.m., the operators know how to get connectivity on the HMI. “If you don’t have systems in place, proper intrusion detection sets, they will bypass those systems and figure a way to plug it in. Operators have a lot to do at 3 a.m. when the plant is running smoothly. You should always question that statement that says, ‘I’m not connected.’ ”

Lab assessment shows vulnerabilities

Edwards’ team took lab assessments performed as part of the DHS security program and broke them down into common vulnerabilities: poor code quality, vulnerable web services, and poor network protocol implementations are a few.

Here are some others:

Patch management: “I can’t go into this enough. If you can come up with a methodology in partnership with your vendor that says, ‘When a new version comes out, this is our plan to get it patched,’ you’re off to a good start,” he said. “We see lots of systems that get deployed and not touched until the next revision comes out—on an every-two-years cycle—when they come out with the next major release of software.”

Authentication and user privileges: There is a lot of code running with elevated or root-level privileges. “We have to get better at user privilege concepts,” he said.

One example that Edwards said is probably over-cited is the case of a disgruntled former employee of a wastewater plant who intentionally released more than 750,000 gallons of sewage into parks, rivers, and hotel grounds. The attacker was a former employee of the plant who still had authorized privileges, which were not removed when he was terminated; he got into the system more than 42 times. Here is the lesson: “If you have subcontract employees, the engineers have high privilege access to these systems. When their contract is done, turn that off. I can go back to some of the systems I sat in front of in the early 1990s and still log in with the same password I had.”
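The offboarding lesson above (turn access off when the contract ends, and do not leave decade-old credentials alive) can be turned into a routine reconciliation check. The following is an added example written for this article, not code from the keynote or from DHS; the account export, the HR roster, the field names and the 90-day stale-login threshold are all constructed assumptions. It lists every enabled account on a control-system host that no longer matches an authorized person, so those accounts can be disabled before the person walks out the door.

```python
"""
Offboarding reconciliation check (added example, not from the article).

Assumes two constructed inputs: an account list exported from an HMI or
engineering workstation, and the HR/contract roster of people currently
authorized for that system.  Every enabled account whose owner is missing
from the roster, whose contract end date has passed, or that has not been
used within `stale_days` is reported so it can be disabled.
"""
from datetime import date

# Constructed sample data: accounts as they might be exported from an HMI.
SYSTEM_ACCOUNTS = [
    {"user": "jdoe",    "enabled": True,  "role": "operator", "last_login": date(2009, 10, 7)},
    {"user": "rsmith",  "enabled": True,  "role": "engineer", "last_login": date(2009, 9, 30)},
    {"user": "vendor1", "enabled": True,  "role": "engineer", "last_login": date(2009, 6, 1)},
    {"user": "oldguy",  "enabled": True,  "role": "engineer", "last_login": date(1994, 3, 12)},
    {"user": "tmp",     "enabled": False, "role": "operator", "last_login": None},
]

# Constructed HR/contract roster: who is authorized today and until when.
# "oldguy" was terminated and therefore does not appear at all.
ROSTER = {
    "jdoe":    {"status": "employee",   "contract_end": None},
    "rsmith":  {"status": "employee",   "contract_end": None},
    "vendor1": {"status": "contractor", "contract_end": date(2009, 8, 31)},
}

# Date of the check (constructed: the day of the keynote).
TODAY = date(2009, 10, 8)


def accounts_to_disable(accounts, roster, today, stale_days=90):
    """Return (user, reason) pairs for enabled accounts that should be disabled.

    Checks run in order of severity: an account with no roster entry is
    reported first, then an expired contract, then a stale login.  Only
    the first failing check is reported per account.
    """
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled; nothing to do
        entry = roster.get(acct["user"])
        if entry is None:
            findings.append((acct["user"], "not on roster"))
            continue
        end = entry["contract_end"]
        if end is not None and end < today:
            findings.append((acct["user"], f"contract ended {end.isoformat()}"))
            continue
        last = acct["last_login"]
        if last is not None and (today - last).days > stale_days:
            findings.append((acct["user"], f"no login in {stale_days} days"))
    return findings


def run_check():
    """Run the reconciliation over the constructed sample data."""
    return accounts_to_disable(SYSTEM_ACCOUNTS, ROSTER, TODAY)


if __name__ == "__main__":
    for user, reason in run_check():
        print(f"DISABLE {user}: {reason}")
```

In practice the roster would come from HR or the contractor management system and the account list from each HMI, historian and engineering workstation; the point is that the comparison is scheduled and repeatable rather than left to memory at termination time.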

Information disclosure: As a user in the past, Edwards said he would have thought nothing of “throwing up my network diagram at a presentation, because I was proud I got one vendor system to collate with another. I wanted to share that experience with other users.” But you do not want to leave that lying around, he said. “If the cyber guys get a hold of that, it’s like keys to the candy store. It may be an engineering server that just happens to have all the diagrams and P&IDs so they can extract everything they need to target the control system.”
