Industrial cyber physical security enhancement
The industrial cyber security market is facing rapid changes as more threats are discovered, more impact is felt by end-users and cyber security vendors vie for leadership.
The paper highlights both alerts and advice for end-users of automation and control systems (ICS/OT) and selected advisory notes for practitioners of industrial cyber physical security. Strategic methodologies and programmes of activities for mitigation of impacts on IIOT, IOT and how holistic integrated security can provide comprehensive situational awareness are provided. Multiple types of security are addressed, together with some mythical attack and defence scenarios. The history of industrial cyber-attacks is mentioned briefly, to counterpoint the prevalent myths of defence, and finally some alerts to the cyber arms race. End-users face increased pressure to improve their security stance, and the paper discusses some successful methods for implementing these improvements including a “stairway”, a “jigsaw” and an “A-Team”.
The cyber physical bad guys are now attacking IOT and IIOT. They are constantly getting better at attacking and so the good guys must also constantly get better at defending. There is much evidence that most good guys have not even properly started to improve their security stance yet, so this is also a serious ‘call-to-action’ paper.
Our modern society is built on automation, control systems and their management. The “things”, mentioned often in the internet of things (IOT) and the industrial internet of things (IIOT), are becoming smarter and more ubiquitous. If you think about all the automation-controlled “things” that have contributed to your day and try to list them, you may be surprised, and perhaps a little worried, to know that they are also being invisibly attacked.
Food manufacturing, transport (planes, trains, automobiles, etc.), clothing, water treatment, waste processing and management, pharmaceutical manufacturing and testing, logistics, medical device manufacturing, energy (generation, transmission, distribution), power, defence, hospitals, cashpoints, and beverage dispensers are just some of the examples of this melange of “things” in our personal lives. Critical national infrastructures are under immense pressure from government, regulators, and themselves to enhance their defences, improve cyber monitoring and to re-work the gargantuan quantities of legacy systems. This is not an easy task with industrial IT, due to a range of largely legacy problems. The aging and legacy industrial systems were not designed to be monitored, interrupted and scanned by active defence solutions. These security problems are procedural, legislative and technical, so all end-users are now having to review remediation against enormous business and operational risks.
The rise in attacks on these ‘things’ has started to concern people. National infrastructures are investing in improvement plans, many markets are ahead of the game, but so much more is to be done. Meanwhile the bad guys get better at attacking.
Historically the first cyber attack was in 1988: “The Morris worm - one of the first recognised worms to affect the world's nascent cyber infrastructure - spread around computers largely in the US. The worm used weaknesses in the UNIX system and replicated itself regularly. It slowed down computers to the point of being unusable. The worm was the work of Robert Tappan Morris, who said he was just trying to gauge how big the Internet was. He subsequently became the first person to be convicted under the US' computer fraud and abuse act. He now works as a professor at MIT.”
The first cyber hacker publicly convicted: “Criminal penalty: 1988: one year prison; 1999: 46 months prison plus 3 years' probation. Kevin David Mitnick (born August 6, 1963) is an American computer security consultant, author and hacker, best known for his high-profile 1995 arrest and later five years in prison for various computer and communications-related crimes. He now runs the security firm Mitnick Security Consulting, LLC.”
We now know of many new cyber perpetrators/threats and there is a veritable ‘cyber zoo’ of attackers: yetis, bears, dragons, dragonfly, worms, penguins, etc.… A whole new cyber genus perhaps yet to come?
There are also many new words and references in our evolving Cyber weapons vocabulary: Cyber Zombies, Watering holes, Slammer, Nachi, Mahdi, Shamoon, Red October, Conficker, Duqu, Flame, Havex, APTs, Blasters, Dumpsters, Drive-bys, Honeypots, Pastebin, Phishing, BotNets, Trojans, Heartbleed, Modbus and CANbus, etc. all being aired or created on social media and on news sources around the world.
Figure 2: Industrial cyber words (used wordle.org)
SANS, in its “An Abbreviated History of Automation and ICS Cybersecurity”, has researched and listed quite a catalogue of industrial attacks over the years, starting with: 1982 Uncorroborated report of a Trojan program inserted into SCADA system software that caused a massive natural gas explosion along the Trans-Siberian pipeline in 1982. ‘Farewell Dossier’
Also listed are attacks on sewage works, gas operational systems, rail signalling and despatch, bulk electric controls, auto manufacturing, water plants, air traffic control breach, power gen, tram switching, utilities extortions, offshore oil platform leak detection, smart meters, petrochemical OPC SCADA servers. There are estimated to be many more attacks not publicly reported or known.
The fabled first big industrial cyber attack was Stuxnet in 2010 (with variations dating from 2005). Since then there has been a wide range of new attack vectors: ransomware, exfiltration, darknet resellers, custom hack sites, etc. These have now led to a proliferation of stringent data-law sanctions, because industry's speed of response is slow compared to the attackers' rate of advancement.
The huge rise in attacks, and a shift in their quantity and quality over the years, is shown on many graphs, such as the data provided by the Hackmageddon website.
The hacks on industrial systems, like those on commercial systems, are becoming simpler, more widespread, and more reliant on social engineering compromises. Some attacks, such as botnet (‘zombie’) distributed denial-of-service (DDoS) attacks, are largely automated. A recent, much publicised attack on the Ukrainian grid involved multiple coordinated attack vectors. This resulted in widespread impact and greatly hampered any recovery or mitigation efforts by the defenders.
“We are all going to die!” was the repeated phrase at a recent cyber security conference keynote address by Eugene Kaspersky of Kaspersky Labs. He said it tongue-in-cheek: most of the presentations at cyber conferences are focussed on doom and gloom, so he offered positives.
Cyber attacks on industrial control systems are increasing both in complexity and in frequency. All the statistics from the industry back this up. The attackers don’t need high complexity or advanced skill sets to attack most industrial control systems. “It’s almost child’s play”, he said.
Attackers used to be a wide range of groups, from script-kiddies to nation-states, but now the primary volume of successful attacks is from organised crime. Crime gangs have widened their business models to include hacking-as-a-service (HAAS), where you can define your attack, target and strategy online with an attacking service and pay for the attack, delivery, telephone support and a service level agreement (SLA), all online, using PayPal or similar simple payments.
Many conferences now are haranguing the audience as being ‘incompetent’, again tongue-in-cheek, but aiming at both the vendors and integrators who do not implement security-by-design in their products and systems together with the security industry which has not yet eradicated cyber-attacks by leap-frogging the bad guys with new innovative defences and solutions.
The industry must now stop talking about Stuxnet and start talking about Innovation and new ways of thinking. Keynote speakers are talking about the soft skills of the cyber war. Cyber-attacks are made by humans, often exploiting human weaknesses as key building blocks of their attacks. The cyber defence industry must recognise this more and build security improvement programs which include humans as the core to the solution.
The typical myths which bolster the prevalent inertia in organisations implementing security for their industrial OT and ICS systems are well known and have been debunked a thousand times. Some statements about these myths ring true, including these from Kaspersky Labs about ICS industrial plants.
- Myth: We are disconnected.
- Fact: Most systems have at least 10+ information connections to the World.
- Myth: Firewall protected.
- Fact: Most firewalls are set to allow ‘any’ inbound and are poorly understood by each department.
- Myth: Hackers don’t understand SCADA/OT/ICS.
- Fact: Increase of hackers specifically attacking ICS/OT/SCADA due to kudos of accomplishment.
- Myth: We are an unlikely target.
- Fact: Can be collateral due to proliferation of attacks and own supply chain. E.g. Stuxnet variants.
- Myth: Safety backup system will protect us.
- Fact: Safety systems just as likely to be hit as control systems. Often similar systems are deployed.
Industrial control systems owners cling to the myths because the current ICS OT systems work well and they do not see lots of local news about their neighbours and competitors suffering the negative consequences of cyber-attacks. The cost of a security enhancement programme is often seen as prohibitive by the board and senior management. What is not so well recognised are the business and operational improvements a security programme will bring about, including reduced insurance premiums, reduction in the cash safety float, improved operations and increased resilience. These business improvements are often enhanced by better staff morale and a much clearer understanding of operational technology and the current risk landscape.
In fact, over 60 per cent of information breaches take months to be discovered, not days or hours or minutes.
Around 70 per cent of respondents to a recent survey admitted being victims to a cyber-attack. Organisations are not reporting the attacks, the effects or the remediations carried out, due to strict corporate embargoes.
The way forward
The steps to climb the stairway to security can be very high, certainly for organisations with extensive legacy systems, but the steps need to be climbed, and sooner rather than later. The best approach is often to build small steps, parallel steps and think differently.
Remember, the bad guys are always improving, so it is essential for organisations to also keep improving, but more than that, looking for that giant leap ahead in defences. There is talk of new secure operating systems, new secure trusted computer systems, and of the increased lock-down and monitoring of the internet. All these advances are being made but are they appearing on the market quickly enough to make that giant leap forward in the cyber arms race?
We are now into what is being called the fourth industrial revolution with industry 4.0 (2011 – 2014+). This revolution brings enormous commercial benefits but at a cost. Often the cost of implementing greater automation omits the cost of securing that automation. Companies have relied on the IT department doing something clever, within their annual budget, to secure all new development in corporate systems. To those who think about the holistic nature of automation enhancements within the corporate boundaries of data, interactions and information assurance, this is obviously not enough: much more must be done to include people, informational and operational security in the life-cost of new systems, and not just a thin spread of IT security.
Physical security is in a marginally better position due to its longer history of implementation, although physical security is also being found lacking in its cyber foundations. Compromise of user credentials, access control networks, CCTV networks and the CCTV cameras themselves are just some of the examples of hacking vulnerabilities. Physical security is just as necessary as cyber security, since a network or datacentre can be compromised much more easily by someone connecting devices, logging in directly to a terminal or stealing hardware for later analysis. Physical security can also help to protect staff who may be compromised through force or coercion by intruders. The logs and records of physical security systems can be a valuable component of a forensic analysis, and the status of cameras and intrusion detection systems can be valuable situational awareness for a real-time event.
Physical security may include a wide range of technology such as CCTV, intrusion detection, fence alarms, break-beam or IR detectors, radar, ground seismic sensors, thermal imaging, vehicle identifying systems, card readers, biometrics, audio sensors, chemical and radiological sniffers, and x-ray and radiometric sensors and air/force pressure sensors. There are many different technologies deployed to detect changes or unknown people or vehicles around and inside perimeters. The sensors are usually networked and collated into an intrusion detection system or access control system or a PSIM (physical security information management) system.
The security guardroom or control centre of a facility may have several computer screens dedicated to security management with an access control screen, PSIM screen, numerous CCTV screens, a card reader management screen, public address, radio communications management, fire management display and a building management display. The diversity of each system, from different vendors with differing operator interface standards, methods and operations makes the life of the security personnel more difficult than it strictly should be. Operator standards have been known, defined and standardised nationally and internationally for a variety of industries. The security vendors are most often not cognisant or have chosen to ignore such standards. Each system requires both education and experience to use effectively hence creating many opportunities for ineffective operation. This is an area for significant improvement where PSIM systems are starting to take on more and more management functions for all the other systems in the Security Room.
Security operation centres (SOC)
Cyber security management systems are still in their infancy for operator interfaces. These typically sit in a network operations centre (NOC) or a security operations centre (SOC). Cyber faces very similar challenges to physical security except the adversaries are much harder to spot and keep changing their methods and attack vectors.
Operations security management is essentially about the people, their procedures, methods and capabilities. The concept of operations (ConOps) of a security team should be made up of the manuals and documents and the process which has been worked out to achieve the highest and most robust levels of security, and of course honed over time. In reality the ConOps are defined once, read once, then left on the shelf or even ‘stored safely’ in a box!
Changes have been seen in the market with a welcome increase in knowledge management systems deployed to support operations in security control rooms. Rules engines and flexible database driven operator assistance and mandatory guides are now being used to good effect. When a site alert occurs, the Security personnel can be taken through an approved procedure step-by-step, with each action being recorded for future alarm analysis, and for operational improvements in the database steps. The concept of an Industrial SOC is being discussed more frequently and the challenge of integration is being reviewed against the risk of implementations.
Safety is becoming a strong component part of the security mix, and vice versa. Systems cannot be stated as safe if they are not secure, and systems cannot be stated as secure if they are not safe. Safety and security have different meanings for each community of expertise. We are lacking a truly international definition which is used as a standard by all experts, be they safety experts or security experts.
Ancillary systems such as building management systems (BMS), HVAC, water management, and environmental monitoring are also subject to attacks, can have serious consequential impacts, and should not be left out of a good risk analysis solution.
Outside the box
Supply chain risks are only now being reviewed with defence suppliers being more strictly audited right down through their supply chains, and industrial and commercial organisations also waking up to their supply chains. An organisation can be excellent in its own defence but if its supply chain is compromised then either components or data can be compromised, exfiltrated or aggregated to increase the threats from their suppliers. The adage that a chain is only as strong as its weakest link applies.
Data promulgation and corruption is also a threat to Industrial systems. CAD drawings, netlists, build diagrams, material make-ups, cavity and void plans, electrical schematics, 3D drawings of physical security systems, 3D object definition files for 3D printing and modelling all could pose significant risks if compromised or exfiltrated and then re-used by attackers or unaware suppliers in the supply chain.
Integrated security means bringing at least two or more security disciplines together to create a tangible benefit to the operations of a control room or security room.
Holistic integrated security means bringing multiple systems together to create a command, control, communications and computer solution.
The drawbacks of integrated systems are the cost of developing and maintaining the integration, the potential security risks of inter-connectivity, and the cost of managing the complexity and rule-sets.
The benefits are often seen to easily outweigh the potential drawbacks. Integrated systems are evolving as the norm. Security of interconnection is not such a challenge with newer technologies being adopted.
A selection of scenario stories now follows which are designed to illustrate a disconnected enterprise and a Holistic Integrated Security System:
Scenario 1: Nuclear operations controls manager
The Manager is authorised to use the main control room control screens to adjust reactor control parameters. He logs into the control screen and issues a 20 per cent increase in the control rod levels.
The control system allows this, as he is logged-on properly as authorised.
- Door access system of the control room does not show him as being in the control room.
- The site access management system does not show him as being on-site.
- The HR management system shows him as being on vacation this week.
- The HR training system shows his training status for control screen authorisation has lapsed.
- The site IT network intrusion system has recently discovered a number of unauthorised virtual private network (VPN) connection tunnels being used.
- The control system has not had a 20 per cent parameter increase for the control rods in its normal history pattern.
- There was no control screen keyboard activity when the parameter was changed.
- The control room had not had any IR movement detector triggers for at least 25 minutes prior to the action.
With an integrated solution, the attempted actions would not have been permitted.
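The eight contradicting signals in Scenario 1 are exactly the kind of cross-system consistency check an integrated solution can run before a control change is applied. The following is an added example, not code from the paper or from any vendor; the data sources (door access, site access, HR leave and training status, network IDS VPN count, control-room IR detector, parameter change history) and the sample values are constructed to match the scenario, and the thresholds (25-minute IR window, 1.5× history margin) are assumptions.

```python
"""Cross-system consistency check for a control-room parameter change (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class ChangeRequest:
    user: str
    parameter: str
    old_value: float
    new_value: float
    at: datetime
    keyboard_activity: bool  # did the HMI console register local keyboard input?


@dataclass
class SiteContext:
    """Snapshot of the other systems an integrated solution would consult (constructed)."""
    in_control_room: Set[str] = field(default_factory=set)   # door access system
    on_site: Set[str] = field(default_factory=set)           # site access management
    on_leave: Set[str] = field(default_factory=set)          # HR management system
    training_valid: Set[str] = field(default_factory=set)    # HR training system
    unauthorised_vpn_tunnels: int = 0                        # site network IDS
    last_ir_motion: Optional[datetime] = None                # control-room IR detector
    history: Dict[str, List[float]] = field(default_factory=dict)  # parameter -> past % changes


def percent_change(req: ChangeRequest) -> float:
    if req.old_value == 0:
        return float("inf")
    return abs(req.new_value - req.old_value) / abs(req.old_value) * 100.0


def contradictions(req: ChangeRequest, ctx: SiteContext,
                   ir_window: timedelta = timedelta(minutes=25),
                   history_margin: float = 1.5) -> List[str]:
    """Return every independent signal that contradicts the request being genuine."""
    reasons = []
    if req.user not in ctx.in_control_room:
        reasons.append("door access: user not recorded in the control room")
    if req.user not in ctx.on_site:
        reasons.append("site access: user not recorded on site")
    if req.user in ctx.on_leave:
        reasons.append("HR: user is on vacation")
    if req.user not in ctx.training_valid:
        reasons.append("HR training: control screen authorisation has lapsed")
    if ctx.unauthorised_vpn_tunnels > 0:
        reasons.append(f"network IDS: {ctx.unauthorised_vpn_tunnels} unauthorised VPN tunnel(s) active")
    past = ctx.history.get(req.parameter, [])
    if past and percent_change(req) > max(past) * history_margin:
        reasons.append(f"history: {percent_change(req):.0f}% change exceeds normal pattern")
    if not req.keyboard_activity:
        reasons.append("HMI: no keyboard activity when the parameter was changed")
    if ctx.last_ir_motion is None or req.at - ctx.last_ir_motion >= ir_window:
        reasons.append("IR detector: no movement in the control room before the action")
    return reasons


def decide(req: ChangeRequest, ctx: SiteContext) -> Tuple[str, List[str]]:
    """Permit only when no connected system contradicts the request."""
    reasons = contradictions(req, ctx)
    return ("PERMIT" if not reasons else "DENY"), reasons


# Constructed Scenario 1: a 20% control rod increase with every other system disagreeing.
T0 = datetime(2017, 1, 10, 3, 10)
SUSPECT_REQUEST = ChangeRequest("ops_manager", "control_rod_level", 50.0, 60.0, T0, keyboard_activity=False)
SUSPECT_CONTEXT = SiteContext(on_leave={"ops_manager"}, unauthorised_vpn_tunnels=3,
                              last_ir_motion=T0 - timedelta(minutes=40),
                              history={"control_rod_level": [2.0, 5.0, 3.5]})

# Constructed legitimate change by the same manager on a normal working day.
T1 = datetime(2017, 1, 17, 9, 30)
NORMAL_REQUEST = ChangeRequest("ops_manager", "control_rod_level", 50.0, 51.0, T1, keyboard_activity=True)
NORMAL_CONTEXT = SiteContext(in_control_room={"ops_manager"}, on_site={"ops_manager"},
                             training_valid={"ops_manager"},
                             last_ir_motion=T1 - timedelta(minutes=2),
                             history={"control_rod_level": [2.0, 5.0, 3.5]})


def run_scenario():
    return decide(SUSPECT_REQUEST, SUSPECT_CONTEXT), decide(NORMAL_REQUEST, NORMAL_CONTEXT)


if __name__ == "__main__":
    for verdict, reasons in run_scenario():
        print(verdict, *reasons, sep="\n  ")
```

Each check is independent and names its source system, so the same list doubles as the alarm record a control room would want to review afterwards; in a disconnected enterprise only the first line (the log-on) is ever consulted.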
Scenario 2: An intruder climbs over a fence…
A secure facility somewhere, somewhen…
- The site fence impact and vibration alarms are suddenly triggered.
- The site fence alarms have just slewed the PTZ CCTV cameras to the alarm zone.
- Review of the CCTV footage in the control room in real-time shows a person in a hoody and jeans climbing over the perimeter fence.
- A security guard force is alerted to attend the scene. They confirm their e.t.a.
- The site CCTV motion detectors detect significant movement of the intruder over the roads and grassed areas outside of normal traffic times. The CCTV cameras follow the intruder to a building.
- The local Police force is alerted to attend the site. They confirm date and time and their e.t.a.
- The building access control detects a break-in at an external door followed by a break-in at an internal door to the server room corridor.
- The internal intruder detectors detect movement in the corridor.
- The Fire Alarm Panel detects a smoke detector, at the far end of the corridor, triggered to an alarm state.
- The door to the server room signals a break in.
- The server room computer cabinet-opened alarm is triggered as out-of-normal-hours.
- A server alerts the IT system IDS as an unauthorised USB stick has been detected on a server.
- The server IDS signals a major cyber alarm due to significant file changes and the server attempts to run non-whitelisted programs.
- The security guard force arrives at the scene having been briefed in real-time on the actual situation, including the location and nature of the alarms and potential efforts by the intruder to mask their targets. Smart devices, position-based information, body cams and bidirectional information flow between operatives and the control room, and between operative teams, are all excellent enablers for realistic real-time situational awareness.
- Actions can be taken in real-time to mitigate either actual occurring threats, or potential threats based on a situation unfolding.
- The Intruder situation is effectively and speedily resolved due to fully integrated holistic situational awareness.
Technology plays a key role in the solutions to improve security, but human interactions and the softer skillsets are also needed in equal measure. Much more work is being done on social engineering and operator interactions, and the scientific findings are being increasingly understood and practically applied. Security designers need to understand the technologies, but motives and compromises also need an understanding of psychology, social engineering, MITM, least-privilege operations, politics, espionage, current affairs, etc.
Enterprises need to be aware of the significant advantages of holistic integrated security solutions for de-risking potential threats, improving current business operations through efficiencies, reducing mistakes across disparate systems, and finally improving morale through greater staff security.
Integrated holistic situational awareness is not a silver bullet to threats posed but can yield enormous improvement if carefully engineered, and integrated into the normal operations of security teams and seen as a clearly perceived benefit.
Many industry exponents are now trying to include safety within the security umbrella to ensure that safety systems are secure and security systems are safe. The UK Health and Safety Executive (HSE) has recently released guidance relating IEC 62443 with safety integrated systems (SIS). Again, this seems an obvious inclusion in business planning and in system architectures but has been lacking due to many factors. Hazard analysis (Hazops/Hazans/etc.) has often excluded intentional attacks in any form, as this exclusion reduces the complexity of the analysis task and ensures a sensible consideration of hazards and effects within normal boundaries. Unfortunately, that assessment of likelihood no longer holds. Hackers can intentionally disrupt both operational and safety systems and use man-in-the-middle (MITM) insiders to override basic safety systems and hence cause catastrophes. Multiple safety compromise actions can cause events assumed to be highly unlikely, and these must now be re-assessed. The cost of reassessment will be considerable, adding further to the cost of the new security mitigations also needed.
Many serious account hacks that happened in the past were disclosed in 2016. Overall, a billion account credentials fuelled the black market. 
- The 2012 LinkedIn breach affected around 117 million accounts.
- The MySpace breach exposed 427 million users.
- The Tumblr data breach exposed 65 million accounts.
- The VK security breach exposed 93 million accounts.
- The Dropbox security breach exposed 69 million accounts.
These account hacks are then used to compromise the identity and authorised capabilities of staff: ideal information for MITM attacks.
Industrial cyber security is now deeply into a form of arms race. Defenders need more defence tools and monitoring wizardry to detect and prevent attacks, but only if they can afford the resource time and expertise costs. They are usually seriously hampered by lack of budget and resources. Automation and security vendors are building more and more complex systems to help the defenders, but only if the defenders can afford the prices. Automation systems integrators are skilling up their resources to provide the expertise in security not previously provided or required. Government and academia are trying to find expertise, solutions, projects and understanding of the unfamiliar automation industry. The attackers are often funded either by states or by organised international criminal gangs and have none of the resource, cash or time limitations of the defenders. Attackers are becoming more formidable adversaries than was previously known or expected.
There are numerous approaches to enhancing industrial cyber security. The best approaches consider the many factors in and around the environment to be secured, often called the focus of interest or the system boundary, depending on the scale of the scope. The scope could be a full enterprise including all the IT and operational technology (OT) automation, or it could be a single factory/plant, a manufacturing line or a single system of interest. The important points to address are the holistic nature of the systems and of the solutions, both for the enhancement event and for the very necessary long-term programmes. No enhancement solution is a project; each should be both viewed and promoted as an ongoing programme. Every solution should include the formulate-review-install-monitor-review-formulate cycle, since there is no such thing as 100 per cent secure and the attacks change constantly.
There are international methodologies for analysing and assessing the informational and operational security under scrutiny. No single method is “the best”, as many practitioners have found, since no single system and environment are the same as others. For IT information assurance, standards such as ISO 2700x may be suitable, and for industrial systems the use of IEC 62443 or ANSSI or NIST methods may be suitable. Many programmes involve a hybrid of several methods together with customised measures designed for each system under scrutiny.
Stairway to security
There is a well-planned, but adaptable, stairway to security. Each step is an achievable security improvement, either in understanding, awareness, readiness, or defences. Each step can be small or large but is always an improvement.
Figure 2: The stairway to security
The security A-team
Achieving a successful security enhancement project requires a wide range of disciplines and people of differing roles. Selecting and bringing together an effective security ‘A-team’ of people who are tasked, and keen, to carry through the enhancements on a project basis, a technical and assurance basis, and a social and marketing basis is essential. All aspects must be considered in the team selection, and the formation is critical to both the practical and political success of the programmes.
Figure 3: The industrial cyber security A-team
The security jigsaw
The products, partners and solution integrators are also key parts of the enhancement programmes and should also be thought out, researched and integrated closely in the success measures. Often, security enhancement projects are disruptive and require significant changes to technical, social, operational, procedural and political well-worn grooves. Building the jigsaw of security products, operations, procedures and activities into the Security solution can reveal strengths and weaknesses. Creation of an overall security jigsaw map of each system under consideration is useful for communication and for a missing-pieces check.
Figure 4: The industrial security jigsaw
The team should walk through the reasons for selection of each jigsaw part and record the reasoning. System design records can really help review decisions made in both current and future mitigations. Firewalls with particular ports blocked for no currently known reason are an example of decisions made but not recorded.
U.S. software firm Microsoft will continue to invest over $1 billion annually in cyber security research and development in the coming years… While the number of attempted cyber-attacks was 20,000 a week two or three years ago, that figure had now risen to 600,000-700,000, according to Microsoft data.
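Two of the paper's points about firewalls, the myth-busting fact that most firewalls are set to allow ‘any’ inbound and the note above that ports are often blocked for no recorded reason, can both be caught by a simple audit of the rule base against its design records. The following is an added example, not from the paper or any firewall vendor; the rule table format (a constructed CSV with a `justification` column standing in for a design record reference) and the sample rules are assumptions made for illustration.

```python
"""Audit a firewall rule table for unrestricted inbound allows and undocumented rules (added example)."""
import csv
import io
from dataclasses import dataclass
from typing import List

# Constructed rule table: each row is one rule; 'justification' is the design record
# reference the security A-team should have written down when the rule was created.
RULES_CSV = """id,direction,action,src,dst,proto,port,justification
1,inbound,allow,any,any,any,any,
2,inbound,allow,10.1.0.0/16,10.2.0.5,tcp,502,Historian polling of PLC Modbus (design record DR-017)
3,inbound,deny,any,10.2.0.0/24,tcp,23,
4,outbound,allow,10.2.0.0/24,any,any,any,Engineering workstation updates (DR-021)
5,inbound,allow,any,10.2.0.10,tcp,3389,Vendor remote support
"""

INBOUND_ANY = "INBOUND_ANY"            # inbound allow with unrestricted source or port
NO_JUSTIFICATION = "NO_JUSTIFICATION"  # rule exists but nobody recorded why


@dataclass
class Finding:
    rule_id: str
    code: str
    message: str


def audit(rules_text: str) -> List[Finding]:
    """Return one finding per problem; an empty list means the rule base passes this audit."""
    findings = []
    for row in csv.DictReader(io.StringIO(rules_text)):
        rid = row["id"]
        is_inbound_allow = row["direction"] == "inbound" and row["action"] == "allow"
        unrestricted = row["src"] == "any" or row["port"] == "any"
        if is_inbound_allow and unrestricted:
            findings.append(Finding(rid, INBOUND_ANY,
                                    f"inbound allow from {row['src']} to {row['dst']} port {row['port']}"))
        if not row["justification"].strip():
            findings.append(Finding(rid, NO_JUSTIFICATION,
                                    f"{row['action']} {row['proto']}/{row['port']} has no recorded reason"))
    return findings


def summary(findings: List[Finding]) -> dict:
    """Count findings by code, which is what a stairway-to-security progress report would track."""
    counts = {}
    for f in findings:
        counts[f.code] = counts.get(f.code, 0) + 1
    return counts


if __name__ == "__main__":
    for f in audit(RULES_CSV):
        print(f"rule {f.rule_id}: {f.code}: {f.message}")
    print(summary(audit(RULES_CSV)))
```

Rule 1 is the classic ‘any’ inbound allow that the myth list warns about; rule 3 is a blocked port with no recorded reason, the situation the jigsaw walkthrough is meant to prevent; rule 5 is justified but still exposes a service to any source, which is why the two checks are kept separate. Running the audit on every change, and refusing rules with an empty justification, turns the design record into a check rather than a document left on the shelf.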
Having the right ‘A-team’, the right political and financial backing, the right partners and choosing some suitable methodologies and standards is essential to effective enhancements. Consider the technical aspects, the inter-departmental aspects (e.g. IT vs OT vs H&S), the financial aspects and the political change aspects, and keep refining these considerations throughout the programme. All the industry must keep remembering that the bad guys are getting better; they have unlimited everything and our industries have limited resources, so the resources must be used wisely and continuously. When building the A-team take on both members and advice from third parties, both to give an alternate perspective and to utilise other people’s experience and expertise.
A security improvement checklist might follow some typical points such as:
- Agree internally that action, or investigation, is needed, will be funded and supported.
- Identify the internal leader of this improvement initiative
- Engage trusted external assistance in building the programme
- Create an “A-team”
- Plan the stairway to security programme ahead
- Start the cycle of plan-monitor-decide-act-review within the programme
- Engage with supplier of the security jigsaw components
- Train staff, consult, partner, communicate, promote, collaborate, etc.
The industrial cyber war continues…
- http://www.nato.int/docu/review/2013/cyber/timeline/EN/index.htm Accessed Jan 2017
- https://en.wikipedia.org/wiki/Kevin_Mitnick Accessed Jan 2017
- https://ics.sans.org/media/An-Abbreviated-History-of-Automation-and-ICS-Cybersecurity.pdf Accessed Jan 2017
- http://www.reuters.com/article/us-tech-cyber-microsoft-idUSKBN15A1GA Accessed Jan 2017
- http://resources.infosecinstitute.com/the-biggest-cyber-security-incidents-of-2016/#gref Accessed Jan 2017