Cybersecurity – Understanding the Vulnerabilities
Published on : Monday 30-11--0001
The threats from network, web and the Internet are coming a lot nearer to the plants and the ‘attack surface’ is getting bigger with Industry 4.0, says Shekhar Pawar.
If we go back a few decades, ‘Industrial Safety’ was the important term, but now ‘Industrial Security’ is equally important. The vulnerabilities of connected plants are a very serious threat, with consequences including damage to capital assets, personnel safety issues and, most importantly, loss of production. Industry 4.0 is the current trend of automation and data exchange in manufacturing technologies, which includes cyber-physical systems, the Internet of Things, cloud computing and cognitive computing. Industry 4.0 is also referred to as the fourth industrial revolution, the Industrial Internet, or Smart Industry and Smart Manufacturing. Figure 1 shows the nine pillars of Industry 4.0. Hence, nowadays production plants are all connected through far more network and web integration. It means the threats coming from the network, the web and the Internet are coming a lot nearer to the plants. In simple words, we can say the ‘attack surface’ is getting bigger.
Fig.1
There is a regular flow of news that many power plant networks are under constant attack from unknown hackers across the world, every hour of the day, all year round. A hacker’s main goal is always to breach critical infrastructure, such as a power plant’s external firewalls, to gain access to the internal networks and find a way into the control system environment. Many organisations lack dedicated IT staff that can effectively identify and repel a cyber attack, so user diligence is key to identifying problems. Remember, as an organisation you must protect a wide span of technologies, but cyber attackers focus on and pinpoint the weakest link. It is more important to take maximum action towards prevention than to plan only how to act during or after a cyber-attack. Hence, from the beginning itself, cybersecurity should be considered an integral part of strategy, design and operations.
Hackers can use several different techniques to compromise plant computers, including emailing fake resumes that contain malicious code. Once inside the system, hackers can cause quite significant damage to production sites. For example, applications for SCADA systems, which are even available in the Android Google Play Store, may have vulnerabilities. Vulnerabilities may be present that allow code tampering, which could lead to the application being exposed and exploited on a rooted device. An insecure authorisation vulnerability, if present in such an application, can be exploited by an attacker who physically accesses an unattended or stolen device, or even remotely through malware. There are many such vulnerabilities which can damage the system. It is important that application developers embrace secure coding best practices to protect their applications and systems from dangerous and costly attacks. Defence in depth is essential; it refers to employing multiple layers of security that make it more difficult for cyber attackers to gain access to sensitive plant control networks. This can include complex password implementations, shorter password expiration policies, multi-factor authentication, firewalls configured with least-privilege access and intrusion prevention systems (IPS).
Dealing with cyber attacks
IT risk is associated with the ownership, use, operation, influence, involvement and adoption of information technology within a business. Any organisation’s success rests on three main pillars – People, Process and Technology. It is important that best security practices are implemented in all three areas. A holistic security plan is essential for any organisation to address security challenges on the plant floor and protect its industrial control systems (ICS) from cyber attacks.
Machines, networks and plant systems conforming to international standards such as IEC 62443 are near-immune to cyber threats in an industrial automation environment. As most of us know, ANSI/ISA 62443 is a series of standards, technical reports and related information that define procedures for implementing electronically secure Industrial Automation and Control Systems (IACS). The IEC 62443 cybersecurity standards are multi-industry standards listing cybersecurity protection methods and techniques, and devices, networks, machines and plant systems should all conform to them.
Mentioned below are the three key areas to be considered at a high level to address increasing cyber security issues, with reference to IT security.
Be Secure – Organisations should take a measured, risk-based approach to plan what to secure and how. To avoid security risks, periodic Vulnerability Assessment and Penetration Testing (VAPT) is essential for the cloud as well as for connected devices. Also, the organisation’s top management should ensure that issues reported during VAPT are fixed and retested after the fixes are deployed, to make sure no gap is left.
Be Alert – Awareness is the key to everything. Regularly monitor systems, networks, devices, personnel and the environment for possible threats. Regular audits and fixes are required. Nowadays, real-time threat intelligence and AI are also widely used.
Be Resilient – A security incident may occur even though you took all possible measures. Your organisation should be ready to respond to it in a structured way, and should know how quickly it can recover through steps that remediate the effects of the incident. Just as there are fire drills, regular cyber-attack drills are also important to perform. Cybersecurity incident simulation exercises help organisations know where they stand in case a real incident happens in the near future, and give them the opportunity to improve their security practices.
IIoT Devices & Storage
Most Industrial IoT devices are connected to Wi-Fi or the Internet, and those devices contain important and confidential data. Many IoT devices lack security and privacy policies, which hackers can exploit to conduct malicious activities.
As shown in Figure 2, a combination of highly secured application, network, mobile and cloud layers makes IoT security foolproof as a whole.
If we look at the history of cyber attacks on the cloud, cloud systems are more vulnerable to DoS assaults because they serve numerous individuals or user groups, making DoS assaults potentially very harmful. Cloud systems try to work against attackers by providing more and more computational power, but in doing so they inadvertently aid the attacker by enabling the greatest possible damage to the service’s availability – a process that all started from a single flooding-attack entry point. Thus, attackers need not flood all servers that provide a certain service, but merely flood a single cloud-based address to make the service unavailable. In a connected environment there is a risk that devices or other entities acting as entry points to the cloud get compromised by a cyber attacker, which can further allow an attack on the cloud.
Let me give an example of remote access using a backdoor for hacking industrial devices or a smart grid. Using social engineering, attackers gather basic information about the target organisation. After collecting information such as the email IDs of employees, the attacker sends them phishing emails with a malicious attachment such as, say, a Word document. As soon as any employee opens the email and clicks on the attached document, a backdoor is immediately installed on the target system. Using this backdoor, the attacker gains access to the private network of the target organisation. After gaining access to the private network, the attacker can access the SCADA (Supervisory Control and Data Acquisition) network, which controls the power grid. After gaining access to the SCADA network, the attacker replaces the legitimate firmware with malicious firmware that processes commands sent by the attacker. Furthermore, the attacker can disable the power supply to any particular place by sending malicious commands from SCADA to the substation control systems.
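The chain above ends with malicious firmware being accepted by SCADA equipment. As an added example that is not part of the original article, the following Python sketch shows the device-side control that breaks that step: an update is applied only if its authentication tag verifies and its version does not roll back. The vendor key, helper names and firmware bytes are constructed for illustration, and HMAC with a shared key stands in for the asymmetric signature a real device would check.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed vendor key for this illustration only. A real device would embed the
# vendor's public key and verify an asymmetric signature; HMAC-SHA256 with a shared
# key stands in here to keep the example standard-library-only.
VENDOR_KEY = b"constructed-example-vendor-key"

@dataclass
class FirmwareImage:
    version: int
    payload: bytes
    tag: bytes  # authentication tag over version || payload

def _message(version: int, payload: bytes) -> bytes:
    # Binding the version into the authenticated bytes stops an attacker from pairing
    # a genuine old payload with a forged newer version number.
    return version.to_bytes(4, "big") + payload

def build_image(version: int, payload: bytes, key: bytes = VENDOR_KEY) -> FirmwareImage:
    """Vendor side (hypothetical helper): produce an authenticated firmware image."""
    tag = hmac.new(key, _message(version, payload), hashlib.sha256).digest()
    return FirmwareImage(version, payload, tag)

def verify_update(image: FirmwareImage, installed_version: int, key: bytes = VENDOR_KEY) -> str:
    """Device side: accept an update only if it authenticates and does not roll back."""
    expected = hmac.new(key, _message(image.version, image.payload), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, image.tag):  # constant-time comparison
        return "rejected: authentication tag does not verify"
    if image.version <= installed_version:
        return "rejected: version rollback"
    return "accepted"

def demo() -> dict:
    """Three constructed update attempts against a device currently running version 1."""
    genuine_v2 = build_image(2, b"GENUINE FIRMWARE v2")
    # Attacker swaps in a malicious payload but cannot recompute the tag without the key.
    tampered = FirmwareImage(2, b"MALICIOUS FIRMWARE", genuine_v2.tag)
    # Replay of a genuine but older image against a device that already runs version 1.
    replayed_v1 = build_image(1, b"GENUINE FIRMWARE v1")
    return {
        "genuine": verify_update(genuine_v2, installed_version=1),
        "tampered": verify_update(tampered, installed_version=1),
        "replayed": verify_update(replayed_v1, installed_version=1),
    }
```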
Internal controls are an enterprise’s internal processes implemented to achieve specific objectives while minimising risk. They comprise enterprise structures, procedures, policies and practices implemented to lower the level of risk in an enterprise. For example, IT management processes within the organisation, such as the change management process, are extremely important. Suppose that, to increase efficiency through technology, organisations give users more robust access privileges than they might require; this increases the risk. Shadow IT refers to information technology projects that are managed outside of, and without the knowledge of, the IT department. It can include hardware, software, web services or cloud applications that employees turn to without IT authorisation to accomplish their tasks and projects. Shadow IT is the biggest risk for cloud computing, in which departments or business units independently adopt technology without telling the organisation’s central IT. It is often faster and easier for departments to directly establish accounts for cloud-based applications and services than to submit technology requests to a central IT group. But it can expose the organisation to new, unknown risks, since IT may not even know which services are being used and is therefore unable to assess their security or enforce the use of strong login credentials. Unmonitored and unauthorised data flowing out of your business is never good for security. There are many security countermeasures which help in mitigating Shadow IT risks, one of which is adhering to a change management process with strict Change Approval Board (CAB) approval for any such changes to the live environment.
Internal threats
Cyber attackers are also taking advantage of innocent employees or users who tend to use USB peripherals. There are around 29 known attacks which can be performed using USB drives. These USB drive attacks are mainly categorised as reprogrammable microcontroller USB attacks, maliciously reprogrammed USB peripheral firmware attacks and attacks based on unprogrammed USB devices. Apart from these, one more type of USB drive attack is the ‘USB Killer’, which comes under electrical attacks and permanently destroys devices when a USB device that triggers an electrical surge is inserted. Employees of any organisation need to be trained to understand the risks and impacts of such internal vulnerabilities. Apart from training employees, physically protecting USB ports by blocking them off, using endpoint security software to manage hardware or scan for malware, making hardware as tamperproof as possible and conducting regular audits of USB drives are a few promising steps to avoid these risks.
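As an added example, not from the original article, the following Python policy check shows the kind of rule an endpoint tool can apply when a USB device is attached, covering two of the categories above: storage devices outside an approved list, and devices that enumerate as both storage and keyboard, which is the pattern of reprogrammed peripheral firmware. The allowlist, vendor/product IDs and event sequence are constructed placeholders.

```python
from dataclasses import dataclass
from typing import List, Tuple

HID, MASS_STORAGE = 0x03, 0x08  # USB interface class codes: HID (keyboards), mass storage

# Constructed allowlist of approved storage devices as (vendor_id, product_id);
# the IDs are placeholders, not real vendor assignments.
APPROVED_STORAGE = {(0x1234, 0x0001), (0x1234, 0x0002)}

@dataclass
class UsbDevice:
    vendor_id: int
    product_id: int
    interfaces: List[int]  # interface class codes the device enumerates with

def evaluate_attach(device: UsbDevice, keyboards_attached: int) -> Tuple[str, List[str]]:
    """Return ('allow' or 'block', reasons) for a newly attached device."""
    reasons = []
    classes = set(device.interfaces)
    if MASS_STORAGE in classes and (device.vendor_id, device.product_id) not in APPROVED_STORAGE:
        reasons.append("mass-storage device not on the allowlist")
    if MASS_STORAGE in classes and HID in classes:
        # A 'flash drive' that also enumerates a keyboard interface points to reprogrammed firmware.
        reasons.append("storage device also enumerates as HID")
    if HID in classes and keyboards_attached >= 1:
        # Endpoint tools typically hold an unexpected extra keyboard for user approval.
        reasons.append("additional keyboard attached while one is already present")
    return ("block" if reasons else "allow"), reasons

def process_events(events: List[UsbDevice]) -> List[str]:
    """Evaluate a sequence of attach events, tracking how many keyboards were admitted."""
    keyboards, decisions = 0, []
    for dev in events:
        verdict, _ = evaluate_attach(dev, keyboards)
        decisions.append(verdict)
        if verdict == "allow" and HID in dev.interfaces:
            keyboards += 1
    return decisions

# Constructed event sequence: the user's keyboard, an approved drive, an unknown drive,
# a 'drive' that also presents a keyboard interface, and an unexpected second keyboard.
SAMPLE_EVENTS = [
    UsbDevice(0x1111, 0x0010, [HID]),
    UsbDevice(0x1234, 0x0001, [MASS_STORAGE]),
    UsbDevice(0x9999, 0x0099, [MASS_STORAGE]),
    UsbDevice(0x1234, 0x0001, [MASS_STORAGE, HID]),
    UsbDevice(0x2222, 0x0020, [HID]),
]
```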
Captions
Fig.1: The nine pillars of the Industry 4.0.
Fig.2: IoT = Application + Network + Mobile + Cloud.
Pix3: There are around 29 known attacks which can be performed using USB drives.