Copyright©2010

ISA—TheInternationalSocietyofAutomation

Allrightsreserved.

PrintedintheUnitedStatesofAmerica.

1098765432

ISBN978-1-936007-07-3

Nopartofthisworkmaybereproduced,storedinaretrievalsystem,ortransmittedinanyformorbyanymeans,electronic,mechanical,photocopying,recordingorotherwise,withoutthepriorwrittenpermissionofthepublisher.

ISA

67AlexanderDrive

P.O.Box12277

ResearchTrianglePark,NC27709

www.isa.org

LibraryofCongressCataloging-in-PublicationDatainprocess

Notice

professionaljudgmentinusinganyoftheinformationpresentedinaparticularapplication.

Additionally,neithertheauthornorthepublisherhaveinvestigatedorconsideredtheeffectofanypatentsontheabilityofthereadertouseanyoftheinformationinaparticularapplication.Thereaderisresponsibleforreviewinganypossiblepatentsthatmayaffectanyparticularuseoftheinformationpresented.

Anyreferencestocommercialproductsintheworkarecitedasexamplesonly.Neithertheauthornorthepublisherendorseanyreferencedcommercialproduct.Anytrademarksortradenamesreferencedbelongtotherespectiveownerofthemarkorname.Neithertheauthornorthepublishermakeanyrepresentationregardingtheavailabilityofanyreferencedcommercialproductatanytime.Themanufacturer’sinstructionsonuseofanycommercialproductmustbefollowedatalltimes,evenifinconflictwiththeinformationinthispublication.

AcknowledgmentsMyappreciationisexpressedforthepeoplewhohelpedandinspiredmetowritethesecondeditionofthisbook.

Onceagain,myspecialthanksgotomyISAeditor,SusanColwell.

JohnClem,fromSandiaNationalLaboratories,contributedcontentonRedTeamingforthenewChapter9,NewTopicsinIndustrialNetworkSecurity.

Mygoodfriendfromcollege,AndyHagel,providedcontentandreviewforChapter3,COTSandConnectivity.

Aswiththefirstedition,TomGoodfromDuPontandDaveMillsofProcter&GambleprovidedcontentforChapter10.

TableofContents

Preface

Chapter1.0 IndustrialNetworkSecurity

1.1 WhatAreIndustrialNetworks?

1.2 WhatIsIndustrialNetworkSecurity?

1.3 TheBigPicture:CriticalInfrastructureProtection

1.4 TheChallenge:“OpenandSecure”

1.5 Who’sWorkingonWhat?

1.6 FederalRegulatoryAuthority

References

Chapter2.0 ASecurityBackgrounder

2.1 Physical,Cyber,andPersonnelSecurity

2.2 RiskAssessmentandITCybersecurity

2.3 RiskAssessmentforthePlant

2.4 Who’sResponsibleforIndustrialNetworkSecurity?

2.5 TipsforMakingtheBusinessCasetoUpperManagement

2.6 MakingtheBusinessCasewithData

References

Chapter3.0 COTSandConnectivity

3.1 UseofCOTSandOpenSystems

3.2 Connectivity

3.3 WhatYouGetthatYouDidn’tBargainFor

References

Chapter4.0 CybersecurityinaNutshell

4.1 SecurityIsaProcess

4.2 BasicPrinciplesandDefinitions

4.3 BasicPrinciples:Identification,Authentication,andAuthorization

4.4 MoreCyberAttackCaseHistories

4.5 RiskAssessmentandRiskManagementRevisited

4.6 CyberThreats

4.7 Vulnerabilities

4.8 ACommonCOTSVulnerability:TheBufferOverflow

4.9 AttackerToolsandTechniques

4.10 AnatomyoftheSlammerWorm

4.11 Who’sGuardingWhom?

References

Chapter5.0 Countermeasures

5.1 BalancingtheRiskEquationwithCountermeasures

5.2 TheEffectofCountermeasureUse

5.3 CreatinganIndustrialNetworkCyberDefense

Chapter6.0 CyberdefensePartI—DesignandPlanning

6.1 DefenseinLayers

6.2 AccessControl

6.3 PrincipleofLeastPrivilege

6.4 NetworkSeparation

References

Chapter7.0 CyberdefensePartII—Technology

7.1 GuidancefromISA99TR1

7.2 FirewallsandBoundaryProtection

7.3 IntrusionDetection

7.4 VirusControl

7.5 EncryptionTechnologies

7.6 VirtualPrivateNetworks(VPNs)

7.7 AuthenticationandAuthorizationTechnologies

References

Chapter8.0 CyberdefensePartIII—People,Policies,andSecurityAssurance

8.1 ManagementActionsandResponsibility

8.2 WritingEffectiveSecurityDocumentation

8.3 AwarenessandTraining

8.4 IndustrialNetworkSecurityAssuranceProgram:SecurityChecklists

8.5 SecurityAssurance:Audits

8.6 AddinginPhysicalSecurity

8.7 AddinginPersonnelSecurity

References

Chapter9.0 NewTopicsinIndustrialNetworkSecurity

9.1 RedTeaming:TestYourselfBeforeAdversariesTestYou

9.2 DifferentTypestoAnswerDifferentQuestions

9.3 RedTeamingIndustrialNetworks–Caution,It’sNottheSame!

9.4 SystemSecurityDemandsBothPhysicalSecurityandCybersecurity

9.5 TheTransportationConnection:PassengerRailandCybersecurity

References

Chapter10.0 DefendingIndustrialNetworks—CaseHistories

10.1 ALargeChemicalCompany

10.2 AnotherCompany’sStory—Procter&Gamble

AppendixA–Acronyms

AbouttheAuthor

Preface

SomuchhashappenedsincethefirsteditionofIndustrialNetworkSecuritywaspublishedin1995.Thisareahasgone“mainstream”intermsofpublicawarenessoftheimportanceofIndustrialNetworkstoourcriticalinfrastructureandthethreattothemfromhackers,cyberspies,andcyberterrorists.

Forinstance,thestory“America’sGrowingRisk:CyberAttack”isfeaturedonthecoveroftheApril2009PopularMechanics.Andoneoftheleadstoriesonthefrontpageofthe8April2009editionofTheWallStreetJournalwas“ElectricityGridinU.S.PenetratedBySpies.”ThestorytalkedabouthowforeignpowershadmappedtheU.S.electricalgridandleftbehindsomerogueprogramsthatcouldbeactivatedremotelytodisruptthegrid.

The“BigR,”Regulation,hasreareditsheadintheelectricpowerindustry.TheNERC-CIPcontrolsystemcybersecuritystandardsforelectricpowergenerationandtransmissionentitiesarenowmandatedbytheU.S.government.

Commercial-off-the-shelf(COTS)hardwareandsoftware,asdescribedinChapter3,continuesitsmoveintoIndustrialNetworksaslegacyequipmentisphasedout.Andothersectors,suchaspassengerrail,describedthroughthewriter’seyesinthenewChapter9,arecominguptospeedonIndustrialNetworkSecurityasCOTSbecomecommonplaceinthatsectorcontrolsystems.

Consistentwiththefirstedition,anefforthasbeenmadetokeepthisbookintroductoryandeasy-to-read.Aswiththefirstedition,thiseditionisintendedforthetechnicallayman,manager,orautomationengineerwithoutacybersecuritybackground.Newcyberincidentsandupdatedinformationhavebeenaddedtothechapterswithoutchangingtheoriginalformat.

1.0

IndustrialNetworkSecurity

1.1 WhatAreIndustrialNetworks?Todefineindustrialnetworksecurity,onefirsthastodefineindustrialnetworks.Forthepurposesofthisbook,industrialnetworksaretheinstrumentation,control,andautomationnetworksthatexistwithinthreeindustrialdomains:

• ChemicalProcessing–Theindustrialnetworksinthisdomainarecontrolsystemsthatoperateequipmentinchemicalplants,refineries,andotherindustriesthatinvolvecontinuousandbatchprocessing,suchasfoodandbeverage,pharmaceutical,pulpandpaper,andsoon.UsingtermsfromANSI/ISA-84.00.01-2004Part1(6),industrialnetworksincludetheBasicProcessControlSystem(BPCS)andtheSafetyInstrumentedSystems(SIS)thatprovidesafetybackup.

• Utilities–Theseindustrialnetworksservedistributionsystemsspreadoutoverlargegeographicareastoprovideessentialservices,suchaswater,wastewater,electricpower,andnaturalgas,tothepublicandindustry.UtilitygridsareusuallymonitoredandcontrolledbySupervisoryControlAndDataAcquisition(SCADA)systems.

• DiscreteManufacturing–Industrialnetworksthatserveplantsthatfabricatediscreteobjectsrangingfromautostozippers.

ThetermIndustrialAutomationandControlSystems(IACS)isusedbyISAinitscommitteenameandintherecentlyissuedstandardsandtechnicalreportseriesfromtheISA99IndustrialAutomationandControlSystemsSecuritystandardsandtechnicalcommittee(also,simplyISA99).ThistermiscloselyalliedwiththetermIndustrialNetworks.

Thestandard,ANSI/ISA-99.00.01-2007-SecurityforIndustrialAutomationandControlSystems,Part1(1),definesthetermIndustrialAutomationandControlSystemstoinclude“controlsystemsusedinmanufacturingandprocessingplantsandfacilities,buildingenvironmentalcontrolsystems,geographicallydispersedoperationssuchasutilities(i.e.,electricity,gas,andwater),pipelinesandpetroleumproductionanddistributionfacilities,andotherindustriesandapplicationssuchastransportationnetworks,thatuseautomatedorremotelycontrolledormonitoredassets.”Thisstandardwillbereferredtoas“ISA-99Part1”inthebook.

ThetechnicalreportANSI/ISA-TR99.00.01-2007SecurityTechnologiesforIndustrialAutomationandControlSystems(4)succeedsthe2004versionofthedocumentreferencedinthefirsteditionofthisbook.Thisreportwillbereferredtoas“ISA-99TR1.”Note:Atthetimeofthiswriting,Part2oftheISA-99standardhasjustbeenapproved.Part2is

titledSecurityforIndustrialAutomationandControlSystems:EstablishinganIndustrialAutomationandControlSystemsSecurityProgram(5).

1.2 WhatIsIndustrialNetworkSecurity?Whenwespeakofindustrialnetworksecurity,wearereferringtotherapidlyexpandingfieldthatisconcernedwithhowtokeepindustrialnetworkssecure,and,byimplication,howtokeepthepeople,processes,andequipmentthatdependonthemsecure.Securemeansfreefromharmorpotentialharm,whetheritbephysicalorcyberdamagetotheindustrialnetworkcomponentsthemselves,ortheresultantdisruptionordamagetothingsthatdependonthecorrectfunctioningofindustrialnetworkstomeetproduction,quality,andsafetycriteria.

Harmtoindustrialnetworksandtotherelatedpeople,processes,orequipmentmightbethroughthefollowing:

• MaliciousActs–Deliberateactstodisruptserviceortocauseincorrectfunctioningofindustrialnetworks.Thesemightrangefroma“denial-of-service”attackagainstaHuman-MachineInterface(HMI)servertothedeliberatedownloadingofamodifiedladderlogicprogramtoaPLC(ProgrammableLogicController).

• AccidentalEvents–Thesemaybeanythingfroma“fat-fingered”employeehittingthewrongkeyandcrashingaservertoapowerlinesurge.

Whenwethinkofindustrialnetworksandcomputer-controlledequipment,weusuallythinkofwhatISA99documentscall“electronicsecurity,”butweshouldalsoincludesomeaspectsoftwootherbranchesofsecurity:physicalsecurityandpersonnelsecurity.TheseothertwobranchesofsecuritywillbeaddressedinChapter2.

Toillustratethedistinction,let’ssaywehaveadisgruntledemployeewhoventshisangerinachemicalplantand:

1. turnsaviruslooseonthecomputerworkstationthatrunstheHMIsoftware,allowingthevirustospreadthroughtheindustrialnetwork;

2. takesapipewrenchandbreaksaliquidlevelsightglassonastoragetank,causingtheliquidtoleakoutonthefloor;and

3. priesopenthedoortoanSISsystemcontrollerboxanddisablestheoverpressureshutdownbyinstallingjumpersbetweenisolatedconductorsandbypassingtheaudiblealarms.

Byourdefinition,acts1and3fallwithinourdefinitionofindustrialnetworksecurity.Act2isdeliberatesabotage,butitisphysicalsabotageofamechanicalindicatinginstrument,notofanindustrialnetwork.Act3involvessomephysicalactions,suchasbreakingthelockandinstallingjumpers,butthejumpersthenaltertheelectricalflowwithinanindustrialnetwork,aSISsystem.

Weacknowledgeandstresstheimportanceofphysicalprotectionofindustrialnetwork

components,andalsothepersonnelsecuritythatappliestotheoperatorsofthesenetworks.However,physicalandpersonnelsecurityprotectivemeasureshavebeenaroundforalongtime,andinformationabouttheseprotectivemeasuresisreadilyavailableelsewhere.Chapter2introducesphysicalandpersonnelsecurityaspartoftheentiresecuritypicture;however,themajorityofthisbookcoverstheelectronicsecurityofindustrialnetworks.

TheISA99committeealsoacknowledgesthattheseotherbranchesofsecurity,suchasphysicalandpersonnelsecurity,arenecessarybutsimilarlystatesthatitsstandardsaremainlyconcernedwiththe“electronicsecurity”ofindustrialautomationandcontrolsystems.

1.3 TheBigPicture:CriticalInfrastructureProtectionItisbesttointroducethesubjectofCriticalInfrastructureProtectionfromahistoricalperspective.In1996,PresidentClintonissuedPDD63(PresidentialDecisionDirective63)onCriticalInfrastructureProtection(2),declaringthattheUnitedStateshadcriticalinfrastructurethatisvitaltothefunctioningofthenationandmustbeprotected.PDD63identifiedeightcriticalinfrastructuresectors,includingtheseinfrastructuresusingindustrialnetworks:

• GasandOilStorage&Delivery

• WaterSupplySystems

• ElectricalEnergy

Alongwiththesethreewerealsogovernmentoperations,bankingandfinance,transportation,telecommunications,andemergencyservices.

InFebruary2003,PresidentBushreleasedTheNationalStrategytoSecureCyberspace(3).Init,someadditionalcriticalsectorswerelistedthatuseindustrialnetworks,including:

• ChemicalIndustry

• DefenseIndustrialBase

• FoodProduction

Figure1-1showshowthoseoriginalandadditionalcriticalinfrastructuresectorsmaptothethreeindustrialdomains—chemicalprocessing,utilitiesanddiscretemanufacturing—wedescribedinSection1.1asusingindustrialnetworks.

Figure1-1.IndustrialDomainvs.NationalCriticalInfrastructureAreasUsingIndustrialNetworks

ThelistofcriticalinfrastructuresectorshascontinuedtoevolvesinceFebruary2003,withthefederalgovernmentadding“criticalmanufacturing”tothelistin2008.

Aglanceathistoryshowshowmuchthecriticalinfrastructuresectorsdependoneachother—takeonecriticalsectorawayandothersmaycometumblingdownlikedominoes.TheNortheastBlackoutofAugust2003showedhowafailureofonesectormaycascadetoothers.WhenthepowerwentoutinCleveland,thewatersupplypumpsinthatcityalsoshutdown,sincetheyranonelectricity.Similarly,thetransportationsectorinNewYorkwasaffectedwhentrafficlightsceasedfunctioningandgasstationscouldn’tpumpgas,sincebothwereelectricallyoperated.

Whatconclusionscanwedrawfromthisdiscussionofcriticalinfrastructure?

Wecanconcludethatsecuringindustrialnetworksinourthreedomainsofinterestisaprerequisiteforsecuringcriticalinfrastructureatthenationallevel.Andthisistrueforallindustrializednations.Infact,themoreautomatedandcomputer-dependentanation’scriticalinfrastructureis,themoreitdependsondevelopingandapplyingindustrialnetworksecuritytoensureitsfunctioninginanewageofworldwideterrorism.

1.4 TheChallenge:“OpenandSecure”Let’slookatwhathashappenedinthefieldofindustrialnetworksinthelast12yearsorso.

• COTS.Proprietarysystemshavegivenwaytocommercialoff-the-shelf(COTS)hardwareandsoftwareinindustrialnetworks.NowweseeeverythingfromMicrosoftWindows®todifferentflavorsofLinuxandUnixforoperatingsystems,alongwithEthernet,TCP/IP,andwirelessprotocolsfornetworks.

• Connectivity.OnceCOTShardware,software,andnetworkcomponentsareusedinindustrialnetworks,thenextlogicalthingistoconnecttheindustrialnetworksandthebusinessnetworkssotheformerlyincompatiblesystemscancommunicate.ThebusinesssystemsareinvariablyhookeduptotheInternet.

• Web,WebServices,andWireless.Recentdevelopmentsincludetheabilityto

accessaWebserverineveryintelligentelectronicdeviceandabrowseroneveryengineer’sofficedesktoptomonitorequipmentoperations.AndwirelessLANs(LocalAreaNetworks)offertheconvenienceofconnectingdeviceswithouthavingtoinstallexpensivecablingwithintheplant.

Allthesedevelopmentshaveopenedupoursystems,butthequestionis,“Canwebebothopenandsecure?”Beingopenandsecureisthe“HolyGrail”ofournewindustrialnetworksecuritydiscipline.Wewanttokeeptheoverwhelmingbusinessadvantagesofhavingopensystems,yetsecureoursystemsenoughtoensurethatourplantsandutilitygridsdon’tbecomereadytargetsforcyberattack.

1.5 Who’sWorkingonWhat?Forallpracticalpurposes,thefieldofindustrialnetworksecuritybeganinthelate1990s.TheSeptember11thattacksgreatlyacceleratedthepaceofactivity.Sincethen,abewilderingvarietyoforganizationswithstakesinsecuringindustrialnetworkshavegeareduptoworkonvariousaspectsoftheproblem.

Theorganizationsworkingonindustrialnetworksecuritymaybedividedintocategories:

• GovernmentOrganizations.IntheU.S.,governmentagenciesactiveinindustrialnetworksecurityincludetheNationalCyberSecurityDivision(NCSD)oftheDepartmentofHomelandSecurity(DHS),organizationswithintheDepartmentofEnergy(DoE),theDoENationalLaboratories(e.g.,Sandia,PacificNorthwest,andIdahoNational),theDepartmentofCommerceNationalInstituteofStandardsandTechnology(NIST),theFederalEnergyRegulationCommission(FERC),andtheGeneralAccountingOffice(GAO).Eachorganizationhassomestakeinprotectingtheindustrialnetworksthatmakeupportionsofthenation’scriticalinfrastructure.Someorganizations,suchasFERC,nowhaveregulatoryauthority,aswillbediscussedin1.6.

• Intheinternationalarena,governmentorganizationslikeCanada’sOfficeofCriticalInfrastructureProtectionandEmergencyPreparedness(OCIPEP)andBritain’sCentreforProtectionofNationalInfrastructure(CPNI)playasimilarroleinprotectingtheirnation’scriticalinfrastructure.

• NonprofitOrganizations.Theserangefrominternationalprofessionalandtechnicalsocietiesspanningindustrialsectors,likeISA,toU.S.-basedindustrysector-specificgroupsliketheNorthAmericanElectricReliabilityCorporation(NERC)forelectricpowerandtheAmericanWaterWorksAssociation(AWWA)forthewaterutilities.Includedamongthenonprofitsareschoolsanduniversitiesthathavecourses,seminars,andresearchanddevelopmentprogramsinindustrialnetworksecurity.

• For-ProfitEntities.Thevariouscorporationsthatarethevendorsandusersofindustrialnetworksarekeyindeterminingwhetherindustrialnetworksecurityproceduresandequipmentaredeveloped,commercialized,purchased,andusedsuccessfully.

Withintheorganizationalcategorieslistedabovearetwoorganizationsthatdealwithindustrialnetworksecurity,workingattheinternationallevelacrossthethreeareasofchemicalprocessing,utilities,anddiscretemanufacturing.

Theseorganizationsare:

• ISA,throughtechnicalandstandardscommitteeslikeISA99,ManufacturingandControlSystemsSecurity.

• IEC(InternationalElectrotechnicalCommission),includingCommittee65forworkontheIEC62443NetworkandSystemSecurityStandards.

Theseorganizationsworkacrossindustrialareasand,therefore,manufacturingsectors.Forinstance,wepreviouslymentionedtheISA-99seriesofstandardsandtechnicalreportsthatdefinethebreadthof“IndustrialAutomationandControlSystems”as“appliedinthebroadestpossiblesense,encompassingalltypesofmanufacturingandprocessfacilitiesandsystemsinallindustriesineveryareaofmanufacturing.”

1.6 FederalRegulatoryAuthorityRecently,twofederalgroupshavebeengivenregulatoryauthorityoverindustrialnetworksecurityinthepublicandprivatesector.TheFederalEnergyRegulatoryCommissionhasbeengiventheauthoritytoregulatethecybersecurityofthetransmissiongrid,andithasexercisedthatauthoritybymakingtheNERCCIP(NorthAmericanReliabilityCorp.CriticalInfrastructureProtection)ConsensusIndustryStandardsintoofficialfederalregulationswithenforcementpenalties.TheDepartmentofHomelandSecuritywiththeirCFAT(ChemicalFacilityAnti-terrorism)Regulationsonthechemicalindustry,aremostlyconcernedwithphysicalsecuritybuthaveacybersecuritysection.Otherdepartmentsofthefederalgovernmentregulatingothercriticalinfrastructuresectorsmaywellgetintotheactinthefuture.

References1. ANSI/ISA-99.00.01-2007SecurityforIndustrialAutomationandControlSystems,

Part1.ISA,2007.

2. TheWhiteHouse.PresidentialDecisionDirective63.ProtectingAmerica’sCriticalInfrastructure.May22,1998.Retrieved11/11/2004from:http://www.fas.org/irp/offdocs/pdd/pdd-63.htm.

3. TheWhiteHouse.NationalStrategytoSecureCyberspace.February2003.Retrieved11/11/2004from:http://www.whitehouse.gov/pcipb/cyberspace_strategy.pdf.

4. ANSI/ISA-TR99.00.01-2007SecurityTechnologiesforIndustrialAutomationandControlSystems.ISA,2007.

5. ANSI/ISA-99.00.01-2007SecurityforIndustrialAutomationandControlSystems:EstablishinganIndustrialAutomationandControlSystemsSecurityProgram,Part2.ISA,2007.

6. ANSI/ISA-84.00.01-2004Part1FunctionalSafety:SafetyInstrumentedSystemsfortheProcessIndustrySector–Part1.ISA,2004.

2.0

ASecurityBackgrounder

2.1 Physical,Cyber,andPersonnelSecurityWhenconsideringsecurityforbusinessandindustry,securitypractitionershavetraditionallydividedthemselvesintothreeareasofspecialization.Wedescribethesethreeareaswiththeaidoftwotermsusedfrequentlyinsecurity:

• Insiders.Thepeoplewhobelonginyourfacility,includingemployeesandinvitedcontractors,visitors,ordeliveryandservicepeople.

• Outsiders.Peoplewhodon’tbelonginyourfacility,whethertheyenterphysicallyorelectronically.Thiscategorycoverseveryonefromvendorsthroughhardenedcriminals!Uninvitedoutsidersinyourfacilityareintrudersandareguiltyoftrespassing,attheleast.

Keepingthesetermsinmind,andasmentionedinChapter1,thethreetraditionalareasofsecurityare:

• PhysicalSecurity.Guards,gates,locksandkeys,andotherwaystokeepoutsidersfrombecomingintrudersandinsidersfromgoingwheretheydon’tbelong.Thisistheoldestandmostestablishedbranchofsecurityandclaimsthehighestpercentageofsecurityprofessionals.

• PersonnelSecurity.Practitionershereareusuallyoccupiedwiththesequestions:“AretheoutsidersI’mabouttobringintomyplanttrustworthy?”and“MayIcontinuetoplacetrustinmyinsiders?”Thisareaofthesecurityprofessioncoverseverythingfromcriminalbackgroundchecksonnewemployeesandcontractorstoinvestigationofsecurityviolationsbyemployeesandperiodicbackgroundrechecksofexistinginsiders.

• Cybersecurity.Thiscategorycoversprevention,detection,andmitigationofaccidentalormaliciousactsonorinvolvingcomputersandnetworks.TheareanowknownasbusinessorITcybersecurityhasitsrootsinthefinancialandintelligencecommunitiesofthe1960sand70s.

IndustrialnetworksecurityisprimarilyITcybersecurityadaptedtoindustrialnetworks,butincludesimportantelementsofphysicalandpersonnelsecurityaswell.Forinstance,doesitmakeadifferenceifyourvaluableprocessrecipes,keptastradesecretsonyourcontrolnetwork,aretakenbyindustrialspieswho:

• hackintoyourindustrialnetworkthroughthecorporatefirewallandbusinessnetworkandthendownloadandsellthem?(acybersecurityincident),or

• pullupinavandisguisedaslegitimatemessengersfromyourcomputertape

backupstoragefirmandgetanunwittingemployeetohandoveryourfreshlymadebackuptapescontainingthesametradesecrets(apersonnelsecurityincident),or

• breakintoyourplantlateatnight,cleverlybypassingtheburglaralarm,andwalkoutwiththeharddrivesfromyourcontrolserverscontainingtherecipes(aphysicalsecurityincident)?

Theneteffectisthesameinallthreeincidents—yoursecretsaregone!Infact,anindustrialspymaypurposely“casethejoint”andchooseanattackplanbasedonwhereyourdefensesareweakest.

Successfulpreventionofindustrialnetworkattacksinvolvesgettingknowledgeablespecialistsfromallthreeareasofsecuritytositaroundthetableanddiscusspossibleattacksandmeanstopreventthem.Brainstormingtechniquesmaybeused,withnotypeofattackdismissedas“toowildanidea”toconsider.

Forexample,beforetheSept.11,2001attacks,thephilosophydrivingairlinesecuritywas“hijackerswanttolive.”Wouldn’tithavebeenvaluabletoquestionthatassumptionintheyearsleadinguptoSeptember11andsay,“Butsupposethehijackerswanttodie?Whatcouldorwouldtheydothen?”

Inthiswriter’sexperienceinthecorporatesecurityworld,Iwouldsitatthelunchtablelisteningtocorporatesecurityinvestigatorstellstoriesofactiveinvestigations.Manyoftheirstorieswerebizarre,suchasemployeesusingtheircorporatecreditcardstopayforanythingfromexpensivepartsfortheirownmotorcyclestothousandsofdollarsinelectivesurgery!Anyrationalemployeewouldsay,“Don’tdothat,you’llgetcaught!”Didtheseemployeesthinkaboutconsequencesbeforetheywentaheadwiththeirplans?Maybe,buttheconsequencesdidn’tdeterthemfromgoingaheadanyway.

Let’sseeifwecanbrainstormascenariooffactorysabotage.Forexample,thesuccessfulsabotageofafactoryconveyorsystemmight(1)involveanunscrupuloussalesmanfromarivalconveyorcompanywhohasacriminalrecord(personnelsecurity).(2)Hestraysintotheproductionareawhileleftunattendedaftervisitingtheengineeringdepartment(physicalsecurity).(3)There,hedownloadsamodifiedladderlogicprogramfromhislaptoptotheconveyormachineryPLC(cybersecurity).Thatcausestheconveyortomysteriouslymalfunctionthenextday,makingapurchaseofhiscompany’srivalconveyorsystemmorelikelythenexttimehepaysasalescall!

Analysesofsecurityincidentsusuallyrevealachainofeventsthatleduptotheactualcriminalactivity.Ifsecuritymeasures,whethertheyinvolvephysical,personnel,orcybersecurityactivity,canbeintroducedtoprevent,detect,andrespondtothechainofactivitiesatanypoint,thereisagoodchancethefinalcriminalactivitycanbeprevented.

Intheconveyorsystemexample,wheremightsecurityhavebeenintroducedtointerruptthechainofeventsleadinguptotheconveyorsabotage?Wouldtheoutcomehavebeendifferentif:

• therivalconveyorcompanyhaddoneacriminalbackgroundcheckinthehiringphaseanddiscoveredthatthesalesmanhadacriminalrecord;or

• thefactoryhewasvisitinghada“companyescortrequired”physicalsecuritypolicy,preventingthesalesmanfromwanderingintotheproductionareaalone;or

• thefactoryhadactivenetworksecuritymeasuresthatpreventedthesalesmanfromenteringthePLCnetworkanddownloadingamodifiedladderlogicprogram?

Ifanyofthesephysical,personnel,orcybersecuritymeasureshadbeeninforce,thefinaleventinthechain,theconveyor’smysteriousmalfunction,mighthavebeenprevented.

2.2 RiskAssessmentandITCybersecurityRiskassessmentistheprocessbywhichyouandyourmanagementteammakeeducateddecisionsaboutwhatcouldharmyourbusiness(threats),howlikelytheyaretooccur(likelihood),whatharmtheywoulddo(consequences),and,iftheriskisexcessive,whattodotolowertherisk(countermeasures).

Let’ssayyouaretheownerofalargefactorymakingwidgetsinaMidwesternstate,whichhappenstobein“TornadoAlley.”YourplantbuildingandattachedbusinessofficebuildingareasshowninFigure2-1:

Forinstance,forriskstotheofficebuildinganditscontents,suchasthebusinesscomputersystems,wecanillustratewhatonetypeofriskassessment—aquantitativeriskassessment—lookslike.Inthisexamplewewillconsideronephysicalandonecyberthreattotheofficebuildinganditscomputersystem,perFigure2-2.

Figure2-1.WidgetEnterprises,Inc.

Thefirst,amild-to-moderatetornado,representsaphysicalrisktotheofficebuildinganditscontents.Let’ssaythelikelihoodofamild-to-moderate(knownascategoryF0toF2)tornadohittingtheofficebuildingisonceevery20years(afairlydangerousneighborhood!).Thefigureassumestheconsequenceofthethreatoraveragedamagetotheasset(officebuilding)is$5million.Therefore,theannualriskfrommild-to-moderatetornadodamageis:

1event/20years×$5million/event=

0.05×5=

$0.25million/yearatriskfromthistypeoftornado.

Nowwehaveameasureofannualriskintermsofdollars.Wecancompareitwiththeverydifferentriskof,let’ssay,aparticulartypeofcyberattackbyanindustrialspywhoseekstodownloadyourcarefullyguardeddatabaseofbestcustomersandwhattheytypicallyorderfromyou.

Figure2-2.OfficeBuilding–PhysicalandCyberRiskAssessment

Onceweenterthecyberrealm,doingaquantitativeriskassessmentraisesaproblem:unlikeweatherdamageoraphysicalsecurityissuelikerobbery,therearenotalotofhistoricalstatisticstodrawfromtogetlikelihoodnumbers.Butsomedataonthefrequencyofindustrialspyingofalltypesdoesexist,withon-averagelossbydifferentsizecompaniesandindustries.Thisdata,coupledwithlossdatafromyourfactory,mightenableyoutocomeupwithareasonableestimatesoyoucouldcontinuebeingquantitative(asopposedtoqualitative,whichisthealternative.Wewillfocusonqualitativeriskassessmentinanupcomingsection).

Let’sestimatethelikelihoodofthiseventatonecyber-theft(threat)everythreeyears,andthesalesyouwouldloseasaresultofthisinformationbeinggiventoyourcompetitors(consequence)at$10million.Then,fromthistypeofcyberevent:

1event/threeyears×$10million=$3.3million/yearatrisk.

Hereisthepowerofaquantitativeriskassessment.Forthefirsttime,wecancomparethecostofphysicaldamagetocyberdamageintermsthattopmanagementwillunderstand—dollars.Basedonthisriskassessment,wemayconcludethatthemonetaryriskofanindustrialspycyberattackisgreaterthanthemonetaryriskofatornado.Inlaterchapters,wewillseehowcountermeasuresorpreventiveremedies,suchasreinforcedconstructiontolimittornadodamage,canbeevaluatedagainstcalculatedrisktoseeiftheyareworthwhile.

Keepinmindthatourriskanalysishasbeensimplified.Usually,moretermsenterintoariskanalysis,and,asmentioned,gettinggoodnumbersorrangesofnumbersforaquantitativecyberriskassessmentmaybedifficult.

Thefollowingpeoplewillhavealotofinterestintheofficebuildingriskassessmentwejustmade:

• Thebusinessowner,theCEO,andthegeneralmanagers

• ThePhysicalSecurityManagerandtheFacilitiesManager(whomaybethesameindividual)

• TheChiefInformationOfficer(CIO)andthepartoftheCIO’sorganizationresponsibleforbusinesssystemscybersecurity(perhapsanITcybersecuritymanager).

Let’sdrawanorganizationchart(seeFigure2-3)torepresentasimplifiedmanagementstructureforastand-alonefactory.(Notethatinamodernmulti-plantmanufacturingcorporation,numerous“dottedline”relationshipswouldexistbetweencorporateandplantmanagement.)

Figure2-3.OrganizationChart

TheITcybersecuritymanager,whoreportstotheCIO,isresponsibleforthecorporatefirewallsandIntranetandInternetaccess,andmighthavetheseITsecurityissuestodealwith:

• Web.Downloadingofpornographyorillegalcontentbyemployees.

• Email.Virusescomingin;spam.

• Remoteaccess.Allowingauthorizeduserstoconnectviamodempoolorvirtualprivatenetwork,andkeepingunauthorizedpeopleandhackersout.

• Unlicensedsoftware.Keepingemployeesfromusingunpaid-fororunapprovedsoftware.

ToaddresstheseproblemsandahostofotherITsecurityissues,theITcybersecuritymanagerdrawsonthefieldofbusinessorcommercialcybersecurity.Thisfield,termed“computerandnetworksecurity”inpriortimes,includesthefollowing:

• ITsecuritytechnology.Firewalls,antivirusprograms,andauditandsecuritydiagnosticprogramsandtools.

• Trainedpersonnel.Speciallytrainedcomputersecuritypractitioners,holdingcertificationssuchasCertifiedInformationSystemSecurityProfessional(CISSP)orCertifiedInformationSystemsAuditor(CISA)andtrainedintheITsecuritybodyofknowledge.

• ITsecuritypolicies,processes,andprocedures.Publishedcybersecurityguidelinesandrecommendationsfromvariouscommercialcybersecurityorganizations.

Inshort,a“bodyofknowledge”isreadilyavailableforthisarea,whetherwecallitIT,commercial,orbusinesscybersecurity.

2.3 RiskAssessmentforthePlantNowthatwe’vecoveredthebusinessofficebuilding,let’stakealookatourwidgetproductionfactorybuilding(Figure2-4):

Figure2-4.InsidetheFactoryBuilding

Here,weseethetypeofindustrialnetworkwewouldexpecttoseeindiscretemanufacturing,withPLCs,HMIs,etc.

Thistime,let’sillustrateariskassessmentmoreappropriatetoaplantscenario,wherewemaynothaveaccesstorealisticnumbersorestimatesforthelikelihoodofaphysicalorcyberattack.Inaqualitativeriskassessment,relativityrankingssubstituteforabsolutenumbersorestimatesoflikelihoodandconsequences.Theoutputisaprioritizedlistofrisks,showingwhicharemoresubstantial.

Figures2-5and2-6givetheprocedureforaqualitativeassessmentandtheresultingriskmatrix.Weareevaluatingtwoscenarioshere.Thefirst—aphysicalattack—isasabotageoftheassemblylinebyadisgruntledemployeewithhandtools.ThesecondisacyberattacktosabotagethePLCnetworkthatrunstheassemblyline.

Figure2-5.QualitativeRiskAssessmentExample

Asaresultoftheriskassessmentprocessshowninthesefigures,theriskassessmentteamconcludesthatscenario(b),thecyberattack,ismorethreateningthanscenario(a),thephysicalattack.

2.4 Who’sResponsibleforIndustrialNetworkSecurity?Nowwecometothequestion,“Who’sresponsibleforthe(1)physicalsecurityand(2)cybersecurityoftheindustrialnetwork?”

Let’slookatapossiblelistofcandidates.WithintheCIOorganization,theremightbeanITcybersecuritymanager,pertheorganizationalchartinFigure2-3.Withinthefactoryorganizationanyorallthefollowingmanagersandtechnicalpeoplemightbeinvolved:

• PlantManager

• ProductionManager

Figure2-6.QualitativeRiskMatrix

• EngineeringManager

• AutomationandControlManager

• AutomationEngineer,Technician,andPlantOperator

• FacilitiesManager

• PhysicalSecurityManager

SowhodotheCEOanduppermanagementusuallythinkisresponsibleforindustrialnetworkphysicalandcybersecurity?Forthephysicalsecurityoftheindustrialnetwork,itmaybearguedthatwhoeverisinchargeofplantphysicalsecurity,suchastheFacilitiesorPhysicalSecurityManager,hasthisresponsibility.(Althoughtheplantsecurityguardsareusuallyguardingtheplantentrances,farawayfromtheproductionareaofthefactory,thismighttheoreticallycoverthedisgruntledemployeeattackingthePLCnetworkwithapipewrench!)

But,inmanyconferencediscussionstheauthorhasparticipatedin,theusualansweristhatiftheCEOandtopmanagementrealizethatindustrialnetworkcybersecurityisalegitimateconcernatall,theythinktheCIOandtheITcybersecuritymanagerhavethisareacovered.(Andtheyusuallypointtothecorporatefirewall,corporatecybersecuritypolicies,andthegamutofITsecuritycontrolstoproveit.)

ButifwethengototheCIOorganizationandasktheITcybersecuritymanagershowwelltheyarecoveringthis“newlyassigned”areaofindustrialnetworksecurity,thetypicalanswermightbetheyaretotallyunfamiliarwithcontrolsystems:“EngineeringandProductionhandlethat.”

Asmentioned,thefieldofindustrialnetworksecurityreallybeganinthelate1990sandthenacceleratedfollowingtheSeptember11attacks.SinceSeptember11,alotofprogresshasbeenmadeinthisfieldbythemanyorganizationslistedinSection1.5ofthisbook.

However,incontrasttoITcybersecurity,thefieldisstillyoungandthereisonlyalimitedamountofknowledgeandexperiencetodrawupon.Andunlessacorporationhashadtheforesighttospecificallydesignateanindividualoragroup,oritsentireAutomationandControlEngineeringstaff,tohandlethisveryspecializedareaofindustrialnetworksecurity,therealanswertowhoisresponsibleforindustrialnetworksecurityis“noone!”

Unlikethecommercialcomputingprofession,whichhasincludedcybersecurityasalegitimateareaofstudyandpracticeformanyyears,theautomationandcontrolsareahasnottraditionallyhadmuchcontactwithanyareaofsecurity,especiallycybersecurity.Security,whetherphysical,personnel,orcyber,isjustnotinthecurriculumofthevastmajorityofengineeringandtechnicalschools.Itisslowlymakingitswayintothecurriculuminsomeuniversitiesintheformofindividualcoursesandseminars,butiscertainlynotinthemainstreamyet.

Manymanufacturingcorporationsthatdecidedtobuildanorganizationorentitytohandleindustrialnetworksecurityhaveformedacross-disciplinarytaskforce,committee,orpermanentgroup,consistingofpeopleand/orknowledgeandexperiencefromthefollowingplantorganizations:

• AutomationandControlsEngineering,Production,andMaintenance

• ITCybersecurity

• Safety(especiallyinahazardousworkplace,suchasachemicalplantorrefinery)

• PhysicalSecurity(facilities)

• HumanResources(forpersonnelsecuritymatters)

Onlywhenindustrialnetworksecurityisincludedaspartofanoverallsecurityeffortwilltheproperresources,leverage,andempowermentbeavailabletodothejobwell.Althoughgrassrootseffortsbycontrolengineerstosecuretheirindustrialnetworksarewell-intentionedandcommendable,theywillseldombeenoughtodothejob.Justaswithsafety,thefirststepstartswithownershipandcommitmentbyuppermanagement.

But,asmentioned,topmanagementmaynotrecognizeaclearneedforaneffortinthisarea.Abusinesscaseforindustrialnetworksecuritymayhavetobemadeandpresented.Thefollowingsectiongivessometipsonhowtodothis.

2.5 TipsforMakingtheBusinessCasetoUpperManagement

1. Don’tusecyber“tech-talk”toselltopmanagementonindustrialnetworksecurity.Instead,usealanguagetheyunder-stand—risks,consequences,andthecostofreducingtheriskversusthecostofdoingnothing.Asmuchaspossible,trytoputconsequencesindollarterms.

2. Don’tusethe“sky-is-falling”approachandconcentrateonlyontheworstcasescenario.Thatgetsoldfast.Instead,adduptheconsequencesofinaction—

whetheritbeathreattosafety,losttradesecrets,downtime,etc.Evenbetter,trytoincludeallpossibleconsequencesinanitemizedscenario.

3. Dobeveryspecific.Ifproductiondowntimeisaconsequence,howmanydaysofdowntime?Whatwillthecostbe?Whatwillbethecostofgettingproductiongoingagain,ofcleaningupavirusfromtheindustrialnetwork,forinstance?

4. Dorealizethatyoucan’tprotecteverythingfromeverythreat.Countermeasurestoreducetheriskusuallycostmoney.Andthenecessityofspendingthemoneytopayforthesecountermeasureswillhavetobesoldtomanagement.(Thisisaprocesscalledriskmanagement,whichwewillcoverlaterinthisbook.)

5. Dousepubliclydocumentedcasesinwhichindustrywashitbycyberattacks.Somewell-documentedcasesofcyberattacksaredescribedinChapter4.Thendescribewhattheconsequenceswouldbeifasimilarattackhityourplantorindustry.

2.6 MakingtheBusinessCasewithDataHereisanexampleofhowabusinesscasewasmadeforasignificantITcybersecurityinvestment(1).

ATexasUniversitymedicalcentercybersecuritymanagercalculatedthecostofspamtohisorganizationat$1perspammessage,andthecostofrecoveringfromtheNimbdaoutbreakin2001at$1million.Onthebasisofthesenumbers,hesuccessfullyjustifiedtothechieffinancialofficerthepurchaseofspamfilteringandenterpriseantivirussoftwareandshowedhowthecountermeasureswouldmorethanpayforthemselves.Thebusinesscasewasmadewithhardbusinessdatafromhisorganization,indollars.

Asimilarapproachmightbeusedtoargueforindustrialnetworksecurity.Let’ssayyouareacontrolengineerusingCOTSsoftwareonyourindustrialnetworkandhavehadthegoodfortunenevertohavebeenhitbyavirusorworm.Ifyourcontrolnetworkispartofalargemultinationalcorporation,chancesarethatsomeportionoftheITnetworkinyourcorporationwashit.Anditprobablyhasdowntimeandnetworkrecoveryfiguresthatyoucanuseforyourestimates,aswellashorrorstories.

Byaskingthequestion“Ifthisattackhadhappenedtoourindustrialnetwork(s),whatwouldtheresultbein,say,Xnumberofserversdown,Ydaysoflostproduction,Zdaystocleanupandrecover?”Youmightmakeaconvincingcasethat,sincemajorvirus/wormattackshappenatleastseveraltimesayear,yourcompanymightavoidtheinevitablelossbyinstallingcountermeasuressuchasfirewalls,antivirussoftware,orotherproducts.

References1. Violino,B.“TexasUniversityCalculatesFinancialBenefitsofitsSpam,Virus

Defense.”InternetWeek.comarticle.October29,2003.Retrieved11/11/2004from:

http://www.internetweek.com/showArticle.jhtml?articleID=15600902.

3.0

COTSandConnectivity

3.1 UseofCOTSandOpenSystemsCommercial-off-the-shelf(COTS)describesthemovementofbusinessandcommercialcomputerandnetworkinghardwareandsoftwareintotheindustrialnetworkarea,displacingproprietarydevicesandapplications.Thistrendstarted10to15yearsagoandincludesthefollowing:

• Operatingsystems.MicrosoftWindowsNT®,Windows2000®,andWindowsXP®arebeingusedinindustrialnetworks.IntheUnixworld,flavorsofUnixincludingSunMicrosystems’Solaris®,IBM’sAIX®,andHewlett-Packard’sHPUX®,tonameafew,havealsomovedintoindustry.Mostrecently,theLinuxworldhasenteredindustrialnetworks.

• Databasesoftware,suchasMicrosoftSQLServer®andOracle®databases.

• Hardware,includingWindows®PCs,workstations,andservers,andUnixworkstationsandservers.

• NetworkingproductssuchasEthernetswitches,routers,andcabling.

• NetworkingprotocolsforTCP/IP-basedLANs,usingprotocolssuchasHTTP,SNMP,FTP,etc.

• Developmentlanguages,includingC++,MicrosoftVisualBasic.NET®,MicrosoftC#®,Sun’sJava®,etc.

• ObjectLinkingandEmbeddingforProcessControl(OPC).

• Internet,withstandardorcustombrowsersasprocessinterfacestowebserversinIEDs(IntelligentElectronicDevices).

• WirelessLANsusingtheIEEE802.11protocol.

3.2 ConnectivityOnceCOTSisusedinindustrialnetworks,thebusinesssidedemands,“Nowthatyouhaveopeneditup,connectitsowecantalk.”

Connectivityisdesired:

• betweenthecorporatebusinessnetworkandtheindustrialnetwork,

• forremoteaccesstotheindustrialnetworkfromoutsidethecorporatefirewall,and

• tovendors,customers,andotherbusinesspartnersfromtheindustrial

network.

3.3 WhatYouGetthatYouDidn’tBargainForThemovementtoCOTSandconnectivitygivesyouamultitudeofbusinessadvantages,suchas:

• Standardization

• Compatibilitywithbusinesssystems

• Muchlowerpurchasecost

• Familiarinterfaces

• Lesstrainingtimeandeffort

Withtheseadvantages,youalsogetsome“baggage”tocontendwith:

1. Forcedupdatestosoftwarearemuchmorefrequentthanwiththeoriginalproprietarysystems.

2. Therearemillionsofextralinesofsoftwarecodeforamultitudeoffeatures,manynotwantedorneededinindustrialapplications.

3. TheindustrialworldisnotthebusinessdriverforCOTS.

4. Numeroussoftware-relatedqualityandsecurityissuesexist,inparttheresultofthedrivebyvendorstogetnewsoftwareoutthedoorquickly.

5. Thereisacontinualneedtoinstallpatchesforsoftwaresecurityandproperfunctionality.

Thesedrawbacksareseldomrealizedupfront,whenthesystemsarepurchased.

Thebusinessconceptcalled“totalcostofownership”enablesyoutorealisticallyevaluatethesesystemsbyaddingthecostofmaintenance,updates,patching,etc.,totheup-frontpurchaseorlicensingcostoverthelifeoftheinstalledsystem.Whendoingatotalcostofownershipanalysis,theselife-cyclecostsshouldbeincludedintheanalysis.ThisconceptisdiscussedinReference1.

ItisapparentthatsomeoftheeconomicbenefitsofmovingtoCOTSandconnectinguparenegatedbysomeofthedrawbacks.Forinstance,howmanyproprietaryindustrialnetworksoftwareprogramshaveeverbeenhitbyacomputervirusorworm?

RemediationofattackbyavirusorwormisahiddencostofusingCOTS,whichwillnotshowupduringpurchasebutwhichshouldbeincludedinatotalcostofownershipanalysis.Ifantivirussoftwareispurchasedtopreventthesecyberattacks,thecostofinstallingandmaintainingthissoftwareshouldalsobeincludedinthetotalcostofownershipanalysis.

References

1. Emigh,Jacqueline,“TotalCostofOwnership.”Computer-world.comarticle.December20,1999.Retrieved11/11/2004from:http://www.computerworld.com/hardwaretopics/hardware/story/0,10801,42717,00.html

4.0

CybersecurityinaNutshell

4.1 SecurityIsaProcessSecurityisverysimilartosafetyinthatitisacontinualprocessratherthananendpoint.Acontrolnetworkthatissecuretodaymaybeinsecuretomorrow,becausehackersarealwaysthinkingupnewattacks.

Securingindustrialnetworksinvolvestechnology,buttechnologyisonlyoneingredientofthefinalmix.Successfulindustrialnetworksecurityisacarefullycomposedmixtureofthefollowing:

• Educatedandawareusers

• Appropriateorganizationalstructure

• Securitystrategymatchedtotheorganizationstructure

• Policiesandproceduresthatwork

• Auditandmeasurementprograms

• Securitytechnologyappropriatetotheabovemix,atalevelofsophisticationunderstoodbythosewhouseit

4.2 BasicPrinciplesandDefinitionsWecancarryoversomebasicprinciplesofcommercialcomputerandnetworksecuritytotheindustrialnetworkspace.ThefirstiscalledtheAICtriad.AICstandsforAvailability,Integrity,andConfidentiality.Figure4-1showstheseprinciplesasthepointsofatriangle:

Let’sstartwithavailability.Forindustrialnetworks,availabilitymeansthenetworkisfullyoperationalandavailabletousersandothermachineryandprocesseswhenneeded.Ifthesystemisnotoperating,ornotoperatingcorrectlyforanyreasonwhenitisneeded,thispropertyisnotsatisfied.Itcouldbeunavailableformanyreasons,suchasthefollowing:

Figure4-1.TheAICTriad

• Anunintentionalusererrorcrashedthesystem.

• Thesystemhasacomputervirusorwasjusthackedbyaninsideroroutsider.

• Apowerfailurehasoccurred,andthebackupgeneratorisn’tsupplyingenoughpower.

• Thecomputerroomjustburnedtotheground.

CaseHistory1:LackofAvailabilityTheOmegaEngineeringlogicbomb:OmegaEngineeringisaninstrumentandcontrolvendorinNewJerseythatsufferedheavylossesinMay2000whenitfiredadisgruntledcomputersystemsadministrator(1).Beforeheleftthebuilding,theemployeeplanteda“logicbomb,”which,whenactivated,erasedOmega’sproductionsoftwareprograms.Healsostolethecompany’ssoftwarebackuptapesas“insurance”!

IttookOmegaEngineeringmonthstogetbackintoproductionafterthisincident.Thecompanysufferedheavyfinanciallosses,whiletheircompetitorsgainedgroundonthem.

ThenextAICfactorisintegrity.Integrityincomputersecuritymaybedefinedfromtwoangles:theintegrityofthedata,andtheintegrityofthecomputerhardwareandsoftwareitself.

Integrityofdatameansthatthereshouldbenoinadvertentormaliciousmodificationofdatawhileitisstoredorbeingprocessedonasystem.

Let’sapplythisconcepttoaSCADAsystemforagaspipeline.Ifaremotepressuresensoronthepipelinereads1000psig(processdata),andthatvalueisfaithfullytransmittedtothecentralgascontrolroomandshowsupas1000psigonthemaincontrolpanel,wehavedataintegrity.Ifthevalueshowsupas2000psigor500psig,wehaveaprocessdata

integrityproblem!

Hardware/softwaresystemintegrityimpliesthatthehardwareandsoftwareversionsandconfigurationarecorrectatanygiventime,andonlyauthorizedchangesorupdateshavebeenmade.

Forinstance,hardware/softwareintegrityisflawedifanHMIapplicationwastestedonlywithapreviousreleaseofanoperatingsystem,andtheoperatingsystemsoftwareisupgradedorpatchedwithoutpropercompatibilitytestingandchangeauthorization.

ThethirdAICcomponentisconfidentiality—theabilitytokeepinformationonacomputersystemsecret.Itshouldbeaccessibleonlytopeopleauthorizedtoreceiveandviewandmodifythatinformation,andnooneelse.

Forinstance,achemicalorpharmaceuticalcorporationhasrecipes,formulas,andproductionmethodsitwantstokeepawayfromcompetitorsandtopreventtheinformationfrombecomingpublicknowledge.Thecompanyhasgonetogreatlengthstodeveloporacquirethisinformation.

CaseHistory2:TheftofTradeSecrets

AcaseinvolvingLucentTechnologies(2)illustratesthesignificanceofconfidentialityincomputersecurity.In2001,twoChinesenationalswereindictedforstealingproprietarytelecommunicationscomputercodewhileworkingatBellLabsinMurrayHill,NewJersey.Theywerefirstnoticedwhentheiremployerobservedportionsoftheproprietarycomputercodebeingemailedfromthecompany’snetwork.Theyweresuccessfullyconvictedinoneofthefirstcasesprosecutedunderthe1996FederalEconomicEspionageActprotectingtradesecrets.

4.3 BasicPrinciples:Identification,Authentication,andAuthorizationInadditiontotheAICtriad,threeotherimportantdefinitionsareimportantinclassiccomputerandnetworksecurity:identification,authentication,andauthorization.

Identificationanswersthequestion,“WhoamI?”IfIlogontomycomputerasuserDJT,thattellsthecomputerIamDavidJ.Teumim,alegitimateuserlistedinthepasswordfile.

Buthowdoesthecomputerdistinguishmefromanimposterposingasme?

Authenticationrequiresthatyou“proveit”byreinforcingyouridentity,usingoneormoreofthreepossibleauthenticationfactors:

• Somethingyouknow(apassword)

• Somethingyouhave(ahardwaretokenorkey)

• Somethingyouare(abiometric,likeyourvoiceprintorfingerprint)

Usingmorethanoneauthenticationfactorincreasessecurity.

Forinstance,severalchemicalcompaniesuse“two-factorauthentication”tograntemployeesremoteaccesstoplantcomputersfromtheirhomes.Thehardwaretoken(somethingyouhave)displaysauniquenumberthatchangeseveryminuteaccordingtoarandompattern.Whentheremoteuserlogsin,heorsheentersthenumberonthetoken,alongwithafour-digitfixedPINnumber(somethingyouknow).Therandomnumberenteredbytheusermustmatchthepre-synchronizedrandomnumberonthecompany’scentralsecurityadministrationserver.Onlythenistheusergrantedremoteaccessrights.

Authorizationdealswithwhatyouraccessprivilegesare,onceyouhavesuccessfullyloggedontotheprotectedsystem.Whichsystemfeaturesmayyouuse?Whichsystemprogramsorfilesmayyouview,modify,delete,etc.?

Forinstance,inthecontrolroomofapetroleumrefinery,controlroomoperatorsmayhaveaccesstofunctionsrequiredfornormaloperation,butonlycontrolengineersmaybeauthorizedtoperformotherfunctions,likechangingHMIprogramming.

4.4 MoreCyberAttackCaseHistoriesThissectiondescribessomecontrolsystemattacksthathavebeendocumentedinthepress.

CaseHistory3:SCADAAttackThisincidentisaclassicinindustrialnetworksecurity,thefirstpubliclydocumentedcyberattackonacontrolsystem,inthiscase,awastewatertreatmentSCADAsysteminAustralia.

Inthisincident(3),a49-year-oldmanwhohadworkedforthesupplierthatinstalledacomputerizedSCADAsystemforthemunicipalwastewaterworkswasconvictedofacyberattackonthemunicipality’ssewagesystem.TheattacksentmillionsofgallonsofrawsewagespillingintolocalparksandriversinQueensland,Australia,causingconsiderabledamage.TheconvictedmanwascaughtwithradioequipmentandothercomputerapparatususedtohackintotheSCADAnetworkinhiscar.

CaseHistory4:ComputerWorminaNuclearPlantControlSystemInAugust2003,theNuclearRegulatoryCommission(NRC)issuedaninformationalerttoallnuclearplantoperatorsaboutasituationthatoccurredearlierin2003attheDavis-BessenuclearpowerplantinOhio(4),whichwasinfiltratedbytheSlammerworm.InascenarioalltoofamiliartoITcybersecurityexperts,thewormenteredtheplantbyaroundaboutroute.AT1communicationslinethatledtoanetworktowhichthecompany’scorporatebusinessnetworkwasconnectedbecametheconduitforthewormtoreachandcrashtheSafetyParameterDisplaySystem(SPDS).TheSPDSsystemisanindustrialnetworkthatdisplaysthestatusofcriticalreactorsafetymonitoringsensorssuchascoretemperature,coolantstatus,etc.Fortunately,theplantwasoffline,andabackupanalogsystemcouldbeusedwhilethedigitalsystemwasout.

CaseHistory5:ComputerWormsInfectAutoManufacturingPlantInAugust,2005,thirteenDaimlerChryslerautomanufacturingplantswereknockedofflineforanhourbytwoInternetworms,idling50,000workers,whileinfectedWindows2000®systemswerepatched(5).TheZotobandPnPwormsinfectedsystemsintegraltothemanufacturingprocess.

CouldtheincidentsdescribedinCaseHistories3,4,and5havebeenprevented?Chancesareexcellentthatwithasufficientlyadvancedandwell-thought-outindustrialnetworksecurityprogram,theycouldhavebeen.However,eveninthebest-plannedschemes,thereisnofoolproofprogramtoensureyouwillneverhaveasecurityincident.Ifpreventionfailsandyoudohaveanincident,thegoalofindustrialnetworksecurityistodetectthethreatandmitigatethedamageasquicklyandefficientlyaspossible.

4.5 RiskAssessmentandRiskManagementRevisitedLet’sreturntoourdiscussionofriskassessment,beguninChapter2.

Supposewehaveanindustrialnetworkcontrollingourfactory’sassemblyline.Theassemblylinemachinerycanbeattackedphysically,byadisgruntledemployee,orbyanoutsidehackerwhocangetintothesystembyseveralmeans.

WeintroducedthesetermsinChapter2:

• Asset(Whatyouhavethatyouwanttoprotect.)

• Threat(Thepersonoreventthatcancauseharm.)

• Consequence(Theharmthatcanbecaused.)

• Likelihood(Howoftenthethreatisexpectedtocauseharmoveracertaintime.)

• Risk(Consequencesexpectedoveracertaintime.)

• Countermeasures(Waystoreducerisk.)

Let’snowlookatcyberthreatsinmoredetail,andaddanothertermtoourriskassessmentmodel:vulnerability.

4.6 CyberThreatsMilitary,lawenforcement,andITcybersecurityexpertstypicallybreakdownthecategoryofthreatsfurther,inwhatisknownas“threatanalysis.”

Wecanintroducethefollowingtermsandconcepts:

• Adversary(Whoishe,she,orit?Isitasingleperson,anorganization,oraterroristgroup?)

• Intent(Whatmotivatesthispersonororganization?Anger?Revenge?Money?)

• Ability(Howcapableisyouradversary?Abletowritecustomscriptsforcyberattack?Ormerelycapableofdownloadingscriptsthatotherswrite,andthenrunningthem?)

• Target(Whatistheirimmediategoal?Theirultimategoal?)

Let’sconstructasimplechart,athreatmatrix,todescribetheseconceptsforseveralthreatagents(seeFigure4-2).

4.7 VulnerabilitiesAvulnerabilityisa“chinkinyourarmor,”aninvitingspotorsituationwhereanattackbyanadversaryislikelytosucceed.Forinstance,ifaburglartriesyourlockedfrontdoorandthengoesaroundtothebackdoorandfindsitunlocked,theunlockedbackdoorisavulnerability.

Figure4-2.AThreatMatrix

Inindustrialnetworksecurity,avulnerabilityisaplacewhereacyberattackercanbypasswhateverbuilt-indefensesanapplication,network,oroperatingsystemhasinordertogainprivilegesthatwouldnormallybeunavailable.Thisenablestheattackertoinsertactionsandcommands,orevenbecometheall-powerfulsystemadministratoronanoperatingsystemlikeWindows,oracquire“root”privilegesonaUnixbox.

UsingCOTShardware,software,andnetworkinginindustrialnetworksbringsintothecontrolsworldthesamevulnerabilitiesthatplaguetheInternetandthebusinesscomputingworld.COTSsoftwarevulnerabilitiesareduetothefollowing:

• Complexity.Operatingsystemsandapplicationsoftwarehavemillionsoflinesofcode.Onefigurequotedintheliteraturesaysthereisanaverageofonesoftwarebugper100linesofcode.Somefractionofthesebugswillbesecurityvulnerabilities.(Figureouthowmanysoftwarebugsareina40millionlineprogram!)

• InadequateQualityAssurance.Softwaremanufacturersdonotalwayscatchthesequalityandsecurityflawsbeforetheygooutthedoorasproductioncode.Theymaythinkitsufficienttousesoftwarecustomersas“qualitytesters”andhavethemreportbugstobecorrectedinthenextsoftwarerevision.

• SpeedtoMarket.Competitionandconcentrationonnumerousnewfeaturesleadtorapid-firereleasesofnewsoftwareversions.

• LackofSellerLiability.Themajorityofcommercialsoftwarelicensesdonotholdthesellerresponsibleforanydamagetoyoursystemsfromsoftwarethatdoesnotfunctionproperly.(Contrastthatwiththeliabilityformanufacturersofcars,householdappliances,orairplanes.Iftheseproductscauseinjuryoreconomicdamage,arashoflawsuitsusuallyfollows,sometimesinvolvingpunitivedamages.)

• LackofSecurity-BasedDevelopmentToolsandLanguages.Thestandardsoftwaredevelopmentlanguages,suchasC,C++,andVisualBasic,werenotcomposedwithsecurityinmind.Addingsecurityfeatureswasfrequentlyanassignedorunassignedtaskleftuptotheprogrammer,whoisunderdevelopmenttimepressure.Thissituationisbeginningtochange,astherearenowseminars,books,andsomesoftwaretoolstohelpthedeveloperwritemoresecuresoftware.

Let’slooknextatthemostcommonCOTSsoftwareflawaffectingsecurity—thebufferoverflow.

4.8 ACommonCOTSVulnerability:TheBufferOverflowBufferoverflowscauseanestimated40percentoftheexploitablesoftwareflawsintheCOTSsoftwareenvironment.Sadtosay,theyhavebeenaroundformorethan20years.Weknowhowtofixthisflaw,butthedisciplinetoeliminatebufferoverflowshasnotpermeatedveryfarintoCOTSsoftwaredevelopment.

Inprogramminglanguages,suchastheClanguage,whenyourunafunction(whichissomewhatlikeasubroutine)fromthemainprogram,thememoryareadevotedtoyourfunctionwillcontaina“stack,”orbufferarea.Thestackcontainsthingssuchasthevaluesyouarecallingthefunctionwith,andthelocalvariablesyouwillbeusinginthefunction.Attheendoftheallottedbufferspaceforthefunctionisa“returnaddress”thattellsthecomputerwhatlineinthemainprogramtoreturntoafterithasfinishedrunningthefunction.

Suppose,intheClanguage,youwanttoasktheuserforinputviathekeyboardasataskforyourfunction.Sayyouwanttoasktheuserforhisorher“lastname,”andyoufigureitshouldbenomorethan20characterslong.

Youwouldassignavariablelike“Lastname”tohold20charactersmaximum.ButtheClanguagelacksaninherentmechanismforpreventingamalicioususerfromputtingintoomanycharacterswhentypinginput,andthecomputerwillacceptthoseextracharactersandallocatethoseextraandunexpectedcharactersto“Lastname”inthebuffer.

Acleverhackercancraftaverylongstringofcharacters,followedbyashort,verycarefullyconstructedcommandthatoverwritestheoriginalreturnaddresssittinginmemoryattheendoftheallocatedbufferspace.Thenewreturnaddresstellsthecomputertoreturntoaplaceinthehacker’scode,nottothelegitimateaddressthatwasintheoriginalprogram.Thisoverrunsthebufferwhentheinputisgiven.

Ifthehackeriscleverenoughtocrafttherightcommandsinthatillegitimatestring,heorshecaninsertcommandsthatwillgive“root”privilegesonaUnixboxoradministratorprivilegesonaWindowsoperatingsystemwhenoverflowingcertainprograms.Essentially,thehackernow“owns”thesystem,withonebufferoverflowcommand.Notabadachievementforahackerwhocancrafttherightstring!

Thecleveroriginalhackerwhodiscoveredthebufferoverflowstringmaythenpublishthetechniquetoahackerwebsiteorbulletinboardforother,less-experienced“scriptkiddies”touse.

Aswehaveseen,despitethefactthatbufferoverflowshavebeenknownaboutformorethan20years,andprogrammingtechniqueshavebeendevelopedtofixthem,progressoneliminatingthemhasbeenslow.Newcodecomesouteverydaywithbufferoverflowvulnerabilitiesjustwaitingtobediscovered.Oncetheyarediscoveredinpublishedsoftwarecode(let’shopebysomeoneonthesecuritysideofthefenceandnotahacker),theonlyhopeisforthesoftwaresuppliertoissueacodefixor“patch”forsystemsadministratorstoapplybeforeanewcyberattacktakesadvantageofthevulnerability.

4.9 AttackerToolsandTechniquesLet’slookatsomeofthetoolsandtechniquesouradversariesuse:

• Viruses.ViruseshavebeenaroundsincetheadventofthePC.Theyspreadbyinfectingnewhostcomputerswiththeircode(whichcanbecarriedonaUSBflashdriveorCD),byaprogram,orabymacroforaspreadsheetorwordprocessingprogram.Aviruscanspreadbyemailifitcontainsanexecutableattachmentthatcanbeopened.

• Worms.Awormcontainsself-replicatingcodethatmayspreadthroughanetworklikeaLANortheInternet.Awormspreadscopiesofitselfanddoesnotneedhostsoftwaretospread.

• TrojanHorse.Thisisaprogramthatseemstodosomethingbeneficialwithonepartofthecode,whileahiddenpartofthecodedoessomethingmalicious.AnexampleofaTrojanHorsewouldbeascreensaverthatalsoemailsacopyoftheconfidentialdatafilesonyourcomputertoacompetitor!

• LogicBomb.Thissoftwareprogramliesdormantonacomputerharddriveuntilitisactivatedbyatrigger,suchasacertaindateorevent.Thenitactivatesandcausesmaliciousactivity.

• Denial-of-ServiceAttack.Thiskindofattack,usuallynetwork-based,overwhelmsaserverwithaflurryoffalserequestsforconnectionorservice,

causingtheservertolockuporcrash.

• Botnets.Botnetsarenetworksofinfectedcomputersavailabletodothebiddingof“botherders”whorentouttheirhundredsorthousandofcompromisedcomputersforhackingorcoordinateddenial-of-serviceattacks.

Thehackingcommunityspreadsitsknow-howandwaresthroughavarietyofoutlets:

• Hackingwebsites.ThousandsofwebsitesacrosstheInternetofferadviceandcodeoneverythingfromstealingphoneservicetobreakingintowirelessnetworks.Suchsitesmayevenofferdownloadable“point-and-click”hackingtoolsforthenovice.

• BooksandCDs.Atmostlocalcomputershows,youcanfindinexpensiveCDsloadedwithhackers’toolsand“exploitcode.”

• ChatRoomsandBulletinBoards.ManyhackerswillbragabouttheirtechniquesandoffertosharetheminonlinechatroomslikeInternetRelayConnection(IRC).

4.10 AnatomyoftheSlammerWormNowthatwe’veseenhowouradversaries(disgruntledemployees,industrialspies,andhackers)cangettheirhandsontools(viruses,worms,networkscriptsthatexploitvulnerabilitiesinCOTScode),let’stakealookata2003wormcalledSlammerthatcausedthenuclearplantsafetydisplaymonitoringsystemshutdowndescribedinSection4.4.

TheSlammerwormcausedhavoc,bringingtheentireInternettoacrawlinjust15minutes.Theattackstartedwithasingledatapacket,aUserDatagramProtocol(UDP)packetof376bytestotal(muchsmallerthanpreviouswormssuchasCodeRed,at4KB,orNimbda,at60KB).IttargetedUDPport1434,theportthatMicrosoftSQL(StructuredQueryLanguage)Serverdatabasesoftwarelistensinon.Oncereceived,Slammeroverflowedthebufferwithspecializedcodethatspilledpastthe128bytesofmemoryreservedfortheinput.Itthenhadmachine-languagecodethatcausedthemachinetooverwriteitsowncodeandreprogramitselftosendoutaflurryofnew376-byteUDPpacketstoInternetIP(InternetProtocol)addressesitcalculatedusingarandomnumbergenerator.Thetimingwassuchthatthewormcoulddoublethenumberofinfectedhostsevery8.5seconds,bringingtheInternet,andcorporateLANsconnectedtoit,toacrawlastheavailablebandwidthwasusedup.

Astheprevioussectionindicates,theSlammerwormcloggedupinternalbandwidthattheDavis-Bessenuclearplantindustrialnetwork.Italsocausedconsiderabledamageelsewhere.A911callcenterinWashingtonStatethatusedtheSQLServerdatabasewaseffectivelyshutdown.Emergencydispatchershadtoresorttoacumbersomemanualproceduretomakedountilthesystemcouldbebroughtbackup.

AsynopsisofhowtheSlammerwormspreadisshowninFigure4-3.

4.11 Who’sGuardingWhom?OnefinalobservationwilladdabitofironytoroundoutourdiscussionofCOTSsoftwarevulnerabilities.Let’sassumewehaveasoftware-basedfirewalltoprotectaninternalLANthatweconnectuptotheInternet.WeneedthisfirewalltopreventInternetbasedattackslikeworms,andothernetworkattacks,fromreachingourinternalhostsbecauseweknowthesoftwareonourinternalhostsonourLANmightbesusceptibleto(forexample)bufferoverflowattacks.

Figure4-3.HowtheSlammerWormOperates

Sooursoftware-basedfirewallis“guardingthegate”againstcyberattacksthatexploitbufferoverflowvulnerabilities.Thisgivesusawarmfeelingofsecurityuntilwefindoutthatourfirewallcodeitselfmaycontainbufferoverflowvulnerabilities!(Note:Securityresearchersregularlyfindandpublishinformationaboutsoftwarebugsandvulnerabilities[includingbufferoverflowattacks]withinsecuritysoftware,suchassoftware-basedfirewallsandantivirussoftware).

Oncethesevulnerabilitiesarefoundandpublished,theonlyalternativeforsecurity-conscioussystemsadministratorsistopatchandpatchagain.Thereisanareaofexpertisecalled“PatchManagement”thatisnowapplicabletoindustrialnetworkstoaddresshow,when,wheresoftwarepatchesshouldbeapplied.Withinindustrialnetworks,apatchmanagementprogramassumesaveryimportantrolebecausecriticalinfrastructureisinvolved.

References1. Ulsch,M.SecurityStrategiesforE-companies.Infosecuritymag.comcolumn“EC

DoesIt,”July2000.Retrieved11/11/2004from:http://infosecuritymag.techtarget.com/articles/july00/columns2_ec_doesit.shtml

2. UnitedStatesDepartmentofJustice“FormerLucentEmployeesandCo-conspiratorIndictedinTheftofLucentTradeSecrets.”Cybercrime.govpressrelease,May31,2001.Retrieved11/11/2004from:http://www.cybercrime.gov/ComTriadIndict.htm

3. Schneier,B.TheRisksofCyberterrorism,Crimeresearch.orgarticletakenfromTheMezz.com,June19,2003.Retrieved11/11/2004from:http://216.239.39.104/custom?q=cache:uJQl__6DhAUJ:www.crime-research.org/news/2003/06/Mess1901.html+Schneier&hl=en&ie=UTF-8

4. Poulsen,K.SlammerWormCrashedOhioNukePlantNetwork,Securityfocus.comarticle,August19,2003.Retrieved11/11/2004from:http://www.securityfocus.com/news/6767

5. Roberts,P.F.Zotob,PnPWormsSlam13DaimlerChryslerPlants,August18,2005.Retrieved8/8/2009fromhttp://www.eweek.com/c/a/Security/Zotob-PnP-Worms-Slam-13-DaimlerChrysler-Plants/

5.0

Countermeasures

5.1 BalancingtheRiskEquationwithCountermeasuresInourdiscussiononriskassessmentthusfar,wehavebeenaddingtermstoourlistofriskassessmentfactorsfrompreviouschapterstoarriveatthelistbelow:

• Asset

• Threat

• Consequence

• Likelihood

• Vulnerability

• Risk

• Countermeasures

Let’stakealookattheinterrelationshipsamongthefirstsixtermsinFigure5-1.Then,inFigure5-2,let’sseehowcountermeasuresfitin.

Nowthatwehaveillustratedtherelationshipsbetweentherisktermswithandwithoutcountermeasures,let’ssee,onamorepracticallevel,howcountermeasuresmightbeintroducedintoourquantitativeandqualitativeriskassessmentexamplesfromChapter2.

5.2 TheEffectofCountermeasureUseFigure2-2(Chapter2,Section2.2)showedasimpleriskassessmentillustrationfortheofficebuildingconnectedtothewidgetfactory.Init,weseethattherisk,orexpectedlossperyearfromamild-to-moderatetornadostrikingtheofficebuilding,is$.25million,or$250,000peryear.

Figure5-1.RiskAssessmentBeforeCountermeasures

Figure5-2.RiskAssessmentAddingCountermeasures

Nowsupposewewanttointroduceacountermeasuretoreducetheexpectedlossperyear.Wecancomputethecostofreinforcingtheofficebuildingstructureandspreadthatcostoutoverthesamenumberofyearsasourriskassessmenttimeframefigure,20years.(Notethatthisisarathersimplisticanalysisintermsoftherealityoffinancingbuildingimprovements.)

Let’ssayreinforcingthewallsandrooftopreventtornadodamagewillcost$1million,andwedothistoday.Theriskevaluationforthereinforcedbuildingcoversthenext20years.So$1million/20years=$.05millionor$50,000costperyearfor20years.

Nowlet’scalculatethereductioninexpectedlossperyearbyreinforcingthebuilding.Ourriskwas$.25million,or$250,000peryear,sospending$50,000peryearoncountermeasureswillreduceriskby$250,000.(Note:inpractice,countermeasuresarerarely100percenteffective.Acertainamountofdamageriskperyear,termedresidualrisk,wouldprobablyexistdespiteyourbesteffortsatbuildingreinforcement.)

Notbad—wehavespent$50,000peryeartosave$250,000inrisk.Neglectingresidual

risk,ournetsavingbyriskreductionis:

$250,000saved/year–$50,000spentoncountermeasures=$200,000/year.Itstilllookslikeagooddeal!

Figure5-3showstheriskassessmentforthebuildingafteraddingtornadocountermeasures.

Nowsupposeinsteadwespend$5milliontoreinforcethebuildingandevaluatethatover20years.Wouldthisbeagooddecision?Well,$5million/20years=$0.25million/year.Wewouldspend$250,000oncountermeasurestosave$250,000onannualrisk.Ournetsavingsinestimatedlossperyearwouldbezero!

Figure5-3.OfficeBuilding–PhysicalandCyberRiskAssessment

Wecanseethatweareinapowerfulpositionifwearefortunateenoughtohavehistoricalweatherdamagedatatodrawfromtosupportaquantitativeriskassessment.Wecancalculatewhenacountermeasurewillpayforitselfandatwhatpointitdoesnotmakeeconomicsense.

ThesametypeofanalysiscanbemadeforourindustrialcyberspyscenarioinFigure2-2.However,weshouldrememberthatourrisknumbersandtheeffectofcountermeasureswillbemoreestimatedand,therefore,moreopentovariability.

Let’sturntohowwecanevaluatetheeffectofcountermeasuresinaqualitativeriskassessment.Withaqualitativeriskassessment,wedonotdealdirectlyindollars.Instead,wedeterminewhichrisksaregreater,thenprioritizethespendingofourresourcesoncountermeasures.

Let’sgobacktothefactoryriskassessmentfromChapter2,Section2.3,andthequalitativeriskassessmentprocessandmatrixshowninFigures2-5and2-6.AsFigure2-6shows,scenario(a)(physicalattack)producesa“medium”riskrating,andscenario(b)(cyberattackonthePLCnetwork)producesa“high”riskrating.

Ifwecanintroducecountermeasurestodecreasethelikelihoodofacyberattack,thenwemightbeabletomovescenario(b)fromthe“high”riskzonetothe“medium”riskzone,alongsidescenario(a).WemightdothisbybetterisolatingthePLCnetworkfromtherest

ofthecompanyandtheoutside,orbydecreasingcybervulnerabilities,orbymitigatingtheeffectsofasuccessfulcyberattackwithaquickerormorecompletedisasterrecoveryprogram.

Discussionmightfocusonwhichapproach(es)wouldlowerrisklevelmost,whatcountermeasure(s)touse,howeffectiveeachwouldbe,andsoon.Thecostofeachalternativecountermeasuremightbeestimated,forexample,alongwithhoweffectiveitwouldbeinreducingtotalrisk.

Sowhenweevaluatetheeffectofcountermeasuresinreducingtotalriskinaqualitativeriskassessment,wearereallygoingthroughaprocessanalogoustoourquantitativeexample.

Ariskmanagementstepnormallyfollowstheriskassessmentstep,withtheassessmentteamweighingtheresultsoftheriskassessmentstep.

Therearethreepossibleriskmanagementdecisionstheteamcanmakeoncetheyknowwhattherisksare:

• Accepttherisk

• Minimizeoreliminatetherisk

• Transfertherisk

Acceptingtheriskmeansessentiallytodonothing.Theenterprisechoosestolivewiththeriskandaccepttheconsequencesshouldithappen.

Minimizingoreliminatingtheriskmeanscountermeasureswillbeevaluatedandapplied.(Andtheresidualrisk,leftoveraftercountermeasuresareapplied,willbeaccepted).

Thethirdalternativetransferstherisktoanotherparty,suchasaninsurancecompany.Forinstance,theenterprisewillpayaninsurancepremiumforprotectionfromlossofsalesintheeventofasabotageattack.

Theremainderofthisbookdealswithconstructinganindustrialnetworkcyberdefense.Inotherwords,weareassumingthesecondriskmanagementoptionandfocusonminimizingoreliminatingrisk,ifpossible,byusingcountermeasures.

5.3 CreatinganIndustrialNetworkCyberDefenseAfterwehavedoneaqualitativeriskassessment,wemaydecidetogowiththesecondriskmanagementoptionandfocusonminimizingoreliminatingrisk,ifpossible,bytakingcountermeasures.Howdowegoaboutdecidingonwhatcountermeasuresareappropriateforindustrialnetworksinourchemicalplants,utilitygrids,andfactories?Chapters6–8ofthisbookdealwithconstructinganindustrialnetworkcyberdefense,butwe’lllookatitbrieflyhere.

Figure5-4summarizesthecontentsofChapters6through8.Itshowsthe“Countermeasures”blockfromFigure5-2,separatedintophysicalandpersonnelsecuritycountermeasures,togetherwiththetopicsofChapters6–8ascomponentsofanoverall

cyberdefense.

AsshowninFigure5-4,agoodindustrialnetworkdefensecontainsthefollowing:

• DesignandPlanning

• Technology

• People,Policies,andAssurance

• PhysicalandPersonnelSecurityCountermeasuresandSupport

Figure5-4.CountermeasureComponents

Countermeasuresmayactinavarietyofways,asthefaceofthecountermeasuresblockofFigure5-2shows.Countermeasuresmayactto:

• deteranddetectthethreat(asabarkingwatchdogonthepremiseswoulddetectanddeteraburglar),

• minimizeavulnerability(asbarsonawindowwouldmakeforcedentrymoredifficult),and

• mitigatetheconsequences(aseffectivedisasterrecoveryplangetsahackedserverupandrunningagain).

6.0

CyberdefensePartI—DesignandPlanning

6.1 DefenseinLayersTheprincipleofdefenseinlayersisthatonereliesonmanydifferentoverlappinglayerstopreventaworst-casescenario.Ifonelayerfails,thenextistheretotakeover,andsoon.

Tounderstandhowthisconceptmaybeappliedtoindustrialnetworksecurity,let’sfirstlookatthewaytheconceptisappliedinacommonchemicalprocessingapplicationthatincorporatesaSafetyInstrumentedSystem(SIS).

Onesimplepolymerizationprocessusestwohazardouschemicals,amonomer(chemicalA)andasecondreactant(chemicalB),whichmaybeaninitiatororcatalystforthereaction.Thereactionisexothermic,whichmeansheatisreleasedwhenthetwochemicalsarecombinedandbroughtuptoreactiontemperature.

Figure6-1showsanexampleofthesimplepolymerizationreactionsetup.Init,ourmonomer(chemicalA)flowsfromastoragetankontherightthroughacontrolvalveintothereactor,whereitcombineswithchemicalB,whichflowsfromthestoragetankontheleft,throughacontrolvalve,andtothereactor.Theprocessmaybesequential(i.e.,firstthemonomerischargedtothereactor,thenchemicalBisaddedslowlyduringtheactualreactionstep).

Awell-knownprocesssafetyhazardofpolymerizationisthepossibilityofa“thermalrunaway,”wherethereactionheatbuildsupinsidethereactorvessel,raisingthetemperatureandpressureofthereactionmixtureuntilitburststhereactorvessel,leadingtoanexplosion,fire,andhazardousfluidreleaseintothesurroundings.Theprocesssafetystrategyistokeepthereactionundercontrolbyremovingtheheatthatisgenerated,neverlettingitbuilduptothepointwherethereactionproducesmoreheatthancanberemoved.

Figure6-1.PolymerizationPlantExample

Reference(1)givesacasehistoryofapolymerizationreactorrunawayandexplosionthatwasinvestigatedbytheU.S.ChemicalSafetyandHazardInvestigationBoard.

Tocounterthepossibilityofathermalrunaway,controlsystemssafetydesignuses“layereddefenses”(2).ProtectioninlayersformsthefoundationsofSISdesignbysuchspecificationsasANSI/ISA-84.00.01-2004,FunctionalSafety:SafetyInstrumentedSystemsfortheProcessIndustrySector,andIEC61508,FunctionalSafetyofElectrical/Electronic/ProgrammableElectronicSafety-RelatedSystems.Thesystemdesignercontainsthehazardsofthisprocessbysuccessivelayersofcontrolandmechanicalsystemsprotection,asshowninFigure6-2(3):

Thelayersofprotectionagainstarunawayreactionbeginwiththebasicprocesscontrolsystem(BPCS).IfcontroloftheprocessfromtheBPCSislostandthereactiontemperatureandpressuregotoohigh,then,inthenextlayer,alarmsonexcessivereactiontemperatureandpressurewillsound,requiringmanualactionbyoperatorstoshutdownthereactionprocess.

Figure6-2.LayersofProtectionAgainstaRunawayReaction

Iftheselayersfail—thealarmmalfunctions,theoperatorsdon’trespondorrespondincorrectly,etc.—thenthenextlayer,theSIS,willtakeover.Inourexample,thismightbedonebyshuttingofftheflowofreactantBand/orbyprovidingemergencycooling.

Thenextlayerismechanical(forexample,blowingtherupturedisktoreleasethereactioncontents).Afterthat,additionallayersmightincludeasecondarycontainmentsystem(dikes,etc.),and,finally,emergencyresponse,firstbytheplantandthenbythecommunity.

Theselayersofprotectionshouldbeasindependentaspossible,sothefailureofonelayerdoesnotaffecttheperformanceofthenext.

ASecurityExample

Nowlet’ssayourpolymerizationtakesplaceinasmallchemicalplantthathasanofficebuildinglocatedbesidethecontrolroomasshownonthesitelayoutinFigure6-3.(Inreality,thecontrolroomandofficebuildingshouldbelocatedasafedistancefromthereactionareaandchemicalstorage.)Notethatinthesafetyexample,thehazardwewereprotectingagainstaroseinsidethereactionvessel,andourlayersextendedoutwardaround

it.Inthissecurityexample,weareprotectingfromtheoutsidein.

Figure6-3.PolymerPlantSiteLayout

Let’sincludethebusinessandcontrolnetworksinFigure6-3.Thebusinessnetworkwillservetheofficebuilding,andthecontrolroom/chemicalreactorareawillhaveaBasicProcessControlSystem(BPCS)networkandaSafetyInstrumentedSystem(SIS).

Let’ssayourtaskistoprotecttheofficenetwork,theBPCS,andtheSISfromahackerwhoisbentoncausingarunawayreactionbyusingtheInternettopenetratethechemicalplantthroughthefirewall.Aboveall,wewanttoprotecttheSIS,sinceitisacriticalsafetysystem.NextinimportancetotheprocessistheBPCSand,finally,thebusinesssystem.

DrawingaseriesofconcentricringsaroundfirsttheSIS,thenaroundtheBPCS,andfinallyaroundthebusinessnetwork,asshowninFigure6-4,willhelpusdiscussdefenseinlayersforsecurity.

Figure6-4.CyberDefenseinLayers

Acyberattackerwouldfirsthavetopenetratethecorporatefirewalltogettothebusiness

network(LayerOne).ThenexttargetwouldbetheBPCSnetwork(LayerTwo),andfinallytheSIS(LayerThree).IfonlythebusinessnetworkandBPCSarecompromised,theSISandsubsequentsafetylayerswillacttopreventarunaway.IfboththeBPCSandtheSISarecompromised,arunawayismorelikely.Itcannowbepreventedonlybyadditionalprotectionlayerslikeoperatoractionormechanicalsafetydevicessuchasrupturedisksandsecondarycontainment.Ifallelsefails,theconsequenceswouldbedealtwiththroughemergencyresponse.

Foracybersecuritydefenseinlayerstobeeffective,eachlayershouldhaveitsowndefensesandnotmerely“sitby”passively.Forinstance,thebusinessnetworkmighthaveanintrusiondetection/protectionsystemtodetectandpreventcyberattacksfrombeyondthefirewall.

However,supposeweattachanexternalmodemtotheBPCSnetworkinFigure6-4,sotheprocessengineerscantelecommutetotheplantonweekendsandholidays.Whathappenstoourdefenseinlayersmodelnow?Ifanoutsidehacker,throughwardialingandpasswordguessing,canobtainentrytotheBPCSinonestepinsteadofhavingtohackinthroughthecorporatefirewall,hehaseffectivelybypassedLayerOneandisatLayerTwo.(Awardialerisacomputerprogramusedtoidentifyphonenumbersthatcanconnectwithamodem.)Evenworse,ifthereisamodemconnectionintoLayerThree,perhapstolettheSISvendorcommunicatewiththeSIS,thehackermightbypassbothLayersOneandTwotogainaccess.ThehackermightcommithiddensabotagetoLayerThree,perhapsbydeactivatingtheSIS.ThismightnotbecomeobviousuntiltheBPCSlosescontrolofthereaction,andtheSISisneededtobringthereactionbackintocontrol.

Thisbringsupanotherobservation:Eachlayerofdefenseiseffectiveonlyifthereisnoeasywaytobypassthelayer.

6.2 AccessControlAccesscontrolforindustrialnetworksistheimportantareaofdeterminingandenforcingwho(orwhatdeviceorsystem)hasaccesstothesystemassets,suchastheHMI,theprocesscontrolnetwork,thecontrollers,servers,etc.And,ifaperson,device,orsystemisallowedto“touch”thesesystemassets,accesscontrolspecifies:

• Whatistheirauthorizationlevel?

• Whatdataorsettingsmaytheychange,delete,add,etc.?

• Howwillthisbecontrolledandenforced?

Alongwithcyberaccesscontrol,theparallelareaofphysicalaccesscontrolwilldetermineandenforcewhocanwalkintothecontrolroomorotherphysicallocationwheretheindustrialnetworksarelocated.Tobetrulyeffective,cyberandphysicalaccesscontrolmustacttogether.

Solet’scontinuewithourillustrativeexampleofthesmallpolymerizationplantillustratedbyFigures6-1through6-4,andseehowaccesscontrolintegrateswiththe“defenseinlayers”model.

Althoughitmightnotbetypicallythoughtofinthisfashionforadefenseinlayersmodel,wemightvisualizeLayerOneinthisexampleashavingtworegions:

1. Aperimeter,orboundary

2. Aninteriorarea

ItiseasytovisualizethesetwoLayerOneregionsintheofficeLANinFigure6-4.ThecorporatefirewallseparatestheofficeLANfromtheInternet.Thefirewallrepresentsregion1above,theperimeterorboundary,separatinginsidefromoutside.TheofficeLAN,ontheotherhand,extendingthroughtheofficebuildingandinterconnectingmanydifferentserversandworkstations,istheinteriorareaandrepresentsregion2.

Itisjustasimportanttothesuccessofthedefenseinlayersmodelfortheinteriorregion,theofficeLAN,tobe“hardened,”thatis,nottohaveobviousnetworkorhostvulnerabilities,asitisforthefirewalltobecorrectlyconfigured,monitored,andmaintained.WhathappenswithintheofficeLANiscrucialtomaintainingtheeffectivenessoftheperimeterprotectionofthefirewall.BoththeperimeterandtheinteriorofLayerOnemustacttogether.

Forexample,let’ssaythefirewallisconfiguredandoperatingperfectly.IfanofficeworkerreceivesapieceofmaliciousemailcontaininganexecutableofaTrojanHorse,hisorhermachinemaybe“takenover”andusedtolaunchattacksontheconnectingnetworks.SomeTrojanscanevenestablishanoutboundconnectionfromtheofficeLANhostthatwastakenoverthatgoesoutthroughthefirewalltothehacker’sserverontheInternet.Theoutgoingtrafficfromthemachinethathasbeentakenoverwilllooklikeaninnocentweb(http)connectioninitiatedbythatinternalhost.

Foranotherillustrationoftheconceptofdefenseinlayers,let’snowconsiderbothphysicalandcyberaccesscontrolofLayerTwo.Physicalaccesscontrolwouldregulatewhocancomeintothecontrolroom,whichmayhavealockeddoorwithonlyauthorizedemployeeshavingthekey,forinstance.Onceinsidethecontrolroom,anemployeewouldneedthepropercyberaccess,acorrectloginandpassword,toaccessBPCScontrolfunctions.Accesscontrolalsoincludesauthorizationlevels,whichmightallowcontrolengineerstochangeprocesssetpointsbutnotallowoperatorstoperformthesameactions.

Italsowouldbedesirabletohaveathirdpersonintheloop,acontrolnetworkadministrator,whowouldassignandadministerthelogins,passwords,andauthorizationlevelsinstepwithpersonnelchanges.Inthefollowingsectionsofthischapter,wewilldiscussdifferentsecurityaspectsthat,takentogether,leadtothesuccessofthedefenseinlayerssecuritystrategy.

Theabovediscussion,wherewevisualizeeachlayerofprotectionascomposedofaperimeterandaninteriorarea,isformalizedintheISA-99Part1standardasthe“zoneandconduit”methodforIndustrialNetworkSecurity.

Thezoneandconduitmethodbecomesthetoolforriskassessmentandthenriskmanagementandreduction.TheinteriorareacomprisingLayerOnebecomesthe“zone,”whererisklevelisuniform,andthecorporatefirewallconnectingLayerOnewiththe

Internetbecomesthe“conduit.”ReadersarereferredtoISA-99Part1(4)forfurtherdetails.

6.3 PrincipleofLeastPrivilegeOneconceptwewillborrowfromITcybersecurityforuseinindustrialnetworkaccesscontroliscalled“theprincipleofleastprivilege,”alsoknownas“securitybydefault.”Intheory,thisprincipleisstraightforward,butinpractice,applyingthisprincipleisverydifficultinaconventionalplantcontrolroomwithoperators,supervisors,andengineersloggingontoconsolesusingatypicalsystemofuserloginsandpasswords.Ifweweretoapplytheprincipleofleastprivilegetoaccesscontrolinacontrolroom,wewoulddothefollowing:

• Startbydenyingeverything.Denyallaccessandauthorizationtoeverybody.

• Afterproperidentificationandauthentication,grantaccessandauthorizationprivileges(theabilitytodoauthorizedtasks)foronlythoseminimumsetsoffunctionseachindividualneedstodohisorherjob,andnomore.

• Removetheseaccessandauthorizationprivilegespromptlywhentheindividualnolongerneedsthem,suchasafteranewassignmentorjobrotation.

Manylongtimeemployeesintheprocessindustries“accumulate”passwords—andthereforeunneededaccessandauthorizationprivileges—astheyrotatethroughvariousjobs.Theprincipleofleastprivilegerequiresorganizationstokeeptrackofwhataccessandauthorizationprivilegesanemployeeneedstoperformpresenttasks,andtoallowauthorizationforthosefunctionsonly.

Ifanemployeeorcontractorleavesoristerminatedforcause,byfarthemostimportantaccesscontrolactiontoperformistoremoveallphysicalandcyberaccessandauthorizationprivilegesimmediately.Thismeansgettingbackorinvalidatingallphysicalaccesscards,keys,etc.,andimmediatelydeletingorinvalidatingtheirpasswordsandotherauthorizationsfromeverysystemtheyeverhadaccessto.Itisespeciallyimportanttoremovetheirabilityforremoteaccess(throughmodem,virtualprivatenetwork,etc.).Iftheyhadaccesstoanygrouporsharedaccounts,thosepasswordsshouldbechangedimmediately.

Applyingtheprincipleofleastprivilegeinpracticeisdifficult,ifnotimpossible,withouttherightaccesscontroltechnology.ThedifferenttypesofaccesscontroltechnologiesarecoveredinChapter7.Chapter7discussesrole-basedaccesscontrol,animportanttechnologytoenableadoptionoftheprincipleofleastprivilege,aswellastosimplifyandbettermanageidentification,authentication,andauthorization.

6.4 NetworkSeparationNetworkseparationisaperimeterorboundarydefense,whichwediscussedinSection6-2.Let’slookbackatFigure6-4,CyberDefenseinLayers,andlookattheconnectionbetweenourofficeLAN,inLayerOne,andtheBasicProcessControlSystem(BPCS).

TheprincipleofdefenseinlayersimpliesthatadirectofficeLAN-to-industrialnetwork

connectionisnotagoodidea.AnyonehavingaccesstotheofficeLAN,whetheraccesswasobtainedlegitimatelyorillegally,nowhascompleteaccesstotheindustrialnetworkanditscomponents,includingHMIs,controlservers,etc.

Sowhatshouldourriskteamdoaboutadirectbusiness-to-controlsystemconnection,ifitexists?

ApplyingthebasicriskmanagementchoicesdetailedinChapter5-1,theriskteammayelectto:

1. accepttherisk,anddonothing,leavingadirectconnectiontotheindustrialnetwork;

2. partiallycloseoffthisaccesswithafirewall,filteringrouter,orotherrestriction;or

3. cuttheconnectionbetweenthebusinessandindustrialnetworkscompletely.

Mostcompaniesinthechemicalprocessing,utility,anddiscretemanufacturingindustriessaytheyneedsomeconnectivitybetweenthebusinessnetworkandindustrialnetworktosurvive.Thereisjusttoomuchbusinessadvantagefromhavingsomeformofconnectivityandinformationflow.

Inthewriter’sexperience,mostcompaniesstartedoutwithanunfetteredbusiness-to-industrialnetworkconnection.WhilesomecontinuetoelectOption1,accepttherisk,mostaregoingtoOption2,puttinginaninternalfirewallorothernetworkrestrictionsuchasafilteringrouter.

Chapter10presentsanaccountofthewayalargecompanyhashandledinternalbusiness-to-controlsystemconnections.

FewcompanieswillelectOption3,tocuttheconnection.However,somecompaniesthatneverconnectedtheindustrialandbusinessnetworkstobeginwithmaycontinuetoobservethatpolicy.

References1. U.S.ChemicalSafetyandHazardInvestigationBoardInvestigationReport–

ChemicalManufacturingIncident,ReportNo.1998-06-I-NJ.(April8,1998).Retrieved11/11/2004from:http://www.csb.gov/Completed_Investigations/docs/Final%20Morton%20Report.pdf

2. AmericanInstituteofChemicalEngineers(AIChE),CenterforChemicalProcessSafety.GuidelinesforSafeAutomationofChemicalProcesses.AIChE,1993.

3. AmericanInstituteofChemicalEngineers(AIChE),CenterforChemicalProcessSafety.GuidelinesforSafeAutomationofChemicalProcesses,Figure2-2.AIChE,1993.

4. ANSI/ISA-99.00.01-2007,SecurityforIndustrialAutomationandControlSystems,Part1.ResearchTrianglePark,ISA,2007.

7.0

CyberdefensePartII—Technology

7.1 GuidancefromISA99TR1TheANSI/ISA-TR99.00.01-2007–SecurityTechnologiesforIndustrialAutomationandControlSystemsstandardhasawealthofinformationonITsecuritytechnologyandhowitmaybeappliedtosecuringindustrialnetworks.Eachtechnologyissummarizedaccordingtothefollowingheadings:

• SecurityVulnerabilitiesAddressedbythisTechnology,Toolsand/orCountermeasures

• TypicalDeployment

• KnownIssuesandWeaknesses

• AssessmentforUseintheIACSEnvironmentSystems

• FutureDirections

• RecommendationsandGuidance

• InformationSourcesandReferenceMaterial

ThesectionsinthischaptercoversomeofthetechnologiesdescribedintheISA-99seriesofstandards.Ourcoverageofthesetechnologiesisintendedtobeageneralintroductiontothevarioustechnologiesandhowtheyareused,ratherthanadetailedtechnicalexplanation.

7.2 FirewallsandBoundaryProtectionAfirewallactsasa“gatekeeper”or“trafficcop”tofilterandblocktrafficfromonenetworkgoingtoanother.Let’slookattwocases,illustratedinFigure7-1:

Figure7-1.FirewallIllustration

• Firewall“A”protectsthecorporationbusinessLANfromtheoutsideInternet.

• Firewall“B”isinternalandseparatesthebusinessLANfromtheindustrialnetwork.

Eachfirewallhasasetoffirewall“policies”(nottobeconfusedwiththehigher-levelsecuritypoliciesdescribedinChapter8)thatdetermineswhichhostsornetworksononesidemaytalktohostsornetworksontheotherside.

Itallboilsdowntoayes/nodecisionforeach,whethertopermitordenyeachattemptedconnection.

Asanexample,let’slookatclassesofusersinsideandoutsidethebusinessnetwork,asshowninFigure7-2,andwhatconnectionstheymightwanttoestablish.

Figure7-2.SampleFirewallSetup

IfabusinessLANuserwantstoconnecttoanoutsidewebserver(thefirewall“listens”forattemptsatconnectionviathewebprotocolknownasHTTP),thisis“permitted”(unlessmanagementisclampingdownontoomuchoutsidewebsurfing!)

However,ifabusinessLANuserwantstoconnecttoanoutsidestreaming“RealAudio”server,perhapsthisconnectionwillbe“denied”byCorporateITcybersecurity.

Let’stakealookatattemptedtrafficgoingtheoppositedirection.Ifamachineontheoutside,host“hacker.com,”wantstoconnectfromtheoutsideInternettoaninsidebusinessLANworkstationorserver,thisshouldbeblockedor“denied.”MostcorporationshostawebserverinanintermediatezonecalledaDMZ(DemilitarizedZone)forlegitimateincomingtrafficsuchastogetsalesbulletinsandthelike.

SP99TR1goesontodescribethreedifferenttypesoffirewalls:

• PacketFilter

• ApplicationProxy

• StatefulInspection

Modernfirewallsmaybehardware-based(e.g.,afirewallappliancewithembeddedsoftware)orsoftware-based,runningasapplicationsoftwareonaWindowsorUnixoperatingsystem.Ifsoftware-basedfirewallsareused,theunderlyingoperatingsystemmustbehardened,asdescribedinChapter8,tobeeffective.

AnexampleofamodernchemicalcorporationusinginternalfirewallsisgiveninChapter9.

AlternateInternalBoundaryProtectionNearlyallcorporationswillhaveacorporatefirewall(FirewallAasshowninFigure7-1).However,somemayelectnottogowithafull-fledgedinternalfirewall(FirewallBinthe

figure)toseparatecriticalinternalsystemsfromtheirbusinessLANsandintranets.Adegreeofprotectioncanbeprovidedbyusingarouterwithfilteringcapabilities.Forinstance,usingarouter’sAccessControlLists(ACLs),anetworkadministratorcanselectwhichhostsandnetworksononesideoftheroutercanconnectwithspecifichostsandnetworksontheothersideoftherouter,asdescribedearlierinthissectioninthediscussionoffirewallpolicies.

7.3 IntrusionDetectionIntrusiondetectorsmonitorcomputernetworksorcomputerhosts,lookingforpossibleintrusions.Therearetwogeneraltypesofintrusiondetectors:

• Network-based(NIDS–NetworkIntrusionDetectionSystem)

• Host-based(HIDS–HostIntrusionDetectionSystem)

Anetwork-basedintrusiondetectormaybeattachedtothenetworkitmonitorsbya“networksniffer”arrangement,oritmaybeembeddedintotheoperatingcodeofarouter,firewall,orstandaloneappliance.

Itmaylookforeitherorbothofthefollowingwarningsigns:

• Knownattacksignatures,recognizedfromanup-to-datedatabaseofknownattackssuchasworms.

• Networktrafficanomalies,changesintrafficpatternsthatarestatisticallysuspicious.Forinstance,heavyincomingtrafficonalittle-usedportorIPaddressmightindicateanattack.

Ahost-basedintrusiondetectorismountedonaparticularhostcomputer,suchasaworkstationorserver.Itmayperformaperiodicscanofallcrucialfilesonthehosttolookforsignsofunauthorizedalteration,whichmightindicateacompromiseofthehostsystembyanintruder.Thisactioniscalleda“fileintegritycheck.”Itmayalsomonitornetworktrafficinandoutofaparticularhost,orlookforsuspicioususagepatterns,whichmightindicateanintruderisatwork.

Figure7-3showshowatypicalNIDSandHIDSmightbedeployedinthecorporatenetworkexampledisplayedinFigure7-1.

Figure7-3.IntrusionDetection

Figure7-3showstheNIDSdeployedtolistentoor“sniff”thenetworktrafficjustinsidethecorporatefirewall.ItlooksforsignaturesorpatternsofintrusionfromtheoutsideInternetpastthecorporatefirewall.

Ontheotherhand,theHIDSmonitorsonehost;inthiscase,thehostonthebusinessLAN.

TheactiontakenbyaNIDSorHIDSuponsensingapotentialbreak-incanvary,anywherefromsendinganemailtopagingasystemadministrator.

Anemergingvariationonintrusiondetectioniscalledintrusionprevention.Thisdetectorautomaticallytakesaprearrangedactionuponanysignofintrusion.Forinstance,iftheNIDSinFigure7-3weretodetectananomalyandcausethefirewalltoblocksomeoralltrafficintothebusinessnetworkfromtheInternet,itwouldbeactivelydoingintrusionpreventionratherthanthemorepassivenotificationthatcomeswithintrusiondetection.

OneconcernwithdeployingNIDSandHIDSisthetendencyforfalsealarms,orfalsepositives,whichtaketimeandefforttotrackdown.Justasyoudon’twantaburglaralarmtogooffbecauseitthinksthefamilypetisaburglar,minimizingfalsealarmsisnecessarywhendeployingthistechnology.

7.4 VirusControlSincetheadventofthePC,therehasbeenaconstantstrugglebetweenviruswritersandpeoplewhomakesoftwaretodetectandcontrolviruses.Overtheyears,newandmorecleverviruseshaveevolved,andantivirusresearchersareevolvingmorestrategiestospotandcleanthem.

Theviruspreventionanddetectioncycleisa“chaseyourtail”game.Morethan50,000

virusesareknowntoexist.Alargenumberofthemare“zoo”viruses,whichexistincontrolledlaboratorycollectionsonly.Asweareonlytooaware,however,asignificantnumberof“inthewild”viruseshavebeenreleasedintocyberspaceandhavedonedamage.

Figure7-4showsthedilemmaantivirusresearchersface.

Figure7-4illustratesasituationinwhichaviruswritercreatesatotallynewvirus,oranewvariationonanoldvirus,andreleasesit“inthewild.”Somecomputersgetinfected,andtheirownerssendasampleofthenewviralinfectiontoanantivirusvendor’sresearchteam.

Withinafewhours,theantivirusteamhas“disassembled”theinnerworkingsofthevirusandcapturedthatvirus’sdistinctsignature,orcodepattern,asashortsequenceofbits.Theantivirusvendorthendistributesthatvirussignaturetoitscustomersasanupdateoftheirvirussignaturesfile.

Figure7-4.TheAntivirusCycle

Theproblemisthatthevirussignaturetheydevelopedisvalidonlyforthatparticularvirus.Viruswriterscan“tweak”avirustoalteritscodepatternandmakeanewversionthatwillgoundetected.Viruswritersmaygoasfarasbuyingseveralbrandsofvirusdetectionsoftwareinordertodownloadthelatestsignaturefileupdatesandchecktoseeiftheir“tweaked”virusisdetectable!

Thus,thereisaconstantrunningbattlebetweenviruswritersandtheantivirusresearchcommunity.

Severalantivirusproductstrytodetectnewvirusesforwhichnosignatureisyetavailable.Thisantivirussoftwarewatchesforunusualprogrambehaviororcombinationsofbehaviorsinanefforttoidentifyvirusesupfront,beforeinfection.

Antivirusprogramstypicallycontainthreeparts:

1. TheGraphicalUserInterface(GUI).

2. TheEngine.Thiscontainsthescanningsoftware,whichcomparesfilesonthehostcomputerwiththelatestvirussignaturesfromthesignaturefile.

3. TheSignatureFile.Downloadedatregularintervals,sayeachday,itcontainssignaturesofthelatestvirusesandTrojans.

Virusesmayattackvariouslocationsinoperatingprogramsandmemory.Figure7-5showsjustafewofthemajorvirusesthathaveattackedinhistory,alongwiththetypeofattack.

Figure7-5.SomePastVirusAttacks

SomePastVirusAttacksVirusdetectionand/oreliminationmaybedeployedatthreelevels,ortiers,withintheindustrialnetwork:

• Attheperimeteroftheindustrialnetwork.Virusprotectionmaybebuiltintooraddedontofirewallproducts.

• Atthecontrolserverlevel.Servereditionsofantivirusproductsmaybeusedhere.

• AttheindividualworkstationorPClevel.Forinstance,theworkstationrunningtheHMIconsolemayhaveantivirussoftwaretoprotectagainstemployeesbringingindiskettes,flashdrives,orCDswithviruses.

Atpresent,thereisstillsomeresidualdiscussionaboutwhetherusingantivirussoftwareatthecontrolserverorworkstationlevelwillinterferewithproperoperation.Manycontrolvendorsapproveusingonlyspecificbrandsofantivirussoftwarethathavebeentestedfornon-interferencewithapplicationsoftware.Inaddition,thevendorsmayspecifythatonlycertainfeaturesoftheantivirussoftwaremaybeused,anditmustbeconfiguredacertainway.

In2006areporttitled,“UsingHost-BasedAntivirusSoftwareonIndustrialControl

Systems”wasissued,describingtheresultsofatwo-yearDOENationalSCADATestBedstudywrittenonthesubjectofusinghost-basedantivirussoftwareoncontrolsystems,writtenbytheauthor,SteveHurd,andJoeFalcofromNIST(1).

Ifavirusisdetectedinrealtime,thenextquestionis:Whatistheplantoisolatethenetworksection,cleanthevirus,andthengetbackinoperation?Thisispartofanincidentresponseplanthatmustbesetup.

7.5 EncryptionTechnologiesEncryptiontechnologiesarethepracticalapplicationofthefieldofcryptography,whichmeans“secretwriting.”Cryptographyhasbeenusedinmanyformssinceancienttimestoconcealinformationlestitfallintothewronghands.Amessage,onceencrypted,appearsasgibberishandisofnousetoanadversaryunlesstheadversaryknowshowtoreverseordecrypttheencryptedmessage.

Tounderstandthebasicsofencryption,sometermsneedtobeintroduced:

• Plaintext.The“plainEnglish”versionofatextornumericalmessagetobeconcealed.

• Ciphertext.Theplaintexttransformedbyanencryptionalgorithm,usinganencryptionkey,intoamessagethatisunreadablewithoutbeingdecrypted.

• EncryptionAlgorithm.Themathematicalformulaorprocedureorotherformulathatwillconverttheplaintexttociphertext.

• EncryptionKey.Auniquecombinationofnumbersand/ordigitsthatisusedbytheencryptionalgorithmtoconvertplaintexttociphertext.

Let’sgiveasimpleexampleoftheuseofanencryptionalgorithmwithkey,attributedtoJuliusCaesarandhismethodof“secretwriting.”TheCaesarcipherusesaverysimplesecretkeyalgorithm,calledasubstitutioncipher.Wesubstitutenewlettersforeachletteroforiginaltexttomaketheoriginaltextillegible.

Supposewe’recommunicatingwiththebattlefield,andthemessagewewanttosendis:

ATTACKATDAWN

Ourencryptionalgorithmworksasfollows:Firstwewriteoutthelettersofthealphabet.Thenwewriteoutasecondalphabetbeneaththefirstalphabet,exceptweshiftitoneletterover:

ABCDEFGHIJKLMNOPQRSTUVWXYZ

ABCDEFGHIJKLMNOPQRSTUVWXY

Startingfromthebottomalphabet,whereverwehaveanAinouroriginalmessage,welookdirectlyaboveitandsubstituteaB,inthetop(shifted)alphabet.SoouroriginalmessageATTACKATDAWNbecomestheunreadable

BUUBDLBUEBXO

(Inpractice,wecaneliminatethespacesbetweenwordsaswell.)

Thekeytooursimplealphabetsubstitutionalgorithmisthenumber1.Weshiftedthealphabetoverbyonelettertoformciphertext.Wecouldjustaseasilyhaveshiftedthealphabetby2,sothatAwouldnowbecomeC,BwouldbecomeD,etc.

Caesar’sgeneralinthefield,receivingthecrypticmessageBUUBDLBUEBXOonlyneedstoknowthealgorithmandthekeytogetbacktheplaintextATTACKATDAWN.Usingthetwoalphabetsabove,thegeneralgoesfromtopalphabettobottom,reversingthewaytheencryptionwasperformed.

The“keyspace”isthenumberofuniquevaluesthekeycantake.Whatarepossiblevaluesofthekey?Well,wecanshiftthealphabetbyuptothenumberoflettersinthealphabet,25.(Ifweshift26,wecirclearoundthealphabetandcomebacktowherewestarted.)Sowehave25uniquekeysthatcanbeusedwiththissimplesubstitutionalgorithm.

IftheenemyfindsoutthealgorithmbeingusedistheCaesarcipher,hecantryabruteforceattackagainstthealgorithm,usingonemessageintheciphertexthehasmanagedtointercept:BUUBDLBUEXBO.

Bytryingeachuniquecombinationinthekeyspace,1-25,theenemycandiscoverthekeyused.Inourexample,ifhejusttriesthenumberone,theplaintextbecomesevident.

Ashasbeenmentioned,theCaesaralgorithmiscalledasecretkeyalgorithm.Onlythesenderandrecipientofthemessagemayknowthesecretkey.Ifanadversaryfindsout,allislost.

Writingsecurecryptographicalgorithmsisverydifficult.Thealgorithmmustberesistanttoanattackbyanalysis,calledcryptanalysis.Andthekeyspacemustbelargeenoughthatitwouldtaketoolongtofindthekeythroughtrialanderror(abruteforceattack).

Inourexample,ifdawnandtheattackcomebeforetheadversarycanfindtherightkeybytrialanderrororanyothermethod,thenthealgorithmwillhaveserveditspurpose.

Modern-daysecretkeyalgorithmsusemathematicalcalculationswithkeysizesdescribedintermsofbits.TheDataEncryptionStandard(DES)algorithm,whichisattheendofitsusefullife,uses56bits.AbruteforceattackonDESisverytimeconsumingbutachievablewithtoday’scomputingpower.ItisbeingsupersededbytheAdvancedEncryptionStandard(AES),whichusesuptoa256-bitkey.

Justlikethecat-and-mousecompetitionbetweenviruswritersandantivirusresearchers,thereisarunningcompetitionbetweencryptographers,whodevelopnewencryptionalgorithms,andpractitionersofcryptanalysis,whotrytobreakthembymanydifferentmeans.Atstakearebillionsofdollars—forinstance,ininterbankmoneytransfersthatmightbecompromisedifsomeoneonthewrongsidediscoversthekeyorhowtocrackthealgorithm.

PublicKeyvs.SecretKeyAlgorithms

Secretkeyalgorithms,runningthegamutfromtheCaesarciphertoDESandAESalgorithms,aredesignedtopreserveconfidentiality.(RemembertheAICtriadoutlinedinChapter6?)Theconfidentialityofthedata(plaintext)ispreservedonlyaslongastheadversarydoesnothaveaccessto,ortheabilitytofigureout,thesecretkeybyabruteforceattackoranyothermethod.

Anotherformofcryptography,publickeycryptography,wasinventedin1978bythreeindividuals,forwhomitiscalledRSA:Rivest,Shamir,andAdelman.Itmaybeusedforbothauthenticationandconfidentiality.

Inpublickeycryptographyeachuserhastwokeys,ora“keypair.”Akeypairismadeupofapublickey,whichmaybegivenoutin“publicplaces,”andaprivatekey,whichmustbekeptsecretbytheuser.Thetwokeysaremathematicallyrelated.Figure7-6showshowpublickeycryptographymaybeusedtoensureconfidentiality.

Figure7-6.UsingPublicKeyforConfidentiality

ReferringtoFigure7-6,thereceivergeneratesakeypairandkeepstheprivatekeysecret,butsendsthepublickeytothesender,whowantstosendthereceiveraconfidentialmessage.

Thesenderencryptsaplaintextmessagewiththereceiver’spublickey,thensendstheencryptedmessagebacktothereceiver.Thereceiver,usingtheprivatekey,istheonlyonewhocandecryptthemessage.

Thisillustrationshowswecanuseapublickeyalgorithmtodothesamethingasasecretkeyalgorithm.Inpractice,though,usingapublickeyalgorithmtakesmuchmoreprocessingtime.Itwouldnotbepracticaltousepublickeytoencryptandsendlargeamountsofdata.Inpracticethepublickeyisusedincombinationwithasecretkeyforthispurpose.

Therealadvantageofpublickeyencryptionisthatitmaybeusedforauthentication.

Figure7-7showshowwemayhaveourusersauthenticateeachother.

Figure7-7.UsingPublicKeyforAuthentication

ReferringtoFigure7-7,supposethereceiverwantstobesurethemessagereallycamefromthesender,notanimposter.Ifthesenderandreceiverhadeachgeneratedtheirownkeypairsandthenswappedpublickeys,thiswouldbeachievable.Thereceiverwouldhavethesender’spublickeytobeginwith.Thereceiverwouldaskthesenderto“sign”themessagewithhisorherprivatekey,creatingadigitalsignature.Uponreceivingthemessage,thereceiverwouldcheckthesender’sdigitalsignatureagainsttheircopyofthesender’spublickeytoseeiftheymatched.Iftheydid,themessageindeedcamefromtherealsender,notanimposter.

Aswecanseefromtheaboveexample,iftwousersgeneratekeypairs,theymaybeusedforbothauthentication(digitalsignature)andconfidentiality(encryption).

Inourpreviousexample,thesenderandreceiverhavemetinperson,knoweachother,and,therefore,havea“trustrelationship.”Butwhatifthesenderandreceiverhavenevermetandestablishedthattrustrelationship?Howdoesthereceiverknowthepublickeyreceivedoriginallyfromthesenderreallybelongstothesenderandnottoanimposter?

Theansweristoprovideapublickeyinfrastructure,orawayofcertifyingorguaranteeingthepublickeysaregenuineandreallybelongtotheauthenticsenders.Thisisusuallydonebyanoutsideagencysuchasabankorothercertifyingagency.Theoutsideagencycertifiesinsomewaytothereceiverthatthesenderisauthentic(byrequiringproofofidentity,forinstance)andthepublickeyisgenuine.

MessageIntegrityCheckingWeneedanothertypeofcryptographicalgorithmtocompleteourcryptotoolkit—analgorithmthatcanletusknowifamessagehasbeenalteredinanyway.Acryptographicchecksumdoesthisforus.Usinganalgorithm,itsumsuptheuniquepatternofonesandzeroescomprisingthebinaryrepresentationofamessage,generatingashortchecksum.

Intelecommunications,acyclicredundancycheck(CRC)isusedforthispurpose—aftereveryframeofdataacyclicredundancycheckiscomputedandtackedontotheendofthemessage.Computingacryptographicchecksumensuresthatthemessage/checksum

correspondencecannotbetamperedwith.

Addingacryptographicchecksumtoourtoolkitgivesusmethodstoensureconfidentiality,authentication,andmessageintegrity.

ApplicationofCryptographytoIndustrialNetworkSecurityApplicationsusingcryptographyareenteringthefieldofindustrialnetworksecurityataslowpaceforthefollowingreasons:

1. Encryptionisacomplexsubjectandrequiresanunderstandingofthemathematicalbasisofthealgorithmsused.

2. Addingencryptiontoindustrialnetworkdatatransmissionsaddsprocessingtimetowhatmaybefullyutilizedmicroprocessorsandalsorequiresadditionalcommunicationsbandwidth.Whentalkingaboutresponsetimeinmillisecondsorfordeterministiccontrolapplications,thelatencyor“jitter”introducedcoulddelaycrucialcontrolevents.

3. Keymanagement.Generating,storing,anddistributingkeyscanbeadifficultprocess.Ifusingpublickeyinfrastructure(PKI),asuitablestructuremustbesetup.

7.6 VirtualPrivateNetworks(VPNs)VirtualprivatenetworksfulfillanimportantroleinthenetworkedworldandtheInternet.

UsingtheopenInternet,theyaredesignedtogiveprotectiontodatacommunicationequaltoorgreaterthansendingdataviaadedicatedphoneline.AVPNworksbysettingupasecuretunnelovertheInternetusinganencryptedconnection,andoffersthesethreecapabilities:

1. Identification,Authentication,andAuthorization(see7.7)

2. Integrityofinformationtransfer

3. Confidentiality

Figures7-8and7-9showtwowaysaVPNmightbesetup.

Figure7-8.VPNConfiguration1

Figure7-9.VPNConfiguration2

Figure7-8showsaVPNconfigurationforgivingsecureremoteaccessacrosstheInternet.Here,remotehosts(saytwodifferentemployeesworkingathome)mayaccessacorporateprivatenetworksecurelybysettingupVPNstotheirlaptopcomputers.TheywouldlogintotheirlocalInternetServiceProviders(ISPs),gotothewebaddresssetupfortheircorporation’sVPNequippedfirewall,authenticatethemselves,andbegrantedaccess.

IntheconfigurationshowninFigure7-9,theVPNconnectionallowsprivatenetworkA,shieldedfromtheInternetbyFirewallA,toconnectsecurelywithprivatenetworkB,whichissimilarlyshieldedfromtheopenInternetbyFirewallB.

7.7 AuthenticationandAuthorizationTechnologiesInSection4.3wedealtwiththeissuesofIdentification,Authentication,andAuthorization.Weintroducedtheseconceptsasfollows:

• Identification=Whoareyou?

• Authentication=Proveit.

• Authorization=Nowthatwe’veestablishedyouridentity,whatsetofaccessprivilegesdoyouhave?

Wealsointroducedthethreefactorsofauthenticationasthefollowing:

• Somethingyouknow

• Somethingyouhave

• Somethingyouare

Wecanuseanyfactorofauthenticationaloneorincombinationwithotherauthenticationfactorstohaveastrongerauthentication.

Incyberspace,usingsomethingyouknowtranslatesintousingapasswordorpassphrase.Apasswordisrelativelyshort,sayeightalphanumericcharacters,andapassphraseislonger.Thisisthemosttime-honoredandwidelyusedmethodofcyberauthentication.Thismethodassumesthesystemuserwillenterasecretandcrypticcombinationoflettersand/ornumbers,andthenwillrememberthemthenexttimeheorshewantstologontothesystem.

Anyonenotknowingthiscrypticcombinationoflettersandnumberswouldhavetogetthepasswordfromtheuserbytrickerysomehoworresorttobruteforceguessing,atrial-and-errormethodoftestingallpossiblecombinationsofnumbersandlettersthatmightmakeupapasswordorpassphrase.

Tobeeffective,passwordsorpassphrasesmust:

• Haveenoughcharacterssothetaskofabruteforcetrial-and-errorattackwouldbeprohibitivelytime-consuming;

• Notbeeasilyguessablebyanotherparty;

• Beretainedintheuser’smemoryonly,notwrittendownonslipsofpaper,stickynotes,etc.;and

• Bechangedatreasonableandregularintervals,sayonceortwicepermonth.

Authenticationwith“somethingyouhave”equatestoauthenticationwithakeyorhardwaretoken.Oneofthemostdirectwaystoprovideauthenticationisbyresortingtoaphysicalsecuritydevice,suchasalock,withakeycarriedbytheuser.

Theuserplugsinahardwaretokentogainaccess,perhapsoneintheformofanRadioFrequencyIdentificationDevice(RFID)oraUSBdongle.Anembedded-chipcardorasystemusingamagneticstripemaybeusedalso.

Authenticationwith“somethingyouare”bringsuptherapidlydevelopingareaofbiometrics—thetechnologyofverifyingidentitywithauniquephysicalattributethatisnoteasilyduplicated.Biometricidentificationcanincludethefollowing:

• HandGeometry

• Fingerprint

• Voiceprint

• FaceRecognition

• SignatureRecognition

• IrisRecognition

Thefieldofbiometricshascomealongwayinthelastfewyears.Someoftheabovemethods,suchashandgeometry,havebeenusedinindustryfor20–30years;others,suchasfacerecognition,aremuchnewer.

Biometricsmaybeabusedaswellasusedproperly.

Whensystemdevelopershavetriedtousebiometricsforidentificationandauthenticationtogether,ratherthanforauthenticationalone,theyhavegenerallynotbeensuccessful.Reference(2)isanewsstoryofanattempttousefacerecognitiontocatchcriminalsbytheTampa,Florida,policedepartmentthatfailedtoproduceresults.

IncreasingtheFactorsofAuthenticationGreaterconfidenceintheauthenticationprocessmaybehadbyusingtwoormorefactorsofauthentication,eithermultipleinstancesofthesamefactorordifferentfactors.Forexample,inapopulartwo-factorauthenticationprocessreferredtoinSection4.3,atokenflashingaonetimepasswordthatchangeseachminutecanbeusedasacentralizedlog-inscreen,wheretheusermustinputapassphraseconsistingofauniquefour-characterPINthatdoesn’tchange(somethingyouknow)withtheone-timepassword(alsosomethingyouknow)displayedontheencryptiontokentologonandgetaccesstothecomputingservices.

AuthorizationFinally,let’stalkaboutauthorization.AsintroducedinSection4.3,onceauser(ordevice)isidentifiedandauthenticated,weneedsomewayofallocatingcertainaccessprivilegestothepersonordevice.Whataretheypermittedtodo?Whichfilesmaytheychange,delete,orcreate?

Historically,severalconceptualmodelsofauthorizationhavebeenusedbygovernmentandthemilitary,andbyindustry.

• MandatoryAccessControl.Thishasbeenusedinmilitaryandgovernmentcircles.Hereinformationfilesareclassified“Secret,”“TopSecret,”etc.,andonlypersonswiththematchingsecretortopsecretsecurityclearancemayhaveaccesstothesefiles.Controliscentralized,andbasedonarigidsetofaccesscontrolrules.

• DiscretionaryAccessControl.Thishasbeenusedcommonlyinindustryandcommercialcomputersystems.Here,whoever“owns”theinformationisempoweredtosetlimitsonwhomayaccesstheinformationandwhatprivilegestheyhavetomodifyit.

• Role-BasedAccessControl.Thistypeofaccesscontrolshowsgreatpromiseforindustrialnetworkingsituations.Here,theusersaregroupedintoroles,dependingonwhattheirjobfunctionis.Forinstance,inabank,therolesmightbeteller,headteller,branchmanageretc.,withanumberofindividualsbelongingtoarolegroup.Onceemployeesareidentifiedandauthenticatedwithinthesystem,theirrolesdeterminetheirauthorizationprivileges,nottheirindividualidentities.Onecanseetheefficiencyadvantageif,forinstance,acentralizedrole-basedaccesscontrolsystemwereusedinalargeindustrialcontrolroom.Operators,shiftsupervisors,engineers,andtechnicianswouldeachbeinarolegroupthatwouldhavecertainfixedprivileges.Ifoneemployeeleavesandanotherarrives,eachonlyneedstoaddordeletetheirindividualidentitiestotheroleslistonthecentralizedserver,notaddordeletethemfromaccesscontrollistsonpiecesofindividualsystemsinthecontrollist.

Itshouldbeemphasizedthatidentification,authentication,andauthorizationdon’tpertainexclusivelytopeople.Asecureintelligentdevice,suchasacontrolsensororactuatororaPLConanetwork,mayneedtoidentifyitselftotherestofthecontrolnetworkasthe“realthing”andnotan“imposterdevice.”Andawholesubnetwork(forinstance,aremoteindustrialnetworksegment)mayneedtoidentifyitselftoanothernetwork.Identification,authentication,andauthorizationareformachines,devices,andindustrialnetworksegmentsaswellasforpeople.

References1. Falco,J.,Hurd,S.,andTeumim,D.“UsingHost-BasedAntivirusSoftwareon

IndustrialControlSystems.”NISTSpecialPublication1058(2006).

2. Bowman,L.M.“TampaDropsFace-RecognitionSystem.”Cnet.comarticle.August21,2003.Retrieved11/11/2004from:http://news.com.com/Tampa+drops+facerecognition+system/2100-1029_3-5066795.html

8.0

CyberdefensePartIII—People,Policies,andSecurityAssurance

8.1 ManagementActionsandResponsibilityInChapter2,wesawthattobeeffective,industrialnetworksecurityhastobedrivenbytopmanagementandworkitswaydownthecorporation.Thealternative,a“grass-roots”effortbyautomationandcontrolengineering,maybecommendablebutwillprobablynotgettheattentionandresourcesitneedstosucceedinameasurableway.

Severalkeyfactorsarenecessarytodevelopameaningfulindustrialnetworksecurityorganizationandprogram.Twoofthesefactorsare:

• Leadershipcommitment.Industrialnetworksecurityneedsagenuineplaceintheorganization,aplacethatfitsinwithcorporategoalsforriskmanagementandforcorporateandITsecurity.Thismeanstopmanagementmustbecommitted,andthisoftenmeansaconvincingbusinesscasemustfirstbemade(seeChapter2).

• Anindustrialnetworksecuritycommittee,taskforce,orsimilarentity.ThisentitymaybecalledaProgramTeam.

ResourcesfortheProgramTeammustinclude:

• Personnel

• Budget

• Training

• Organizationalempowermentandauthority

• Acharter,usuallysomehigh-levelsecuritypoliciesthatdetailthemission,structure,goals,andresponsibilitiesoftheProgramTeam

• Afirstproject—asmodestorasambitiousasProgramTeamresourceswillallow

• Aplanforthefirstproject.

8.2 WritingEffectiveSecurityDocumentationSecuritydocumentationcreatesavehicleforinformingyourcompanyaboutrecommendedand/orrequiredpracticesforcybersecuritythatcanbereadandunderstoodbyreadersatalllevelsoftechnicalsophistication.Mostreaderswanttospendaslittletimeaspossiblewadingthroughinformationthatdoesnotapplytothemtogettowhat

theyreallyneed.

Let’stalkaboutITcybersecuritybeforeweconsiderindustrialnetworks.TherearemanydifferentapproachestowritingsecuritydocumentsintheITworld,andtheresultingdocumentationmaybelabeleddifferentlyandbecomposedofdifferentsetsofinformationfromcompanytocompany.

Thewriter’spointofview,afterspendingmanyhoursinfruitlessdiscussionswithpeersoverwhichpieceofpapershouldbecalledbywhatname,isthattheissueisnotsomuchwhatnamewegivetoourdocumentsbutwhetherthedocuments,takentogether,conveytherequiredinformationinanefficientfashion.Also,doesthefinalsetofsecuritydocuments“hangtogether”andproduceacoherentframeworkforthevariousreaders?

Withthisintroductioninmind,let’slookatthebusinesssideofthecompanywedescribedinChapter2.AsetofITcybersecuritydocumentsforthebusinesssideofourwidgetfactorywouldaddresstheseissues,amongmanyothers:

• Web.Downloadingofpornographyorotherillegalcontentbyemployees.

• Email.Virusesandspamcominginwithemail.

• Remoteaccess.AllowingauthorizeduserstoconnectviamodemorVPNandkeepinghackersout.

• Unlicensedsoftware.Keepingemployeesfromusingunpaid-forsoftware.

Whatsortofsecuritydocumentationsystemisbesttoconveyalltherequiredsecurityinformation?ThewriterpresentsthefollowingITcybersecurityframeworkasonesystemthat“hangstogether.”Bynomeansisittheonlywaytoalsostructureasetofindustrialnetworksecuritydocuments,butitisacommonandprovenway.

Thissystemusesfourtypesofsecuritydocuments:

• SecurityPolicies

• SecurityStandards

• SecurityGuidelines

• SecurityProcedures

Classificationofsecuritydocumentsintothecategoriesabovedependsonthemessage,theintendedaudience,thedocument’stechnicalsophistication,andwhetherthemessageandinstructionsarerecommendedormandatory.

Let’sstartatthetopofthelist.Securitypolicyusuallycomesfromhighinthemanagementchainandisashortstatementofthecorporation’spositiononsecurityissues.Forinstance,itmaycomefromashighalevelastheCEOofthecompany,sayingsomethingsuchas,“ThiscorporationbelievesthatITcybersecurityiscrucialtothesuccessofthecompanyforthefollowingreasons:(listreasons).Therefore,wehaveassignedthe(nameofgroup),undertheleadershipof(nameortitleofpersonincharge),toberesponsibleforthisareaandtoreporttomeatregularintervals.”

AmongITcybersecurityprofessionals,theterm“securitypolicy”mayalsobeusedatmuchlowerlevels.Forinstance,thesecuritypolicyforafirewallmaysimplybealistofrulesforsettingupafirewall.AmongITprofessionalsthismaybeanallowableusefor“securitypolicy,”butwemustclearlydifferentiatethisdocumentfromtheCEO’sproclamation!

Wewillshowhowtodothisinanupcomingfigure.Let’snowdefinethethreeothersecuritydocumentslistedabove:

• SecurityStandard.Adocumentthatismandatoryandprescriptive,describinghowtodealwithcybersecurityissues.Forexample,“AfirewallmustbeusedateveryconnectionfromthebusinessLANtotheInternet.”Itmayalsoincludeprovisionssuchasthelevelofapprovalnecessaryforelementsofthesystemnottobesubjecttoacertainpartoftherequirement.

• SecurityGuidelines.Adocumentthatdescribesrecommendedbutnotmandatorywaystosolvesecurityproblemsorsetsforthoptionsforsolvingproblems.

• SecurityProcedures.Detailedtechnicaldocumentsforaccomplishingsecuritytasksandmeantfortheemployeesdoingthework.Asecurityproceduremaybeamandatoryorrecommendedwaytoperformasecuritytask.

Next,let’screateaframeworkonwhichhangthefourtypesofsecuritydocumentswhileallowingfordifferentlevelsofsecuritypolicy.Figure8-1givessuchasecuritydocumentframework.

AsshowninFigure8-1,securitypoliciescascadefromthehighestlevel(CEOlevel)tomid-level(CIOorITcybersecurity)tolowlevel(forinstance,theindustrialnetworksecuritylevel).TheaforementionedProgramTeamthatdecidesandimplementssecuritywithintheindustrialnetworkboundarymightbeanexcellentchoicetowritethelow-levelsecuritypolicies.

Figure8-1.ACybersecurityDocumentFramework

ConsideraspecificexamplefromourlistoftypicalITcybersecurityissues—Internetandemailusebyemployees.Atthetop(CEO)level,theremightbepolicieson“businessonly”useofInternetandemailbyemployees.Atmid-level(CIO),theremightbefurtherpolicyqualificationofwhatconstitutesbusiness-onlyuseoftheseresources,withstandards,guidelines,andprocedurestoenableandenforcethispolicy.

Finally,thelow-levelpolicydescribeshowInternetandemailaccesswillbeaddressedinsidetheindustrialnetworkboundary.

AmajorcybersecurityquestionmaybewhethertoallowcompanyemailandInternetconnectivitytoanycomputerconnectedtotheprocesscontrolnetwork,forfearofspreadingvirusesorTrojanhorsestocriticalprocessnetworks.

Somealternativesmightbeto:

1. allowcompanyemailandInternetconnectivitytoanyoperatororengineeringworkstation,asdesired;

2. allowcompanyemailandInternetconnectivityonlytocertaincontrolledandmonitoredworkstations;or

3. notallowanycompanyemailorInternetconnectivitytoanycomputerontheprocesscontrolnetwork.(Thisisthemostrestrictivesecuritypolicy,andtheapproachfavoredbythewriter.)

However,analternatemeansofprovidingemailandInternetaccesswithinthecontrolroomistoextendthebusinessLANintothecontrolroomasaparallel,“air-gapped”network,andhavededicatedbusinessworkstationsforoperators.Thisway,businessnetworkconnectivityisprovidedwithoutdirectprocesscontrolnetworkaccess.

Butlet’ssayalternative2ischosen.Thesecuritydocumentsmightbeframedaroundthe

mechanismandinfrastructuretoprovidethissolution.

TheSecurityPolicywouldsimplystatethatonlycertaindesignatedandcontrolledworkstationsontheprocesscontrolnetworkcouldbeusedforInternetandemail.

ASecurityStandardmightspecifythetypeandnumberofworkstationallowed,whowillsettheseup,theconfiguration,methodofmonitoring,auditing,etc.

ASecurityProceduremightbetheinstructionstotheIT/ControlEngineeringstaffonexactlyhowtosetuptheseworkstations.

Akeyfeatureofthesecuritydocumentframeworkisthatonegroupofreadersisnotburdenedwithunnecessarydetailmeantforanothergroupofreaders.Thepolicydocumenthasnoneedforthetechnicaldetailsofhowtosetuptheworkstation.Thissecuritydocumentframeworkismodular,concise,andprovidesfordifferentdocumentsfordifferentclassesofreaders.

8.3 AwarenessandTrainingOneareaofsecuritythatisfrequentlyoverlookedisindustrialnetworksecurityawarenessandtrainingforalltheusersofasystemorgroupofsystems.

Securityawarenessisaccomplishedwhenindustrialnetworkusersunderstandtheneedforsecurity,thethreatsandvulnerabilitiesinageneralway,thesecuritycountermeasuresandwhytheyaredesignedthewaytheyare,andhowthelackofsecureoperationofthesesystemswillaffecttheirjobsandthecompany’sbottomline.

Itisimportanttorepeatawarenesssessionstoregularlyremindemployees,contractors,andotherusersofthesystemofthesemattersandtokeepthemuptodateonchanges.

Someformatsforawarenesssessionswithemployeesmightbe:

• Livesecuritytalksorpresentations

• Printedmaterials,suchasbrochures,posters,etc.

Thesecurityawarenessprogramisforeverybody—allwhowilluseorcomeincontactwiththesystems.Ontheotherhand,securitytrainingisspecific.Securitytopicsmaybepresentedinself-taughtsessionsorinmoreformalclassroomsessions.Forinstance,trainingnewengineersonthemethodforsecureremoteaccessoveraVPNmightbeasuitabletopicfora“hands-on”trainingsession.

8.4 IndustrialNetworkSecurityAssuranceProgram:SecurityChecklistsSecuritychecklistsarelistsofroutineactivitiesthatmustbecompletedtoaccomplishacertainsecuritygoal,suchassecuringahostornetwork.Theyareusedextensivelyforday-to-dayactivitiesinITcybersecurityandmayalsobeusedforindustrialnetworksecuritytasks.Let’slookatsomefunctionssecuritychecklistsprovideinITcybersecurity.

OnewayCOTSsoftwarecanbevulnerabletocyberattackisbyhavingopenportsand

servicesonthehostcomputerthataren’tbeingused,therebyopeningavenuesofattack.Thisismuchlikeleavingmanydoorsinabigbuildingunlockedeventhoughnooneusesthesedoors.

COTSoperatingsystems,wheninstalled“outofthebox,”frequentlyleaveservices(fromwebserverstoexotic,little-usedservices)andportsopenbydefault.Itistheoppositeofthebasicsecurityprinciple—thePrincipleofLeastPrivilege—describedpreviously.Ifportsandservicesarenotclosedinasystematicprocedure,theseopendoorsmakecyber-attackeasier.

AnotherwayCOTSsoftwaremayinvitecyberattackisbyleavingunpatchedvulnerabilities.Asdiscussedpreviously,manyvulnerabilitiesinCOTSsoftwareforbusinessandindustrialnetworkapplicationsarecodedintothesoftwareduringthedevelopmentprocessandthennotcaughtinacodeinspectionorqualityassuranceeffortbeforerelease.WesawinChapter4thatasimplebufferoverflowconditionisresponsibleformanysecurityvulnerabilities.

Unfortunately,thesevulnerabilitiesarethenfoundoneatatimebysecurityresearchersorbythehackingcommunity.Ifavulnerabilityiscaughtbyasecurityresearcher,perhapsafterausercomplaint,theresearchershouldworkwiththevendortoensurethatapatchisdevelopedandavailableatthesametimeasthevulnerabilityismadepublic.

Thisgivesconscientioussystemadministratorstimetodownloadthepatchfromthevendor’swebsiteandfixtheirsystems,hopefullybeforeanewvirusorwormtargetingthatvulnerabilitycanbeinventedbyahacker.

Vendorsandnon-profitsecurityorganizationshavesecuritychecklistsandevenautomatedsystemconfigurationtoolstoidentifyandclosetheunneededportsandservicesdescribedabove,aswellastocheckonsecuritypatchlevelandinstallation,inastep-by-stepfashion.

Thisprocessofpatchingvulnerabilitiesandturningoffunneededportsandservicesforyourcomputersandnetworkequipmentisknownas“hostandnetworkhardening.”

Anexampleofacoordinatedhostandnetworksecurityhardeningprojectisaprogrambegunin2003bytheNationalInstituteofStandardsandTechnology(NIST).NISTbegantogatherandputintoadatabasemanydifferentsecuritychecklistsandautomatedconfigurationtoolsetsfurnishedbysuchcompaniesandorganizationsasMicrosoft,theNationalSecurityAgency(NSA),andothers.(1)

Theconceptofhostandnetworkhardeningandsecuritychecklistsmayalsobeappliedtoindustrialnetworksecurity.Someapplicationsmightinclude:

• checkinganindustrialnetworksecurityconfigurationbeforeputtingitintoproductionmodeor

• hardeningaWindowsorUnixhostbeforeconnectingittoanindustrialnetwork.

BeforeusinganITsecuritychecklistforanindustrialnetwork,oneadditionalstepis

necessary:lettingtheindustrialnetworkvendorreviewandtestthechecklistactivities,includingclosingportsandservicesandapplyingpatches,toensurethatchecklistactivitiesarecompatiblewiththeapplicationsoftwareasinstalled.Figure8-2givesasimpleflowchartthatincludesthisextrastep.

Figure8-2.IndustrialNetworkHardeningFlowchart

Once“blessed”bytheindustrialnetworkvendorasinFigure8-2,securitychecklistsmaybeveryeasilyincorporatedintothesecuritydocumentframeworkoutlinedpreviously,atthelevelofstandards,guidelines,orprocedures.Theywillsavetime,improveuniformityandconsistencyofsecurityefforts,andhelpensurethatorganizationalknowledgeofindustrialnetworksecurityisnotlostifkeypeopleleavethecompany.

8.5 SecurityAssurance:AuditsSecurityauditsarealsofrequentlyusedinITcybersecurityasameansof:

• checkingthatchangestoanetwork’ssetupandconfigurationaresatisfactoryandagreewithestablishedsecurityproceduresbeforeallowingthenetworktobeputintonormaloperation,

• reviewingsecuritylogs,frequentlywiththeaidofsoftwareaudittoolstoautomatethelogscanningprocedure,andlookingforsignsofanintrusionorcompromise,and

• performinganoutsideandindependentauditonthenormaloperationofsecurityfeaturesbysystemsadministratorsorothers.

Usually,auditorsarespeciallytrainedinITcybersecuritytechniques.OneorganizationthattrainsITcybersecurityauditorsistheInformationSystemsAuditandControlAssociation(ISACA).AuditorswiththecertificationISACAsponsors,whoareknownasCertifiedInformationSystemsAuditors(CISA),areskilledinavarietyofauditingmethodologiesforvariousITsystemsandapplications.

Inasimilarvein,anindustrialnetworkalsoneedsaperiodicaudittoensurethatsecuritycountermeasuresaresetup,configured,andoperatingproperly.

Thegoaloftheindustrialnetworksecurityauditoristofindoutifthecountermeasuresdesignedintothesystemarestilloperatingeffectively,thewaytheyweredesignedandintendedtooperate,orifmaintenancehasfallenoffandthecountermeasureshavenotbeenupdated,yieldinganineffectivecyberdefense.

8.6 AddinginPhysicalSecurityAsChapter2emphasizes,physicalsecurityplaysamajorroleinthesecuritydefenseofanysegmentoftheindustrialplant,includingtheindustrialnetwork.Physicalsecuritycountermeasurestopreventordeterunauthorizedentryand/oraccessincludemeasuressuchaslocksondoorsandwindows,fences,andsecurityguards.Countermeasurestodetectunauthorizedintrusionsincludeburglarandintrusionalarms,closed-circuitTV(CCTV)cameras,andvideorecordersforthosecameras.MorerecentlytherearevideoanalyticssoftwarepackagesforCCTVsystems,whichcanalertoperatorstosuspiciousorunauthorizedmovementsofpeopleinrestrictedareas,etc.Physicalsecurityhasbeenaroundforhundredsofyears,andquiteanumberofsophisticatedphysicalsecuritydevicesareonthemarket.

Therearemanygoodsourcesofinformationonphysicalsecurityinaplantenvironment.TheAmericanChemistryCouncil(ACC)hasafairamountofmaterialonphysicalsecurityinitspublication“SiteSecurityGuidelinesfortheU.S.ChemicalIndustry.”(3)

ASISInternational,aninternationalorganizationofsecuritymanagementprofessionals,hasawealthofgoodarticlesandresourcesonphysicalsecurityonitswebsite(4),includingarticlesfromitsmonthlymagazine,SecurityManagement.

ButperhapsthebestadviceonphysicalsecurityfortheindustrialnetworksecurityProgramTeamisalsotheeasiesttofollow:AsurgedinChapter2,includearepresentativeofphysicalsecurityorfacilitiesmanagementinriskassessmentandotheractivitiesoftheindustrialnetworksecurityTeam.Withoutphysicalsecurityrepresentation,animportantperspectivewillbemissing.

8.7 AddinginPersonnelSecurityLikephysicalsecurity,personnelsecurityisanotherimportantcomponentnecessarytoroundouttheindustrialnetworksecuritydefenseforanindustrialplant.Someofthemorecommonpersonnelsecuritycontrolsincludethefollowing:

• Backgroundscreeningchecksbeforehiringemployeesandcontractors.Thesemayincludecriminalrecordchecks,creditchecks,drivingrecords,educationrecords,etc.

• Aclearstatementofcompanysecuritypoliciesandthesecuritybehaviorexpectedofemployeesandcontractors.

• Companytermsandconditionsofemployment,includingmeasuressuchasemployeerightsandresponsibilitiesanddetailingoffensestosecuritypolicies,disciplinaryactions,etc.

• Incidentinvestigation.Manybigbreachesofsecurityareprecededbysmallbreaches.Allsecurityrelatedincidentsshouldbeinvestigatedandtheindividualsinvolvedmonitoredforindicationsoffurthersecurityviolations.

• Recheckingemployees’andcontractors’backgroundsperiodically,especiallyafterasecurityviolation.Thisshouldbedoneinlinewithcompanypersonnelpolicies.

Aswithphysicalsecurity,personnelsecurityhasbeenaroundalongtime.Therearemanyresourcesoutthere,andmanypractitioners.ThepreviouslymentionedACC“GuidetoSecurityatFixedChemicalSites”hasanumberofpersonnelsecurityguidelinesandrecommendations.But,asmentionedpreviouslyinSection8.7regardingthefieldofphysicalsecurity,thebestadvicethewritercangivewithpersonnelsecurityissimplytohaverepresentativesofpersonnelsecurity,whethertheHRdepartmentormanagementoranothergroup,sittingatthetablewhentheriskassessmentteamortheindustrialnetworksecurityProgramTeammeets,andtomakesurethattheirpointofviewisincluded.

References1. ComputerSecurityResourceCenter(CSRC)SecurityChecklistforCommercialIT

Products.NationalInstituteofStandardsandTechnology.Lastupdated10/19/2004.Retrieved11/11/2004fromhttp://csrc.nist.gov/checklists/.

2. Kirk,M.“EligibleReceiver”fromPBSFrontlinedocumentary“CYBERWAR!”OriginallyBroadcast4/23/2003.Retrieved11/11/2004fromhttp://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/.

3. AmericanChemistryCouncil,ChlorineInstitute,andSyntheticOrganicChemicalManufacturersAssociationSiteSecurityGuidelinesfortheU.S.ChemicalIndustry.10/2001.

4. ASISInternationalWebsite.Retrieved11/11/2004fromwww.asisonline.org.

5. Kaplan,D.“AttackCodeReleasedforSCADASoftwareVulnerability.”SCMagazinearticle,Sep.8,2008,Retrieved8/30/2009fromhttp://www.scmagazineus.com/Attack-code-released-for-SCADA-software-vulnerability/PrintArticle/116387/.

9.0

NewTopicsinIndustrialNetworkSecurity

9.1 RedTeaming:TestYourselfBeforeAdversariesTestYouRedteamingtracesitsrootstowarfarewherecommandersneedtotestandrefinetheirowndefensesandbattleplanstoferretoutweaknesses,studyadversarytactics,andimprovetheirstrategies.Sincethisbookcoversindustrialnetworks,ourfocuswillbeoncyberredteamingusedtoevaluatesecurityquestionsrelatedtothesesystems.Cyberredteaminghasstrongtiestobothnetworkvulnerabilityassessmentandpenetrationtesting.

Cyberredteaming,asyoumightexpect,isaratheryoungfield,butitismaturingasredteamshavebeguntocollaborate,exchangingideas,sharingtools,anddevelopingnewtechniques.Overtime,differentgroupshavecometousecyberredteaminginoneformoranother,applyingittoanswerdifferentquestions(e.g.,Aremypersonnelpreparedtodefendmynetworkfromacyberattack?andWhichofseveralsecurityapplianceswillbestprotectmynetwork?),andindifferentdomains(e.g.,cyberandphysical).

Butwhatexactlyisredteaming?Akeyfactoristhatredteamingismission-driven.

Manydifferentgroupsperformredteamingandusedifferingterminology,techniques,andprocesses:commercialsecurityfirms,variousmilitaryunitsandgovernmentagencies,andnationallaboratories.Ifonewantstounderstandagroupthatperformsredteamassessmentsthenfirstonemustunderstandwhatthatgroupmeansbyredteaming.Forinstance,SandiaNationalLaboratories’InformationDesignAssuranceRedTeam(IDART™)groupdefinesredteamingas“authorized,adversary-basedassessmentfordefensivepurposes.”TheIDARTgroupadvocatesthatredteamassessmentsbeperformedthroughoutanycybersystemlifecyclebutespeciallyinthedesignanddevelopmentphasewherecooperativeredteamassessmentscostless,andcriticalvulnerabilitiescanbeuncoveredandmitigatedmoreeasily.

9.2 DifferentTypestoAnswerDifferentQuestionsTheIDARTgrouphasbeenredteamingfortheU.S.governmentandcommercialcustomerssince1996andiswidelyknownintheredteamcommunity.IDARTidentifieseightuniquetypesofredteamingthatcanbeperformedindividuallyorcanbecombinedwithothertypes.Theyarequicktopointoutthatcareful,detailedplanningofaredteamassessmentrequiressignificantcommunicationbetweenassessmentcustomersandtheirredteam.Experiencedredteamsshouldprovidetheircustomerswithtechnicaloptionsforanefficientandeffectiveassessmentprocessthataddressestheircustomers’securityconcerns.

TheeighttypesofredteamingidentifiedbyIDARTintheirRedTeamingforProgram

Managerscourseare:

1. Designassurance(toimproveneworexistingsystemdesigns)

2. Hypothesistesting(tomeasureperformanceagainstawell-formedhypothesis)

3. Redteamgaming(toevaluateadversaryattackdecisionmakinginagivenscenario)

4. Behavioralanalysis(toanalyzeadversariesinordertoidentifyindicationsandwarnings)

5. Benchmarking(toproduceaperformancebaselinethathelpsmeasureprogress)

6. Operational(totestpersonnelreadinessanddefensivetactics,techniques,andprocedures)

7. Analytical(toformallymeasureandcompareavailableadversarycoursesofaction)

8. Penetrationtesting(todeterminewhetherandbywhatmeansanadversarycancompromisesystemsecurity).

9.3 RedTeamingIndustrialNetworks–Caution,It’sNottheSame!Mostredteamsdon’tassessindustrialnetworksbecausetheylackthespecializedknowledgeandtrainingrequiredtoassessthesensitivecomponentsfoundinindustrialnetworks.Industrialnetworksprovidecriticalreal-timeornearreal-timecontroloverphysicalprocesses,andcyberredteamingsometimesresultsinintentionaloraccidentaldenials-of-service.Activenetworkassessments(includingpenetrationtesting)shouldalmostneverbeconductedinaproductioncontrolsystemorcontrolsystemnetwork.

Whereacontrolnetworkinterfaceswithabusinessnetwork,cyberassessmentteamsshouldbeexpertinunderstanding(andverifying)thenetworkboundariesandhowtrafficispassedbetweenthenetworks.Vulnerabilityscansandnetworkfoot-printingactivitiesroutinelyexecutedbybothnetworkadministratorsandindependentassessmentteamsintraditionalITnetworkscanhaveextremelyadverseimpactsonindustrialnetworks.

Insteadofconventionalactiveassessments,industrialnetworkstakeholdersmustenableassessments(includingredteaming)byusingpassivetechniquesandisolatedtestsystemsandnetworks.Still,integratingredteamassessmentsintoindustrialnetworkenvironmentsdemonstratesanaggressive,proactive,security-consciousculture.Thekeystosuccessarewhatformofredteamingisimplemented,whoisontheteam,andthataresponsible,safestrategyisadoptedtoprotectagainstaccidentaldamageand/ordisruptiontothenetwork.

9.4 SystemSecurityDemandsBothPhysicalSecurityandCybersecurity

Physicalsecuritysystemsareevolvingtobeincreasinglydependentoncybersystemsandinformationtechnology.Forinstance,physicalaccesscontrolsystemsatsensitivemilitary,government,andcommercialinstallationsusecomputers,sensors,communicationsnetworks,databases,andotherelectronicinformationtechnology.SuchsecuritysystemnetworksarenearlyindistinguishablefromanyotherkindofITnetwork.

Indeed,newindustrialnetworkstandards,suchasthosecontainedinNERCCIP,mandatephysicalsecuritysystemshavinggreatercapabilities.Thesesystemscontainfunctionality(likestreamingvideo)thatrequirebandwidththatisnotfoundina24-Kbprocesscontrolline,butwhichisfoundina100-to1000-Mbbusinessnetwork.

Oneeasysolutionfornetworkownersistorunthephysicalsecuritycommunicationsthroughthebusinessnetwork,andperhapsestablishaWiFiconnectionforremotesensors.Theproblemisthatifsomeoneissuccessfulincompromisingthebusinessnetwork,theyarenowwithinstrikingdistanceofthephysicalsecuritysystem.Anotherapproachmightbetorunsomeorallofthephysicalsecuritysystemcommunicationsthroughthecontrolsystemsnetwork.Insomeinstancesthiscanworkwell,butinothersitcanrepresentabigrisktothecontrolsystemsnetwork.

Thebottomlineis,giventheemergingtrendinphysicalprotectionsystems–incorporatingCOTSnetworkingtechnologiesandcommunicationsprotocols–acapableadversary(outsiderorinsider)isbutastone’sthrowawayfromchangingaphysicalsecuritydatabaseandlettingsomebodyinsideasensitivefacilitywhomyoudon’twantinside.

Becauseattacksagainstanykindofsystemornetworkcanusephysicalmeans,cybermeans,orboth,acomprehensiveapproachtosecurityrequiresassessmentsofbothphysicalsecurityandcybersecurity.Evenmore,systemdefendersmustunderstandtheconceptofblendedattacks,wherebyanattackerusesphysicalmeanstoenablecyberattacks,andcybermeanstoenablephysicalattacks.Systemownersanddefendersshouldconsiderthatcyberredteamingtheirindustrialandadministrativenetworkswithoutalsoredteamingtheirphysicalsecurityisinadequate.

Finally,performingredteamassessmentsisnotataskforamateurs.Evenprofessionalsecurityorganizationsthatlackspecificexperienceinredteamingshouldconsultwithexperiencedredteamstoconsideravarietyofassessmentquestions,options,recommendedpractices,legalities,andlessonslearnedbeforeattemptingtoimplementaredteamassessment.

9.5 TheTransportationConnection:PassengerRailandCybersecurityBy2005manyindustrysectors,suchasoilandgas,chemicals,andelectricpowerwerealreadyawareof,andworkingon,aspectsofindustrialnetworksecurity.Muchofthecriticalinfrastructureinthesesectorsisprivatelyowned;whataboutpubliclyownedinfrastructure,suchasinthetransportationsector,particularlypassengerrail?

ThepassengerrailindustryintheUnitedStateshasaninterestingvarietyofsystems.Itcontainssomeoftheoldestandlargestsubwaysystemsintheworld,includingNewYork

CityTransit.TothatonemayaddshowpiecesubwaysystemslikeWashington,D.C.’sWMATA,new,sleeklightrailsystemssuchasHoustonMetro,andadvancedpeople-moverandcommuterrail.

Passengerrail,aswithothercriticalsectorsmentionedearlierinthisbook,hasnotbeenwithoutitscyberincidents.Forinstance:

• In2003acomputervirusshutdowntheCSXsystem.Amtraktrains,whichnormallyusethefreightcompany’srails,werelikewiseshutdownforhours.(1)

• In2007a14-year-oldPolishteenagerinthecityofLodzhackedintothecity’stramsystem,causingtwostreetcarstocollidehead-onandsendingpassengerstothehospital.(2)

• In2006inToronto,ahackerchangedtheelectronicpassengeradvertisingontrainsignboardstodisplayadisparagingcommentaboutCanada’sprimeminister.(3)

Inthesummerof2005,thewriterapproachedAPTA,theAmericanPublicTransportationAssociation,withaproposal.APTAisthetradeassociationforNorthAmerica’spassengerrailandbuspublictransitagenciesandassociatedindustry.Publictransit,coveringeverythingfrombigcitysubwaysandcommuterrailtonewerlightraillines,wasundergoingachangeincontrolsystemsfromoldelectromechanicalrelayandserialcommunicationssystemstomodernindustrialnetworksusingPLCs,fiberoptics,wideareanetworks(WANS),andInternetprotocol(IP)-basedcommunication.WouldAPTAbeinterestedinjumpingonthesamebandwagonastheindustriesmentionedabove,andsupportacontrolsecurityinitiative?

ThewriterrecallsthemeetingwithAPTA’sstaffattheirWashington,DCheadquarters:“Ihadtheusualarticlesaboutcontrolsystemsecurity,concerningcomputervirusesandworms,andIwasmakingmoderateprogress,whenIdecideditwastimetopulloutmyheavyammunition:acopyof2600,theHackersQuarterly,Spring2005edition,freelyavailableinmanybigbookstores.

ThispublicationhadaarticleonhackingtheMetroCard®farecollectionsystem,whichisusedbyanumberofbigcitysubwaysystems.Theauthorofthe2600articlehadreverseengineeredtheinformationencodedonthemagneticstripesonthesecards,andresearchedtheoriginalpatentsonthesystemtogainknowledgeofthetechnicaldetails.Itwasafulldescriptionofthesystem,howthecardsareencoded(andhowtodecodethem),howtheoreticallythecardscouldbeoverwritten(withadisclaimertotheeffectthattheauthorsurelywouldn’twantanyoftheirreaderstodoanythingillegalsuchastryingtochangetheamountstoredonthecardsandtrytousethem!).Inall,thearticlewasveryprofessionallydone,andwouldhavemadeanytechnicaleditorproud.”

Thatarticledidit!IhadmadeasaleonthevalueofindustrialnetworksecuritytoAPTA.Withsomemoreawarenessandorganizationalefforts,theAPTA“ControlandCommunicationsSecurityWorkingGroup”wascreatedandfunded.Atthetimeofthiswriting,Part1oftheRecommendedPractice“SecuringControlandCommunications

SystemsinTransitEnvironments”isintheballoting/approvalstage.Part1containsgettingorganizedandbackgroundinformationfortransitagencies,upthroughriskassessment.Part2willfollow,whichwillcontaindevelopingasecurityplananddesigning,installing,andmaintainingsecuritycontrols.

References1. Hancock,D.“VirusDisruptsTrainSignals.”CBSNews.comarticle,8/21/2003.

Retrieved8/2/2009fromhttp://www.cbsnews.com/stories/2003/08/21/tech/main569418.shtml.

2. Leyden,J.“PolishTeenDerailsTramafterHackingTrainNetwork.”TheRegister,1/11/2008.Retrieved8/2/2009fromhttp://www.theregister.co.uk/2008/01/11/tram_hack/print.html.

3. Leyden,J.“HackersLibelCanadianPrimeMinisteronTrainSigns.”TheRegister,5/3/2006.Retrieved8/2/2009fromhttp://www.theregister.co.uk/2006/05/03/canadian_train_sign_hack/.

Note:Mr.JohnClemofSandiaNationalLaboratorieswasamajorcontributortothematerialinSections9.1–9.4.

10.0

DefendingIndustrialNetworks—CaseHistories

10.1 ALargeChemicalCompanyInthissection,wewilltakealookatacasehistoryofalargemultinationalcorporationinaddingindustrialnetworksecuritytoitscontrolnetworks.

Thefigureswewillusetoillustratethisstoryhavebeentakenfromslidesgivenbythiscompanyatapastconference.

Figure10-1showsthetypicalsituationinthecompanyasfarasindustrialnetworkswereconcernedbeforetheindustrialnetworksecuritypush.

Here,weseethatthebusinessLANsandtheprocesscontrolnetwork(theProcessControlLANinthediagram)wereblendedtogether,makingupacorporateIntranet.

Therevisednetworkarchitecture,afteranintensivecampaigntoisolatetheprocesscontrolnetwork,isshowninFigure10-2.The“E-Pass”notationonthediagramwillbeexplainedlaterinthissection.

HereweseeacompletereengineeringtoseparatethebusinessLAN,orIntranet,fromtheProcessControlNetwork(PCN).IfwereferbacktoChapter6,thedesignandplanningphilosophyofdefenseinlayerswasappliedtoseparatethebusinessLANandtheProcessControlNetworkusingafirewall.

Figure10-1.Pre-ExistingSecurityControlsNote–E-Pass=TwoFactorAuthentication(RSA)

Figure10-3showshowseveralfirewalloptionsweretriedbythecompany,andthelow-cost“SOHO”typeappliance(singleoffice/homeoffice)wasrejected.Amoderate-sizeenterpriselevelfirewallwasselected.

Itisimportanttomentionthatthecompanydidnotattempttodothisinternalfirewalladdition/networkseparationexclusivelyin-house.Rather,thecompanychosetopartnerwithaManagedFirewallProvider,anexternalvendorthatsuppliedthefirewallsandprovidedoffsitemonitoringandfirewallexpertiseforthecompany’splantnetworksaroundtheworld.TheManagedFirewallProviderconceptisusedinthebusinessworldbymanymediumandlargecompaniesthatdonotwanttodotheentirejobin-house.

Figure10-2.NewPerimeter-BasedSecurityControls

Figure10-4showshowcommunicationtypicallyflowsacrosstheinternalfirewallfromthe“clean”processsidetothebusinesssideforsuchthingsasbackups,OPCdataupdates,antivirussignaturefileupdates,andsoon.

Figure10-5givesaperformancesummary,basedonthenumberofinstalledfirewalls(morethan60).Asthefigurementions,thenecessaryprocesscommunicationswerehandledwithnothroughputissues,andtheconclusionisthat“standardITfirewalltechnologycanbeusedforprocesscontrolapplications”.

Figure10-3.FirewallCharacteristics

Let’snowturnourattentiontothecaption“E-pass”thatismentionedinFigures10-1and10-2.E-Passisatwo-factorremoteaccessauthenticationmethodusedcorporate-wideatthiscompany.Thetechnologyissuppliedbyacommercialcybersecurityprovider,RSA.AsyouwillnoticeinFigures10-1and10-2,thediagramsmention“E-PassRequired,”or“E-PassNotRequired,”or“E-PassMaybeRequiredtoAccessCertainAssets.”

TheRSAtoken-based,two-factorauthenticationschemeusesacentralizedserverthatisqueriedtosecurelyauthenticatethatremoteusersarewhotheysaytheyare.Accessrightstohostsonthenetworkareprovidedbytheapplicationsand/orinternalprocesscontrolfirewall.

Figure10-4.TypicalCommunications

Figure10-5.Performance

Tosummarize,thiscasehistoryshowsthatalargecorporationwithplantsacrosstheglobewasabletoverysuccessfullyapplysomefundamentalstrategiesofindustrialnetworksecurityandseparatetheirProcessControlNetworksoffwithfirewalls.

10.2 AnotherCompany’sStory—Procter&GambleInthissection,wewilllookatacasehistoryfromasecondlargecorporation,Procter&Gamble.Thistimewewillfocusonhowalargecompanyviewsindustrialnetworksecurityrisksandperformsaqualitativeriskanalysis,aswasdescribedinChapter2.The

figurestoillustratethisstorywereprovidedbyDaveMills,aTechnologyLeaderinProcter&Gamble’sCorporateEngineeringorganization.

Figure10-6showsageneralmodelfordevelopingariskmanagementprocessforemergingareasofrisk.AtProcter&Gamble,thismodelwashelpful,butrealityprovedmorecomplicated.Inordertoobtainthehumanresourcestoperformthequalitativeriskassessment,aninitialscreeningassessmentwasneededtopersuademanagementthatamorein-depthstudywasjustified.TheRiskReductionProgramappearsfairlylinearinFigure10-6,but,inreality,thesecuritygoalsandstandardsweredevelopedinparallelwiththesecuritycontrols.Ifyouaredevelopingariskmanagementprogramwhileyouareexperiencingtherisks,youoftendon’thavethetimetoperformeachstepinseries.

DealingwithriskisnotanewphenomenonatProcter&Gambleorotherlargecorporations.Riskinmoretraditionalandfamiliarareashasbeenanalyzed,evaluated,andmanagedforyears.Whatisnewaretheuniquesecurityrisksassociatedwithmodernindustrialnetworksandhowtobringthatrisk“intothefold”alongsideotherriskmanagementprograms.

Figure10-6.Background-RiskManagement(CourtesyofProcter&Gamble)

Figure10-7showstheexistingriskdisciplinesthatindustrialnetworksecuritycutsacrossatP&G:BusinessContinuityPlanning(BCP),ITSecurity(IT)andHealth,SafetyandEnvironment(HS&E).

Figure10-8showshowProcter&Gamblewoundupwithaspecificriskassessmentmethodology:FacilitatedRiskAssessmentProcess(FRAP).TheprimarycustomerwastheInformationSecurityorganization,andthiswasthemethodologytheyhadthemostexperiencewith.

OneofthemainpointsDaveMillsstressedisthatthewholeriskassessmentdiscussionisbynaturedifferentfordifferentcompanies,asdifferentcompanieshaveuniqueproducts,

manufacturinglocations,manufacturinghazards,andprobablydifferingthreatprofiles.Onthe“soft”side,corporatecultureandpersonnelmanagementissuesmustbetakenintoaccountwhenperforminganindustrialnetworksecurityriskassessmentthatmatchesyourcompany.

Figure10-7.RiskAreasbyDiscipline(CourtesyofProcter&Gamble)

Figure10-8.RiskAnalysisMethodologies(CourtesyofProcter&Gamble

ManythankstoDaveMillsandProcter&GambleEngineeringforallowingtheirstorytobepublished.

AppendixA–Acronyms

ACC AmericanChemistryCouncil

AIC Availability,Integrity,andConfidentiality

AIChE AmericanInstituteofChemicalEngineers

AWWA AmericanWaterWorksAssociation

BCIT BritishColumbiaInstituteofTechnology

BPCS BasicProcessControlSystem

CCPS CenterforChemicalProcessSafety

CIDX ChemicalIndustryDataExchange

CIO ChiefInformationOfficer

CISA CertifiedInformationSystemsAuditor

CISSP CertifiedInformationSystemSecurityProfessional

COTS CommercialOffTheShelf

DCS DistributedControlSystems

DHS DepartmentofHomelandSecurity

DoE DepartmentofEnergy

FERC FederalEnergyRegulationCommission

GAO GeneralAccountingOffice

GUI GraphicalUserInterface

HMI HumanMachineInterface

IDE IntelligentElectronicDevice

M&CS ManufacturingandControlSystems

NERC NationalElectricalReliabilityCouncil

NIST NationalInstituteofStandardsandTechnology

NISCC NationalInfrastructureSecurityCo-ordinationCenter

NRC NuclearRegulatoryCommission

OCIPEP OfficeofCriticalInfrastructureProtectionandEmergencyPreparedness

OPC ObjectLinkingandEmbeddingforProcessControl

PCSRF ProcessControlSecurityRequirementsForum

PLC ProgrammableLogicControllers

SCADA SupervisoryControlandDataAcquisition

SIS SafetyInstrumentedSystems

SPDS SafetyParameterDisplaySystem

TCP/IP TransmissionControlProtocol/InternetProtocol

AbouttheAuthor

DavidJ.Teumim’sbackgroundincludescorporatesecurityandwebprojectmanagementpositionswithAgereSystemsandLucentTechnologies,alongwith15yearsofprocess,project,control,andsafetyworkforUnionCarbideCorp,BritishOxygen,andAT&T.

HisassociationwithISAbeganinearly2002whenhechairedISA’sfirsttechnicalconferenceonIndustrialNetworkSecurityinPhiladelphia,PA,andtaughtthefirstISAseminaronthissubject.

Since2004,hisfirm,TeumimTechnical,LLC,hasprovidedindustryoutreachforthreeU.S.DepartmentofEnergyNationalSCADATestBedprojects,consultingforSandiaNationalLaboratories.Morerecently,hehaschairedanAmericanPublicTransportationAssociation’sWorkingGrouponControlandCommunicationsSecurity.

Teumimholdsamaster’sdegreeinchemicalengineeringandiscertifiedasaCertifiedInformationSystemSecurityProfessional(CISSP).HeresidesinAllentown,PA.