As I attend cybersecurity and industrial conferences across the country and around the world, I often hear some great questions and comments. I also sometimes hear questions that concern me very much. On a number of occasions over the past year, utility representatives, industry leaders and even regulating authorities have asked questions about exposure. No, they are not asking how to limit their attack surface. Rather, they are interested in making sure that the systems they run, build or regulate are not published to the public. Each time I hear these questions, I get a little more scared, for here is another person, perhaps even an entire company, who believes that their security depends (at least in part) on the fact that no one in the world knows where they are or what software they run. This is called “security through obscurity,” and it does not work.
These questions are asked in several different ways, and the phrasing reveals the motivation behind them. Some want to make sure they do not need to publicly disclose the manufacturer of their control systems. Others want to submit generic RFPs so that “the bad guys” don’t know what software they are running. Some extremists even want to remove their facilities from online services such as Google Maps.
There’s no escaping the fact that we live in a connected world, and there are some robust tools developed by the cybersecurity community to identify and fingerprint live systems. For any host connected in almost any fashion to a network, security researchers and professionals can map the system details, which can include hardware information, such as CPU and memory; software information, such as operating system and version, and applications installed; and even location, in many cases.
Tools such as Shodan allow anyone to search for industrial control systems connected to the Internet. Further, using social and business media websites such as LinkedIn and Facebook, and even press releases, it is almost always possible to determine the software used within the control systems at any company. Technical forums can provide even more detail, such as version and even configuration information.
The obscurity that we thought we had created is a myth. In many cases, the secrecy has been breached without hacking or direct access to any assets. To make a long story short, the “bad guys” already know what you are running and where.
Of course, critical infrastructures should never publish the details of their systems, such as network diagrams or detailed device logic. However, to assume that no one knows a particular site runs GE iFix or Wonderware, for example, would be a mistake. To predicate one’s security program on the concept that no one knows this is a backwards way of thinking. Best-practice defense-in-depth security architecture should begin with the assumption that the attackers know what systems and software are running.
It is time to stop kidding ourselves into believing that only we know the details about our critical infrastructure, and it is time to start protecting our control systems. This starts by reducing the attack surface. With strong perimeter protection, proper cybersecurity awareness education and good vulnerability management as a starting point, we can go a long way in protecting the safe and reliable operation of our infrastructure.
Want to learn more about strong cybersecurity? Check out our webinars page for a case study of a power plant.