Thursday, May 28, 2015

Shelfware: Why security solutions end up shelved, and how to avoid it

A layered “defense-in-depth” approach to security has been best practice advice for many years for both IT networks and ICS networks. Intrusion detection systems (IDS) and security information and event managers (SIEM) are often described as the pinnacle of these layered security architectures. Many organizations have purchased these systems, but few have achieved their project goals. The deployments are never completed, or the systems are implemented and ignored: in both cases, becoming “shelfware.”

According to the Ponemon Institute’s “Risk & Innovation inCybersecurity Investments industry survey sponsored by Lockheed Martin, 90 percent of respondents said their organization invested in a security technology that was ultimately discontinued or scrapped before or soon after deployment. The reasons ICS IDSs become shelfware are unanticipated costs and the eventual realization that these projects can never achieve their goals. Let’s discuss cost first… All IDSs and their SIEM analysis systems need to be tuned. If the systems are made too sensitive, they generate floods of false alarms resulting in information overload. If the systems are de-sensitized to where false alarms are eliminated, the systems stop detecting real attacks. There is a middle ground that must be found. A certain number of false alarms per day, or per week, are essential to effective intrusion detection. The problem is that nobody knows which alarms are false until the alarms are investigated. Investigating alarms takes experts who understand control systems working with the network technicians that received the alarms, not just network technicians in an outsourced security service. Costs escalate because control system experts are busy with other work and can’t drop what they are doing a dozen times a week to investigate false alarms without impairing the progress of every other active OT project. Each investigation costs time and effort from our already overburdened experts.

Costs are a problem, but also worth considering is: does the new security system meet its goals? Even when we discover a potential intrusion, it takes hours or days to establish that the intrusion is real and then determine how to remediate it. That being said, how long are we willing to permit an enemy to control our costly and often dangerous industrial equipment?  Days?  Hours? Minutes? Investigating and remediating real intrusions takes at least this long, while unauthorized, unqualified intruders are on our control systems the entire time. This is dangerous.


The first goal of a control system security program must be intrusion prevention, not detection. Intrusion detection may be considered the pinnacle of a defense-in-depth program, but intrusion prevention is the mountain. We can't support the pinnacle on thin air – there must be a base. Shelfware is the natural consequence of the failure to achieve our most important goal: preventing compromise.

Intrusion detection certainly has its place, especially when the perimeter firewalls are porous by design and made for bidirectional communications. On the corporate IT side, compromised equipment can simply be restored from backup after intruders have “stirred the pot” for days or even weeks, but, on the OT side, damaged industrial equipment, lost production and even human lives cannot simply be restored from backup. Even the briefest operation of industrial equipment by unauthorized, unqualified intruders is an unacceptable risk.

Unlike IT, the clear focus and priority for ICS security programs must be intrusion prevention, which begins at the control system network perimeter – the IT/OT network interface.

Tuesday, May 19, 2015

Protecting TV Stations


I was at a security conference recently, and a representative of a television station approached me. He had seen coverage of the hack of the French television station TV5Monde by ISIS and needed to know what he could do to prevent a similar incident at his own station.

I admit that, when I first saw coverage of the attack on the TV station, I dismissed it as yet another IT network breached that was not directly relevant to Waterfall's focus on industrial control systems.

The security manager from the TV station, though, explained to me that, in fact, the station had a control system and leased network connections for its physical broadcast towers, controlling characteristics of the physical broadcast and, of course, feeding signal into the towers to broadcast. Much of the signal is recorded, but some of it is live.  The station never wants a cyber assault to hijack its signal the way TV5Monde was hijacked, right through what the TV5Monde described as a "very strong firewall."

The more I heard, the more it became clear that this was a classic control system problem. The computer control system controlled the physical broadcast and needed continuous communications with corporate monitoring and billing systems. The system also had occasional needs to pick up new, approved, recorded video content from external sources, and to receive live feeds for broadcast. Unidirectional gateways support continuous monitoring without introducing vulnerabilities that always come with firewalls. The FLIP enables occasional updates of scheduled, recorded material in a queue for broadcast, and a variety of mechanisms support occasional live broadcasts, depending on circumstances of the broadcast and the source of the live feed.

Targeted attacks are everywhere nowadays. It seems not even television stations want to entrust their broadcasts and their reputations to firewalls any more.

Tuesday, May 12, 2015

April news roundup: The results are in…

Critical infrastructure security was a major topic among analyst firms and researchers in April. If you didn’t stay up to date with the findings throughout the month, we prepared a brief recap for you. Included are findings from Dell’s survey on cybersecurity and a report by the Organization of American States. Read more in this month’s news roundup.

Hacks on critical infrastructure are more common than you think (The Inquirer - April 7, 2015)
In a recent report, the Organization of American States found that hackers commonly seek to destroy major critical infrastructures. The report shows that 54 percent of the 575 companies polled encountered attempts to manipulate control systems. Even more troublesome is that 60 percent of the companies detected attempts to steal data.

Cyberattacks on SCADA and industry double in 2014, says Dell (Fox News – April 8, 2015)
Analysis from Dell’s intelligence network shows attacks against SCADA systems have doubled in the last few years. These attacks on industrial systems can cause more damage than traditional hacking because of the risks they pose to critical infrastructures. Of the attacks that Dell investigated, most were against Finland, the U.K. and the U.S. since industrial control systems are commonly used in these countries. Dell also noticed a rise in point-of-sales malware and attacks on payment infrastructure, leading to some of the highest-profile breaches in history.

Are you prepared? This year's fastest growing security threats (Business News Daily - April 14, 2015)
In a more detailed article about the Dell study, Business News Daily offers some key insights from the results. Attacks against SCADA systems are the third largest security threat that businesses should be planning for in 2015. These attacks often go unreported, and when combined with the U.S.’s aging infrastructure, they present huge security risks.

The U.S.’s energy infrastructure will need major changes, says Obama report (Washington Post – April 21, 2015)
According to a recent report released by the Obama administration, the U.S. electric grid will require major changes to adapt to future national security challenges. The report comes in the wake of new developments to the grid system, increased threats from hackers and climate extremes, among other developments.


Protect cybersecurity spending to avoid attacks on energy infrastructure (Newsweek - April 27, 2015)
According to analysts, defense budget cuts have left the U.K. open to cyberattacks. Ewan Lawson, senior military research fellow at the Royal United Services Institute, recommends increasing budgets for cybersecurity to prevent attacks on energy infrastructure. He also points to the German steel mill attack, which caused massive damage to the plant control system. An additional report by cybersecurity firm Cylance Corporation shows Iranian actors have hacked into critical infrastructures in the U.K., France, Germany and the U.S.

Did you miss March’s critical infrastructure security news? Check it out in last month’s industrial security news roundup.

Wednesday, May 6, 2015

April 25-26th, 2015 – Waterfall/Area 81 Adds Another Epic Battle to the History Books

The Waterfall/Area 81 Racing team returned to Roebling Road Raceway in Savannah, Ga., for the Jim Stark Memorial Double SARRC/SECS.  Seven years after the team was formed, both Tim and Richard are in the hunt for championships. Tim placed second in SECS both races, while finishing third on Saturday overall and second on Sunday overall. Richard earned first-place finishes both days in SARRC with a fourth overall and a third overall.

Throughout Saturday severe thunderstorms pelted the area including lightning, 80 mile-per-hour winds and 2-3 inches of rain. At the start, Tim passed seven cars before Turn 1 and soon another epic battle between Area 81 teammates would ensue. Each lap, Tim would pull away in the first sequence of turns, only to have Richard threaten in the second half of the course. A disabled car in Turn 1 brought out a standing yellow caution, which thwarted Richard’s plans to pass from Tim’s draft on the front straight. 

Sunday’s race featured sunny skies and expected temperatures into the 90s. Richard qualified on the second row and Tim directly behind on the third row. This time, Richard fended Tim off at the start for five laps until Tim drafted going into the first turn. The teammates resumed their fight, but both encountered lapped traffic. Tim passed two lapped cars deep into Turn 1, leaving Richard to wait to get around. By the time he was able to navigate around the slower cars, it was too late.

“My car had the same shifting issues from the last event, and I wasn’t as fast as I expected to be,” Tim Pierce, driver of Car 18, said. “(Franklin’s car) was definitely the faster car this weekend.”

Franklin said, “It’s no secret that Roebling is my favorite track, and I felt confident all weekend that sufficient speed was in the car. On Saturday, I drafted alongside Tim for at least nine laps every time down Roebling’s front stretch. … On Sunday, I led him for five laps, but we were able to draft by. Going nose-to-tail for lap after lap is why I love racing.”

The team continues its 2015 racing schedule at the SARRC/MARRS Double SARRC/SECS at VIR on May 8 and 9 near Danville, Va. Be sure to stay tuned to www.Area81Racing.com and our Facebook page for updates.