Thursday, August 27, 2015

Which of our control system networks is expendable?

Traditional cybersecurity measures, such as firewalls and anti-malware, were once considered adequate to protect our IT networks and industrial control systems (ICS) alike. Recently, however, this assessment has been challenged as the frequency and success of modern cyberattacks against these networks have increased. Practitioners of critical infrastructure are questioning the security tools they once used. If these technologies are repeatedly failing to protect IT networks from attack, why should they be trusted to protect control system networks? In short, which of our industrial control system networks are expendable enough to expose to these software-based, IT-style cybersecurity approaches?

The answer is, of course, “none.” None of our industrial control system networks can afford such risk. Compromised control systems put workers’ lives and public and environmental safety at risk, and introduce risks of downtime and damage to large, costly and difficult-to-replace equipment.

The damage to blast furnaces in December’s German steel mill cyberattack is a good example of these risks. This incident demonstrated what today’s attackers are capable of, and the consequences of this kind of attack. Software-based cybersecurity protections failed to protect the steel mill and the physical equipment at the site.

If not software, then what?
To provide effective protection for industrial control networks, security standards must keep pace with modern attacks. The latest NIST 800-82r2 and Agence nationale de la sécurité des systèmes d'information (ANSSI) guidance for industrial control system security recognize the strength of hardware-enforced unidirectional security gateways. Unidirectional gateways provide physical protection for control system networks, not just software security. The gateways replicate industrial servers to corporate networks, providing safe IT/OT integration for control system networks.

Given the continued evolution of best-practice ICS security guidance, and the widespread acceptance of unidirectional security gateways, the question we must all ask of our control systems networks is: which of these networks are expendable enough to be protected with only firewalls and other IT security software components?

Interested in reading about the challenges in securing IT/OT networks? Check out our recent article for more information.

Tuesday, August 25, 2015

August 14-15, 2015 – Waterfall/Area 81 Racing Solidifies their Top Spots in the SARRC and SECS Championships with Double Wins at Charlotte Motor Speedway

It was an exciting weekend at the Central Carolina SCCA’s Daylight into Dark races at Charlotte Motor Speedway as the Waterfall/Area 81 Racing team posted double F1000 wins.

Richard Franklin, Car 81, qualified first in class for both races and posted his personal best on the high banks of Charlotte Motor Speedway with the fastest F1000 lap of the event. Although oil leaks prevented a finish in Saturday’s race, Car 81 came back strong on Sunday with a SARRC race win and second-overall finish.

“It was not a perfect weekend for me by any means, but not too bad,” said Franklin. “Handling wise, my car was very comfortable, and I set my fastest top MPH speed ever at Charlotte, confirming that my engine tuning and aerodynamic tweaks are working.”   

Not far behind, was Tim Pierce with his first appearance at Charlotte. Pierce qualified first in class in SECS both days, and despite some handling issues caused by the uneven track surface, Car 1 finished third overall on Sunday, taking home two SECS wins.

“The goal for Car 1 was to score two SECS wins and bring it home in one piece. I think we accomplished our goal and performed very well in the process,” said Pierce.

Next up is the 2015 SCCA National Runoffs at Daytona International Speedway Sept. 26. Stay tuned to and the Area 81 racing Facebook page for updates.

Wednesday, August 12, 2015

Best practices in IT/OT integration for ICS

Applying IT-style cybersecurity defenses to operations technology (OT) networks is not effective to ensure reliable operations of industrial control systems. Thus, OT cybersecurity practices are always evolving to address these concerns. For more on Waterfall’s perspective on the IT/OT challenge, check out some of our media articles.

  • Firewalls alone are not enough to protect our industrial control systems from hackers. While you might think that firewalls and encryption will keep your industrial control systems secure, these forms of protection are essentially software, which has the capacity to contain bugs and, even worse, be hacked. That said, there are so many limitations to software-based firewalls, all of which are common knowledge to anyone with an elementary awareness of cybersecurity. For example, a recent German steel mill attack proved that cyber hackers were able to compromise industrial corporate and production networks and solidified the need for safe integration of IT networks and operations technology (OT) networks. To find out more about the implications of firewall use, check out my recent article in BetaNews, “Cybersecurity best practices for facilitating IT/OT integration.
  • As software and computer hacking become more complex, so do cyberattacks. Standards and regulations are attempting to solve these problems, but the hackers are becoming much more capable. French ANSSI standards, which forbid the use of firewalls in control system networks, are a recent example of this. However, security practitioners need to consider the technologies in play. We need to ask ourselves if any of our control systems, let alone those in critical infrastructures, are expendable enough to be protected by firewalls. IT/OT integration is the best solution. Read more in my recent article in Utility Products, “What's Wrong With IT-style Cybersecurity Approaches?
  • While there are some similarities between the hardware and software on corporate and control system networks, the characteristics of the two are quite different. However, the main difference is control. Control system networks govern the physical world while corporate systems manage data and IT processes; hence, why cybersecurity best practices are evolving to recognize the differences between the two types of networks. Standards, like the above mentioned ANSSI rules and NERC-CIP requirements, are encouraging hardware-enforced unidirectional security gateways. You can read more of my insights into the differences between control and corporate networks, as well as more information about these regulations, in Security Magazine: “Control System Cybersecurity Is Shifting Away from Corporate Thinking.”

Want to stay up to date on critical infrastructure news? Follow us on Twitter.

Monday, August 10, 2015

July news roundup

There has been no shortage of industrial cybersecurity concerns in the news last month. Particularly noteworthy are the Federal Energy Regulatory Commission’s new CIP standards and the Lloyd’s of London report about the future of our critical infrastructure, including a frightening potential attack scenario. If you missed any of these stories, check out our July news roundup to quickly catch up.

United States military bases’ power grids are at risk for cyberattacks according to a new Government Accounting Office report on defense infrastructure. The document concludes that these bases are vulnerable to cyberattacks that could greatly effect operations. Retired Navy captain Joe Bouchard said the problem will eventually be corrected; however, in the interim there will be a lot of opportunities for sophisticated cyberattacks on military bases.

The Federal Energy Regulatory Commission (FERC) is offering new rules intended to improve the U.S. electric system’s cybersecurity. These standards are intended to address possible threats to communication networks and other electric system assets and will address issues ranging from personnel and training to physical security of the bulk electric system’s cyber systems and information protection.

A National Grid security manager notes there is a need for real cultural change in the energy sector in terms of security, especially in the U.K. He says the rate of change in technology across the world comes with increasing risks to industrial control and SCADA systems. Additionally, there is an increasing reliance on cyber tools to operate critical infrastructure systems. In combination with physical and cybersecurity concerns, the energy sector needs to mitigate these risks. FERC describes the goal as “a forward-looking, objective-driven standard that encompasses activities in the system development life cycle from research and development, design and manufacturing to acquisition, delivery, integration, operations, retirement and eventual disposal of the equipment and services.”

According to the recent Lloyd’s “Business Blackout” report, the potential financial loss from a Stuxnet-style attack on the U.S. smart grid could be more than $1 trillion. The report provides a hypothetical scenario in which hackers use a Trojan attack to shut down electricity generation control rooms to create a blackout across 15 U.S. states. While researchers admit this attack is improbable, they do agree that it is technologically possible and would result in huge government and insurance pay-outs, as well as a rise in mortality rates, decline in trade and “general chaos on transport networks.” The Lloyd’s report suggests that these hackers would likely be engineers with the ability to write malware. While the cybersecurity market is still evolving these risks and losses are very much possible.

For a look at other industrial cybersecurity news we find noteworthy, check out our Junenews roundup.