Tuesday, July 21, 2015

Waterfall/Area 81 team succeeds despite inclement weather on Fourth of July weekend

A short trip away from its headquarters in North Carolina, the Waterfall/Area 81 Racing team traveled to Roebling Road Raceway in Savannah, Ga., for the SECS.

Richard Franklin, driver of car 81, planned to use these races to prepare for October’s SARRC Invitational Challenge Championship race; Tim Pierce, of car 18, planned to do the same for the 2015 Runoffs in September. This boded well for the team on Saturday, as it qualified third and fourth overall. Franklin finished first in SARRC and Pierce finished second in SECS.

However, Sunday’s races were cancelled due to unstable weather.

“The whole team weathered the storm and sacrificed its comfort and well-being to get the car to the grid. We would not be successful without these efforts,” said Pierce.

Franklin added, “Hopefully, those who showed up on grid will receive Championship points for their efforts.”

All in all, it was a productive weekend for the team, proving once again that it can continue to capture Championship points despite unforeseen circumstances.

The team continues its 2015 racing schedule at Charlotte Motor Speedway for the Daylight-into-Dark Double SARRC/SECS on Aug. 15 and 16. Be sure to stay tuned to www.Area81Racing.com and our Facebook page for updates.
Thursday, July 16, 2015

Digital Bond Labs assesses FLIP technology’s unidirectional security

Last month, Digital Bond Labs, a cybersecurity lab focused on finding new security and reliability vulnerabilities in control-system components, performed a security assessment of Waterfall’s FLIP product line. We have great confidence in our solutions at Waterfall, and Digital Bond’s testing verified what we were already convinced of: the FLIP cannot be transformed into a bidirectional communication channel, nor can it be controlled remotely.

The Waterfall FLIP is a type of hardware-enforced unidirectional security gateway. The technology replicates control system servers to IT networks without enabling anything to move in the opposite direction. When needed, the Waterfall FLIP also replicates servers from IT networks to control networks, for as long as is needed. For example, FLIP products are routinely deployed to replicate historian data out of control system networks nearly continuously, and reverse orientation several times per day so that the FLIP software can fetch anti-virus and other security updates and transmit them to the control system.

Digital Bond’s findings were in line with Waterfall’s marketing message for FLIP, stating that:

  • It could find no way to transform the FLIP into an interactive bidirectional channel, and that “the FLIP is always a one-way system.”
  • It could find no way to remotely control the FLIP mechanism that reverses direction from either the “inside” or “outside” networks.

Digital Bond concluded that, since the FLIP is unidirectional at all times, and the direction cannot be remotely controlled, “the FLIP is a much stronger security mechanism than a firewall.” Digital Bond Labs’ researchers also concluded that the FLIP “provides a defensive advantage versus traditional thumb drive data transfers” because the FLIP “provides a single entry point to the control system network that can be hardened and monitored versus thumb drive transfer, which introduces a risk of infection to every system that the thumb drive is connected to.”

Unidirectional security gateways prevent IT security issues from weakening operational technology (OT) security. The verification from Digital Bond Labs serves as assurance that Waterfall solutions are capable of protecting reliability-critical systems and process equipment from security threats. Cyberattacks aimed at control systems have much greater potential consequences than attacks on IT systems. Unidirectional security gateways stop IT network attacks from becoming OT problems.
Waterfall also has FLIP technology solutions for Substations. Learn more on our product page.

Tuesday, July 14, 2015

June news roundup: How safe is the U.S. power grid?

Are the U.S. power grid and other critical infrastructures safe from cyberattacks? According to recent news and research, the answer is no. Reliance on the power grid is increasing, as are the threats that plague it. Read the latest on the risks to U.S. critical infrastructure below in this month’s news roundup.

A Critical Threat (SC Magazine UK, June 30)
Attacks on Iran’s nuclear plants and last year’s attack on a German steel mill prove the level of damage that can be done with little effort. Critical infrastructure can easily be penetrated; therefore, SCADA devices that aren’t secure are causing growing concern. These threats are fueling global legislation.

According to former Secretary of Defense William Cohen, the U.S. power grid is becoming increasingly vulnerable to terrorist attacks. These attacks, he stresses, are likely to be cyberattacks, which have the capability to completely shut down the power grid. Furthermore, the American Society of Civil Engineers (ASCE) did a formal review of the U.S. power grid, which resulted in a barely passing grade of D+. This grading shows that U.S. critical infrastructure is in poor condition with a strong risk of failure. Despite this, there is not enough attention or funding dedicated to securing the power grid.

Attacks on industrial control systems and SCADA systems are increasing at a rapid rate. According to a recent survey by the SANS Institute, more than 30 percent of respondents said their organizations’ control systems have been breached. Of those, 17 percent acknowledged six or more breaches so far this year alone.

Has the Obama administration done enough to protect the U.S. power grid? A former CIA director says no. According to R. James Woolsey, the country has done a poor job protecting the critical infrastructure that includes the Internet and the power grid. He proposes a few reasons why security has not been a high priority in the U.S., including the administration’s lack of focus on this issue. He says that the U.S. has 18 critical infrastructures, 17 of which rely on electricity. If the entire power grid is hacked, a great deal is at risk: food, water and even lives.

Will America’s Power Stay On? (Homeland Security Today, June 13)
Aside from the risk of cyberattacks, security and energy experts are also warning that the U.S. power grid is equally vulnerable to natural factors that could result in outages across the country. According to a recent Johns Hopkins University study, there are shortcomings across all 50 states, such as variations of standards and lack of accountability at the national level. The report states that these shortcomings, if not addressed soon, could be exposed on a much larger scale. The North American Electric Reliability Corporation (NERC) has failed to produce enforceable standards and, as a result, outages will likely occur.

Want more critical infrastructure news? Read last month’s news roundup.

Wednesday, June 10, 2015

May news roundup

Every day, the need for effective cybersecurity becomes apparent across new global sectors. Whether in the energy industry, power grids or critical infrastructure, it is clear that industrial cybersecurity is essential to an international audience. We’ve got the latest on this growing theme in this month’s news roundup.

Federal cybersecurity experts are finding more and more vulnerabilities in control system components. Of the 245 cyberthreat-related incidents last year, 14 came from the water sector. Water utilities are drawing increasing attention from the Homeland Security Department. According to a survey by the Ponemon Institute, nearly 70 percent of critical infrastructure companies suffered a security breach in the last year. Moreover, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has said that the number of vulnerability reports for industrial control systems increased more than 15 percent in the last year.

Ensuring pipeline physical and cyber security (Plant Engineering, May 20, 2015)
Production of oil and natural gas in the United States and Canada is much higher than ever before. However, an increase in gas production means a denser network of pipelines, inviting more cyberattacks. The U.S. has more than 182,000 miles of hazardous liquid pipelines, 325,000 miles of natural gas transmission pipelines and 2.15 million miles of natural gas distribution pipelines, all of which are exposed to these threats. While there have not been reports of pipeline attacks in the U.S., the number of international attacks is growing.

According to Yusuph Kileo, cybersecurity and digital forensics investigation expert, Africa’s greatest security threat is to its critical infrastructure due to several factors. For instance, because of their lack of knowledge in the field, decision makers in Africa do not consider cyberthreats a priority. There is also a lack of collaboration and few laws to protect the continent against cyberattacks, especially those to its critical infrastructures.

According to a new report by the State Department, recent research suggests Iran may intend to use its cyberforce to attack global critical infrastructure. Hackers in Iran have been behind multiple attacks on the private sector, including energy and power firms.

During a panel discussion at the Independent Power Producers of New York conference, security experts discussed cyber and physical vulnerabilities in the energy sector. The U.S. power grid is the most complex risk landscape, according to William Flynn, former Homeland Security principal deputy assistant secretary for infrastructure security. Threats to the U.S. power grid include domestic and overseas acts of terrorism.

Interested in learning more about international industrial security? Read more in last month’s news roundup.

Thursday, May 28, 2015

Shelfware: Why security solutions end up shelved, and how to avoid it

A layered “defense-in-depth” approach to security has been best practice advice for many years for both IT networks and ICS networks. Intrusion detection systems (IDS) and security information and event managers (SIEM) are often described as the pinnacle of these layered security architectures. Many organizations have purchased these systems, but few have achieved their project goals. The deployments are never completed, or the systems are implemented and ignored: in both cases, becoming “shelfware.”

According to the Ponemon Institute’s “Risk & Innovation in Cybersecurity Investments” industry survey, sponsored by Lockheed Martin, 90 percent of respondents said their organization had invested in a security technology that was ultimately discontinued or scrapped before or soon after deployment. The reasons ICS IDSs become shelfware are unanticipated costs and the eventual realization that these projects can never achieve their goals.

Let’s discuss cost first. All IDSs and their SIEM analysis systems need to be tuned. If the systems are made too sensitive, they generate floods of false alarms, resulting in information overload. If the systems are de-sensitized to the point where false alarms are eliminated, they stop detecting real attacks. A middle ground must be found: a certain number of false alarms per day, or per week, is essential to effective intrusion detection. The problem is that nobody knows which alarms are false until the alarms are investigated. Investigating alarms takes experts who understand control systems, working with the network technicians who received the alarms, not just network technicians in an outsourced security service. Costs escalate because control system experts are busy with other work and can’t drop what they are doing a dozen times a week to investigate false alarms without impairing the progress of every other active OT project. Each investigation costs time and effort from already overburdened experts.
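The tuning trade-off above can be made concrete with a threshold sweep. The following is an added example, not code from the original post or from Waterfall: it uses constructed anomaly scores for one week of events (the labels are assumed known in hindsight, which is exactly what the analyst lacks at alert time), sweeps the alert threshold, and reports how many benign events would page the control-system experts and how many real intrusions would go unseen at each setting. The threshold values, scores and the two-hour investigation cost are assumptions for illustration.

```python
"""Threshold sweep showing why an IDS cannot be tuned to zero false alarms
without also going blind to real attacks (added example; all data constructed)."""
from dataclasses import dataclass
from typing import List, Optional, Sequence

# Constructed anomaly scores (0.0 = clearly normal, 1.0 = clearly hostile) that
# a hypothetical ICS IDS assigned to one week of events. In practice the two
# populations overlap, which is what makes tuning a trade-off rather than a knob.
BENIGN_SCORES = [0.05, 0.10, 0.12, 0.20, 0.25, 0.30, 0.35,
                 0.40, 0.45, 0.55, 0.60, 0.70, 0.82, 0.90]
ATTACK_SCORES = [0.38, 0.58, 0.75, 0.88, 0.95]


@dataclass(frozen=True)
class TuningPoint:
    threshold: float
    false_alarms: int    # benign events that would page the control-system experts
    missed_attacks: int  # real intrusions that never raise an alert
    detected_attacks: int


def evaluate(threshold: float,
             benign: Sequence[float] = BENIGN_SCORES,
             attacks: Sequence[float] = ATTACK_SCORES) -> TuningPoint:
    """Count the outcomes of alerting on every event scoring >= threshold."""
    false_alarms = sum(1 for s in benign if s >= threshold)
    missed = sum(1 for s in attacks if s < threshold)
    return TuningPoint(threshold, false_alarms, missed, len(attacks) - missed)


def sweep(thresholds: Sequence[float],
          benign: Sequence[float] = BENIGN_SCORES,
          attacks: Sequence[float] = ATTACK_SCORES) -> List[TuningPoint]:
    """Evaluate each candidate threshold in turn."""
    return [evaluate(t, benign, attacks) for t in thresholds]


def zero_error_setting_exists(points: Sequence[TuningPoint]) -> bool:
    """True only if some threshold yields neither false alarms nor misses."""
    return any(p.false_alarms == 0 and p.missed_attacks == 0 for p in points)


def cheapest_setting_catching_all(points: Sequence[TuningPoint]) -> Optional[TuningPoint]:
    """Lowest false-alarm setting that still detects every attack.

    The false_alarms figure of the returned point is the weekly noise the
    organization must be prepared to investigate to keep full coverage."""
    complete = [p for p in points if p.missed_attacks == 0]
    return min(complete, key=lambda p: p.false_alarms) if complete else None


def analyst_hours(point: TuningPoint, hours_per_investigation: float = 2.0) -> float:
    """Every alert, false or real, is investigated before anyone knows which it was.

    The per-investigation cost is an assumption; the point is that it scales with
    all alerts raised, not just the true ones."""
    return (point.false_alarms + point.detected_attacks) * hours_per_investigation


if __name__ == "__main__":
    results = sweep([0.1, 0.3, 0.5, 0.7, 0.9])
    for p in results:
        print(f"threshold {p.threshold:.1f}: {p.false_alarms:2d} false alarms, "
              f"{p.missed_attacks} missed attacks, "
              f"{analyst_hours(p):.0f} analyst hours/week")
    print("zero-error setting exists:", zero_error_setting_exists(results))
    best = cheapest_setting_catching_all(results)
    print("cheapest full-coverage setting:", best)
```

Lowering the threshold until nothing is missed leaves nine false alarms in the constructed week; raising it until the noise is gone leaves four of five attacks undetected. No setting gives zero of both, which is the middle ground the post describes, and the hours column is the cost that lands on the control-system experts.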

Costs are a problem, but also worth considering is: does the new security system meet its goals? Even when we discover a potential intrusion, it takes hours or days to establish that the intrusion is real and then determine how to remediate it. So how long are we willing to permit an enemy to control our costly and often dangerous industrial equipment? Days? Hours? Minutes? Investigating and remediating real intrusions takes at least this long, while unauthorized, unqualified intruders are on our control systems the entire time. This is dangerous.

The first goal of a control system security program must be intrusion prevention, not detection. Intrusion detection may be considered the pinnacle of a defense-in-depth program, but intrusion prevention is the mountain. We can't support the pinnacle on thin air – there must be a base. Shelfware is the natural consequence of the failure to achieve our most important goal: preventing compromise.

Intrusion detection certainly has its place, especially when the perimeter firewalls are porous by design and made for bidirectional communications. On the corporate IT side, compromised equipment can simply be restored from backup after intruders have “stirred the pot” for days or even weeks, but, on the OT side, damaged industrial equipment, lost production and even human lives cannot simply be restored from backup. Even the briefest operation of industrial equipment by unauthorized, unqualified intruders is an unacceptable risk.

Unlike IT, the clear focus and priority for ICS security programs must be intrusion prevention, which begins at the control system network perimeter – the IT/OT network interface.

Tuesday, May 19, 2015

Protecting TV Stations

I was at a security conference recently, and a representative of a television station approached me. He had seen coverage of the hack of the French television station TV5Monde by ISIS and needed to know what he could do to prevent a similar incident at his own station.

I admit that, when I first saw coverage of the attack on the TV station, I dismissed it as yet another IT network breach that was not directly relevant to Waterfall's focus on industrial control systems.

The security manager from the TV station, though, explained to me that, in fact, the station had a control system and leased network connections for its physical broadcast towers, controlling characteristics of the physical broadcast and, of course, feeding signal into the towers to broadcast. Much of the signal is recorded, but some of it is live. The station never wants a cyber assault to hijack its signal the way TV5Monde was hijacked, right through what TV5Monde described as a "very strong firewall."

The more I heard, the more it became clear that this was a classic control system problem. The computer control system controlled the physical broadcast and needed continuous communications with corporate monitoring and billing systems. The system also had occasional needs to pick up new, approved, recorded video content from external sources, and to receive live feeds for broadcast. Unidirectional gateways support continuous monitoring without introducing vulnerabilities that always come with firewalls. The FLIP enables occasional updates of scheduled, recorded material in a queue for broadcast, and a variety of mechanisms support occasional live broadcasts, depending on circumstances of the broadcast and the source of the live feed.

Targeted attacks are everywhere nowadays. It seems not even television stations want to entrust their broadcasts and their reputations to firewalls any more.