Many Cyber Security Experts Don’t Understand The Systems They Are Trying To Secure

Uploaded on 2022-09-27 in FREE TO VIEW, BUSINESS-Production-Manufacturing, NEWS-Cybersecurity News

There is an old saying about not forcing a square peg into a round hole. The square peg is IT and Operating Technology (OT) network security. The round hole is the insecure Industrial Control System (ICS) field device. 

Without the ICS devices working properly, facilities cannot operate reliably and safely whereas facilities can operate without the IP networks, as demonstrated by the recovery from the 2015 Ukrainian power grid cyber attack.

The approach for offensive cyber operators when they attack an industrial or manufacturing system is to identify the impact they want to achieve and then study the systems to find out the best way to accomplish the goal. The approach of OT cyber security defenders is to assume that what needs to be defended are the OT networks and therefore it is not important to understand how the systems they are trying to protect work.

In order to defend and optimize the plants, buildings, facilities, and transportation, one needs to understand how the systems and components work. It doesn’t make sense that the approaches attackers have used to successfully compromise physical infrastructures continue to be ignored by the cyber defenders. 

The Gap Between OT And Engineering

IT and OT cyber security focuses on the Internet Protocol networks and are under the purview of the CISO. Control system field devices such as process sensors are used for reliability, safety, predictive maintenance, and cyber security. Control system cyber security focuses on the field devices such process sensors and their associated lower-level networks which are often serial.

These field devices have no cyber security and are under the purview of engineering. Protecting these field devices is different from protecting IT or OT networks and requires different technologies and training. When control systems are impacted, the results are obvious – trains or planes crash, pipelines rupture, power is lost. Because of the lack of control system cyber forensics and training, these incidents are generally not identified as being cyber-related. Yet, to date, there have been more than 11 million control system cyber incidents with more than 34,000 deaths. There is a need to address this cyber security gap in technology, training, and culture.”

Connecting The Dots

Unfortunately, dots are still not being connected in control system cyber security: incidents continue to occur in all sectors that are not shared within the sector or between sectors. That is obvious from my database where the same types of incidents occur within multiple sectors. The focus on IT and OT also limits recognizing cyber incidents that didn’t involve IP networks as being identified as being cyber-related. This was obvious from the RSA session.

Education

Cyber security is taught as a subdiscipline of computer science. There are very few universities that require an introduction to engineering for cyber security. Conversely, there are very few universities that require the engineering disciplines of electrical, mechanical, chemical, nuclear, or systems engineering to include an introduction to cyber security. This past year, I was a senior research associate at the University of Missouri Science and Technology. The course I supported required a capstone project to take an engineering/utility company and determine how well the student felt it met the NIST Cyber Security Framework. The students were neither engineers nor from the utility industry, and they could only use publicly available data for their projects.

They found issues that weren’t identified by the utilities’ cyber security organizations – appropriate training can work.

I also talked to a utility senior manager who was teaching a cyber security course at a university and felt it was too complex to even mention control systems. Unfortunately, this is the norm and it’s why there is such an education gap. The process sensor issues are not being addressed even with the work being done by CISA and ISA on OT cyber security training.

Lack Of Understanding Of Systems & Components

The fundamental approach for offensive cyber operators when they attack an industrial or manufacturing system is to identify the impact they want to achieve and then study the systems to find out the best way to accomplish the goal. That is, they want access to specific pumps, motors, valves, relays, etc. to accomplish their goal.

Accomplishing that goal may involve a combination of physical, IT, OT, and control system cyber approaches.

Additionally, offensive cyber operators may use the IP networks as part of their attack technique using approaches such as man-in-the middle attacks to provide the operators with misleading information. Often, the cyber approaches may be very basic as the control systems often are not designed to keep cyber attackers out. Consequently, state-of-the-art zero days are not needed. Process sensors are 100% trusted and are the input to OT monitoring systems that cannot detect or correct sensor data.

This means the offensive path of least resistance is where there is no cyber security - the process sensors and their ecosystems. This is what the ICS cyber “kill chain” defenders continue to ignore.

The fundamental approach of OT cyber security defenders is to assume that what needs to be defended are the OT networks and therefore that it is not important to understand how the systems they are trying to protect work. Unlike the offensive attacker’s attempt to cause a specific impact, compromising an OT network does not directly lead to an affect on specific pieces of equipment. For example, if the OT network is in a power plant, there is no understanding by many OT security defenders how a power plant and the equipment in the plant work and the associated system interactions. Process sensors are also the input to OT networks, and OT security experts commonly assume these to be uncompromised, authenticated, and correct which makes the attacks possible. It is not a “fair fight” when the defenders won’t address what the attackers are targeting especially when many of the networks and devices being targeted have no cyber logging or forensics.

Understanding how the systems and components work is not just a cyber exercise as the process sensors are the input for predictive maintenance, digital transformation, Industry4.0, smart manufacturing, smart grid, etc. In a recent plant test, the Windows-based HMI was not effective and, in fact, provided misleading information on the state of the process sensors and plant equipment.

Monitoring tools for process sensors and plant equipment need to be purpose-built, not general-purpose systems such as Windows. When sensors are wrong, equipment can be damaged and people can die.

Unfortunately, you don’t need to be a cyber expert to impact sensors. Two fast food workers told police they wanted their shift at the fast-food restaurant to slow down. During the interview, they told the police their intentions were that if the railroad crossing gates could malfunction and they could somehow block traffic, that would prevent people from getting to the restaurant, and they could have a slow night at work. Police said one of the fast food workers placed a makeshift device on the tracks that affected the crossing gate sensors. The railroad’s dispatch center could not have determined that the crossing gate signals were being intentionally disrupted. This was a control system cyber incident, one of many that have affected rail transportation.

Inadequate Government Approaches

Recent events have shown that pipeline cyber security requirements are inadequate and there have already been more than 125 recorded control system cyber incidents in water/wastewater that include complete loss of water, water hammer, chemical contamination  pumping contaminated water into the drinking water system This is trivial compared to the 2005 collapse of the Taum Salk earthen dam and the loss of billions of gallons of water because of inaccurate sensors.

The US Cyber Incident Reporting for Critical Infrastructure Act assumes cyber forensics exist, which is not the case for legacy ICS field devices. The zero trust initiative promtoted by CISA also does not apply to legacy control system devices that do not have minimal cyber security capabilities and are 100% trusted.

Summary

Control system cyber security is more than just protecting IP networks. In order to defend and optimize the plants, buildings, facilities, and transportation, one needs to understand how the systems and components work. It doesn’t make sense that the approaches attackers have used to successfully compromise physical infrastructures continue to be ignored by the cyber defenders.

Joe Weiss is Managing Partner at Applied Control Solutions

You Might Also Read: 

Industrial Control System Security Is Overlooked:

 

« Quantum Computing Raises As Many Problems As It Solves
Securing The Future Of Open Finance »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

BH Consulting

BH Consulting

BH Consulting we are a vendor independent consulting firm providing market leading range of information security services focused on data protection and cybersecurity.

Outpost24

Outpost24

Outpost24 provides easy to deploy and intuitive solutions to continuously identify, remediate and mitigate vulnerabilities in your network.

We Watch Your Website

We Watch Your Website

We Watch Your Website provide website monitoring, protection, malware removal and root cause analysis services to help you keep your website secure.

Retail & Hospitality Information Sharing & Analysis Center (RH-ISAC)

Retail & Hospitality Information Sharing & Analysis Center (RH-ISAC)

Retail & Hospitality ISAC operates as a central hub for sharing sector-specific cyber security information and intelligence.

S2 Grupo

S2 Grupo

S2 Grupo is the benchmark company in Europe and Latin America, for Cyber Intelligence and mission critical systems operations.

Eseye

Eseye

Eseye is a global specialist supplier of cellular internet connectivity for intelligent IoT (Internet of Things) devices.

Arc4dia Labs

Arc4dia Labs

Arc4dia have developed SNOW, a cyber security solution to combat the world’s most sophisticated cyber threats.

Cloud Managed Networks

Cloud Managed Networks

Cloud Managed Networks provides enterprise grade IT network solutions for cloud-based and on premise network security, Wi-Fi, data switching, collaboration, device management and more.

ditno

ditno

ditno uses machine learning to help you build a fully governed and micro-segmented network. Dramatically mitigate risk and prevent lateral movement across your organisation – all from one centralised

Visible Statement

Visible Statement

Visible Statement is a computer-based delivery system designed to insure the retention and recall of your most important security training messages.

Reliance Cyber

Reliance Cyber

Reliance Cyber (formerly Reliance ACSN) help to monitor and manage your organisation’s security infrastructure 24/7, so you can make sure all threats and issues are dealt with.

Hubify

Hubify

Hubify is an experienced, service-driven technology company specialising in business connectivity across mobile, data, voice, cloud, & cyber security solutions.

CSIOS Corp.

CSIOS Corp.

At CSIOS we help our customers achieve and sustain information and cyberspace superiority through a full range of defensive and offensive cyberspace operations and cybersecurity consulting services.

Atlas VPN

Atlas VPN

Atlas VPN is a highly secure freemium VPN service with a goal to make safe and open internet accessible for everyone.

CYTUR

CYTUR

CYTUR provide trusted and secured maritime cybersecurity solutions to keep ships safe, protecting them, their crews, cargo and all stakeholders from maritime cyber threats.

Internet Watch Foundation (IWF)

Internet Watch Foundation (IWF)

Since the early days of the internet, our job has been to help child victims of sexual abuse by hunting down and removing any online record of the abuse.