Control system security: safety first
by Andrew Ginter - VP of industrial security, Waterfall Security Solutions - Wednesday, 30 October 2013.
Every large utility, pipeline, refinery and chemical plant has a cyber security program, but most are IT-centric. Anti-virus programs, software update programs and programs of integration with corporate Active Directory controllers are all managed by IT teams, along with some degree of convergence and consultation with operations technology (OT) teams. While we have seen few large-scale cyber attacks in these industries, IT-style defenses invite such attacks. Cyber-sabotage is a real threat, and it will take more than yesterday’s firewall-level protections to ensure the safety and reliability of today’s industrial sites.

IT-based defenses are routinely defeated

The continuing trend towards the convergence of IT and OT teams, the convergence of IT and OT business processes and technologies and the interconnectedness of IT and OT networks may all have sound business drivers, but too often the result is unexpectedly vulnerable industrial control system security postures. IT-centric firewalls and anti-virus solutions do a fair job of defending against the pervasive threat of viruses and botnets, but have repeatedly proven inadequate to defend against more sophisticated acts of sabotage.

The stock formula for these “more sophisticated” attacks has become widely known and widely practiced: use spear-phishing to pull malware past corporate firewalls, craft your own bits of low-volume, remote-control malware to defeat anti-virus systems, disguise your communications as legitimate traffic to defeat application-layer firewalls, and defeat security update programs by stealing passwords rather than attacking vulnerabilities. New, advanced data-exfiltration prevention technologies are being deployed to address this class of attack on corporate networks, but data-exfiltration-prevention technology does nothing to prevent the cyber-sabotage of industrial networks.

To date, there has not been a well-documented new-style attack on an industrial control system with the intent of cyber-sabotage. That said, given the easily available means for such an attack, it remains only a matter of time before some hacktivist couples these well-known attack techniques and technologies with a malicious motive. IT-style defenses designed to prevent the theft of intellectual property do not address this class of cyber-sabotage threat to worker safety, to public safety and to plant reliability. To maintain effective control of the dangerous and very costly physical infrastructure at industrial sites, owners and operators must do more to address modern cyber-sabotage threats.

Beyond IT-style security

Industry leaders are not ignoring this problem. Many are starting to deploy unidirectional gateways, which are hardware-and-software solutions that securely integrate operations data with business networks and systems. The gateway hardware enforces unidirectional data flows, while gateway software replicates servers. The replica servers on the corporate network allow corporate users to access production data in real time without any threat to, or impact on, the real operations servers. Information can flow out of operations networks without allowing any network or remote-control attacks whatsoever back into the network.
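The replication model described above has one consequence worth seeing in code: because nothing can flow back into the operations network, the replica can never ask for a retransmission, so the sending side must frame each record with a sequence number and integrity check and the replica must detect gaps and corruption on its own. The following is an added simulation, not code from the article or from any vendor product; the record layout, the frame format and the sample historian values are all constructed for the example.

```python
import hashlib, json, struct
HEADER = struct.Struct(">I8s")  # sequence number + truncated SHA-256 of the payload
# Constructed sample of historian records (tag, timestamp, value); not from the article.
SAMPLE = [{"tag": "PUMP1.FLOW", "ts": 1, "value": 10.0},
          {"tag": "TANK3.LEVEL", "ts": 1, "value": 55.5},
          {"tag": "PUMP1.FLOW", "ts": 2, "value": 11.0},
          {"tag": "TANK3.LEVEL", "ts": 2, "value": 54.0}]

def encode_frame(seq, record):
    """Operations side: one record per frame, with a sequence number and digest."""
    payload = json.dumps(record, sort_keys=True).encode()
    return HEADER.pack(seq, hashlib.sha256(payload).digest()[:8]) + payload

def decode_frame(frame):
    """Corporate side: return (seq, record), or None if the frame is truncated or corrupt."""
    if len(frame) < HEADER.size:
        return None
    seq, digest = HEADER.unpack(frame[:HEADER.size])
    payload = frame[HEADER.size:]
    if hashlib.sha256(payload).digest()[:8] != digest:
        return None
    return seq, json.loads(payload)

class ReplicaServer:
    """Replica on the corporate network: no handle on the link, so it can only record gaps."""
    def __init__(self):
        self.tags = {}       # tag name -> (timestamp, value) as last replicated
        self.expected = 0    # next sequence number we should see
        self.gaps = []       # sequence numbers that never arrived intact
        self.rejected = 0    # frames that failed the digest check
    def receive(self, frame):
        decoded = decode_frame(frame)
        if decoded is None:
            self.rejected += 1          # digest failed; the gap shows up on the next good frame
            return
        seq, record = decoded
        self.gaps.extend(range(self.expected, seq))   # empty range if nothing was missed
        self.expected = max(self.expected, seq + 1)
        self.tags[record["tag"]] = (record["ts"], record["value"])

def replicate(records, dropped=(), corrupted=()):
    """Push records over a simulated one-way link that may drop or corrupt frames."""
    replica = ReplicaServer()
    for seq, record in enumerate(records):
        if seq in dropped:
            continue                    # lost on the wire; the sender never learns of it
        frame = encode_frame(seq, record)
        if seq in corrupted:
            frame = frame[:-1] + bytes([frame[-1] ^ 0x01])   # flip one payload bit
        replica.receive(frame)
    return replica
```

Running `replicate(SAMPLE, dropped={1}, corrupted={3})` leaves the replica with the first gap recorded, the corrupt frame rejected and the last good value for each tag; in a real deployment the sender would periodically resend full snapshots so such gaps heal without any return channel.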
