In my recent reading through ISA and AIChE publications, there have been a multitude and variety of content dedicated to the issues of cybersecurity within the process controls industry. Over the past few months, I read through the following articles:
- “Incorporate Cybersecurity into Your PSM Program” by Ursula Malczewski and Amy E. Theis, P.E. (CEP June 2017 edition, p. 30 – 33)
- “Ukrainian power grids cyberattack” by Patrice Bock with input from Jean-Pierre Hauet, Romain Françoise, and Robert Foley (InTech March / April 2017 edition, p. 32 – 37)
- “A practical approach to ICS cybersecurity” by Lee Neitzel and Gabe Faifman (InTech May / June 20176 edition, p. 28 – 31)
- “Industrial Cybersecurity: How Much Is Enough?” by Michael Firstenberg (CEP June 2017 edition, p. 26 – 29)
As a chemical engineer by educational background, I admittedly had not had much prior exposure to such a field even though I have been peripherally aware of such things as malware and spam e-mail in personal computing for many years. Access to updated news and resources by our ProSys staff has enhanced my awareness and educated me further, to relate to the referenced information.
The first article I read displays how significant the cybersecurity realm has become. Malczewski and Theis write, “An analysis of cyberattack and incident data found that in 2015, manufacturing was the second-most-targeted industry; within manufacturing, chemical manufacturers were the second-most-targeted subcategory. Almost half of the security incidents involved unauthorized access.” Additionally, they cite an IBM Security report which stated that “sixty percent of the attacks in 2015 were carried out by insiders [to the affected organizations], either as individuals with malicious intent or people who served as inadvertent actors.”
The second article highlighted a recent cyberattack that occurred at three power distribution companies in Ukraine back on December 23, 2015. It occurred in three phases:
- Spear-phishing of the information technology (IT) network for the initial intrusion via e-mail attachment
- Deploying BlackEnergy malware to gather intelligence on the IT and operational technology (OT) networks to identify device vulnerabilities and create backdoor entries to the power plants
- Conducting the actual attack over the course of merely 10 minutes in which the hacker remotely logged in and controlled the HMI to switch off most of the power grid’s switchgears, meanwhile preventing local operator access by wiping many hard drives, overwriting Ethernet-to-serial gateway firmware with random code, and performing a distributed denial of service (DDoS) attach on the call center
In the process, hundreds of thousands of western Ukrainians subscribed to the grid lost power to their homes and/or businesses. Bock, et al note that “the attack was too fast to allow any reaction; indeed, in a critical infrastructure environment, operator actions may cause safety issues.” And while the people onsite could have stopped the attack by simply pulling the cable connecting the OT to the IT network, they remark that “untrained operators cannot be expected to take such disruptive steps on their own initiative in a stressful situation where mistakes are quite possible.” However, all of this would have been avoided if original e-mail attachment had not been opened! Regardless, the rest of the article details how the ISA / IEC 62443-3-3 standard helped “identify all the controls that were missing and that could have prevented the cyberattack”, emphasizing consistency across all aspects of cybersecurity.
In the third article, Neitzel and Faifman begin the piece by promoting the defense-in-depth industrial control system (ICS) security approach and emphasizing the need for everyone in the organization to be onboard with it. The approach has three main questions to consider:
- Where can the attacker gain entry or break into your ICS?
- Once an attacker gains entry, what will the attacker do next?
- What are the ultimate objectives of an attack?
They observe that the most commonly used entry points include operator consoles, engineering workstations, handheld devices, laptops, tablets, and smartphones; essentially anything that has a user interface to the ICS, so they advise using multifactor authentication for all HMIs that are in open areas or that can connect from a remote location. Next, they elaborate on the use of perimeter security devices, such as firewalls and routers, that segment ICS networks from external networks, which they say “should be physically protected from tampering and from having unauthorized devices connected to them.” Finally, they recommend that “all configuration and maintenance should be controlled by change management procedures, and they should be performed only by authorized network administrators.”
For the fourth article, Mr. Firstenberg writes, “Security is a continuum… We can always be more secure, and we can always be less secure.” He understands that with all kinds of attack methods out there and the severity of each (like production downtime), a business cannot prevent them all, but when they outline realistic possibilities, they can decide “which combinations of attacks, consequences, and risks to accept and which to mitigate or transfer. In the initial phases of such a risk assessment, the business may easily realize all the potential threats the plant is not prepared for, but he discusses how using unidirectional gateway technology can improve the security of the business’s operations by allowing control system information to be viewable to corporate-end users and applications but preventing corporate network communications from sending anything back to the control system. He also notes, “Adding controls over removable storage media and computers/laptops, deep inspection of all data media at physical security boundaries, and security awareness training can raise the security bar even further.”
Cybersecurity is a constant battle that evolves as technology advances and at ProSys, cybersecurity is addressed consistently by our specialized staff. In addition, we have written cybersecurity policy documents for control systems and performed mitigation work at multiple mission critical sites.