Verizon has released new cybersecurity figures, and the statistics, which are based on actual events — not polls — are scary.
According to the company’s 2017 Data Breach Investigations Report (10th Edition):
- 75 percent of actual breaches were caused by outsiders
- 25 percent involved internal actors
- 18 percent were conducted by state-affiliated parties
- More than half (51 percent) involved organized criminal groups
The report also showed that:
- As many as 62 percent of breaches were caused by hacking
- 51 percent included malware
- 81 percent leveraged stolen and/or weak passwords
- 43 percent were social attacks
And industrial control systems are not exempt from attacks.
However knowledge of how attacks occur, new tools coming on the scene, and long-term investments in cybersecurity can all help processors stand a better chance of keeping their plants safely up and running.
ICS-CERT (Industrial Control Systems-Cyber Emergency Response Team) recently released its third “Annual Assessment Report for Fiscal 2016” (ending in June 2017).
The report highlighted continued and significant risks on industrial control systems. ICS-CERT also released Version 8.0 of its Cybersecurity Evaluation Tool (CSET). The team identified 700 discoveries for the year through design architecture reviews and network validation and verification assessments.
For the third year running, “boundary protection” was the most commonly identified area of weakness, and weaknesses related to boundary protection accounted for 13.4 percent of all discovered weaknesses.
The next three weakness categories in order of prevalence were listed as “least functionality,” “identification and authentication,” and “physical access control.”
In boundary protection, the two major risks reported were undetected unauthorized activity in critical systems and weak boundaries between ICS and enterprise networks.
Least functionality risks include increased vectors for malicious third-party access to critical systems and rogue internal access.
Identification and authentication risks include a lack of accountability for user actions on compromised accounts and increased difficulty in securing accounts when personnel leave a company.
Physical access control risks include unauthorized physical access to field equipment and locations where someone could access the ICS network, steal or vandalize cyber assets, add rogue devices — or make changes to programs or device firmware.
The latter issue (changes to programs or firmware), however, is not limited to physical tampering alone, but a new vector was discovered with the 2014 Dragonfly/Havex attack, otherwise known as a remote access Trojan (RAT), which was embedded into firmware updates on various automation vendors’ websites. The virus payload would cause multiple common OPC platforms to crash, which could cause a denial of service effect on applications reliant on OPC communications.
New tools in development
“We all know that ICS and IIoT asset owners depend on their vendors to supply valid software and firmware for system implementation and upgrades,” says Eric Byres, PE, ISA Fellow, noted industrial security expert and inventor whose firm, aDolus, is now working on a US Department of Homeland Security funded research project to investigate the viability of using trust anchor technologies for real-time verification of ICS software/firmware packages. “However, if this chain of trust is compromised, then malicious software can be introduced that alters core system functionality, potentially impacting critical operations and human safety.”
Unfortunately, there are currently few safeguards in place to protect IIoT and ICS devices against introduction of counterfeit firmware/software.
This is not a hypothetical risk, adds Byres.
In 2014, the Dragonfly attack targeted critical infrastructure in North America and Europe by inserting malware into legitimate software bundles available for download on three ICS vendors’ websites. Any asset owner that downloaded and installed these modified software bundles had their critical control systems infected.
These attacks highlighted the fact that industry needs a robust and universal solution for safeguarding against the counterfeiting of firmware/software upgrades.
“Our project is investigating methods of generating digital fingerprints of both legitimate and suspect firmware via automated agents, and then assigning reputational scores to the software package,” says Byres. “An API and web tool we’re developing allows end users to incorporate a validation process into their daily operations, ensuring the legitimacy of updated firmware/software without impeding critical operations.”
In other words, a technician at a site uses the tool to scan any firmware upgrade package just before loading it into a controller, says Byres. The tool then gives the software/firmware a score between 1 and 10, where 10 means the software bundle is highly validated and thus safe, while 1 means it is pure evil malware.
“Asset owners in the food and beverage industry can’t buy the ‘Secure Trust Anchor’ tool, but they can partner with us and use it for free as we go through the research process,” says Byres.
Cybersecurity demands ongoing management participation
Cyber-attacks already are costing companies worldwide an estimated $300 billion to $400 billion each year, and that number is projected to increase sharply, according to an article in the Series “Insights on the connected enterprise,” which can found on the Schneider Electric website. Entitled “Justifying Industrial Site Cybersecurity Investments to your CEO,” the article suggests strategies for funding cyber security initiatives.
The problem is that many CEOs tend to look at a cybersecurity investment as a one-time expenditure that will fix all on-going issue. But, cybersecurity is an ongoing investment — much in the same way an antivirus program updates itself on an almost daily basis. Imagine the results if your virus definitions were last updated Jan. 1, 2015.
One of the hurdles is that plant managers find it difficult to convince their CEOs to fund ongoing cybersecurity investments.
These investments are often defined as short-term projects and are not positioned as long-term investments for conducting business. But plant managers need to link their cybersecurity proposal to business benefits. For example, it’s not unreasonable to think that a cyberattack could put your business on hold for a few days or a week while you rebuild the system from backups.
You do have backups, right?
For more information: Eric Byres, CEO of aDolus Inc., eric.byres@aDouls.com or (866) 897-9980.