Cyber Security Threats: Expert Interview with Eric Byres, Part 1

  • August 28, 2011
  • Feature
August 2011
By Bill Lydon
Cyber Security is a hot topic that has become more intense since the notoriety of the Stuxnet virus. I interviewed Eric Byres, one of the world’s leading industrial automation cyber security experts, to gain a greater understanding of the challenges and solutions for industrial cyber security. Byres earned the respect of the automation industry with a unique combination of experience and knowhow. In addition to experience as a process controls engineer, he has researched and written extensively about Stuxnet and founded the British Columbia Institute of Technology (BCIT) Critical Infrastructure Security Centre, resulting in receipt of the SANS Institute Security Leadership Award in 2006. He is responsible for numerous industrial automation and SCADA cyber security standards and best practices and was formally recognized in Oct 2009 by the International Society of Automation (ISA) as an ISA Fellow. Byres is also chair of the ISA SP-99 Security Technologies Working Group, which is responsible for the standardization of technologies for Industrial Automation and Control System cyber security, and the Canadian representative for IEC TC65/WG13, a standards effort focusing on an international framework for the protection of process facilities from cyber attacks.
His background is an important qualifier that lets you know what I already know - Eric Byres is a knowledgeable professional committed to the cause of industrial automation and SCADA cyber security. This is serious business.
Question: Is all the media coverage of Stuxnet good or bad for the industry?
Eric’s Comments: It is painful, but necessary. The bad news is that bad people who might not have heard of SCADA or process control systems before now have been made aware of them. They also have a step-by-step recipe for attacking these systems. However, the good news is that the Stuxnet media coverage has woken up many end users and suppliers to the need for SCADA/ICS security. That had to occur at some point and at least no lives were lost in this wakeup call.
Contrast this to the terrible incidents like Bhopal that drove the industry to take safety more seriously - so far we have avoided any incident that tragic and I hope we continue to do so.
Question: What are the misconceptions about Stuxnet?
Eric’s Comments: There are many misconceptions, but the one that is really serious is the belief that Stuxnet was all about USB keys and if you ban the use of USB keys on your plant floor, you have solved the security problem. Stuxnet’s designers gave the worm eight different spreading mechanisms and the USB key was only one. Even without this vector, a sophisticated worm like Stuxnet will just pick a different path.
Eric’s Comments: In many ways, and that is a key lesson the industry needs to take from Stuxnet. Stuxnet doesn’t just walk through the corporate firewall and suddenly it has infected its target PLC. Instead it spreads via secondary pathways that are never considered in most security designs – subtle pathways like infected PLC project files, USB keys, and maintenance laptops. And when it does find a firewall in its way, it rides on protocols that are typically allowed through a control system firewall, so that it doesn’t set off any alarms.
Question: In your blog you have coined the term “Son of Stuxnet”. What do you mean by this and what is the threat?
Eric’s Comments: Malware writers and hackers never create anything in isolation – each new worm or attack tool takes advantage of previous techniques and vulnerabilities. For example, within days of the world learning about Stuxnet’s USB Key tricks (technically it used a .LNK file vulnerability), other worms like Sality started exploiting the same vulnerability.
Now the scary thing about Stuxnet is that it introduced so many advanced attack and malware techniques to the black hat world – basically it gave the technology of malware design a major leap forward. Perhaps more serious, it showed exactly how to build and then use weaponized software against critical control systems. So unless every bad guy in the world has some sort of miraculous memory lapse regarding Stuxnet, we are certain to see the Stuxnet techniques being reused in future worms. These worms will be directed at different targets, take advantage of different control products and be driven by different political or financial motivations. But regardless, they will borrow something from the Stuxnet legacy. 
Configuration Issues
Question: If a control system is NEVER connected to the Internet, is it still at risk from cyber incidents? (i.e., do air gaps provide protection?)
Eric’s Comments: Of course, most control systems are never DIRECTLY connected to the Internet, but they all connect to other systems that eventually do connect to the Internet. Typically these connections are to the enterprise business systems (such as MRP inventory management, etc.), but they can also be connections for maintenance support from vendors and consultants, or regulatory connections to agencies like the EPA. Mr. Sean McGurk, the Director of National Cybersecurity and Communications Integration Center (NCCIC) at the Department of Homeland Security put it best:
“In our experience in conducting hundreds of vulnerability assessments in the private sector, in no case have we ever found the operations network, the SCADA system or energy management system separated from the enterprise network. On average, we see 11 direct connections between those networks. In some extreme cases, we have identified up to 250 connections between the actual producing network and the enterprise network.” Source: The Subcommittee on National Security, Homeland Defense, and Foreign Operations May 25, 2011 hearing. 58:30 -- 59:00
But let’s assume that a company really has somehow severed all network connections to and from the plant floor. They are still at risk because, as much as we want to pretend otherwise, modern control systems need a steady diet of electronic information from the outside world. For example, PDF-based user manuals from vendors, updated PLC logic from consultants, patches for the computer operating systems, anti-virus signatures, remote support connections – you can’t ignore them all. Severing the network connection simply spawns new pathways – pathways like the CD, the mobile laptop and the USB key, which are more difficult to manage and just as easy to infect.
As I have detailed in my blog the true air gap is a fantasy. For effective ICS and SCADA security the entire industry needs to move past this myth and learn to deal with the reality: control systems are connected to the outside world.
Question: If a control system is separated from the business network with a firewall does it still need additional security?
Eric’s Comments: Absolutely. As I noted earlier, Stuxnet got past the firewalls by either using secondary “sneakernet” pathways like USB keys and CDs, or it rode on top of the protocols that the firewalls were configured to let through. Even though my company sells firewalls, I will be the first to say they are part of the solution, not the whole solution. You need to create an architecture that both defends the overall control system from external attacks, and hardens each individual system and device from harm, in case something malicious does get in (such as a worm like Stuxnet or a disgruntled employee).
You also need to divide your plant into security zones so that you can contain trouble when it does get in. For example, I recently got a call from a power company in South America that had the Conficker worm running wild in its control system. It started with a single infected computer but it spread unhindered throughout the plant. After that, no sooner had they disinfected one server than it was re-infected by another server: “The problem occurs when all [control] networks are connected. All machines in SGE, Alspa and PI work well and without virus if they are disconnected; when all networks are connected the virus infects the machines again.” The only viable long term solution was to use deep packet inspection firewalls between the networks, to tightly manage exactly what traffic passed between systems.
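The point Byres makes twice above, that a worm can ride a protocol the firewall is configured to let through, and that deep packet inspection between zones is what lets you "tightly manage exactly what traffic passed between systems", is easier to see side by side. The following is an added Python example, not code from the interview or from Byres's company: it contrasts a port-only rule with a DPI rule on the same inter-zone boundary. The protocol (Modbus/TCP on TCP port 502), the zone names, the read-only policy and every sample frame are assumptions chosen for illustration; the article names none of them.

```python
"""
Port-only filtering versus deep packet inspection between two control-system zones.

Assumptions (illustrative, not from the article): the inter-zone protocol is
Modbus/TCP on port 502, the "enterprise" zone is only permitted to READ from the
"control" zone, and the sample frames below are constructed for this demo.
"""
import struct
from dataclasses import dataclass

MODBUS_PORT = 502
# Modbus function codes that only read data. Writes (0x05, 0x06, 0x0F, 0x10),
# diagnostics and vendor-specific codes are refused across the zone boundary.
READ_ONLY_FUNCTIONS = {0x01, 0x02, 0x03, 0x04}


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    dst_port: int
    payload: bytes


def port_only_allows(pkt: Packet) -> bool:
    """Classic firewall rule: enterprise -> control on TCP/502 passes, payload unseen."""
    return (pkt.src_zone == "enterprise"
            and pkt.dst_zone == "control"
            and pkt.dst_port == MODBUS_PORT)


def parse_mbap(payload: bytes):
    """Parse the 7-byte Modbus/TCP MBAP header plus function code.

    Returns a dict, or None when the bytes are not a well-formed Modbus frame.
    """
    if len(payload) < 8:
        return None
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", payload[:7])
    if protocol_id != 0:            # Modbus/TCP protocol identifier is always 0
        return None
    if length != len(payload) - 6:  # length field counts unit id + PDU
        return None
    return {"transaction_id": transaction_id,
            "unit_id": unit_id,
            "function_code": payload[7]}


def dpi_allows(pkt: Packet) -> bool:
    """DPI rule: the port rule AND a well-formed Modbus frame AND a read-only function."""
    if not port_only_allows(pkt):
        return False
    frame = parse_mbap(pkt.payload)
    if frame is None:
        return False
    return frame["function_code"] in READ_ONLY_FUNCTIONS


def modbus_request(transaction_id: int, unit_id: int, function_code: int, addr: int, value: int) -> bytes:
    """Build a constructed 12-byte Modbus/TCP request (MBAP + 5-byte PDU)."""
    return struct.pack(">HHHBBHH", transaction_id, 0, 6, unit_id, function_code, addr, value)


# Constructed sample traffic crossing the enterprise -> control boundary.
SAMPLES = {
    # Read Holding Registers (0x03): legitimate monitoring traffic.
    "read_registers": Packet("enterprise", "control", MODBUS_PORT,
                             modbus_request(1, 1, 0x03, 0x0000, 10)),
    # Write Single Register (0x06): same port, but changes PLC state.
    "write_register": Packet("enterprise", "control", MODBUS_PORT,
                             modbus_request(2, 1, 0x06, 0x0010, 0x1234)),
    # Arbitrary non-Modbus bytes sent to the allowed port.
    "http_on_502": Packet("enterprise", "control", MODBUS_PORT,
                          b"GET / HTTP/1.0\r\n\r\n"),
    # Traffic initiated from the control zone outward: no rule permits it.
    "reverse_direction": Packet("control", "enterprise", MODBUS_PORT,
                                modbus_request(3, 1, 0x03, 0x0000, 1)),
}


def evaluate(samples=SAMPLES):
    """Return {name: (port_only_verdict, dpi_verdict)} for each sample packet."""
    return {name: (port_only_allows(pkt), dpi_allows(pkt)) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, (port_ok, dpi_ok) in evaluate().items():
        print(f"{name:18s} port-only: {'ALLOW' if port_ok else 'DENY '}   dpi: {'ALLOW' if dpi_ok else 'DENY'}")
```

Only the first sample survives the DPI rule. The write request and the non-Modbus bytes both pass the port-only rule, which is exactly the gap Byres describes: the firewall sees an allowed protocol and raises no alarm. Real DPI products also check request/response pairing, address ranges and rate, which this illustration omits.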
Thoughts & Observations
Stuxnet has clearly been a wakeup call for the industry and companies need to have cyber security plans if they want to protect their operations.
Cyber security is a complex issue and in the next part of this interview with Eric Byres, we will discuss actions automation people can take to protect operations.