Security Cycle of Awareness

  • April 08, 2014
  • Honeywell Process Solutions
  • Feature

By Eric Knapp, Honeywell Process Solutions A virus containing a piece of malware slithers into a nuclear enrichment facility system. It sits there for a year, learning more and more about the operation — just waiting for the call to attack. When it comes time to attack, operators are unaware and view control indicators as normal. Meanwhile, centrifuges in the facility run wildly out of control, causing severe damage. If this scenario played out in a movie four years ago, it would have been considered science fiction. With breaches like Stuxnet having since occurred, however, what was once thought impossible is here, and the scenario is now reality, Today, malware can evolve, mutate and hide in its tracks. It can seek out embedded devices and inject them with code. In short, bad guys can gain access and cause harm to industrial control systems once thought to be impenetrable. Stuxnet — the first military-grade cyber attack of its kind — drew from thousands of lines of code and upped the ante in terms of cyber weaponry. As a virus created to damage a nuclear enrichment facility in Iran, Stuxnet has spawned an awareness that continues to grow today as manufacturers look to the security world to protect their infrastructure. And, the challenge is increasing, with new cyber attacks and spying programs already overshadowing Stuxnet, including Night Dragon, Duqu, Shamoon, Flame and Gauss, among others. With each escalation in attack capability, this awareness continues to improve, and cyber threats become very difficult to ignore. A clear and present danger exists for the industrial world, with the compounded annual growth of cyber attacks on industrial control systems at 54 percent over the past seven years. According to research conducted by BAE Systems Applied Intelligence that examined business security concerns, 53 percent of surveyed U.S. companies now regard cyber threats among their top three business risks. This also indicates a growing demand from major global companies for greater intelligence about cyber threats and a better understanding of business vulnerabilities. It also aligns with the warning from the World Economic Forum that cyber attacks are among the five most significant global threats in 2014. Other research echoes these findings. For example, according to a report from Bain & Company, cyber security has morphed from an operational concern to a vital piece of executives’ strategic agenda, highlighting the need for comprehensive planning. This evolution is largely due to increased knowledge of the frequency and sophistication of cyber threats, as well as their potential overall business impact. In fact, a SANS Institute report says the majority of organizations now operate under the assumption that their network has already suffered a compromise, or will soon be attacked. And, other research says this awareness can help: According to a Symantec study, top-tier companies employing security strategies are 2.5 times less likely to experience a major cyber attack, and 3.5 times less likely to experience downtime. Despite this increased awareness, executives still face an information gap when it comes to adequately addressing cyber threats, making it difficult to align investments in risk protection to true strategic value. The referenced Bain & Company report found many organizations fail to align IT security capabilities with larger goals and overall risk, simply due to not being aware of how it can be done. This can contribute to a lack of quality risk management and result in a “reactive security” culture. And, this often is largely due to a disconnect between an organization’s risk management efforts and the development of security that occurs — all because business groups and IT often fail to discuss emerging threats. Starting to Meet the Challenge A general awareness of security tends to exist on the enterprise IT side of the network, but this awareness is typically not specialized enough to provide the value needed on the operational transformation (OT) side. Cultural conflicts between IT and OT also lend to the issue. They both have the same goal to make reliable and protected systems, but operate according to a different lexicon and background. Unless both teams fully understand the realm of their compatriots, it is hard for communication to occur. For example, “Ethernet” is a layer two networking protocol, and “IP” is the Internet Protocol at layers two and three of the OSI model. “Ethernet/IP” is an industrial communication protocol used to carry Common Industrial Protocol (CIP) over Ethernet. To further complicate matters, the layers of the OSI model used by IT can be confused with the levels of the Purdue model employed in the industrial realm. To overcome this communication challenge, IT must take the time to talk to the industrial side to understand their problems. At the same time, the operations people have to understand information security so they can help shape what does, and does not, belong on their networks. Overall, this cultural challenge might be one of the largest challenges to overcome in the process, but it is not insurmountable if the proper steps are taken.  

Starting Point Once it became clear that malware could specifically target an industrial network, manufacturers realized they needed to start thinking about cyber security in a new way. As a result, cyber security is now a necessary step to obtaining reliability and safety. Previously, it was often seen as a disruption, but a gradual culture change involving time and education has resulted in a shifting of the tides.

These days, more companies in most industries are making real progress when it comes to solidifying security plans. Most have a security plan — some more mature than others. But even in the least-developed examples, having a plan is a good starting point toward what is essentially an evolution, marked by an awareness and gradual learning process in the beginning, which can lead to significant gains and improvement. After the awareness and education stage, manufacturers begin to understand which assets need protection, and what could possibly go wrong. This is not possible without awareness and education, since you must know what you are trying to protect — and what you are trying to protect against. Fortunately, when it comes to security, manufacturers can cover a lot of the basics simply with what they have, from end point hardening to proper network design. If architected correctly, networks will have a degree of inherent security. And, manufacturers can further this security by hardening systems’ disabled ports and removing unnecessary services and applications. When manufacturers implement a security plan, they must also consider the risk equation. For example, how will a dedicated attacker or a malicious agent hack into the system? What are the chances of that happening? What targets could then be compromised? What is the value of an attack? If manufacturers learn through the risk equation that they have a high-risk system that could cause large monetary damage if attacked, or possibly lead to loss of life, then they are justified in spending more money on tighter security controls. After considering this equation, it is then easier to propose and implement a countermeasure with network security monitoring, intrusion prevention systems, firewalls and anti-malware. These additional levels of security each provide greater, in-depth defense. Diligence Means People Manufacturers must make security a part of their culture. The industrial world understands safety very well, and security requires the same attention. Each involves understanding risks and how to address those risks — ideally to the point where avoidance is second nature. When cyber security also becomes second nature, manufacturers can avoid more cyber incidents and common social engineering attacks, like phishing and dropping USB sticks. Employees must be trained in all aspects of security — like stopping someone from inserting a USB stick into a workstation, for example — just like they would stop someone from entering a dangerous area without the proper safety equipment. Creating a secure system is challenging and manufacturers must ensure the right people in the organization have input into their security plan development so it is best suited for the company’s needs.   Manufacturers must first understand the need for a plan of action. However, justifying cost will come into play quickly, so organizations can employ proven risk assessment methodologies that can determine if countermeasures are justified by the financial impact of incidents. For example, if the risk value is x, and the cost to implement a countermeasure is less than x, then an organization can easily justify the countermeasure. While those at the chief information security officer level are familiar with this decision process, others on the business side may not be as familiar with the process and the intricacies of an industrial operation. They know, for example, that if an explosion occurs and causes loss of life, there is high value in prevention. But they must also understand the secondary and tertiary systems that could potentially impact their business and productivity. Security is a process, and not a product. Awareness, correct architecture and the right counter measures — coupled with diligence — are a critical part of this process. By improving awareness, understanding technology and adopting a cultural shift with staffers, security can provide a significant business advantage. While it is no walk in the park, the days of ignoring security are long gone.

Security Challenge Checklist Starting off a security process or plan is a big challenge, and it is easy to become overwhelmed. The key is to focus on achieving incremental goals instead of focusing on the challenge as a whole, which can be daunting and overwhelming. Starting off with this mindset can help lead to ensuring a very strong security program is in place. The following checklist can help overcome some common challenges in implementing a security program:

  • Make sure all parties involved speak the same language
  • Ensure IT and OT take the time to learn from each other
  • Conquer the cultural challenge
  • Know education is a start to the process; learn what you don’t know about your system and the rest of the planning will fall into place
  • Ensure all employed vendors build security into products
  • Safety and security must follow the same risk management strategies
  • Understand the risk equation
  • Understand the risks involved and how they should be addressed
  • Know there is no one set answer to solving a security challenge; nor is there is a one-size-fits-all approach to doing it correctly
  • Make sure the right people in the organization have input into security development
  • Ensure support comes from all levels — including the top
  • Communicate, communicate, communicate

AUTHOR BIO Eric D. Knapp is Global Director of Cyber Security Solutions and Technology for Honeywell Process Solutions.  Eric is a recognized expert in industrial control systems cyber security. He is the author of “Industrial Network Security: Securing Critical Infrastructure Networks for Smart Grid, SCADA, and Other Industrial Control Systems,” and the co-author of “Applied Cyber Security for Smart Grids.” Eric has over 20 years of experience in Information Technology, specializing in industrial automation technologies, infrastructure security, and applied Ethernet protocols as well as the design and implementation of Intrusion Prevention Systems and Security Information and Event Management systems in both enterprise and industrial networks.  He has held senior technology positions at NitroSecurity, Intel Security/McAfee, and Wurldtech, and currently acts as the North American Technical Advisor to the Industrial Cyber Security Center.

Learn More

Did you enjoy this great article?

Check out our free e-newsletters to read more great articles..