Reports on Industrial Control Systems’ Cyber Security

Reports on Industrial Control Systems’ Cyber Security Compendium of some of my reports on Critical Infrastructure Industry Cyber Security


Contents

- Industrial Control Systems: Functional Safety and Cyber-security

- Industrial Control Systems: Cyber Security Imperatives

- Cyber Vulnerabilities Distract Industrial Companies’ Focus on Core Activities

- Cyber Security: Troubling Questions

- Havex Demolishes the Myth of Trusted Sites

- Can India Protect itself from Cyber Threats?

- Industrial Control Systems’ Cyber Security


Industrial Control Systems: Functional Safety and Cyber-security

[Published in Industrial Automation October 2013 issue]

Manufacturing companies, while investing in automation systems, seek to automate the manufacturing operations for achieving efficient & consistent production, meet the health, safety, and environmental protection objectives, realize productivity improvements, agility, responsiveness, and gain competitiveness. Automation involves massive real-time data gathering, analysis, and storing, retrieving, & sharing of information; and in these areas, information and communication technologies are extremely powerful. The automation industry, recognizing the benefits of leveraging the information and communication technologies (ICT), incorporated processing and communication features of ICT in automation systems. The industry took big strides in leveraging ICT to enhance analytical capabilities & self-diagnostic features, improve operator interfaces & collaboration, store and retrieve historical information, and such others.

ICT’s Ever-Increasing Role in Automation and Manufacturing

The ever-increasing power and reliability of microprocessors and rapid advances in software technology provided the necessary impetus to the automation industry to develop distributed control systems (DCS) and Safety Instrumented Systems (SIS) for use in process industries, PLCs for discrete industry applications, and SCADA for operating pipelines and electrical transmission & distribution, and such others. The industry also developed intelligent industrial robots to perform hazardous operations that on one hand enhanced operational safety and on the other improved productivity.

The adoption of information and communication technologies also helped the automation industry to integrate broadly not only various automation systems such as DCS, PLC, SIS, and SCADA and their subsystems but also automation systems with enterprise solutions. It adopted digital communication in place of the conventional analogue signal transmission to connect field devices to control systems. After protracted deliberations, the IEC committee developed the required standards governing the computer network protocols used in real-time distributed controls. Because of the need to use different technologies for meeting the application requirements, it became necessary for the IEC standard IEC 61158 to include multiple technologies. In the process control domain, both Fieldbus and Profibus technologies are commonly used. Recent trends indicate wider use of Ethernet-based industrial communication systems even at device levels. This trend will gain further momentum as the manufacturing industry becomes more efficient and leaner.


While avid discussions are taking place about the Internet of Things and cyber-physical systems at international conferences and industry events, ensuring industrial control systems’ functional safety and cyber security is emerging as a major challenge.

Cyber Security is Integral to Functional Safety

Many production processes are hazardous and complex, and this spurred the automation industry to develop safety devices and control systems suited to work in such environments and to perform critical control functions such as fail-safe plant shutdown and such others. In case an operational problem (including shutdown) occurs in a plant, a well-designed Safety Instrumented System (SIS) controls the plant so that it does not lead to adverse safety, health, and environmental consequences. While the SIS operates independently of the other control systems that control the plant operations and performs Safety Instrumented Functions (SIF), it is composed of the same types of control elements, such as transmitters, actuators, and others.

At the completion of the engineering design, a plant project team with process experts performs a HAZOP study involving systematic, rigorous, procedural reviews to identify possible hazards and establish Safety Integrity Levels (SIL) for the safety instrumented systems to achieve the required integrity and reliability. International standard IEC 61511 provides guidance to end-users on the application of Safety Instrumented Systems in the process industries, and this standard is based on IEC 61508, a generic standard for the design, construction, and operation of electrical/electronic/programmable electronic systems. Other industry sectors also have standards that are based on IEC 61508, such as IEC 62061 (machinery systems), IEC 62425 (railway signaling systems), IEC 61513 (nuclear systems), and ISO 26262 (road vehicles). The increasing use of robotics is driving the use of EN ISO 13849-1 for ensuring machine safety. The EN ISO 13849-1 standard covers both mechanical and electronic safety components.

While the automation industry has taken major steps in developing industrial control systems and standards that ensure operational and functional safety, recent incidents such as the Stuxnet attack have exposed their inherent vulnerabilities to cyber threats. These threats, viewed in the context of the extensive role of cyber-physical systems (CPS) in the manufacturing facilities of the future, look ominous. Fundamentally, automation systems are built to meet the productivity and business needs of the manufacturing industry. Securing the control systems from cyber-attack was not envisaged earlier as part of the requirement criteria and as such was not on the radar screen of automation companies and standards committees. However, the growing recognition that cyber threats are real calls for recognizing the need to ensure secure functioning of the control systems even in the event of cyber-attacks. It has to be recognized that cyber security is integral to functional safety.

A report prepared under the coordination of the German Government’s Federal Ministry of Education and Research & Federal Ministry of Economics and Technology looks at the future manufacturing landscape, symbolically referred to as Industry 4.0. While highlighting on one hand the extensive use of technology such as cyber-physical systems (CPS), the report identifies key action areas that need extensive research and development. Among others, the action areas include standardization and reference architecture, safety and security, and design, training and continuing professional development.

Roadmap for Ensuring Cyber Security

While automation companies may have to go back to their drawing boards to design automation systems that include security as one of the manufacturing industries’ fundamental requirements, manufacturing companies have their task cut out to secure their present. Vigilance & readiness and the ability to identify cyber-attacks and quickly recover from & nullify the effects of the cyber-attacks are crucial to achieve a fair degree of protection. The way forward for them is to carry out security audits, vulnerability assessments, and penetration testing as they develop and implement defense-in-depth strategies at both the company and national level. The most important thing is to be aware of the threats, take serious note of the same, and plan & implement countermeasures. Almost all automation suppliers have established dedicated teams to address the cyber security challenges, and end users must begin to engage with them more proactively. In order to safeguard their future, end users must include the necessary contractual clauses as part of procurement specifications. Automation suppliers, on their part, must offer control systems that have strong security features to ensure protection from cyber-attacks.

While protecting the enterprise begins with implementing the proper work-related systems such as access control and ensuring adherence to cyber security standards, such as ISA-99/IEC 62443 for ICS and ISO/IEC 27001, it is essential for the manufacturing company to create an in-house industrial control-system cyber security team. The industrial control-system cyber security challenges are different from those of ensuring data security. Therefore, it is necessary for the team to consist of experts in automation and process technologies in addition to experts in information and communication technologies. What is crucially important is to make a beginning by creating the in-house industrial control-system cyber security team that is charged with the responsibility to carry out security audits, vulnerability assessments, and penetration testing, evolve solutions, and implement them. The team may seek the support of technology solution providers and competent system integrators having the appropriate skills in industrial control-system cyber security.

The Government of India has designated the ‘National Critical Information Infrastructure Protection Centre’ (NCIIPC) of the National Technical Research Organization (NTRO) as the nodal agency under Section 70A(1) of the Information Technology (Amendment) Act 2008 for taking all measures, including associated research and development, for the protection of the country’s Critical Information Infrastructure (CII). It has authorized NCIIPC “to take all necessary measures to facilitate protection of CII, from unauthorized access, modification, use, disclosure, disruption, incapacitation, or destruction, through coherent coordination, synergy, and raising information security awareness among all stakeholders” and mandated it with the vision “to facilitate safe, secure, and resilient Information Infrastructure for Critical Sectors in the country.”


Some of the tasks assigned to NCIIPC include, among others, the following: facilitate capacity building towards the creation of highly skilled manpower through engaging premier institutes such as IISc, NITs, and others, including private/non-government partners working on CIIP; facilitate thematic workshops and information security awareness and training programs. Without qualified and trained professionals and their deployment plans, these initiatives would remain non-starters.

While the nodal agency NCIIPC, working in conjunction with industry and global organizations, develops long-term strategies and approaches, it is important for the companies operating in critical infrastructure industries to initiate appropriate measures to fully comprehend the serious threats and countermeasures in the interim. Critical infrastructure industries, such as communications, electric and water utilities, oil and gas, transportation, and others play a crucial role in ensuring not only the country’s economic wellbeing but also its territorial integrity, and therefore they are most vulnerable.

"Incorporate cyber risks into existing risk management and governance processes. Cyber security is NOT

implementing a checklist of requirements; rather it is managing cyber risks to an acceptable level.

Managing cyber security risk as part of an organization’s governance, risk management, and business

continuity frameworks provides the strategic framework for managing cyber security risk throughout

the enterprise,” is the US Department of Homeland Security’s advice to CEOs. This advice holds true not

only for CEOs of US companies but also for domestic companies.


Industrial Control Systems: Cyber Security Imperatives

[Published in Industrial Automation April 2013 issue]

With information technology having emerged as the underlying technology supporting industrial control systems, automation companies took a quantum leap in leveraging IT to improve control systems’ functionality, performance, operator interfaces, archiving of historical information, communication and analytical capabilities, self-diagnostic features, and such others. Initially, industrial control systems used proprietary hardware and software platforms and operated in standalone mode, but as microprocessors and other devices used in enterprise and other commercial applications became more powerful, reliable, and robust, automation suppliers began to deploy them extensively in automation systems. This trend apart, with enterprises demanding seamless flow of information from plant floor to boardroom and vice versa, integration of automation systems with enterprise solutions became an accepted practice. This further spurred the increased use of commercially available off-the-shelf technologies in industrial control systems, as they facilitated easier collaboration among manufacturing IT solutions.

While this trend continued, securing the safety of control systems took a back seat, but recent cyber-attacks such as Stuxnet, Flame, Duqu, and such others acted as a wake-up call to both suppliers and end-user industries and exposed the vulnerabilities of control systems to such attacks. According to some sources, India is one among the affected countries, and many infrastructure industries, such as oil and gas refineries, electric power grids, railways, and others, face the threat.

Ensuring ICS Security through Defense-in-Depth Strategies

Infrastructure industries rely upon Industrial Control Systems (ICS), such as Distributed Control Systems (DCS), Programmable Logic Controllers (PLC), Safety Instrumented Systems (SIS) used for plant safety shutdown, and Supervisory Control and Data Acquisition (SCADA) systems to ensure not only plant asset performance but also health, safety, and environment (HSE) protection in industries. Control system malfunctioning can lead to serious consequences. While at the affected-industry level control system malfunctioning could result in production losses, loss of intellectual property, and risking the lives of employees, at the national level the consequences could be catastrophic. It is important to understand that some incidents could result in cascading and escalating effects, and cyber attackers could trigger such incidents. For example, the electric grid could be manipulated to collapse with a view to disrupting almost all other services, such as communication and transportation. The modus operandi of cyber-attack through control systems is to deliberately cause the malfunctioning of control systems. It is a new weapon that is still under development, and therefore one could expect it to emerge more sophisticated. Both the captains of the automation industry and critical manufacturing verticals could only ignore these developments at their peril. Hence, it is imperative for process industries in the country to become aware of and comprehend the magnitude of cyber threats and the high risks to which they are exposed. They must take appropriate remedial actions, including the creation of comprehensive cyber-security programs to develop and adopt defense-in-depth strategies.

The US Department of Homeland Security’s report ‘Recommended Practice: Improving Industrial Control Systems’ states, “Cyber security, from a defense-in-depth perspective, is not just about deploying specific technologies to counter certain risks. An effective security program for an organization will depend on its adherence and willingness to accept security as a constant constraint on all cyber activities. Implementing an effective defense-in-depth strategy will require taking a holistic approach and leveraging all of an organization’s resources in order to provide effective layers of protection.”

Roadmap to Overcome Vulnerabilities of Control Systems

The control system, at the broadest level, has innumerable nodes spanning numerous field devices, I/O cards, communication buses, controllers, and operator interfaces. Typically, field devices are accessible through dedicated lines, handheld devices, or other communication protocols, including wireless. A cyber attacker, by gaining unauthorized access to the field devices, can cause their malfunctioning by changing their characteristics and/or behavior and thereby manipulate the entire plant or the enterprise control. Additionally, the control system architecture has numerous servers, engineering stations, human-machine interface terminals, and such others. By gaining access to them, a cyber-attacker can manipulate operator and controller actions and data-driven applications. Similarly, by gaining access to communication buses, an attacker could gain complete control over the network and manipulate the flow of information and command signals.

The multitude of information technology and automation devices found in the control system architecture are certainly robust from functional and operating environment perspectives but not necessarily from the perspective of tamper proofing them to prevent manipulation. Overcoming the control system cyber-security challenges would call for automation suppliers to assess afresh the industrial-control system architecture and all its subsystems and components in the context of their vulnerabilities to cyber-attacks. It is essential for automation vendors to collaborate with other stakeholders including standards organizations to reevaluate the readiness to meet the challenge head-on and quickly develop and offer appropriate solutions with the help of collaborative partners working in domains, such as smart firewall, endpoint security, safe coding certification, and others. There exists significant scope for domestic software service providers, such as TCS, Cognizant, Wipro, HCL Technologies, and others to play their role.

In the long term, automation vendors have to introduce a range of control system offerings which inherently have strong built-in security features to protect them from malicious attacks. They may have to offer add-on packages with configurable options to meet the needs of customers using existing and erstwhile control systems. As it stands now, the potential attackers probably are a few steps ahead, and this necessitates immediate and concerted efforts from automation suppliers and their stakeholders to develop their defenses. While almost all automation suppliers have established dedicated teams to address the cyber-security concerns, they need to lead from the front to reassure end users and protect their ICS from being hijacked for malicious objectives. End users have invested in ICS to protect their plants from adverse safety, health, and environmental consequences.

The Role of Automation Suppliers, Infrastructure Industries, and the State

The escalating awareness about the vulnerabilities of control systems is forcing automation suppliers to find, on one hand, some near-term solutions and, on the other, go back to their drawing boards to design and engineer automation systems that include security as one of the fundamental requirements. Another important mindset change that is required is to move away from the misconception that cyber threats are purely IT related. It calls for a top-down approach, with CEOs of manufacturing companies realizing the true nature of cyber threats on one hand and, on the other, automation companies creating the necessary awareness among end users about control system vulnerabilities and offering appropriate solutions. However, ensuring security from cyber-attacks calls for policy initiatives not only from enterprises and industry organizations but also at national and global levels. How critical it is to formulate national-level policies aimed at protecting the critical infrastructure industries from possible cyber-attacks can be gauged from the fact that the President of the United States issued an Executive Order on February 12, 2013 to improve critical infrastructure cyber security. The Executive Order is the result of recognizing the cyber threat to critical infrastructure as one of the most serious national security challenges.

Positive Developments

The Government of India’s Inter-Departmental Information Security Task Force (ISTF) has set up the Indian Computer Emergency Response Team (CERT-In) to respond to cyber security incidents and take steps to prevent their recurrence.

While the Honeywell Industrial Cyber Security workshop, recently held at Kolkata, is a welcome initiative in this direction, the need of the hour is for more such workshops by other suppliers. From the industrial companies’ perspective, it is necessary for them to initiate specific actions, to begin with to gain awareness and evaluate risks, and subsequently move forward to carry out security audits, vulnerability assessments, and penetration testing, and develop a set of policies and procedures and a crisis management program. Protecting the enterprise begins with implementing straightforward, proper work-related systems, such as access control, and ensuring adherence to cyber security standards. Eternal vigilance and the readiness and ability of the enterprise to identify, recover from, and nullify the effects of a cyber-attack are key to achieving a fair degree of protection. These apart, the ability and preparedness to initiate countermeasures to recover quickly from the attack are also critical. The most important thing is to be aware of the threats, take serious note of the same, and plan & implement countermeasures.


o the United Nations Environment Program’s report “Sustainable, resource efficient cities – Making it happen,” compared to over half of the world’s population residing in cities now, by 2050 almost 80 per cent would be living in cities.


Cyber Vulnerabilities Distract Industrial Companies’ Focus on Core Activities

[Published in Industrial Automation July 2014 issue]

The role of manufacturing information technology as a business enabler is well recognized. It began with manufacturing companies leveraging information technology in their finance and human resource departments to perform transactional functions, such as maintenance of accounts, preparation of financial statements, personnel records, and others. Often a company created an electronic data processing department with a few information technology professionals playing a supporting role. Information technology also made its way into hardcore production operations through instrumentation and control systems. Over the years, this trend expanded and information technology became pervasive, emerging as a powerful tool in the hands of manufacturing enterprises pursuing productivity improvements and business excellence. The span of information technology solutions expanded beyond enterprises to interconnect all economic, industrial, and other activities. The further convergence of information and communication technologies provided an additional spur.

While these trends have generally been positive, ICT has a serious downside too: its vulnerability to cyber-attacks, and such threats are increasing by the day. It is important to note that cyber threats go far beyond the often-reported website and phishing attacks; they now include advanced persistent threats and such others. An advanced persistent threat (APT) is a continuous computer hacking process, often orchestrated by hackers to target a specific entity, including nations, with business or political intent. It uses sophisticated techniques, planting malware that uses the vulnerabilities in the systems. It may use external command and control to continuously monitor, manipulate, and threaten the target’s information technology systems. Stuxnet, which targeted the nuclear centrifuges in is a typical example of an APT.

Comprehending the implications of cyber-attacks

Cyber-attacks are not limited to banks and ATMs but include manufacturing and especially the critical infrastructure industries, such as electric power and water utilities, transportation, communications, and such others. In an interconnected world, such attacks can be catastrophic. Concerned about the lack of necessary awareness and preparedness among the stakeholders about the potential consequences, the US President Barack Obama had to issue the Executive Order for improving Critical Infrastructure Cybersecurity. Section 1 of the Executive Order, relating to policy, highlights, “The cyber threat to critical infrastructure … represents one of the most serious national security challenges we must confront. The national and economic security of the United States depends on the reliable functioning of the Nation’s critical infrastructure in the face of such threats.”

Industrial companies are yet to fully comprehend the implications of cyber-attacks, such as zero-day attacks and advanced persistent threats, on their own enterprises and on national security. Despite malware such as Stuxnet, Flame, Duqu, and others having exposed the vulnerabilities of industrial control systems to cyber-attacks, a lack of awareness about the true nature of such threats among industrial companies exists. Ironically, the very same industrial companies might have made significant investments in protecting their traditional information technology infrastructure! The general perception among most industrial companies is that their control systems, which all these years operated in obscurity, are safe from cyber threats. It is a myth!

The spate of recent happenings in the cyber world clearly establishes that companies have to come to terms with the new reality and act swiftly. Whether manufacturing companies are ready is, however, the moot question. Probably, the answer is ‘no’, and manufacturing companies may find themselves caught on the wrong foot. Let us look, for example, at the recent announcements about the Heartbleed vulnerability and Microsoft’s withdrawal of support for the Windows XP operating system. While the former is a newly discovered threat vector, the latter was only a reconfirmation of an earlier deadline.

Advisories and notifications – Industrial Companies caught on the wrong foot

According to the ICS-CERT Advisory (ICSA-14-105-3) released recently, some of the Siemens industrial products that may be working in critical infrastructure sectors such as chemical, critical manufacturing, energy, food and agriculture, and water and wastewater systems are vulnerable to the OpenSSL Heartbleed bug. Regarding the impact, the Advisory states, “a successful ‘Heartbleed’ exploit of the affected products by an attacker with network access could allow attackers to read sensitive data (to include private keys and user credentials) from the process memory.” It adds that the impact to individual organizations would depend on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation.

Siemens, in its Security Advisory ‘SSA-635659: Heartbleed Vulnerability in Siemens Industrial Products’, says, “The ‘Heartbleed’ vulnerability in the OpenSSL cryptographic software library (CVE-2014-0160) affects several Siemens industrial products,” and goes on to add “Siemens is working on updates for the affected products…” and that the company already provides updates for two of the affected products which fix this vulnerability. The company’s update on the mitigation for two of the affected products includes steps such as disabling the web server or limiting web server access to trusted networks only, disabling FTPS, and such others.

While the ICS-CERT notification, which says that hackers with even low skills would be able to exploit this vulnerability, even remotely, with tools that are publicly available, is worrisome, end users’ challenges in handling such situations and in implementing the mitigation measures suggested by the supplier of industrial products are more troubling. My heart bleeds for end users, the manufacturing companies!

The ICS-CERT advisory also encourages asset owners to take defensive measures that include minimizing the network exposure for all control system devices and/or systems and locating control system networks and remote devices behind firewalls and isolating them from the business network. Additionally, the advisory suggests the use of Virtual Private Networks (VPNs) when remote access is required and adds a rider that VPNs may have vulnerabilities.

Microsoft’s notification is about the withdrawal of technical support and of security patches and updates for the Windows XP operating system, with effect from April 8, 2014. Those who had not switched over to later versions of the operating system or taken Microsoft’s extended support, which too is available for an additional 15 months only, face a perilous future beyond that date. According to the company’s notification, it is very important for customers and partners to migrate to a modern operating system; the available Microsoft options are Windows 7 or Windows 8.1. Explaining further, Microsoft says that systems running Windows XP after April 8, 2014 should be considered as not protected. In other words, persisting with the use of Windows XP beyond the deadline could result in increased cyber security risks, as no new security patches for vulnerabilities would be available. The implied meaning is, either upgrade to a newer operating system or buy a new computer; if you want to buy some additional time, then Microsoft would do you a favor but at additional cost, and not a small sum, as the UK government signed a deal that cost almost £5.6 million.

Asset owner challenges in ensuring control systems’ cyber security

However, implementing some of the suggestions contained in the above-mentioned advisories and notifications poses challenges to many of the asset owners who are purely users of industrial control products, which are an integral part of a much larger, complex plant and enterprise automation system architecture. Compared to enterprise applications, where potential disruptions are manageable, the implementation challenges are more serious in industrial control applications, which demand low downtime and involve customization. In the case of enterprise applications, it is possible to take a backup, shut down the system, apply patches or updates, and then restart. However, in the case of real-time control systems in critical infrastructure industries, which require 24x7 availability, shutdown has to be a scheduled operation with adequate planning. Often, migrations and applying updates may call for redeveloping control applications, involving additional effort, interoperability testing to ensure that the software update works and is compatible with legacy subsystems, and unbudgeted expenses. Additional hardware upgrades, required if the existing hardware does not meet system requirements, and the need to monitor and evaluate the stream of patches and updates that floods in on an almost continuous basis are the other caveats.
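As an added illustration, not from the article and not from ICS-CERT, Siemens or Microsoft, the Python script below triages a constructed asset inventory against the three items discussed above: the Heartbleed advisory and its vendor mitigations (restrict or disable the web server, disable FTPS), the Windows XP end-of-support date, and ICS-CERT's advice to keep control networks off the business network. The `Asset` record, its `zone`/`reachable_from` fields and the sample hosts are assumptions; the affected OpenSSL version range is a general OpenSSL fact, not something the article states.

```python
"""Triage a constructed ICS asset inventory against the two notices above:
the OpenSSL Heartbleed advisory (CVE-2014-0160) and the Windows XP
end-of-support date (April 8, 2014).  Sample data and the inventory
fields are constructed for this example, not taken from any advisory."""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Set

XP_END_OF_SUPPORT = date(2014, 4, 8)   # Microsoft's date, as cited in the text above

# OpenSSL 1.0.1 through 1.0.1f carry the vulnerable heartbeat code; 1.0.1g fixed it.
# (General OpenSSL version facts; the article itself names only the CVE.)
HEARTBLEED_VERSIONS = {"1.0.1" + s for s in ("", "a", "b", "c", "d", "e", "f")}


@dataclass
class Asset:
    """Hypothetical inventory record; zone is 'control' or 'business'."""
    name: str
    zone: str
    os: str
    openssl: Optional[str] = None          # None when no OpenSSL component is present
    web_server: bool = False
    ftps: bool = False
    reachable_from: Set[str] = field(default_factory=set)   # zones that can reach it


def heartbleed_findings(a: Asset) -> List[str]:
    """Patch first; until then apply the vendor mitigations quoted above
    (limit or disable the web server, disable FTPS)."""
    if a.openssl not in HEARTBLEED_VERSIONS:
        return []
    out = [f"{a.name}: OpenSSL {a.openssl} is Heartbleed-affected (CVE-2014-0160); "
           f"schedule the vendor update"]
    if a.web_server and "business" in a.reachable_from:
        out.append(f"{a.name}: web server reachable from the business zone; "
                   f"limit access to trusted networks or disable it")
    if a.ftps:
        out.append(f"{a.name}: FTPS enabled; disable it until patched")
    return out


def xp_findings(a: Asset, today: date) -> List[str]:
    """Windows XP hosts are a migration item before the deadline and an
    'unprotected' item after it, per Microsoft's notification."""
    if a.os != "Windows XP":
        return []
    if today < XP_END_OF_SUPPORT:
        days = (XP_END_OF_SUPPORT - today).days
        return [f"{a.name}: Windows XP; {days} days to end of support, plan migration"]
    return [f"{a.name}: Windows XP unsupported since {XP_END_OF_SUPPORT}; "
            f"treat as unprotected, isolate and plan migration"]


def exposure_findings(a: Asset) -> List[str]:
    """ICS-CERT's general measure: control devices should not be reachable
    from the business network; remote access goes through a firewall/VPN."""
    if a.zone == "control" and "business" in a.reachable_from:
        return [f"{a.name}: control asset reachable from the business zone; "
                f"place behind a firewall and require VPN for remote access"]
    return []


def triage(inventory: List[Asset], today: date) -> List[str]:
    """Run every check over every asset and return the combined finding list."""
    findings: List[str] = []
    for a in inventory:
        findings += heartbleed_findings(a) + xp_findings(a, today) + exposure_findings(a)
    return findings


# Constructed sample inventory (three hypothetical assets).
SAMPLE_INVENTORY = [
    Asset("hmi-01", "control", "Windows XP", reachable_from={"control"}),
    Asset("gw-02", "control", "Embedded Linux", openssl="1.0.1e",
          web_server=True, ftps=True, reachable_from={"control", "business"}),
    Asset("hist-03", "business", "Windows 7", openssl="1.0.1g",
          web_server=True, reachable_from={"business"}),
]
AFTER_DEADLINE = date(2014, 5, 1)
BEFORE_DEADLINE = date(2014, 3, 1)

if __name__ == "__main__":
    for line in triage(SAMPLE_INVENTORY, AFTER_DEADLINE):
        print(line)
```

Run against the sample inventory after the XP deadline, the gateway `gw-02` collects four findings (the affected library, the exposed web server, FTPS, and its business-zone reachability) and the XP host one, while the patched historian produces none.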

Some of the troubling questions that arise are: do end users, the industrial companies, have the necessary expertise to implement corrective measures effectively on their own, without the support of the supplier? What are the consequences of a successful cyber-attack, and who bears the costs? More pertinently, how prepared are supplier companies to support their clients in addressing the cyber security challenges, or would they take a subtle hands-off position? One, unfortunately, gets the message that supplier companies have subtly transferred the responsibility to asset owners. It is interesting to note that the ICS-CERT advisory ICSA-14-105-3 also talks only of encouraging asset owners and gives no direction to control system and related information technology suppliers. Looking beyond, should industrial companies make budget provisions for such incidents in terms of maintenance time and costs, and evolve the necessary command and control reporting structure to handle quickly the situations that may arise in future? The moot point is how asset owners can focus on their core business, for example generating and distributing electricity, when the non-core activity of protecting their information technology and control system infrastructure distracts their in-house resources.

Cyber Security: Troubling Questions

[Published in Industry 2.0 May 2014 issue]

While information and communication technology continues to connect the world and shape our lives in ways never thought of before, its downside is beginning to cast dark shadows. Hackers and cyber criminals are not only exploiting vulnerabilities but also using the technology itself as a cyber-weapon which, in the words of the US President, can take down vital banking systems, trigger a financial crisis, and bring businesses, cities and entire regions to a standstill. Serious players, including state-managed actors with a high degree of hacking skill, sophistication and resources, have joined the erstwhile criminals, whose primary interest was financial gain through fraud. While cyber hacking has extended beyond stealing intellectual property or identities to sabotaging businesses and disrupting nations' critical infrastructure industries, such as electric power, water utilities and transportation, the number of vulnerabilities discovered and notified is also on the increase.

While the report that came out of the joint efforts between the World Economic Forum and McKinsey & Company talks about the frequent occurrences of highly visible information and data breaches and their impact, many Nation States have begun to deliberate about the offensive capabilities of cyber-attacks on their critical infrastructure to destabilize economic & livelihood activities and defense capabilities.

While the recent vulnerability alerts relating to Microsoft Internet Explorer and Heartbleed are examples of the information and data breaches whose ramifications raise serious discussion, President Barack Obama's Executive Order highlights the need to secure the critical infrastructure sector from cyber threats, which it counts among the most serious national security challenges facing the US. This is the new avatar of cyber threats, and it holds true for India and other countries as well. Stuxnet, Duqu, Flame and Shamoon are examples of the threats that confront nation states and their critical infrastructure industries. Stuxnet is the first known malware to explicitly attack industrial control systems; in the reported case of an Iranian nuclear facility, the malware destroyed centrifuges. Duqu, on the other hand, gathers information and does not interfere with industrial operations. Flame can record audio, screenshots, keyboard activity and network traffic, and sends the data, along with locally stored documents, to one of several command and control servers scattered around the world; the program then awaits further instructions from those servers. A virus called Shamoon attacked Saudi Aramco's computer systems and forced the shutdown of the company's internal corporate network, disabling employees' e-mail and Internet access.

Reverting to the customary information and data related breaches: according to information available in the public domain, the Internet Explorer vulnerability allows a remote, unauthenticated attacker to install programs; view, change or delete data; and create new accounts with full user rights. IE versions 6 through 11 are affected.

US-CERT announced on April 10, 2014, in its advisory on the “Heartbleed” OpenSSL vulnerability, that it can potentially compromise Internet communications and transmissions that were otherwise intended to be encrypted, adding that cyber-criminals could exploit it to intercept and decrypt previously encrypted information. The defect itself is a missing bounds check in the OpenSSL heartbeat extension, present in OpenSSL 1.0.1 through 1.0.1f, that lets a remote client read up to 64 KB of the server's memory per request, which is why any product that embeds an affected OpenSSL library is exposed. Going further, the recently released ICS-CERT advisory ICSA-14-105-3 highlights a more worrisome impact of Heartbleed: according to the advisory, some Siemens industrial products that may be operating in critical infrastructure sectors such as chemical, critical manufacturing, energy, food and agriculture, and water and wastewater systems are vulnerable to it.
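
The advisories describe Heartbleed by its effect; the defect is small enough to show in full. The Python below is an added illustration, not code from OpenSSL, US-CERT, ICS-CERT or the original article: the server “memory”, the secret placed next to the received record and the client messages are constructed for the example, and the vulnerable and patched handlers are reduced to the single length check that separates them.

```python
"""Heartbleed (CVE-2014-0160) in miniature.

The OpenSSL heartbeat handler trusted the payload length carried inside the
heartbeat message instead of the length of the TLS record it had actually
received, so a short request claiming a large payload made the server copy
up to 64 KiB of adjacent process memory into its reply.

Added illustration, not code from OpenSSL or from the advisories. The server
"heap", the secret that happens to follow the received record, and the
client messages are all constructed here.
"""
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
HEADER_LEN = 3      # type (1 byte) + payload_length (2 bytes, big-endian)
MIN_PADDING = 16    # RFC 6520: at least 16 bytes of padding follow the payload

# Constructed: unrelated data that happens to sit after the record in memory.
NEIGHBOUR = b"session key: 0x5eCr3T key material " + b"\x00" * 32
SECRET = b"0x5eCr3T"


def build_heartbeat(claimed_len: int, payload: bytes) -> bytes:
    """Encode a heartbeat request. claimed_len is what the client *says* the
    payload length is; a malicious client sets it far above len(payload)."""
    return struct.pack("!BH", HEARTBEAT_REQUEST, claimed_len) + payload + b"\x00" * MIN_PADDING


class ServerMemory:
    """Models the server heap: the received record followed by other data."""

    def __init__(self, record: bytes, neighbour: bytes = NEIGHBOUR):
        self.arena = record + neighbour
        self.record_len = len(record)   # what the TLS record layer really received


def heartbeat_vulnerable(mem: ServerMemory) -> bytes:
    """Pre-1.0.1g behaviour: copy payload_len bytes with no bounds check."""
    _, payload_len = struct.unpack("!BH", mem.arena[:HEADER_LEN])
    # Bug: the slice runs past the end of the record into whatever follows it.
    payload = mem.arena[HEADER_LEN:HEADER_LEN + payload_len]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_len) + payload + b"\x00" * MIN_PADDING


def heartbeat_fixed(mem: ServerMemory):
    """Patched behaviour: silently discard the message unless the record can
    hold header + claimed payload + minimum padding. Returns None if discarded."""
    if mem.record_len < HEADER_LEN:
        return None
    hbtype, payload_len = struct.unpack("!BH", mem.arena[:HEADER_LEN])
    if hbtype != HEARTBEAT_REQUEST:
        return None
    if HEADER_LEN + payload_len + MIN_PADDING > mem.record_len:
        return None   # the check OpenSSL 1.0.1g added
    payload = mem.arena[HEADER_LEN:HEADER_LEN + payload_len]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_len) + payload + b"\x00" * MIN_PADDING


def leaks_secret(response, secret: bytes = SECRET) -> bool:
    """True if bytes that were never part of the request appear in the reply."""
    return response is not None and secret in response


if __name__ == "__main__":
    honest = ServerMemory(build_heartbeat(5, b"hello"))
    malicious = ServerMemory(build_heartbeat(0xFFFF, b""))   # 19-byte record, 65535 claimed
    print("vulnerable handler, malicious request leaks secret:", leaks_secret(heartbeat_vulnerable(malicious)))
    print("fixed handler, malicious request discarded:", heartbeat_fixed(malicious) is None)
    print("fixed handler, honest request still answered:", heartbeat_fixed(honest) is not None)
```

The patched handler applies the same test that OpenSSL 1.0.1g introduced: a heartbeat is dropped unless the record actually received is long enough to hold the header, the claimed payload and the minimum padding. For an asset owner the practical question is which OpenSSL version is embedded inside each product, which is not visible from outside the product; that is what makes the vendor and ICS-CERT advisories indispensable.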

Going beyond President Obama's Executive Order, which focuses on the cyber threat as perceived by nation states, the US Department of Homeland Security has advised CEOs that cyber security risk management should form part of an organization's governance and risk management strategies. The recent cyber incidents and vulnerability advisories clearly establish that companies have to come to terms with the new reality and act swiftly. Some of the troubling questions that arise are: do end users have the necessary expertise to implement corrective measures effectively on their own, without the support of suppliers? In the case of a cyber-breach, who bears the responsibility and the costs? More pertinently, how prepared are supplier companies to support their clients in addressing the cyber security challenges, or are they taking a subtle hands-off position? Unfortunately, one gets the impression that supplier companies are not proactive in tackling cyber security issues and have subtly transferred the responsibility to asset owners. Looking beyond, should industrial companies make budget provisions for such incidents in terms of maintenance time and costs, and evolve the necessary command and control reporting structure to handle quickly the situations that may arise in future? The moot point is how asset owners can focus on their core business, for example generating and distributing electricity or making life-saving medicines, when the non-core activity of protecting their information technology and control system infrastructure distracts their in-house resources.

A few days ago, Target Corp, a retail giant, announced that its CEO, Gregg Steinhafel, had stepped down; according to industry observers, the ouster may be due to the massive data breach the company suffered a few months earlier. The breach, which occurred during the 2013 holiday shopping period, compromised approximately 40 million credit and debit cards and the personal information of millions of customers. The company's CEO took ultimate responsibility. Boards can pin the responsibility on CEOs, but what resources do CEOs have at their command to prevent cyber-attacks effectively? Can suppliers touch their hearts and say that they are not responsible?

Havex Demolishes the Myth of Trusted Sites

[Published in Industrial Automation August 2014 issue]

While information technology professionals were developing faster, more powerful and more user-friendly computers and applications, others who were equally competent in the technology began to indulge in hacking computers and computer systems. In the early years, their primary motivation was the thrill of discovering and exploiting loopholes, to proclaim their skills or for personal gain. Identifying vulnerabilities and exploiting them was more a pastime than a profession, mostly indulged in at a personal level or by small groups. Now the scenario is very different: cyber hacking has become a profession; some practise it with bona fide intentions, others with mala fide goals.

Serious groups with very high stakes and huge resources have come to centre stage with the goal of exploiting cyber vulnerabilities to carry out espionage and to leverage them as a powerful destructive weapon to take down critical assets and cause disruption. They possess a high degree of hacking skill, sophistication and resources. The targets of cyber-attacks go beyond IT infrastructure and enterprise systems to include control systems such as supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS) and programmable logic controllers (PLC). Such attacks can shut down power plants and water utilities and disrupt communication and transportation services. Today, cyber-attacks could come from state actors or from other, unknown groups acting at the behest of others for strategic purposes. The canvas is so wide that it is difficult even to imagine the scope of future cyber-attacks, much less prepare an effective defense against them.

Out comes Havex RAT from the Pandora’s Box

The perpetrators of Stuxnet opened the Pandora's Box of cyber warfare, and Havex RAT is the latest to come out of it. The security firms Symantec and F-Secure have released information about the malware, known as Dragonfly or Havex. According to Symantec, the targets of Dragonfly include energy grid operators, major electricity generation firms and petroleum pipeline operators, and it attacks industrial control systems. According to available reports, Symantec has notified affected victims and the relevant national authorities that handle and respond to Internet security incidents, such as the Computer Emergency Response Teams (CERTs) and the Department of Homeland Security. In the public domain, there is no information about alerts or advisories from any of the ICS suppliers.

The new malware, like Stuxnet, infects industrial control systems (ICS). It is a remote access Trojan (RAT) and, according to reports available in the public domain, it was distributed through the websites of software companies, including ICS/SCADA suppliers, by replacing legitimate applications with trojanized versions that install the malware on targeted systems.

Following the alerts from the security firms, ICS-CERT reported possible Havex Trojan infection of the software installers on at least three industrial control system (ICS) vendor websites. The remote access Trojan communicates with command and control (C&C) servers. ICS-CERT further states that its testing has determined that the Havex payload caused multiple common OPC platforms to crash intermittently, which could have a denial of service effect on applications that rely on OPC communications.

Havex includes a data-harvesting component and a trojanized software installer. The trojanized installer can drop and execute files without the control system users or their vendors being aware of it; by this means the attacker gains access to, and the means to control, the target systems, which may be running the operations of critical infrastructure industries. The data-harvesting component, acting as an intelligence-collecting tool, gathers details about the operating systems, connected devices such as control system devices, the network, vendor information, tag numbers and similar data, and sends them back to the command and control (C&C) servers for the attackers' analysis. It also has a credential-harvesting tool that gathers password details to aid further subversive actions. It is a sophisticated attack, and only time will reveal the true implications of Havex RAT.

With the information that the malware collects, the organization behind Havex RAT has all it needs to attack the critical infrastructure firms it is interested in targeting: the tag numbers of the important regulated parameters, the passwords necessary to change set points, and details of the operating systems and hence their known vulnerabilities. With these operating details available, it would not be a big challenge for the cyber criminals to sabotage the operations of the targeted firms.

The myth of trusted sites

This modus operandi has established that it is possible to infiltrate trusted sources, take control of them and embed malware right into the software on which users rely. From the hackers' perspective it is a smart modus operandi; from the end users' perspective it is a body blow, because the cyber criminals have successfully breached the trusted servers and implanted malware in them. In other words, ICS users cannot even trust the sites on which they depend for their software updates, patches and the like. Havex has demolished the myth of trusted sites. There is no longer such a thing as a trusted site, at least for the time being!

The mitigation strategies recommended in the related alerts and advisories include measures such as implementing IT security best practices, using strong passwords, ensuring that all operating systems and public-facing machines run the latest versions with current security patches, and similar steps. While these are agreed to be mandatory cyber security measures, it is not clear how they serve the purpose when the malware steals the passwords and makes its entry through the very trusted sites on which end users ultimately depend for installing patches!
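
One practical consequence of the trojanized-installer finding is that the download site cannot be the sole source of truth about what an installer should look like. The Python below is an added example, not code from the article, ICS-CERT, F-Secure or any vendor; the two installers, the manifest format (one “filename size sha256” line per file) and both manifests are constructed here for illustration. It shows why a hash published beside the download proves nothing once the site is compromised, and why the same hash obtained over a second channel still catches the substitution.

```python
"""Checking a downloaded ICS installer against integrity data obtained
somewhere other than the download site.

Added example, not code from the article, from ICS-CERT or from any vendor.
The installers, the manifests and the manifest format ("filename size sha256"
per line, '#' starts a comment) are constructed here for illustration.
"""
import hashlib
import hmac

INSTALLER_NAME = "opc-client-setup-2.1.exe"   # assumed name, for illustration

# Constructed: the installer as the vendor built it ...
LEGIT_INSTALLER = b"MZ\x90\x00" + b"OPC-client-setup-2.1 " * 200
# ... and what a compromised download site actually serves: the same file with
# a dropper bundled in, loosely modelled on the reported Havex installers.
TROJANIZED_INSTALLER = LEGIT_INSTALLER + b"\x00RAT-dropper-stub"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_manifest(text: str) -> dict:
    """Parse 'filename size sha256' lines into {filename: (size, sha256)}.
    Malformed lines raise instead of being skipped, so a damaged or tampered
    manifest cannot quietly verify nothing."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"manifest line {lineno}: expected 'filename size sha256'")
        name, size, digest = parts
        digest = digest.lower()
        if len(digest) != 64 or set(digest) - set("0123456789abcdef"):
            raise ValueError(f"manifest line {lineno}: bad SHA-256 digest")
        entries[name] = (int(size), digest)
    return entries


def verify_installer(name: str, data: bytes, manifest: dict) -> tuple:
    """Return (ok, reason). The size check is a cheap pre-filter; the digest
    comparison is the real test."""
    if name not in manifest:
        return False, "file not listed in manifest"
    size, expected = manifest[name]
    if len(data) != size:
        return False, f"size mismatch: manifest {size}, file {len(data)}"
    if not hmac.compare_digest(sha256_hex(data), expected):
        return False, "SHA-256 mismatch"
    return True, "matches manifest"


def make_manifest(name: str, data: bytes) -> str:
    return f"# {name} release manifest\n{name} {len(data)} {sha256_hex(data)}\n"


# Constructed: the manifest the vendor published before the compromise, which the
# asset owner obtained over a separate channel (for example a signed bulletin).
OUT_OF_BAND_MANIFEST = make_manifest(INSTALLER_NAME, LEGIT_INSTALLER)
# Constructed: the manifest now hosted beside the download. An attacker who can
# replace the installer can just as easily update the hash next to it.
SAME_SITE_MANIFEST = make_manifest(INSTALLER_NAME, TROJANIZED_INSTALLER)


def check_download(data: bytes) -> dict:
    """Verify one download against both manifests and return both verdicts."""
    return {
        "same_site": verify_installer(INSTALLER_NAME, data, parse_manifest(SAME_SITE_MANIFEST))[0],
        "out_of_band": verify_installer(INSTALLER_NAME, data, parse_manifest(OUT_OF_BAND_MANIFEST))[0],
    }


if __name__ == "__main__":
    print("trojanized download:", check_download(TROJANIZED_INSTALLER))
    print("genuine download:   ", check_download(LEGIT_INSTALLER))
```

Pinning hashes obtained out of band is the minimum; a vendor code-signing certificate, validated against the certificate chain rather than against anything on the download site, gives the same protection without a second manual channel, provided the signing key itself was not compromised. Either way, the check belongs in the engineering workstation's change procedure, before any installer is allowed near a control network.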

It is time for the thought leaders from the IT and automation industries to introspect and chart out a new roadmap so that they can provide in the near future control systems that are built on security as the cornerstone – control systems that are inherently more resilient to cyber-attacks. Their silence cannot wish away the cyber threats.

Can India Protect itself from Cyber Threats?

[Published in Deccan Herald on July 21, 2014]

Just think of a series of incidents taking place in quick succession across the country that cripple power and water supplies and communication and transportation services, and you will understand their debilitating effect on our lives. A cyber-attack can trigger all of these and many more catastrophic incidents with grave consequences. This is not the preamble to a science fiction story but a depiction of what is happening in cyberspace. While most of us are well aware of how information technology is transforming our lives in positive ways, many are not cognizant of its downside: cyber vulnerabilities. Highly skilled and organized cyber attackers, including nation states, have developed cyber weapons that target critical infrastructure assets. It is important for India, which is building critical infrastructure assets as part of its economic growth ambitions, to reckon with its geo-political compulsions, recognize the true nature of the threats, and develop strategies to protect those assets from cyber-attacks.

The recent revelations of Edward Snowden and the reports on Stuxnet, Duqu, Flame, Shamoon, Dragonfly and similar malware give us a glimpse of how cyberspace is emerging as the major battleground for gathering intelligence and launching subversive activities. Cyber weapons are low-cost yet very powerful, possess both offensive and defensive capabilities, and can effectively take down the critical assets on which a country's national and economic security depends.

Cyber threat perceptions

The consequences of cyber-attacks are serious enough that President Barack Obama issued an executive order on improving US critical infrastructure cyber security. The page “The Comprehensive National Cybersecurity Initiative” on www.whitehouse.gov says that the President has identified cybersecurity as one of the most serious economic and national security challenges confronting the US, and adds that the government and the country are not adequately prepared to counter it. If what is widely written in numerous articles and reports is true, the US was involved with Stuxnet, the malware that crippled the Iranian centrifuges; the US President therefore knows best the true implications of cyber-attacks in their new manifestation. According to a recent poll conducted by Defense News Leadership and underwritten by United Technologies, almost half of the US national security leaders who responded consider cyber warfare the most serious threat facing the United States. Israel's Major General Aviv Kochavi, speaking at the annual conference of the Institute for National Security Studies in Tel Aviv, said, “Cyber, in my modest opinion, will soon be revealed to be the biggest revolution in warfare, more than gunpowder and the utilization of air power in the last century.” David Cameron, Britain's Prime Minister, writing in The Telegraph, has warned that the country faces changing threats in the form of global terrorism and unseen cyber criminals who can target the country from abroad, and has pledged £1.1 billion for defense to fight cyber terrorists.

Cyberattack targets control systems and critical infrastructure assets

Stuxnet, a computer malware that targeted industrial sites in Iran, among them a uranium enrichment plant, is a good example of a cyber-attack on critical national assets. Stuxnet destroyed centrifuges by changing, without the knowledge of the plant operators, the set point at which the centrifuges were supposed to rotate. It is the first known reported case of malware that explicitly and successfully attacked industrial control systems. While Stuxnet established the offensive capability of cyber-attacks, the most recently discovered malware, Dragonfly, shows the information-gathering activity in cyberspace that could be the precursor to future cyber-attacks.

The security firms Symantec and F-Secure have recently released information about the malware Dragonfly, also known as Havex RAT. According to Symantec, the targets of Dragonfly include energy grid operators, major electricity generation firms and petroleum pipeline operators, and it attacks industrial control systems. It uses a remote access Trojan (RAT) and, according to reports available in the public domain, was distributed through the websites of software companies, including ICS suppliers, by replacing legitimate applications with trojanized versions that install the malware on targeted systems.

The Trojan communicates with command and control (C&C) servers. It can drop and execute files without the control system users or their vendors being aware of it; by this means the attacker gains access to, and the means to control, the target systems, which run the operations of critical infrastructure industries. The data-harvesting component, acting as an intelligence-collecting tool, gathers details about the operating systems, connected devices such as control system devices, the network, vendor information, tag (identification) numbers and similar data, and sends them back to the command and control servers for further analysis by the attackers. It also has a credential-harvesting tool that gathers password details to aid further subversive actions. It is a sophisticated attack, and only time will reveal the true implications of Dragonfly.

ICS-CERT of the US reports infection of the software installers on at least three ICS vendor websites. It further states that ICS-CERT testing determined that the malware payload caused multiple common OPC platforms to crash intermittently, which could have a denial of service effect on applications that rely on OPC communications. The acronym OPC comes from “OLE (Object Linking and Embedding) for Process Control” and denotes a software interface standard used between control systems and applications.

With the information that the malware collects, the organization behind Dragonfly has all it needs to attack at will the critical infrastructure companies it is interested in targeting: the tag numbers of the important regulated parameters, the passwords necessary to change set points, and details of the operating systems and hence their known vulnerabilities. With these operating details available, it would not be a big challenge for the cyber criminals to sabotage the operations of the targeted companies engaged in producing electricity, distributing water, operating airports and rail transportation, providing communication services, and the like.

Is India doing enough?

Groups possessing high degree of cyber hacking skills, sophistication, and resources are involved in such activities. They include even state actors or other groups acting at their behest or on behalf of non-state actors. The canvas is so wide that it is even difficult to imagine the scope of the future cyber-attacks much less prepare an effective defense against them.

While all countries face cyber threats, India, because of its geo-political compulsions, is highly vulnerable. Little information is available in the public domain beyond two facts: that the Stuxnet malware infected a large number of installations in India, and that the government has authorized the National Critical Information Infrastructure Protection Centre (NCIIPC), which functions under the National Technical Research Organisation (NTRO), to take all necessary measures to facilitate safe, secure and resilient information infrastructure for critical sectors in the country.

Additionally, the government of India's Inter Departmental Information Security Task Force (ISTF) has set up the Indian Computer Emergency Response Team (CERT-In) to respond to cyber security incidents and take steps to prevent their recurrence. The lack of credible information about the measures NCIIPC is taking to protect the country from cyber threats is a cause for concern. NCIIPC's charter mandates that it should “raise information security awareness among all stakeholders”, and by its silence it is failing in that duty.

While almost all leading Computer Emergency Response Teams (CERTs) regularly issue alerts about vulnerabilities, it is annoying to find that the website of their Indian counterpart, CERT-In, is not accessible most of the time. In matters such as cyber security threats to the country's critical infrastructure industry, it is critical to get all stakeholders on the same page, and a certain degree of openness is absolutely necessary to create the necessary awareness and secure their commitment to take appropriate action.

More proactive measures such as organizing seminars and training workshops, involving the academia in starting appropriate courses, initiating a dialogue with the information technology companies and seeking their involvement in software testing are needed to prepare the country for future eventualities. Creating awareness among the critical infrastructure industries so that they are future ready for such contingencies is critically important.

In my opinion, self-reliance is the way forward while fully collaborating with all the global initiatives. Based on the success achieved in space and nuclear technologies thanks to domestic institutions such as Indian Space Research Organization and Bhabha Atomic Research Center, it is time for the policy makers to initiate appropriate measures.

Industrial Control Systems’ Cyber Security

[Published in Honeywell’s ‘isolve’ Issue26]

During the many years of my association with the control and instrumentation (C&I) industry, I have worked on the assumption that controllers and instruments must meet industrial companies' functional requirements: accuracy, safety and reliability, and robustness and repeatability. Industrial companies invested in C&I systems not only to secure health, safety and environment (HSE) protection, but also to improve plant asset performance and profitability.

Information Technology and Industrial Control Systems

With information technology (IT) emerging as the underlying technology supporting industrial control systems, C&I companies took big strides and leveraged IT to improve control systems' functionality and performance, operator interfaces, archiving of historical information, communication and analytical capabilities, self-diagnostic features, and the like. They enhanced the performance of control and instrumentation systems and made them user friendly and rich in functionality by leveraging the power of IT. While they enhanced the functional safety of control systems, measured in terms of mean time to failure, availability and similar factors, what was lost sight of was securing the control systems against cyber criminals manipulating them into malfunction. True, such acts were unforeseen and unthinkable when automation companies began to leverage information technology to introduce industrial control systems such as distributed control systems (DCS), supervisory control and data acquisition (SCADA) systems and programmable logic controllers (PLC), but the situation has changed drastically since then.

ICS Vulnerabilities Get Exposed

The recent advent of Stuxnet, Flame, Duqu and similar malware has exposed the vulnerability of industrial control systems to cyber-attacks and thus opened Pandora's Box. We cannot wish away this ground reality: cyber threats, posing serious challenges not only to industries but also to nation states, are here to stay. The only way forward is to accept the reality of such threats and take remedial action. Vigilance, readiness, and the ability of enterprises and the country to initiate measures to prevent cyber-attacks through industrial control systems are vital. While the threat perceptions keep escalating, the smug feeling that the threats will pass, that the chances of attack are remote, or that we would somehow escape the agony, continues to linger among many enterprises, especially manufacturing companies in India. These are false and dangerous assumptions.

A control system, at the broadest level, has innumerable nodes spanning numerous field devices, I/O cards, communication buses, controllers and operator interfaces. Typically, field devices are accessible through dedicated lines, handheld devices or other communication channels, including wireless. A cyber attacker who gains unauthorized access to the field devices can cause them to malfunction by changing their characteristics and/or behaviour, and thereby manipulate the entire plant or enterprise control. Additionally, the control system architecture has numerous servers, engineering stations, human machine interface terminals and the like; by gaining access to them, an attacker can manipulate operator and controller actions and data-driven applications. Similarly, by gaining access to the communication buses, an attacker could take complete control of the network and manipulate the flow of information and command signals.

Protection Calls for Two-pronged Approach

Protecting the infrastructure industries from cyber-attacks calls for a two-pronged approach: on one hand, automation suppliers' initiatives to create awareness among end users about the threats and to offer appropriate solutions; on the other, end users' own countermeasures to secure protection from such attacks.

Automation Suppliers’ Initiatives

The Honeywell Industrial Cyber Security workshop recently held at Kolkata for the company's clients is a welcome initiative in this direction. According to the agenda, the workshop covered recent cyber security incidents, the security standards for ICS (ISA-99/IEC 62443 and ISO/IEC 27001), various government regulatory initiatives, the cyber security management system (CSMS), selected security countermeasures, and the portfolio of Honeywell Cyber Security Services. The need of the hour is for more such workshops by other suppliers, to create the necessary awareness among end users about securing industrial control systems from a defense-in-depth perspective. While almost all automation suppliers have established dedicated teams to address cyber security concerns, they need to lead from the front to reassure end users and protect their ICS from being hijacked for malicious objectives.

In addition, it is necessary for automation suppliers to reassess the industrial control system architecture and all its subsystems and components in the context of their vulnerability to cyber-attacks. It is essential for automation vendors to collaborate with other stakeholders, including governmental nodal agencies such as the Government of India's Inter Departmental Information Security Task Force (ISTF) and its arm, the Indian Computer Emergency Response Team (CERT-In), and the industry association bodies. Automation suppliers must also quickly develop and offer appropriate solutions with the help of collaborating partners working in domains such as smart firewalls, endpoint security, secure coding certification and others. In the long term, automation vendors have to introduce a range of control system offerings with strong built-in security features to protect them from malicious attacks. They may also have to offer add-on packages with configurable options to meet the needs of customers using existing and erstwhile control systems.

End Users' Initiatives

From the industrial companies' perspective, it is necessary to initiate specific actions, beginning with gaining awareness and evaluating risks, and subsequently moving on to a security audit, vulnerability assessment and penetration testing, and the development of policies, procedures and crisis management programs. Protecting the enterprise begins with implementing straightforward work-related systems, such as access control, and ensuring adherence to cyber security standards. The ability and preparedness to initiate countermeasures and recover quickly from an attack are also critical. The most important thing is to be aware of the threats, take serious note of them, and plan and implement countermeasures.

The US Department of Homeland Security gave this as one of its five pieces of advice to CEOs, and it is equally valid for CEOs of domestic companies: "Incorporate cyber risks into existing risk management and governance processes. Cyber security is NOT implementing a checklist of requirements; rather it is managing cyber risks to an acceptable level. Managing cyber security risk as part of an organization’s governance, risk management, and business continuity frameworks provides the strategic framework for managing cyber security risk throughout the enterprise.”