Is Cybersecurity really on the agenda of the ICS community?

In November, Toreon (my colleague Vincent Haerinck and myself) attended the fifth LSEC annual Industrial Automation Security conference at the Antwerp Engineering Company.

It was a nice one-day event with speakers from companies such as Airbus, Rohde & Schwarz, SecurityMatters, Kaspersky, DutchSec, Secudea and Flowman. Topics covered included “Actual and future Industrial Cyber Security views on Process, People and Technology”, “Cybersecurity Challenges at Airbus Defense & Space production”, “Protecting Industry 4.0 and the Industrial Internet of Things”, “Tricking the hacker: Honeypots for Industrial Control Systems” and “Hidden Dangers of Remote Management in ICS”.

Very interesting subjects, right?

The intended audience of the event included:

• Manufacturing Companies
• Critical Infrastructure Operators
• IT / OT Security Managers
• Plant / Production / Process Managers
• Industrial Control Systems [Security] Experts

And yet:
There were seventy seats at the event. Ten remained empty, ten were for speakers, ten for vendors, ten for students and ten for consultants such as myself. That leaves about twenty seats for people from the industry. Only twenty people from the industry attended a nice event about Industrial Automation Security!

What does that mean?
Do automation engineers just not care about security in the OT environment? I would have thought that incidents like Stuxnet, … would have shown people that ICS security really matters!
I still find it so unbelievable that companies are willing to invest time and resources to protect their intranet servers while at the same time leaving their production systems unprotected.

You know, today, OT systems are no longer purely mechanical and they are not isolated. They are IT systems that are connected to the rest of the IT infrastructure and (indirectly) to the internet. Worse yet, they often lag the IT world by five to ten years in technology but have a lifespan of several decades.
ICS systems really need to be protected!

What can we do to raise awareness in the ICS/SCADA/OT community?


Why the IT-OT Convergence is all about knowledge sharing

After attending the fifth Cyber and SCADA Security for Oil & Gas Industry conference, it became apparent that lots of companies are having a hard time with the mingling of IT staff in OT/ICS environments: the so-called IT-OT Convergence.

My personal opinion is that the involvement of the IT people in OT environments is a very positive thing, as both typically have their strong points:
– IT environments often have broader experience in assessing cyber threats and their associated attack vectors, as they long ago left behind the idea that all information systems could be protected merely by ensuring the physical security of the building they are placed in.
– Both IT and OT face increasing numbers of targeted attacks towards their environments, like Zeus, NotPetya, Trisis, BlackEnergy…
– Lots of IT-targeted attacks created collateral damage in the OT environments due to the type of malware and their attack vectors (e.g. the numerous ransomware attacks that were seen on SCADA and ICS systems, which were spread by infected USB devices or just because the system had direct internet access).
– OT people often have far more experience in risk and safety analysis, as they have been doing it for the better part of a century.

When combining these strong points, we might just create an acceleration in the ever-so-slow development cycle of the OT environments. However, we must also keep a few important things in mind:
– OT and IT have very different goals regarding what they want to protect from cyber-attacks. IT is typically all about confidentiality and privacy, whereas the OT environment is all about (personal) safety, reliability and availability.
– Some technologies in IT seem like a good fit for particular problems within OT, but they might break more than they fix. OT environments often contain legacy systems dating from the eighties or even earlier, using proprietary protocols, and these systems may have been retrofitted to communicate over IP networks. An automated network scan could, for example, break an older RTU just by trying to ping it.

With OT environments undergoing a skill drain, there are important challenges ahead that might require innovative approaches and efficiency gains.

I would strongly advise continuing to put IT people in OT environments and vice versa, but solely to act as advisors to one another. Both have years or even decades of experience in their respective areas, and now that they are facing similar challenges, the time has come to join forces and go for a safer tomorrow!


The problem with ICS security improvements

In the BruCON workshop on ICS and SCADA security (which you can read about here), we learned how to hack ICS systems using Wireshark. In the process, we also came to some conclusions about the problems with ICS security in real life.

One problem with ICS and SCADA systems is the limited hardware. Old PLCs run very limited chipsets, not at all comparable to the hardware that now runs our small devices. These systems were only designed to handle a very small set of data and logic actions. Even if you wanted to add them, there just isn’t any room for advanced software features like proper authentication or encryption.

Furthermore, many industrial facilities are now using unsupported PLCs. Upgrading security would mean replacing all of these old devices.

And even if you decide to do so, making changes in a live PLC environment is not simple. The focus of the business is on uptime. Awareness of ICS security is too low, so the business does not value security improvements highly compared to the cost of stopping a production line.