Stuxnet Legacy 2 – New advanced persistent threats target industry
Stuxnet’s design provided a toolkit for other sophisticated malware known as advanced persistent threats (APTs); however, unlike Stuxnet, which targeted an industrial process, recent APTs have focused on industrial espionage to steal business information. APTs are hard to detect; they can hide and collect data for years, and the losses resulting from them are financial and reputational rather than safety or environmental incidents. Critical infrastructure such as financial services has been dealing with APTs for years, but they are new to the industrial space. An example is the Night Dragon attacks, which stole business information from petrochemical companies in North America, including energy contract information, oil field bids and production data.
Stuxnet Legacy 3 – Focusing cyber terrorism in the United States and the Middle East
According to a June 2012 article in The New York Times, Stuxnet was attributed to a joint U.S./Israeli intelligence operation called "Operation Olympic Games", started under President George W. Bush and expanded under President Barack Obama. As word spreads, attacks from nation states, criminals or other hackers will increase. Particularly for security executives with facilities in the United States or the Middle East, now is the time to renew your industrial cyber security efforts.
A successful attack on an industrial network could mean production losses, significant safety or environmental issues or the theft of intellectual property, including information obtained from the enterprise network. Indeed, the industrial network could be the simplest backdoor to your enterprise network.
With reliable, continuous production a high priority, industrial networking devices that stay in service for 10 to 20 years, and capital spending under restraint, the solution to this problem is not the wholesale replacement of equipment.
Security Best Practices
A combination of best practices, technologies designed for industrial security and a focused effort is effective in mitigating the risk of attacks on industrial systems.
It is important that your security staff is familiar with industrial security standards. No matter what industry you are in, the ISA/IEC 62443 standard (formerly ISA-99) should apply. Major oil, gas and chemical companies such as Exxon, Dow and Dupont are using it, and its strategies are often applied successfully in the field.
Particular industries also have their own standards, such as NERC CIP for the North American power industry. NERC not only develops reliability standards but also assesses adequacy, monitors the system, and educates, trains and certifies industry personnel. Unlike IEC 62443, which is a voluntary standard, NERC CIP has enforcement powers.
Here are seven steps to ICS and SCADA security, which condense numerous industry standards and best practice documents into an easy-to-follow process (download a white paper detailing this process at http://web.tofinosecurity.com/download-7-steps/):
- Assess existing systems: Understand risk and prioritize vulnerabilities.
- Document policies and procedures: Determine your organization’s position regarding ICS and develop company-specific policies.
- Train personnel and contractors: Develop and institute policy awareness and training programs.
- Segment the control system network: Create distinct network segments and isolate critical parts of the system.
- Control access to the system: Provide physical and logical access controls.
- Harden the components of the system: Lock down the functionality of components.
- Monitor and maintain the system: Update anti-virus signatures, install patches and monitor for suspicious activity.
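Steps four and seven above, segmenting the control network and monitoring it for suspicious traffic, can be checked mechanically once zones and their permitted conduits are written down. The following is an added example, not code from the white paper or from Tofino Security: it defines a hypothetical zone layout with constructed addresses and conduits, then audits a set of constructed flow records (as one would parse from firewall logs) and reports every flow that crosses a zone boundary outside a permitted conduit, such as an enterprise host talking straight to a PLC.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Hypothetical zone layout; addresses are constructed for this example.
ZONES = {
    "enterprise": ipaddress.ip_network("10.0.0.0/16"),
    "dmz":        ipaddress.ip_network("10.1.0.0/24"),
    "control":    ipaddress.ip_network("192.168.10.0/24"),
}

# Permitted conduits as (source zone, destination zone, destination port).
# Only the DMZ may reach the control zone, and only for historian polling.
CONDUITS = {
    ("enterprise", "dmz", 443),  # enterprise users read the DMZ web/historian server
    ("dmz", "control", 502),     # DMZ historian polls PLCs over Modbus/TCP
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int

def zone_of(ip: str) -> str:
    """Map an address to its zone name, or 'unknown' if it is in no zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"

def check_flow(flow: Flow) -> Tuple[bool, str]:
    """Return (allowed, reason): intra-zone traffic or a listed conduit is allowed."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone and src_zone != "unknown":
        return True, f"intra-zone {src_zone}"
    if (src_zone, dst_zone, flow.dport) in CONDUITS:
        return True, f"conduit {src_zone}->{dst_zone}:{flow.dport}"
    return False, f"no conduit {src_zone}->{dst_zone}:{flow.dport}"

def audit(flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Return the flows that violate the segmentation policy, with the reason."""
    violations = []
    for flow in flows:
        allowed, reason = check_flow(flow)
        if not allowed:
            violations.append((flow, reason))
    return violations

# Constructed sample flows, as if parsed from firewall logs.
SAMPLE_FLOWS = [
    Flow("10.0.5.20", "10.1.0.10", 443),     # enterprise -> DMZ web: allowed
    Flow("10.1.0.10", "192.168.10.5", 502),  # DMZ historian -> PLC: allowed
    Flow("10.0.5.20", "192.168.10.5", 502),  # enterprise host straight to PLC: violation
    Flow("192.168.10.5", "10.0.5.20", 445),  # PLC reaching back into enterprise: violation
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"VIOLATION {flow.src} -> {flow.dst}:{flow.dport} ({reason})")
```

In practice the conduit table is the documented policy from step two, and the flow list comes from the firewall or monitoring system, so a non-empty audit result is exactly the suspicious activity step seven asks you to watch for.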
Another best practice is to follow the principle of Defense in Depth, which emphasizes using many layers of defense and avoids reliance on a single technology such as a perimeter firewall.
It is important to look for technology solutions that are designed for the plant floor. The harsh physical environment, the staff skills, the unique communication protocols and the focus on safety and reliability distinguish industrial requirements from IT requirements.
Here’s a guide to selecting technology: