In our last blog article, we discussed the rise of cyber attacks targeting the manufacturing sector. As legacy systems get updated for the modern age, industrial equipment and other control systems that were never designed to connect to the Internet are now vulnerable to sabotage, information theft, and ransoming.
Craig Reeds is a Cybersecurity Systems Engineer at Velta Technology. His 30+ years of experience in the industry predate the word “cybersecurity” itself. He has generously agreed to shed some more light on technical and conceptual problems with control systems security in the Internet age.
What motivates the decision to connect legacy control systems to other computer networks?
The main factor in the decision to connect an Operational Technology (OT) network to the IT network is convenience. The ability to remotely control, monitor and make changes, especially in our current “work from home environment”, looks like a great productivity increase. The problem is that often the people doing this work do not have a clear understanding of the OT network and its vulnerabilities.
Can modernization of legacy systems be achieved without connecting them to the Internet, or to other computer systems that connect to the Internet?
Yes, Industrial Control Systems can be modernized by using IoT and IIoT devices and can be connected to the IT network securely, by allowing data traffic to flow out of the OT network to the IT network for monitoring and reporting purposes. If firewalls are configured appropriately or data diodes are put in place to only allow traffic to flow out of the OT network, modernization can be achieved securely.
In your recent article in 2600 magazine, you examined typical architectures of these systems. It looks to me like legacy systems do not use a layered approach, such as that found in the OSI Model or TCP/IP Protocol Architecture Model. Are there historical or technical reasons for this? Does a non-layered approach present unique security benefits or challenges? Does modernizing a legacy system necessitate alterations to its architecture?
The unfortunate part of the article published in 2600 was the fact that I could not include diagrams to better make my points. In the OT or Industrial Control System environment everything is in what is called the Purdue Model.
In the work that we do at Velta Technology, we go in and make sure that systems are communicating based on the Purdue Model. For instance, there is no reason for a PLC that exists in Level 2 to be communicating directly with devices in Level 4 or 5. We find these abnormalities in communication and then work with our customers to fix and secure their OT network.
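The two rules from the answers above (data may leave the OT network for IT monitoring but nothing on the IT side should initiate into OT, and a low-level control device should not talk directly to Level 4 or 5) written out as a small flow-audit script. This is an added example, not code from Velta Technology or the interviewee; the host inventory, Purdue level assignments and flow records are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed inventory: Purdue level of each host (example values, not real).
LEVEL_OF = {
    "10.0.1.10": 1,  # PLC
    "10.0.2.20": 2,  # HMI / supervisory control
    "10.0.3.30": 3,  # site operations, e.g. a historian
    "10.0.4.40": 4,  # business IT
    "10.0.5.50": 5,  # enterprise network
}

# Constructed flow records, one "src dst dport" per line.
FLOW_LOG = """\
10.0.1.10 10.0.2.20 502
10.0.3.30 10.0.4.40 443
10.0.4.40 10.0.1.10 502
10.0.2.20 10.0.5.50 443
192.0.2.9 10.0.1.10 502
"""

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int

def parse_flows(text):
    """Turn the text records into Flow objects."""
    rows = (line.split() for line in text.splitlines() if line.strip())
    return [Flow(src, dst, int(dport)) for src, dst, dport in rows]

def violation(flow):
    """Return why a flow breaks the policy, or None if it is allowed."""
    s, d = LEVEL_OF.get(flow.src), LEVEL_OF.get(flow.dst)
    if s is None or d is None:
        return "host not in inventory"
    # OT (levels 0-3) may push data out to IT, but IT (levels 4-5) must not
    # initiate connections into the OT network: the one-way rule.
    if s >= 4 and d <= 3:
        return f"inbound IT->OT (L{s}->L{d})"
    # A control-level device reaching level 4/5 directly skips level 3,
    # the abnormality the interview describes.
    if s <= 2 and d >= 4:
        return f"direct L{s}->L{d}, bypasses level 3"
    return None

def audit(flows):
    """Pair each offending flow with its reason; allowed flows are dropped."""
    return [(f, why) for f in flows if (why := violation(f)) is not None]
```

Running `audit(parse_flows(FLOW_LOG))` flags three of the five constructed flows; the historian pushing a report outward (Level 3 to Level 4) passes, as the one-way rule intends.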
If leaders in government, disgruntled employees, or carelessness can still lead to system failures today, does this mean there are security problems within control systems that are not related to computer networking or hacking? Can these problems be solved simultaneously with external security problems?
Every computer and every network, be it IT or OT, is vulnerable to attack. The issue is that cybersecurity of industrial networks has been ignored until recent years. Disgruntled employees, employees that accept bribes to do or allow damage to happen, and general carelessness will always be issues that we battle. We can have the most cyber secure system possible, but that is no protection from someone who has the right to control the system and does something to damage it intentionally or unintentionally.
You also mentioned in your article that policy compliance and security don’t always share goals or may fundamentally conflict. Is policy compliance a substandard solution for measuring system safety and security? What other models of verification, validation, etc. exist in your field?
In the electric power generation and distribution industry you have the NERC CIP regulations. These are a series of Critical Infrastructure Protection regulations that have helped to improve the cybersecurity of the systems; however, just because an entity is compliant with the regulations does not mean they are cyber secure. Organizations sometimes get too wrapped up in checking compliance boxes and not going the extra step to achieve true cybersecurity. There are other standards such as ISO 27001, IEC 62443, NIST 800-53 or NIST 800-171 that take things much further toward cybersecurity.
Do you oppose merging IT and OT departments because it represents inherent risk to security, or because of logistical complications or other practical reasons? What motivates keeping IT and OT departments distinct?
I have no problem with IT and OT departments merging as long as everyone understands the difference in mission between IT and OT. IT is all about what is new and shiny, whereas OT is all about what is proven and has always worked. IT is about the CIA Triad – Confidentiality, Integrity, Availability. OT on the other hand is about the AIC triad – Availability, Integrity, Confidentiality. As long as this is understood, then I see no reason why the two teams cannot merge.
In the critically acclaimed 1983 action adventure movie WarGames, starring Matthew Broderick, Ally Sheedy, and John Wood, a young computer enthusiast stokes the slow-burning fire of a nuclear cold war by inadvertently compromising the United States’ nuclear missile launch system through a backdoor vulnerability. Do simple flaws such as backdoor access exist in real control systems, or are more sophisticated forms of attack required to compromise these systems?
Yes, some vendors do put backdoors in their systems for maintenance purposes, which can lead to vulnerabilities. Also, by doing a simple search on Shodan or Censys, you can easily find PLCs and other Industrial Control Systems connected to the Internet and unprotected. Backdoors are unnecessary when mistakes like that are made.
What regulatory bodies or other legal actors monitor and respond to errors in life-critical and safety-critical control systems? What should the public know in order to understand news events about hacked control systems?
The Cybersecurity and Infrastructure Security Agency (CISA) as well as the FBI monitor cybersecurity issues here in the United States and around the world. They send out alerts and mitigation steps that can be put in place to secure against new vulnerabilities.
Should people in technological disciplines outside your industry do anything in particular to stay informed or protect themselves and their investments from harm? What cooperation is needed from those or other people in order to effectively realize modern security goals?
Education is key, not necessarily certification, but always reading, always experimenting, always learning about the risks, threats and vulnerabilities that are out there and how to protect against them. Cybersecurity practitioners have a wealth of knowledge that needs to be shared with the general population. Teach cybersecurity awareness for senior adults, schools, or any other place that they will let you speak. By educating everyone on cybersecurity, we all become more secure.