Industrial Network Security, Second Edition
Copyright © 2010
ISA—The International Society of Automation
All rights reserved.
Printed in the United States of America.
10 9 8 7 6 5 4 3 2
ISBN 978-1-936007-07-3
No part of this work may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior written permission of the publisher.
ISA
67 Alexander Drive
P.O. Box 12277
Research Triangle Park, NC 27709
www.isa.org
Library of Congress Cataloging-in-Publication Data in process
Notice
professional judgment in using any of the information presented in a particular application.
Additionally, neither the author nor the publisher have investigated or considered the effect of any patents on the ability of the reader to use any of the information in a particular application. The reader is responsible for reviewing any possible patents that may affect any particular use of the information presented.
Any references to commercial products in the work are cited as examples only. Neither the author nor the publisher endorse any referenced commercial product. Any trademarks or trade names referenced belong to the respective owner of the mark or name. Neither the author nor the publisher make any representation regarding the availability of any referenced commercial product at any time. The manufacturer's instructions on use of any commercial product must be followed at all times, even if in conflict with the information in this publication.
Acknowledgments
My appreciation is expressed for the people who helped and inspired me to write the second edition of this book.
Once again, my special thanks go to my ISA editor, Susan Colwell.
John Clem, from Sandia National Laboratories, contributed content on Red Teaming for the new Chapter 9, New Topics in Industrial Network Security.
My good friend from college, Andy Hagel, provided content and review for Chapter 3, COTS and Connectivity.
As with the first edition, Tom Good from DuPont and Dave Mills of Procter & Gamble provided content for Chapter 10.
Table of Contents
Preface
Chapter 1.0 Industrial Network Security
1.1 What Are Industrial Networks?
1.2 What Is Industrial Network Security?
1.3 The Big Picture: Critical Infrastructure Protection
1.4 The Challenge: "Open and Secure"
1.5 Who's Working on What?
1.6 Federal Regulatory Authority
References
Chapter 2.0 A Security Backgrounder
2.1 Physical, Cyber, and Personnel Security
2.2 Risk Assessment and IT Cybersecurity
2.3 Risk Assessment for the Plant
2.4 Who's Responsible for Industrial Network Security?
2.5 Tips for Making the Business Case to Upper Management
2.6 Making the Business Case with Data
References
Chapter 3.0 COTS and Connectivity
3.1 Use of COTS and Open Systems
3.2 Connectivity
3.3 What You Get that You Didn't Bargain For
References
Chapter 4.0 Cybersecurity in a Nutshell
4.1 Security Is a Process
4.2 Basic Principles and Definitions
4.3 Basic Principles: Identification, Authentication, and Authorization
4.4 More Cyber Attack Case Histories
4.5 Risk Assessment and Risk Management Revisited
4.6 Cyber Threats
4.7 Vulnerabilities
4.8 A Common COTS Vulnerability: The Buffer Overflow
4.9 Attacker Tools and Techniques
4.10 Anatomy of the Slammer Worm
4.11 Who's Guarding Whom?
References
Chapter 5.0 Countermeasures
5.1 Balancing the Risk Equation with Countermeasures
5.2 The Effect of Countermeasure Use
5.3 Creating an Industrial Network Cyber Defense
Chapter 6.0 Cyberdefense Part I—Design and Planning
6.1 Defense in Layers
6.2 Access Control
6.3 Principle of Least Privilege
6.4 Network Separation
References
Chapter 7.0 Cyberdefense Part II—Technology
7.1 Guidance from ISA99 TR1
7.2 Firewalls and Boundary Protection
7.3 Intrusion Detection
7.4 Virus Control
7.5 Encryption Technologies
7.6 Virtual Private Networks (VPNs)
7.7 Authentication and Authorization Technologies
References
Chapter 8.0 Cyberdefense Part III—People, Policies, and Security Assurance
8.1 Management Actions and Responsibility
8.2 Writing Effective Security Documentation
8.3 Awareness and Training
8.4 Industrial Network Security Assurance Program: Security Checklists
8.5 Security Assurance: Audits
8.6 Adding in Physical Security
8.7 Adding in Personnel Security
References
Chapter 9.0 New Topics in Industrial Network Security
9.1 Red Teaming: Test Yourself Before Adversaries Test You
9.2 Different Types to Answer Different Questions
9.3 Red Teaming Industrial Networks – Caution, It's Not the Same!
9.4 System Security Demands Both Physical Security and Cybersecurity
9.5 The Transportation Connection: Passenger Rail and Cybersecurity
References
Chapter 10.0 Defending Industrial Networks—Case Histories
10.1 A Large Chemical Company
10.2 Another Company's Story—Procter & Gamble
Appendix A – Acronyms
About the Author
Preface
So much has happened since the first edition of Industrial Network Security was published in 1995. This area has gone "mainstream" in terms of public awareness of the importance of Industrial Networks to our critical infrastructure and the threat to them from hackers, cyber spies, and cyber terrorists.
For instance, the story "America's Growing Risk: Cyber Attack" is featured on the cover of the April 2009 Popular Mechanics. And one of the lead stories on the front page of the 8 April 2009 edition of The Wall Street Journal was "Electricity Grid in U.S. Penetrated By Spies." The story talked about how foreign powers had mapped the U.S. electrical grid and left behind some rogue programs that could be activated remotely to disrupt the grid.
The "Big R," Regulation, has reared its head in the electric power industry. The NERC-CIP control system cybersecurity standards for electric power generation and transmission entities are now mandated by the U.S. government.
Commercial-off-the-shelf (COTS) hardware and software, as described in Chapter 3, continues its move into Industrial Networks as legacy equipment is phased out. And other sectors, such as passenger rail, described through the writer's eyes in the new Chapter 9, are coming up to speed on Industrial Network Security as COTS becomes commonplace in that sector's control systems.
Consistent with the first edition, an effort has been made to keep this book introductory and easy to read. As with the first edition, this edition is intended for the technical layman, manager, or automation engineer without a cybersecurity background. New cyber incidents and updated information have been added to the chapters without changing the original format.
1.0
Industrial Network Security
1.1 What Are Industrial Networks?
To define industrial network security, one first has to define industrial networks. For the purposes of this book, industrial networks are the instrumentation, control, and automation networks that exist within three industrial domains:
• Chemical Processing – The industrial networks in this domain are control systems that operate equipment in chemical plants, refineries, and other industries that involve continuous and batch processing, such as food and beverage, pharmaceutical, pulp and paper, and so on. Using terms from ANSI/ISA-84.00.01-2004 Part 1 (6), industrial networks include the Basic Process Control System (BPCS) and the Safety Instrumented Systems (SIS) that provide safety backup.
• Utilities – These industrial networks serve distribution systems spread out over large geographic areas to provide essential services, such as water, wastewater, electric power, and natural gas, to the public and industry. Utility grids are usually monitored and controlled by Supervisory Control And Data Acquisition (SCADA) systems.
• Discrete Manufacturing – Industrial networks that serve plants that fabricate discrete objects ranging from autos to zippers.
The term Industrial Automation and Control Systems (IACS) is used by ISA in its committee name and in the recently issued standards and technical report series from the ISA99 Industrial Automation and Control Systems Security standards and technical committee (also, simply ISA99). This term is closely allied with the term Industrial Networks.
The standard, ANSI/ISA-99.00.01-2007 - Security for Industrial Automation and Control Systems, Part 1 (1), defines the term Industrial Automation and Control Systems to include "control systems used in manufacturing and processing plants and facilities, building environmental control systems, geographically dispersed operations such as utilities (i.e., electricity, gas, and water), pipelines and petroleum production and distribution facilities, and other industries and applications such as transportation networks, that use automated or remotely controlled or monitored assets." This standard will be referred to as "ISA-99 Part 1" in the book.
The technical report ANSI/ISA-TR99.00.01-2007 Security Technologies for Industrial Automation and Control Systems (4) succeeds the 2004 version of the document referenced in the first edition of this book. This report will be referred to as "ISA-99 TR1." Note: At the time of this writing, Part 2 of the ISA-99 standard has just been approved. Part 2 is titled Security for Industrial Automation and Control Systems: Establishing an Industrial Automation and Control Systems Security Program (5).
1.2 What Is Industrial Network Security?
When we speak of industrial network security, we are referring to the rapidly expanding field that is concerned with how to keep industrial networks secure, and, by implication, how to keep the people, processes, and equipment that depend on them secure. Secure means free from harm or potential harm, whether it be physical or cyber damage to the industrial network components themselves, or the resultant disruption or damage to things that depend on the correct functioning of industrial networks to meet production, quality, and safety criteria.
Harm to industrial networks and to the related people, processes, or equipment might be through the following:
• Malicious Acts – Deliberate acts to disrupt service or to cause incorrect functioning of industrial networks. These might range from a "denial-of-service" attack against a Human-Machine Interface (HMI) server to the deliberate downloading of a modified ladder logic program to a PLC (Programmable Logic Controller).
• Accidental Events – These may be anything from a "fat-fingered" employee hitting the wrong key and crashing a server to a power line surge.
When we think of industrial networks and computer-controlled equipment, we usually think of what ISA99 documents call "electronic security," but we should also include some aspects of two other branches of security: physical security and personnel security. These other two branches of security will be addressed in Chapter 2.
To illustrate the distinction, let's say we have a disgruntled employee who vents his anger in a chemical plant and:
1. turns a virus loose on the computer workstation that runs the HMI software, allowing the virus to spread through the industrial network;
2. takes a pipe wrench and breaks a liquid level sight glass on a storage tank, causing the liquid to leak out on the floor; and
3. pries open the door to an SIS system controller box and disables the overpressure shutdown by installing jumpers between isolated conductors and bypassing the audible alarms.
By our definition, acts 1 and 3 fall within industrial network security. Act 2 is deliberate sabotage, but it is physical sabotage of a mechanical indicating instrument, not of an industrial network. Act 3 involves some physical actions, such as breaking the lock and installing jumpers, but the jumpers then alter the electrical flow within an industrial network, a SIS system.
We acknowledge and stress the importance of physical protection of industrial network components, and also the personnel security that applies to the operators of these networks. However, physical and personnel security protective measures have been around for a long time, and information about these protective measures is readily available elsewhere. Chapter 2 introduces physical and personnel security as part of the entire security picture; however, the majority of this book covers the electronic security of industrial networks.
The ISA99 committee also acknowledges that these other branches of security, such as physical and personnel security, are necessary but similarly states that its standards are mainly concerned with the "electronic security" of industrial automation and control systems.
1.3 The Big Picture: Critical Infrastructure Protection
It is best to introduce the subject of Critical Infrastructure Protection from a historical perspective. In 1996, President Clinton issued PDD 63 (Presidential Decision Directive 63) on Critical Infrastructure Protection (2), declaring that the United States had critical infrastructure that is vital to the functioning of the nation and must be protected. PDD 63 identified eight critical infrastructure sectors, including these infrastructures using industrial networks:
• Gas and Oil Storage & Delivery
• Water Supply Systems
• Electrical Energy
Along with these three were also government operations, banking and finance, transportation, telecommunications, and emergency services.
In February 2003, President Bush released The National Strategy to Secure Cyberspace (3). In it, some additional critical sectors were listed that use industrial networks, including:
• Chemical Industry
• Defense Industrial Base
• Food Production
Figure 1-1 shows how those original and additional critical infrastructure sectors map to the three industrial domains—chemical processing, utilities and discrete manufacturing—we described in Section 1.1 as using industrial networks.
Figure 1-1. Industrial Domain vs. National Critical Infrastructure Areas Using Industrial Networks
The list of critical infrastructure sectors has continued to evolve since February 2003, with the federal government adding "critical manufacturing" to the list in 2008.
A glance at history shows how much the critical infrastructure sectors depend on each other—take one critical sector away and others may come tumbling down like dominoes. The Northeast Blackout of August 2003 showed how a failure of one sector may cascade to others. When the power went out in Cleveland, the water supply pumps in that city also shut down, since they ran on electricity. Similarly, the transportation sector in New York was affected when traffic lights ceased functioning and gas stations couldn't pump gas, since both were electrically operated.
What conclusions can we draw from this discussion of critical infrastructure?
We can conclude that securing industrial networks in our three domains of interest is a prerequisite for securing critical infrastructure at the national level. And this is true for all industrialized nations. In fact, the more automated and computer-dependent a nation's critical infrastructure is, the more it depends on developing and applying industrial network security to ensure its functioning in a new age of worldwide terrorism.
1.4 The Challenge: "Open and Secure"
Let's look at what has happened in the field of industrial networks in the last 12 years or so.
• COTS. Proprietary systems have given way to commercial off-the-shelf (COTS) hardware and software in industrial networks. Now we see everything from Microsoft Windows® to different flavors of Linux and Unix for operating systems, along with Ethernet, TCP/IP, and wireless protocols for networks.
• Connectivity. Once COTS hardware, software, and network components are used in industrial networks, the next logical thing is to connect the industrial networks and the business networks so the formerly incompatible systems can communicate. The business systems are invariably hooked up to the Internet.
• Web, Web Services, and Wireless. Recent developments include the ability to access a Web server in every intelligent electronic device and a browser on every engineer's office desktop to monitor equipment operations. And wireless LANs (Local Area Networks) offer the convenience of connecting devices without having to install expensive cabling within the plant.
All these developments have opened up our systems, but the question is, "Can we be both open and secure?" Being open and secure is the "Holy Grail" of our new industrial network security discipline. We want to keep the overwhelming business advantages of having open systems, yet secure our systems enough to ensure that our plants and utility grids don't become ready targets for cyber attack.
1.5 Who's Working on What?
For all practical purposes, the field of industrial network security began in the late 1990s. The September 11th attacks greatly accelerated the pace of activity. Since then, a bewildering variety of organizations with stakes in securing industrial networks have geared up to work on various aspects of the problem.
The organizations working on industrial network security may be divided into categories:
• Government Organizations. In the U.S., government agencies active in industrial network security include the National Cyber Security Division (NCSD) of the Department of Homeland Security (DHS), organizations within the Department of Energy (DoE), the DoE National Laboratories (e.g., Sandia, Pacific Northwest, and Idaho National), the Department of Commerce National Institute of Standards and Technology (NIST), the Federal Energy Regulation Commission (FERC), and the General Accounting Office (GAO). Each organization has some stake in protecting the industrial networks that make up portions of the nation's critical infrastructure. Some organizations, such as FERC, now have regulatory authority, as will be discussed in 1.6.
• In the international arena, government organizations like Canada's Office of Critical Infrastructure Protection and Emergency Preparedness (OCIPEP) and Britain's Centre for Protection of National Infrastructure (CPNI) play a similar role in protecting their nation's critical infrastructure.
• Nonprofit Organizations. These range from international professional and technical societies spanning industrial sectors, like ISA, to U.S.-based industry sector-specific groups like the North American Electric Reliability Corporation (NERC) for electric power and the American Water Works Association (AWWA) for the water utilities. Included among the nonprofits are schools and universities that have courses, seminars, and research and development programs in industrial network security.
• For-Profit Entities. The various corporations that are the vendors and users of industrial networks are key in determining whether industrial network security procedures and equipment are developed, commercialized, purchased, and used successfully.
Within the organizational categories listed above are two organizations that deal with industrial network security, working at the international level across the three areas of chemical processing, utilities, and discrete manufacturing.
These organizations are:
• ISA, through technical and standards committees like ISA99, Manufacturing and Control Systems Security.
• IEC (International Electrotechnical Commission), including Committee 65 for work on the IEC 62443 Network and System Security Standards.
These organizations work across industrial areas and, therefore, manufacturing sectors. For instance, we previously mentioned the ISA-99 series of standards and technical reports that define the breadth of "Industrial Automation and Control Systems" as "applied in the broadest possible sense, encompassing all types of manufacturing and process facilities and systems in all industries in every area of manufacturing."
1.6 Federal Regulatory Authority
Recently, two federal groups have been given regulatory authority over industrial network security in the public and private sector. The Federal Energy Regulatory Commission has been given the authority to regulate the cybersecurity of the transmission grid, and it has exercised that authority by making the NERC CIP (North American Reliability Corp. Critical Infrastructure Protection) Consensus Industry Standards into official federal regulations with enforcement penalties. The Department of Homeland Security, with its CFAT (Chemical Facility Anti-terrorism) Regulations on the chemical industry, is mostly concerned with physical security but has a cybersecurity section. Other departments of the federal government regulating other critical infrastructure sectors may well get into the act in the future.
References
1. ANSI/ISA-99.00.01-2007 Security for Industrial Automation and Control Systems, Part 1. ISA, 2007.
2. The White House. Presidential Decision Directive 63. Protecting America's Critical Infrastructure. May 22, 1998. Retrieved 11/11/2004 from: http://www.fas.org/irp/offdocs/pdd/pdd-63.htm.
3. The White House. National Strategy to Secure Cyberspace. February 2003. Retrieved 11/11/2004 from: http://www.whitehouse.gov/pcipb/cyberspace_strategy.pdf.
4. ANSI/ISA-TR99.00.01-2007 Security Technologies for Industrial Automation and Control Systems. ISA, 2007.
5. ANSI/ISA-99.00.01-2007 Security for Industrial Automation and Control Systems: Establishing an Industrial Automation and Control Systems Security Program, Part 2. ISA, 2007.
6. ANSI/ISA-84.00.01-2004 Part 1 Functional Safety: Safety Instrumented Systems for the Process Industry Sector – Part 1. ISA, 2004.
2.0
A Security Backgrounder
2.1 Physical, Cyber, and Personnel Security
When considering security for business and industry, security practitioners have traditionally divided themselves into three areas of specialization. We describe these three areas with the aid of two terms used frequently in security:
• Insiders. The people who belong in your facility, including employees and invited contractors, visitors, or delivery and service people.
• Outsiders. People who don't belong in your facility, whether they enter physically or electronically. This category covers everyone from vendors through hardened criminals! Uninvited outsiders in your facility are intruders and are guilty of trespassing, at the least.
Keeping these terms in mind, and as mentioned in Chapter 1, the three traditional areas of security are:
• Physical Security. Guards, gates, locks and keys, and other ways to keep outsiders from becoming intruders and insiders from going where they don't belong. This is the oldest and most established branch of security and claims the highest percentage of security professionals.
• Personnel Security. Practitioners here are usually occupied with these questions: "Are the outsiders I'm about to bring into my plant trustworthy?" and "May I continue to place trust in my insiders?" This area of the security profession covers everything from criminal background checks on new employees and contractors to investigation of security violations by employees and periodic background rechecks of existing insiders.
• Cybersecurity. This category covers prevention, detection, and mitigation of accidental or malicious acts on or involving computers and networks. The area now known as business or IT cybersecurity has its roots in the financial and intelligence communities of the 1960s and 70s.
Industrial network security is primarily IT cybersecurity adapted to industrial networks, but includes important elements of physical and personnel security as well. For instance, does it make a difference if your valuable process recipes, kept as trade secrets on your control network, are taken by industrial spies who:
• hack into your industrial network through the corporate firewall and business network and then download and sell them? (a cybersecurity incident), or
• pull up in a van disguised as legitimate messengers from your computer tape backup storage firm and get an unwitting employee to hand over your freshly made backup tapes containing the same trade secrets (a personnel security incident), or
• break into your plant late at night, cleverly bypassing the burglar alarm, and walk out with the hard drives from your control servers containing the recipes (a physical security incident)?
The net effect is the same in all three incidents—your secrets are gone! In fact, an industrial spy may purposely "case the joint" and choose an attack plan based on where your defenses are weakest.
Successful prevention of industrial network attacks involves getting knowledgeable specialists from all three areas of security to sit around the table and discuss possible attacks and means to prevent them. Brainstorming techniques may be used, with no type of attack dismissed as "too wild an idea" to consider.
For example, before the Sept. 11, 2001 attacks, the philosophy driving airline security was "hijackers want to live." Wouldn't it have been valuable to question that assumption in the years leading up to September 11 and say, "But suppose the hijackers want to die? What could or would they do then?"
In this writer's experience in the corporate security world, I would sit at the lunch table listening to corporate security investigators tell stories of active investigations. Many of their stories were bizarre, such as employees using their corporate credit cards to pay for anything from expensive parts for their own motorcycles to thousands of dollars in elective surgery! Any rational employee would say, "Don't do that, you'll get caught!" Did these employees think about consequences before they went ahead with their plans? Maybe, but the consequences didn't deter them from going ahead anyway.
Let's see if we can brainstorm a scenario of factory sabotage. For example, the successful sabotage of a factory conveyor system might (1) involve an unscrupulous salesman from a rival conveyor company who has a criminal record (personnel security). (2) He strays into the production area while left unattended after visiting the engineering department (physical security). (3) There, he downloads a modified ladder logic program from his laptop to the conveyor machinery PLC (cybersecurity). That causes the conveyor to mysteriously malfunction the next day, making a purchase of his company's rival conveyor system more likely the next time he pays a sales call!
Analyses of security incidents usually reveal a chain of events that led up to the actual criminal activity. If security measures, whether they involve physical, personnel, or cybersecurity activity, can be introduced to prevent, detect, and respond to the chain of activities at any point, there is a good chance the final criminal activity can be prevented.
In the conveyor system example, where might security have been introduced to interrupt the chain of events leading up to the conveyor sabotage? Would the outcome have been different if:
• the rival conveyor company had done a criminal background check in the hiring phase and discovered that the salesman had a criminal record; or
• the factory he was visiting had a "company escort required" physical security policy, preventing the salesman from wandering into the production area alone; or
• the factory had active network security measures that prevented the salesman from entering the PLC network and downloading a modified ladder logic program?
If any of these physical, personnel, or cybersecurity measures had been in force, the final event in the chain, the conveyor's mysterious malfunction, might have been prevented.
2.2 Risk Assessment and IT Cybersecurity
Risk assessment is the process by which you and your management team make educated decisions about what could harm your business (threats), how likely they are to occur (likelihood), what harm they would do (consequences), and, if the risk is excessive, what to do to lower the risk (countermeasures).
Let's say you are the owner of a large factory making widgets in a Midwestern state, which happens to be in "Tornado Alley." Your plant building and attached business office building are as shown in Figure 2-1:
Figure 2-1. Widget Enterprises, Inc.
For instance, for risks to the office building and its contents, such as the business computer systems, we can illustrate what one type of risk assessment—a quantitative risk assessment—looks like. In this example we will consider one physical and one cyber threat to the office building and its computer system, per Figure 2-2.
The first, a mild-to-moderate tornado, represents a physical risk to the office building and its contents. Let's say the likelihood of a mild-to-moderate (known as category F0 to F2) tornado hitting the office building is once every 20 years (a fairly dangerous neighborhood!). The figure assumes the consequence of the threat or average damage to the asset (office building) is $5 million. Therefore, the annual risk from mild-to-moderate tornado damage is:
1 event/20 years × $5 million/event = 0.05 × 5 = $0.25 million/year at risk from this type of tornado.
Now we have a measure of annual risk in terms of dollars. We can compare it with the very different risk of, let's say, a particular type of cyber attack by an industrial spy who seeks to download your carefully guarded database of best customers and what they typically order from you.
Figure 2-2. Office Building – Physical and Cyber Risk Assessment
Once we enter the cyber realm, doing a quantitative risk assessment raises a problem: unlike weather damage or a physical security issue like robbery, there are not a lot of historical statistics to draw from to get likelihood numbers. But some data on the frequency of industrial spying of all types does exist, with on-average loss by different size companies and industries. This data, coupled with loss data from your factory, might enable you to come up with a reasonable estimate so you could continue being quantitative (as opposed to qualitative, which is the alternative; we will focus on qualitative risk assessment in an upcoming section).
Let's estimate the likelihood of this event at one cyber-theft (threat) every three years, and the sales you would lose as a result of this information being given to your competitors (consequence) at $10 million. Then, from this type of cyber event:
1 event/three years × $10 million = $3.3 million/year at risk.
Here is the power of a quantitative risk assessment. For the first time, we can compare the cost of physical damage to cyber damage in terms that top management will understand—dollars. Based on this risk assessment, we may conclude that the monetary risk of an industrial spy cyber attack is greater than the monetary risk of a tornado. In later chapters, we will see how countermeasures or preventive remedies, such as reinforced construction to limit tornado damage, can be evaluated against calculated risk to see if they are worthwhile.
Keep in mind that our risk analysis has been simplified. Usually, more terms enter into a risk analysis, and, as mentioned, getting good numbers or ranges of numbers for a quantitative cyber risk assessment may be difficult.
The following people will have a lot of interest in the office building risk assessment we just made:
• The business owner, the CEO, and the general managers
• The Physical Security Manager and the Facilities Manager (who may be the same individual)
• The Chief Information Officer (CIO) and the part of the CIO’s organization responsible for business systems cybersecurity (perhaps an IT cybersecurity manager).
Let’s draw an organization chart (see Figure 2-3) to represent a simplified management structure for a stand-alone factory. (Note that in a modern multi-plant manufacturing corporation, numerous “dotted line” relationships would exist between corporate and plant management.)
Figure 2-3. Organization Chart
The IT cybersecurity manager, who reports to the CIO, is responsible for the corporate firewalls and Intranet and Internet access, and might have these IT security issues to deal with:
• Web. Downloading of pornography or illegal content by employees.
• Email. Viruses coming in; spam.
• Remote access. Allowing authorized users to connect via modem pool or virtual private network, and keeping unauthorized people and hackers out.
• Unlicensed software. Keeping employees from using unpaid-for or unapproved software.
To address these problems and a host of other IT security issues, the IT cybersecurity manager draws on the field of business or commercial cybersecurity. This field, termed “computer and network security” in prior times, includes the following:
• IT security technology. Firewalls, antivirus programs, and audit and security diagnostic programs and tools.
• Trained personnel. Specially trained computer security practitioners, holding certifications such as Certified Information Systems Security Professional (CISSP) or Certified Information Systems Auditor (CISA) and trained in the IT security body of knowledge.
• IT security policies, processes, and procedures. Published cybersecurity guidelines and recommendations from various commercial cybersecurity organizations.
In short, a “body of knowledge” is readily available for this area, whether we call it IT, commercial, or business cybersecurity.
2.3 Risk Assessment for the Plant
Now that we’ve covered the business office building, let’s take a look at our widget production factory building (Figure 2-4):
Figure 2-4. Inside the Factory Building
Here, we see the type of industrial network we would expect to see in discrete manufacturing, with PLCs, HMIs, etc.
This time, let’s illustrate a risk assessment more appropriate to a plant scenario, where we may not have access to realistic numbers or estimates for the likelihood of a physical or cyber attack. In a qualitative risk assessment, relative rankings substitute for absolute numbers or estimates of likelihood and consequences. The output is a prioritized list of risks, showing which are more substantial.
Figures 2-5 and 2-6 give the procedure for a qualitative assessment and the resulting risk matrix. We are evaluating two scenarios here. The first—a physical attack—is a sabotage of the assembly line by a disgruntled employee with hand tools. The second is a cyber attack to sabotage the PLC network that runs the assembly line.
Figure 2-5. Qualitative Risk Assessment Example
As a result of the risk assessment process shown in these figures, the risk assessment team concludes that scenario (b), the cyber attack, is more threatening than scenario (a), the physical attack.
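A qualitative risk matrix of the kind Figures 2-5 and 2-6 describe, as an added example that is not from the book: likelihood and consequence are ranked on three-level ordinal scales instead of dollar figures, a 3-by-3 matrix turns each pair into a risk level, and the scenarios are then sorted by that level to give the prioritized list. The scale names, the matrix cells, and the rankings assigned to scenarios (a) and (b) are constructed assumptions for illustration; the book's own figures are not reproduced.

```c
/*
 * Added example (not from the book): a qualitative risk matrix.  The
 * three-level scales, the cell values, and the rankings given to the two
 * plant scenarios are constructed assumptions, chosen only to illustrate
 * the procedure, not taken from Figures 2-5 and 2-6.
 */
#include <stdio.h>

enum likelihood  { L_RARE = 0, L_POSSIBLE = 1, L_LIKELY = 2 };
enum consequence { C_MINOR = 0, C_MODERATE = 1, C_SEVERE = 2 };
enum risk_level  { R_LOW = 0, R_MEDIUM = 1, R_HIGH = 2, R_CRITICAL = 3 };

/* The matrix: rows are likelihood, columns are consequence.  A team agrees
 * this table once and then applies it to every scenario the same way, which
 * is what makes the relative rankings comparable. */
static const enum risk_level matrix[3][3] = {
    /*               MINOR     MODERATE   SEVERE     */
    /* RARE     */ { R_LOW,    R_LOW,     R_MEDIUM   },
    /* POSSIBLE */ { R_LOW,    R_MEDIUM,  R_HIGH     },
    /* LIKELY   */ { R_MEDIUM, R_HIGH,    R_CRITICAL },
};

struct scenario {
    const char *name;
    enum likelihood likelihood;
    enum consequence consequence;
};

/* Look a scenario up in the matrix. */
enum risk_level rate(const struct scenario *s)
{
    return matrix[s->likelihood][s->consequence];
}

/* Sort so the most serious scenario comes first.  Insertion sort is enough
 * for a risk register of a few dozen entries; ties keep their input order,
 * so equally rated scenarios are not reshuffled between runs. */
void prioritize(struct scenario *list, int n)
{
    for (int i = 1; i < n; i++) {
        struct scenario key = list[i];
        int j = i - 1;
        while (j >= 0 && rate(&list[j]) < rate(&key)) {
            list[j + 1] = list[j];
            j--;
        }
        list[j + 1] = key;
    }
}

static const char *level_name(enum risk_level r)
{
    static const char *names[] = { "Low", "Medium", "High", "Critical" };
    return names[r];
}

int main(void)
{
    /* Constructed rankings for the book's two assembly-line scenarios. */
    struct scenario plant[] = {
        { "(a) disgruntled employee, hand tools", L_POSSIBLE, C_MODERATE },
        { "(b) cyber attack on PLC network",      L_POSSIBLE, C_SEVERE   },
    };
    prioritize(plant, 2);
    for (int i = 0; i < 2; i++)
        printf("%d. %-40s %s\n", i + 1, plant[i].name, level_name(rate(&plant[i])));
    return 0;
}
```

With the constructed rankings, scenario (b) lands one row higher in the matrix than (a) and so comes out first, matching the team's conclusion in the text; changing the cell values or the rankings is exactly the discussion a qualitative assessment is meant to provoke.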
2.4 Who’s Responsible for Industrial Network Security?
Now we come to the question, “Who’s responsible for the (1) physical security and (2) cybersecurity of the industrial network?”
Let’s look at a possible list of candidates. Within the CIO organization, there might be an IT cybersecurity manager, per the organizational chart in Figure 2-3. Within the factory organization any or all the following managers and technical people might be involved:
• Plant Manager
• Production Manager
• Engineering Manager
• Automation and Control Manager
• Automation Engineer, Technician, and Plant Operator
• Facilities Manager
• Physical Security Manager
Figure 2-6. Qualitative Risk Matrix
So who do the CEO and upper management usually think is responsible for industrial network physical and cybersecurity? For the physical security of the industrial network, it may be argued that whoever is in charge of plant physical security, such as the Facilities or Physical Security Manager, has this responsibility. (Although the plant security guards are usually guarding the plant entrances, far away from the production area of the factory, this might theoretically cover the disgruntled employee attacking the PLC network with a pipe wrench!)
But, in many conference discussions the author has participated in, the usual answer is that if the CEO and top management realize that industrial network cybersecurity is a legitimate concern at all, they think the CIO and the IT cybersecurity manager have this area covered. (And they usually point to the corporate firewall, corporate cybersecurity policies, and the gamut of IT security controls to prove it.)
But if we then go to the CIO organization and ask the IT cybersecurity managers how well they are covering this “newly assigned” area of industrial network security, the typical answer might be they are totally unfamiliar with control systems: “Engineering and Production handle that.”
As mentioned, the field of industrial network security really began in the late 1990s and then accelerated following the September 11 attacks. Since September 11, a lot of progress has been made in this field by the many organizations listed in Section 1.5 of this book.
However, in contrast to IT cybersecurity, the field is still young and there is only a limited amount of knowledge and experience to draw upon. And unless a corporation has had the foresight to specifically designate an individual or a group, or its entire Automation and Control Engineering staff, to handle this very specialized area of industrial network security, the real answer to who is responsible for industrial network security is “no one!”
Unlike the commercial computing profession, which has included cybersecurity as a legitimate area of study and practice for many years, the automation and controls area has not traditionally had much contact with any area of security, especially cybersecurity. Security, whether physical, personnel, or cyber, is just not in the curriculum of the vast majority of engineering and technical schools. It is slowly making its way into the curriculum in some universities in the form of individual courses and seminars, but is certainly not in the mainstream yet.
Many manufacturing corporations that decided to build an organization or entity to handle industrial network security have formed a cross-disciplinary task force, committee, or permanent group, consisting of people and/or knowledge and experience from the following plant organizations:
• Automation and Controls Engineering, Production, and Maintenance
• IT Cybersecurity
• Safety (especially in a hazardous workplace, such as a chemical plant or refinery)
• Physical Security (facilities)
• Human Resources (for personnel security matters)
Only when industrial network security is included as part of an overall security effort will the proper resources, leverage, and empowerment be available to do the job well. Although grassroots efforts by control engineers to secure their industrial networks are well-intentioned and commendable, they will seldom be enough to do the job. Just as with safety, the first step starts with ownership and commitment by upper management.
But, as mentioned, top management may not recognize a clear need for an effort in this area. A business case for industrial network security may have to be made and presented. The following section gives some tips on how to do this.
2.5 Tips for Making the Business Case to Upper Management
1. Don’t use cyber “tech-talk” to sell top management on industrial network security. Instead, use a language they understand—risks, consequences, and the cost of reducing the risk versus the cost of doing nothing. As much as possible, try to put consequences in dollar terms.
2. Don’t use the “sky-is-falling” approach and concentrate only on the worst case scenario. That gets old fast. Instead, add up the consequences of inaction—whether it be a threat to safety, lost trade secrets, downtime, etc. Even better, try to include all possible consequences in an itemized scenario.
3. Do be very specific. If production downtime is a consequence, how many days of downtime? What will the cost be? What will be the cost of getting production going again, of cleaning up a virus from the industrial network, for instance?
4. Do realize that you can’t protect everything from every threat. Countermeasures to reduce the risk usually cost money. And the necessity of spending the money to pay for these countermeasures will have to be sold to management. (This is a process called risk management, which we will cover later in this book.)
5. Do use publicly documented cases in which industry was hit by cyber attacks. Some well-documented cases of cyber attacks are described in Chapter 4. Then describe what the consequences would be if a similar attack hit your plant or industry.
2.6 Making the Business Case with Data
Here is an example of how a business case was made for a significant IT cybersecurity investment (1).
A Texas University medical center cybersecurity manager calculated the cost of spam to his organization at $1 per spam message, and the cost of recovering from the Nimda outbreak in 2001 at $1 million. On the basis of these numbers, he successfully justified to the chief financial officer the purchase of spam filtering and enterprise antivirus software and showed how the countermeasures would more than pay for themselves. The business case was made with hard business data from his organization, in dollars.
A similar approach might be used to argue for industrial network security. Let’s say you are a control engineer using COTS software on your industrial network and have had the good fortune never to have been hit by a virus or worm. If your control network is part of a large multinational corporation, chances are that some portion of the IT network in your corporation was hit. And it probably has downtime and network recovery figures that you can use for your estimates, as well as horror stories.
By asking the question “If this attack had happened to our industrial network(s), what would the result be in, say, X number of servers down, Y days of lost production, Z days to clean up and recover?” you might make a convincing case that, since major virus/worm attacks happen at least several times a year, your company might avoid the inevitable loss by installing countermeasures such as firewalls, antivirus software, or other products.
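The dollar arithmetic behind both the office-building comparison in Section 2.2 (likelihood in events per year times consequence in dollars per event) and the payback argument in this section, as an added example that is not from the book. It scores the book's two office-building scenarios, ranks them, builds an itemized worm-outbreak consequence from the X-servers, Y-days, Z-days figures the text suggests, and checks whether a countermeasure's annual cost is covered by the risk it removes. The countermeasure (`dlp`), its cost and risk-reduction fraction, and every unit cost passed to `itemized_loss` are constructed placeholders, not data from the page.

```c
/*
 * Added example (not from the book): annual risk in dollars and a
 * countermeasure payback check.  Scenario figures are the book's
 * illustrative numbers; the countermeasure and unit costs are constructed.
 */
#include <stdio.h>

/* One threat scenario: how often it is expected and what one event costs. */
struct scenario {
    const char *name;
    double events_per_year;   /* likelihood, events per year      */
    double loss_per_event;    /* consequence, dollars per event   */
};

/* A candidate countermeasure: yearly cost and the fraction of the
 * scenario's annual risk it removes (0.0 = none, 1.0 = all). */
struct countermeasure {
    const char *name;
    double annual_cost;
    double risk_reduction;
};

/* Annual risk = likelihood (events/year) x consequence ($/event). */
double annual_risk(const struct scenario *s)
{
    return s->events_per_year * s->loss_per_event;
}

/* Itemized consequence of one worm outbreak on the industrial network,
 * built the way the text suggests: X servers to rebuild, Y days of lost
 * production, Z days of clean-up, each priced separately. */
double itemized_loss(int servers_down, double rebuild_cost_per_server,
                     double days_lost, double production_value_per_day,
                     double cleanup_days, double cleanup_cost_per_day)
{
    return servers_down * rebuild_cost_per_server
         + days_lost * production_value_per_day
         + cleanup_days * cleanup_cost_per_day;
}

/* Net annual benefit of a countermeasure against a scenario: risk avoided
 * minus what the countermeasure costs.  Positive means it pays for itself
 * within the year, which is the argument the Texas case made to the CFO. */
double net_annual_benefit(const struct scenario *s, const struct countermeasure *c)
{
    return annual_risk(s) * c->risk_reduction - c->annual_cost;
}

/* Index of the scenario carrying the largest annual risk, or -1 if n == 0. */
int riskiest(const struct scenario *list, int n)
{
    int best = -1;
    for (int i = 0; i < n; i++)
        if (best < 0 || annual_risk(&list[i]) > annual_risk(&list[best]))
            best = i;
    return best;
}

/* The book's two office-building scenarios. */
static const struct scenario office[] = {
    { "F0-F2 tornado",              1.0 / 20.0, 5.0e6  }, /* once in 20 years, $5M */
    { "industrial spy, data theft", 1.0 / 3.0,  10.0e6 }, /* once in 3 years, $10M */
};

/* Constructed placeholder: a hypothetical data-loss-prevention control. */
static const struct countermeasure dlp = { "DLP and network monitoring", 400000.0, 0.8 };

int main(void)
{
    for (int i = 0; i < 2; i++)
        printf("%-28s $%.2f million/year at risk\n", office[i].name,
               annual_risk(&office[i]) / 1e6);
    printf("largest annual risk: %s\n", office[riskiest(office, 2)].name);
    printf("%s against spy scenario: net benefit $%.2f million/year\n", dlp.name,
           net_annual_benefit(&office[1], &dlp) / 1e6);
    /* Constructed outbreak: 4 servers, 2 days of production, 3 days of clean-up. */
    printf("one worm outbreak, itemized: $%.0f\n",
           itemized_loss(4, 5000.0, 2.0, 250000.0, 3.0, 8000.0));
    return 0;
}
```

Multiplying the itemized outbreak loss by the expected number of outbreaks per year gives the same events-per-year times dollars-per-event product used for the tornado and the spy, so a plant scenario can sit in the same ranked list as the office ones; the weak spot, as the text says, is the likelihood figure, which is why the itemized consequence should be shown separately and not buried in a single annual number.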
References
1. Violino, B. “Texas University Calculates Financial Benefits of its Spam, Virus Defense.” InternetWeek.com article. October 29, 2003. Retrieved 11/11/2004 from: http://www.internetweek.com/showArticle.jhtml?articleID=15600902.
3.0
COTS and Connectivity
3.1 Use of COTS and Open Systems
Commercial-off-the-shelf (COTS) describes the movement of business and commercial computer and networking hardware and software into the industrial network area, displacing proprietary devices and applications. This trend started 10 to 15 years ago and includes the following:
• Operating systems. Microsoft Windows NT®, Windows 2000®, and Windows XP® are being used in industrial networks. In the Unix world, flavors of Unix including Sun Microsystems’ Solaris®, IBM’s AIX®, and Hewlett-Packard’s HP-UX®, to name a few, have also moved into industry. Most recently, the Linux world has entered industrial networks.
• Database software, such as Microsoft SQL Server® and Oracle® databases.
• Hardware, including Windows® PCs, workstations, and servers, and Unix workstations and servers.
• Networking products such as Ethernet switches, routers, and cabling.
• Networking protocols for TCP/IP-based LANs, using protocols such as HTTP, SNMP, FTP, etc.
• Development languages, including C++, Microsoft Visual Basic .NET®, Microsoft C#®, Sun’s Java®, etc.
• Object Linking and Embedding for Process Control (OPC).
• Internet, with standard or custom browsers as process interfaces to web servers in IEDs (Intelligent Electronic Devices).
• Wireless LANs using the IEEE 802.11 protocol.
3.2 Connectivity
Once COTS is used in industrial networks, the business side demands, “Now that you have opened it up, connect it so we can talk.”
Connectivity is desired:
• between the corporate business network and the industrial network,
• for remote access to the industrial network from outside the corporate firewall, and
• to vendors, customers, and other business partners from the industrial network.
3.3 What You Get that You Didn’t Bargain For
The movement to COTS and connectivity gives you a multitude of business advantages, such as:
• Standardization
• Compatibility with business systems
• Much lower purchase cost
• Familiar interfaces
• Less training time and effort
With these advantages, you also get some “baggage” to contend with:
1. Forced updates to software are much more frequent than with the original proprietary systems.
2. There are millions of extra lines of software code for a multitude of features, many not wanted or needed in industrial applications.
3. The industrial world is not the business driver for COTS.
4. Numerous software-related quality and security issues exist, in part the result of the drive by vendors to get new software out the door quickly.
5. There is a continual need to install patches for software security and proper functionality.
These drawbacks are seldom realized up front, when the systems are purchased.
The business concept called “total cost of ownership” enables you to realistically evaluate these systems by adding the cost of maintenance, updates, patching, etc., to the up-front purchase or licensing cost over the life of the installed system. When doing a total cost of ownership analysis, these life-cycle costs should be included in the analysis. This concept is discussed in Reference 1.
It is apparent that some of the economic benefits of moving to COTS and connecting up are negated by some of the drawbacks. For instance, how many proprietary industrial network software programs have ever been hit by a computer virus or worm?
Remediation of attack by a virus or worm is a hidden cost of using COTS, which will not show up during purchase but which should be included in a total cost of ownership analysis. If antivirus software is purchased to prevent these cyber attacks, the cost of installing and maintaining this software should also be included in the total cost of ownership analysis.
References
1. Emigh, Jacqueline, “Total Cost of Ownership.” Computerworld.com article. December 20, 1999. Retrieved 11/11/2004 from: http://www.computerworld.com/hardwaretopics/hardware/story/0,10801,42717,00.html
4.0
Cybersecurity in a Nutshell
4.1 Security Is a Process
Security is very similar to safety in that it is a continual process rather than an end point. A control network that is secure today may be insecure tomorrow, because hackers are always thinking up new attacks.
Securing industrial networks involves technology, but technology is only one ingredient of the final mix. Successful industrial network security is a carefully composed mixture of the following:
• Educated and aware users
• Appropriate organizational structure
• Security strategy matched to the organization structure
• Policies and procedures that work
• Audit and measurement programs
• Security technology appropriate to the above mix, at a level of sophistication understood by those who use it
4.2 Basic Principles and Definitions
We can carry over some basic principles of commercial computer and network security to the industrial network space. The first is called the AIC triad. AIC stands for Availability, Integrity, and Confidentiality. Figure 4-1 shows these principles as the points of a triangle:
Figure 4-1. The AIC Triad
Let’s start with availability. For industrial networks, availability means the network is fully operational and available to users and other machinery and processes when needed. If the system is not operating, or not operating correctly for any reason when it is needed, this property is not satisfied. It could be unavailable for many reasons, such as the following:
• An unintentional user error crashed the system.
• The system has a computer virus or was just hacked by an insider or outsider.
• A power failure has occurred, and the backup generator isn’t supplying enough power.
• The computer room just burned to the ground.
Case History 1: Lack of Availability
The Omega Engineering logic bomb: Omega Engineering is an instrument and control vendor in New Jersey that suffered heavy losses in May 2000 when it fired a disgruntled computer systems administrator (1). Before he left the building, the employee planted a “logic bomb,” which, when activated, erased Omega’s production software programs. He also stole the company’s software backup tapes as “insurance”!
It took Omega Engineering months to get back into production after this incident. The company suffered heavy financial losses, while their competitors gained ground on them.
The next AIC factor is integrity. Integrity in computer security may be defined from two angles: the integrity of the data, and the integrity of the computer hardware and software itself.
Integrity of data means that there should be no inadvertent or malicious modification of data while it is stored or being processed on a system.
Let’s apply this concept to a SCADA system for a gas pipeline. If a remote pressure sensor on the pipeline reads 1000 psig (process data), and that value is faithfully transmitted to the central gas control room and shows up as 1000 psig on the main control panel, we have data integrity. If the value shows up as 2000 psig or 500 psig, we have a process data integrity problem!
Hardware/software system integrity implies that the hardware and software versions and configuration are correct at any given time, and only authorized changes or updates have been made.
For instance, hardware/software integrity is flawed if an HMI application was tested only with a previous release of an operating system, and the operating system software is upgraded or patched without proper compatibility testing and change authorization.
The third AIC component is confidentiality—the ability to keep information on a computer system secret. It should be accessible only to people authorized to receive and view and modify that information, and no one else.
For instance, a chemical or pharmaceutical corporation has recipes, formulas, and production methods it wants to keep away from competitors and to prevent the information from becoming public knowledge. The company has gone to great lengths to develop or acquire this information.
Case History 2: Theft of Trade Secrets
A case involving Lucent Technologies (2) illustrates the significance of confidentiality in computer security. In 2001, two Chinese nationals were indicted for stealing proprietary telecommunications computer code while working at Bell Labs in Murray Hill, New Jersey. They were first noticed when their employer observed portions of the proprietary computer code being emailed from the company’s network. They were successfully convicted in one of the first cases prosecuted under the 1996 Federal Economic Espionage Act protecting trade secrets.
4.3 Basic Principles: Identification, Authentication, and Authorization
In addition to the AIC triad, three other definitions are important in classic computer and network security: identification, authentication, and authorization.
Identification answers the question, “Who am I?” If I log on to my computer as user DJT, that tells the computer I am David J. Teumim, a legitimate user listed in the password file.
But how does the computer distinguish me from an imposter posing as me?
Authentication requires that you “prove it” by reinforcing your identity, using one or more of three possible authentication factors:
• Something you know (a password)
• Something you have (a hardware token or key)
• Something you are (a biometric, like your voiceprint or fingerprint)
Using more than one authentication factor increases security.
For instance, several chemical companies use “two-factor authentication” to grant employees remote access to plant computers from their homes. The hardware token (something you have) displays a unique number that changes every minute according to a random pattern. When the remote user logs in, he or she enters the number on the token, along with a four-digit fixed PIN number (something you know). The random number entered by the user must match the pre-synchronized random number on the company’s central security administration server. Only then is the user granted remote access rights.
Authorization deals with what your access privileges are, once you have successfully logged on to the protected system. Which system features may you use? Which system programs or files may you view, modify, delete, etc.?
For instance, in the control room of a petroleum refinery, control room operators may have access to functions required for normal operation, but only control engineers may be authorized to perform other functions, like changing HMI programming.
4.4 More Cyber Attack Case Histories
This section describes some control system attacks that have been documented in the press.
Case History 3: SCADA Attack
This incident is a classic in industrial network security, the first publicly documented cyber attack on a control system, in this case, a wastewater treatment SCADA system in Australia.
In this incident (3), a 49-year-old man who had worked for the supplier that installed a computerized SCADA system for the municipal wastewater works was convicted of a cyber attack on the municipality’s sewage system. The attack sent millions of gallons of raw sewage spilling into local parks and rivers in Queensland, Australia, causing considerable damage. The convicted man was caught with radio equipment and other computer apparatus used to hack into the SCADA network in his car.
Case History 4: Computer Worm in a Nuclear Plant Control System
In August 2003, the Nuclear Regulatory Commission (NRC) issued an information alert to all nuclear plant operators about a situation that occurred earlier in 2003 at the Davis-Besse nuclear power plant in Ohio (4), which was infiltrated by the Slammer worm. In a scenario all too familiar to IT cybersecurity experts, the worm entered the plant by a roundabout route. A T1 communications line that led to a network to which the company’s corporate business network was connected became the conduit for the worm to reach and crash the Safety Parameter Display System (SPDS). The SPDS system is an industrial network that displays the status of critical reactor safety monitoring sensors such as core temperature, coolant status, etc. Fortunately, the plant was offline, and a backup analog system could be used while the digital system was out.
Case History 5: Computer Worms Infect Auto Manufacturing Plant
In August, 2005, thirteen DaimlerChrysler auto manufacturing plants were knocked offline for an hour by two Internet worms, idling 50,000 workers, while infected Windows 2000® systems were patched (5). The Zotob and PnP worms infected systems integral to the manufacturing process.
Could the incidents described in Case Histories 3, 4, and 5 have been prevented? Chances are excellent that with a sufficiently advanced and well-thought-out industrial network security program, they could have been. However, even in the best-planned schemes, there is no foolproof program to ensure you will never have a security incident. If prevention fails and you do have an incident, the goal of industrial network security is to detect the threat and mitigate the damage as quickly and efficiently as possible.
4.5 Risk Assessment and Risk Management Revisited
Let’s return to our discussion of risk assessment, begun in Chapter 2.
Suppose we have an industrial network controlling our factory’s assembly line. The assembly line machinery can be attacked physically, by a disgruntled employee, or by an outside hacker who can get into the system by several means.
We introduced these terms in Chapter 2:
• Asset (What you have that you want to protect.)
• Threat (The person or event that can cause harm.)
• Consequence (The harm that can be caused.)
• Likelihood (How often the threat is expected to cause harm over a certain time.)
• Risk (Consequences expected over a certain time.)
• Countermeasures (Ways to reduce risk.)
Let’s now look at cyber threats in more detail, and add another term to our risk assessment model: vulnerability.
4.6 Cyber Threats
Military, law enforcement, and IT cybersecurity experts typically break down the category of threats further, in what is known as “threat analysis.”
We can introduce the following terms and concepts:
• Adversary (Who is he, she, or it? Is it a single person, an organization, or a terrorist group?)
• Intent (What motivates this person or organization? Anger? Revenge? Money?)
• Ability (How capable is your adversary? Able to write custom scripts for cyber attack? Or merely capable of downloading scripts that others write, and then running them?)
• Target (What is their immediate goal? Their ultimate goal?)
Let’s construct a simple chart, a threat matrix, to describe these concepts for several threat agents (see Figure 4-2).
4.7 Vulnerabilities
A vulnerability is a “chink in your armor,” an inviting spot or situation where an attack by an adversary is likely to succeed. For instance, if a burglar tries your locked front door and then goes around to the back door and finds it unlocked, the unlocked back door is a vulnerability.
Figure 4-2. A Threat Matrix
In industrial network security, a vulnerability is a place where a cyber attacker can bypass whatever built-in defenses an application, network, or operating system has in order to gain privileges that would normally be unavailable. This enables the attacker to insert actions and commands, or even become the all-powerful system administrator on an operating system like Windows, or acquire “root” privileges on a Unix box.
Using COTS hardware, software, and networking in industrial networks brings into the controls world the same vulnerabilities that plague the Internet and the business computing world. COTS software vulnerabilities are due to the following:
• Complexity. Operating systems and application software have millions of lines of code. One figure quoted in the literature says there is an average of one software bug per 100 lines of code. Some fraction of these bugs will be security vulnerabilities. (Figure out how many software bugs are in a 40 million line program!)
• Inadequate Quality Assurance. Software manufacturers do not always catch these quality and security flaws before they go out the door as production code. They may think it sufficient to use software customers as “quality testers” and have them report bugs to be corrected in the next software revision.
• Speed to Market. Competition and concentration on numerous new features lead to rapid-fire releases of new software versions.
• Lack of Seller Liability. The majority of commercial software licenses do not hold the seller responsible for any damage to your systems from software that does not function properly. (Contrast that with the liability for manufacturers of cars, household appliances, or airplanes. If these products cause injury or economic damage, a rash of lawsuits usually follows, sometimes involving punitive damages.)
• Lack of Security-Based Development Tools and Languages. The standard software development languages, such as C, C++, and Visual Basic, were not composed with security in mind. Adding security features was frequently an assigned or unassigned task left up to the programmer, who is under development time pressure. This situation is beginning to change, as there are now seminars, books, and some software tools to help the developer write more secure software.
Let’s look next at the most common COTS software flaw affecting security—the buffer overflow.
4.8 A Common COTS Vulnerability: The Buffer Overflow
Buffer overflows cause an estimated 40 percent of the exploitable software flaws in the COTS software environment. Sad to say, they have been around for more than 20 years. We know how to fix this flaw, but the discipline to eliminate buffer overflows has not permeated very far into COTS software development.
In programming languages, such as the C language, when you run a function (which is somewhat like a subroutine) from the main program, the memory area devoted to your function will contain a “stack,” or buffer area. The stack contains things such as the values you are calling the function with, and the local variables you will be using in the function. At the end of the allotted buffer space for the function is a “return address” that tells the computer what line in the main program to return to after it has finished running the function.
Suppose, in the C language, you want to ask the user for input via the keyboard as a task for your function. Say you want to ask the user for his or her “last name,” and you figure it should be no more than 20 characters long.
You would assign a variable like “Lastname” to hold 20 characters maximum. But the C language lacks an inherent mechanism for preventing a malicious user from putting in too many characters when typing input, and the computer will accept those extra characters and allocate those extra and unexpected characters to “Lastname” in the buffer.
A clever hacker can craft a very long string of characters, followed by a short, very carefully constructed command that overwrites the original return address sitting in memory at the end of the allocated buffer space. The new return address tells the computer to return to a place in the hacker’s code, not to the legitimate address that was in the original program. This overruns the buffer when the input is given.
If the hacker is clever enough to craft the right commands in that illegitimate string, he or she can insert commands that will give “root” privileges on a Unix box or administrator privileges on a Windows operating system when overflowing certain programs. Essentially, the hacker now “owns” the system, with one buffer overflow command. Not a bad achievement for a hacker who can craft the right string!
The clever original hacker who discovered the buffer overflow string may then publish the technique to a hacker website or bulletin board for other, less-experienced “script kiddies” to use.
As we have seen, despite the fact that buffer overflows have been known about for more than 20 years, and programming techniques have been developed to fix them, progress on eliminating them has been slow. New code comes out every day with buffer overflow vulnerabilities just waiting to be discovered. Once they are discovered in published software code (let’s hope by someone on the security side of the fence and not a hacker), the only hope is for the software supplier to issue a code fix or “patch” for systems administrators to apply before a new cyber attack takes advantage of the vulnerability.
4.9 AttackerToolsandTechniquesLet’slookatsomeofthetoolsandtechniquesouradversariesuse:
• Viruses. Viruses have been around since the advent of the PC. They spread by infecting new host computers with their code (which can be carried on a USB flash drive or CD), by a program, or by a macro for a spreadsheet or word processing program. A virus can spread by email if it contains an executable attachment that can be opened.
• Worms. A worm contains self-replicating code that may spread through a network like a LAN or the Internet. A worm spreads copies of itself and does not need host software to spread.
• Trojan Horse. This is a program that seems to do something beneficial with one part of the code, while a hidden part of the code does something malicious. An example of a Trojan Horse would be a screen saver that also emails a copy of the confidential data files on your computer to a competitor!
• Logic Bomb. This software program lies dormant on a computer hard drive until it is activated by a trigger, such as a certain date or event. Then it activates and causes malicious activity.
• Denial-of-Service Attack. This kind of attack, usually network-based, overwhelms a server with a flurry of false requests for connection or service, causing the server to lock up or crash.
• Botnets. Botnets are networks of infected computers available to do the bidding of “bot herders” who rent out their hundreds or thousands of compromised computers for hacking or coordinated denial-of-service attacks.
The hacking community spreads its know-how and wares through a variety of outlets:
• Hacking websites. Thousands of websites across the Internet offer advice and code on everything from stealing phone service to breaking into wireless networks. Such sites may even offer downloadable “point-and-click” hacking tools for the novice.
• Books and CDs. At most local computer shows, you can find inexpensive CDs loaded with hackers’ tools and “exploit code.”
• Chat Rooms and Bulletin Boards. Many hackers will brag about their techniques and offer to share them in online chat rooms like Internet Relay Chat (IRC).
4.10 Anatomy of the Slammer Worm
Now that we’ve seen how our adversaries (disgruntled employees, industrial spies, and hackers) can get their hands on tools (viruses, worms, network scripts that exploit vulnerabilities in COTS code), let’s take a look at a 2003 worm called Slammer that caused the nuclear plant safety display monitoring system shutdown described in Section 4.4.
The Slammer worm caused havoc, bringing the entire Internet to a crawl in just 15 minutes. The attack started with a single data packet, a User Datagram Protocol (UDP) packet of 376 bytes total (much smaller than previous worms such as Code Red, at 4 KB, or Nimda, at 60 KB). It targeted UDP port 1434, the port that Microsoft SQL (Structured Query Language) Server database software listens in on. Once received, Slammer overflowed the buffer with specialized code that spilled past the 128 bytes of memory reserved for the input. It then had machine-language code that caused the machine to overwrite its own code and reprogram itself to send out a flurry of new 376-byte UDP packets to Internet IP (Internet Protocol) addresses it calculated using a random number generator. The timing was such that the worm could double the number of infected hosts every 8.5 seconds, bringing the Internet, and corporate LANs connected to it, to a crawl as the available bandwidth was used up.
As the previous section indicates, the Slammer worm clogged up internal bandwidth at the Davis-Besse nuclear plant industrial network. It also caused considerable damage elsewhere. A 911 call center in Washington State that used the SQL Server database was effectively shut down. Emergency dispatchers had to resort to a cumbersome manual procedure to make do until the system could be brought back up.
A synopsis of how the Slammer worm spread is shown in Figure 4-3.
4.11 Who’s Guarding Whom?
One final observation will add a bit of irony to round out our discussion of COTS software vulnerabilities. Let’s assume we have a software-based firewall to protect an internal LAN that we connect up to the Internet. We need this firewall to prevent Internet-based attacks like worms, and other network attacks, from reaching our internal hosts because we know the software on our internal hosts on our LAN might be susceptible to (for example) buffer overflow attacks.
Figure 4-3. How the Slammer Worm Operates
So our software-based firewall is “guarding the gate” against cyber attacks that exploit buffer overflow vulnerabilities. This gives us a warm feeling of security until we find out that our firewall code itself may contain buffer overflow vulnerabilities! (Note: Security researchers regularly find and publish information about software bugs and vulnerabilities [including buffer overflow attacks] within security software, such as software-based firewalls and antivirus software.)
Once these vulnerabilities are found and published, the only alternative for security-conscious systems administrators is to patch and patch again. There is an area of expertise called “Patch Management” that is now applicable to industrial networks to address how, when, and where software patches should be applied. Within industrial networks, a patch management program assumes a very important role because critical infrastructure is involved.
5.0
Countermeasures
5.1 Balancing the Risk Equation with Countermeasures
In our discussion on risk assessment thus far, we have been adding terms to our list of risk assessment factors from previous chapters to arrive at the list below:
• Asset
• Threat
• Consequence
• Likelihood
• Vulnerability
• Risk
• Countermeasures
Let’s take a look at the interrelationships among the first six terms in Figure 5-1. Then, in Figure 5-2, let’s see how countermeasures fit in.
Now that we have illustrated the relationships between the risk terms with and without countermeasures, let’s see, on a more practical level, how countermeasures might be introduced into our quantitative and qualitative risk assessment examples from Chapter 2.
5.2 The Effect of Countermeasure Use
Figure 2-2 (Chapter 2, Section 2.2) showed a simple risk assessment illustration for the office building connected to the widget factory. In it, we see that the risk, or expected loss per year from a mild-to-moderate tornado striking the office building, is $.25 million, or $250,000 per year.
Figure 5-1. Risk Assessment Before Countermeasures
Figure 5-2. Risk Assessment Adding Countermeasures
Now suppose we want to introduce a countermeasure to reduce the expected loss per year. We can compute the cost of reinforcing the office building structure and spread that cost out over the same number of years as our risk assessment time frame figure, 20 years. (Note that this is a rather simplistic analysis in terms of the reality of financing building improvements.)
Let’s say reinforcing the walls and roof to prevent tornado damage will cost $1 million, and we do this today. The risk evaluation for the reinforced building covers the next 20 years. So $1 million/20 years = $.05 million or $50,000 cost per year for 20 years.
Now let’s calculate the reduction in expected loss per year by reinforcing the building. Our risk was $.25 million, or $250,000 per year, so spending $50,000 per year on countermeasures will reduce risk by $250,000. (Note: in practice, countermeasures are rarely 100 percent effective. A certain amount of damage risk per year, termed residual risk, would probably exist despite your best efforts at building reinforcement.)
Not bad—we have spent $50,000 per year to save $250,000 in risk. Neglecting residual risk, our net saving by risk reduction is:
$250,000 saved/year – $50,000 spent on countermeasures = $200,000/year. It still looks like a good deal!
Figure 5-3 shows the risk assessment for the building after adding tornado countermeasures.
Now suppose instead we spend $5 million to reinforce the building and evaluate that over 20 years. Would this be a good decision? Well, $5 million/20 years = $0.25 million/year. We would spend $250,000 on countermeasures to save $250,000 on annual risk. Our net savings in estimated loss per year would be zero!
Figure 5-3. Office Building – Physical and Cyber Risk Assessment
We can see that we are in a powerful position if we are fortunate enough to have historical weather damage data to draw from to support a quantitative risk assessment. We can calculate when a countermeasure will pay for itself and at what point it does not make economic sense.
The same type of analysis can be made for our industrial cyber spy scenario in Figure 2-2. However, we should remember that our risk numbers and the effect of countermeasures will be more estimated and, therefore, more open to variability.
Let’s turn to how we can evaluate the effect of countermeasures in a qualitative risk assessment. With a qualitative risk assessment, we do not deal directly in dollars. Instead, we determine which risks are greater, then prioritize the spending of our resources on countermeasures.
Let’s go back to the factory risk assessment from Chapter 2, Section 2.3, and the qualitative risk assessment process and matrix shown in Figures 2-5 and 2-6. As Figure 2-6 shows, scenario (a) (physical attack) produces a “medium” risk rating, and scenario (b) (cyber attack on the PLC network) produces a “high” risk rating.
If we can introduce countermeasures to decrease the likelihood of a cyber attack, then we might be able to move scenario (b) from the “high” risk zone to the “medium” risk zone, alongside scenario (a). We might do this by better isolating the PLC network from the rest of the company and the outside, or by decreasing cyber vulnerabilities, or by mitigating the effects of a successful cyber attack with a quicker or more complete disaster recovery program.
Discussion might focus on which approach(es) would lower risk level most, what countermeasure(s) to use, how effective each would be, and so on. The cost of each alternative countermeasure might be estimated, for example, along with how effective it would be in reducing total risk.
So when we evaluate the effect of countermeasures in reducing total risk in a qualitative risk assessment, we are really going through a process analogous to our quantitative example.
A risk management step normally follows the risk assessment step, with the assessment team weighing the results of the risk assessment step.
There are three possible risk management decisions the team can make once they know what the risks are:
• Accept the risk
• Minimize or eliminate the risk
• Transfer the risk
Accepting the risk means essentially to do nothing. The enterprise chooses to live with the risk and accept the consequences should it happen.
Minimizing or eliminating the risk means countermeasures will be evaluated and applied. (And the residual risk, left over after countermeasures are applied, will be accepted.)
The third alternative transfers the risk to another party, such as an insurance company. For instance, the enterprise will pay an insurance premium for protection from loss of sales in the event of a sabotage attack.
The remainder of this book deals with constructing an industrial network cyber defense. In other words, we are assuming the second risk management option and focus on minimizing or eliminating risk, if possible, by using countermeasures.
5.3 Creating an Industrial Network Cyber Defense
After we have done a qualitative risk assessment, we may decide to go with the second risk management option and focus on minimizing or eliminating risk, if possible, by taking countermeasures. How do we go about deciding on what countermeasures are appropriate for industrial networks in our chemical plants, utility grids, and factories? Chapters 6–8 of this book deal with constructing an industrial network cyber defense, but we’ll look at it briefly here.
Figure 5-4 summarizes the contents of Chapters 6 through 8. It shows the “Countermeasures” block from Figure 5-2, separated into physical and personnel security countermeasures, together with the topics of Chapters 6–8 as components of an overall
cyber defense.
As shown in Figure 5-4, a good industrial network defense contains the following:
• Design and Planning
• Technology
• People, Policies, and Assurance
• Physical and Personnel Security Countermeasures and Support
Figure 5-4. Countermeasure Components
Countermeasures may act in a variety of ways, as the face of the countermeasures block of Figure 5-2 shows. Countermeasures may act to:
• deter and detect the threat (as a barking watchdog on the premises would detect and deter a burglar),
• minimize a vulnerability (as bars on a window would make forced entry more difficult), and
• mitigate the consequences (as an effective disaster recovery plan gets a hacked server up and running again).
6.0
Cyberdefense Part I—Design and Planning
6.1 Defense in Layers
The principle of defense in layers is that one relies on many different overlapping layers to prevent a worst-case scenario. If one layer fails, the next is there to take over, and so on.
To understand how this concept may be applied to industrial network security, let’s first look at the way the concept is applied in a common chemical processing application that incorporates a Safety Instrumented System (SIS).
One simple polymerization process uses two hazardous chemicals, a monomer (chemical A) and a second reactant (chemical B), which may be an initiator or catalyst for the reaction. The reaction is exothermic, which means heat is released when the two chemicals are combined and brought up to reaction temperature.
Figure 6-1 shows an example of the simple polymerization reaction setup. In it, our monomer (chemical A) flows from a storage tank on the right through a control valve into the reactor, where it combines with chemical B, which flows from the storage tank on the left, through a control valve, and to the reactor. The process may be sequential (i.e., first the monomer is charged to the reactor, then chemical B is added slowly during the actual reaction step).
A well-known process safety hazard of polymerization is the possibility of a “thermal runaway,” where the reaction heat builds up inside the reactor vessel, raising the temperature and pressure of the reaction mixture until it bursts the reactor vessel, leading to an explosion, fire, and hazardous fluid release into the surroundings. The process safety strategy is to keep the reaction under control by removing the heat that is generated, never letting it build up to the point where the reaction produces more heat than can be removed.
Figure 6-1. Polymerization Plant Example
Reference (1) gives a case history of a polymerization reactor runaway and explosion that was investigated by the U.S. Chemical Safety and Hazard Investigation Board.
To counter the possibility of a thermal runaway, control systems safety design uses “layered defenses” (2). Protection in layers forms the foundations of SIS design by such specifications as ANSI/ISA-84.00.01-2004, Functional Safety: Safety Instrumented Systems for the Process Industry Sector, and IEC 61508, Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems. The system designer contains the hazards of this process by successive layers of control and mechanical systems protection, as shown in Figure 6-2 (3):
The layers of protection against a runaway reaction begin with the basic process control system (BPCS). If control of the process from the BPCS is lost and the reaction temperature and pressure go too high, then, in the next layer, alarms on excessive reaction temperature and pressure will sound, requiring manual action by operators to shut down the reaction process.
Figure 6-2. Layers of Protection Against a Runaway Reaction
If these layers fail—the alarm malfunctions, the operators don’t respond or respond incorrectly, etc.—then the next layer, the SIS, will take over. In our example, this might be done by shutting off the flow of reactant B and/or by providing emergency cooling.
The next layer is mechanical (for example, blowing the rupture disk to release the reaction contents). After that, additional layers might include a secondary containment system (dikes, etc.), and, finally, emergency response, first by the plant and then by the community.
These layers of protection should be as independent as possible, so the failure of one layer does not affect the performance of the next.
A Security Example
Now let’s say our polymerization takes place in a small chemical plant that has an office building located beside the control room as shown on the site layout in Figure 6-3. (In reality, the control room and office building should be located a safe distance from the reaction area and chemical storage.) Note that in the safety example, the hazard we were protecting against arose inside the reaction vessel, and our layers extended outward around it. In this security example, we are protecting from the outside in.
Figure 6-3. Polymer Plant Site Layout
Let’s include the business and control networks in Figure 6-3. The business network will serve the office building, and the control room/chemical reactor area will have a Basic Process Control System (BPCS) network and a Safety Instrumented System (SIS).
Let’s say our task is to protect the office network, the BPCS, and the SIS from a hacker who is bent on causing a runaway reaction by using the Internet to penetrate the chemical plant through the firewall. Above all, we want to protect the SIS, since it is a critical safety system. Next in importance to the process is the BPCS and, finally, the business system.
Drawing a series of concentric rings around first the SIS, then around the BPCS, and finally around the business network, as shown in Figure 6-4, will help us discuss defense in layers for security.
Figure 6-4. Cyber Defense in Layers
A cyber attacker would first have to penetrate the corporate firewall to get to the business network (Layer One). The next target would be the BPCS network (Layer Two), and finally the SIS (Layer Three). If only the business network and BPCS are compromised, the SIS and subsequent safety layers will act to prevent a runaway. If both the BPCS and the SIS are compromised, a runaway is more likely. It can now be prevented only by additional protection layers like operator action or mechanical safety devices such as rupture disks and secondary containment. If all else fails, the consequences would be dealt with through emergency response.
For a cyber security defense in layers to be effective, each layer should have its own defenses and not merely “sit by” passively. For instance, the business network might have an intrusion detection/protection system to detect and prevent cyber attacks from beyond the firewall.
However, suppose we attach an external modem to the BPCS network in Figure 6-4, so the process engineers can telecommute to the plant on weekends and holidays. What happens to our defense in layers model now? If an outside hacker, through war dialing and password guessing, can obtain entry to the BPCS in one step instead of having to hack in through the corporate firewall, he has effectively bypassed Layer One and is at Layer Two. (A war dialer is a computer program used to identify phone numbers that can connect with a modem.) Even worse, if there is a modem connection into Layer Three, perhaps to let the SIS vendor communicate with the SIS, the hacker might bypass both Layers One and Two to gain access. The hacker might commit hidden sabotage to Layer Three, perhaps by deactivating the SIS. This might not become obvious until the BPCS loses control of the reaction, and the SIS is needed to bring the reaction back into control.
This brings up another observation: Each layer of defense is effective only if there is no easy way to bypass the layer.
6.2 Access Control
Access control for industrial networks is the important area of determining and enforcing who (or what device or system) has access to the system assets, such as the HMI, the process control network, the controllers, servers, etc. And, if a person, device, or system is allowed to “touch” these system assets, access control specifies:
• What is their authorization level?
• What data or settings may they change, delete, add, etc.?
• How will this be controlled and enforced?
Along with cyber access control, the parallel area of physical access control will determine and enforce who can walk into the control room or other physical location where the industrial networks are located. To be truly effective, cyber and physical access control must act together.
So let’s continue with our illustrative example of the small polymerization plant illustrated by Figures 6-1 through 6-4, and see how access control integrates with the “defense in layers” model.
Although it might not be typically thought of in this fashion for a defense in layers model, we might visualize Layer One in this example as having two regions:
1. A perimeter, or boundary
2. An interior area
It is easy to visualize these two Layer One regions in the office LAN in Figure 6-4. The corporate firewall separates the office LAN from the Internet. The firewall represents region 1 above, the perimeter or boundary, separating inside from outside. The office LAN, on the other hand, extending through the office building and interconnecting many different servers and workstations, is the interior area and represents region 2.
It is just as important to the success of the defense in layers model for the interior region, the office LAN, to be “hardened,” that is, not to have obvious network or host vulnerabilities, as it is for the firewall to be correctly configured, monitored, and maintained. What happens within the office LAN is crucial to maintaining the effectiveness of the perimeter protection of the firewall. Both the perimeter and the interior of Layer One must act together.
For example, let’s say the firewall is configured and operating perfectly. If an office worker receives a piece of malicious email containing an executable of a Trojan Horse, his or her machine may be “taken over” and used to launch attacks on the connecting networks. Some Trojans can even establish an outbound connection from the office LAN host that was taken over that goes out through the firewall to the hacker’s server on the Internet. The outgoing traffic from the machine that has been taken over will look like an innocent web (http) connection initiated by that internal host.
For another illustration of the concept of defense in layers, let’s now consider both physical and cyber access control of Layer Two. Physical access control would regulate who can come into the control room, which may have a locked door with only authorized employees having the key, for instance. Once inside the control room, an employee would need the proper cyber access, a correct login and password, to access BPCS control functions. Access control also includes authorization levels, which might allow control engineers to change process set points but not allow operators to perform the same actions.
It also would be desirable to have a third person in the loop, a control network administrator, who would assign and administer the logins, passwords, and authorization levels in step with personnel changes. In the following sections of this chapter, we will discuss different security aspects that, taken together, lead to the success of the defense in layers security strategy.
The above discussion, where we visualize each layer of protection as composed of a perimeter and an interior area, is formalized in the ISA-99 Part 1 standard as the “zone and conduit” method for Industrial Network Security.
The zone and conduit method becomes the tool for risk assessment and then risk management and reduction. The interior area comprising Layer One becomes the “zone,” where risk level is uniform, and the corporate firewall connecting Layer One with the Internet becomes the “conduit.” Readers are referred to ISA-99 Part 1 (4) for further details.
6.3 Principle of Least Privilege
One concept we will borrow from IT cyber security for use in industrial network access control is called “the principle of least privilege,” also known as “security by default.” In theory, this principle is straightforward, but in practice, applying this principle is very difficult in a conventional plant control room with operators, supervisors, and engineers logging onto consoles using a typical system of user logins and passwords. If we were to apply the principle of least privilege to access control in a control room, we would do the following:
• Start by denying everything. Deny all access and authorization to everybody.
• After proper identification and authentication, grant access and authorization privileges (the ability to do authorized tasks) for only those minimum sets of functions each individual needs to do his or her job, and no more.
• Remove these access and authorization privileges promptly when the individual no longer needs them, such as after a new assignment or job rotation.
Many longtime employees in the process industries “accumulate” passwords—and therefore unneeded access and authorization privileges—as they rotate through various jobs. The principle of least privilege requires organizations to keep track of what access and authorization privileges an employee needs to perform present tasks, and to allow authorization for those functions only.
If an employee or contractor leaves or is terminated for cause, by far the most important access control action to perform is to remove all physical and cyber access and authorization privileges immediately. This means getting back or invalidating all physical access cards, keys, etc., and immediately deleting or invalidating their passwords and other authorizations from every system they ever had access to. It is especially important to remove their ability for remote access (through modem, virtual private network, etc.). If they had access to any group or shared accounts, those passwords should be changed immediately.
Applying the principle of least privilege in practice is difficult, if not impossible, without the right access control technology. The different types of access control technologies are covered in Chapter 7. Chapter 7 discusses role-based access control, an important technology to enable adoption of the principle of least privilege, as well as to simplify and better manage identification, authentication, and authorization.
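The three least-privilege steps of this section, worked through as an added C example that is not the book's own code: accounts start with nothing, a role assignment replaces (rather than adds to) the privilege set so a job rotation cannot accumulate the old job's rights, and offboarding clears everything in one call. The privilege flags, role names, account names and the audit function are constructed for this example; the operator/engineer split follows the set point rule stated in Section 6.2.

```c
#include <stdio.h>
#include <string.h>

/* Privileges on the BPCS consoles, as bit flags (constructed for this example). */
enum {
    PRIV_VIEW           = 1 << 0,  /* watch process displays */
    PRIV_ACK_ALARM      = 1 << 1,  /* acknowledge alarms */
    PRIV_CHANGE_SETPT   = 1 << 2,  /* change process set points */
    PRIV_EDIT_LOGIC     = 1 << 3,  /* modify controller logic */
    PRIV_REMOTE_ACCESS  = 1 << 4,  /* dial-in or VPN entry */
    PRIV_ADMIN_ACCOUNTS = 1 << 5   /* manage logins and authorization levels */
};

typedef enum { ROLE_NONE = 0, ROLE_OPERATOR, ROLE_ENGINEER, ROLE_ADMIN } Role;

/* The minimum set each job needs and no more. ROLE_NONE maps to nothing. */
unsigned role_privs(Role r) {
    switch (r) {
    case ROLE_OPERATOR: return PRIV_VIEW | PRIV_ACK_ALARM;
    case ROLE_ENGINEER: return PRIV_VIEW | PRIV_CHANGE_SETPT | PRIV_EDIT_LOGIC | PRIV_REMOTE_ACCESS;
    case ROLE_ADMIN:    return PRIV_VIEW | PRIV_ADMIN_ACCOUNTS;
    default:            return 0;
    }
}

#define MAX_USERS 16
typedef struct { char name[32]; Role role; unsigned privs; int active; } Account;
typedef struct { Account users[MAX_USERS]; int count; } Directory;

static Account *lookup(Directory *d, const char *name) {
    for (int i = 0; i < d->count; i++)
        if (strcmp(d->users[i].name, name) == 0)
            return &d->users[i];
    return NULL;
}

/* Step 1, "start by denying everything": a new account has no role and no
   privileges until someone explicitly assigns them. Returns 0 on success. */
int add_user(Directory *d, const char *name) {
    if (d->count >= MAX_USERS || lookup(d, name) != NULL ||
        strlen(name) >= sizeof d->users[0].name)
        return -1;
    Account *a = &d->users[d->count++];
    strcpy(a->name, name);            /* length checked above */
    a->role = ROLE_NONE;
    a->privs = 0;
    a->active = 1;
    return 0;
}

/* Step 2, grant the minimum: the privilege set is REPLACED by the new role's
   set rather than OR-ed into it, so a job rotation cannot accumulate the
   previous role's rights (the "accumulated passwords" problem). */
int assign_role(Directory *d, const char *name, Role r) {
    Account *a = lookup(d, name);
    if (a == NULL || !a->active) return -1;
    a->role = r;
    a->privs = role_privs(r);
    return 0;
}

/* Step 3, remove promptly: on departure the account is disabled and every
   privilege, remote access included, is cleared in the same operation. */
int offboard(Directory *d, const char *name) {
    Account *a = lookup(d, name);
    if (a == NULL) return -1;
    a->active = 0;
    a->role = ROLE_NONE;
    a->privs = 0;
    return 0;
}

/* Authorization check used by the console: unknown, disabled or roleless
   accounts fall through to deny. Returns 1 if permitted, 0 otherwise. */
int authorized(Directory *d, const char *name, unsigned priv) {
    Account *a = lookup(d, name);
    if (a == NULL || !a->active) return 0;
    return (a->privs & priv) == priv;
}

/* Periodic review: count active accounts holding a privilege their current
   role does not justify (these appear when someone bypasses assign_role). */
int audit_excess(Directory *d) {
    int n = 0;
    for (int i = 0; i < d->count; i++) {
        Account *a = &d->users[i];
        if (a->active && (a->privs & ~role_privs(a->role)) != 0) n++;
    }
    return n;
}

int main(void) {
    Directory d = {0};
    add_user(&d, "jdoe");                            /* constructed account */
    printf("new account can view: %d\n", authorized(&d, "jdoe", PRIV_VIEW));
    assign_role(&d, "jdoe", ROLE_OPERATOR);
    printf("operator can ack alarm: %d, change set point: %d\n",
           authorized(&d, "jdoe", PRIV_ACK_ALARM), authorized(&d, "jdoe", PRIV_CHANGE_SETPT));
    assign_role(&d, "jdoe", ROLE_ENGINEER);          /* job rotation */
    printf("after rotation, still ack alarm: %d\n", authorized(&d, "jdoe", PRIV_ACK_ALARM));
    d.users[0].privs |= PRIV_ADMIN_ACCOUNTS;         /* granted outside the role model */
    printf("accounts with excess privilege: %d\n", audit_excess(&d));
    offboard(&d, "jdoe");
    printf("after offboarding can view: %d\n", authorized(&d, "jdoe", PRIV_VIEW));
    return 0;
}
```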
6.4 Network Separation
Network separation is a perimeter or boundary defense, which we discussed in Section 6.2. Let’s look back at Figure 6-4, Cyber Defense in Layers, and look at the connection between our office LAN, in Layer One, and the Basic Process Control System (BPCS).
The principle of defense in layers implies that a direct office LAN-to-industrial network connection is not a good idea. Anyone having access to the office LAN, whether access was obtained legitimately or illegally, now has complete access to the industrial network and its components, including HMIs, control servers, etc.
So what should our risk team do about a direct business-to-control system connection, if it exists?
Applying the basic risk management choices detailed in Chapter 5, Section 5.2, the risk team may elect to:
1. accept the risk, and do nothing, leaving a direct connection to the industrial network;
2. partially close off this access with a firewall, filtering router, or other restriction; or
3. cut the connection between the business and industrial networks completely.
Most companies in the chemical processing, utility, and discrete manufacturing industries say they need some connectivity between the business network and industrial network to survive. There is just too much business advantage from having some form of connectivity and information flow.
In the writer’s experience, most companies started out with an unfettered business-to-industrial network connection. While some continue to elect Option 1, accept the risk, most are going to Option 2, putting in an internal firewall or other network restriction such as a filtering router.
Chapter 10 presents an account of the way a large company has handled internal business-to-control system connections.
Few companies will elect Option 3, to cut the connection. However, some companies that never connected the industrial and business networks to begin with may continue to observe that policy.
References
1. U.S. Chemical Safety and Hazard Investigation Board Investigation Report – Chemical Manufacturing Incident, Report No. 1998-06-I-NJ. (April 8, 1998). Retrieved 11/11/2004 from: http://www.csb.gov/Completed_Investigations/docs/Final%20Morton%20Report.pdf
2. American Institute of Chemical Engineers (AIChE), Center for Chemical Process Safety. Guidelines for Safe Automation of Chemical Processes. AIChE, 1993.
3. American Institute of Chemical Engineers (AIChE), Center for Chemical Process Safety. Guidelines for Safe Automation of Chemical Processes, Figure 2-2. AIChE, 1993.
4. ANSI/ISA-99.00.01-2007, Security for Industrial Automation and Control Systems, Part 1. Research Triangle Park, ISA, 2007.
7.0
Cyberdefense Part II—Technology
7.1 Guidance from ISA99 TR1
The ANSI/ISA-TR99.00.01-2007 – Security Technologies for Industrial Automation and Control Systems standard has a wealth of information on IT security technology and how it may be applied to securing industrial networks. Each technology is summarized according to the following headings:
• Security Vulnerabilities Addressed by this Technology, Tools and/or Countermeasures
• Typical Deployment
• Known Issues and Weaknesses
• Assessment for Use in the IACS Environment Systems
• Future Directions
• Recommendations and Guidance
• Information Sources and Reference Material
The sections in this chapter cover some of the technologies described in the ISA-99 series of standards. Our coverage of these technologies is intended to be a general introduction to the various technologies and how they are used, rather than a detailed technical explanation.
7.2 Firewalls and Boundary Protection
A firewall acts as a “gatekeeper” or “traffic cop” to filter and block traffic from one network going to another. Let’s look at two cases, illustrated in Figure 7-1:
Figure 7-1. Firewall Illustration
• Firewall “A” protects the corporation business LAN from the outside Internet.
• Firewall “B” is internal and separates the business LAN from the industrial network.
Each firewall has a set of firewall “policies” (not to be confused with the higher-level security policies described in Chapter 8) that determines which hosts or networks on one side may talk to hosts or networks on the other side.
It all boils down to a yes/no decision for each, whether to permit or deny each attempted connection.
As an example, let’s look at classes of users inside and outside the business network, as shown in Figure 7-2, and what connections they might want to establish.
Figure 7-2. Sample Firewall Setup
If a business LAN user wants to connect to an outside web server (the firewall “listens” for attempts at connection via the web protocol known as HTTP), this is “permitted” (unless management is clamping down on too much outside web surfing!)
However, if a business LAN user wants to connect to an outside streaming “RealAudio” server, perhaps this connection will be “denied” by Corporate IT cybersecurity.
Let’s take a look at attempted traffic going the opposite direction. If a machine on the outside, host “hacker.com,” wants to connect from the outside Internet to an inside business LAN workstation or server, this should be blocked or “denied.” Most corporations host a web server in an intermediate zone called a DMZ (Demilitarized Zone) for legitimate incoming traffic such as to get sales bulletins and the like.
SP99 TR1 goes on to describe three different types of firewalls:
• Packet Filter
• Application Proxy
• Stateful Inspection
Modern firewalls may be hardware-based (e.g., a firewall appliance with embedded software) or software-based, running as application software on a Windows or Unix operating system. If software-based firewalls are used, the underlying operating system must be hardened, as described in Chapter 8, to be effective.
An example of a modern chemical corporation using internal firewalls is given in Chapter 9.
Alternate Internal Boundary Protection
Nearly all corporations will have a corporate firewall (Firewall A as shown in Figure 7-1). However, some may elect not to go with a full-fledged internal firewall (Firewall B in the figure) to separate critical internal systems from their business LANs and intranets. A degree of protection can be provided by using a router with filtering capabilities. For instance, using a router’s Access Control Lists (ACLs), a network administrator can select which hosts and networks on one side of the router can connect with specific hosts and networks on the other side of the router, as described earlier in this section in the discussion of firewall policies.
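The permit/deny decisions of Figure 7-2, and the equivalent router ACL just described, can be modelled as an ordered rule list with an implicit deny at the end. The following is an added example written for this edition, not code from the book; the address ranges, the port used for the streaming server, and the single historian host allowed through Firewall B are all assumptions made to make the example concrete.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Constructed address plan for the Figure 7-1 / 7-2 scenario. The book gives no
# addresses, so these are assumed: RFC 1918 ranges inside, RFC 5737
# documentation ranges standing in for hosts on the outside Internet.
ANY = ip_network("0.0.0.0/0")
BUSINESS_LAN = ip_network("10.1.0.0/16")
DMZ_WEB_SERVER = ip_network("10.2.0.10/32")
INDUSTRIAL_NET = ip_network("10.3.0.0/16")
HISTORIAN = ip_network("10.3.0.5/32")   # assumed: the one industrial host business users may read


@dataclass(frozen=True)
class Rule:
    action: str                # "permit" or "deny"
    src: IPv4Network           # the source address must fall in this network
    dst: IPv4Network           # the destination address must fall in this network
    dst_port: Optional[int]    # None matches any destination port


def matches(rule: Rule, src: str, dst: str, dst_port: int) -> bool:
    """True when the attempted connection falls inside the rule's scope."""
    return (ip_address(src) in rule.src
            and ip_address(dst) in rule.dst
            and (rule.dst_port is None or rule.dst_port == dst_port))


def decide(policy, src: str, dst: str, dst_port: int) -> str:
    """Walk the policy top-down; the first matching rule wins.

    A connection that matches nothing is denied, which is what turns the rule
    list into the yes/no decision the text describes."""
    for rule in policy:
        if matches(rule, src, dst, dst_port):
            return rule.action
    return "deny"


# Firewall "A": business LAN <-> outside Internet (the Figure 7-2 cases).
FIREWALL_A = [
    Rule("permit", BUSINESS_LAN, ANY, 80),        # outbound web browsing (HTTP)
    Rule("deny", BUSINESS_LAN, ANY, 554),         # outbound streaming; RTSP port assumed
    Rule("permit", ANY, DMZ_WEB_SERVER, 80),      # public web server in the DMZ
    # "hacker.com" reaching an inside workstation matches nothing: implicit deny
]

# Firewall "B" (or a filtering router's ACL): business LAN <-> industrial network.
FIREWALL_B = [
    Rule("permit", BUSINESS_LAN, HISTORIAN, 443),  # assumed read-only historian view
    Rule("deny", INDUSTRIAL_NET, ANY, None),       # nothing initiated from the plant side
    # everything else between the two networks: implicit deny
]


def explain(policy, src: str, dst: str, dst_port: int) -> str:
    return f"{src} -> {dst}:{dst_port} => {decide(policy, src, dst, dst_port)}"


if __name__ == "__main__":
    print(explain(FIREWALL_A, "10.1.5.20", "198.51.100.20", 80))   # permit
    print(explain(FIREWALL_A, "10.1.5.20", "198.51.100.21", 554))  # deny
    print(explain(FIREWALL_A, "203.0.113.7", "10.1.5.20", 445))   # deny
    print(explain(FIREWALL_A, "203.0.113.7", "10.2.0.10", 80))    # permit
    print(explain(FIREWALL_B, "10.1.5.20", "10.3.0.5", 443))      # permit
    print(explain(FIREWALL_B, "10.1.5.20", "10.3.0.9", 443))      # deny
```

Rule order matters: a broad permit placed above a narrow deny silently cancels the deny, so a policy review should read the list top-down exactly as `decide` does. A real packet filter would also track connection state, which this model omits.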
7.3 Intrusion Detection
Intrusion detectors monitor computer networks or computer hosts, looking for possible intrusions. There are two general types of intrusion detectors:
• Network-based (NIDS – Network Intrusion Detection System)
• Host-based (HIDS – Host Intrusion Detection System)
A network-based intrusion detector may be attached to the network it monitors by a “network sniffer” arrangement, or it may be embedded into the operating code of a router, firewall, or standalone appliance.
It may look for either or both of the following warning signs:
• Known attack signatures, recognized from an up-to-date database of known attacks such as worms.
• Network traffic anomalies, changes in traffic patterns that are statistically suspicious. For instance, heavy incoming traffic on a little-used port or IP address might indicate an attack.
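Both warning signs can be run over the same connection records. The example below is added for this edition and is not the book's code: it matches a small, constructed signature database against each record's payload, and flags a destination port whose connection count in the current window is far above its historical baseline. The log format, the signatures and the baseline counts are all constructed for the example.

```python
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed signature database: byte pattern -> alert name. These are made-up
# markers for the example, not signatures of any real worm.
SIGNATURES = {
    re.compile(rb"WORM-SAMPLE-[0-9]{4}"): "constructed worm marker",
    re.compile(rb"PROBE-TOOL/1\.0"): "constructed scanner banner",
}

# Constructed history: destination port -> connection counts seen in earlier
# windows of the same length. A port with no history is treated as unused.
BASELINE = {80: [35, 42, 38, 40], 443: [10, 12, 9], 5900: [0, 1, 0]}

# Constructed record layout: "<time> <src> <dst> <dport> <payload>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (.*)$")


def parse_line(line: str):
    """Return one record as a dict, or None for a malformed line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    time, src, dst, dport, payload = m.groups()
    return {"time": time, "src": src, "dst": dst,
            "dport": int(dport), "payload": payload.encode()}


def signature_hits(records):
    """Known-attack check: every record whose payload contains a signature."""
    hits = []
    for r in records:
        for pattern, name in SIGNATURES.items():
            if pattern.search(r["payload"]):
                hits.append((r["time"], r["src"], r["dst"], name))
    return hits


def port_anomalies(records, baseline, k=3.0, floor=5):
    """Anomaly check: ports whose count exceeds mean + max(k*stdev, floor).

    The floor keeps a port that has never seen traffic from alarming on a
    single stray connection, one small guard against the false positives the
    text warns about."""
    counts = Counter(r["dport"] for r in records)
    flagged = {}
    for port, n in counts.items():
        history = baseline.get(port, [0])
        threshold = mean(history) + max(k * pstdev(history), floor)
        if n > threshold:
            flagged[port] = (n, round(threshold, 1))
    return flagged


def analyze(log_text: str, baseline=BASELINE):
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    return {"signature_hits": signature_hits(records),
            "port_anomalies": port_anomalies(records, baseline)}


def build_sample_log() -> str:
    """Constructed traffic: a little normal web traffic, one signature hit, and a
    burst of 25 connections to a port that is normally idle."""
    lines = [
        "2010-03-01T10:00:01 203.0.113.7 10.1.5.20 80 GET /index.html",
        "2010-03-01T10:00:02 203.0.113.7 10.1.5.20 80 GET /cgi-bin/WORM-SAMPLE-0042",
        "2010-03-01T10:00:03 198.51.100.9 10.1.5.21 443 GET /portal",
    ]
    lines += [f"2010-03-01T10:00:{4 + i:02d} 203.0.113.7 10.1.5.{20 + i % 5} 5900 CONNECT"
              for i in range(25)]
    return "\n".join(lines)


if __name__ == "__main__":
    for key, value in analyze(build_sample_log()).items():
        print(key, value)
```

The signature list finds only what it already knows; the baseline comparison is what catches the burst on port 5900, and tuning `k` and `floor` against real traffic history is where most of the false-alarm effort goes.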
A host-based intrusion detector is mounted on a particular host computer, such as a workstation or server. It may perform a periodic scan of all crucial files on the host to look for signs of unauthorized alteration, which might indicate a compromise of the host system by an intruder. This action is called a “file integrity check.” It may also monitor network traffic in and out of a particular host, or look for suspicious usage patterns, which might indicate an intruder is at work.
Figure 7-3 shows how a typical NIDS and HIDS might be deployed in the corporate network example displayed in Figure 7-1.
Figure 7-3. Intrusion Detection
Figure 7-3 shows the NIDS deployed to listen to or “sniff” the network traffic just inside the corporate firewall. It looks for signatures or patterns of intrusion from the outside Internet past the corporate firewall.
On the other hand, the HIDS monitors one host; in this case, the host on the business LAN.
The action taken by a NIDS or HIDS upon sensing a potential break-in can vary, anywhere from sending an email to paging a system administrator.
An emerging variation on intrusion detection is called intrusion prevention. This detector automatically takes a prearranged action upon any sign of intrusion. For instance, if the NIDS in Figure 7-3 were to detect an anomaly and cause the firewall to block some or all traffic into the business network from the Internet, it would be actively doing intrusion prevention rather than the more passive notification that comes with intrusion detection.
One concern with deploying NIDS and HIDS is the tendency for false alarms, or false positives, which take time and effort to track down. Just as you don’t want a burglar alarm to go off because it thinks the family pet is a burglar, minimizing false alarms is necessary when deploying this technology.
7.4 Virus Control
Since the advent of the PC, there has been a constant struggle between virus writers and people who make software to detect and control viruses. Over the years, new and more clever viruses have evolved, and antivirus researchers are evolving more strategies to spot and clean them.
The virus prevention and detection cycle is a “chase your tail” game. More than 50,000 viruses are known to exist. A large number of them are “zoo” viruses, which exist in controlled laboratory collections only. As we are only too aware, however, a significant number of “in the wild” viruses have been released into cyberspace and have done damage.
Figure 7-4 shows the dilemma antivirus researchers face.
Figure 7-4 illustrates a situation in which a virus writer creates a totally new virus, or a new variation on an old virus, and releases it “in the wild.” Some computers get infected, and their owners send a sample of the new viral infection to an antivirus vendor’s research team.
Within a few hours, the antivirus team has “disassembled” the inner workings of the virus and captured that virus’s distinct signature, or code pattern, as a short sequence of bits. The antivirus vendor then distributes that virus signature to its customers as an update of their virus signatures file.
Figure 7-4. The Antivirus Cycle
The problem is that the virus signature they developed is valid only for that particular virus. Virus writers can “tweak” a virus to alter its code pattern and make a new version that will go undetected. Virus writers may go as far as buying several brands of virus detection software in order to download the latest signature file updates and check to see if their “tweaked” virus is detectable!
Thus, there is a constant running battle between virus writers and the antivirus research community.
Several antivirus products try to detect new viruses for which no signature is yet available. This antivirus software watches for unusual program behavior or combinations of behaviors in an effort to identify viruses up front, before infection.
Antivirus programs typically contain three parts:
1. The Graphical User Interface (GUI).
2. The Engine. This contains the scanning software, which compares files on the host computer with the latest virus signatures from the signature file.
3. The Signature File. Downloaded at regular intervals, say each day, it contains signatures of the latest viruses and Trojans.
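Parts 2 and 3 of that list, the engine and the signature file, reduce to loading a list of named byte patterns and testing each file's contents against every pattern. The example below is added for this edition and is not the book's code; the signature file format, the byte patterns and the "files" being scanned are all constructed and match no real malware.

```python
# Constructed signature file in a simple "name=hex bytes" text format. The
# patterns are invented for the example; a vendor's file would hold thousands.
SIGNATURE_FILE = """\
# name=hex pattern (spaces between bytes are allowed)
SampleTrojan.A=4d5a 9000 dead beef
SampleWorm.B=57 4f 52 4d 2d 42
"""


def load_signatures(text: str) -> dict:
    """Parse the signature file into {name: byte pattern}."""
    signatures = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, hexpattern = line.split("=", 1)
        signatures[name.strip()] = bytes.fromhex(hexpattern.replace(" ", ""))
    return signatures


def scan_file(data: bytes, signatures: dict) -> list:
    """The engine's core comparison: which signatures occur in this file?"""
    return [name for name, pattern in signatures.items() if pattern in data]


def scan(files: dict, signatures: dict) -> dict:
    """files: {path: bytes}. Returns {path: [matched names]} for flagged files only."""
    report = {}
    for path, data in files.items():
        hits = scan_file(data, signatures)
        if hits:
            report[path] = hits
    return report


# Constructed stand-in for the files on an HMI workstation and a USB stick.
# The first file starts like a Windows executable but lacks the rest of the
# pattern, so it must not be flagged; the other two contain full signatures.
SAMPLE_FILES = {
    "C:/HMI/display.exe": b"\x4d\x5a\x90\x00" + b"\x00" * 16 + b"normal program code",
    "E:/usb/setup.exe": b"\x4d\x5a\x90\x00\xde\xad\xbe\xef" + b"\x00" * 8,
    "E:/usb/report.doc": b"quarterly WORM-B figures",
}


def demo() -> dict:
    return scan(SAMPLE_FILES, load_signatures(SIGNATURE_FILE))


if __name__ == "__main__":
    for path, names in demo().items():
        print(f"{path}: {', '.join(names)}")
```

Because the match is exact, a single changed byte inside the pattern is enough to miss a variant, which is the weakness the text describes and the reason signature updates have to arrive so often.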
Viruses may attack various locations in operating programs and memory. Figure 7-5 shows just a few of the major viruses that have attacked in history, along with the type of attack.
Figure 7-5. Some Past Virus Attacks
Virus detection and/or elimination may be deployed at three levels, or tiers, within the industrial network:
• At the perimeter of the industrial network. Virus protection may be built into or added onto firewall products.
• At the control server level. Server editions of antivirus products may be used here.
• At the individual workstation or PC level. For instance, the workstation running the HMI console may have antivirus software to protect against employees bringing in diskettes, flash drives, or CDs with viruses.
At present, there is still some residual discussion about whether using antivirus software at the control server or workstation level will interfere with proper operation. Many control vendors approve using only specific brands of antivirus software that have been tested for non-interference with application software. In addition, the vendors may specify that only certain features of the antivirus software may be used, and it must be configured a certain way.
In 2006 a report titled, “Using Host-Based Antivirus Software on Industrial Control Systems” was issued, describing the results of a two-year DOE National SCADA Test Bed study written on the subject of using host-based antivirus software on control systems, written by the author, Steve Hurd, and Joe Falco from NIST (1).
If a virus is detected in real time, the next question is: What is the plan to isolate the network section, clean the virus, and then get back in operation? This is part of an incident response plan that must be set up.
7.5 Encryption Technologies
Encryption technologies are the practical application of the field of cryptography, which means “secret writing.” Cryptography has been used in many forms since ancient times to conceal information lest it fall into the wrong hands. A message, once encrypted, appears as gibberish and is of no use to an adversary unless the adversary knows how to reverse or decrypt the encrypted message.
To understand the basics of encryption, some terms need to be introduced:
• Plaintext. The “plain English” version of a text or numerical message to be concealed.
• Ciphertext. The plaintext transformed by an encryption algorithm, using an encryption key, into a message that is unreadable without being decrypted.
• Encryption Algorithm. The mathematical formula or procedure or other formula that will convert the plaintext to ciphertext.
• Encryption Key. A unique combination of numbers and/or digits that is used by the encryption algorithm to convert plaintext to ciphertext.
Let’s give a simple example of the use of an encryption algorithm with key, attributed to Julius Caesar and his method of “secret writing.” The Caesar cipher uses a very simple secret key algorithm, called a substitution cipher. We substitute new letters for each letter of original text to make the original text illegible.
Suppose we’re communicating with the battlefield, and the message we want to send is:
ATTACK AT DAWN
Our encryption algorithm works as follows: First we write out the letters of the alphabet. Then we write out a second alphabet beneath the first alphabet, except we shift it one letter over:
ABCDEFGHIJKLMNOPQRSTUVWXYZ
 ABCDEFGHIJKLMNOPQRSTUVWXY
Starting from the bottom alphabet, wherever we have an A in our original message, we look directly above it and substitute a B, in the top (shifted) alphabet. So our original message ATTACK AT DAWN becomes the unreadable
BUUBDLBUEBXO
(In practice, we can eliminate the spaces between words as well.)
The key to our simple alphabet substitution algorithm is the number 1. We shifted the alphabet over by one letter to form ciphertext. We could just as easily have shifted the alphabet by 2, so that A would now become C, B would become D, etc.
Caesar’s general in the field, receiving the cryptic message BUUBDLBUEBXO only needs to know the algorithm and the key to get back the plaintext ATTACK AT DAWN. Using the two alphabets above, the general goes from top alphabet to bottom, reversing the way the encryption was performed.
The “key space” is the number of unique values the key can take. What are possible values of the key? Well, we can shift the alphabet by up to the number of letters in the alphabet, 25. (If we shift 26, we circle around the alphabet and come back to where we started.) So we have 25 unique keys that can be used with this simple substitution algorithm.
If the enemy finds out the algorithm being used is the Caesar cipher, he can try a brute force attack against the algorithm, using one message in the ciphertext he has managed to intercept: BUUBDLBUEBXO.
By trying each unique combination in the key space, 1-25, the enemy can discover the key used. In our example, if he just tries the number one, the plaintext becomes evident.
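The Caesar example, its reversal by the general, and the 25-key brute force, carried through in code. This is an added example for this edition, not the book's code; it generalizes the text's single shift of 1 to any key, and the `recover_key` function stands in for the enemy who recognizes readable plaintext by looking for an expected word (here the assumed crib "ATTACK").

```python
import string

ALPHABET = string.ascii_uppercase
KEY_SPACE = range(1, 26)   # 25 usable shifts; a shift of 26 maps every letter to itself


def _letters_only(text: str) -> str:
    """Drop spaces and punctuation, as the text notes is done in practice."""
    return "".join(c for c in text.upper() if c in ALPHABET)


def caesar_encrypt(plaintext: str, key: int) -> str:
    """Replace each letter by the one `key` places further along the alphabet."""
    shift = key % 26
    return "".join(ALPHABET[(ALPHABET.index(c) + shift) % 26]
                   for c in _letters_only(plaintext))


def caesar_decrypt(ciphertext: str, key: int) -> str:
    """The general's step: the same substitution run in the opposite direction."""
    return caesar_encrypt(ciphertext, -key)


def brute_force(ciphertext: str) -> dict:
    """Every candidate plaintext, one per key in the 25-value key space."""
    return {key: caesar_decrypt(ciphertext, key) for key in KEY_SPACE}


def recover_key(ciphertext: str, crib: str):
    """Return the key whose candidate plaintext contains the expected word, or None."""
    crib = _letters_only(crib)
    for key, candidate in brute_force(ciphertext).items():
        if crib in candidate:
            return key
    return None


if __name__ == "__main__":
    ct = caesar_encrypt("ATTACK AT DAWN", 1)
    print(ct)                                   # BUUBDLBUEBXO
    print(caesar_decrypt(ct, 1))                # ATTACKATDAWN
    for key, candidate in brute_force(ct).items():
        print(f"key {key:2d}: {candidate}")
    print("key found:", recover_key(ct, "attack"))
```

The whole key space is exhausted in 25 trials, which is the concrete meaning of the text's warning that a key space must be large enough to make trial and error too slow.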
As has been mentioned, the Caesar algorithm is called a secret key algorithm. Only the sender and recipient of the message may know the secret key. If an adversary finds out, all is lost.
Writing secure cryptographic algorithms is very difficult. The algorithm must be resistant to an attack by analysis, called cryptanalysis. And the key space must be large enough that it would take too long to find the key through trial and error (a brute force attack).
In our example, if dawn and the attack come before the adversary can find the right key by trial and error or any other method, then the algorithm will have served its purpose.
Modern-day secret key algorithms use mathematical calculations with key sizes described in terms of bits. The Data Encryption Standard (DES) algorithm, which is at the end of its useful life, uses 56 bits. A brute force attack on DES is very time consuming but achievable with today’s computing power. It is being superseded by the Advanced Encryption Standard (AES), which uses up to a 256-bit key.
Just like the cat-and-mouse competition between virus writers and antivirus researchers, there is a running competition between cryptographers, who develop new encryption algorithms, and practitioners of cryptanalysis, who try to break them by many different means. At stake are billions of dollars—for instance, in interbank money transfers that might be compromised if someone on the wrong side discovers the key or how to crack the algorithm.
Public Key vs. Secret Key Algorithms
Secret key algorithms, running the gamut from the Caesar cipher to DES and AES algorithms, are designed to preserve confidentiality. (Remember the AIC triad outlined in Chapter 6?) The confidentiality of the data (plaintext) is preserved only as long as the adversary does not have access to, or the ability to figure out, the secret key by a brute force attack or any other method.
Another form of cryptography, public key cryptography, was invented in 1978 by three individuals, for whom it is called RSA: Rivest, Shamir, and Adleman. It may be used for both authentication and confidentiality.
In public key cryptography each user has two keys, or a “key pair.” A key pair is made up of a public key, which may be given out in “public places,” and a private key, which must be kept secret by the user. The two keys are mathematically related. Figure 7-6 shows how public key cryptography may be used to ensure confidentiality.
Figure 7-6. Using Public Key for Confidentiality
Referring to Figure 7-6, the receiver generates a key pair and keeps the private key secret, but sends the public key to the sender, who wants to send the receiver a confidential message.
The sender encrypts a plaintext message with the receiver’s public key, then sends the encrypted message back to the receiver. The receiver, using the private key, is the only one who can decrypt the message.
This illustration shows we can use a public key algorithm to do the same thing as a secret key algorithm. In practice, though, using a public key algorithm takes much more processing time. It would not be practical to use public key to encrypt and send large amounts of data. In practice the public key is used in combination with a secret key for this purpose.
The real advantage of public key encryption is that it may be used for authentication.
Figure 7-7 shows how we may have our users authenticate each other.
Figure 7-7. Using Public Key for Authentication
Referring to Figure 7-7, suppose the receiver wants to be sure the message really came from the sender, not an imposter. If the sender and receiver had each generated their own key pairs and then swapped public keys, this would be achievable. The receiver would have the sender’s public key to begin with. The receiver would ask the sender to “sign” the message with his or her private key, creating a digital signature. Upon receiving the message, the receiver would check the sender’s digital signature against their copy of the sender’s public key to see if they matched. If they did, the message indeed came from the real sender, not an imposter.
As we can see from the above example, if two users generate key pairs, they may be used for both authentication (digital signature) and confidentiality (encryption).
In our previous example, the sender and receiver have met in person, know each other, and, therefore, have a “trust relationship.” But what if the sender and receiver have never met and established that trust relationship? How does the receiver know the public key received originally from the sender really belongs to the sender and not to an imposter?
The answer is to provide a public key infrastructure, or a way of certifying or guaranteeing the public keys are genuine and really belong to the authentic senders. This is usually done by an outside agency such as a bank or other certifying agency. The outside agency certifies in some way to the receiver that the sender is authentic (by requiring proof of identity, for instance) and the public key is genuine.
Message Integrity Checking
We need another type of cryptographic algorithm to complete our crypto toolkit—an algorithm that can let us know if a message has been altered in any way. A cryptographic checksum does this for us. Using an algorithm, it sums up the unique pattern of ones and zeroes comprising the binary representation of a message, generating a short checksum.
In telecommunications, a cyclic redundancy check (CRC) is used for this purpose—after every frame of data a cyclic redundancy check is computed and tacked onto the end of the message. Computing a cryptographic checksum ensures that the message/checksum correspondence cannot be tampered with.
Adding a cryptographic checksum to our toolkit gives us methods to ensure confidentiality, authentication, and message integrity.
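The difference between a telecom CRC and a cryptographic checksum is easiest to see on one altered frame. The added example below (not the book's code) appends both kinds of check to a constructed setpoint message and shows what a receiver sees after the frame is changed in transit: a CRC can be recomputed by whoever changed the frame, whereas the keyed checksum (HMAC-SHA256 here) cannot be recomputed without the shared key. The frame contents and key are constructed for the demonstration.

```python
import hashlib
import hmac
import zlib


def crc_tag(frame: bytes) -> int:
    """Plain CRC-32 as tacked onto a telecom frame: catches line noise only."""
    return zlib.crc32(frame) & 0xFFFFFFFF


def crc_check(frame: bytes, tag: int) -> bool:
    return crc_tag(frame) == tag


def mac_tag(key: bytes, frame: bytes) -> bytes:
    """Keyed cryptographic checksum: computing it requires the shared secret key."""
    return hmac.new(key, frame, hashlib.sha256).digest()


def mac_check(key: bytes, frame: bytes, tag: bytes) -> bool:
    # constant-time comparison, so a wrong tag is not leaked byte by byte
    return hmac.compare_digest(mac_tag(key, frame), tag)


def demo_tampering() -> dict:
    """Constructed scenario: a setpoint frame is altered between sender and receiver.
    Whoever altered it can recompute the CRC, but lacking the key can only
    forward the sender's original MAC along with the changed frame."""
    key = b"constructed-shared-key-for-the-demo"
    original = b"SETPOINT reactor_temp=350"
    altered = b"SETPOINT reactor_temp=950"

    crc_on_the_wire = crc_tag(altered)        # recomputed to match the altered frame
    mac_on_the_wire = mac_tag(key, original)  # the only MAC the tamperer has

    return {
        "crc_accepts_altered_frame": crc_check(altered, crc_on_the_wire),
        "mac_accepts_altered_frame": mac_check(key, altered, mac_on_the_wire),
        "mac_accepts_original_frame": mac_check(key, original, mac_on_the_wire),
    }


if __name__ == "__main__":
    for name, outcome in demo_tampering().items():
        print(f"{name}: {outcome}")
```

The CRC still earns its place for detecting accidental corruption on the link; it is the keyed checksum that makes the message/checksum correspondence tamper-evident, and its strength rests entirely on keeping the key secret.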
Application of Cryptography to Industrial Network Security
Applications using cryptography are entering the field of industrial network security at a slow pace for the following reasons:
1. Encryption is a complex subject and requires an understanding of the mathematical basis of the algorithms used.
2. Adding encryption to industrial network data transmissions adds processing time to what may be fully utilized microprocessors and also requires additional communications bandwidth. When talking about response time in milliseconds or for deterministic control applications, the latency or “jitter” introduced could delay crucial control events.
3. Key management. Generating, storing, and distributing keys can be a difficult process. If using public key infrastructure (PKI), a suitable structure must be set up.
7.6 Virtual Private Networks (VPNs)
Virtual private networks fulfill an important role in the networked world and the Internet.
Using the open Internet, they are designed to give protection to data communication equal to or greater than sending data via a dedicated phone line. A VPN works by setting up a secure tunnel over the Internet using an encrypted connection, and offers these three capabilities:
1. Identification, Authentication, and Authorization (see 7.7)
2. Integrity of information transfer
3. Confidentiality
Figures 7-8 and 7-9 show two ways a VPN might be set up.
Figure 7-8. VPN Configuration 1
Figure 7-9. VPN Configuration 2
Figure 7-8 shows a VPN configuration for giving secure remote access across the Internet. Here, remote hosts (say two different employees working at home) may access a corporate private network securely by setting up VPNs to their laptop computers. They would log in to their local Internet Service Providers (ISPs), go to the web address set up for their corporation’s VPN equipped firewall, authenticate themselves, and be granted access.
In the configuration shown in Figure 7-9, the VPN connection allows private network A, shielded from the Internet by Firewall A, to connect securely with private network B, which is similarly shielded from the open Internet by Firewall B.
7.7 Authentication and Authorization Technologies
In Section 4.3 we dealt with the issues of Identification, Authentication, and Authorization. We introduced these concepts as follows:
• Identification = Who are you?
• Authentication = Prove it.
• Authorization = Now that we’ve established your identity, what set of access privileges do you have?
We also introduced the three factors of authentication as the following:
• Something you know
• Something you have
• Something you are
We can use any factor of authentication alone or in combination with other authentication factors to have a stronger authentication.
In cyberspace, using something you know translates into using a password or passphrase. A password is relatively short, say eight alphanumeric characters, and a passphrase is longer. This is the most time-honored and widely used method of cyber authentication. This method assumes the system user will enter a secret and cryptic combination of letters and/or numbers, and then will remember them the next time he or she wants to log on to the system.
Anyone not knowing this cryptic combination of letters and numbers would have to get the password from the user by trickery somehow or resort to brute force guessing, a trial-and-error method of testing all possible combinations of numbers and letters that might make up a password or passphrase.
To be effective, passwords or passphrases must:
• Have enough characters so the task of a brute force trial-and-error attack would be prohibitively time-consuming;
• Not be easily guessable by another party;
• Be changed at reasonable and regular intervals, say once or twice per month.
• Be retained in the user’s memory only, not written down on slips of paper, sticky notes, etc.; and
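The first two requirements in that list can be checked mechanically. The added example below (not the book's code) puts a number on "prohibitively time-consuming" by computing how long exhausting a search space takes at an assumed guessing rate, and applies a small guessability policy; the common-password list and the guessing rate are constructed assumptions, not figures from the book.

```python
import re

# Constructed stand-in for a real list of commonly guessed passwords.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "welcome1"}

ALPHANUMERIC = 62     # a-z, A-Z, 0-9
LOWERCASE = 26


def search_space(length: int, alphabet_size: int) -> int:
    """Number of candidates a trial-and-error attack must cover in the worst case."""
    return alphabet_size ** length


def seconds_to_exhaust(length: int, alphabet_size: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the assumed guessing rate."""
    return search_space(length, alphabet_size) / guesses_per_second


def check_password(candidate: str, min_length: int = 12) -> list:
    """Return the policy problems found; an empty list means the password passes."""
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    if re.fullmatch(r"[A-Za-z]+", candidate) or re.fullmatch(r"\d+", candidate):
        problems.append("uses a single character class")
    if re.search(r"(.)\1{2,}", candidate):
        problems.append("contains a run of three or more repeated characters")
    if re.search(r"(19|20)\d\d", candidate):
        problems.append("contains a year, which guessers try early")
    return problems


if __name__ == "__main__":
    rate = 1e9   # assumed offline guessing rate, guesses per second
    for length, alphabet in ((8, ALPHANUMERIC), (12, ALPHANUMERIC), (20, LOWERCASE)):
        days = seconds_to_exhaust(length, alphabet, rate) / 86400
        print(f"{length} chars from {alphabet}: {days:.3g} days to exhaust")
    for pw in ("password", "aaa2009!xyz12", "Tr0ub4dor&3x!"):
        print(pw, "->", check_password(pw) or "passes")
```

At a billion guesses per second, an eight-character alphanumeric password is exhausted in a few days while a twenty-character passphrase of lowercase letters takes longer than the age of the universe, which is why length matters more than the alphabet once the password is not on a guessing list.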
Authentication with “something you have” equates to authentication with a key or hardware token. One of the most direct ways to provide authentication is by resorting to a physical security device, such as a lock, with a key carried by the user.
The user plugs in a hardware token to gain access, perhaps one in the form of a Radio Frequency Identification Device (RFID) or a USB dongle. An embedded-chip card or a system using a magnetic stripe may be used also.
Authentication with “something you are” brings up the rapidly developing area of biometrics—the technology of verifying identity with a unique physical attribute that is not easily duplicated. Biometric identification can include the following:
• Hand Geometry
• Fingerprint
• Voiceprint
• Face Recognition
• Signature Recognition
• Iris Recognition
The field of biometrics has come a long way in the last few years. Some of the above methods, such as hand geometry, have been used in industry for 20–30 years; others, such as face recognition, are much newer.
Biometrics may be abused as well as used properly.
When system developers have tried to use biometrics for identification and authentication together, rather than for authentication alone, they have generally not been successful. Reference (2) is a news story of an attempt to use face recognition to catch criminals by the Tampa, Florida, police department that failed to produce results.
Increasing the Factors of Authentication
Greater confidence in the authentication process may be had by using two or more factors of authentication, either multiple instances of the same factor or different factors. For example, in a popular two-factor authentication process referred to in Section 4.3, a token flashing a one time password that changes each minute can be used as a centralized log-in screen, where the user must input a passphrase consisting of a unique four-character PIN that doesn’t change (something you know) with the one-time password (also something you know) displayed on the encryption token to log on and get access to the computing services.
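The token scheme just described can be reproduced with the standard one-time-password algorithms, HOTP (RFC 4226) and its time-based form TOTP (RFC 6238), using a 60-second step to match a code that changes each minute. The example below is added for this edition, not code from the book or from any token vendor; the PIN, its stored verifier and the 60-second step are assumptions, and the RFC test secret is used only so the output can be checked against published vectors.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, timestamp: int, step: int = 60, digits: int = 6) -> str:
    """RFC 6238 TOTP: the counter is the number of whole time steps elapsed."""
    return hotp(secret, int(timestamp) // step, digits)


# Assumed: the server keeps a salted hash of the PIN, never the PIN itself.
PIN_SALT = b"constructed-salt-for-the-demo"


def pin_verifier(pin: str) -> bytes:
    return hashlib.sha256(PIN_SALT + pin.encode()).digest()


def verify_login(entered: str, stored_pin_hash: bytes, token_secret: bytes,
                 now: int, step: int = 60, window: int = 1, digits: int = 6) -> bool:
    """Check the text's combined passphrase: a 4-character PIN (something the
    user knows) followed by the code on the token (something the user has).
    A window of +/- one step tolerates clock drift between token and server."""
    if len(entered) != 4 + digits:
        return False
    pin, code = entered[:4], entered[4:]
    pin_ok = hmac.compare_digest(pin_verifier(pin), stored_pin_hash)
    code_ok = any(
        hmac.compare_digest(totp(token_secret, now + k * step, step, digits), code)
        for k in range(-window, window + 1)
    )
    return pin_ok and code_ok     # both factors must pass


if __name__ == "__main__":
    rfc_secret = b"12345678901234567890"            # RFC 4226 / 6238 test secret
    print(hotp(rfc_secret, 0), hotp(rfc_secret, 1))  # 755224 287082
    print(totp(rfc_secret, 59, step=30, digits=8))   # 94287082 (RFC 6238 vector)
    now = 1_700_000_000
    stored = pin_verifier("7391")
    print(verify_login("7391" + totp(rfc_secret, now), stored, rfc_secret, now))
```

Because both checks are evaluated before the result is combined, a wrong PIN and a wrong code take the same time to reject, and a code older than the window is refused even when the PIN is right.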
Authorization
Finally, let’s talk about authorization. As introduced in Section 4.3, once a user (or device) is identified and authenticated, we need some way of allocating certain access privileges to the person or device. What are they permitted to do? Which files may they change, delete, or create?
Historically, several conceptual models of authorization have been used by government and the military, and by industry.
• Mandatory Access Control. This has been used in military and government circles. Here information files are classified “Secret,” “Top Secret,” etc., and only persons with the matching secret or top secret security clearance may have access to these files. Control is centralized, and based on a rigid set of access control rules.
• Discretionary Access Control. This has been used commonly in industry and commercial computer systems. Here, whoever “owns” the information is empowered to set limits on who may access the information and what privileges they have to modify it.
• Role-Based Access Control. This type of access control shows great promise for industrial networking situations. Here, the users are grouped into roles, depending on what their job function is. For instance, in a bank, the roles might be teller, head teller, branch manager etc., with a number of individuals belonging to a role group. Once employees are identified and authenticated within the system, their roles determine their authorization privileges, not their individual identities. One can see the efficiency advantage if, for instance, a centralized role-based access control system were used in a large industrial control room. Operators, shift supervisors, engineers, and technicians would each be in a role group that would have certain fixed privileges. If one employee leaves and another arrives, each only needs to add or delete their individual identities to the roles list on the centralized server, not add or delete them from access control lists on pieces of individual systems in the control list.
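The control-room version of role-based access control, as an added example for this edition rather than code from the book: privileges attach to roles, people attach to roles, and every access check goes through the role membership, so an arriving or departing employee is handled by one change on the central server. The roles, privilege names and people are constructed for the illustration.

```python
from collections import defaultdict


class RoleBasedAccessControl:
    """Minimal model of a centralized RBAC server."""

    def __init__(self):
        self.role_permissions = defaultdict(set)   # role -> fixed privileges
        self.user_roles = defaultdict(set)         # identity -> role memberships

    def grant(self, role: str, *permissions: str) -> None:
        """Define (or extend) the fixed privilege set of a role."""
        self.role_permissions[role].update(permissions)

    def assign(self, user: str, *roles: str) -> None:
        """Add an identity to the roles list; refuse roles nobody has defined."""
        for role in roles:
            if role not in self.role_permissions:
                raise KeyError(f"unknown role {role!r}")
            self.user_roles[user].add(role)

    def remove_user(self, user: str) -> None:
        """A departing employee is deleted in one place, not on every system."""
        self.user_roles.pop(user, None)

    def permissions_of(self, user: str) -> set:
        return set().union(*(self.role_permissions.get(r, set())
                             for r in self.user_roles.get(user, ())))

    def is_permitted(self, user: str, permission: str) -> bool:
        """The authorization decision made after identification and authentication."""
        return permission in self.permissions_of(user)


def build_control_room() -> RoleBasedAccessControl:
    """Constructed role groups for the large control room the text imagines."""
    rbac = RoleBasedAccessControl()
    rbac.grant("operator", "view_trends", "acknowledge_alarm", "change_setpoint")
    rbac.grant("shift_supervisor", "view_trends", "acknowledge_alarm",
               "change_setpoint", "change_alarm_limits")
    rbac.grant("engineer", "view_trends", "download_logic", "change_alarm_limits")
    rbac.grant("technician", "view_trends", "calibrate_instrument")
    rbac.assign("alice", "operator")
    rbac.assign("bob", "engineer")
    return rbac


def assign_rejects_unknown_role(rbac: RoleBasedAccessControl) -> bool:
    try:
        rbac.assign("dave", "janitor")
    except KeyError:
        return True
    return False


if __name__ == "__main__":
    rbac = build_control_room()
    print("alice may acknowledge alarms:", rbac.is_permitted("alice", "acknowledge_alarm"))
    print("alice may download logic:", rbac.is_permitted("alice", "download_logic"))
    rbac.remove_user("alice")                # alice leaves
    rbac.assign("carol", "operator")         # carol arrives in the same role
    print("carol may change setpoints:", rbac.is_permitted("carol", "change_setpoint"))
```

Keeping the privilege sets on the roles rather than on the people is what makes the audit question "who can download logic?" a one-line lookup instead of a search across every individual system's access list.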
It should be emphasized that identification, authentication, and authorization don’t pertain exclusively to people. A secure intelligent device, such as a control sensor or actuator or a PLC on a network, may need to identify itself to the rest of the control network as the “real thing” and not an “imposter device.” And a whole subnetwork (for instance, a remote industrial network segment) may need to identify itself to another network. Identification, authentication, and authorization are for machines, devices, and industrial network segments as well as for people.
References
1. Falco, J., Hurd, S., and Teumim, D. “Using Host-Based Antivirus Software on Industrial Control Systems.” NIST Special Publication 1058 (2006).
2. Bowman, L. M. “Tampa Drops Face-Recognition System.” Cnet.com article. August 21, 2003. Retrieved 11/11/2004 from: http://news.com.com/Tampa+drops+facerecognition+system/2100-1029_3-5066795.html
![Page 72: Industrial Network Security, Second Editionindex-of.es/Varios-2/Industrial Network Security.pdfIndustrial Network Security 1.1 What Are Industrial Networks? To define industrial network](https://reader034.vdocuments.net/reader034/viewer/2022042202/5ea2c51298da1e1f873f432a/html5/thumbnails/72.jpg)
8.0
CyberdefensePartIII—People,Policies,andSecurityAssurance
8.1 ManagementActionsandResponsibilityInChapter2,wesawthattobeeffective,industrialnetworksecurityhastobedrivenbytopmanagementandworkitswaydownthecorporation.Thealternative,a“grass-roots”effortbyautomationandcontrolengineering,maybecommendablebutwillprobablynotgettheattentionandresourcesitneedstosucceedinameasurableway.
Severalkeyfactorsarenecessarytodevelopameaningfulindustrialnetworksecurityorganizationandprogram.Twoofthesefactorsare:
• Leadershipcommitment.Industrialnetworksecurityneedsagenuineplaceintheorganization,aplacethatfitsinwithcorporategoalsforriskmanagementandforcorporateandITsecurity.Thismeanstopmanagementmustbecommitted,andthisoftenmeansaconvincingbusinesscasemustfirstbemade(seeChapter2).
• Anindustrialnetworksecuritycommittee,taskforce,orsimilarentity.ThisentitymaybecalledaProgramTeam.
ResourcesfortheProgramTeammustinclude:
• Personnel
• Budget
• Training
• Organizationalempowermentandauthority
• Acharter,usuallysomehigh-levelsecuritypoliciesthatdetailthemission,structure,goals,andresponsibilitiesoftheProgramTeam
• Afirstproject—asmodestorasambitiousasProgramTeamresourceswillallow
• Aplanforthefirstproject.
8.2 WritingEffectiveSecurityDocumentationSecuritydocumentationcreatesavehicleforinformingyourcompanyaboutrecommendedand/orrequiredpracticesforcybersecuritythatcanbereadandunderstoodbyreadersatalllevelsoftechnicalsophistication.Mostreaderswanttospendaslittletimeaspossiblewadingthroughinformationthatdoesnotapplytothemtogettowhat
![Page 73: Industrial Network Security, Second Editionindex-of.es/Varios-2/Industrial Network Security.pdfIndustrial Network Security 1.1 What Are Industrial Networks? To define industrial network](https://reader034.vdocuments.net/reader034/viewer/2022042202/5ea2c51298da1e1f873f432a/html5/thumbnails/73.jpg)
theyreallyneed.
Let's talk about IT cybersecurity before we consider industrial networks. There are many different approaches to writing security documents in the IT world, and the resulting documentation may be labeled differently and be composed of different sets of information from company to company.
The writer's point of view, after spending many hours in fruitless discussions with peers over which piece of paper should be called by what name, is that the issue is not so much what name we give to our documents but whether the documents, taken together, convey the required information in an efficient fashion. Also, does the final set of security documents "hang together" and produce a coherent framework for the various readers?
With this introduction in mind, let's look at the business side of the company we described in Chapter 2. A set of IT cybersecurity documents for the business side of our widget factory would address these issues, among many others:
• Web. Downloading of pornography or other illegal content by employees.
• Email. Viruses and spam coming in with email.
• Remote access. Allowing authorized users to connect via modem or VPN and keeping hackers out.
• Unlicensed software. Keeping employees from using unpaid-for software.
What sort of security documentation system is best to convey all the required security information? The writer presents the following IT cybersecurity framework as one system that "hangs together." By no means is it the only way to structure a set of industrial network security documents, but it is a common and proven way.
This system uses four types of security documents:
• Security Policies
• Security Standards
• Security Guidelines
• Security Procedures
Classification of security documents into the categories above depends on the message, the intended audience, the document's technical sophistication, and whether the message and instructions are recommended or mandatory.
Let's start at the top of the list. Security policy usually comes from high in the management chain and is a short statement of the corporation's position on security issues. For instance, it may come from as high a level as the CEO of the company, saying something such as, "This corporation believes that IT cybersecurity is crucial to the success of the company for the following reasons: (list reasons). Therefore, we have assigned the (name of group), under the leadership of (name or title of person in charge), to be responsible for this area and to report to me at regular intervals."
Among IT cybersecurity professionals, the term "security policy" may also be used at much lower levels. For instance, the security policy for a firewall may simply be a list of rules for setting up a firewall. Among IT professionals this may be an allowable use for "security policy," but we must clearly differentiate this document from the CEO's proclamation!
We will show how to do this in an upcoming figure. Let's now define the three other security documents listed above:
• Security Standard. A document that is mandatory and prescriptive, describing how to deal with cybersecurity issues. For example, "A firewall must be used at every connection from the business LAN to the Internet." It may also include provisions such as the level of approval necessary for elements of the system not to be subject to a certain part of the requirement.
• Security Guidelines. A document that describes recommended but not mandatory ways to solve security problems or sets forth options for solving problems.
• Security Procedures. Detailed technical documents for accomplishing security tasks and meant for the employees doing the work. A security procedure may be a mandatory or recommended way to perform a security task.
Next, let's create a framework on which to hang the four types of security documents while allowing for different levels of security policy. Figure 8-1 gives such a security document framework.
As shown in Figure 8-1, security policies cascade from the highest level (CEO level) to mid-level (CIO or IT cybersecurity) to low level (for instance, the industrial network security level). The aforementioned Program Team that decides and implements security within the industrial network boundary might be an excellent choice to write the low-level security policies.
Figure 8-1. A Cybersecurity Document Framework
Consider a specific example from our list of typical IT cybersecurity issues—Internet and email use by employees. At the top (CEO) level, there might be policies on "business only" use of Internet and email by employees. At mid-level (CIO), there might be further policy qualification of what constitutes business-only use of these resources, with standards, guidelines, and procedures to enable and enforce this policy.
Finally, the low-level policy describes how Internet and email access will be addressed inside the industrial network boundary.
A major cybersecurity question may be whether to allow company email and Internet connectivity to any computer connected to the process control network, for fear of spreading viruses or Trojan horses to critical process networks.
Some alternatives might be to:
1. allow company email and Internet connectivity to any operator or engineering workstation, as desired;
2. allow company email and Internet connectivity only to certain controlled and monitored workstations; or
3. not allow any company email or Internet connectivity to any computer on the process control network. (This is the most restrictive security policy, and the approach favored by the writer.)
However, an alternate means of providing email and Internet access within the control room is to extend the business LAN into the control room as a parallel, "air-gapped" network, and have dedicated business workstations for operators. This way, business network connectivity is provided without direct process control network access.
But let's say alternative 2 is chosen. The security documents might be framed around the mechanism and infrastructure to provide this solution.
The Security Policy would simply state that only certain designated and controlled workstations on the process control network could be used for Internet and email.
A Security Standard might specify the type and number of workstations allowed, who will set these up, the configuration, method of monitoring, auditing, etc.
A Security Procedure might be the instructions to the IT/Control Engineering staff on exactly how to set up these workstations.
A key feature of the security document framework is that one group of readers is not burdened with unnecessary detail meant for another group of readers. The policy document has no need for the technical details of how to set up the workstation. This security document framework is modular, concise, and provides for different documents for different classes of readers.
8.3 Awareness and Training
One area of security that is frequently overlooked is industrial network security awareness and training for all the users of a system or group of systems.
Security awareness is accomplished when industrial network users understand the need for security, the threats and vulnerabilities in a general way, the security countermeasures and why they are designed the way they are, and how the lack of secure operation of these systems will affect their jobs and the company's bottom line.
It is important to repeat awareness sessions to regularly remind employees, contractors, and other users of the system of these matters and to keep them up to date on changes.
Some formats for awareness sessions with employees might be:
• Live security talks or presentations
• Printed materials, such as brochures, posters, etc.
The security awareness program is for everybody—all who will use or come in contact with the systems. On the other hand, security training is specific. Security topics may be presented in self-taught sessions or in more formal classroom sessions. For instance, training new engineers on the method for secure remote access over a VPN might be a suitable topic for a "hands-on" training session.
8.4 Industrial Network Security Assurance Program: Security Checklists
Security checklists are lists of routine activities that must be completed to accomplish a certain security goal, such as securing a host or network. They are used extensively for day-to-day activities in IT cybersecurity and may also be used for industrial network security tasks. Let's look at some functions security checklists provide in IT cybersecurity.
One way COTS software can be vulnerable to cyber attack is by having open ports and services on the host computer that aren't being used, thereby opening avenues of attack. This is much like leaving many doors in a big building unlocked even though no one uses these doors.
COTS operating systems, when installed "out of the box," frequently leave services (from web servers to exotic, little-used services) and ports open by default. It is the opposite of the basic security principle—the Principle of Least Privilege—described previously. If ports and services are not closed in a systematic procedure, these open doors make cyber attack easier.
Another way COTS software may invite cyber attack is by leaving unpatched vulnerabilities. As discussed previously, many vulnerabilities in COTS software for business and industrial network applications are coded into the software during the development process and then not caught in a code inspection or quality assurance effort before release. We saw in Chapter 4 that a simple buffer overflow condition is responsible for many security vulnerabilities.
Unfortunately, these vulnerabilities are then found one at a time by security researchers or by the hacking community. If a vulnerability is caught by a security researcher, perhaps after a user complaint, the researcher should work with the vendor to ensure that a patch is developed and available at the same time as the vulnerability is made public.
This gives conscientious system administrators time to download the patch from the vendor's website and fix their systems, hopefully before a new virus or worm targeting that vulnerability can be invented by a hacker.
Vendors and non-profit security organizations have security checklists and even automated system configuration tools to identify and close the unneeded ports and services described above, as well as to check on security patch level and installation, in a step-by-step fashion.
This process of patching vulnerabilities and turning off unneeded ports and services for your computers and network equipment is known as "host and network hardening."
An example of a coordinated host and network security hardening project is a program begun in 2003 by the National Institute of Standards and Technology (NIST). NIST began to gather and put into a database many different security checklists and automated configuration toolsets furnished by such companies and organizations as Microsoft, the National Security Agency (NSA), and others. (1)
The concept of host and network hardening and security checklists may also be applied to industrial network security. Some applications might include:
• checking an industrial network security configuration before putting it into production mode, or
• hardening a Windows or Unix host before connecting it to an industrial network.
Before using an IT security checklist for an industrial network, one additional step is necessary: letting the industrial network vendor review and test the checklist activities, including closing ports and services and applying patches, to ensure that checklist activities are compatible with the application software as installed. Figure 8-2 gives a simple flowchart that includes this extra step.
Figure 8-2. Industrial Network Hardening Flowchart
Once "blessed" by the industrial network vendor as in Figure 8-2, security checklists may be very easily incorporated into the security document framework outlined previously, at the level of standards, guidelines, or procedures. They will save time, improve uniformity and consistency of security efforts, and help ensure that organizational knowledge of industrial network security is not lost if key people leave the company.
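The checklist items above (close unneeded ports and services, confirm patch level, and do both only against a baseline the industrial network vendor has reviewed) can be turned into a repeatable audit. The following Python script is an added example written for this section; it is not code from the book, from NIST, or from any vendor. It parses a constructed listing of listening sockets written in the style of `ss -tulnp` on a Linux host, compares it with a hypothetical vendor-approved baseline of allowed listeners, compares the host's reported patches with a hypothetical approved patch list, and emits the action items an engineer would sign off on the hardening checklist. All port numbers, process names, and patch identifiers are assumptions chosen for illustration.

```python
"""Host-hardening checklist audit.

Added example, not code from the book or from NIST: compares a host's
listening services with a vendor-approved baseline and its installed
patches with a vendor-approved patch list, then emits checklist items.
All sample data is constructed; ports, processes and patch IDs are assumed.
"""
import re
from dataclasses import dataclass

# Constructed sample in the style of `ss -tulnp` on a Linux host.
SAMPLE_SOCKETS = """\
tcp   LISTEN 0 128 0.0.0.0:22    0.0.0.0:*  users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0 128 0.0.0.0:80    0.0.0.0:*  users:(("httpd",pid=901,fd=4))
tcp   LISTEN 0 5   0.0.0.0:23    0.0.0.0:*  users:(("telnetd",pid=322,fd=5))
tcp   LISTEN 0 128 0.0.0.0:4840  0.0.0.0:*  users:(("opcua_srv",pid=1450,fd=7))
udp   UNCONN 0 0   0.0.0.0:161   0.0.0.0:*  users:(("snmpd",pid=640,fd=6))
udp   UNCONN 0 0   0.0.0.0:69    0.0.0.0:*  users:(("tftpd",pid=655,fd=6))
"""

# Assumed baseline the industrial network vendor has reviewed and "blessed"
# (Figure 8-2): the only listeners this host class may have, and which
# process must own each one.
VENDOR_BASELINE = {
    ("tcp", 22): "sshd",         # remote administration
    ("tcp", 4840): "opcua_srv",  # process data to the historian
    ("udp", 161): "snmpd",       # monitoring
}

# Assumed vendor-approved patch list and what the host reports as installed.
REQUIRED_PATCHES = {"KB-A-1001", "KB-A-1002", "VENDOR-HF-7"}
INSTALLED_PATCHES = {"KB-A-1001", "VENDOR-HF-7", "KB-A-0999"}


@dataclass(frozen=True)
class Listener:
    proto: str
    port: int
    process: str


_SOCKET_RE = re.compile(
    r"^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+\S+:(?P<port>\d+)\s+\S+\s+"
    r'users:\(\("(?P<proc>[^"]+)"'
)


def parse_sockets(text: str) -> list:
    """Extract (proto, port, process) from ss-style lines; others are skipped."""
    found = []
    for line in text.splitlines():
        m = _SOCKET_RE.match(line)
        if m:
            found.append(Listener(m["proto"], int(m["port"]), m["proc"]))
    return found


def audit_services(listeners, baseline):
    """Sort listeners into: unexpected (to close), mismatched (approved port,
    wrong process), and absent (approved service not running)."""
    present = {(lst.proto, lst.port) for lst in listeners}
    unexpected = [lst for lst in listeners if (lst.proto, lst.port) not in baseline]
    mismatched = [lst for lst in listeners
                  if (lst.proto, lst.port) in baseline
                  and baseline[(lst.proto, lst.port)] != lst.process]
    absent = [key for key in baseline if key not in present]
    return {"unexpected": unexpected, "mismatched": mismatched, "absent": absent}


def audit_patches(required, installed):
    """Return approved patches that are not installed, in a stable order."""
    return sorted(required - installed)


def build_checklist(socket_text, baseline, required, installed):
    """Turn the audit results into the action items on the checklist."""
    services = audit_services(parse_sockets(socket_text), baseline)
    items = []
    for lst in services["unexpected"]:
        items.append(f"DISABLE {lst.process} on {lst.proto}/{lst.port}: not in vendor baseline")
    for lst in services["mismatched"]:
        expected = baseline[(lst.proto, lst.port)]
        items.append(f"INVESTIGATE {lst.process} on {lst.proto}/{lst.port}: baseline expects {expected}")
    for proto, port in services["absent"]:
        items.append(f"VERIFY {baseline[(proto, port)]} on {proto}/{port}: approved service not listening")
    for patch in audit_patches(required, installed):
        items.append(f"APPLY {patch}: vendor-approved patch missing")
    return items


if __name__ == "__main__":
    for item in build_checklist(SAMPLE_SOCKETS, VENDOR_BASELINE,
                                REQUIRED_PATCHES, INSTALLED_PATCHES):
        print(item)
```

Two design points matter in practice. The baseline records the process that must own each approved port, so a different program listening on an approved port (for example a listener planted on tcp/22 after sshd was stopped) is reported as a mismatch rather than accepted; and an approved service that is not listening is reported too, since on a control host "closed" can mean a required function has failed. Anything beyond the vendor-reviewed baseline is an item to disable, never a judgment call made on the host.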
8.5 Security Assurance: Audits
Security audits are also frequently used in IT cybersecurity as a means of:
• checking that changes to a network's setup and configuration are satisfactory and agree with established security procedures before allowing the network to be put into normal operation,
• reviewing security logs, frequently with the aid of software audit tools to automate the log scanning procedure, and looking for signs of an intrusion or compromise, and
• performing an outside and independent audit on the normal operation of security features by systems administrators or others.
Usually, auditors are specially trained in IT cybersecurity techniques. One organization that trains IT cybersecurity auditors is the Information Systems Audit and Control Association (ISACA). Auditors with the certification ISACA sponsors, who are known as Certified Information Systems Auditors (CISA), are skilled in a variety of auditing methodologies for various IT systems and applications.
In a similar vein, an industrial network also needs a periodic audit to ensure that security countermeasures are set up, configured, and operating properly.
The goal of the industrial network security auditor is to find out if the countermeasures designed into the system are still operating effectively, the way they were designed and intended to operate, or if maintenance has fallen off and the countermeasures have not been updated, yielding an ineffective cyber defense.
8.6 Adding in Physical Security
As Chapter 2 emphasizes, physical security plays a major role in the security defense of any segment of the industrial plant, including the industrial network. Physical security countermeasures to prevent or deter unauthorized entry and/or access include measures such as locks on doors and windows, fences, and security guards. Countermeasures to detect unauthorized intrusions include burglar and intrusion alarms, closed-circuit TV (CCTV) cameras, and video recorders for those cameras. More recently there are video analytics software packages for CCTV systems, which can alert operators to suspicious or unauthorized movements of people in restricted areas, etc. Physical security has been around for hundreds of years, and quite a number of sophisticated physical security devices are on the market.
There are many good sources of information on physical security in a plant environment. The American Chemistry Council (ACC) has a fair amount of material on physical security in its publication "Site Security Guidelines for the U.S. Chemical Industry." (3)
ASIS International, an international organization of security management professionals, has a wealth of good articles and resources on physical security on its website (4), including articles from its monthly magazine, Security Management.
But perhaps the best advice on physical security for the industrial network security Program Team is also the easiest to follow: as urged in Chapter 2, include a representative of physical security or facilities management in risk assessment and other activities of the industrial network security Team. Without physical security representation, an important perspective will be missing.
8.7 Adding in Personnel Security
Like physical security, personnel security is another important component necessary to round out the industrial network security defense for an industrial plant. Some of the more common personnel security controls include the following:
• Background screening checks before hiring employees and contractors. These may include criminal record checks, credit checks, driving records, education records, etc.
• A clear statement of company security policies and the security behavior expected of employees and contractors.
• Company terms and conditions of employment, including measures such as employee rights and responsibilities and detailing of offenses to security policies, disciplinary actions, etc.
• Incident investigation. Many big breaches of security are preceded by small breaches. All security-related incidents should be investigated and the individuals involved monitored for indications of further security violations.
• Rechecking employees' and contractors' backgrounds periodically, especially after a security violation. This should be done in line with company personnel policies.
As with physical security, personnel security has been around a long time. There are many resources out there, and many practitioners. The previously mentioned ACC publication "Site Security Guidelines for the U.S. Chemical Industry" (3) has a number of personnel security guidelines and recommendations. But, as mentioned previously in Section 8.6 regarding the field of physical security, the best advice the writer can give with personnel security is simply to have representatives of personnel security, whether the HR department or management or another group, sitting at the table when the risk assessment team or the industrial network security Program Team meets, and to make sure that their point of view is included.
References
1. Computer Security Resource Center (CSRC). Security Checklist for Commercial IT Products. National Institute of Standards and Technology. Last updated 10/19/2004. Retrieved 11/11/2004 from http://csrc.nist.gov/checklists/.
2. Kirk, M. "Eligible Receiver," from PBS Frontline documentary "CYBERWAR!" Originally broadcast 4/23/2003. Retrieved 11/11/2004 from http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/.
3. American Chemistry Council, Chlorine Institute, and Synthetic Organic Chemical Manufacturers Association. Site Security Guidelines for the U.S. Chemical Industry. 10/2001.
4. ASIS International website. Retrieved 11/11/2004 from www.asisonline.org.
5. Kaplan, D. "Attack Code Released for SCADA Software Vulnerability." SC Magazine, Sep. 8, 2008. Retrieved 8/30/2009 from http://www.scmagazineus.com/Attack-code-released-for-SCADA-software-vulnerability/PrintArticle/116387/.
9.0
New Topics in Industrial Network Security
9.1 Red Teaming: Test Yourself Before Adversaries Test You
Red teaming traces its roots to warfare, where commanders need to test and refine their own defenses and battle plans to ferret out weaknesses, study adversary tactics, and improve their strategies. Since this book covers industrial networks, our focus will be on cyber red teaming used to evaluate security questions related to these systems. Cyber red teaming has strong ties to both network vulnerability assessment and penetration testing.
Cyber red teaming, as you might expect, is a rather young field, but it is maturing as red teams have begun to collaborate, exchanging ideas, sharing tools, and developing new techniques. Over time, different groups have come to use cyber red teaming in one form or another, applying it to answer different questions (e.g., Are my personnel prepared to defend my network from a cyber attack? and Which of several security appliances will best protect my network?), and in different domains (e.g., cyber and physical).
But what exactly is red teaming? A key factor is that red teaming is mission-driven.
Many different groups perform red teaming and use differing terminology, techniques, and processes: commercial security firms, various military units and government agencies, and national laboratories. If one wants to understand a group that performs red team assessments, then first one must understand what that group means by red teaming. For instance, Sandia National Laboratories' Information Design Assurance Red Team (IDART™) group defines red teaming as "authorized, adversary-based assessment for defensive purposes." The IDART group advocates that red team assessments be performed throughout any cyber system life cycle, but especially in the design and development phase, where cooperative red team assessments cost less and critical vulnerabilities can be uncovered and mitigated more easily.
9.2 Different Types to Answer Different Questions
The IDART group has been red teaming for the U.S. government and commercial customers since 1996 and is widely known in the red team community. IDART identifies eight unique types of red teaming that can be performed individually or can be combined with other types. They are quick to point out that careful, detailed planning of a red team assessment requires significant communication between assessment customers and their red team. Experienced red teams should provide their customers with technical options for an efficient and effective assessment process that addresses their customers' security concerns.
The eight types of red teaming identified by IDART in their Red Teaming for Program Managers course are:
1. Design assurance (to improve new or existing system designs)
2. Hypothesis testing (to measure performance against a well-formed hypothesis)
3. Red team gaming (to evaluate adversary attack decision making in a given scenario)
4. Behavioral analysis (to analyze adversaries in order to identify indications and warnings)
5. Benchmarking (to produce a performance baseline that helps measure progress)
6. Operational (to test personnel readiness and defensive tactics, techniques, and procedures)
7. Analytical (to formally measure and compare available adversary courses of action)
8. Penetration testing (to determine whether and by what means an adversary can compromise system security).
9.3 Red Teaming Industrial Networks – Caution, It's Not the Same!
Most red teams don't assess industrial networks because they lack the specialized knowledge and training required to assess the sensitive components found in industrial networks. Industrial networks provide critical real-time or near-real-time control over physical processes, and cyber red teaming sometimes results in intentional or accidental denials of service. Active network assessments (including penetration testing) should almost never be conducted in a production control system or control system network.
Where a control network interfaces with a business network, cyber assessment teams should be expert in understanding (and verifying) the network boundaries and how traffic is passed between the networks. Vulnerability scans and network footprinting activities routinely executed by both network administrators and independent assessment teams in traditional IT networks can have extremely adverse impacts on industrial networks.
Instead of conventional active assessments, industrial network stakeholders must enable assessments (including red teaming) by using passive techniques and isolated test systems and networks. Still, integrating red team assessments into industrial network environments demonstrates an aggressive, proactive, security-conscious culture. The keys to success are what form of red teaming is implemented, who is on the team, and that a responsible, safe strategy is adopted to protect against accidental damage and/or disruption to the network.
9.4 System Security Demands Both Physical Security and Cybersecurity
Physical security systems are evolving to be increasingly dependent on cyber systems and information technology. For instance, physical access control systems at sensitive military, government, and commercial installations use computers, sensors, communications networks, databases, and other electronic information technology. Such security system networks are nearly indistinguishable from any other kind of IT network.
Indeed, new industrial network standards, such as those contained in NERC CIP, mandate physical security systems having greater capabilities. These systems contain functionality (like streaming video) that requires bandwidth that is not found on a 24-kbit/s process control line, but which is found in a 100- to 1000-Mbit/s business network.
One easy solution for network owners is to run the physical security communications through the business network, and perhaps establish a WiFi connection for remote sensors. The problem is that if someone is successful in compromising the business network, they are now within striking distance of the physical security system. Another approach might be to run some or all of the physical security system communications through the control systems network. In some instances this can work well, but in others it can represent a big risk to the control systems network.
The bottom line is, given the emerging trend in physical protection systems – incorporating COTS networking technologies and communications protocols – a capable adversary (outsider or insider) is but a stone's throw away from changing a physical security database and letting somebody inside a sensitive facility whom you don't want inside.
Because attacks against any kind of system or network can use physical means, cyber means, or both, a comprehensive approach to security requires assessments of both physical security and cybersecurity. Even more, system defenders must understand the concept of blended attacks, whereby an attacker uses physical means to enable cyber attacks, and cyber means to enable physical attacks. System owners and defenders should consider that cyber red teaming their industrial and administrative networks without also red teaming their physical security is inadequate.
Finally, performing red team assessments is not a task for amateurs. Even professional security organizations that lack specific experience in red teaming should consult with experienced red teams to consider a variety of assessment questions, options, recommended practices, legalities, and lessons learned before attempting to implement a red team assessment.
9.5 The Transportation Connection: Passenger Rail and Cybersecurity
By 2005 many industry sectors, such as oil and gas, chemicals, and electric power, were already aware of, and working on, aspects of industrial network security. Much of the critical infrastructure in these sectors is privately owned; what about publicly owned infrastructure, such as in the transportation sector, particularly passenger rail?
The passenger rail industry in the United States has an interesting variety of systems. It contains some of the oldest and largest subway systems in the world, including New York City Transit. To that one may add showpiece subway systems like Washington, D.C.'s WMATA, new, sleek light rail systems such as Houston Metro, and advanced people-mover and commuter rail.
Passenger rail, as with other critical sectors mentioned earlier in this book, has not been without its cyber incidents. For instance:
• In 2003 a computer virus shut down the CSX system. Amtrak trains, which normally use the freight company's rails, were likewise shut down for hours. (1)
• In 2007 a 14-year-old Polish teenager in the city of Lodz hacked into the city's tram system, causing two streetcars to collide head-on and sending passengers to the hospital. (2)
• In 2006 in Toronto, a hacker changed the electronic passenger advertising on train signboards to display a disparaging comment about Canada's prime minister. (3)
In the summer of 2005, the writer approached APTA, the American Public Transportation Association, with a proposal. APTA is the trade association for North America's passenger rail and bus public transit agencies and associated industry. Public transit, covering everything from big city subways and commuter rail to newer light rail lines, was undergoing a change in control systems from old electromechanical relay and serial communications systems to modern industrial networks using PLCs, fiber optics, wide area networks (WANs), and Internet protocol (IP)-based communication. Would APTA be interested in jumping on the same bandwagon as the industries mentioned above, and support a control security initiative?
The writer recalls the meeting with APTA's staff at their Washington, DC headquarters: "I had the usual articles about control system security, concerning computer viruses and worms, and I was making moderate progress, when I decided it was time to pull out my heavy ammunition: a copy of 2600, the Hacker Quarterly, Spring 2005 edition, freely available in many big bookstores.
This publication had an article on hacking the MetroCard® fare collection system, which is used by a number of big city subway systems. The author of the 2600 article had reverse engineered the information encoded on the magnetic stripes on these cards, and researched the original patents on the system to gain knowledge of the technical details. It was a full description of the system, how the cards are encoded (and how to decode them), how theoretically the cards could be overwritten (with a disclaimer to the effect that the author surely wouldn't want any of their readers to do anything illegal such as trying to change the amount stored on the cards and try to use them!). In all, the article was very professionally done, and would have made any technical editor proud."
That article did it! I had made a sale on the value of industrial network security to APTA. With some more awareness and organizational efforts, the APTA "Control and Communications Security Working Group" was created and funded. At the time of this writing, Part 1 of the Recommended Practice "Securing Control and Communications Systems in Transit Environments" is in the balloting/approval stage. Part 1 contains getting organized and background information for transit agencies, up through risk assessment. Part 2 will follow, which will contain developing a security plan and designing, installing, and maintaining security controls.
References
1. Hancock, D. "Virus Disrupts Train Signals." CBSNews.com, 8/21/2003. Retrieved 8/2/2009 from http://www.cbsnews.com/stories/2003/08/21/tech/main569418.shtml.
2. Leyden, J. "Polish Teen Derails Tram after Hacking Train Network." The Register, 1/11/2008. Retrieved 8/2/2009 from http://www.theregister.co.uk/2008/01/11/tram_hack/print.html.
3. Leyden, J. "Hackers Libel Canadian Prime Minister on Train Signs." The Register, 5/3/2006. Retrieved 8/2/2009 from http://www.theregister.co.uk/2006/05/03/canadian_train_sign_hack/.
Note: Mr. John Clem of Sandia National Laboratories was a major contributor to the material in Sections 9.1–9.4.
10.0
Defending Industrial Networks—Case Histories
10.1 A Large Chemical Company
In this section, we will take a look at a case history of a large multinational corporation in adding industrial network security to its control networks.
The figures we will use to illustrate this story have been taken from slides given by this company at a past conference.
Figure 10-1 shows the typical situation in the company as far as industrial networks were concerned before the industrial network security push.
Here, we see that the business LANs and the process control network (the Process Control LAN in the diagram) were blended together, making up a corporate Intranet.
The revised network architecture, after an intensive campaign to isolate the process control network, is shown in Figure 10-2. The "E-Pass" notation on the diagram will be explained later in this section.
Here we see a complete reengineering to separate the business LAN, or Intranet, from the Process Control Network (PCN). If we refer back to Chapter 6, the design and planning philosophy of defense in layers was applied to separate the business LAN and the Process Control Network using a firewall.
Figure 10-1. Pre-Existing Security Controls
Note – E-Pass = Two-Factor Authentication (RSA)
Figure 10-3 shows how several firewall options were tried by the company, and the low-cost "SOHO" type appliance (small office/home office) was rejected. A moderate-size enterprise-level firewall was selected.
It is important to mention that the company did not attempt to do this internal firewall addition/network separation exclusively in-house. Rather, the company chose to partner with a Managed Firewall Provider, an external vendor that supplied the firewalls and provided offsite monitoring and firewall expertise for the company's plant networks around the world. The Managed Firewall Provider concept is used in the business world by many medium and large companies that do not want to do the entire job in-house.
Figure 10-2. New Perimeter-Based Security Controls
Figure 10-4 shows how communication typically flows across the internal firewall from the "clean" process side to the business side for such things as backups, OPC data updates, antivirus signature file updates, and so on.
Figure 10-5 gives a performance summary, based on the number of installed firewalls (more than 60). As the figure mentions, the necessary process communications were handled with no throughput issues, and the conclusion is that "standard IT firewall technology can be used for process control applications."
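Section 9.3 says the assessment team must verify the boundary and how traffic crosses it without scanning, and the Figure 10-4 discussion above says that only a short list of process-initiated flows (backups, OPC data, antivirus signature updates) should cross the internal firewall. The Python script below is an added example serving both passages; it is not code from the book or from the company in this case history. It reads flow records collected passively (for example from a span port or a flow export at the internal firewall), checks each cross-boundary flow against a hypothetical allowed list of PCN-initiated flows, and flags the footprinting pattern an active scan leaves behind: one source touching many distinct hosts and ports inside the PCN. The address ranges, port numbers, purposes, and sample flows are all constructed assumptions; in particular the OPC port is assumed, since the case history does not name the OPC variant in use.

```python
"""Passive verification of the business/PCN boundary.

Added example, not code from the book or the case-history company: checks
passively collected flow records against the allowed PCN-initiated flows and
flags scan-like behaviour.  Ranges, ports and flows are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

BUSINESS_NET = ip_network("10.10.0.0/16")  # assumed business LAN
PCN_NET = ip_network("10.20.0.0/16")       # assumed process control network

# Assumed allowed flows, all initiated from the PCN side, in the spirit of
# Figure 10-4: (protocol, destination port on the business side) -> purpose.
ALLOWED_PCN_TO_BUSINESS = {
    ("tcp", 445): "backup to business file server",
    ("tcp", 4840): "OPC UA data to the business historian",  # port assumed
    ("tcp", 443): "antivirus signature download",
}

# Constructed flow export: seq, src, sport, dst, dport, proto.
SAMPLE_FLOWS = """\
1  10.20.1.5 51000 10.10.5.20 445  tcp   # nightly backup
2  10.20.1.7 51001 10.10.5.30 4840 tcp   # OPC UA update
3  10.20.1.7 51002 10.10.5.40 443  tcp   # AV signature pull
4  10.10.3.9 40000 10.20.1.5  3389 tcp   # business host into PCN
5  10.10.3.9 40001 10.20.1.5  22   tcp
6  10.10.3.9 40002 10.20.1.5  23   tcp
7  10.10.3.9 40003 10.20.1.5  80   tcp
8  10.10.3.9 40004 10.20.1.6  502  tcp
9  10.20.1.5 51003 10.10.5.20 139  tcp   # PCN host, port not in allowed list
10 10.20.1.5 51004 10.20.1.6  502  tcp   # intra-PCN Modbus, never crosses
"""


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


def zone(ip: str) -> str:
    addr = ip_address(ip)
    if addr in PCN_NET:
        return "pcn"
    if addr in BUSINESS_NET:
        return "business"
    return "other"


def parse_flows(text: str) -> list:
    """Parse the constructed flow export; '#' comments and blank lines are ignored."""
    flows = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        _seq, src, sport, dst, dport, proto = fields
        flows.append(Flow(src, int(sport), dst, int(dport), proto))
    return flows


def classify(flow: Flow):
    """Return (verdict, reason) for one flow against the boundary policy."""
    src_zone, dst_zone = zone(flow.src), zone(flow.dst)
    if src_zone == dst_zone:
        return "internal", f"stays inside {src_zone}"
    if src_zone == "pcn" and dst_zone == "business":
        purpose = ALLOWED_PCN_TO_BUSINESS.get((flow.proto, flow.dport))
        if purpose:
            return "allowed", purpose
        return "violation", f"PCN-initiated {flow.proto}/{flow.dport} not in the allowed list"
    if src_zone == "business" and dst_zone == "pcn":
        return "violation", "business-initiated connection into the PCN"
    return "violation", f"unexpected zone pair {src_zone} -> {dst_zone}"


def detect_scans(flows, threshold: int = 4):
    """Footprinting signature: a non-PCN source reaching >= threshold distinct
    (host, port) targets inside the PCN.  Returns {source: sorted targets}."""
    targets = defaultdict(set)
    for f in flows:
        if zone(f.dst) == "pcn" and zone(f.src) != "pcn":
            targets[f.src].add((f.dst, f.dport))
    return {src: sorted(t) for src, t in targets.items() if len(t) >= threshold}


def audit(text: str, scan_threshold: int = 4) -> dict:
    """Classify every flow and run scan detection over the whole capture."""
    flows = parse_flows(text)
    report = {"allowed": [], "violation": [], "internal": []}
    for f in flows:
        verdict, reason = classify(f)
        report[verdict].append((f, reason))
    report["scans"] = detect_scans(flows, scan_threshold)
    return report


if __name__ == "__main__":
    r = audit(SAMPLE_FLOWS)
    for f, reason in r["violation"]:
        print(f"VIOLATION {f.src}:{f.sport} -> {f.dst}:{f.dport} {f.proto}: {reason}")
    for src, targets in r["scans"].items():
        print(f"SCAN-LIKE {src} touched {len(targets)} PCN targets: {targets}")
```

The policy is deliberately one-directional: anything initiated from the business side into the PCN is a violation regardless of port, and PCN-initiated flows are allowed only by exact protocol and destination port. Because the script only reads records that the firewall or a tap already produced, it sends nothing toward the control network, which is what makes it usable where the active scans of Section 9.3 are not. The scan detector will also surface a business-side administrator running a routine vulnerability scan that reaches the PCN, which is exactly the event the boundary review should catch.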
Figure 10-3. Firewall Characteristics
Let’s now turn our attention to the caption “E-Pass” that is mentioned in Figures 10-1 and 10-2. E-Pass is a two-factor remote access authentication method used corporate-wide at this company. The technology is supplied by a commercial cybersecurity provider, RSA. As you will notice in Figures 10-1 and 10-2, the diagrams mention “E-Pass Required,” or “E-Pass Not Required,” or “E-Pass May be Required to Access Certain Assets.”
The RSA token-based, two-factor authentication scheme uses a centralized server that is queried to securely authenticate that remote users are who they say they are. Access rights to hosts on the network are provided by the applications and/or the internal process control firewall.
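As an added example (not the book's or the company's own code), the following Python models the policy described above: explicit allows for the process-to-business flows named in Figure 10-4, and two-factor (E-Pass style) authentication required before remote access into the PCN. The zone names, the service names, the "remote_access" service and the default-deny stance are assumptions of the example, not details from the case history.

```python
"""Toy model of the internal process-control firewall policy (added example)."""
from dataclasses import dataclass

PCN, BUSINESS = "pcn", "business"   # constructed zone names


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    service: str            # constructed service names, not port numbers
    two_factor: bool = False  # True once token (E-Pass style) auth succeeded


# Flows the case history names as typically initiated from the "clean"
# process side toward the business side.
PCN_TO_BUSINESS = {"backup", "opc_data", "av_signature_update"}

# Assumption of this example: the only traffic allowed from the business
# side into the PCN is remote access, and only after two-factor auth.
BUSINESS_TO_PCN_2FA = {"remote_access"}


def evaluate(flow: Flow) -> str:
    """Return 'allow' or 'deny'. Anything not explicitly allowed is denied."""
    if flow.src_zone == PCN and flow.dst_zone == BUSINESS:
        return "allow" if flow.service in PCN_TO_BUSINESS else "deny"
    if flow.src_zone == BUSINESS and flow.dst_zone == PCN:
        if flow.service in BUSINESS_TO_PCN_2FA and flow.two_factor:
            return "allow"
        return "deny"
    return "deny"  # default deny for any unmodelled zone pair


def audit(flows):
    """Evaluate a batch of candidate flows; returns [(flow, verdict), ...]."""
    return [(f, evaluate(f)) for f in flows]


if __name__ == "__main__":
    # Constructed sample batch: the three book-named outbound flows, the same
    # services attempted inbound, and remote access with and without a token.
    sample = [
        Flow(PCN, BUSINESS, "backup"),
        Flow(PCN, BUSINESS, "opc_data"),
        Flow(PCN, BUSINESS, "av_signature_update"),
        Flow(BUSINESS, PCN, "opc_data"),
        Flow(BUSINESS, PCN, "remote_access", two_factor=False),
        Flow(BUSINESS, PCN, "remote_access", two_factor=True),
    ]
    for flow, verdict in audit(sample):
        print(f"{verdict:5} {flow.src_zone}->{flow.dst_zone} {flow.service}")
```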
Figure 10-4. Typical Communications
Figure 10-5. Performance
To summarize, this case history shows that a large corporation with plants across the globe was able to very successfully apply some fundamental strategies of industrial network security and separate their Process Control Networks off with firewalls.
10.2 Another Company’s Story—Procter & Gamble

In this section, we will look at a case history from a second large corporation, Procter & Gamble. This time we will focus on how a large company views industrial network security risks and performs a qualitative risk analysis, as was described in Chapter 2. The figures to illustrate this story were provided by Dave Mills, a Technology Leader in Procter & Gamble’s Corporate Engineering organization.
Figure 10-6 shows a general model for developing a risk management process for emerging areas of risk. At Procter & Gamble, this model was helpful, but reality proved more complicated. In order to obtain the human resources to perform the qualitative risk assessment, an initial screening assessment was needed to persuade management that a more in-depth study was justified. The Risk Reduction Program appears fairly linear in Figure 10-6, but, in reality, the security goals and standards were developed in parallel with the security controls. If you are developing a risk management program while you are experiencing the risks, you often don’t have the time to perform each step in series.
Dealing with risk is not a new phenomenon at Procter & Gamble or other large corporations. Risk in more traditional and familiar areas has been analyzed, evaluated, and managed for years. What is new are the unique security risks associated with modern industrial networks and how to bring that risk “into the fold” alongside other risk management programs.
Figure 10-6. Background – Risk Management (Courtesy of Procter & Gamble)
Figure 10-7 shows the existing risk disciplines that industrial network security cuts across at P&G: Business Continuity Planning (BCP), IT Security (IT), and Health, Safety and Environment (HS&E).
Figure 10-8 shows how Procter & Gamble wound up with a specific risk assessment methodology: Facilitated Risk Assessment Process (FRAP). The primary customer was the Information Security organization, and this was the methodology they had the most experience with.
One of the main points Dave Mills stressed is that the whole risk assessment discussion is by nature different for different companies, as different companies have unique products, manufacturing locations, manufacturing hazards, and probably differing threat profiles. On the “soft” side, corporate culture and personnel management issues must be taken into account when performing an industrial network security risk assessment that matches your company.
Figure 10-7. Risk Areas by Discipline (Courtesy of Procter & Gamble)
Figure 10-8. Risk Analysis Methodologies (Courtesy of Procter & Gamble)
Many thanks to Dave Mills and Procter & Gamble Engineering for allowing their story to be published.
Appendix A – Acronyms
ACC American Chemistry Council
AIC Availability, Integrity, and Confidentiality
AIChE American Institute of Chemical Engineers
AWWA American Water Works Association
BCIT British Columbia Institute of Technology
BPCS Basic Process Control System
CCPS Center for Chemical Process Safety
CIDX Chemical Industry Data Exchange
CIO Chief Information Officer
CISA Certified Information Systems Auditor
CISSP Certified Information Systems Security Professional
COTS Commercial Off The Shelf
DCS Distributed Control Systems
DHS Department of Homeland Security
DoE Department of Energy
FERC Federal Energy Regulatory Commission
GAO General Accounting Office
GUI Graphical User Interface
HMI Human Machine Interface
IED Intelligent Electronic Device
M&CS Manufacturing and Control Systems
NERC National Electrical Reliability Council
NIST National Institute of Standards and Technology
NISCC National Infrastructure Security Co-ordination Centre
NRC Nuclear Regulatory Commission
OCIPEP Office of Critical Infrastructure Protection and Emergency Preparedness
OPC Object Linking and Embedding for Process Control
PCSRF Process Control Security Requirements Forum
PLC Programmable Logic Controllers
SCADA Supervisory Control and Data Acquisition
SIS Safety Instrumented Systems
SPDS Safety Parameter Display System
TCP/IP Transmission Control Protocol/Internet Protocol
About the Author
David J. Teumim’s background includes corporate security and web project management positions with Agere Systems and Lucent Technologies, along with 15 years of process, project, control, and safety work for Union Carbide Corp, British Oxygen, and AT&T.
His association with ISA began in early 2002 when he chaired ISA’s first technical conference on Industrial Network Security in Philadelphia, PA, and taught the first ISA seminar on this subject.
Since 2004, his firm, Teumim Technical, LLC, has provided industry outreach for three U.S. Department of Energy National SCADA Test Bed projects, consulting for Sandia National Laboratories. More recently, he has chaired an American Public Transportation Association Working Group on Control and Communications Security.
Teumim holds a master’s degree in chemical engineering and is certified as a Certified Information Systems Security Professional (CISSP). He resides in Allentown, PA.