Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Automation
Cutting Edge Cybersecurity
May 2018
Volume IX
Introduction
Last year, Automation.com introduced the first of the Cybersecurity series of Advancing Au-
tomation eBooks. Unfortunately, during that intervening time cyber threats have continued
to evolve and even the biggest businesses are struggling to cope. Big names like Facebook,
Equifax and Yahoo have all experienced breeches over the last year, and reminded the industri-
al world how vital it is to stay up-to-date and informed on all the latest trends and technologies
that can protect industrial facility. That’s why Automation.com has compiled a new edition of
our Cybersecurity eBook to deliver the necessary information needed to ensure the strongest
possible safeguards for any facility and facilitate future planning to keep one step ahead of
the next cyberattack
With valuable insights for both managers and floor personnel, IT and OT, new and experienced
professionals, this eBook series continues to keep you securely on the cutting-edge.
Table of Contents
By: Scott Coleman Until you have accurately mapped the network,
Director of Product Management and Marketing there is no way of assuring that all points of entry
Owl Cyber Defense Solutions, LLC into the OT network are secured, including connec-
tions to other networks within your organization.
Therefore it is vital to take the time to thoroughly
assess, map, and understand the literal ins and outs
Modern advancements in industrial control systems of your OT network, whether it is performed internal-
(ICS) enable marked improvements in efficiency, ly or by a respected third party. This mapping often
production, reliability, and safety, all through in- proves incredibly useful not just for securing ICSs,
creased use of “smart” assets and digital commu- but also for any number of cybersecurity or opera-
nications. However, this has led to a dependency tional projects you may consider.
on communication technology that is seemingly at
odds with the ever increasing pressure to enhance
cybersecurity in ICS networks.
1. Map and identify all external connections The DHS recommends that organizations, “Isolate
within the OT network architecture ICS networks from any untrusted networks, espe-
5. Lock down any remaining two-way As part of a layered, “defense in depth” cybersecu-
connections with defense in depth rity strategy for ICS communications, a variety of
tools are employed, from role-based access con-
Most likely, some business or support operations trols, multi-factor authentication, whitelisting, and
are going to require a two-way external connection. more. Beyond these baseline tools, the two major
Whether it’s for remote command and control, error transfer technologies used to control access points
remediation, or some other critical purpose, it’s not within OT networks, firewalls (software-based) and
always possible to eliminate two-way external con- data diodes (hardware-based) provide the strongest
nections completely, but it’s vital that these remain- means to secure ICS communications. Yet it’s im-
ing connections be heavily controlled. portant to point out the fundamental differences and
reasons for using both of these tools, either together
“Limit any accesses that remain,” says the DHS. or separately, and in different situations, to increase
“Some adversaries are effective at gaining remote the security of your ICS systems.
access into control systems, finding obscure ac-
cess vectors, even ‘hidden back doors’ intentionally Software solutions, such as firewalls, are highly
created by system operators. Remove such ac- versatile cybersecurity tools that can be augment-
cesses wherever possible, especially modems as ed with a number of security information and event
these are fundamentally insecure. … If bidirectional management (SIEM) capabilities, from intrusion
communication is necessary, then use a single open detection to deep packet inspection. They are ideal
port over a restricted network path.” This can be for those connections which must be two-way in
accomplished through a highly secured firewall, or order for business operations to function proper-
a specialized bilateral data diode implementation, ly. However, they are also inherently vulnerable to
using one data diode for each direction in and out of configuration changes, bugs, and they will always
the network. require regular updates (or replacement) to stop new
and emerging threats.
In addition, the DHS advises against any kind of
persistent connections, especially from third parties Hardware-enforced solutions utilize physical com-
(or the Internet) – “Do not allow remote persistent ponents to prevent access to secured networks. For
vendor connections into the control network.” instance, data diodes contain specialized circuitry
Keep in Mind
@owlcyberdefense
www.owlcyberdefense.com
Critical Industries Need Continuous
ICS Security Monitoring
By: Sid Snitkins, chief information and security officers (CISOs), and
Vice President, Cybersecurity Services active defenders in corporate security operations
centers (SOCs) are also interested in the real-time
ARC, in collaboration with Nozomi Networks plant security visibility these solutions provide.
Suppliers support these needs and are working to
extend integration with popular cyber-defense tools.
Operators of critical infrastructure need the risk
mitigation provided by continuous ICS security ARC discussed these issues with Nozomi Networks
monitoring. The potential safety, environmental, executives during a recent briefing. As we learned,
compliance, and business continuity impacts of critical infrastructure operators around the world use
an incident make it critical to avoid all unnecessary the company’s SCADAguardian platform to moni-
risks. Critical infrastructure operations are also tar- tor their ICS cybersecurity in real time and detect
gets of sophisticated, well-resourced attack teams threats.
that can easily overcome basic cyber defenses.
Critical Infrastructure Needs Prudent
Keywords Cybersecurity
Anomaly and Breach Detection, Continuous ICS ARC’s Industrial Cybersecurity Maturity Model
Security Monitoring, Nozomi Networks illustrates the importance of continuous ICS security
monitoring. We developed this model to help indus-
trial managers understand cybersecurity challenges
Summary without having to become cybersecurity experts. It
also provides a way for managers to understand
Most industrial managers recognize that a cyber
cybersecurity investments with respect to cyber
incident could jeopardize the safety, continuity, and
risks and the costbenefits of different technologies.
profitability of their operations. Many have invested
in basic defensive technologies, like anti-malware
software and firewalls, and best practices rec-
ommended by automation suppliers and security
consultants. This should protect operations from
common hackers and may be adequate for low-risk
operations that can tolerate disruptions. But it is not
enough for critical infrastructure facilities facing the
threat of advanced, targeted attacks. These organi-
zations need to continuously monitor systems and
investigate any suspicious behavior.
Government and industry ICS cybersecurity guide- • Anomaly Detection – automatic detection of
lines and standards generally focus on getting suspicious system behavior with a low rate of
companies to invest in at least a minimum level of false positives. This includes identifying ICS and
protection against common cyber-attack scenarios. process problems. An ideal solution automatically
This roughly equates to the first three steps in ARC’s learns normal behavior, helps companies establish
model and may be adequate for companies in low- a secure baseline, and leverages signature detec-
risk industries and regions or those that can tolerate tion to rapidly detect known threats
some process disruptions.
• Alerts – alerting with information about the nature
Operators of critical infrastructure don’t have this of the suspicious activity and the cyber assets
luxury. They need the additional risk mitigation pro- involved. An ideal solution provides incident cor-
vided by the higher steps in ARC’s model. relation that combine alerts from a single attack
The potential safety, environmental, compliance, and into one incident to speed incident response and
business continuity impact of an incident in these minimize operator “alert fatigue”
operations demands that all unnecessary
risks be avoided. Recent incidents, particularly in • Dashboard – a user-friendly dashboard that
power networks, show that critical infrastructure provides a clear overview of system status and
operations are also targets of sophisticated, well- enables easy, ad hoc access to all security infor-
resourced attack teams that can easily overcome mation and message flows. An ideal solution
basic cyber defenses. does this through drillable network diagrams with
inquiry capabilities
Requirements for Continuous ICS
Security Monitoring • Integration – bi-directional integration with security
information and event management (SIEM) and
IT cybersecurity teams have many tools for monitor- other security applications to enable security
ing the security of business systems. But continu- teams to compare information from a variety
ous ICS security monitoring has unique challenges of sources
and constraints that typically demand a built-for-
purpose solution. Following are ARC’s requirements • Scalability – supports all ICS cyber assets
for an acceptable ICS solution: regardless of how they are spread across different
ICS Integrations
Automation applications
Real-time Process Analytics Engine Config. files, PCAPs
Protocol SDK
Deep Packet Inspection & Protocol Analysis
Extend protocol support
Continuous ICS security monitoring provides the For further information or to provide feedback on
visibility that defenders need to manage today’s so- this article, please contact your account manag-
phisticated attacks. Our review of Nozomi Networks er or the author at srsnitkin@arcweb.com. ARC
illustrates that good solutions are available and ARC Views are published and copyrighted by ARC
encourages operators to consider how this technol- Advisory Group. The information is proprietary to
ogy might improve their cybersecurity program and ARC and no part of it may be reproduced without
provide related operational benefits. prior permission from ARC.
ICS Cybersecurity
The Best Threat Detection
Rapidly Detect Cyber Incidents and Process
Anomalies with Hybrid Threat Detection
Operational Visibility
Superior Asset Discovery and Real-time Network Modeling
Discover, Map and Monitor Network and
Processes with pioneering AI
nozominetworks.com
Case Study:
How’s Our Industrial Cybersecurity? Ask OT!
By: Katherine Brocklehurst time enlarges and exposes new attack surfaces,
Senior Director which employee errors, malicious insiders or threat
actors can leverage to inflict physical and financial
Claroty harm.
Caption: Mobile Offshore Drilling units (MODUs) are used in the exploration and development wells, and are divided to Jack-ups,
that reside on shallow water sea bed, and floaters (drilling ships and semisubmersibles) for mid and deep-water drilling. Standard
drilling ship and semisubmersible, John’s environment includes four major independent OT networks each managed by external con-
tractors, and each differ from one another in equipment vendor and communication protocols.
view of their network gave the OT personnel a fresh commands and logic for the PLC itself per protocol.
perspective on their cyber risks when previously “This level of granularity was an eye-opener for all of
they were highly confident that everything was us,” John has said.
known, tested and accounted for, with “low-risk”
of disruption. PASSIVE V. ACTIVE ASSET DISCOVERY
Understanding Industrial Communications
Engineering workstations and other industrial
and Protocols equipment like HMIs and data historians can
John’s ICS vendors and the communications occur- often operate on Windows or Linux operating
ring across his environment required a platform that systems and can frequently tolerate a more active
could read and understand the specialized industrial IT-style approach to asset discovery such as pings,
protocols, legacy equipment and serial connectivi- probes, network utilities, and modern network
protocol techniques.
ty. They also learned how typical IT-type protocols
such as SSH were also being heavily used. The However, Industrial Control Systems (ICS) can
platform had to be vendor-neutral, IT-aware, but be highly sensitive these methods. Therefore, a
really purpose-built for the OT environment require- passive approach is typically required to not only
ments. Among many challenges, it needed to really detect and identify the devices but to also under-
know how each vendor’s Human Machine Interface stand what they communicate with and how.
(HMI) consoles were interacting with the ICS, even
down to the level of seeing the I/O, knowing which -powerengineeringint.com article, Sept 2016
PLC they were attached to, and understanding valid
claroty.com
Securing Industrial Control Systems:
The Challenge, and a Common-sense Solution
By: Jeff Foley and real-time data transfer. Determinism describes
Business Development Manager a known, measurable parameter for the speed and
reliability of signals in the network and ICSs require
Siemens low to zero latency in response time and low to zero
variance in that response time (aka, “jitter”). As a
result, OT networks have different Quality of Service
Industrial control systems (ICSs) across numerous (QoS) considerations than IT networks, depending
industry verticals are increasingly migrating from se- on the specific industry vertical employing the ICS.
rial communications to Internet Protocol (IP)-based
communications as Operational Technology (OT) Traditionally, ICSs were standalone systems and,
networks are integrated with Information Technology thus, secure from network-based threats. The trend
(IT) networks for enhanced performance, reliability, from serial-based networks to IP-based networks
efficiencies and other operational advantages. has introduced potential vulnerabilities common to
ICSs in critical infrastructure sectors such as power
The convergence of OT and IT networks, however, and energy, transit, manufacturing, and advanced
has introduced new challenges and vulnerabilities traffic control. ICSs in these sectors are increasingly
to ICSs. Because ICSs monitor and control phys- vulnerable to cybersecurity attacks, with potential-
ical processes in the real world, they have more ly devastating impacts to brands, businesses, and
stringent response requirements for determinism public safety.
important than the others; all layers play a role in other elements of a defense in depth strategy to
defense in depth. But it is helpful to use Figure 1 to thwart cyber attacks. Firewalls provide monitoring
envision how the layers relate to each other and to a and control of network traffic according to security
holistic strategy. rules. VPNs encrypt data traffic between central and
peripheral computing units on a network.
The devices and data that comprise IT and ICS sys-
tems sit at the core, where access controls ensure System integrity
that only the right person with proper authorization To both protect existing knowledge and prevent
can interact with this layer in the right place and unauthorized access to your automation processes
time. Solutions must be proven, scalable, and intui- protecting the integrity of your IT and ICS systems
tive for end users, while meeting national and global is imperative. Protection of application firmware and
cybersecurity requirements and standards, including system/host software is a key part of maintaining
those for encryption. system integrity. This can be done by system hard-
ening, regular patch management, and other integri-
Plant security ty protection methods.
Plant security goes hand-in-hand with cybersecurity
and starts with conventional building access and ex- Perhaps most importantly, the human element
tends to securing of sensitive areas by means of key involved with the implementation, maintenance, and
cards, locks, and security cameras. Plant security operation of these systems is crucial to defense-in-
includes processes and guidelines for comprehen- depth. By raising awareness of proper cybersecurity
sive plant protection. These range from risk analysis policies and procedures through proper training, the
and the implementation and monitoring of suitable workforce can be prepared to meet cyber threats.
measures to regular updates.
Siemens’ deep expertise in ICS cybersecurity
Network security Siemens’ heritage is predominantly based in oper-
The network layer must be protected by firewalls, ational technologies and, thus, in ICSs, with deep
virtual private networks (VPNs) and network intru- knowledge of the IT environment, cybersecurity, and
sion detection capabilities that work in concert with related industry verticals. Its suite of proven cyber-
C-level support can make it happen Many pundits and experts in the field say that itis
not an issue of “IF” but rather a matter of “WHEN”
The successful deployment of industrial cybersecu-
a security incident occurs. Bringing the IT and OT
rity initiative must leverage resources from both IT
worlds into the same orbit will help ensure that when
and OT. To bring IT and OT staff together and unify
an incident occurs, that the organization can weath-
security thinking and practices, organizations need
er the storm and in fact thrive amid the chaos.
to create a culture of collaboration between both
camps for the common good of the business.
The bus modules get higher speeds than competitor offerings because the latter uses
slow one-by-one SPI — and series connections to the coupler. In contrast, parallel I/
O connections in the iR-series iBus to the coupler is efficient without incurring higher
costs. These offerings have strong noise resistance as well.
Soft PLCs are software programs that run real-time tasks on computers — multitask-
ing functions normally associated with traditional PLCs. Chief among these are I/O
and discrete and PID control with networking, data handling, and computational
capabilities.
Omission of the separate PLC makes for a more compact design. There’s also internal
communication between the controller HMI’s dedicated display logic and dedicated
control logic, which makes for faster display of data — and the ability to monitor
controls directly from the display.
Because IEC 61131-3 and CODESYS let system programmers mix programming
languages for projects, there’s optimization of code — so a programmer
might use ladder-diagram logic for basic interdependent machine functions
alongside structured text to run interpolated tasks that are more complicated
(to give one example).