Tag Archive for: Security

Posts

DoublePulsar – Worse Than WannaCry

In a world still reeling from the recent WannaCry attacks, who wants to hear about something even worse?  Nobody, really.  And yet, according to a recent article in the New York Times, A Cyberattack ‘the World Isn’t Ready For’, the worse may be yet to come—and we’d better be prepared.

Reporting on conversations with security expert Mr. Ben-Oni of IDT Corporation in Newark, NJ, the Times said that thousands of systems worldwide have been infected with a virus that was stolen from the NSA at the same time as the WannaCry virus.  The difference is that this second cyber weapon, DoublePulsar, can enter a system without being detected by any current anti-virus software. It then inserts diabolical tools into the very kernel of the operating system, leaving an open “back door” for the hacker to do whatever they want with the computer, such as tracking activities or stealing user credentials.

“The world is burning about WannaCry, but this is a nuclear bomb compared to WannaCry,” Ben-Oni said. “This is different. It’s a lot worse. It steals credentials. You can’t catch it, and it’s happening right under our noses.”

The concern is that DoublePulsar can remain hidden, providing a platform from which hackers can launch attacks at any time.  It may already be running on systems in hospitals, utility companies, power infrastructure, transportation networks, and more.  Ben-Oni had secured IDT’s system with three full sets of firewalls, antivirus software, and intrusion detection systems.  And still the company was successfully attacked, through the home modem of a contractor.

Closing the Door on DoublePulsar

Severity of the threat aside, this scenario points out once again the inherent weakness of relying on a VPN to secure an Industrial IoT system.  Had that contractor been connecting to a power plant, an oil pipeline, or a manufacturing plant over a VPN, it is likely that DoublePulsar could have installed itself throughout the system.  As we have explained in our white paper Access Your Data, Not Your Network, this is because a VPN expands the plant’s security perimeter to include any outside user who accesses it.

This threat of attack underscores the importance of the secure-by-design architecture that Skkynet’s software and services embody.  By keeping all firewalls closed, a cyber weapon like DoublePulsar cannot penetrate an industrial system, even if it should happen to infect a contractor or employee.  SkkyHub provides this kind of secure remote access to data from industrial systems, without using a VPN.

Growing IIoT Security Risks

As the Industrial Internet of Things (IIoT) grows, the security risks grow as well, according to a recent article by Jeff Dorsch in Semiconductor Engineering. According to his sources, the use of the IIoT is expanding both in the amount of new implementations, as well as how the data is being used. In addition to the traditional SCADA-like applications of machine-to-machine (M2M) connectivity, monitoring, and remote connectivity applications, it seems that more and more the IIoT is being used to power a data-driven approach to increasing production efficiency. Using big data tools and technologies, companies can employ better and more sophisticated analytics on industrial process data, thereby enhancing operational performance based on real-time data.

With the increase in use of the IIoT comes a corresponding increase in the potential for risk.  Looking at big picture, Robert Lee, CEO of Dragos, and a national cybersecurity fellow at New America commented, “There are two larger problems that have to be dealt with. First, there are not enough security experts. There are about 500 people in the United States with security expertise in industrial control systems. There are only about 1,000 worldwide. And second, most people don’t understand the threats that are out there because they never existed in the industrial space.”

Both of these problems are real, and need to be addressed.  And is often the case in issues of security, the human factor is closely intertwined with both. On the one hand, there is a crying need for security experts world wide, and on the other hand the man on the street, or in our case factory floor, control room, or corporate office, needs to quickly get up to speed on the unique security risks and challenges of providing data from live production systems over the Internet.

Addressing the Problems

As we see it, correctly addressing the second problem can help mitigate the first one.  When we understand deeply the nature of the Internet, as well as how the industrial space may be particularly vulnerable to security threats from it, then we are in a position to build security directly into control system design.  A secure-by-design approach provides a platform on which a secure IIoT system can run.

Like any well-designed tool, from electric cars to smart phones, the system should be easy to use.  When the platform on which a system runs is secure by design, it should not require someone with security expertise to run it.  The expertise is designed-in.  Of course, the human factor is always there.  Users will need to keep their guard up—properly handling passwords, restricting physical access, and adhering to company policies.  But they should also have confidence in knowing that security has been designed into system they are working on.

Thus, the most effective use of our world’s limited security manpower and resources is to focus them on understanding the unique security challenges of the IIoT, and then on designing industrial systems that address these challenges. This has been our approach at Skkynet, and we find it satisfying to be able to provide a secure IIoT platform that anyone can use.  We are confident that through this approach, as the IIoT continues to grow, the security risks will actually diminish for our users.

Secure by Design for IIoT

Securing the Industrial IoT is a big design challenge, but one that must be met. Although the original builders of industrial systems did not anticipate a need for Internet connectivity, companies now see the value of connecting to their plants, pipelines, and remote devices, often over the Internet. The looming question: How to maintain a high level of security for a mission-critical system while allowing remote access to the data?

As you can imagine the answer is not simple.  What’s called for is a totally new approach, one that is secure by design.  This blog entry, published on the ARC Advisory’s Industrial IoT/Industrie 4.0 Viewpoints blog, gives an overview of why standard industrial system architecture is not adequate to ensure the security of plant data on the Internet, and introduces the two main considerations that must go into creating a more secure design.

Don’t WannaCry on your Industrial IoT System

Pretty much anyone who has a computer or listens to the news has heard about the WannaCry virus that swept across the world a few days ago, installing itself on computers in businesses, hospitals, government agencies, and homes, encrypting hard drives and demanding ransom payments.  After scrambling to ensure that our operating systems are up-to-date and protected against this latest threat, the question soon comes up: How can we protect ourselves against similar threats in the future?

“How?” indeed.  That would seem difficult.  Our reliance on networked computers for business and personal use is fully entrenched, and business/personal PCs will remain vulnerable for the foreseeable future.  In the industrial arena, some may conclude this latest attack is yet another reason to hold off on their IoT strategy.  Or, at least: “You should use a VPN to keep it safe.”

And yet neither of these instincts is necessarily correct because (i) it is possible to build a secure Industrial IoT (“IIoT”) system, and (ii) VPN is not the way to do it.  Industrial control systems may use the same underlying operating systems as PCs but they are different in one critical aspect.  They exchange real-time control data, not files and emails.

How WannaCry Got In

WannaCry comes in two parts – an email “bomb” that exploits your anti-virus software and a “worm” that propagates throughout your network by exploiting configuration weaknesses and operating system bugs.  The special danger of WannaCry is that it can infect a computer through email even if you never open the email message.  Once WannaCry arrives through email, the worm takes over to attack the rest of the computers on your network.

The worm portion of the virus spreads itself by finding other machines on the network.  According to analysis of the code by Zammis Clark at Malwarebytes Labs, “After initializing the functionality used by the worm, two threads are created. The first thread scans hosts on the LAN. … The scanning thread tries to connect to port 445, and if so creates a new thread to try to exploit the system using MS17-010/EternalBlue.” (the bug that the virus exploits)

If there is no open port on the other computer, the virus cannot spread.  But the VPN is not much help here.  If anyone on the VPN is struck by the virus, then every machine on the LAN is exposed.  Suppose you have an IIoT system connecting a corporate office to a process control system over a VPN.  If the virus activates on any of the connected machines in the IT department, it can easily propagate itself to any of the connected machines on the industrial LAN.

How to Keep WannaCry Out

The tongue-in-cheek answer is “don’t use email”.  More seriously, industrial systems and IT systems should be separated from one another.  There is no need to read email from the industrial LAN.  Don’t install email software on your industrial computers, and don’t allow email traffic through your firewall.

But industrial systems still need to communicate their data.  How can you reach the data without exposing the industrial network?  The solution is spelled out in detail in the latest white paper from Cogent (a Skkynet company) titled: Access Your Data, Not Your Network. This paper explains why the traditional architecture of industrial systems is not suitable for secure Industrial IoT or Industrie 4.0 applications, and discusses the inherent risks of using a VPN.  But most important, it introduces the best approach for secure IIoT and Industrie 4.0, which is to provide access to industrial data without exposing the network at all.

Specifically, the Skkynet-provisioned devices and the DataHub can make outbound connections to SkkyHub without opening any firewall ports.  These connections are robust channels that support bidirectional, real-time communications for doing monitoring and supervisory control.  The WannaCry virus or anything similar cannot spread into this system because they can’t see anything to infect.  The devices on the network are completely invisible.  Skkynet’s approach provides access to the data only, not to the network.

Cyber Security: Over 90% of IIoT Experts Express Concerns

Respondents to the 2017 Industrial Internet of Things Security Survey by Tripwire paint a pretty bleak picture of cyber security for the Industrial IoT (IIoT).  Among the more than 400 IT professionals responsible for securing their companies against IIoT-related threats, 96% said they expect to see an increase in cyber attacks in the coming year.  At the same time, less than 50% of them feel prepared for those attacks.

This is cause for concern, according to David Meltzer, chief technology officer at Tripwire, who said, Industry professionals know that the Industrial Internet of Things security is a problem today. More than half of the respondents said they don’t feel prepared to detect and stop cyber attacks against IIoT.

At the same time, 90% of these same IIoT experts expect the use of IIoT to increase.  They acknowledge that innovation must go forward, and that the benefits of the IIoT outweigh the costs.  Two out of three of them recognize the need to protect against cyber attacks, despite the fact that less than half of them feel prepared for attacks on insecure IIoT devices.

The Industrial Internet of Things ultimately delivers value to organizations, and that’s why we’re seeing an increase in deployments, said Meltzer.  Security can’t be an industry of ‘no’ in the face of innovation, and businesses can’t be effective without addressing risks. The apparent contradiction of known risks and continued deployment demonstrates that security and operations need to coordinate on these issues.

Meltzer points out that the consequences of insecure IoT implementations leading to a cyber attack are far more severe for industrial applications.  Greater connectivity with operational technology (OT) exposes operational teams to the types of attacks that IT teams are used to seeing, but with even higher stakes, he said.  The concern for a cyber attack is no longer focused on loss of data, but safety and availability. Consider an energy utility as an example – cyber attacks could disrupt power supply for communities and potentially have impact to life and safety.

Here at Skkynet, we could not agree more. It was this kind of thinking that led us to develop our secure-by-design SkkyHub service. Those who understand the risks of the IIoT and the difficulty of securing it using conventional IT or OT approaches recognize the value of what we are doing. We invite every survey participant and anyone else who wants to get the most out of the IIoT to see for themselves how these concerns fall away when using an IIoT platform that is secure by design.

IIoT: Choose the right tools for the job

Note: This article was originally published in Plant Services magazine.

The American poet Carl Sandburg wrote, “They will go far and see much, and they will never be any good for sitting with the sitters and knitting with the knitters.” As true today as it was almost 100 years ago, those who sit tight and stick to their knitting rarely accomplish much. Right now in the world of manufacturing and industry, a new horizon is opening up: the industrial internet of things (IIoT). Are you curious? Do you want to go far and see how much you can do with it, or will you just sit back and knit?

Even from a distance, the benefits of the IIoT are visible. Plant Services contributing editor Sheila Kennedy highlighted many of them in August in her article Yes, IIoT can drive operational improvements. Put briefly, the IIoT offers a number of ways to optimize your system performance by providing data-driven insights into your processes. Among other things, you can see how well your assets are performing, implement predictive maintenance, simplify logistics, coordinate procurement, and drive down resource costs.

OK, you may say, that all sounds fine. Suppose I am interested. How will it work? Can the IIoT fit with my current system? How much will all of this cost? What about security? And supposing I do want to build IIoT connectivity and capabilities in my plant, how should I get started? Should our company try this on our own, or should we seek expert outside guidance or assistance?

Who builds it?

Taking the last question first, building your own system from scratch may not be the best way, according to those who have tried it. A recent Machina Research survey, “Lessons Learned from Early Adopters of the IoT,” shows that most early adopters in the IoT space who took a do-it-yourself approach found the task to be more complicated to implement than they had expected. “When asked about primary concerns around IoT, adopters have some insight that nonadopters just don’t yet have,” the report’s authors wrote. “Adopters point to ‘complexity of the IoT solution’ as the largest concern around IoT, a concern that nonadopters have yet to consider fully.”

On the other hand, if you do decide to bring in an expert, you’ll have to decide who is most qualified for the job. In her blog post “The IIoT Integrators Are Coming“, Stephanie Neil at AutomationWorld claims that control system integrators are not gearing up for the IIoT quickly enough and that SIs from the IT world are stepping in to fill the gap. They are more than happy to bring their experience implementing IoT for IT applications to the OT world. Naturally, some OT system integrators see things quite differently. They point out that it is easier for an OT company to add IoT to its portfolio than for an IoT company operating in the IT space to learn industrial process control. Jeff Miller of Avid Solutions wrote a blog post titled “We Are Ready for IIoT” to make the case that control system integrators are gearing up for the task.

The right tools for the job

Whomever you choose, an in-house team or a system integrator, you can save a lot of time and money by not reinventing the wheel. You can benefit by using tools, and you’ll want to choose the right ones. Because the IIoT looks a lot like SCADA, some may be tempted to continue using the same tools. This can be a mistake, though, because industrial data communications software was not built for the open spaces of the Internet.

Take security, for example. The IIoT presents security challenges that industrial system designers never contemplated. First, there is the obvious need to eliminate the chance of attack from outside the perimeter. But there’s also a need to protect the system and its data from inside as well. Using designed-for-IT approaches like Microsoft’s RDP or a VPN may seem like the logical choice, but Microsoft Developer Clemens Vasters raises valid concerns in a paper titled “Internet of Things: Is VPN a False Friend?” Useful as they are for the purposes for which they were designed, RDPs and VPNs give each user the keys to the kingdom – access to applications and data far beyond what they might need or what you might want them to see. The 2014 attack on Target via a VPN shows how dangerous and costly that can be.

What is needed is a secure-by-design technology that does not rely on a VPN and keeps all firewall ports closed. This can be done by making outbound-only connections to a secure cloud service. This design exposes zero attack surface and makes your system invisible to hackers. At the same time, it allows for bidirectional data communication through reverse proxies, which corporate IT departments are increasingly recommending as a standard for ensuring the security of OT systems. Needless to say, developing this kind of technology from scratch is not a project for your average plant engineering team. Instead, you can get the most out of your team and keep costs down by using a tool designed for the job.

The tool you choose should also support real-time data throughput speeds at scant milliseconds above network or Internet latencies. Ad-hoc approaches like collecting process data in an SQL database and then accessing it from the cloud will slow down your applications like a sloth at the DMV in “Zootopia.” You won’t get the response you need. Just because you may be using the Internet is no reason to compromise on speed.

And the tool should be convenient. It should fit unobtrusively and connect seamlessly with any new or existing system, with no need for programming and no dependencies. If the outside network or the Internet goes down, your primary control system should experience no effect whatsoever. The IIoT should be considered as data access or at most supervisory control. All low-level control should be completely isolated.

Start gradually

With the IIoT team assembled and tools in hand, start gradually. There is no need to tackle a huge project. Pick the low-hanging fruit. Kennedy suggests identifying functionality that is already close to the IIoT and using components that are easy to access. You may be able to connect sensors, monitors, or other devices in different locations and aggregate their data or even bridge their data sets.

A well-designed, cloud-based IIoT system does not require much upfront investment in time or money. As long as you work with a provider who offers a monthly subscription, you should be able to start a pilot project for as little as $100 per month. And if the service is reasonably complete, it should only take a few days to get up and running. Of course, you’ll need to ensure that such a system meets your specific needs, whether that means offering data archiving options, web-based HMI, access to analytics packages, or something else.

The adage “well begun is half done” applies here. If you work with a good team, choose the right tools, and start with something manageable, chances are you will succeed. Once you’ve got some initial experience, the next project can be more elaborate and ambitious, and the one after that even more so. Soon you will be going far and seeing for yourself what the IIoT can do for you and your bottom line.