Security by Design

“Security by Design is strongly needed to reduce risk,” said Maximillian G. Koń, CEO at WisePlant, in a recent article in Advancing Automation: Industrial Cybersecurity. He tells how so many industrial automation and control systems were created decades ago, long before the idea of sending plant data to IT or the cloud was ever dreamed of. He says that security weaknesses were generated “during system design, engineering, construction, installation, commissioning, operation, maintenance, and retirement.” And he warns that security must be inherent in the system, not simply added as an afterthought.

Wake-Up Call

To illustrate his point, Koń tells the story of the S.S. Eastland, a passenger ship that sailed the Great Lakes at the beginning of the last century. The ship was not well-designed to start with, having problems with stability. After the sinking of the Titanic, new safety regulations required installing enough lifeboats on any ship to hold all the passengers it was rated for. The owner of the S.S. Eastland complied, and soon the vessel had a full set of new lifeboats, mounted above the upper decks.

However, the ship was not designed for this additional weight so high above the center of gravity. One tragic day as several thousand people were boarding for a pleasure cruise, the Eastland began listing heavily, and then suddenly rolled over and sank, right next to the pier, in 20 feet of water. Over 800 people were lost.

To avoid such tragedies in the industrial realm, Koń lays out an Industrial Cybersecurity Program that follows a security by design approach in three phases: Assess, Implement, and Maintain. When discussing the Implement phase, Koń talks about “bolt-on security vs. built-in security.” He says that existing systems must use bolt-on security, while new systems can be designed with built-in security. Although this principle makes sense, it begs the question: Why should existing systems have to settle for bolt-on security?

A New Approach

Most traditional technologies do require bolt-on security. But a new approach to data communication, Skkynet’s DHTP protocol, supports software and services that are secure by design and ideal for Industrial IoT and IT-to-OT applications. This security-by-design implementation works equally well for new or existing systems, providing the best of both worlds. Rather than adding security to an existing system, it connects that system to a complete, stand-alone, secure-by-design IoT implementation. It’s almost like enveloping a ship in some kind of new, sink-proof technology, rather than simply adding lifeboats.

With Skkynet’s technology, the enterprise can keep its legacy equipment and SCADA systems as long as needed, and yet provide secure access to live production data for authorized parties―on-premise or in the cloud. Whenever new hardware is acquired, it can be phased in as necessary, with no disruption to data links between shop floor and top floor.

The important thing is the principle: Security by Design. Security is not something that can be bolted on at the end. It needs to be an integral, built-in part of the design of hardware, software, and industrial control systems. Let’s take to heart the lesson of the S.S. Eastland, and keep our systems on an even keel. With the right technology and approach, Industrial IoT and IT-to-OT data communication can be as secure as the air-gapped systems of yesteryear.

Ransomware Attacks – Choosing an Easy Way Out?

What would you do—right now—if your computer screen locked up and a message appeared, “Your files and data have been encrypted with a strong military algorithm. You have 3 days to pay for our decoder to get your data back.” What if it wasn’t your personal computer at all, but a company computer? What if you owned the company?

In a recent BBC video, reporter Joe Tidy describes the bold response that Norsk Hydro of Sweden made to that kind of a ransomware attack. Rather than succumbing to the hackers’ demands, the 35,000 employees at the company switched over to paper-based operations for days and weeks until the computers could come back online. Salespeople had to work on the factory floor and finance staff made sandwiches, but production in the 170 plants worldwide continued almost unabated.

“I think in general it’s a very bad idea to pay,” Jo De Vliegher, a company spokesperson, told the BBC. “It fuels an industry. It’s probably financing other sorts of crimes.”

Much as we may admire Norsk Hydro’s strong response, the attack and its after-effects cost the company over 50 million dollars. Small wonder that ransomware attacks on businesses have increased by 500% in the past year, according to some sources, and that ransom demands can be in seven figures.

Pay or Perish?

Unfortunately, these circumstances leave some companies with little choice—it’s pay or perish. A survey conducted by Small Business Trends shows that 55% of all SMBs would pay the ransom. It is hard to blame them when another recent report shows that 60% of small companies that sustain a cyber attack go out of business within six months. On the other hand, experts point out that paying the ransom may not solve the problem, since the attacker still may not release the data, or may release part of it and demand more money for the rest.

A Better Solution

Of course, a better solution is to secure your system against ransomware attacks. For a company’s IT department, all of the standard security guidelines apply, as well as ensuring backups of any data needed to run the company. OT (Operations Technology) systems that are increasingly being accessed from outside need special attention. Threats like ransomware attacks that may have seemed irrelevant to an air-gapped system years ago take center stage when OT gets connected to IT. Even with a VPN, any virus that can propagate within IT can make its way into OT.

Strong, closed firewalls are essential, and DMZs can be very useful. In this environment, Skkynet’s secure-by-design software and services allow companies to access their production data without compromising on security. Rather than waiting until after an attack has occurred, the easiest and most cost-effective way to deal with a ransomware attack is to prevent it from happening in the first place.

IoT for All

With each passing year the IoT (Internet of Things) becomes more familiar, more of a household word. What once seemed a futuristic dream—having billions of devices connected and chattering over the Internet—is now almost taken for granted. Case in point is the IoT For All website whose very name speaks volumes. It seems that everyone is using or at least touched by IoT in one way or another.

At the beginning of the year, IoT For All published an article Where Is IoT Headed in 2019? that collects and distills the thoughts of industry experts regarding the near future for the IoT. Although not specific to Industrial IoT, there was significant discussion on several themes that are of interest to us here at Skkynet:

Secure by Design

Several experts have predicted that the rapid development of the IoT with little attention being paid to security will lead to widespread attacks in the coming year—often directed at industrial and infrastructure targets. At the same time, they lament the lack of robust security solutions built into hardware, software, and services. James Goepel, CEO and General Counsel for Fathom Cyber, mentioned new regulations in California that mandate a secure-by-design approach to the IoT. “I think we’re going to see many more states, and possibly the federal government, following California’s lead and creating legislation that imposes new cybersecurity-by-design requirements on IoT manufacturers,” he said. Skkynet’s customers will be ready, as they have been employing our secure-by-design approach to the IoT for years.

Edge and Hybrid Computing

This year “will be a defining year for edge and hybrid computing strategies as IoT and the global network of sensors pile on more data than the average cloud has had to handle in the past,” according to Alan Conboy, working in the Office of the CTO at Scale Computing. “This transition will officially crown edge computing as the next big thing.” This has certainly been our experience. As interest in edge computing grows, we are seeing a corresponding demand for Skkynet’s edge computing and hybrid cloud solutions.

Remote Access

“Experienced engineers are hard to find and those they do have can only visit so many remote sites in a year. Enabled by 5G and the speed with which data can travel through the air, AR (augmented reality) will enable engineers-in-training to be able to have instant intelligence about a device on which they may be working just by pointing their tablet towards it,” said Jeff Travers, Head of IoT Connectivity Management at Ericsson. Much of this remote connectivity will depend on secure, real-time, two-way data flow. Again, Skkynet’s unique approach to Industrial IoT solves problems that many managers and executives are only now beginning to realize exist.

In short, the future continues to brighten for IoT in general, and Industrial IoT in particular. At least part of our mission is to make the move to IoT as smooth and easy as possible. We want it to become the logical choice for anyone who considers it—so that it really does become IoT for all.

The Kaspersky Report: It’s Not Really About OPC UA

A leading online publisher of automation-related content recently ran a commentary on a new report from Kaspersky Labs about OPC UA. The Kaspersky report identified 17 critical security flaws in OPC UA software. But although the Kaspersky methodology may be sound, the commentary suggested caution in drawing conclusions.

It turns out that the flaws noted by Kaspersky were simply because an OPC UA server must listen for connections on a network, just like any other server on a TCP/IP network. The real problem is deeper, according to the commentary. Put simply, the standard approach to industrial data communications is not suitable for untrusted networks like the Internet. A better solution is not to allow any inbound connections at all.

Skkynet’s Approach Calms Recent Security Concerns

Eyebrows were raised among the industrial automation community last week when the well-known Kaspersky Labs issued a report titled OPC UA Security Analysis that lists 17 security issues in the OPC UA protocol and products. While we see no reason to doubt their methodology, we take a different approach to the question.

As we see it, the real issue is not the OPC UA protocol itself. OPC UA was created to allow client/server networking for industrial communication. The flaws that Kaspersky identified were visible on an OPC UA server that, by definition, is listening for network connections from OPC UA clients. Any application that listens for connections on a network can equally be a point of attack for a malicious hacker. This is not unique to OPC UA—it is a fact of the design of TCP/IP networks. Period.

Think about it. How did Kaspersky Labs discover the vulnerabilities in OPC UA and related products? Using a technique called “fuzzing”, they used a specially-constructed client application to send a rapid-fire barrage of messages at the UA server, each of which was slightly altered, or “mutated”, in some way from a standard message. Sooner or later one of these messages would crash the server or uncover an exploitable vulnerability. This technique can be used on any network-connected server, like a web server, VPN server, RDP server or vendor-supplied remote access server.

We would argue that Kaspersky Labs was searching for symptoms while overlooking the cause. What the report does not address, and indeed it is so obvious that it is easily overlooked, is that this kind of attack can only succeed if the intruder has access to the server in the first place. All software has bugs. Any program exposed to the Internet is fair game. However, as long as your servers are running on a trusted network and you keep all inbound firewall ports closed, you don’t run the risk of an attack from outside, no matter how persistent or devious the attacker may be.

The Real Problem

The real problem is that the standard approach to industrial data communications is not suitable for untrusted networks like the Internet. We are used to a client on the user side connecting into a server at the data source―after all that’s the classic server-client architecture. But for Industrial IoT this approach poses a serious risk because the client is often outside the trusted plant network. It needs an open firewall port into the plant to connect. This design itself is the fundamental reason for the security problem. Rather than expecting protocols or software to be bug-free and invulnerable to attack, it makes more sense to find a more secure design approach altogether.

A Better Approach

A better approach is not to allow any inbound connections at all. The whole Kaspersky Lab scenario was built on repeated client connections into the server network. What if the server (over which the attacker has no control) connects out to the client? If you can establish only outbound connections from a data source to a data user, then the entire threat vector is eliminated. With all inbound firewall ports closed, the plant network and all of its OPC UA servers become invisible. And you can’t attack something that you can’t see.

This is Skkynet’s approach. It is running in production systems worldwide, and it is fully compatible with OPC UA. By keeping OPC UA servers within the trusted network, and keeping all firewall ports closed, Skkynet’s approach enables secure Industrial IoT connectivity, while still reaping the benefits of OPC UA in the plant.
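The connection direction described above, as an added example that is not Skkynet's code and does not implement DHTP: the plant side only dials out, and the reply (a write-back) travels down the same plant-initiated connection. The tag names, the newline-delimited JSON framing and the loopback address standing in for the DMZ or cloud relay are assumptions; TLS and authentication are left out to keep the direction of the connection in focus.

```python
import json
import socket
import threading

def relay_session(listener, received, command):
    """DMZ/cloud relay: the only socket that listens in this design."""
    conn, _peer = listener.accept()
    with conn, conn.makefile("rw", encoding="utf-8") as stream:
        received.append(json.loads(stream.readline()))  # value pushed by the plant
        stream.write(json.dumps(command) + "\n")        # write-back on the same connection
        stream.flush()

def plant_agent(relay_addr, reading):
    """Plant side: connect() only; it never calls bind(), listen() or accept()."""
    with socket.create_connection(relay_addr, timeout=5) as sock:
        with sock.makefile("rw", encoding="utf-8") as stream:
            stream.write(json.dumps(reading) + "\n")
            stream.flush()
            return json.loads(stream.readline())

def run_demo():
    # Loopback stands in for the relay's address; port 0 picks a free port.
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    listener.settimeout(5)
    received = []
    command = {"tag": "Pump1.Setpoint", "value": 42.0}  # constructed sample
    relay = threading.Thread(target=relay_session,
                             args=(listener, received, command))
    relay.start()
    reply = plant_agent(listener.getsockname(),
                        {"tag": "Tank1.Level", "value": 73.5})  # constructed sample
    relay.join(timeout=5)
    listener.close()
    return received, reply

if __name__ == "__main__":
    print(run_demo())
```

Because the plant process holds no listening socket, a plant firewall that drops all new inbound connections does not interrupt this exchange.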

Note: A version of this article was recently published on the website.

IIoT Security: Attacks Grow More Likely, Users Unaware

A few weeks ago hackers of industrial systems reached a new milestone. For the first time in history, someone was able to break into the safety shutdown system of a critical infrastructure facility. Roaming undetected through the system for an unknown amount of time, the hackers finally got stopped when they inadvertently put some controllers into a “fail-safe” mode that shut down other processes, which alerted plant staff that something was wrong.

The danger was not just in the safety mechanisms themselves, but for the whole plant. “Compromising a safety system could let hackers shut them down in advance of attacking other parts of an industrial plant, potentially preventing operators from identifying and halting destructive attacks,” said cyber experts interviewed by Reuters.

Plan Ahead

That facility was lucky this time around. What about next time? What about the next plant? Rather than relying on luck, it is better to plan for the future. As attacks grow more likely, those systems that are secure by design, that offer zero attack surface, that are undetectable on the Internet, stand a much better chance. This has always been Skkynet’s approach, and as the threats increase, it makes more and more sense.

In fact, the industrial world is largely unprepared for these kinds of attacks. Having evolved for decades cut off from the Internet, it has had little need to change until recently. And a surprising number of users seem unwilling to acknowledge the risks. According to a recent article in Ars Technica, hundreds of companies across Europe are running a popular model of Siemens PLC (programmable logic controller) with TCP port 102 open to the Internet. “It’s an open goal,” commented security researcher Kevin Beaumont.

Government Mandates

The situation has attracted the attention of governments, who realize the need to protect critical infrastructure for the sake of their citizens. The United Kingdom has issued a new directive authorizing regulators to inspect cyber security precautions taken by energy, transport, water and health companies, reports the BBC. The National Cyber Security Centre has published guidelines, and companies that fail to comply are liable for fines of up to 17 million pounds. “We want our essential services and infrastructure to be primed and ready to tackle cyber-attacks and be resilient against major disruption to services,” said Margot James, Minister for Digital.

IT to OT Challenges

What has brought all of this into focus over the past few years has been the increased awareness of a need for process data outside of the production facility. Companies are recognizing the value of the data in their OT (operational technology) systems, and want to integrate it into their IT systems to help cut costs and improve overall efficiency for the company as a whole. What they may not realize is that the tools of IT were not designed for the world of OT, and the security practices of OT are not adequate for the Internet.

The WannaCry virus that affected many companies worldwide last year is a case in point. Companies using VPNs to protect their IT-to-OT connections found out first-hand that a VPN merely extends the security perimeter of the plant out into an insecure world. A breach in an employee email can expose the whole plant to the threat of a shutdown. “WannaCry is the personification of why computers on the corporate networks should not be directly connected to OT networks,” according to Gartner Analyst Barika Pace in a recent report, Why IIoT Security Leaders Should Worry About Cyberattacks Like WannaCry, January 30, 2018. “It is also the reflection of the inevitable convergence of IT and OT. Based on your risk tolerance and operational process, segmentation, where possible, is still critical.”

Segment Your Systems

By segmentation, Pace means dividing networks into security zones, and maintaining security between each zone through the use of firewalls, DMZs, data diodes and other similar technologies to ensure that if one system gets hacked, it cannot affect others. Segmentation is part of a secure-by-design approach that Skkynet endorses and provides. Our software and services offer a way to connect IT and OT systems through DMZs or the cloud without opening any outbound firewall ports.

A Siemens PLC in this kind of segmented system could be accessed by authorized parties, and exchange data in both directions, without opening TCP port 102 to the Internet. Managers of critical infrastructure that implement this secure-by-design approach to segmentation are not only ready for government inspection, they have taken the best precaution against those who would intrude, hack, and attack their mission-critical systems.
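A host-level check that supports the segmentation described above, added here as an example and not taken from Skkynet or the cited reports: it reads `ss -H -tln` style output and reports TCP listeners bound to anything other than loopback, ranking industrial ports first. Port 102 comes from the text; including 4840 (the IANA-registered OPC UA port) is an assumption about scope, and the sample output is constructed. It shows what a host would answer on, so firewall rules still need their own review.

```python
import ipaddress

# 102 is the port named in the text; 4840 (OPC UA) is an added assumption.
OT_PORTS = {102: "ISO-TSAP (Siemens S7)", 4840: "OPC UA"}

def parse_local(field):
    """Split the 'Local Address:Port' column of ss into (address, port)."""
    addr, _, port = field.rpartition(":")
    addr = addr.strip("[]").split("%")[0]  # drop IPv6 brackets and %iface scope
    return addr, int(port)

def is_loopback_only(addr):
    if addr in ("*", ""):                  # ss prints '*' for a wildcard bind
        return False
    return ipaddress.ip_address(addr).is_loopback

def audit(ss_output):
    """Return findings for TCP listeners that other hosts could reach."""
    findings = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue                       # header, blank or non-listening rows
        addr, port = parse_local(cols[3])
        if is_loopback_only(addr):
            continue
        findings.append({
            "bind": addr,
            "port": port,
            "service": OT_PORTS.get(port, "other"),
            "severity": "high" if port in OT_PORTS else "review",
        })
    return sorted(findings, key=lambda f: (f["severity"], f["port"]))

# Constructed sample in the column layout printed by `ss -tln`.
SAMPLE = """\
State  Recv-Q Send-Q   Local Address:Port  Peer Address:Port
LISTEN 0      128            0.0.0.0:102        0.0.0.0:*
LISTEN 0      128          127.0.0.1:5432       0.0.0.0:*
LISTEN 0      4096             [::1]:8080          [::]:*
LISTEN 0      128               [::]:4840          [::]:*
LISTEN 0      128  192.168.10.5%eth0:22         0.0.0.0:*
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```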

As attacks on critical infrastructure become more likely, users must become aware, and prepare. The acknowledged benefits of IIoT need not entail unnecessary risk—securing an industrial system can be done, and done well. A big step is to segment your OT system through a secure-by-design approach, such as that offered by Skkynet.