Thursday, April 3, 2014
<this is an older blog from another site to which I post>
In a special report, the Washington Post focused on zero-day attacks and how they can happen. In particular, the report spends time on two case studies. The first focuses on the Shodan search engine, which, in 2009, took on a project to map the devices linked to the Internet and exposed the fact that many Industrial Control Systems (ICSs) were connected and incredibly vulnerable to hackers. The second case study is the 2010 Stuxnet attack on an Iranian nuclear processing facility, in which malware delivered by an infected thumb drive exploited four zero-day vulnerabilities in the ICS and caused centrifuges to self-destruct. Attacks such as these on ICSs keep security experts up at night, for good reason.
ICSs are a complex problem because they were never designed or intended to be integrated with the business network, an integration that potentially exposes the process controls to the Internet. They were built with an intentional "air gap" to provide security. Now, however, as budgets decline almost universally and businesses leverage sustainability to drive operational efficiencies, businesses increasingly are adding "smarts" to their systems for buildings, fleets, plant operations and supply chains. These smart systems are often networked together as part of efforts to reduce workforces, lower costs and increase efficiencies. Because configuring these networks and the devices that comprise them is incredibly complex, the ICSs are inadvertently being connected to the Internet, leaving them vulnerable to attack.
Security professionals who want to protect ICSs face a special challenge. The systems generally are decades old and do not allow for automated discovery of their configurations and interconnections. And yet, you can't protect what you don't understand.
Fortunately, the situation is not as impossible as it sounds. Choosing between business efficiencies and cybersecurity is not necessary. The answer to fighting zero-day attacks and malicious activity in this era of budget minimization is to "do the right things" when it comes to security. This means covering all the bases and remaining vigilant. It means being smart about smart systems. It means being creative. For example, although traditional network mapping is not possible for ICSs, security experts can leverage maintenance management systems and records to get a clearer idea of how the environment has evolved and where the subsystems are connected; to identify where the ingress and egress points in the system are located; and to perform periodic risk assessments of the system. Awareness of where the vulnerable systems are, and truly knowing how the components are connected, will shed light on potential holes in the ICS environment that may expose vulnerabilities to the outside world. Performing assessments on a consequence-based risk basis will also help identify the systems, subsystems and components that would have the greatest impact if compromised. This allows the security professional to take action to mitigate these conditions. In the ICS arena, there are many times when simply remediating the vulnerability is not an option (for example, patching would require taking a production system offline). Therefore, alternative mitigation strategies may need to be employed.
These steps (and a little creativity) can help to locate zero-day vulnerabilities, manage the risks associated with new and emerging “smart” systems, and derive savings by operating more sustainably.