Security Technology Executive

JAN-FEB 2013

Issue link: https://securitytechnologyexecutive.epubxp.com/i/107544


equipment such as older PLCs, DCSs and RTUs (remote terminal units) were not designed to elegantly handle malformed or heavy network traffic. In order to ensure reliable production, industrial-specific firewalls were, and still are, used to permit only the messaging required for operations. The risk of an external cyberattack — especially one targeted at industry — was considered minimal, until the rise of terrorism in the new millennium and the disclosure of the game-changing Stuxnet malware in 2010, which specifically disrupted the centrifuges used for uranium enrichment at Iran's Natanz nuclear facility, thus proving that industrial sabotage by malware is possible. Stuxnet was successfully introduced into an apparently air-gapped facility with the use of a USB key. Its discovery and the public release of its design had multiple impacts:

Stuxnet Legacy 1 – Security researcher focus on industrial systems: Stuxnet's fame drew security researchers' attention to hacking industrial systems. In 2011, more industrial control system vulnerabilities were made public — many with exploit code available on the internet — than in the entire previous decade.

Stuxnet Legacy 2 – New advanced persistent threats target industry: Stuxnet's design provided a toolkit for other sophisticated malware known as advanced persistent threats (APTs); however, unlike Stuxnet, which targeted an industrial process, recent APTs have been focusing on industrial espionage to steal business information. APTs are hard to detect, they can hide and collect data for years, and the losses resulting from them are financial and reputational rather than safety or environmental incidents. Critical infrastructure such as financial services has been dealing with APTs for years, but they are new to the industrial space. An example is the Night Dragon attacks that stole business information from petrochemical companies in North America, including energy contract information, oil field bids and production data.

Stuxnet Legacy 3 – Focusing cyber terrorism on the United States and the Middle East: According to a June 2012 article in The New York Times, Stuxnet was attributed to a joint U.S./Israeli intelligence operation called "Operation Olympic Games," started under President George W. Bush and expanded under President Barack Obama. As word spreads, attacks from nation states, criminals or other hackers will increase. Particularly for security executives with facilities in the United States or the Middle East, now is the time to renew your industrial cyber security efforts.

The Impact

A successful attack on an industrial network could mean production losses, significant safety or environmental issues, or the theft of intellectual property, including information obtained from the enterprise network. Indeed, the industrial network could be the simplest backdoor to your enterprise network. With reliable, continuous production a high priority, industrial networking devices with usable lives of 10 to 20 years, and restrained spending, the solution is not the wholesale replacement of equipment.

Security Best Practices

A combination of best practices using technologies designed for industrial security, together with a focused effort, is effective in mitigating industrial system attacks. It is important that your security staff is familiar with industrial security standards. No matter what industry you are in, the ISA IEC 62443 (formerly ISA-99) standard should apply. Major oil, gas and chemical companies such as Exxon, Dow and Dupont are using it, and its strategies are often used successfully in the field. Particular industries also have their own standards, such as NERC CIP for the North American power industry. The NERC not only develops reliability standards, it assesses adequacy, monitors the system and educates, trains and certifies industrial personnel. Unlike IEC 62443, which is a voluntary standard, NERC CIP has enforcement powers.

Here are seven steps to ICS and SCADA security, which condense numerous industry standards and best practice documents into an easy-to-follow process (download a white paper detailing this process at http://web.tofinosecurity.com/download-7-steps/):

1. Assess existing systems: Understand risk and prioritize vulnerabilities.
2. Document policies and procedures: Determine your organization's position regarding ICS and develop company-specific policies.
3. Train personnel and contractors: Develop and institute policy awareness and training programs.
4. Segment the control system network: Create distinct network segments and isolate critical parts of the system.
5. Control access to the system: Provide physical and logistical access controls.

Photo caption: Advanced Persistent Threat (APT) attacks targeting critical infrastructure like dams have become common.

SECURITY TECHNOLOGY EXECUTIVE • January/February 2013 29
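The segmentation and "permit only messaging required for operations" approach the article describes can be modelled as a deny-by-default conduit policy between zones. The following is an added example, not code from the article or from Tofino Security; the zone ranges, conduits, rate ceilings and sample flows are constructed for illustration, and the rate check reflects the article's point that older PLCs cope poorly with heavy traffic.

```python
"""Deny-by-default conduit policy between control-network zones (added example)."""
from ipaddress import ip_address, ip_network

# Zones: constructed address ranges for an IEC 62443-style segmented plant.
ZONES = {
    "enterprise": ip_network("10.0.0.0/16"),
    "control":    ip_network("192.168.10.0/24"),   # HMIs, engineering stations
    "plc":        ip_network("192.168.20.0/24"),   # PLCs / RTUs
}

# Conduits: (src_zone, dst_zone, dst_port) approved for operations, mapped to a
# packets-per-second ceiling. Anything not listed here is dropped.
# 502 is Modbus/TCP and 20000 is DNP3; the ceilings are constructed values.
ALLOWED = {
    ("control", "plc", 502): 200,
    ("control", "plc", 20000): 200,
}

def zone_of(ip):
    """Map an address to its zone name, or 'unknown' if it fits no zone."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"

def evaluate(flows):
    """flows: list of (src_ip, dst_ip, dst_port, pps). Returns one verdict per flow."""
    verdicts = []
    for src, dst, port, pps in flows:
        key = (zone_of(src), zone_of(dst), port)
        if key not in ALLOWED:
            verdicts.append(("DROP", src, dst, port, "not an approved conduit"))
        elif pps > ALLOWED[key]:
            verdicts.append(("RATE-LIMIT", src, dst, port,
                             f"{pps} pps exceeds ceiling of {ALLOWED[key]}"))
        else:
            verdicts.append(("ALLOW", src, dst, port, "approved conduit"))
    return verdicts

# Constructed sample flows: HMI polling, an enterprise host reaching a PLC,
# a traffic burst from the HMI, and a PLC initiating a connection outbound.
SAMPLE_FLOWS = [
    ("192.168.10.5", "192.168.20.7", 502, 50),
    ("10.0.3.4", "192.168.20.7", 502, 10),
    ("192.168.10.5", "192.168.20.7", 502, 5000),
    ("192.168.20.7", "10.0.3.4", 443, 1),
]

if __name__ == "__main__":
    for verdict in evaluate(SAMPLE_FLOWS):
        print(*verdict)
```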
