Every process requires detail, precision and collaboration. If all of the components of the process aren’t working together, it fails. And that can result in catastrophe. As an example, let’s consider a relatively simple machine and one of its primary components: the bicycle and, more specifically, its wheels.
As long as its rider expends the energy, a bicycle’s wheels will keep spinning, thus carrying the rider from point A to point B without incident. But every sub-component of that primary part must remain in sync. With a finely tuned racing bike, if even one spoke bends or breaks, the wheel first begins to wobble, and if the wobble isn’t addressed, it will fail. And then…catastrophe.
Therefore, the bicycle’s rider needs to be in harmony with the entirety of the machine and the bike-riding process. By fully understanding every dynamic, he or she can ensure a safe, smooth journey. But understanding the dynamics, and keeping the bike moving gracefully forward, requires certain levels of education, good practice and a commitment to continually improving performance.
While this isn’t a perfect analogy, when it comes to confronting new, advanced and aggressive cyber assaults on our industrial control and safety systems, this is what the process automation and industrial manufacturing industry must keep in mind today.
To ensure we reach our destination safely and without incident, no one organization can stand on its own. Instead, like a finely tuned racer, every component needs to work together, each applying its knowledge, technical know-how and experience, so we are all better able first to contemplate and understand new threat vectors and, second, to anticipate and combat dangerous new cyber incursions.
Most of us have read reports about the malware various industry cybersecurity vendors and the U.S. Department of Homeland Security have dubbed Triton, Trisis and Hatman. But if not, here are the broad strokes: An unnamed end user suffered a highly sophisticated and prolonged cyber-attack, which resulted in a safe plant shutdown in August 2017. Through sophisticated cyber-attack methodologies we had never seen before, a 10-year-old Tricon controller was breached. However, the safety system detected an anomaly and behaved as it was supposed to: It took the plant to a safe state, protecting the end user from any harm.
Security professionals quickly began to investigate the incident, whereupon they noticed the malware. They learned the malware had been deployed on the safety instrumented system (SIS) engineering workstation. Even more disturbing, they were also able to determine that the distributed control system (DCS) had been compromised.
Since then, all evidence indicates that multiple site and process security lapses were exploited, which ultimately enabled the attacker(s) to gain remote connectivity to the safety controller, from which the attack was initiated. No single vulnerability caused or enabled the attack. The attack’s sophistication, as well as the attack vector, demonstrates that the incident is not unique to any specific controller; it could have been carried out on any industrial system.
Given that the Triton incident, for the first time, allows us to truly envision attackers having the ability to manipulate the DCS while reprogramming the SIS controllers, the global industrial process and manufacturing industry must heed this as a warning. Concerns about the possibility of attacks on industrial systems in the era of the IIoT are escalating, and they extend across industries and broader society. The message has never been clearer: when it comes to cybersecurity, the industry needs to come together. There is simply too much at stake.
Our industry is conservative and continues to take the “if it ain’t broke, don’t fix it” approach, and that has to change. We all need to take ownership to develop a stronger cybersecurity culture, which, in my view, could be accomplished in three measures.
First, vendors have to reinforce their commitments to making their products stronger and to educating end users on what they need to do to adhere to security best practices at their sites. Part of that means educating ourselves on the landscape and how today’s threat vectors are already impacting critical infrastructure. Take the Ukrainian power grid attacks as examples. There, in consecutive years (2015 and 2016), two different utilities were attacked via the same exact vector, crippling power grids and leaving large swaths of the populace without heat during the most brutal parts of winter. Those attacks were strong lessons, but we in the industry still aren’t learning.
Second, we have to come together to put into place stronger unifying standards and practices. While much needs to be discussed when it comes to standards, the simplest first step is to ensure our systems are consistently up to date. The WannaCry attack is a perfect example, because the EternalBlue vulnerability exposed by the NSA leak was easily avoidable if companies had simply patched their systems. Yes, it was a zero-day, but Microsoft had identified the vulnerability and provided a patch two months before the attack hit. Anyone who waited too long to update their systems was obviously and unnecessarily in peril.
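The "patch two months before the attack" point above comes down to a single measurable quantity: how long each host stayed exposed after the vendor fix was available. The following script is an added example written for this article, not code from the original author or any vendor; it runs over a constructed inventory (the host names, release date and install dates are made up, chosen only to match the two-month timeline described above) and reports every host that exceeded a patching grace period, distinguishing hosts that patched late from those still unpatched as of the report date.

```python
"""Patch-lag report: flag hosts still missing a vendor fix after a grace period."""
from datetime import date

# Constructed sample inventory (hypothetical hosts, not real systems):
# (hostname, date the vendor released the fix, date the host installed it;
#  None means the fix has still not been applied).
SAMPLE_INVENTORY = [
    ("eng-ws-01", date(2017, 3, 14), date(2017, 3, 20)),  # patched within a week
    ("hist-srv-02", date(2017, 3, 14), None),             # never patched
    ("hmi-03", date(2017, 3, 14), date(2017, 4, 30)),     # patched, but late
]

# Constructed report date, roughly two months after the fix was released.
AS_OF = date(2017, 5, 12)


def patch_lag_days(released, installed, as_of):
    """Days a host was (or still is) exposed after the fix became available.

    An unpatched host is counted as exposed up to the report date.
    """
    end = installed if installed is not None else as_of
    return max((end - released).days, 0)


def overdue_hosts(inventory, as_of, grace_days=30):
    """Return (hostname, lag_days, still_unpatched) for every host whose
    exposure window exceeded grace_days, worst offenders first."""
    report = []
    for host, released, installed in inventory:
        lag = patch_lag_days(released, installed, as_of)
        if lag > grace_days:
            report.append((host, lag, installed is None))
    return sorted(report, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    for host, lag, unpatched in overdue_hosts(SAMPLE_INVENTORY, AS_OF):
        state = "STILL UNPATCHED" if unpatched else "patched late"
        print(f"{host}: {lag} days exposed ({state})")
```

In practice the inventory tuples would come from a patch-management export or a configuration database rather than a hard-coded list; the useful part is the grace-period threshold, which turns "keep systems up to date" into a number a site can actually be measured against.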
We also need to focus on education, especially awareness. Everyone in the industry needs constant and recurring education on what to do and what not to do when it comes to cybersecurity.
We should all have in place ongoing reminders to drive general awareness. Everyone in the industrial workforce needs to understand password policies, BYOD policies, how appropriate-use methodology works and why it is there. They need to know the difference between a phishing attack and a standard e-mail attack, and the difference between a virus and a malware attack. Organizations should even run simulated phishing tests, sending e-mail to groups of associates to test their security acumen.
In this era of increased connectivity, everyone, not just security professionals but workers across the entire manufacturing enterprise, needs to understand potential attacks and have the wherewithal to protect themselves and their company.
Third, we have to drive new levels of cross-industry collaboration and openness. That is why we need to call for an impartial industry group or consortium to create a better understanding of the severe intensity of the threat and then help create a culture where everyone knows security is a part of his or her everyday job.
In a detailed analysis of the Triton incident, ARC Advisory Group’s Larry O’Brien wrote: “In the face of increasingly bold, innovative attacks, perpetrated by malicious actors who have unlimited time, resources and funding, every vendor, end user, third-party provider and systems integrator needs to take part in open conversations and drive new approaches that allow installed and new technology to combat the highest level cyber-attacks.”
He couldn’t be more correct. Driving true change to improve the industry’s cybersecurity culture requires a commitment to transparency that promotes openness across competitive lines. This problem isn’t limited to a single company, industry or region. It’s an international threat to public safety that can only be addressed and resolved through collaboration: collaboration that goes beyond borders and competitive interests.
Like the finely tuned racing bike I mentioned at the top, by working together to understand and improve every dynamic, the industry can experience a safe, smooth, incident-free journey. This is the only way we can ensure the safety and security of our global infrastructure and the long-term protection of the people, communities and environment we serve.