Chapter 6
Basics of Cyber security

In a modern environment, there are several types of communications: wire (plant and outside telephone), fiber optic (data and voice), radio (pagers and mobile radios), and satellite upload and download links. All are susceptible to interference and attack, including tapping and monitoring (which may be illegal, but when has that stopped anyone with malicious intent?), signal interruption (jamming, cutting lines, establishing false commands), spoofing and misdirection (think of radio commands and requests for assistance, or misdirection), and the introduction of viruses, worms, etc. through these channels into the other hardware and software that operate both analog and digital equipment.

Communications Life Cycle

All communications security goes through a life cycle, and this life cycle is only a slight modification of the basic security life cycle presented in a previous chapter. It indicates the need for continuous review and improvement (Fig. 6.1).


Figure 6.1 The security life cycle.

The process of cyber security is continuous; defenses must be continuously updated. As new programs appear and cyber intruders develop and exploit new vulnerabilities in computer programs and systems, network defenders face a continuous struggle to defeat their attempts. High-profile attacks by China and private hackers have exposed vulnerability in even the best and most secure systems, including the New York Stock Exchange, the major credit card companies, and many of the major banking and financial houses. Some data breaches are made public; most of them, however, are not unless vital information is compromised.

A recent study by Symantec’s research arm Norton indicated that in 2012 there were 18 victims of cyber crime per second or a total of 1.5 million victims per day. The total value of cyber crime worldwide is $110 billion USD/year.1 According to the report, approximately 40% of the people affected by cyber crime do not use strong passwords. Additionally, there are malware and other programs where the unsuspecting are enticed into accessing websites that implant tracking cookies or programs that log keystrokes and lock the user’s computer.

Some Solutions to the Problem of Cyber crime

There is no one solution to the problem of cyber crime because of the changing nature of the problem. Increasingly, cyber crime reaches its victims through mobile devices, as individuals use their cellular phones on public networks. But businesses are equally vulnerable, and networks are getting harder to defend as they become more complex.

The following general recommendations should be incorporated by any company seeking to provide basic cyber security. The list is far from all-inclusive, but it does address the basic elements.

General recommendations

  • Have a written policy on communications about the purpose of the communications and the types of communications that will and will not be permitted on company machines.2
  • Analyze and plan the types of communications your company wants and needs. This should include such elements as spectrum use and the types of CCTV and radios used within a plant.
  • Study and analyze the appropriate equipment for your system—it should permit implementation of the written policies.
  • Enforce the policy. Internet tools including key logging, packet sniffing, and similar programs are legitimate ways of finding out what employees are doing including reading e-mails. However, make it clear to the employees as they are hired what the policy is, what will be tolerated, and what will happen if violations are encountered.
  • Once the equipment is in place, then it must be operated, managed, and maintained. Nothing is as frustrating as an unreliable company-wide Internet or intranet system.
  • Back up the system regularly and also remotely.
  • Keep personnel and sensitive files on separate dedicated restricted computers. Employee information and salary data and associate materials must be safeguarded. In the event of a system penetration, the data should be secure.
  • Employ a security encryption system for sensitive and business-related data. Even relatively simple encryption systems can make stolen data worthless.
  • Radio communications and Wi-Fi and all broadcast information should be encrypted. This should include telemetry signals from sensors and other process control sensors.
  • Change passwords regularly. Most people do not remember passwords from 1 day to the next, even when they create them. There are electronic methods that will enable employees to keep sensitive passwords on read-only flash drives.
  • Decide which computers should have hardware permitting input by CD, DVD, or flash drive. Operator consoles and other sensitive areas should not have removable drives or flash drive ports where software can be added or removed.
  • Central operating systems and networks are, in general, a good thing because they promote efficiency—but they may also represent a potential for security breaches, especially if someone can access critical functions and programs from outside the company.
  • Critical operations and processes used in plant control should have supervisory access only from specific computers.
  • Operator consoles should not have Internet access. Operators with Internet access can be distracted from process monitoring during their work shift if the Internet is available.
  • If the system is designed properly and tested periodically, it should be able to detect intrusions—but that requires a willingness to test the security of the system.
  • Every site should have a security assessment team that includes inside and outside professionals.
  • The security assessment should also include a threat/risk assessment that restarts the assessment process whenever something causes new or different threats and risks.

Communications Security

Some of the first philosophical questions that must be answered when looking at a secure communications system are where the communications are taking place, who is generating information, what information they are generating, and who needs to receive the information.

The purpose of a communications system is to facilitate an interchange of ideas, whether the participants are mobile or not, and to collect the information and distribute it to where it is to be acted upon. Some examples include:

  • The shipping department must be able to connect to the receiving department for routing vehicles. Both must be able to communicate with the guard station and warehouse to authorize the receipt and storage of a shipment.
  • The telephone system provides a central nexus for all communications in the plant (Centrex, Switchboard, or something else).
  • The guards must be able to summon assistance when required much like the fire brigade and the crash cart and ambulance.

Communications as Transactions

When we start to look at communications as transactions, they take on a different character. Viewed that way, we can prioritize their importance and relate the facilities to their purpose. Communications transaction security requires both the sender and the recipient to be secure. Are the following secure and practical, and why?

  • Guard making rounds communicates to central dispatch in front of the plant.
  • Guard calling for help on the telephone.
  • Laboratory calling production operations with results of tests.
  • Central communications station next to the boilers in the plant uses the plant stack as an antenna for plant-wide communications.
  • Workers are summoned by pagers.
  • Workers and guards informed of problems by plant radio from central station.
  • General manager phones a worker in another building to come to a meeting.
  • Lila (purchasing) phones Mary in shipping.

Telephone System Security

Some or all of the following questions should be asked and answered if one is to have a secure telephone system:

  • Are the communications centralized through one vulnerable area such as a telephone trunk line and PBX switchboard, or are they distributed?
  • Where is the central trunk line located with respect to the plant?
  • Is the central communications line accessible outside the plant? Is the phone cable buried and is the switch box in a hidden location?
  • How easily can someone with malicious intent gain access to the phones, and how easily can they be disrupted or monitored?
  • If a telephone truck showed up at the front gate or parked at the central switchboard or junction box, unannounced, would anyone notice?
  • If the local phone company had valid credentials, would your guard force allow them entry into the plant without checking with the telephone company dispatch to verify that the persons were legitimate and without being aware of a communications problem where outside help had been called in?

Radio Communications

Every large plant uses a plant radio, some use cellular telephones, and others still use pagers. Analog systems are easier to break into and spoof than digital systems, but there are still a lot of analog systems in use. The following should be tested:

  • Is the central radio secure or vulnerable to attack and being disabled from within or without the plant fence?
  • Can anyone with a radio of the right frequency gain access to (monitor or interrupt) plant communications?
  • Are plant public broadcast (all radio) transmissions encrypted or in plain language?
  • How easy would it be to steal or duplicate a plant radio?
  • If you have a centralized dispatch system, do you have a backup location in case of an emergency? Does that alternative station have the same capabilities that the regular station has? In other words, is it a full duplicate station and does it have full capabilities? Is it used and maintained periodically just to make sure it is functioning?
  • Would a power failure cripple your ability to communicate either with inside or outside facilities?
  • Would an attack that destroys the plant radio house eliminate your ability to obtain plant-wide assistance or summon or control the workforce?
  • Is there an alternative method of summoning outside assistance if the main trunk telephone line is cut?
  • What happens if the local cellular telephone tower is destroyed? Or what happens if someone attempts to use cell phone jammers?

Digital Communications

Many plants have common systems that are wide open to attack from the Internet and other sources. Just because the transaction involved in a digital exchange is usually incomprehensible to our ears and eyes does not mean that digital transactions are unimportant. Transactions between machines are much like human transactions: there is a call and response to initiate the transaction, and code checking when the recipient recognizes that the transaction is directed toward it. Then there is an interchange of data and a closure agreement when both parties sign off.

Sometimes, the conversation is dedicated (telephone and SCADA), other conversations are continuous and do not sign off, and some digital conversations are shared, while others are not. It all depends upon how the data are transmitted, the devices, and the encoding. We often do not pay attention to it, because it is automatic. An example is the old dial-up modem. When it connected with the service provider, it provided a code of dial tones, and then when the provider responded, the system would produce something that sounded like static but that is digital communication.

When we examine the challenges of providing adequate cyber security and the integration of World Wide Web pages and websites into a server, even by e-mail rerouting, it is easy to see how attacks can take place via the Internet and through digital and analog communications over Wi-Fi and wired links. The variety of digital attacks alone is virtually endless. A recently established website put up by T-Mobile (Deutsche Telekom) lists the types of attacks occurring each second of the day. A recent study by SYMANTEC (INTERNET SECURITY THREAT REPORT -2014 http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_v19_21291018.en-us.pdf) indicates that businesses have a 1:3 to a 1:5 chance of being cyber attacked (and that is based on the attacks that were caught and foiled). A similar report by Shane Shutte in September 2014 (http://realbusiness.co.uk/article/27859-there-are-now-117339-cyber-attacks-per-day) indicated that there are about 1.4 cyber attacks per second, but the article is unclear as to whether that was just for the United Kingdom or worldwide. Other statistics have indicated that the worldwide number of attacks is between 3 and 4 attacks per second. It is important for any company to train its employees to avoid the various traps, malicious e-mail scams, and web-based programs that are prevalent on the Internet. Every company needs a very good firewall and IT department to keep its Internet functioning.

Cyber security

Vulnerability assessment

The basic principles for cyber security are the same as with physical and general security. It starts with a vulnerability assessment, but we also need to recognize the transactional nature of the communications. The elements of that vulnerability assessment start with the following:

  • Risk assessment and threat identification
  • Assessing probability of attack
  • Identifying and ranking the criticality of the communications transactions
  • Identifying the most critical and the associated costs if they are interrupted or lost
  • Identifying the effective actions required for their prevention and the associated costs
  • Evaluating the costs of prevention against the benefits obtained
  • Documenting the findings and preparing an action plan
  • Implementing the action plan and monitoring the results.

Unknowns and alternatives

There are a number of challenges to this approach, including a significant lack of current in-house data (we do not know what we do not know!): we lack information about the criticality and nature of both the information and the communications until we complete the assessment, and until then we do not know which controls, communications, or cyber controls are critical.

We also lack information about effective alternatives and have to realize that uncertainty and lack of information are a constant in that the Internet and computer systems are both growing and dynamic, that our efforts represent a snapshot in time, and that we probably will have to repeat the assessment in response to changing operating systems and changing hardware.

The difficulty with the development of alternatives lies in the costing precision of the alternatives. In industry, cost is not the only factor but is an important factor. Evaluation of alternatives requires some guesswork, and the greater the focus on development of a precise alternative scenario, the more expensive it becomes to develop that scenario. Preparation of accurate cost estimates for evaluation of alternative scenarios is often very difficult, time-consuming, and expensive because it requires evaluation of a number of factors.

Among those factors are process evaluation and costing, lost alternatives costs, and human and machine effectiveness (efficiency) calculations (there is no given standard).

How to Perform the Vulnerability Assessment

There are any number of ways a vulnerability assessment can fail, most notably when the credentials of the assessment team are questioned or when senior management says, “I don’t like it,” “This can’t be right!,” or “I don’t believe it!”

There are a number of things that an assessment team must do in order to have a chance at developing an assessment that will be considered and utilized. These critical success factors include the following:

Critical success factors

  • Obtain senior management support and involvement.
    • Define the scope of the assessment.
    • Approve action plans after they are developed.
  • Designate focal points and a task force.
    • Preferably one individual who is familiar with company policies and procedures and the “way things are done.”
    • This individual serves as coordinator for centralizing information and directing resources.
    • Hold weekly group meetings.
  • Involve those responsible for the collection, management, and use of data.
    • Designated focal points enhance the quality of the development and the efficiency of the risk assessment.
    • Tools and programs should be evaluated by those who will use them.
    • Development techniques can be cross-applied to other areas.
  • Ensure that language and meanings of terms are consistent throughout the development process and across the plant.
  • Ensure that reports are delivered on time and in standardized formats.
  • Ensure that expectations of senior executives are met.
  • Involve specialists:
    • Involve specialist disciplines such as engineering, business, and operators as well as IT people.
    • Business managers often have the best understanding of the criticality and sensitivity of business operations and of the data systems supporting them.
    • Technical and security people often understand existing system designs and vulnerabilities.
    • Include auditors and financial people.
    • Equipment vendors probably should be excluded from these meetings because they have a specialized agenda.
  • Where possible, conduct risk assessments with in-house personnel.
    • Use a team approach to conduct external risk evaluations with federal agencies and CERT (Carnegie Mellon Computer Emergency Response Team) (www.cert.org).
    • Hold business units responsible for initiating and conducting their own risk assessments.
  • Limit the scope of individual assessments.
    • Limit the scope to individual business units rather than a large all-encompassing scope.
    • Segment operations into logical units.
    • Different operations have different risk levels.
    • Identify shared risks with associated infrastructure—that is, e-mail, common files, common programs, etc.
  • Document and maintain results.
    • Force accountability for managers.
    • Make auditing performance easier.
    • Provide a starting point for subsequent assessments.

Optimum assessment team size

That said, it is probably best to have an assessment team of between 5 and 10 persons. Too few and the job becomes enormous; too many and the group becomes unwieldy to manage.

The vulnerability assessment process will report and develop procedures to help reduce or eliminate cyber vulnerabilities. Because this is often part of corporate “policy and procedures” (P&P) and will wind up in the P&P book, it must be a formal written set of statements that clearly outline the steps to take in response to real vulnerabilities or situations.

Communications Procedure Design: Hints and Helps

  • A written procedure must be clear, in plain language, and easily understood, even if that means being redundant with respect to some actions.
  • Do not let your legal team anywhere near the procedures because they will screw it up by applying legal principles and arcane language.
  • Procedures, especially those that involve the entire company, must be consistent across diverse business units.
  • Procedures must be developed in concert with others rather than in isolation (no need for “reinventing the wheel”).
  • Keep in mind that the sharing of information, especially about real or perceived vulnerabilities and attacks, is important.
  • Identify parties responsible for initiating and conducting risk assessments.
  • Determine who has to participate.
  • Get agreement on steps to be taken.
  • Determine in advance, if possible, how disagreements are to be resolved.
  • Identify which approvals are required.
  • Determine how the assessment is to be documented.
  • Determine how documentation is to be maintained.
  • Determine who gets the reports.
  • Determine who can authorize recommendations.
  • Standardize reporting formats, that is, tables, lists, questionnaires, and standard reports: KISS, or keep it simple, stupid!

Benefits: Identified

The identified benefits from providing a cyber security risk assessment and developing policies and procedures to address those risks include identifying the risks on a continuing basis; helping employees and personnel understand the business; helping employees avoid risky behaviors and practices; alerting employees to be aware of suspicious events and practices coming in via e-mail, Internet, and other forms of digital communications; and providing an effective way to communicate risk information to specific business units.

Cyber Threat Matrix: Categories of Loss and Frequency

Categories of loss I through IV:

  • I: Death, loss of critical information, system disruption, or severe environmental or other damages
  • II: Severe injury, loss of proprietary information, occupational illness, and major system or environmental damage
  • III: Minor injury, minor occupational illness, and minor damage
  • IV: Less than minor injury, occupational illness, or less than minor system or environmental damage

Categories of frequencies A–E:

  • A: Frequent, possibility of frequent incidents
  • B: Probable, possible isolated incidents
  • C: Occasional, possibility of occurrence sometime
  • D: Remote, unlikely
  • E: Improbable, virtually impossible

The threat matrix looks like this (Fig. 6.3):


Figure 6.3 Threat matrix for cyber security occurrences.

For each occurrence, a ranking and a rating are developed; alternatively, internal software is used to help develop corrective actions based on a list of security controls and to provide related cost estimates. The team should develop a list of possible corrective actions.

For each scenario requiring risk reduction, the team should identify one or more corrective actions from the list of alternatives it has developed and then select the most effective corrective action, based on the effectiveness of the possible control in reducing the probability or severity of the incident and on its cost.

Finally, the team should develop the corrective actions and prepare an exit briefing and a draft report that each team leader reviews. When all the changes are finalized, the report and its changes are submitted to middle management, who will receive the report, consider it, and implement the changes. Corporate security will monitor the progress of the implementation.
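The ranking and selection steps above can be made mechanical. The following is an added example, not code from the book: it assigns numeric weights to the loss categories I–IV and frequency categories A–E, ranks constructed scenarios by the resulting risk index, and then picks, for one scenario, the candidate control that reaches the target rating at the best risk reduction per unit cost. Since Fig. 6.3 is not reproduced on this page, the weights, the High/Medium/Low bands, and the scenarios and controls are all assumptions chosen for illustration.

```python
# Constructed numeric weights for the book's loss categories (I-IV) and
# frequency categories (A-E). Fig. 6.3 is not reproduced on this page, so these
# weights and the High/Medium/Low bands are an assumption, not the book's values.
LOSS_WEIGHT = {"I": 4, "II": 3, "III": 2, "IV": 1}
FREQ_WEIGHT = {"A": 5, "B": 4, "C": 3, "D": 2, "E": 1}
RATING_ORDER = {"Low": 0, "Medium": 1, "High": 2}


def risk_index(loss, freq):
    """Numeric cell value of the matrix: severity weight times frequency weight."""
    return LOSS_WEIGHT[loss] * FREQ_WEIGHT[freq]


def risk_rating(loss, freq):
    """Map the index onto the rating bands used for decisions (assumed bands)."""
    idx = risk_index(loss, freq)
    if idx >= 12:
        return "High"
    if idx >= 6:
        return "Medium"
    return "Low"


def rank_scenarios(scenarios):
    """Highest-risk scenarios first, so the team works the worst cases first."""
    return sorted(scenarios, key=lambda s: risk_index(s["loss"], s["freq"]), reverse=True)


def select_action(scenario, actions, target="Low"):
    """Pick the control that brings the scenario to the target rating with the
    best risk reduction per unit cost. Returns None if no control reaches the target."""
    before = risk_index(scenario["loss"], scenario["freq"])
    best = None
    for action in actions:
        # A control may lower the frequency, the loss category, or both.
        loss = action.get("new_loss", scenario["loss"])
        freq = action.get("new_freq", scenario["freq"])
        if RATING_ORDER[risk_rating(loss, freq)] > RATING_ORDER[target]:
            continue  # does not reduce risk far enough; reject it
        reduction = before - risk_index(loss, freq)
        value = reduction / action["cost"]
        if best is None or value > best["value"]:
            best = {"action": action["name"], "reduction": reduction,
                    "cost": action["cost"], "value": value}
    return best


# Constructed scenarios and candidate controls (hypothetical, for illustration).
SCENARIOS = [
    {"name": "Malware on Internet-connected operator console", "loss": "II", "freq": "B"},
    {"name": "Trunk telephone line cut during an incident", "loss": "I", "freq": "D"},
    {"name": "Pager message misread by worker", "loss": "IV", "freq": "A"},
]
ACTIONS = [
    {"name": "Install antivirus on operator consoles", "new_freq": "C", "cost": 2000},
    {"name": "Remove Internet access from operator consoles", "new_freq": "E", "cost": 8000},
    {"name": "Segment the control network and harden the console OS",
     "new_freq": "D", "new_loss": "III", "cost": 12000},
]

if __name__ == "__main__":
    for s in rank_scenarios(SCENARIOS):
        print(f'{risk_index(s["loss"], s["freq"]):2d} {risk_rating(s["loss"], s["freq"]):6s} {s["name"]}')
    print(select_action(SCENARIOS[0], ACTIONS))
```

Note that the cheapest control (antivirus) is rejected outright because it leaves the scenario at Medium; cost per unit of reduction is only compared among controls that actually reach the target, which matches the book's order of criteria (effectiveness first, then cost).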

Setting up Internet Security

Internet vulnerability is potentially one of the greatest threats to cyber security. Through a combination of e-mail, web browsers, and other programs, there are substantial security holes in any web-based system. They include (i) Trojan horses, (ii) worms, (iii) malware, (iv) denial-of-service attacks, (v) keystroke loggers, and (vi) whatever new attack is under development at any given moment. According to various sources on the Internet, even JPEG files and other types of graphic elements can contain hidden controls that can corrupt or take over a computer’s operating system.

Part of the problem is that Internet Explorer is particularly vulnerable precisely because it is integral to the Windows operating system, and it is impractical to remove or disable it. Apple systems are harder to attack because the registers in the operating system are individual to the machines, whereas Windows registry files are all similar.

External versus internal testing

Many computer security professionals recommend starting with an external Internet assessment for the purpose of checking the vulnerabilities of the computer system and individual computers. The external assessment is also known as a “perimeter test,” and it is conducted from outside the network. This emulates hacker attacks, seeking ways in which the system can be penetrated.

A second type of test is the internal test, “and emulates the threat experienced from internal staff, consultants, disgruntled employees, or, in the event of unauthorized physical access or a compromise of the perimeter security. These internal threats comprise more than 60% of the total threat portfolio.3” An Internet assessment will not address every threat to your network, but may catch most of them. Threats from remote access servers and connections to third parties are generally not detected by the assessment.

Security focus

Start with the customer’s own website(s) and mine them for information about the customer. The primary objective is to derive the DNS domain names that the target uses and map them to the IP addresses to be investigated. DNS domain names often come from the e-mail address or the company’s name.

Using search engines, search all instances of the company’s name. This provides links to the company’s own site (from which DNS domain information can be easily derived) and provides information about mergers and acquisitions, partnerships, and company structures.

Using a tool like HTTrack, dump all the relevant websites to disk. Then scan those files to extract all e-mail addresses and HTTP links, and parse them to extract more DNS domains.
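The extraction step, as an added example that is not from the book: it scans the text of a saved page for e-mail addresses and HTTP links, reduces them to DNS domains, and separates the ones that belong to the company's already-known domains from the ones the assessment team still has to verify against the registries (the case of a technical contact at a different domain, mentioned under browser and domain security below). The HTML sample, the company name ABC Apples, and the `.example` domains are constructed; the registrable-domain helper assumes simple two-label suffixes and would need a public-suffix list for domains such as `co.uk`.

```python
import re
from urllib.parse import urlparse

# Constructed sample of one page as a site-mirroring tool might save it
# (not a real site; all names use the reserved .example suffix).
SAMPLE_HTML = """
<html><body>
<p>Contact us at info@abcapples.example or sales@abcapples.example.</p>
<p>Technical contact: admin@hosting-partner.example</p>
<a href="https://www.abcapples.example/about">About</a>
<a href="http://careers.abcapples.example/jobs?id=1">Careers</a>
<a href="https://portal.supplier-co.example/login">Supplier portal</a>
<a href="mailto:press@abcapples.example">Press</a>
</body></html>
"""

# Local part, then a captured domain with at least one dot and an alphabetic TLD.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")
# http/https links up to the next quote, whitespace or angle bracket.
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def extract_domains(text):
    """Return (emails, links, domains) found in one saved page's text."""
    emails = {m.group(0).lower() for m in EMAIL_RE.finditer(text)}
    links = set(URL_RE.findall(text))
    domains = {m.group(1).lower() for m in EMAIL_RE.finditer(text)}
    for link in links:
        host = urlparse(link).hostname
        if host:
            domains.add(host.lower())
    return emails, links, domains


def registrable_domain(host):
    """Crude grouping by the last two labels (assumes no multi-part suffixes)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def classify(domains, known_registrable):
    """Split hosts into those under known company domains and new registrable
    domains that must be checked in the registries before being added to scope."""
    known = set(known_registrable)
    in_scope = {d for d in domains if registrable_domain(d) in known}
    to_verify = {registrable_domain(d) for d in domains - in_scope}
    return sorted(in_scope), sorted(to_verify)


if __name__ == "__main__":
    emails, links, domains = extract_domains(SAMPLE_HTML)
    in_scope, to_verify = classify(domains, ["abcapples.example"])
    print("known hosts:", in_scope)
    print("verify in registry:", to_verify)
```

Feeding every mirrored file through `extract_domains` and merging the sets gives the comprehensive domain list the text calls for; the `to_verify` output is the work queue for the registry checks, and nothing is treated as in scope until ownership has been confirmed there.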

Browser and domain security

Use the various domain registries. Tools like geektools.com, register.com, and others can often be used:

  • To verify whether the domains we have identified actually belong to the organization being assessed.
  • To extract any additional information that may be recorded in a specific domain’s record.
    • For example, you will often find that the technical contact for a given domain has provided an e-mail address at a different domain. The second domain then automatically falls under the spotlight as a potential part of the assessment.

Some of the registries provide for wildcard searches. Such a search can help to identify all the domains that may be associated with the company ABC Apples Inc., for example. The object and output of this work is a comprehensive list of DNS domains that are relevant to the target company. It may require several searches and trials and revisions to get a complete list.

One of the first things that an attacker is looking for is the IP/name mapping for the target company. Name server and mail exchange records often contain this information. Because the IP addresses tend to be grouped together, it is often easy to find the range of addresses for a specific network. This makes it easy for an intruder to conduct a “ping” scan to find out which specific IP addresses are active.

Almost every machine on the Internet works with a series of little Internet locations called ports. Ports are used to receive incoming traffic for a specific service or application. Each port on a machine has a number, and there are 65,536 possible port numbers. An IP address can be probed using a “port scanner,” a freely available software utility that tries to establish a connection to every port in a specified range.

If a network is on the Internet, there are a number of possible active ports through which an attack can occur. Assuming that an IP address is active on the Internet for a reason, the most likely open ports are mail servers on port 25, web servers on ports 80 or 443, a Microsoft client on port 139, a remote mail server on port 587, and a DNS server on port 53.

An intruder or hacker can access a network in any number of ways. Configuration errors and mismatches between various software components may provide an entry to the system. In some instances, a “stack overflow” occurs when a program or subprogram uses excessive amounts of memory beyond the allocated amount. This type of error can be accidental or deliberate and may be caused by an infinite loop program that is very easy to write. Because programs are complex, a minor transfer error can cause an opening that is exploitable. Also, programmers have been known to leave “backdoors” in their programs for the purpose of service, correction, and access without having to go through the program authentication.

http://www.SecurityFocus.com and http://www.SecuriTeam.com contain information on security vulnerabilities. An Internet search engine will also be able to return operating system vulnerabilities, allowing one to exploit those areas if they have not been blocked or disabled. There are also vulnerability scanners that check for installation of best practices on a system and best configuration for desired results. Companies like ESET, Symantec, McAfee, and BindView all make vulnerability scanners although they have different names. There are even some open-source scanners that are freeware, such as Nessus from Renaud Deraison. Currently, a search engine listing for network vulnerability scanners returned with 730,000 hits or potential sources to investigate.

Data encryption

The issue of data security can be a complex one. Data encryption is often time-consuming and carries an overhead, but it can prevent an outsider from seeing critical data. That said, it is not necessary to encrypt everything, and the network and communications analysis should indicate the types of communications that should be encrypted and those that should not. For example, a highly sensitive e-mail between coworkers might be encrypted, especially if it or the attachments contain business-sensitive information. This requires a “two-key” type of security system where only the person receiving the message can decrypt it.4 Management of a secure communications system while maintaining a network with wide access is often a challenge. Most security professionals will recommend a 128-bit key encryption system.

A part of the company’s security and intranet system should also address encryption for any devices that operate or that can be controlled over a network. It must support both sensor and control systems and node-to-node communications, directly or through intermediaries. In industrial control systems, all of the communications models of common field I/O programming must be supportable, and the system must ensure that the failure or compromise of a single node will not bring down the other nodes or the system.

Authentication is also a significant part of the system. Generally, a dual-band system for control systems, where the authentication is transmitted by a different mode such as radio, cable, or infrared, ensures control system security. The importance of this issue cannot be stressed strongly enough. In order to be secure, the data transmission rate between sensors and control points should be high, and the system should be able to detect loss of information packets and loss of synchronization.

Cyber security Tools

The US Department of Homeland Security has developed the following tools for use; some may be export controlled. The National Cyber Security Division’s Control Systems Security Program (CSSP) (http://www.sans.org/press/dhs-inl-win-ncia.php) is designed to reduce cyber risks and has developed the following:

  • Catalog of Control Systems Security: Recommendations for Standards Development.
  • Control System Cyber Security Self-Assessment Tool (CS2SAT).
  • Cyber Security Procurement Language for Control Systems, a CSSP document developed in conjunction with the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT, funded by the US Department of Homeland Security) (ics-cert.us-cert.gov/csstandards.html#control).
  • The ISA Automation Standards Compliance Institute is a licensed distributor of the CS2SAT program. The program will assist SCADA and process control system users in improving their security.
