In a modern environment, there are several types of communications: wire (plant and outside telephone), fiber optic (data and voice), radio (pagers and mobile radios), and satellite upload and download links. All are susceptible to interference and attack, including tapping and monitoring (which may be illegal, but when has that stopped anyone with malicious intent?), signal interruption (jamming, cutting lines, establishing false commands), spoofing and misdirection (think of radio commands and requests for assistance), and introduction of viruses, worms, etc. through these channels into the other hardware and software that operate both analog and digital equipment.
All communications security follows a life cycle, which is only a slight modification of the basic security life cycle presented in a previous chapter. It indicates the need for continuous review and improvement (Fig. 6.1).
Cyber security is a continuous process and must be continuously updated. As new programs and cyber intruders develop and exploit new vulnerabilities in computer programs and systems, network defenders face a continuous struggle to defeat their attempts. High-profile attacks by China and by private hackers have exposed vulnerabilities in even the best and most secure systems, including the New York Stock Exchange, the major credit card companies, and many of the major banking and financial houses. Some data breaches are made public; most of them, however, are not unless vital information is compromised.
A recent study by Symantec’s research arm Norton indicated that in 2012 there were 18 victims of cyber crime per second, or a total of 1.5 million victims per day. The total value of cyber crime worldwide is $110 billion USD per year.[1] According to the report, approximately 40% of the people affected by cyber crime do not use strong passwords. Additionally, there is malware, and there are other programs, by which the unsuspecting are enticed into accessing websites that implant tracking cookies or programs that log keystrokes and lock the user’s computer.
There is no single solution to the problem of cyber crime because of the changing nature of the problem. Increasingly, cyber crime is carried out through mobile devices, as individuals use their cellular phones on public networks. Businesses, however, are equally vulnerable, and networks are getting harder to defend as they become more complex.
The following general recommendations should be incorporated into any company in an effort to provide basic cyber security. The list is far from all-inclusive, but it does address the basic elements.
Some of the first philosophical questions that must be answered when looking at a secure communications system are where the communications are taking place, who is generating information, what information they are generating, and who needs to receive the information.
The purpose of a communications system is to facilitate the interchange of ideas, whether the parties are mobile or not, and to collect and distribute those ideas to where they are to be acted upon. Some examples include:
When we start to look at communications as transactions, they take on a different character. In that light, we can prioritize their importance and relate the facilities to their purpose. Communications transaction security requires both the sender and the recipient to be secure. Are the following secure and practical, and why?
Some or all of the following questions should be asked and answered if one is to have a secure telephone system:
Every large plant uses a plant radio, some use cellular telephones, and others still use pagers. Analog systems are easier to break into and spoof than digital systems, but there are still a lot of analog systems in use. The following should be tested:
Many plants have common systems that are wide open to attack from the Internet and other sources. Just because the transaction involved in a digital exchange is usually incomprehensible to our ears and eyes does not mean that digital transactions are unimportant. Transactions between machines are much like human transactions, in that there is a call and response to initiate the transaction and code checking when the recipient recognizes that the transaction is directed toward it. Then there is an interchange of data and a closure agreement when both parties sign off.
Sometimes the conversation is dedicated (telephone and SCADA); other conversations are continuous and do not sign off; some digital conversations are shared, while others are not. It all depends upon how the data are transmitted, the devices, and the encoding. We often do not pay attention to it, because it is automatic. An example is the old dial-up modem. When it connected with the service provider, it sent a code of dial tones, and then, when the provider responded, the system would produce something that sounded like static, but that was digital communication.
When we examine the challenges of providing adequate cyber security, and the integration of World Wide Web pages and websites into a server (even by e-mail rerouting), it is easy to see how attacks can take place via the Internet and through digital and analog communications over Wi-Fi and wired links. The variety of digital attacks alone is virtually endless. A recently established website put up by T-Mobile (Deutsche Telekom) lists the types of attack occurring each second of the day. A recent study by Symantec (Internet Security Threat Report 2014, http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_v19_21291018.en-us.pdf) indicates that businesses have a 1:3 to 1:5 chance of being cyber attacked (and that is based only on the attacks that were caught and foiled). A similar report by Shane Shutte in September 2014 (http://realbusiness.co.uk/article/27859-there-are-now-117339-cyber-attacks-per-day) indicated that there are about 1.4 cyber attacks per second, but the article is unclear as to whether that figure is for the United Kingdom alone or worldwide. Other statistics have put the worldwide number at between 3 and 4 attacks per second. It is important for any company to train its employees to avoid the various traps, malicious e-mail scams, and web-based programs that are prevalent on the Internet. Every company needs a very good firewall and IT department to keep its Internet connection functioning.
The basic principles for cyber security are the same as with physical and general security. It starts with a vulnerability assessment, but we also need to recognize the transactional nature of the communications. The elements of that vulnerability assessment start with the following:
There are a number of challenges to this approach, including a significant lack of current, in-house data (we do not know what we do not know!). Until the assessment is complete, we lack information about the criticality and nature of both the information and the communications, and we do not know which communications or cyber controls are critical.
We also lack information about effective alternatives, and we have to realize that uncertainty and lack of information are constants: the Internet and computer systems are both growing and dynamic, our efforts represent a snapshot in time, and we will probably have to repeat the assessment in response to changing operating systems and changing hardware.
The difficulty with the development of alternatives lies in the costing precision of the alternatives. In industry, cost is not the only factor, but it is an important one. Evaluation of alternatives requires some guesswork, and the greater the focus on developing a precise alternative scenario, the more expensive it becomes to develop that scenario. Preparing accurate cost estimates for the evaluation of alternative scenarios is often very difficult, time-consuming, and expensive because it requires evaluation of a number of factors.
Among those factors are process evaluation and costing, the cost of forgone alternatives, and human and machine effectiveness (efficiency) calculations, for which there is no given standard.
There are any number of ways a vulnerability assessment can fail, most notably when the credentials of the assessment team are questioned or when senior management says, “I don’t like it,” “This can’t be right!,” or “I don’t believe it!”
There are a number of things that an assessment team must do in order to have a chance at developing an assessment that will be considered and utilized. These critical success factors include the following:
That said, it is probably best to have an assessment team of between 5 and 10 persons. With too few, the job becomes enormous; with too many, the group becomes unwieldy to manage.
The vulnerability assessment process will report and develop procedures to help reduce or eliminate cyber vulnerabilities. Because this is often part of corporate “policy and procedures” (P&P) and will wind up in the P&P book, it must be a formal written set of statements that clearly outline the steps to take in response to real vulnerabilities or situations.
The identified benefits from providing a cyber security risk assessment and developing policies and procedures to address those risks include identifying the risks on a continuing basis; helping employees and personnel understand the business; helping employees avoid risky behaviors and practices; alerting employees to be aware of suspicious events and practices coming in via e-mail, Internet, and other forms of digital communications; and providing an effective way to communicate risk information to specific business units.
Categories of loss I through IV:
Categories of frequencies A–E:
The threat matrix looks like this (Fig. 6.3):
For each occurrence, a ranking and a rating are developed; alternatively, internal software is used to help develop corrective actions based on a list of security controls and to provide related cost estimates. Either way, the team should develop a list of possible corrective actions.
For each scenario requiring risk reduction, the team should identify one or more corrective actions from the list of alternatives it has developed and then select the most effective corrective action, based on the effectiveness of the possible control in reducing the probability or severity of the incident, and on its cost.
Finally, the team should develop the corrective actions and prepare an exit briefing and a draft report that each team leader reviews. When all the changes are finalized, the report is issued and the changes are submitted to middle management for their consideration and implementation. Middle management receives the report and implements the changes, and corporate security monitors the progress of the implementation.
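The selection step above, carried through as an added example (not from the page or any particular tool): each candidate control scales the scenario's probability and severity, and the one that removes the most risk per dollar wins. Because the page does not define its I–IV and A–E categories, the numeric scales (events per year, dollars per event, annualised control cost) are assumptions of this example.

```go
package main

import "sort"

// Scenario is one row of the threat matrix. The page does not define the
// I-IV and A-E scales, so numeric values are an assumption of this example:
// expected events per year and dollar loss per event.
type Scenario struct {
	Name              string
	Probability, Loss float64
}

// Control is a candidate corrective action with its annualised cost and the
// fraction of the original probability and loss that remains once it is in place
// (1.0 = no effect, 0.0 = eliminated).
type Control struct {
	Name                         string
	Cost, ProbFactor, LossFactor float64
}

// Risk is the annualised loss expectancy: probability times severity.
func (s Scenario) Risk() float64 { return s.Probability * s.Loss }

// Choice is a control together with the risk it removes, absolute and per dollar.
type Choice struct {
	Control          Control
	Reduction, Ratio float64
}

// SelectControl ranks candidates the way the text describes: by effectiveness
// in reducing probability or severity, weighed against cost. Controls that cost
// more than the risk they remove are discarded; ties favour the larger reduction.
func SelectControl(s Scenario, candidates []Control) (Choice, bool) {
	var choices []Choice
	for _, c := range candidates {
		residual := s.Probability * c.ProbFactor * s.Loss * c.LossFactor
		red := s.Risk() - residual
		if c.Cost < 0 || red <= c.Cost {
			continue // invalid cost, or the control is not worth its price
		}
		choices = append(choices, Choice{c, red, red / c.Cost})
	}
	if len(choices) == 0 {
		return Choice{}, false
	}
	sort.Slice(choices, func(i, j int) bool {
		if choices[i].Ratio != choices[j].Ratio {
			return choices[i].Ratio > choices[j].Ratio
		}
		return choices[i].Reduction > choices[j].Reduction
	})
	return choices[0], true
}
```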
Internet vulnerability is potentially one of the greatest threats to cyber security. Through a combination of e-mail, web browsers, and other programs, there are substantial security holes in any web-based system. They include (i) Trojan horses, (ii) worms, (iii) malware, (iv) denial-of-service attacks, (v) keystroke loggers, and whatever else is under development at any given moment. According to various sources on the Internet, even JPEG files and other types of graphic elements can contain hidden controls that can corrupt or take over a computer’s operating system.
Part of the problem is that Internet Explorer is particularly vulnerable precisely because it is integral to the Windows operating system and is impractical to remove or disable. Apple systems are harder to attack because the registers in the operating system are individual to the machines, whereas Windows registry files are all similar.
Many computer security professionals recommend starting with an external Internet assessment for the purpose of checking the vulnerabilities of the computer system and individual computers. The external assessment is also known as a “perimeter test,” and it is conducted from outside the network. This emulates hacker attacks, seeking ways in which the system can be penetrated.
A second type of test is the internal test, which “emulates the threat experienced from internal staff, consultants, disgruntled employees, or, in the event of unauthorized physical access or a compromise of the perimeter security. These internal threats comprise more than 60% of the total threat portfolio.”[3] An Internet assessment will not address every threat to your network, but it may catch most of them. Threats from remote access servers and connections to third parties are generally not detected by the assessment.
The assessment starts with the customer’s own website(s), which are mined for information about the customer. The primary objective is to derive the DNS domain names that the target uses and map them to the IP addresses to be investigated. DNS domain names often come from the e-mail address or the company’s name.
Using search engines, search for all instances of the company’s name. This provides links to the company’s own site (from which DNS domain information can be easily derived) and provides information about mergers and acquisitions, partnerships, and company structures.
Using a tool like HTTrack, dump all the relevant websites to disk. Then scan those files to extract all e-mail addresses and HTTP links, and parse them to extract more DNS domains.
Use the various domain registries. Tools like geektools.com, register.com, and others can often be used:
Some of the registries provide for wildcard searches. Such a search can help to identify all the domains that may be associated with the company ABC Apples Inc., for example. The objective and output of this work is a comprehensive list of DNS domains that are relevant to the target company. It may require several searches, trials, and revisions to get a complete list.
One of the first things that an attacker is looking for is the IP/name mapping for the target company. Name server and mail exchange records often contain this information. Because the IP addresses tend to be grouped together, it is often easy to find the range of addresses for a specific network. This makes it easy for an intruder to conduct a “ping” scan to find out which specific IP addresses are active.
Almost every machine on the Internet works with a series of little Internet locations called ports. Ports are used to receive incoming traffic for a specific service or application. Each port on a machine has a number, and there are 65,536 possible port numbers. An IP address can be probed using a “port scanner,” a freely available software utility that tries to establish a connection to every port in a specified range.
If a network is on the Internet, there are a number of possible active ports through which an attack can occur. Assuming that an IP address is active on the Internet for a reason, the most likely open ports are mail servers on port 25, web servers on ports 80 or 443, a Microsoft client on port 139, a remote mail server on port 587, and a DNS server on port 53.
An intruder or hacker can access a network in any number of ways. Configuration errors and mismatches between various software components may provide an entry to the system. In some instances, a “stack overflow” occurs when a program or subprogram uses more memory than has been allocated to it. This type of error can be accidental or deliberate and may be caused by an infinite loop, which is very easy to write. Because programs are complex, a minor error can leave an opening that is exploitable. Also, programmers have been known to leave “backdoors” in their programs for the purpose of service, correction, and access without having to go through the program’s authentication.
http://www.SecurityFocus.com and http://www.SecuriTeam.com contain information on security vulnerabilities. An Internet search engine will also return operating system vulnerabilities, allowing one to exploit those areas if they have not been blocked or disabled. There are also vulnerability scanners that check whether best practices are installed on a system and whether it is configured for the desired results. Companies like ESET, Symantec, McAfee, and BindView all make vulnerability scanners, although under different names. There are even some open-source scanners that are freeware, such as Nessus from Renaud Deraison. A current search-engine query for network vulnerability scanners returned 730,000 hits, or potential sources to investigate.
The issue of data security can be a complex one. Data encryption is often time-consuming and carries an overhead, but it can prevent an outsider from seeing critical data. That said, it is not necessary to encrypt everything, and the network and communications analysis should indicate the types of communications that should be encrypted and those that should not. For example, a highly sensitive e-mail between coworkers might be encrypted, especially if it or its attachments contain business-sensitive information. This requires a “two-key” type of security system in which only the person receiving the message can decrypt it.[4] Managing a secure communications system while maintaining a network with wide access is often a challenge. Most security professionals will recommend a 128-bit key encryption system.
A part of the company’s security and intranet system should also address encryption for any devices that operate over, or can be controlled over, a network. It must support both sensor and control systems and node-to-node communications, directly or through intermediaries. In industrial control systems, all of the communications models of common field I/O programming must be supportable, and the system must ensure that the failure or compromise of a single node will not bring down the other nodes or the system.
Authentication is also a significant part of the system. Generally, a dual-band arrangement for control systems, in which the authentication is transmitted by a different mode such as radio, cable, or infrared, ensures control system security. The importance of this issue cannot be stressed strongly enough. In order to be secure, the data transmission rate between sensors and control points should be high, and the system should be able to detect loss of information packets and loss of synchronization.
The US Department of Homeland Security has developed the following tools for use. Some may be export controlled. The National Cyber Security Division’s Control Systems Security Program (CSSP) (http://www.sans.org/press/dhs-inl-win-ncia.php) is designed to reduce cyber risks. It has developed the following tools:
Control System Cyber Security Self-Assessment Tool (CS2SAT).