Control System Simulator Helps Operators Learn to Fight Hackers


Simulators are great training tools. It sure beats flying 777s around for your annual pilot recert. Gaming technology has become so good along with many other technologies, that operators of process plants and machinery should be well trained to respond appropriately to any emergency.

Georgia Institute of Technology sent this information about an advancement in simulation for operator training. Good stuff.

A simulator that comes complete with a virtual explosion could help the operators of chemical processing plants – and other industrial facilities – learn to detect attacks by hackers bent on causing mayhem. The simulator will also help students and researchers understand better the security issues of industrial control systems.

This flow chart shows data flows within a simulated chemical processing facility.


Facilities such as electric power networks, manufacturing operations and water purification plants are among the potential targets for malicious actors because they use programmable logic controllers (PLCs) to open and close valves, redirect electricity flows and manage large pieces of machinery. Efforts are underway to secure these facilities, and helping operators become more skilled at detecting potential attacks is a key part of improving security.

Screen captures show a simulated explosion in a chemical processing plant precipitated by a cyberattack on the system.

“The goal is to give operators, researchers and students experience with attacking systems, detecting attacks and also seeing the consequences of manipulating the physical processes in these systems,” said Raheem Beyah, the Motorola Foundation Professor in the School of Electrical and Computer Engineering at the Georgia Institute of Technology. “This system allows operators to learn what kinds of things will happen. Our goal is to make sure the good guys get this experience so they can respond appropriately.”

Details of the simulator were presented August 8 at Black Hat USA 2018, and August 13 at the 2018 USENIX Workshop on Advances in Security Education. The simulator was developed in part by Atlanta security startup company Fortiphyd Logic, and supported by the Georgia Research Alliance.

The simulated chemical processing plant, known as the Graphical Realism Framework for Industrial Control Simulations (GRFICS), allows users to play the roles of both attackers and defenders – with separate views provided. The attackers might take control of valves in the plant to build up pressure in a reaction vessel to cause an explosion. The defenders have to watch for signs of attack and make sure security systems remain operational.

Screen capture shows a chemical processing plant in which critical parameters are rising due to false process data and control commands injected by an attacker.

Of great concern is the “man-in-the-middle” attack in which a bad actor breaks into the facility’s control system – and also takes control of the sensors and instruments that provide feedback to the operators. By gaining control of sensors and valve position indicators, the attacker could send false readings that would reassure the operators – while the damage proceeded.

“The pressure and reactant levels could be made to seem normal to the operators, while the pressure is building toward a dangerous point,” Beyah said. Though the readings may appear normal, however, a knowledgeable operator might still detect clues that the system has been attacked. “The more the operators know the process, the harder it will be to fool them,” he said.
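As an added illustration (not code from GRFICS or from the article), the following Python sketch shows the kind of process-knowledge check Beyah describes from the defender's side: a monitor keeps its own pressure estimate from the commanded valve positions and alerts when the HMI keeps showing "normal" readings that the physics says are impossible. The reactor model, its constants and the sample telemetry are constructed assumptions.

```python
"""Process-consistency check for spoofed operator readings.

A man-in-the-middle that replays "normal" sensor values to the HMI
cannot easily fake the physics as well: if the feed valve has been
driven open and the vent closed, vessel pressure must rise.  This
monitor keeps an independent, model-based pressure estimate derived
from the *commanded* valve positions and alerts when the reported
value stays flat while the model says it should be climbing.

Toy reactor model (a constructed assumption, not GRFICS's chemistry):
    dP/dt = K_IN * feed_open - K_OUT * vent_open * P
P in bar, valve positions in [0, 1], one sample per second.
"""
from dataclasses import dataclass
from typing import List, Tuple

K_IN = 0.8        # bar/s gained per unit of feed-valve opening (assumed)
K_OUT = 0.05      # fractional relief per second per unit of vent opening (assumed)
TOLERANCE = 1.0   # bar of model/reported mismatch tolerated per sample
ALARM_RUN = 3     # consecutive mismatches before an alarm is raised


@dataclass(frozen=True)
class Sample:
    t: int             # seconds since start
    feed_open: float   # commanded feed-valve position, 0..1
    vent_open: float   # commanded vent-valve position, 0..1
    reported_p: float  # pressure shown to the operator (may be spoofed)


def step_model(p: float, feed_open: float, vent_open: float, dt: float = 1.0) -> float:
    """Advance the reference model one sample with an explicit Euler step."""
    return p + dt * (K_IN * feed_open - K_OUT * vent_open * p)


def find_spoofed_runs(samples: List[Sample], p0: float) -> List[Tuple[int, float, float]]:
    """Return (t, model_p, reported_p) for each point at which ALARM_RUN
    consecutive samples disagreed with the model by more than TOLERANCE."""
    alarms = []
    model_p = p0
    run = 0
    for s in samples:
        if abs(s.reported_p - model_p) > TOLERANCE:
            run += 1
            if run == ALARM_RUN:       # alert once per run, not on every sample
                alarms.append((s.t, model_p, s.reported_p))
        else:
            run = 0
        # The commanded positions come from the control path, which the
        # monitor reads independently of the (possibly spoofed) HMI feed.
        model_p = step_model(model_p, s.feed_open, s.vent_open)
    return alarms


# Constructed telemetry.  Steady state at 6.4 bar (feed 0.2, vent 0.5),
# then at t=4 the feed is driven fully open and the vent shut while the
# HMI keeps showing 6.4 bar: the man-in-the-middle case from the article.
SPOOFED_TELEMETRY = [Sample(t, 0.2, 0.5, 6.4) for t in range(4)] + \
                    [Sample(t, 1.0, 0.0, 6.4) for t in range(4, 10)]

# Same valve commands, but the reported pressure follows the physics:
# a genuine pressure excursion, not a spoofed one, so no alarm is raised.
HONEST_TELEMETRY = [Sample(t, 1.0, 0.0, 6.4 + 0.8 * t) for t in range(5)]

if __name__ == "__main__":
    for name, telemetry in (("spoofed", SPOOFED_TELEMETRY), ("honest", HONEST_TELEMETRY)):
        print(name, find_spoofed_runs(telemetry, 6.4))
```

The honest run shows why the check keys on model disagreement rather than on rising pressure alone: a real excursion that the HMI reports faithfully is an operational problem, not a spoofing alarm.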

The GRFICS system was built using an existing chemical processing plant simulator, as well as a 3D video gaming engine running on Linux virtual machines. At its heart is the software that runs PLCs, which can be changed out to represent different types of controllers appropriate to a range of facilities. The human-machine interface can also be altered as needed to show a realistic operator control panel monitoring reaction parameters and valve controller positions.

“This is a complete virtual network, so you can set up your own entry detection rules and play on the defensive side to see whether or not your defenses are detecting the attacks,” said David Formby, a Georgia Tech postdoctoral researcher who has launched Fortiphyd Logic with Beyah to develop industrial control security products. “We provide access to simulated physical systems that allow students and operators to repeatedly study different parameters and scenarios.”

GRFICS is currently available as an open source, free download for use by classes or individuals. It runs on a laptop, but because of heavy use of graphics, requires considerable processing power and memory. An online version is planned, and future versions will simulate the electric power grid, water and wastewater treatment facilities, manufacturing facilities and other users of PLCs.

Formby hopes GRFICS will expand the number of people who have experience with the security of industrial control systems.

“We want to open this space up to more people,” he said. “It’s very difficult now to find people who have the right experience. We haven’t seen many attacks on these systems yet, but that’s not because they are secure. The barrier for people who want to work in the cyber-physical security space is high right now, and we want to lower that.”

Beyah and Formby have been working for several years to increase awareness of the vulnerabilities inherent in industrial control systems. While the community still has more to do, Beyah is encouraged.

“Several years ago, we talked to a lot of process control engineers as part of the NSF’s I-Corps program,” he said. “It was clear that for many of these folks then, security was not a major concern. But we’ve seen changes, and lots of people are now taking system security seriously.”

Schneider Electric Foxboro Holds Conference, Details Strategy


Foxboro and Triconex look to be on the path to health under Schneider Electric. Its annual user conference is this week in San Antonio. I’d love to be there, but personally more important is “grandparent duty” that I’m on this week. So, I had the opportunity to talk with Gary Freburger, leader of the group, and Peter Martin, VP of marketing, to get an update and view of what I’ll be missing.

Gary Freburger began with the market rebounding due to current oil pricing. Business is starting to get strong. The IA product line has done well, and the process business also did well, going up 6% in the first half of the year. He’s expecting the majority of growth over the next two years. Schneider Electric is still investing around the EcoStruxure system. Foxboro is continuing on the path they discussed with us at the last user conference—how to get more value from control systems, going from “necessary evil” to value add in the eyes of customer executives. The strategy is to turn data and connectivity into a business driver. The goal is enabling better decisions and improving profitability.

Freburger discussed cooperating with OPAF for a comprehensive strategy. Then he dropped in an interesting tidbit—cooperation with AVEVA. I’ve wondered how AVEVA, with the inclusion of the previous Schneider Electric software, would work with the Foxboro side of things. He told me they now have an end-to-end relationship to improve time to market. He noted that as oil prices dropped, customers thought, “what can I afford to do?” Now, all have reset expectations. As oil prices rebound, they have not changed expectations. Some interesting applications and strategies include AVEVA auto-populating the control system, a digital twin of the facility, and operations feedback from our systems to AVEVA’s, so that the customer’s asset management upgrade works more easily.

Martin discussed how Schneider is trying to change the question—from how to do control to how do we help customers solve problems that impact business? He pointed out that they’ve been doing digitization for years. What’s new is how to drive this new approach. 40 years ago, controls was a solution-driven business; then with digitization the industry went from solutions to technology-driven. The times now require a flip-flop: solutions oriented, but with today’s portfolios taking it to a much higher level. The speed of industrial business has increased—what was stable, e.g. the cost of electricity, is stable no longer. The speed means the IT world can’t keep up. Built-in real-time accounting control helps plants go beyond control to profitability. Foxboro is still dedicated to taking the use of technology to the next level.

During the conference (while I am writing from the forests in southern Ohio while the grandkids are in bed), Schneider Electric announced the release of EcoStruxure Foxboro DCS Control Software 7.1. With expanded capabilities and an enhanced HMI, the updated software simplifies engineering and enhances the user experience, while expanding the ability of EcoStruxure Foxboro DCS to drive measurable operational profitability improvements, safely.

The EcoStruxure Foxboro DCS is an open, interoperable and future-proof process automation system that provides highly accurate and effective control over a manufacturing plant’s operational profitability. It is the only process control system that provides measurable operational profitability improvements and a future-proof architecture, enabling a measurable 100 percent ROI in less than one year.

EcoStruxure is Schneider Electric’s open, interoperable, IoT-enabled system architecture and platform. This includes Connected Products, Edge Control, and Apps, Analytics and Services. EcoStruxure has been deployed in 480,000+ sites, with the support of 20,000+ system integrators and developers, connecting over 1.6 million assets under management through 40+ digital services.

EcoStruxure Foxboro DCS Control Software 7.1 runs on Windows 10 and Windows Server 2016, to provide maximum flexibility while ensuring robust cybersecurity. When planning upgrades, Schneider Electric customers can mix Windows XP, Windows 7 and Windows 10 on the same system, allowing flexibility in scheduling and timing for upgrades. Customers can upgrade individual sections of the plant in any order, at any pace, to best accommodate plant production schedules. With Microsoft support for Windows 7 due to end in 2020, transitioning to Windows 10 allows EcoStruxure Foxboro DCS customers to benefit from the strongest operating system with the most up-to-date cybersecurity features.

Among other new and updated features, the continuously current EcoStruxure Foxboro DCS Control Software 7.1 now includes:

• EcoStruxure Field Device Expert that improves efficiency, safety and profitability, while considerably reducing time for startup and restarts. It includes:

◦ Intelligent Commissioning Wizard, to reduce commissioning time up to 75 percent by automating HART device commissioning and documentation processes.

◦ Device Replacement Wizard to significantly reduce time and expertise to replace or commission HART devices, either individually or in bulk.

◦ Bundled HART DD library for increased security, faster device deployment, eradication of version mismatch and elimination of cybersecurity risks previously created by moving documents from the HART consortium web page into the system.

• New HMI Bulk Graphics Editor for increased operational efficiency and reliability by greatly reducing engineering hours and improving quality during testing. Use in major projects shows that replicating hundreds of displays with the new Bulk Graphics Editor saves months of man hours and improves quality by delivering highly predictable results. The Bulk Graphics Editor makes migrating from the classic FoxView HMI to the new Foxboro DCS Control HMI easier, requiring far fewer engineering hours, which reduces the time and cost to transition between technologies.

• Control Editors Activity Monitor for increased efficiency by improving communication, workflow and collaboration.

• Real-time asset health condition monitoring for increased reliability.

• Future-proof technology supporting the latest FDT 2.0 standard, which improves compatibility with digitized field devices from Schneider Electric and third-party vendors.

• New migration path, along with the new HMI Bulk Graphics Editor, simplifies the transition from existing FoxView HMI displays to the EcoStruxure Foxboro DCS Control Software 7.1 HMI platform for a continuously current and future-proof system. An upgrade migration path is available from previous Control Software Versions 5.x, 6.x and 7.0. After upgrading, users can tap into newer technologies that improve productivity, cybersecurity, efficiency and profitability.

National Cybersecurity Wars Require IoT Supplier Response


Critical infrastructure control systems have been under cyber attack for years. Need we mention Stuxnet, the attack that brought the issue to the public eye? Pressure has been mounting on controls, automation, and IoT suppliers to protect a nation’s assets.

Siemens and eight partners signed a joint charter for greater cybersecurity at a recent Munich conference.

Highlights include:

  • Ten action areas for greater cybersecurity
  • Call for dedicated government ministries and chief information security officers
  • Independent certification for critical infrastructures and solutions in the Internet of Things

The Charter of Trust calls for binding rules and standards to build trust in cybersecurity and further advance digitalization. In addition to Siemens and the Munich Security Conference (MSC), the companies Airbus, Allianz, Daimler Group, IBM, NXP, SGS and Deutsche Telekom are signing the Charter. The initiative is further welcomed by Canadian foreign minister and G7 representative Chrystia Freeland as well as witnessed by Elżbieta Bieńkowska, the EU Commissioner for Internal Market, Industry, Entrepreneurship and Small and Medium-sized Enterprises.

“Confidence that the security of data and networked systems is guaranteed is a key element of the digital transformation,” said Siemens President and CEO Joe Kaeser. “That’s why we have to make the digital world more secure and more trustworthy. It’s high time we acted – not just individually but jointly with strong partners who are leaders in their markets. We hope more partners will join us to further strengthen our initiative.”

The Charter delineates 10 action areas in cybersecurity where governments and businesses must both become active. It calls for responsibility for cybersecurity to be assumed at the highest levels of government and business, with the introduction of a dedicated ministry in governments and a chief information security officer at companies. It also calls for companies to establish mandatory, independent third-party certification for critical infrastructure and solutions – above all, where dangerous situations can arise, such as with autonomous vehicles or the robots of tomorrow, which will interact directly with humans during production processes. In the future, security and data protection functions are to be preconfigured as a part of technologies, and cybersecurity regulations are to be incorporated into free trade agreements. The Charter’s signatories also call for greater efforts to foster an understanding of cybersecurity through training and continuing education as well as international initiatives.

“Secure digital networks are the critical infrastructure underpinning our interconnected world,” said Canadian foreign minister Chrystia Freeland. “Canada welcomes the efforts of these key industry players to help create a safer cyberspace. Cybersecurity will certainly be a focus of Canada’s G7 presidency year.” The matter is also a top priority for the Munich Security Conference. “Governments must take a leadership role when it comes to the transaction rules in cyberspace,” said Wolfgang Ischinger, Chairman of the Munich Security Conference. “But the companies that are in the forefront of envisioning and designing the future of cyberspace must develop and implement the standards. That’s why the Charter is so important. Together with our partners, we want to advance the topic and help define its content,” he added.

According to the ENISA Threat Landscape Report, cybersecurity attacks caused damage totaling more than €560 billion worldwide in 2016 alone. For some European countries, the damage was equivalent to 1.6 percent of the gross domestic product. And in a digitalized world, the threats to cybersecurity are steadily growing: According to Gartner, 8.4 billion networked devices were in use in 2017 – a 31-percent increase over 2016. By 2020, the figure is expected to reach 20.4 billion.

Embedded and Edge Capture Attention At ARC Forum


I was so busy during the ARC Advisory Group Industry Forum last week that I just couldn’t find time to write coherently. The keyword was digital, supplemented by embedded, edge, IIoT, security, and transformation.

The Forum attracted perhaps not only its largest attendance but also its largest attendance of end users. The things that appeal to me are those that fit into the Industrial Internet of Things the most. Here are two related new product releases. The first one involves embedding HMI/SCADA software and the second involves using that embedded software in addition to many other technologies for an edge device.

First is the announcement from Inductive Automation concerning the creation of its Ignition Onboard program. The program involves device manufacturers embedding Ignition and Ignition Edge software in the devices they manufacture.

The program includes Ignition Onboard and Ignition Edge Onboard. Ignition by Inductive Automation is an industrial application platform with tools for building solutions in human-machine interface (HMI), supervisory control and data acquisition (SCADA), and the Industrial Internet of Things (IIoT). Ignition Edge is a line of lightweight, limited, low-cost Ignition software products which empower solutions designed for edge-of-network use.

“Device manufacturers have joined Ignition Onboard in response to their customers’ demands for an all-in-one solution that contains hardware and software at a reasonable price,” said Don Pearson, chief strategy officer for Inductive Automation. “These are companies that understand the importance of building a strong IIoT, and we’re very happy to be collaborating with them.”

The other announcement came from Opto 22. This is a significant advance in edge devices for industrial and SCADA applications.

The new groov EPIC system from Opto 22 combines I/O, control, data processing, and visualization into one secure, maintainable, edge-of-network industrial system. groov EPIC lets engineers and developers focus on delivering value, not on triaging loosely connected components.

“We are a company of engineers inspired and driven to create products that unleash our customers’ imaginations,” says Mark Engman, Opto 22 CEO. “groov EPIC is a culmination of that mission, a response to industry requests to more wholly integrate IT and OT technologies, simplify development and deployment, and provide a platform for long-term growth now and well into the future.”

Combining reimagined intelligent I/O with an embedded Linux real-time controller, gateway functions, and an integrated display, groov EPIC offers field-proven industrial hardware design with a modern software ensemble, to produce the results that visionary engineers want today.

Connecting legacy systems, controlling processes and automating machines, subscribing to web services and creating mashups, acquiring and publishing data, visualizing that data wherever it is needed, and mobilizing operators—all of these are now within reach. In addition, groov EPIC simplifies commissioning and wiring and helps engineers develop rapidly and deploy quickly.

“The groov EPIC system incorporates in one unit everything needed to connect and control field and operational devices and data, through on-premises IT databases, spreadsheets and other software, to cloud storage and services—and back again,” says Benson Hougland, Opto 22 vice president of Marketing & Product Strategy. “This ability to easily exchange data and use it where needed opens opportunities automation engineers have not had until now. This is a truly new system that builds on the past but looks fundamentally to the future of our industry.”

Of particular interest to original equipment manufacturers (OEMs) will be optional access to the Linux operating system through secure shell (SSH). This access, along with toolchains and interpreters for Java, C/C++, Python, JavaScript/Node.js, and more, allows OEM developers to execute their own custom developed applications on this ruggedized, edge processing control system.

The main point of discussion between Benson and me lately is whether Sparkplug (from the developer of MQTT) is adequate for IoT applications. He favors the lightweight (technical, not pejorative) protocol, while I tend to favor OPC UA over MQTT as a better overall solution due to its interoperability. But that’s OK. He and I have had these technical discussions for almost 20 years now. I love pushback, and I think Benson does as well. It raises the energy level.

Industrial Cyber Security Holds Center Stage At Year’s End


Last week I wrote about the cyber attack on a safety instrumented system, probably in Saudi Arabia. There has been another attack. When media relations people saw that I had written about cyber security, I started receiving more releases.

Cyber security

Here is some additional commentary by Eddie Habibi, CEO and founder of PAS Global. That company has moved strongly beyond alarm management, investing heavily in building a cyber security practice.

“Since 2010, attackers have been intent on learning how process control networks in critical infrastructure plants work, what systems are in place, where vulnerabilities exist, and how best to manipulate these systems to affect plant safety and performance. Attackers have now moved beyond reconnaissance and are leveraging their acquired knowledge of control networks to interrupt production and create safety incidents. They are targeting systems that in many cases produce electricity for our businesses, gasoline for our cars, or clean water for our homes.

The TRITON (a.k.a. TRISIS) malware attack underscores the capabilities that attackers have acquired and the fact that traditional security controls – namely air gapping and security by obscurity – are no longer sufficiently effective. As TRITON targets an integral part of the independent protection layers that keep plants safe, this should raise red flags with every critical infrastructure company in the world.

One of the first steps companies must take is to get better visibility into the cyber assets in their plants. Eighty percent of the assets in a plant are outside of traditional IT cybersecurity programs. This is clearly unacceptable given the threat landscape we face today. Once companies gain visibility, they can begin to implement fundamental security controls such as monitoring for unauthorized change or discovering hidden vulnerabilities. Otherwise, malware such as TRITON will continue to find fertile ground for causing production disruptions and even environmental or physical harm.”

Cyber security challenges for practitioners

Part of my daily contact with PAS Global’s PR person included this tidbit from Habibi.

With these seismic attacks looming over manufacturing plants/facilities and other critical infrastructure, PAS Global has identified the top 8 critical challenges ICS directors are facing:

  • Lack of overall visibility of ICS vulnerabilities
  • Vulnerability exploits are underreported
  • False sense of security in many ICS environments
  • More disclosures than capacity to investigate
  • Limited visibility into ICS vulnerabilities and risks
  • Vulnerability investigation is manual and research-intensive
  • Limited visibility into vulnerability remediation effectiveness
  • Manual, inconsistent patch management

HatMan Malware

And this from Emily S. Miller, Director of National Security and Critical Infrastructure Programs at Mocana:

“ICS-CERT’s analysis of the HatMan malware revealed some interesting and novel tidbits. Not only did the actor develop a ‘more traditional PC-based component that interacts with the safety PLC,’ but the malware also contained components specifically designed to compromise the safety device itself, which allowed changes to the device firmware. The fact that this actor has the capability to access the safety instrumentation device, and potentially make changes to the device firmware unnoticed, should make critical infrastructure owner-operators sit up and take heed. Yes, in this case the malware tripped the safety systems and was noticed, but who’s to say the actor won’t learn from its mistakes or hasn’t already? Current recommended mitigations promote defense-in-depth strategies. While these are absolutely pieces of the puzzle, things like network monitoring and segmentation alone are clearly not sufficient when the bad actors keep getting in and doing bad things to both the devices and the data contained therein. We have to do better about both defending the network AND protecting the devices themselves.”


Yet more cyber attacks in the news

Further communications from the agency for PAS Global. I appreciate the humor. “I didn’t want you to go a day without hearing from me. What a concerning week we are having for critical infrastructure!”

The warning is from Nyotron, which says it has spotted a threat actor with likely links to Saudi Arabia, Iran, or Algeria using a repurposed malware tool to target specific critical infrastructure organizations in the Middle East.

“We’ve seen a seven-fold increase in the number of cyberattacks on industrial control systems (ICS) since 2010. What makes this increase particularly alarming is the enhanced level of sophistication of the attacks and the success they have shown in achieving their goals.

The fact that infected USBs are behind the Copperfield attack underscores the lack of adequate, foundational security within industrial facilities. Critical infrastructure security is clearly not trending in the right direction.

The simple fact is that 80% of cyber assets in a facility are highly proprietary, do not work with IT security controls, and are largely invisible to security personnel. If we cannot see these assets, how can we hope to secure them? If we cannot secure them, then we are staring at a tumultuous 2018 because the bad guys are savvy to the insecurity of these systems.”

Meanwhile, here is another defense

Most experts I talk with discuss the need for a defense-in-depth strategy. Occasionally entrepreneurs in the field wax enthusiastically about their particular solution. Albert Rooyakkers is one of those intense entrepreneurs who has designed an industrial control product with cyber security at the heart of the design.

Here is the latest news from Bedrock Automation.

It has announced that Bedrock Open Secure Automation (OSA) firmware will include intrinsic Anomaly Detection (AD). Bedrock OSA AD will be available as standard integrated functionality that continuously monitors the controller’s network and system time to detect intrusions and anomalous behavior.

“Preventing control system intrusion is fundamental to holistic cyber security. In addition, users need to know when the system security is being challenged. This is the role of anomaly detection. At no additional cost or complexity for the user, Bedrock’s AD delivers additional assurance that no one is tampering with your automation,” said Rooyakkers. Bedrock Anomaly Detection includes the following functionality:

  • Dynamic Port Connection Monitoring, which records all attempts to connect any controller or communication point and captures identifying information on the intruder
  • Network Port Scanning, which detects if hackers are scanning for open ports that might provide access to the control network
  • System Time Monitoring, which detects attempts to manipulate log files to conceal malicious activity
  • Cryptographic Controller Engineering Key Lock, which permits only users with valid user credentials to change the configuration and operation mode of the controller and records all access
  • Intrusion Event Logging, which records all detected anomalies and reports them to SCADA software through OPC UA and standard database access for historian, alarming, and trending functions. Additionally, a tri-color status LED on the faceplate of Bedrock Controllers provides indication locally whenever an intrusion is detected.

Anomalous behavior detected at the controller level signifies a high likelihood of a cyber security event. Embedding detection into the controller provides advanced cyber defense while reducing complexity and lifecycle cost. Bedrock AD will be standard on all Bedrock systems and is available as a free firmware upgrade to installed systems as part of Cybershield 3.0 in March 2018.
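The following Python sketch is an added example, not Bedrock’s firmware: it re-creates three of the checks in the list above (recording connection attempts, port-scan detection, and system-time monitoring) as detection logic run over a constructed controller event log, so the reader can see what an “intrusion event” from such a list needs as input. The log format, thresholds and addresses are assumptions made for the example.

```python
"""Controller-side anomaly detection over a connection/time event log.

Checks re-created here (an added example, not Bedrock's implementation):
  * connection monitoring: every refused connection attempt is recorded
    with the identifying source address and port;
  * port-scan detection: one source touching SCAN_PORTS distinct
    controller ports within SCAN_WINDOW seconds;
  * system-time monitoring: the controller clock moving backwards, or
    a clock-set request jumping far ahead or back, which is how an
    intruder would try to make later log entries look older than they are.

Log format, constructed for this example:
    <epoch_seconds> CONN <src_ip> <dst_port> <ACCEPT|REFUSE>
    <epoch_seconds> TIMESET <new_epoch_seconds>
"""
from collections import defaultdict, deque

SCAN_PORTS = 5           # distinct ports from one source ...
SCAN_WINDOW = 10         # ... within this many seconds => port scan
MAX_FORWARD_JUMP = 300   # seconds; larger clock-set steps are suspicious


def parse(line):
    """Parse one log record into a dict; raises ValueError on unknown kinds."""
    parts = line.split()
    ts, kind = int(parts[0]), parts[1]
    if kind == "CONN":
        return {"ts": ts, "kind": kind, "src": parts[2],
                "port": int(parts[3]), "result": parts[4]}
    if kind == "TIMESET":
        return {"ts": ts, "kind": kind, "new_ts": int(parts[2])}
    raise ValueError(f"unknown record: {line!r}")


def detect(lines):
    """Return a list of (event_kind, record_ts, detail) intrusion events."""
    events = []
    recent = defaultdict(deque)   # src -> deque of (ts, port) inside the window
    flagged_scan = set()          # sources already reported, to avoid repeats
    last_ts = None
    for line in lines:
        rec = parse(line)
        # System-time monitoring: record timestamps must never go backwards,
        # even if no explicit clock-set request was logged.
        if last_ts is not None and rec["ts"] < last_ts:
            events.append(("CLOCK_ROLLBACK", rec["ts"], f"{last_ts}->{rec['ts']}"))
        last_ts = rec["ts"]
        if rec["kind"] == "TIMESET":
            delta = rec["new_ts"] - rec["ts"]
            if delta < 0 or delta > MAX_FORWARD_JUMP:
                events.append(("TIME_MANIPULATION", rec["ts"], f"delta={delta}s"))
            last_ts = rec["new_ts"]   # later records are stamped by the new clock
            continue
        # Dynamic port connection monitoring: keep identifying information.
        if rec["result"] == "REFUSE":
            events.append(("REFUSED_CONNECT", rec["ts"], f"{rec['src']}:{rec['port']}"))
        q = recent[rec["src"]]
        q.append((rec["ts"], rec["port"]))
        while q and q[0][0] < rec["ts"] - SCAN_WINDOW:
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= SCAN_PORTS and rec["src"] not in flagged_scan:
            flagged_scan.add(rec["src"])
            events.append(("PORT_SCAN", rec["ts"],
                           f"{rec['src']} touched {len(ports)} ports in {SCAN_WINDOW}s"))
    return events


# Constructed log: a legitimate HMI (10.0.0.7) on Modbus/OPC UA ports, a
# host (10.0.0.99) sweeping ports, a clock-set request 200 s into the past,
# and finally a record whose timestamp silently runs backwards.
SAMPLE_LOG = """\
1000 CONN 10.0.0.7 502 ACCEPT
1001 CONN 10.0.0.7 4840 ACCEPT
1003 CONN 10.0.0.99 21 REFUSE
1003 CONN 10.0.0.99 22 REFUSE
1004 CONN 10.0.0.99 23 REFUSE
1004 CONN 10.0.0.99 80 REFUSE
1005 CONN 10.0.0.99 502 ACCEPT
1100 TIMESET 900
902 CONN 10.0.0.7 502 ACCEPT
850 CONN 10.0.0.99 502 ACCEPT
""".splitlines()

if __name__ == "__main__":
    for ev in detect(SAMPLE_LOG):
        print(*ev)
```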
