Siemens Updates Industrial Cyber Security Initiatives

Siemens invited a couple of writers to the Cincinnati area headquarters of PLM and a Cyber Security Center of Excellence to witness an internal presentation to Siemens employees. The presentation included both an overview of cyber security and the Siemens response plus Siemens’ plans to build a sizable business in the area. I was there along with safety and security writer Greg Hale.

Eric Spiegel, President and CEO, Siemens USA, kicked off the day with a presentation on the importance of cyber security and Siemens’ intent to build the business. In fact, Spiegel noted, “We want to grow the cyber security services in the US at 2x market speed. Cyber was a small part of our business, but we see much potential for growth.”

Spiegel related, “I was at a White House meeting in the situation room, had a chance to meet the President. He talked to me directly about the need to protect critical infrastructure.” Spiegel continued that hacking is top of mind in this area. Recognizing Siemens’ own strategies in the area, he continued, “If digitalization is important for the future of manufacturing, then cyber security is also important. Attacks on critical manufacturing are becoming more frequent and intense. Two-thirds of CEOs rank cyber security as one of the top two things on their agenda. In response, we have 50 differentiated service offerings in cyber today.”

Cyber Security Golden Nuggets

Joanna Burkey, U.S. CISO, moderated the first panel discussion, which was more technical in nature. She suggested looking for what she called “Golden Nuggets”, that is, places where a risk-based approach suggests vulnerabilities. For example, she noted, one is source code.

Siemens began the effort to uncover these golden nuggets and then decided to take what it learned to its customers. When Siemens goes out to a customer to consult on cyber risks, it follows a process that includes mapping IT assets (for example, SAP, end points, encryption), developing an asset classification system, and designing a holistic protection process coordinating with business, IT, and vendors.

Siemens has identified about 700 of these golden nuggets and is in the process of mitigating 121 of them. It expects the number to grow to about 1,000.

Rolf Reinema, Head of Technology Field, added that protecting intellectual property goes beyond hardware and software; it also includes algorithms. In process industries, these might be called recipes residing in a processor. “OT attacks are complex. Having so much legacy equipment creates vulnerabilities.” Then he left us with this sobering thought, “If a hacker shows they can attack, they’ll ask for a substantial deposit of bitcoins so that they won’t carry out the attack.” Think of the blackmail you could be open to.

Udo Wirtz, Head of Technology Field, calls the Internet the new company Intranet. “We are shining a light in a cave, we now can see some of the problems where five years ago not so much.” Wirtz also addressed phishing attacks. These attacks are still an important problem, tricking people into clicking on what looks like a legitimate link, which instead gives the hacker access to user accounts and even administrative rights. “So they are phishing all of us,” he concluded.

In March the FBI came to Siemens and GE and said that both had been contacted by Facebook. It seems that someone was “friending” employees on Facebook and building an innocuous relationship. Then they sent a link that turned out to be malicious. “It used to be stupid to click on a link. But today the messages are so sophisticated that it is hard to tell legitimate from phishing.”

Growing Cyber Security as a Business

The next session was a Marketing Panel addressing how Siemens will move cyber from internal to a customer service. Rajiv Sivaraman, VP and Head of Plant Security Services, said that given the development of digital manufacturing, cyber is high on the enterprise list. Siemens is laying foundations for taking customers on a journey to awareness. Answering the question about scaling the business, Sivaraman noted a progression of going from consulting and “hand-holding” to ultimately scaling to managed services. Siemens is also checking out partners for both C-Level and operations level consulting.

Ken Geisler, VP of Strategy & Markets, Energy Management Digital Grid, reported grid suppliers do have compliance requirements. As they grow many more points of access, e.g., smart meters on homes, there is growing concern for cyber security. Cyber is a huge potential market with many competitors.

Judy Marks, Executive Vice President, Global Solutions, Dresser-Rand, A Siemens Business, says that with the oil & gas market it’s all about business and enterprise risk. Especially with the exposure of offshore facilities. They also have the challenge of operating in a heterogeneous environment. Siemens, through acquisitions, is now a leading service provider to O&G and plans to leverage that into growing the cyber business.

In his first year at Siemens, Leo Simonovich, Director, Global Cyber Strategy, said operations is the new frontier for attacks. Of all attacks, 30% are targeting or coming from OT. Customers are turning to Siemens “because we understand that environment. We can secure the technology stack.” Another sobering thought: your chances of an attack? 100%.

Jeremy Bryant, Head of PD PA secure networking solution business, added that customers (and Siemens) need to be worried about inside-out attacks as well as outside-in.

Overall, a profitable day in Cincinnati to learn what Siemens was up to. Several of the majors have some type of cyber division or initiative. Siemens appears to be ahead of that pack right now. As a user, you should be happy that suppliers are developing solutions to help in the battle.

Smart Manufacturing Networks Cyber Security

This partnership enhances both OT and IT cyber security for industrial smart manufacturing networks.

SCADAfence, a pioneer in securing industrial networks in smart manufacturing industries, announced Feb. 24 an alliance with Check Point Software Technologies Ltd. This collaboration mitigates the inherent risks for manufacturers, such as operational downtime, process manipulation and theft of intellectual property, that can come with connecting operation technology (OT) networks with traditional information technology (IT) networks, in the pharmaceutical, chemical, automotive and food & beverage industries.

“We are excited to join forces with Check Point to provide manufacturers with a holistic solution that effectively protects IT/OT environments,” said Yoni Shohet, Co-founder and CEO of SCADAfence. “Together, we have developed a platform that strikes the perfect balance between security and availability by ensuring operational continuity while maximizing the pace of manufacturing.”

While combining OT and IT environments reduces costs and improves productivity for smart manufacturing companies, connecting the two environments opens OT networks to an array of risks, from malicious malware to non-malicious human error. The integration of SCADAfence’s solution and Check Point’s security solutions for IT and OT creates a comprehensive, risk-free security solution for entire industrial networks and provides security administrators with a single pane of glass for IT and OT security incidents.

With SCADAfence’s passive, non-intrusive solution, administrators and operators have visibility of day-to-day industrial operations and real-time detection of cyber-attacks. Smart manufacturers can also leverage the technology to improve their planning of IT/OT network separation, and internal OT segmentation within industrial networks.

“Check Point’s ICS/SCADA cyber security solutions provide advanced threat prevention paired with ruggedized appliance options and comprehensive protocol support with full visibility and granular control of SCADA traffic in order to ensure vital industrial assets are never compromised,” said Alon Kantor, vice president of business development, Check Point. “We are pleased to have SCADAfence join us in offering an augmented solution to help keep customers one step ahead in securing these critical infrastructure and industrial control organizations.”

Real-Time Cyber Attack Detection for SCADA Devices

SCADA devices and networks remain a prime target for cyber attacks. Everything I’ve written has approached cybersecurity from a different angle. This is the first solution that has come my way that uses a deception approach.

Attivo Networks announced Dec. 7, 2015 a release of its deception-based Attivo BOTsink solution that provides continuous threat detection on Industrial Control Systems (ICS) SCADA devices used to monitor and control most manufacturing operations as well as critical infrastructure such as natural gas, oil, water, and electric power distribution and transmission systems around the world. Cyberattacks on these targets can and have resulted in disruption of critical local, regional, and national government and commercial infrastructures. As a result, when they are breached, the impact on societies they serve stands to be catastrophic.

According to a study by the Pew Internet and American Life Project, 60 percent of the technology experts interviewed believe that a major cyberattack will happen. The damages to property and ensuing theft will amount to tens of billions of dollars, and the loss of life will be significant.

Scalable SCADA protection

“We are proud to be the first in the industry to provide customers a globally scalable, deception-based threat detection solution for SCADA protection,” emphasizes Tushar Kothari, CEO of Attivo Networks. “Many of our customers from the energy industry have requested the extension of our Attivo Deception Platform into their production and manufacturing control networks so they can get real-time visibility and the ability to promptly identify and remediate infected devices. As one stated, ‘a breach on those networks can be catastrophic and Attivo wants to do everything we can to prevent a disaster or risk to lives.’”

SCADA systems had originally been designed to monitor critical production processes without consideration to security consequences. Security had been generally handled by keeping the devices off the network and the Internet using “air gaps” where malware could only be transmitted by the thumb drives used by technicians. However, today vulnerable SCADA systems are increasingly being connected to the corporate IT infrastructure and Internet, making them easily accessible to a remote attacker.

Examples of this would be the Sandworm malware that attacked Telecommunications and Energy sectors, Havex malware that infected a SCADA system manufacturer, and BlackEnergy malware that attacks ICS products manufactured by GE, Siemens, and Advantech. These attacks primarily targeted the operational capabilities of these facilities. With the increased maliciousness and sophistication of malware, concerns are now escalating to fears of an irreversible disaster.

Situational awareness

“Industrial systems have increasingly come under scrutiny from both attackers and defenders,” said Chris Blask, Chair of the Industrial Control System Information Sharing and Analysis Center (ICS-ISAC). “Situational awareness is the focus of the ICS-ISAC and its membership, including the ability for asset owners to detect and respond to incidents on their systems.”

These devices generally have long lifecycles, creating an exposed environment driven by equipment that is less hardened and patches made infrequently. Additionally, because of their critical functions, SCADA devices cannot be taken offline frequently or for any length of time. This, along with costs that can run into the millions for every hour the network is offline, has made patching very difficult, often as infrequent as once a year, leaving many industrial facilities open to attacks. These risks are quite large considering these devices are found everywhere in electrical facilities, food processing, manufacturing, on-board ships, transportation and more.

“Companies operating in critical infrastructures like energy, utilities, nuclear, oil and gas know that they are not only vulnerable to the same security issues faced by most enterprises, they have the added enticement as a rich target for cyber terrorism,” stated Tony Dao, Director Information Technology, Aspect Engineering Group. “They recognize that securing their industrial control processes is not only critical to them, but to the institutions they serve. A loss would not only have repercussions throughout their economic sector but throughout the entire economy.”

The vulnerabilities begin with the use of default passwords, hard-coded encryption keys, and a lack of firmware updates, which pave the way for attackers to gain access and take control of industrial devices. Traditional perimeter-based solutions are designed to detect attacks on these devices by looking for suspicious attack behavior based on known signature patterns. SCADA supervisory systems are computers running normal Windows operating systems and are susceptible to zero day attacks, in which there are no known signatures or software patches. Several vulnerabilities also exist in the standard and proprietary protocols within Logic Controllers. Popular protocols include MODBUS (supervision and control), DNP3 (Energy and Water), BACNET (Building Automation), and IPMI (Baseboard Management Control).

Deception technology

Attivo Networks takes a different approach to detecting cyber attacks on ICS-SCADA devices. Instead of relying on signatures or known attack patterns, Attivo uses deception technology to lure the attackers to a BOTsink engagement device. Customers have the flexibility to install their own Open Platform Communications (OPC) software while running popular protocols and PLC devices on the BOTsink solution, making it indistinguishable from production SCADA devices. This provides real-time detection of BOTs and advanced persistent threats (APTs) that are conducting reconnaissance to mount their attacks on critical facility and energy networks. Additionally, BOTsink forensics capture information including new device connections, issued commands and connection termination, enabling administrators to study the attacker’s tools, techniques, and information on infected devices that need remediation.
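The kind of record described above (new connection, issued commands, connection termination) can be sketched for a Modbus/TCP decoy. This is an added example, not Attivo's code or anything from the original article; the function names, severity labels and sample session are constructed for illustration.

```python
import struct

# Public Modbus function codes: (name, changes device state?)
FUNCTIONS = {
    1: ("Read Coils", False),
    3: ("Read Holding Registers", False),
    4: ("Read Input Registers", False),
    5: ("Write Single Coil", True),
    6: ("Write Single Register", True),
    15: ("Write Multiple Coils", True),
    16: ("Write Multiple Registers", True),
}

def parse_modbus_tcp(frame: bytes) -> dict:
    """Decode one Modbus/TCP request: 7-byte MBAP header followed by the PDU."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id is not 0, so this is not Modbus")
    if length != len(frame) - 6:  # length counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    code = frame[7]
    name, write = FUNCTIONS.get(code, (f"Unknown function {code}", False))
    return {"transaction": tid, "unit": unit, "function": code,
            "name": name, "write": write}

def decoy_events(session):
    """Build forensic records for one session seen by a decoy.
    Assumption: no legitimate client talks to a decoy, so every contact is
    at least 'high'; a write attempt is 'critical'."""
    src, frames = session
    events = [{"src": src, "event": "connect", "severity": "high"}]
    for frame in frames:
        try:
            req = parse_modbus_tcp(frame)
            sev = "critical" if req["write"] else "high"
            events.append({"src": src, "event": "command", "severity": sev, **req})
        except ValueError as exc:
            events.append({"src": src, "event": "malformed",
                           "severity": "high", "detail": str(exc)})
    events.append({"src": src, "event": "disconnect", "severity": "high"})
    return events

# Constructed sample session (documentation address, hand-built frames).
SAMPLE = ("192.0.2.10", [
    bytes.fromhex("000100000006010300000002"),  # read 2 holding registers
    bytes.fromhex("0002000000060106000100ff"),  # write one register
    bytes.fromhex("0003000100060103"),          # wrong protocol id
])
```
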

The Attivo SCADA solution is provided through a custom software image that runs on its BOTsink appliance or virtual machine. SCADA BOTsink deployment and management are provided through the Attivo Central Manager, which provides global central device management and threat intelligence dashboards and reporting.

“To a significant degree, the growing security problems impacting industrial control systems have originated from the fact that ICSs are increasingly less and less isolated from outside networks and systems, and ICSs are now more susceptible and vulnerable to attacks,” comments Ruggero Contu, Research Director at Gartner in his Market Trends: Industrial Control System Security, 2015 report. “At the heart of this change is the demand to integrate enterprise IT systems to operational technology, and for remote connectivity.”

Check out this white paper: Dynamic Deception for Industrial Automation and Control Systems
