No one understood or more succinctly described strategies and philosophies of war than the great Chinese general, Sun Tzu.
Despite living and penning these words of wisdom almost 2700 years ago, leaders of today still apply the tactics described in the Art of War in in the technology-driven world we live in today.
Sun Tzu also said, “To know your Enemy, you must become your Enemy.” Now as a control engineer working for a reputable organization no one is advocating that you become a dark web hacker to understand the challenge you are facing when creating security for PLCs, but there is value at understanding who the enemy is and what their motivation and techniques may be.
When PLC’s developed in the early 1970’s replaced relays in control systems for automotive assembly lines and rapidly adopted and integrated across the industrial landscape security was entirely physical as there was no access to these systems outside a given facility. Times have obviously changed dramatically.
Advances in technologies involving M2M communications has given organizations access to massive amounts of data that can be translated into actionable information leading to better and more timely decision making. The rise of IoT has quickly brought access to this volume of valuable data over the internet. Machines can now be connected anywhere on the planet. This increased connectivity and access has also greatly increased the vulnerability of networks and the machines and PLCs utilizing them.
No matter what industry a Control Engineer is designing or developing a system with PLCs, security has come to the forefront and must be a top concern and consideration during all phases of design and implementation. So, who and what constitute the primary threats in the machine builder environment for Control Engineers utilizing PLCs? Here are some considerations:
Malware has been the primary cause of most disruptive and destructive attacks over the last decade. Hacktivist would target an organization or industry based on their own beliefs with a goal of causing massive disruption and destruction. An often-cited example is the 2010 Stuxnet malware attack on the Natanz nuclear facility in Iran that resulted in the destruction of 1000 centrifuges. Over the past few years we have seen a rise in the number of attacks utilizing Ransomware to hold organizations as well as individuals sensitive or proprietary data hostage. Unless exorbitant payments were made the victim’s information or digital assets would be destroyed or leaked to the public.
In sports, the cheaters and dopers always seem to be one step ahead of the regulatory agencies trying to maintain a level playing field. The Academy Award winning documentary Icarus illustrates just how far individuals and states will go to cheat the system and stay ahead of doping controls. The same is true of hackers. It is much easier for any hacker to take advantage of the cracks in a new emerging technology than it is for an organization or industry to create impenetrable security measures.
These threats used to emanate mainly from small groups of hackers hiding in the shadows. Today organized crime groups and even state-sponsored action constitute the greatest threats. Syndicates have the money and the muscle to employ the most accomplished hackers on the planet, who are all available for a price. The proliferation of nation-grade malware has put these powerful weapons in the hands of individuals who can inflict as much harm as a rogue nation.
Change is Constant
Today, attacks tend to happen quickly and are relatively short in duration. Even though a breach can usually be eliminated swiftly, the fallout and damage can be more far-reaching and lasting. While attacks against infrastructure such as the electrical grid or water supplies could pose an imminent threat to human lives, those targeting consumer data can be equally as devastating. A company or industry’s reputation may never recover in the wake of such an event.
Markets and Industries are moving quickly. Companies are seeking to be innovators or disruptors and are racing to be first to market and are under intense pressure to perform. We are now in the midst of the rapidly emerging 4th Industrial Revolution and continue to see Moore’s Law on display as technology and innovation continue to accelerate at a dizzying pace. What constituted state-of the-art security in any industry 12-18 months ago can be woefully obsolete today.
Even though it may be impossible to eliminate all security breaches in systems and devices, machine builders can never rest on their laurels and have to remain proactively vigilant to maintain the best PLC security that can be incorporated into a design. These are the new battle lines in 21st century digital warfare. Sun Tzu said, “Invincibility lies in the defense.” How strong is your defense?
• Although it may not actually connect to the internet, a control system is unsafe. Contrary to popular belief, a modem connection could also experience intrusion and a hack.
• Wireless networks, laptop computers, and trusted vendor connections could be other sources of connections in which people may be likely to overlook.
• Keep in mind that the majority of IT departments are unaware of factory automation equipment, including CNCs, CPUs, PCBs, robotics parts and, last but not least, PLCs.
• Piggybacking off of the last point, IT departments’ lack of experience with the aforementioned equipment, along with their lack of experience with industrial standards and scalable processes indicate that they should not be in-charge and responsible for a company’s PLC security. Nobody wants an annoyed employee to make inappropriate changes to a PLC’s communication highway.
• Hackers do not necessarily need to understand PLC or SCADA to block PC-to-PLC communication. They absolutely do not need to understand a PLC or SCADA system to cause operational or programming issues.
• Often times, control systems, including ones that many PLCs integrate with, use Microsoft Windows, which is very popular amongst hackers.
• Some PLCs crash simply by pinging an IP address, like what happened at the Brown’s Ferry Nuclear Plant, which is located in upstate Alabama. Since the incident in 2006, the plant has undergone numerous security, operational, and management improvements.
In conclusion, when a security breach occurs, regardless of the specifics, understanding that time is of the essence will help smooth over most incidents. Trusting who has access to a control systems environment and thumb drive is crucial. If someone has access to the control system environment and thumb drive, ensure they’re well-qualified and up-to-speed with their team and/or company.
Written by Joseph Zulick from MRO Electric and Supply.