March 28, 2024

The Russians are Coming! (and so are their friends)
SECURITY SESSIONS

by William T. (Tim) Shaw, PhD, CISSP / CIEH / CPT
Have you heard the one about the Chinese hackers that attacked the honeypot that was designed to look like a municipal water utility control system and got caught in the act? Sorry, that's not actually the start of a joke, it is an actual fact, and not one that ought to make you laugh. In the last few years cyber security researchers, corporate IT organizations, and government agencies have identified a huge number of illegal entries into corporate systems, networks and computers by highly skilled hackers believed to be part of a Chinese military operation. If you don't take cyber security seriously your systems and networks could be next.

William T. (Tim) Shaw
PhD, CISSP / CIEH / CPT

I believe that I am not an alarmist (others may differ in their opinions) and I like to see the facts before I go off on a rant. But the evidence of widespread cyber meddling by foreign nation states, activist groups, and terrorist groups is growing every day and hardly a week goes by where we don’t hear about yet another hacking attempt or hacking success that was eventually discovered to the amazement of all involved. Some of this activity is even being perpetrated against high-tech companies and companies who are in the business of cyber security and who you would expect to be secure.

In my opening paragraph I mentioned a ‘honeypot’ and maybe I should explain. Since remotely attacking a computer system mainly involves sending specially crafted messages and examining the responses it is possible to create a simulation of a real system that responds in the way the actual system would, leading the attackers to believe that they are attacking the real deal. A well designed honeypot can fool even expert hackers up to a point; hopefully long enough to gather information about how the attackers are trying to exploit the simulation and even who they are. Researchers, government laboratories such as Idaho National Labs, and other organizations, have staged numerous honeypots designed to look like commercial industrial automation systems in an effort to collect information on attack methods and attack sources. The higher-fidelity honeypots even incorporate cyber security mechanisms to make them look more realistic and to fend off the amateurs while presenting a tempting target to the serious threat agents.

It is pretty well documented that the Chinese government (via their military) and other governments with a bone to pick with the USA (such as Russia), along with international terrorist groups in the Middle East have developed cyber warfare teams and have them busily probing our defenses. But the focus of these efforts is only partially on our government organizations and military. A growing majority of them are aimed at our critical infrastructure and associated computer-based automation systems (particularly DCS and SCADA systems). Terrorist groups would like to take control of critical automation systems and networks in order to generate a newsworthy ‘incident’, preferably with as much murder and mayhem as is possible – which is what terrorism is all about after all. The nation states tend to want to gather (steal) technology and intellectual property and to establish backdoors into critical systems so that if they needed to create a problem for us some day (or just threaten us with one) they would have the ability to do so. Imagine if we threatened to block a Chinese invasion of Taiwan and they threatened to take down our power grid and the water supplies of all major cities if we interfered. I wouldn’t like to be the one making that call. I prefer to be one of those making sure that such unpalatable contingencies never arise.

You may be wondering if we have comparable or even superior military cyber capabilities and, if so, why don’t we use them to take out the perpetrators? Why can’t the government make the problem go away? Why not just disconnect evil countries from the Internet? Well, I don’t have time for a civics lesson here, or a lengthy discussion of international law, but at least you need to understand that even though we may have invented the Internet we don’t own it and we don’t control all of it. We may well have branches of the military and other government agencies with significant cyber expertise, but they are constrained by our own laws and international treaties.

Many people would probably be thinking “but we have had years to get protections in place so why is this still happening? Have the hackers developed super-human powers??” The sad fact is that even though there have been government warnings about the need for cyber security far too many organizations just ignored the warnings and hoped for the best. After all wouldn’t Microsoft eventually send out some security patches and make all of these problems go away? Can’t Cisco sell us a magic box that will keep the bad guys at bay? Other organizations just played the probabilistic risk assessment game and proved (to themselves at least) that the actual risk was so small that they could not make a business case to justify putting any effort or funding into cyber protections. Yet still other organizations asked the simple question: “what is the minimal effort I can expend to prove to regulators and underwriters that we have addressed cyber security?” and then used the answers to that pondering as the basis for their cyber security efforts.

I am not saying that everyone and every organization are guilty of these evasions, but far too many are. I have been in plants recently where they are still arguing about isolating the plant network from the corporate networks, because that makes it hard (or impossible) for corporate IT to remotely administer things at the plant site. Hackers love it when you keep weak and persistent remote access mechanisms in place. What makes it convenient for corporate IT also makes it easier for hackers. Some of the facilities I have been in recently still permit remote dial-in access to control systems. There are even plants where people still carry around USB ‘thumb drives’ and plug them into any system or device they want, with no concern about what they may contain or where they have been. We know better, but for whatever reasons we don’t implement the measures that this knowledge dictates taking.

America and Americans have always had a problem with getting our act together before the disaster hits. We are the world’s best at rushing in to rescue, recover, and restore after disaster strikes, but amazingly bad at up-front preparedness. We seem to believe that “it won’t happen here” and don’t prepare. Then we get smacked in the face by floods, hurricanes, droughts, and yes, cyber attacks. Far too many of our industrial automation systems are still far too vulnerable to cyber attack and infiltration simply because nothing much has been done to protect them. The surprising facts about successful cyber attacks are that a substantial number of them are based on exploiting vulnerabilities that we already know how to fix.

One of the reasons that we are in this fix is that corporations have grown information hungry and demand real-time data from around the enterprise in order to feed business optimization models. Plant automation systems used to be isolated and data required by corporate applications was delivered on magnetic tape or floppy disks. Today, too many plant automation networks are directly connected to a corporate network with minimal protections between the two. The ISA’s SP.99 committee and NIST came together several years back to issue SP 800-82 which provides guidance on separating plant and corporate networks using a ‘DMZ’ approach.

The problem is that this strategy isolates corporate IT from reaching into plant systems and networks which means that plants need more local IT support. I recently saw a plant where the DMZ contained a dozen different servers, with the only reason for their being positioned in the DMZ was so that corporate IT could administer them. Placing a bunch of inadequately hardened servers in the DMZ totally defeats the purpose of having a DMZ. It’s like placing a bunch of bridges over a river and only guarding some of them and then wondering how unauthorized people are getting across.

Time and time again I see cost avoidance or reduction being used to justify minimal or poor cyber security. At least up to the point where a corporation is subjected to a successful cyber attack, and then the check books come out. I am reminded of visiting a plant and talking to the I&C engineer who was given the task of putting some cyber security in place, but not provided with time and funding to get any specialized training. He proudly showed me the firewall that he had placed between the corporate network and the plant network. When I asked him about the access control rules he told me “only I have access to this firewall.” So I tried again and asked about the security policies and he told me “our policy is that only I can support the firewall.” On my third try I asked if he had programmed any settings and configuration into the firewall and he told me that “it came out of the box already programmed.” He then added that when he put it in place everything kept working so he didn’t think he should change anything in the configuration. We dumped the ACL rule list and as I feared there were only two factory default rules, one for in-coming messages and one for out-going messages: ’Permit All.’ Essentially the firewall was a wire, but the poor engineer didn’t have the training to know that he had no protections in place. Up to that point he had been sure that his plant was protected because he had installed a firewall. Now that’s a real joke.

Come on people, we can do better than this! But that will have to be the subject matter for a future column.

About the author

Dr. Shaw is a Certified Information Systems Security Professional (CISSP), a Certified Ethical Hacker (C|EH) a Certified Penetration Tester (CPT) and has been active in designing and installing industrial automation for more than 35 years. He is the author of Computer Control of BATCH Processes and CYBERSECURITY for SCADA Systems. Shaw is a prolific writer of papers and articles on a wide range of technical topics and has also contributed to several other books. Shaw has also developed, and is also an instructor for, a number of ISA courses. He is currently Principal & Senior Consultant for Cyber SECurity Consulting, a consultancy practice focused on industrial automation security and technologies. Inquiries, comments or questions regarding the contents of this column and/or other security-related topics can be emailed to timshaw4@verizon.net.