During the many years of my association with industrial control and plant automation systems, I, like most of my professional colleagues, have worked on the assumption that controller systems must meet industrial companies' functional requirements: accuracy, safety and reliability, and robustness and repeatability. Industrial companies invest in control and instrumentation systems not only to secure health, safety, and environment (HSE) protection, but also to improve plant asset performance, plant availability, and profitability.
The recent advent of Stuxnet, Flame, Duqu, Havex, and other such malware has exposed the vulnerability of industrial control systems to cyber-attacks and has opened Pandora's box. Cyber threats, posing serious challenges not only to industries but also to nation states, are a reality.
In my report "Reports on Industrial Control Systems' Cyber Security," I have compiled a few articles written to create the necessary awareness among the critical infrastructure industries about the real nature of the threats and to provide some suggestions to both industrial control and plant automation vendors and end users on initiating countermeasures.
Contents
- Industrial Control Systems: Functional Safety and Cyber-security
- Industrial Control Systems: Cyber Security Imperatives
- Cyber Vulnerabilities Distract Industrial Companies' Focus on Core Activities
- Cyber Security: Troubling Questions
- Havex Demolishes the Myth of Trusted Sites
- Can India Protect itself from Cyber Threats?
- Industrial Control Systems' Cyber Security
Industrial Control Systems: Functional Safety and Cyber-security
[Published in Industrial Automation October 2013 issue]
Manufacturing companies, while investing in automation systems, seek to automate manufacturing operations to achieve efficient and consistent production, meet health, safety, and environmental protection objectives, realize productivity improvements, agility, and responsiveness, and gain competitiveness. Automation involves massive real-time data gathering, analysis, and storage, and the retrieval and sharing of information; in these areas, information and communication technologies are extremely powerful. The automation industry, recognizing the benefits of leveraging information and communication technologies (ICT), incorporated the processing and communication features of ICT in automation systems. The industry took big strides in leveraging ICT to enhance analytical capabilities and self-diagnostic features, improve operator interfaces and collaboration, and store and retrieve historical information.
ICT's Ever-Increasing Role in Automation and Manufacturing
The ever-increasing power and reliability of microprocessors and rapid advances in software technology provided the necessary impetus for the automation industry to develop distributed control systems (DCS) and Safety Instrumented Systems (SIS) for use in process industries, programmable logic controllers (PLC) for discrete industry applications, SCADA systems for operating pipelines and electrical transmission and distribution networks, and others. The industry also developed intelligent industrial robots to perform hazardous operations, which on one hand enhanced operational safety and on the other improved productivity.
The adoption of information and communication technologies also helped the automation industry to integrate broadly, not only the various automation systems such as DCS, PLC, SIS, and SCADA and their subsystems among themselves, but also automation systems with enterprise solutions. It adopted digital communication in place of conventional analogue signal transmission to connect field devices to control systems. After protracted deliberations, the IEC committee developed the required standards governing the computer network protocols used in real-time distributed control. Because different technologies were needed to meet different application requirements, it became necessary for the IEC 61158 standard to accommodate multiple fieldbus technologies under one umbrella. In the process control domain, both Foundation Fieldbus and PROFIBUS are commonly used. Recent trends indicate wider use of Ethernet-based industrial communication systems even at the device level. This trend will gain further momentum as the manufacturing industry becomes more efficient and leaner.
While avid discussions are taking place about the Internet of Things and cyber-physical systems at international conferences and industry events, ensuring industrial control systems' functional safety and cyber security is emerging as a major challenge.
Cyber Security is Integral to Functional Safety
Many production processes are hazardous and complex, and this spurred the automation industry to develop safety devices and control systems suited to such environments and to performing critical control functions such as fail-safe plant shutdown. In case an operational problem (including a shutdown) occurs in a plant, a well-designed Safety Instrumented System (SIS) brings the plant to a safe state so that the problem does not lead to adverse safety, health, and environmental consequences. While the SIS operates independently of the other control systems that run the plant and performs Safety Instrumented Functions (SIF), it is composed of the same types of control elements, such as transmitters and actuators.
At the completion of the engineering design, a plant project team including process experts performs a HAZOP study, a systematic, rigorous, procedural review to identify possible hazards, and on that basis establishes the Safety Integrity Level (SIL) that each safety instrumented function must achieve for the required integrity and reliability. The international standard IEC 61511 provides guidance to end users on the application of Safety Instrumented Systems in the process industries; it is based on IEC 61508, the generic standard for the design, construction, and operation of electrical/electronic/programmable electronic safety-related systems. Other industry sectors also have standards based on IEC 61508, such as IEC 62061 (machinery), IEC 62425 (railway signalling), IEC 61513 (nuclear), and ISO 26262 (road vehicles). The increasing use of robotics is driving the use of EN ISO 13849-1 for ensuring machine safety; this standard covers both mechanical and electronic safety components.
While the automation industry has taken major steps in developing industrial control systems and standards that ensure operational and functional safety, recent incidents such as the Stuxnet attack have exposed their inherent vulnerability to cyber threats. These threats, viewed in the context of the extensive role of cyber-physical systems (CPS) in the manufacturing facilities of the future, look ominous. Fundamentally, automation systems are built to meet the productivity and business needs of the manufacturing industry. Securing control systems from cyber-attack was not envisaged earlier as part of the requirement criteria and, as such, was not on the radar of automation companies and standards committees. However, the growing recognition that cyber threats are real calls for ensuring that control systems keep functioning securely even in the event of a cyber-attack. It has to be recognized that cyber security is integral to functional safety: a safety function that an attacker can disable, bypass, or spoof no longer delivers the SIL it was designed for.
A report prepared under the coordination of the German Federal Ministry of Education and Research and the Federal Ministry of Economics and Technology looks at the future manufacturing landscape, symbolically referred to as Industry 4.0. While highlighting on one hand the extensive use of technologies such as cyber-physical systems (CPS), the report identifies key action areas that need extensive research and development. Among others, the action areas include standardization and reference architecture, safety and security, and design, training, and continuing professional development.
Roadmap for Ensuring Cyber Security
While automation companies may have to go back to their drawing boards to design automation systems that treat security as one of the manufacturing industries' fundamental requirements, manufacturing companies have their task cut out to secure what they already operate. Vigilance and readiness, and the ability to identify cyber-attacks and quickly recover from and nullify their effects, are crucial to achieving a fair degree of protection. The way forward for them is to carry out security audits, vulnerability assessments, and penetration testing as they develop and implement defense-in-depth strategies at both the company and national level. The most important thing is to be aware of the threats, take serious note of them, and plan and implement countermeasures. Almost all automation suppliers have established dedicated teams to address cyber security challenges, and end users must begin to engage with them more proactively. In order to safeguard their future, end users must include the necessary security clauses in their procurement specifications. Automation suppliers, on their part, must offer control systems with strong security features that protect them from cyber-attacks.
While protecting the enterprise begins with implementing proper work-related controls such as access control and ensuring adherence to cyber security standards, such as ISA-99/IEC 62443 for industrial control systems and ISO/IEC 27001 for information security management, it is essential for the manufacturing company to create an in-house industrial control-system cyber security team. The cyber security challenges of industrial control systems are different from those of ensuring data security: availability and the integrity of the physical process come first, and the usual IT remedy of patching and rebooting is rarely possible at will. Therefore, the team must consist of experts in automation and process technologies in addition to experts in information and communication technologies. What is crucially important is to make a beginning by creating the in-house team and charging it with the responsibility to carry out security audits, vulnerability assessments, and penetration testing, to evolve solutions, and to implement them. The team may seek the support of technology solution providers and competent system integrators with the appropriate skills in industrial control-system cyber security.
The Government of India has designated the National Critical Information Infrastructure Protection Centre (NCIIPC) of the National Technical Research Organisation (NTRO) as the nodal agency under Section 70A(1) of the Information Technology (Amendment) Act 2008 for taking all measures, including associated research and development, for the protection of the country's Critical Information Infrastructure (CII). It has authorized NCIIPC "to take all necessary measures to facilitate protection of CII, from unauthorized access, modification, use, disclosure, disruption, incapacitation, or destruction, through coherent coordination, synergy, and raising information security awareness among all stakeholders" and mandated it with the vision "to facilitate safe, secure, and resilient Information Infrastructure for Critical Sectors in the country."
Some of the tasks assigned to NCIIPC include the following: facilitating capacity building towards the creation of highly skilled manpower by engaging premier institutes such as IISc and the NITs, as well as private and non-government partners working on CIIP; and facilitating thematic workshops and information security awareness and training programs. Without qualified and trained professionals and plans for their deployment, these initiatives would remain non-starters.
While the nodal agency NCIIPC, working in conjunction with industry and global organizations, develops long-term strategies and approaches, it is important for companies operating in critical infrastructure industries to initiate appropriate measures in the interim to fully comprehend the serious threats and the countermeasures. Critical infrastructure industries, such as communications, electric and water utilities, oil and gas, transportation, and others, play a crucial role in ensuring not only the country's economic wellbeing but also its territorial integrity, and are therefore the most exposed to attack.
"Incorporate cyber risks into existing risk management and governance processes. Cyber security is NOT implementing a checklist of requirements; rather it is managing cyber risks to an acceptable level. Managing cyber security risk as part of an organization's governance, risk management, and business continuity frameworks provides the strategic framework for managing cyber security risk throughout the enterprise," is the US Department of Homeland Security's advice to CEOs. This advice holds true not only for CEOs of US companies but equally for CEOs of Indian companies.
Industrial Control Systems: Cyber Security Imperatives
[Published in Industrial Automation April 2013 issue]
With information technology having emerged as the underlying technology supporting industrial control systems, automation companies took a quantum leap in leveraging IT to improve control systems' functionality and performance, operator interfaces, archiving of historical information, communication and analytical capabilities, self-diagnostic features, and more. Initially, industrial control systems used proprietary hardware and software platforms and operated in standalone mode, but as the microprocessors and other devices used in enterprise and other commercial applications became more powerful, reliable, and robust, automation suppliers began to deploy them extensively in automation systems. This trend apart, with enterprises demanding a seamless flow of information from plant floor to boardroom and vice versa, integration of automation systems with enterprise solutions became accepted practice. This further spurred the increased use of commercially available off-the-shelf technologies in industrial control systems, as they facilitated easier collaboration among manufacturing IT solutions.
While this trend continued, securing the control systems themselves took a back seat, but recent cyber-attacks such as Stuxnet, Flame, and Duqu acted as a wake-up call to both suppliers and end-user industries and exposed the vulnerability of control systems to such attacks. According to some sources, India is among the affected countries, and many infrastructure industries, such as oil and gas refineries, electric power grids, railways, and others, face the threat.
Ensuring ICS Security through Defense-in-Depth Strategies
Infrastructure industries rely upon Industrial Control Systems (ICS), such as Distributed Control Systems (DCS), Programmable Logic Controllers (PLC), Safety Instrumented Systems (SIS) used for plant safety shutdown, and Supervisory Control and Data Acquisition (SCADA) systems, not only to ensure plant asset performance but also to provide health, safety, and environment (HSE) protection. Control system malfunctioning can lead to serious consequences. At the level of the affected industry, a control system malfunction could result in production losses, loss of intellectual property, and risk to the lives of employees; at the national level the consequences could be catastrophic. It is important to understand that some incidents could have cascading and escalating effects, and cyber attackers could trigger such incidents deliberately. For example, the electric grid could be manipulated to collapse with a view to disrupting almost all other services, such as communication and transportation. The modus operandi of a cyber-attack through control systems is to deliberately cause the control systems to malfunction. It is a new weapon that is still under development, and therefore one could expect it to emerge more sophisticated. Both the captains of the automation industry and those of critical manufacturing verticals can only ignore these developments at their peril. Hence, it is imperative for process industries in the country to become aware of and comprehend the magnitude of cyber threats and the high risks to which they are exposed. They must take appropriate remedial actions, including the creation of comprehensive cyber security programs to develop and adopt defense-in-depth strategies.
The US Department of Homeland Security report 'Recommended Practice: Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies' states, "Cyber security, from a defense-in-depth perspective, is not just about deploying specific technologies to counter certain risks. An effective security program for an organization will depend on its adherence and willingness to accept security as a constant constraint on all cyber activities. Implementing an effective defense-in-depth strategy will require taking a holistic approach and leveraging all of an organization's resources in order to provide effective layers of protection."
Roadmap to Overcome Vulnerabilities of Control Systems
The control system, at the broadest level, has innumerable nodes spanning numerous field devices, I/O cards, communication buses, controllers, and operator interfaces. Typically, field devices are accessible through dedicated lines, handheld devices, or other communication protocols, including wireless. A cyber attacker, by gaining unauthorized access to the field devices, can cause them to malfunction by changing their characteristics and/or behaviour and thereby manipulate the entire plant or enterprise control. Additionally, the control system architecture has numerous servers, engineering stations, human-machine interface terminals, and the like. By gaining access to them, a cyber-attacker can manipulate operator and controller actions and data-driven applications. Similarly, by gaining access to the communication buses, an attacker could gain complete control over the network and manipulate the flow of information and command signals, since most industrial protocols carry neither authentication nor integrity protection.
The multitude of information technology and automation devices found in the control system architecture are certainly robust from functional and operating-environment perspectives, but not necessarily from the perspective of tamper-proofing them to prevent manipulation. Overcoming the control system cyber security challenges would call for automation suppliers to reassess the industrial control system architecture and all its subsystems and components in the context of their vulnerability to cyber-attacks. It is essential for automation vendors to collaborate with other stakeholders, including standards organizations, to re-evaluate their readiness to meet the challenge head-on and to quickly develop and offer appropriate solutions with the help of partners working in domains such as smart firewalls, endpoint security, and secure coding certification. There exists significant scope for domestic software service providers, such as TCS, Cognizant, Wipro, HCL Technologies, and others, to play their role.
In the long term, automation vendors have to introduce a range of control system offerings that inherently have strong built-in security features to protect them from malicious attacks. They may have to offer add-on packages with configurable options to meet the needs of customers using existing and earlier-generation control systems. As it stands now, potential attackers are probably a few steps ahead, and this necessitates immediate and concerted efforts from automation suppliers and their stakeholders to develop their defenses. While almost all automation suppliers have established dedicated teams to address cyber security concerns, they need to lead from the front to reassure end users and protect their ICS from being hijacked for malicious objectives. End users have invested in ICS to protect their plants from adverse safety, health, and environmental consequences.
The Role of Automation Suppliers, Infrastructure Industries, and the State
The escalating awareness about the vulnerabilities of control systems is forcing automation suppliers to find, on one hand, some near-term solutions and, on the other, to go back to their drawing boards to design and engineer automation systems that include security as one of the fundamental requirements. Another important mindset change required is to move away from the misconception that cyber threats are purely IT related. It calls for a top-down approach, with CEOs of manufacturing companies realizing the true nature of cyber threats on one hand and, on the other, automation companies creating the necessary awareness among end users about control system vulnerabilities and offering appropriate solutions. However, ensuring security from cyber-attacks calls for policy initiatives not only from enterprises and industry organizations but also at national and global levels. How critical it is to formulate national-level policies aimed at protecting critical infrastructure industries from possible cyber-attacks can be gauged from the fact that the President of the United States issued an Executive Order on February 12, 2013 to improve critical infrastructure cyber security. The Executive Order is the result of recognizing the cyber threat to critical infrastructure as one of the most serious national security challenges.
Positive Developments
The Government of India's Inter-Departmental Information Security Task Force (ISTF) has set up the Indian Computer Emergency Response Team (CERT-In) to respond to cyber security incidents and take steps to prevent their recurrence.
While the Honeywell Industrial Cyber Security workshop recently held at Kolkata is a welcome initiative in this direction, the need of the hour is for more such workshops by other suppliers. From the industrial companies' perspective, it is necessary for them to initiate specific actions, to begin with, to gain awareness and evaluate risks, and subsequently to carry out security audits, vulnerability assessments, and penetration testing and to develop a set of policies and procedures and a crisis management program. Protecting the enterprise begins with implementing straightforward work-related controls, such as access control, and ensuring adherence to cyber security standards. Eternal vigilance, and the readiness and ability of the enterprise to identify a cyber-attack, recover from it quickly, and nullify its effects, are key to achieving a fair degree of protection. The most important thing is to be aware of the threats, take serious note of them, and plan and implement countermeasures.
Cyber Vulnerabilities Distract Industrial Companies' Focus on Core Activities
[Published in Industrial Automation July 2014 issue]
The role of manufacturing information technology as a business enabler is well recognized. It began with manufacturing companies leveraging information technology in their finance and human resource departments to perform transactional functions, such as maintenance of accounts, preparation of financial statements, personnel records, and others. Often a company created an electronic data processing department with a few information technology professionals playing a supporting role. Information technology also made its way into hard-core production operations through instrumentation and control systems. Over the years, this trend expanded and information technology became pervasive, emerging as a powerful tool in the hands of manufacturing enterprises pursuing productivity improvements and business excellence. The span of information technology solutions expanded beyond enterprises to interconnect all economic, industrial, and other activities. The further convergence of information and communication technologies provided an additional spur.
While these trends have generally been positive, ICT has a serious downside too: its vulnerability to cyber-attacks, and such threats are increasing by the day. It is important to note that cyber threats go far beyond the often-reported website and phishing attacks; they now include advanced persistent threats and the like. An advanced persistent threat (APT) is a sustained intrusion campaign, often orchestrated by well-resourced groups, that targets a specific entity, including nation states, with business or political intent. It uses sophisticated techniques, planting malware that exploits vulnerabilities in the target's systems, and may use external command and control to continuously monitor, manipulate, and threaten the target's information technology systems. Stuxnet, which targeted nuclear centrifuges, is a typical example of an APT.
Comprehending the implications of cyber-attacks
Cyber-attacks are not limited to banks and ATMs but extend to manufacturing and especially the critical infrastructure industries, such as electric power and water utilities, transportation, and communications. In an interconnected world, such attacks can be catastrophic. Concerned about the lack of necessary awareness and preparedness among stakeholders about the potential consequences, US President Barack Obama had to issue the Executive Order on Improving Critical Infrastructure Cybersecurity. Section 1 of the Executive Order, on policy, states, "The cyber threat to critical infrastructure ….represents one of the most serious national security challenges we must confront. The national and economic security of the United States depends on the reliable functioning of the Nation's critical infrastructure in the face of such threats."
Industrial companies are yet to fully comprehend the implications of cyber-attacks, such as zero-day attacks and advanced persistent threats, for their own enterprises and for national security. Despite malware such as Stuxnet, Flame, Duqu, and others having exposed the vulnerability of industrial control systems to cyber-attacks, a lack of awareness about the true nature of such threats persists among industrial companies. Ironically, the very same industrial companies might have made significant investments in protecting their traditional information technology infrastructure! The general perception among most industrial companies is that their control systems, which all these years operated in obscurity, are safe from cyber threats. It is a myth!
The spate of recent happenings in the cyber world clearly establishes that companies have to come to terms with the new reality and act swiftly. Whether manufacturing companies are ready is, however, the moot question. Probably the answer is 'no', and manufacturing companies may find themselves caught on the wrong foot. Let us look, for example, at the recent announcements about the Heartbleed vulnerability and Microsoft's withdrawal of support for the Windows XP operating system. While the former is a newly discovered threat vector, the latter was only a reconfirmation of an earlier deadline.
Advisories and notifications – Industrial Companies caught on the wrong foot
According to the recently released ICS-CERT advisory ICSA-14-105-3, some Siemens industrial products that may be deployed in critical infrastructure sectors such as chemical, critical manufacturing, energy, food and agriculture, and water and wastewater systems are vulnerable to OpenSSL Heartbleed. Regarding the impact, the advisory states, "a successful 'Heartbleed' exploit of the affected products by an attacker with network access could allow attackers to read sensitive data (to include private keys and user credentials) from the process memory." It adds that the impact to individual organizations would depend on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation.
Siemens, in its security advisory 'SSA-635659: Heartbleed Vulnerability in Siemens Industrial Products', says, "The 'Heartbleed' vulnerability in the OpenSSL cryptographic software library (CVE-2014-0160) affects several Siemens industrial products," and goes on to add, "Siemens is working on updates for the affected products…" and that the company already provides updates for two of the affected products which fix this vulnerability. The company's mitigation advice for two of the affected products includes steps such as disabling the web server or limiting web server access to trusted networks only, disabling FTPS, and the like. Note that such mitigations reduce exposure rather than remove the flaw: any service that still terminates TLS with the vulnerable library remains exploitable by whoever can reach it.
The ICS-CERT notification, which says that even attackers with low skill could exploit this vulnerability remotely using publicly available tools, is worrisome; but the challenges end users face in handling such situations and in implementing the mitigation measures suggested by the supplier of the industrial products are more troubling. My heart bleeds for end users, the manufacturing companies!
The ICS-CERT advisory also encourages asset owners to take defensive measures that include minimizing network exposure for all control system devices and/or systems, and locating control system networks and remote devices behind firewalls, isolated from the business network. Additionally, the advisory suggests the use of Virtual Private Networks (VPNs) when remote access is required, and adds the rider that VPNs may themselves have vulnerabilities, must be kept up to date, and are only as secure as the devices connected to them.
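To make concrete what "read sensitive data from the process memory" means, the following is an added simulation of the flawed and the fixed heartbeat handling, written for this page; it is not OpenSSL, Siemens, or ICS-CERT code. Process memory is modelled as a single bytes buffer in which the received heartbeat record is followed by unrelated secret material, and the record layout follows RFC 6520: one type byte, a two-byte payload length, the payload, and at least 16 bytes of padding. The secret strings, the names build_heartbeat, vulnerable_respond, fixed_respond, leaked_bytes and run_scenario, and the heap layout are this example's own assumptions; the length check in fixed_respond mirrors the bounds test introduced in OpenSSL 1.0.1g.

```python
"""Model of the OpenSSL heartbeat bug (CVE-2014-0160) and its fix.

Added example, not code from OpenSSL, Siemens or ICS-CERT. "Process memory"
is a bytes buffer holding the received record followed by unrelated secrets,
so an over-read past the record returns those secrets to the peer.
"""
import struct
from typing import Optional, Tuple

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16  # RFC 6520 requires at least 16 bytes of padding

# Constructed stand-in for whatever sits on the heap next to the record.
ADJACENT_SECRETS = b"-----BEGIN RSA PRIVATE KEY-----MIIEow...  user=operator;pw=hunter2"


def build_heartbeat(payload: bytes, claimed_len: int) -> bytes:
    """type(1) | payload_length(2) | payload | padding(16).
    A peer that sets claimed_len > len(payload) triggers the bug."""
    return (bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", claimed_len)
            + payload + b"\x00" * MIN_PADDING)


def _echo(memory: bytes, payload_len: int) -> bytes:
    """Build the response the way the C code did: copy payload_len bytes
    starting at the payload, wherever that copy happens to run."""
    echoed = memory[3:3 + payload_len]
    return (bytes([HEARTBEAT_RESPONSE]) + struct.pack("!H", payload_len)
            + echoed + b"\x00" * MIN_PADDING)


def vulnerable_respond(memory: bytes, record_len: int) -> Optional[bytes]:
    """Pre-1.0.1g behaviour: trusts the peer's payload_length and never
    compares it with record_len, the number of bytes actually received."""
    if record_len < 3 or memory[0] != HEARTBEAT_REQUEST:
        return None
    (payload_len,) = struct.unpack("!H", memory[1:3])
    return _echo(memory, payload_len)  # may run far past the record


def fixed_respond(memory: bytes, record_len: int) -> Optional[bytes]:
    """1.0.1g behaviour: discard the record unless header + declared payload
    + minimum padding fit inside what was actually received."""
    if record_len < 1 + 2 + MIN_PADDING or memory[0] != HEARTBEAT_REQUEST:
        return None
    (payload_len,) = struct.unpack("!H", memory[1:3])
    if 1 + 2 + payload_len + MIN_PADDING > record_len:
        return None  # malformed heartbeat: silently dropped
    return _echo(memory, payload_len)


def leaked_bytes(response: Optional[bytes], sent_payload: bytes) -> bytes:
    """Everything the responder echoed beyond what the requester actually sent."""
    if response is None:
        return b""
    (payload_len,) = struct.unpack("!H", response[1:3])
    echoed = response[3:3 + payload_len]
    return echoed[len(sent_payload):]


def run_scenario(sent_payload: bytes, claimed_len: int) -> Tuple[Optional[bytes], Optional[bytes]]:
    """Send one crafted heartbeat to both implementations; return (vulnerable, fixed)."""
    record = build_heartbeat(sent_payload, claimed_len)
    memory = record + ADJACENT_SECRETS  # constructed heap layout
    return (vulnerable_respond(memory, len(record)),
            fixed_respond(memory, len(record)))


if __name__ == "__main__":
    vuln, fixed = run_scenario(b"hello", claimed_len=200)
    print("vulnerable leaks:", leaked_bytes(vuln, b"hello"))
    print("fixed response  :", fixed)
```

Running the script shows the vulnerable responder returning the key material and credentials that follow the record in the modelled heap, while the fixed responder drops the malformed heartbeat; a well-formed heartbeat (claimed length equal to the real payload length) is answered identically by both. The point for asset owners is that the only durable remedy is the library update, since no amount of the attacker's "skill" is involved once the declared length is simply taken on trust.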
The Microsoft notification concerns the withdrawal of technical support, security patches, and updates for the Windows XP operating system with effect from April 8, 2014. Those who had not switched over to later versions of the operating system, or taken Microsoft's extended support, which too is available for only an additional 15 months, face a perilous future beyond that date. According to the company's notification, it is very important for customers and partners to migrate to a modern operating system; the available Microsoft options are Windows 7 or Windows 8.1. Explaining further, Microsoft says that systems running Windows XP after April 8, 2014 should be considered unprotected. In other words, persisting with Windows XP beyond the deadline increases cyber security risk, as no new security patches for vulnerabilities would be available. The implied meaning is: either upgrade to a newer operating system or buy a new computer; if you want to buy some additional time, Microsoft would do you a favour, but at additional cost, and not a small sum, as the UK government's deal cost almost £5.6 million. For plants the problem is acute, because Windows XP is still embedded in many operator stations and engineering workstations whose vendor software was qualified only on that release.
Asset owner challenges in ensuring control systems’ cyber security
However, implementing some of the suggestions contained in the above-mentioned advisories and notifications poses challenges to many asset owners who are purely users of industrial control products, which are an integral part of a much larger and complex plant and enterprise automation system architecture. Compared to enterprise applications, where potential disruptions are manageable, the implementation challenges are more serious in industrial control applications, which demand low downtime and involve customization. In the case of enterprise applications, it is possible to take a backup, shut down the system, apply patches or updates, and then restart. However, in the case of real-time control systems in critical infrastructure industries, which require 24x7 availability, a shutdown has to be a scheduled operation with adequate planning. Often, migrations and updates call for redeveloping control applications, involving additional effort, interoperability testing to ensure that the software update works and is compatible with legacy subsystems, and unbudgeted expenses. Hardware upgrades, required where existing hardware does not meet the new system requirements, and the need to monitor and evaluate the near-continuous stream of patches and updates are the other caveats.
Some of the troubling questions that arise are: do end users (industrial companies) have the necessary
expertise to effectively implement corrective measures on their own, without the support of the
supplier? What are the consequences of a successful cyber-attack, and who bears the costs? More
pertinently, how prepared are supplier companies to support their clients in addressing the
cybersecurity challenges, or would they take a subtle hands-off position? One, unfortunately, gets the
message that supplier companies have subtly transferred the responsibility to asset owners. It is
interesting to note that the ICS-CERT advisory ICSA-14-105-3 also talks only of encouraging asset
owners and does not provide any direction to control system and related information technology
suppliers. Looking beyond, should industrial companies make budget provisions for such incidents in
terms of maintenance time and costs, and evolve the necessary command and control reporting structure
to quickly handle situations that may arise in future? The moot point is how asset owners can focus on
their core business, for example generating and distributing electricity, when the non-core activity
of protecting their information technology and control system infrastructure distracts their in-house
resources.
Cyber Security: Troubling Questions
[Published in Industry 2.0 May 2014 issue]
While information and communication technology continues to connect the world and shape our lives in
ways never thought of before, its downside is beginning to cast dark shadows. Hackers and cyber
criminals are not only exploiting vulnerabilities but also using the technology itself as a
cyber-weapon which, in the words of the US President, can take down vital banking systems, trigger a
financial crisis, and bring businesses, cities, and entire regions to a standstill. Serious players,
including state-sponsored actors with a high degree of hacking skill, sophistication, and resources,
have joined the erstwhile criminals, whose primary interest was financial gain through fraud. While
cyber hacking has extended beyond stealing intellectual property or identities to include sabotaging
businesses and disrupting nations' critical infrastructure industries, such as electric power, water
utilities, and transportation, the number of vulnerabilities discovered and notified is also on the
increase.
While the report that came out of the joint effort between the World Economic Forum and McKinsey &
Company talks about the frequent occurrence of highly visible information and data breaches and their
impact, many nation states have begun to deliberate about the offensive use of cyber-attacks on their
critical infrastructure to destabilize economic and livelihood activities and defense capabilities.
While the recent vulnerability alerts relating to Microsoft Internet Explorer and Heartbleed are a few
examples of vulnerabilities whose ramifications raise serious discussion, President Barack Obama's
Executive Order highlights the need to secure the critical infrastructure sector from cyber threats, as
they present the US with its most serious national security challenge. This is the new avatar of cyber
threats, and such threats hold true for India and other countries as well. Stuxnet, Duqu, Flame, and
Shamoon are examples of the threats that confront nation states and their critical infrastructure
industries. Stuxnet is the first known malware to explicitly attack industrial control systems; in the
reported case of an Iranian nuclear facility, the malware destroyed centrifuges. Duqu, on the other
hand, gathers information and does not interfere with industrial operations. Flame can record audio,
screenshots, keyboard activity, and network traffic, and sends the data along with locally stored
documents to one of several command and control servers scattered around the world; the program then
awaits further instructions from these servers. A virus called Shamoon attacked Saudi Aramco's
computer systems, resulting in the shutdown of the company's internal corporate network and disabling
employees' e-mail and Internet access.
Reverting to the customary information and data related breaches: according to information available in
the public domain, the Internet Explorer vulnerability allows a remote, unauthenticated attacker to
install programs; view, change, or delete data; and create new accounts with full user rights, and IE
versions 6 through 11 are affected.
US-CERT announced in its advisory of April 10, 2014 that the "Heartbleed" OpenSSL vulnerability can
potentially impact Internet communications and transmissions that were otherwise intended to be
encrypted. It adds that cyber-criminals could exploit this vulnerability to intercept and decrypt
previously encrypted information: the bug lets a remote peer read chunks of the affected server's
memory, which can contain private keys, session cookies, and other secrets. Going further, the ICS-CERT
Advisory (ICSA-14-105-3) released recently highlights the more worrisome impact of the Heartbleed
vulnerability. According to the ICS-CERT Advisory, some Siemens industrial products that may be working
in critical infrastructure sectors such as chemical, critical manufacturing, energy, food and
agriculture, and water and wastewater systems are vulnerable to OpenSSL Heartbleed.
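To make the mechanism concrete, what follows is an added example, not part of the original article and not OpenSSL's own code, that models TLS heartbeat handling in Python. The "memory" buffer, the fake private key placed after the record, and the payload bytes are all constructed for the demonstration; the bounds check on the fixed path mirrors the condition added in OpenSSL 1.0.1g, which discards a heartbeat whose declared payload length does not fit inside the record actually received.

```python
"""Added example (not from the article): the Heartbleed over-read, modelled in Python.

A TLS heartbeat record is: type (1 byte) | payload_length (2 bytes, big-endian) |
payload | padding (at least 16 bytes). Vulnerable OpenSSL echoed payload_length
bytes from its receive buffer without checking that the record really contained
that many, so a short request with a large declared length leaked whatever sat
next to the record in process memory. All inputs below are constructed.
"""
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16


def build_heartbeat(payload, claimed_length=None):
    """Encode a heartbeat request. A claimed_length larger than len(payload)
    produces the malicious request that triggers the over-read."""
    length = len(payload) if claimed_length is None else claimed_length
    return bytes([HB_REQUEST]) + struct.pack("!H", length) + payload + b"\x00" * MIN_PADDING


def handle_heartbeat(memory, record_length, bounds_check):
    """Process the heartbeat record found at the start of `memory`.

    `memory` stands in for the receive buffer plus whatever follows it in the
    process (constructed here); `record_length` is the number of bytes actually
    received. bounds_check=False reproduces the vulnerable behaviour;
    bounds_check=True applies the 1.0.1g fix and returns None (discard) when
    the declared length cannot fit inside the received record.
    """
    hb_type = memory[0]
    (payload_length,) = struct.unpack("!H", memory[1:3])
    if hb_type != HB_REQUEST:
        return None
    # The fix: type byte + length field + declared payload + minimum padding
    # must fit inside the record that was actually received.
    if bounds_check and 1 + 2 + payload_length + MIN_PADDING > record_length:
        return None
    # Vulnerable behaviour: copy payload_length bytes from the payload start
    # onward, regardless of where the received record ends. (A slice past the
    # end of `memory` is simply truncated here; real code reads live memory.)
    echoed = bytes(memory[3:3 + payload_length])
    return bytes([HB_RESPONSE]) + struct.pack("!H", payload_length) + echoed + b"\x00" * MIN_PADDING


def response_payload(response):
    """Extract the echoed payload from a heartbeat response."""
    (length,) = struct.unpack("!H", response[1:3])
    return response[3:3 + length]


def demo():
    """Constructed scenario: a 5-byte payload that claims to be 60 bytes long,
    with a fake private key sitting just past the record in memory."""
    adjacent_secret = b"-----BEGIN RSA PRIVATE KEY-----MIIEowIBAAKCAQEA(constructed)"  # constructed
    benign = build_heartbeat(b"hello")
    malicious = build_heartbeat(b"hello", claimed_length=60)

    benign_reply = handle_heartbeat(benign + adjacent_secret, len(benign), bounds_check=True)
    leaked_reply = handle_heartbeat(malicious + adjacent_secret, len(malicious), bounds_check=False)
    fixed_reply = handle_heartbeat(malicious + adjacent_secret, len(malicious), bounds_check=True)

    return {
        "benign_echo": response_payload(benign_reply),
        "leak_contains_secret": b"PRIVATE KEY" in response_payload(leaked_reply),
        "leaked_bytes": len(response_payload(leaked_reply)),
        "fixed_discards": fixed_reply is None,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The benign request is answered identically by both paths; only the malformed one is affected, which is why the fix could be shipped without breaking legitimate peers. Note that the leak is silent: nothing in the vulnerable server's own logs distinguishes the malicious heartbeat from a normal one, which is why affected ICS products had to be assumed compromised and their keys rotated rather than merely patched.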
Going beyond President Obama's Executive Order, which focuses on the cyber threat perception of nation
states, the US Department of Homeland Security has advised CEOs that cyber security risk management
should form part of an organization's governance and risk management strategies. The recent cyber
incidents and advisories about vulnerabilities clearly establish that companies have to come to terms
with the new reality and act swiftly. Some of the troubling questions that arise from cyber security
issues: do end users have the necessary expertise to effectively implement corrective measures on their
own, without the support of suppliers? In case of a cyber-breach, who bears the responsibility and the
costs? More pertinently, how prepared are supplier companies to support their clients in addressing the
cybersecurity challenges, or are they taking a subtle hands-off position? Unfortunately, one gets the
impression that supplier companies are not proactive in tackling cyber security issues and have subtly
transferred the responsibility to asset owners. Looking beyond, should industrial companies make budget
provisions for such incidents in terms of maintenance time and costs, and evolve the necessary command
and control reporting structure to quickly handle situations that may arise in future? The moot point
is how asset owners can focus on their core business, for example generating and distributing
electricity or making life-saving medicines, when the non-core activity of protecting their information
technology and control system infrastructure distracts their in-house resources.
A few days ago, Target Corp, a retail giant, announced that its CEO Gregg Steinhafel had stepped down,
and according to industry observers the ouster may be due to the massive data breach that the company
suffered a few months earlier. The data breach, which occurred during the 2013 holiday shopping period,
resulted in the compromise of approximately 40 million credit and debit cards and the personal
information of millions of customers. The company's CEO took the ultimate responsibility. Boards can
pin the responsibility on CEOs, but what are the resources that CEOs have at their command to
effectively prevent cyber-attacks? Can suppliers touch their hearts and say that they are not
responsible?
Havex Demolishes the Myth of Trusted Sites
[Published in Industrial Automation August 2014 issue]
While information technology professionals were developing faster, more powerful, and more user-friendly
computers and applications, others who were equally competent in the technology began to indulge in
hacking computers and computer systems. In the early years, their primary motivation was the thrill of
discovering and exploiting loopholes to proclaim their skills, or personal gain. Identifying
vulnerabilities and exploiting them was more of a pastime than a profession, mostly indulged in at a
personal level or by small groups. Now the scenario is very different: cyber hacking has become a
profession; some practice it with bona fide intentions while others have mala fide goals. Serious
groups, with very high stakes and huge resources, have come to center stage with the goal of exploiting
cyber vulnerabilities to carry out espionage and to leverage them as a powerful destructive weapon to
take down critical assets and cause disruption. The targets of cyber-attacks go beyond IT
infrastructure and enterprise systems to include control systems, such as supervisory control and data
acquisition (SCADA) systems, distributed control systems, and programmable logic controllers. Such
attacks can result in the shutdown of power plants and water utilities and in the disruption of
communication and transportation services. These groups possess a high degree of hacking skill,
sophistication, and resources. Today, cyber-attacks could come from state actors or other unknown
groups acting at the behest of others for strategic purposes. The canvas is so wide that it is
difficult even to imagine the scope of future cyber-attacks, much less prepare an effective defense
against them.
Out comes Havex RAT from Pandora's Box
The perpetrators of Stuxnet opened the Pandora's Box of cyber warfare, and Havex RAT is the latest to
come out of it. The security firms Symantec and F-Secure have released information about the malware
Dragonfly / Havex. According to Symantec, the targets of Dragonfly include energy grid operators, major
electricity generation firms, and petroleum pipeline operators, and it attacks industrial control
systems. According to available reports, Symantec has notified affected victims and the relevant
national authorities that handle and respond to Internet security incidents, such as Computer
Emergency Response Teams (CERTs) and the Department of Homeland Security. In the public domain, there is
no information about alerts or advisories from any of the ICS suppliers.
The new malware, like Stuxnet, targets industrial control systems (ICS). It is a remote access Trojan
(RAT) and, according to reports available in the public domain, it uses the websites of software
companies, including ICS/SCADA suppliers, to deliver trojanized versions of legitimate applications to
targeted systems.
Following the alerts from the security firms, ICS-CERT has reported possible Havex Trojan infection of
the software installers on at least three industrial control system (ICS) vendor web sites. The Remote
Access Trojan (RAT) communicates with Command and Control (C&C) servers. ICS-CERT further states that
its testing has determined that the Havex payload caused multiple common OPC platforms to
intermittently crash. This could have a denial of service effect on applications that rely on OPC
communications.
Havex includes a data-harvesting component and a trojanized software installer. The trojanized software
installer can drop and execute files without the users of the control systems or their vendors being
aware of it. By this, the attacker gains access to, and the means to control, the target systems, which
may be controlling the operations of critical infrastructure industries. The data-harvesting component,
acting as an intelligence-collecting tool, gathers details about the operating systems, connected
devices such as control system devices, the network, vendor information, tag numbers, and similar
items, and sends them back to the command and control (C&C) servers for the attackers' analysis. It
also has a credential-harvesting tool that gathers passwords to aid further subversive actions. It is a
sophisticated attack, and only time will reveal the true implications of Havex RAT.
With the information that the malware collects, the organization behind Havex RAT will have all the
information necessary to attack the critical infrastructure firms it is interested in targeting. It has
the tag numbers of the important regulated parameters, the passwords necessary to change set points,
and details of the operating systems and hence their known vulnerabilities. With these operating details
available, it would not be a big challenge for the cyber criminals to sabotage the operation of the
targeted infrastructure firms.
The myth of trusted sites
This modus operandi has established that it is possible to infiltrate trusted sources, take control of
them, and embed malware right into the software on which users rely. While from the hackers'
perspective it is a smart modus operandi, from an end user's perspective it is a body blow, because the
cyber criminals have successfully breached trusted servers and implanted malware on them. In other
words, ICS users cannot even trust the sites on which they depend for their software updates, patches,
and the like. Havex has demolished the myth of trusted sites. There is no longer any such thing as a
trusted site, at least for the time being!
The mitigation strategies recommended in the related alerts and advisories include measures such as
implementing IT security best practices, using strong passwords, ensuring that all operating systems
and public-facing machines run the latest versions with security patches applied, and similar others.
While it is agreed that these are mandatory cyber security measures, it is not clear how they serve the
purpose if the malware steals the passwords and makes its entry through the very trusted sites on which
end users ultimately depend for installing patches! What this demands of the end user is to verify each
downloaded installer against a digest or signature obtained through a channel independent of the
download site, and to refuse anything that does not match.
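The check below is an added example, not code from the article or from any ICS vendor: it refuses to run a downloaded installer unless its SHA-256 digest matches a manifest obtained out-of-band. It assumes the vendor publishes such a manifest through a channel separate from the download server (the "sha256  filename" text format used here is hypothetical), and it treats both a digest mismatch and a file the manifest does not list as a refusal. The installer files, the appended payload, and the manifest in the demo are all constructed.

```python
"""Added example (not from the article): refuse to run an ICS installer unless its
SHA-256 digest matches a manifest obtained out-of-band from the vendor.

Assumptions (not stated in the article): the vendor publishes a plain-text
manifest of "<sha256 hex>  <filename>" lines through a channel independent of
the download site; that format is hypothetical. Files in demo() are constructed.
"""
import hashlib
import hmac
import tempfile
from pathlib import Path

HEX_DIGITS = set("0123456789abcdef")


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large installers need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_manifest(text):
    """Parse manifest lines into {filename: sha256}. Blank lines and '#' comments
    are ignored; any malformed line aborts, since a damaged manifest cannot be trusted."""
    expected = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"manifest line {lineno}: expected '<sha256>  <filename>'")
        digest, name = parts[0].lower(), parts[1].strip()
        if len(digest) != 64 or not set(digest) <= HEX_DIGITS:
            raise ValueError(f"manifest line {lineno}: {parts[0]!r} is not a SHA-256 digest")
        expected[name] = digest
    return expected


def verify_installer(path, manifest):
    """Return (ok, reason). ok is True only for a listed file whose digest matches."""
    name = Path(path).name
    if name not in manifest:
        return False, f"{name}: not listed in manifest, refusing to install"
    actual = sha256_file(path)
    if not hmac.compare_digest(actual, manifest[name]):
        return False, f"{name}: digest mismatch (manifest {manifest[name][:12]}..., file {actual[:12]}...)"
    return True, f"{name}: digest matches manifest"


def demo():
    """Constructed scenario: a clean installer, a trojanized copy served under the
    same name with an attacker payload appended, and a file the manifest omits."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        clean = root / "vendor" / "ToolSetup-1.2.exe"
        clean.parent.mkdir()
        clean.write_bytes(b"MZ" + b"\x00" * 4096 + b"constructed legitimate installer body")

        # Manifest as the vendor would publish it out-of-band (constructed here).
        manifest = parse_manifest(
            "# ToolSetup release manifest (constructed)\n"
            f"{sha256_file(clean)}  {clean.name}\n"
        )

        trojanized = root / "download" / clean.name          # same name, different bytes
        trojanized.parent.mkdir()
        trojanized.write_bytes(clean.read_bytes() + b"<constructed dropped RAT stub>")

        unlisted = root / "download" / "ToolSetup-1.3.exe"    # not in the manifest at all
        unlisted.write_bytes(b"MZ" + b"\x00" * 64)

        for label, path in (("clean", clean), ("trojanized", trojanized), ("unlisted", unlisted)):
            ok, reason = verify_installer(path, manifest)
            print(f"{label:10s} {'OK     ' if ok else 'REFUSED'} {reason}")
            results[label] = ok
    return results


if __name__ == "__main__":
    demo()
```

The important design choice is that the manifest must not come from the same server as the installer: if the download site is the one that has been breached, a digest hosted beside the file proves nothing, because the attacker can rewrite both. A vendor-signed manifest checked against a public key already held on the engineering workstation gives the same protection without relying on a second web site.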
It is time for the thought leaders from the IT and automation industries to introspect and chart out a
new roadmap so that they can provide in the near future control systems that are built on security as
the cornerstone – control systems that are inherently more resilient to cyber-attacks. Their silence
cannot wish away the cyber threats.
Can India Protect itself from Cyber Threats?
[Published in Deccan Herald on July 21, 2014]
Just think of a series of incidents taking place in quick succession across the country that cripple
power and water supplies and communication and transportation services, to understand their
debilitating effects on our lives. A cyber-attack can trigger all these and many more catastrophic
incidents with grave consequences. This is not the preamble to science fiction but a depiction of things
happening in cyberspace. While most of us are well aware of how information technology is transforming
our lives in positive ways, many are not cognizant of its downside, the cyber vulnerabilities. Highly
skilled and organized cyber attackers, which include nation states as well, have developed cyber weapons
that target critical infrastructure assets. It is important for India, which is in the process of
building critical infrastructure assets as part of its economic growth ambitions, to reckon with its
geo-political compulsions, recognize the true nature of the threats, and develop strategies to protect
these assets from cyberattacks.
The recent revelations of Edward Snowden and reports on Stuxnet, Duqu, Flame, Shamoon, Dragonfly, and
similar others give us a glimpse of how cyberspace is emerging as a major battleground for gathering
intelligence and launching subversive activities. Cyber weapons are low-cost yet very powerful, with
both offensive and defensive capabilities. They can effectively take down the critical assets on which
a country's national and economic security depends.
Cyber threat perceptions
The consequences of cyber-attacks are truly serious, and that necessitated President Barack Obama
issuing an executive order on improving US critical infrastructure cyber security. The page "The
Comprehensive National Cybersecurity Initiative" on www.whitehouse.gov says that the President has
identified cybersecurity as one of the most serious economic and national security challenges
confronting the US, and adds that the government and the country are not adequately prepared to counter
them. If what is widely written in numerous articles and reports is true, then the US was involved with
Stuxnet, the malware that crippled the Iranian centrifuges; therefore, the US President knows best about
the true implications of cyber-attacks in their new manifestations.
According to a recent poll conducted by Defense News Leadership and underwritten by United
Technologies, almost half of the US national security leaders who responded are of the opinion that
cyber warfare is the most serious threat facing the United States. Israel's Major General Aviv Kochavi,
speaking at the annual conference of the Institute for National Security Studies in Tel Aviv, said,
"Cyber, in my modest opinion, will soon be revealed to be the biggest revolution in warfare, more than
gunpowder and the utilization of air power in the last century." David Cameron, Britain's Prime Minister,
writing in The Telegraph, has warned that the country faces changing threats in the form of global
terrorism and unseen cyber criminals who can target the country from abroad, and pledged £1.1 billion
for defense to fight cyber terrorists.
Cyberattack targets control systems and critical infrastructure assets
Stuxnet, computer malware that targeted an industrial site in Iran, a uranium enrichment plant, is a
good example of a cyberattack on critical national assets. Stuxnet successfully destroyed centrifuges
by changing, without the knowledge of the plant operators, the set point at which the centrifuges were
supposed to rotate. It is the first known reported case of malware that explicitly and successfully
attacked industrial control systems. While it established the offensive capabilities of cyberattack,
the most recently discovered malware, Dragonfly, shows the information-gathering activity in
cyberspace that could be the precursor to future cyberattacks.
The security firms Symantec and F-Secure have recently released information about the malware Dragonfly
/ Havex RAT. According to Symantec, the targets of Dragonfly include energy grid operators, major
electricity generation firms, and petroleum pipeline operators, and it attacks industrial control
systems. It is a remote access Trojan (RAT) and, according to reports available in the public domain,
the malware uses the websites of software companies, including ICS suppliers, to deliver trojanized
versions of legitimate applications to targeted systems.
The Trojan communicates with Command and Control (C&C) servers. It can drop and execute files without
the users of the control systems or their vendors being aware of it. By this, the attacker gains access
to, and the means to control, the target systems, which control the operations of critical
infrastructure industries. The data-harvesting component, acting as an intelligence-collecting tool,
gathers details about the operating systems, connected devices such as control system devices, the
network, vendor information, tag (identification) numbers, and similar items, and sends them back to
the command and control servers for further analysis by the attackers. It also has a
credential-harvesting tool that gathers passwords to aid further subversive actions. It is a
sophisticated attack, and only time will reveal the true implications of Dragonfly.
The ICS-CERT of the US reports infection of the software installers on at least three ICS vendor web
sites. It further states that ICS-CERT testing has determined that the malware payload caused multiple
common OPC platforms to intermittently crash. This could have a denial of service effect on
applications that rely on OPC communications. The OPC acronym originally stood for "OLE (Object
Linking and Embedding) for Process Control"; it is a software interface standard for exchanging process
data between control systems and applications, and the OPC Foundation now expands it as "Open Platform
Communications".
With the information that the malware collects, the organization behind Dragonfly has all the necessary
information to attack at will the critical infrastructure companies that it is interested in targeting. It has
the tag numbers of the important regulated parameters, passwords necessary to change the set points,
and details of the operating systems and hence their known vulnerabilities. With these operating details
available, it would not be a big challenge for the cyber criminals to sabotage the operation of the
targeted infrastructure companies engaged in producing electricity, distributing water supply, operating
airports and rail transportation, providing communication services, and such others.
Is India doing enough?
Groups possessing high degree of cyber hacking skills, sophistication, and resources are involved in such
activities. They include even state actors or other groups acting at their behest or on behalf of non-state
actors. The canvas is so wide that it is even difficult to imagine the scope of the future cyber-attacks
much less prepare an effective defense against them.
While all countries face cyber threats, India, because of its geo-political compulsions, is highly
vulnerable. Apart from the information that the Stuxnet malware infected a large number of
installations in India, and that the government has authorized the National Critical Information
Infrastructure Protection Centre (NCIIPC) to take all necessary measures to facilitate safe, secure, and
resilient information infrastructure for critical sectors in the country, no other information is
available in the public domain. NCIIPC functions under the National Technical Research Organisation
(NTRO).
Additionally, the Government of India's Inter Departmental Information Security Task Force (ISTF) has
set up the Indian Computer Emergency Response Team (CERT-In) to respond to cyber security incidents
and take steps to prevent their recurrence. The lack of credible information about the measures that
NCIIPC is taking to protect the country from cyber threats is a cause for concern. NCIIPC's charter
mandates that it should "raise information security awareness among all stakeholders", and it is failing
in its duty by its silence.
While almost all leading Computer Emergency Response Teams (CERTs) regularly issue alerts about
vulnerabilities, it is annoying to find that even the website of their Indian counterpart (CERT-In) is
not accessible most of the time. In matters such as cyber security threats to the country's critical
infrastructure industries, it is critical to get all stakeholders on the same page, and a certain degree
of openness is absolutely necessary to create the necessary awareness and ensure their commitment to
take appropriate actions.
More proactive measures such as organizing seminars and training workshops, involving the academia in
starting appropriate courses, initiating a dialogue with the information technology companies and
seeking their involvement in software testing are needed to prepare the country for future eventualities.
Creating awareness among the critical infrastructure industries so that they are future ready for such
contingencies is critically important.
In my opinion, self-reliance is the way forward while fully collaborating with all the global initiatives.
Based on the success achieved in space and nuclear technologies thanks to domestic institutions such as
Indian Space Research Organization and Bhabha Atomic Research Center, it is time for the policy makers
to initiate appropriate measures.
Industrial Control Systems' Cyber Security
[Published in Honeywell’s ‘isolve’ Issue26]
During the many years of my association with the control and instrumentation (C&I) industry, I have
worked on the assumption that controllers and instruments must meet industrial companies’ functional
requirements; accuracy, safety & reliability, and robustness & repeatability. Industrial companies
invested in C&I systems not only to secure health, safety, and environment (HSE) protection, but also to
improve plant asset performance and profitability.
Information Technology and Industrial Control Systems
With information technology (IT) emerging as the underlying technology supporting industrial control
systems, C&I companies took big strides and leveraged IT to improve control systems' functionality and
performance, operator interfaces, archiving of historical information, communication and analytical
capabilities, self-diagnostic features, and such others. They enhanced the performance of control and
instrumentation systems and made them user-friendly and functionality-rich by leveraging the power of
IT. While they enhanced the functional safety of the control systems, measured in terms of mean time
to failure, availability, and such other factors, what was lost sight of was securing the control
systems against cyber criminals manipulating them to malfunction. True, such acts were not foreseen,
and were unthinkable, when automation companies were beginning to leverage the power of information
technology to introduce industrial control systems such as distributed control systems (DCS),
supervisory control and data acquisition (SCADA) systems, and programmable logic controllers (PLC), but
the situation has changed drastically since then.
ICS Vulnerabilities Get Exposed
The recent advent of Stuxnet, Flame, Duqu, and such other malware has exposed the vulnerability of
industrial control systems to cyber-attacks, and thus has opened Pandora's Box. We cannot wish away
the ground reality; cyber threats, posing serious challenges not only to industries but also to nation
states, are here to stay. The only way forward is to accept the reality of such threats and take
remedial action. Vigilance, readiness, and the ability of enterprises and the country to initiate
measures to prevent cyber-attacks through industrial control systems are vital to addressing these
threats. While the threat perceptions keep escalating, the smug feeling that they will pass, that the
chances of attack are remote, or that we will escape the agony continues to linger among many
enterprises, especially manufacturing companies in India. These are false and dangerous assumptions.
A control system, at the broadest level, has innumerable nodes spanning numerous field devices, I/O
cards, communication buses, controllers, and operator interfaces. Typically, field devices are accessible
through dedicated lines, handheld devices, or other communication protocols, including wireless. A
cyber attacker, by gaining unauthorized access to the field devices, can cause them to malfunction by
changing their characteristics and/or behavior, and thereby manipulate the entire plant or enterprise
control. Additionally, the control system architecture has numerous servers, engineering stations,
human-machine interface terminals, and such others. By gaining access to them, a cyber-attacker can
manipulate operator and controller actions and data-driven applications. Similarly, by gaining access
to the communication buses, an attacker could gain complete control over the network and manipulate the
flow of information and command signals.
Protection Calls for Two-pronged Approach
Protecting the infrastructure industries from cyber-attacks calls for a two-pronged approach: on the one
hand, automation suppliers taking the initiative to create awareness among end users about the threats
and to offer appropriate solutions, and on the other, end users initiating countermeasures to secure
protection from such attacks.
Automation Suppliers’ Initiatives
The Honeywell Industrial Cyber Security workshop, recently held at Kolkata for the company's clients, is
a welcome initiative in this direction. According to the agenda, the workshop covered various topics,
such as recent cyber security incidents, security standards for ICS (ISA-99 / IEC 62443 and ISO/IEC
27001), various government regulatory initiatives, the Cyber Security Management System (CSMS), selected
security countermeasures, and the portfolio of Honeywell Cyber Security Services. The need of the hour
is for more such workshops by other suppliers to create the necessary awareness among end users about
improving industrial control systems from a defense-in-depth perspective. While almost all automation
suppliers have established dedicated teams to address cyber-security concerns, they need to lead from
the front to reassure end users and protect their ICS from being hijacked for malicious objectives.
In addition, it is necessary for automation suppliers to assess afresh the industrial control system
architecture and all its subsystems and components in the context of their vulnerability to
cyber-attacks. It is essential for automation vendors to collaborate with other stakeholders, including
governmental nodal agencies such as the Government of India's Inter Departmental Information Security
Task Force (ISTF) and its arm, the Indian Computer Emergency Response Team (CERT-In), and the industry
association bodies. Automation suppliers must also quickly develop and offer appropriate solutions with
the help of collaborative partners working in domains such as smart firewalls, endpoint security, safe
coding certification, and others. In the long term, automation vendors have to introduce a range of
control system offerings with strong, built-in security features to protect them from malicious
attacks. They may have to offer add-on packages with configurable options to meet the needs of
customers using existing and erstwhile control systems.
End Users' Initiatives
From the industrial companies' perspective, it is necessary for them to initiate specific actions,
beginning with gaining awareness and evaluating risks, and subsequently moving forward to carry out a
security audit, vulnerability assessment, and penetration testing, and to develop a set of policies and
procedures and crisis management programs. Protecting the enterprise begins with implementing
straightforward work-related controls, such as access control, and ensuring adherence to cyber security
standards. The ability and preparedness to initiate countermeasures and recover quickly from an attack
are also critical. The most important thing is to be aware of the threats, take serious note of them,
and plan and implement countermeasures.
The US Department of Homeland Security offered this as one of its five pieces of advice to CEOs, and it
is equally valid for CEOs of domestic companies: "Incorporate cyber risks into existing risk management
and governance processes. Cyber security is NOT implementing a checklist of requirements; rather it is
managing cyber risks to an acceptable level. Managing cyber security risk as part of an organization’s
governance, risk management, and business continuity frameworks provides the strategic framework
for managing cyber security risk throughout the enterprise.”