In a previous blog post I wrote about the Internet of Things getting hacked. As the IIoT ramps up and we continue to connect more devices to networks, we increase our industrial assets' exposure to cyber attacks. And we all need to start thinking about cyber security first, not as an afterthought.
It's everyone's responsibility to plan for cyber security, starting when you first evaluate industrial assets for purchase.
Here are five checklist items to think about before connecting any industrial device to a network. No, this is not an exhaustive list, but frankly I don't want to take up that much of your time. (You're welcome!) It is a good starting point, though.
1. Secure your data: encryption
In the early days of the Internet, communication sent across the world wide web was often transmitted in human-readable plain text.
But plain text made it easy for malicious hackers and vicious script kiddies to intercept network traffic and extract sensitive information, such as grandma's bank account numbers, your dad's super-secret passwords, and so on.
Eventually system developers and operators in the IT (information technology) sector transitioned to data transmission using cryptography. In industry, it's time we do the same. ASAP, please.
The terms cryptography and encryption are often used interchangeably, but in fact they are different. Cryptography is the science of secret communication or data transmission. Encryption is a component of that science. Like in that great movie The Imitation Game about the Enigma machine.
For data to be securely transmitted between industrial assets, that data must be transmitted using encryption, with a cipher that is difficult to crack and a key that is difficult to guess. Rough translation: your password or key shouldn't be the word password, or even password spelled backwards, or any other word you might find in a dictionary, your birthday, or anything else easily guessed.
The cipher is the process or algorithm that makes information hidden or secret. To make that information accessible again requires a code or key to decrypt it. Essentially, encryption ciphers convert human-readable data into unreadable, scrambled data that can only be converted back using the correct key or code.
The most prevalent forms of encryption in IT today are TLS (Transport Layer Security) and SSL (Secure Sockets Layer). TLS is essentially a newer version of SSL. TLS is used to encrypt traffic for HTTP and SMTP, the protocols used for web browsing and sending email, respectively.
So when you consider acquiring industrial assets that will go on your network, make sure data security has been accounted for and that the asset supports the latest form of TLS or SSL encryption for data transfer and communication.
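A concrete way to test that last point on the client side of a TLS connection, as an added example that is not from the original post: the weak setup that integration scripts often ship with (no protocol floor, no certificate verification) beside a hardened one, plus a small audit function that reports what is wrong with a given context. The function names, the finding strings and the optional private CA bundle path are assumptions for this example; the ssl module calls are standard library.

```python
from __future__ import annotations
import socket
import ssl
from typing import Optional


def shipped_client_context() -> ssl.SSLContext:
    """Hypothetical 'as found in a vendor integration script' setup:
    no protocol floor and no certificate checks. Do not use; here for contrast."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE     # accepts any certificate, so any man-in-the-middle
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # whatever the library will still speak
    return ctx


def hardened_client_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Certificate and hostname verification on, nothing older than TLS 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if ca_bundle:
        # Assumption: the plant runs its own CA for device certificates; pass its bundle here.
        ctx.load_verify_locations(ca_bundle)
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return a list of findings; an empty list means the context meets the floor above."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor below TLS 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    return findings


def negotiated_version(host: str, port: int, ctx: ssl.SSLContext, timeout: float = 5.0) -> str:
    """Connect to an asset and report the TLS version actually negotiated.
    Network call; not exercised offline. With the hardened context it raises
    ssl.SSLError if the asset only offers SSL 3.0/TLS 1.0/1.1 or a bad certificate."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()


if __name__ == "__main__":
    print("shipped :", audit_context(shipped_client_context()))
    print("hardened:", audit_context(hardened_client_context()))
```

Run `audit_context` against whatever context your integration code builds before the asset goes on the network; a non-empty list is a finding for the vendor evaluation. `negotiated_version` answers the question from the other side: point it at the asset's management port with the hardened context and the handshake either succeeds with "TLSv1.2" or better, or fails because the asset cannot meet the floor.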
2. Lock it down: port and service configuration
As Internet communication capabilities are added to industrial assets, an asset may be able to do more on the network than you want it to. It’s important to limit Internet communication services to only those your application requires. Automation.com has a great article discussing some additional ideas on security in process control (please don't ever connect your PLC or PAC directly to the Internet, ever).
For example, if the industrial asset has the Simple Network Management Protocol (SNMP) enabled, but operators don’t need that protocol, disable it and shut down the TCP or UDP port the protocol uses.
You can take security a step further by disabling protocols like Internet Control Message Protocol (ICMP), the protocol used to ping or identify nodes on a network.
If an attacker is unable to ping a system to discover it, the attack is slowed down and it is less likely a vulnerability will be exploited before your network's intrusion detection system spots the attacker's breach. What!? Your industrial network doesn't have an intrusion detection system? Good God, man, that's like playing the game hot potato with yourself with a lit stick of dynamite. Take a look at this article from TechTarget.com on several FREE intrusion detection systems (I know, free software, what a strange and foreign concept).
The same concept applies for services running on the industrial asset. If your application does not require the service, lock the industrial asset down by disabling unnecessary network services. In other words, if your application doesn't need it, turn it off.
Again, start from the perspective of turning everything off and then enabling only what you absolutely need...after you've installed your intrusion detection system. During vendor evaluation and qualification, make sure all available ports, services, and protocols can be enabled or disabled depending on what your application requires.
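The "turn everything off, then enable only what you need" audit can be scripted. The following is an added example, not from the original post: it parses the listening-socket table of a Linux-based asset in the format produced by `ss -tulpn`, compares it with the set of services the application actually requires, and sorts every listener into allowed, loopback-only (bound to 127.0.0.1, so not reachable from the network) or disable. The sample `ss` output and the required-service set are constructed for this example; the SNMP and telnet listeners in it are there precisely because they are the kind of thing the post says to switch off.

```python
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Listener:
    proto: str      # "tcp" or "udp"
    addr: str       # bound address, brackets stripped for IPv6
    port: int
    process: str    # owning process name, "?" if ss could not show it


_PROC_RE = re.compile(r'\(\("([^"]+)"')   # matches the name inside users:(("name",pid=..,fd=..))

# Constructed sample of `ss -tulpn` output from a hypothetical gateway device.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:161       0.0.0.0:*     users:(("snmpd",pid=612,fd=7))
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=801,fd=3))
tcp   LISTEN 0      5      0.0.0.0:23        0.0.0.0:*     users:(("telnetd",pid=811,fd=3))
tcp   LISTEN 0      128    127.0.0.1:1883    0.0.0.0:*     users:(("mosquitto",pid=900,fd=4))
tcp   LISTEN 0      128    [::]:502          [::]:*        users:(("modbusd",pid=950,fd=5))
"""

# What this application needs: SSH for maintenance and Modbus/TCP for the process data. Assumption.
REQUIRED_SERVICES = {("tcp", 22), ("tcp", 502)}

LOOPBACK = {"127.0.0.1", "::1"}


def parse_ss(output: str) -> list[Listener]:
    """Turn `ss -tulpn` text into Listener records; header and unknown rows are skipped."""
    listeners = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] not in ("tcp", "udp"):
            continue
        addr, port = fields[4].rsplit(":", 1)       # rsplit so "[::]:502" splits on the last colon
        match = _PROC_RE.search(line)
        listeners.append(Listener(fields[0], addr.strip("[]"), int(port),
                                  match.group(1) if match else "?"))
    return listeners


def exposure_report(listeners: list[Listener], required: set[tuple[str, int]]) -> dict[str, list[Listener]]:
    """Classify each listener: allowed (required), loopback_only (not network reachable), disable (everything else)."""
    report: dict[str, list[Listener]] = {"allowed": [], "loopback_only": [], "disable": []}
    for lst in listeners:
        if (lst.proto, lst.port) in required:
            report["allowed"].append(lst)
        elif lst.addr in LOOPBACK:
            report["loopback_only"].append(lst)
        else:
            report["disable"].append(lst)
    return report


if __name__ == "__main__":
    report = exposure_report(parse_ss(SAMPLE_SS_OUTPUT), REQUIRED_SERVICES)
    for verdict, items in report.items():
        for lst in items:
            print(f"{verdict:13} {lst.proto}/{lst.port:<5} {lst.addr:<10} {lst.process}")
```

On a real asset you would feed it the live output (`ss -tulpn` run on the device, or the vendor's equivalent listing) rather than the constructed sample. The "disable" list is the vendor question from the post in concrete form: can each of these be turned off, and does it stay off after a firmware update? Note that ICMP does not appear in a socket listing; whether ping responses can be disabled has to be checked separately.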
3. Keep 'em out: network access
When communicating on a network, modern IT systems can be configured to allow access only from specific IP addresses or ranges of IP addresses.
Some systems take this a step further by allowing connections only from specific IP addresses on specific ports or using specific protocols. You can get pretty granular with this stuff.
When evaluating new industrial assets, verify that the system has some method of locking down connectivity to it based on source IP address and/or TCP or UDP port number.
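What "locking down connectivity by source address and port" looks like as a policy you can test and then turn into firewall rules, as an added example that is not part of the original post. The policy (a maintenance host and an HMI subnet, each allowed only the ports it needs, everything else denied) is a constructed assumption; the `iptables` syntax rendered at the end is the standard Linux one and is shown as a string, not executed.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    source: ipaddress.IPv4Network | ipaddress.IPv6Network
    proto: str            # "tcp", "udp" or "any"
    port: Optional[int]   # None means any port on that protocol


def allow(source: str, proto: str = "any", port: Optional[int] = None) -> Rule:
    """Build one allow rule from a CIDR string. A port without a protocol is rejected."""
    if port is not None and proto == "any":
        raise ValueError("a port restriction needs tcp or udp")
    return Rule(ipaddress.ip_network(source, strict=False), proto, port)


# Constructed policy for a hypothetical PLC: default deny, with exactly these exceptions.
POLICY = [
    allow("10.10.1.20/32", "tcp", 22),    # maintenance host: SSH
    allow("10.10.1.20/32", "tcp", 502),   # maintenance host: Modbus/TCP
    allow("10.10.5.0/24", "tcp", 502),    # HMI subnet: Modbus/TCP only
]


def is_allowed(src_ip: str, proto: str, port: int, rules: list[Rule] = POLICY) -> bool:
    """Default deny: True only if some rule matches source, protocol and port."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        if ip.version != rule.source.version or ip not in rule.source:
            continue
        if rule.proto not in ("any", proto):
            continue
        if rule.port is not None and rule.port != port:
            continue
        return True
    return False


def render_iptables(rules: list[Rule] = POLICY) -> list[str]:
    """Render the same policy as iptables/ip6tables commands ending in an explicit DROP."""
    cmds = [
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "iptables -A INPUT -i lo -j ACCEPT",
    ]
    for rule in rules:
        tool = "ip6tables" if rule.source.version == 6 else "iptables"
        cmd = f"{tool} -A INPUT -s {rule.source.with_prefixlen}"
        if rule.proto != "any":
            cmd += f" -p {rule.proto}"
        if rule.port is not None:
            cmd += f" --dport {rule.port}"
        cmds.append(cmd + " -j ACCEPT")
    cmds.append("iptables -A INPUT -j DROP")
    return cmds


if __name__ == "__main__":
    for src, proto, port in [("10.10.5.17", "tcp", 502), ("10.10.5.17", "tcp", 22), ("192.168.1.5", "tcp", 502)]:
        print(f"{src:>12} {proto}/{port}: {'allow' if is_allowed(src, proto, port) else 'deny'}")
    print("\n".join(render_iptables()))
```

The value of writing the policy down this way is that `is_allowed` can be run against the asset's own allowlist feature during evaluation: if the device cannot express a rule in the table (say it filters by address but not by port), that gap is a finding. For a device with no such feature at all, the rendered rules belong on a firewall or gateway in front of it.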
4. Know who's rapping at your door: authentication
In network security we need to reach a careful balance between security and availability. Our objective in employing cyber security practices is not to make information completely inaccessible, but instead to mitigate risk, reduce threats, and decrease the opportunity attackers have to execute exploits on industrial assets.
Two related methods we can use to mitigate risk are authentication and logging of users who access the asset.
Industrial assets must include some form of user authentication. Not only should a user attempting to access the asset be prompted for a password or passphrase that is authenticated by the industrial asset itself, but that authentication should also be run against a central authentication server.
Two of the most common authentication servers available today are Active Directory from Microsoft, which uses a form of the Lightweight Directory Access Protocol (LDAP, also commonly used in Linux/Unix environments), and SecurID/RADIUS servers.
In cases where a very high level of user authentication is required, usernames and passwords are not enough. Instead, implement a three-factor authentication mechanism. Three-factor authentication is based on:
- Something the user has, such as a SecurID token, a little gadget typically worn on a user's physical access badge. (What!? You don't have a physical access control system!? See my note above about juggling dynamite.) The token automatically generates an access code to be authenticated against, for example, a RADIUS server.
- Something the user knows, such as a password or passphrase.
- Something the user is, such as a fingerprint or retinal scan. Think biometric authentication here.
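Two of those three factors, the password checked on the asset and the token code checked by a central server, can be shown end to end in code. This is an added example, not from the original post and not how SecurID or any RADIUS product works internally: the token is modelled with the open HOTP/TOTP standards (RFC 4226 and RFC 6238), the central server is a hypothetical in-process class rather than a RADIUS wire protocol, and the biometric factor is left out. The seed `RFC_SECRET` is the published RFC test-vector seed, so the codes can be checked against the RFCs.

```python
from __future__ import annotations
import hashlib
import hmac
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock (what a hardware token does)."""
    return hotp(secret, now // step, digits)


class LocalPasswordStore:
    """The 'something the user knows' factor, verified on the asset itself. Salted PBKDF2, no plaintext."""

    def __init__(self) -> None:
        self._users: dict[str, tuple[bytes, bytes]] = {}

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def set_password(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[user] = (salt, self._derive(password, salt))

    def verify(self, user: str, password: str) -> bool:
        rec = self._users.get(user)
        salt, stored = rec if rec else (b"\0" * 16, b"\0" * 32)   # dummy work keeps timing similar for unknown users
        ok = hmac.compare_digest(self._derive(password, salt), stored)
        return ok and rec is not None


class CentralAuthServer:
    """Hypothetical stand-in for the RADIUS/SecurID server: holds token seeds, checks codes, rejects replays."""

    def __init__(self, step: int = 30, window: int = 1) -> None:
        self.step, self.window = step, window       # window: accept +/- this many steps of clock drift
        self._seeds: dict[str, bytes] = {}
        self._last_counter: dict[str, int] = {}     # highest counter already accepted per user

    def enrol(self, user: str, seed: bytes) -> None:
        self._seeds[user] = seed

    def verify_otp(self, user: str, code: str, now: int) -> bool:
        seed = self._seeds.get(user)
        if seed is None:
            return False
        current = now // self.step
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self._last_counter.get(user, -1):
                continue    # a code for this or an earlier step was already used: replay
            if hmac.compare_digest(hotp(seed, counter), code):
                self._last_counter[user] = counter
                return True
        return False


def authenticate(store: LocalPasswordStore, server: CentralAuthServer,
                 user: str, password: str, code: str, now: int) -> bool:
    """Both factors must pass: the local password first, then the token code at the central server."""
    if not store.verify(user, password):
        return False
    return server.verify_otp(user, code, now)


RFC_SECRET = b"12345678901234567890"   # RFC 4226 / RFC 6238 test-vector seed, not a real token seed

if __name__ == "__main__":
    server = CentralAuthServer()
    server.enrol("opr1", RFC_SECRET)
    store = LocalPasswordStore()
    store.set_password("opr1", "correct horse")
    print("first use :", authenticate(store, server, "opr1", "correct horse", totp(RFC_SECRET, 59), 59))
    print("replayed  :", authenticate(store, server, "opr1", "correct horse", totp(RFC_SECRET, 59), 59))
```

Two design points worth carrying into a vendor evaluation: the password check and the token check are separate systems, so compromising the asset's local store does not yield the token seeds, and the server refuses a code that has already been accepted, which is what makes an intercepted one-time code useless. Ask whether the asset can defer to a central server for the second factor at all, and whether it fails closed when that server is unreachable.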
5. Cyber forensics: logging
In addition to authentication, keep a log of user activity. Logging mitigates risk because users know their actions are tracked, and it helps determine the extent of damage if a security breach does occur.
If a breach takes place, forensic information security professionals will use the log data to help determine the exposure level and the risks the asset or organization is facing as a result of the breach.
When you choose industrial assets, look for some type of user logging. If it's not available on the asset itself, make sure you can provide logging locally.
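What the forensic use of that log looks like in practice, as an added example that is not from the original post: a minimal structured audit record, a detector for the pattern "several failed logins from one source followed by a success", and a query that lists everything that account did after the suspicious login, which is the "extent of damage" question. The record format, the account names, the addresses and the tag names in the sample log are all constructed for this example.

```python
from __future__ import annotations
import json
from datetime import datetime, timedelta


def audit_record(ts: datetime, user: str, src: str, event: str, outcome: str, detail: str = "") -> str:
    """One JSON-lines audit entry: who, from where, what, and whether it succeeded. Constructed format."""
    return json.dumps({"ts": ts.isoformat(), "user": user, "src": src,
                       "event": event, "outcome": outcome, "detail": detail}, sort_keys=True)


def parse_log(lines: list[str]) -> list[dict]:
    return [json.loads(line) for line in lines if line.strip()]


def _ts(rec: dict) -> datetime:
    return datetime.fromisoformat(rec["ts"])


def brute_force_then_success(records: list[dict], fails: int = 3,
                             window: timedelta = timedelta(minutes=5)) -> list[tuple[str, str, datetime]]:
    """(user, source, time) for every successful login preceded by >= `fails` failures
    from the same source within `window`. Assumes the log is in chronological order."""
    suspects = []
    recent_fails: dict[tuple[str, str], list[datetime]] = {}
    for rec in records:
        if rec["event"] != "login":
            continue
        key, ts = (rec["user"], rec["src"]), _ts(rec)
        in_window = [t for t in recent_fails.get(key, []) if ts - t <= window]
        if rec["outcome"] == "fail":
            in_window.append(ts)
            recent_fails[key] = in_window
        else:
            if len(in_window) >= fails:
                suspects.append((rec["user"], rec["src"], ts))
            recent_fails[key] = []
    return suspects


def actions_after(records: list[dict], user: str, since: datetime) -> list[dict]:
    """Everything a given account did (logins excluded) from `since` onward."""
    return [r for r in records if r["user"] == user and r["event"] != "login" and _ts(r) >= since]


# Constructed sample log from a hypothetical controller, in chronological order.
T0 = datetime(2016, 3, 2, 2, 0, 0)
SAMPLE_LOG = [
    audit_record(T0 + timedelta(seconds=s), "engineer", "10.10.9.44", "login", "fail", "bad password")
    for s in (0, 12, 25, 41)
] + [
    audit_record(T0 + timedelta(seconds=70), "engineer", "10.10.9.44", "login", "ok"),
    audit_record(T0 + timedelta(seconds=95), "engineer", "10.10.9.44", "setpoint_change", "ok", "FIC-101: 40.0 -> 0.0"),
    audit_record(T0 + timedelta(seconds=130), "engineer", "10.10.9.44", "config_change", "ok", "FIC-101 HH alarm disabled"),
    audit_record(T0 + timedelta(hours=6), "operator", "10.10.5.17", "login", "ok"),
    audit_record(T0 + timedelta(hours=6, minutes=1), "operator", "10.10.5.17", "read", "ok", "trend FIC-101"),
]

if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for user, src, when in brute_force_then_success(records):
        print(f"suspicious login: {user} from {src} at {when.isoformat()}")
        for act in actions_after(records, user, when):
            print(f"  {act['ts']} {act['event']:16} {act['detail']}")
```

The detector is the kind of rule an intrusion detection system would run continuously; the `actions_after` query is what the forensic team runs afterwards, and it only works if the asset logged the actions, not just the logins. That is the concrete thing to verify during evaluation: does the log record what was changed, by whom, from where, with a timestamp you can correlate with the rest of the network?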
Summing It All Up
If you're juggling dynamite, it's time to take a new approach. The above information certainly isn't an exhaustive list of best practices for using industrial assets securely, nor a complete list of features to include in product design. But it’s a solid foundation for determining a vendor’s level of due diligence related to cyber security.
Is cyber security on your vendor's radar? Find out by asking them about the features above. If you want to take a deeper dive into learning about how attackers go about breaching your network defenses, take a look at the Basics of Penetration Testing from the SANS Institute.
This is a good starting point for developing an evaluation matrix when you’re looking for future industrial asset investments. Want to learn more about passwords, security, etc.?