Plausible deniability is not a security strategy

Beware, you may have been instructed by a lawyer to not read this article.

12/30/2013


Recently I became aware of several attorneys and legal departments advising managers to stay unaware of control system cyber vulnerabilities outside of specific information provided by their vendors. Why? If the vendor states that a system is secure, then the asset owner and operator may be able to claim ignorance and avoid legal liabilities associated with loss of life or the unavailability of a critical asset.

This plausible deniability approach is not a security strategy for several reasons. First, many ICS (industrial control system) protocols (e.g., Modbus/TCP, DNP3, Profinet, EtherNet/IP, BACnet, etc.) are highly vulnerable due to no authentication, poor authentication, the owner’s chosen implementation, and poor vendor implementation within the cyber asset. Consider recent vulnerabilities identified by Adam Crain and Chris Sistrunk with DNP3 (ICSA-13-291-01 and others), and expectations of more to come with Modbus/TCP. Second, a quick Google search of “control system vulnerabilities” yields 2.4 million hits. Third, new ICS cyber asset vulnerabilities are coming to light with ICS-CERT notices increasing rapidly.

So ask yourself, are you better off pursuing due diligence and trying to build adequate levels of protection, or should you hope to hide behind the plausible deniability defense? Your vendor might not help you with the latter. Many now issue disclaimers pushing responsibility back on you. They warn that their system must be placed within a secure zone of your facility and point at standards and organizations like NIST 800-82, ISA 99 / IEC 62443, IEEE, NEI, AGA, NNSA, ISO 27001, API, ChemITC, individual governments, and several more that I probably missed.

Hide, or defend yourself?

Think about your role at your facility. Most companies want to ensure a level of profitability through a safe, reliable, and available operation. Your personal desire is food, shelter, and a safe environment for you and maybe a family. The world has changed with threat agents increasing in number and capabilities. Some are sponsored by major military powers. You may have to be the change agent that brings about a cultural shift toward a serious defensive strategy.

I recall when that responsibility fell on me many years ago. My early attempts to sell cyber security at a U.S. Department of Energy National Laboratory failed horribly. I did not connect my efforts to the mission of the laboratory or convince our Nobel Prize-winning scientists. The scientists wanted high availability of their research so that they could collaborate with the world, and my firewalls were interfering. Eventually, we put security in terms they understood. Instead of just focusing on cyber attacks, we explained, “What if someone were to manipulate your data, release your data early, or under a different brand?”

The thought of personal discrediting got their attention and they asked for security controls. The lesson: Every control system environment is different based upon corporate motives and ownership. You need to identify what will sell security in to your organization. Don’t wait for somebody else—you do it, and do it now.

This very minute, somebody is preparing cyber attacks against control systems. Your company and your livelihood may be at risk if someone does not step up. Seek out an opportunity to start a change, if not at your work, maybe where you live. Many control systems impact your environment: fresh water, natural gas, electricity, traffic control, your automobile, and the food supply. Attend a city council meeting and ask what is being done to protect your local water supply. Ask your auto mechanic about the latest firmware update to your ECU or ABS.

Cyber space is now a battlefield, and there is no plausible way to deny that ICSs are vulnerable. Take steps to protect yours: inventory your assets, document their communication patterns and the logic operating them. Look at the people accessing and managing them. Are there reasonable restrictions to operational, cyber, and physical activity? Establishing baselines of normal operation helps you determine when there is something unusual.

Basic security principles apply whether you’re dealing with physical or cyber security. Once you have the tools, you will begin to develop a sixth sense about what’s happening in your networks. Overcoming budgetary restrictions and political resistance may take some doing, but you might be the thing that makes a difference.

Matt Luallen is founder of Cybati, a security training and consulting organization. 

ONLINE

Control Engineering has extended the time available to access Matt Luallen’s 13-part cyber security training course at no charge, including PDHs

https://cybati.org

Follow security vulnerability announcements at http://ics-cert.us-cert.gov/standards-and-references 



GREGORY , TX, United States, 12/30/13 02:03 PM:

Burying one's head in the sand and denying the existance of potential vulnerability has never been a viable approach. Leave it to the "legal eagles" and "bean counters" to turn a deaf ear to reasoning. I guess action plan is to file lengthly litigation and feather their financial coffers. A proactive approach in dealing with cyber threats is always the best course of action.
Tim , TX, United States, 12/30/13 04:07 PM:

Thanks Matt, and thanks for the link to the 13 part series. I didn't need another reason to dislike lawyers but thanks for that also. Looking forward to the course.
The Top Plant program honors outstanding manufacturing facilities in North America. View the 2013 Top Plant.
The Product of the Year program recognizes products newly released in the manufacturing industries.
The Engineering Leaders Under 40 program identifies and gives recognition to young engineers who...
The true cost of lubrication: Three keys to consider when evaluating oils; Plant Engineering Lubrication Guide; 11 ways to protect bearing assets; Is lubrication part of your KPIs?
Contract maintenance: 5 ways to keep things humming while keeping an eye on costs; Pneumatic systems; Energy monitoring; The sixth 'S' is safety
Transport your data: Supply chain information critical to operational excellence; High-voltage faults; Portable cooling; Safety automation isn't automatic
Case Study Database

Case Study Database

Get more exposure for your case study by uploading it to the Plant Engineering case study database, where end-users can identify relevant solutions and explore what the experts are doing to effectively implement a variety of technology and productivity related projects.

These case studies provide examples of how knowledgeable solution providers have used technology, processes and people to create effective and successful implementations in real-world situations. Case studies can be completed by filling out a simple online form where you can outline the project title, abstract, and full story in 1500 words or less; upload photos, videos and a logo.

Click here to visit the Case Study Database and upload your case study.

Maintaining low data center PUE; Using eco mode in UPS systems; Commissioning electrical and power systems; Exploring dc power distribution alternatives
Synchronizing industrial Ethernet networks; Selecting protocol conversion gateways; Integrating HMIs with PLCs and PACs
Why manufacturers need to see energy in a different light: Current approaches to energy management yield quick savings, but leave plant managers searching for ways of improving on those early gains.

Annual Salary Survey

Participate in the 2013 Salary Survey

In a year when manufacturing continued to lead the economic rebound, it makes sense that plant manager bonuses rebounded. Plant Engineering’s annual Salary Survey shows both wages and bonuses rose in 2012 after a retreat the year before.

Average salary across all job titles for plant floor management rose 3.5% to $95,446, and bonus compensation jumped to $15,162, a 4.2% increase from the 2010 level and double the 2011 total, which showed a sharp drop in bonus.

2012 Salary Survey Analysis

2012 Salary Survey Results

Maintenance and reliability tips and best practices from the maintenance and reliability coaches at Allied Reliability Group.
The One Voice for Manufacturing blog reports on federal public policy issues impacting the manufacturing sector. One Voice is a joint effort by the National Tooling and Machining...
The Society for Maintenance and Reliability Professionals an organization devoted...
Join this ongoing discussion of machine guarding topics, including solutions assessments, regulatory compliance, gap analysis...
IMS Research, recently acquired by IHS Inc., is a leading independent supplier of market research and consultancy to the global electronics industry.
Maintenance is not optional in manufacturing. It’s a profit center, driving productivity and uptime while reducing overall repair costs.
The Lachance on CMMS blog is about current maintenance topics. Blogger Paul Lachance is president and chief technology officer for Smartware Group.