Cyber security vulnerability assessment

The first step in creating an effective defense is figuring out where the vulnerabilities are in the system. This is a difficult but necessary process, and it never ends.


Security at the device level, Control Engineering December 2011 issue article graphicCompanies that decide to undertake a cyber security program often falter right out of the starting blocks because they don’t begin by addressing some of the most basic concepts of security. Without that knowledge it is impossible to plan, and without a plan, the results will be haphazard at best and will likely make things worse. A sensible approach needs to begin with a basic understanding of what vulnerabilities may exist in your systems. Such an analysis is conceptually straightforward, but it can get complex in practice if not executed well. In most situations it is painful because companies often discover that the situation is worse than they thought.

One of the first steps is to determine what security standard(s) or guidance you need to be addressing. There are a few possibilities with a history of addressing control system components, such as NERC CIP-005, CIP-007, INGAA, CPNI, and DHS CFATS. Your industry and the nature of your processes will guide this decision. You might think that choosing a standard is too “high-altitude” when what you really want to do is go out and start buying firewalls, but consider this analogy: Let’s say you want to build a food processing plant, so you want to use sanitary practices. If you don’t know how groups like 3-A and the FDA have established sanitary practices, there’s little chance you will end up with a facility that will pass inspection. The same goes for plant safety systems. You can fix some obvious hazards, but eventually you need the guidance that a standard gives.

Understanding system vulnerabilities is at the center of any larger strategy to minimize risks and protect assets. Courtesy: Cybati

Next, you need to convince yourself that vulnerability assessment is not an event. It is a process that goes on constantly. You need to think about it every day because your systems are not static, nor are the threats. Plug yourself into information feeds from cyber security groups, beginning with the DHS ICS-CERT. This will help keep you up-to-date and suggest directions for your own analysis.

A painful process

Probably the part of the process that companies find the most painful, physically and psychologically, is taking an inventory of all your cyber assets, how they’re connected, and how they’re programmed. This can be a monumental task if you don’t have much documentation or what you have isn’t current. But it means everything:

• Servers
• Network switches
• User terminals
• Desktop and laptop PCs
• PLCs and controllers
• Terminal racks
• Wireless transmitters and receivers
• Mobile devices on the network, and
• Everything else.

Once you’ve found all those devices, document what software is installed on each, and how they’re interconnected. Yes, it may be a huge job, but it is absolutely necessary.  This includes not just servers like file, database, print, and web but also applications like Microsoft Word and even system firmware. Once compiled, your documentation must be updated every time you change anything, including software patches and updates. Otherwise, there is no possible way you will be able to block all the points that a creative hacker might find.

In a perfect world, this shouldn’t be a significant undertaking at all, because all of this would already exist and be up-to-the-minute. However, I’ve never seen it. No company has everything complete and current, so don’t think you’re alone.

Performing this process is easier if you have a plan:

Talk to your people—The individuals who work with your networks may be very familiar with specific parts of your systems, and may have some ideas of where vulnerabilities exist. Make sure your discussions don’t turn into interrogations if you want cooperation. Also make certain that you have a process in place to keep all of this documentation protected. The last thing you want is to perform the vulnerability analysis and have this information end up in the wrong hands. 

Review your documentation—Anything is better than nothing. Even outdated and incomplete diagrams can serve as a starting point and be revised.

Review device configurations—This can be a very tedious process, but you need to know all the software that’s running in your facility, down to the revision level. Finding the answer may be difficult in situations where the code in a particular area or machine is from an OEM or system integrator. Such a third-party supplier might not want to divulge that information, although more are beginning to understand the need for it in this context. This exercise might be a good time to get rid of things that shouldn’t be there, like that MP3 player installed on a control room terminal.

Trace wires—Buy some kneepads and start crawling around under tables and looking behind racks. You need to see where the connections are, and what connections might exist that you don’t know about. There are all sorts of reasons why somebody thought tying various devices together was a good idea, and you need to find them.

Analyze network traffic—When you see how things are really interacting on your networks, it can alert you to all sorts of things. You need to know what is talking to what, because these communication channels need to be controlled and directed. Where does this VPN go? What new channels needed to be created when we changed ownership?

Analyze wireless traffic—While you can trace wires, wireless can go anywhere. Begin by determining how many and which frequencies you’re using. Bluetooth, 802.11, Zigbee, 900 MHz, and more are possibilities. This is especially critical since breaking into your network may require nothing more than buying the same kind of wireless repeater someone installed to replace damaged wiring.

Once your documentation gets into better shape, test yourself. Get out in the plant and run audits to see if the diagram matches reality. If the diagram says five connections should be coming out of that switch, why are there six? Pick a cable and make sure you can find it on the plan. Does this firewall have the correct rules installed? If you flunk any of those tests, you need to take a hard look at the work so far.

The next level

More sophisticated analysis can begin once your documentation is in order. Look at your systems and ask yourself some questions:

What processes and tools can operate manually? What happens if you are subject to an attack or other system failure? Do you have the possibility to run anything independently in manual mode? If you’re stuck in a degraded situation, that ability can be the difference between continuing to produce and being shut down completely.

How many of your systems share infrastructure? Are you networked more tightly than you should be? Keeping some separation between parts of the plant or production units can help isolate problems and minimize the effects of an intrusion.

How “flat” is your security? If you have a remote terminal at a location that is normally unmanned, the level of physical and cyber security at this location should probably be higher than it is for the control room within your plant. The level of security should reflect the potential for intrusion.

What security weaknesses are baked into various devices within your plant? There are likely many devices on your networks that have little protection on their own. PLCs have default passwords and even hard-corded passwords, all the solutions implemented by a vendor may use the same architecture for each client (even down to the MAC address), or data exchanged via clear text. If those can’t be changed, such devices will require extra network protection.

Look at your systems with the idea of trying to make something malfunction or break on purpose. Can you force a valve to open or close? Can you make a pump start when it shouldn’t? If a hacker is trying to break into your plant, this is the kind of thing that could happen.

Can a less critical (and less protected) system serve as a gateway to something important? Look at how various systems are interconnected. A low-level system may have little protection because the possibility of causing mayhem is small. While that is appropriate, you have to make sure the low-level system cannot offer the means to infiltrate something more critical.

Industrial realities

Engineers who work in IT environments look at industrial networks and usually ask why we don’t use some basic security techniques common to office and commercial systems. The fact is that much industrial equipment is pretty weak. If a hacker can reach a PLC, it’s probably a soft target. That means our networks have to be hardened at multiple levels; otherwise, someone breaking through a perimeter will have little trouble moving around and causing problems, potentially even placing someone’s life at risk.

This is one of the reasons why knowing your networks inside-out is so important. You have to be able to out-think a hacker, finding possible weaknesses and fixing them before someone on the outside can take advantage of an opening. You’ll never be completely secure, but with some coordinated efforts, you may be able to stay one step ahead.

Matt Luallen is founder of Cybati, a cyber security training and consulting organization, and is a frequent contributor to CFE Media.

The Top Plant program honors outstanding manufacturing facilities in North America. View the 2015 Top Plant.
The Product of the Year program recognizes products newly released in the manufacturing industries.
Each year, a panel of Control Engineering and Plant Engineering editors and industry expert judges select the System Integrator of the Year Award winners in three categories.
Pipe fabrication and IIoT; 2017 Product of the Year finalists
The future of electrical safety; Four keys to RPM success; Picking the right weld fume option
A new approach to the Skills Gap; Community colleges may hold the key for manufacturing; 2017 Engineering Leaders Under 40
Control room technology innovation; Practical approaches to corrosion protection; Pipeline regulator revises quality programs
The cloud, mobility, and remote operations; SCADA and contextual mobility; Custom UPS empowering a secure pipeline
Infrastructure for natural gas expansion; Artificial lift methods; Disruptive technology and fugitive gas emissions
Power system design for high-performance buildings; mitigating arc flash hazards
VFDs improving motion control applications; Powering automation and IIoT wirelessly; Connecting the dots
Natural gas engines; New applications for fuel cells; Large engines become more efficient; Extending boiler life

Annual Salary Survey

Before the calendar turned, 2016 already had the makings of a pivotal year for manufacturing, and for the world.

There were the big events for the year, including the United States as Partner Country at Hannover Messe in April and the 2016 International Manufacturing Technology Show in Chicago in September. There's also the matter of the U.S. presidential elections in November, which promise to shape policy in manufacturing for years to come.

But the year started with global economic turmoil, as a slowdown in Chinese manufacturing triggered a worldwide stock hiccup that sent values plummeting. The continued plunge in world oil prices has resulted in a slowdown in exploration and, by extension, the manufacture of exploration equipment.

Read more: 2015 Salary Survey

Maintenance and reliability tips and best practices from the maintenance and reliability coaches at Allied Reliability Group.
The One Voice for Manufacturing blog reports on federal public policy issues impacting the manufacturing sector. One Voice is a joint effort by the National Tooling and Machining...
The Society for Maintenance and Reliability Professionals an organization devoted...
Join this ongoing discussion of machine guarding topics, including solutions assessments, regulatory compliance, gap analysis...
IMS Research, recently acquired by IHS Inc., is a leading independent supplier of market research and consultancy to the global electronics industry.
Maintenance is not optional in manufacturing. It’s a profit center, driving productivity and uptime while reducing overall repair costs.
The Lachance on CMMS blog is about current maintenance topics. Blogger Paul Lachance is president and chief technology officer for Smartware Group.
The maintenance journey has been a long, slow trek for most manufacturers and has gone from preventive maintenance to predictive maintenance.
This digital report explains how plant engineers and subject matter experts (SME) need support for time series data and its many challenges.
This digital report will explore several aspects of how IIoT will transform manufacturing in the coming years.
Maintenance Manager; California Oils Corp.
Associate, Electrical Engineering; Wood Harbinger
Control Systems Engineer; Robert Bosch Corp.
This course focuses on climate analysis, appropriateness of cooling system selection, and combining cooling systems.
This course will help identify and reveal electrical hazards and identify the solutions to implementing and maintaining a safe work environment.
This course explains how maintaining power and communication systems through emergency power-generation systems is critical.
click me