Security in automation: Smartphone might be the greatest threat

Smartphones have made access to information easy and thus increase security risk for critical information. It requires constant and holistic attention to understand the patterns of attacks and raise awareness with organizations.

By Arslan Ul Haq and Taimoor Shabbir Khan, Intech Process Automation April 28, 2015

It’s a world of convenience in our hands, isn’t it? In a few taps, in a couple of swipes, people have access to all the information about what matters the most to them. Smartphones have indeed made access to information easy and fast because they have become personal computers that people travel around with all the time. It’s a treasure full of valuable and, at times, critical information.

Such a treasure, as people assume, should be well guarded. Users would go the extra mile to ensure their information security and so would the app developers. Well, fasten the seat belts and hear the truth.

How secure are smartphone systems?

An IBM sponsored study titled "The State of Mobile Application Insecurity" published in February 2015 has shown that a whopping "40% of the large companies aren’t taking proper precautions to secure mobile apps that they build for customers, and organizations are poorly protecting mobile devices-both corporate and those you bring to work." The study further shows that 33% of the companies never test their apps and 50% of the companies devoted absolutely no budget dollars toward mobile security, with the average organization spending $34 million each year on mobile app development.

The oil and gas industry, the field the authors work in, is no different when it comes to taking cyber security precautions. A recent survey conducted by Fox IT and Oil & Gas IQ about cyber security in the oil and gas industry revealed some very disturbing results. While companies in the oil and gas industry are aware, "That they need to take security measures against cyber threats like Advanced Persistent Threats (APTs) and hacktivism, with 90% confirming that it is vital to respond to a cyber-security incident within hours, the majority have not taken decisive action to safeguard themselves." A staggering 60% do not have an incident response plan in case of cyber disaster and only 11% are fully confident that they can handle hacks properly. Thirty-seven percent indicate that they are "not confident" with their cyber security measures and 45% indicate that they are "somewhat confident." Twenty-three percent indicate that they are not actively monitoring their network and 19% have not segregated their information technology (IT) network from their operational technology (OT) network.

Therefore, one shouldn’t be surprised to see that the number of reported cyber attacks on oil and gas companies in 2013 were in excess of 6500-a 179% increase from the year before as shown by a study from PwC. 

Attack precedents and patterns

The heirs to the throne of Stuxtnet (the worm that hit Iranian centrifuges) and Shamoon (the virus that hit Saudi Aramco) have arrived with even deadlier force. The ongoing attack campaign against control systems called Dragonfly (aka Energetic Bear/Crouching Yeti) targeted energy grid operators, electricity generation firms, petroleum pipeline operators, and industrial control system (ICS) equipment manufacturers across the US, Spain, France, Italy, Germany, Turkey, and Poland, according to Symantec’s report, "Dragonfly: Cyberspionage Attacks Against Energy Suppliers," published on July 7, 2014. The cyber attack on Mexico’s state energy company Petroleos Mexicanos (Pemex) allegedly by Iran-backed hackers also targeted 50 companies and government organizations including commercial airlines. In both these attacks, the perpetrators looked for and found vulnerabilities that could be used in physical attacks.

A certain pattern can be identified from both of these attacks, which are quite similar in execution. For example, in case of the Dragonfly, Symantec outlines three phases of the attack:

  1. "The first phase of Dragonfly’s attacks consisted of the group sending malware in phishing emails to personnel in target firms.
  2. In the second phase, the group added watering hole attacks to its offensive, compromising websites likely to be visited by those working in the energy sector in order to redirect them to websites hosting an exploit kit. The exploit kit in turn delivered malware to the victim’s computer.
  3. The third phase of the campaign was the Trojanizing of legitimate software bundles belonging to three different ICS equipment manufacturers."

Dragonfly uses two main pieces of malware, backdoor.oldrea and trojan.karagany, in its attack; both are remote access tools (RATs) providing the attackers with access and control of compromised systems.

Guy walks into his workplace—with a smartphone!

And amidst this chaos, imagine an oil and gas (or for that matter, any industrial) employee walking into his work place with a smartphone in his hand!

One can’t deny the utility of these marvels of technology. Smartphones have become prolific in industrial enterprises, and with the constant flow of data, staying up to date with critical information has become significant. With the advent of emerging mega-trends in the industry like industrial Internet, digital oilfield, and Internet of Things (IoT), more and more data is being generated and floated by instruments rather than people. Solutions providers have now begun to furnish customized mobile applications that give instant access to energy, production, and related critical information and analytics where real-time and historical data, KPIs, alarms, trends, scorecards, and GEO SCADA visualization is made available on almost all platforms.

So in essence, smartphones are no different from the personal computer, and that magnifies the threat in comparison to a PC. All the work-related tasks that you can perform on a PC can be performed easily on a smartphone. There is no difference between the two for the user. And there is no difference between the two for the attacker. The higher frequency of accessing and sending information from a smartphone (as compared to a PC), and the disregard for security measures on the smartphone from the user as well as the enterprise, makes the smartphone an ideal target for the attackers to infiltrate your enterprise and threaten your systems.

The diagram below outlines one of the many attack scenarios where a smartphone infected by a dedicated hacker can cause damage to the enterprise systems (regardless of whether it is outside the enterprise firewall or behind the firewall). We have to remember that a hacker will always do his homework to at least have an educated guess about the software, hardware, update versions, and all related information that he requires to prepare the malicious code and, consequently, the infected device.

Step 1: The attacker, via the infected smartphone, passes through the enterprise firewall and accesses email server via information sent by the infected user sending infected data or data request to a workstation on the enterprise network.

Step 2: The workstation, recognizing the attacker as a legitimate user, responds to the request, hence establishing two-way communication that the attacker desired and in the process also leaving a back door. It also allows him to establish connection with the DNS, web, and database server.

Steps 3 and 4: With the necessary connections now established, the attacker can request or send data to an engineering workstation in the control station network behind the industrial control system (ICS) firewall. The ICS firewall will also recognize him as a legitimate user. Step 2 repeats, only this time in the all-critical control system network.

Steps 5 and 6: The attacker, now able to communicate with the control systems, has access to critical information and may well have the ability to cause physical damage as well.

In the above scenario, even though if the infected smartphone user is restricted by access privileges, he can provide essential footprinting and in the process helps the attacker to identify other potential targets with higher levels of access privileges.

Five elements for better security

A vast majority of experts agree that the smartphone is one of the biggest threats to an enterprise’s systems because it is the most exposed, most insecure, and most frequently used device. To ensure better security, adopt a strategy composed of the following key elements:

  1. The right policies: Ask yourself whether your organization has the right policy (or a policy at all) that provides guidelines to employees about smartphone usage. Are your employees aware of the threat to their smartphones and, consequently, to your enterprise’s systems?
  2. The right plans: What is your strategy to implement the policy and ensure that the implementation is consistent throughout? Is your smartphone security plan designed to protect and support the technologies of today and the future?
  3. The right products: Do you have the right products to implement your smartphone security plan? Can they provide the desired level of security, performance, and quality of service that you desire?
  4. The right processes: How will you manage your smartphone security infrastructure and ensure constant monitoring, testing, and adaptation?
  5. The right people: Do you have the right people who have the skill set that forms a strategic fit between your policies and plans and your products and processes? 

Smartphone security remains a tricky issue for organizations. Attackers can only be battled by instigating an organization-wide cultural drive that promotes smartphone security consciousness, responsibility, and responsiveness. It requires constant and holistic attention because hackers are relentlessly following where the money and information are.

Arslan Ul Haq is an engineer and control system specialist at Intech Process Automation; Taimoor Shabbir Khan is a marketing executive at Intech Process Automation. Intech Process Automation is a CFE Media content partner. Edited by Joy Chang, digital project manager, jchang@cfemedia.com 

Intech Process Automation is a CSIA member as of 6/30/2015

Original content can be found at Oil and Gas Engineering.