Isolation of Everything

9 January 2016

I am currently preparing a presentation on IT security matters for the plant safety group of the Verband der Chemischen Industrie (VCI). Plant safety and IT security are closely linked, in particular because more and more safety equipment (e.g. safety relief valves) has built-in computers and networking options which allow data gathering and, to a certain extent, remote configuration and testing.

To create awareness for the new challenges I searched for examples of successful cyber-attacks in the process industry. Stuxnet immediately comes to mind but is somewhat behind the times. In December 2014 a cyber-attack on a German steel mill was widely reported in the press.

On January 8, 2015 Kim Zetter wrote in WIRED ‘A Cyberattack Has Caused Confirmed Physical Damage for the Second Time Ever’. A post from Greg Masters in SC Magazine on December 23, 2014 was titled ‘Cyberattack fells German iron plant’.

An attacker has to pass some hurdles to get from the Internet to the Process Control System. Usually Process Control Systems (PCS) are well protected by a cascade of firewalls which isolate the control systems from the process plant network and the process plant network from the office network.

But, as in many other cases, the starting point was a phishing attack. In the BSI publication ‘The State of IT Security in Germany 2014’ published on December 17, 2014 we read:

The attackers used spear phishing e-mails in tandem with sophisticated social engineering to gain initial access to the steel mill’s office network. From there they worked their way progressively into the production networks.

The sentence ‘From there they worked their way progressively into the production networks.’ is of particular interest. It indicates a problem that is widely ignored by the plant operators because the firewalls give them a false sense of security.

To simplify IT operations, very often the same Active Directory is used for managing the Windows accounts of the plant operators in both the office network and the plant network. But network isolation and segmentation by firewalls blocks traffic only on OSI layers 1 .. 3, not on layer 7, where Active Directory works. Once an attacker manages to get onto the office network it is only a matter of time until he finds an operator account that grants him access to the plant network.

Thus a first step towards enhanced security in process plants is to isolate the Active Directories in the office and the plant network. In addition, access to email and internet from the plant network must be blocked, if possible with technical means.
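As an added illustration of the argument above (not code from the post), the following toy model shows why a layer-3 firewall does not isolate identity: a credential phished in the office zone is valid on every host joined to the same domain, so any logon port the firewall opens for operators becomes a path into the plant network. Host names, zones, domain names and firewall rules are constructed sample values.

```python
"""Toy model: shared Active Directory across firewall-separated zones.

Constructed example (assumed values, not from the post). Each host is joined
to one AD domain and sits in one zone; zones are separated by layer-3
firewall rules expressed as sets of permitted TCP ports.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Host:
    name: str
    zone: str      # "office", "plant" or "control"
    domain: str    # AD domain the host is joined to

LOGON_PORTS = {445, 3389}   # SMB and RDP both accept domain credentials

def logon_paths(hosts, fw_rules, attacker_zone, cred_domain):
    """Return the hosts that a credential from `cred_domain`, used from
    `attacker_zone`, can log on to: the host must trust the same domain and
    a logon port must be open from the attacker's zone to the host's zone
    (hosts in the attacker's own zone are always reachable)."""
    reachable = []
    for h in hosts:
        if h.domain != cred_domain:
            continue                      # credential is not valid here
        allowed = fw_rules.get((attacker_zone, h.zone), set())
        if h.zone == attacker_zone or allowed & LOGON_PORTS:
            reachable.append(h.name)
    return sorted(reachable)

def internet_egress_zones(fw_rules):
    """Zones other than the office that still have a rule towards the
    Internet (the post asks for plant-side e-mail/Internet to be blocked)."""
    return sorted(src for (src, dst) in fw_rules
                  if dst == "internet" and src != "office")

# Constructed sample: office and plant share the domain CORP, the pattern the
# post warns about; the control network already has its own domain.
SHARED = [Host("office-pc1", "office", "CORP"),
          Host("hmi-station", "plant", "CORP"),
          Host("scada-srv", "plant", "CORP"),
          Host("plc-eng", "control", "CTRL")]
# Firewall passes Kerberos/LDAP so plant hosts can reach the DC, and RDP so
# operators can work from the office; control zone accepts Modbus only.
FW = {("office", "plant"): {88, 389, 3389},
      ("plant", "control"): {502},
      ("office", "internet"): {80, 443}}

# Remediation from the post: a separate domain per zone, firewall unchanged.
ISOLATED = [Host(h.name, h.zone, {"office": "OFFICE", "plant": "PLANT"}
                 .get(h.zone, h.domain)) for h in SHARED]

if __name__ == "__main__":
    print("shared AD  :", logon_paths(SHARED, FW, "office", "CORP"))
    print("isolated AD:", logon_paths(ISOLATED, FW, "office", "OFFICE"))
```

With the shared domain the office credential reaches both plant hosts through the operator RDP rule; after splitting the domains the same firewall policy leaves only the office workstation reachable.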

The general design principle is ‘Isolation of Everything’ – Cyber attackers raise only a weary smile (LOL) at the Layer over Layer (LoL) approach with firewalls.

Have a good weekend.

4 thoughts on “Isolation of Everything”

  1. Connie Sweet Sky

    Dear Klaus,
    I appreciate the work you’re doing. It is 1/12/2016. Today I received a cryptic message
    from (I’m in California)…Nothing was in the body except a pale green rectangle. I did not download the image. The site announced that it had been hacked and everyone’s emails and passwords had been stolen. The site claimed to have changed them.
    So I requested a new password link, accessed my account which I hadn’t used in quite a while and deleted it. Later, I decided to update Windows Defender and let it do a slow, deep search.
    Sure enough, so far, one Peals D!Plock has been found and quarantined. That is how I found your site, googling to find out what the Trojan does. I don’t think I got it from an email, but since I don’t know where it came from…. I never open attachments or zips, etc. In 1998, I WAS doing that and lost everything off my hard drive 3 times! My computer repairman raised hades with me! Since then, I am always very, very careful. Since I don’t remember my password for, I’m going to change the passwords on the sites I frequent as I read that the hackers will now search for it on sites and attempt to hack into my accounts.

    Last summer, I got an email from Walmart advising that they were mailing out the two computers I’d just ordered online. WHHHAAAAT?? I called them right away and they gave me the information. They had tried to change my email address, but the notice was sent before they had a chance, but the address was sent to a trucking agency in Los Angeles County. I’m in Orange County. I looked up the address Walmart gave me and found a phone # for the trucking business. The woman who answered told me she was the owner, but hadn’t been at that location in five years. Also, she was getting calls from people with Walmart credit cards asking what happened to the merchandise they’d bought. Walmart wouldn’t do anything for her because she wasn’t the party with the loss! Neither would the police for the same reason.
    She said an LA cop at church was going to help her. I then found her address changed to another trucking name. I googled it and it had taken over the names of other trucking company addresses literally all over the STATE! I passed all that along to her in an email so the policeman she knew could run checks. I canceled my Walmart account.

    Also, last summer I was at Starbucks in Long Beach, California and went to Netflix to watch a movie. Someone else was in the middle of watching a movie on my account! And had added on two more email addresses to my account! I called Netflix and the phone rep immediately shut them out. He told me that they could be anywhere in the world. I canceled my Netflix account.

    I’ve learned about Stuxnet on Netflix at a friend’s house this week. It’s already obsolete?
    The info on Quantum calculations was over my head, but somewhat understandable…being in 2 places at the same time at the microlevel. Someday they’ll just swim in between the molecules and atoms, perhaps like in a photon pinball machine.

    Nice reading your posts!

  2. Connie Sweet Sky

    Klaus, cyber crime can come from anywhere around the globe! That’s what makes the internet so unique and, perhaps, so troublesome at times. The Netflix rep told me those people who hacked into my account could be anywhere watching that action movie via my account! Someone signed into my Yahoo mail account 7 days ago from Pennsylvania! I’m in California. I did change my password, but it had been the same since 2007 with no problems. It’s like lightning striking…BAM! and it’s gone again!!

Comments are closed.