Tag Archives: Cyber-Attacks

Isolation of Everything

9 January 2016

I am currently preparing a presentation on IT security matters for the plant safety group of the Verband der Chemischen Industrie (VCI). Plant safety and IT security are closely linked, in particular because more and more safety equipment (e.g. safety relief valves) have built-in computers and networking options which allow data gathering and remote configuration and testing up to a certain extend.

To create awareness for the new challenges I searched for examples of successful cyber-attacks in the process industry. Stuxnet comes immediately into mind but is somewhat behind the times. In December 2014 a cyber-attack on a German steel mill was widely reported in the press.

On January 8, 2015 Kim Zetter wrote in WIRED ‘A Cyberattack Has Caused Confirmed Physical Damage for the Second Time Ever’. A post from Greg Masters in SC Magazine on December 23, 2014 was titled ‘Cyberattack fells German iron plant’.

An attacker has to pass some hurdles to get from the Internet to the Process Control System. Usually Process Control Systems (PCS) are well protected by a cascade of firewalls which isolate the control systems from the process plant network and the process plant network from the office network.

But, as in many other cases, the starting point was a phishing attack. In the BSI publication ‘The State of IT Security in Germany 2014’ published on December 17, 2014 we read:

The attackers used spear phishing e-mails in tandem with sophisticated social engineering to gain initial access to the steel mill’s office network. From there they worked their way progressively into the production networks.

The sentence ‘From there they worked their way progressively into the production networks.’ is of particular interest. It indicates a problem that is widely ignored by the plant operators because the firewalls give them a false sense of security.

For simplifying IT operations very often the same Active Directory is used for managing the Windows accounts of the plant operators in the office network and the plant network. But network isolation and segmentation by firewalls blocks traffic only on the OSI layers 1 .. 3, not on layer 7, where Active Directory works. Once an attacker manages to get on the office network it’s only a matter of time when he finds an operator account that grants him access to the plant network.

Thus a first step towards enhanced security in process plants is to isolate the Active Directories in the office and the plant network. In addition, access to email and internet from the plant network must be blocked, if possible with technical means.

The general design principle is ‘Isolation of Everything’ – Cyber attackers raise only a weary smile (LOL) at the Layer over Layer (LoL) approach with firewalls.

Have a good weekend.

Advertisements

A mere detection strategy will fail in the defense of cyber-attacks. Just like a mere prevention strategy.

10 May 2015

Article ‘Falling Off the End of the Cyber Kill Chain’, published by Anup Ghosh, Founder and CEO at Invincea, in the May edition of The Cyber Intelligencer is worth to read and comment.

For years now detection is praised from all cyber defense experts and system vendors as the spearhead in the defense of cyber-attacks. Gartner Security Analyst Neil MacDonald’s puts it succinctly in his tweet: ‘Prevent you may, Detect you must!’

Just set up a SIEM system and record any events from any server, database, firewall, application server, network, etc. With big data methods your data scientist will find every small hint to a cyber-attack from this universe of data, in the best case only some minutes after the attack happened, in the worst case some month later or never. In the meantime the cyber attackers will quietly copy your intellectual property.

A mere detection strategy in the defense of cyber-attacks is doomed to failure, just like a mere prevention strategy.

Just a short example. Let us assume that your Windows 2012 member servers are well protected, with the latest security features configured and the latest patches installed. One of your administrators becomes a victim of a phishing attack. An attacker steals the password for the administrator account of one of your member servers and signs in to the system. He debugs the LSASS process to get access to the password hashes or the plain text password or runs a DLL injection attack against the LSASS process.

Both events are recorded in the event log of the member server. Both events are hints to cyber-attacks and must be directly investigated. But it is very likely that these events are never investigated because no one checks the logs in time.

But if your SIEM system regularly collects the critical events from your member servers the attacks are detected within minutes and proper measures can be taken.

In my opinion a successful defense strategy requires a finely balanced mixture of both detection and prevention. SIEM comes into play when all other protection measures have failed. It should be neither the first nor the sole line of defense.

Take care!