In the past, cyber attacks were more inconvenient than dangerous or life-threatening. Sure, Internet access might be interrupted, data and records could be lost, and credit card numbers and money might be stolen, but there was no risk of physical harm, right? Well, it’s past time to reconsider. When the lights go out and electricity is lost during a utility’s grid outage, or oil and gas or chemical plants can’t shut down safely due to losing power and risk hazardous releases or explosions, the impact of today’s cyber attacks can quickly go from annoying to potentially injurious or even lethal. Just as with any supplier of essential services, drug and chemical manufacturers are facing the new reality that days, weeks or months of unplanned downtime due to malware can put lives at risk.
“Many organizations have increased their cybersecurity awareness following high-profile attacks such as WannaCry, NotPetya and Triton/Trisis, and we’ve seen many organizations launching larger initiatives, and investing in protecting their businesses,” says Jacob Chapman, Director, Industrial IT and Cybersecurity at Grantek, a CSIA-certified system integrator (SI) and business consultant headquartered in Burlington, Ontario, Canada. “It’s a rapidly evolving space in the industry. As time goes on the amount of systems at risk, and the sophistication of attacks, are both increasing. When inquiring about Grantek’s cybersecurity assessment process, people used to ask about network connectivity, but now they want to know about asset inventories and threat assessments because they’re doing more cybersecurity related homework before contacting us.”
CIS from SANS
Chapman reports that Grantek recommends the CIS Critical Security Controls for Effective Cyber Defense. They were originally known as the SANS Top 20 Critical Security Controls because they were developed by the SANS Institute, though they are now owned and maintained by the Center for Internet Security.
“We follow CIS Critical Security Controls because they’re logical, all the way to Step 20, which is penetration testing and red team exercises,” says Chapman. “Customers ask about these, but we stress laying the groundwork first, and performing continuous vulnerability assessments and remediation until they become part of the organization’s culture. Too many organizations starting to address cybersecurity believe it’s just a technology change that can be upgraded into, but that’s not the case, and will not be successful in the long-term. However, the first two steps let users know about their threat landscape, and just doing the top five can eliminate 80% of cyber threats from a technology perspective.” These first five steps are:
Inventory authorized and unauthorized devices;
Inventory of authorized and unauthorized software;
Secure configurations for hardware and software on mobile devices, laptops, workstations and servers;
Continuous vulnerability assessment and remediation; and
Controlled use of administrative privileges.
Chapman explains that these and the remaining 15 steps and sub-steps in the CIS Critical Security Controls show users how to protect their applications, even as the proliferation of Ethernet-based, Internet protocol (IP) networks and connections has created avenues that cyber probes, intrusions and malware can use to gain access before pivoting and staging attacks. “This is why vulnerability assessments and remediation such as patching policies are needed,” says Chapman. “Users need access to networks and data, but you can’t grant it carte blanche, which means administrative privileges must be controlled.”
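The first two controls only pay off if the written inventory is regularly checked against what is actually on the plant network. The following script is an added example, not Grantek's or CIS's tooling: it reconciles a constructed authorized asset list against a constructed set of observed devices (as a switch MAC table or passive monitor might report them), and flags unknown devices (Control 1), software that no longer matches the record (Control 2), and assets past vendor support, which are the candidates for patching or for the kind of VLAN isolation described later in the article. All MAC addresses, hostnames and the PLC end-of-support date are made up; the Windows XP date is the real one.

```python
"""Reconcile an authorized OT asset inventory against devices observed on the network.

Added example illustrating CIS Controls 1 and 2 (inventory of authorized and
unauthorized devices and software). Every MAC, hostname and IP address here is
constructed; the PLC end-of-support date is a placeholder, not a vendor date.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Asset:
    mac: str
    hostname: str
    role: str
    software: str                 # OS or firmware the asset is recorded as running
    support_ends: Optional[date]  # vendor end-of-support date; None if still supported


def norm_mac(mac: str) -> str:
    """Normalize MAC notation so '00-1D-9C-..' and '00:1d:9c:..' compare equal."""
    return mac.strip().replace("-", ":").lower()


# Constructed authorized inventory: what the plant believes is on the OT network.
AUTHORIZED: Dict[str, Asset] = {
    a.mac: a for a in [
        Asset("00:1d:9c:aa:00:01", "hmi-line1", "HMI", "Windows XP SP3", date(2014, 4, 8)),
        Asset("00:1d:9c:aa:00:02", "eng-ws1", "engineering workstation", "Windows 10 LTSC 2019", None),
        # Placeholder end-of-support date for a legacy controller (constructed, not a vendor date).
        Asset("00:1d:9c:aa:00:03", "plc-conv1", "PLC", "legacy PLC firmware 1.2", date(2019, 12, 31)),
    ]
}

# Constructed observation: (mac, ip, software fingerprint) as a passive monitor might report.
OBSERVED: List[Tuple[str, str, str]] = [
    ("00-1D-9C-AA-00-01", "10.20.1.11", "Windows XP SP3"),
    ("00-1D-9C-AA-00-02", "10.20.1.12", "Windows 10 LTSC 2019"),
    ("00-1D-9C-AA-00-03", "10.20.1.21", "legacy PLC firmware 1.3"),  # firmware differs from the record
    ("A4-5E-60-12-34-56", "10.20.1.77", "Windows 11"),                # not in the inventory at all
]

# Fixed "today" so the example is reproducible (constructed).
AS_OF = date(2024, 1, 1)


def reconcile(authorized: Dict[str, Asset],
              observed: List[Tuple[str, str, str]],
              today: date) -> Dict[str, List[str]]:
    """Compare inventory with observation; return MACs grouped by finding type."""
    seen: Dict[str, Tuple[str, str]] = {}
    for mac, ip, software in observed:
        seen[norm_mac(mac)] = (ip, software)

    # Control 1: devices on the wire that nobody authorized, and authorized devices that vanished.
    unauthorized = sorted(m for m in seen if m not in authorized)
    missing = sorted(m for m in authorized if m not in seen)
    # Control 2: software/firmware that no longer matches what the inventory says.
    software_drift = sorted(m for m, (_ip, sw) in seen.items()
                            if m in authorized and authorized[m].software != sw)
    # Assets past vendor support: patch if possible, otherwise isolate on their own VLAN.
    unsupported = sorted(m for m, a in authorized.items()
                         if a.support_ends is not None and a.support_ends < today)
    return {
        "unauthorized": unauthorized,
        "missing": missing,
        "software_drift": software_drift,
        "unsupported": unsupported,
    }


def run_example() -> Dict[str, List[str]]:
    """Run the reconciliation over the constructed data above."""
    return reconcile(AUTHORIZED, OBSERVED, AS_OF)


def describe(findings: Dict[str, List[str]], authorized: Dict[str, Asset]) -> List[str]:
    """Turn findings into one action line per asset for the remediation backlog."""
    lines = []
    for mac in findings["unauthorized"]:
        lines.append(f"{mac}: not in inventory; identify owner or remove from network")
    for mac in findings["missing"]:
        lines.append(f"{mac} ({authorized[mac].hostname}): in inventory but not seen; confirm decommissioned")
    for mac in findings["software_drift"]:
        lines.append(f"{mac} ({authorized[mac].hostname}): software changed; update record or investigate")
    for mac in findings["unsupported"]:
        a = authorized[mac]
        lines.append(f"{mac} ({a.hostname}): {a.software} unsupported since {a.support_ends}; "
                     f"budget replacement, isolate on dedicated VLAN meanwhile")
    return lines


if __name__ == "__main__":
    for line in describe(run_example(), AUTHORIZED):
        print(line)
```

Run it as-is to see the four findings on the constructed data; in practice the observed list would come from a switch MAC table export or a passive asset-discovery tool, and the authorized list from the plant's maintained inventory. The point of the exercise is the recurring diff, not the one-off scan: a device that was not in the inventory yesterday is the signal worth investigating.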
Chocolate and conveyors
Chapman adds that Grantek recently worked on a chocolate liquor application that was looking at upgrading its legacy Siemens PCS7 controls, which included performing a cybersecurity risk assessment (RA), and deciding whether to retain their Windows XP software for another year. “We identified vulnerabilities, including business and plant connections,” he says. “However, more than a year and a half ago, this client decided not to act, and a year ago, they were hit with a crypto-worm ransomware attack that transmitted itself between systems, took down all their production, cost a lot of money, and sacrificed a lot of brand recognition.”
Grantek helped the chocolate company recover, restore production, and reassess and remediate its sites. “We identified legacy and unsupported hardware and software, and built a lifecycle budget for switching out old components,” adds Chapman. “To implement a defense-in-depth approach to reduce risk, we isolated assets that couldn’t be fixed right now by using a separate virtual local area network (VLAN) and firewalled their communications.”
Likewise, Chapman adds that Grantek also recently partnered with Panduit Professional Services to upgrade the network infrastructure serving 5,000 feet of conveyors that deliver coal and limestone to an electric utility’s 20-acre, coal-fired plant with two 400-MW generating units and remove ash for recycling. This ship-unloading, storage, generation and disposal material handling system uses distributed I/O that relied on 20-year-old, outdated Allen-Bradley PLC-5 controllers running on a ControlNet network over coaxial cable, which was equally outdated and unable to accept new equipment and other updates. The challenge was to upgrade to an Ethernet-based infrastructure with security designed in rather than simply added on.
Panduit conducted a physical network assessment, and upgraded from Level 1 to Level 3, while Grantek provided a logical assessment and network design, access layer mapping, project management services, training and cybersecurity services. The design also detailed network architecture, IP/VLAN details and firewall rules. Grantek also configured and tested the network switches before delivery to ensure rapid deployment during commissioning. The result was a $4.7-million, single-mode, star-topology, fiber-optic backbone and Ethernet network that was installed with Panduit’s Quick Deploy service, which also added Rockwell Automation’s ControlLogix controllers and Stratix Ethernet switches, and Cisco’s switch distribution layer.
“The network for the conveyors didn’t have cybersecurity before, but needed it now for the new controls, monitoring and other tools it was adding,” says Chapman. “The plant’s ship unloading equipment also upgraded to a unidirectional, narrow-beam antenna, natively encrypted IEEE 802.11 wireless communications, and ThinManager software to improve reliability and reduce interference. The main lesson with a cybersecurity effort is don’t get overwhelmed to the point of inaction. Just start with a good cybersecurity risk assessment (RA), and begin to invest in hardware and software where it makes the most sense.”