Tag Archives: #pauto

Is Malware the Achilles Heel of the IIoT?

Insiderlogo3Is Malware the Achilles Heel of the IIoT?
By Walt Boyes

(Originally published in the December 2017 Industrial Automation and Process Control INSIDER)

The big appeal of the Industrial Internet of Things is the potential vast increase of meaningful information we could obtain by increasing the sheer number of sensors and the analytical methodologies of Big Data and the latest visualization tools for working with that data. The central axiom of the IIoT is that this information will be used to operate plants and even entire enterprises much more profitably.

There are some obvious problems with this axiom, It is pretty glaring that you have to collect the right information. It doesn’t help to add 100 or 1000 sensors to a process if the values of those sensors aren’t critical information. The problems don’t stop there.

We have pointed out before that the cost of sensors must decrease dramatically be- fore the IIoT can become a reality. I remember hearing a friend from Shell saying that if they needed a measurement, they’d be willing to pay for it. The flip side of that is that if the cost of making those measurements goes down substantially, the impetus for needing the measurement goes up.

But the real issue that IIoT boosters don’t want to talk about is security.
There are two basic schools of thought about IIoT security. One is that nobody would try to penetrate a network through its edge devices. The other is that the problem is so large that it is basically unsolvable, so who cares.

The first school of thought is the same old “security by obscurity” nonsense. Our concepts of cyber security have been formed by network-centric security experts. There have been some lonely security researchers, like Joe Weiss, and others like the INSIDER who have been pointing this bias out for years. And for years, we have noticed a steadily growing number of “security researchers” at Blackhat and other gatherings, who have concentrated their research on network penetration through the sensor network.

The other school of thought is much more pervasive and even more insidious. This claim is the reason that there is always the next patch coming out for software. You can’t solve the problem because there are always smarter black hats.

Somehow, it seems to us, that both schools of thought are missing the point. Which is that if the potential users of the Industrial Internet of Things see that from a cost-benefit viewpoint the potential loss from an attack far outweighs the potential gain from all that beautiful information, adoption of the IIoT will stall.

We are already seeing this in the commercial IoT world. Sales of Nest thermostats and household control systems have stalled. People are concerned. Now, with the latest revelations about inherent design flaws in Intel, AMD, and other processor chips, they are becoming frightened. All they can see to do is to pray that nobody ever attacks them. And we see the same fear in the industrial space.
So, if the IIoT is to be a success, we have to focus on two things. First and foremost, we need to make security inherent in every de- vice and the firmware and software that runs on them, from field sensor to process controller to MES and ERP systems.

And, second, we need to focus on providing the right information at the right time, or there will be no value add with the IIoT.
End users vote with their feet, and their dollars, pounds, euros, pesos and yuan. For all the ballyhooed new IIoT centric plants, there are dozens more built to the old standards, because we are sure that they work, and the perceived risk is less.

Change the risk and the IIoT will grow to its potential.

If you liked this content, and want to see more, visit http://www.spitzerandboyes.com/insider to subscribe.

 

HIMA talks SIS Cyber

Insiderlogo3HIMA, the largest independent safety instrumented system manufacturer, today released this press release:

(Houston, TX, January 11, 2018)

In late 2017 the ICS cybersecurity specialist Dragos announced that a safety controller (SIS) of a HIMA competitor in a process facility in the Middle East had been targeted by a new malware attack and successfully hacked. The SIS was compromised, leading to a shutdown of the facility. The professional execution of the attack again clearly shows that facility operators need to take the subject of cybersecurity very seriously. HIMA, a leading global independent vendor of smart safety solutions for the process industry, therefore offers to provide expert consulting on the subject of cybersecurity in safety-critical systems.

The above-mentioned cyberattack represents a new dimension of cyber threats to critical infrastructure. According to current knowledge, it was specifically planned and designed to target the SIS of a particular manufacturer. This sort of attack on a SIS, the first ever seen worldwide, is very sophisticated and only possible with significant effort.

Dr Alexander Horch, Vice President Research, Development & Product Management at HIMA, comments: “The incident with our competitor should serve as a wake-up call for all of us and further enhance awareness of the subject of cybersecurity in the industry. Work processes and organizational deficiencies are by far the most common areas of vulnerability for successful cyberattacks. System interfaces that remain open during operation and can be used to program the systems concerned, for example, give attackers a potential point of access. We urgently advise facility operators to not rely solely on cyber safe components, but instead to establish a comprehensive security concept for their own facilities.”

To achieve maximum safety and security, it is especially important for facility operators to implement the requirements of the standards for functional safety and automation security (IEC 61511 and IEC 62443) for physical separation between process control systems and safety and security systems.

In addition to providing automation solutions conforming to relevant national and international standards, HIMA supports plant engineers and operators in developing security concepts for the entire life cycle.
“For facility operators it is important to constantly keep an eye on potential forms of manipulation. In this regard, safety-critical applications are fundamentally different from other industrial PLC or office applications. Considerable expertise is necessary to ensure cybersecurity in safety applications. Maintaining and constantly refining security often poses a challenge to facility operators. It is therefore advisable to draw on the services of experienced safety and security experts in order to jointly develop and implement effective concepts”, says Heiko Schween, a security expert at HIMA.

December 2017 INSIDER discusses cyber-badness

Insiderlogo3The December 2017 INSIDER has been released. The cover story, “Extreme Badness from Malware and Design Flaws Impact Industry” discusses the two cyber issues impacting the ICS community that surfaced in late December: the Triton Exploit and Spectre and Meltdown. The INSIDER has been discussing this for years, and your editor and Joe Weiss beat the drum for years at Control magazine. The late Robert Adamski called something like the Triton Exploit “Adamski’s Nightmare.” It has been infecting my dreams since 2004, and I am pleased to pass it along to you. If you aren’t afraid yet, you haven’t been paying attention.

In the Health Watch, NIck Denbow and I look at the state of the Automation Industry through the lens of ABB, and we take a look at Endress+Hauser’s alliances, distribution, and newest product and what it means for Millenials as they become engineers and operators.

Rajabahadur Arcot’s article, “India’s expanding economy and emerging growth opportunities” rounds out the last issue of 2017.

If you’re not a subscriber, visit Become an INSIDER and subscribe. Individual subscriptions are $500 per year…that works out to less than $40 a month for the best news and commentary in the industry. Corporate subscriptions are also available. Contact David Spitzer for details.

 

 

 

Happy Holidays!

Insiderlogo3The staff of the INSIDER and Spitzer and Boyes LLC want to wish you all Happy Holidays, whichever tradition you follow. May your holidays be merry, and may your next year be better than this one. We hope your lives are filled with love and plenty, and your families be happy and secure.

With All Our Best Wishes!

 

 

Schneider Releases Triconex Malware Advisory

Insiderlogo3From the Schneider Electric announcement:
Malware Discovered Affecting Triconex Safety Controllers V1.1 December 14, 2017
Overview
____________________________________________________________________________
Schneider Electric is aware of a directed incident affecting a single customer’s Triconex Tricon safety shutdown system.
____________________________________________________________________________
We are working closely with our customer, independent cybersecurity organizations and ICS- CERT to investigate and mitigate the risks of this type of attack. While evidence suggests this was an isolated incident and not due to a vulnerability in the Triconex system or its program code, we continue to investigate whether there are additional attack vectors. It is important to note that in this instance, the Triconex system responded appropriately, safely shutting down plant operations. No harm was incurred by the customer or the environment.
Triconex user documentation contains detailed security guidelines and recommendations on how to protect Triconex systems from attack. We strongly encourage all our customers to follow these recommendations regarding product use and security, as well as apply and follow industry-recognized cybersecurity best practices at all times to protect their installations:
• Ensure the cybersecurity features in Triconex solutions are always enabled;
• Never leave the front panel key position in the “Program” mode when not actively
configuring the controller;
• And ensure all TriStation terminals, safety controllers and the safety network are isolated
from the rest of the plant communication channels.
Also, review and assess your site’s cyber preparedness. Schneider Electric is a proponent of the NIST Cyber Security Framework and is ready to assist should this be necessary.
The Schneider Electric Product Security Office continues to work with ICS-CERT and will update this advisory as more information becomes available.
Details
The modules of this malware are designed to disrupt Triconex safety controllers, which are used widely in critical infrastructure. The malware requires the keyswitch to be in the “PROGRAM” mode in order to deliver its payload. Among others, the reported malware has the capability to scan and map the industrial control system environment to provide reconnaissance and issue commands directly to Tricon safety controllers.

Emerson Acquires New Temperature Company

Insiderlogo3No, not Emerson Automation Solutions, it’s Emerson Commercial and Residential Solutions. It is automation, just not process. This is an example of the pervasiveness of automation, and how the Industrial Internet of Things can be applied to supply chain management, including preservation ing the cold chain.

This is more important than it sounds. Here’s a simple example. Years ago, Haagen Dazs ice cream wanted to extend distribution to the West Coast. The attempt almost failed. The ice cream tasted terrible when it got to LA and San Francisco. Finally, Ball Datatrace encapsulated temperature dataloggers were inserted directly into the ice cream containers. What was happening was that the truckers were turning off the reefers to save money on fuel. So the ice cream melted and re-froze. Yuk! Preserving the cold chain was critical to their business expansion.

From the article in the St. Louis Business Journal:

Emerson is acquiring Cooper-Atkins, a manufacturer of temperature management devices for the foodservice, healthcare and industrial markets.

Middlefield, Connecticut-based Cooper-Atkins makes automated temperature management and monitoring products for restaurants, supermarkets and other establishments that prepare and store food. The company’s offerings will complement Emerson’s existing global cold chain business, which includes its ProAct Services portfolio for supermarkets and Cargo Solutions business for tracking perishable cargo.

Terms of the deal were not disclosed.

Major Cyber Attack on SIS Systems–and we told you so!

Insiderlogo3The late Bob Adamski didn’t live to see his prediction from the early 2000s come true, but it has. Here are some of the reports:

From FireEye, on 12/14/17:

Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure

And on 12/15,

New TRITON ICS Malware is Bold and Important

Bob and I, and Joe Weiss, have been continuously predicting this development since at least 2004. Yet it is now 2017, and the systems are still vulnerable. This is stupid.

Although the attack apparently only accidentally shut down the plant, during a search for operational data, the attack could have easily been used to destroy the plant utterly by spoofing the SIS system and using it to cause extremely unsafe conditions leading to catastrophic accidents.

At some point, somebody has to be willing to recognize how fragile OT systems are, really, and how easily they can be disrupted. It is said that our civilization is three days from anarchy. The late Dr. Jerry Pournelle, inventor of the Star Wars Defense for Ronald Reagan, said we were three weeks from cannibalism if the lights went out and stayed out.

This is seriously dangerous, folks, and I am tired, and Joe Weiss is tired, and Bob Adamski was tired before he died, of being told we are fear-mongering. We aren’t. And now we can prove it.

 

 

 

Nobody Is Doing Anything About Cyber Security

Insiderlogo3At the INSIDER we’ve been saying this for years. The adoption of even basic cyber security actions in the industrial space is very low. Many companies believe that they are “pretty safe” because they are relatively obscure. But I recall a conversation with the head of IT of a regional potato chip company about 7 or 8 years ago: “I never thought anybody would cyber attack us. We make potato chips, for God’s sake.”

Honeywell, which has maintained a very high emphasis on cyber security in the industrial environment for over a decade now, sponsored a report by LNS Research on adoption of cyber security practices.

Here’s the press release with the study’s findings. All we can say is, “Wake up, people!”

The issue has gone beyond lack of knowledge. As Joy Ward, Spitzer and Boyes LLC’s director of research says, if you put together a good intellectual argument, and nobody is buying, you are looking at high emotional barriers. She recommends doing some serious qualitative research to determine what those barriers are, so that the intellectual argument can be adjusted and become effective.

Either that, or we need to prepare for a cyber disaster of enormous proportions.

 

HONEYWELL SURVEY SHOWS LOW ADOPTION OF INDUSTRIAL CYBER SECURITY MEASURES

Almost two thirds of surveyed companies don’t monitor for suspicious behavior

HOUSTON, December 6, 2017 – Honeywell (NYSE: HON) today released a new study showing industrial companies are not moving quickly to adopt cyber security measures to protect their data and operations, even as attacks have increased around the globe.
The survey – Putting Industrial Cyber Security at the Top of the CEO Agenda – was conducted by LNS Research and sponsored by Honeywell. It polled 130 strategic decision makers from industrial companies about their approach to the Industrial Internet of Things (IIoT), and their use of industrial cyber security technologies and practices. Among the findings were:
• More than half of respondents reported working in an industrial facility that already has had a cyber security breach.
• 45% of the responding companies still do not have an accountable enterprise leader for cyber security.
• Only 37% are monitoring for suspicious behavior.
• Although many companies are conducting regular risk assessments, 20% are not doing them at all.
“Decision makers are more aware of threats and some progress has been made to address them, but this report reinforces that cyber security fundamentals haven’t been adopted by a significant portion of the industrial community,” said Jeff Zindel, vice president and general manager, Honeywell Industrial Cyber Security. “In order to take advantage of the tremendous benefits of industrial digital transformation and IIoT, companies must improve their cyber security defenses and adapt to the heightened threat landscape now.”
The study suggests these three immediate actions for any industrial organization to capture the value of the new technologies:
1. Making industrial cyber security part of digital transformation strategies;
2. Driving best practice adoption across people, processes and technology, from access controls to risk monitoring, and tap external cyber expertise to fill gaps
3. Focusing on empowering leaders and building an organizational structure that breaks down the silos between IT and OT.
“Cyber security needs to be part of every CEO’s agenda to ensure the effective, immediate and long-term deployment of strategies and technologies such as IIoT,” said Matthew Littlefield, president and principal analyst, LNS Research. “In short, in order for a business to succeed on its digital transformation journey, it needs to succeed with industrial cyber security.”
LNS Research is a global leader in research and advisory for digital transformation of industry, delivering technology insights for business executives. Its analysts focus on identifying the metrics, leadership, business process, and technology capabilities effecting change.
​Honeywell’s industrial cyber security technologies and expertise address many of the issues identified in the LNS Research study. For more information, please visit https://hwll.co/uhrgs and www.becybersecure.com.

 

PR Wall of Shame: Don’t Misspell the Client’s Name!

Last week, my eye was caught by an email sent by one of the large industry magazines on behalf of a client. It was hawking a white paper that someone from the client had either written or had had ghosted for them. The problem wasn’t the content, it was the fact that the client’s email address had been misspelled and hysterically so.

I notified a couple of executives at the client company, and didn’t think about it again, until this morning when I received another white paper pushing email from the same magazine, again with the client’s name misspelled.

Come on, folks! Doing it once is (barely) acceptable— everybody makes misteaks. But twice? That’s worthy of the Wall of Shame.

I sincerely hope that the client, who is always very concerned about loss of face, gets their money back on this one.

The INSIDER for August 2017 emailed yesterday!

I’ve been fighting off a flu bug, so it was a few days later than I wanted it to be…but it is out. I will be posting some articles from it throughout the month, but if you want to read them now, visit http://www.spitzerandboyes.com/insider to subscribe.

The cover story in the August INSIDER is an Insider Special Report on “Cyber Security in the Age of the Industrial Internet of Things.” I think you will find it thought provoking.