What you can do: Fortunately, solutions that automate data collection and also provide correlation capabilities are available — enabling staff to easily and quickly find the events of interest to them, regardless of the endpoint type, without having to wade through mountains of raw data.
Without the right tools in place, a plant manager may lack complete information and, thus, may get an inaccurate picture of the site’s security and compliance state — and that obviously can precipitate other, bigger problems. Using the appropriate solutions designed for plant environments can greatly help a manager make operational assessments with much greater visibility, accuracy and completeness.
NOT DETECTING ANOMALIES
Closely related to the data overload issue is the inability to spot atypical activities occurring on control systems and network segments. Zero-day attacks (i.e., ones that target system vulnerabilities that are unknown at the time of the attack) can devastate control systems. Because there’s no patch or fix at the ready, great damage often can result.
Many people underestimate the lag time between the launch of an attack and when the patch to the control system is completed. For example, an unknown vulnerability can exist in business and plant environments for several weeks, months or even years before it’s noticed. Once the vulnerability has been discovered, the vendor of the operating system or application should create and release a patch within days or weeks — although this sometimes takes months or longer. Then, the control system vendor must test and approve the patch or hot fix for its system, which can incur a significant additional delay. And finally, once the patch reaches the plant, installation often has to wait due to availability requirements. If plant managers aren’t sweating during every hour, day and week that passes during these often-extended periods, they should be because their critical control systems potentially are exposed and vulnerable.
A prime example of this was the Nitro attacks, which are thought to have started in early 2011 but weren’t discovered until late that year. They targeted 29 companies in the chemical sector alone, and appeared to be an effort to steal intellectual property. Attacks such as these are known as advanced persistent threats or APTs. They are designed to be very stealthy as they slowly accomplish what they’re intended to do. APTs generally are nation-state sponsored and often target industrial environments such as chemical plants. They are extremely difficult to detect.
What you can do: A great tip for helping to detect these types of attacks is to ensure the continuous monitoring of the plant environment, including the control systems and networks. Monitoring not just security and operational events but also the configurations on each endpoint enables establishing a baseline for normal activity. When an activity out of the norm occurs, staff can be quickly alerted to determine its nature. This is similar to exception-based alerting and reporting, and is a great tool for identifying changes in the plant environment. Exception-based tools also are generally automated and designed to reduce the resource overhead for day-to-day security and compliance requirements.
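One way to turn the baseline idea above into working exception-based alerting, as an added example that is not code from the article or from Industrial Defender: each endpoint's services, listening ports and configuration-file hashes are captured once as a baseline, and later snapshots are diffed against it so only deviations are raised. The endpoint names, services, ports and config files are constructed for illustration.

```python
# Added example (not the article's code): exception-based alerting against a
# configuration baseline. All endpoints, services, ports and files are constructed.
import hashlib

def config_hash(text):
    """Hash a config file's contents so edits are detectable without keeping the file."""
    return hashlib.sha256(text.encode()).hexdigest()

def snapshot(services, ports, configs):
    """Normalize one endpoint's state: running services, listening ports, config hashes."""
    return {"services": frozenset(services), "ports": frozenset(ports),
            "configs": {path: config_hash(body) for path, body in configs.items()}}

def find_exceptions(baseline, current):
    """Return (endpoint, kind, detail) tuples for every deviation from the baseline."""
    alerts = []
    for host, base in baseline.items():
        cur = current.get(host)
        if cur is None:  # endpoint stopped reporting: itself an exception worth a ticket
            alerts.append((host, "missing_endpoint", "no current snapshot"))
            continue
        for svc in sorted(cur["services"] - base["services"]):
            alerts.append((host, "new_service", svc))
        for svc in sorted(base["services"] - cur["services"]):
            alerts.append((host, "removed_service", svc))
        for port in sorted(cur["ports"] - base["ports"]):
            alerts.append((host, "new_listening_port", str(port)))
        for path, digest in cur["configs"].items():
            if base["configs"].get(path) != digest:
                alerts.append((host, "config_changed", path))
    return alerts

# Constructed baseline captured during a known-good state of two hypothetical endpoints.
BASELINE = {
    "hmi-01": snapshot({"hmi-runtime", "opc-server"}, {102, 4840},
                       {"/etc/opc.conf": "port=4840"}),
    "plc-gw-02": snapshot({"modbus-proxy"}, {502}, {"/etc/modbus.conf": "unit=1"}),
}
# Constructed later scan: an unapproved remote-access service appeared on hmi-01
# and a configuration file changed on plc-gw-02; everything else is unchanged.
CURRENT = {
    "hmi-01": snapshot({"hmi-runtime", "opc-server", "vnc-server"}, {102, 4840, 5900},
                       {"/etc/opc.conf": "port=4840"}),
    "plc-gw-02": snapshot({"modbus-proxy"}, {502},
                          {"/etc/modbus.conf": "unit=1\nallow_write=all"}),
}
```

Running `find_exceptions(BASELINE, CURRENT)` yields three alerts and nothing for the unchanged items, which is the point: staff review the exceptions rather than the full inventory.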
WORKFLOW LIFECYCLE INTEGRATION
Many plant managers will stop at the collection step and declare their security and compliance efforts a success. However, data collection is just the first step. To be truly successful, plant personnel must be able to collect, analyze and then act on the security and compliance data that have been gathered. By continually iterating over and acting upon the data, a site can track and improve its security and compliance efforts over time.
For example, logging failed logons provides no value by itself. Without an analysis of these events, the plant won’t know of the failed attempts. In addition, if the failures are malicious or the events are from a service configured to use an expired password, they could indicate potential availability issues with the application.
Similarly, just logging events to meet a compliance requirement won’t suffice. How will someone know when log data collection fails or if there’s a gap in the collection? Without tracking the dates, times and failures of log collection, the plant leaves itself vulnerable to a compliance deficiency.
What you can do: Rely on automation for lifecycle integration. Without automation, the data collection, the data analysis and the response processes quickly become unmanageable and unsustainable. All too often, they’re done on a manual and "as needed" basis, if at all, and generally must be repeated in another six to twelve months — giving the plant manager only a snapshot in time of the status of the plant.
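The collect-analyze-act loop described in this section, as an added example that is not code from the article or from Industrial Defender: it takes collected logon events, flags accounts whose failures never resolve (the expired service-account password case above as well as guessing), and checks each host's event stream for silent periods that would indicate a collection failure. The hosts, account names and log lines are constructed for illustration.

```python
# Added example (not the article's code): analyze collected failed-logon events and
# check for gaps in log collection. Hosts, accounts and log lines are constructed.
from collections import Counter
from datetime import datetime, timedelta

# Constructed collector output: "<ISO timestamp> <host> <event> [key=value ...]"
LOG_LINES = """\
2024-03-01T08:00:00 hist-01 LOGON_FAILED user=svc_historian src=10.1.1.20
2024-03-01T08:05:00 hist-01 LOGON_FAILED user=svc_historian src=10.1.1.20
2024-03-01T08:10:00 hist-01 LOGON_FAILED user=svc_historian src=10.1.1.20
2024-03-01T08:15:00 hist-01 LOGON_FAILED user=svc_historian src=10.1.1.20
2024-03-01T10:00:00 hist-01 COLLECTOR_HEARTBEAT
2024-03-01T08:12:00 eng-ws-03 LOGON_FAILED user=operator src=10.1.1.9
2024-03-01T08:12:30 eng-ws-03 LOGON_OK user=operator src=10.1.1.9
"""

def parse(lines):
    """Turn raw lines into dicts with a parsed timestamp plus any key=value fields."""
    events = []
    for line in lines.splitlines():
        ts, host, event, *kv = line.split()
        fields = dict(pair.split("=", 1) for pair in kv)
        events.append({"ts": datetime.fromisoformat(ts), "host": host, "event": event, **fields})
    return events

def repeated_failures(events, threshold=3):
    """Accounts with >= threshold failed logons and no success in the window.
    A service account that never recovers usually means an expired password
    (an availability problem); a human account may mean guessing. Either way
    it is something to act on, not just store."""
    failed = Counter(e.get("user") for e in events if e["event"] == "LOGON_FAILED")
    succeeded = {e.get("user") for e in events if e["event"] == "LOGON_OK"}
    return {u: n for u, n in failed.items() if n >= threshold and u not in succeeded}

def collection_gaps(events, max_gap=timedelta(minutes=30)):
    """Per host, report silent periods longer than max_gap: a collection failure
    that would otherwise surface only as a compliance deficiency later."""
    by_host = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(e["host"], []).append(e["ts"])
    gaps = []
    for host, stamps in by_host.items():
        for earlier, later in zip(stamps, stamps[1:]):
            if later - earlier > max_gap:
                gaps.append((host, earlier.isoformat(), later.isoformat()))
    return gaps
```

With the constructed input, `repeated_failures(parse(LOG_LINES))` reports only `svc_historian` (the operator account failed once and then succeeded), and `collection_gaps` reports the 08:15 to 10:00 silence on hist-01; both outputs are the "act" input a scheduled job would hand to a ticketing or alerting system rather than leaving in a log archive.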
Old approaches to control system design and security are becoming increasingly ineffective in the face of major technology trends and business changes. Forward-thinking plant managers must find effective ways to overcome these new security and operational challenges.
The first step is recognizing that, in many areas of plant security, what has worked in the past likely won’t work in the future. So, it’s crucial to explore new options and develop effective business cases for investing in next-generation plant security technologies. By embracing the changes taking place in the chemical industry and adopting new solutions to address them, plant managers will be able to mitigate risks and capitalize on the terrific opportunities that lie ahead.
JACOB KITCHEL is senior manager of security and compliance for Industrial Defender, Foxborough, Mass. MICHAEL PICCALO is director of customer solutions for Industrial Defender. E-mail them at firstname.lastname@example.org