One recent Saturday, I took my four-year-old son to his soccer game. I sat in the stands with Kevin, the father of some of the other children. Kevin is a lead process engineer for a large chemical plant in Texas City, Texas. He stays extremely busy at the plant, and on this particular day he looked more exhausted than usual. Kevin explained that his family had been up since dawn volunteering at a charity event his company had sponsored. He mentioned that it was good exposure for his company, which is recognized for sponsoring events for this well-known charity.
As with most friends, Kevin and I always ask how work is going and what’s new. He proceeded to tell me about his company’s push for better cyber security. His firm already had installed firewalls to segment its production process networks and now was taking steps to establish an electronic perimeter around its production process assets, such as the distributed control system. At the moment the company was alerting its staff to the dangers of e-mail “phishing” attacks. I told Kevin that was “a good start” toward building cyber security awareness among all employees. My comment piqued his curiosity. He asked what else a malicious person could do to gain access to the plant’s process networks and assets.
Phishing or “spear phishing” attacks have received a lot of attention over the past several years. Spear phishing is especially effective because these e-mails are directed to individuals about whom the attacker has some knowledge, such as the intended victim’s line of work, company or personal interests. Companies have started informing employees of the tactics used by attackers and, as a result, predators are beginning to use different methods, such as a watering hole attack.
“Watering hole” describes the method used to deliver an attack. The attack might be an infected webpage intended to deliver malware, a link on the webpage designed to redirect the user to a compromised website, or free software that contains malicious code. The common goal is to obtain access to and compromise the victim’s workstation. Attackers prefer a workplace workstation, but a compromised company laptop or home personal computer that is used to connect to a company network through a VPN [virtual private network] tunnel is just as good. After all, chances are the targeted user visits the same websites both at home and at work.
Watering hole attackers rely on the intended target to come to them rather than phish for their victims. Predators stake out the watering hole, waiting for their prey to visit. Attackers can use a company’s newsletter or associations to identify potential watering holes. For example, Kevin’s company is known for sponsoring certain charities and proudly mentions this on its website and in newsletters and press releases. Charitable groups or non-profit organizations might not have the same stringent cyber-security controls in place as a chemical company. Even a company’s credit union could be a good watering hole stake-out; an online banking portal may boast “secure online banking” because of some security controls — but all it takes is a single security vulnerability on a webpage, so these types of websites are prime watering holes.
For example, in January 2013, the U.S. Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) learned of watering hole attacks against the Council on Foreign Relations and Capstone Turbine Corporation, in which attackers planted malware on those organizations’ websites to infect visitors. ICS-CERT was concerned that sophisticated attackers could leverage this technique to target owners of critical infrastructure assets.
Kevin was intrigued by the idea of a watering hole attack and said he was glad there was a firewall between the business local area network and the process network. Unfortunately, I explained to my friend, most companies fail to properly identify and protect all their assets that may rank high as targets. A plant training simulator is a good example. Whether in the chemical, energy or nuclear industry, regulations that place stringent cyber-security controls on critical assets exclude most simulators. That’s why a simulator can be a perfect way for an attacker to gain the necessary knowledge of the plant to exploit critical assets. Although plant training simulators don’t directly connect to critical assets, they do contain valuable information; regrettably, they sometimes are maintained by the training group, corporate IT, a designated engineering group or an outsourced entity, all of which might not place adequate emphasis on cyber security.
Additional assets, whether regulated or unregulated, that often go unprotected are support systems such as heating/ventilating/air conditioning, electrical and fire suppression. As plants modernize, they often put such support systems on a network. If compromised, these systems could lead to safety risks or result in system shutdowns.
THE BEST DEFENSE
Now that I had explained to Kevin a particular attack method and potential targets, it was time to describe the solution — a holistic approach to cyber security. Understanding new ideas or concepts can be difficult for companies and their employees. The problem is compounded when the concepts are introduced with little or no guidance.
A site cyber-security assessment is a great starting point for any company to begin taking a holistic approach to cyber security. The scope of the evaluation can range from a particular process network with limited assets to an entire site with multiple process networks. A thorough site assessment will focus on all aspects of the company’s security posture and emphasize security best practices. The following are some high-level areas that a site assessment should examine:
• Security policies and procedures. These are the documents that govern the corporate and industrial environment. They need review for thoroughness and possible gaps.
• Security awareness and training. Posters and e-mails alerting employees to current cyber threats help build awareness. Most companies conduct generic cyber-security training for all employees. Job-specific training is even more effective.
• Company personnel and contractors. Interviews with staff and contractors establish a real baseline for cyber-security awareness and help determine the level of compliance with company policies and procedures.
• Cyber asset identification. Creating a list of critical assets and their support systems enables comparison with existing documentation.
• Systems management. This includes contingency planning, incident response with remediation plans, patch and software management, and configuration control (physical and logical).
• Physical security. Only authorized personnel should have physical access to the critical assets.
• Electronic security. This category includes firewall and intrusion prevention system (IPS) rules, access control lists, network configurations and anti-malware software.
• Monitoring. Network traffic, security-device audit logs and electronic audit logs from critical assets require monitoring 24/7. Periodic network and workstation vulnerability scans, together with vendor and industry notifications of vulnerabilities, make monitoring proactive rather than reactive. A proper security infrastructure can handle this monitoring.
Successfully preventing a watering hole attack demands defenses from several of these areas. Training and awareness are the first level of defense: vigilant employees are less likely to fall victim to such attacks. The second level is a properly configured IPS or host intrusion detection system that blocks the download of suspected malware to a corporate workstation or laptop. A third level — proactive monitoring — helps detect anomalous network or workstation behavior.
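As an added example (not code from the article or from any company it mentions), the kind of proactive monitoring check the third level of defense calls for: a script that runs over web proxy log lines, flags executable downloads from hosts outside a software allowlist, ties each one back to a redirect from the page the user was actually visiting (the redirect pattern described above), and groups binaries that more than one workstation pulled. The log format, domain names, IP addresses and the allowlist are all constructed for the example.

```python
"""
Watering-hole activity check over web proxy logs (constructed example).

Record format assumed here, one event per line, space separated:
  timestamp client_ip method url status content_type redirect_location
where redirect_location is the Location header of a 3xx response, or "-".
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Hosts the site trusts to serve software (assumed allowlist, constructed).
SOFTWARE_ALLOWLIST = {"updates.example-vendor.com", "intranet.example-chem.com"}

# Content types and extensions that indicate a downloaded program.
EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-dosexec",
                    "application/octet-stream", "application/java-archive"}
EXECUTABLE_EXTENSIONS = (".exe", ".msi", ".scr", ".jar", ".dll")

# A redirect followed by a download within this window is treated as one chain.
REDIRECT_WINDOW = timedelta(seconds=30)


@dataclass
class ProxyEvent:
    ts: datetime
    client: str
    method: str
    url: str
    status: int
    content_type: str
    location: str


@dataclass
class Finding:
    kind: str       # "redirect_chain" or "unlisted_executable"
    client: str
    url: str
    via: str = ""   # host that redirected the client, for redirect chains


def parse_line(line: str) -> ProxyEvent:
    ts, client, method, url, status, ctype, location = line.split()
    return ProxyEvent(datetime.fromisoformat(ts), client, method, url,
                      int(status), ctype, location)


def host_of(url: str) -> str:
    return urlparse(url).hostname or ""


def is_executable(ev: ProxyEvent) -> bool:
    path = urlparse(ev.url).path.lower()
    return ev.content_type in EXECUTABLE_TYPES or path.endswith(EXECUTABLE_EXTENSIONS)


def analyze(lines: list[str]) -> list[Finding]:
    """Flag executable downloads from non-allowlisted hosts, noting any redirect
    from another site that sent the same client there moments earlier."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    # Per client: (time, redirecting host, redirect target host). A production
    # version would prune entries older than REDIRECT_WINDOW.
    redirects: dict[str, list[tuple[datetime, str, str]]] = defaultdict(list)
    findings: list[Finding] = []
    for ev in events:
        if 300 <= ev.status < 400 and ev.location != "-":
            redirects[ev.client].append((ev.ts, host_of(ev.url), host_of(ev.location)))
            continue
        if ev.status != 200 or not is_executable(ev):
            continue
        host = host_of(ev.url)
        if host in SOFTWARE_ALLOWLIST:
            continue
        chain = [r for r in redirects[ev.client]
                 if r[2] == host and r[1] != host and ev.ts - r[0] <= REDIRECT_WINDOW]
        if chain:
            findings.append(Finding("redirect_chain", ev.client, ev.url, via=chain[-1][1]))
        else:
            findings.append(Finding("unlisted_executable", ev.client, ev.url))
    return findings


def shared_binaries(findings: list[Finding], min_clients: int = 2) -> dict[str, set[str]]:
    """Group findings by URL: one binary pulled by several workstations after
    visiting the same site is the signature worth escalating first."""
    clients_by_url: dict[str, set[str]] = defaultdict(set)
    for f in findings:
        clients_by_url[f.url].add(f.client)
    return {url: c for url, c in clients_by_url.items() if len(c) >= min_clients}


# Constructed sample log: two workstations visit a sponsored charity's site,
# get redirected to an unknown host and receive an "installer"; a third
# fetches a patch from the trusted vendor host and should not be flagged.
SAMPLE_LOG = """
2013-01-15T09:02:11 10.1.20.15 GET http://charity-partner.example.org/events 200 text/html -
2013-01-15T09:02:13 10.1.20.15 GET http://charity-partner.example.org/sponsors 302 text/html http://cdn-mirror.example.net/update/flash_installer.exe
2013-01-15T09:02:14 10.1.20.15 GET http://cdn-mirror.example.net/update/flash_installer.exe 200 application/x-msdownload -
2013-01-15T09:40:02 10.1.20.31 GET http://updates.example-vendor.com/patch/hmi-2.1.msi 200 application/x-msdownload -
2013-01-15T10:15:30 10.1.20.42 GET http://charity-partner.example.org/sponsors 302 text/html http://cdn-mirror.example.net/update/flash_installer.exe
2013-01-15T10:15:31 10.1.20.42 GET http://cdn-mirror.example.net/update/flash_installer.exe 200 application/x-msdownload -
2013-01-15T11:00:00 10.1.20.15 GET http://news.example.com/index.html 200 text/html -
"""

if __name__ == "__main__":
    found = analyze(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"{f.kind:20} {f.client:12} {f.url}" + (f"  (via {f.via})" if f.via else ""))
    for url, clients in shared_binaries(found).items():
        print(f"shared by {len(clients)} hosts: {url}")
```

The allowlist does the heavy lifting: a download from a vendor's update server is normal, while the same file type from a host the site has never authorized is the event an analyst wants to see, and the redirect link tells them which page to examine and whom to warn.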
Stopping all attacks at the first or second level is unlikely. That’s why properly identifying and protecting critical assets and their support systems is crucial. Because a watering hole attack, as discussed earlier, might come in through an employee’s home computer, a policy stating that only corporate-owned laptops may access the business network by VPN can help minimize the risk. Another control would be a jump server (i.e., a hardened and monitored device with tightly controlled and checked user access) placed between the business network and the process network.
As for Kevin, he closely noted everything I said and brought it back to his company. “If we had had this discussion 12 months ago, we would have planned our strategy differently,” he said. “Since the cyber security landscape is constantly changing, it seems like the only and best way to effectively defend against attacks is to apply cyber security in a holistic fashion.”
STEPHEN SANTEE, CISM, CISSP, is program manager for critical infrastructure services for Exitech, Maryville, Tenn. When this article was written, he was a senior consultant for critical infrastructure and security practice for Invensys, Houston. E-mail him at firstname.lastname@example.org.