Authored by Dirk Sweigart, MESA Cybersecurity Working Group Chairman
In February of this year, I had COVID-19 symptoms and tested positive. How did that happen? I social-distanced, wore a mask, dramatically limited my interactions with others, washed my hands regularly and thought I was protecting myself. I thought I was reasonably “disconnected.” Turns out, I was not.
You may think your manufacturing systems or industrial control systems are similarly “disconnected.” However, you may not be aware of the number of factors working against your assumption that can make it essentially moot. After all, as I am proof, it only takes one time.
What are these factors? Here are some potential “back-channels” into your systems that could allow this to occur.
Almost any time you connect a device to a USB port anywhere on the disconnected network, you could be breaking the disconnect. If any USB ports are open, anywhere on the controls or manufacturing network, then connecting a device, even just to charge it, is breaching the barrier. You are no longer disconnected. It only takes an operator plugging a cell phone into a USB port to charge it. The use of peripherals can break the disconnect.
Are there devices that use wireless in use within the network? If so, unless access is tightly managed, wireless can be a place where the disconnect is broken. Sometimes devices are added to a network (maybe temporarily) and they have wireless enabled on them. Have you ever connected a laptop to work on the disconnected network and have wireless enabled on the laptop? Printers sometimes have wireless available. The use of wireless can break the disconnect.
Sharing the wired network – does your control system ever share a switch with another network? This is sometimes done for convenience, cost or by an IT department (perhaps without realizing they are breaking the disconnect) and perhaps using a VLAN. Sharing switches with other networks can break the disconnect.
Even if you connect a workstation that is not actively connected to a wireless network, it may have been connected (and/or infected) recently. After all, how are you going to get software updates or new configuration into your disconnected network? Connecting external devices such as laptops to the disconnected network can break the disconnect.
It is not unusual, especially during the pandemic, for methods of remote access to the control or manufacturing systems to be set up. Knowledge of the existence of these may be closely held and they may also be connected only when needed. Regardless, these remote access techniques represent a break in the “disconnected” paradigm.
Perhaps what is meant by “disconnected” is actually “lightly” connected. The manufacturing or controls networks may have only a single point of access protected by a firewall that is tightly locked for in-bound traffic. Being connected through a firewall device, even one tightly controlled, is still connected, not disconnected. Also, pay attention to both the inbound and OUTBOUND firewall rules if you are using a common stateful firewall. If you lock down inbound requests but not outbound requests, you may have internal connections being made to e-mail or websites where malware can be encountered and introduced into your “disconnected” network.
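The inbound-only lockdown described above is easy to spot in a rule dump once you know to look for it. The following audit script is an added example, not code from the article or from MESA: it reads an `iptables -S` style listing and reports any chain whose default policy is not DROP and any OUTPUT rule that accepts new connections without a destination restriction. Both rule sets are constructed samples; the hosts, ports and addresses in them are assumptions for illustration only.

```python
"""Audit default policies and egress rules in an `iptables -S` style dump.

Added example: flags the "inbound locked, outbound wide open" pattern that
leaves a supposedly disconnected control network able to reach e-mail or
web servers where malware can be encountered.
"""
import shlex
from dataclasses import dataclass, field

# Constructed sample (not from the article): inbound is default-deny, but
# OUTPUT is default-accept and has a blanket HTTPS allow with no destination.
WEAK_RULES = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.20.0.5/32 -p tcp --dport 3389 -j ACCEPT
-A OUTPUT -p tcp --dport 443 -j ACCEPT
"""

# Constructed sample: outbound is also default-deny; only the historian
# (assumed 10.20.0.10:5432) and the patch server (assumed 10.20.0.20:8530)
# are reachable, plus replies to already-accepted inbound sessions.
HARDENED_RULES = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.20.0.5/32 -p tcp --dport 3389 -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -d 10.20.0.10/32 -p tcp --dport 5432 -j ACCEPT
-A OUTPUT -d 10.20.0.20/32 -p tcp --dport 8530 -j ACCEPT
"""


@dataclass
class Finding:
    policies: dict                      # chain -> default policy
    egress_allows: list = field(default_factory=list)  # (destination, dport) pairs
    issues: list = field(default_factory=list)


def _opt(tokens, *names):
    """Return the value following the first of `names` found in tokens, else None."""
    for i, tok in enumerate(tokens[:-1]):
        if tok in names:
            return tokens[i + 1]
    return None


def parse_rules(dump):
    """Split a dump into {chain: policy} and a list of (chain, tokens) for -A rules."""
    policies, rules = {}, []
    for line in dump.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        if tokens[0] == "-P" and len(tokens) >= 3:
            policies[tokens[1]] = tokens[2]
        elif tokens[0] == "-A" and len(tokens) >= 2:
            rules.append((tokens[1], tokens))
    return policies, rules


def audit(dump):
    """Report non-DROP default policies and unrestricted new-connection egress."""
    policies, rules = parse_rules(dump)
    finding = Finding(policies=policies)
    for chain in ("INPUT", "FORWARD", "OUTPUT"):
        policy = policies.get(chain, "unset")
        if policy != "DROP":
            finding.issues.append(f"{chain} default policy is {policy}, expected DROP")
    for chain, tokens in rules:
        if chain != "OUTPUT" or _opt(tokens, "-j", "--jump") != "ACCEPT":
            continue
        state = _opt(tokens, "--ctstate")
        if state is not None and "NEW" not in state.split(","):
            continue  # reply traffic only; this rule does not open a new egress path
        dst = _opt(tokens, "-d", "--destination")
        port = _opt(tokens, "--dport", "--destination-port")
        if dst is None:
            finding.issues.append("OUTPUT ACCEPT with no destination restriction: " + " ".join(tokens))
        finding.egress_allows.append((dst, port))
    return finding


def report(dump):
    """Human-readable summary of an audit, one finding per line."""
    f = audit(dump)
    lines = [f"policies: {f.policies}", f"egress allows: {f.egress_allows}"]
    lines += [f"ISSUE: {i}" for i in f.issues] or ["no issues found"]
    return "\n".join(lines)


if __name__ == "__main__":
    print("--- weak ---\n" + report(WEAK_RULES))
    print("--- hardened ---\n" + report(HARDENED_RULES))
```

Run it against `iptables -S` output captured from the firewall that fronts the control network; a clean run means every chain defaults to DROP and every egress allow names a specific destination, which is the state the paragraph above is asking you to verify rather than assume.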
This is not to say that you must find and kill all these new back-channels. Just be aware that they often do exist and evaluate your risks accordingly. You can maintain that “it won’t happen to me”, but don’t believe the myth that it’s because you’re disconnected. Cough, cough!