Authored by Dirk Sweigart, MESA Cybersecurity Working Group Chairman
In February of this year, I had Covid-19 symptoms and tested positive. How did that happen? I social-distanced, wore a mask, dramatically limited my interactions with others, washed my hands regularly and thought I was protecting myself. I thought I was reasonably “disconnected.” Turns out, I was not.
You may think your manufacturing systems or industrial control systems are similarly “disconnected.” However, you may not be aware of the number of factors working against your assumption that can make it essentially moot. After all, as I am proof, it only takes one time.
What are these factors? Here are some potential “back-channels” into your systems that could allow this to occur.
Almost any time you connect a device to a USB port anywhere on the disconnected network, you could be breaking the disconnect. If any USB ports are open, anywhere on the controls or manufacturing network, then connecting a device, even just to charge it, is breaching the barrier. You are no longer disconnected. An operator plugs a cell phone into a USB port to charge it, and the barrier is gone: the use of peripherals can break the disconnect.
Are there devices that use wireless in use within the network? If so, unless access is tightly managed, wireless can be a place where the disconnect is broken. Sometimes devices are added to a network (maybe temporarily) and they have wireless enabled on them. Have you ever connected a laptop to work on the disconnected network while wireless was enabled on the laptop? Printers sometimes have wireless available. The use of wireless can break the disconnect.
Sharing the wired network: does your control system ever share a switch with another network? This is sometimes done for convenience, for cost, or by an IT department (perhaps without realizing they are breaking the disconnect), perhaps using a VLAN. Sharing switches with other networks can break the disconnect.
Even if you connect a workstation that is not actively connected to a wireless network, it may have been connected (and/or infected) recently. After all, how are you going to get software updates or new configuration into your disconnected network? Connecting external devices such as laptops to the disconnected network can break the disconnect.
It is not unusual, especially during the pandemic, for methods of remote access to the control or manufacturing systems to be set up. Knowledge of their existence may be closely held, and they may be connected only when needed. Regardless, these remote access techniques represent a break in the “disconnected” paradigm.
Perhaps what is meant by “disconnected” is actually “lightly” connected. The manufacturing or controls networks may have only a single point of access, protected by a firewall that is tightly locked for inbound traffic. Being connected through a firewall device, even one tightly controlled, is not disconnected. Also, pay attention to both the inbound and OUTBOUND firewall rules if you are using a common stateful firewall. If you lock down inbound requests but not outbound requests, you may have internal hosts making connections to e-mail or websites where malware can be encountered and introduced into your “disconnected” network.
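To make the inbound-versus-outbound point concrete, here is an added example (not from the original post, and not any vendor's firewall code) that models a small stateful packet filter in Python with first-match rules and a default policy per direction. It compares the usual "inbound locked down, outbound left open" setup against one where outbound also defaults to drop and only the one patch server is allowed. All addresses and the host names `OT_HOST`, `UPDATE_SERVER` and `INTERNET_HOST` are constructed for the illustration; the policy functions and `run_scenario` are hypothetical names.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample addresses (documentation ranges, not real hosts).
OT_HOST = "192.0.2.10"          # a workstation on the "disconnected" network
UPDATE_SERVER = "198.51.100.5"  # the one outside host that patches come from
INTERNET_HOST = "203.0.113.77"  # an arbitrary web or mail server on the Internet


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    direction: str  # "in" = from outside toward the OT network, "out" = OT toward outside


@dataclass(frozen=True)
class Rule:
    direction: str
    action: str                   # "accept" or "drop"
    dst: Optional[str] = None     # None matches any destination address
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (pkt.direction == self.direction
                and (self.dst is None or self.dst == pkt.dst)
                and (self.dport is None or self.dport == pkt.dport))


class StatefulFirewall:
    """Minimal model: first matching rule wins, otherwise the per-direction default
    applies. Replies to an already-accepted outbound flow are let back in (state)."""

    def __init__(self, rules, default_in="drop", default_out="accept"):
        self.rules = list(rules)
        self.defaults = {"in": default_in, "out": default_out}
        self.flows = set()  # (ot_host, remote_host, remote_port) of accepted outbound flows

    def evaluate(self, pkt: Packet) -> str:
        # Stateful shortcut: inbound packet that answers an accepted outbound flow.
        if pkt.direction == "in" and (pkt.dst, pkt.src, pkt.sport) in self.flows:
            return "accept"
        verdict = self.defaults[pkt.direction]
        for rule in self.rules:          # first match wins
            if rule.matches(pkt):
                verdict = rule.action
                break
        if verdict == "accept" and pkt.direction == "out":
            self.flows.add((pkt.src, pkt.dst, pkt.dport))
        return verdict


def inbound_only_policy() -> StatefulFirewall:
    """The common 'tightly locked' setup: inbound drops by default, outbound is never
    restricted, so every OT host can reach any website or mail server."""
    return StatefulFirewall(rules=[], default_in="drop", default_out="accept")


def both_directions_policy() -> StatefulFirewall:
    """Outbound also drops by default; only HTTPS to the patch server is allowed."""
    return StatefulFirewall(
        rules=[Rule(direction="out", action="accept", dst=UPDATE_SERVER, dport=443)],
        default_in="drop",
        default_out="drop",
    )


def run_scenario(fw: StatefulFirewall) -> dict:
    """Push the same constructed traffic through a policy and collect the verdicts.
    Packet fields are (src, dst, sport, dport, direction)."""
    return {
        # unsolicited connection from the Internet to an OT host
        "unsolicited_inbound": fw.evaluate(Packet(INTERNET_HOST, OT_HOST, 40000, 502, "in")),
        # the legitimate patch download and its reply
        "ot_to_update_server": fw.evaluate(Packet(OT_HOST, UPDATE_SERVER, 50000, 443, "out")),
        "update_server_reply": fw.evaluate(Packet(UPDATE_SERVER, OT_HOST, 443, 50000, "in")),
        # an OT host browsing the web and sending mail, and the web server's reply
        "ot_to_web": fw.evaluate(Packet(OT_HOST, INTERNET_HOST, 50001, 443, "out")),
        "ot_to_mail": fw.evaluate(Packet(OT_HOST, INTERNET_HOST, 50002, 25, "out")),
        "web_reply": fw.evaluate(Packet(INTERNET_HOST, OT_HOST, 443, 50001, "in")),
    }


if __name__ == "__main__":
    for name, policy in (("inbound only", inbound_only_policy),
                         ("both directions", both_directions_policy)):
        print(name)
        for flow, verdict in run_scenario(policy()).items():
            print(f"  {flow:22s} {verdict}")
```

Both policies drop the unsolicited inbound connection, which is what "tightly locked for inbound traffic" usually means. Only the second one stops the OT workstation from reaching an arbitrary web or mail server, and because the web request never leaves, no state entry exists to let the server's reply back in. On a real stateful firewall the equivalent is a default-drop policy on the outbound (or forward) chain with explicit allow rules for the few outside destinations the network genuinely needs.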
This is not to say that you must find and kill all these new back-channels. Just be aware that they often do exist and evaluate your risks accordingly. You can maintain that “it won’t happen to me”, but don’t believe the myth that it’s because you’re disconnected. Cough, cough!