
Thursday, May 20, 2021

Myth – We are An Unlikely Target

 Authored by Dirk Sweigart, MESA Cybersecurity Working Group Chairman 

The Colonial Pipeline, Iranian centrifuges, large financial companies and large companies in general, big cities – these are the notable targets of cyber attackers. Seen within this context, it is easy to assume that your company is an unlikely target for a cyberattack and therefore does not need to be stringent about protecting its manufacturing systems. Let us explode this myth.

First, some attackers are simply opportunistic.  They don’t know the potential value of an intrusion because they don’t really know the inner workings of your company.  They prey on the weak or the poorly protected.  They may choose you as a target almost at random. 

The best way to become an unlikely target is to strengthen your cyber posture. The analogy is of the two hikers who encounter a bear coming towards them. As one begins to hike off, the other stops to put on his running shoes. The first hiker says, “What are you doing? We need to outrun that bear!” The second hiker says, “No, I only need to outrun you!”

Strengthening your defenses (or providing defense in depth) can make you a less desirable target (too much work relative to other targets) and therefore, a less likely target.

Second, your company may unwittingly become a target because of the actions of your employees. Depending on what is permitted to be done while on the job, your company may become a target due to successful phishing, websites with embedded malware, or the installation and use of compromised software by your employees or contractors. These methods do not care that you’re supposed to be unlikely – they look for the careless. Good employee training and strong policies and practices can make this less likely but cannot remove the possibility.

Last of all, you may believe that your industry or what you make is not “interesting enough” to attract any attention.  Maybe you operate a small municipal water treatment plant, or make small plastic parts, pencils, metal rods or other “cogs in the wheel.”  Surely, operations such as these would be unlikely targets?  Please re-read the first point and then consider what the company has that is of value that could be lost or compromised.  Every manufacturing operation has something of value that could be lost, even if it is simply lost production.  If it is of value, it can make you a target.

Following that line of reasoning, consider that risk is a combination of threat and consequences. You may believe you’re an unlikely target, but what is the value of your company, your process or your intellectual property? Even if you believe the likelihood is low, can you afford the consequences if the unlikely event occurs? ID Agent says 60 percent of companies go out of business within six months following a cyberattack. This is due to the long and lingering cost of recovery, the loss of revenue and the ongoing, irreparable reputation damage.

The conclusion is that you can make this myth a reality for your company if you work at it.  Practicing defense in depth, having good designs and implementation, maintaining good training, policies and practices and having a strong cyber posture can reduce the risk of having to address a successful cyberattack on your manufacturing.  You can become an unlikely target and outrun the bear. 


The MESA Cybersecurity Working Group focuses on current topics at the intersection between cybersecurity and manufacturing systems. Stay tuned for more on these topics or reach out to our Working Group for expertise and valuable networking.

About the Author
Dirk Sweigart, CISSP, PMP (Applied Control Engineering, Inc.) is an MES Solutions Manager and Cybersecurity Expert at Applied Control Engineering, Inc. in Newark, DE. He has over thirty years’ experience developing systems for process control, SCADA, MES and business applications with DuPont, INVISTA, Koch Industries and ACE. Dirk also teaches cybersecurity and SCADA at the Wilmington University graduate school. He is an information member of the ISA-95 Committee and a member of the MESA Cybersecurity Working Group. You can reach him at sweigartd@ace-net.com.

Wednesday, April 21, 2021

Cybersecurity Myths - We Are Disconnected

Authored by Dirk Sweigart, MESA Cybersecurity Working Group Chairman 

In February of this year, I had COVID-19 symptoms and tested positive. How did that happen? I social-distanced, wore a mask, dramatically limited my interactions with others, washed my hands regularly and thought I was protecting myself. I thought I was reasonably “disconnected.” Turns out, I was not.

You may think your manufacturing systems or industrial control systems are similarly “disconnected.”  However, you may not be aware of the number of factors working against your assumption that can make it essentially moot.  After all, as I am proof, it only takes one time.

What are these factors?  Here are some potential “back-channels” into your systems that could allow this to occur.

Almost any time you connect a device to a USB port anywhere on the disconnected network, you could be breaking the disconnect.  If any USB ports are open, anywhere on the controls or manufacturing network, then connecting a device, even just to charge it, is breaching the barrier.  You are no longer disconnected.  An operator plugs his cell phone into a USB port to charge it…the use of peripherals can break the disconnect.  

Are there wireless-capable devices in use within the network? If so, unless access is tightly managed, wireless can be a place where the disconnect is broken. Sometimes devices are added to a network (maybe temporarily) and they have wireless enabled on them. Have you ever connected a laptop to work on the disconnected network while wireless was enabled on the laptop? Printers sometimes have wireless available. The use of wireless can break the disconnect.

Sharing the wired network – does your control system ever share a switch with another network?  This is sometimes done for convenience, cost or by an IT department (perhaps without realizing they are breaking the disconnect) and perhaps using a VLAN.  Sharing switches with other networks can break the disconnect.

Even if you connect a workstation that is not actively connected to a wireless network, it may have been connected (and/or infected) recently. After all, how are you going to get software updates or new configuration into your disconnected network? Connecting external devices such as laptops to the disconnected network can break the disconnect.

It is not unusual, especially during the pandemic, for methods of remote access to the control or manufacturing systems to be set up.  Knowledge of the existence of these may be closely held and they may also be connected only when needed.  Regardless, these remote access techniques represent a break in the “disconnected” paradigm. 

Perhaps what is meant by “disconnected” is actually “lightly” connected.  The manufacturing or controls networks may have only a single point of access protected by a firewall that is tightly locked for in-bound traffic.  Being actually connected by a firewall device, even one tightly controlled, is not disconnected.  Also, pay attention to both the inbound and OUTBOUND firewall rules if you are using a common stateful firewall. If you lock down inbound requests but not outbound requests, you may have internal connections being made to e-mail or websites where malware can be encountered and introduced into your “disconnected” network.
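The inbound-versus-outbound point can be checked mechanically. The following is an added example, not from the original post: a small Python audit of an `iptables-save` FORWARD chain that flags rules letting the control network open connections outward without a destination and port restriction. The interface names `ot0` and `wan0`, the address `192.0.2.10` and both rule sets are constructed assumptions.

```python
import shlex

# Constructed iptables-save excerpts. Interface names ot0 (control network)
# and wan0 (business/external side) and the address are assumptions.
WEAK = """\
*filter
:FORWARD DROP [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i wan0 -o ot0 -j DROP
-A FORWARD -i ot0 -o wan0 -j ACCEPT
COMMIT
"""
HARDENED = """\
*filter
:FORWARD DROP [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i ot0 -o wan0 -d 192.0.2.10/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -i ot0 -o wan0 -j LOG --log-prefix "ot-egress-denied "
COMMIT
"""


def audit_egress(ruleset, inside_if="ot0", outside_if="wan0"):
    """List rules that let the inside network open connections outward freely."""
    findings = []
    for line in ruleset.splitlines():
        if line.startswith(":FORWARD "):
            if line.split()[1] == "ACCEPT":
                findings.append("FORWARD default policy is ACCEPT")
            continue
        if not line.startswith("-A FORWARD "):
            continue
        tok = shlex.split(line)
        # Map each option to the token after it (negated "!" matches not handled).
        opts = {t: tok[i + 1] for i, t in enumerate(tok[:-1]) if t.startswith("-")}
        if opts.get("-j") != "ACCEPT":
            continue
        # Reply-only rules open nothing new; they just return traffic for
        # connections that another rule already allowed to start.
        if "--ctstate" in opts and "NEW" not in opts["--ctstate"].split(","):
            continue
        if opts.get("-i", inside_if) != inside_if or opts.get("-o", outside_if) != outside_if:
            continue
        if "-d" not in opts or not ({"--dport", "--dports"} & opts.keys()):
            findings.append("unrestricted outbound rule: " + line)
    return findings


if __name__ == "__main__":
    for name, rules in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_egress(rules))
```

In the weak rule set inbound traffic is dropped, yet the open outbound rule combined with the ESTABLISHED,RELATED rule lets any internally initiated session and its replies through; the hardened set allows one destination and port and logs everything else before the default DROP.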

This is not to say that you must find and kill all these new back-channels. Just be aware that they often do exist and evaluate your risks accordingly.  You can maintain that “it won’t happen to me”, but don’t believe the myth that it’s because you’re disconnected. Cough, cough!


Wednesday, April 5, 2017

Two-Factor Authentication – Uses and Misses

By Dirk Sweigart, CISSP, PMP, Cybersecurity Working Group Member

A key part of securing assets is establishing the identity of an individual who wishes to access that asset in some way.  We need to be sure that the person who is making the request is who he or she claims to be.  The asset can be a control system, a building, a VPN or an application, to name a few.  Two-factor authentication is becoming relatively common as a method of confirming that identity.