Payback of management misinformed by excess - PCs in the industrial environment
By Bernardo Ramos, IT security expert
A few weeks ago media around the world alarmed citizens with a "Ransomware" attack which they called "Wannacry". It had blocked lots of computers of some major companies around the world
Shortly afterwards the same media again alarmed us with a new wave of even more sophisticated attacks of the same type. Now they explained that Russia had used a cyber weapon called "Petya" to attack Ukraine with possible unpredictable effects in other countries.
Enterprise executives are not usually concerned with issues such as cybersecurity on a daily basis, but there are two circumstances that cause them to focus on it
- A cyberattack to their own company that closely touches the executive level or appears in the media
- An outstanding news in the general media warning of a threat to corporate cybersecurity
When these circumstances are activated, and the Management puts his focus on cybersecurity, there is a risk of a "Perfect Storm"
- Executive management reacts in terms of spasmodic impulses causing overreaction
- IT Managers receive instructions that go beyond their usual control procedures
- Experts are requested to carry out checks and verifications that have not been foreseen and which require a significant overexertion.
- All this process is done hastily, in a time frame incompatible with a rigorous analysis of the situation
- As a result of these verifications appear reports that, when interpreted without a minimum of technical knowledge, generate a great alarm at the executive level, who erroneously conclude that their company is more exposed than the others
- This generates a series of instructions to correct the situation that are exaggerated and go against logic and common sense
On the occasion of some recent attacks widely publicized in the mass media around the world, many computer managers of industrial companies may have been immersed in one of these "Perfect Storms" when addressing the cybersecurity of their computer equipment in industrial environments
We will address in this article the special problem of cybersecurity of computer equipment in the industrial environment.
In industrial companies there are three types of PCs depending on their use and the organization of their support.
The cybersecurity treatment is different for each of these three types.
Three different specific approaches are required to address cybersecurity
- Corporate PCs, dedicated to office automation and management applications, like ERP, CRM, etc.
- In most large companies these PCs are all configured according to a standard model and are integrated into a network that allows them to be centrally managed with tools that deal with security, inventory, remote software distribution, etc.
- The organization in charge of its support is integrated in the IS&T Department and is often outsourced
- Their Security is under the responsibility of the Chief Information Security Officer (CISO)
- PCs used to control manufacturing automats (industrial PCs)
- They are generally associated with a few editors of process control programs
- The organization in charge of their support is usually integrated in the Technical / Engineering Direction than in the IS&T Department
- Their safety is under the responsibility of the Control Systems Security Manager
- Protection against cyber attacks is generally based on their isolation from outside and depends to a great extent on the instructions of providers of the process control applications they use, as they may stop working, with a direct impact on the Production, if any parameter of the operating system of the server or personal computer in which they run are changed.
- Other non-standard PCs used in industrial environments (Laboratory PCs and others)
- Laboratory PCs connected to analysis instruments (chromatographs, etc.)
- PCs used in physical access control systems
- Pc used in truck weighing control systems
- Management of telephone servers, etc.
In this article, we will mainly analyze this third type of computer equipment, whose support is much less organized than the previous two and is often non-existent.
We will start with some questions to characterize these PCs
Why cannot they be standard corporate PCs?
Because of the programs they use
- They are only compatible with certain versions of the Windows operating system
- They are non-evolutionary and therefore need to maintain the same initial configuration throughout their lifetime
Because they are often used to manage specific devices that need special configurations.
- Chromatographs and other laboratory devices
- Industrial Scales
- Lathes and doors
- etc.
What risks do these PCs face?
Availability:
- This is the most important risk because, often, the continuity of production depends on them
- More than half of these devices are critical to production
Integrity:
- Sabotage, etc. This risk is relatively unlikely because it corresponds to specifically organized attacks and requires access to the equipment, either physically or across the network.
- Being installed in restricted access environments and generally without outside connectivity, they are relatively far from the scope of hackers.
Confidentiality:
- The information manipulated in each one of these individual PCs is limited and its value isolated very low
We will use some hypothetical data to illustrate our study. The data will of course vary depending on the specific sector of each company. We will describe here a case that could correspond to a company in the chemical, pharmaceutical or food sector, that is to say a continuous process industry
Description of the hypothetical case
Volume
The number of PCs of this type is usually between 5 and 15 percent of the number of corporate PCs, being closer to 15% when the resources dedicated to research and development by the company is greater
- The greatest concentration of these PCs occurs in research and development centers, and this means that, in general, there is a more or less robust local organization, although always with much less resources for their support than those available for the equivalent in Corporate PCs
- In industrial plants the number of these equipment is usually much smaller, although their criticality is very high.
- This criticality in general has not been formally established, so protection measures are usually zero or very scarce.
- The responsibility of these equipment is usually divided among different services in the plant.
- As a consequence of the lack of concentration of responsibility and their relatively small volume, there is usually no IT expert in charge of these equipment and its support, always in reactive mode after incident, is usually done by the IS&T people in charge of corporate PCs support who are not formally in charge of them.
Most of these PCs use obsolete versions of the operating system that are no more supported by the manufacturer.
- According to our experience, 75% of these PCs use a version of the operating system that is not supported and for which the manufacturer no longer publishes security fixes.
- Only 25% of these PCs run officially supported versions of the operating system, which does not mean that they systematically apply security updates, as we will see later.
Distribution between Servers and clients
- 99% of these PCs are PC clients
- Less than 1% are servers
- Servers are mainly found in research and development centers
- Servers often have security updates applied and are usually protected with antivirus
Connectivity to the corporate network and outside
- Most of these PCs, mainly in industrial plants, outside the research centers, are not connected to the corporate network
- Many of them operate totally isolated
- Others are connected to each other to share certain resources (printers or some server) but those local networks are not connected outside
- In research centers, the need to share information and work with the information obtained, makes connectivity the norm, although some measure of segmentation of the network is usually implemented, either through VLAN, or using Firewalls.
- PC of this type directly connected to the corporate network are scarce, although they pose a significant risk
Organization
From the responsibility point of view
- In the research centers there is usually one responsible for the computer infrastructure in charge of all these equipment and, at least one IT expert
- In factories, there is usually no IT expert in charge of these equipment. On the other hand, as indicated above, the responsibility is often shared among several people locally.
Organization for support
In the research centers there is at least one computer expert who is dedicated to the support of these equipment and the networks that group them together.
- Computer experts in charge of corporate PCs usually act for the support as a backup solution.
In industrial plants, in general, there is no computer expert in charge of these equipment
- Corporate computer IT experts often intervene on demand without having any specific responsibility for these equipment
- Most of these PCs in factories are not usually updated because their responsible do not dare to take the risk of malfunctioning.
These PCs are almost always associated with a specific application and an analysis instrument that is the core of the complete system
- The PC represents the least significant part of the system
- The whole set, PC, application and analysis instrument, are under the support of the supplier through a maintenance contract in many cases
- In a significant number of cases, there is no maintenance contract
How these PCs are usually protected?
1.- Through isolation, with different solutions
Many of them are not connected to any network
Others are connected to the corporate network in a limited way
- By segmenting the network using different VLANs and restricting traffic among them
- In other cases these PCs are separated from the corporate network by means of a Firewall, which limits and controls the traffic between the two worlds.
- These Firewalls are normally managed by IT Security staff integrated in IS&T department.
In some cases, exceptions can exist where one of these devices is directly connected to the corporate network without any restrictions
- These cases are those that pose the highest risk
Connectivity to the outside world is often provided by the corporate network. It is very rare the case of computers of this type connected directly to the Internet.
2.- Using antivirus
In many cases the use of an antivirus is discouraged or directly prohibited by the publisher of the application
One of the difficulties, both for antivirus and for security updates is the need for an Internet connection to get them every day.
- The most correct solution is to go through the corporate network, relying on the infrastructure used for corporate PCs, although it requires a specific solution through a firewall.
The fact that PCs of this type existing in the same center use many different versions of the operating system adds an additional difficulty because it is difficult, and sometimes impossible to find a version of the antivirus client that is compatible with all of them.
3.- Applying Security Updates published by manufacturers
This is systematic, in general, for servers
This is not done for most PCs
- It is frequent to hear of bad experiences after one of these updates
- As many of these PCs are highly sensitive for operating production units any upgrade requires a testing phase and the possibility of running back, what supposes a very expensive process
- Sometimes, because of way these PCs are used, it is difficult to find a window of time available to perform the operation.
- Those responsible for these PCs are extremely reluctant to "touch" these equipment
- Most people involved in the operation and use of these PCs think that, due to the limited connectivity of these devices, the risk associated to the unavailability after an upgrade is greater than the risk of cyber attack
4.- During the last years responsible attitudes in the use of these PCs from the cybersecurity point of view have been developed
Limitation of connectivity
Very restricted use of USB memory devices and always with controlled devices
Restricted access to equipment
What improvements could be introduced to protect these equipment?
Maintain an inventory of these PCs and classify them according to their level of risk, focusing primarily on those that pose a greater risk
- Servers
- PCs connected to the corporate network
- PCs connected to the Internet
Be sure to apply the appropriate protection measures for these PCs and servers
- Security Updates regularly applied
- Antivirus updated
- Use of current operating system versions supported by the publisher
To write, publish and push good practices to be applied for the protection of these equipment
- Connectivity restricted to the minimum necessary, isolation of equipment
- Strict rules for using USB devices
- Antivirus when possible
- Security updates when possible
- Use of current versions of the operating system whenever possible
And in case of an imminent cybersecurity threat, what do we do?
Maintain an updated inventory of these equipment
Perform a specific risk analysis
Establish a plan of action consistent with risk analysis
Conclusion
In any industrial enterprise there will always be a significant number of PCs in an irregular situation regarding cybersecurity
If we try to approach these PCs from the perspective of traditional computing, we will enter a vicious circle of frustration and waste
It is important to address this phenomenon before the appearance in the media of a cybersecurity threat sensitizes the Executive Management and creates a perfect storm as described at the beginning
If we have an up-to-date inventory of these equipment, including explanations of why we cannot put all of them in compliance, we will be able to:
- Respond quickly to the Executive Management,
- Demonstrate that the issue is studied and under control and
- Stop spasmodic action typical of these alarmist situations