The cyber threat
Hardly a week goes by without news of another big company being hacked. The list of victimized corporations keeps growing as retailers, such as Home Depot and Target, admit their point-of-sale devices exposed customers’ sensitive information. Recently, JP Morgan also confessed its customers’ private contact information had been compromised. With the media spotlight on major banks and big-box stores, businesses in other industries might think they are immune to a cyber attack.
“I’ve talked with CEOs who say, ‘We’re just a—print or food manufacturing, you name it—company. We don’t have any secrets, and there is no value in our data,’” says Shawn Henry, president and CSO of Crowdstrike Services. “Companies think because they aren’t a financial company or retailer they are safe, and that is absolutely wrong.”
He says hackers are not just stealing credit card information, but much more data than most people think. “They are stealing intellectual property, research and development data, corporate strategies, acquisitions and merger information,” he says. Henry, a retired FBI executive assistant director specializing in cybersecurity, explains cyber attackers want to know where you are headed as a company, what you are investing in and where you are going geographically.
A 2013 report released by IBM Managed Security Services states that after analyzing millions of security events detected annually in any one of its clients’ systems, it found an average of 73,400 attacks in a single organization over the course of a year. Its analysis of the industries most targeted revealed manufacturing was at the top, followed by finance and insurance.
According to the 2014 Center for Strategic and International Studies (CSIS) report, “Net Losses: Estimating the Global Cost of Cybercrime,” the estimated annual cost to the global economy from cybercrime is more than $400 billion.
“The key thing to keep in mind is that most threats to companies have nothing to do with any particular company’s business model,” says Mike Muscatell, information security manager for Snyder’s-Lance, Inc. “What most of us in the industry are seeing on a daily basis are the continuous exploits of vulnerable systems within all types of business.”
“Food and beverage companies will not be spared from the growing number of risks cybersecurity experts are wrestling with in other corporate vectors,” adds Jasper Graham, senior vice president with UK cyber intelligence startup Darktrace. “Nor will it have a reprieve from the need to look inwards and truly understand what data it cannot afford to have stolen.”
Understanding the threat
Henry says that to understand the threat, a company has to understand who is trying to access its data and why. He breaks the adversaries down into three main groups, although he says the types of cyber attackers are vast. The first group is made up of nation-states that have electronic espionage programs in place to inform the overseeing government. “They allow these countries to be more competitive in the marketplace,” Henry explains. “They are absolutely stealing intellectual property across every industry sector.”
The second group is comprised of organized crime adversaries that typically target banks and retailers. They seek personally identifiable information and hack into bank accounts, Henry says. However, they also will encrypt data and extort companies before providing access to their own information, essentially holding data for ransom.
The third group is made up of “hacktivist” groups. They are politically or ideologically motivated, such as a radical animal rights group waging a war against a food manufacturer based on some perception of how animals are treated. Just as an activist group might physically attack a company, so could they attack it electronically.
“They might deface a website, or they could knock a whole organization offline,” Henry states. “[Food and beverage] companies are not immune.”
Assessing the vulnerabilities
“The food and beverage industry is ripe for a major attack and becoming another headline due to its extremely broad number of players and the even larger number of companies it interacts with on a daily basis to keep things functioning,” says Graham.
“Most food and beverage processors know they should do something about data protection, but don’t do enough,” according to Ken Keiser, principal cybersecurity consultant for Siemens. “The first step in any cybersecurity improvement is to do an assessment of the equipment and policies currently in place.” A good resource for forming this evaluation is the National Institute of Standards and Technology’s “Framework for Improving Critical Infrastructure” report released last February, which is designed to give an organization a risk-based approach to systematically identify, assess and manage its cybersecurity risk.
Richard Clark, marketing specialist at Schneider Electric Invensys InduSoft, says processors can use the study to help conduct a detailed risk analysis for their plant and control system network and establish a baseline for how secure the systems actually are.
“Once it is known where the vulnerabilities are, then cost-benefit analyses are usually performed to determine the risk vs. reward of mitigating the various vulnerabilities,” he says. For example, if a plant has wireless devices on the floor, it is extremely important for mobile security guidance and recommendations to be strictly adhered to. Designing new applications with security also should be a primary consideration.
“Common control system wireless vulnerabilities need to be mitigated within the plant if wireless devices are to be employed,” Clark adds. “Portable devices may need to employ InduSoft Mobile Access, Secure Viewers, IPsec, VPNs or other external applicable security appliances and firewalls specifically designed for use with control system protocols.”
According to Clark, standard IT security safeguards can be easily circumvented when a hacker phishes across a LAN for control system protocols and signatures. “Indeed, many past successful control system attacks and espionage have been conducted with full IT security protocols in place,” he observes. “InduSoft products are built and customer implementation recommendations are made with layered security in mind.”
“Wireless capability introduces many avenues for malware to get into the plant and for intellectual property to escape the plant,” says Keiser. “When implementing wireless, a plant can implement encryptions or lockouts to lower the risk of this happening.”
Another vulnerability to consider arises from the growing use of online storage services, also known as cloud storage. “Folks are flocking to these services in the name of convenience and unfortunately completely ignoring the security implications when utilizing a cloud storage solution,” explains Muscatell, who describes the threat posed by people using company computers to access personal accounts. “The fear is that if someone were to leave the company with that data on that personal cloud storage solution, the company has little recourse in retrieving or even knowing about it.”
Snyder’s-Lance has implemented a private cloud-style solution that replaces the use of personal cloud storage. However, the concern around external storage devices still remains. Muscatell says a data loss prevention system would help mitigate that risk.
When it comes to remote diagnostic and plant monitoring capacity, Keiser says it can be a useful tool, but “the fact that data is leaving the plant is a concern.” Thus, the proper setup of remote diagnostics is crucial in preventing intellectual property information from being sent out.
“When working with an internal or external remote diagnostic service provider, the plant should ensure the data that’s leaving the plant is encrypted. The data at rest at the provider’s location should also be protected,” Keiser says.
Clark says remote diagnostics and monitoring can be achieved by using approved mobile devices inside the plant, as well as Thin Clients and secure viewers or InduSoft Mobile Access (MA) for plant metrics and mobile dashboards.
“Maintenance personnel within the plant find machine and production line repairs and tuning are greatly enhanced and made more efficient by the use of these devices, even though they may be of a generic nature [devices supporting an HTML5 browser],” Clark says. “Mobile security protocols, such as fencing, local machine and area barcoding, and user authentication and privilege help properly secure them.”
Defense and detection strategies
What can food and beverage processors do to enhance the security of their data? Companies should go beyond defensive moves, Henry advises, and assume adversaries are already there.
“Detection is the best defense,” he says. “Detect the adversaries, and then take action.” If left unnoticed, adversaries can pilfer data and monitor communications for many months or sometimes years before they are caught. However, Henry says being proactive and detecting them early can mitigate the risk.
Graham believes companies should be concerned about three areas in their networks—the outer edge, the interactive users and the protected servers. “The outer interconnecting part of a network must be hardened as much as possible, while the user and server environments must be modeled and tracked over time through behavioral technologies,” he says. “It is only with a combination of these concepts that an administrator even has a fighting chance these days.”
Keiser says to successfully secure company information, a mix of technical and corporate cultural solutions must be put in place. For example, a technical security solution would be software or hardware that automatically protects the network or device on the network, such as a firewall. “Other solutions for protecting intellectual property would be human based, like specific policies and procedures that must be followed by employees,” he says.
Exemplifying this mixed approach are two data protection methods recommended by Matthew Fordenwalt, manager of business consulting at Rockwell Automation—layered security and “defense-in-depth.”
“Industrial control system security relies on layers of security using multiple controls, methods and techniques that work together to help protect a system,” says Fordenwalt. “For enhanced protection, a defense-in-depth security strategy is applied to a system design to complement layered security technical and non-technical protective measures.”
For instance, he says companies should not only restrict physical and electronic access to control system equipment, they should also ensure firewalls block non-essential traffic. Additionally, they should follow a regimented and timely patch management process for all products, as well as frequently changing product passwords and using anti-malware on control system PCs.
Muscatell says a person accessing the Internet on a company laptop or desktop computer could come across a website that contains malicious code; to detect and block that threat, a solution should already be in place.
“Simply put, have a bouncer at the front and back doors,” he says. Then, if you have something watching what is coming in via websites or email, the threat cannot get through. “Phishing attacks are still one of the best ways to gain access to a system. While there are solutions that provide the ability to capture and detect those types of threats in the email, many are missed.”
If something does sneak through the front door, such as a person clicking on a malicious link in an email, before that threat gets into the company’s network, another system should be in place to detect and block it. “For those types of situations, very effective solutions are available,” Muscatell continues. “By taking this approach at Snyder’s-Lance, we have effectively reduced the number of malware-related incidents by 60 percent, but we still have more work to do.”
Clark says early detection and mitigation can prevent the loss of company data and sensitive records. “It is important to install control system security procedures and equipment, build authorization and authentication into the system and continually monitor for known issues and system behavior that is not normal, including log checking and the implementation of devices and appliances that help maintain the system’s security integrity.”
Fordenwalt says a defense-in-depth security program helps detect a security breach, but after-the-fact detection technologies have limitations. “Next-gen breach detection is solving the challenge of how to analyze a great variety of data in high volume, and at great velocity, to determine potential breaches,” he states. “Solutions in the marketplace are beginning to marry big-data techniques, such as machine learning, with deep cybersecurity expertise to profile and understand user and machine behavior patterns, enabling them to detect the new breed of attacks.”
He adds that using these types of third-party security solutions with Rockwell Automation products, such as FactoryTalk Security, FactoryTalk AssetCentre and Studio 5000, will provide manufacturers the ability to identify changes and breaches in their systems.
Data breach response
In the event a problem does occur, Henry says it is imperative for companies to have a data breach plan that outlines response strategies. “Companies have a fire plan if there is a fire, and they have a contingency plan if there is some type of catastrophic event,” he says. “They must have the same type of plan in place for a cybersecurity breach.”
If companies do not yet have a data breach plan, Rockwell Automation’s Fordenwalt has some advice for putting one together. (See the sidebar on incident-response plans below.) After the incident, but before a full system recovery, Fordenwalt suggests remediation efforts should be employed to fix the source of the problem.
“This may include the eradication of any malware left on the system, removal or replacement of vulnerable equipment, reconfiguration and patching of equipment or software and possible access cancellation for certain personnel,” Fordenwalt says.
“Like any incident response, you have your various levels of an incident,” says Muscatell. “If a computer controlling or attached to a SCADA system has malware on it, then the response would be in line with how the organization handles malware/virus threats.” He developed a malware response team consisting of select members of different IT groups to improve not only the response to a threat, but also reduce the amount of time spent performing remediation. (See the sidebar on the Snyder’s-Lance sample incident response below.)
“Simple issues can be handled in house, such as a wrong access level for a certain employee,” Clark says. “More serious breaches involving outside or unknown actors should be immediately referred to the local FBI office, which will likely get ICS-CERT [the Industrial Control Systems Cyber Emergency Response Team] involved.”
“Recovery should include retrieving the backup data that has been archived,” adds Keiser. “In some cases, another site may need to be ready to take over if the primary site is down for a long period of time. There are no guarantees when it comes to industrial cybersecurity.”
To ensure a similar cybersecurity event does not happen again, Fordenwalt says a “lesson learned” exercise should be held soon after. In this, the following key questions should be answered: What components were affected? What operating systems were affected? How was access gained? What damage was done, and what could have been done to prevent it? What are the network’s vulnerabilities, and what might have been done to prevent the incident and/or detect it earlier?
Momentum in the industry
The importance of cybersecurity has been underscored by the recent actions of industry associations and vendors. Peggie Koon, 2014 president of the International Society of Automation (ISA), says a comprehensive workforce development strategy is being implemented to train and prepare those responsible for protecting critical industrial infrastructure, which is the biggest target and at the greatest risk of cyber attacks. ISA created ISA 62443, a set of standards specifically intended to help secure industrial automation and control systems.
“ISA’s leadership in industrial cybersecurity extends well beyond the standards by leveraging the vast expertise and knowledge from the ISA/IEC 62443 program,” explains Patrick Gouhin, ISA executive director and CEO. “This has led to programs for the training, certification and continuing education of those who must understand the complexities and interactions of advanced automation and control systems while protecting critical infrastructure and the industrial base.”
Additionally, companies might want to consider becoming a member of the FBI’s InfraGard program, which provides industry-specific threat information.
“I have joined InfraGard on behalf of Snyder’s-Lance, Inc.,” says Muscatell. “I belong to a number of other organizations, but have found the information provided by InfraGard is much more targeted to our specific industry when talking about cybersecurity.”
With this surge of cybersecurity awareness, Graham says resources are finally being made available. New tools arming IT security departments against the threat, along with governmental information such as the NIST’s Framework report on network security best practices, are helping to keep attacks from being successful. “This information, combined with emerging technologies that experienced experts within companies can use to monitor their networks, users and devices, will turn the tide,” he says.
Incident-response plans
Before a data breach occurs, every company should have a plan to address this type of event. Rockwell Automation’s business consulting manager Matthew Fordenwalt developed the following core principles to guide companies in creating—and implementing—incident-response plans:
- Assign an executive to take responsibility for the plan and integrating incident-response efforts across business units and geographies.
- Develop a taxonomy of risks, threats and potential failure modes. Refresh it continually on the basis of changes in the threat environment.
- Develop easily accessible quick-response guides for likely scenarios.
- Establish processes for making major decisions, such as when to isolate compromised areas of the network.
- Maintain relationships with key external stakeholders, such as ICS-CERT.
- Maintain service-level agreements and relationships with external breach-remediation providers and experts.
- Ensure documentation of response plans is available to the entire organization and is routinely refreshed.
- Ensure all staff members understand their roles and responsibilities in the event of a cyber incident.
- Identify the individuals who are critical to incident response and ensure redundancy.
- Train, practice and run simulated breaches.
An effective incident-response plan ultimately relies on executive sponsorship. When a successful cyber attack occurs, and the scale and impact of the breach come to light, the first question customers, shareholders and regulators will ask is, “What did this company do to prepare?” Execute your incident-response plan to contain and remediate the problem.
Sample incident response from Snyder’s-Lance
Mike Muscatell, information security manager for Snyder’s-Lance, Inc., developed the following standard process in response to a possible high or critical event:
- Determine the incident’s cause based on information gathered during the investigation.
- Determine how the attack was executed.
- Determine any immediate workaround steps to resume critical business (if possible).
- Remove the threat.
- Perform a vulnerability assessment and remediate vulnerabilities.
- Return systems to a trusted state.
- Compare the system against the original baseline gathered during the preparation phase.
- Have business units test the service/system to verify functionality.
- Restore the system to the production environment.
- Perform ongoing system monitoring to ensure system integrity and detect any incident recurrence.
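The “return to a trusted state” and “compare against the baseline” steps above depend on a baseline that was actually recorded during preparation. The following added example (not Snyder’s-Lance code or any vendor’s product) shows one way to record a file-integrity baseline of a control-system host and diff a post-incident snapshot against it; the file paths and contents are constructed sample data standing in for an HMI workstation.

```python
from __future__ import annotations

import hashlib
import os
from dataclasses import dataclass, field


def hash_bytes(data: bytes) -> str:
    """SHA-256 of a file's contents; the unit stored in the baseline."""
    return hashlib.sha256(data).hexdigest()


def snapshot_directory(root: str) -> dict[str, str]:
    """Hash every file under a real directory (relative path -> digest).
    Run this during the preparation phase and store the result offline."""
    snap: dict[str, str] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                snap[os.path.relpath(path, root)] = hash_bytes(fh.read())
    return snap


@dataclass
class BaselineDiff:
    added: list[str] = field(default_factory=list)     # present now, absent in baseline
    removed: list[str] = field(default_factory=list)   # in baseline, missing now
    modified: list[str] = field(default_factory=list)  # same path, different digest

    def is_clean(self) -> bool:
        return not (self.added or self.removed or self.modified)


def compare_to_baseline(baseline: dict[str, str], current: dict[str, str]) -> BaselineDiff:
    """Classify every path seen in either snapshot; a clean diff is the
    evidence that the host matches the trusted baseline again."""
    diff = BaselineDiff()
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            diff.removed.append(path)
        elif path not in baseline:
            diff.added.append(path)
        elif baseline[path] != current[path]:
            diff.modified.append(path)
    return diff


# Constructed sample snapshots (hypothetical HMI host), not captured from a real plant.
BASELINE_FILES = {
    "hmi/project.cfg": b"server=plc-01\nalarm_limit=80\n",
    "hmi/startup.bat": b"start viewer.exe\n",
    "system/backup.cfg": b"retain_days=30\n",
    "system/hosts": b"127.0.0.1 localhost\n",
}
AFTER_INCIDENT_FILES = {
    "hmi/project.cfg": b"server=plc-01\nalarm_limit=95\n",  # setpoint changed
    "hmi/startup.bat": b"start viewer.exe\n",                 # unchanged
    "hmi/update.exe": b"MZ-constructed-sample",               # unexpected binary
    "system/hosts": b"127.0.0.1 localhost\n",                 # unchanged
}


def baseline_snapshot() -> dict[str, str]:
    return {p: hash_bytes(b) for p, b in BASELINE_FILES.items()}


def demo_diff() -> BaselineDiff:
    current = {p: hash_bytes(b) for p, b in AFTER_INCIDENT_FILES.items()}
    return compare_to_baseline(baseline_snapshot(), current)


if __name__ == "__main__":
    d = demo_diff()
    print("added:", d.added, "removed:", d.removed, "modified:", d.modified)
```

Only a clean diff, with each added, removed or modified path explained by authorized remediation, should clear the host for the business-unit testing and production-restore steps that follow.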