Belden : The ICS “Subversive Six”- Unseen Risk Points in Your Industrial Networks

Self-described 'Mr. Potatohead,' aka Sean McBride, gave a keynote address on Thursday, October 13, 2016 in Orlando, Florida at Belden's annual Industrial Ethernet Infrastructure Design Seminar (IEIDS).

Sean McBride, Lead Analyst for Critical Infrastructure at iSight begins his keynote at Belden's IEIDS event.

Sean is the lead analyst for critical infrastructure at iSight, specialists in securing industrial control systems (ICS) and operations environments. iSight was acquired by FireEye in January 2016.

It was a privilege to hear Sean speak live (he's excellent, dynamic and relevant. If you ever have a chance to hear him live - be sure to catch it). Sean gave an exceptional keynote drawn from both his life experiences in the Idaho potato industry and from his years in forensic and analyst work to help secure critical infrastructure and industrial control systems.

Sean masterfully wove his talk from the fields of Idaho to the control floor of industrial businesses we can all relate to. Speaking firsthand, he highlighted the potentially 'unseen' risks within potato farming and harvesting processes.

Image from Sean McBride's talk relevant to potential risks in potato processing machinery used in Idaho. Image reference www.mysafetysign.com

The ICS 'Subversive Six'

The 'Subversive Six' is a name he uses to describe the unseen risks within our own industrial infrastructures. For each of these he shared current trends and what risks iSight/FireEye have visibility from their vantage point of world surveillance and analysis.

• Unauthenticated protocols - many of the most commonly used industrial protocols for communications with ICS are unauthenticated. Sean highlighted that many groups and hacker communities his organization tracks around the world have invested a lot of time to learn the inner workings of these protocols and the equipment using them. Since the protocols and equipment were not designed with security in mind, this is an often 'unseen' area of vulnerability that can cause disruption (such as modifying set points or function codes, altering firmware and even having the capacity to start or stop the PLC). Passing mention was made of Tofino - Tofino Xenon Industrial Security Appliance can assist in securing industrial protocols and protect the potentially vulnerable ICS assets within industrial networks.

• Outdated Hardware - Many ICS are not built to handle the volume and traffic types coming across industrial networks today. Sean noted the reasonably well-known incident related by the U.S. Nuclear Regulatory Commission (NRC) where in 2006 PLCs and VFDs at Brown's Ferry Nuclear Generating Station malfunctioned as a result of excessive network traffic. Digital Bond also documents instances of equipment that should be decommissioned due to age. (Again, self-serving plug - Tofino Xenon helps with this issue also.)
• Weak Password Management - Yes, what ICS talk would be complete without this topic? This is an area every single industrial organization could take action upon today to identify and mitigate. (Not in Sean's talk). However, Sean highlighted a well-known group of Russian security researchers who maintain the website www.scadastrangelove.org and have made it a study to document all default and hard-coded passwords within ICS/SCADA equipment. One vendor's PLCs have 7 hardcoded passwords. Sean asked - at what point do vendors and developers need to take some ownership? Good question.

• Weak File Integrity Checks - In March 2016, researchers demonstrated a PLC worm that spread from one Siemens PLC to another by simply modifying control logic. Other PLCs using unencrypted protocols are susceptible to similar attacks and firmware updates have become a favorite target of outsiders. (Self-serving plug - Tripwire, acquired by Belden two years ago is well-known for having pioneered the field of File Integrity Monitoring (FIM) and is a useful help here. Sean didn't highlight Tripwire however.)

• Vulnerable Windows Operating Systems - This one is relevant from the standpoint that two of the most widely used Microsoft Windows versions - XP and 2003 Server have been dropped from Microsoft support. Those 'end-of-life/no more patches or alerts' dates were April 2014 for Microsoft Windows XP and April 2015 for Microsoft Windows 2003 Server. Sean's point here is that just because you're not receiving alerts, don't think there aren't weaknesses or vulnerabilities that can be easily exploited in these OS.

• Undocumented Third Party Relationships - This is important. You hear about 'Supply Chain' vulnerabilities and 'you're only as secure as your weakest link' but Sean highlighted that if a vulnerability exists or surfaces against Windows 7, you can bet that it may have applicability to older OS. You're just not getting notified because those older system OS - Windows XP, embedded versions and Windows 2003 aren't sending notifications. Further, there are targeted exploit kits available and in widespread use that heavily leverage a multiple of the known CVEs (Common Vulnerabilities and Exposures).

  Note - for reference, those of you interested in researching ICS vulnerabilities, exposure, and applicability to your environment, Mitre is an organization that monitors vulnerabilities and makes a database available http://cve.mitre.org/ and NIST - the National Institute of Standards and Technology also maintains the NVD - the National Vulnerabilities Database at this location https://nvd.nist.gov/ . ICS-CERT will issue advisories and frequently references applicable CVEs for ICS environments.

An example of a relevant ICS-CERT Advisory, referencing details ICS operations staff should prioritize based on ICS-CERT advice. This is a critical concern and relevant to older post-support Microsoft OS from Microsoft. Click here for larger image.

Summary

There were many excellent talks delivered at Belden's IEIDS event and the attendees had selection of several tracks to attend depending on their needs and interests. However, Mr. Potatohead stole the show - bringing a highly relatable talk that created industrial cyber security awareness, gave details to back it up and incited the listeners to take action. Belden's IEIDS engineering attendees felt compelled to learn more and the attendees mobbed him after the event with questions.

Immediately following his keynote, Sean led a session on ICS Hot Spots which was also a fascinating delve into the world of ICS security analysis.

If you'd like to learn more about the IEIDS for next year this blog shares all the details.

Related Content to Download

Related Links

Cyber Security Resources

Belden IEI Design Seminar

Industrial Ethernet Certification Training Information