Axians Network S1 E2
[00:00:22] Welcome to another episode of Axians Networks, where today we’ll be discussing cyber security in the industrial sector.
[00:00:29] Here with me today is Thomas Menz. Thomas is a senior consultant at the ARC Advisory Group. Thomas is part of the automation team that is covering industry related topics across Europe. His focus is on distributed control systems, functional safety, I.T. security, energy efficiency, and the physical components between the field instruments and the control room. Thomas also specialises in process automation trends, technical customer expectations and market research. Thomas has a strong background in the process market and is speaking to us live from his offices in Germany today. Welcome, Thomas. Welcome, everybody. And we also have, and I should say we are very privileged to have, the eminent Lee Fisher of Juniper Networks. And Lee, you’ve been described as an I.T. security guru, and I think that’s fair to say from what we’re going to hear today. And you have more than 20 years at the sharp end of it, a noted public speaker, I should say, and it is said your passion and style, which makes me feel woefully inadequate on my show today, stand out in the sometimes staid world of network security. Prior to joining Juniper, Lee has held positions across Dr Solomon’s, McAfee, Hewlett Packard, to mention a few, and now heads up the Juniper Networks security business across EMEA. Welcome.
[00:01:48] Uh, thank you very much for inviting me. So to position why we’re here today, we’re going to jump straight in. So industrial automation and control systems, IACS, may I call them IACS?
[00:02:00] OK, you can call them whatever you like.
[00:02:03] So this is a general term describing automation systems responsible for data acquisition, visualisation and control of industrial processes. So it’s machines that do things. Yeah. And so they’re found in various industrial sectors. So chemical plants, car production lines or in critical infrastructure such as water utilities, power utilities, they play a critical role in maintaining the continuity of the industrial process. But they also serve, as I understand it, to ensure functional and technical safety, preventing large industrial accidents and environmental disasters. But without the right level of security, one could argue that they themselves are a disaster waiting to happen. So if you wouldn’t mind, could you just sort of bring to life or paint a picture of what we’re talking about here?
[00:02:52] Yeah. Yeah, sure.
[00:02:54] I mean, effectively, most of the things that make things, the things that actually keep our water and lights on at night, the things that actually we rely on in terms of, you know, the automation of equipment, in terms of production lines, assemblies, in terms of, you know, energy supplies, water supplies, the cleanliness of the water, all of those things that are connected and do something in a business or some form of critical infrastructure, they slowly over time become more and more less stovepiped or less air gapped from what is the IoT world today. And they’ve coalesced. So they’ve come together. And businesses are doing that from an operational sort of efficiency and cost saving perspective. And of course, in the process of doing that, there are new inherent risks and, you know, in summary, really, and I’m sure we will dive into some of this detail later, you know, there’s evidence now going back over, what, 12, 13 years in the sort of scale and scope of these threats that are coming out against these industrialised control surfaces and systems, in terms of the attacks and the opportunity that’s there for cyber criminals and state actors to exploit. And there’s lots of evidence that that’s underway today.
[00:04:11] And I think we are going to cover that as we go through today. And Thomas, reading the ARC Advisory Group’s website, it’s clear that digital transformation in the industrial sector has already begun. Now, whether we call it the Industrial Internet of Things, IIoT, or Industry 4.0, industrial companies have already begun to use the available technologies to completely reimagine their business model. So for a lot of those companies, there’s benefits and opportunity here to improve asset performance, to provide new service offerings, improve operational efficiency and completely new ways of offering value to their customers. But that all comes with risk, as we’ve just been hearing about. So how does the ARC Advisory Group help customers identify and incorporate the latest Industrial Internet of Things related developments, if you like, and best practises to stay protected in this evolving threat landscape?
[00:05:05] OK, David, thank you. That is really a long question. So let me start 30 years ago. So ARC was founded in the US, in the Boston area. And since then we are working together with asset owners and users, automation suppliers and software companies, really to provide market intelligence with a strong focus on automation applications. And today, 30 years later, these cyber incidents and cyber threats are really serious. And as you said before, the process related industry belongs to the critical infrastructure. If somebody takes over control from the old scientist, it can have a dramatic impact. And we are really providing market service, first best practises, talking to the automation suppliers, to the software companies, adding cyber security value to the asset owners and end users, so that they know what’s available in the industry, and of course, we are tracking seriously the threat landscape. So we are providing information on what is maybe, uh, maybe a risky attack and what kind of preparation is necessary for the asset owners to withstand it.
[00:06:35] OK, so there are clearly security risks there, and what we do know is over the last 10 to 15 years, the industrial automation and control systems have become more vulnerable to the security risk. And I think we were discussing earlier, and you did reference it earlier, that the heavy use of commercial off the shelf technology such as Microsoft Windows, SQL, Ethernet means that these control systems are now just as vulnerable as our IT systems are to viruses, worms, Trojans. And in fact, you know, there’s been much publicised attention in recent years. Can you reference a few real world incidents here that underline the point we’re trying to make?
[00:07:14] Yeah, I mean, again, if you dig below the surface it actually turns out there’s actually quite a few sort of individual threats as well. I mean, if you go back in time, you know, there’s evidence that says that this journey that we’re at today actually started as far back as 2005 when some of the components were originally being put together for what maybe later turned into Stuxnet, things like that. I think a lot of the audience may or may not have known about it in terms of the attacks that were aimed at the Iranian nuclear production facilities. But, you know, there’s additional ones. So, I mean, there’s a whole series of sexy names associated with these threats. There always are. I don’t know exactly where they always pluck them from, but BlackEnergy, BlackEnergy 2, BlackEnergy 3, each of these sort of slowly enhanced and evolved the actual capabilities in these threats, going back from, I think, 2007. The original one was just a DDoS tool. So we deny access to the types of technology. But then BlackEnergy 2 and 3 started to actually take that concept a little further in understanding what’s on somebody’s network. So what industrial control technologies is an organisation using? Version three of that started to actually get a little bit further by having some sort of remote control capabilities back to some sort of centralised point from afar. And it was not the original operator, somebody else. You’ve got a lot of other threats that were surfaced. There was another one that appeared in 2013 that was actually interesting, that leveraged what we call a watering hole opportunity, in the sense that these criminals went after the technologies that the operators were likely to be using. And that was fine by attacking the technology on the vendors’ websites. So they hacked in and actually changed the software that someone would download if they were actually legitimately using this technology. It’s called a watering hole.
It’s like they’d go to where these vendors were likely to end up and then through that started to actually cause significant disruption. One of them was related to Ukrainian, sort of potentially state orientated, attacks by Russia in 2015 that actually attacked Ukraine’s power grid. There was another attack essentially that was surfaced last year, CrashOverride, as it was called, that actually was responsible potentially for damaging, again, the Ukrainian infrastructure. So about a quarter of a million people lost, had no power. And then the most recent sort of threats that we’re seeing today, Triton or Trisis by any other name, is essentially a threat that looks to actually attack one thing that you were talking about earlier, which was the actual safety technologies associated with their safety instrumented systems that were actually there to help and govern this technology that organisations are using, deliberately to actually do something else to them. So there’s a whole range of threats that we’ve seen evolving over that period of time. And actually, the interesting thing is, you know, a lot of the loss becomes a lot of state orientated sort of conversations. Is it the Americans and the Israelis going after Iran, or is it the Russians going after the Ukraine? These are interesting conversations which we can’t possibly cover today. But the reality is what’s actually going to affect, I think, most organisations is actually, you know, look at where the cyber criminals make money today, and that’s in ransomware, and that’s holding an organisation to ransom and denying them access to some form of technology or data inside their business. So I think that what we’re seeing on this evolutionary path is eventually we’ll get to a point where all manufacturers potentially, or anyone in the supply chain, potentially could effectively be held to ransom by those organisations being denied access to their infrastructure.
So stopping production, production lines and everything else. So there’s, you know, the threat is maturing at the same time as industry is adopting more open standards. And that’s what really we need a cautionary tale towards: don’t just do this blindly. There’s lots of standards, which we’ll touch on now, coming along which are there to help advise and govern, and we just need to listen and look at these practises.
[00:11:38] So, Thomas, would you like to respond to Lee?
[00:11:41] Yes, of course. First of all, I think Lee summarised the situation fantastically. But really, let us keep in mind and let us agree, this cannot be reduced to a secure technology only. We need really, uh, these humans, the processes and technology in place, and these three things, they have to, um, they have to be set up in a secure way.
[00:12:10] That means we have to train the people. We have to define the right processes, and we have to install and use the secure technology to achieve a decent level of security. So that is my initial response to Lee’s statement. But coming back to your question, David. Uh, yes, we have some independent research, and this is important here because so much, uh, rumour is going on on the Web. So it is really important to get some independent research institutes where we get solid data from. And one fantastic source is ICS-CERT. So this is a cyber response team of the Department of Homeland Security in the US and they are really analysing the critical infrastructure every year. And the latest data we can get is for financial year 2016, and they did 130 assessments there, with 50 percent of these assessments targeting the design architecture. And that is absolutely in line with what Lee already said.
[00:13:20] So if the, uh, Department of Homeland Security did these assessments, they found 700 critical discoveries really in the critical infrastructure network. And again, the critical infrastructure, uh, is a conglomerate of the energy industry, the logistics and transportation, the water and waste industry and, of course, government networks. And I think, um, this kind of assessment will be done year by year. And we see always an increasing number of incidents, because if you compare the 2016 results against the 2015 results, you easily find out 2015 from the attack outside water and wastewater and the energy industry, they were under attack.
[00:14:17] But in 2016, obviously, the attackers, they changed their scenario, their strategy a little bit. And they’re now targeting, again, water and wastewater and energy. But they found as new industries the chemical industry and, of course, the general communication. So as we can see, it becomes more and more tricky to withstand, uh, the attacks, uh, sophisticated, uh, incidents. And because of that, let’s say all the end users and asset owners, they have to take really responsibility to secure the applications up to a decent level. And that is, of course, necessary to withstand, uh, against the threat landscape.
[00:15:05] Trying to tie those two pieces together. I mean, the strategy of these cyber criminals is going to change. And they’re probably going after the money a little bit in terms of the organisations which are under attack. And the point here, though, is that with the sort of potential extent of the problem, you’d have thought that more industrial companies would take the necessary steps to protect themselves. But statistics tell us that is not the case, and specifically the industrial sector, which we’ll take as a whole, is lacking when it comes to cybersecurity. So what are the barriers and why are these companies not putting in place the necessary security to protect themselves against the cyber attack?
[00:15:48] I think, you know, there’s so many answers to that one, David. I wish there was just one, and we could apply the silver bullet, right, to fix it. But the truth is that it’s a multifaceted answer there. Yeah, I think actually Thomas pointed out and illustrated, in response to my initial point, one of the key issues, and that’s people. You know, if we look at where, first of all, for any attack to be successful, they have to launch it here. They have to get it inside that organisation. And actually, it’s the human squidgy bits that I think are the prime target here, the initial easy target, the lowest hanging fruit, in the sense of creating something that we’re likely to be tempted by to open and run. I mean, this is a known attack model that actually works, or they put something on a USB stick and leave it in a about. People are people, and so he’s absolutely right, if we can’t fix this issue, then actually what the rest of the scenario is that we’re putting in place is a consequence of that. And so we can’t change this overnight. It’s about continuous education. It’s about understanding how we actually think about what it is that we’re doing with electronic communications coming into the business, what we do regarding opening content, where we go online, what we trust inside the business. It’s also then down to some layers around that in terms of our behaviour, some of the technology aspects, in terms of what equipment do you actually have, what’s its purpose, what’s its role for you, how is it segmented away from other parts of the business? You know, these are actually difficult challenges for organisations: first to identify what they’re using on their network and then secondly, how to actually protect it against an adversary that is continuously changing its attack as well. They don’t sit still. In fact, most of the things that you talked about there were actually them finding their feet. This is baby steps.
What we’re seeing at the minute, this is a fertile opportunity. And then over the next few years for them to go after, because to date, what we’ve seen is, you know, what happens in terms of most organisations is the threat vector is an email that will come in, maybe a phishing email. Someone is targeting you specifically with something you’re likely to open. It runs on a machine and then it’s hoping to find other Windows based, usually, machines inside the network. Wow. Is that the best way for them in the future, or is the access to what they’re looking to achieve achieved by attacking another Windows PC with a human on it? And the reality is that, as we’ve already seen by a number of these attacks, now they’re actually going after the things that you and I aren’t sitting at in terms of an interface. They’re actually targeting a piece of equipment that’s producing something or creating something or pumping something and so on, that we can’t see. And unless we’re sitting there doing this or talking up, making sure on a production line it’s going right, torque for something, for example, to make sure it’s tight first, suitable for the quality of goods that they’re creating, well, how are we going to validate that? You know, if we go back to the critical aspects, the tenets of security, confidentiality, integrity and availability, you know, this is talking about: are we able to provide and ensure the integrity of the business and the actual systems that are going to respond to information and controls coming to them? And, you know, are we validating that those controls are actually legitimate, from people inside the business?
You know, one of the recommended guidelines that we’ve seen from the Department of Homeland Security and in IEC 62443, which is a standard specifically designed to look after IACS security, is let’s make sure that the devices that are talking to and giving control and instructions to the equipment that you’re using are in a specific, dedicated tunnel. You know, it shouldn’t come from anywhere else. And so it’s very difficult for organisations to keep on top of all these changes that are happening at the same time. So I wish there was an answer I’ve got, it is called this, and let’s do this and we’re safe. The reality is it’s going to take several lessons, several iterations of this and a continuous learning curve on behalf of us, the users, the implementers of these technologies and, of course, the cyber criminals teaching us these lessons.
[00:20:10] But that is the inherent problem here, is that it’s an evolving risk. Yeah. And it’s always going to change. But we’ve had a conversation before, the three of us, and we’ve just mentioned there the Department of Homeland Security, and they’ve actually issued some guidance, which about defence effectiveness. Thomas, would you want to pick this up?
[00:20:29] Yes, of course. Because DHS really, they analysed the cyber attacks of 2014 and 2015. And again, they analysed several hundreds. And they really came up with, uh, let’s say, a best practise for the asset owners, um, because they said, uh, if the asset owners had used in 2014 and 15 really seven strategies, just seven strategies, 98 percent of the attacks, uh, could have been prevented. And again, this is not brand new, because it goes back to the years 2014 and 15. But they said if application whitelisting and proper patch management and, of course, reducing the attack surface and managing the authentication to the control system and, of course, uh, securing the remote accesses and monitoring and responding to anomalies, if these seven tasks are combined in the right way, again, 98 percent of these incidents could have been prevented. I think that is a strong statement. And Lee explained that before. But I like to add, implementing security is not a one off. It is a constant process. That means if we implement something today, we have to monitor the effectiveness and maybe have to change it according to the threat landscape in future. That means we have to audit our security system frequently to really be prepared against the latest threat landscape and against all these kinds of attacks.
[00:22:30] Seems to me, sitting here, that the humans are the problem here. Are we doing our job well?
[00:22:36] Yeah, exactly. It sort of seems a simple thing. If we carried out those things that we should do and took advice and heeded that advice and executed upon that advice, we wouldn’t have the problems that we have. There we go.
[00:22:47] We seem to, um, but also, you know, in terms of difficulty, I’m thinking of all the parts of the manufacturing lifecycle here, of which I believe there are five, and each one of those is internally disparate.
[00:23:04] So the manufacturing lifecycle is disparate. I’m talking about here the production, the transportation that we use and then recycling, and so on as it goes around. And so where these things are linked together, surely if one of those parts of that cycle is inefficient, has massive inefficiencies in security, that’s just going to be the weakest link in the chain and everything’s going to fall down. So how do you measure security performance across the supply chain, which we can agree would be disparate? And how do you sustain those gains that you make, if you do get that together, when you suddenly have changes in that supply chain?
[00:23:42] So that, again, seems to be very fallible and very human side. Oh, yeah. And it’s also very another another one of your large Cloud sorry. You you assume because we know how do I solve the world. No, no. You know, we’re getting our money’s worth. Yeah. Yeah, yeah. You’re right.
[00:23:58] So what you’re basically saying is, you know, in many ways, you know, from an IT perspective, let’s put it this way, because I think it might be a nice bridge, is, you know, we’ve been talking about secure DevOps for a good couple of years now. And what you’re talking about is, you know, not just developing code in a secure way. You know, we started with Microsoft Trustworthy Computing in the early noughties, I believe it was. But, you know, we’re still learning and doing that now in terms of just software code. Actually, what you’re inferring there is, you know, a whole new development, manufacturing and production base. And the word critical in critical national infrastructure is an important word and shouldn’t be overlooked. But these sectors, too, need to start to apply these things from an end-to-end perspective. And that’s really what you’re referring to here, is there is an end-to-end cycle that we need to do, and it has to have incorporated an iterative process to have improvement through that way. You know, Thomas talked about it and touched on it a little earlier when he talked about the 98 percent, you know, and that doing these practical things will actually minimise that attack surface. There’s also a shift that’s happening already in I.T. security that we shouldn’t overlook here. It needs to be brought around, and that is behaviour. You know, it’s creating a model of normality. And in fact, this is one of their recommended guidelines as well. So it’s not like I’m plucking something out of the air here either. But essentially, the more you understand the nature of the business, the more you understand the nature of these systems and what they should and shouldn’t be doing, then effectively, it’s easier to identify when something starts to go wrong.
And if a centrifuge, for example, has a threshold, a red line limit, spinning up at a certain RPM, then if you notice that that’s actually gone, it was recording. Now, are you listening to that or are you tracking that? Is there something that you should be doing in response to that? This capability is there and it’s a case really of starting to leverage behavioural technologies as well, as a way of helping these managers who have got to look after it, because there’s so much for organisations to be dealing with now in terms of their digital footprint, in terms of threats, that it’s difficult for these guys. And it’s usually a very small team of skills and personnel, to be able to respond in time. And so while you’ve got that time window there, that’s the two percent that we’re referring to, something will slip by, and it’s about having the relevant capabilities in place that identify and catch those things that you can’t stop by doing best practise all the time, you know, and it’s incredibly difficult. But effectively, we’re looking for an end-to-end sort of cycle here of being able to, you know, look after this in its entire lifecycle, not just an abstract part of it.
[00:26:53] You were just talking about monitoring machines’ behaviour. Yeah. Yeah. Okay, yeah.
[00:27:02] I’ll give you a real example. And it wasn’t specific. This is a threat that wasn’t specifically targeting, you know, industrial control services, but it’s exactly the same type of challenge that we’re talking about here. And it is a nice example and everyone will usually recognise it: WannaCry. Okay. WannaCry, a piece of ransomware which started last year. Essentially, what we were talking about was a threat that came onto a business and stopped people accessing systems. Well, you know, from a digital point of view, that’s the capability we’re talking about now from attacking the industrial threat. And effectively, what you’re doing is, instead of looking at identifying a bad thing for exactly what this binary piece of code is, you’re looking for the behaviour. So the behavioural traits that were being exhibited by this piece of ransomware really should have been identified and stopped. So it’s the behaviour of things that matters. What something does is more important than what something is like. And basically we need to start leveraging this technology more in the future, which kind of nicely brings me onto investment.
[00:28:08] And in so much, you know, typically, how much would customers be looking to invest to secure themselves against cybercrime?
[00:28:17] I’m going to ask, um, Thomas, um, would you like to respond to that question, please?
[00:28:23] Yes, we have conducted a research on this topic and we really summarised the rough estimate of costs in control systems. And first of all, we classed DCS control systems in small, medium and large systems. So these smaller systems, they represent an investment of roughly 30000 U.S. dollars, a medium system represents 125, and the largest systems, they represent three hundred fifty thousand. So if we are following the security procedures according to the guidelines, the 62443 or the NIST framework, typically you have to add application whitelisting. You have to do frequent patch management, you have to use authentication systems.
[00:29:10] You have to secure all the remote interfaces and accesses, and maybe you monitor anomalies in your communication line. And really the surprise was, if you analyse these three DCS system sizes as regards investment of security cost, not much cost is really necessary to secure systems. So at the end, we got for the small system a value of, uh, less than five percent of the initial investment is required to secure such a system, three percent for the medium sized system and less than 2.5 for the large system. I think there really is, this kind of investment is a very good investment, because it guarantees the effectiveness and the availability and integrity of the system. And, of course, uh, the safe functionality. And so, again, I think it is not a question of capital expenditure. It goes back to human behaviour and, again, processes, because you have to have the right processes, uh, to use this, uh, investment in the right way. Percentage of revenue? No, no, percent of the initial CapEx, capital expenditure. Again, if I say for a small system, you need less than five percent on top of the initial investment. If the initial investment was 30000 euros, you need less than five percent additionally to secure this kind of control system.
[00:30:59] Sounds like good money investing, when it does.
[00:31:02] Do you think how little it seems that we need to be investing?
[00:31:06] That’s a bit of a no brainer. And then if we look at human element being a majority of the problem, it seems almost that it’s a relatively easy thing to fix.
[00:31:17] Yeah, no, I agree. I agree.
[00:31:19] And I think one of the highlights really is the difficulty in the human piece, you know, because it is only a five percent investment. So why are we not implementing it? Well, the reality is a lot of that technology that Thomas was just describing, most organisations have acquired that type of technology somewhere else in their business already. So the question is, have the people put in place the actual necessary checks and balances to make sure that you’re actually acting in the way that the best practise guides us? Because, again, the best practise is there, the actual technology exists, and the investment is relatively small, as we’ve just heard. So the key question goes right to the beginning, to what Thomas’s point was all about. What are the humans doing? What are we doing?
[00:32:07] Yeah, and in terms of principle practise, we’ve talked about and heard a lot of the principles behind, um, how we can improve cybersecurity.
[00:32:16] And but that’s that’s all well and good.
[00:32:19] But I think a lot of the valuable assistance, if we can call it that, will come from case studies, will come from learning by mistakes. Yes. But, you know, these are not readily advertised, because people don’t like to sort of say, wow, we’ve just been hit and stuff has gone missing. And so that might not be so easy to do.
[00:32:39] And Thomas, is there a sort of guidance or in sort of cybersecurity maturity planning that ARC talks about?
[00:32:50] Yes, we developed in our international forums, together with the asset owners and end users and system integrator partners, really a maturity model where we can support the asset owners again on the processes, on the education of the humans and, of course, on the available security technology. And we have consolidated all this information in a little best practise guideline, which we provide to our consulting customers, helping them really to implement and prioritise the security, let’s say, integration into the control environment, because this has to be done always bespoke according to the threat landscape and, of course, according to the installed control system, because we can offer only a rule of thumb and we can provide checklists where end users can ask themselves, hey, are we doing the right things here and are we doing things right?
[00:33:57] But Axians, this is at least a consolidation of the favourite guidelines and standards, the 62443 and the NIST framework, and it is something which is really practical to use for system integrators and asset owners.
[00:34:15] So sadly, we’re out of time. But what an incredibly interesting, thought provoking and serious subject. I’m sure we could talk for many hours more. My thanks to our guests today, Thomas Menz and Lee Fisher. My name is David. This was an Axians Network production for Disruptive Live. Thank you for watching. And we’ll see you next time.