While most of cybersecurity's original threats and best-practice defenses have stayed consistent over the years, some malware types periodically gain popularity, usually because they're easy for criminals to copy and redistribute for financial gain. One of the most prevalent lately is ransomware in its many variants, which typically invades PCs and encrypts their data or locks up their computing capabilities until a ransom is paid to the attacker.
"The malware that's had the biggest impact on ICSs in the past several years is ransomware, such as WannaCry that launched in 2017, encrypts data running on Windows operating systems, and demands Bitcoin payments," says Mariam Coladonato, lead product marketing specialist for networking and security at Phoenix Contact. "Ransomware is typically created for regular operating systems, so it isn't dedicated to ICSs, but it can still break them. It takes advantage of lacking cybersecurity measures, so even on a simple control application, it's crucial to block vulnerable ports from anything else."
Beyond closing network pathways, Coladonato reports the most effective way to stop ransomware is training and retraining employees not to open suspicious emails, which remain one of the main routes ransomware takes into computers and their operating systems. "People are still clicking on the wrong messages and attachments, so training continues to be the best way to improve cybersecurity," she says. "We've also seen greater use of QR codes during the pandemic. Users scan them with the photo apps on their smart phones, and are redirected to items like restaurant menus. However, some malicious minds are capitalizing on this new method, and putting fake QR code stickers on top of the original. They still redirect you to menus, but also direct users to malicious websites that could contain malware."
Trick, click—and retrain
Ashok Patel, global network architect at Owens Corning in Toledo, Ohio, adds: "The number one entry point for intruders is still tricking users into clicking on and releasing unauthorized code, so even though we secure our borders with routers and servers, we train our staff, contractors, vendors and everyone in the field. In fact, anyone who comes into our plant must watch a video of the minimum cybersecurity practices they need to know. We had one contractor, who said the best way to program a PLC was to connect his own hub and PC. However, when that PC was found to be the one causing security problems, he had to get trained, too, and he was only allowed to connect to a designated port and contractor VLAN, which is the same access level required for any outsider coming to our network." Patel co-presented "Defending systems against sophisticated attacks" at ARC Advisory Group's Industry Forum 2020 in Orlando earlier this year.
After intruders have researched a target and found a way into its network, Patel reports their third task is to maintain the link they've established back to their own computing hub. "This viable communications link is very key for intruders because it can perform peer-to-peer tunneling, transfer sensitive data to their connections and servers, and help them link to other connected systems. Unfortunately, many users don't know all the devices they're connected to. We're working on ours, and for some, we have a full inventory of every connected device on our network, including at the switch level and traffic level. Once a hacker gets connected, we may not know all the assets they're taking data from, which is why it's even more important to do asset discoveries, educate staff, and deploy next-generation antivirus software and firewalls."
Because process operators and engineers are busy maintaining production, and cybersecurity projects tend to lapse when staff turns over, Patel adds that Owens Corning's security group has established a security operations center (SOC) for its servers and networks. The next problem was deciding whether OT or IT was in charge of it. "We just put the cybersecurity domain on top of both IT and OT, so the SOC manages not just the networks, but also the servers and desktops. This collaboration by OT and IT began at a high level, so many plants are still working on it."
Simplicity enables secure links
To help users shore up their defenses, Coladonato adds that Phoenix Contact is also training more of its personnel to help them configure their devices and networks to follow IEC 62443's cybersecurity recommendations, manage their networks with anomaly and intrusion detection, and simplify their systems to make cybersecurity easier to implement and maintain.
For example, Black Label Services, in Windsor, Colo., had been using port-forwarding rules on publicly hosted Internet protocol (IP) addresses to reach a SCADA system managing an upstream oil and gas producer's remote well pads in the Denver-Julesburg shale formation. This enabled simple 3G and 4G connections without a VPN, but the lengthy and complex port-forwarding rules created vulnerabilities on the operations technology (OT) side: they exposed internal services on public addresses, and the only record of them was an Excel file. That meant the firm's IT department had no way to audit the rules or turn off access to the application, so it couldn't implement a secure succession plan for internal employees or outside contractors and suppliers.
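The following is an added example, not Black Label's or Phoenix Contact's code, showing the kind of audit that a spreadsheet of port-forwarding rules makes impossible to do by hand: it parses a rule sheet, flags forwards that expose OT or remote-desktop protocols to any Internet source, flags rules with no owner or with an owner who has left, and produces the revocation list a succession plan needs. The CSV layout, the rules, the port table and the roster of active owners are all constructed for illustration.

```python
"""Audit a port-forwarding rule sheet for exposed OT services and orphaned access.

Added example; the CSV layout, rule contents and staff roster are constructed.
"""
import csv
import io
import ipaddress

# Destination ports of common OT and remote-access protocols that should never
# be reachable straight from the Internet.
RISKY_PORTS = {
    502: "Modbus/TCP",
    20000: "DNP3",
    44818: "EtherNet/IP",
    102: "S7comm",
    3389: "RDP",
    5900: "VNC",
    23: "Telnet",
}

# Constructed rule sheet, modelled on a spreadsheet of
# public IP:port -> internal IP:port forwards with an owner column.
RULES_CSV = """public_ip,public_port,internal_ip,internal_port,allowed_src,owner
203.0.113.10,10502,192.168.10.21,502,0.0.0.0/0,jsmith
203.0.113.10,13389,192.168.10.5,3389,0.0.0.0/0,contractor_a
203.0.113.11,20000,192.168.11.30,20000,198.51.100.0/24,opsteam
203.0.113.11,8443,192.168.11.2,443,198.51.100.7/32,
"""

# Constructed roster of people and teams who still work on the site.
ACTIVE_OWNERS = {"jsmith", "opsteam"}


def parse_rules(text):
    """Parse the CSV into dicts with integer ports and a parsed source network."""
    rules = []
    for row in csv.DictReader(io.StringIO(text)):
        row["public_port"] = int(row["public_port"])
        row["internal_port"] = int(row["internal_port"])
        row["allowed_src"] = ipaddress.ip_network(row["allowed_src"], strict=False)
        rules.append(row)
    return rules


def audit_rules(rules, active_owners):
    """Return a list of (severity, message) findings, one per problem found."""
    findings = []
    for r in rules:
        target = f"{r['public_ip']}:{r['public_port']} -> {r['internal_ip']}:{r['internal_port']}"
        # An any-source forward of an OT or remote-desktop protocol is the worst case.
        if r["allowed_src"].prefixlen == 0 and r["internal_port"] in RISKY_PORTS:
            findings.append(("HIGH", f"{RISKY_PORTS[r['internal_port']]} open to the whole Internet: {target}"))
        elif r["allowed_src"].prefixlen == 0:
            findings.append(("MEDIUM", f"forward reachable from any source: {target}"))
        # Ownerless or orphaned rules are what breaks succession planning.
        owner = r["owner"].strip()
        if not owner:
            findings.append(("MEDIUM", f"no owner recorded, cannot be revoked on staff change: {target}"))
        elif owner not in active_owners:
            findings.append(("HIGH", f"owner '{owner}' no longer active but rule still live: {target}"))
    return findings


def revocation_list(rules, departed_owner):
    """Public endpoints to close when a contractor or employee leaves."""
    return [f"{r['public_ip']}:{r['public_port']}" for r in rules if r["owner"].strip() == departed_owner]


if __name__ == "__main__":
    rules = parse_rules(RULES_CSV)
    for severity, message in audit_rules(rules, ACTIVE_OWNERS):
        print(f"[{severity}] {message}")
    print("Revoke for contractor_a:", revocation_list(rules, "contractor_a"))
```

On the constructed sheet the audit raises three HIGH findings (Modbus and RDP exposed to any source, and a live rule owned by a departed contractor) and one MEDIUM finding for the ownerless rule. The point is that a VPN with per-user credentials, as in the replacement design described next, makes the revocation step a matter of disabling one account rather than hunting for rows in a spreadsheet.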
The oil and gas company enlisted Black Label to help it add firewalls to its SCADA connections and retain access to its local area network (LAN) via secure remote links, so its staff could configure and troubleshoot automation equipment at its wellsites, which also require devices with wide operating temperature ranges and Class I, Division 2 ratings. Meanwhile, its IT staff needed to control access to these systems as part of their succession planning.
Because it's one of Phoenix Contact's system integrator partners, Black Label implemented its TC mGuard RS4000 security module on the 4G Verizon network used by the oil and gas company's wellsites. The device can establish an intelligent firewall and up to 250 Internet protocol security (IPsec)-encrypted VPN tunnels, so the project integration teams used it to create three VPN connections. One of the VPN tunnels is accessible via mGuard Secure VPN Client software. The other two are redundant connections to mGuard Centerport devices that can only be accessed by the client's internal data collection network via one-to-one NAT routing to the VPN IPs.
This new infrastructure let Black Label implement mGuard Device Management (MDM) software, so the oil and gas firm's IT department could manage and control all of its networked devices from a central location, while the mGuard Secure Cloud (mSC) service gives the company's field technicians secure remote access and documents all of its connections. These upgrades eliminated the need for the client's publicly hosted IP addresses and port-forwarding rules and improved cybersecurity, while still allowing users to connect to their SCADA system via the cellular network. This also lets the client control remote access to its sites, and quickly add or remove users.
"Previously, we couldn't communicate remotely with many devices on the wellpads because the software didn't allow ports to be specified," says Nathan Means, programming and R&D manager at Black Label. "Now information on the site is accessible remotely."
Phishing is widely regarded as the most common way for ransomware and other malware to penetrate computers and networks. Recipients of emails, social media messages or even QR codes are tricked into opening attachments or are redirected to websites that download malicious code, which then affects their computers, networks and related systems. However, some of the best ways to prevent ransomware intrusions and attacks are the same as the best practices for protecting control systems and networks. More entries could always be added, but here are some of the basics:
- Recruit a cross-departmental team and secure management buy-in for an organization-wide cybersecurity effort.
- Inventory all hardware, software and network links for the application or facility for which the team is responsible. Use in-person, manual accounting and software-based active and passive discovery methods to identify open or unused Ethernet ports, wireless links or other avenues for intrusions, and disable them.
- Train and routinely retrain staff to think before opening emails or other communications, and check return addresses or otherwise make sure they're from authentic senders and sources, especially before opening attachments.
- Require users to employ strong, unique passwords and update them routinely, and apply the same discipline to the other defenses that sit in front of users, such as strong spam filtering.
- Configure email and messaging apps to block unfamiliar file formats or extensions.
- Develop a software patching policy with specific procedures that address and seek to reconcile both operations technology (OT) and information technology (IT) priorities.
- After evaluating and separating business, manufacturing and control networks into functional sub-networks divided by firewalls, maintain appropriate firewall configurations, such as scanning compressed files, and upgrade packet-inspection capabilities and device intelligence as they become available.
- Prevent consumer/business-style app or software features, such as auto play, file sharing or remote desktop services, from running on plant floors, in production areas or in the field.
- Grant the least amount of network access and privileges required by users and applications based on their roles, functions and the jobs they need to perform. Maintain and update a list of known and authorized users and applications, and disallow others.
- Use traffic evaluation, anomaly detection and intrusion/threat detection software to identify unusual network behavior and possible malware.
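Several of the items above (passive inventory of connected devices, keeping an authorized-asset list, keeping file sharing and remote desktop off the plant floor, and anomaly detection on traffic) can be exercised together on flow records. The following is an added example, not from the article or any vendor; the subnet plan, the authorized-asset list, the disallowed-service table and the flow records are constructed for illustration, and in practice the flows would come from a SPAN port, NetFlow/IPFIX export or a passive discovery sensor.

```python
"""Passive asset discovery and plant-floor policy checks over flow records.

Added example; the network plan, asset list and flow records are constructed.
"""
import ipaddress

# Constructed network plan: one plant-floor control subnet and the business LAN.
CONTROL_NET = ipaddress.ip_network("10.10.0.0/24")
BUSINESS_NET = ipaddress.ip_network("10.20.0.0/16")
INTERNAL_NETS = (CONTROL_NET, BUSINESS_NET)

# Constructed authorized-asset list: what the inventory says should exist.
AUTHORIZED = {
    "10.10.0.10": "PLC-1 (line A)",
    "10.10.0.11": "PLC-2 (line B)",
    "10.10.0.50": "HMI-1",
    "10.10.0.60": "Historian collector",
}

# Services with no business on the control subnet.
DISALLOWED_ON_CONTROL = {445: "SMB file sharing", 3389: "Remote Desktop", 5900: "VNC"}

# Constructed flow records: (src_ip, dst_ip, dst_port, bytes).
FLOWS = [
    ("10.10.0.50", "10.10.0.10", 502, 1200),           # HMI polling PLC-1 (normal)
    ("10.10.0.50", "10.10.0.11", 502, 1100),           # HMI polling PLC-2 (normal)
    ("10.10.0.60", "10.10.0.10", 44818, 8000),         # historian reading PLC-1 (normal)
    ("10.10.0.77", "10.10.0.10", 502, 300),            # unknown device polling a PLC
    ("10.20.4.9", "10.10.0.50", 3389, 45000),          # RDP from business LAN into the HMI
    ("10.10.0.50", "10.10.0.60", 445, 9000),           # SMB on the control subnet
    ("10.10.0.10", "198.51.100.23", 443, 2_000_000),   # PLC talking to an external host
]


def discover_assets(flows):
    """Passive inventory: every address seen on the control subnet and the ports it served."""
    seen = {}
    for src, dst, dport, _ in flows:
        for ip in (src, dst):
            if ipaddress.ip_address(ip) in CONTROL_NET:
                seen.setdefault(ip, set())
        if ipaddress.ip_address(dst) in CONTROL_NET:
            seen[dst].add(dport)
    return seen


def unknown_assets(assets, authorized):
    """Control-subnet hosts that are not on the authorized-asset list."""
    return sorted(ip for ip in assets if ip not in authorized)


def detect_anomalies(flows, authorized):
    """Policy and anomaly checks; returns one human-readable alert per hit."""
    alerts = []
    for src, dst, dport, nbytes in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # Consumer/business services reaching a control-subnet host.
        if d in CONTROL_NET and dport in DISALLOWED_ON_CONTROL:
            alerts.append(f"{DISALLOWED_ON_CONTROL[dport]} to {dst} from {src}")
        # A control-subnet host that is not on the authorized list talking to anything.
        if s in CONTROL_NET and src not in authorized:
            alerts.append(f"unknown control-subnet host {src} talking to {dst}:{dport}")
        # Control-subnet host talking outside all internal networks (possible C2 or exfiltration).
        if s in CONTROL_NET and not any(d in net for net in INTERNAL_NETS):
            name = authorized.get(src, "unknown")
            alerts.append(f"{src} ({name}) sent {nbytes} bytes to external {dst}:{dport}")
    return alerts


if __name__ == "__main__":
    assets = discover_assets(FLOWS)
    print("Discovered on control subnet:", sorted(assets))
    print("Not in inventory:", unknown_assets(assets, AUTHORIZED))
    for alert in detect_anomalies(FLOWS, AUTHORIZED):
        print("ALERT:", alert)
```

On the constructed flows the inventory finds five control-subnet hosts, one of which (10.10.0.77) is not in the authorized list, and the checks raise four alerts: the unknown host polling a PLC, Remote Desktop from the business LAN into the HMI, SMB between two control-subnet hosts, and a PLC sending two megabytes to an address outside every internal network. Documentation addresses are used as stand-ins for external hosts, so the external check compares against the internal networks explicitly rather than relying on `is_private`, which treats those ranges as non-global.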