We are joined by Ilan Shaya, an expert in the industrial control system security space. He is here to share his insights on security, including the biggest risks to OT networks, the common ways cyber attackers gain access to facilities, finding gaps in the security landscape, and best-practice strategies to protect your organization. Ilan also shares some attack stories, cost-effective preventive measures, current trends in cyber defense, and where cyber security for the OT market is headed. Hear about intrusion detection system (IDS) solutions, including the SPARTA Module that ICS Security developed.
SPARTA Demo Video: https://inductiveautomation.wistia.com/medias/vjajq0ox6b
“Don't wait until your facility is breached; take protection measures as soon as you can.” – Ilan Shaya
Ilan Shaya is the Co-Founder and CEO of ICS Security. With over 20 years of experience in industrial control systems, Ilan is a well-known consultant and opinion leader in the field. He has over 12 years of experience in managing companies, and is also the founder of Smart Logic. Ilan also serves as a consultant and designer for governmental entities and enterprise customers such as the Israeli Air Force, the Weizmann Institute, ICL, Delek, and Enerjisa – the Turkish electrical company.
Kevin: Hello everyone, I'm Kevin McClusky, and welcome to Inductive Conversations. In case you don't know me, I'm Co-Director of Sales Engineering at Inductive Automation. I have a deep technical background, including a focus on security, and I've been with the company for around 10 years. Actually, I think I just passed my 11-year mark.
Kevin: It's my pleasure to be here today with ICS Security, who are experts in the industrial control systems security space. We're about to talk about security, including risks, opportunities, and options in our space, and wrap it up with a little insight into industry trends and market movements. Thanks for being here.
Ilan: You're welcome, Kevin, it's great to be here. Thanks for hosting me.
Kevin: Sure thing. Can you tell us a little bit about you? Can you give us a short background? And frankly, why should they be listening to you today?
Ilan: Sure. I'm Ilan, CEO of ICS Security, a company that develops security protection measures for industrial control systems. I have more than 20 years of experience in industrial control systems and securing them. I serve as a consultant and designer for governmental entities and enterprise customers such as the Israeli Air Force and the Weizmann Institute. I've done vulnerability assessment for Enerjisa, the biggest Turkish electrical company, after it suffered from multiple attacks. We developed and conducted the largest and most comprehensive cybersecurity training course for industrial control systems. It was sold to the Singapore Ministry of Defense, the Japan Ministry of Economy, and several other companies.
Ilan: ICS Security consists of some very talented cyber experts, veterans of the elite Israeli divisions, 8200, Matzav. These guys were brought up eating and breathing cyber from the day they were born.
Kevin: Thanks, yeah, I'm glad you talked a little bit about your company there too. You've certainly done some very impressive things. And I'm excited to talk to you about everything that we're about to talk about today, partially because of all that experience. As everyone is probably aware, Inductive Automation has a very strong focus on security. We develop Ignition to be as secure as possible; however, as secure as you make Ignition for an organization, there's a lot more to an overall security landscape. Let's jump right in and talk about the things that could affect everyone. So, Ilan, in your opinion, what are the biggest current risks for OT networks and what should our listeners be aware of? Can you lay out what an attacker would like to accomplish and what typical strategies for this might look like?
Ilan: There are two major risks. One, stopping production. Currently, the biggest risk for each facility is to lose the ability to continue normal operations. The attacker wants to stop the facility operations and, more importantly, he wants to keep the facility in that state as long as he can. In order to do that, he must be extremely sophisticated.
Kevin: Sure, yeah. And everyone wants to keep those things from happening. If I was the attacker, how is this possible? How can this be achieved?
Ilan: There are several ways. Short of physically destroying a facility, a cyber attack can be a choice for an attacker that can accomplish either goal. Cyber compromise can either be used to shut down a facility or perform cyber espionage, which leads us to the second risk.
Ilan: The second risk, which is frequently carried out by countries, is to gain access to the organization's information that is saved on the corporate network through the OT network, since we know that is currently an easier way. In some facilities, the attackers turn all operation stations into microphones and cameras. When we talk about gaining access to critical information, we are talking about information such as process information, recipes, lists of customers, revenues, prices, company strategies, and much more.
Kevin: Yeah, those are certainly things that every company wants to protect. So once again, in the view of the attacker, if I'm putting my black hat on, what do I need to do as an attacker, just so that we can take a look at this from the other side in terms of understanding what we need to protect ourselves from? So from the attackers' point of view, what is done to get to these things?
Ilan: First, he needs to gain access to the facility. Second, he needs to study the facility operation: scan the network, the types of PLCs, the protocols, try to upload the process. Thirdly, he needs to prepare a specific attack: plan the attack with a malware, schedule it to launch at a specific time, cover his tracks, and leave.
Kevin: So the first step there is gaining access. How specifically can an attacker gain access?
Ilan: The attacker will try to find the weakest point in the facility. One can be an open internet channel for integrator support. He will try to brute-force passwords of the VPN client. Two can be from the IT network. In some facilities, the operation recipes and management information need to be reflected on the IT side. Three, gain physical access to the facility and implant the malware. As we know, a facility is much bigger geographically than an office building. For example, in power distribution or water distribution, every small site is a small control network that's connected to the remote central control room. Four, gain access through the integrator support PC that physically arrives at the facility. And five, in some cases, and we know of at least two such cases, is to send an infected PC station or even a PLC.
Kevin: That's certainly a lot of possibilities here. So securing all of those seems like something that would be important to me. Would you say that's a fair statement, Ilan?
Ilan: Unfortunately, yes. There are many ways to gain access to a control system.
Kevin: So if we back up a little bit for those listeners who aren't quite as familiar with some of these security concepts, would you mind laying out the basics here? What are the typical layers of factory or facility architecture?
Ilan: There are four major layers in the OT network. First is the network layer: the active part, which is switches, firewalls, IDSs, and the passive part, which is cables, 10BASE-T ... Second, we have the OS layer, the operating system layer. Third, the application layer, all applications running on the PCs. And then the fourth layer is the hardware or equipment layer: PCs, servers, PLCs, RTUs.
Kevin: And so in that layer topology that you just laid out, Ignition is part of that application layer?
Ilan: Yes, Ignition is part of it.
Kevin: So even when Ignition is secured, and maybe this is obvious, but is that true that you would need to consider securing all those other layers as well?
Ilan: Yes, Ignition can be configured to be very secure, but Ignition is only part of the network element. Ignition sits on an OS, that sits on a server that is connected to the network which uses switches and firewalls; all these elements are potential doors to access the control network. For example, if you have a submarine that's extremely solid but it's built with screen doors, well, you see the problem?
Kevin: Sure, yeah. I know you and your company have a lot of experience in this space. Without disclosing anything you shouldn't, can you give us a peek behind the curtain to the battlefield, if you will? What are some of the attacks that your customers have experienced?
Ilan: Well, I can only tell you about the ones that have been reported publicly.
Kevin: Okay, that's fair.
Ilan: Iran suffered from several cyber attacks that caused explosions over the past few months in their chemical facilities and in their underground uranium enrichment facilities: their sea port, in Natanz, in Bushehr. Their Turkish power plants were shut down last year; later they found out that the attacker was Russian. A large beverage company that we all know was attacked in April this year, and even the Israeli Water Corporation was attacked last month.
Kevin: For these cyber attacks, what's the most common attack vector? Can you give me an example of how one of the attackers actually got in?
Ilan: Of course, the most common way to get in is through the IT network using phishing email or exploiting new PC vulnerabilities due to being connected to the internet. Then the next level is sending infected PCs or PLCs. A very sophisticated attack that I heard about happened when the attackers gained access through a beverage machine that is connected to the internet in order to receive credit card information. There are even more sophisticated attacks, sophisticated methods that I prefer not to describe.
Kevin: I'm guessing you have a lot of NDAs in place with customers.
Ilan: Yes, you're guessing right.
Kevin: Well, we respect that, we have a lot of NDAs with customers ourselves, so it's very important. I think that everyone would like to avoid these types of situations, a lot of our listeners use Ignition in similar settings, and it sounds like being able to bring a security-minded approach to these situations could certainly be helpful.
Ilan: Of course, if folks across the organization had considered security at the right levels, most of those situations could have been avoided.
Kevin: Yeah, sure, it also sounds to me like an engineer or integration company who is taking security seriously and bringing recommendations to projects might have a leg up on others and be very valuable to these organizations. What kind of actions would you recommend to an integrator or an engineer? And what kind of actions does the facility need to take if they have gaps in their security landscape, especially on the OT side?
Ilan: My first recommendation is to isolate the network from the internet and from the corporate network. If you can't do that, make sure you only have one point that goes out from the OT network. Harden this point to the maximum, and ask what it is used for: only transmitting information, receiving information such as manufacturing recipes, or maybe it is used for integrator support. There are different protection measures to take for every need. For example, a power plant only needs to send out the power production information in order to charge its customers. So the best way for that case is to use a data diode. My second recommendation is to install OT-based protection measures on the network: installing an ICS IDS. By the way, ICS stands for industrial control system, and IDS for intrusion detection system. Of course an antivirus is okay, but an ICS IDS is much more effective if you want to protect the OT network.
Kevin: And when we're talking ICS, and we also are talking OT or an OT network, those are generally the same thing, right? So an industrial control network, an ICS, would be the network that OT technology runs over. Is that a fair statement?
Ilan: Yes, Kevin, it's the same meaning. Sometimes I use ICS, industrial control system, and sometimes I use OT, operational technology.
Kevin: Sure. Great, thanks for clarifying that. Now, I know you do a lot in the security space and your time is very valuable, it wouldn't be right for me to ask you to join us here without at least giving you a chance to plug your solution. Can you tell us a little bit about the module that you've written for Ignition?
Ilan: Thank you, Kevin, for the opportunity. The module is called SPARTA, an acronym for SCADA Protection and Real Time Alerts. It is a network IDS and host IPS. Once the module is installed, it can prevent 90% of the previously mentioned attacks. It is listed on Inductive Automation's website in the Module Showcase. It has several powerful mechanisms that can prevent an attacker from penetrating the system, from scanning the system, and from attacking it. It is also used as an asset management system that shows all the network elements in a very cool, graphical way.
Kevin: So the module acts as an installer for your main security software?
Ilan: Yes, it is.
Kevin: Alright, and that covers both the OS layer and the network layer, if I got that right. Is that accurate?
Ilan: Yes. In the OS layer, the module prevents any process other than Ignition processes from running. And in the network layer, it uses an intrusion detection system that analyzes the network and triggers an alert for any deviation from the normal behavior.
Kevin: If our listeners aren't familiar, an IDS is a really cool piece of technology. So basically, an IDS, an intrusion detection system detects intruders, it's what it sounds like right there, but it does it using really sophisticated means. There are a number of them that are on the market, and some of them are super simple, but I believe that one that you have here, Ilan, and that your company has developed, is one of the more sophisticated ones, right?
Ilan: Well, thank you for the compliment, Kevin. It's a very sophisticated product. Its biggest advantage is that it's deployed on the server, unlike all other IDSs that are located on the network as an appliance and require tremendous effort just for the installation. In addition, none of the IDSs on the market can prevent an attack because of the problematic location they are in.
Kevin: Sure, yeah. So if I jump back to asking about the module: if I actually install that, will that put the solution in place on the Ignition server?
Ilan: Yes, on one hand, it will protect the server from being attacked, and on the other hand, it will prevent the server from being used as an attacker.
Kevin: And if I want to protect all of my systems that are running Ignition clients?
Ilan: No need to worry. SPARTA, once installed, is deployed on the server and on the clients.
Kevin: Does that apply to both Vision and Perspective?
Ilan: It does, but on Perspective, you need to manually install it.
Kevin: So when you install the module on the Ignition gateway, any Vision clients that are open or that are launched are automatically protected? And then any Perspective clients, you run around — or Perspective sessions, as we often call them — you'd run around and install on those systems and it will plug right into the architecture in the same way?
Ilan: Exactly. On Vision clients, it is automatically deployed and you're immediately protected. But in Perspective clients, you need to manually install it.
Kevin: Well, that's great. That makes sense to me from a technology standpoint, too, because Perspective's running inside a web browser so there's no — We don't have a plug-in inside Ignition, so there's no real way to distribute software to that. But when you're running Vision, it's a full desktop application so it has access directly to that. So yeah, you're doing as much as you can for the user as possible, that's great. But as far as the Ignition Edge goes, it doesn't support installing additional modules just because of how it's designed from Inductive Automation, but I can do the same thing as Perspective clients, right? I could just install this alongside Ignition Edge on those systems if I want to?
Ilan: Yes, there is a specific SPARTA installer for Ignition Edge as well.
Kevin: Great! So now, I wouldn't be doing my job if I didn't ask, aren't there other solutions out there in this space? What makes your solution different?
Ilan: Actually, I'm glad you asked [chuckle]. As far as we know, there is no similar cyber solution. It is patent-protected, and you can quote me on that. There is no prevention solution for OT networks other than SPARTA. In the application layer, there is what we call endpoint security, which is actually antiviruses and whitelisting applications. They are designed for the corporate network. In the network layer, there are several ICS IDSs, but all of them require a long installation and switch adaptation. Not all factories have suitable switches, and you also need to accept a new foreign element on the network. SPARTA does not need any prerequisites. Five minutes of installation, and you are protected.
Kevin: Well, great! As mentioned before, if you listeners want to find the module, there's a listing on the module showcase on our website. And Ilan, I heard you might have a quick demonstration video available, as well?
Ilan: We sure do. It's a few-minute video that shows how to install it and how it works.
Kevin: That sounds great! We'll be sure to link it from this podcast. If you happen to be listening on iTunes or another service, you can just navigate over to our website and we'll definitely have a link there. Thanks again for talking about the things your company's doing.
Kevin: Just from me to you, the listener, I think there's a ton of value in having a security mindset around these types of things, not only because it can create that differentiation that we were talking about a little bit earlier, where as an integrator or as an end user, if security is part of your repertoire, that's going to make you more valuable. But also because of all the possibilities of attacks, having your network secured, having your OS layer secured, having the different pieces inside your overall architecture secured is something that's very important. We have a cybersecurity team on our side that is responsible for securing different things in our organization. And we definitely see security as one of those critical pieces for any company. And the OT side is no different than the IT side in terms of needing to be secured. One of the best parts of talking to experts in these spaces is getting a peek at what's coming next. Ilan, if you would indulge me for a moment, what would you say are some of the most important trends in terms of cyber defense currently?
Ilan: Cybersecurity for OT systems is the trend. Ten years ago, no one talked about cybersecurity for their OT network. Nowadays, people have gained a lot of knowledge, and they are focusing on each layer and how they can protect each layer. They have more and more knowledge of endpoint security, of network security. Five years ago, they just asked, "Please secure my network." Now, they request, "I would like an IDS. I would like an IDS that can protect these specific protocols: internet IP protocol, BACnet, or a Modbus protocol. I would like to have a data diode, which would protect the network. It will only allow traffic from one side." The trend is now securing the OT network with more and more knowledge. I think it's because they suffered from attacks, or their friends or their colleagues suffered from attacks, and no one published it, but we're all in the same arena. So they share information, they share secret information: "You know, I've been attacked. This facility has been attacked." So the trend is how to secure and how to make it better and better.
Kevin: Your answer is very close to my heart in some ways, because we have had a lot of customers who we've had conversations with, and we've seen the exact same thing that you're talking about, where OT security used to be an afterthought. OT security was something where they said, "Well, we're just gonna lock down the network. People from corporate aren't going to be able to get in. People from our central network, people from the office, it's protected by a firewall, so we don't have to worry about things on the OT network at all. It's its own separate entity." And with the OT/IT convergence that we've been seeing, with IT networks starting to be responsible for ... IT departments are responsible for the OT networks at this point in a lot of organizations. And there's a lot of shared personnel that takes a lot of the security and has started pushing it down onto the OT side, not only because it's more important, because it's all the more connected, but also because you have the right folks who are security-minded, saying, "What have we been doing for all these years? This has been a terrible situation where there hasn't been any OT security, and we need to do something about this." And now we have the security experts on staff who are now also managing these OT networks.
Ilan: Yes, I totally agree with you, Kevin.
Kevin: Yeah. One other thing that's been interesting to me is that a lot of the time in the past, we've seen some of these devices. So you have all these different PLCs that are out there that traditionally haven't had any security on them. You've had things that had traffic that couldn't be encrypted. You'd have protocols like DCOM that require you to have 30,000 ports open on a system, which is just, from a network security standpoint, a terrible thing. And these have just been accepted as, that's how you do it, and that's how it's always been done. And we finally have folks coming in, not only saying, "You shouldn't do that," but now saying, "You can't do that." And it's really forced a lot of folks to start taking a look at these questions that we've been talking about here today, saying, "How do I secure this network? How do I secure these systems? How do I provide more security on this side?" Because not only do we need it, we've always needed it, but at this point, it's something that we can't get around. We have to put it in place because people are demanding it. And people have really woken up to the fact that security is a critical piece of all of this, of the whole picture, of manufacturing, of OT systems, SCADA systems, and all of that just in general.
Ilan: Especially when we talk about critical infrastructures. Critical infrastructures are dictated by the government, using guidelines and regulations to protect their OT network facilities. These guidelines sometimes consist of more than 1000 activities to take.
Kevin: Yeah. Yeah, absolutely. So Ilan, I love talking to you here. And I could probably talk to you here all day about this topic, but we're actually at our last question. The one last question that I have for you is, in your opinion, just taking a look at all this, owning a company that does security, being someone who's on the forefront of this technology, where would you say the market is going?
Ilan: The market is currently going toward more accurate cybersecurity solutions, after gaining the knowledge over the past few years: cyber-secured PLCs, encrypted network protection abilities such as SPARTA, new secured industrial protocols, not only OPC UA but also secured Modbus. I also believe that network IDS prices will drop down from 25K to less than five.
Kevin: Alright, well, thank you for your insight. That brings us to the end of our interview here today. Do you have any final thought you'd like to leave our listeners with?
Ilan: My thoughts are, there are thousands of attacks on facilities every day. No one talks about it because they are concerned about their reputation. My suggestion is, don't wait until your facility is breached; take protection measures as soon as you can. It is divided into two. One, actions to take: create policies followed by a strategy that requires manpower and resources. Two, the technological protection measures: prices range from $3,000 to hundreds of thousands of dollars. My recommendation: start and take action now.
Kevin: Ilan, I think that is great advice. Thank you so much. It's truly been a pleasure.
Ilan: Thank you. It was my pleasure.
Kevin: And for you, the listener, I'd like to say from all of us at Inductive Automation, thanks for listening. Tune in next time for the next episode of Inductive Conversations. This has been Kevin McClusky. To all you trailblazers out there, keep innovating. Ignition wouldn't be what it is without the vibrant community that you're part of. Thanks for joining us today. Until next time.