Advice from the Field: Industry Best Practices from ABS Group Cybersecurity Practitioners
In an era where data breaches loom and threat actors are more persistent than ever, cybersecurity has become a critical concern industry-wide. To shed light on best practices in different sectors, our seasoned cyber practitioners share insights and advice for safeguarding your organization's OT assets.
Blake Benson, Senior Cyber Practice Lead
Picture this: it’s three o’clock in the morning, and you’re on a ship or a rig; maybe you’re a technician or a control engineer and you see a USB port. You’re connected to the Wi-Fi, and you’ve been watching videos, but now your phone is on 1%. You think to yourself, “Perfect timing!”, before plugging your phone into the open port. While seemingly harmless, this simple connection can lead to the introduction of critical worms and other malware to vessel systems that could halt or otherwise impact operations. And yes, this scenario is more common than you think; so much so that I’ve seen crews glue the USB ports when a physical USB port blocker is not handy!
The potential for these small (but dangerous) mistakes should push us to see and plan for the bigger picture—the security of vessels from cybersecurity attacks. The first thing I always ask vessel owners and operators is what policies, if any, they have in place to prevent or reduce the risk of cybersecurity attacks. Generally, maritime crews are new to cyber, so step one is to help develop custom maritime-specific cyber policies. This is generally done through a vulnerability assessment that can help to identify top risks. Some of the latest industry guidelines, such as those published by the U.S. Coast Guard and IMO 2021, are tailored assessments for Operational Technology (OT). For more mature OT cybersecurity programs, one of our recommendations is to have a vendor maintenance plan to help ensure that vendors are scanning their hardware and internal devices before they ever plug anything into a critical control system on board, even if it's their own equipment.
Once a crew’s eyes are opened to these threats, and they realize how operationally damning malware can be, they can start to understand how there is no room for error. Furthermore, they can begin to understand the reasons behind the cybersecurity measures we recommend. When you have a crew buy into the necessary changes, a lot of these processes and policies will begin to iron themselves out organically, including the small (but potentially dangerous) things like charging their phones.
In the maritime industry, people are around operating stations and equipment for endless hours; it’s essentially their home. And with crews rotating often, there is often a revolving door of vendors on top of antiquated systems and equipment, so some level of a mature cybersecurity program should not only be implemented but embraced.
Ben Sterling, Global Director of ICS Cybersecurity
When it comes to cybersecurity at your power plant, are you vigilant? Do your people and vendors consistently follow all the processes in place? Do they have the necessary questioning attitude? Furthermore, have tools that can support continuous monitoring been well established? Vigilance is required across the board to remain resilient to breaches, including buy-in from the people side of an effective security strategy. Let’s look at two.
An employee is conducting a routine walkdown. There is a trusted vendor on-site assisting with water treatment, and their Conex container has something coming out of it—an antenna.
In scenario A, the observant employee inquires about this and eventually finds that this antenna is connected to a cell modem with a public IP address directly connected to an HMI, with no firewall enabled on the HMI. In short, they discover that your balance-of-plant network is exposed and open to potential attack. In scenario B, the employee finds it odd but says nothing—and the gate is left wide open.
There are several lessons we can learn from this, but I want to focus on Management of Change (MOC) and how that can be tied into a monitoring program. Many processes, such as vendor management, lack effectiveness because of the burden of manually logging every modification or maintenance change during routine plant operations. This often requires plant operations and engineering to have an understanding of the implications of the changes they are approving, an understanding that they simply do not have. In many cases, organizations don’t have visibility into what their vendors are doing to their OT systems and devices, changes that unintentionally result in compromising perimeter protections of sensitive networks. Configuration management, alongside a thorough monitoring program, will allow you to not only track and see the necessary modifications that need to be made but also help you understand the true impact that vendors or well-intentioned plant personnel could have on your security.
Your people and processes are part of good cybersecurity hygiene for preventive action. But humans are fallible. Implementing technical barriers, like 24/7 monitoring and automated processes for tracking configuration and system changes, will undoubtedly increase your odds of success.
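The configuration-drift side of the MOC program described above, shown as an added example (not ABS Group tooling): a stored baseline of an HMI's network, firewall and listening-service configuration is compared against a fresh snapshot taken after a vendor visit, and every deviation becomes an MOC finding. The asset name, addresses and snapshot contents are constructed for this example; the severity levels and the "internal network" ranges are assumptions, not an ABS Group standard.

```python
"""Configuration-baseline drift check for an OT asset (added example)."""
import ipaddress
from typing import Dict, List

# Address ranges we treat as "internal" (assumption for this example): RFC 1918,
# loopback and link-local.  Anything else is assumed reachable from outside.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]

# Constructed baseline, recorded when the hypothetical HMI was commissioned.
BASELINE = {
    "asset": "BOP-HMI-01",
    "firewall_enabled": True,
    "interfaces": {"eth0": {"ip": "10.20.30.5", "zone": "bop-control"}},
    "listening_services": {"3389/tcp": "rdp"},
}

# Constructed snapshot taken after a vendor visit: a cell modem now hangs off a
# new interface with a public address (203.0.113.17 is a documentation address
# standing in for a carrier-assigned one), the host firewall is off, and VNC
# has been enabled for remote support.
SNAPSHOT = {
    "asset": "BOP-HMI-01",
    "firewall_enabled": False,
    "interfaces": {
        "eth0": {"ip": "10.20.30.5", "zone": "bop-control"},
        "wwan0": {"ip": "203.0.113.17", "zone": "unknown"},
    },
    "listening_services": {"3389/tcp": "rdp", "5900/tcp": "vnc"},
}


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the INTERNAL_NETS ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def drift_findings(baseline: Dict, snapshot: Dict) -> List[Dict]:
    """Return one finding per deviation of snapshot from baseline.

    Severity is 'high' when the change widens exposure on its own (firewall
    off, new externally routable interface) and 'medium' otherwise, so a
    monitoring program can page on 'high' and queue the rest for MOC review.
    """
    findings = []
    if baseline["firewall_enabled"] and not snapshot["firewall_enabled"]:
        findings.append({"severity": "high", "item": "firewall",
                         "detail": "host firewall disabled"})

    base_if, snap_if = baseline["interfaces"], snapshot["interfaces"]
    for name, cfg in snap_if.items():
        if name not in base_if:
            sev = "medium" if is_internal(cfg["ip"]) else "high"
            findings.append({"severity": sev, "item": f"interface {name}",
                             "detail": f"new interface {cfg['ip']} in zone {cfg['zone']}"})
        elif cfg != base_if[name]:
            findings.append({"severity": "medium", "item": f"interface {name}",
                             "detail": f"changed from {base_if[name]} to {cfg}"})
    for name in base_if:
        if name not in snap_if:
            findings.append({"severity": "medium", "item": f"interface {name}",
                             "detail": "interface removed"})

    base_svc, snap_svc = baseline["listening_services"], snapshot["listening_services"]
    for port, svc in snap_svc.items():
        if port not in base_svc:
            findings.append({"severity": "medium", "item": f"service {port}",
                             "detail": f"new listener {svc}"})
    return findings


def externally_exposed(snapshot: Dict) -> bool:
    """The scenario from the walkdown: a non-internal interface with no host firewall."""
    has_external = any(not is_internal(cfg["ip"]) for cfg in snapshot["interfaces"].values())
    return has_external and not snapshot["firewall_enabled"]


if __name__ == "__main__":
    for f in drift_findings(BASELINE, SNAPSHOT):
        print(f"[{f['severity']:6}] {f['item']}: {f['detail']}")
    print("externally exposed:", externally_exposed(BASELINE, SNAPSHOT) if False else externally_exposed(SNAPSHOT))
```

Run as-is, the script reports the disabled firewall and the new wwan0 interface as high-severity findings, the new VNC listener as medium, and flags the asset as externally exposed. The same comparison against a snapshot identical to the baseline produces no findings, which is what a nightly job should see on a quiet day.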
Derek Stubbs, Director of OT Cybersecurity Consulting
Let's take a trip. Today, we're headed to a legacy refined products terminal. Like any other day at the terminal, top-loading trucks that carry hazardous refined products like diesel, jet fuel and various gasoline blends are at loading racks. The loading arms above them prepare to deposit the designated products at a significant flow rate. On this particular day, half the loading rack is undergoing modernization and maintenance. A truck is situated under one of the operational loading arms, and the product appears to be depositing into the truck like normal. However, invisible to the loading operators, the maintenance project has disabled some key digital safeguards.
We know that the significant flow rate at which the material is deposited can build up a static charge, and a charge can cause sparks. Sparks can cause fires. "Evacuate!" we hear as we watch the fire suppression system kick in and quickly contain the fire engulfing the truck’s loading tank. Now, all we can do is wait and watch for the fire to go out.
Still trying to figure out what went wrong? Based on a similar real-life incident, this kind of situation results from a poor safety ecosystem, bad planning and poor technology management. Loading racks contain both manual and digital safety mechanisms. Because of the modernization and maintenance going on, some of these safety automations may be disabled. One such automation that could be disabled is a Programmable Logic Controller (PLC) feature responsible for preventing loading operations when grounding conditions aren’t met. All these circumstances can combine to create a perfect storm that could have been avoided.
Situations like these remind us how much safe operations depend on an ecosystem of procedural, mechanical, electrical and digital safeguards working together. Technology and cybersecurity are small but essential elements of being a good steward of your ecosystem. Our personnel at ABS Group consist of a blend of cyber, engineering and process experts who will work to help you better ensure that events like the one we just discussed don't happen. Without an assessment team on your side, trouble can be provoked by improperly managed technology, creating explosive results.
Harshal Patil, ISOC Cybersecurity Lead
What happens when a critical infrastructure facility unknowingly becomes a transmitter of a cyber-attack? The answer is simple: multi-industry chaos. The reality is that this happens more often than you'd think. If a maritime or power plant asset (part of critical infrastructure) faces a cyber attack, it will likely delay goods or cause power blackouts and further spread the attack, placing other industries in danger. This is why it's highly beneficial for these critical infrastructure facilities to utilize an Industrial Security Operations Center (ISOC).
Before I can explain the practical defensive nature of an ISOC for a critical infrastructure facility, it's essential to understand that there are two kinds of cyber-attacks: Targeted and Untargeted. Targeted attacks are directed toward specific targets and are often premeditated attempts at disrupting mission-critical systems to steal data or use it for purposes outside the original intent. Untargeted attacks are not intended for or directed at the victim but result from the attacker pursuing other targets in the same or different industry.
Critical infrastructure facilities gain protection from these attacks through effective Information Technology (IT) and OT security. IT is mainly used at the enterprise level, involving computers that conduct operations-related tasks like logistics and operational personnel assignment. OT consists of devices specifically intended to help with the critical mission of the facility.
While conducting cybersecurity assessments at critical infrastructure facilities, some cybersecurity findings that we have witnessed are:
- Charging a phone on an available mission-critical OT system’s USB port.
- Using the SMBv1 (Server Message Block) protocol on printers that interface with OT systems. The SMBv1 protocol poses a security risk as it has been exploited in various cyber attacks.
- Remote maintenance sessions left open and unattended even after the work has been completed.
These findings can be attributed to the following factors:
- Lack of cybersecurity training.
- A detailed hardware and software inventory was not developed or did not exist.
- Lack of a robust Software Management of Change.
- Critical ICS USB ports were not protected from unauthorized access.
- Control system software changes by third-party vendors, and the portable devices used for implementing these changes, were not monitored and controlled under a formal policy.
- ICS network monitoring for suspicious and potentially disruptive cybersecurity activity was not observed.
- A formal ICS cybersecurity incident response plan and procedure were not documented.
While implementing training and software MOC can help mitigate some of the findings, other vulnerabilities are difficult to spot and many times go undetected. This is where the ISOC comes in handy. The ISOC gives these critical system facilities around-the-clock monitoring with the help of technology, industry and other in-house experts who practice 24/7 preventative maintenance with no interference to operations.
Nowadays, everyone wants to see data in real time, so it's easier to feel relaxed when sending data from remote facilities to the company’s central office and vice versa, as it will be continuously monitored by the ISOC. Additionally, if critical infrastructure facilities utilized preliminary efforts toward cybersecurity (such as cybersecurity training) to deepen awareness of protective measures and implemented an ISOC, then critical system facilities around the world could significantly reduce the chances for attack.
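Three of the assessment findings listed above (a phone or other storage device on an OT host's USB port, SMBv1 in use against OT systems, and remote maintenance sessions left open) are exactly the kind of thing an ISOC monitoring rule can catch from host and network telemetry. The following is an added example, not ISOC or ABS Group tooling: three rules evaluated over constructed syslog-style records. The host names, user names, addresses, log format and the two-hour maintenance-window limit are all assumptions made for the example.

```python
"""Three ICS monitoring rules over constructed log records (added example)."""
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

OT_HOSTS = {"hmi-01", "hmi-02", "plc-eng-01"}   # hypothetical OT asset names
MAX_SESSION = timedelta(hours=2)                 # maintenance-window policy (assumption)
# Dialect strings a client offers in an SMB1 Negotiate; seeing one of these
# negotiated means the session is running SMBv1.
SMB1_DIALECTS = {"PC NETWORK PROGRAM 1.0", "LANMAN1.0", "LM1.2X002",
                 "LANMAN2.1", "NT LM 0.12"}

# Constructed sample: USB events from hosts, remote-access session events from
# a jump host, and SMB negotiations seen by a passive network sensor.
SAMPLE_LOG = """\
2024-05-01T02:55:10Z hmi-02 usb: new device class=mass_storage serial=ABC123
2024-05-01T02:56:00Z eng-ws-03 usb: new device class=hid serial=KB9
2024-05-01T08:00:00Z jump-01 remote: session=7f3a user=vendor-acme open
2024-05-01T09:00:00Z jump-01 remote: session=9c21 user=vendor-beta open
2024-05-01T09:30:00Z jump-01 remote: session=7f3a user=vendor-acme close
2024-05-01T10:15:42Z netmon smb: dialect="NT LM 0.12" src=10.20.40.9 dst=10.20.30.5
2024-05-01T10:16:00Z netmon smb: dialect="SMB 3.1.1" src=10.20.40.10 dst=10.20.30.5
"""
# "Now" for the sample run: end of the shift during which the log was collected.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kind>\w+): (?P<body>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(line: str) -> Optional[Dict]:
    """Split one record into timestamp, host, event kind and key=value fields."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m["body"])}
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "host": m["host"], "kind": m["kind"], "body": m["body"], **fields}


def evaluate(log_text: str, now: datetime) -> List[Dict]:
    """Apply the three rules and return one finding per hit."""
    findings: List[Dict] = []
    open_sessions: Dict[str, Dict] = {}   # session id -> the 'open' event
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        # Rule 1: removable storage appearing on an OT host.
        if ev["kind"] == "usb" and ev["host"] in OT_HOSTS and ev.get("class") == "mass_storage":
            findings.append({"rule": "usb-storage-on-ot-host", "host": ev["host"],
                             "ts": ev["ts"], "detail": f"serial {ev.get('serial')}"})
        # Rule 2: an SMB session that negotiated a version-1 dialect.
        elif ev["kind"] == "smb" and ev.get("dialect") in SMB1_DIALECTS:
            findings.append({"rule": "smbv1-negotiated", "host": ev.get("dst"),
                             "ts": ev["ts"], "detail": f"from {ev.get('src')}"})
        # Rule 3: remote maintenance sessions open longer than the window.
        elif ev["kind"] == "remote":
            if ev["body"].endswith(" open"):
                open_sessions[ev["session"]] = ev
            elif ev["body"].endswith(" close"):
                start = open_sessions.pop(ev["session"], None)
                if start and ev["ts"] - start["ts"] > MAX_SESSION:
                    findings.append({"rule": "remote-session-too-long", "host": ev["host"],
                                     "ts": ev["ts"], "detail": f"user {start.get('user')}"})
    for sid, start in open_sessions.items():
        if now - start["ts"] > MAX_SESSION:
            findings.append({"rule": "remote-session-left-open", "host": start["host"],
                             "ts": start["ts"],
                             "detail": f"session {sid} user {start.get('user')} still open"})
    return findings


def run_sample() -> List[Dict]:
    """Evaluate the constructed sample as of NOW."""
    return evaluate(SAMPLE_LOG, NOW)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['ts'].isoformat()} {f['rule']:26} {f['host']}: {f['detail']}")
```

On the sample this yields three findings: the mass-storage device on hmi-02 (the keyboard on the engineering workstation is ignored, as is any storage device on a non-OT host), the SMBv1 negotiation against 10.20.30.5, and vendor-beta's session, open since 09:00 and still open at the 12:00 check. Vendor-acme's 90-minute session closes inside the window and produces nothing. In a real ISOC the session-limit check would run on a schedule rather than once against a fixed `NOW`.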