Industrial IT Security Can No Longer Rely on Fortress Building

The Stuxnet Virus has opened our eyes. As more and more IT based devices have made their way into industrial settings, the protection of these devices from those wanting to do harm has not kept up the pace. In the front office environment, many layers of protection technologies have evolved, but in the industrial environment we have hung on to just one tool. Build a BIG wall; a fortress.

History has many lessons on this. China built a long one that spanned almost the width of their nation. The Europeans made an art form out of building tall encompassing ones (the Royal Family’s Windsor castle in England is a great example of this). But these alone proved to not be enough to thwart every intruder. They had to start getting creative. They added arrow slit openings in the wall to deter low level attacks, and watchtowers to see the siege arriving. They added ditches or moats at the base of the walls to keep enemies from climbing or digging under them. They discovered defense in depth. Break through one defensive strategy and the next one is there to greet you (rather impolitely, of course).

The Stuxnet virus was created for a singular purpose. It attacked the Siemens  S7 PLC and their WinCC SCADA software. But all the mechanisms it used to get there make EVERY industrial system from EVERY industrial manufacturer vulnerable. It easily found ways around the existing “great wall” of IT security systems by hitching a ride on USB memory sticks. It exploited common vulnerabilities in the Windows environment, and was smart enough to remove itself after only 3 replications – to avoid detection. It learned things as it went, as well. Each iteration was remembering how its previous iterations got there, learning your whole network along the way. It was very patient as it cruised along until it ultimately made it to the programmed target. It would not take much effort to change that target to any number of other industrial devices. And while the USB stick was a convenient choice for transport, people have even found ways to embed this virus into a PDF file. Wireless connectivity is also a serious concern for intrusion. The wall is almost useless by itself when the intruder gets walked through the door.

The argument used to be made that there was an “air gap” between the industrial devices and the obviously vulnerable front office devices that were all connected to the rest of the world. But that is mostly gone in today’s world of interconnectivity and open platforms. Industrial devices protected solely by strict IT policy or singular firewall equipment that says “nothing gets past my wall” have proven to be vulnerable. While good IT policy is essential, the policies that govern PCs sitting on an accountant’s desk do not work on Automation Control Systems. It takes a collaborative effort between IT and operations to develop an effective policy for defending your floor level control systems.

There is a growing contingent of hackers out there that see opportunity and potential “pay days” by taking out the competition, or want to make a statement against corporations. Do you think that you will never be a target of these hackers? Up to 80% of the Stuxnet virus infections were collateral damage, not even the intended target. Now is the time to take a look your “defense in depth” strategy for IT security in your industrial environment, before it is too late. Give us a call!

This article was written by Patti Engineering Vice President, Dave Foster. You can e-mail Dave with questions or comments at: DFoster@PattiEng.com.