Networking

Cyber threats require access

Authenticate users at every level

By Jeremy Pollard, CET

Boy, did I ever scare a bunch of people. Again.

I gave my “One door to the floor” remote access presentation at ISA’s International Instrumentation Symposium in Houston in early November. I came in eight seconds under my allotted time and was really happy with the way it went.

I was to deliver a fundamental view on cybersecurity with remote access as a focal point. I believe I met the mark.

The audience was fairly well-versed in the needs for cybersecurity, but the remote-access flavor was a bit different for them, I thought.

The main crux of my argument is risk assessment and user and/or device authentication, which most organizations almost always do with a VPN and a password. The CIA has shown us that VPNs cannot be relied on by themselves, which is why you are seeing the big push for endpoint security protection software.

MobiKEY from Route1 authenticates the user because the user has MobiKEY. Simple, I know, but it was not lost on the audience.

“How do you make sure that who is accessing our network is authorized?” A common question.

I introduced the concepts of why we need to think about validating the who. Imagine a laptop that was stolen or left in the back seat of a taxi or Uber car and is then used to hack the company it belongs to. Social engineering can get to things such as passwords; the laptop may have been deliberately targeted, or its loss may simply have been a random act.

Regardless of the how, the network only knows that it is a laptop that has the credentials to access assets on that network.

That’s why user authentication at every level is of utmost importance.

The RSA cryptosystem and YubiKey have advantages over passwords, as does MobiKEY, but most simply don’t get why using only a password is so wrong.

The use of multi-factor authentication is a must. TeamViewer offers it as an option, when in fact it should be mandatory. I opened a lot of minds with a balanced view of necessity and fear.

Then the panel discussion afterward, led by Peter Fuhr, happened. And I got more afraid than I already was.

He works with Oak Ridge National Laboratory and is in contact with many government agencies. He said there’s a bill in the U.S. Senate that contemplates making into law that critical infrastructure return to the days of analog control.

There was dead silence in the room, as if to say, no way, that could never happen. And while that may be true, it tells a story of not being able to trust what we are doing now to protect our infrastructure.

Fuhr held court for an hour with a slide show that had metrics I didn’t even know existed. It was very impressive yet mind-opening all at the same time.

He covered many topics, and, not surprisingly, much of what my research had found turned out to be very accurate. Vendors are selling convenience, which I have mentioned before. Use our hardware or software VPN, but the endpoint protection to prevent malware from travelling through the tunnel is on you, the user.

Some vendors are selling complexity, which creates more problems than it solves. As previously mentioned, there is a definite lack of comfort and trust in the ICS security arena. Adding another firewall was mentioned many times, and that adds to the complexity.

So, I get a link sent to me about the threat attack surfaces we can expect to see in the next year, and the first one that grabbed me was a malware explosion based on firmware updates and patches. The report was by Giovanni Vigna from the computer science department at the University of California, Santa Barbara.

Then I remembered seeing something about that last year, which really didn’t get much attention. There was a software update file circulating, which was reported by Industrial Safety and Security Source (www.isssource.com) in July 2016. Of course, it wasn’t a valid or official update file. Some, I am sure, downloaded the patch and got infected. It can be that easy.

The real issue is real updates. If a firmware update was intentionally obtained and modified by a threat actor and was emailed to you and it looked legitimate, you would probably apply the update. The PLC you updated is now exposed.
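The check that separates a genuine update from a modified one is a vendor signature verified against a public key already pinned on the workstation, not a checksum that arrives in the same e-mail. The following is an added example, not code from the column or from any vendor; it assumes an Ed25519 signing scheme, and the key pair and firmware images are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Release is what a vendor publishes: the image plus a detached signature made
// with the vendor's offline signing key (everything here is constructed).
type Release struct {
	Image     []byte
	Signature []byte
}

// ChecksumMatches is the weak check: a digest that travels in the same e-mail
// as the image. Whoever modified the image can recompute this digest.
func ChecksumMatches(image []byte, claimed [32]byte) bool {
	return sha256.Sum256(image) == claimed
}

// SignatureValid is the strong check: only the vendor's private key can produce
// the signature, and the public key is pinned on the workstation beforehand.
func SignatureValid(vendorPub ed25519.PublicKey, r Release) bool {
	return ed25519.Verify(vendorPub, r.Image, r.Signature)
}

// Scenario plays out the column's case: a genuine release is modified and forwarded
// with a freshly computed checksum. It reports which checks each copy passes.
func Scenario() (genuineSigOK, tamperedChecksumOK, tamperedSigOK bool) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader) // constructed key pair
	if err != nil {
		panic(err)
	}
	genuine := []byte("PLC firmware v2.1 (constructed sample image)")
	release := Release{Image: genuine, Signature: ed25519.Sign(vendorPriv, genuine)}
	// The threat actor alters the image, keeps the old signature, and ships a
	// checksum that matches the altered bytes.
	altered := []byte("PLC firmware v2.1 (constructed sample image, altered)")
	tampered := Release{Image: altered, Signature: release.Signature}
	attackerChecksum := sha256.Sum256(altered)
	return SignatureValid(vendorPub, release),
		ChecksumMatches(altered, attackerChecksum),
		SignatureValid(vendorPub, tampered)
}

func main() {
	fmt.Println(Scenario()) // prints: true true false
}
```

The altered copy sails through the checksum comparison but fails the signature check, which is why the public key must be distributed ahead of time over a channel the attacker does not control.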

The report suggests that firmware malware will be on the rise. Siemens has already been hit with logic-controller malware that was not Stuxnet-related.

Real-time cyber attack vectors also can be seen at map.norsecorp.com. In the past, the main target has been the Federal Aviation Administration systems in Missouri.

I was pleased to see my research was accurate and validated by the information that Fuhr disseminated. I was scared then and am more afraid now. Be vigilant, people.