Maintaining robust defenses from cyber-attacks is a priority for manufacturers. They rely on their automation suppliers to provide security-hardened technologies and cybersecurity services to help defend against new attacks and maintain resiliency and robustness over time. One key element in robustness is quickly finding, fixing and distributing patches for newly discovered vulnerabilities.
Industrial control systems (ICS) such as the DeltaV distributed control system have many layers of protections based on the IEC 62443 family of standards for how control systems should be developed, deployed, and maintained to dramatically enhance the cybersecurity of these installed systems. The Cybersecurity Guidebook for Process Control outlines steps to take to protect assets from cybersecurity threats.
At the recent ICS Cyber Security Conference, Emerson’s Neil Peterson (right) and CyberX‘s Phil Neray (left) presented, ICS Security Researchers & Automation Vendors: Building Mutual Trust. They discussed a real-world example of how security researchers uncovered a vulnerability in an ICS product and worked cooperatively with the ICS supplier including: how contact was made, responsible vulnerability disclosure, patch development & distribution, and finally public disclosure of the vulnerability via ICS-CERT (Industrial Control System Cyber Emergency Response Team).
CyberX provides an industrial cybersecurity platform for ICS asset discovery, identifying critical risks and attack vectors, and continuous network monitoring with behavioral anomaly detection and threat intelligence. In the course of enhancing their embedded analytics to support diverse industrial protocols, including proprietary protocols, they sometimes uncover vulnerabilities in ICS devices. They then work with the ICS suppliers to fix the vulnerabilities.
During this research, the CyberX team uncovered a vulnerability in the DeltaV control system. They communicated this vulnerability through ICS-CERT to inform Emerson’s DeltaV technology organization and start the responsible disclosure process.
After ICS-CERT connected the CyberX and DeltaV teams together, a video of the vulnerability was shown to clearly show the exploit and timing to perform.
The DeltaV product security incident response team performed root cause analysis, identified the solution, developed a patch, and fully tested across all the currently supported DeltaV versions. Once this testing was performed across all these versions, DeltaV users were provided patches to eliminate the vulnerability.
Once this communication and patching process had occurred, ICS-CERT made public disclosure of the vulnerability. This collaboration between cybersecurity platform and ICS suppliers followed a responsible disclosure path where the solution could be identified, developed, fully tested and deployed before a disclosure was made.
Cybersecurity is fundamental to Emerson control and SCADA systems. Neil described how the DeltaV system has gone through the rigorous ISASecure System Security Assurance certification process. DeltaV v14.3 will be the first ICS to attain ISASecure System Security Assurance Level 1 certified. The ISASecure standards are based on the ISA/IEC 62443-3-3, 62443-4-1 and 62443-4-2 standards.
Phil shared vulnerability data that CyberX recently published based on real-world traffic captured from more than 850 production ICS networks across all industrial sectors worldwide. The data uncovered the myth of an air gap between control systems and the internet, finding that 40% of sites have at least one direct connection to the internet. Also, 69% were using plain-text passwords instead of fully encrypted ones. And 53% were on versions of Windows operating system that are no longer supported from a vulnerability and patch management perspective. Read the full CyberX IIoT & ICS Risk Report on these findings.
When evaluating and improving your cybersecurity defenses, make sure to work with your supplier to develop adequate defense-in-depth strategies, work processes, training, and ongoing support. Just as continuous monitoring of process variables is critical for process control and safety applications, so is ongoing cyber-defense monitoring. As Neil explained in this session, continuous monitoring is essential for immediately detecting if and when cyber attackers have compromised your control network—so you can stop them in the early phases of a breach, before they can cause any real damage.