The Assumption of Cyber Security – Because Only Authorized Folks Should Be There
As is often the case, the inspiration for what my next newsletter was going to be about came to me while reading a news article. Sometimes it happens while listening to a Help Desk call or during a conversation about something, but this time it was a press report. The story was published by a consortium of Security researchers about the difficulties they encounter when reporting product or software vulnerabilities, etc. Their findings were interesting.
While IoT was on the list of pain points, the experience was inconsistent (sometimes bad, sometimes good). The area where researchers consistently ran into issues was reporting vulnerabilities in industrial control equipment, and getting it repaired. The problems that they would often encounter were things like:
– No bug bounty programs
– No reported method for reporting vulnerabilities
– Little or no response to reports on vulnerabilities
– Vulnerabilities remaining non-patched, despite reports
With IoT devices, it makes sense. When an IoT speaker runs $20, your profit margins are so small you need to save money wherever possible. Industrial control equipment is a LOT more expensive. The low-end stuff that you would find in a small water treatment plant costs as much as a car, with the setups from a large factory running into multiple millions of dollars.
It seems like the organizations that build this equipment put a lot of reliance on the end customers’ ability to secure the location, as well as the network. I have performed work in multiple water treatment plants in Northern Alberta, and I can say the same thing for all of them:
1) The Exterior Security was (at worst) decent.
By this I mean that gaining unauthorized access to the interior would take some effort and skill. Usually, the Exterior Physical Security was reasonably well taken care of.
2) The Interior Security was close to non-existent.
Assuming Exterior Security was breached, a bad actor would have free run of the place, both in terms of physical access and computer/network access (switches attached to walls out in the open; stuff like that.)
3) A Firewall connected to the Internet was the extent of the Network Security.
Other than installing a firewall to protect from Internet cyber-attacks, no additional network Security steps were taken. The firewalls tended to be small and lacking in features, because these locations don’t have very fast Internet connections. The computer which was set up to control the water treatment plant often didn’t have an Antivirus installation (since it can interfere with the control software) and wouldn’t even get regular updates (slow Internet and, once again, it could cause certain troubles with the control software).
From a computer standpoint, sites such as water treatment plants tend to be small. They will have one computer (maybe two), the controller system itself, maybe an HVAC, and that is it. Combine that with a small firewall (since there is not much traffic) and maybe a single unmanaged switch, and it should seem like a great place to save a few bucks in your IT budget.
But what are the risks, really?
The two biggest risks (in terms of computers) are that the device set up to talk to the WTP control system gets compromised, and that a network device which can connect to the controller gets compromised. The risk of someone hacking through an external service to get inside is smaller (unless someone doesn’t set up the firewall properly and does something like open SCADA communications to the entire Internet).
So how do you address these?
Well, the very first thing to do is to segregate the network. This should come as no surprise. The system that controls a water treatment plant, the HVAC (if there is one) and the device that talks to the controller should be locked up in their own private network. If anything could be allowed to connect to that network, it should be for very specific, well documented reasons.
The second thing is to deal with that computer set up to talk to the controller. There need to be very strict policies & procedures in place to govern its use. It should only be used for specific business reasons. Also, the configuration should be as hardened as possible.
Sounds good, right? Well, yes and no. Now we have the problem of what to do about people bringing personal devices or mobile business devices onto the location.
For personal devices, do what you would do at your main office location, providing a WiFi network they can use to connect to the Internet.
For business devices, provide a WiFi network with credentials and configurations that are similar to what you have in your main office, as well as designated places for all the devices to be physically connected.
Back all this up with proper policies, procedures and monitoring. Plan it carefully and implement it properly. This means allocating the necessary space to correctly place and secure your networking equipment.
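The segregation advice above can be checked mechanically against a firewall's allow rules. This is an added Python example, not part of the original post: it flags any rule that crosses into the control network from outside the site or from the personal-device WiFi, that is not limited to a specific service, or that has no documented reason. The subnets, rule names, and the use of Modbus/TCP port 502 to stand in for SCADA traffic are assumptions.

```python
import ipaddress

# Assumed addressing plan: the post names the networks, the subnets are hypothetical.
ZONES = {
    "control":  ipaddress.ip_network("10.10.0.0/24"),  # controller, HVAC, operator PC
    "business": ipaddress.ip_network("10.20.0.0/24"),  # business WiFi and wired drops
    "guest":    ipaddress.ip_network("10.30.0.0/24"),  # personal-device WiFi
}

# Constructed allow rules: (name, source, destination, port, documented reason).
# Port 502 is Modbus/TCP, standing in for "SCADA communications" (assumption).
RULES = [
    ("historian-poll", "10.20.0.15/32", "10.10.0.5/32", 502, "historian reads flow totals"),
    ("vendor-remote",  "0.0.0.0/0",     "10.10.0.5/32", 502, "vendor support"),
    ("laptop-any",     "10.20.0.0/24",  "10.10.0.0/24", None, ""),
    ("guest-out",      "10.30.0.0/24",  "0.0.0.0/0",    443, "guest web access"),
    ("operator-local", "10.10.0.20/32", "10.10.0.5/32", 502, ""),
]

def zone_of(net):
    """Zone that fully contains net; anything wider or unknown is 'outside'."""
    for name, subnet in ZONES.items():
        if net.subnet_of(subnet):
            return name
    return "outside"

def audit(rules):
    """Return (rule, issue) pairs for allow rules that cross into the control network."""
    findings = []
    for name, src, dst, port, reason in rules:
        src_zone = zone_of(ipaddress.ip_network(src))
        # An "any" destination overlaps the control subnet too, so it counts.
        reaches_control = ipaddress.ip_network(dst).overlaps(ZONES["control"])
        if not reaches_control or src_zone == "control":
            continue  # stays inside the control network or never touches it
        if src_zone == "outside":
            findings.append((name, "control network reachable from outside the site networks"))
        if src_zone == "guest":
            findings.append((name, "personal-device network can reach the control network"))
        if port is None:
            findings.append((name, "not limited to a specific service"))
        if not reason.strip():
            findings.append((name, "no documented reason"))
    return findings

if __name__ == "__main__":
    for rule, issue in audit(RULES):
        print(f"{rule}: {issue}")
```

Note that the guest rule is flagged even though it was written for web access: a destination of "any" includes the control subnet unless something else blocks it first.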
It’s not about being paranoid, or overly protective. This is simply identifying and acknowledging a real, potential risk, and taking appropriate steps to try and prevent a mishap from occurring. It’s easy to take Security too far. It’s even easier not to take it far enough. Do not assume the electronics in a location are secure, simply because you’ve taken some steps to keep people off the premises. Finally, do not assume that the vendor is going to take a proactive, reactive, or even active approach to Security.
If you have questions about Monitoring Your Computer Equipment, please reach out to a TRINUS Account Manager for stress-free IT.
By Kind Courtesy of Your Friendly Neighbourhood Cyber-Man.