Industrial Cybersecurity Pulse
Improve legacy critical infrastructure protection

  • Robert Fairfax
  • August 13, 2021
Image courtesy: Brett Sayles

Distributed Network Protocol 3 (DNP3) is the second most widely used serial communications protocol in industrial control systems (ICS), after Modbus. As EPRI (the Electric Power Research Institute) noted in a 2019 technical update, “it is the most widely used utility communications protocol in North America,” and it is used to enable communication between components in process automation systems.

It is used in supervisory control and data acquisition (SCADA) systems so that data acquisition equipment can communicate with control equipment. It was originally built for the electric grid but is now also used in oil and gas, water and wastewater, transportation and other sectors. DNP3 lets operators track device values such as current, voltage, alarm status, device control or breaker status in order to detect problems as they arise. The protocol was developed in 1993 with no built-in security (no authentication and no encryption), and its function codes and data types are publicly documented, which makes it an attractive vector for spoofing or eavesdropping attacks. Later revisions of the IEEE 1815 standard added DNP3 Secure Authentication, which authenticates critical requests but does not encrypt traffic, and much of the installed base predates it or does not enable it.

In cybersecurity for operational technology (OT) networks, attention tends to focus on the transmission control protocol/internet protocol (TCP/IP) layer, because that is what most commercial solutions cover. In the past it was easy to ignore serial communications security: there was no practical way to observe what was happening at the lower level, and the data polled by SCADA was treated as trustworthy because it often came from TCP/IP-connected devices such as programmable logic controllers (PLCs) and remote terminal units (RTUs). Recent attacks on critical energy infrastructure have underscored the need to re-examine utility cybersecurity, and an important part of that effort is the DNP3-connected devices used widely across the utility sector.

The problem we face with digital transformation is that all assets are being connected to the internet. Nothing is then fully secure: if an adversary gains access to any part of a network, they can move laterally into more critical operations and cause significant downtime, damage assets or even endanger human safety. Following the recent attacks on the water treatment plant in Oldsmar, Florida and on Colonial Pipeline, we need to improve our cybersecurity posture for critical infrastructure.

According to reports, Colonial Pipeline did not have to take its pipeline operations offline, but did so as a precaution because its IT and OT systems were interconnected. The ransomware attack targeted the IT side but could have pivoted to the pipeline operations on the OT side. Can we be sure that, once Mandiant/FireEye have concluded their investigation, the attackers no longer have a foothold in the network? Attackers like to stay in systems they worked hard to gain control of.

One step toward improving cybersecurity for critical systems that rely on legacy controls is to monitor serial communications at Levels 0 and 1 of the Purdue Model, which supports early detection. It is one way to detect an attack when a system is already compromised.

Communications at the lower level can be trusted to carry reliable, untouched data because that is where the physical devices themselves are talking; at Level 2 and above the data may already have been altered. Lower-level traffic shows the direct communication between a PLC and a breaker, such as the command to open or close it. If you are only monitoring the higher levels, a bad actor may already have modified what you see, so it is not representative of what is happening in the physical process.
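The following is an added example of the kind of passive serial monitor the paragraph above calls for; it is not code from the article or from Cynalytica. It decodes DNP3 link-layer frames from a raw serial byte stream, verifies the CRC-16/DNP checksums that cover the header and each 16-byte data block, extracts the source and destination addresses and the application-layer function code, and raises alerts for control and restart functions, for requests from a master address not on an allowlist, and for frames whose CRCs fail. The byte stream, the addresses (master 1, outstation 10, rogue 100) and the allowlist are constructed for the example; the frame layout and function-code names follow IEEE 1815.

```python
"""Passive DNP3 serial-link monitor (added example, not from the article).

Decodes DNP3 link-layer frames from a raw serial byte stream, verifies the
CRC-16/DNP checksums, pulls out source/destination and the application-layer
function code, and flags what a Level 0/1 monitor should escalate: control
and restart functions, requests from masters not on an allowlist, and frames
whose CRCs fail. SAMPLE_STREAM and the address allowlist are constructed for
the example; the function-code names follow IEEE 1815.
"""
import struct

START = b"\x05\x64"
# Application-layer functions that change outstation state or behaviour.
CONTROL_FUNCS = {
    0x02: "WRITE", 0x03: "SELECT", 0x04: "OPERATE", 0x05: "DIRECT_OPERATE",
    0x06: "DIRECT_OPERATE_NR", 0x0D: "COLD_RESTART", 0x0E: "WARM_RESTART",
    0x12: "STOP_APPL", 0x13: "SAVE_CONFIG", 0x15: "DISABLE_UNSOLICITED",
}
OTHER_FUNCS = {0x00: "CONFIRM", 0x01: "READ", 0x14: "ENABLE_UNSOLICITED",
               0x81: "RESPONSE", 0x82: "UNSOLICITED_RESPONSE"}


def crc16_dnp(data: bytes) -> int:
    """CRC-16/DNP: poly 0x3D65 (reflected 0xA6BC), init 0, final XOR 0xFFFF."""
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def build_frame(src: int, dst: int, app_func: int, payload: bytes = b"") -> bytes:
    """Assemble one frame; used here only to construct sample input."""
    # Transport header FIR|FIN seq 0, APDU control FIR|FIN seq 0, then function code.
    user = bytes([0xC0, 0xC0, app_func]) + payload
    # LEN counts CTRL + DEST + SRC + user data; CTRL 0xC4 = DIR|PRM, UNCONFIRMED_USER_DATA.
    header = START + bytes([5 + len(user), 0xC4]) + struct.pack("<HH", dst, src)
    frame = header + struct.pack("<H", crc16_dnp(header))
    for i in range(0, len(user), 16):          # data travels in 16-byte blocks, each with a CRC
        block = user[i:i + 16]
        frame += block + struct.pack("<H", crc16_dnp(block))
    return frame


def parse_frames(stream: bytes):
    """Yield one dict per frame; CRC failures yield a dict with an 'error' key."""
    i = 0
    while (i := stream.find(START, i)) != -1:
        if i + 10 > len(stream):
            break
        header = stream[i:i + 8]
        length = header[2]
        dst, src = struct.unpack("<HH", header[4:8])
        if struct.unpack("<H", stream[i + 8:i + 10])[0] != crc16_dnp(header):
            yield {"offset": i, "error": "header CRC mismatch"}
            i += 2                               # resynchronise on the next start sequence
            continue
        user, pos, remaining = b"", i + 10, length - 5
        while remaining > 0:
            n = min(16, remaining)
            block, crc = stream[pos:pos + n], stream[pos + n:pos + n + 2]
            if len(crc) < 2 or struct.unpack("<H", crc)[0] != crc16_dnp(block):
                yield {"offset": i, "src": src, "dst": dst, "error": "data CRC mismatch"}
                break
            user += block
            pos += n + 2
            remaining -= n
        else:
            entry = {"offset": i, "src": src, "dst": dst}
            if len(user) >= 3:                   # transport byte + APDU control + function code
                entry["app_func"] = user[2]
            yield entry
        i = pos


def monitor(stream: bytes, allowed_masters=frozenset({1})) -> list:
    """Return alert strings for frames that merit escalation."""
    alerts = []
    for f in parse_frames(stream):
        if "error" in f:
            alerts.append(f"offset {f['offset']}: {f['error']} (injection or line fault)")
            continue
        func = f.get("app_func")
        if func is None:
            continue                             # link-layer-only frame, nothing to classify
        name = CONTROL_FUNCS.get(func) or OTHER_FUNCS.get(func) or f"0x{func:02X}"
        if func < 0x80 and f["src"] not in allowed_masters:
            alerts.append(f"offset {f['offset']}: request {name} from unexpected master {f['src']} to {f['dst']}")
        if func in CONTROL_FUNCS:
            alerts.append(f"offset {f['offset']}: control function {name} from {f['src']} to {f['dst']}")
    return alerts


# Constructed sample: a class-1 poll and its response between master 1 and
# outstation 10, then a DIRECT_OPERATE carrying a g12v1 CROB (close, pulse-on,
# 100 ms) to the same outstation from address 100, then a frame whose header
# has been corrupted after its CRC was computed.
_bad = bytearray(build_frame(1, 10, 0x01)[:10])
_bad[6] ^= 0xFF
SAMPLE_STREAM = (
    build_frame(1, 10, 0x01, b"\x3c\x02\x06")
    + build_frame(10, 1, 0x81, b"\x00\x00")
    + build_frame(100, 10, 0x05, b"\x0c\x01\x17\x01\x00"
                  + b"\x41\x01" + b"\x64\x00\x00\x00" + b"\x00\x00\x00\x00" + b"\x00")
    + bytes(_bad)
)

if __name__ == "__main__":
    for line in monitor(SAMPLE_STREAM):
        print(line)
```

Run against the constructed stream, the poll and response pass silently, the CROB from address 100 produces two alerts (unexpected master, control function) and the corrupted frame produces a CRC alert. On a real serial tap the same logic would be fed from a passive serial interface rather than a byte string, and the allowlist would come from the site's master-station inventory.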

For example, Stuxnet carried out a false-feedback attack against the human-machine interface (HMI) in Iran's nuclear program. The worm targeted PLCs and ordered the centrifuges to run faster than normal, but because the feedback sent to the HMI was falsified, operators saw normal readings and could not tell how fast the centrifuges were actually running.

Another example is the BlackEnergy attack on the Ukrainian power grid in December 2015. The attackers took control of the HMI, opened breakers and changed passwords so the operators could not log back in. More than 230,000 people lost electricity for up to six hours, and operators had to operate the breakers manually to restore power. In the US, many power grid control systems do not have manual backups, which would make restoring service in such a situation even harder.

Critical infrastructure has become a major target, and every day we learn more about how insecure it is. The SolarWinds and Microsoft hacks have shown, yet again, that we are not prepared to defend against such threats. The SolarWinds compromise affected many companies and, as reported, “has also infected more than a dozen critical infrastructure companies in the electric, oil, and manufacturing industries.”

We are far from cyber-secure and need to upgrade our practices to keep pace with the growing number of attacks, which are becoming more harmful and more of a threat to human safety. Cybersecurity procedures should be updated with options that close the loop by monitoring and protecting every level of the Purdue model, without ignoring the lower levels.

As SolarWinds showed, many organizations are already compromised, with attackers lurking in networks while planning their next move. Even after an attack, hackers may remain in the environment to steal more files, read e-mail or plan another attack. Do not assume a system is safe, because any system can be targeted. At a minimum, monitor what is happening in the network as fully as possible in order to detect such stealthy compromises. It is not a guarantee of anything, but it provides some comfort.

This article originally appeared on Cynalytica. Cynalytica is a CFE Media content partner.

Cynalytica, Inc., is a partner member of the Control System Integrators Association (CSIA). For more, visit the company profile on the Industrial Automation Exchange.

Rob Fairfax, financial officer, Cynalytica
