Cybersecurity in the power industry has taken center stage. The FBI has warned energy companies of targeted hacker activity, email phishing campaigns have surfaced, and an attack that modified a safety instrumented system has been uncovered. Protecting your facility and its affiliated substations, personnel, and processes is a requirement for every service provider, and it doesn’t need to be overwhelming, according to Eric Knapp, director of strategic innovation, Honeywell Industrial Cyber Security. Recent research from the Honeywell team reminds critical infrastructure providers that portable media devices are a good place to start for effective defense-in-depth cybersecurity measures.
How do you see threats facing companies in the power industry?
Threats to utilities are real and, unfortunately, the industrial cybersecurity resilience at many such companies is still shockingly low. When we perform cybersecurity assessments across industrial companies, we find everything from control system passwords posted in clear view on sticky notes, to outdated encryption methods, to a lack of any USB device control.
What are some key threat vectors?
Your employees and maintenance personnel might be inadvertently introducing threats into your control system network, most notably through portable media. These USB-based devices might include a thumb drive or external storage device, for example. While many personnel have to carry these around to deliver updates to remote systems, our new research implies that facilities have no control mechanisms in place, and they’re setting themselves up for a major outage. Decades-old malware is getting in on these USB devices, not to mention newer hacking techniques that allow outsiders to take over a system remotely.
What is the new research you’re referring to?
We just completed an analysis of USB usage across industrial facilities, the Honeywell Industrial USB Threat Report, and the data included power industry usage. We extracted the data from a proprietary, globally deployed Honeywell security platform called Secure Media Exchange (SMX), which essentially checks USBs for bad behavior or malicious files. Since the data is straight out of our security systems, we can see “in the wild,” real-world usage of portable media in industrial environments, and can verify that the USB threat is significant.
What are the important findings from this research?
The data showed much more serious threats than we expected, and taken together, the results indicate that a number of these threats were targeted and intentional. Of the 50 industrial locations we studied around the world, nearly half (44%) faced threats from removable USB media devices. More than 25 percent of the threats detected had the potential to cause a major disruption to plant operations.
On the one hand, this research confirms what we have suspected for years — that USB threats are real for industrial operators. On the other hand, what is surprising is the scope and severity of the threats, many of which can lead to serious and dangerous situations at sites that handle industrial processes. For example, we found that 1 in 4 threats blocked (26 percent) had the potential to cause a major disruption to an industrial control environment, including loss of view or loss of control, and 16% were targeted specifically against Industrial Control System (ICS) or Internet of Things (IoT) systems.
This sounds like alarming data. How serious is this threat?
While the threat is real and the risk must be addressed, our intention is to simply present the data so others can compare and contrast with their internal data, and hopefully take appropriate security measures. Sometimes just seeing the data helps educate business leaders who might not be cybersecurity experts to help them prioritize risk reduction before an outage ever occurs.
At Honeywell, while we have been helping customers for decades when it comes to industrial cybersecurity, this is the first time we have invested the time and effort needed to carefully analyze this type of SMX data. We also hope the work helps the wider industrial cybersecurity research community, whether academics, internal cybersecurity analysts at companies, or non-profit threat information-sharing organizations. This global community often works together to improve threat prevention for our industries, and we appreciate much of the work they have done as well. Since we have been deeply studying USB usage, and now that we have objective data, we thought it made sense to share what we know with others.
What is actionable for a company in the power industry in terms of improving cybersecurity?
Specific to preventing USB threats, we noted several recommendations in the report. These include leveraging scalable technical solutions, since no human alone can manage USB usage across dozens of sites. You need automated threat intelligence, useful reporting, and certainly the ability to spot human interface device (HID) attacks attempted through USBs. Unfortunately, outdated security systems only look for malware and file infections, and there are far more dangerous and advanced ways USBs are exploited, as the report explains (see also its glossary of attacks). We also recommend you review your control system network segmentation, to ensure you prioritize asset security based on criticality, and to ensure no uncontrolled outbound activity is possible. Keeping software patches updated may sound routine, but it is also very important for stopping attackers from exploiting known vulnerabilities.
Beyond that at a more strategic level for your CIO or CISO, it helps tremendously to consider using an industrial cybersecurity maturity model to plot your overall position. Where are you now, and where do you want to be? Especially if you work with specialized OT consultants, you can get help to design, implement, and even manage the programs that get you from here to there.
For many in the power industry, it is difficult to add headcount or find staff that can fully prioritize security. In those cases, we recommend you don’t wait. Find the right managed security services partner and start layering in your defenses. As the National Institute of Standards and Technology (NIST) has stated, defense in depth is essential, since no single control measure will resolve all risk. Any step is better than no step, so don’t get overwhelmed. Use data to get informed and start prioritizing risks and related control measures, whether that is adding USB security checks at every control room, or starting regular assessments. We hope our research helps in this effort.
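The recommendations above call for automated USB control and the ability to spot human interface device (HID) attacks, rather than relying on file scanning alone. The following Python script is an added example written for this page; it is not Honeywell's SMX, nor any code from the USB Threat Report. It assumes the host is a Linux workstation or HMI whose kernel USB enumeration messages (dmesg / syslog style) are available, correlates each device's "New USB device found" line with the interfaces it registers, and flags two things a defender cares about: a device that enumerates as mass storage and also registers a keyboard (the composite pattern behind HID-injection attacks), and any device not on a site-specific approved-media list. The log lines, vendor/product ids and the approved list are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Constructed sample kernel log lines (not real captures). Vendor/product ids are placeholders.
SAMPLE_LOG = """\
Mar 12 09:14:02 hmi01 kernel: usb 1-1: new high-speed USB device number 4 using xhci_hcd
Mar 12 09:14:02 hmi01 kernel: usb 1-1: New USB device found, idVendor=abcd, idProduct=0001
Mar 12 09:14:02 hmi01 kernel: usb-storage 1-1:1.0: USB Mass Storage device detected
Mar 12 09:14:03 hmi01 kernel: hid-generic 0003:ABCD:0001.0002: input,hidraw0: USB HID v1.11 Keyboard [Generic Flash Disk] on usb-0000:00:14.0-1/input1
Mar 12 09:20:11 hmi01 kernel: usb 1-2: New USB device found, idVendor=1111, idProduct=2222
Mar 12 09:20:11 hmi01 kernel: usb-storage 1-2:1.0: USB Mass Storage device detected
Mar 12 09:31:45 hmi01 kernel: usb 1-3: New USB device found, idVendor=3333, idProduct=4444
Mar 12 09:31:45 hmi01 kernel: hid-generic 0003:3333:4444.0003: input,hidraw1: USB HID v1.10 Keyboard [Vendor Keyboard] on usb-0000:00:14.0-3/input0
"""

# Hypothetical site approved-media list: (idVendor, idProduct) pairs issued to staff.
APPROVED = {("1111", "2222")}


@dataclass
class UsbDevice:
    name: str            # kernel device name, e.g. "1-1" (bus 1, port 1)
    vendor: str          # idVendor, lower-case hex
    product: str         # idProduct, lower-case hex
    storage: bool = False
    hid_keyboard: bool = False


# Patterns for the three kernel message shapes we correlate.
NEW_DEVICE = re.compile(
    r"usb (\S+): New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
MASS_STORAGE = re.compile(
    r"usb-storage (\S+?):\d+\.\d+: USB Mass Storage device detected")
HID_KEYBOARD = re.compile(
    r"hid-generic 0003:([0-9A-Fa-f]{4}):([0-9A-Fa-f]{4})\.[0-9A-Fa-f]+: .*USB HID v[\d.]+ Keyboard")


def parse_usb_events(log_text):
    """Build one UsbDevice per enumerated device, recording which interfaces it registered."""
    by_name = {}   # "1-1" -> UsbDevice (usb-storage lines reference the device name)
    by_id = {}     # (vendor, product) -> UsbDevice (hid-generic lines reference the ids)
    for line in log_text.splitlines():
        m = NEW_DEVICE.search(line)
        if m:
            dev = UsbDevice(name=m.group(1), vendor=m.group(2).lower(), product=m.group(3).lower())
            by_name[dev.name] = dev
            by_id[(dev.vendor, dev.product)] = dev
            continue
        m = MASS_STORAGE.search(line)
        if m and m.group(1) in by_name:
            by_name[m.group(1)].storage = True
            continue
        m = HID_KEYBOARD.search(line)
        if m:
            key = (m.group(1).lower(), m.group(2).lower())
            if key in by_id:
                by_id[key].hid_keyboard = True
    return list(by_id.values())


def assess(devices, approved):
    """Return {"vendor:product": [reasons]} for every device that warrants attention."""
    findings = {}
    for dev in devices:
        reasons = []
        # A storage stick that also types is the classic HID-injection shape; a file scan never sees it.
        if dev.storage and dev.hid_keyboard:
            reasons.append("HIGH: mass-storage device also registers a keyboard (possible HID injection)")
        # Anything not issued by the site should be checked before it touches a control network.
        if (dev.vendor, dev.product) not in approved:
            reasons.append("MEDIUM: device not on the approved-media list")
        if reasons:
            findings[f"{dev.vendor}:{dev.product}"] = reasons
    return findings


def find_risky_devices(log_text, approved=APPROVED):
    return assess(parse_usb_events(log_text), approved)


if __name__ == "__main__":
    for device, reasons in find_risky_devices(SAMPLE_LOG).items():
        for reason in reasons:
            print(f"{device}  {reason}")
```

On a real host the same functions can be fed `journalctl -k` or `/var/log/kern.log` output; the point of correlating by device rather than by single line is that the dangerous case is the combination of interfaces, which no per-line match or antivirus file scan reveals.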
About the author: Eric D. Knapp is Global Director of Cyber Security Solutions and Technology for HPS and a recognized expert in industrial control systems cyber security. Eric has more than 20 years of experience in Information Technology, specializing in industrial automation technologies, infrastructure security, and applied Ethernet protocols, as well as the design and implementation of Intrusion Prevention Systems and Security Information and Event Management Systems in both enterprise and industrial networks.
He has held senior technology positions at NitroSecurity, Intel Security/McAfee, and Wurldtech, and currently acts as the North American Technical Advisor to the Industrial Cyber Security Center.