Cybersecurity: Seven Steps to Effectively Defend Industrial Control Systems

Industrial Cybersecurity
Seven steps toward industrial cybersecurity.
Cyber intrusions into US Critical Infrastructure systems are happening with increased frequency. For many industrial control systems (ICSs), it’s not a matter of if an intrusion will take place, but when. In Fiscal Year (FY) 2015, 295 incidents were reported to ICS-CERT, and many more went unreported or undetected. The capabilities of our adversaries have been demonstrated and cyber incidents are increasing in frequency and complexity. Simply building a network with a hardened perimeter is no longer adequate. Securing ICSs against the modern threat requires well-planned and well-implemented strategies that will provide network defense teams a chance to quickly and effectively detect, counter, and expel an adversary. This paper presents seven strategies that can be implemented today to counter common exploitable weaknesses in “as-built” control systems.

If system owners had implemented the strategies outlined in this paper, 98 percent of incidents ICS-CERT responded to in FY 2014 and FY 2015 would have been prevented. The remaining 2 percent could have been identified with increased monitoring and a robust incident response.

1. IMPLEMENT APPLICATION WHITELISTING

Application Whitelisting (AWL) can detect and prevent attempted execution of malware uploaded by adversaries. The static nature of some systems, such as database servers and human-machine interface (HMI) computers, make these ideal candidates to run AWL. Operators are encouraged to work with their vendors to baseline and calibrate AWL deployments.

Example: ICS-CERT recently responded to an incident where the victim had to rebuild the network from scratch at great expense. A particular malware compromised over 80 percent of its assets. Antivirus software was ineffective; the malware had a 0 percent detection rate on VirusTotal. AWL would have provided notification and blocked the malware execution.

2. ENSURE PROPER CONFIGURATION/PATCH MANAGEMENT

Adversaries target unpatched systems. A configuration/patch management program centered on the safe importation and implementation of trusted patches will help keep control systems more secure.
Such a program will start with an accurate baseline and asset inventory to track what patches are needed. It will prioritize patching and configuration management of “PC-architecture” machines used in HMI, database server, and engineering workstation roles, as current adversaries have significant cyber capabilities against these. Infected laptops are a significant malware vector. Such a program will limit connection of external laptops to the control network and preferably supply vendors with known-good company laptops. The program will also encourage initial installation of any updates onto a test system that includes malware detection features before the updates are installed on operational systems.

Example: ICS-CERT responded to a Stuxnet infection at a power generation facility. The root cause of the infection was a vendor laptop.

Use best practices when downloading software and patches destined for your control network. Take measures to avoid “watering hole” attacks. Use a web Domain Name System (DNS) reputation system. Get updates from authenticated vendor sites. Validate the authenticity of downloads. Insist that vendors digitally sign updates, and/or publish hashes via an out-of-band communications path, and use these to authenticate. Don’t load updates from unverified sources.

Example: HAVEX spread by infecting patches. With an out-of-band communication path for patch hashes, such as a blast email, users could have validated that the patches were not authentic.
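As an added illustration of the hash check described above (this is not code from the ICS-CERT paper), the following Python verifies downloaded patch files against a sha256sum-style manifest received out-of-band, flagging altered, unlisted and missing files. The file names, contents and manifest are constructed; the manifest is derived in the code from the constructed "genuine" release only because no real vendor digests appear on the page.

```python
import hashlib
import hmac
from typing import Dict

def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of file contents (here the 'file' is an in-memory byte string)."""
    return hashlib.sha256(data).hexdigest()

def build_manifest(files: Dict[str, bytes]) -> str:
    """Stand-in for the vendor's out-of-band publication: a sha256sum-style
    manifest, one '<hex digest>  <filename>' line per file."""
    return "".join(f"{sha256_hex(d)}  {n}\n" for n, d in sorted(files.items()))

def parse_manifest(text: str) -> Dict[str, str]:
    """Map filename -> expected digest; blank and '#' comment lines are skipped."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        expected[name] = digest.lower()
    return expected

def verify_downloads(downloads: Dict[str, bytes], manifest: str) -> Dict[str, str]:
    """Classify every download as 'ok', 'mismatch' (contents differ from the
    published digest) or 'unlisted' (no digest published for it); manifest
    entries with no matching download are reported as 'missing'."""
    expected = parse_manifest(manifest)
    result = {}
    for name, data in downloads.items():
        if name not in expected:
            result[name] = "unlisted"
        elif hmac.compare_digest(sha256_hex(data), expected[name]):
            result[name] = "ok"
        else:
            result[name] = "mismatch"
    for name in expected:
        result.setdefault(name, "missing")
    return result

def safe_to_install(results: Dict[str, str]) -> bool:
    """Install only when every file is listed, present and matches."""
    return bool(results) and all(s == "ok" for s in results.values())

# Constructed sample data: the genuine release (used to derive the manifest the
# vendor would publish) and a download set in which one archive has been
# altered in transit and an extra, unlisted file has appeared.
GENUINE = {
    "hmi-patch-1.2.3.exe": b"MZ genuine HMI patch payload (constructed)",
    "driver-update-4.5.zip": b"PK genuine driver update (constructed)",
}
VENDOR_MANIFEST = build_manifest(GENUINE)
DOWNLOADED = {
    "hmi-patch-1.2.3.exe": GENUINE["hmi-patch-1.2.3.exe"],
    "driver-update-4.5.zip": GENUINE["driver-update-4.5.zip"] + b" (altered)",
    "setup-helper.exe": b"MZ file not named in the manifest (constructed)",
}

if __name__ == "__main__":
    results = verify_downloads(DOWNLOADED, VENDOR_MANIFEST)
    for name, status in results.items():
        print(f"{status:9} {name}")
    print("install allowed:", safe_to_install(results))
```

A hash comparison only helps when the manifest itself arrived by a path the download site cannot tamper with; a digest published on the same compromised site proves nothing.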

3. REDUCE YOUR ATTACK SURFACE AREA

Isolate ICS networks from any untrusted networks, especially the Internet. Lock down all unused ports. Turn off all unused services. Only allow real-time connectivity to external networks if there is a defined business requirement or control function. If one-way communication can accomplish a task, use optical separation (“data diode”). If bidirectional communication is necessary, then use a single open port over a restricted network path.

Example: As of 2014, ICS-CERT was aware of 82,000 cases of industrial control systems hardware or software directly accessible from the public Internet. ICS-CERT has encountered numerous cases where direct or nearly direct Internet access enabled a breach. Examples include a US crime lab, a dam, the Sochi Olympic stadium, and numerous water utilities.

4. BUILD A DEFENDABLE ENVIRONMENT

Limit damage from network perimeter breaches. Segment networks into logical enclaves and restrict host-to-host communications paths. This can stop adversaries from expanding their access, while letting the normal system communications continue to operate. Enclaving limits possible damage, as compromised systems cannot be used to reach and contaminate systems in other enclaves. Containment provided by enclaving also makes incident cleanup significantly less costly.

Example: In one ICS-CERT case, a nuclear asset owner failed to scan media entering a Level 3 facility. On exit, the media was scanned, and a virus was detected. Because the asset owner had implemented logical enclaving, only six systems were put at risk and had to be remediated. Had enclaving not been implemented, hundreds of hosts would have needed to be remediated.

If one-way data transfer from a secure zone to a less secure zone is required, consider using approved removable media instead of a network connection. If real-time data transfer is required, consider using optical separation technologies. This allows replication of data without putting the control system at risk.

Example: In one ICS-CERT case, a pipeline operator had directly connected the corporate network to the control network, because the billing unit had asserted it needed metering data. After being informed of a breach by ICS-CERT, the asset owner removed the connection. It took the billing department 4 days to notice the connection had been lost, clearly demonstrating that real-time data were not needed.

5. MANAGE AUTHENTICATION

Adversaries are increasingly focusing on gaining control of legitimate credentials, especially those associated with highly privileged accounts. Compromising these credentials allows adversaries to masquerade as legitimate users, leaving less evidence than exploiting vulnerabilities or executing malware. Implement multi-factor authentication where possible. Reduce privileges to only those needed for a user’s duties. If passwords are necessary, implement secure password policies stressing length over complexity. For all accounts, including system and non-interactive accounts, ensure credentials are unique, and change all passwords at least every 90 days.

Require separate credentials for corporate and control network zones and store these in separate trust stores. Never share Active Directory, RSA ACE servers, or other trust stores between corporate and control networks.

Example: One US Government agency used the same password across the environment for local administrator accounts. This allowed an adversary to easily move laterally across all systems.

6. IMPLEMENT SECURE REMOTE ACCESS

Some adversaries are effective at gaining remote access into control systems, finding obscure access vectors, even “hidden back doors” intentionally created by system operators. Remove such accesses wherever possible, especially modems as these are fundamentally insecure.
Limit any accesses that remain. Where possible, implement “monitoring only” access enforced by data diodes, and do not rely on “read only” access enforced by software configurations or permissions. Do not allow remote persistent vendor connections into the control network. Require any remote access be operator controlled, time limited, and procedurally similar to “lock out, tag out.” Use the same remote access paths for vendor and employee connections; don’t allow double standards. Use two-factor authentication if possible, avoiding schemes where both tokens are similar types and can be easily stolen (e.g., password and soft certificate).

Example: Following these guidelines would have prevented the BlackEnergy intrusions. BlackEnergy required communications paths for initial compromise, installation and “plug in” installation.

7. MONITOR AND RESPOND

Defending a network against modern threats requires actively monitoring for adversarial penetration and quickly executing a prepared response.
Consider establishing monitoring programs in the following five key places:
  1. Watch IP traffic on ICS boundaries for abnormal or suspicious communications.
  2. Monitor IP traffic within the control network for malicious connections or content.
  3. Use host-based products to detect malicious software and attack attempts.
  4. Use login analysis (time and place for example) to detect stolen credential usage or improper access, verifying all anomalies with quick phone calls.
  5. Watch account/user administration actions to detect access control manipulation.
Have a response plan for when adversarial activity is detected. Such a plan may include disconnecting all Internet connections, running a properly scoped search for malware, disabling affected user accounts, isolating suspect systems, and an immediate 100 percent password reset. Such a plan may also define escalation triggers and actions, including incident response, investigation, and public affairs activities.
Have a restoration plan, including having “gold disks” ready to restore systems to known good states.
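An added example, not from the ICS-CERT paper, of the login analysis in items 4 and 5 above: Python that checks constructed login and account-administration log lines against a per-account baseline of shift hours and source networks, producing a list of anomalies for an operator to verify by phone. The log format, account names, network ranges and baseline values are all assumptions.

```python
import ipaddress
from datetime import datetime
from typing import Dict, List

# Constructed baseline (assumption: built from the site's own records during
# baselining): each account's normal shift window, as [start, end) hours, and
# the source networks it normally logs in from.
BASELINE = {
    "operator1":  {"hours": (6, 18), "nets": ["10.20.0.0/24"]},
    "vendor_svc": {"hours": (8, 17), "nets": ["10.20.5.0/24"]},
}
# Account-administration events (item 5) that should always be reviewed.
ADMIN_EVENTS = {"GROUP_ADD", "USER_CREATE", "PRIV_CHANGE"}

def parse(line: str) -> Dict[str, str]:
    """Parse one constructed log line: '<ISO time> <EVENT> key=value ...'."""
    ts, event, *fields = line.split()
    rec = {"ts": ts, "event": event}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec

def analyze(lines: List[str]) -> List[str]:
    """Return one alert per anomaly, for a human to verify by phone (item 4)."""
    alerts = []
    for line in lines:
        rec = parse(line)
        when = datetime.fromisoformat(rec["ts"])
        if rec["event"] == "LOGIN":
            user, src = rec["user"], rec["src"]
            base = BASELINE.get(user)
            if base is None:
                alerts.append(f"{rec['ts']} login by unknown account {user} from {src}")
                continue
            start, end = base["hours"]
            if not start <= when.hour < end:
                alerts.append(f"{rec['ts']} off-hours login by {user} from {src}")
            addr = ipaddress.ip_address(src)
            if not any(addr in ipaddress.ip_network(n) for n in base["nets"]):
                alerts.append(f"{rec['ts']} {user} logged in from unusual network {src}")
        elif rec["event"] in ADMIN_EVENTS:
            alerts.append(f"{rec['ts']} {rec['event']} by {rec['by']} on "
                          f"{rec.get('target', '?')} (group={rec.get('group', '-')})")
    return alerts

# Constructed log lines: a normal operator login; the same account used at night
# from a network it never uses and then granting admin rights; a normal vendor
# login; and a login by an account with no baseline at all.
SAMPLE_LOG = [
    "2015-06-10T09:12:00 LOGIN user=operator1 src=10.20.0.15 host=HMI-1",
    "2015-06-10T23:41:00 LOGIN user=operator1 src=172.16.9.8 host=HMI-1",
    "2015-06-10T23:43:00 GROUP_ADD by=operator1 target=svc_backup group=Administrators",
    "2015-06-11T10:05:00 LOGIN user=vendor_svc src=10.20.5.7 host=EWS-2",
    "2015-06-11T10:30:00 LOGIN user=tmp_admin src=10.20.0.99 host=EWS-2",
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```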

Example: Attackers render Windows®-based devices in a control network inoperative by wiping hard drive contents. Recent attacks against Saudi Aramco™ and Sony Pictures demonstrate that quick restoration of such computers is key to restoring an attacked network to an operational state.

Defense against the modern threat requires applying measures to protect not only the perimeter but also the interior. While no system is 100 percent secure, implementing the seven key strategies discussed in this paper can greatly improve the security posture of ICSs.

DISCLAIMER

The information and opinions contained in this document are provided “as is” and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes.

ACKNOWLEDGMENT

This document “Seven Steps to Effectively Defend Industrial Control Systems” was written in collaboration, with contributions from subject matter experts working at the Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA).

Using Eductors for Non-Powered Tank Mixing

Eductor for tank mixing (courtesy of Jacoby Tarbox)
An eductor is a pump that uses a fluid to perform the work of pumping another fluid (or solid). The fluid doing the work is termed the motive fluid, and the fluid being pumped is the suction fluid. The motive fluid employed can be liquid, gas or steam. The suction fluid can be liquid, gas or steam. Other names for eductors include jet pumps, ejectors, Venturi pumps, siphon pumps, steam siphons, and injector pumps. Eductors operate on basic principles of flow dynamics.

Eductors require no power and have no moving parts. The design of the eductor creates a pressure differential that lets fluid flow naturally through the device, creating suction, mixing, and pushing the liquid throughout the tank.

In-line eductors are the next generation of jet pumps, ejectors, and Venturi pumps, providing in-line mixing, pumping, or heating in various process lines. Eductors reduce costs because they have no moving parts and require no direct power.

The video below, while marketing oriented, does a great job at demonstrating how tank mixing is accomplished efficiently and thoroughly with an array of eductors by calculating tank size and volume along with material properties to develop a mixing profile.


For more information, contact:

Mead O'Brien
(800) 892-2769
www.meadobrien.com

Theory of Operation for MOVs (Motor Operated Valves)

Limitorque SMB MOV
This presentation, provided by the NRC, provides an introductory look at motor operated valves, with a focus on the manufacturer Limitorque. The document includes the theory of operation of MOVs, plus descriptions of valve types, such as gate, globe, ball, plug and butterfly.

This document also provides detailed descriptions of Limitorque SMB actuators and Limitorque SB actuators with full assembly and subassembly breakdown and illustrations.




Document provided by NRC.gov

Configuring a Foxboro PH10 Sensor Using the Foxboro 876PH Transmitter

pH and ORP sensor (courtesy of Foxboro)
The PH10 DolpHin® Series pH Sensors and ORP10 DolpHin Series ORP Sensors are suitable for a wide range of pH and ORP measurement applications. They are designed for use with Foxboro® brand 875PH, 873PH, and 873DPX Analyzers, and 876PH Intelligent Transmitters and 870ITPH Transmitters. Some can also be used with 873APH Analyzers. When used with 875PH Analyzers or 876PH and 870ITPH Transmitters, they provide the additional capability of on-line diagnostics to signal the user if any of several common sensor faults occur.

The sensors are available with a choice of temperature compensation and cable termination. They are available with an internal pre-amplifier for use up to 150 m (500 ft) and with a Smart sensor for use up to 100 m (328 ft) from the analyzer or transmitter. The sensors can be mounted to the process in a number of ways. They have a 3/4-inch external NPT connection on both the electrode and cable end. The sensors can be inserted directly into the process line or tank or mounted through a variety of accessories including bushings, tees, flow chambers, and ball valves/insertion assemblies. The sensors are available in both analog and Smart versions.

These industry-leading sensors are already proven in countless installations including chemicals, pulp & paper, all kinds of industry and municipal water/wastewater treatment, metals/mining, and food and dairy applications worldwide.

The Foxboro® brand Model 876PH is a 2-wire loop powered intelligent transmitter that, when used with appropriate electrochemical sensors, provides measurement, local display, and transmission of pH, ORP (Oxidation-Reduction Potential), or ISE (Ion Selective Electrode) concentration. The transmitter outputs a HART digital signal and a 4 to 20 mA analog output. Versions are available for use with both analog and Smart (digital) sensors.

This video demonstrates how to correctly configure a Foxboro® PH10 sensor using the Foxboro® 876PH Transmitter.



For more information, contact:

Mead O'Brien
www.meadobrien.com
(800) 892-2769

The Rack and Pinion Style Pneumatic Valve Actuator

Rack & Pinion Actuator (courtesy of Flowserve Automax)
Three primary kinds of valve actuators are commonly used: pneumatic, hydraulic, and electric.

Pneumatic actuators can be further categorized as scotch yoke design, vane design, and the subject of this post - rack and pinion actuators.

Rack and pinion actuators provide a rotational movement designed to open and close quarter-turn valves such as ball, butterfly, or plug valves and also for operating industrial or commercial dampers.

The rotational movement of a rack and pinion actuator is accomplished via linear motion and two gears. A circular gear, referred to as the “pinion”, engages the teeth of a linear gear “bar” referred to as the “rack”.

Pneumatic actuators use pistons that are attached to the rack. As air or spring power is applied to the pistons, the rack is “pushed” inward or “pulled” outward. This linear movement is transferred to the rotary pinion gear (in both directions), providing bi-directional rotation.

Visual of rack and pinion (courtesy of Wikipedia)
Rack and pinion actuator pistons can be pressurized with air, gas, or oil to provide the linear movement that spins the pinion gear. To rotate the pinion gear in the opposite direction, the air, gas, or oil must be redirected to the other side of the pistons, or coil springs must be used as the energy source for rotation. Rack and pinion actuators using springs are referred to as "spring-return actuators". Actuators that rely on opposite-side pressurization of the rack are referred to as "direct acting".

Most actuators are designed for 100-degree travel with clockwise and counterclockwise travel adjustment for the open and closed positions. World standard ISO mounting pads are commonly available to provide ease and flexibility in direct valve installation.

NAMUR mounting dimensions on actuator pneumatic port connections and on actuator accessory holes and drive shaft are also common design features to make adding pilot valves and accessories more convenient.

Fully automated valve with rack and pinion actuator, solenoid, and limit switch.
Pneumatic rack and pinion actuators are compact and save space. They are reliable, durable and provide a good life cycle. There are many brands of rack and pinion actuators on the market, all with subtle differences in piston seals, shaft seals, spring design and body designs.

For more information on any pneumatic or electric valve automation project, contact:

Mead O’Brien, Inc.
www.meadobrien.com
10800 Midwest Industrial Blvd
St. Louis, Missouri 63132
Phone (314) 423-5161
Toll Free (800) 874-9655
Fax (314) 423-5707
Email: meadstl@meadobrien.com

Pneumatic Instruments

Pneumatic transmitters (courtesy of Foxboro)
Air pressure may be used as an alternative signaling medium to electricity. Imagine a pressure transmitter designed to output a variable air pressure according to its calibration rather than a variable electric current. Such a transmitter would have to be supplied with a source of constant-pressure compressed air instead of an electric voltage, and the resulting output signal would be conveyed to the indicator via tubing instead of wires:


The indicator in this case would be a special pressure gauge, calibrated to read in units of process pressure although actuated by the pressure of clean compressed air from the transmitter instead of directly by process fluid. The most common range of air pressure for industrial pneumatic instruments is 3 to 15 PSI. An output pressure of 3 PSI represents the low end of the process measurement scale and an output pressure of 15 PSI represents the high end of the measurement scale. Applied to the previous example of a transmitter calibrated to a range of 0 to 250 PSI, a lack of process pressure would result in the transmitter outputting a 3 PSI air signal and full process pressure would result in an air signal of 15 PSI. The face of this special “receiver” gauge would be labeled from 0 to 250 PSI, while the actual mechanism would operate on the 3 to 15 PSI range output by the transmitter. As with the 4-20 mA loop, the end-user need not know how the information gets transmitted from the process to the indicator. The 3-15 PSI signal medium is once again transparent to the operator.

Typically, a 3 PSI pressure value represents 0% of scale, a 15 PSI pressure value represents 100% of scale, and any pressure value in between 3 and 15 PSI represents a commensurate percentage in between 0% and 100%. The following table shows the corresponding pressure and percentage values for each 25% increment between 0% and 100%. Every instrument technician tasked with maintaining 3-15 PSI pneumatic instruments commits these values to memory, because they are referenced so often:

  Percent of scale    Output pressure
  0%                  3 PSI
  25%                 6 PSI
  50%                 9 PSI
  75%                 12 PSI
  100%                15 PSI

Using the Foxboro model 13A pneumatic differential pressure transmitter as an example, the video below highlights the major design elements of pneumatic transmitters, including an overview of "maximum working pressure" versus "maximum measurement range" pressure.

The Foxboro model 13A pneumatic d/p cell transmitters measure differential pressure and transmit a proportional pneumatic output signal.


The information above is attributed to Tony Kuphaldt and is licensed under the Creative Commons Attribution 3.0.

Mead O'Brien: Steam and Hot Water System Experts


Let Mead O’Brien help you create a sustainable Steam Trap Management Process!
  • Trained Survey Technicians 
  • Traps located and identified, tagged with SS tag #, and data logged with up to 27 fields of useful data per trap 
  • Executive summary, Failed trap report with steam & dollar losses, detailed Log sheets, and Recommendations are all provided in a professional report. 
  • Monitoring options presented for critical service applications 
  • Steam flow measurement design 
  • Heat recovery potential 
  • Training options in a live steam lab 
Realize the Savings Now!
  • Reduce steam & condensate losses 
  • Reduce loss of boiler chemicals 
  • Improve heat transfer performance 
  • Prevent coil and heat exchanger damage 
  • Minimize water hammer hazards 


Mead O’Brien and Armstrong, more than 85 years of Steam & Hot Water System Optimization

  • Steam Distribution
  • Process Heat Transfer and Control
  • Condensate Return
  • Heat Recovery Opportunities
  • Process, Ambient & Combustion Air
  • Steam Trap Surveys & Database Creation 
  • Humidification Assessment
  • Application issues
    • Coil Freezing Issues
    • Poor Heat Transfer & Steam Control
    • Water Hammer Issues
    • High Backpressure
  • Steam & Condensate Measurements, Control & Monitoring

Learning Systems:

  • Armstrong University
  • Over 125 web-based courses 
  • Mead O’Brien Live Steam Lab
  • Content Tailored for Plant Need