
3 Posts authored by: Bryan Owen Employee

The New Year is here already, and with it comes the 10th annual Digital Bond S4 conference on industrial control system security. Experts shared a mostly optimistic mood for OT security in 2017. A summary of main stage highlights is below. We’ll comment on the technical deep dives and our capture the flag contest in subsequent posts (spoiler alert: clean shirts for us, the ‘pie in the face’ flag still stands!).


Optimism stems from market leaders releasing new generations of security hardened solutions. Security development lifecycle (SDL) investments are bearing fruit and ushering in a welcome shift in technology.  At last, critical infrastructure providers can plot a course of upgrades and sunset their fragile, ‘insecure by design’ systems.

OSIsoft and the modern PI Server have contributed to this widespread optimism with major releases in 2015 and PI API 2016 for Windows Integrated Security. SDL-hardened application code on Windows Server Core, along with a reference architecture using high availability and web application services for PI visualization, is a very effective defensive strategy for the PI System.

Some of the S4 presentations documented the high cost of ‘digital carelessness’, with case studies ranging from ransomware affecting industrial control systems to the ongoing targeted attacks on Ukrainian critical infrastructure. It appears no amount of bolt-on security solutions can keep pace with threats.

The US Department of Justice National Security Division and global law enforcement have ramped up activities following breaches in central banking (Bangladesh) and the SWIFT global financial network. Banking was once considered sacrosanct. Domestically, we observe the Federal Trade Commission filing a complaint against D-Link for failure to take reasonable steps to secure routers and Internet-protocol cameras. This is perhaps a ‘shot across the bow’ that all IoT solution providers will be watching.

Richard Clarke (former National Coordinator for Security, Infrastructure Protection and Counter-terrorism) called for regulators to impose a deadline for addressing critical infrastructure protection. While conceding an unfavorable political climate for forcing such a mandate, Clarke cited Y2K as a model for accelerating massive updates.

Whether you believe Y2K was a preemptive success or an overblown farce, the example has an interesting parallel with SDL because remediation was also code-centric. A key distinction, however, is the identification of potential issues. Testing for Y2K was straightforward, but this isn’t the case for cyber security.

Methods for assessing software reliability and security are potentially endless. Our objectives this year include metrics to monitor SDL processes. We are also studying ways to catalog and publish industry benchmark reports such as Microsoft BinSkim, Cyber-ITL.org, and Mozilla Observatory.

The adoption rate of hardened software versions in the field is still an elusive metric. In the meantime we have initiatives designed to provide you with improved visibility over your PI System infrastructure and health. You can learn more and provide ideas in just a few months during UC 2017 in San Francisco!

In provisioning a PI System for an independent cyber security assessment later in Q4, the team is tasked with deploying a lab that closely mimics a professionally managed enterprise security infrastructure.


Why? The stakeholders in this project aren’t so interested in theoretical defenses as in being able to make informed decisions about baseline defensibility. For instance, understanding the level of effort to address residual risks is useful in evaluating TCO.


So we return to the task of building out a lab to match a professional security infrastructure. The obvious answer is to follow industry benchmarks. Coincidentally, the tools and benchmarks we selected were recently summarized at ADsecurity.org by Sean Metcalf (@PyroTek3). Thanks Sean!

Securing Windows Workstations: Developing a Secure Baseline (Active Directory Security)


It’s great to see this kind of guidance condensed in a straightforward manner. The advice is centered on Windows workstations. About the only difference we plan for the PI System servers, including PI Coresight, is to deploy in 'Server Core' mode by removing the GUI. Server Core mode is the Microsoft default and is recommended by OSIsoft. Although not yet a majority statistic, we do observe PI System deployments increasingly taking advantage of Server Core (mostly because there is less patching).
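As an added example (not code from the original post or from OSIsoft), a PowerShell check that reports whether a Windows Server 2012 R2 host is already running without the GUI, and previews the feature removal that converts it to Server Core; it assumes Server 2012 R2, where the GUI can be removed and re-added with the ServerManager cmdlets.

```powershell
# Added example, not OSIsoft's code. Assumes Windows Server 2012 R2,
# where the GUI is an installable feature that can be removed in place.
Import-Module ServerManager

# The two features that make up the full GUI on Server 2012 R2.
$guiFeatures = 'Server-Gui-Mgmt-Infra', 'Server-Gui-Shell'

function Get-GuiState {
    # One object per GUI feature with its InstallState
    # (Installed / Available / Removed).
    Get-WindowsFeature -Name $guiFeatures | Select-Object Name, InstallState
}

function Test-ServerCore {
    # True when neither GUI feature is installed, i.e. the host is Server Core.
    -not (Get-WindowsFeature -Name $guiFeatures | Where-Object { $_.Installed })
}

Get-GuiState

if (Test-ServerCore) {
    Write-Output 'Host is already running in Server Core mode.'
} else {
    # -WhatIf only previews the change; drop it (and add -Restart) to convert.
    # Removing the shell reboots the server and ends any interactive GUI session.
    Uninstall-WindowsFeature -Name $guiFeatures -WhatIf
}
```

Keep the PI System services stopped during the conversion and verify with Get-GuiState after the reboot; PI Coresight and the other PI servers need only the Server Core components.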


My overall confidence in a Windows 2012 R2 baseline selection for this project is good. Our teams in the field observe that most enterprises deploy PI Systems on hardened images customized by IT; hardly any enterprise runs with Windows default settings. Please add comments if there is a different baseline we should be considering for this kind of independent assessment, or imagine what you would like to have should we make the PI System available as a virtual image.

The summer of 2016 set new highs for cyber security regulation. In North America, a strengthened version of critical infrastructure protection (CIP) standards for the bulk electric system became enforceable. The Federal Energy Regulatory Commission also issued Order 829 to address supply chain risk management for industrial control systems. In Europe, the strict Network and Information Security (NIS) directive passed parliament and starts the clock for compliance deadlines affecting member states and their critical infrastructure operators.


The penalty structure for NERC CIP can be as high as $1m per day per violation. The NIS Directive allows for fines of up to €10m. As a result we observe companies investing in serious cyber security programs. We are especially interested in finding ways to make your security team more effective.


Effective incident response is a common theme across these regulatory standards. Perhaps law is following industry hype: ‘Be prepared, not scared’ and the FBI’s ‘there are two types of companies: those that have been hacked and those that don't know it yet’. Or perhaps the standards attempt to codify simple wisdom like Ben Franklin’s ‘An ounce of prevention is worth a pound of cure.’


In terms of OSIsoft:

  • What incident response triggers are relevant to the PI System?
  • Are there opportunities for collaboration on incident response activities?


These high-level questions and others are in scope for a cyber security project with Chevron. Initial findings suggest incident response for industrial control systems is far from trivial, especially amongst large organizations.

Ryan Cheff, Oronite Manufacturing Technical Architect, shares insights on the project in this joint presentation at the OSIsoft User Conference 2016. You can find the presentation here.


Aspects of the NIS Directive will be discussed in more detail next month during the EMEA Users Conference 2016 in Berlin. The session on NIS is part of the Industrial IT track on day 2. Please reach out should your company be interested in exploring a partnership on NIS requirements.


The summer of cyber bow-ties shows the PI System as part of a kill chain analysis that helps you defend industrial control systems. Working in partnership, we can better address your needs for effective incident response.