SecurityWeek has talked to representatives of industrial giants Siemens and Rockwell Automation to find out how they help customers address some of the most pressing cybersecurity challenges.
Cyberattacks can cause significant disruptions and losses for organizations that rely on industrial control systems (ICS) or other operational technology (OT), whether they directly target ICS, such as in the case of the recent water sector attacks, or they indirectly impact ICS, such as in the case of ransomware attacks, where impact may spill over from the IT environment.
Siemens ProductCERT, which manages security issues related to Siemens products and services, told SecurityWeek that the attacks it commonly sees result in privacy breaches and production halts.
The root cause in many incidents is related to missing or poor password security, which is often a result of integrators using no password or the same — often simple — password in multiple instances in an effort to simplify servicing.
Siemens’ security experts often see systems that have not been updated for years, as well as systems that are not protected and exposed to the internet.
The industrial giant’s investigations typically reveal that attackers concentrate on the IT environment surrounding the OT components, rather than exploiting vulnerabilities in the OT components themselves.
Yet, Siemens ProductCERT is aware that the exploitation of a vulnerability in a product used by many organizations worldwide can be devastating, as shown by the 2017 WannaCry ransomware attack, which mostly hit IT systems but also represented a risk to ICS.
WannaCry spread by exploiting a Windows SMBv1 vulnerability (patched by Microsoft in MS17-010) using the EternalBlue exploit. It impacted medical devices from several vendors, including Siemens, which released patches at the time to prevent exploitation.
The same EternalBlue exploit was used roughly six weeks after the WannaCry attack in the NotPetya malware attack, which combined it with credential theft for lateral movement and caused significant losses for many big companies.
For Joshua Newton, who deals with product security in Rockwell Automation’s Lifecycle Services group, the NotPetya attack is the best example of a significant attack hitting ICS environments, as the cyberattack disrupted the entire operations of manufacturers and had a serious impact on the global supply chain.
“In most circumstances, the IT network is the attack vector, and unpatched or End of Life industrial control system Windows operating systems make easy targets to cause disruption if not damage,” Newton told SecurityWeek.
It’s clear from these statements that global events such as WannaCry and NotPetya are a top concern for industrial automation giants. So what are Siemens — specifically its ProductCERT team — and Rockwell Automation doing to help protect customers against such incidents?
ICS was initially not designed with cybersecurity in mind, with many arguing that such devices could not be hacked because they were air-gapped from the rest of the network. The convergence between IT and OT and the growing need to access industrial systems remotely have since led ICS vendors to take a new approach and invest significant resources in cybersecurity.
In addition to creating in-house cybersecurity teams and units providing security services and solutions to customers, industrial giants such as Siemens and Rockwell Automation have teamed up with specialized firms for comprehensive industrial cybersecurity.
Siemens, for instance, has been working with Palo Alto Networks and Nozomi Networks, while Rockwell has been working with Claroty, Dragos and Fortinet, and even acquired ICS/OT security company Verve last year.
For the Siemens ProductCERT unit the goal is to increase transparency and help customers make informed decisions in terms of vulnerability handling.
Siemens ProductCERT publishes security advisories every Patch Tuesday, addressing hundreds of vulnerabilities every year, which, it says, is a testament to the company’s focus on security rather than an indication that its products are more vulnerable than those of other vendors.
“The number of security issues that are found, handled, and disclosed to integrators and customers by Siemens is comparable to major IT vendors and outshines most OT vendors,” Siemens ProductCERT said.
ProductCERT has been working with other product teams to scale the vulnerability handling process using automation while keeping up with new standards and customers’ needs.
Specifically, Siemens’ advisories are also published in the machine-readable Common Security Advisory Framework (CSAF) JSON format, so that customers can ingest them into their own asset and vulnerability management tooling rather than reading each advisory by hand.
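The kind of automated processing CSAF is meant to enable, as an added example (this is not Siemens’ tooling or a real advisory): the script below parses a constructed CSAF 2.0 document, resolves the product IDs in its product tree, evaluates each leaf’s version range against a small constructed OT asset inventory, and reports which CVEs apply to each asset and whether a vendor fix exists. The vendor, product, advisory ID and CVE IDs are hypothetical placeholders, and only single-constraint `vers:` ranges are handled.

```python
"""Triage a CSAF 2.0 advisory against an OT asset inventory (added example)."""
import json
import operator
import re

# Constructed sample advisory. Hypothetical vendor, product, advisory ID and
# CVE IDs; only the document shape follows CSAF 2.0.
SAMPLE_ADVISORY = json.dumps({
    "document": {
        "category": "csaf_security_advisory", "csaf_version": "2.0",
        "title": "Example PLC: multiple vulnerabilities",
        "tracking": {"id": "EXAMPLE-ADV-0001", "status": "final", "version": "1"},
    },
    "product_tree": {"branches": [{
        "category": "vendor", "name": "Example Vendor", "branches": [{
            "category": "product_name", "name": "Example PLC", "branches": [
                {"category": "product_version_range", "name": "vers:all/<2.1",
                 "product": {"product_id": "CSAFPID-0001", "name": "Example PLC < V2.1"}},
                {"category": "product_version_range", "name": "vers:all/>=2.1",
                 "product": {"product_id": "CSAFPID-0002", "name": "Example PLC >= V2.1"}},
            ]}]}]},
    "vulnerabilities": [
        {"cve": "CVE-1900-0001",
         "product_status": {"known_affected": ["CSAFPID-0001"], "fixed": ["CSAFPID-0002"]},
         "scores": [{"cvss_v3": {"version": "3.1", "baseScore": 9.8}, "products": ["CSAFPID-0001"]}],
         "remediations": [{"category": "vendor_fix", "details": "Update to V2.1 or later",
                           "product_ids": ["CSAFPID-0001"]}]},
        {"cve": "CVE-1900-0002",
         "product_status": {"known_affected": ["CSAFPID-0001", "CSAFPID-0002"]},
         "scores": [{"cvss_v3": {"version": "3.1", "baseScore": 5.3},
                     "products": ["CSAFPID-0001", "CSAFPID-0002"]}],
         "remediations": [{"category": "mitigation",
                           "details": "Restrict port 102/tcp to engineering stations",
                           "product_ids": ["CSAFPID-0001", "CSAFPID-0002"]}]},
    ],
})

# Constructed inventory: (asset name, product name as the vendor spells it, installed version).
INVENTORY = [
    ("plc-line1", "Example PLC", "2.0"),
    ("plc-line2", "Example PLC", "2.3"),
    ("hmi-line1", "Other HMI", "1.0"),
]

_OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
        ">=": operator.ge, "=": operator.eq, "!=": operator.ne}


def _vtuple(version):
    """'V2.1' -> (2, 1): compare numerically, ignoring a vendor 'V' prefix."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


def version_in_range(version, vers_spec):
    """Evaluate a single-constraint vers range such as 'vers:all/<2.1'.

    '*' matches everything; '|'-joined multi-constraint ranges are rejected
    rather than silently mis-evaluated.
    """
    scheme, _, constraint = vers_spec.partition("/")
    if not scheme.startswith("vers:") or not constraint:
        raise ValueError(f"not a vers range: {vers_spec!r}")
    if constraint == "*":
        return True
    if "|" in constraint:
        raise ValueError(f"multi-constraint range not handled here: {vers_spec!r}")
    m = re.fullmatch(r"(<=|>=|!=|<|>|=)?(.+)", constraint)
    op, bound = m.group(1) or "=", m.group(2)
    return _OPS[op](_vtuple(version), _vtuple(bound))


def leaf_products(tree):
    """Flatten product_tree branches into {product_id: (product_name, vers_spec)}."""
    out = {}

    def walk(branches, product_name):
        for b in branches:
            pname = b["name"] if b["category"] == "product_name" else product_name
            if "product" in b:
                # A fixed product_version leaf is treated as an exact-match range.
                spec = b["name"] if b["category"] == "product_version_range" else "vers:all/=" + b["name"]
                out[b["product"]["product_id"]] = (pname, spec)
            walk(b.get("branches", []), pname)

    walk(tree.get("branches", []), None)
    return out


def triage(advisory_json, inventory):
    """Return {asset: [{'cve', 'cvss', 'vendor_fix_available'}, ...]} for known_affected matches."""
    adv = json.loads(advisory_json)
    products = leaf_products(adv.get("product_tree", {}))
    report = {}
    for asset, pname, version in inventory:
        matching_ids = {pid for pid, (n, spec) in products.items()
                        if n == pname and version_in_range(version, spec)}
        findings = []
        for vuln in adv.get("vulnerabilities", []):
            hit = set(vuln.get("product_status", {}).get("known_affected", [])) & matching_ids
            if not hit:
                continue
            score = max((s["cvss_v3"]["baseScore"] for s in vuln.get("scores", [])
                         if hit & set(s.get("products", []))), default=None)
            fix = any(r["category"] == "vendor_fix" and hit & set(r.get("product_ids", []))
                      for r in vuln.get("remediations", []))
            findings.append({"cve": vuln.get("cve"), "cvss": score, "vendor_fix_available": fix})
        report[asset] = findings
    return report


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_ADVISORY, INVENTORY), indent=2))
```

Running this against the constructed data lists both CVEs for the V2.0 controller (one with a vendor fix available) and only the unfixed one for the V2.3 controller, which is exactly the "documented state of the system" that lets a plant weigh a patch window against the known exposure. In practice the inventory would come from an OT asset discovery tool and the advisory from the vendor's CSAF feed.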
“Customers who are interested in the security of their system can now have the clarity that without patching and upgrading, a severe number of vulnerabilities pile up in their installation in a very short time,” Siemens’ ProductCERT team said.
It added, “This documented state of their system is important. Management can now weigh it against the cost of updating and decide. Without proper transparency of vulnerabilities, the people responsible for the system would be blind in that regard.”
Ultimately, however, it’s still up to the customer whether they deploy security patches, and many industrial organizations remain hesitant because of the potential disruption caused by updates. Siemens ProductCERT cited several reasons.
First, the evaluation of a vulnerability’s impact and exposure along the supply chain can be an expensive task that often needs to be carried out manually. “The industry is yet to discover a more efficient way to achieve this goal,” it said.
“Even after investing budget on creating awareness about the current security posture and state of software security patches, applying the identified patches can be challenging as availability of the systems may be impacted,” Siemens ProductCERT explained. “The great variety of types of patches between manufacturers also implies the risk of introducing incompatibilities into a previously working system. Along with this there is also the concern that certain configurations might be affected as the vendor has no way of assuring that all possible scenarios are maintained, especially for legacy systems.”
“We also need to take into consideration that the most important hesitation seems to be related to financial and business requirements. Maintaining and updating infrastructure is seen as a cost factor and not as an inherent necessity to keep the business alive,” it added. “And there is no incentive or mandate for any maintenance window for patching.”
Rockwell Automation addressed a different aspect of ICS/OT security: convincing customers to take security seriously and invest in it.
The first hurdle is convincing customers to allocate funds for OT cybersecurity, which, according to Rockwell’s Newton, is really a conversation about risk.
“The cost of an event, based on the potential impact on production, is something that can be quantified. During my years as an OT Network Security Consultant, these were conversations based on qualitative assumptions and were used to make real-time design decisions. Customers are becoming more sophisticated, however, and are shifting to a more quantitative, data-driven justification for risk profiling,” Newton explained.
Travis Tidwell, senior sales executive in Rockwell Automation’s Cyber Security Services unit, provided an example from the trenches.
“Recently, at a leading consumer goods manufacturer, we performed risk assessments at the plants, interviewed plant level stakeholders, strategized with the CISO, reviewed plant network architectures, and distilled this work down to identify their highest risk items,” Tidwell said. “Because a business case was made, the team was able to create and approve a budget and security program based on these efforts.”
A bigger issue is convincing customers to swap out old and insecure equipment and getting them past the ‘it doesn’t need to be replaced as long as it still works’ mentality, which is prevalent in many industrial organizations.
“This is still a risk conversation but is more challenging in some ways,” Newton said. “Under most circumstances, upgrading control systems is not simple. Families of control systems are tightly woven into their version support and functionality and will usually require an entire system to be upgraded, not just a single device.”
Tidwell added, “Additionally, an equipment modernization project will typically fall under the Plant Manager’s budget and may require collaboration between the Plant Manager and the CISO to fund the project. Implementing security controls is most likely less expensive than a modernization project. Hence, security controls may need to be put in place while working on a plan for the larger modernization project.”
That in turn leads to the third challenge: convincing organizations to deploy cybersecurity products, and assuring them that those products will not disrupt industrial processes.
“Historically, the methodology has been to avoid implementing security controls that have the ability to impact production or be the cause of plant downtime. This is why Intrusion Detection Systems (IDS) such as Claroty and Dragos have been so popular. Another popular method has been segmentation, but we have to always educate that segmentation is not a security control in and of itself, but an enabler for implementation of security controls,” Newton said.
“However, there are customers in the last few years that have been maturing into more preventative controls such as Endpoint Detection & Response (EDR) and Next-Gen Firewall features that have the ability to block potentially malicious activity,” he added.
Even so, Newton says that getting such controls deployed remains a prevailing challenge. “The OT environment still struggles with the most basic measures to reduce risk such as patching and updates. Even trusted OT cyber security consultants with a proven track record are typically not enough,” Newton explained.
The best approach, according to Newton, “is through Proof of Concept (PoC) engagements where a representative subset of the system is tested with a security technology and through the success of that PoC, trust can be slowly built.”