I don’t know whether you’ve noticed recently, but the number of cybersecurity alerts issued by CISA (Cybersecurity and Infrastructure Security Agency) seems to be increasing at an alarming rate.  The latest alert I’ve seen now relates to GPS tracking systems for children.  A device which is supposed to keep your children, pets, and elderly loved-ones safe, which has been sold online in the hundreds of thousands, now appears to have a number of vulnerabilities that can potentially be exploited by attackers.  This was just one notification I saw, which was closely followed by one regarding a nation state issued malware attack from North Korea: ELECTRICFISH and BADCALL, referred to as HIDDEN COBRA.  

According to CISA, the malware implements a custom protocol that allows traffic to be tunneled between a source and a destination Internet Protocol (IP) address. The malware continuously attempts to reach out to the source and the target system, which allows either side to initiate a tunneling session. The malware can be configured with a proxy server/port and proxy username and password. This feature allows connectivity to a system sitting inside of a proxy server, which allows the threat agent to bypass the compromised system’s required authentication to reach outside of the network.  These are just an example of the type of alerts coming out of CISA and I’m sure, like me, many of you receive these updates on a daily basis.

Therefore, when it comes to plant networks and control systems, how secure are they, really? It’s been almost three years since IEC61511 was updated to include Clause 8.2.4 requiring a cybersecurity assessment to be carried out on Safety Instrumented Systems (SIS) but how many companies have really done this?  Many end users I’ve talked to believe that it is the responsibility of the automation vendors to take care of this and trust them to undertake this task.  However, it’s not the automation contractor’s responsibility to do this; it falls on the end users.  Even then, many automation contractors will take care of their equipment via hardening or the use of custom firewalls, but this doesn’t extend to the remaining network and network devices.  Another myth that we’ve come across, here at exida, is that if the SIS is “air-gapped” and runs anti-virus software, then there’s no need to worry and/or do anything.  This couldn’t be further from the truth.  The fact is that anti-virus needs to be updated frequently, which won’t happen with a SIS or Basic Process Control System (BPCS), plus a SIS will require some means of programming and/or communication.  These are potential vulnerability points and for this reason it’s very important to ensure the SIS is properly protected from any potential cyber incursions.  Another myth is that a cybersecurity assessment will cost $50,000 or more, which again isn’t true.  It’s true that some consulting firms have created this perception but again a high-level assessment can be done in just one or two days at site. The cost will be far less and can be managed via Opex budgets, with minimal investment. Therefore, can you afford not to do this?

If you have an existing control system, with SIS and BPCS, that’s not been evaluated, then it may be a good idea to consider undertaking a cybersecurity assessment.  If you’d like to know more about how to achieve this and to meet the IEC61511 requirements, then look out for the upcoming, free, webinar on this subject.