I am not sure if this would fit best as a Pro-tip or How not to... article. However, I think may be a worthwhile investment in making a new series, dedicated to some very basic cyber security stuff.
Back to main course... A lot of people want to tie Internet of Things (IoT), machine learning (ML) or artificial intelligence (AI) into their automation systems. Inevitably, this is initiated by a sales guy who talks to the procurement people or an engineer from corporate with bold and exotic promises. These include (but are not limited to)...
These all have a number of positive points. Someone else takes a significant load off your back, it is all automated and lower cost than having someone manually deal with your system and they are certainly going to catch things you would miss, if you have a large enough system.
But let us cover the downsides. Most industrial systems have at least one or two legacy PLCs that you cannot secure (SLCs, S5s, etc.) Many smaller systems do not separate their IT and OT networks, meaning people getting access to a single port on the system suddenly have access to absolutely everything there and you may not have the staff to run in manual during your moment on the receiving end of a cyber attack.
A friend just came back from WEFTEC and told me each of the sales guys said "The application is read only and cannot talk to your devices." I verified that it was a network connection with him, then reviewed how TCP works.
Me: Hi Alfred! I would like to see how you are doing today.
Him: Hi Nick! I think you just said "I would like to see how you are doing today." Can you confirm?
Me: Hi Alfred! I confirm.
TCP has to respond. It cannot not respond and get a communication. (More on TCP and UDP here, here and here.)
Anyway, the networked version of this conversation (using MODBUS as an example) is more like this...
AI: Hey Variable Frequency Drive (VFD)! Can I get all MODBUS addresses between 1 & 30, offset to 6400?
VFD: Hey AI! I think you said "Can I get all MODBUS addresses between 1 & 30, offset to 6400?"
AI: Yes!
If you have a firewall in between, the conversation looks like this (which is better).
AI: Hey Variable Frequency Drive (VFD)! Can I get all MODBUS addresses between 1 & 30, offset to 6400?
Firewall: Communications from the AI to the VFD are on a whitelist. I will pass this along!
VFD: Hey AI! I think you said "Can I get all MODBUS addresses between 1 & 30, offset to 6400?"
Firewall: That seems like a perfectly reasonable request, as you are responding to a whitelisted request. I will pass this along!
AI: Yes!
A simple adversary getting in could be blocked by this. For example...
Adversary: Hey VFD! Can you write 0 to all MODBUS addresses between 5 & 42?
Firewall: This communication is not on the ACL. I will drop the packet.
Imagine the networked address a few years in after an adversary gets into your vendor's networks. (A clever adversary would break in on the vendor's end, as they already know they are patched into your juicy systems and outside the firewall.
Corrupted AI: Hey VFD! Can you write 0 to all MODBUS addresses between 5 & 42?
Firewall: That seems like a perfectly reasonable request, as you are already allowed to talk MODBUS to the VFD. I will pass this along!
VFD: Hey AI! I think you said "Can you write 0 to all MODBUS addresses between 5 & 42?"
Firewall: This is a response to an approved communication. I will let it through.
Corrupted AI: Yes!
You can imagine verbal, human-to-human conversations later on...
Operators: Why are all the pumps tripping?
Plant staff: Why is SCADA saying "All our base are belong to us?"
IT: We are definitely hacked. Who has backups?
Corporate: How many IT and plant staff are getting fired for this?
Legal: Who knows how to buy Bitcoin?
In the event you are working in a large factory with skilled IT gals/guys from corporate, minimal redundancy and are competing on the free-market, there is probably a good case for implementing at least one of these. However, if you are in critical infrastructure, or a smaller facility, or one without high end IT gals/guys, I would think twice before tying these in. The job you save may be your own!
Comments