Editor’s note: The following was originally posted on Schneider Electric’s blog. With their permission, and because this is an important topic, we decided to republish it here for our readers. We applaud Schneider Electric for their willingness to address this attack against one of their customers head-on, without flinching, and stepping up to foster an environment of cooperation in the IIoT security industry. By promoting the development and adoption of standards, collaboration, and shared best practices they show themselves to be a good citizen in the digital world. Too many times victims of cyber attacks choose to shy away from addressing the problem, opting instead to keep everything quiet so as to avoid ruffling the feathers of their Board or their investors. As security practitioners, we need to move past this paradigm and work collectively to solve these ever-increasing threats.
Guest Contributor: Andrew Kling, CSSLP, Director of Cyber Security and Architecture at Schneider Electric
One year ago cybersecurity experts discovered the world’s first known cyberattack on a safety instrumented system. Some called it Triton. Others named it TRISIS. Still others, Hatman. Yet regardless of the name, everyone agrees that it prompted a call to action for every industrial process and manufacturing enterprise in the era of the Industrial Internet of Things (IIoT). What was once considered theoretical became a real threat to every industrial safety system, everywhere in the world, no matter who designed, engineered, built or operates it.
Where do we go from here?
As a director of cybersecurity and architecture at Schneider Electric, I have been intimately involved in the Triton investigation, exploration of the attack’s industry-wide implications, and steps to strengthen resiliency both in the here and now and for tomorrow. I am encouraged by the progress made over the last year, yet there is more work ahead. In fact, building cybersecurity resilience is an ongoing pursuit if we’re to ensure the reliability and safety of assets in an increasingly digital world.
As we reflect on the lessons of Triton and what we can do to combat future threats, Schneider Electric continues to encourage a three-pronged approach to creating a stronger global cyberculture:
- Aggressive “cybersecurity by design,” including cyber hardening of platforms on the part of designers and engineers and throughout the entire supply chain, along with rapid adoption and education on best practices and procedures on the part of plant operators and owners.
- Consistent and widespread adherence to global security standards across the operational technology spectrum.
- Open and honest collaboration among plant asset owners, suppliers, designers, engineers, plant operators, third-party providers, integrators, standards bodies and government agencies around the world.
Thinking beyond the technology
Fifteen years ago, before the advent of the IIoT, the cyber threats we face today were unimaginable. In the case of Triton, the Schneider Electric controller at the targeted facility performed as designed, bringing the plant to a safe state via a shutdown and thus averting a disaster. The subsequent investigation identified security lapses onsite, however, that allowed the perpetrator (recently identified as Xenotime) to infiltrate the system via more sophisticated means than our industry had seen previously. It’s now clear that to shut the door on future Triton-like attacks, adopting an end-to-end security approach is critical — from product design to installation to rigorous onsite operations.
Call to action for strict standards and adherence
The need to update legacy systems and processes is clear. But Triton also exposed the urgency for suppliers, designers, engineers, industrial plant operators/owners, third-party providers, integrators, standards bodies, and government agencies around the world to adopt and adhere to cybersecurity standards for process control systems. One of those is IEC 62443, a rigorous standard for industrial automation technology that safeguards operations across multiple layers. And there are others, such as the French GTCSI (ANSSI) standard and ISO 27001.
In addition to standards, we must look holistically at the current threatscape. Standards often advise a methodical, hierarchical approach to security, whereby vulnerabilities are ranked in order from high to low risk. A device directly connected to a controller, for example, is “high risk,” and “low risk” vulnerabilities are those such as malicious emails with an embedded link. When it comes to advanced persistent threats (APT) such as that carried out by Xenotime, however, the full spectrum of vulnerabilities – from low to high risk – is likely being exploited simultaneously. Addressing them one at a time is simply insufficient. In addition to taking a wider-view stance, we can build effective defenses by:
- Finding and eliminating our most severe vulnerabilities, no matter how the risk is tiered;
- Scrutinizing the techniques used by the APT groups and, in turn, defending against those attack vectors as well; and
- Working together as an industry to advance safety in the digital landscape.
Addressing the shift from theory to reality
The presence of malicious attacks at this level is our new reality. We have the means to ward off “successful” attacks — as well as build and advance a resilient “detect and response” cybersecurity strategy across all levels of an industrial enterprise — but only if we take immediate, collective action. Now is the time for this collaborative effort.
I’ll be sharing additional thoughts on preventing cyberattacks in this blog series. Up next, we’ll examine current legislation and its role in the prevention of future attacks.
For more insight from Schneider Electric on cybersecurity, download our whitepaper: “Cybersecurity Best Practices”.
Author: Andy has over thirty years of software development experience. He has worked in the Industrial Control Systems (ICS) development organization at Schneider Electric since 2001. Andy has ushered the Schneider Electric Process Automation Development team to the first in the world ISA Secure – Secure Development Lifecycle Assurance certification for three development sites on three different continents. In this responsibility Andy is chartered with improving our Secure Development Lifecycle adoption, ensuring that cybersecurity requirements are part of every project that is executed.