Services: Half or Whole?

Many companies today offer cyber security services. With the veritable smattering of assessment services, red-team services, network design, NERC CIP (the list goes on), companies can quickly find that ordering services is about as complex as ordering your favorite coffee at your favorite chain coffee store. The question that MUST be asked is, “are you getting FULL value for your money?”

In a recent evaluation, we were called in after a NERC CIP compliance report had already been generated. Because that report had been produced many months earlier, the company had already started taking a number of key steps towards NERC CIP compliance. The CIO of the company, however, grew concerned that they might be missing some key elements when it came to the industrial network. His concerns were well founded.

Though the previous assessment team did find a number of potential issues with the industrial network, they missed the bulk of the potential problems. They led the client to believe that most of their problems could be solved with simple network measures and better physical security. While the work was not bad or poorly executed, it was insufficient for the industrial environment. Commonly available open source and even commercial tools generate too many false positives, miss many potential negatives, are not aware of the specific industrial protocols, and completely fail to identify issues on non-Ethernet-based networks.

Our assessment quickly zeroed in on a number of key problems. In fact, we found four main vectors of attack that were previously undiscovered. By running industrial-protocol-specific tests and leveraging experience in device testing, we were able to very quickly identify multiple attack vectors that represented very serious downtime and potential safety issues for this customer. Beyond theory (where many must stop), we were able to clearly demonstrate just how such failures occur, and what the failure mode and criticality would be. The client’s jaws dropped, and the CIO’s suspicions were confirmed: they had more work to do.

Security evaluations must cover the full gamut of potential issues. Almost any company can look at policies, procedures, physical security, operating system security, network security, and other well-known security issues, but these are only part of the equation. Using IT-type tools and methodologies to evaluate industrial networks represents only half of the picture. Driving towards the device completes the image and allows for true identification and remediation of security threats that can stop production.