Use shopfloor penetration testing to avoid hacking risk

The sabotage was said to have been perpetrated by at least one worker with access to the computer system. Intelligence Online said the alleged Iranian network "had focused on Aramco's facilities, particularly the control systems of the Ghawar oil field and the Ras Tanura refinery,” the largest oil field and crude export refinery in the world.

In the UK, GAMBICA has formed an industrial network security group to help counter the threats of viruses, industrial sabotage and terrorism.

"Defence-in-depth is what’s needed; because there’s no single solution to industrial network security – it’s systematic,” reveals Steve Brambley, deputy director of GAMBICA.

"Industrial networks are rarely managed in the same way as enterprise networks. Office applications are typically managed by an IT department using its approved security methods while the industrial side tends to be managed by an engineering department without necessarily involving the IT team.”

For example, it’s not uncommon for a PC controlling a manufacturing cell to be running an old version of Windows, such as XP, without an internet connection. Later in its life, the engineering department may decide it wants to connect some manufacturing cells to get production information out onto the IT network.

This can introduce vulnerability if the cells are managed by a PC with an old, un-updated version of Windows. Industrial network systems should be dealt with differently from IT networks in a business.

The most common way to estimate risk and produce a plan of action for countering that risk is penetration testing. This is a series of simulated attacks on a plant performed on behalf of the company by ethical ‘white hat’ hackers to evaluate its security.

Perhaps the most important thing that plant management can do to protect itself against the threat that data breaches represent is change its attitude towards them. A security breach isn’t just another piece of data on a system. Many companies seem to entirely  fail to recognise the intrinsic value of an individual’s name, telephone number, address and password – and any other details they hold.

Part of the problem is that recognising the value of data takes time. There’s a resource cost associated with training people and putting in place good data handling procedures. Good practice means that people have to spend more time actually handling data to ensure its integrity. Adopting a more appropriate attitude towards data is a continual process.

There’s no question that every industrial plant needs an information security programme in 2013 but plant managers can start small and improve later. The key is to take the first step.

One of the important things to understand about data security is that it’s not just an IT issue. However, if you create a phrase by putting any word in front of ‘information,’ most people will simply read ‘IT’ or ‘technology’.

In reality, 75% of plant security is about people and most security breaches aren’t the result of an IT process being lax. They are the result of human error caused by socially engineered attacks. These could be as simple as breaching a plant building by talking your way past the cleaners.

The key is to deliberately catch the target doing something stupid and take advantage of that. As part of one penetration testing process, Hedgehog Security offered chocolate to a company’s staff in exchange for their intranet passwords, saying it was a test being imposed by management to see who had kept an accurate record. Nearly 10% of the people approached willingly passed on their data.

One would not necessarily have to be that sophisticated though. Standing by a printer and picking up random prints can provide an intelligent hacker with all the information they need to attempt a serious attack.

Being aware of this problem is one of many ways of averting what could potentially be the biggest issue your plant faces in 2013 – industrial security.