Manufacturers are being urged to regularly assess their network infrastructure, and to close all possible opportunities for hackers. Alan Johnson reports.
In a room full of manufacturers, it would be hard to find anyone who would admit their companies’ computers are not adequately protected from computer hackers.
However, Dick Bussiere, Principal Architect with Tenable Network Security, believes they would all be disappointed to know the truth.
He admits most manufacturers’ networks are fairly well defended on the perimeter. “But like an Oreo cookie, they are hard on the outside but soft and mushy on the inside,” Bussiere told Manufacturers’ Monthly.
He said there are a couple of areas most organisations are not doing a good job with, “which to a large degree gets down to cyber hygiene”.
The number one issue, Bussiere believes, is that manufacturers and companies in general don’t proactively perform vulnerability assessments on their network infrastructure.
“The second issue is that network infrastructures are not being monitored to be able to detect whether or not those infrastructures have been compromised. If they were, they would significantly reduce threats and obviously reduce risks to their organisation,” he said.
Bussiere said performing vulnerability assessments on a frequent basis should be standard across the manufacturing industry.
“Yet with the possible exception of companies who are forced to do it, such as large financial organisations, most companies only do it on an annual basis, when in fact vulnerabilities are presently disclosed at around 130 every week of the year,” he said.
“So if manufacturers are only doing an assessment once a year, they are open to thousands of vulnerabilities, with each one of them having the potential to be a breach waiting to happen.”
Bussiere recommended companies run their vulnerability assessments on a monthly basis as a bare minimum and track what they are able to fix.
“The other dimension to it is performing some kind of monitoring function to determine if a breach has been made, by observing unusual communication patterns for example.”
Common breaches
Bussiere said the most common attempt to breach networks at the moment is via phishing attacks, where someone clicks on an email that contains an infected Word or PDF document.
He said the problem arises when someone falls for this phishing attack and is working on a system that has not been adequately patched.
“This is a very common way companies are hacked,” he said.
Bussiere said manufacturers should also pay attention to their industrial control network, such as SCADA and ICS.
“They need to focus on the segregation between that critical operational real time network infrastructure and the company’s common office network infrastructure,” he said.
“All too frequently on my travels, I see little attention focused on ensuring that the control system is well segregated. If not, it has the potential for major problems if the control network became breached somehow.”
He said these phishing attacks can be very targeted, often trying to find out all of a company’s financial information.
“Hence the importance of good cyber hygiene as these phishing attacks generally rely on some kind of vulnerability being on the victim’s system and an exploitation of that vulnerability,” he said.
Need for visibility
Bussiere said having good visibility of a company’s network from a vulnerability perspective is critical.
“This allows companies to identify the vulnerabilities that an attacker can take advantage of, and get those areas patched,” he said.
And it is not just software vulnerabilities: Bussiere said there can be any number of items on a network that companies don’t know about.
“It could be a legacy system or maybe a virtual machine someone fired up years ago,” he said.
He said it is also important for manufacturers to identify all the assets that are on their networks.
“Networks have been around for over 25 years now, and over that time most have been built out where things get inserted that no one knows about, and/or things get forgotten about,” he said.
“Any operator of a large industrial control system will tell you ‘we don’t know everything that is on this network’.”
He said having visibility, by being able to audit everything that is on the network and identify its purpose, is a very important part of good cyber hygiene.
“Companies should bring everything under management, under patch control, and ruthlessly rip things out that shouldn’t be there.”
Bussiere said it’s very important manufacturers design their network on the assumption that it is going to be compromised.
“If they do that they will start to practice good cyber hygiene. And having that attitude will force them to instrument their network so that they have the ability to detect compromises relatively early in their life cycle so they can mitigate or eliminate the compromise well before serious damage can occur,” he said.
Passwords
Somewhat controversially, Bussiere believes computer passwords are obsolete today.
“In most cases they are a very soft spot, and can be easily compromised through a phishing attack through social engineering,” he said.
For sensitive operations, he advises manufacturers to use two-factor authentication, which adds a second level of authentication to an account log-in.
“Because even if an adversary manages to get a person’s password, with two-factor authentication it’s normally not enough for that outsider to get in,” he said.
In conclusion, Bussiere advised manufacturers not to just look at IT security as a necessary evil. “It is essential,” he said.