Guest Column | July 10, 2014

Water Cybersecurity: ‘Dragonfly' Prompts Lockdown Of Windows-Based Industrial Control Systems

DarianSlywka

By Darian Slywka, eWON sa

With the most recent cyber espionage campaign of the “Dragonfly” group publically identified as having used various malware tools including Havex (Backdoor.Oldrea) and the Energetic Bear RAT (Remote Access Tool), both of which specifically target control systems, now is the perfect opportunity to harden those Microsoft Windows-based industrial control systems (ICS). Just as important is hardening those computers that connect either directly or remotely to those systems.

Both malware applications mentioned above act as a back door for the attackers to gain access to a victim’s computer, potentially allowing them to extract data, perform monitoring and control, and install further malware on the compromised computer.

Use a “defense in depth” approach including multiple layers of security controls placed throughout the control system. This should include the normal cybersecurity fundamentals such as protocol scanning, deep packet analysis, firewalls, intrusion detection systems (IDS or IPS), host intrusion protections systems (HIPS), segmenting traffic (VLANS), policies, user access controls, physical access controls, backups, redundancy, training, contingency plans and other standard concepts available in the reference links below.

With regard to securing a Windows-based control system computer, the following concepts need to be addressed;

  • Anti-executable software that prevents the install or execution of any program that isn't pre-approved.
  • Endpoint security including firewalls, antivirus, anti-malware, external device (USB) monitoring or disabling, and sandboxing.
  • Encrypt all data communications using virtual private networks (VPN) between a central SCADA or control system computer and other remote sites and users.
  • Manage user remote access to the system properly.
  • Run in limited user mode.
  • Limit administrator access.
  • Use appropriate role and policy management to prevent unauthorized activity.
  • Whenever possible, limit network access to specific IP addresses or ranges.
  • Segment traffic, use VLANs.
  • Remove software packages and applications that are not required.
  • Install updates and patches.
  • Use real-time alerting, monitoring, and detection software to log all activity.
  • Compartmentalize and segregate customer account reporting, data historians, and billing.
  • Partner with reputable companies and vendors that have established themselves as leaders in their respective fields and can provide solutions you require.

Every water system owner wants to deliver safe, potable water in a reliable manner while meeting the requirements of both state and federal regulators. Failure to address vulnerabilities can potentially open an attack vector to compromise the ability for a system owner to achieve those goals.

Additional resources: AWWA Cyber security and Guidance Tool, National Institute of Standards and Technology (NIST) SP800-82 Guide to Industrial Control Systems (ICS) Security

About the author: Darian Slywka is the Western Channel Manager for eWON, a Belgium-based industrial remote connectivity company providing secure solutions to OEMs, integrators, and infrastructure projects. His background and education includes environmental engineering, cybersecurity, and business development. He is licensed in water treatment and water distribution and holds numerous certifications in technology, networking, and more. Find him at http://darians.info

© 2014 Darian Slywka licensed under CC BY-ND 4.0.

Image credit: "Dragonfly on Deck," Cecil Sanders © 2008, used under an Attribution 2.0 Generic license: https://creativecommons.org/licenses/by/2.0/