Cisco Blogs


Cisco Blog > Internet of Everything

HAVEX Proves (Again) that the Airgap is a Myth: Time for Real Cybersecurity in ICS Environments

July 3, 2014 at 7:00 am PST

The HAVEX worm is making the rounds again. As Cisco first reported back in September 2013, HAVEX specifically targets supervisory control and data acquisition (SCADA), industrial control system (ICS), and other operational technology (OT) environments. In the case of HAVEX, the energy industry, and specifically power plants based in Europe, seems to be the primary target. See Cisco’s security blog post for technical details on this latest variant.

When I discuss security with those managing SCADA, ICS and other OT environments, I almost always get the feedback that cybersecurity isn’t required, because their systems are physically separated from the open Internet. This practice, referred to in ICS circles as the “airgap”, is the way ICS networks have been protected since the beginning of time; and truth be told, it’s been tremendously effective for decades. The problem is, the reality of the airgap began to disappear several years ago, and today is really just a myth.

Today, networks of all types are more connected than ever before. Gone are the days where only information technology (IT) networks are connected, completely separated from OT networks.  OT networks are no longer islands unto themselves, cut off from the outside world. Technology trends such as the Internet of Things (IoT) have changed all of that. To gain business efficiencies and streamline operations, today’s manufacturing plants, field area networks, and other OT environments are connected to the outside world via wired and wireless communications – in multiple places throughout the system! As a result, these industrial environments are every bit as open to hackers and other cyber threats as their IT counterparts. The main difference, of course, is that most organizations have relatively weak cybersecurity controls in these environments because of the continued belief that an airgap segregates them from the outside world, thereby insulating them from cyber attacks. This naivety makes OT environments an easier target.

The authors of HAVEX certainly understand that OT environments are connected, since the method of transmission is via a downloadable Trojan installed on the websites of several ICS/SCADA manufacturers. What’s considered a very old trick in the IT world is still relatively new to those in OT.

It’s absolutely essential that organizations with ICS environments fully understand and embrace the fact that IT and OT are simply different environments within a single extended network. As such, cybersecurity needs to be implemented across both to produce a comprehensive security solution for the entire extended network. The most important way to securely embrace IoT is for IT and OT to work together as a team. By each relinquishing just a bit of control, IT can retain centralized control over the extended network – but with differentiated policies that recognize the specialized needs of OT environments.

We’ll never completely bulletproof our systems, but with comprehensive security solutions applied across the extended network that provide protection before, during, and after an attack, organizations can protect themselves from most of what’s out there. A significant step in the right direction is to understand that the airgap is gone forever; it’s time to protect our OT environments every bit as much as we protect our IT environments.

Tags: , , , , , , , , , , , , ,

Summary: The Extended Network Requires Security That’s the Same, Only Different

April 23, 2014 at 6:40 am PST

Information Technology (IT) and Operational Technology (OT) networks have historically been completely separate, with users of each living in blissful isolation. But the Internet of Things (IoT) is changing all of that! In the IoT paradigm, IT and OT professionals will need to work together to drive pervasive security across the extended network. The same security tools will need to be applied consistently across the extended network, but with differentiated policy enforcement to account for differences between the two environments.

Read the full blog post to learn more.

Tags: , ,

Energy Networking Convergence Part 1 – The Journey From Serial to IP

This is the first of a four part series on the convergence of IT and OT (Operational Technologies)

Part 2 will cover the impact of the transition to IP on Physical Security and the convergence of Physical and Cyber Security.

Part 3 will discuss the convergence of IT and OT -- Operational Technology of all types outside the traditional realm of Information Processing.

Part 4 will look at how to actually make the transition to a converged IT/OT infrastructure and tips on overcoming the challenges.

Those of us in the Energy Industry know that the utilities segment is in transition. The network architecture, in particular,  is undergoing change -- change that will bring challenges as well as opportunities for both Cisco and our customers.

Almost every communication application started as point to point serial — including computer communications.  But the simple geometry problem of how many lines are needed to connect every vertex (node) of a polygon to every other vertex [ n(n-3)/2 if you’re curious ] shows that as the number of nodes grows, connecting each one to every other one quickly becomes infeasible.

HAK22620 - for webThe need to interconnect more and more devices lead to multi-drop or bus topologies and challenges of how to deal with sorting out who gets to talk when and the solutions of token passing, polling and TDM.

Circuit switching was a big breakthrough developed out of necessity as the number of telephone handsets exploded. Interestingly enough, look at the hierarchical topology of trunking and local switching and you may recognize analog similarity to NAT.

Initial application of networking often occurs as the use of Ethernet to replace serial communication with flat, layer-2 networks, to interconnect multiple nodes with polling and TDM used exactly as they were in serial systems.  That’s where most SCADA systems still live today and why there are relatively few monitored points, limited by how quickly the polling loop can be traversed.  Imagine trying to run the internet that way?

Fast forward and almost every industry and industrial application that started off as serial or circuit switched has migrated or is migrating to packet switched as IP packet technology has made astonishing progress along the price/performance curve.

High performance IP is now able to offer latency performance that used to require dedicated connections.  Along with IP have come the tools to manage, diagnose, repair and secure the communication network.  Relative to the billions of dollars invested by companies around the world in tools, security, management, etc. for IP, the investments being made in securing and improving serial or TDM are almost nonexistent.

Globally, Service Providers who built their industry on circuit switched analog and TDM are terminating those services as they move to complete their transition to IP.

Cisco continues to play a key role in transitioning serial/TDM technology to IP, helping customers get full benefit of the robust performance and security capabilities and features IP offers.  Customers who have received End of Service notices for Framerelay are scrambling to find alternatives and at the same time achieve regulatory compliance.

As Operation Technology groups outside of IT increasingly use IT Information & Communication Technology (ICT), they need the same capabilities as IT.

What does this mean for Cisco and our customers?

Relationships with the business, including the operations side of the business are key.  Budget is increasingly in the hands of the business rather than IT. As a result, Cisco and our customers’  IT departments are increasingly collaborating with the operational side of the business -- especially the OT, or ‘Operational Technologies’ part of our customer’s organization.

Cisco has specialized industry sales support teams in a group called CVA (Cisco Value Acceleration) Group, which I’m a part of, as well as Cisco Advanced Services and other Cisco Business Units (especially the IOTG, or Internet of Things Group) along with groups such as the Cisco Global Industries Center of Expertise (GICE) to understand the trends, business imperatives and compelling events creating opportunity with customers.

If you’d like to know more about these groups, Read More »

Tags: , , , , , , , ,

Manufacturing in America – Turning the Corner

April 9, 2014 at 9:51 am PST

What does manufacturing mean to America? While there may be no quantitative right answer to that question, in my opinion, manufacturing is the creation of new jobs, the empowering of individuals, and teamwork that helps make dreams a reality. Manufacturing has long been wrongly perceived as a dirt and grime industry that lacks the appeal necessary to build and grow a strongly educated workforce, vital to our nation’s industrial and economic growth.

Recently, I watched a video released by the National Association of Manufacturers (NAM) titled, “What Manufacturing Means to America.” The video addresses the current state of the manufacturing industry and provides fresh insight into utilizing the skill and talent of America’s workforce. It shows that with the right education and skills, manufacturing can be the key to a better future and making dreams come true. Read More »

Tags: , , ,

No matter how harsh is your work environment, Cisco has you covered

Cisco_IndustrialEthernetSwitches_2 27 14“Neither snow nor rain nor heat nor gloom of night stays these couriers from the swift completion of their appointed rounds.” – Popular US Postal Service motto

Many of my US colleagues have told me that they grew up hearing the phrase above and thinking how reliable their mail service is, even under the harshest conditions, they always got their mail. We in Cisco think that your network should be as reliable and resilient, and work under all conditions, particularly now when the Internet of Things (IoT) requires a level of resiliency at a scale never imagined before, and under conditions beyond what the traditional datacenter or wiring closet can offer.

These days, one of the challenges that the Internet of Things has to deal with is that it “…is already connecting the physical world today, but the real world, unlike the digital world, is much more uncertain and variable. We have to connect objects in unpredictable environments, often subject to Mother Nature or just the movement of our earth and its inhabitants…”

In fact Cisco defines the Internet of Things as “the intelligent connectivity of physical devices driving massive gains in efficiency, business growth and quality of life.”

In order to establish intelligent connectivity to physical devices, networking equipment have to be able to coexist in the same environmental in which the physical device are operating.

Very often, these physical devices are operating in harsh environments both from a temperature prospective (like in a smelting furnace or in a mining field located in Siberia), from a dustiness prospective (like in a cement production plant), from a vibrations prospective (like on a train or on a mining truck) etc.

To properly operate in these environments networking devices have to be specifically designed with highly ruggedized casing to protect the device’s internal components, and with specific connectors to avoid any possible water penetration or to get unplugged because of hard vibrations.

We’re excited to announce today an extension of our Industrial Ethernet portfolio adding a new series of IE2000 IP67 switches! Read More »

Tags: , , , , , , , , , , , ,