THE INDUSTRIAL SECURITY INSTITUTE
OT / industrial / ICS cybersecurity concepts from the perspective of the world’s most secure industrial sites. Truly secure sites ask different questions, and so get different answers. Subscribe to never miss an episode

EPS. 16 – Vendor Back Door
An industrial site has outsourced a remote support function to a control system component A software developer at a software vendor inserts a back door into software used on industrial control systems networks. The software may be ICS software or may be driver, management, operating system, networking, or other software used by ICS components. The back door may have been installed with the approval of the software vendor as a “support mechanism” or may have been installed surreptitiously by a software developer with malicious intent. The software checks the vendor website weekly for software updates and notifies the user through a message on the screen when an update is available. The software also, unknown to the end user, creates a persistent connection to the update notification website when the website so instructs, and permits personnel with access to the website to operate the machine on the ICS network remotely. Hacktivist class attackers discover this back door and compromise the vendor’s software update website with a password phishing attack. The attackers then use the back door to impair operations at industrial sites associated with businesses the hacktivists have imagined that they have some complaint against. Note that antivirus systems are unlikely to discover this back door, since this is not the autonomously propagating kind of malware that AV systems are designed to discover. Sandboxing systems are unlikely to discover it either, since the only network aware behavior observable by those systems is a periodic call to a legitimate vendor’s software update site asking for update instructions.

THE TOP 20 CYBERATTACKS ON INDUSTRIAL CONTROL SYSTEMS
These Top 20 attacks have been selected to represent cyber threats to industrial sites across a wide range of circumstances, consequences and sophistication. No industrial operation is free of risk, and different industrial enterprises may legitimately have different “appetites” for certain types of risks. In this series we show how to use the Top 20 Cyberattacks to compare the strength of two security postures at a hypothetical water treatment plant: Defence in depth 2013 (software based security) vs. that same security posture plus a unidirectional security gateway device providing hardware enfonced security). We ask the question, does either defensive posture reliably defeat each attack? Over the course of 20 episodes we build a score card that can be used to easily communicate risk reduction benefits to business decision makers who are not familiar with cyber security.

ABOUT ANDERW GINTER
At Waterfall, Andrew leads a team of experts who work with the world’s most secure industrial sites. He is author of two books on industrial security, a co-author of the Industrial Internet Consortium’s Security Framework, and the co-host of the Industrial Security Podcast. Andrew spent 35 years designing SCADA system products for Hewlett Packard, IT/OT connectivity products for Agilent Technologies, and OT/ICS security products for Industrial Defender and Waterfall Security Solutions.