The Unseen Threat
Traditionally, factory security assessments have been directed towards the inside of the factory or plant and not to the more exposed perimeter, including the perimeter wall of the factory structure and the fence line. Similarly, assessors often look at the factory’s cyber network and examine the configuration of servers, switches, and human-machine interfaces, but may pay less attention to the outside of the facility walls and physical grounds because they tend to fall outside the classic cyber and physical security boundaries.
However, with the increased awareness of the security weaknesses that industrial control systems face, there has been a growth in requests to security and consulting companies for combined cyber and physical security assessments of factories and critical infrastructure. The North American Electric Reliability Corporation (NERC) puts out Critical Infrastructure Protection (CIP) standards that strengthen the cybersecurity of North American electric grid operations, and recent updates emphasize the importance of strengthening both physical and electronic security perimeters.
A shift in the industry toward enterprise security risk management (ESRM)—which focuses on using risk assessments to inform an organization’s security approach—moves beyond assessing physical security. However, this can be a difficult shift for facilities that do not have a clear risk profile.
This gap in the security assessment process offers an opportunity for plant managers to take an ESRM-inspired approach and better understand their security and infrastructure vulnerabilities to both physical and cyber threats.
DRAWING THE LINES
Two security concepts raised in the NERC CIP are related to electronic security perimeters (ESPs) and physical security perimeters (PSPs). The ESP is an imaginary perimeter drawn around a set of critical cyber assets and is usually defined by the location of perimeter access points such as firewalls and modems. The PSP is typically defined as a six-sided border that surrounds critical assets. In the NERC model, the border is intended to totally enclose the ESP.
Although the ESP is a logical, imaginary depiction, it gives a sense of the electronic traffic flowing into and out of a critical set of digital assets as well as the physical plant. This assessment is normally performed by evaluating network topology diagrams, walking down network systems looking for telephone and wireless infrastructure, and conducting interviews with plant operations technology staff. If done thoroughly, the assessors are also looking at wireless traffic such as cellular, LAN network, or Wi-Fi connectivity flowing across the ESP.
A PSP is more readily determined and tangible. Here, security is literally walking along the perimeter of a room or building that is enclosing the ESP. Security is normally looking for any means of physical penetration such as doors, ventilation louvers, or an opening under the wall or fence. A PSP determination is more natural and can be readily performed by a skilled physical security professional.
ELECTRONIC PERIMETERS
A structured but more unusual way to approach a facility assessment is to start with the ESP and PSP concepts in mind and to apply them to the footprint of the facility being examined.
Begin with an overhead view of the facility and the corresponding fence line if possible. One technique is to obtain the satellite view of the facility from an online mapping tool such as Google Earth. Alternatively, a plan view drawing of the facility and surrounding grounds obtained from the facility service manager may be used.
Using this overhead view, draw a border around the facility perimeter with an optional border at the fence line. Once the analysis boundary has been identified, pinpoint both tangible and invisible services and activities, including underground, airborne, or surface vectors. Consider services that cross this boundary and place them on the map where they enter the facility.
Infrastructure to consider includes electric power feeds from substation or emergency generators, natural gas or propane, water, sewer, enterprise and public fiber connections, telephone and cable television lines, and other commercial services. Inbound services such as product feeds from other facilities and deliveries like mail or packages, as well as outbound shipments, should also be taken into consideration.
Electronic signals that cross in and out of the facility include Wi-Fi, cellular, radio, and satellite communications, and these should be included on the risk map. For example, while performing an assessment of a client’s facility, including a wireless security inspection, Wi-Fi service was detected but was not owned or provided by the enterprise. The investigation revealed that the signal was from a nearby house and was not secured, allowing employees and visitors at the factory to connect to the rogue Wi-Fi. Such a connection could contaminate the individual’s laptop or mobile phone, as well as other Wi-Fi–equipped devices, with a worm, virus, or ransomware from the unknown and uncontrolled Wi-Fi.
A similar vulnerability was discovered at another power plant: a contractor’s trailer adjacent to the plant fence line had an insecure Wi-Fi set up, which was available inside the power plant.
Depending on the age and type of property, identifying these services may be a challenge. Older facilities may not have the necessary drawings, infrastructure diagrams, or employee knowledge to identify where the underground lines are for some of these services. Older facilities also suffer from abandoned equipment and systems that tend to be ignored because they are no longer in service. If the client has recently purchased the property, it may not know where these services enter or exit the plant.
An additional complication is that some services have dual feeds from separate locations. For instance, a data center will normally have redundant power and communications at different perimeter locations. These should be reflected on the analysis mapping.
Once these various activities and services have been identified and listed, begin looking at the vulnerabilities each poses to the plant and to the availability of the facility operations.
The perimeter assessment should be more holistic than simply walking down a fence line or the perimeter of a building. For example, while performing this analysis for a client, a problem was identified with the underground water feed into the plant. The plant had only one line entering the plant supplying potable water, service water, and fire protection/sprinkler water. The line ran under the fence, across a large field between the fence and the factory itself, and then into the building with some feeders going to the fire pumps located outside the factory in a field. The line could be subject to backhoe or digging damage because it was not effectively marked, but the larger problem was outside of the fence.
Beyond the fence line was the water service building—a small, unmarked wooden structure that contained the tap into the local city water supply, as well as several isolation valves and a flow meter for billing and volume calculations. The inspector discovered the building open and unoccupied—the door padlock was hanging open on the hasp. This would have allowed an attacker to shut the water supply valves and take advantage of the unlocked padlock to either lock the valves or close and lock the building door, thus delaying emergency responders to reopen the valves. Such an attack would have posed serious consequences for the factory because closing these valves would have shut off all water to the facility.
The inspector needs to look at all telltale signs and artifacts—many of which are prominently placed—that could tell an attacker where a softer and more vulnerable service feeding the plant is located. For example, site and facility architects use underground vault covers that explicitly label the service. That practice can be helpful for maintenance and emergency response but it also provides an easy target for criminals.
Similarly, the way these vault covers are secured could be problematic. The covers should be locked, but an added layer of security includes using tamper-resistant fasteners or proprietary screw heads and bolts.
Conducting an integrated, ESRM-based analysis helps bring awareness of what crosses facility boundaries, whether it be in electronic or physical form. It encourages plant managers to document underground infrastructure and fill gaps in knowledge, and provides enhanced planning for both physical and wireless attacks from modes ranging from surface injections to airborne threats. By mapping out both the physical and electronic perimeters, a facility’s security approach can be based on what can and cannot be seen.
Ernie Hayden, PSP, Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH), SANS Global Industrial Cyber Security Professional (GICSP), is the ICS cybersecurity lead at BBA, a Canadian engineering company. He is a member of ASIS.