The term “attack surface” is security jargon for the sum of your security risk exposure. It is the aggregate of all known, unknown, reachable and potentially exploitable weaknesses and vulnerabilities across the organization. All organizations regardless of industry have an attack surface.Fortunately, awareness of weaknesses, prioritization of risk, and layered defenses can reduce the attack surface and limit disruption, enhance predictable operations, and lower business risk.What is the Human Attack Surface in ICS Environments?“Securing the human” is easy to overlook. Simply defined, the human attack surface is the sum of all exploitable security holes or gaps created by humans within your ICS operations environment.Human behaviors in ICS realms are no different than those within many professional settings. A significant difference is that errors or negligence can have serious physical consequences even with safety instrumented systems in place.
Plant operations and process control engineers generally do not prioritize ICS security in their environments and rely on techniques such as airgaps, perimeter firewalls, and safety instrumented systems for protection. The poster above from the SANS Institute characterizes common risks and exploitable weaknesses to consider.Examples of human factors influencing the size of your attack surface and directly related to cyber and business risk include a lack of ICS security knowledge, resistance to change (or choosing to bypass security rules/policies to avert disruption), ICS systems connected directly to the Internet (for maintenance, software updates or just unaware), susceptibility to social engineering, unsupervised insider privilege, opportunities for operator error or negligence, awareness training for email security, worker absence (such as due to illness, quitting, death, retirement), and a lack of ICS security policies or training.Here are a few real incidents (there are many) of risky behaviors contributing to human attack surface risk within ICS environments:Charging cell phones or other mobile devices on ICS USB ports (employees and contractors)Letting family or other personnel connect to the hidden wireless router in the plant kitchen so they can connect to the Internet (web surfing, kids and adults playing video games)Not having an appropriate process or simply forgetting to disable former employee or contractor access to facilities and cyber assets after those persons leave the site or companyConnecting to plant networks and resources after executing an unsafe connection to public Wi-Fi (such as at Starbucks without virtual private network (VPN) protection)Use of infected USB memory sticks on ICS or other systems that haven’t been hardened against auto-execution or auto-runPeriodically trouble-shooting or “taking care of things” by modifying or updating firmware or asset configurations without letting others know (both employees and contractors)Doing email on engineering workstations, often with access to HMI consoles from those same workstations and without knowing email security risks.Allowing persons known and unknown to piggy-back in on the first person’s access card (both employees and contractors)Practical Starting Points to Reduce Your Human Attack SurfaceIf you’d like to begin to scope and reduce your human attack surface, here are a few areas to focus upon first that will give you strong gains:1. Know Who Has Physical and Cyber AccessWhen considering the scope of your human attack surface, be sure to count all the people who have or had access to physical and cyber assets. This is a broader group than just employees. It should include contractors, maintenance and facility workers, industrial equipment manufacturers, system integrators, consultants, supply chain partners, etc.To Do: Establish and enforce procedures to discontinue physical and cyber access for employees and non-employees. This will rightly involve participation of the IT team, human resources, and likely those who monitor physical access.2. Securing Email and Training PersonnelOver 90 percent of all malware (including ransomware) targets humans and their desktops according to the Q2 2017 malware review and research report by PhishMe, an email filtering company. Phishing and spear phishing are among the most common ways to infect systems for a whole array of purposes, from locking users out of their systems to stealing login and password credentials to gaining access to critical assets such as HMI, PLCs and potentially causing disruption or harm.To Do: Consider acquisition of technology to help filter out suspicious emails and train your personnel on secure email practices if email is allowed within your ICS environments. In a bigger effort, you should consider a full ICS security program with email security awareness as one of many important components.3. Social Engineering Awareness TrainingSocial engineering has become so common and successful that it deserves its own category of attack surface. Social engineering relies heavily on human interaction and involves tricking people into breaking normal security procedures by giving up personally identifying information or corporate details.Popular social engineering techniques rely on a person’s willingness to be helpful and lack of attention to detail when they’re in a hurry (like not noticing a slightly misspelled URL or website that could indicate malicious intent). These methods often have a tone of urgency that can cause recipients to miss obvious clues. For example, the attacker might pretend to be a co-worker who has some kind of urgent problem that requires access to additional network resources.There are many variants of social engineering that also involve social media such as Facebook, Twitter, and LinkedIn. They also use text messages sent from cell phones. After research and possibly a few phone calls, social engineers can craft spear phishing emails that cause the C-suite, privileged users, and field technicians to fall prey.To Do: Reducing the social engineering attack surface will require educating employees about typical techniques and how to recognize them. This facet of the human attack surface is constantly changing and will require monitoring for trends that may apply to your industry, locale, or employee type. This information can help employees recognize interactions that could lead to compromise, disruption, and operations downtime.SummaryOne of the great strengths of highly secure organizations is their emphasis on communicating security awareness, cyber-physical risks, and safety principles to their employees, partners, supply chain, and even their customers (as when using the web to gain secure access to pay their utility bill.)Many exploits reaching into ICS environments are directed at humans as a starting point. As such, reducing your human attack surface should be part of a comprehensive ICS security program.