2017-11 How to use cyberattacks to increase security



guidance. Anyone interested in the honeypot scenario described in this article should develop it in consultation with their company IT department and advisors. Only they will be able to confirm that there is no additional risk to data or hardware and that no liabilities are incurred. Liability for damage or loss resulting from any action that increases risk is typically borne by the person who took the action.

Allowing a cyberattack

In the industrial environment—and especially in critical infrastructures (CRITIS)—cybersecurity has become an extremely high priority. In this context, anything that can be done to warn of hacker activity and/or learn about hacker tactics is worth considering. So if, paradoxical though it may seem, we have decided to allow a cyberattack as a defensive strategy, where could we start?

Automated environments typically have numerous controllers, robots, drives, HMIs etc. connected to a network. Network switches are used to connect components to the server, monitor data traffic and route it to where it is needed. Their data-routing functions, together with their access management functions, make switches a classic target for cyberattacks and, as such, the ideal honeypot.

A switch as a honeypot

Network switches perform essential functions in connecting robots, drives, PLCs and other devices to the industrial network. As a result, their firmware and configuration are vitally important and should be well protected:

  • Switch firmware is, like an operating system, subject to manufacturer modifications and updates.
  • The configuration of a switch encompasses a range of settings, including which ports are used for which data traffic flowing to and from which connected devices.

Fig. 2: Switch management with the data management system versiondog

© AUVESY GmbH · Fichtenstrasse 38 B · 76829 Landau in der Pfalz · Germany
Last updated: 20 Nov 2017

Attackers who want to do damage within a network can manipulate the network communication of a switch. Switches are often used by hackers to establish a connection with a component, e.g. by opening and closing ports. In this way, erroneous data can be routed. Being a favourite target of hackers is what makes network switches so suitable as honeypots.

One scenario involves installing a superfluous switch in the industrial network. This switch is set up to look attractive but, as it has no real function, it can be left completely alone by company staff, all of whom are informed of its actual purpose. With no changes at all being made internally, any changes that are made to the switch must have been made by an unauthorised external party.

Fig. 3: How data backups/versions are classified according to content, storage and identifier in order to facilitate fast disaster recovery in production

The trick is to detect these changes as quickly as possible. This is where a data management system can be used. But this system will need to have the capability to regularly and automatically check the state of the switch, detect even the smallest change, then alert the appropriate personnel without delay. Any manipulation might be an attack in itself, or it could be the preparation for an attack. Either way, early warning will help avoid damage or loss, and detailed inspection of the changes will reveal the tactics being used.

A data management system

versiondog is a data management system that is installed on computers connected to the industrial network of a manufacturing or CRITIS facility in order to manage change and safeguard data. It easily fulfils the criteria required by this honeypot scenario with its backup and compare functions. While it does not replace other network security measures, such as firewalls, IDS systems and IPS systems, it can be used alongside them as a valuable extra layer of security. This is because it can be set to automatically and precisely compare current device data to previous device data at regular intervals. For the network switch in our honeypot scenario, the focus will be on ports, which could allow a hacker to gain access to automation equipment and potentially wreak havoc.
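
The periodic compare described above, sketched as an added example (it is not from the original article and is not versiondog's implementation): it diffs a text export of the honeypot switch against a stored baseline and reports every change per port. The IOS-like config syntax, the hostname, the sample values and the function names are all assumptions made for illustration.

```python
# Constructed sample exports in a generic IOS-like syntax (an assumption; the
# real honeypot switch may export its configuration in a different format).
BASELINE = """\
hostname hp-switch-01
interface Gi0/1
 description spare
 shutdown
interface Gi0/2
 description spare
 shutdown
snmp-server community example-ro RO
"""
# Same export after a constructed change: port Gi0/2 was opened.
CURRENT = BASELINE.replace(
    "interface Gi0/2\n description spare\n shutdown",
    "interface Gi0/2\n description spare\n switchport access vlan 20")

def parse_config(text):
    """Group config lines into 'global' plus one section per interface."""
    sections, name = {"global": set()}, "global"
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue                          # skip blanks and comment lines
        if line.startswith("interface "):
            name = line.split(None, 1)[1]
            sections[name] = {line.strip()}   # header marks the port as present
        elif line[0].isspace():
            sections[name].add(line.strip())  # setting inside current section
        else:
            name = "global"
            sections[name].add(line.strip())
    return sections

def diff_config(baseline, current):
    """Return sorted (section, change, line) tuples. On the honeypot switch
    any finding is an alert, because no internal change is ever made."""
    old, new = parse_config(baseline), parse_config(current)
    findings = []
    for section in sorted(old.keys() | new.keys()):
        before, after = old.get(section, set()), new.get(section, set())
        findings += [(section, "removed", l) for l in sorted(before - after)]
        findings += [(section, "added", l) for l in sorted(after - before)]
    return findings

if __name__ == "__main__":
    for section, change, line in diff_config(BASELINE, CURRENT):
        scope = "global" if section == "global" else "port"
        print(f"ALERT [{scope}] {section}: {change} '{line}'")
```

Because the switch carries no production traffic, an empty result is the only normal state; the baseline itself should be stored where a party with access to the switch cannot rewrite it.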


© Copyright 2018 AUVESY GmbH - All rights reserved.