Dropbox security breach revealed

Dropbox’s Vice President of engineering has admitted that the spamming of many of the cloud service provider’s clients in recent weeks has been traced to an employee password re-use breach: Cryptzone says this highlights the dangers of using the same password for both business and personal usage.

“Most governance experts – ourselves included – will tell you to use different passwords for different systems, but this case is one of those “wake-up-and-smell-the-coffee” moments for IT security professionals, as it shows the need to also keep passwords separate for work and personal internet activities,” said Grant Taylor, European Vice President of Cryptzone, the IT threat mitigation specialist.

“We would go further and argue that people should not be using Dropbox for many business purposes. CISOs and compliance managers would be horrified to know that confidential data was being moved out of the organisation’s sphere of control. Free services by their very nature don’t have the features to facilitate corporate control and management.”

The problem here, the Cryptzone European VP says, is that members of staff, particularly the young, tend to blur the lines between work and play – and whilst it is perfectly understandable for them to use the convenience of a service like Dropbox to access work files at their leisure, their managers need to explain that when it comes to corporate data, such practices simply are not acceptable in today’s regulatory environment.

If corporate information is moved to personal accounts in contradiction to corporate policies, you’re dead in the water as far the boss is concerned. Apart from disciplinary action for the individual, their employer could be looking at investigation from regulatory bodies possibly resulting in severe fines. So when seeking to improve work/life balance, don’t just think convenience, think risk, he says.

Dropbox says it has plans to roll out additional security measures that should help users protect their Dropbox accounts even if users (or employees, assumedly) lose account passwords, including two-factor authentication (Dropbox says this will be coming “in a few weeks”), and new automated mechanisms to help identity suspicious activity, as well as a page that lets users examine all active logins.

New and enhanced drivers for KEPServerEX

Kepware Technologies has announced the release of KEPServerEX 5.8, a major upgrade that includes new drivers, and several new features aimed at helping existing customers on Kepware’s support and maintenance program to improve their business operations, performance, and security.

To expand existing connectivity, KEPServerEX now features a new Allen-Bradley ControlLogix Unsolicited Driver, which greatly expands connectivity for plant wide optimization.  Also included in this release are advanced communications and infrastructure improvements to more fully integrate with Fisher ROC and ROC Plus Controllers providing customers with enhanced interoperability.  

Accompanying the KEPServerEX 5.8 release are updates for Kepware’s LinkMaster 3.0, RedundancyMaster 2.0 and ClientAce 3.5.  LinkMaster and RedundancyMaster are now fully supported on Windows 7/Vista and Windows Server 2008/2003 and have incorporated the same Kepware licensing and service support model as KEPServerEX V5. ClientAce 3.5 has been updated to include support for Visual Studio 2010 and contains additional sample code.

“Kepware customers expect us to deliver robust products and services based on our continuing commitment to research and development and focus on quality,” said Tony Paine, president and ceo of Kepware Technologies.  “The release of KEPServerEX 5.8 reflects our on-going efforts to enhance our products for our existing customers and allow them to solve their ever changing business challenges.”

KEPServerEX 5.8 also includes the addition of Modbus Channel Serialization, enhanced Device Level Communication Diagnostics to aid with performance tuning and assist with troubleshooting.  For security and regulatory control, KEPServerEX now delivers optimized event logging, finer user management control and allows the user to control whether or not client applications can directly access device memory.

Kepware Technologies has developed a wide range of communication and interoperability software solutions for the automation industry. Kepware solutions allow the connection of disparate software and hardware systems, providing applications with quality, ease of use, and high performance. In-depth experience with software design, development, support, and maintenance allows Kepware to provide high-performance communications software without sacrificing quality and ease of use. See more on www.kepware.com.

Security segmentation protection using Innominate mGuard firewalls.

Innominate mGuard firewall installation

ZF Sachs, an international automotive supplier for drive and chassis components, headquartered in Schweinfurt in Germany, has permanently improved the security of its industrial networks, by introducing a decentralized security architecture with industrial firewalls.

The requirement for stronger security in the production plants was primarily because of virus problems in the office network. Compared to the manageable risk of an office computer infection, the risk potential for production facilities was considered to be significantly higher. In order to minimize the risk of possible disturbances or even production downtimes through faulty accesses or malware, ZF Sachs decided to implement additional security precautions.

Decentralized security philosophy

The task of the new security architecture was to protect the production plants from both undesirable external and internal accesses and limit the spread of infiltrating virus attacks.

Sealing off the office network from the production network was considered to be the most suitable strategy; this was carried out with a large firewall and structured security architecture (defense in depth), with which critical individual systems could also be safeguarded. The control and filtering of network traffic through firewalls took on a key role. More perfectly organized and distributed protection, along with the greater degree of flexibility for a typical industry network design and lower investment/operating costs: all these factors argued in favor of a decentralized architecture with firewalls. The segmentation through VLAN-compatible switches into logically separated segments was evaluated and rejected, as virtual LANs were considered to be too difficult to control from a security point of view.

The automation technology and machine maintenance departments were responsible for the implementation, in coordination with the IT department. Along with the use of virus scanners in the production area, the most important measure became the segmentation of the production network into small and manageable machine networks. The assignment was conducted spatially based on building zones with additional Profinet components for individual installations. A total of 40 decentralized machine networks were implemented and each of these subnetworks was secured by an mGuard firewall from Phoenix Contact and Innominate.

“We evaluated different firewall security products under two main criteria. Industrial suitability with an extended temperature range was particularly important to us. We also needed a solution that could be integrated – as flexibly as possible and with a low level of complexity – into our automation component environment,” says Asmund Hey, head of automation technology for ZF Sachs technical services, in explaining the choice of the mGuard security solution.

Setting up decentralized firewalls

The implementation of the decentralized security architecture was based on the network structure plan. This describes the individual network segments and contains specifications concerning which device is attached to which port, as well as which IP addresses, MAC addresses, firmware version and product designations are given.

“To ensure that the decentralized architecture with 40 individual machine networks did not lead to greater configuration and operative effort, we first developed a basic set of common firewall rules for all subnetworks as an overriding control. The implementation was relatively simple,” reports Asmund Hey. For the rollout, the master parameters were read out from a memory chip upon start-up and applied to the subnetwork. This meant that most of the requirements were already covered. Only individual rules had to be added for special cases, e.g. for controller access to office server shares.

A three-month introductory and learning phase followed start-up, allowing any missing accesses or ports to be included. “During this phase, we realized how important a careful network architecture plan is. The more time invested here, the smaller the correction effort will be later. We also discovered the advantages of central device management,” says Asmund Hey, listing the most important experiences gained during the start-up.

Automation technology requirements

Various requirements need to be taken into account when setting up the decentralized security architecture. The production facility with Profinet components needed to be sealed off from disturbances from the network. The “8HP” (a torque converter for 8-gear automatic transmissions) requires TCP/IP communication on the level of Profinet protocols. In the process, a good deal of IP addresses had to be managed and a clear segmentation and sealing-off were necessary for the field bus components. As a jitter period of less than a microsecond is given for the response time behavior of the components in real time, they had to be consistently sealed off in a network to prevent disturbances like the typical broadcast. Therefore a dedicated network segment was reserved for the 8HP. A further requirement was 1:1 NAT (network address translation) for DNC (distributed numerical control) machines. This concerned the software for the distribution of the DNC programs running in the office network. Since the mGuard components support 1:1 NAT, no adjustments to the internal address space of the machines were necessary for the software.

Setting up port forwarding was a further important requirement, as central databases had to be accessed from the outside in the plant stations. Strict outgoing rules were also necessary. The spatial separation of plants leads to a distribution of the software and process data, which must then be centrally merged again on a server. Access to the central server is enabled through rules in the central firewalls, but any other uncontrolled access is prevented.

Decentralized firewalls have increased security

The mGuard security solution has been used at ZF Sachs for two years now. The decentralized firewalls in new plants or in plants with Profinet components are now equipped to protect against disturbances. “The decentralized networks run smoothly. There is nothing that halts the automation technology and operation continues largely without maintenance. We also successfully protected several older machines without virus protection from disturbances and attacks. Thanks to the segmentation, any virus brought in by a technician has not been able to spread into the network,” says Asmund Hey in summing up his experiences. And he has a good comparison, as the virus problem continues to be present in the office area or in old machines without firewall protection. Asmund Hey emphasizes that a secure production flow is also guaranteed when other network components fail. If this is the case, the firewall protects the plants from disruptive broadcasts or defective packages.

“The experiences we’ve had with the launch, operation and the security standard attained through the decentralized firewalls have all been very good. This is probably also due to the excellent support provided by Innominate. The response times are short, and if we have ideas or improvement suggestions, these are normally included in one of the next versions,” says Asmund Hey in describing the collaboration.

Further improvements are planned

One of the extensions under way now is setting up a central administration for the decentralized machine networks. Goals include standardization to the largest extent possible, uniform configuration and an easier administration of the networks. To this end, the Innominate Device Manager (IDM) is being introduced, which provides the status information of all administered components for a central monitoring. Finished configurations or updates can be transferred from the IDM to the decentralized firewalls. And a high degree of automation for the configuration of individual devices can be obtained through its template and inheritance technology.

Another project is related to the use of mGuards for remote maintenance. The plant manufacturer, but also the internal test equipment design, requires remote maintenance access. The employees at ZF Sachs have longstanding experience with remote maintenance. Through the new security architecture with the machines behind the firewall, however, a new solution needs to be found that is aligned with the altered security rules. The secure remote access via VPNs is therefore a highly interesting additional benefit provided by the mGuard protection.

About ZF Sachs

As the driveline and chassis components division of ZF Friedrichshafen AG, ZF Sachs AG is headquartered in Schweinfurt / Germany and employs a staff of 16,500 workers around the world. For more than 100 years, ZF Sachs has been a renowned partner of the automotive industry. Its products are not only used with traditional applications in cars, commercial vehicles, rail, construction and agricultural technology, but also in motorsports.

“I would rather lose money than trust”

September 23, 2011, marks the 150th birthday of Robert Bosch. “I would rather lose money than trust” is one of his best known sayings. Values such as credibility, reliability, and legality formed the basis of his entrepreneurial action – and have lost none of their validity for the company he founded. They are the compass for the Bosch Group’s innovative strength, quality standards, international orientation, and corporate social responsibility. In combination with these, they form the basis for ensuring the company’s lasting business success, as well as its ability to meet the challenges of the future, just as Robert Bosch would have wanted. Apart from the 150th anniversary of the birth of its founder, Robert Bosch GmbH is celebrating its 125th anniversary this year.

Turning a workshop into an international industrial enterprise

Robert Bosch was born on September 23, 1861, in Albeck near Ulm in southern Germany. Following an apprenticeship as a precision mechanic, and after having worked for several companies outside Germany, he opened his “Workshop for Precision Mechanics and Electrical Engineering” in Stuttgart on November 15, 1886. Referring to these early years, he once said: “My business, which was originally very small, gradually began to develop more swiftly after long and painstaking efforts.” Even then, this success was due to his innovative drive and high quality standards. The construction of a low-voltage magneto ignition device for vehicle engines in 1897 was the start of a long list of Bosch innovations. But It was its successor system, the high-voltage magneto ignition system launched by Bosch in 1902, that was the decisive commercial breakthrough for the young company. Under the guidance of Robert Bosch, the company developed a whole series of technical and technological innovations that made people’s everyday life and work significantly safer, more comfortable and more efficient. Examples include windshield wipers, the diesel injection pump, and power drills and drivers.

 

Bosch founded its first agency outside Germany in 1898, in the United Kingdom. This was the start of global expansion, with new branch offices and manufacturing sites being set up around the world. The early decision to nurture the company’s global presence and transform the business into a successful worldwide development, manufacturing, and sales network was one of the most important strategic initiatives undertaken by Robert Bosch.

Responsibility and social commitment

Robert Bosch was a socially minded entrepreneur. “Employer and employee are equally dependent on the fate of their company,” he wrote in an essay dating from 1920. In 1906, when he became one of the first employers to introduce an eight-hour working day, he was once again well ahead of his time. By shortening working hours, Robert Bosch eased the burden on his workers, and at the same time increased productivity by introducing a second shift. In other words, this was an entrepreneurial decision that benefited both the company and the workforce in equal measure. Apart from making several donations for civic initiatives and charitable causes, Robert Bosch also endowed a hospital in Stuttgart, which still bears his name to this day. In addition, the occupational and further training of his associates was an issue of the utmost importance to Robert Bosch. In 1913, he set up his own apprenticeship department with a training workshop. Associate training and qualification still command an important position at Bosch to this day. In September 2011, some 1,500 young people began a career at Bosch in Germany. In 2010 alone, each associate worldwide attended an average of two training courses.

His last will – still relevant today

Robert Bosch died in Stuttgart on March 12, 1942. In his will, he set out the fundamental guidelines for his successors. The financial independence and autonomy of Robert Bosch GmbH were especially important for him, since they would secure the company’s long-term success in the future as well. After the end of the second world war, Robert Bosch’s legacy paved the way for his company’s renewed rise to a global supplier of technology and services – in 2011, it is expected that the company’s roughly 300,000 associates will generate sales of more than 50 billion euros. The company’s successful rise has been marked by technological progress and corporate social responsibility – just as the company founder would have wanted.

How secure is your Automation System architecture?

Stuxnet has given us a wakeup call and we now need to take a fresh approach to how data is transferred and managed within all industrial control systems,” says Chris Evans of Mitsubishi Electric.

Last year’s incident involving the Stuxnet malware has shown that a typical automation architecture has weak points and vulnerabilities when it comes to security and this is leading many companies to question the traditional methods used to move information around and from the plant/asset to the enterprise level. While Stuxnet was targeted at one particular plant, it has far wider implications.

The stuxnet virus changed the point of attack in the business from the seemingly very secure top end to the somewhat vulnerable middle ground. So, are we seeing the start of a revolution?

Certainly, when business managers understand the implications of “doing nothing” then it is inevitable that changes to system architectures will follow.

Stuxnet was a malicious and targeted attack, which is very difficult to protect against.

The structure of the virus is now in the public domain, so mutations of stuxnet remain a threat and it is realistic to assume that ‘copycat’ malware will appear in the coming years targeted at a whole range of plant and applications.

However most incidents are not as sophisticated as Stuxnet, but they can still have wide ranging consequences for the businesses under attack.

There are two fundamental factors to consider, “probability” and “risk” and it is the analysis of these two elements which should shape any organisation’s security strategy going forward.

It is generally accepted that “gateway PCs” found in many automation architectures, represent weak points and are vulnerable to potential malware attacks from “the outside” and also from CDs and USB sticks.

Many of these PCs are used as networked workstations and therefore often contain the software to change and program the PLCs beneath this layer. This makes them an attractive target for anyone wishing to disrupt operations. Couple to this is the fact that many of these PCs have in the past been poorly maintained in terms of security patches and often contain unsupported legacy versions of operating systems, raising the risk factor considerably.

These gateway PCs were originally included to provide visualisation/control (SCADA etc), data/alarm logging and the link between the plant/asset and the enterprise systems. Initially PLC technology was not capable of delivering these requirements in an acceptable way, in other words, there was no alternative to this architecture.

Clearly from an operational point of view, these requirements are still fundamental delivery points for any system architecture but there are now alternatives to the traditional methods.

Mitigation or Change?

Many IT security companies can provide products and services to mitigate against attacks on PC based systems. These solutions are fine and coupled with a good business security regime can help protect the perceived weak points in any architecture.

However it is important to understand that many of the recent cyber security offerings in the automation arena have concentrated on dealing with the problem rather than exploring how to minimise the problem happening in the first place!

A New Way Forward

Over the last few years the more innovative companies have been developing technology which challenges the traditional automation architecture, so that they can offer a robust environment whilst delivering the operational requirements needed.

The basis of the new approach is to develop a solution which offers direct connection from the plant/asset to the enterprise systems within a ruggedized industrial form factor.

These systems are non PC based and are therefore not susceptible to the same operating system legacy issues that are found in a traditional PC based system.

This is complemented by the simultaneous development of intelligent solutions to provide data and alarm logging to be carried out locally at the PLC.

This technology has created the possibility of removing the gateway PC from the topology altogether. “But what about visualisation and control?” I hear you ask.

Well this is a fair question and there is no crusade here to remove SCADA/visualisation from the system but there are other ways of achieving the same criteria.

If data and alarm logging is happening directly at the PLC, then visualisation and control could be achieved by intelligent HMIs. Significantly, these HMIs do not have to be running a Windows operating system.

If SCADA PC nodes simply must exist, then moving the critical data/alarm logging to the local PLC means that the SCADA node can be the control and visualisation element of the system, whilst protecting this vital information in a more robust PLC environment. This is a simple but effective change in architecture that offers a viable alternative to traditional methods.

Mitigation techniques can then be deployed to minimise the risk with respect to the PC based SCADA or visualisation system. By using these techniques and technology the link between plant/asset and the enterprise can be achieved directly from the PLC level, thus minimising the risk.

Best of Both Worlds

It would appear that, as is often the case, the best approach to this new generation of malware threat is a multithreaded combination of a good set of mitigation techniques and “best practices” with a willingness to look at new innovative architectures to achieve the operational requirements but also reduce the inherent risk. Perhaps more than ever, good advice from acknowledged experts, an open mind, and awareness of current and potent new issues are critical.

The essential hardware

Mitsubishi’s “C Controller” range of automation solutions offers a flexible, secure, ruggedized environment that can house multiple “apps” to perform complex and challenging tasks. The C Controller forms part of the integrated iQ Platform and provides a non-PC based system that is not susceptible to the same operating system legacy issues that are found in a traditional PC based system.

The C Controller platform has enabled a whole host of solutions to be developed including a distributed secure database application and various connection options from asset to enterprise level, interfacing to SAP, Oracle, DB2 and other business systems solutions. This coupled with intelligent solutions to provide data and alarm logging to be carried out locally at the PLC, means that Mitsubishi can offer a secure, alternative architecture to traditional automation system topologies

This article was submitted by Chris Evans of Mitsubishi Electric.

Developments with UPS systems at Chloride

Last summer, ABB and Emerson had a bidding battle when both tried to buy the Chloride Group, based in the UK: the company has now become part of Emerson Network Power. Chloride supplies uninterruptible power supply (UPS) systems to major market sectors such as IT services (data centres), finance houses, telecommunications systems providers, as well as energy/oil and gas, transport and retail operations. Chloride recently launched an enhanced version of their Chloride 80-NET UPS, now available with up to 0.5MW capacity, which uses semiconductors (such as IGBTs – insulated-gate bipolar transistors, as also used on electric vehicles) to eliminate all transformers. The replacement of the typical phase shifting transformers by digital, near instantaneous control of voltage and current gives full input power factor correction (input PF>0.99), and can reduce the input current drawn by up to 20%, consequently reducing the required switchgear ratings and cable sizes, to maximize the usable power from the supply.  With the high conversion efficiency (98%) compared to traditional UPS systems at 94%, and low total harmonic distortion, the development has major commercial implications for data centres and the like.

Reduced total project costs

Lamberto Tassara, president of Chloride products and services for Emerson Network Power, said “The technology solves two major problems for data centres. Firstly, it frees them from the limited availability of grid power, and secondly it significantly cuts the capital costs and achieves high energy efficiency.”Rob Tanzer, technical support manager for Chloride AC Power explains “From the end-user perspective, 1MW worth of 98% efficient double conversion UPS will save around GBP100,000 per year in electricity bills alone. While the technologies in the actual UPS units make them more costly, a complete power protection package incorporating those technologies will be much cheaper, because since the transformerless UPS operates at near unity input power, the specifications of gensets, cabling and switchgear can be cut by around 20%, and UK Government Enhanced Capital Allowances can effectively cut up to 28% off project costs.”

Projects for the process industry

Process industry power quality requirements have tended to be less demanding than those of data centres etc, but with the growth of digital control, and high value production processes, even the Chloride 80-NET UPS technology has been applied to these industrial processes, such as refineries. Clients quoted on the Chloride website include BP, Total and EDF. Tanzer goes on to suggest that there are other technology developments in UPS systems that are suitable for process industry use. “Where incremental growth of capacity is required, or very low loads may be encountered, the technology to watch is Chloride Trinergy. It is scalable to between 200kW and 9.6MW, and the technology, introduced in the past year, is really rather special, representing something of a departure for the UPS industry. Whilst it is a double conversion UPS, it has the capacity to use its output inverter as an active harmonic filter, drawing directly from the grid but remaining connected to the batteries. If mains power deteriorates or fails, Trinergy has the capacity to provide the same protection as double conversion technologies, but with throughput losses of around 2% (based on UK mains power quality), which, because it is modular, it is able to sustain even when subjected to loads of as little as 20%.”

Entering the USA market?

Interestingly, the press release for the Chloride 80-NET UPS announces that it is launched everywhere in the world, except North America. In January 1999 Chloride acquired Oneac, which was to “provide a vital introduction into the US market for UPS and power conditioning”. This was followed by an August 2002 announcement of “an investment programme in research and development in order to access the important US power protection marketplace for 3 phase UPS”. It is likely that there will be a stronger emphasis on sorting out these products for the USA and Canada, now that the company wears an Emerson logo!

Stuxnet updates: October

Following reports that the Stuxnet code has been published on the internet, for anyone with malicious intent to copy as they desire, Norman Data Defense systems warn that it is more important than ever to review security systems in use on industrial SCADA systems. A webinar will be aired on 28th October to discuss this further.
David Robinson, UK and Ireland country manager, Norman Data Defense said: ‘It was just a matter of time before the Stuxnet code was published on the web for anyone, with even the most basic knowledge of coding, to alter and potentially wreak havoc on the industry. Now is the time to review IT security, no matter how small the risk. This is big news.’
‘This new type of virus has a boot file built-in and now that the code is in the hands of any malware writer it could mutate very quickly’ added Robinson, who will host a webinar on the subject on 28th October at 2pm BST at www.norman.com. Robinson has fifteen years experience working with companies such as Mistubishi, Rockwell and Intelluition working on SCADA and plant intelligence software.
But it’s not just memory sticks that can spread this virus. ‘These days anyone with a laptop or a device that connects remotely to a wireless network inside a company’s firewall, is putting that company at risk. It will just be a matter of time before Stuxnet or its successors are evolved to wreak havoc on control systems and any other system that the user connects to if their laptop or portable device is infected.’
Norman Data Defense recently carried out research among ordinary workers and found that over half of people surveyed are more cautious with security issues when using their own PC/laptop that they are with their work one. And over three quarters of people would expect a pop up to appear on their screen to alert them to a breach of security which of course is not always going to happen.
Microsoft has issued patches to help users on Windows systems to protect themselves against Stuxnet, but, warns Robinson: ‘My fear is that, with patch management protocols rarely in place in a control system environment, these warnings will go unheeded.’