Protecting Industrial Internet Applications
Bayshore Network Case Study
Today’s utilities, factories and other infrastructure are exposed to high risk. The software that controls many of these entities is not protected. In the last 20 years, the way industrial environments operate has completely changed. Many industrial systems were designed with permissive set-ups that assume only the “right people” in the “right place” would ever give instructions. Past systems were not built with exposure to the internet in mind, and as a result they relied on this “air gap” to limit access to onlyauthorized personnel within the organization. The rate of innovation within technology and wireless systems has outpaced the rate of development in security features. Control centers have gotten better – high tech displays and more capability, but this has led to an exposure to untrusted environments… and in many cases this threat has not been addressed.
Bayshore Networks is a cyber security solutions provider that serves to fill this need in the industrial internet application space. They provide security solutions to factories and industrial controls, without forcing them to completely overhaul their systems. Their products help industries – like water and energy providers – secure data transfer within these environments. Bayshore’s unidirectional data diode, SCADAfuse, provides a bridge to enable communications from the facility to the controller’s platform securely.
Their Need
Bayshore’s product, SCADAfuse, protects SCADA (Supervisory Control and Data Acquisition) systems, i.e. the “control systems” of the plant or data center. SCADA systems are networks of computers and devices that monitor and control a plant’s systems, and allow operators to see and make changes to the state of the system, via graphical user interfaces (GUIs).
In a utility or factory, SCADA systems convert raw data received from sensors, gauges and pressure monitors into information and dashboards that are easier for controllers and operators to understand. These dashboards are control centers and provide the means to monitor and adjust settings. The dashboard applications are often exposed to the web. A hacker gaining unauthorized access to the control centers of power or water plants can issue dangerous instructions and initiate destructive activities and can potentially lock legitimate users out. While hacking techniques have become more refined, most data centers have no industrial control security policies in place. Hackers can discover vulnerable systems simply by scanning for them across the Internet, then penetrate them by using dictionaries of known passwords. This leaves the most critical pieces of a region’s power and water at risk.
SCADAfuse is the unidirectional data diode that serves as the “last line of defense” a control center has and utilizes a Windows graphical front end. The graphical front end is also exposed to potential attack, and Bayshore sought out a solution to protect this layer of their product.
Penetration Testing
Prior to protecting the GUI of SCADAfuse, the application was sent to a 3rd party pen testing team in Spain. The team was able to penetrate and compromise the tool, tampering with the application, and in the words of a developer “walked all over the code.”
After seeing the results of this pen test, the engineers chose PreEmptive Protection as the best way to mitigate reverse engineering and code tampering threats. By obfuscating the graphical front end of SCADAfuse, Bayshore was able to protect the exposed endpoint from bad actors entering through this vulnerable point.
Solution
After using Dotfuscator, the Windows front-end was no longer exposed. Even the developers who wrote the original code could not read the protected code after attempting to reverse engineer it. The program was understandable only to the developers and not to the outside world.
When asked about what factors contributed to choosing Dotfuscator, the lead Product Development Specialist described his ideal product: “I look for optimization of my time always. I don’t want to become an expert in any product. I just want to know enough to get it to do what I need it to do. And then not have to deal with it anymore. That’s the perfect product.” He went on to say, “The reason I chose to go with Dotfuscator is – since it’s been around for so long, I figured it was my best chance for success. It seems like you [PreEmptive] have the most history with Visual Studio. Comparing your competitors’ sheet with your sheet, it seems you had a richer feature set.”
Bayshore Technologies provides innovative security solutions to their clients. At PreEmptive, we take pride when another security solutions provider chooses our products to integrate into their product. Securing data centers, utility controls, and factory operating systems requires a multi-layered security strategy, and we are happy to contribute to one small part of it.
Visit our resources page for a PDF version of this case study.