Justin Lowe

• 
  CONTROL Magazine | Main Homepage | |... - [Cached Version]
  Published on: 3/1/2004    Last Visited: 2/24/2005  

  Justin Lowe, a security analyst at PA Consulting, explains it best: “There is no silver bullet,†he says. “A suite of security measures are required but only around 30% of the solution is technical.

• 
  CONTROL Magazine | Main Homepage | |... - [Cached Version]
  Published on: 4/12/2005    Last Visited: 4/26/2005  

  Star turns were Gary Sevounts, director of Power, Energy and Utilities with Symantec in the US; Justin Lowe, principal consultant with PA Consulting Group; and Eric Byres of the British Columbia Institute of Technology.
  ...
  Lowe and Byres, it will be recalled, are the joint authors of ‘The Myths and Facts behind Cyber Security Risks for Industrial Control Systems,†the report published earlier this year which highlighted how the principal focus of cyber security measures needed to switch from internal to external threats, since the latter now accounted for 70% of cyber attacks.
  ...
  Although much of the current concern about security stems from the increasing tendency to link manufacturing and corporate systems, it's worth noting that, according to Lowe, only 43% of infections with worms and viruses currently gain access via the corporate network, the remaining majority come through various back doors into the manufacturing system itself.Particularly worrying trends, he believed are the growing reliance on outsourcing which results in key parts of the PC network being outsourced, although they remain physically connected, and the increasing use of wireless without adequate security precautions.
  
  Interesting Consequences Lowe repeated the warning that the hacker community is taking an increasing interest in industrial systems, recent hacker conferences in the UK having included presentations on industrial protocols such as Modbus.Hackers are taking an increasing interest in industrial systems because of the challenges they present and, perhaps most worryingly, because “the consequences are so much more interesting.â€
  
  Perhaps the most serious threat currently arises from the time which elapses between security patches being issued by Microsoft and those patches being validated and implemented on industrial systems.
  
  According to Lowe, those wishing to exploit security loopholes are able to reverse engineer a patch and hence identify the vulnerability it is designed to address within a matter of days, while the time to implement the patch on a typical industrial system is of the order of months, during which time all such systems are open to attack.Lowe seemed to be reluctant to put the blame onto Microsoft itself, pointing out that it has never claimed that Windows is anything other than a generic computing platform, but it is clear that automation software vendors, regulatory authorities and end users need to address more effective solutions as a matter of urgency.At least one delegate to the conference from the pharmaceutical industry planned to go straight back and break the links between his organization's manufacturing and corporate systems immediately, said Lowe.
  
  On-going Process Stressing that cyber security is an ongoing process rather than something which can be implemented and forgotten, Lowe detailed a series of measures which should form the basis of a cyber security strategy for industrial users, beginning with a business risk assessment and the implementation of short and longer term improvements.

• 
  Digital Energy Journal - [Cached Version]
  Last Visited: 1/11/2007  

  - Ian Henderson, advisor on process control digital security with BP, gave a joint presentation with Justin Lowe, managing consultant with PA Consulting Group, about ... >>more

• 
  Hackers target utilities' control systems - [Cached Version]
  Published on: 10/20/2004    Last Visited: 10/20/2004  

  If people hack into electricity distribution and water systems, there could also be a big impact," said Justin Lowe, principal consultant at PA Consulting.
  
  The research, based on an analysis of incidents reported anonymously by process manufacturers, is the first to use hard statistics to assess the risks.It will be published at the VDE Process Industry Congress in Berlin.
  
  The findings have shown that the number of recorded attacks against plant control systems has risen sharply over the past three years as more manufacturers replace specialist control systems with networked Windows-based devices.
  
  Control devices, which can be accessed over the internet through wireless links or dedicated telephone lines, either for programming or to feed back management data, have left plants much more vulnerable to electronic attack, said Lowe.
  
  Manufacturers and control systems suppliers have not been as quick to develop technology such as firewalls, anti-virus systems and intrusion detection systems as other parts of the IT industry, because until now the risks have been less clear, said PA.
  
  Control equipment suppliers have been reluctant to allow their customers to apply patches to control systems without accreditation testing - a process that can take up to nine months.This is understandable because a mistake in a patch could result in serious damage to a plant.
  
  However, Lowe said this is of little help when hackers can create worms to attack new vulnerabilities in a matter of days.
  ...
  The greatest hacking risks come from former employers or contractors with specialist expertise in control equipment, but a hacker without specialist knowledge could place a plant at risk by launching a denial of service attack, said Lowe.

• 
  Industrial Strength Security? - [Cached Version]
  Last Visited: 12/8/2004  

  And that's why securing industrial information systems should be on your 2005 to-do list, says the PA Consulting Group's Justin Lowe, an industrial process control engineer who has spent the past several years focused on the security of these systems.
  ...
  The number of reported information security incidents affecting industrial systems rose sharply after 2001, according to a study by Lowe and British Columbia Institute of Technology cybersecurity researcher Eric Byres.
  ...
  Meanwhile, garden-variety hackers are turning their attention to industrial networks, which they view as more challenging and rewarding break-in targets, says Lowe."It could have more interesting effects, and once you're in there it's possibly easier because the systems are not as secured," he adds.
  
  With the exception of an insider, such as a former employee, a hacker gaining access to an industrial network might not be able to target the precise control system to open a valve to cause a chemical spill.But such knowledge wouldn't necessarily be required "to cause some serious havoc," Lowe says.Think of the Northeastern blackout of 2003.
  ...
  Byres and Lowe classified Reed's Soviet cyberwarfare story in their study as a "likely but unconfirmed" example of real-world damage from a cyberattack.
  ...
  Source: Justin Lowe, PA Consulting Group

• 
  Industrial Strength Security? - [Cached Version]
  Published on: 1/19/2005    Last Visited: 1/19/2005  

  And that's why securing industrial information systems should be on your 2005 to-do list, says the PA Consulting Group's Justin Lowe, an industrial process control engineer who has spent the past several years focused on the security of these systems.
  ...
  The number of reported information security incidents affecting industrial systems rose sharply after 2001, according to a study by Lowe and British Columbia Institute of Technology cybersecurity researcher Eric Byres.
  ...
  Meanwhile, garden-variety hackers are turning their attention to industrial networks, which they view as more challenging and rewarding break-in targets, says Lowe."It could have more interesting effects, and once you're in there it's possibly easier because the systems are not as secured," he adds.
  
  With the exception of an insider, such as a former employee, a hacker gaining access to an industrial network might not be able to target the precise control system to open a valve to cause a chemical spill.But such knowledge wouldn't necessarily be required "to cause some serious havoc," Lowe says.Think of the Northeastern blackout of 2003.
  ...
  Byres and Lowe classified Reed's Soviet cyberwarfare story in their study as a "likely but unconfirmed" example of real-world damage from a cyberattack.
  ...
  Source: Justin Lowe, PA Consulting Group

• 
  Managers should not be tempted by discounted wireless... - [Cached Version]
  Published on: 3/19/2004    Last Visited: 11/9/2004  

  But this can be a false economy if it opens up a manufacturing plant to attacks from computer viruses or hackers, said Justin Lowe, principal consultant at PA Consulting.
  
  "Manufacturers need to examine the risks, examine their systems, identify the potential source of an attack, find out the impact of an attack and discover how they are putting themselves at risk," Lowe said.
  
  However, securing control systems is far from straightforward.Simply plugging firewalls or anti-virus software designed for IT systems into a control system is not an option - the risks are too great.
  
  "There is one example of a security monitoring firm that did a network scan and crashed all the PCs in a production plant, causing millions of dollars of lost production.You need to be careful how these technologies are deployed," Lowe said.
  
  Solving the problem requires process manufacturers to encourage plant engineers and IT staff to work together to develop security countermeasures.
  
  "Many of the standard security technologies in IT can be used in control systems, but they need to be carefully monitored and designed.It is not just a case of putting in a standard IT solution," Lowe said.
  
  A mixture of firewalls, virus protection, segregated networks and intrusion monitoring should protect process manufacturers from attack.
  
  "You also need to train plant operators.Its not just a matter of throwing a firewall into a system," Lowe said.

• 
  Manufacturing Excellence 2004 News - [Cached Version]
  Published on: 5/2/2004    Last Visited: 11/22/2007  

  Justin Lowe (PA Consulting Group)

• 
  PA Consulting Group - 2004 - Article about PA -... - [Cached Version]
  Published on: 10/19/2004    Last Visited: 6/24/2006  

  But this can be a false economy if it opens up a manufacturing plant to attacks from computer viruses or hackers, said Justin Lowe, principal consultant at PA Consulting.
  
  "Manufacturers need to examine the risks, examine their systems, identify the potential source of an attack, find out the impact of an attack and discover how they are putting themselves at risk," Lowe said.
  
  "There is one example of a security monitoring firm that did a network scan and crashed all the PCs in a production plant, causing millions of dollars of lost production.You need to be careful how these technologies are deployed," Lowe said.
  
  Solving the problem requires process manufacturers to encourage plant engineers and IT staff to work together to develop security countermeasures.
  
  "Many of the standard security technologies in IT can be used in control systems, but they need to be carefully monitored and designed.It is not just a case of putting in a standard IT solution," Lowe said.
  
  "You also need to train plant operators.Its not just a matter of throwing a firewall into a system," Lowe said.

Page:  1 2