What's Wrong With IT-style Cybersecurity Approaches?
By Andrew Ginter
It's no longer surprising to learn about serious security breaches at even the largest companies. Whether it's a cyberattack carried out by hackers or some negligence that exposes employee or customer data, IT security has more challenges than ever. Data breaches are troublesome, and they can be costly for any company, both financially and in terms of reputation. That's only information, though. What happens when this kind of compromise allows a hack into industrial control systems (ICS) in critical industrial infrastructures?
These systems control powerful, expensive industrial processes, such as power plants and water purification systems, that modern societies depend on to maintain a high standard of living. Any unauthorized and unqualified operation of these powerful tools, however briefly, is considered an unacceptable risk; after all, unlike compromised computers on IT networks, costly industrial equipment cannot be "restored from backup" if it is mis-operated or damaged. Last year, for example, hackers broke through firewalls to compromise the control system for a blast furnace at a steel mill in Germany. The breach resulted in massive damage to the furnace, but fortunately there were no injuries reported.
IT security "defense in depth" practices have long been held up as the gold standard for control system security programs, but experts recently have been adjusting this advice. IT security programs assume Internet-facing firewalls are fundamentally porous because those firewalls must, by design, permit thousands or sometimes millions of electronic mail messages, Web pages and other content to flow into protected networks every day. Control system firewalls are equally porous; while they may not forward electronic mail into the control system, all firewalls forward messages. Control system firewalls exchange messages between control system networks and corporate networks that are, from time to time, compromised. Every one of these messages may contain an attack. Every path through a firewall that allows data to flow either into or out of a protected network also allows attacks into the protected network.
IT security further assumes that, in spite of our best efforts, the software inside our networks can be breached. All software has bugs and security vulnerabilities; for evidence of this, look at how many security updates are issued for software on IT networks every week. IT's conclusion, then, is that all IT networks will eventually be compromised, either by common malware or by more sophisticated attacks. The IT gold standard therefore concludes that intrusion detection is the pinnacle of any defense-in-depth program. Intrusion detection systems monitor IT networks and enable IT security experts to search for, find and restore compromised computers.
Increasingly, experts are recognizing that this approach is less than optimal for industrial control systems. Intrusion detection, investigation and remediation take time, anywhere from hours at best to weeks and months at worst. On an industrial network, for that entire time, an unauthorized, untrained, unqualified attacker has remote control of equipment on a control system network. Again, this is almost always regarded as an unacceptable risk. Intrusion detection is still seen as the pinnacle of a defense-in-depth program on control system networks, but experts are recognizing that this pinnacle must be supported by a comparatively much stronger foundation of intrusion prevention capability.
This problem becomes more pronounced as more businesses outsource data analytics and other functions to the cloud, with only layers of firewalls and a "demilitarized zone" intermediate network or two protecting industrial networks from threats on the Internet.
Unidirectional Security Gateways, now being deployed widely in industrial control systems, are the alternative to porous-by-design firewalls. The gateways replicate relational database, historian database and other servers from industrial networks to corporate networks in real time, so corporate users and applications have continuous access to live industrial data. At the same time, the gateways physically prevent any attack or any message from returning into the industrial networks. Even one layer of Unidirectional Gateways in a layered, defense-in-depth network architecture is enough to break the chain of attack and infection from the Internet and from corporate networks. The gateways enable real-time data access for corporate systems, Web servers, cell phones, cloud services and others, without putting the industrial network at risk.
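To make the replication model described above concrete, here is an added Python simulation; it is not Waterfall's product code and the class names, message format and loss pattern are hypothetical. It models a channel whose transmit side cannot receive and whose receive side cannot send, an ICS-side historian sender and a corporate-side replica. Because nothing can flow back there is no acknowledgement, so the sender numbers its messages and periodically re-sends a full snapshot, the replica counts sequence gaps and resynchronises from the next snapshot, and a corporate-side attempt to write a setpoint back to the plant is refused by construction.

```python
import json

class OneWayChannel:
    """Hypothetical data-diode model: TX side cannot receive, RX side cannot send."""
    def __init__(self, drop_every=None):
        self.queue, self.sent, self.drop_every = [], 0, drop_every
    def tx_send(self, frame):
        self.sent += 1
        if not (self.drop_every and self.sent % self.drop_every == 0):
            self.queue.append(frame)            # otherwise lost; no ACK can report it
    def rx_send(self, frame):
        raise PermissionError("receive side has no transmit hardware")

class HistorianReplicator:
    """ICS-side sender: numbers updates and re-sends a full snapshot every n messages."""
    def __init__(self, channel, n=4):
        self.ch, self.n, self.seq, self.tags = channel, n, 0, {}
    def update(self, tag, value):
        self.tags[tag] = value
        self.seq += 1
        msg = {"seq": self.seq, "snapshot": self.seq % self.n == 0}
        msg["tags"] = dict(self.tags) if msg["snapshot"] else {tag: value}
        self.ch.tx_send(json.dumps(msg).encode())

class CorporateReplica:
    """Corporate-side receiver: applies deltas, counts gaps, resyncs on snapshots."""
    def __init__(self, channel):
        self.ch, self.tags, self.last_seq, self.gaps = channel, {}, 0, 0
    def poll(self):
        frames, self.ch.queue = self.ch.queue, []
        for msg in map(json.loads, frames):
            self.gaps += msg["seq"] != self.last_seq + 1   # missing frame detected
            if msg["snapshot"]:
                self.tags = dict(msg["tags"])               # full resynchronisation
            else:
                self.tags.update(msg["tags"])               # deltas carry absolute values
            self.last_seq = msg["seq"]
        return dict(self.tags)

def run_demo(drop_every=3):
    ch = OneWayChannel(drop_every)                 # constructed: every third frame lost
    sender, replica = HistorianReplicator(ch), CorporateReplica(ch)
    for tag, value in [("furnace_temp", 1500), ("pump_rpm", 900), ("furnace_temp", 1510), ("valve_pct", 40)]:
        sender.update(tag, value)
    state = replica.poll()
    try:                                           # corporate side tries to write a setpoint back
        ch.rx_send(b'{"cmd": "set", "tag": "valve_pct", "value": 100}')
    except PermissionError:
        return state, replica.gaps, True           # write-back refused by construction
    return state, replica.gaps, False
```

With the lossy channel the replica sees one gap but converges on the sender's full tag table once the snapshot arrives; with no loss it converges with no gaps.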
Unidirectional gateway technologies and products have come into widespread use, especially in the field of electric power generation. Experts in many fields are updating best practice advice to reflect this comparatively new technology and its contributions to security programs.
France's ANSSI ICS security standards, published last year, are the latest example. The ANSSI standards plainly forbid the use of firewalls to connect control networks to corporate networks in the most societally important critical infrastructures. American standards are heading in that direction as well. The North American Electric Reliability Corporation's Critical Infrastructure Protection (NERC CIP) V5 standards reward users of unidirectional gateways with simplified compliance rules. The latest draft of the NIST 800-82 standard is also adding new material to position unidirectional gateways within control system defense-in-depth programs.
Just as computers and software only become more complex and more capable over time, cyber-attacks only become more sophisticated, driving updates to our security programs and practices. With one standards body after another adding unidirectional security gateways to their advice, the time has come for all control system security practitioners to consider the technology. The time has come to ask: "Are any of our control systems or industrial equipment expendable enough to be protected any longer by firewalls alone?"
About the author: Andrew Ginter is vice president of Industrial Security at Waterfall Security Solutions. He has managed the development of commercial products for computer networking, industrial control systems, control system to enterprise middleware and industrial cyber security. Ginter is currently the co-chair of the ISA SP-99 WG1 working group and represents Waterfall Security Solutions to NIST, NERC-CIP, other ISA SP-99 working groups, and other standards bodies. He writes and speaks on industrial control system cyber security topics.