Firewalls are seen as pillars of both business-focused and industrial control-system-focused cybersecurity programs. But how secure are firewalls really? Firewalls have been with us for 25 years. While their limitations are well known to both black-hat and white-hat experts, those limitations are much less well known to everyday security practitioners.
This article catalogs 13 classes of attacks that target firewalls, or target the systems that firewalls are supposed to protect. Each attack description is written as if the objective were to penetrate only one layer of firewalls. In practice, firewalls are deployed in many layers separating the Internet from industrial control and safety networks. The descriptions, though, generally cover an attack through one layer each, the thinking being that once one layer of firewalls has been breached, the same kinds of attacks can be mounted from the newly reached network against the next layer of firewalls in the layered defensive architecture.
Rather than simply sow fear, uncertainty, and doubt, we also evaluate a handful of alternatives and compensating measures. A “green” grade means the measure blocks nearly all attacks in the class. “Yellow” means only some of the attacks can be blocked. “Red” means the measure is largely ineffective for this class of attack. For intrusion detection technologies, the green/yellow/red grades mean the technology can detect nearly all, some, or none of the attacks in the class.
The alternatives and compensating measures are:
2-FACT: 2-factor authentication is the use of biometrics, smart cards, or some other measure in addition to a password to identify and authenticate individuals seeking to access protected equipment. 2-factor authentication is used regularly on remote access mechanisms for industrial networks but is used much less commonly inside industrial networks, in part because of concerns about slowing down emergency response in safety emergencies.
ENC: Encryption is the use of cryptosystems to protect either the confidentiality or authenticity of data communications mechanisms. Encryption is starting to be used fairly routinely in client/server interfaces for modern control systems, and these are the communications most likely to pass through a firewall. Encryption is occasionally used when data must pass across wireless networks or wide-area networks. Encryption tends not to be used when communicating between distributed control system (DCS) software and programmable logic controllers (PLCs) or other devices.
RULES: Firewalls themselves can protect against some attacks if their configurations and rules are improved or made more specific.
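As an added illustration of what "more specific" rules mean in practice (this is an example written for this edit, not a configuration from the original article), the nftables fragment below shows a typical over-broad rule between a business network and a control network, and then a tightened rule set. All addresses, host roles and the log prefixes are constructed for the example: 10.1.0.0/16 is the business network, 10.1.0.20 the one historian collector allowed through, 192.168.50.0/24 the control network and 192.168.50.10 the plant historian it is allowed to reach. OPC UA on TCP 4840 and Modbus/TCP on TCP 502 are the standard ports for those protocols.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the original article. Load with: nft -f <file>
# Constructed addresses: 10.1.0.0/16 business, 192.168.50.0/24 control.

flush ruleset

# --- Weak (shown commented out): "let the business network reach the
# control network". Any business host can reach any control device on any
# port, so one compromised workstation can scan and attack PLCs directly;
# Modbus/TCP (502) carries no authentication at all.
#
# table inet weak {
#     chain forward {
#         type filter hook forward priority 0; policy accept;
#         ip saddr 10.1.0.0/16 ip daddr 192.168.50.0/24 accept
#     }
# }

# --- Tightened: one client, one server, one protocol, one direction.
table inet ics_boundary {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Reply traffic for sessions permitted below; nothing else.
        ct state established,related accept

        # The historian collector reads from the plant historian over
        # OPC UA (TCP 4840). No other source, destination or port.
        ip saddr 10.1.0.20 ip daddr 192.168.50.10 tcp dport 4840 ct state new accept

        # Engineering access to PLCs (Modbus/TCP 502) stays disabled until a
        # change window opens; enable by uncommenting, then re-disable.
        # ip saddr 10.1.0.30 ip daddr 192.168.50.0/24 tcp dport 502 ct state new accept

        # Control devices never open connections outward. An outbound
        # attempt from the PLC subnet is itself worth an alert, so log it.
        ip saddr 192.168.50.0/24 log prefix "ICS-OUTBOUND-DENY " drop

        # Everything else: log, then drop (the chain policy also drops).
        log prefix "ICS-BOUNDARY-DENY " drop
    }
}
```

Verify the loaded rules with `nft list ruleset` and confirm from a business host that a connection to 192.168.50.10 on any port other than 4840, or from any host other than 10.1.0.20, is refused and logged. The caveat a practitioner should keep in mind is that a permit rule, however specific, still passes whatever rides inside the permitted protocol session, which is why tighter RULES help against some attack classes and not others in the grading used in this article.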
HIDS: Host intrusion detection and intrusion prevention systems can detect and/or prevent certain classes of suspicious activities. Anti-virus systems, application control/whitelisting systems, removable device controls, and file-change monitoring all fit here. These are all technologies intended to harden the typically “soft interior” of control networks.
NIDS: Network intrusion detection and intrusion prevention systems can detect and/or prevent certain classes of suspicious communications. These systems may be separate appliances, or they may be built into firewalls. These systems may be signature-based systems or may be learning-based or anomaly-based systems as well.
PATCH: Security update or “patch” programs regularly test and install updated versions of software and operating systems to repair software defects that are security vulnerabilities. Patch programs are particularly challenging for change-controlled networks because of the risks to safety and reliability inherent in any change to executable code.
UGW: Unidirectional security gateways allow information to flow out of a protected industrial network but are physically unable to send any attack or communication at all back into the industrial network. The gateways replicate industrial servers to business networks. Business applications and business users access only the replica servers.
Andrew Ginter is the director of industrial security at Waterfall Security Solutions. Andrew spent 25 years developing – and leading the development of – control system software products, control system to ERP middleware products, and industrial cybersecurity products. Andrew represents Waterfall to ISA99, NERC-CIP, and other cybersecurity standards bodies and writes and speaks frequently on industrial cybersecurity topics. Contact Andrew at firstname.lastname@example.org.
A version of this article first appeared at InTech magazine.