A Single Cyber Defense is the Weakest Form of Cyber Protection

A Single Cyber Defense is the Weakest Form of Cyber Protection

This article was written by Eric J. Byres, a well-known industry expert in the field of industrial cybersecurity and chair of the ISA99 Security Technologies Working Group.

The past two years have been a real wake-up call for the industrial automation industry. For the first time ever, it has been the target of sophisticated cyber-attacks like Stuxnet, Night Dragon and Duqu.

The most destructive post-Stuxnet threat is the malicious malware known as Shamoon. As with Stuxnet, Duqu, and Flame, it targeted organizations in the Middle East, in this case Saudi Aramco, Qatar’s RasGas, and likely other oil and gas concerns in the region. It is a new species, however, because it did not disrupt an industrial process as Stuxnet did, nor did it stealthily steal information as Flame and Duqu did.Keeping Your Computer Safe

Instead it removed and overwrote the information on the hard drives of 30,000 to 55,000 (yes, those numbers are correct!) workstations of Saudi Aramco (and who knows how many more at other firms). It is believed to have been launched by a single disgruntled employee working inside the corporate firewall.

What Shamoon and the others teach us is that relying on a single defensive solution (like a single Internet firewall) exposes a system to a single point of failure. No matter how well-designed or strong that single defense is, either resourceful adversaries or Murphy’s Law eventually results in the defense malfunctioning or being bypassed. When that happens, the entire system is wide open to attack. A far more effective strategy for reliable security is called “Defense in Depth.”

Back to the basics

The Defense in Depth strategy is not something unique to ICS/SCADA security. In fact, it is not even unique to cyber security. It is a military strategy that has been around since days of the Romans. If you search the Internet, the first definition you will find is the military one on Wikipedia:

Defense in Depth (also known as deep or elastic defense) is a military strategy; it seeks to delay rather than prevent the advance of an attacker, buying time and causing additional casualties by yielding space. Rather than defeating an attacker with a single, strong defensive line, defense in depth relies on the tendency of an attack to lose momentum over a period of time or as it covers a larger area.

Defense in Depth for banking security

Unfortunately, if you want to secure your control system, the above definition does not help you much. So let us look at security in a bank and see what we can learn.

Ever wonder what it is that makes a typical bank so much more secure than a home or convenience store? It is not because banks have stronger steel doors or armed guards. Those help a bit, but are quickly offset by the fact that a bank’s adversaries (i.e., professional bank robbers) are also better armed and more determined than the typical house burglar.

The first answer is that a bank employs multiple security measures to maximize its security. For example, just to name a few defenses, a typical bank has steel doors, bulletproof windows, security guards, room-sized safes, security boxes, alarm systems, cameras, and security-trained tellers. Even more important, not only are there more defensive layers at a bank, but each layer is designed to address a specific type of threat at the point where it is employed.

For example, bank doors are effective, but simple, security devices. They are either locked or unlocked. They either grant or deny access to customers on an all-or-nothing basis—regardless of what a visitor looks like or how the visitor behaves.

One layer up is the security guards—they perform access control to “clean” the general flow of people into the bank. They ensure that access to the bank is for people who have a legitimate need to be there and will “behave” within expected norms. They regard each visitor based on specific criteria, such as wearing a mask, suspicious behavior, acting erratically, etc.

At yet another level, the tellers, security box keys, passwords, etc. keep these pre-screened customers from accessing other accounts or information. Rather than worrying if a visitor should or should not be in the bank, the tellers and passwords present a different layer of security: account security. These measures “filter” what account access individual customers are allowed, based on who they are.

Multiple differentiated layers

The bank analogy points out three important aspects of Defense in Depth:

  • Multiple layers of defense. Do not rely completely on a single point of security, no matter how good.
  • Differentiated layers of defense. Make sure that each of the security layers is slightly different. This ensures that just because an attacker finds a way past the first layer, they do not have the magic key for getting past all the subsequent defenses.
  • Context- and threat-specific layers of defense. Each of the defenses should be designed to be context- and threat-specific.

This last point is the most subtle and perhaps the most important. Going back to the bank example, note that banks do not simply have additional security guards at every level. Banks understand that threats come in different flavors, ranging from the desperate drug addict with a gun to the sophisticated fraud artist. Thus for the banks, each defensive layer is optimized to deal with a specific class of threats.

Designing for the threat

So what does this have to do with security on the plant floor? Like the bank, the SCADA/ICS system can be exposed to a variety of different security threats, ranging from disgruntled employees, to computer malware, denial of service attacks, and information theft. Each needs to be considered and defended against.

For example, a boundary firewall can act like the bank guard, so that network messages using specified protocols are either permitted or denied access into the control network. This is ideal for keeping the bulk attacks out, particularly the average IT worm or the common denial of service attack.

Deeper into the control system, more sophisticated SCADA-aware firewalls can observe the traffic beyond the obvious protocol types. This allows defenses based on the behavior and context of the systems using these protocols on the control network. For example, if an operator station computer suddenly starts trying to program a PLC, then perhaps a worm like Stuxnet or a disgruntled employee is at work. These attacks need to be immediately blocked and alarms raised to prevent serious risk to the system.

Finally, servers and controllers with a robust security implementation can act like a well-trained bank teller. After a user successfully connects to a server or controller, the security configuration ensures they only get access to the specific applications and data they are supposed to have access to. Attempts to access other services or data should be blocked and logged.

As with the steel doors, the bank guard, and the teller example, the perimeter firewall providing the boundary security, the SCADA/ICS firewall providing the internal security, and the server providing the application security are an essential team. For example, a firewall can block millions of randomly malformed messages directed at a control system as part of a Denial of Service (DoS) attack. At the same time, deep packet inspection and user authentication checks can prevent an attacker or worm inside the firewall making changes that might risk property or lives.

Providing reliable security for the plant floor

Depending upon a single defense, such as perimeter firewall, is building a security solution based on a single point of failure. Make sure that your facility has a proper Defense in Depth design where the network, control devices, and systems are collectively hardened-thereby providing reliable security for the plant floor.

Eric Byres3

About the Author
Eric Byres, CTO and VP Engineering of Tofino Security (part of Hirschmann, a Belden Brand), is a well-known industry expert in the field of industrial cybersecurity and is chair of the ISA99 Security Technologies Working Group, chair of the ISA99 Cyber Threat Gap Analysis Task Group and Canadian representative for IEC TC65/WG13, a standards effort focusing on an international framework for the protection of process facilities from cyberattack. Eric was recognized for his contributions to the automation industry when honored by the International Society of Automation (ISA) as an ISA Fellow for his outstanding achievements in science and engineering. Contact Eric at: eric.byres@belden.com.

A version of this article originally was published at InTech magazine.


How to Protect Water and Wastewater Facilities from Cyberattack

How to Protect Water and Wastewater Facilities from Cyberattack

This guest post is authored by David Mattes, founder of Asguard Networks of Seattle, Wash. 

“If you aren’t scared yet, you haven’t been paying attention.”  So goes the aphorism for modern times, and it applies equally well to industrial cybersecurity.  Conclusive proof is hard to come by, but consider the supporting evidence: U.S. presidential executive orders, vulnerabilities markets for ICS, U.S. Secretary of Defense warnings of a “cyber Pearl Harbor”, extremely low patch uptake for ICS/IT automation components, vast and varied ICS CERT warnings, Internet census reports of huge populations of exposed ICS systems.  Before Stuxnet, stories like this just didn’t get any attention if they were even published.  All industries are affected.  Water and wastewater environments are no different, and in fact are particularly attractive to threat actors not only because they are the foundation of advanced societies, but because they are easy targets.

Security with Lock

Because water and wastewater environments are critical infrastructure that have stringent availability and quality requirements, operators have a duty to protect these systems from cyberattack.  When trying to balance the surety with the risk, there are many challenges that have opposing forces, and network connectivity is a classic example of trying to make progress in one domain (e.g. reduced downtime), while backsliding in another (e.g. cyber risk exposure).

Despite the cybersecurity challenges associated with increasing connectivity, industry and government organizations are making steady progress.  How do you get caught up on the progress on security standards and best practices?  How does this progress turn into actionable steps you can take at your utility to strengthen the cybersecurity and increase the robustness of your industrial systems?  These are tough questions to answer, but ultimately this is where the rubber meets the road.  This is a big responsibility.  Are you up for it?  I hope so, because we all depend on you for our high quality of life.

To stay current, you have to get involved in the discussions that are happening.  The hardest step is the first step.  Beyond this, simply keep going.  The ISA participates in the cybersecurity discussion with ISA 99, ISA Secure, and ISA 100.  The U.S. government has some great resources, including ICS-CERT, ICSJWG, NIST Special Publications (SP 800-82 focuses on ICS Security).  If you work for a water utility, DHS offers free ICS Security trainingSANS also provides training and resources (20 critical security controls).  Most large North American electric utilities are regulated by FERC, and the CIP standards published by NERC are worthwhile reading, at least from the perspective of what may eventually happen in the water industry.  Finally, there are various LinkedIn groups with active discussions about ICS security.

My cybersecurity focus is on standards and solutions for network segmentation, which seeks to minimize network connectivity to the absolute minimum.  As Ralph Langner, the researcher who cracked the Stuxnet code, discusses in his book Robust Control System Networks, automation systems are not well-suited to large, flat and open networks.  Network segmentation is about applying the principle of least privilege to network communications, and when implemented in automation networks, you can achieve environments that are more robust, resilient and secure.

The ISA TR100.15.01 document presents an architecture model that describes how to segment, secure, and manage communications over trusted and untrusted networks.  When combined with the IF-MAP and ICS Security standards from the Trusted Computing Group (TCG) and the Host Identity Protocol (HIP) from the Internet Engineering Task Force (IETF), a picture emerges of how to create scalable, manageable, industrial cybersecurity products that are a natural fit for water utilities.

What makes a good fit?  A security solution must be “secure by default,” easy to use, flexible to changing environments, self-documenting and integrate well with other defensive layers.  Most importantly, a security solution must support and enhance the availability, robustness and resiliency of the automation systems.  By supporting our water resources, you play a vital role in our great society.  As part of this responsibility, I challenge you to stay abreast of the cybersecurity issues and challenges facing your industry, and standards-based solutions that can make a real difference.  Together we can rise to the occasion.

David Mattes

About the Author
David Mattes founded Asguard Networks to create products that address the challenge of managing connectivity and information security for industrial control systems (ICS). Prior to Asguard Networks, David spent 13 years in Boeing’s R&D organization. At Boeing, David focused on ICS security issues, particularly on the challenge of segmenting connectivity for ICS devices into private networks and securely connecting them to and through Boeing’s enterprise networks. David was the co-creator and technical and implementation lead on an architecture that not only satisfied Boeing’s InfoSec governance and security requirements, but also met the needs of the end users. He received a master’s degree in electrical engineering from the University of Washington and a bachelor’s degree in electrical engineering from the University of New Mexico. Contact David at mattes@asguardnetworks.com.

Pin It on Pinterest