February 2015, Vol. 242, No. 2
Features
How Network Segmentation Improves Operational Security For Pipelines
Network segmentation is a fundamental component of cybersecurity, yet it is so difficult to implement in a gas and pipeline environment. There is flawed thinking in part due to an industry-wide focus on perimeter security, a carryover from the days of air gap protection.
As industrial systems continue to evolve and pipelines become more distributed, there are more requirements for greater connectivity between internal systems within the distributed environment. As a result, more traffic must be allowed through the perimeter, and if perimeter access isn’t denied outright, it isn’t really a gap. A more flexible approach is required.
The flaw is that the term “perimeter” implies one big shell around an entire system, within which there are many devices in many zones, with different security levels and conduits, all unmanaged. In other words, the traditional definition of perimeter security does not mean the same level of granular access controls that a properly enforced conduit provides.
Perimeter security is able to properly secure zones, if the proper requirements are applied. Every zone has a logical perimeter that defines it. If all information flows are forced to cross this boundary via appropriate cybersecurity measures, then each conduit is made more secure. In order to secure a system with many zones:
1. Many perimeters need to be created.
2. Appropriate security controls must be in place around each perimeter, to inspect flows.
3. These controls must map different policies to different information flows to properly protect each flow and conduit.
Using these criteria, it becomes obvious that, while there are many ways to segment zones and enforce perimeter security, they are not always feasible or adequate.
For example, traditional segmentation mechanisms using VLANs or routing would either prohibit the amount of zone separation (by using too few devices), or become unduly complex (requiring massive network redesign to accommodate VLANs and IP subnetting). Too simple, and the right security is not implemented in the right places; too complex, and the risk of misconfiguration can result in less effective security and unintentional vulnerability. The complexity of highly sub-networked or VLAN-separated systems also requires administrative overhead from operations teams already strapped for IT skills and resources.
And finally, ICS vendors may dictate specific designs of layer-2 and layer-3 configurations, making the implementation of new network segmentation contractually impossible. In other words, traditional segmentation is not feasible for deep segmentation of pipeline infrastructure.
Routing can enforce the security of information flows, as can VLANs. However, this security is not absolute, and these paths remain susceptible to attack. Generally, the higher up on the OSI stack, the more difficult the attack. VLAN ‘hopping’ is a relatively simple task that renders VLANs inherently insecure. Routers are more difficult to circumvent and application layer controls are hardest to overcome. Therefore, while VLAN and network segmentation can be effective, it is not entirely adequate for industrial systems.
The necessity for a secure segmentation of the network is the crux of the issue. Zones and conduits exist to restrict access to and between systems in an effort to improve the security and reliability of the overall systems. If the information flow is not secure, the zone is moot. If the logical perimeter does not adequately control access to its devices, the system remains vulnerable.
To deploy an enterprise-class IT security device in a pipeline environment to separate two discrete control zones would be to pound a square peg into a round hole. It would also be difficult to justify. The device would be costly, cumbersome and may in many cases disrupt industrial communications due to latency and performance characteristics that are not tuned for sensitive industrial networks. Typically, there is undue complexity to help products differentiate themselves in the highly competitive enterprise security market.
The answer is not to develop entirely new tools, but to make existing cyber security tools more relevant. To do so, we must first look at the tools that are available and then determine how to make them more appropriate to industrial control systems.
The basic requirement is simple: limit the network traffic allowed into and out of any given zone. This task is easily accomplished with a firewall, using bi-directional traffic filters to prune out unwanted traffic on unwanted ports. It is a good idea and a necessary one as industry mandates require the use of a firewall or similar technology for this purpose. Because firewalls filter IP traffic, they can also filter industrial control traffic running atop IP.
While a firewall will narrow the scope of legitimate traffic to what is authorized, even legitimate traffic needs to be inspected more closely. Network-based exploits, denial of service attacks and insider attacks from disgruntled employees all utilize legitimate traffic in illegitimate ways. Deep packet inspection helps by looking into packets for an indication of malicious intent.
Content filtering (a feature in next-generation firewalls) looks at the application contents rather than simply matching packet contents to determine if an application is being misused (e.g. preventing access to a specific URL instead of blocking all web traffic).
However, content filters are intended for web content and email, not industrial applications. Therefore, most application-layer firewalls lack the ability to make decisions upon the specialized application-layer protocols used within industrial systems. Although industrial protocols ride atop TCP/IP, they establish their own application sessions, enact their own controls, and carry their own payloads.
To become relevant, the firewall must be able to understand these industrial applications, track application-layer sessions, and make decisions accordingly. To become highly relevant, the firewall should allow unwanted or unnecessary features to be disabled by default, so that they are more easily deployed and maintained in an environment staffed by operations managers and not IT managers.
With these modifications a firewall device can effectively protect the pipeline infrastructure and secure zones. Using relevant cybersecurity mechanisms, the complex network access policies that are required can finally be enforced. Through extensive filtering (using next generation firewalls that understand the nature of ICS application-layer protocols), the control network can be essentially “whitelisted.”
Filtering the contents of industrial protocols provides highly granular control, capable of defining acceptable protocols, authorized devices and authorized tasks. If the firewall can act transparently (i.e., without altering or impacting IP communications), then it becomes feasible to enable zone-level separation without reconfiguring the network.
Such a firewall is much more practical for OT managers and staff because it will not interfere with approved control system designs. Therefore, zoning can finally be well defined and implemented by pipeline operators.
This necessary first step toward a mature cybersecurity profile – the separation of systems into functional groups – will do more for security, reliability and safety than almost any available security measure. Properly established zones and conduits will make unauthorized access to (and exploitation of) critical devices more difficult.
They will help to isolate functional systems to minimize the impact of an incident. Perhaps most importantly, they will create a strong architecture foundation upon which more sophisticated security controls can be built.
Author: Kenneth Tom joined Wurldtech, which produces the Achilles Industrial Next Gen Firewall, in September 2013 as a senior product manager, with product management and product marketing responsibilities. Prior to joining Wurldtech, he led the product marketing efforts at Juniper Networks for the SRX Series Services Gateway product line, and product marketing and product management efforts at companies including McAfee, Check Point Software Technologies and 3Com.
Comments