In December 2014, the industrial control system (ICS) security community learned of the latest serious attack against a control system. The attack targeted a German steel mill, which reported massive damage to a blast furnace as a result. The attack was a classic persistent targeted attack (PTA): a spear-phishing attack gained a foothold on the corporate network, which enabled the attackers to work their way into the control system network by remote control.
According to Germany’s Federal Office for Information Security, the attackers had a strong knowledge of both corporate information technology (IT) security technologies and of the steel mill’s industrial control system technologies.
There is increasing concern among pipelines and utilities regarding this kind of cyber-threat. Modern PTAs routinely defeat all IT-centric software security mechanisms, and sabotage is increasingly the motive of such attacks, not espionage. The recent Sony and Saudi Aramco “erase the hard disk” attacks are prominent examples of this new cyber-sabotage focus, as is the continued increase in “ransomware” attacks, where malware encrypts hard drives and only decrypts the drives if a ransom is paid.
The widespread capability to breach network defenses, coupled with an increasing trend toward sabotage, does not bode well for the safe and reliable operation of our pipelines and control systems.
IT Approach to Security
For the last decade, IT security best practices have been held up as the gold standard for control-system security programs. “If only we could find a way to apply IT security practices to control systems,” we were told, “then all would be well.” In the last several years, experts recognized that not only are control system networks more difficult to secure than IT networks because of reliability, safety and other imperatives, but control system networks really do need a substantially different approach to security.
The IT approach to security starts by recognizing that firewalls at IT perimeters are porous. These firewalls allow Web page requests to pass out of IT networks into the Internet, and allow Web pages and electronic mail back into the networks. Firewalls routinely exchange messages with a variety of data sources and remote users on the open Internet.
Some of these incoming messages, emails and Web pages contain attacks. Firewalls do what they can to identify and block attacks, but no firewall is, or can ever be, perfect. Attacks always get through firewalls. All of this is by design – IT firewalls are designed to be porous, to forward messages.
Inside an IT network is a complex maze of security systems, all of which are software. Unfortunately, complexity is the enemy of security. The more complex a software system becomes, the more security vulnerabilities that system contains. Fundamentally, all software has vulnerabilities, and all software can be hacked. Combine this with a constant stream of attacks trickling into IT networks through IT firewalls, and it is inevitable that every IT network on the planet will be compromised, regularly.
IT security responds to this inevitability of compromise with intrusion detection systems (IDS), trained incident response teams, detailed forensics and regularly tested backup and recovery systems. Intrusion detection experts represent “eyes on glass” – our experts pitted against “their” experts. Our IDS experts find the intrusions, and our response teams eliminate them.
But all this takes time. A recent Ponemon survey showed malicious breaches took an average of 80 days to detect, and even longer to remediate. The average compromised IT network remains compromised for months.
Applying IT Best Practices
When we apply the IT philosophy to control system networks, what is the result? IT-style firewalls between IT and ICS networks, with intervening demilitarized zone (DMZ) networks, provide a path for attackers to reach from the Internet through intervening networks, right into control system networks. Internally, control systems generally have poorer security systems than IT networks, and, as a result, are even easier targets than IT networks. Like IT networks then, it is inevitable that firewall-protected control system networks will be compromised.
What does such a compromised control network mean? It means an unauthorized, unqualified intruder has remote control of our pipeline. The average such compromise lasts months. Is this an acceptable risk?
Natural gas and other pipelines are complex, powerful, physical processes. Owners and operators generally see even the briefest mis-operation of pipeline assets as an unacceptable risk. Such mis-operation, though, is what IT-standard security yields, by design, when applied to pipeline control systems. Our problem is that damaged pumps and valves cannot be “restored from backup,” and public safety risks are unacceptable.
Changing ICS Security Practices
In the last several years, experts have been re-evaluating the approach to control system security. Given that the ICS network interiors are notoriously difficult to secure, and given how long it takes to detect compromised equipment, why does it make sense to permit messages and attacks to flow into ICS networks through porous-by-design firewalls? Increasingly, experts are recommending unidirectional security gateways at ICS network perimeters, as an alternative to firewalls.
Unidirectional gateways incorporate hardware components that physically permit information to flow in only one direction; it is physically impossible to send any information through the gateway hardware in the “wrong” direction. The gateways are deployed routinely to allow corporate networks to monitor the operation of control system networks, without ever sending any information, query, message or attack back into the monitored ICS networks.
Better yet, even in the direction the gateways permit information to flow, the gateways never forward messages. Instead, the gateways extract information from servers on the industrial network, and populate replica servers on corporate networks for corporate users to query. No message seen by the ICS side of a gateway is ever forwarded out to the corporate network.
More specifically, the gateways render modern, remote-control attacks impossible. No status message from any malware is ever forwarded to the corporate network, and the physics of the gateways prevents any remote control network command from entering into a protected control system network.
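The replicate-rather-than-forward model described above, as an added illustration that is not code from the original article or from any gateway vendor: the ICS side extracts only typed tag values into a fixed-schema record, the record crosses a channel that has no receive primitive on the ICS side, and the corporate side rebuilds a replica while discarding anything that is not a well-formed tag/value pair. The class and function names and the tag-naming convention are assumptions for the example.

```python
"""Toy model of unidirectional replication (constructed example, not product code):
historian values are extracted into a fixed schema, pushed over a write-only
channel, and rebuilt as a replica. No message is ever forwarded verbatim."""
import json
import re

TAG_RE = re.compile(r"^[A-Z0-9_]{1,32}$")  # assumed tag-name convention


class OneWayChannel:
    """Models the gateway hardware: a TX side that can only write and an RX side
    that can only read. There is deliberately no rx_write or tx_read method,
    so nothing on the corporate side can be sent back toward the ICS side."""

    def __init__(self):
        self._buf = []

    def tx_write(self, payload: bytes) -> None:
        self._buf.append(payload)

    def rx_read(self) -> list:
        out, self._buf = self._buf, []
        return out


def extract_snapshot(source: dict) -> bytes:
    """ICS side: copy only numeric (tag, value) pairs out of a historian-like
    dict into a fixed-schema JSON record; request/response messages never leave."""
    rec = [{"tag": t, "value": float(v)} for t, v in source.items()
           if TAG_RE.match(t) and isinstance(v, (int, float)) and not isinstance(v, bool)]
    return json.dumps(rec).encode()


def import_snapshot(payload: bytes, replica: dict) -> int:
    """Corporate side: rebuild the replica, accepting only schema-conforming items.
    Returns the number of tag values accepted; malformed input yields 0."""
    try:
        items = json.loads(payload)
    except ValueError:
        return 0
    accepted = 0
    for item in items if isinstance(items, list) else []:
        if not isinstance(item, dict) or set(item) != {"tag", "value"}:
            continue  # extra or missing fields: drop the item, never pass it on
        tag, value = item["tag"], item["value"]
        if (isinstance(tag, str) and TAG_RE.match(tag)
                and isinstance(value, (int, float)) and not isinstance(value, bool)):
            replica[tag] = float(value)
            accepted += 1
    return accepted


def replicate(source: dict, replica: dict, channel: OneWayChannel) -> int:
    """One replication cycle: extract on the ICS side, import on the corporate side."""
    channel.tx_write(extract_snapshot(source))
    return sum(import_snapshot(p, replica) for p in channel.rx_read())
```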
USB Thumb Drives
What about USB thumb drives? When the Stuxnet scare was all the news, many ICS security practitioners outright banned the use of USB thumb drives because Stuxnet spread through thumb drives. Some experts even advised connecting all ICS networks to IT networks through firewalls to reduce the temptation to use USB devices.
Such advice is seriously misguided; it amounts to telling us that rather than putting bars on our windows, we should open the barn door wide so nobody is ever tempted to come in through the windows. Stuxnet spread through industrial firewalls as easily as it propagated via USB sticks. The worm spread over SQL Server messages that firewalls were configured to allow into industrial networks. Why would an attacker bother trying to deceive an insider into carrying a USB stick into a facility, if that attacker could simply piggy-back an attack on seemingly innocent messages the firewall is designed to permit through to the industrial network?
With unidirectional security gateways in place, the firewall “barn door” is well and truly closed. With the gateways in place, investments in removable device controls, media-cleansing stations and “bring your own device” training and awareness can finally bear fruit. No such investments make any sense if remote-control attacks can simply be forwarded in messages passing through firewalls.
Best Practices Changing
In the last several years, this emerging understanding of ICS security has been expressed in a number of standards and guidelines.
In 2014, France’s Agence Nationale de la Sécurité des Systèmes d’Information (ANSSI) published new control system security standards that took evolving expert opinions into account. The ANSSI standards require at least unidirectional protections on connections between the most sensitive ICS networks and any less-sensitive network, and forbid any kind of Internet-based remote control to the most sensitive ICS networks as well.
The 2013 North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection Version 5 (CIP V5) standards recognized unidirectional gateways as stronger than firewalls. NERC CIP V5 recognizes the strength of the gateways by reducing the set of security controls required to be applied to cyber-systems protected exclusively by the gateways. The latest draft of the National Institute of Standards and Technology (NIST) 800-82 standard for control system security similarly contains paragraphs of discussion of unidirectional gateways and their role in securing ICS networks.
Are Pipeline Assets Expendable?
This evolution of advice and standards is no surprise. It is a truism of cybersecurity that cyberattacks only become more sophisticated over time, and so our defenses must continue to evolve as well. Modern ICS security advice asks us to consider whether forwarding attack-bearing messages through firewalls into ICS networks still makes sense. Some experts are starting to call advice and standards permitting IT/ICS firewalls in critical-infrastructure contexts “firewall loopholes.” Firewalls make it easy to provide an illusion of security, to give the impression that something useful has been done, while impairing attacks very little in practice.
The day of the ICS/IT firewall has passed; modern attacks push through such firewalls at will. As security practitioners, we must consider how long we are willing to leave an attacker with remote control of compromised equipment on our pipelines. How long are we willing to risk mis-operation of our physical assets? We all need to start asking, “Which of our pipelines, pumps and control systems are so expendable that we can afford to protect them with only firewalls?”
Author: Andrew Ginter is vice president of Industrial Security at Waterfall Security Solutions. He has managed the development of commercial products for computer networking, industrial control systems, control system to enterprise middleware and industrial cybersecurity. Ginter is co-chair of the ISA SP-99 WG1 working group.