Wide Awake at the Wheel: Trusting the Sender and Receiver in ICS and SCADA Systems

ABSTRACT

SmartData from SertintyONE creates self-protecting data objects that enhance existing cyber security protocols and make any transmission usable and recognizable to users or devices that have been previously identified and authenticated. Any unauthorized entity will never be able to access or recognize a SmartData object.

INTRODUCTION

What do these environments have in common?

• Railway switches
• Air traffic control
• Nuclear power and processing facilities
• Water power and reservoir management
• Autonomous transportation
• Harbor and port authorities

We exchange text messages with our friends and family all the time. Their numbers are listed in our contacts, and based on the contact photo and the way our friends reply, we assume we know who we're texting with. Sometimes, though, a random text will appear: just a phone number and a message, probably something like "good morning you ☺" or "hey girl!" You can see the number the message came from, but who is on the other end of the keypad? As a human, you can use your powers of logic, intuition, and reverse phone lookup to determine who sent the unknown message. But how do machines distinguish? How does a program know whether the command it is receiving is from a known and trusted source?

In an effort to modernize, devices controlling these kinds of systems have been added to a network. In many of the systems installed years ago, factory-installed passwords or hard-coded credentials are typical. Technician turnover, multiple users, and ease of use are all considerations that make these accommodations popular. Culture is a factor, too. Change comes slowly to industries that have used the same protocols and the same technologies for decades. Existing protection methods like physical security, perimeter security and encryption only go so far, and have known and exploited weaknesses. Plants continue to modernize and add devices to networks, while the culture and attitudes at these same plants take much longer to accept technological advancements.

As attackers become more sophisticated, which they do with every attempt, a fundamental change in protection is necessary to ensure the safety and security of the fundamental services citizens rely on for their well-being. Moreover, the advancements need to be simple to use or invisible to technicians so they are easily adopted. Malicious actors know this and are becoming more sophisticated and increasing the number and variety of attacks they use. Data interception, DDoS, data alteration, and cyber "drive-by shooting" are being used by individuals, groups, and nation-states depending on their strategic goals. The Department of Homeland Security reports that industrial control systems were subject to at least 245 attacks in 2014.

Why does it seem so simple to find and attack these systems? Because it is. The search engine Shodan can find any open device with an IP address within a geographic range. Even a Google search with specific technical criteria (called dorking) can return a list of open devices. Once the device is known, penetrating the network and installing malware involves just a few more clicks. The entire identification and infiltration of an ICS/SCADA system can take less than a day.

Until recently, conventional wisdom dictated that even though system security was weak, attackers needed a high level of skill to manipulate the devices they found. That belief has been shattered by the recent research of Reid Wightman at Digital Bond Labs. Presenting at the S4 Conference in January 2016, he found at least 4 companies making variable speed drives that don't require authentication to get read/write capability. The motor makers intentionally make it easy for operators to find out the maximum motor speed, to make safe speed maintenance easy. Malicious actors can find the maximum safe speed and override it without leaving a trace. If that motor is cooling a nuclear power facility or if it is holding back a reservoir, the public threat is greater and more damaging than any financial data breach.

In this landscape, knowing who to trust and which commands to execute becomes vitally important. How can ICS and SCADA systems remain operational with an impeccable level of availability when a single malicious actor can apparently take command of systems with ease? The industry cannot move backward into a state of full manual operation. It should not remove devices from the network when the benefits of networking outweigh the risk of remaining online. The solution lies in ensuring systems know which commands are trustworthy and should be executed and which should be ignored and reported. Let's look at what's going right and what can be enhanced.

THE STATE OF THE ART

Utilities and critical infrastructure systems excel at physical security. You needn't look further than your nearest airport. Physical barriers, card readers, physical searches, credentials, and employee behavior all play a role in maintaining the integrity of access to systems.

The same organizations are also getting better at perimeter security for protecting internal networks. Layered network security with firewalls, system anti-virus programs, and console anti-virus programs offers specialized ways to prevent unwanted access to systems. Like completing a video game, an attacker must successfully solve each level before getting to the ultimate prize: control of the system. The drawback to layered network security is that it adds time, cost and complexity. And any news feed will show us that a layered network is not impenetrable.

Encryption programs can obscure massive amounts of data. Often, an application will encrypt its own output, like a protected PDF. Encryption like this is a secondary feature of the application and, while effective at a surface level, may not keep out a motivated interloper. Total disk encryption, managed by an external application, is where many organizations are moving. Any of these encryption methods require key management protocols. When multiple encryption methods are used, multiple keys must be managed, stored securely, and retrieved immediately. The major drawback to encryption methods is that they exchange public keys, which subjects data to exfiltration, and encryption can significantly slow down performance.

The ultimate goal is for legitimate parties to execute timely commands and have devices recognize only legitimate requests while defending themselves from imposters. Protection at the data layer does not rely on external applications, networks, or operating systems. Self-protecting data, or SmartData by SertintyONE, is recognizable and useful only to aware applications with legitimate credentials and validated users.

SmartData Neutralizes Threats

In ICS environments, there is implied trust. That means any command received is a good command. Using the example of a train, we assume that Console A sends a command to Train B: "Slow down! Curve ahead!"

FIGURE 1: Console A sends System B the command ">Curve ahead >Slow down!"

If a malicious actor were to intercept the command and wanted to cause havoc, he could replace the good command with his own command, "Full speed ahead!" Using today's systems, the train would not know that the replaced command is bad, because it looks legitimate.

FIGURE 2: Console A sends ">Curve ahead >Slow down!"; Imposter C intercepts the command and replaces it with ">Full Speed Ahead!" before it reaches System B.

When using SmartData, the user at Console A must log in and irrefutably prove his identity before issuing any command. In addition, the identity of the sender and the identity of the receiver must be included in the header of the command.
This smart command is unrecognizable to any person, process, or machine other than the participants included in the command.

When the SmartData-aware train receives any command, it will first view the header to determine:

• Is the sender known and trusted?
• From which device did the command originate?
• Is the timeframe of the command within a reasonable range?

When evaluating the legitimate command, the train determines all the important factors to be true and follows the command to slow down. In the case of the bad message, not only does the train determine the important factors to be false, it recognizes that the command is not in SmartData form. Furthermore, a malicious actor would be unable to recognize a command cloaked as SmartData. When using SmartData, key logging, packet interception, and command spoofing all become irrelevant. SmartData objects are recognizable only to SmartData-aware applications. Even then, only authorized and legitimate users of that particular SmartData object are able to see what's inside.

FIGURE 3: Console A sends ">Curve ahead >Slow down!"; Imposter C intercepts it and replaces it with ">Full Speed Ahead!"; System B responds ">This command isn't trustworthy >Taking emergency action >Unless trusted command is provided now".

How do SmartData-aware devices know which actor gave a command? Certainty comes from the authentication method used in SmartData protocols. Unlike most authentication, which requires a login ID and password and perhaps another code for multi-factor authentication, SmartData authentication relies on a series of prompts and responses that are unique to individuals or machines. Prompts and responses are impervious to social engineering, and administrators can select a minimum number of prompts and responses required to authenticate. In addition, multi-vector authentication is a built-in option.
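As an added illustration (not SertintyONE's code; the page does not describe SmartData's internals), the following Python model implements the header checks the train performs above, plus the sender/receiver identity check the previous section calls for, on a constructed Console A to System B command. A keyed MAC per trusted sender is assumed as a stand-in for SmartData's authentication; the registry, key, device names and 30-second window are constructed values.

```python
import hashlib, hmac, json

# Constructed sample registry: one shared secret per trusted sender and its
# registered device. A keyed MAC is an assumed stand-in for SmartData's own
# (unspecified) authentication, not the product's mechanism.
TRUSTED_SENDERS = {"console-a": {"device": "console-a-hmi", "key": b"constructed-key-console-a"}}
MAX_AGE_SECONDS = 30  # assumed "reasonable range" for a command's timeframe

def _payload(header, body):
    return json.dumps({"header": header, "body": body}, sort_keys=True).encode()

def seal(sender, receiver, device, body, key, issued_at):
    """Build a command whose header names the sender, the receiver and the origin device."""
    header = {"sender": sender, "receiver": receiver, "device": device, "issued_at": issued_at}
    tag = hmac.new(key, _payload(header, body), hashlib.sha256).hexdigest()
    return {"header": header, "body": body, "tag": tag}

def evaluate(cmd, my_id, now):
    """Receiver-side checks from the text: known sender, intended receiver, registered
    origin device, fresh timestamp, and a tag that still matches header and body."""
    h = cmd.get("header", {})
    entry = TRUSTED_SENDERS.get(h.get("sender"))
    if entry is None:
        return False, "sender not known or trusted"
    if h.get("receiver") != my_id:
        return False, "command addressed to a different receiver"
    if h.get("device") != entry["device"]:
        return False, "command did not originate from the sender's registered device"
    ts = h.get("issued_at")
    if not isinstance(ts, (int, float)) or not 0 <= now - ts <= MAX_AGE_SECONDS:
        return False, "command timeframe outside the reasonable range"
    expected = hmac.new(entry["key"], _payload(h, cmd.get("body")), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(cmd.get("tag", ""))):
        return False, "authentication tag does not match header and body"
    return True, "trusted command"

def receive(cmd, my_id, now):
    """Follow a trusted command; otherwise ignore it and take emergency action."""
    ok, reason = evaluate(cmd, my_id, now)
    return cmd.get("body") if ok else "Taking emergency action: " + reason

if __name__ == "__main__":
    t = 1_700_000_000
    key = TRUSTED_SENDERS["console-a"]["key"]
    good = seal("console-a", "system-b", "console-a-hmi", "Curve ahead. Slow down!", key, t)
    forged = dict(good, body="Full speed ahead!")  # body swapped in transit, tag now stale
    for cmd, now in ((good, t + 5), (forged, t + 5), (good, t + 600)):
        print(receive(cmd, "system-b", now))
```

The third case shows that a command which was once legitimate is still rejected when it arrives outside the timeframe window, so a captured-and-replayed command gets the same emergency handling as a forged one.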
SmartData objects carry authentication, encryption, and rules for access with them. When an authenticated user or device is logged in, they are able to access the data they need without managing encryption keys, which are buried deep throughout the SmartData object. Nothing about the contents of the object is ever shared publicly, and only authorized and authenticated users will ever see and be able to use the contents.

Because it is not dependent on network, operating system, or application, SmartData can drop into any environment and start protecting data as soon as it's installed. With no other change than the installation of SmartData technology, critical systems and their operation become as secure as when physical isolation was the only method of protection. SmartData technology works with native applications so that technicians and machines can be logged in, authenticated and otherwise unaware that SmartData is working on their behalf. Anyone outside will be unable to comprehend the packets they see. Systems become impervious to code injection or other attacks where illegitimate commands are given to legitimate devices. The bottom line: control of systems, control of your environment, control of outcomes is never relinquished.

SUMMARY

SmartData ensures that only legitimate users and legitimate devices are able to execute commands. SmartData makes any system impervious to malicious actors and protects not only the integrity of operations but any data associated with a facility, including research, personnel data, emails, or financials. SmartData accomplishes this in a way that enhances existing security protocols, does not impact performance, and is nearly invisible to legitimate authenticated parties.

Without a fundamental change in the way critical infrastructure industries protect themselves from individuals, groups, or nation-states with ulterior motives, even the best physical and layered security will not prevent a disaster. Beyond the inconvenience of a multi-day power outage or the hazard of traffic signal corruption, there is real potential for mass chaos and loss of life. Each unsuccessful attack teaches the attacker something new. Each attempt becomes more sophisticated and potentially more devastating.

SmartData works regardless of network, operating system, or application. SmartData is self-protecting data. Let SertintyONE show you how your ICS and SCADA systems can grow to be fully mature SmartData-aware systems. Contact the sales team for an evaluation of your existing trusted sender/receiver scheme and more information about how SmartData can fit into your existing structure.

WHO WE ARE

SertintyONE® is a software development company focused on protecting confidential, proprietary and personal data. Our development initiatives are aimed at ensuring the right person has the right information at the right time, irrespective of the user, device, network or operating system. We are headquartered in Nashville, Tennessee.

SertintyONE Corporation
Nashville, TN
(855) 313-6032
[email protected]
www.SertintyONE.com