ICS Security: Beyond the Firewall
October 2015
WHITE PAPER
Ultra Electronics, 3eTI © 2015

Table of Contents
1. Introduction (p. 3)
2. IT Security: Preventing Data Loss & Unauthorized Access (p. 4)
3. ICS Security: Machine-to-Machine (M2M) Reliability (p. 6)
4. Secure Your Most Critical Assets (p. 7)
5. CyberFence Security (p. 8)
   1. Data Encryption (p. 8)
   2. DarkNode Technology (p. 9)
   3. Port Authentication & Access Control (p. 9)
   4. Firewall (p. 9)
   5. Application-Level Parsing and Deep Packet Inspection (p. 9)
   6. Alerting & Reporting (p. 10)
   7. Preventing Attacks & Mitigations (p. 10)
6. Summary (p. 11)

1. Introduction

When the terms ‘cyber’ or ‘cyber security’ are used, most think first of PCs, the Internet, and hackers stealing data. This association is problematic, particularly in the context of an industrial control system (ICS) environment. The use of PCs, Ethernet, and IP messaging within the industrial community has made an ICS look more like a traditional IT network. As a result, there is increasing pressure within ICS organizations to allow IT departments to perform more cyber-related services in the ICS domain, such as network management and cyber security. While there is nothing inherently flawed in this approach, it may lack the necessary appreciation of the operational differences between ICS and IT relative to cyber risk management. Risk management is the cornerstone of cyber security, and a flawed approach can result in uncorrected and unacceptable risks.

The cyber world is made up of four key assets: data, devices, networks, and people. Cyber security is about ensuring the protection and integrated operation of all these elements. A weakness in the protection of one asset can impact the others.

IT networks are dynamic and unpredictable by nature, and this is how signature-based protection has developed into next-generation-firewall-type solutions, where ‘blacklist’ approaches are effective. Industrial control system (ICS) networks are fundamentally different from IT networks; they are planned, static, and predictable. ICSs require reliability and availability. Securing these networks necessitates limiting communications between and amongst machines to only what is legitimate and safe, or predicted. In these systems, whitelist approaches provide the best protection.
IT security vendors view the ICS space as a new marketplace for their IT security solutions, not realizing that the constraints and assumptions that exist in the IT space are diametrically opposed to the dynamics that rule the ICS space. The reasons requiring next-generation firewalls in IT security do not apply to the ICS environment. Trusting in their effectiveness will leave operators and systems at risk. This paper will outline why it is time to look beyond the firewall.

2. IT Security: Preventing Data Loss & Unauthorized Access

Personal computers and corporate IT networks were developed to improve the productivity and performance of their users' activities, and to improve business productivity. As a result, IT networks are dynamic and unpredictable, mimicking the nature of the underlying business activities. Individual users come and go, devices are moved, and applications and services change frequently. In the course of a normal day, IT communications occur among myriad endpoints using constantly changing services and protocols. Yesterday’s email becomes today’s SMS and tomorrow’s instant message. Humans are not machines; applying a code to conversation types, audiences and frequency will stifle productivity. If IT inhibits users' ability to communicate in performing their job, business suffers and the IT process or practitioner is replaced. This dynamic has created a strong incentive for IT departments to ensure users are happy and productive.

Securing IT networks requires training the user to minimize risky behavior, and to identify and prevent bad activity. This is how signature-based protection was developed, evolving from simple port-filtering firewalls to signature-based next-generation firewalls. In these systems, blacklist approaches are the best compromise. The increasing reliance on IT as part of a business’s activities, both to store intellectual property and to deliver products and services, has made these systems attack targets.
In many organizations, the most valuable corporate asset is data, more so than the devices the data resides in, or even the people that use it. A business’s reputation, competitive edge, and intellectual property can all be destroyed if its data is lost or stolen. This reality has created a strong incentive for IT departments to prevent data loss and unauthorized access to sensitive data. As a result, IT departments are driven by two competing requirements. First, they must allow users and the business to be as productive as possible by giving them access to the business’s data. Second, they must also prevent data loss and unauthorized exposure.

Over time, IT departments have become adept at enabling access to data while closely monitoring activity. If any risky, unauthorized, or known bad activity occurs, a common and reasonable response is to cut the cables and stop business activities to prevent further data loss and quarantine any malicious activity. The networks, devices, and people are impacted in favor of saving the data.

This is the signature-based protection methodology. It operates on the principle that controlling normal human activity in the cyber realm is impossible. So instead it focuses on blocking what is known to be malevolent, such as emails to new contacts, new program installations and other risky behavior, while monitoring the network for things that can go wrong. However, because there are always new ways to do things wrong, and new ways to exploit systems, IT departments have a never-ending task to keep up with what they know and define to be bad.

To illustrate, we can look at the evolution of the common firewall. At the dawn of computing, there were no firewalls in our cyber systems. Anyone could communicate with anyone. This allowed users to interact freely and more quickly, but also opened channels to external attacks on sensitive internal systems.
Then firewalls began to proliferate, controlling the flow from external to internal while also allowing internal-to-external exchanges. Users could reach out, but attackers could not reach in. With an end to easy and direct methods for accessing internal systems, attackers developed alternative tactics for infiltrating networks, such as infecting emails, documents and USB sticks, among others. Once inside, they could then disguise their activities as being from an approved user and reach deeper into internal systems. They could also reach from the inside out to exfiltrate the data and receive additional instructions.

Faced with the competing requirements of allowing and optimizing legitimate data usage while identifying and blocking threats, the IT security industry created next-generation firewalls. These devices prioritized the identification of different traffic streams in an attempt to identify malicious traffic masquerading as legitimate traffic in order to then block it. The resulting dependency on the next-generation firewall now obliges IT departments to continuously tweak their firewall rules and signatures to stay ahead of the attackers, who are constantly inventing new ways to camouflage their exploits. There is no foreseeable end to this pursuit on the part of IT, as these teams cannot restrict legitimate user traffic to avoid incurring data loss without also impairing fully efficient business processes.

3. ICS Security: Machine-to-Machine (M2M) Reliability

While an ICS may in many ways emulate an IT system, complete with PC devices, networks, and people, it has fundamentally different drivers. Computers are used within the ICS to improve reliability and consistency. It is not the data in the system that is the most important aspect of an ICS, but rather the actions of the devices.
In an IT system, the data is consumed and parsed by users; an email arrives and a user responds. In an ICS, the data is acted upon by devices; a sensor reading arrives and a PLC modifies its output. Within an ICS, it is not the data that is the most important aspect of the cyber system. It is the devices, because they control the processes and output of the business. Within a power station, a user may choose to shut the plant down in the face of an attack or incident, but it is the devices that close the valves, stop the motors, and slow the pumps.

Also, while most of the communication in an IT system supports user-to-user activity, in an ICS the communication is primarily machine-to-machine. An operator specifies a set-point, but it is the machines that work together to execute that set-point. Like a rock dropped into a pond, the initial action may be caused by a user, but the devices carry the ripples throughout the rest of the system.

In terms of cyber security this is a critical distinction. If the majority of communications occur between devices rather than users, and it is the devices, not the data, that are the most important cyber-asset, then the compromises made in IT security no longer apply. Owners and users of ICSs know this, and it is why they place a priority on their communications’ availability over its confidentiality.

Instead of being dynamic in nature, as IT systems are, ICSs typically are planned, static, and predictable. Devices talk to other devices using the same protocols and messages day in and day out. Reliability and consistency are attained through repetition and minor adjustments rather than wholesale or ad hoc change. Unpredictable behavior induces unreliable performance in the control system, which impacts business efficiency and ultimately an organization's bottom line.
This is why operators and maintainers of ICSs are accustomed to following strict procedures that instruct them on what to do, rather than being given an ever-increasing list of actions not to do. The procedures laid out are proven, and their efficacy is guaranteed to preserve ongoing operation of processes.

If unpredictable or dynamic change is impactful to an ICS, then an ICS cyber-attack is one that creates unpredictable or dynamic changes or communications. This could be as simple as a compromised device sending out malformed packets, or as sophisticated as advanced malware that rewrites a PLC’s firmware. In either case, the attack is causing unauthorized and potentially damaging activity. Securing an ICS, therefore, requires activity to be restricted to only what is known safe.

An ICS can be impacted by a non-targeted, non-ICS-specific cyber-attack. This has been seen time and again, as when IT malware such as the Slammer worm or Conficker infects a control system and floods the network with traffic. This flood of illegitimate traffic unintentionally crashed devices (PLCs or RTUs) on the network and impacted processes. An ICS can also be impacted by a targeted, ICS-specific cyber-attack such as Stuxnet. Such malware uses legitimate communications to intentionally modify a device’s operation, causing it to operate in an unsafe manner. The ultimate vulnerability in both cases is not in the infected PC (that was merely the attack vector), but rather in the PLC/RTU device. ICS devices should not respond to, or be impacted by, unauthorized intentional or unintentional activity. We know how an ICS device should operate; therefore, if we limit its actions and instructions to only safe and legitimate ones, an attacker cannot damage the devices or the process the devices are controlling.
Instead of minimizing the unauthorized loss of data, as in an IT system, ICS cyber security is focused on minimizing an attacker’s ability to disrupt versus damage. To accomplish this, ICS cyber security should focus less on detecting and mitigating known bad behavior, and more on limiting and enforcing only known good behavior. If we allow only good behavior, it doesn’t matter whether the attack has been seen before or uses a zero-day vulnerability; ultimately the attack will fail to force devices to deviate from known safe and legitimate activities.

Change occurs rarely within an ICS, and when it does it is planned and anticipated. Therefore it is possible and highly desirable to whitelist what can run on a device, whitelist which devices can communicate, and whitelist what they can transmit. Unlike humans, machines don’t mind saying the same thing every day to the same devices at the same time. In fact, this is highly beneficial to the business. Therefore, whitelisting rather than blacklisting or signature-based filtering is the only method to ensure complete and comprehensive ICS cyber security, and it prioritizes safety and reliability above all else. We don’t give our operators a manual outlining all the things they shouldn’t do; we shouldn’t require our security devices to operate that way either.

4. Secure Your Most Critical Assets

As we have made clear, in industrial control systems the most critical cyber component among data, devices, networks, and people is the devices. ICS cyber security should for this reason be focused on maintaining the reliability and safe operation of our ICS devices. When we review the constantly growing list of vulnerabilities reported on ICS-CERT’s alerts and advisories pages, we see that many of the non-PC-related vulnerabilities are robustness related. That is, if a malformed packet, also known as a poison packet, is sent to one of these devices, it causes the device to crash.
This is particularly prevalent in systems that use complex control protocols such as DNP3 or BACnet. We saw the Energetic Bear ICS campaign in 2014 use the Havex malware to send malicious OPC messages, crashing many implementations. This is a failure of robustness in our industrial control devices. Whether an attack is intentional or unintentional, the reality is that unauthorized code can and will get into our control networks. Our cyber-security mission should be to ensure that even when it does, that malware cannot cause our devices to crash or behave outside of their normal operation.

In many cases IT security vendors see the ICS space as a new marketplace for their IT security solutions. Although well intentioned, they often don’t realize that the constraints and assumptions in the IT security space that make signature-based solutions so attractive do not exist in the ICS space. Instead, the ICS community should be requiring security solutions that only allow legitimate and well-formed messages to be sent. The traffic classification capabilities of next-generation firewalls are not required in the ICS space. We know what protocols and messages are crossing our networks; we don’t need to identify them.

Instead, the requirement is to ensure that those messages do not cause the device to crash (the message was not malformed) or instruct the device to perform in an unsafe manner. This is where protocol parsing is required. The security device analyzing the traffic not only needs the capability to inspect the entire message (via deep packet inspection), it also needs to understand what is being sent. It must fundamentally understand the protocol and detect when a message, whether legitimately formed or not, is actually asking the device to do something outside of its normal operational parameters.
If we can control which devices can communicate with each other, and how and what the messages convey, we then have a known set of permitted actions. Having the ability to ensure that only those messages are used means the uptime and reliability of the process cannot be damaged, only disrupted.

5. CyberFence Security

CyberFence combines a number of different capabilities to create a tailored cyber-defense. As each industrial deployment is unique and reflects unique threats, vulnerabilities, critical assets, and risk appetites, it requires individual solutions tailored to specific needs. There are always those attacks that can bypass static defenses, which is why guards are needed manning the walls, proactively looking for attacks and responding to them through, for example, deep packet inspection and heuristic analysis. Combining layers of static and active defenses creates solid defense-in-depth protection.

1. Data Encryption

CyberFence provides user-data end-to-end encryption. This means that any data sent by a user via a CyberFence series device will be encrypted from the source all the way to its destination. No attacker on the network between the CyberFence series devices will be able to intercept, manipulate, or participate in the communications. 3eTI uses only government-grade and FIPS-validated encryption algorithms and key management solutions, and performs its encryption in hardware to ensure low latency.

2. DarkNode Technology

DarkNode Technology allows the CyberFence series device to operate stealthily on the network, invisible to attackers and users alike. An attacker scanning the network or inspecting traffic cannot detect the presence of the CyberFence series device. This enables quick and easy deployment, as the device is transparent on the network, requiring no additional network configuration.
It also stymies attackers, as the only indication they will have of a CyberFence series device is that their attacks are failing, and they cannot tell why.

3. Port Authentication & Access Control

CyberFence implements 802.1x port authentication on all its user data ports. It is capable not only of authenticating itself to whatever network it is connected to, but, more importantly, the user can control which devices are allowed to connect to the CyberFence device and communicate through the encrypted tunnel. If a network does not implement port authentication but the user would still like to control logical access to the network, then access control policies can be used. The user can control which devices are authorized to connect to a CyberFence series device’s given ports based on MAC address. While this does not provide a cryptographically authenticated method, it does prevent unsophisticated attackers or accidental connections to the wrong ports.

4. Firewall

Even if users have authorization to communicate through the CyberFence series device, it doesn’t mean that they obtain the authority to communicate with everyone and everywhere on the network. CyberFence implements a firewall that can control where users are allowed to communicate and which protocols they can use. This ensures that any critical device behind a CyberFence series product can control who can communicate with it, and is not left open to anyone on the network to connect to. The CyberFence series provides critical devices with an endpoint firewall that can not only protect the device from the network, but also protect the network against any compromised device attempting to form unauthorized connections. Firewall alerts can both be securely logged and remotely distributed so that security systems can be immediately alerted to any unauthorized or anomalous connection attempts.

5. Application-Level Parsing and Deep Packet Inspection

Firewalls have historically been used to control who can talk to whom, but not what is being said. However, this is an issue within critical control and automation systems. If an authenticated system such as a SCADA server or HMI becomes compromised, it would be allowed to communicate through the firewall to launch an attack on a critical system. CyberFence series devices solve this issue by looking at the entire contents of a packet rather than just the header, in what is known as deep packet inspection (DPI). Coupled with application protocol awareness, a CyberFence series device can allow or reject a packet based on whether it is well formed, appropriate, or within allowable limits. CyberFence devices understand the industrial protocols being analyzed, which means they can give the user the ability to restrict actions and commands to only what is required.

6. Alerting & Reporting

One of the main reasons why industrial control and automation environments are vulnerable to cyber-attack is that operators do not have any situational awareness about what is happening in their control networks. Users know what actions they perform on an HMI, and they can see the actions a controller (e.g. a PLC) has on the environment, but they don’t know if the action being performed is what they specified in the HMI. Many cyber-attacks can either manipulate control or manipulate the view to deceive an operator as to which processes are active or taking place. An attack can even make it seem as though the control system or controller (e.g. a PLC) is malfunctioning when it is operating correctly by taking commands from malware rather than the control system.
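The three whitelist checks described under Application-Level Parsing and Deep Packet Inspection above (well formed, appropriate for the talking pair, within allowable limits), together with the alert record this section calls for when a frame is rejected, as an added Python example. This is not CyberFence code; Modbus/TCP, the device addresses, the function-code policy and the register limits are assumptions chosen for illustration, since the paper names no single protocol.

```python
"""Whitelist-style, protocol-aware deep packet inspection for an ICS link.

Added illustration (not CyberFence code): a frame is accepted only if it is
well formed, appropriate for the source/destination pair, and within
allowable limits; every rejection yields an alert record. Modbus/TCP is
assumed as the protocol because its framing is small enough to parse fully
here; addresses, policy and limits are constructed sample values.
"""
import struct
from dataclasses import dataclass, field

# Modbus/TCP function codes this filter understands (anything else is dropped).
READ_HOLDING_REGISTERS = 0x03
WRITE_SINGLE_REGISTER = 0x06

# Constructed policy: which source may send which function codes to which PLC,
# and the permitted value range per writable register (the "allowable limits").
POLICY = {
    ("10.1.0.5", "10.1.0.20"): {           # HMI -> pump PLC
        "functions": {READ_HOLDING_REGISTERS, WRITE_SINGLE_REGISTER},
        "write_limits": {0x0010: (0, 1500)},   # pump set-point register, RPM
    },
    ("10.1.0.6", "10.1.0.20"): {           # historian -> pump PLC, read only
        "functions": {READ_HOLDING_REGISTERS},
        "write_limits": {},
    },
}

@dataclass
class Verdict:
    allowed: bool
    reason: str
    alert: dict = field(default_factory=dict)   # populated only on rejection

def parse_mbap(frame: bytes):
    """Return (unit_id, pdu) or raise ValueError when the frame is malformed."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("MBAP protocol id must be 0")
    # The length field counts unit id + PDU; a mismatch is the classic poison packet.
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return unit, frame[7:]

def inspect(src: str, dst: str, frame: bytes) -> Verdict:
    """Apply the checks in order: well formed, appropriate pair/function, in limits."""
    def reject(reason):
        return Verdict(False, reason, {"src": src, "dst": dst,
                                       "frame": frame.hex(), "reason": reason})
    try:
        _unit, pdu = parse_mbap(frame)
    except ValueError as exc:
        return reject(f"malformed: {exc}")
    rule = POLICY.get((src, dst))
    if rule is None:
        return reject("pair not whitelisted")
    fc = pdu[0]
    if fc not in rule["functions"]:
        return reject(f"function 0x{fc:02x} not permitted for this pair")
    if fc == WRITE_SINGLE_REGISTER:
        if len(pdu) != 5:
            return reject("malformed: write single register PDU must be 5 bytes")
        addr, value = struct.unpack(">HH", pdu[1:5])
        limits = rule["write_limits"].get(addr)
        if limits is None:
            return reject(f"register 0x{addr:04x} is not writable from this source")
        lo, hi = limits
        if not lo <= value <= hi:
            return reject(f"value {value} outside limits {lo}..{hi} for 0x{addr:04x}")
    elif fc == READ_HOLDING_REGISTERS and len(pdu) != 5:
        return reject("malformed: read holding registers PDU must be 5 bytes")
    return Verdict(True, "ok")

def modbus_frame(tid: int, pdu: bytes, unit: int = 1) -> bytes:
    """Build a well-formed Modbus/TCP frame (used to construct the samples)."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

# Constructed sample traffic: (source, destination, frame).
SAMPLES = {
    "hmi_setpoint_ok": ("10.1.0.5", "10.1.0.20",
                        modbus_frame(1, struct.pack(">BHH", WRITE_SINGLE_REGISTER, 0x0010, 900))),
    "hmi_setpoint_too_high": ("10.1.0.5", "10.1.0.20",
                        modbus_frame(2, struct.pack(">BHH", WRITE_SINGLE_REGISTER, 0x0010, 4000))),
    "historian_write": ("10.1.0.6", "10.1.0.20",
                        modbus_frame(3, struct.pack(">BHH", WRITE_SINGLE_REGISTER, 0x0010, 900))),
    "bad_length": ("10.1.0.5", "10.1.0.20",     # length field says 200 bytes follow
                        struct.pack(">HHHB", 4, 0, 200, 1) + bytes([READ_HOLDING_REGISTERS, 0, 0, 0, 1])),
    "unknown_peer": ("10.1.0.99", "10.1.0.20",
                        modbus_frame(5, struct.pack(">BHH", READ_HOLDING_REGISTERS, 0x0010, 1))),
}

def run_samples():
    """Inspect every constructed sample and return {name: Verdict}."""
    return {name: inspect(*args) for name, args in SAMPLES.items()}

if __name__ == "__main__":
    for name, v in run_samples().items():
        print(f"{name:24s} {'ALLOW' if v.allowed else 'DROP ':5s} {v.reason}")
```

Only the in-range HMI write is allowed; each of the other samples is dropped with a reason and an alert record that a SNMP trap or syslog forwarder could carry.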
The CyberFence series is designed to provide situational awareness within the control network so that operators have an independent means for comparing commands and readings being received and being sent and displayed. If there is a discrepancy between these two, the discrepancy represents the first red flag signaling a malicious actor or cyber-attack. The CyberFence series can do this by alerting and recording activity that it sees passing over the network. All configuration changes, firewall alerts, DPI alerts, and authentication failures can be reported either in-band over an encrypted channel or out-of-band using a separate network. Alerts are both securely recorded in an auditable record and distributed via SNMP traps and remote SysLog entries. Through the standards-compliant SOAP interface, management appliances automatically and routinely retrieve these logs for further analysis.

7. Preventing Attacks & Mitigations

While every cyber-attack on a critical or air-gapped system can be seen as unique, using different access and propagation methods, it can generally be categorized into a few main families. Not all cyber-attacks can be 100-percent successfully mitigated. A defender must recognize as early as possible when an attack is taking place and prevent the attacker from achieving the desired goal or performing desired actions. Through controls such as those provided by the CyberFence series, operators can make exploitation virtually impossible for non-sophisticated or nation-state attacks, and provide the situational awareness necessary to discover when sophisticated attacks are being attempted.

Network Connection Attacks - One simple way to mitigate this risk is to use encryption. Encryption is not widely deployed in process control and automation networks because it is seen to only provide confidentiality, where confidentiality is not required.
In fact, encryption provides two main protections, confidentiality and integrity, with integrity being the more important attribute within control networks. The integrity protection that encryption provides ensures that attackers with physical access to the network cannot manipulate the traffic, generate any of their own, or replay old traffic and go undetected. The confidentiality protection that comes with it is a bonus.

Endpoint Connection Attacks - One beneficial aspect of a control system is that it is fairly static. Not much changes. An attacker attempting to connect to a network does not know if port-based access control has been implemented, and so will not know how to avoid detection. As soon as an attacker tries to connect, a CyberFence series device will detect either the wrong MAC address or the failed certificate authentication and provide instant alerts to that effect. Now the administrator can detect that attempt and follow incident-response procedures to identify the attempted breach.

Internal Host-based Attacks - The use of CyberFence series devices will not only interrupt the actions of an attacker but very quickly identify that an attacker is attempting to probe the network, then alert an administrator. The DarkNode Technology in the CyberFence series devices will make them invisible to an attacker probing the network, and the firewall functionality will prevent any scans from reaching critical network devices. The attackers won’t be able to gather any additional information, and they won't know why. The administrator can obtain real-time alerts that this is occurring. Even if an internal PC is compromised with malware, an attacker’s ability to expand the footprint into the wider network is severely hampered, and the administrator is alerted early to the compromise even when the PC’s antivirus misses the initial infection.
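The integrity and anti-replay protection credited to encryption under Network Connection Attacks above, as an added Python example that is not 3eTI code: each message carries a sequence number and a keyed MAC, and the receiver refuses anything tampered with, forged without the key, or replayed. The HMAC-SHA256 construction, the shared key and the message contents are assumptions for illustration.

```python
"""Integrity and anti-replay check for a control-network message.

Added illustration, not 3eTI code. The paper's point is that integrity, not
confidentiality, is what stops an attacker with network access from
manipulating, forging or replaying control traffic. Each message is
authenticated with a truncated HMAC-SHA256 over sequence number + payload;
the receiver checks the tag in constant time and then enforces strictly
increasing sequence numbers. Key, window and messages are constructed values.
"""
import hmac
import hashlib
import struct

KEY = b"constructed-demo-key-not-for-production"
TAG_LEN = 16   # 128-bit truncated tag

def protect(seq: int, payload: bytes, key: bytes = KEY) -> bytes:
    """Wire format: 4-byte big-endian sequence || payload || 16-byte tag."""
    body = struct.pack(">I", seq) + payload
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag

class Receiver:
    """Verifies tags and tracks the highest sequence number accepted so far."""
    def __init__(self, key: bytes = KEY):
        self.key = key
        self.last_seq = -1

    def accept(self, msg: bytes):
        """Return (ok, reason, payload). Tag is checked before the sequence so a
        forged message can never advance the replay window."""
        if len(msg) < 4 + TAG_LEN:
            return False, "too short", b""
        body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False, "bad tag (tampered or forged)", b""
        seq = struct.unpack(">I", body[:4])[0]
        if seq <= self.last_seq:
            return False, f"replay: seq {seq} already seen", b""
        self.last_seq = seq
        return True, "ok", body[4:]

def demo():
    """Run four constructed cases through one receiver and return the outcomes."""
    rx = Receiver()
    genuine = protect(1, b"SET pump_rpm 900")
    # In-flight edit of the set-point by someone who does not hold the key.
    tampered = bytearray(genuine)
    tampered[4 + len(b"SET pump_rpm ")] = ord("4")   # "900" becomes "400"
    # Message built from scratch with a zero tag.
    forged = struct.pack(">I", 2) + b"SET pump_rpm 4000" + bytes(TAG_LEN)
    return {
        "genuine": rx.accept(genuine),
        "replay": rx.accept(genuine),          # same bytes captured and resent
        "tampered": rx.accept(bytes(tampered)),
        "forged": rx.accept(forged),
    }

if __name__ == "__main__":
    for name, (ok, reason, _) in demo().items():
        print(f"{name:9s} {'ACCEPT' if ok else 'REJECT'} {reason}")
```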
Server Compromise or Insider-Based Attacks - Even if the malware does not send its own malicious traffic, there have been instances when malware manipulates commands before they are sent. Therefore what the operator tells the system to do is not what the controller receives and actually executes. This discrepancy can look like a fault with either the controller or the HMI, but not necessarily like a cyber-attack. This type of attack can only be prevented through methods that validate what has been received. The CyberFence series DPI capability ensures that legitimate and safe operations will be executed by a controller, and that what has been received is what the operator intended. If any manipulation has occurred, the operator will know and can then report it to the network administrator for further investigation.

Zero-day attacks - The defense-in-depth protection offered by the CyberFence series dramatically limits the available and vulnerable attack surface of a critical device. Even though the critical device may support wide-ranging functionality and configurations, the CyberFence series devices ensure that only those functions that are required for operation are exposed to the wider network. They also ensure that only legitimate and well-formed packets are allowed through. This makes exploitation extremely difficult. Should any zero-day attack be found in a system, a new DPI rule can be written to detect, drop, and alert. This ensures protection for the critical device until the vendor issues a patch.

6. Summary

In conclusion, we challenge the ICS cyber security community to remember the reason why computers and cyber systems are used within industrial controls: to improve reliability and predictability within a process. There is a reason why procedures in the ICS world define what someone should do, not list all the things a user should not do.
Securing an ICS is an exercise in ensuring devices only do what they should do, not in preventing all the different ways they shouldn’t. No control system will be completely cyber secure, nor will a single product provide the complete solution. Instead, a risk-informed, holistic security approach is needed, one that provides a layered set of defenses that include specific protections for critical edge devices.

Firewall, intrusion detection, and deep packet inspection functions can all be performed at the network core, which is normally acceptable in IT network systems. But for critical systems this is a highly risky approach. A single misconfiguration or change to the operation can leave large numbers of critical devices accessible and vulnerable. A central firewall would not prevent an insider threat performing a malicious action, or even detect it. A network segregation device (e.g. a data diode) should keep a system air gapped, but would not prevent malicious code from being inserted into the system via other means (USB stick, software update). Instead, by moving the defense to the edge, risk is kept to a minimum; any error in a device’s configuration will only affect that single device and not the whole network.

In a critical operational environment, performance is paramount and sometimes safety-critical. But without the addition of security, the operational environment is at risk of unsafe malicious operation. An appropriate security control is one that minimizes the impact to the operational environment. A CyberFence series device protecting an industrial plant’s control system will be deployed and configured differently than the same plant’s monitoring system, or a building’s automation system. This enables them to provide an independent assessment of what is actually occurring in control networks between devices.
The CyberFence series solutions are optimized for the unique environment in which they operate, balancing the risk management requirements and operational limitations of demanding process control and automation systems. ICSs require their cyber protections to go beyond the signature-based approach of firewalls, to protocol-aware systems that whitelist applications, connections, and communications.

For more information on Ultra Electronics, 3eTI solutions contact [email protected] or call +1 301.670.6779.

About Ultra Electronics, 3eTI

Ultra Electronics, 3eTI is a leading provider of military-grade secure communications that enable critical systems security, infrastructure security, and facilities management for the defense, government, utilities and industrial markets worldwide. Solutions form robust, cyber-secure, wired and wireless sensor networking systems that modernize and integrate disparate legacy systems across widespread bases and facilities to increase productivity, and provide a path to lower operational costs. 3eTI’s product portfolio includes net-centric and OEM products that enable comprehensive data protection for a wide range of defense and industrial applications such as secure wireless mesh networks, industrial sensor networks, cyber security, and perimeter security solutions approved for use by the most stringent and demanding customers, including the US military. (www.ultra-3eti.com)