A German steel mill, a Ukrainian power grid, and an American dam all walk into a bar... Okay, so what could be the beginning of a bad joke is anything but a joke. No longer are data and dollars the only things at risk in cyber attacks. More and more, hackers are targeting critical infrastructure with the potential to disrupt operations and cause physical damage.
According to the 2015 Dell Security Annual Threat Report, worldwide SCADA attacks increased from 91,676 incidents in January 2012 to 163,228 in January 2013 to 675,186 in January 2014. As per Ponemon Institute’s 2014 study, Critical Infrastructure: Security Preparedness and Maturity, 67 percent of companies surveyed had suffered at least one cyber attack on their ICS/SCADA systems in that past year, and 78 percent said they were expecting a successful attack within the next two years.
So what’s causing the upsurge? For one, more industrial control systems are being connected to the Internet. For companies on the lookout for ways to do more with less and gain a competitive edge, it’d be tough to ignore the promises of the Industrial Internet of Things (IIoT): improved efficiency, increased productivity, lowered costs, enhanced automation, and even superior safety. But as with most things in life, having it all is tough to achieve, and IIoT is no exception. Lurking behind all the bright and shiny positives Internet connectivity can bring remain the many vulnerabilities endemic to the IT world.
Old Systems, New Vulnerabilities
In a sense, industrial control environments are like an old man—fragile, slow-paced, and not overly adept at dealing with change. Traffic in these environments is exceedingly low compared to a regular IT network and, for the most part, the technology has been in place for 10+ years and was not developed with Internet connectivity in mind, let alone cybersecurity. Systems were physically isolated and security measures revolved around policy, air gapping, and preventing outside exposure. As with that old man, the introduction of anything new and different has the potential to quickly wreak havoc.
By definition, an air-gapped system is neither connected to the Internet nor any other unsecured networks. No doubt, hacking experts would advise on maintaining air gaps and not connecting to the Internet, but there’s considerable debate over whether this advice is feasible. Indeed, can business and control networks really remain separate, and should they?
Even air-gapped systems are vulnerable to infected USB flash drives or malicious, careless, or bamboozled insiders. Hackers used spear-phishing to infiltrate the German steel mill and prevent a blast furnace from shutting down. Google dorking got the alleged Iranian hackers into the New York dam control system and, had a certain sluice valve not been disconnected for maintenance, it might have meant flood gates opening.
Air-gapped or not, it’s probably wise to assume perimeters are penetrable and to establish additional defenses based on that supposition.
Bring It Home
The industrial sector is replete with geographically dispersed and remote facilities, most of which lack dedicated IT/OT resources and security expertise or, worse (at least from a security perspective), are lights-out, locked-down, and without a soul around. To get to them involves time, personnel, and expense—none of which is good, especially during an emergency.
Unfortunately, centralized administration can be difficult when designated monitoring networks are isolated and unavailable. Companies could arm every substation with dedicated advanced detection tools, but that becomes somewhat expensive when you add a multiplier—50, 100, 1,000 remote locations? And really, beyond the cost concern, it’s probably not necessary. From a data traffic standpoint, if you only have 10 megs of traffic, there’s no need for a box capable of processing a gig. It’s overkill.
A better tack would be to route traffic back to a central processor for inspection.
NERC CIP provides a framework of security controls that is very open to interpretation and multi-method approaches. As an example, one company may satisfy a control by monitoring packet data, another via the correlation of log data, and yet another by simply reducing exposure through air gaps and segmentation.
For companies interested in extending the capabilities of advanced cybersecurity tools at the centralized production environment to substations, implementing an out-of-band transport network to get visibility into both packet data and syslog traffic can be very beneficial. One way of achieving this while maintaining segmentation of the ICS network is to insert a passive network TAP between a local syslog server and reporting endpoints, isolate the syslog traffic via an IP filter, and tunnel it back via an out-of-band network to a central monitoring location. (As NSA Chief Hacker Rob Joyce said, out-of-band network TAPs are a nightmare to hack.)
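The "isolate the syslog traffic via an IP filter" step above, worked through as an added example (not code from the original article or from any vendor it mentions): raw frames copied off the TAP are decoded, and only UDP datagrams addressed to the substation's syslog collector on port 514 are selected for the out-of-band tunnel, so Modbus polls stay on the ICS segment and nothing on the reverse path (collector back to an endpoint) is forwarded. The collector address, the endpoint addresses and the sample capture are all constructed for the example.

```python
import struct
from ipaddress import ip_address
SYSLOG_SERVER, SYSLOG_PORT = "10.10.1.5", 514  # assumed address/port of the substation's syslog collector
UDP, TCP = 17, 6

def build_frame(src_ip, dst_ip, proto, sport, dport, payload):
    """Build a minimal Ethernet/IPv4 + UDP-or-TCP frame (constructed test data, checksums left zero)."""
    if proto == UDP:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    else:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     ip_address(src_ip).packed, ip_address(dst_ip).packed)
    return b"\x00" * 12 + b"\x08\x00" + ip + l4

def parse(frame):
    """Decode an IPv4 frame into (src, dst, proto, sport, dport, payload); None if not IPv4 UDP/TCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
    l4 = frame[14 + ihl:]
    if proto not in (UDP, TCP) or len(l4) < 8:
        return None
    sport, dport = struct.unpack("!HH", l4[:4])
    payload = l4[8:] if proto == UDP else l4[(l4[12] >> 4) * 4:]
    return str(ip_address(frame[26:30])), str(ip_address(frame[30:34])), proto, sport, dport, payload

def syslog_pri(payload):
    """Split the <PRI> header of a syslog message into (facility, severity); None if absent."""
    text = payload.decode("ascii", "replace")
    end = text.find(">", 1, 5)
    if text[:1] != "<" or end < 0 or not text[1:end].isdigit():
        return None
    return int(text[1:end]) >> 3, int(text[1:end]) & 7

def select_for_tunnel(frames):
    """The IP filter: keep only syslog datagrams headed to the collector; the reverse path is dropped."""
    out = []
    for frame in frames:
        pkt = parse(frame)
        if pkt and pkt[2] == UDP and pkt[1] == SYSLOG_SERVER and pkt[4] == SYSLOG_PORT:
            out.append((pkt[0], syslog_pri(pkt[5]), pkt[5].decode("ascii", "replace")))
    return out

# Constructed TAP capture: two syslog messages, a Modbus/TCP poll (port 502), and a reverse-path datagram.
SAMPLE_CAPTURE = [
    build_frame("10.10.1.20", SYSLOG_SERVER, UDP, 40000, 514, b"<34>Jan  1 00:00:01 rtu1 login failed"),
    build_frame("10.10.1.21", SYSLOG_SERVER, UDP, 40001, 514, b"<134>Jan  1 00:00:02 plc2 scan cycle ok"),
    build_frame("10.10.1.30", "10.10.1.21", TCP, 50000, 502, b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"),
    build_frame(SYSLOG_SERVER, "10.10.1.20", UDP, 514, 40000, b"<14>reply"),
]
```

Running `select_for_tunnel(SAMPLE_CAPTURE)` yields only the two collector-bound messages, with the auth/critical failed login (facility 4, severity 2) the one a central SOC would want to alert on.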
Centralization is a way to maintain “air-gappedness” while enabling one-way monitoring that can’t be used as a potential attack vector and can be used to gain intelligence on how a system might be targeted, as well as detect and respond to a host of threats, immediately and remotely.