You’ve Heard the the Catchphrases and Acronyms Surrounding Industrial Network Security, So What Do They All Mean?
The inaugural edition of my new column will attempt to clarify a few things about industrial network security. There’s simply too much misinformation, ambiguity, and uncertainty out there—not to mention a wealth of conflicting opinions and a never-ending syntactical debate over terminology. You’ve heard the acronyms: SCADA, ICS, IACS, DCS, PCS, CI. You’ve caught the catch-phrases: air-gap defense, critical infrastructure, cyber war, advanced persistent threat. What does it all mean? The answer is a difficult one because the topic of industrial network security is broad and covers a diverse set of industries, network architectures, protocols, deployment methods, business goals, and security risks. A company that designs and manufactures ballistic missile systems operates differently from a company that manufactures extruded rubber weather stripping, and the production of bright-white laser jet paper is different from the production of energy. Right? … Right?
Not necessarily. There are commonalities between all of these systems, not the least of which is some sort of control system: the “CS” in the majority of those earlier acronyms. The larger commonality, however, is one of intention. The end goal of a nuclear energy generation facility is the same as that of a commercial seafood cannery: To produce something in an automated fashion with high quality, efficiency and safety, while at the same time minimizing waste and cost. The specific priorities may vary (nuclear facilities being more concerned about safety, for example) but at a high level it’s all about process efficiency. To achieve this goal, specialized facilities are built to automate the processes with precision. These processes are carefully monitored and controlled by other specialized facilities, which interact with business systems to ensure that supply meets demand, and that “operational efficiency” isn’t limited to manufacturing efficiencies, but rather extends across the entire organization. An “industrial network” therefore is made up of at least three distinct parts: an enterprise network (the “business” network, where Dilbert works), the Supervisory Control and Data Acquisition (SCADA) network (the “command center,” where Homer works), and the Control System itself (the “plant,” where Laverne and Shirley work). The three networks are absolutely co-dependent on each other, while at the same type operating in absolutely different ways.
This is why I chose to think of things in the context of “industrial network security” rather than in specifics about SCADA or control system security. All three areas need to be considered in order to adequately protect any specific system. Maybe it’s because I married a veterinarian technician, but I prefer the analogy of the three-headed dog that has fleas: which neck do you put the flea collar on? All of them.
So we agree that “Industrial Network Security” is about enterprise security and SCADA security and Control System security … now what? Now we get to the fun part. By examining some of the unique architectures that are in play (especially in SCADA and ICS networks) we can uncover some interesting new attack vectors, and then use this insight to strengthen our perimeter defenses and our overall situational awareness. To make a point, I’ll use Stuxnet as an example. Stuxnet consists of several zero-day delivery mechanisms that are used for initial infection of a host PC (likely in the business enterprise); it consists of new methods of propagation that allow the malware to move intro the SCADA network and search out specific target systems; and finally it uses those SCADA systems to infect and alter the programmable logic control within the control system itself. Stuxnet has been called a lot of things: revolutionary, sophisticated … I’ve even heard it called a myth. To me, Stuxnet is an exemplar for overcoming current industrial network security efforts, and therefore it’s also a great framework for discussing how to improve that security.
Starting with the attack vector, the most well-known method of the infection methods involved infected .LNK files on removable drives (such as a USB thumb drive) to execute code on a host PC, but there were others including more than one network infection vector. Once deployed, the malware sought out a specific Siemens HMI in order to exploit a vulnerability on that system. The infected system at that point manipulated a Programmable Logic Controller (PLC), which monitored the field bus protocol until it found a specific motor spinning at a specific frequency, and then sabotaged it. Knowing this, we also know to look for attacks coming from several new vectors. The five zero day exploits used in the initial stages included the use of USB drives, network-originated .LNK files (such as remote file share or Webdav mounts), print spooler vulnerabilities and two local privilege escalation vulnerabilities. So what does this mean? It means that a targeted attack can come from: USB drives; shared file resources over the network; print spoolers; and local vulnerabilities. Wait—that last one means that any authenticated access to the target host can be used to exploit local privileges, meaning we have to add “any local access” as a viable vector.
This isn’t news, or at least it shouldn’t be. However, I’ve heard this phrase countless times since last summer when Stuxnet first became the media’s malware darling: “We’re safe from Stuxnet, we’ve taken steps to prevent unauthorized USB access.” I’ve heard everything from simply disabling autoplay to physically removing, covering or locking USB ports. That’s great, but what about the other vectors used by Stuxnet?
If you know the vector, you can plan a defense against the attack. For the initial stage of Stuxnet infection, this means looking for known network-based attacks to a control system that can be easily detected and prevented. Probably. In this case, we know what to look to stop remote .lnk exploits as well as print spooler exploits, so your Intrusion Prevention System will block it. However, if I put on my patented Tin Foil hat of Paranoia™ and think about it, it’s probably safe to assume that a nation-backed cyber attack that uses four known zero-day vulnerabilities, probably uses one or more additional zero-days that we haven’t discovered yet. So we still need to think about inbound network access, and how we might be able to protect ourselves against the unknown.
There’s more, though, because Stuxnet has additional stages, and therefore additional vectors. For example: there is now a documented example of a PLC being infected by an HMI. We can assume our HMIs are all secure and safe, or we can don the hat again and take additional precautions just in case. There are legitimate methods for imposing security in this traditionally insecure area of an industrial network, and it’s time to take them seriously. These methods include straightforward approaches—such as deploying specialized ICS firewalls, IPSs or protocol filters that are designed to operate within the control loops themselves (i.e., immediately in advance of the PLC, or in some cases beyond it). They also include more roundabout ways of detecting threats, such as using your data historian (which already monitors process activity) and existing logs from other sources throughout the infrastructure as a security tool.
So wave good-bye to the mythical air gap. It’s time to start thinking like a criminal and find real ways to protect our critical networks against cyber attacks.
Coming Up Next....
In my next piece, I’ll cover that first vector and recommend some ways to protect your SCADA and ICS environments from inbound network attacks. Next, we’ll take a look at SCADA and ICS networks and protocols to find ways to protect a control system from itself.
Related Reading: Are Industrial Control Systems Secure?
Related Reading: How to Make the Smart Grid Smarter than Cyber Attackers
Related Reading: The Increasing Importance of Securing The Smart Grid
Related Reading: Stuck on Stuxnet - Are Grid Providers Prepared for Future Assaults?