For quite a few years, enterprise IT departments have commonly addressed network security by leveraging Intrusion Prevention Systems (IPS). As we continue the discussion from my previous column (about the paradigm shift needed for designing security for the Operational Technology/OT environment vs. IT), there are interesting lessons learned from IT IPS experiences that OT can benefit from. The first is to understand how attackers have bypassed traditional IPS IT solutions:
The Use of Smaller Messages – Many attacks evade enterprise IPS by breaking attacks into segments. IPS cannot reassemble these properly, because IPS does not understand the industrial protocol. For example, consider this scenario:
(1) Allow “aaabbbccc”
(2) Allow “dddeeefff”
(3) Deny “bbbcccddd”
Without understanding industrial protocols, the sensor can see a message segment that reads “bbbccc.” Although the message content is clear, the IPS does not know if it is the second portion of the first “Allow” message (“aaabbbccc”), or if it is the first portion of the “Deny” message (“bbbcccddd”).
Without the ability to understand the significance or potential impact of a message, tuning an IPS to block an attack is virtually impossible without generating an exorbitant number of false-positives. Such false alarms distract operators from real events, and unnecessarily add a heavy management burden to staff. Particularly in OT environments, where staff may be scheduled across 24/7 shifts, such a burden is magnified.
Leveraging Legitimate Protocol Functionality for Illegitimate Reasons – Attackers can use functions of an intended feature set of a control protocol for malicious purposes. Consider the damage that can be done to plant uptime and production if any of the following functions were used inappropriately:
• turning devices off
• changing IP addresses
• modifying names
• altering settings
• modifying firmware
• restarting devices
As an example, a subcontractor that performs a small portion of a larger process has misconfigured gear that can communicate with your equipment to modify coils, outputs, tags, and other parameters. Without any context to know who (or which device) is permitted to use a particular function, system operators of traditional IPS are left with only one option — open or close a port. This is an all-or-nothing solution that is impractical and unusable.
Control protocols provide access to a range of equipment functionality such as equipment administration, process control and process monitoring over a single TCP or UDP port. Administrative functions control the configuration and programming of control equipment and have the highest potential for abuse – changing control logic applications, equipment configuration such as network addresses and system time, and system operations such as reboots. These functions are used infrequently by specially designated software and users, and represent the greatest risk to the system.
Process control functionality alters the content of device memory and consequently the state of the process. Often this occurs between devices where a change in the state of one device has an influence on the state of another device or a human-facing interface allows the change of a set point or other control logic parameter. Functionality that can change or influence the behavior of the process has increased risk to the system and requires a higher level access privilege than read-only commands.
Process monitoring relies on commands that are read-only, such that they return the state of a device’s memory but do not change the memory’s content or configuration of the device. These read-only commands are the least risky to the continuity and integrity of the process system but can be used by unauthorized users and attackers to gather system intelligence.
Port-based access control is insufficient to differentiate between different protocol functions and parameters, and is impossible to implement the fine-grained access control to the different classes of functionality provided by control protocols.
Bypass Exploit Signatures – Malicious exploits of code normally have short life cycles, which have traditionally prompted vendors of enterprise IT IPS to take the fastest short cuts in developing signatures. These signatures are very good at detecting known exploits, but insufficient in detecting the source vulnerability that initially led to the exploit. There is a clear danger that attackers can easily modify an exploit to bypass the signatures.
For example, many poor IPS signatures will make use of a pattern such as “x41x41x41x41,” which is a sequence of “AAAA” that the researcher was using to arbitrarily fill space. An intermediate attacker can recognize such patterns and simply replace the ‘A’s with ‘B’s or another letter/number, thereby bypassing the exploit’s specific protection. Without understanding the software flaw that led to the security concern, robust protection is impossible. What is the meaning behind the actual exploit data? And what actually triggered it? There are multiple possibilities, and without taking time to investigate and understand the details, IPS vendors are always in catch-up mode, and plants open themselves up to avoidable risk.
Mandating IPS
The Department of Homeland Security ICS-CERT has long advocated using IPS as a key preventative measure. The key to a successful IPS implementation in OT is implementing solutions and practices designed to meet the key specific security, technical, and business requirements of industrial networks. An industrial IPS must feature these types of vital protections and capabilities to ensure low risk of operational interference and high levels of plant-specific security.
A Deep Packet Inspection (DPI) engine – understands the industrial protocols relevant to industrial control systems. Protocol examples include PROFINET or CIP for industrial automation, IEC 6070-5-104 or IEC 61850 for electrical substation automation. Many others exist, and you should particularly consider those within your environment. Once the IPS understands a protocol, it has the intelligence to properly reassemble the segments into meaningful messages. And with these messages, the industrial IPS enables organizations to make properly informed security decisions.
Granular policy control – sets specific parameters to determine when communication is allowed. Actual parameters are highly specific to the industrial protocol. These parameters include items that determine: (1) “Who” – IP addresses, MAC addresses, protocol addressing information (i.e. slave/station address in Modbus), and more; (2) “How” – function codes, operations, data types, and primitive types; and (3) “About what” – coil/IO numbers, memory addresses, tag names, and allowed values. By understanding the parameters, in conjunction with the protocol used and the specific context, system operators will have the proper visibility to take action on illegitimate use of functions and commands.
Protection against vulnerabilities – ensures longer lasting security vs. protection against short-lived exploits. Industrial gear is designed to be in service for decades with minimal interaction from system operators, and device firmware might be on older revisions for extended periods. Protection needs to have high security efficacy to alleviate concerns about frequency of patch times that can disrupt operations. When considering industrial IPS, ensure that your provider has the people, expertise, and experience in OT and security, to fully understand the vulnerability when creating signatures for the DPI engine in an OT environment. Also, work with providers that have key relationships that enable them access to rich vulnerability information from device vendors, government sources, third party independent researchers, and the source researcher who found the vulnerability. In addition, an ICS-focused IPS will ensure proper prioritization and research resources dedicated to understanding the vulnerability in an OT environment, thereby delivering better protection.
And of course, all industrial IPS functionality needs to be easily deployed and managed. Deploying IPS on the same firewall device with an easy-to-use graphical interface (i.e. no command line interface required) will enhance management and deliver visibility across the network.
The Next Step
Because many enterprise IPS solutions are not designed to protect industrial networks, system operators must opt for an industrial security solution approach that includes an IPS that fully understands industrial protocols and the specific context of each industrial command. In addition, knowing that industrial networks are difficult and costly to patch, the optimal solutions must have protection against vulnerabilities vs. exploits to ensure enduring, effective security. Simply leveraging existing IT solutions for an OT environment puts operations at risk of attack and operational disruption.
Related: Learn More at the 2015 ICS Cyber Security Conference
