Common wisdom is that “if I have a firewall and encryption, I must be safe.” Virtual private networks (VPNs) are seen as the solution to the remote access problem, but this common belief is very much mistaken. Viruses, malware and online attacks move through encrypted VPN connections as easily as they move through un-encrypted local area networks (LANs). The whole point of a VPN is to make remote users feel as though they are locally connected to trusted LANs. Encryption provides protection against data theft, data manipulation and man-in-the-middle attacks, but it provides zero protection against attacks originating from the remote networks the VPN connects, from the remote workstations, or from the remote endpoints themselves. Laptops, workstations and mobile devices used for remote access are notoriously prone to compromise.
Now to be fair, understanding of remote access risks varies
greatly. Some utilities very much do “get it” and have deployed powerful remote
access protections. The Department of Homeland Security (DHS) Catalog
of Control System Security: Recommendations for Standards Developers
provides much better advice than just “use a firewall and VPN.” The North
American Electric Reliability Corporation (NERC) 2011 Guidance
for Secure Interactive Remote Access is even better – in fact, it’s
pretty good, as it even starts to mention more advanced and appropriate protections.
One of these more advanced protections is hardware-enforced industrial cyberperimeters, which are Waterfall’s focus. All software has bugs, and some bugs are security vulnerabilities. In practice then, all software is vulnerable. The Heartbleed bug and the second set of OpenSSL bugs make this point in spades. These bugs allowed attackers to steal private keys from the public-key cryptosystems used by a large fraction of the world’s websites, and in fact used by OpenSSL-based VPN implementations as well. Since the bugs were announced, I have spoken to many experts about them. Not one believes that this vulnerability lay in wait, un-exploited, these last many years. Governments and organized crime rings all over the world have spent billions over the last decade to develop sophisticated attack tools, and to find and exploit zero-day vulnerabilities. For example, the latest Wikileaks revelation is that the NSA has a list of vulnerabilities able to compromise pretty much every firewall in existence.
All software is vulnerable. Software protections have failed
repeatedly to protect IT networks. Why, then, should we trust software to
protect critical control system networks, especially when hardware-based
protections are available? Unidirectional Gateways replicate industrial servers
for painless, safe and continuous remote monitoring. Remote Screen View lets
remote personnel see the screens of critical machines, and participate in
emergency problem resolution by directing the actions of local personnel over
the phone in real time. Even a simple Secure Bypass device adds enormous value
to an emergency VPN capability. No remote user should have the power to initiate
a remote connection into a protected, critical network without the knowledge
and participation of personnel at the industrial site. And no targeted attacker
should have the power to initiate a remote connection to an industrial site
simply by attacking software.
Hardware-based remote access protections are more powerful than software-based protections, and are far simpler. Serious software-based protection is not easy at all, and however carefully it is implemented, it can never be as thorough as simple hardware-based protection.
The time for hardware-based protections has arrived. Why is
everyone still talking about software?