Traditional cybersecurity measures, such as firewalls and
anti-malware, were once considered adequate to protect our IT networks and
industrial control systems (ICS) alike. Recently, however, this assessment has
been challenged as the frequency and success of modern cyberattacks against
these networks have increased. Practitioners of critical infrastructure are
questioning the security tools they once used. If these technologies are
repeatedly failing to protect IT networks from attack, why should they be
trusted to protect control system networks? In short, which of our industrial
control system networks are expendable enough to expose to these software-based,
IT-style cybersecurity approaches?
The answer is, of course, “none.” None of our industrial
control system networks can afford such risk. Compromised control systems put workers’
lives and public and environmental safety at risk, and introduce risks of
downtime and damage to large, costly and difficult-to-replace equipment.
The damage to blast furnaces in December’s German
steel mill cyberattack is a good example of these risks. This incident demonstrated
what today’s attackers are capable of, and the consequences of this kind of attack.
Software-based cybersecurity protections failed to protect the steel mill and
the physical equipment at the site.
If not software, then
what?
To provide effective protection for industrial control
networks, security standards must keep pace with modern attacks. The
latest NIST 800-82r2 and Agence nationale de la sécurité des systèmes
d'information (ANSSI) guidance for industrial control system security recognize
the strength of hardware-enforced unidirectional security gateways. Unidirectional
gateways provide physical protection for control system networks, not just
software security. The gateways replicate industrial servers to corporate networks,
providing safe IT/OT integration for control system networks.
Given the continued evolution of best-practice ICS security
guidance, and the widespread acceptance of unidirectional security gateways,
the question we must all ask of our control systems networks is: which of these
networks are expendable enough to be protected with only firewalls and other IT
security software components?
Interested in reading about the challenges in securing IT/OT
networks? Check out our recent article
for more information.