Three of the seven strategies in the December 2015 report
from the DHS NCCIC/ICS-CERT, “Seven
Strategies To Secure Industrial Control Systems,” recommend unidirectional gateways
for maximum protection from cyberattacks.
The report points to an increase in the frequency and
complexity of cyber incidents. ICS-CERT received reports of 295 incidents in
2015, although it is believed that many more went unreported or undetected. Increasingly
capable cyber adversaries who can, and have, defeated traditional IT-centric
security protections perpetrate these attacks.
To mitigate this growing threat, the DHS encourages us to
deploy technology to prevent these increasingly sophisticated attacks.
Seven Strategies to
Defend ICSs
- Implement Application Whitelisting
(AWL) – When antivirus and malware detection tools fail, AWL can
prevent execution of most malware.
- Ensure proper configuration/patch
management – Unpatched systems are low-hanging fruit for attackers.
What the report does not point out is that patching is costly, and does
little to deter sophisticated attackers, because of the large number of
ICS zero-days waiting to be discovered. The report does point out that
unpatched laptops connecting to ICS networks are a major infection vector.
I agree with this latter point – any laptop or other equipment that is
ever connected directly or indirectly to the Internet must be regarded as
eventually compromised.
- Reduce your attack surface – The
report points out that real-time connectivity between ICS networks and
less-trusted networks is best achieved using hardware-enforced
unidirectional communication, such as Unidirectional Security Gateways.
- Build a defendable network –
Network segmentation can limit the damage from an intrusion and reduce cleanup
costs by limiting how far the compromise can spread through the ICS
network. Again, the report points out that the best design for transferring
real-time data is unidirectional gateways.
- Manage authentication – Adversaries
increasingly focus on stolen credentials, especially for highly privileged
accounts. Among other things, the report recommends employing separate
credentials for corporate networks and industrial control system networks.
I disagree. I think the report would have been more effective recommending
much stronger perimeter protections to lock remote adversaries out
entirely, even those with every password to every ICS computer in the
building.
- Implement secure
remote access – The report recommends surveying and systematically
removing vendors’ and other back doors that appear in the form of modems,
DSL lines and other undisciplined connections to outside networks. The report
also recommends unidirectional gateways to enforce “monitoring-only”
access, such as Waterfall’s Remote Screen View product provides. The DHS
cautions against reliance on “read-only” access enforced by software
configurations; no such software provisions can be as safe or reliable as
the hardware-enforced monitoring-only access of Unidirectional Security
Gateways.
- Monitor and respond – As always,
the DHS recommends practiced intrusion monitoring, incident response, and
system recovery capabilities.
The DHS cites the much-publicized and analyzed “Black
Energy” malware as an example relating to direct or indirect Internet
connectivity. Black Energy relies on a connection to a command and control
center on the Internet. The malware uses this connection to receive
instructions, download additional software – such as the “DiskWiper” cited in
the Ukrainian intrusions – and report intelligence gathered about the layout of
the ICS for use in future, more specific attacks.
The example could have been applied much more widely in the
report. In particular, with Unidirectional Security Gateways as the sole
connection between an ICS network and any external network, Black Energy’s
connection to a command and control center is impossible. The gateways send
information where they are configured to send it, not to random IP addresses on
the Internet, or on the corporate network. In addition, the gateways, of course,
permit no software downloads, remote control, or other instructions from a
command and control center back into the protected network.
The report is short, and is very much worth reading.
To learn more about
unidirectional security gateway technology and how it works to protect ICS
networks, visit www.waterfall-security.com.
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.