Showing posts with label NERC. Show all posts

Friday, August 15, 2014

Remote Access Best Practices

Common wisdom is that “if I have a firewall and encryption, I must be safe.” Virtual private networks (VPNs) are seen as the solution to the remote access problem, but this common belief is very much mistaken. Viruses, malware and online attacks move through encrypted VPN connections as easily as they move through un-encrypted local area networks (LANs). The whole point of a VPN is to make remote users feel as though they are locally connected to trusted LANs. Encryption provides protection against data theft, data manipulation, and man-in-the-middle attacks, but it provides zero protection against attacks originating from the networks the VPN connects, from the remote workstations, or from other endpoints on those networks. Laptops, workstations and mobile devices used for remote access are notoriously prone to compromise.

Now to be fair, understanding of remote access risks varies greatly. Some utilities very much do “get it” and have deployed powerful remote access protections. The Department of Homeland Security (DHS) Catalog of Control System Security: Recommendations for Standards Developers provides much better advice than just “use a firewall and VPN.” The North American Electric Reliability Corporation (NERC) 2011 Guidance for Secure Interactive Remote Access is even better – in fact, it’s pretty good, as it even starts to mention more advanced and appropriate protections.

One of these more advanced protections is hardware-enforced industrial cyberperimeters, which are Waterfall’s focus. All software has bugs, and some bugs are security vulnerabilities. In practice then, all software is vulnerable. The Heartbleed bug and the second set of OpenSSL bugs make this point in spades. These bugs allowed attackers to steal private keys from the public-key cryptosystems used by a large fraction of the world’s websites, and in fact by OpenSSL-based VPN implementations as well. Since the bugs were announced, I have spoken to many experts about them. Not one believes that this vulnerability lay in wait, un-exploited, these last many years. Governments and organized crime rings all over the world have spent billions over the last decade to develop sophisticated attack tools, and to find and exploit zero-day vulnerabilities. For example, the latest Wikileaks revelation is that the NSA has a list of vulnerabilities able to compromise pretty much every firewall in existence.

All software is vulnerable. Software protections have failed repeatedly to protect IT networks. Why, then, should we trust software to protect critical control system networks, especially when hardware-based protections are available? Unidirectional Gateways replicate industrial servers for painless, safe and continuous remote monitoring. Remote Screen View lets remote personnel see the screens of critical machines, and participate in emergency problem resolution by directing the actions of local personnel over the phone in real time. Even a simple Secure Bypass device adds enormous value to an emergency VPN capability. No remote user should have the power to initiate a remote connection into a protected, critical network without the knowledge and participation of personnel at the industrial site. And no targeted attacker should have the power to initiate a remote connection to an industrial site simply by attacking software.

Hardware-based remote access protections are more powerful than software-based protections, and are far simpler. Serious software-based protection is not easy at all, and however carefully it is implemented, it can never be as thorough as a simple hardware-based protection.

The time for hardware-based protections has arrived. Why is everyone still talking about software?

For more information on products for protecting your critical infrastructure site from the Heartbleed vulnerability and other remote access pain points, please click here.

Tuesday, April 29, 2014

The Security Risks of Remote Access and “Cloud Control Systems”

Today, Waterfall Security has the privilege of participating in a panel at the Federal Energy Regulatory Commission (FERC) Technical Conference to discuss technical and operational issues in the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Version 5 standards that the commission approved in late 2013. While Waterfall supports the improvements made in NERC CIP Version 5 over previous versions, we have expressed concerns over the cybersecurity of central turbine monitoring systems and other types of interactive remote access.

Most turbine vendors require continuous monitoring of operations as a condition of hardware warranties and hardware support contracts. Turbine vendors generally also require that sites allow occasional remote control of the turbines to correct vibration and other anomalies that might grow into catastrophic failures. This continuous monitoring and occasional remote access is most often enabled by an encrypted virtual private network (VPN) tunnel connected directly from the central monitoring site to the turbine owner’s control system network. This tunnel generally bypasses all of the owner’s corporate security technologies. This means that there is only one layer of security between any vendor-monitored turbine anywhere in the world – even those turbines not under the jurisdiction of NERC CIP – and any vendor-monitored turbine in the U.S. Further, the remote access permissions that sites grant to vendor monitoring and diagnostics centers are much more intrusive than the Inter-Control Center Communications Protocol (ICCP) set point permissions that generating utilities typically grant to BES Control Centers. This makes no sense, though. The CIP Version 5 standards require many technical security controls for BES Control Centers, but the central vendor sites are not held to the same standards. In fact, there are currently no technical security measures required of central vendor sites.

These concerns reflect a deeper issue around interactive remote access from any one site or laptop to a large number of similar targets in the Bulk Electric System (BES). In many utilities, there is a set of senior engineers’ laptops which are configured with “occasional” on-demand VPN access to any of hundreds of generating and substation/switching sites. In addition, many control system technology vendors, not just turbine vendors, are setting up central “monitoring and diagnostics” sites for their products. While any individual remote access path is a security problem should an attacker take advantage of an opening, these risks are multiplied when one site or one laptop has access to hundreds of such VPN connections.

This issue is easily resolved through a combination of hardware-enforced Unidirectional Security Gateways configured with unidirectional Remote Screen View capabilities. Since the gateways enable one-way communication channels out of the control system, there is zero risk of a cyberattack getting back in. Vendors who need to fix anomalies can call the affected site and turn on screen sharing through Remote Screen View to see site screens and to direct engineering personnel to correct the problems.
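The two points above, that a single remote endpoint with inbound access to many sites multiplies the risk, and that site-initiated one-way paths do not give the remote side a way in, can be checked against an access inventory. The following is an added example written for this page, not Waterfall's code or a NERC tool; the inventory records, the endpoint and site names, and the `remote`/`site`/`direction` field names are all constructed for illustration. "inbound" means the remote side can open a connection into the control network; "outbound" means only the site side can open it (as with a one-way screen-view path).

```python
"""Audit of remote-access paths into control networks (constructed example)."""
from collections import defaultdict

# Constructed inventory. Every name here is made up for illustration.
ACCESS_PATHS = [
    {"remote": "vendor-mnd-center", "site": "plant-a", "direction": "inbound"},
    {"remote": "vendor-mnd-center", "site": "plant-b", "direction": "inbound"},
    {"remote": "vendor-mnd-center", "site": "plant-c", "direction": "inbound"},
    {"remote": "eng-laptop-07", "site": "plant-a", "direction": "inbound"},
    {"remote": "eng-laptop-07", "site": "substation-12", "direction": "inbound"},
    {"remote": "eng-laptop-07", "site": "substation-31", "direction": "inbound"},
    {"remote": "eng-laptop-07", "site": "plant-d", "direction": "inbound"},
    # Site-initiated, one-way paths: the remote side cannot open these.
    {"remote": "bes-control-center", "site": "plant-a", "direction": "outbound"},
    {"remote": "bes-control-center", "site": "plant-b", "direction": "outbound"},
    {"remote": "field-tech-21", "site": "substation-12", "direction": "inbound"},
]


def blast_radius(paths):
    """Distinct sites each remote endpoint can open a connection into.

    Only inbound paths count: an outbound-only (site-initiated) path gives the
    remote endpoint no way to reach into the control network on its own.
    """
    reach = defaultdict(set)
    for p in paths:
        if p["direction"] == "inbound":
            reach[p["remote"]].add(p["site"])
    return {remote: len(sites) for remote, sites in reach.items()}


def concentrated_endpoints(paths, threshold):
    """Remote endpoints whose inbound reach is at least `threshold` sites,
    largest reach first. These are the laptops and vendor centers whose
    compromise would expose many sites at once."""
    flagged = [(r, n) for r, n in blast_radius(paths).items() if n >= threshold]
    return sorted(flagged, key=lambda rn: (-rn[1], rn[0]))


def sites_with_inbound_paths(paths):
    """Sites that a remote endpoint can enter without site-side participation,
    with the endpoints that can do so."""
    entrants = defaultdict(set)
    for p in paths:
        if p["direction"] == "inbound":
            entrants[p["site"]].add(p["remote"])
    return {site: sorted(who) for site, who in entrants.items()}


def exposed_via_shared_remote(paths, compromised_site):
    """Sites one hop away from `compromised_site` through a shared remote endpoint.

    Models the "one layer of security" point: every remote endpoint with inbound
    access to the compromised site also holds inbound access to other sites, and
    those sites share that single layer with the compromised one.
    """
    remotes = {p["remote"] for p in paths
               if p["site"] == compromised_site and p["direction"] == "inbound"}
    exposed = {p["site"] for p in paths
               if p["remote"] in remotes and p["direction"] == "inbound"}
    exposed.discard(compromised_site)
    return sorted(exposed)


if __name__ == "__main__":
    for remote, n in concentrated_endpoints(ACCESS_PATHS, threshold=3):
        print(f"{remote}: can initiate connections into {n} sites")
    for site, who in sorted(sites_with_inbound_paths(ACCESS_PATHS).items()):
        print(f"{site}: inbound access from {', '.join(who)}")
    print("exposed with plant-a:", exposed_via_shared_remote(ACCESS_PATHS, "plant-a"))
```

Run against a real inventory, the useful outputs are the endpoints that appear at the top of the concentration list and the sites that still have any inbound path at all; converting a path from inbound to site-initiated removes it from both lists.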

Waterfall has formally submitted these comments in a prepared statement for the April 29 FERC Technical Conference. It is our hope that FERC and NERC will take a deeper look into the risks posed by central turbine monitoring and remote access systems, and will take the appropriate measures to mitigate these threats to the reliability of the BES.

Friday, January 17, 2014

Cyberwarfare is a bigger threat to U.S. than terrorism – now what?

Defense News released last week the results of a poll in which nearly half of the U.S. national security leaders who responded cited cyberwarfare as the most serious threat facing the country, ranking it higher than terrorism or China. The alarm bells have been ringing for some time now – the sound got louder last year, when President Obama issued an executive order to update the National Institute of Standards and Technology (NIST) cybersecurity framework. With this latest survey it seems that a consensus is starting to emerge that yes, cyberattacks are a real threat and something must be done to better secure the nation’s critical infrastructures. While it’s encouraging to see this issue finally getting the attention it deserves, the question still remains: “will anything be done about it?”

Unfortunately, it will probably take a large-scale attack for some utilities to get serious about improving security defenses. This is because many utilities base their risk models on the likelihood of an attack – and without a significant event to reference, the probability of future attack must be low, right? In fact, all it takes is one significant event to trigger the risk models, and no utility wants to become the new poster child for critical infrastructure cyberattacks – one that will be talked about and analyzed for years to come. While the first big attack will almost certainly light a fire underneath utilities, this isn’t something we can afford to wait for when power, or clean water, or clean air for millions of people are at risk.

There is progress to report. The North American Electric Reliability Corporation (NERC) recently updated its Critical Infrastructure Protection (CIP) standards to Version 5, which is a marked improvement over Versions 3 and 4. These standards will go a long way in bringing power grid security up to par by encouraging the adoption of new technologies that are stronger than firewalls.

Firewalls are no match for the advanced level of today’s cyber threats. It’s like going into battle using paper clips for armor. Years ago, a lot of us were confident that a firewall would block the vast majority of cyberattacks, whether we were right or not. Nowadays, firewall limitations are well-known in both white-hat and black-hat communities. The problem is that security practitioners in utilities often have trouble communicating this risk to the management teams who control security budgets. These teams often don’t understand just how poor their defenses are until someone shows them how easy it is to breach those defenses. Hiring a penetration tester is a good way to expose poor defenses, before our enemies do.
NERC has recognized the value of Unidirectional Security Gateways. What will it take to communicate the risk to other decision-makers? Sometimes what it takes is a security breach – malicious or benign – to change our thinking. Better a white-hat penetration-testing breach, than waiting to become a poster child for a black-hat cyberattack.

Friday, January 10, 2014

Strategic Defence Intelligence recognizes Waterfall Security’s achievements in protecting critical infrastructure

There’s a familiar name in the Strategic Defence Intelligence and Global Defence Technology Awards – Ones to Watch 2013: Waterfall Security. The awards recognize outstanding achievements in defense technology and innovation, validating Waterfall’s unidirectional security gateway technology as stronger than firewalls and underscoring the potential for protecting our nation’s critical infrastructure.

In its announcement of the shortlist of recipients, Strategic Defence Intelligence says that:

“Waterfall Security’s Unidirectional Security Gateway solutions offer effective protection for safety-critical and reliability-critical networks. Unlike competitors that specialise in military and government requirements only, Waterfall’s products cater extensively to the industrial space as well, important when you consider that some of the most sophisticated attacks emanate from outside conventional warfare.”

Highlighted in the assessment of Waterfall’s solutions is our Waterfall for Bulk Electric System (BES) Control Centers, protecting two-way communications via hardware-enforced Unidirectional Security Gateways replicating inter-control-center protocol (ICCP) communications endpoints in two directions.

Last year saw renewed focus on the vulnerability of our nation’s critical industrial infrastructures to cyberattacks. In February, President Barack Obama signed an executive order requiring the National Institute of Standards and Technology (NIST) to create a cybersecurity framework, a preliminary version of which was announced this past fall. (See our take on the framework here.) Perhaps the biggest news of 2013 was the Federal Energy Regulatory Commission (FERC) approval of the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Version 5 standards, replacing the ineffectual Version 4 and allowing utilities to move forward with strengthening security programs.

While there is still a lot of work to be done, we are optimistic that 2014 will see improvements made in securing the nation’s power grids and other critical industrial infrastructures. The more we talk, the more advanced our adversaries become. Firewalls are no match, and it’s time to take action to better secure our infrastructures.