Showing posts with label Paul Feldman.

Friday, January 22, 2016

Electric sector security leaders Paul Feldman and Dan Hill recommend unidirectional gateways

Paul Feldman, director of Midcontinent ISO, and Dan Hill, board member for the New York ISO, recently published “Cybersecurity: IT vs. OT, and the Pursuit of Best Practices” in the January 2016 edition of Electricity Policy. The article reviews the state of control system security in the power grid and makes recommendations to improve security. A central recommendation in the article is that “it’s time for transmission and distribution companies to install unidirectional gateways between their SCADA/OT networks and their business networks.” At Waterfall Security, we are steadfast in maintaining that increased use of unidirectional security gateways will measurably improve the security and the reliability of the Bulk Electric System. It is rewarding to see these experts agree.

In their article, Hill and Feldman review ongoing efforts by the Federal Energy Regulatory Commission (FERC) and the North American Electric Reliability Corporation (NERC) to have industry regulations reflect the current threat landscape. The authors point out that cybercriminal sophistication has outpaced the resulting regulations, and observe that:

“(A) special methodology to bridge IT and OT/ICS systems is now required in all nuclear plants,” the two authors wrote. “That methodology employs a hardware-based unidirectional gateway … to move data from the OT/ICS network to the IT/business network on a real-time basis.”

The article goes on to explain that using a unidirectional security gateway eliminates the threat of network attacks moving from an IT network into an industrial control system (ICS) network.

“Firewalls are also becoming more sophisticated and more complicated to manage,” the authors write. They continue, pointing out that “It’s an arms race between the firewall providers and attackers. Separate from the arms race, but related to whether the good guys or the bad guys can develop sophisticated software faster, there is also the bug issue. Firewalls are enabled by software, and software often contains bugs.” Firewalls are simply not adequate to deflect modern attacks on industrial control systems.

Hill and Feldman point out that adequate, modern ICS security is very different from doing the minimum to avoid a fine. Unidirectional security gateways eliminate the threat of remote-control and other network attacks from business networks and from the Internet. Eliminating these threats entirely is far more effective than continuing a cat-and-mouse battle with attackers.

Tuesday, October 27, 2015

Steering Away From IT Security’s “Gold Standard”

This post is authored by Paul Feldman, Chairman, Midwest ISO & Independent Director, WECC.

For the first decade of industrial control-system cybersecurity, IT security practices were held up as the gold standard for control system security. Yes, certain IT practices amounted to constant, aggressive change to “keep up with the bad guys,” such as constant updates to anti-virus signatures and security updates. While these practices were recognized as a poor fit for the engineering change control discipline fundamental to safety and reliability, IT experts kept telling us that if we could just somehow invent a way to apply standard IT security practices to control systems, then all would be well.

This expert consensus is shifting. The IT “gold standard” has been found inadequate to the needs of protecting control systems. How can this be? Well, let’s look at the “IT way.” IT security starts at the perimeter with a layer or three of firewalls between the open Internet and the corporate network. These firewalls are assumed to be porous; after all, they forward messages from the Internet into the corporate network, including millions of email messages each day for large organizations, and a comparable number of Web pages. Some of these messages contain attacks. Firewall vendors and security practitioners do what they can to filter out the attacks, but no filter is perfect. Some attacks get through.

Inside the network perimeter, what do we find? Software: countless computers running all manner of software, including security software. The problem is that all software has bugs and some bugs are security vulnerabilities. In practice then, all software can be hacked, even security software. For proof of this, we need look only as far as every security software vendor's website and count the security updates posted last month.

All of this is why the pinnacle of every modern, defense-in-depth, “gold-standard” IT security program is intrusion detection. We put “eyes on glass,” we pit “our experts against theirs,” we assume we have been compromised and we systematically hunt down the equipment our attackers have taken over. We isolate that equipment, erase it and restore it from a pre-compromise backup.

Control system security is different

How does this work for control system security? Firewalls at the control system perimeter are just as porous as firewalls at the corporate perimeter. Firewalls are routers after all, routers with filters. Firewalls forward messages from less-trusted networks into control-system networks, and the filters do what they can to separate “bad” messages from “good” messages. No filter is or can ever be perfect, though. From time to time, all control-system firewalls forward attacks into control-system networks.
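The distinction drawn here, and in the January 2016 post above that describes a hardware gateway moving data only from OT to IT, can be made concrete in code. The following is an added example, not code from the original posts or from Waterfall Security: the "firewall" is a bidirectional forwarder whose decision is a software filter over message content, and the "gateway" is a plain OS pipe in which the OT side holds only the write end and the IT side only the read end. The blocklist, the command strings and the historian reading are constructed toy values; the point is that the gateway model rejects inbound traffic because the kernel has no writable descriptor to offer the IT side, not because a filter judged the content.

```python
"""Added example (not from the original posts): a model of the firewall
vs. unidirectional-gateway distinction.

The firewall forwards in both directions and relies on a content filter.
The gateway is an OS pipe whose IT-side end is read-only, so the IT -> OT
direction is not filtered but structurally absent.  All messages are
constructed toy strings.
"""
import os
import re

# Constructed blocklist: the filter knows exactly one bad pattern.
BLOCKLIST = [re.compile(rb"SET_SETPOINT")]


def firewall_forward(message: bytes) -> bool:
    """True if the firewall model forwards `message` into the ICS network.

    Like any content filter, it forwards whatever it does not recognise
    as bad, so its protection is only as complete as its signature set.
    """
    return not any(pattern.search(message) for pattern in BLOCKLIST)


class OneWayLink:
    """Pipe-based stand-in for a hardware unidirectional gateway."""

    def __init__(self) -> None:
        # os.pipe() returns (read_fd, write_fd).  The OT side is only ever
        # given the write end and the IT side only the read end.
        self._it_read_fd, self._ot_write_fd = os.pipe()

    def ot_publish(self, reading: bytes) -> None:
        """OT side pushes a plant reading toward the business network."""
        os.write(self._ot_write_fd, reading + b"\n")

    def it_receive(self) -> bytes:
        """IT side reads whatever OT has published (blocks if nothing yet)."""
        return os.read(self._it_read_fd, 4096)

    def it_send_to_ot(self, message: bytes) -> bool:
        """IT side attempts an inbound send; True only if it is delivered.

        The IT side's only descriptor is the read end, so the write fails
        with EBADF regardless of message content.
        """
        try:
            os.write(self._it_read_fd, message)
        except OSError:
            return False
        return True

    def close(self) -> None:
        os.close(self._it_read_fd)
        os.close(self._ot_write_fd)


def compare(inbound: bytes) -> dict:
    """Run one inbound (IT -> OT) message against both designs.

    Also checks that the gateway still delivers OT data outward, which is
    the traffic the one-way replication exists to carry.
    """
    link = OneWayLink()
    link.ot_publish(b"pump1 flow=42.0")  # constructed historian reading
    try:
        return {
            "firewall_forwards": firewall_forward(inbound),
            "gateway_forwards": link.it_send_to_ot(inbound),
            "gateway_delivers_ot_data": link.it_receive().startswith(b"pump1"),
        }
    finally:
        link.close()


if __name__ == "__main__":
    # Known-bad command: both designs stop it.
    print(compare(b"SET_SETPOINT pump1 0"))
    # Command the filter has no signature for: only the gateway stops it.
    print(compare(b"WRITE_COIL pump1 0"))
```

Run as a script, the first call shows both designs blocking the command the filter knows about; the second shows the firewall forwarding an unlisted command while the gateway still returns `False`, because there is no write path for it to forward on. That is the asymmetry the post is describing: a filter's failure mode is an incomplete or buggy decision, whereas the gateway has no decision to get wrong in the inbound direction.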

Inside every control system network, we find just as much software as we find in corporate networks. Control systems generally have a little less security software deployed than do IT systems, and they are generally a little more out of date than are IT systems. This means that just like IT systems, control-system software can be hacked; the interior of control system networks is generally an even softer target than the interior of IT networks. At first glance then, all the preconditions seem identical, and so intrusion detection systems seem just as essential to ICS networks as to IT networks.

The problem with intrusion detection is that it takes time. In June of 2015, Tripwire published survey results of 400 critical infrastructure executives and IT professionals: 86 percent of the respondents were confident that they could detect compromised equipment on their control-system networks within a week of the compromise. Other studies suggest this confidence is misplaced. A 2014 Ponemon study showed that the average time from infection to detection was 170 days, and a 2014 Verizon study showed that the average time from infection to remediation was 200 days.

Whether the time to detect and remediate compromised equipment is a month, or a week, or an hour is immaterial. For all of that time, however long it is, a remote attacker has control of equipment on our reliability-critical and safety-critical control-system networks. Control system practitioners always regard such unauthorized operation of their equipment as an unacceptable risk. The IT “gold standard” has failed control-system security practitioners. Control-system security must be based on a much more thorough foundation of attack protection than is possible on IT networks.

Revising control-system security standards

Control-system security standards are being revised and updated all over the world, and are evolving away from this IT approach to security. For example, France's 2014 ANSSI regulations for control-system security identify three types of control-system networks, depending on the societal impact of the networks. Class 1 networks are expendable; society suffers minimally when such a network is compromised. Class 2 networks are important to society, and the compromise of class 3 networks has serious consequences. For class 2 networks, ANSSI states that connections to less-trusted networks “should be unidirectional” toward the less-trusted system. For class 3 networks, “The interconnection of a class 3 ICS with an ICS of a lower class shall be unidirectional towards the latter.” The recently updated NIST 800-82r2, NERC CIP V5 and V6 standards, and IEC 62443-3-3 all position unidirectional gateways within control-system defense-in-depth programs, as well.

To be fair, many elements of the IT gold standard are still applicable to control system security; it is the emphasis that is shifting. The top priorities on control system networks are not availability or integrity after all, but safety and reliability.

The ANSSI classification is instructive. The control networks most important to society must be protected unidirectionally, but there are no such demands of networks French society considers expendable. Few businesses operating large industrial sites, though, will regard their industrial operations as expendable to the business, however expendable society may deem those operations.

With this new understanding of control-system security being codified in updated standards and advice, we all need to start asking, “Which of our operations are expendable enough to be protected by firewalls?”