Tuesday, October 27, 2015

Steering Away From IT Security’s “Gold Standard”

This post is authored by Paul Feldman, Chairman, Midwest ISO & Independent Director, WECC.

For the first decade of industrial control-system cybersecurity, IT security practices were held up as the gold standard for control system security. Yes, certain IT practices amounted to constant, aggressive change to “keep up with the bad guys,” such as constant updates to anti-virus signatures and security updates. While these practices were recognized as a poor fit for the engineering change control discipline fundamental to safety and reliability, IT experts kept telling us that if we could just somehow invent a way to apply standard IT security practices to control systems, then all would be well.

This expert consensus is shifting. The IT “gold standard” has been found inadequate to the needs of protecting control systems. How can this be? Well, let’s look at what the “IT way” is. IT security starts at the perimeter with a layer or three of firewalls between the open Internet and the corporate network. These firewalls are assumed to be porous; after all, they forward messages from the Internet into the corporate network, including millions of email messages each day for large organizations, and a comparable number of Web pages. Some of these messages contain attacks. Firewall vendors and security practitioners do what they can to filter out the attacks, but no filter is perfect. Some attacks get through.

Inside the network perimeter, what do we find? Software: countless computers running all manner of software, including security software. The problem is that all software has bugs and some bugs are security vulnerabilities. In practice then, all software can be hacked, even security software. For proof of this, we need look only as far as every security software vendor's website and count the security updates posted last month.

All of this is why the pinnacle of every modern, defense-in-depth, “gold-standard” IT security program is intrusion detection. We put “eyes on glass,” we pit “our experts against theirs,” we assume we have been compromised and we systematically hunt down the equipment our attackers have taken over. We isolate that equipment, erase it and restore it from a pre-compromise backup.

Control system security is different

How does this work for control system security? Firewalls at the control system perimeter are just as porous as firewalls at the corporate perimeter. Firewalls are routers after all, routers with filters. Firewalls forward messages from less-trusted networks into control-system networks, and the filters do what they can to separate “bad” messages from “good” messages. No filter is or can ever be perfect, though. From time to time, all control-system firewalls forward attacks into control-system networks.

Inside every control system network, we find just as much software as we find in corporate networks. Control systems generally have a little less security software deployed than do IT systems, and they are generally a little more out of date than are IT systems. This means that just like IT systems, control-system software can be hacked; the interior of control system networks is generally an even softer target than the interior of IT networks. At first glance then, all the preconditions seem identical, and so intrusion detection systems seem just as essential to ICS networks as to IT networks.

The problem with intrusion detection is that it takes time. In June of 2015, Tripwire published survey results of 400 critical infrastructure executives and IT professionals: 86 percent of the respondents were confident that they could detect compromised equipment on their control-system networks within a week of the compromise. Other studies suggest this confidence is misplaced. A 2014 Ponemon study showed that the average time from infection to detection was 170 days, and a 2014 Verizon study showed that the average time from infection to remediation was 200 days.

Whether the time to detect and remediate compromised equipment is a month, or a week, or an hour is immaterial. For all of that time, however long it is, a remote attacker has control of equipment on our reliability-critical and safety-critical control-system networks. Control system practitioners always regard such unauthorized operation of their equipment as an unacceptable risk. The IT “gold standard” has failed control-system security practitioners. Control-system security must be based on a much more thorough foundation of attack protection than is possible on IT networks.

Revising control-system security standards

Control-system security standards are being revised and updated all over the world, and are evolving away from this IT approach to security. For example, France's 2014 ANSSI regulations for control-system security identify three types of control-system networks, depending on the societal impact of the networks. Class 1 networks are expendable; society suffers minimally when such a network is compromised. Class 2 networks are important to society, and the compromise of class 3 networks has serious consequences. For class 2 networks, ANSSI states that connections to less-trusted networks “should be unidirectional” toward the less-trusted system. For class 3 networks, “The interconnection of a class 3 ICS with an ICS of a lower class shall be unidirectional towards the latter.” The recently-updated NIST 800-82r2, NERC CIP V5 and V6 standards, and IEC 62443-3-3 all position unidirectional gateways within control-system defense-in-depth programs, as well.

To be fair, many elements of the IT gold standard are still applicable to control system security; it is the emphasis that is shifting. The top priorities on control system networks are not availability or integrity after all, but safety and reliability.

The ANSSI classification is instructive. The control networks most important to society must be protected unidirectionally, but there are no such demands of networks French society considers expendable. Few businesses operating large industrial sites, though, will regard their industrial operations as expendable to the business, however expendable society may deem those operations.

With this new understanding of control-system security being codified in updated standards and advice, we all need to start asking, “Which of our operations are expendable enough to be protected by firewalls?”

Tuesday, October 13, 2015

September news roundup: Exploring the threats to critical infrastructure

September was marked by ongoing exploration and discussion of the very real threats to U.S. critical infrastructure. From successful cyberattacks against U.S. Department of Energy computer systems to a malicious phishing scheme targeting IT workers at critical infrastructure companies, these are the industrial security stories that captured our attention.

U.S. Critical Infrastructure under Cyberattack (Network World, Sept. 29, 2015)
Recent research from ESG reveals that 68 percent of U.S. critical infrastructure organizations have experienced one or several security incidents within the past two years. And 67 percent believe the threat landscape is more dangerous and getting worse than it was two years ago, leading some experts to predict a “cyber Pearl Harbor” in our future.

Cyber Risk Isn’t Always in the Computer (Wall Street Journal, Sept. 24, 2015)
When people think about industrial control systems, they don’t often consider equipment such as backup generators, thermostats and air conditioners, but they should. These components support data-center networks, and due to decades-old technology and communication standards, they are vulnerable to cyberattacks that could take down an entire operation.

The power grid faces a host of threats, according to witnesses speaking to the House Committee on Science, Space and Technology’s oversight and energy subcommittees. Ranging from natural to physical to cyber, threats to the grid could result in a catastrophic outage, and this possibility should encourage the industry to address vulnerabilities with all possible haste.

Serving a harsh wake-up call to critical infrastructure companies everywhere, USA Today learned there were 159 cyberattacks that compromised U.S. Department of Energy (DOE) computer systems from 2010 to 2014. Records show that DOE components reported 1,131 total cyberattacks in a 48-month period ending in October 2014, demonstrating a consistent and alarming onslaught of attacks, as well as numerous security vulnerabilities within the department’s cyber defense strategies.

The Department of Homeland Security Industrial Control Systems Cyber Emergency Response Team reported the use of a malicious phishing scheme targeting IT workers at critical infrastructure companies. Considered the first stage of a cyberattack, phishing emails are intended to target a critical infrastructure operator’s business network, and from there, its control systems.

For more cybersecurity news, check out last month’s news roundup.

Thursday, September 24, 2015

Security Nugget: Air Compressors Help Secure Generators

At large generators, per-unit air compressors and Unidirectional Gateways are reducing risk and reducing compliance costs.

The latest CIP V5 transition guidance explains how to assess the impact of segmented networks. Large generating sites are duplicating site-wide resources, such as pneumatic air compressors and control systems, for every generating unit. NERC CIP V5 states that if there is a strong security perimeter around each control system segment, and no segment can influence more than 1500 MW of generation, then the site has no Medium Impact cyber systems. This is a significant incentive; Low Impact systems cost much less to administer than Medium Impact systems.

Done properly, increased redundancy and segmentation can dramatically reduce compliance costs and the cost of risks. The right way to segment generating networks is with Unidirectional Security Gateways. Per-unit physical redundancy and per-unit network segmentation with Unidirectional Gateways turns one large, valuable target into many smaller, much harder targets. Unidirectional segmentation eliminates the single biggest risk to generating networks: the risk of remote attacks reaching through firewalls into control system networks. It does not matter how mundane or how sophisticated the attack is, and it does not matter whether the attack comes from corporate insiders or the Internet: Unidirectional Security Gateways physically prevent all messages from external networks that may put a control network at risk.
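To make the segmentation rule concrete, here is an added example (my own illustration, not code from the post, from Waterfall or from NERC) that models a constructed four-unit site and reports which influence domains cross the 1500 MW line. The idea that a cyber system influences every unit served by a resource it controls, and that segments without a strong perimeter merge into one domain, is an assumption of this model, not NERC's definition.

```python
# Added example, not from the post or from NERC: a simplified model of the
# CIP V5 segmentation assessment described in the post. Assumption (constructed):
# a cyber system can influence every generating unit served by a resource its
# segment controls, and segments without a strong perimeter merge into one
# influence domain, since a compromise in one can reach the others.

MEDIUM_IMPACT_MW = 1500  # threshold quoted in the post

# Constructed site: four 600 MW units, 2400 MW in total.
UNITS = {"U1": 600, "U2": 600, "U3": 600, "U4": 600}

# Before: one site-wide air compressor and one control system serve every unit.
SITE_WIDE = [{
    "name": "site", "strong_perimeter": True,
    "resources": [{"kind": "air_compressor", "serves": list(UNITS)},
                  {"kind": "control_system", "serves": list(UNITS)}],
}]

def per_unit_segments(strong=tuple(UNITS)):
    """After: each unit gets its own compressor, control system and segment.
    `strong` names the units whose perimeter is a Unidirectional Gateway;
    the rest are assumed to sit behind an ordinary firewall."""
    return [{
        "name": u, "strong_perimeter": u in strong,
        "resources": [{"kind": "air_compressor", "serves": [u]},
                      {"kind": "control_system", "serves": [u]}],
    } for u in UNITS]

def influence_domains(segments):
    """A strongly perimetered segment is its own domain; all weakly
    perimetered segments collapse into one shared domain."""
    domains = [[s] for s in segments if s["strong_perimeter"]]
    weak = [s for s in segments if not s["strong_perimeter"]]
    if weak:
        domains.append(weak)
    return domains

def assess_site(units, segments):
    """Map each influence domain to (MW it can influence, impact rating)."""
    result = {}
    for domain in influence_domains(segments):
        reachable = set()
        for seg in domain:
            for res in seg["resources"]:
                reachable.update(res["serves"])
        mw = sum(units[u] for u in reachable)
        name = "+".join(seg["name"] for seg in domain)
        result[name] = (mw, "Medium" if mw > MEDIUM_IMPACT_MW else "Low")
    return result

if __name__ == "__main__":
    print(assess_site(UNITS, SITE_WIDE))                          # site: 2400 MW, Medium
    print(assess_site(UNITS, per_unit_segments()))                # 4 x 600 MW, Low
    print(assess_site(UNITS, per_unit_segments(strong=("U1",))))  # U2+U3+U4: 1800 MW, Medium
```

The third call shows the point the post makes about perimeters: per-unit duplication alone does not help if three of the unit segments still sit behind ordinary firewalls, because together they influence 1800 MW.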

The bottom line: CIP-compliant segmentation substantially reduces compliance costs. Per-unit Unidirectional Security Gateways substantially reduce risks and costs. Investing a tiny fraction of compliance cost savings into risk reduction with Unidirectional Security Gateways is just good business.

Friday, September 18, 2015

August news roundup: Debunking myths and unveiling threats to critical infrastructure

As the summer enjoyed its last hurrah, industrial cybersecurity became a hot topic in the news. In August, we saw the U.S. Department of Homeland Security working to increase security measures with a new committee, and the National Institute of Standards and Technology put out a new proposal to improve international standards in cyberspace. Underlying these developments are the ever-present myths and real threats against our critical infrastructure. For details on these stories and more, check out our monthly snapshot of important industrial cybersecurity news below.

Despite widespread concern about cyberattacks on industrial control systems, IT security models continue to use outdated methods of cybersecurity based on several unfortunate myths. The belief that firewalls provide adequate protection of our critical infrastructure is one myth that persists despite proof to the contrary. The fact is, firewalls offer some protection, but not enough to protect our irreplaceable power grids or the many lives that could be affected by an industrial cyberattack.

The U.S. power grid is long overdue for a cyberattack, according to Forbes contributor and CEO of think tank Lexington Institute, Loren Thompson. The security community has noticed an increase in the number of attacks on industrial control systems used to operate the power grid, a majority of which were cyber-related. Thompson noted several reasons for this increase including the grid’s numerous vulnerabilities, consistent oversights in its regulatory structure and a lack of financial incentives to encourage security investments in the industry.

The U.S. Department of Homeland Security is creating a new committee to boost digital defenses for the industrial sector. The reason behind this decision is the increasing risk of cyberattacks to critical infrastructure sites, especially as electric grids are getting smarter. Homeland Security Secretary Jeh Johnson called for the panel to identify how well the department’s “lifeline sectors” are prepared to deal with threats and recover from a cyberattack. The committee is also tasked with providing recommendations for a more unified approach to state and local cybersecurity.

A Critical Time for Critical Infrastructure (Light Reading, Aug. 13, 2015)
According to a recent Intel Security and Aspen Homeland Security Program report, operators of critical infrastructure are over-confident in their ability to defend against attacks and misunderstand the scale of the current threat environment. In North America, this reality is one of the forces behind the North American Electric Reliability Corporation's (NERC) Critical Infrastructure Protection (CIP) requirements. NERC CIP Version 5 calls for utilities of all sizes to meet new cyber security protection requirements and has a compliance deadline of April 2016.

The National Institute of Standards and Technology recently drafted a new proposal, which includes four broad objectives for the government’s pursuit of international standards in cyberspace: improve national and economic security, ensure standards are technically sound, support standards that promote international trade, and develop standards in tandem with industry to boost innovation. If fully implemented, NIST declares the guidance will “enable a comprehensive United States cybersecurity standardization strategy.”

Interested in reading more cybersecurity news? Check out last month’s news roundup.

Wednesday, September 9, 2015

Unidirectional protections for electric generation (A white paper)

Waterfall Security Solutions released a new white paper describing how Unidirectional Security Gateways and related products are used in power generation applications. The white paper documents the big picture of how, where and why Waterfall’s customers are using the company’s products to protect generating networks. To my knowledge, this is the first time a comprehensive network architecture or use case for unidirectional protections of generating networks has been documented.

The various icons in the diagram depict either unidirectional security gateways, inbound/outbound gateways, the Waterfall FLIP or Waterfall’s Application Data Control add-on. Waterfall customers generally deploy this architecture because they have decided that the risk of an online attack from the corporate network or the Internet that could affect control systems, safety systems or protection systems is unacceptable. To address these risks, customers generally use unidirectional security gateways and related products to replace one layer of firewalls in their layered, defense-in-depth network architectures. With this layer in place, the chain of infection from the Internet and through corporate networks is broken.

Most customers deploy the layer of unidirectional protections at their plants’ IT/OT interfaces, separating plant networks or unit networks from their corporate networks. The remaining customers generally deploy the unidirectional layer to protect safety-instrumented systems and networks of protective relays from plant and control networks.

In either case, the layer of unidirectional protections separates the most important plant systems from remote attackers. This results in dramatic reductions in cyber risk and the associated cost of risk. NERC CIP and other compliance programs are also very much simplified and reduced in cost, because the strong security of unidirectional protections means far fewer compensating measures need to be deployed to reach security targets, and the NERC CIP and other standards increasingly recognize this. In addition, unidirectional gateways and related technologies deployed at the IT/OT connection require far less labor to maintain and monitor than do porous firewalls.

An ever-increasing number of customers are recognizing the benefits of unidirectional security gateways and related unidirectional protective technologies in power plants. Standards authorities agree. Power plants are, after all, not expendable, either to electric utilities or to society at large.

For more information about how unidirectional security gateways reduce threats to critical infrastructure, and to download a copy of the new white paper, check out our resources page.