This post is authored by Paul Feldman, Chairman, Midwest ISO
& Independent Director, WECC.
For the first decade of industrial control-system
cybersecurity, IT security practices were held up as the gold standard for
control system security. Yes, certain IT practices amounted to constant,
aggressive change to “keep up with the bad guys,” such as continual updates to
anti-virus signatures and frequent security patches. While these practices were
recognized as a poor fit for the engineering change control discipline
fundamental to safety and reliability, IT experts kept telling us that if we
could just somehow invent a way to apply standard IT security practices
to control systems, then all would be well.
This expert consensus is shifting. The IT “gold standard”
has been found inadequate to the needs of protecting control systems. How can
this be? Well, let’s look at the “IT way.” IT security starts at the
perimeter with a layer or three of firewalls between the open Internet and the
corporate network. These firewalls are assumed to be porous; after all, they
forward messages from the Internet into the corporate network, including
millions of email messages each day for large organizations, and a comparable
number of Web pages. Some of these messages contain attacks. Firewall vendors
and security practitioners do what they can to filter out the attacks, but no
filter is perfect. Some attacks get through.
Inside the network perimeter, what do we find? Software:
countless computers running all manner of software, including security
software. The problem is that all software has bugs and some bugs are security
vulnerabilities. In practice then, all software can be hacked, even security
software. For proof of this, we need look only as far as every security
software vendor's website and count the security updates posted last month.
All of this is why the pinnacle of every modern,
defense-in-depth, “gold-standard” IT security program is intrusion detection.
We put “eyes on glass,” we pit “our experts against theirs,” we assume we have
been compromised and we systematically hunt down the equipment our attackers
have taken over. We isolate that equipment, erase it and restore it from a
pre-compromise backup.
Control system security is different
How does this work for control system security? Firewalls at
the control system perimeter are just as porous as firewalls at the corporate
perimeter. Firewalls are routers after all, routers with filters. Firewalls
forward messages from less-trusted networks into control-system networks, and
the filters do what they can to separate “bad” messages from “good” messages.
No filter is or can ever be perfect, though. From time to time, all
control-system firewalls forward attacks into control-system networks.
Inside every control system network, we find just as much
software as we find in corporate networks. Control systems generally have a
little less security software deployed than do IT systems, and they are
generally a little more out of date than are IT systems. This means that just
like IT systems, control-system software can be hacked; the interior of control
system networks is generally an even softer target than the interior of IT
networks. At first glance then, all the preconditions seem identical, and so
intrusion detection systems seem just as essential to ICS networks as to IT
networks.
The problem with intrusion detection is that it takes time.
In June of 2015, Tripwire published survey results of 400 critical
infrastructure executives and IT professionals: 86 percent of the respondents
were confident that they could detect compromised equipment on their
control-system networks within a week of the compromise. Other studies suggest
this confidence is misplaced. A 2014 Ponemon study showed that the average time
from infection to detection was 170 days, and a 2014 Verizon study showed that
the average time from infection to remediation was 200 days.
Whether the time to detect and remediate compromised
equipment is a month, or a week, or an hour is immaterial. For all of that
time, however long it is, a remote attacker has control of equipment on our
reliability-critical and safety-critical control-system networks. Control
system practitioners always regard such unauthorized operation of their
equipment as an unacceptable risk. The IT “gold standard” has failed
control-system security practitioners. Control-system security must be based on
a much more thorough foundation of attack protection than is possible on IT
networks.
Revising control-system security standards
Control-system security standards are being revised and
updated all over the world, and are evolving away from this IT approach to
security. For example, France's 2014 ANSSI regulations for control-system
security identify three types of control-system networks, depending on the
societal impact of the networks. Class 1 networks are expendable; society
suffers minimally when such a network is compromised. Class 2 networks are
important to society, and the compromise of class 3 networks has serious
consequences. For class 2 networks, ANSSI states that connections to
less-trusted networks “should be unidirectional” toward the less-trusted system. For
class 3 networks, “The interconnection of a class 3 ICS with an ICS of a lower
class shall be unidirectional towards the latter.” The recently-updated NIST
800-82r2, NERC CIP V5 and V6 standards, and IEC 62443-3-3 all position
unidirectional gateways within control-system defense-in-depth programs, as
well.
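As an added example (not part of the original post), here is a small Python check that applies the two ANSSI interconnection rules quoted above to a constructed site topology: class 3 links to a lower class shall be one-way toward the lower class, class 2 links should be. The network names, the Link model and the class assignments are assumptions for illustration.

```python
# Added example, not from the original post. Applies the ANSSI interconnection
# rules quoted in the text; the Link model and network names are assumed.
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Link:
    src: str             # network the data flows FROM
    dst: str             # network the data flows TO
    bidirectional: bool  # True for an ordinary routed/firewalled connection


def check_interconnections(classes: dict[str, int], links: list[Link]) -> list[str]:
    """Return one finding per link that breaks (SHALL) or falls short of (SHOULD)
    the ANSSI rules. Same-class links and class 1 links are not constrained by
    the quoted text, so nothing is reported for them."""
    findings = []
    for link in links:
        c_src, c_dst = classes[link.src], classes[link.dst]
        if c_src == c_dst:
            continue
        # Identify the higher-class (more critical) and lower-class side.
        high, low = (link.src, link.dst) if c_src > c_dst else (link.dst, link.src)
        high_cls = classes[high]
        level = "SHALL" if high_cls == 3 else "SHOULD" if high_cls == 2 else None
        if level is None:
            continue  # class 1 networks are expendable; no rule quoted
        if link.bidirectional:
            findings.append(f"{level}: {high} (class {high_cls}) <-> {low} "
                            f"(class {classes[low]}) is bidirectional; "
                            f"must be one-way toward {low}")
        elif link.src == low:
            findings.append(f"{level}: one-way link flows from {low} INTO {high} "
                            f"(class {high_cls}); direction must be toward {low}")
    return findings


# Constructed sample topology (not a real site): class per network, then links.
SAMPLE_CLASSES = {"corp-it": 1, "plant-historian": 2, "safety-plc": 3}
SAMPLE_LINKS = [
    Link("safety-plc", "plant-historian", bidirectional=False),  # compliant
    Link("plant-historian", "corp-it", bidirectional=True),      # SHOULD finding
    Link("corp-it", "safety-plc", bidirectional=False),          # SHALL: wrong way
]

if __name__ == "__main__":
    for finding in check_interconnections(SAMPLE_CLASSES, SAMPLE_LINKS):
        print(finding)
```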
To be fair, many elements of the IT gold standard are still
applicable to control system security; it is the emphasis that is shifting. The
top priorities on control system networks are not availability or integrity
after all, but safety and reliability.
The ANSSI classification is instructive. The control
networks most important to society must be protected unidirectionally, but
there are no such demands of networks French society considers expendable. Few
businesses operating large industrial sites, though, will regard their
industrial operations as expendable to the business, however expendable society
may deem those operations.
With this new understanding of control-system security being
codified in updated standards and advice, we all need to start asking, “Which
of our operations are expendable enough to be protected by firewalls?”