DHS report recommends unidirectional communications for ICS protection

Three of the seven strategies in the December 2015 report from the DHS NCCIC/ICS-CERT, “Seven Strategies To Secure Industrial Control Systems,” recommend unidirectional gateways for maximum protection from cyberattacks.  

The report points to an increase in the frequency and complexity of cyber incidents. ICS-CERT received reports of 295 incidents in 2015, although it is believed that many more went unreported or undetected. Increasingly capable cyber adversaries who can, and have, defeated traditional IT-centric security protections perpetrate these attacks.

To mitigate this growing threat, the DHS encourages us to deploy technology to prevent these increasingly sophisticated attacks.

Seven Strategies to Defend ICSs

1. Implement Application Whitelisting (AWL) – When antivirus and malware detection tools fail, AWL can prevent execution of most malware.
2. Ensure proper configuration/patch management – Unpatched systems are low-hanging fruit for attackers. What the report does not point out is that patching is costly, and does little to deter sophisticated attackers, because of the large number of ICS zero-days waiting to be discovered. The report does point out that unpatched laptops connecting to ICS networks are a major infection vector. I agree with this latter point – any laptop or other equipment that is ever connected directly or indirectly to the Internet must be regarded as eventually compromised.
3. Reduce your attack surface – The report points out that real-time connectivity between ICS networks and less-trusted networks is best achieved using hardware-enforced unidirectional communication, such as Unidirectional Security Gateways.
4. Build a defendable network – Network segmentation can limit the damage from an intrusion and reduce cleanup costs by limiting how far the compromise can spread through the ICS network. Again, the report points out that the best design for transferring real-time data is unidirectional gateways.
5. Manage authentication – Adversaries increasingly focus on stolen credentials, especially for highly privileged accounts. Among other things, the report recommends employing separate credentials for corporate networks and industrial control system networks. I disagree. I think the report would have been more effective recommending much stronger perimeter protections to lock remote adversaries out entirely, even those with every password to every ICS computer in the building.
6. Implement secure remote access – The report recommends surveying and systematically removing vendors’ and other back doors that appear in the form of modems, DSL lines and other undisciplined connections to outside networks. The report also recommends unidirectional gateways to enforce “monitoring-only” access, such as Waterfall’s Remote Screen View product provides. The DHS cautions against reliance on “read-only” access enforced by software configurations; no such software provisions can be as safe or reliable as the hardware-enforced monitoring-only access of Unidirectional Security Gateways.
7. Monitor and respond – As always, the DHS recommends practiced intrusion monitoring, incident response, and system recovery capabilities.

 

The DHS cites the much-publicized and analyzed “Black Energy” malware as an example relating to direct or indirect Internet connectivity. Black Energy relies on a connection to a command and control center on the Internet. The malware uses this connection to receive instructions, download additional software – such as the “DiskWiper” cited in the Ukrainian intrusions – and report intelligence gathered about the layout of the ICS for use in future, more specific attacks.

The example could have been applied much more widely in the report. In particular, with Unidirectional Security Gateways as the sole connection between an ICS network and any external network, Black Energy’s connection to a command and control center is impossible. The gateways send information where they are configured to send it, not to random IP addresses on the Internet, or on the corporate network. In addition, the gateways, of course, permit no software downloads, remote control, or other instructions from a command and control center back into the protected network.

The report is short, and is very much worth reading.

To learn more about unidirectional security gateway technology and how it works to protect ICS networks, visit www.waterfall-security.com.

Electric sector security leaders Paul Feldman and Dan Hill recommend unidirectional gateways

Paul Feldman, director of Midcontinent ISO, and Dan Hill, board member for the New York ISO, recently published “Cybersecurity: IT vs. OT, and the Pursuit of Best Practices” in the January 2016 edition of Electricity Policy. The article reviews the state of control system security in the power grid and makes recommendations to improve security. A central recommendation in the article is that “it’s time for transmission and distribution companies to install unidirectional gateways between their SCADA/OT networks and their business networks.” At Waterfall Security, we are steadfast in maintaining that increased use of unidirectional security gateways will measurably improve the security and the reliability of the Bulk Electric System. It is rewarding to see these experts agree.

In their article, Hill and Feldman review ongoing efforts by the Federal Energy Regulatory Commission (FERC) and the North American Electric Reliability Corporation (NERC) to have industry regulations reflect the current threat landscape.  The authors point out that cybercriminal sophistication has outpaced the resulting regulations, and observe that:

“(A) special methodology to bridge IT and OT/ICS systems is now required in all nuclear plants,” the two authors wrote. “That methodology employs a hardware-based unidirectional gateway … to move data from the OT/ICS network to the IT/business network on a real-time basis.”

The article goes on to explain that using a unidirectional security gateway eliminates the threat of network attacks moving from an IT network into an industrial control system (ICS) network.

“Firewalls are also becoming more sophisticated and more complicated to manage,” the authors write. They continue, pointing out that “It’s an arms race between the firewall providers and attackers. Separate from the arms race, but related to whether the good guys or the bad guys can develop sophisticated software faster, there is also the bug issue. Firewalls are enabled by software, and software often contains bugs.” Firewalls are simply not adequate to deflect modern attacks on industrial control systems.

Hill and Feldman point out that adequate, modern ICS security is very different from doing the minimum to avoid a fine.  Unidirectional security gateways eliminate the threat of remote-control and other network attacks from business networks and from the Internet. Eliminating these threats entirely is far more effective than continuing a cat-and-mouse battle with attackers.

December news roundup: Aging infrastructure and foreign hackers mark the end of 2015

December’s cybersecurity news further illustrated the reality that foreign state hackers are targeting U.S. critical infrastructure. Of greater concern is the fact that much of our infrastructure security is inadequate to protect against a targeted attack. With outdated security and the growing adoption of the Industrial Internet of Things (IIoT), power grids, dams and other critical infrastructure are at increased risk of a successful network intrusion. Will recent legislation provide the protections needed to improve cybersecurity for critical infrastructure, or is it too little, too late? Read on to learn more about the news and events that capped 2015 and set the tone for the New Year.

Cyber protection a priority for GPS (The Hill, Dec. 4, 2015)

To most, GPS is a useful technology that helps us navigate unfamiliar roads, but GPS has become the backbone of our virtual infrastructure. It is widely used in military operations and controls and provides critical timing functions to ensure control over our power infrastructure. And, according to USAF Col. Brian Searcy (ret.), our global positioning system is a prime target for cybercriminals or nation state adversaries.

House unanimously passes bill boosting resources to fight cybercrime (The Hill, Dec. 10, 2015)

The House unanimously passed a bill to provide state and local governments with federal resources to fight cybercrime. The bill would direct the Department of Homeland Security’s (DHS) cyber hub — known as the National Cybersecurity and Communications Integration Center (NCCIC) — to provide state and local governments with technical training and strategic guidance to help bolster their cyber defenses. The bill is now awaiting a vote in the Senate.

Amit Yoran’s predictions for 2016 (RSA, Dec. 11, 2015)

RSA president, Amit Yoran, shared his insights and outlook for the security landscape in 2016. Of note, Yoran believes a critical breach of an ICS network is increasingly likely to occur in 2016. As we at Waterfall have cautioned for years, many ICS security systems are inadequate to prevent against targeted cyberattacks. And now as IIoT, remote access and automated workflows gain adoption within these critical networks, they are growing increasingly vulnerable to outside attacks. And, as Yoran notes, the potential impact of bringing down a power facility or water treatment plant is an attractive proposition for those who wish to do us harm.

AP Investigation: US power grid vulnerable to foreign hacks (Dec.21, 2015)

The results of a year-long investigation by the Associated Press, underscore the very real concerns security experts have been warning about for years: foreign hackers are targeting U.S. critical infrastructures, with some success. According to the AP report, about a dozen times in the last decade, sophisticated foreign hackers have gained enough remote access to control power grid operations networks.

Former official: Iranians hacked into New York dam (CNN, Dec. 22, 2015)

According to a former official the hack of Bowman Avenue Dam near Rye Brook, New York in 2013, was a test by Iranian hackers who managed to get control of the dam’s floodgates. News of the attack highlights a growing concern among security experts about the susceptibility of infrastructure operated by outdated or retrofit technology. Until owners of critical infrastructure commit to upgrading their security posture, they will remain vulnerable to these foreign state hacker groups.

From our perspective, any legislation that moves cybersecurity preparedness forward for all industrial control networks is a good thing, but its success depends on complete support from the private sector, including privately owned critical infrastructure. Thus far, the response on the part of many executives has the cybersecurity experts at Waterfall concerned, particularly given the recent evidence that current IT-based security has been repeatedly compromised. At Waterfall, we remain dedicated to educating the market on these vulnerabilities and the dire need for hardware enforced unidirectional gateways.

To learn more about the risks facing industrial control security networks, visit our resources page.