New Approach to Secure Networks
Wednesday, September 7, 2016 @ 11:09 AM gHale
By Katherine Brocklehurst
It’s not a surprise ensuring the reliability and availability of control systems is the number one business driver for securing industrial automation systems.
That idea received confirmation in the SANS 2016 State of ICS Security Survey. Other top reasons for wanting to improve security include lowering risk, ensuring employee safety, meeting regulatory compliance and preventing damage to systems.
Combine these concerns with the fact 67 percent of SANS Survey respondents perceived a severe or high level of threats to control systems, which was up from 43 percent in 2015, and it’s clear that effective industrial security programs are needed. The next challenge is how?
To help address the “how” our company has recently introduced a new approach to industrial cybersecurity that divides security measures down into three areas: Securing the network, securing the endpoints and securing the controllers.
Similar to government standards such as NIST and notable best-practices approaches such as the SANS Top 20, you don’t have to approach the three areas in the 1-2-3 order. Instead, start your focus in the area that aligns with the highest risk to your systems and fits with where your organization is in its security journey.
This article is going to examine the whys and hows of “Securing Industrial Networks.”
Good Network Design
The top industrial security threats that worry plant engineers and IT professionals are attacks from external sources such as hackers, hacktivists and nation states, and, on the other hand, unintentional internal cyber incidents that disrupt systems. Both of these are likely to involve network communications. Examples are:
• Penetrating a network boundary and using a network or industrial protocol to transmit malware to an endpoint
• Connecting a contractor laptop or employee mobile device to the industrial network and introducing malware that then travels to other devices within the plant
• Misconfiguring a device that then broadcasts a traffic storm that disrupts a legacy industrial device
This is the reason the number one best practice recommended by standards organizations, ICS-CERT, and SCADA security experts is to make sure you have a good network design with well-secured boundaries.
The recently published ICS-CERT 2015 ICS Assessment Summary Report, for example, calls out weak boundaries between ICS and enterprise systems as a top vulnerability found in their deep dive assessments of critical infrastructure facilities.
Furthermore, even with a good enterprise-plant boundary, the days of counting only on perimeter defense are long gone. There are always pathways into control systems. The challenge is to contain communications in appropriate areas or sub-systems and prevent threats from migrating to other areas. That’s why it’s also necessary to implement many inside-the-plant-network security zones.
One of the most important ways of segmenting industrial networks for security purposes is to implement the ISA IEC 62443 standard, section -3-2 , that calls for the use of security zones separated by conduits.
A security zone is a group of assets that share common security requirements, for example a supervisory zone and a controller zone. Each zone has a defined border that can be either logical or physical and delineates which assets are included and which are not.
Communications between zones must be via a defined conduit. A conduit is any pathway of communication that enters or exits a security zone. The conduits are the perfect “choke points” for implementing security measures, such as industrial firewalls, to ensure only the traffic needed by plant systems is allowed to pass.
Conduits compensate for the fact the devices they protect have insufficient built-in security. In addition, focusing on conduit mitigation is typically far more cost effective and realistic than having to upgrade every device or computer in a zone to meet security requirements.
Besides the zones and conduit model, other ways to segment networks include the implementation of subnets, VLANS and VPNs. More info on these methods is available in the white paper “Best Practices in Substation Communication Design“.
Securing Industrial Wireless
Industrial wireless applications are being used more and more by manufacturers and operators to improve availability and reduce costs. And, today’s best practices, technologies and products make it straightforward to implement them securely.
Secure Remote Access
Remote access to industrial networks is a key enabler of fast troubleshooting and problem resolution, as well as a travel and time cost saver. It is also increasing in importance as plant systems incorporate more devices with intelligence as part of the Industrial Internet of Things (IIoT) trend, thus requiring support from more organizations.
The challenge is how to provide remote access in a way that is secure yet not complex. The traditional solution has been to use VPNs, but they can be difficult to use, create high administrative overhead and do not guarantee that only legitimate data is transferred.
New secure remote access solutions have come out that provide industrial engineers with tools that are easy to implement, don’t require IT resources and are highly secure. These industrial-focused approaches will increase in capability over time and make it easier to leverage worldwide engineering and technical expertise in cost effective ways.
Monitoring ICS Networks
Monitoring the security status of a network is common practice for IT networks but less common in the OT environment. It is increasing in use, however, and one way of doing it is to connect virtual-machine-based security software to the switch or router that connects the IT/plant DMZ boundary.
The VM machine passively (or non-invasively) collects packet flows, without impacting network operations, and analyzes them for anomalous or undesirable connectivity to the Internet or business network. It can also analyze log sources and apply intelligence and rules to identify malicious / anomalous activity.
Another facet to consider is the value of monitoring industrial network infrastructure equipment such as routers, switches, gateways etc. These systems connect the segments and can be compromised. They need to be assessed, a baseline taken and a monitoring effort applied. Some organizations have their IT teams managing the security and configuration of these devices.
Following best practices and using the technologies outlined above will go a long way to securing your communications infrastructure. Securing industrial operations environments need to be considered holistically, however. This involves also securing endpoints and control systems themselves.
Katherine Brocklehurst is with Belden’s Industrial IT group. Her area of responsibility covers industrial networking equipment and cyber security products across four product lines and multiple market segments. She has 20 years of experience in network security, most recently with Tripwire. Click here to view Katherine’s full blog.