Securing SCADA Systems from APTs

Tuesday, June 19, 2012 @ 06:06 PM gHale


Editor’s Note: This is Part I of an excerpt from Eric Byres’ Practical SCADA Security blog at Tofino Security.

By Eric Byres
A very complex worm called Flame has been discovered attacking companies in the Middle East, and it is an excellent example of what security experts call an Advanced Persistent Threat (APT). Figuring out how to defend against APTs is a major focus in the IT security world.

Now while Flame was busy attacking the Middle East, I was in Abu Dhabi at the International Cyber Security Forum for Energy and Utilities, listening to a talk by Paul Dorey called “Advanced Persistent Threats – A Real Problem with Real Solutions.” Paul’s talk focused on security for the IT industry, but there were important lessons on managing attacks in the ICS/SCADA world.


First, a little background. APTs are carefully crafted attacks against a focused target, designed to be effective over an extended period of time. Richard Bejtlich in his TaoSecurity Blog says it well:

Advanced means the adversary can operate in the full spectrum of computer intrusion. They can use the most pedestrian publicly available exploit against a well-known vulnerability, or they can elevate their game to research new vulnerabilities and develop custom exploits, depending on the target’s posture.

Persistent means the adversary is formally tasked to accomplish a mission. They are not opportunistic intruders. Like an intelligence unit they receive directives and work to satisfy their masters. Persistent does not necessarily mean they need to constantly execute malicious code on victim computers. Rather, they maintain the level of interaction needed to execute their objectives.

Threat means the adversary is not a piece of mindless code. This point is crucial. Some people throw around the term “threat” with reference to malware. If malware had no human attached to it (someone to control the victim, read the stolen data, etc.), then most malware would be of little worry (as long as it didn’t degrade or deny data).

Rather, the adversary here is a threat because it is organized and funded and motivated. Some people speak of multiple “groups” consisting of dedicated “crews” with various missions.

Now some people claim that APTs are just marketing hype, but Paul offered some chilling case studies showing that APTs are very real threats. Flame is also a good example of an APT, but so are Stuxnet, Nitro, Night Dragon and Duqu. These are all attacks discussed in previous papers and blogs. Trying to wish away APTs as hype is a clear case of sticking one’s head in the sand.

Paul went on to discuss the seven advanced approaches that the best companies are using to deal with APTs. This column will discuss the first approach.

Advanced Approach #1 is to focus your protection efforts on your most important assets. It would be ideal to protect everything perfectly and do it all the time. Unfortunately modern systems, whether they are IT systems or control systems, have become too complex to achieve perfect and uniform security.

So the smart IT teams are focusing their scarce security resources on securing the assets that really matter to the survival of the company. They do not rely solely on a perimeter firewall to keep all the bad stuff out of the company (the so-called Bastion Model, which bases the security design on hiding behind a single monolithic solution and so risks a single point of failure). Instead, they install additional layered defenses directly protecting key assets, such as servers containing sensitive financial or intellectual property information.

There are good reasons for using this approach. The obvious one is that it allows a defense in depth strategy rather than a bastion strategy. It also allows the company to focus additional money, effort and diligence on a few core assets. For example, it is a lot easier to carefully review the audit logs for two servers every day than for two hundred. Tasks that are highly focused are more likely to be carried out by overworked security staff.

The third reason is that these assets are the same ones the bad guys will focus on. Sure hackers and worms will go after any undefended computer, but in most cases these victims are just a stepping stone to the real target. Focusing your defensive efforts on the same things that your adversary is focusing on makes good security sense.

The strategy of focusing your defenses also works for ICS and SCADA security. Every control system has a few assets that would seriously impact production, safety or the environment if successfully attacked. These might be the safety instrumented system (SIS) in a refinery, the PLC controlling chlorine levels in a water filtration plant, or the RTU in an electrical substation. Every control engineer knows what really matters to his or her particular operation. Aggressively protect this asset and the chance of a truly serious cyber incident is massively reduced.

Consider Stuxnet. Symantec reports the worm infected over 100,000 computers, 60% of these in Iran. But its ultimate target had to be the PLCs and drive controllers running the enrichment centrifuges. It wouldn’t have mattered if Stuxnet had infected one billion computers; if it could not get to the PLCs, it would have failed in its mission. Had Iran’s defense focused on protecting those PLCs, their enrichment process likely would never have been impacted. Clearly, they focused more on a bastion security model, which ultimately failed them, allowing Stuxnet to impact at least 1000 centrifuges.

Don’t get me wrong: neither Paul nor I am advocating giving up on defending less critical assets or the network in general. This makes no more sense than a knight giving up the field and hiding in his castle.

What is needed (and is missing) is a balanced approach to system security. As an industry, we focus on trying to defend the entire field and forget about the castle containing the royal family. As long as the battle remains in the open, we think we are doing well. But when Ninja assassins (with names like Nitro, Duqu and Flame) start to sneak in, defending every laptop and desktop won’t seem all that important once the grid is down or the plant is leaking toxic chemicals.

So install those firewalls and Intrusion Detection Systems between IT and ICS networks. Build yourself what NERC-CIP calls an Electronic Security Perimeter (ESP). There is nothing wrong with that as part of a security strategy. Just remember to balance it with a focused defense, protecting what really matters to your process or company. Forget to focus and we will win the battle, but lose the war.

Eric Byres is chief technology officer at Tofino Security. The full version of this column appears on the Practical SCADA Security blog.


