Deploying IPS to Secure ICS

Tuesday, November 18, 2014 @ 09:11 AM gHale

By Nate Kube
Industrial control systems (ICS) are at a great risk of cyber attacks against their hardware and software components, especially in an environment with increased reliance on open networking technologies and connectivity.

News of newly discovered cyber vulnerabilities in ICS is commonplace. Public and private sectors across the ICS landscape worry about the exploitation of these weaknesses and are working collectively to develop defensible postures through regulation, supply chain standards and guidelines for implementation and operation.


The threat environment is ripe for ICS attacks, and the attack surface is huge. A General Electric report put it this way: “Although there are already some 10 billion connected devices, they represent just 1 percent of what’s possible. That number will grow to 50 billion by 2020.”

Attacks are accelerating, too. The Department of Homeland Security (DHS) reported that 23 gas pipeline companies were targeted by cyber attacks between December 2011 and June 2012.

The information stolen in that campaign could enable an attacker to disrupt or destroy thousands of natural gas compressors. More recently, in 2014, the group tracked as Energetic Bear (also known as Dragonfly) used two pieces of malware to gain remote access to compromised systems in the industrial automation sector.

The combination of increased ICS connectivity and the ongoing rise in cyber attacks indicates that security incidents will become more frequent and more complex over the coming years. The main question for those analyzing the risk of an ICS security incident is no longer if an attack will occur, but when. And when it does, how will the victim marshal people, process and technology to minimize the impact and cost of the breach?

IT, OT Schism
Before jumping into the details of attacks and mitigation requirements, consider the differences between the IT enterprise network and the OT network. In practice the two networks sit at different levels of the architecture, and their respective firewalls and intrusion prevention systems (IPS) work complementarily. IT networks carry a broad range of traffic, including web, email, file sharing and more, while OT networks carry highly specific and at times proprietary protocol traffic. A second key difference is focus: for IT networks, performance, innovation and interoperability are usually paramount, while for OT networks reliability and availability trump all else. Oil rigs, utilities and manufacturing sites cannot afford costly downtime.

The differences between the IT enterprise network and the OT network. The networks end up separated by different levels and the respective firewalls and intrusion prevention systems work complementarily.

How does an attack happen in an OT environment? There are a number of potential sources of network attacks on an industrial network. As on a traditional IT network, attackers can come from the perimeter or from within. The trouble is that “from within” is a far bigger and more complicated attack surface in an industrial setting, because the network is often spread over a wide geographic area. Imagine an oil pipeline stretching from an oil field to the refinery or the port serving it. Between those two points are hundreds or thousands of kilometers of wilderness, dotted with pump stations. Each station has Programmable Logic Controllers (PLCs) that monitor and control the flow of oil and report back to the control center. In much the same way, the electrical grid consists of transmission, distribution and switching substations, transformers and reclosers, all of which work together to connect where electricity is generated to where it is used. Many of these sites are remote and unmanned; if something goes wrong, a crew has to drive out to fix it.

The physical dimension adds a new element to defense-in-depth. If one of these remote sites is physically compromised and the network is not properly segmented, there is a real possibility that the attacker can make process changes or launch network-based attacks against PLCs at other sites or against the control center.

Traditional IT security appliances have been deployed at the boundary between the operations data center and the field devices (master station and slaves, in SCADA terminology) with a degree of success. However, they only filter at Layer 4 and below. They do not address the considerable attack surface of a compromised industrial device at either end of the link, which can attack other hosts through the control protocols themselves.

Bypassing Traditional IPS

For quite a few years, a common way enterprise IT departments addressed the problem was by leveraging Intrusion Prevention Systems (IPS). Operational Technology (OT) groups can now take advantage of similar protections against cyber attacks that can bring down the industrial network, compromise data, or reveal sensitive intellectual property.

While the Department of Homeland Security ICS-CERT has long advocated IPS as a key preventive measure, a successful implementation depends on using an IPS designed and built to meet the security, technical and business requirements of industrial networks. For simplicity, efficiency and security efficacy, IPS should be a component of an industrial next gen firewall. The right solution must include an industrial-focused IPS rather than an enterprise IPS, because industrial attacks can easily bypass an enterprise IPS.

Here are three examples.
• Attacks bypass a traditional IPS when a message arrives in segments the IPS cannot reassemble properly because it does not understand the industrial protocol. Consider this scenario: (1) Allow “aaabbbccc,” (2) Allow “dddeeefff,” and (3) Deny “bbbcccddd.” Without understanding the protocol, the sensor may see a segment that reads “bbbccc.” The content is clear, but the IPS cannot tell whether it is the tail of the first “Allow” message or the head of the “Deny” message. Without the ability to judge the significance or potential impact of a whole message, tuning the IPS to block the attack is virtually impossible without an exorbitant number of false positives.
• Attackers can use legitimate functions of a control protocol’s intended feature set for illegitimate ends. Consider the damage to uptime and production if any of the following were used inappropriately: turning devices off, changing IP addresses, modifying names, altering settings, modifying firmware, restarting devices, and more. The misuse need not even be malicious: a subcontractor that performs a small portion of a larger process may have misconfigured gear that communicates with your equipment and ends up modifying coils, outputs, tags and other parameters. Without the context to know who (or which device) is permitted to use a particular function, operators of a traditional IPS have one option, open or close a port, which is an all-or-nothing choice that is impractical and unusable.
• Exploits normally have short life cycles, so vendors of enterprise IT IPS take shortcuts when developing signatures. These signatures are very good at detecting a known exploit but poor at detecting the underlying vulnerability the exploit targets, so an attacker can easily modify the exploit to bypass them. For example, many weak IPS signatures contain a pattern such as “\x41\x41\x41\x41,” which is simply the sequence “AAAA” the researcher used to fill space arbitrarily. An attacker of moderate skill recognizes this pattern and replaces the ‘A’s with ‘B’s or some other byte to bypass the exploit-specific protection. Without understanding the software flaw behind the security concern, full protection is impossible. So, what is the meaning behind the actual data? Is it the number of ‘A’s that triggers the problem? Perhaps the application expects two characters and crashes when it receives four. Does the number in that section of the message have any limits? The letters “AAAA” are the same as the number 1094795585 from the computer’s perspective, so perhaps that field is not supposed to exceed 70,000. Does that part of the message even matter for the attack? The sequence “AAAA” may merely separate two more important sections of the message, or pad it to the correct length, and not matter at all. Is the key one of these items, a combination, or all of the above? Without knowing these details, IPS vendors are always in catch-up mode.
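The first bullet above, worked through as an added example that is not part of the article: a constructed toy protocol in which every message is exactly nine bytes long and the sensor sees the TCP connection from its first byte (the “aaabbbccc” policy is taken from the text). Three matchers are compared on two constructed traffic samples: one that inspects each TCP segment on its own, one that reassembles the byte stream but has no notion of message boundaries, and one that reassembles and then frames the stream into whole messages before deciding. Real industrial protocols carry the message length in a header instead of using a fixed size; only the framing step would change.

```python
"""Constructed toy protocol: every message is exactly MSG_LEN bytes long and the
sensor sees the TCP connection from its first byte.  Policy taken from the text."""

MSG_LEN = 9
ALLOWED = {b"aaabbbccc", b"dddeeefff"}
DENIED = {b"bbbcccddd"}


def per_segment_verdicts(segments):
    """Naive IPS: searches each TCP segment on its own for a denied pattern."""
    return ["deny" if any(p in seg for p in DENIED) else "allow" for seg in segments]


def raw_stream_verdict(segments):
    """Reassembles the byte stream, but matches with no notion of message boundaries."""
    stream = b"".join(segments)
    return "deny" if any(p in stream for p in DENIED) else "allow"


def frame_messages(segments):
    """Protocol-aware reassembly: join the segments, then cut the stream into whole
    messages.  Bytes of an incomplete trailing message are returned separately so the
    caller waits for the next segment instead of judging half a message."""
    stream = b"".join(segments)
    complete = len(stream) - len(stream) % MSG_LEN
    messages = [stream[i:i + MSG_LEN] for i in range(0, complete, MSG_LEN)]
    return messages, stream[complete:]


def framed_verdicts(segments):
    """Protocol-aware IPS: one verdict per complete message, decided on the whole
    message.  Anything outside the allow list is denied, not just the known-bad pattern."""
    messages, _pending = frame_messages(segments)
    return ["allow" if msg in ALLOWED and msg not in DENIED else "deny" for msg in messages]


# Constructed traffic.
# Scenario 1: the denied message, split so that no single segment carries the
# whole pattern (TCP may do this on its own; an attacker can force it).
ATTACK_SEGMENTS = [b"bbbccc", b"ddd"]
# Scenario 2: two legitimate messages back to back; their concatenation contains
# the denied pattern straddling the message boundary.
LEGIT_SEGMENTS = [b"aaabbbccc", b"dddeeefff"]


def compare(segments):
    """Run all three matchers over the same segments."""
    return {
        "per_segment": per_segment_verdicts(segments),
        "raw_stream": raw_stream_verdict(segments),
        "framed": framed_verdicts(segments),
    }


if __name__ == "__main__":
    for name, segs in (("attack", ATTACK_SEGMENTS), ("legit", LEGIT_SEGMENTS)):
        print(name, compare(segs))
```

The per-segment matcher lets the denied message through when it is split across two segments; the unframed stream matcher catches it but also fires on two legitimate messages whose concatenation happens to spell the denied pattern across their boundary. Only the protocol-aware matcher gets both right, and it withholds judgement on a trailing half-message until the rest arrives.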

These are the key attack scenarios that bypass an enterprise IPS and threaten industrial networks. Because enterprise IT networks and industrial networks differ in these ways, their security solutions must differ too. To combat attacks on industrial networks, system operators require an IPS with specific protections against industrial attacks.

Knowing that, an industrial IPS needs to feature these vital protections and capabilities:

Industrial firewalls can mitigate the risks.
First, Deep Packet Inspection (DPI) that understands the industrial protocols relevant to control systems. Examples include PROFINET or CIP for industrial automation and IEC 60870-5-104 or IEC 61850 for electrical substation automation. Once the IPS understands a protocol, it can properly reassemble segments into meaningful messages, and it is on those messages that an industrial IPS lets organizations make properly informed security decisions.

Protection against vulnerabilities rather than against exploits ensures long-lasting security. Industrial gear stays in service for decades with minimal interaction from system operators, and device firmware may remain on old revisions for extended periods. Protection therefore needs high security efficacy to ease concerns about infrequent patching. When considering an industrial IPS, ensure the vendor has the people, expertise and experience to fully understand a vulnerability when creating signatures for the DPI engine. Work with vendors whose relationships give them access to full vulnerability information from device vendors, government sources, third-party independent researchers and the researcher who found the vulnerability. An ICS-focused IPS vendor will also dedicate the prioritization and research resources needed to understand each vulnerability and improve protections, whereas an IT-focused vendor would give ICS vulnerabilities low priority.

Protection profiles provide in-depth mitigation. Many times a signature is not enough; there will be times when more is needed: a patch, a change to the IPS configuration, additional background information and more. Guidance and direction for those additional mitigation steps is needed. When evaluating an IPS, ensure that protections extend beyond signatures alone and include the following: 1) Policy enforcement, which applies the operator’s policy to prevent attacks or misuse that could hurt productivity and reliability. 2) Vulnerability-based IPS signatures, which secure the system against the root vulnerability and so defend against any exploit that tries to take advantage of it, giving greater accuracy and broader protection with fewer signatures. 3) Patching recommendations for vulnerable systems, so that the versions in service address the security concerns.

Granular policy control sets specific parameters that determine when a communication is allowable. The actual parameters are highly specific to the industrial protocol. They include items that determine:
• “Who” – IP addresses, MAC addresses, protocol addressing information (e.g. slave/station address in Modbus), and more
• “How” – function codes, operations, data types, and primitive types
• “About what” – coil/IO numbers, memory addresses, tag names, and allowed values. Understanding these parameters together with the protocol in use and the specific context gives system operators the visibility to act on illegitimate use of functions and commands
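The two ideas above, the third bullet in the earlier list (vulnerability-based rather than exploit-based checks) and this who/how/about-what policy, carried through as one added example that is not from the article or any vendor’s product. It uses public Modbus/TCP framing (MBAP header followed by the PDU) and the public invariants of the multi-write function codes (byte count must equal 2 × quantity for function 0x10 and ⌈quantity/8⌉ for 0x0F). The IP addresses, unit IDs, address ranges, rules and sample requests are constructed; the “AAAA” padding check stands in for an exploit-specific signature, and the vulnerability it alludes to (a device trusting an inconsistent byte count) is a class of flaw, not a specific advisory.

```python
import struct
from dataclasses import dataclass

MBAP = struct.Struct(">HHHB")  # transaction id, protocol id, length, unit id

# Function codes from the public Modbus application protocol specification.
READ_COILS, READ_HOLDING_REGISTERS = 0x01, 0x03
WRITE_SINGLE_COIL, WRITE_SINGLE_REGISTER = 0x05, 0x06
WRITE_MULTIPLE_COILS, WRITE_MULTIPLE_REGISTERS = 0x0F, 0x10


@dataclass
class Request:
    src_ip: str
    unit_id: int   # slave/station address ("who", at the protocol level)
    function: int  # "how"
    address: int   # coil/register start address ("about what"); -1 if absent
    data: bytes    # PDU bytes after the function code


def build_request(unit_id, function, data, tid=1):
    """Encode a Modbus/TCP ADU.  Used here only to construct sample traffic."""
    return MBAP.pack(tid, 0, len(data) + 2, unit_id) + bytes([function]) + data


def parse_request(src_ip, adu):
    """Parse one ADU; reject frames whose MBAP header disagrees with the bytes present."""
    if len(adu) < MBAP.size + 1:
        raise ValueError("frame too short")
    _tid, proto, length, unit_id = MBAP.unpack_from(adu)
    if proto != 0:
        raise ValueError("protocol id %d is not Modbus" % proto)
    if length != len(adu) - 6:
        raise ValueError("MBAP length %d vs %d bytes on the wire" % (length, len(adu) - 6))
    data = adu[MBAP.size + 1:]
    address = struct.unpack_from(">H", data)[0] if len(data) >= 2 else -1
    return Request(src_ip, unit_id, adu[MBAP.size], address, data)


# Exploit signature versus vulnerability condition (third bullet of the earlier list).
EXPLOIT_PADDING = b"\x41\x41\x41\x41"  # the "AAAA" filler a hypothetical PoC used


def exploit_signature_hit(req):
    """Enterprise-style signature: fires on the PoC's filler bytes and on nothing else."""
    return EXPLOIT_PADDING in req.data


def violates_length_invariants(req):
    """Vulnerability-style check: in a multi-write request the byte count must agree
    with the quantity field and with the bytes actually present.  A device that trusts
    the byte count blindly is exploitable with any payload bytes, so this catches the
    PoC and every re-padded variant of it."""
    if req.function not in (WRITE_MULTIPLE_COILS, WRITE_MULTIPLE_REGISTERS):
        return False
    if len(req.data) < 5:
        return True
    _start, qty, byte_count = struct.unpack_from(">HHB", req.data)
    if req.function == WRITE_MULTIPLE_REGISTERS:
        expected, in_range = 2 * qty, 1 <= qty <= 123
    else:
        expected, in_range = (qty + 7) // 8, 1 <= qty <= 1968
    return not in_range or byte_count != expected or len(req.data) - 5 != byte_count


# Granular policy: who may do what to which addresses (constructed rules).
@dataclass(frozen=True)
class Rule:
    src_ips: frozenset
    unit_ids: frozenset
    functions: frozenset
    address_range: tuple  # inclusive (low, high)

    def permits(self, req):
        low, high = self.address_range
        return (req.src_ip in self.src_ips and req.unit_id in self.unit_ids
                and req.function in self.functions and low <= req.address <= high)


RULES = [
    # The HMI may read and write holding registers 0..99 on unit 1.
    Rule(frozenset({"10.10.1.5"}), frozenset({1}),
         frozenset({READ_HOLDING_REGISTERS, WRITE_SINGLE_REGISTER, WRITE_MULTIPLE_REGISTERS}),
         (0, 99)),
    # The historian may only read, anywhere on unit 1.
    Rule(frozenset({"10.10.1.20"}), frozenset({1}),
         frozenset({READ_COILS, READ_HOLDING_REGISTERS}), (0, 0xFFFF)),
]


def decide(req, rules=RULES):
    """Default deny: pass only well-formed requests that some rule explicitly permits."""
    if violates_length_invariants(req):
        return "deny: malformed multi-write"
    if any(rule.permits(req) for rule in rules):
        return "allow"
    return "deny: no rule permits this source/unit/function/address"
```

Two things to note. The signature fires on the PoC’s “AAAA” payload and is silent on the same request re-padded with “BBBB”, while the invariant check denies both, because the byte count is wrong regardless of what fills the registers. And a historian that is allowed to read everything still cannot write a single register, and the HMI that may write registers 0..99 cannot touch register 256: the decision is made on source, unit, function and address together, not by opening or closing TCP port 502.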

In addition, protection must go beyond detecting anomalous (and potentially malicious) traffic. Consider capabilities that flag deviations of otherwise valid traffic from what is expected. Recipe data in pharmaceutical facilities, pipeline pressure information and vibration data in turbine control are all exceptionally sensitive to attacks that modify the actual operating parameters of the control data. Stuxnet behaved in very much this way in its attack on Iran’s nuclear facilities, where subtle changes were made to uranium centrifuge speeds.

And of course, all industrial IPS functionality needs to be easy to deploy and manage. IPS is a key component of an industrial next gen firewall, so both should run on the same firewall device. IT security staff may lack resources or experience with industrial equipment, and OT teams may lack security expertise. So, whichever team takes point, the right solution needs simplified security administration with an easy-to-use graphical interface (no command line required) to ease management and deliver visibility across the network.

The Next Step
Yes, industrial control systems and enterprise IT networks differ as do their security needs.

Therefore, since enterprise IPS solutions are not designed to protect industrial networks, system operators must choose an IPS that fully understands industrial protocols and the specific context of each industrial command. In addition, knowing that industrial networks are difficult and costly to patch, there needs to be protection against vulnerabilities vs. exploits to ensure long lasting, effective security.

New installations and upgrade projects need to include a security budget to effectively protect your company’s assets, productivity and revenues.
Nate Kube founded Wurldtech Security Technologies in 2006 and serves as the company’s chief technology officer, responsible for strategic alliances, technology and thought leadership. He has authored numerous patents in formal test methods and critical systems protection, has co-authored numerous security publications for the embedded device security market, and frequently speaks on cyber security issues.
