Embracing Advanced Security Technologies

Wednesday, December 12, 2012 @ 05:12 PM gHale

By Andrew Ginter
The provisionally-approved CIP V5 standards address a wider spectrum of cyber-security technologies than previous versions addressed. In particular, the draft V5 standards address and encourage the use of hardware-enforced unidirectional communications technologies, and application control/whitelisting technologies.

The CIP standards drafting teams and senior North American Electric Reliability Corporation (NERC) officials are encouraging Bulk Electric System (BES) entities to “embrace the technology” and to deploy these strong operations-centric cyber-security technologies wherever practical.


On the topic of perimeter protections, the draft CIP V5 standards speak to hardware-enforced unidirectional communications technologies. These technologies represent a secure alternative to firewalls and are already used in many defense-in-depth security architectures for control systems throughout the power grid. Like firewalls, unidirectional gateways integrate control system data sources with business information systems through Electronic Security Perimeters. Unlike firewalls, the gateways cannot introduce security vulnerabilities as a result of this integration.

CIP auditors increasingly encounter hardware-enforced unidirectional communications technologies in their practice, and as a result, NERC publications increasingly address the topic. The provisionally-approved CIP V5 standards include communications directionality in the definition of External Routable Connectivity, a definition which exempts certain unidirectionally-protected equipment from 37 of the 103 requirements and sub-requirements in the standards. This is the strongest encouragement the CIP V5 drafting team can provide for a specific security technology.

On the topic of anti-malware protections, the CIP V1-V4 standards mention malware and anti-malware technologies only in general terms, yet they specifically require the universal use of anti-virus technologies. Those earlier versions of the CIP standards say nothing about application control or whitelisting technologies, which are a much newer approach to malware prevention than anti-virus systems are.

Anti-virus systems maintain a list of signatures for different sorts of malware. When a file matches one of the millions of signatures, or even when a certain pattern of execution or pattern of communication matches, the match is flagged as an attack and further execution is blocked. There are well-known problems in applying anti-virus technology to control systems components, not least that these technologies have a hard time catching the very latest Zero Day attacks. Anti-virus systems can only detect attacks they have signatures for, and so require constant signature updates to remain effective. Testing new signatures for safety on control systems is costly and the testing process delays deployment of the very latest signatures. As a result, control systems are always exposed to the most recent malware threats.

The new CIP V5 standards talk about malware very generally and still require that anti-malware technology be deployed on some kinds of Cyber Systems. However, the draft standards do not specify which kind of anti-malware technology must be deployed. Further, the standards mention application control/whitelisting technologies specifically as an alternative to anti-virus systems.

Application control systems maintain lists of allowed applications, libraries and executables, as well as lists of the characteristics of those executables. If a new application tries to execute, or if an application tries to modify an executable, or load a new library which is not on the approved list, those execution requests are denied. This way, even zero-day attacks which no-one has ever seen before can be blocked, precisely because the malware is new and is not on the list of allowed executables. Better yet, because there is no list of signatures to constantly update and to constantly test for safe operation, application control systems cost much less to operate on control networks than do anti-virus systems.
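The contrast drawn in the two paragraphs above, as an added illustration that is not code from the article or from any product it mentions: a signature-based check passes anything it has no pattern for, while an allowlist keyed on the hash of each approved executable denies both a never-before-seen binary and a modified copy of an approved one. File contents and signature patterns are constructed for the example.

```python
import hashlib

# Constructed sample "files": name -> contents, standing in for the
# executables and libraries present on a control-system host.
SAMPLE_FILES = {
    "hmi.exe":      b"MZ\x90\x00 HMI display application v2.1",
    "scada_io.dll": b"MZ\x90\x00 I/O library for the historian",
    "tool.exe":     b"MZ\x90\x00 unexpected new binary dropped on the host",
}

# Constructed anti-virus "signature" list: byte patterns of malware seen before.
KNOWN_SIGNATURES = [b"KNOWN_WORM_MARKER", b"OLD_TROJAN_STRING"]

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_allowlist(files, approved):
    """Record the hash of each approved executable at commissioning time."""
    return {name: sha256(files[name]) for name in approved}

def antivirus_allows(data: bytes) -> bool:
    """Signature model: block only when a previously seen pattern is present."""
    return not any(sig in data for sig in KNOWN_SIGNATURES)

def whitelist_allows(name: str, data: bytes, allowlist) -> bool:
    """Application control model: allow only if the name is approved and the
    file still hashes to the value recorded when it was approved."""
    return allowlist.get(name) == sha256(data)

def evaluate(files, allowlist):
    """Return the allow/block decision for every file under each model."""
    return {name: {"antivirus": antivirus_allows(data),
                   "whitelist": whitelist_allows(name, data, allowlist)}
            for name, data in files.items()}

if __name__ == "__main__":
    allowlist = build_allowlist(SAMPLE_FILES, ["hmi.exe", "scada_io.dll"])
    # Constructed tamper case: an approved executable modified after approval.
    tampered = dict(SAMPLE_FILES, hmi=None)
    tampered.pop("hmi")
    tampered["hmi.exe"] = SAMPLE_FILES["hmi.exe"] + b" patched"
    for name, d in evaluate(tampered, allowlist).items():
        print(f"{name:14} antivirus={'allow' if d['antivirus'] else 'block'}  "
              f"whitelist={'allow' if d['whitelist'] else 'block'}")
```

Running it shows tool.exe and the modified hmi.exe allowed by the signature check but blocked by the allowlist, while the unmodified scada_io.dll passes both.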

The standards drafting team has a number of mechanisms by which they can encourage the deployment of strong cyber-security technologies and the team has used those mechanisms in the course of preparing CIP V5. Members of the CIP version 5 drafting team point out that the provisionally-approved CIP standards were carefully written to encourage the use of strong security technologies in the form of both hardware-enforced unidirectional communications and application control systems.

The standards mention application control/whitelisting systems deliberately as an alternative to IT-centric anti-virus systems, and the standards reduce requirements and compliance costs for unidirectionally-protected equipment. The standards provide unidirectional exemptions precisely because the strong security provided by unidirectional gateways warrants reductions in secondary protective measures. This is the strongest encouragement which the team can provide for a specific security technology.

The use of commodity computing components in control systems and the integration of control system servers with business information systems are driving cost savings throughout the Bulk Electric System. CIP-regulated entities taking advantage of these cost-saving integrations have two choices — they can secure their business-integrated control systems with costly IT-centric anti-virus and firewall technologies or they can secure their control systems with modern, operations-centric security technologies. Entities deploying application control systems and hardware-enforced unidirectional gateways can enjoy the cost-saving benefits of modern, integrated operations without incurring unduly large new compliance costs.

Deploying strong operations-centric security measures is entirely within the spirit of the CIP standards. The point of the CIP standards is to enhance reliability through improved cyber-security. NERC and the CIP drafting team are encouraging BES entities to deploy strong security technologies in the form of application control/whitelisting systems, and unidirectional security gateways.

All ten of the draft NERC-CIP version 5 standards passed ballot on October 10, 2012, and passed a recirculation ballot on November 5, preparing the way for a final version to be submitted to FERC for approval.

Andrew Ginter is the Director of Industrial Security at Waterfall Security Solutions.
