Implementing ICS Digital Zone Separation

Monday, January 6, 2014 @ 02:01 PM gHale

By Eric D. Knapp
Digital segmentation and separation are fundamental components of basic cyber security, yet they remain difficult to implement in industrial control environments.

This is partly due to an industry-wide focus on perimeter security, a carryover from the days of air gap protection. The thinking is, “if we can recreate the air gap digitally, we will once again be secure.” However, this is fundamentally flawed thinking.

As industrial systems continue to evolve, they become more distributed, and there are more and more legitimate interconnections between internal systems within that distributed environment. The number of valid reasons for interconnectivity requires that more traffic be allowed through the perimeter, and if perimeter access isn’t denied outright, it isn’t really a gap. A more flexible approach is therefore required.


Anyone who has wrestled with this conundrum understands the challenge: There are many systems that make up a distributed industrial automation system; within these systems are devices that must communicate with each other, and in some cases with devices in other subsystems. Some of these connections are purely between control devices, some are between operations and business systems, some are diagnostic in nature, but they are all very real and they’re not going away. The trick is getting the right connections in place, so that only necessary information flows occur. The necessary flows can then be secured, and the unnecessary flows prevented outright.

Purdue Reference Model
This is well defined by the Purdue Reference Model for CIM, which is crowded with flow diagrams, (appropriately) resembling neurons. These diagrams map information flow against logical device groups according to zones and conduits—each zone representing a specific group of devices that work together and require interconnectivity, and each conduit representing connectivity between zones. These concepts are ingrained into the industry’s thinking, and are a foundation for industrial cyber security. Perhaps most notably, this model is used within ISA99 and IEC 62443, where it is presented in terms of security levels, zones and conduits. So, if there are defined zones and levels, what’s wrong with existing perimeter security techniques to protect these levels and zones?

Data Flow Diagram from the Purdue Model for CIM.

Primarily it’s an issue of semantics, but the flaw here is that the term perimeter implies one big shell around an entire system, within which many devices, residing within many zones with different security levels and conduits, could all go unmanaged. In other words, what we think of as perimeter security doesn’t imply the same level of granular access control that a properly enforced conduit provides. Of course, perimeter security is able to properly secure zones: every zone has a logical perimeter that defines it; if all information flows are forced to cross this boundary via appropriate cyber security measures, each conduit is made more secure.

This requires that:
1. Many such perimeters be created.
2. Appropriate security controls be put in place around each, so flows can be inspected.
3. These controls be able to map different policies to different information flows, so each flow or conduit can be adequately protected.

Using these criteria, it becomes obvious that, while there are many ways to segment zones and to enforce perimeter security, they are not always feasible or adequate.

Example of zone separation in a typical control system.

For example, traditional segmentation mechanisms that use VLANs and/or routing would either limit the amount of zone separation (by using too few devices) or become unduly complex (requiring massive network redesign to accommodate VLANs and IP subnetting). Too simple, and the right security isn’t implemented in the right places; too complex, and the risk of misconfiguration can result in less effective security and unintentional vulnerability. The complexity of highly sub-networked or VLAN-separated systems also imposes administrative overhead on operations teams, who are already strapped for IT skills and resources. Last, and certainly not least, ICS vendors may dictate specific designs, with specific layer-2 and layer-3 configurations, making the implementation of new network segmentation contractually impossible. In other words, traditional segmentation is not feasible for deep segmentation of industrial systems.

Routing can enforce the security of information flows, as can VLANs. However, this security is not absolute, and these paths remain susceptible to attack. Generally, the higher up the OSI stack you go, the more difficult the attack will be. VLAN ‘hopping’ is a relatively simple task that renders VLANs inherently insecure; routers are more difficult to circumvent; application layer controls are the hardest to overcome. Therefore, while VLAN and network segmentation can be effective, they are not entirely adequate for use in industrial systems.

Secure Segmentation
The necessity for a secure segmentation of the network is the crux of the issue: Zones and conduits exist because of a need to restrict access to and between systems, in an effort to improve the security and reliability of the overall system(s). If the information flow isn’t secure, the zone is moot. If the logical perimeter doesn’t adequately control access to the devices it contains, the system remains vulnerable.

To deploy an enterprise-class IT security device within a control environment to separate two discrete control zones would be to pound a square peg into a round hole. It would also be difficult to justify: the device would be costly, cumbersome, and may in many cases disrupt industrial communications (typically due to latency and other performance characteristics that simply aren’t tuned for sensitive industrial networks). There is also, typically, undue complexity, added to help products differentiate themselves in the highly competitive enterprise security market.

The answer isn’t to develop entirely new tools, but rather to make existing cyber security tools more relevant. To do so, we must first look at the tools that are available and then determine how to make them more appropriate to industrial control systems.

The basic requirement is simple: limit the network traffic allowed into and out of any given zone. It is a task that could be easily accomplished with a firewall, using bi-directional traffic filters to prune out unwanted traffic on unwanted ports. It is a good idea, and in many cases a necessary one — due to industry mandates that require the use of a firewall or similar technology for this purpose. Because firewalls filter IP traffic, they can also filter industrial control traffic running atop IP. However, while this will narrow the scope of legitimate traffic to what is authorized, even legitimate traffic needs to be inspected more closely.

Network-based exploits, denial of service attacks, and insider attacks from disgruntled employees all utilize legitimate traffic in illegitimate ways. Deep packet inspection can help, by looking into packets for an indication of malicious intent. Content filtering (a feature in next generation firewalls) looks at the application contents rather than simply matching packet contents to determine if an application is being misused, for example to prevent access to a specific URL instead of blocking all web traffic. This provides additional granularity, but commercial content filters aim primarily at filtering web content and email, not industrial applications. Moreover, most application-layer firewalls lack the ability to make decisions upon the specialized application-layer protocols used within industrial systems, which ride atop TCP/IP but establish their own application sessions, enact their own controls, and carry their own payloads.

To become relevant, the firewall must be able to understand these industrial applications, track application-layer sessions, and make decisions accordingly. To become highly relevant, the firewall should allow unwanted or unnecessary features to be disabled by default, so that they are more easily deployed and maintained in an environment staffed by operations managers and not IT managers.

Firewalls with Context
By utilizing existing firewall technology with the necessary relevance, context, and policy enforcement to filter industrial traffic and enterprise traffic, the device can adequately protect an industrial system and effectively secure zones. If the firewall can act transparently (i.e., it does not alter or impact IP communications), then it becomes feasible for deployment, by enabling zone-level separation (separation of systems by logical grouping and function) without the need for network reconfiguration. Such a firewall is much more practical for OT managers and staff because it will not interfere with approved control system designs.

Using relevant cyber security mechanisms, the complex network access policies required can finally be enforced. Through extensive filtering (using next generation firewalls that understand the nature of ICS application-layer protocols), the control network can be essentially “whitelisted.” By filtering the contents of industrial protocols, control can be highly granular and effective by defining which protocols are acceptable, which devices are authorized to communicate, and which tasks they are authorized to perform.
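The three requirements listed earlier (many perimeters, inspection at each, and per-flow policies) and the “whitelisted” control network described above come together in a single policy shape: zone membership, a conduit between zones, the port the conduit carries, and the application-layer operations permitted on it. The following Python program is an added example written for this article, not code from the author or from any vendor product; the zones, IP addresses, conduit table and Modbus/TCP frames are all constructed, and the Modbus parsing is limited to the MBAP header and function code of a client request.

```python
import struct
from dataclasses import dataclass

# Constructed sample topology: device IP -> zone name (not from the article).
ZONES = {
    "10.0.1.10": "control",      # PLC A
    "10.0.1.11": "control",      # PLC B
    "10.0.2.20": "supervisory",  # HMI / SCADA server
    "10.0.3.30": "business",     # historian client in the enterprise zone
}

MODBUS_PORT = 502

# Conduits: (source zone, destination zone) -> {TCP port -> allowed Modbus
# function codes}. Any flow not listed here has no conduit and is dropped,
# so the policy is deny-by-default ("whitelisted").
CONDUITS = {
    # the HMI may read (1-4) and write (5, 6, 15, 16) to PLCs
    ("supervisory", "control"): {MODBUS_PORT: {1, 2, 3, 4, 5, 6, 15, 16}},
    # the business zone may only read from the supervisory zone, never write
    ("business", "supervisory"): {MODBUS_PORT: {3, 4}},
}


@dataclass
class Decision:
    allowed: bool
    reason: str


def parse_modbus_request(payload: bytes):
    """Parse the MBAP header and function code of a Modbus/TCP request.

    Returns (unit_id, function_code), or None if the frame is malformed."""
    if len(payload) < 8:
        return None
    _tid, proto_id, length, unit_id = struct.unpack("!HHHB", payload[:7])
    if proto_id != 0:               # protocol identifier is always 0 for Modbus
        return None
    if length != len(payload) - 6:  # length field counts unit id + PDU
        return None
    return unit_id, payload[7]


def evaluate(src_ip: str, dst_ip: str, dst_port: int, payload: bytes) -> Decision:
    """Apply zone membership, conduit policy and function-code whitelist to one request."""
    src_zone = ZONES.get(src_ip)
    dst_zone = ZONES.get(dst_ip)
    if src_zone is None or dst_zone is None:
        return Decision(False, "unknown device; not a member of any zone")
    if src_zone == dst_zone:
        return Decision(True, f"intra-zone traffic within '{src_zone}'")
    ports = CONDUITS.get((src_zone, dst_zone))
    if ports is None:
        return Decision(False, f"no conduit defined from '{src_zone}' to '{dst_zone}'")
    allowed_fcs = ports.get(dst_port)
    if allowed_fcs is None:
        return Decision(False, f"port {dst_port} not permitted on this conduit")
    parsed = parse_modbus_request(payload)
    if parsed is None:
        return Decision(False, "malformed Modbus/TCP frame")
    unit_id, fc = parsed
    if fc not in allowed_fcs:
        return Decision(False, f"function code {fc} to unit {unit_id} not authorized")
    return Decision(True, f"function code {fc} authorized on '{src_zone}'->'{dst_zone}'")


def modbus_request(tid: int, unit_id: int, fc: int, addr: int, value: int) -> bytes:
    """Build a minimal Modbus/TCP request with a 4-byte PDU body (constructed test data)."""
    pdu = struct.pack("!BHH", fc, addr, value)
    return struct.pack("!HHHB", tid, 0, len(pdu) + 1, unit_id) + pdu


# Constructed sample frames
READ_HOLDING = modbus_request(1, 1, 3, 0, 10)  # fc 3: read 10 holding registers
WRITE_SINGLE = modbus_request(2, 1, 6, 0, 1)   # fc 6: write single register
DIAGNOSTICS = modbus_request(3, 1, 8, 0, 0)    # fc 8: diagnostics
MALFORMED = b"\x00\x01\x00\x00"                # too short to be a request

if __name__ == "__main__":
    samples = [
        ("HMI reads PLC", "10.0.2.20", "10.0.1.10", MODBUS_PORT, READ_HOLDING),
        ("HMI writes PLC", "10.0.2.20", "10.0.1.10", MODBUS_PORT, WRITE_SINGLE),
        ("HMI diagnostics on PLC", "10.0.2.20", "10.0.1.10", MODBUS_PORT, DIAGNOSTICS),
        ("business host reads PLC directly", "10.0.3.30", "10.0.1.10", MODBUS_PORT, READ_HOLDING),
        ("business host reads HMI", "10.0.3.30", "10.0.2.20", MODBUS_PORT, READ_HOLDING),
        ("PLC to PLC", "10.0.1.10", "10.0.1.11", MODBUS_PORT, READ_HOLDING),
        ("garbage on port 502", "10.0.2.20", "10.0.1.10", MODBUS_PORT, MALFORMED),
    ]
    for label, *args in samples:
        d = evaluate(*args)
        print(f"{'ALLOW' if d.allowed else 'DROP ':5} {label}: {d.reason}")
```

The example only judges client requests; a transparent firewall of the kind the article describes would also track the Modbus transaction and permit the matching response, and would tie decisions to the session rather than to each packet. What the code shows is the policy granularity the text calls for: a flow from the business zone directly to a PLC is dropped because no conduit exists, the same read from the HMI is allowed, a diagnostics function from the HMI is dropped even though the conduit, port and protocol are all permitted, and a frame that does not parse as Modbus is dropped rather than passed on port 502.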

What this means is that zoning can finally be well defined and implemented by operators, using readily available and easy-to-use technology. This very basic and necessary first step toward a mature cyber security profile — the separation of systems into functional groups — will do more for security, reliability and safety than almost any other available security measure. Properly established zones and conduits will make unauthorized access to (and exploitation of) critical devices more difficult; they will help to isolate functional systems to minimize the impact of an incident; and perhaps most importantly, they create a strong architecture foundation upon which more sophisticated security controls can be built.

Eric D. Knapp (@ericdknapp) continues to drive the adoption of new security technology for a safer and more reliable automation infrastructure. Eric is the director of strategic alliances for Wurldtech Security Technologies. He is also the author of “Industrial Network Security: Securing Critical Infrastructure Networks for Smart Grid, SCADA, and Other Industrial Control Systems,” and the co-author of “Applied Cyber Security for Smart Grids.”
