Reality Check: Assume a Security Breach

Thursday, July 21, 2011 @ 01:07 PM gHale

Editor’s Note: This is an excerpt from Eric Byres’ Wednesday blog post. Click here to read over the entire blog.

By Eric Byres

Earlier this month I came across a great article called “The new paradigm for utility information security: Assume your security system has already been breached” by Ernie Hayden of Verizon’s Global Energy & Utility Practice.

In the article Hayden describes how the mindset of cyber security professionals is typically one of “The Fortress,” or what I refer to as “The Bastion Model.” That is, an assumption that cyber threats are outside a perimeter and need to be blocked from entry by physical and technology barriers, such as secure premises and firewalls.


A classic example of this mentality, and of its limitations in the SCADA security field, is the 2003 incident at the Davis-Besse Nuclear Power Plant. The plant was hit by the MS SQL ‘Slammer’ worm, which flooded the site network with traffic. As a result, the Safety Parameter Display System (SPDS) was inaccessible for almost 5 hours, and the plant process computer was inaccessible for over 6 hours.

The incident investigation showed that a firewall was in place to isolate the control network from the enterprise network. However, a T1 wide area network connection from a software consulting firm entered the control network behind the firewall, bypassing every access control policy the firewall enforced. The worm first infected the consultant’s server and then entered the Davis-Besse control network over this T1 line.

Certainly, the consultant deserves part of the blame for this incident. But U.S. Department of Homeland Security vulnerability assessments show an average of 11 direct connections between the control network and the enterprise network, so a single consultant’s link is unlikely to be the only path around the firewall.

Thus, even if you catch Consultant A with his T1 link, you are almost certain to have missed Consultant B, Engineer C, Technician D and Supplier E, with their laptops, USB keys, CDs and serial modems. No matter how careful you are, the odds are eventually something nasty will sneak through to your control network. At that point, you need to be prepared with something more than “Well, we have a firewall…”

Bottom line: the Fortress approach to SCADA security is unlikely to be effective today.

In his article, Hayden documents several major organizations that have moved beyond the pure Fortress approach to an “assume a security breach” approach, including the U.S. National Security Agency (NSA). This is quite a change, and it is not easy to make.

At an automation vendor’s user conference, the attendees had only just come to the realization that cyber security is a problem they need to address. Their knowledge of what to do about this “new” issue was not high, and that reflects the state of the nation among controls engineers.

For an organization to go from a low level of industrial cyber security practice to the level of “assuming a security breach” is a very challenging journey.

My message to ICS and SCADA operators is this: You need to do two things about cyber security to make your plant safer and more reliable:
1. Learn about and start implementing defense-in-depth strategies so you have a process to contain an infection or breach. The ANSI/ISA-99 and IEC-62443 standards are a good place to start.
2. Be a change agent in your organization. Start the ball rolling to develop the 10 Key Practices that Hayden mentions for dealing with security system breaches.
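The two findings above, that sites carry many undocumented connections into the control network and that defense-in-depth means being able to spot and contain an infection once it is inside, both come down to knowing which zone boundaries traffic is allowed to cross. The following is an added example, not code from Byres, Hayden or the Davis-Besse investigation: a small Python audit that maps addresses to ISA-99 style zones, allow-lists the approved conduits between them, and flags every other zone crossing plus any UDP/1434 traffic (the port Slammer propagated over) wherever it appears. The zone subnets, conduit list and flow records are constructed for illustration; the flow format ("src dst proto dport") is an assumption, not the output of any particular firewall or flow collector.

```python
"""Zone-boundary audit: flag traffic that enters the control network outside
any approved conduit, plus Slammer-style UDP/1434 traffic anywhere.

All addresses, zones, conduits and flow records here are constructed for the
example; none are taken from the Davis-Besse investigation."""
import ipaddress
from collections import namedtuple

# Hypothetical plant addressing (assumption, not from the article).
ZONES = {
    "enterprise": ipaddress.ip_network("10.1.0.0/16"),
    "dmz": ipaddress.ip_network("10.2.0.0/24"),
    "control": ipaddress.ip_network("192.168.100.0/24"),
}

# Approved conduits between zones: (src_zone, dst_zone, proto, dst_port).
# Any zone crossing not on this list is a finding, whatever the firewall says.
CONDUITS = {
    ("enterprise", "dmz", "tcp", 443),  # users read historian reports in the DMZ
    ("dmz", "control", "tcp", 502),     # DMZ collector polls PLCs over Modbus/TCP
}

Flow = namedtuple("Flow", "src dst proto dport")


def zone_of(addr):
    """Map an address to a zone name; anything outside the plant is 'external'."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "external"


def parse_flows(text):
    """Parse 'src dst proto dport' records; '#' starts a comment."""
    flows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        src, dst, proto, dport = line.split()
        flows.append(Flow(src, dst, proto.lower(), int(dport)))
    return flows


def audit(flows):
    """Return (flow, src_zone, dst_zone, reason) for every suspicious record."""
    findings = []
    for f in flows:
        sz, dz = zone_of(f.src), zone_of(f.dst)
        if f.proto == "udp" and f.dport == 1434:
            # Slammer spread over UDP/1434. Assuming a breach means looking for
            # it inside the control zone as well, not only at the perimeter.
            findings.append((f, sz, dz, "SQL Slammer-style traffic (UDP/1434)"))
        elif sz == dz:
            continue  # intra-zone traffic is outside a boundary audit
        elif (sz, dz, f.proto, f.dport) in CONDUITS:
            continue  # approved conduit
        elif sz == "external" and dz == "control":
            findings.append((f, sz, dz, "external host reaching control zone directly (firewall bypass?)"))
        else:
            findings.append((f, sz, dz, "cross-zone flow outside any approved conduit"))
    return findings


# Constructed sample flow records (not real traffic).
SAMPLE_FLOWS = """\
10.1.5.20       10.2.0.10        tcp 443    # approved: enterprise user -> DMZ historian
10.2.0.10       192.168.100.15   tcp 502    # approved: DMZ collector -> PLC
10.1.5.20       192.168.100.15   tcp 445    # enterprise PC talking SMB straight to control
203.0.113.7     192.168.100.20   tcp 3389   # outside link landing behind the firewall
203.0.113.7     192.168.100.20   udp 1434   # worm arriving over that same link
192.168.100.20  192.168.100.21   udp 1434   # worm spreading inside the control zone
"""

if __name__ == "__main__":
    for flow, sz, dz, reason in audit(parse_flows(SAMPLE_FLOWS)):
        print(f"{flow.src} -> {flow.dst} {flow.proto}/{flow.dport} [{sz} -> {dz}]: {reason}")
```

Run against the sample, the two approved flows pass and four findings come back: the direct enterprise-to-control SMB session, the external host arriving behind the firewall, and the two UDP/1434 records. The point of checking the Slammer signature before the intra-zone shortcut is the one the article makes: a boundary-only view would never see the worm once it is already spreading PLC to PLC inside the control zone.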

Unfortunately, given the increase in ICS product vulnerability news over the last year, and especially the last few months, it is necessary to move forward on both basic and advanced cyber security initiatives at the same time.

Being organizationally ready for “assuming an infection” is not easy. However, it is a pragmatic strategy, one that takes both the realities of humans and modern control systems into consideration. The challenge for the controls professional is to apply it in ways that are efficient.

Eric Byres is the Chief Technology Officer at Byres Security. This was an excerpt from his Wednesday blog post.
