Control networks and industrial control systems manage the generation and delivery of electricity, automate production lines, control environmental systems in large commercial buildings and hospitals, and manage many other vital processes, many of which are considered critical infrastructure. They also face a unique set of complications when it comes to cyber security.
Control networks are targeted by the same modern cyber security threats that typical corporate networks face, but many industrial control systems in operation today were designed during a time when it was sufficient for networks to be physically separated (“air-gapped”) from their corresponding corporate networks. But amidst the sensationalism the Stuxnet worm generated for its ability to sabotage an air-gapped control network, there was an important lesson: air gaps as a cyber security technique have run their course and are no longer effective.
The Attack Continuum and Defense in Depth
For many years, conventional wisdom focused solely on a perimeter-based defense to keep out attackers, and little attention was paid to what happened within the walls of the enterprise. All it takes is one door left open – intentionally or not – to render the best perimeter-based defense useless.
Today, the conventional wisdom is to expect a successful attack, and to design and defend your network with defense-in-depth, a multi-layered, multi-technology strategy to defend an organization’s most critical assets. Another important shift in thinking is to recognize that cyber security is not a point-in-time exercise; rather, it must be thought of as a continuous, constantly evolving process focused on the full attack continuum: before, during and after an attack.
Applying Cyber Security to Control Networks
The adage “forewarned is forearmed” is a key tenet in security strategy. To put this strategy to use, you first have to know what you are protecting and where it is, but that isn’t as easy as it may seem in control networks. Industrial control systems such as remote terminal units (RTUs) and programmable logic controllers (PLCs) are typically built to perform a very specific task, and many run proprietary operating systems with the minimum amount of processing power and memory. Therefore, even the most basic discovery methods, such as a ping sweep, could quite conceivably take these industrial control systems down. Security technologies must be able to passively profile control networks without being inline. This means that no communications latencies will be introduced between control systems, and we do not need to aggressively scan the control network. Baselines of behavior and communications patterns may then be established in whitelists, where only anomalous traffic is inspected and approved communications are allowed to flow freely, as is commonly desired in control networks.
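The following added example (not code from the original article or from any vendor product it describes) shows the passive baseline-and-whitelist idea in working form. It assumes a passive sensor (a tap or SPAN port, never an inline device or an active scanner) has produced flow records; the hosts, addresses, protocols and timestamps are constructed for the example. A learning period builds the whitelist, approved traffic is left alone, and only flows that fall outside the baseline are surfaced. It also covers the scenario described later on this page, where an unknown device contacts a management system that then starts talking to systems it never talked to before:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One observed conversation: who talked to whom, over what, on which port."""
    src: str
    dst: str
    proto: str   # constructed labels, e.g. "dnp3", "https", "mssql"
    dport: int


# Constructed learning-period traffic for a small substation segment.
# Addresses and roles are invented for this example.
BASELINE_FLOWS = [
    Flow("10.0.1.10", "10.0.1.50", "dnp3", 20000),   # management station -> RTU
    Flow("10.0.1.10", "10.0.1.51", "dnp3", 20000),   # management station -> RTU
    Flow("10.0.1.20", "10.0.1.10", "https", 443),    # HMI -> management station
    Flow("10.0.1.10", "10.0.1.30", "mssql", 1433),   # management station -> historian
]

# Constructed monitoring-period observations as (timestamp, Flow).
MONITOR_OBSERVATIONS = [
    (100, Flow("10.0.1.10", "10.0.1.50", "dnp3", 20000)),   # approved
    (101, Flow("10.0.1.20", "10.0.1.10", "https", 443)),    # approved
    (102, Flow("10.0.1.77", "10.0.1.10", "dnp3", 20000)),   # unknown device -> management station
    (103, Flow("10.0.1.10", "10.0.1.51", "smb", 445)),      # management station -> RTU on a never-seen port
    (104, Flow("10.0.1.10", "10.0.1.30", "mssql", 1433)),   # approved
]


def build_baseline(flows):
    """Learn the whitelist from passively observed traffic.

    Returns (allowed, known_hosts): the exact conversations seen during the
    learning period, and every host that took part in any of them.
    """
    allowed = set(flows)
    known_hosts = set()
    for f in flows:
        known_hosts.update((f.src, f.dst))
    return allowed, known_hosts


def classify(flow, allowed, known_hosts):
    """Label one flow: approved traffic is passed through without inspection."""
    if flow in allowed:
        return "approved"
    if flow.src not in known_hosts or flow.dst not in known_hosts:
        return "new-device"          # a host that was absent during the learning period
    return "new-conversation"        # known hosts, but a pairing/port never seen before


def find_anomalies(observations, allowed, known_hosts):
    """Return only the anomalous observations as (timestamp, label, flow), in time order."""
    findings = []
    for ts, flow in sorted(observations, key=lambda o: o[0]):
        label = classify(flow, allowed, known_hosts)
        if label != "approved":
            findings.append((ts, label, flow))
    return findings


def pivot_candidates(findings):
    """Known hosts that were contacted by an unknown device and afterwards opened
    conversations they had never had before. That ordering is the pattern a
    defender wants escalated first."""
    first_contact = {}   # known host -> earliest time an unknown device reached it
    pivots = set()
    for ts, label, f in findings:
        if label == "new-device" and f.dst not in first_contact:
            first_contact[f.dst] = ts
        elif label == "new-conversation" and f.src in first_contact and ts > first_contact[f.src]:
            pivots.add(f.src)
    return sorted(pivots)


if __name__ == "__main__":
    allowed, known = build_baseline(BASELINE_FLOWS)
    for ts, label, flow in find_anomalies(MONITOR_OBSERVATIONS, allowed, known):
        print(f"t={ts} {label:17} {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}")
    print("escalate:", pivot_candidates(find_anomalies(MONITOR_OBSERVATIONS, allowed, known)))
```

Because the whitelist is built only from what the sensor saw, the learning period has to cover the network's full operating cycle (maintenance windows included) or legitimate but infrequent conversations will be reported as anomalies; in practice a reviewed exception list sits alongside the learned baseline.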
Commercial operating systems such as Microsoft Windows XP have made inroads into the control systems world over the last few years, particularly with human-machine interface (HMI) systems and historians. The use of commercial operating systems has provided a benefit to manufacturers in that they do not need to devote the development effort that had gone toward proprietary operating systems, and asset owners enjoy the benefit of increased interoperability between vendors’ equipment. This also means that these control systems face increased security vulnerabilities due to the complexity of the operating system code base. That interconnectivity, itself, creates another attack vector. Although commercial vendors regularly release security patches, patching systems in a control network is not the same as patching systems in an IT network. Control system patching cycles are a great deal longer and require extensive testing in order to protect the reliability of the control network.
A nation-state probes corporate networks looking for access to a control network; a smartphone is plugged into a management system to recharge the battery and malware is released onto the network; a new device in a substation begins communicating with a management system, which, in turn, begins communicating with other systems it hadn’t communicated with previously.
Attacks can be swift and blatant, or they can be slow and subtle. They can be direct, or an unknowing middleman can facilitate them. The most important thing is to monitor your networks closely to detect anomalies, violations, or indicators of compromise and to be able to respond immediately.
What may appear innocuous today may later be discovered to have been a cleverly disguised attack. How does one defend against vulnerabilities that are not yet known? This can be accomplished by finding a vendor that has a threat-centric approach to security, including a continuous capability that is always analyzing event and network data, searching for patterns and anomalies. When an anomaly is discovered retroactively on the basis of new intelligence, the outbreak can be contained and the malware remediated, minimizing the chance of reinfection.
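An added example (not code from the original article or any vendor product) of the retroactive step described above. It assumes the continuous capability has retained a history of connection events as (timestamp, source, destination) tuples; the host names, the indicator address and the timestamps are constructed for the example. When new intelligence flags a destination, the history is re-read to find who contacted it first, and then a time-respecting walk over later events lists every host the first victim could have reached since, which is the set to contain so the outbreak is not cleaned up in one place only to return from another:

```python
# Constructed connection history (timestamp, src, dst). Names are invented.
# 203.0.113.9 is a documentation address standing in for an indicator that
# intelligence later reports as malicious.
EVENT_HISTORY = [
    (10, "hmi-02", "hist-01"),
    (12, "eng-ws-01", "203.0.113.9"),   # the contact later flagged by new intelligence
    (15, "eng-ws-01", "plc-gw-01"),
    (18, "plc-gw-01", "plc-07"),
    (9,  "plc-gw-01", "plc-03"),        # happened before first contact: cannot be part of the spread
    (20, "hmi-02", "eng-ws-01"),        # into the victim, not out of it: not part of the spread
    (22, "plc-07", "hist-01"),
]


def retrospective_scan(events, indicator):
    """Re-read stored history against a newly learned indicator.

    Returns [(timestamp, host)] for every host that contacted the indicator,
    earliest first; the first entry is the best candidate for the initial victim.
    """
    hits = [(ts, src) for ts, src, dst in events if dst == indicator]
    return sorted(hits)


def temporal_spread(events, patient_zero, t0):
    """Hosts reachable from patient_zero by a chain of connections that respects time.

    A host counts only if it was contacted by an already-implicated host strictly
    after that host became implicated. Returns {host: time_first_implicated}.
    """
    implicated = {patient_zero: t0}
    for ts, src, dst in sorted(events, key=lambda e: e[0]):
        if src in implicated and ts > implicated[src] and dst not in implicated:
            implicated[dst] = ts
    implicated.pop(patient_zero)
    return implicated


def containment_set(events, indicator):
    """Everything that should be isolated and remediated together: each host that
    touched the indicator plus whatever those hosts could have reached afterwards."""
    contain = set()
    for t0, host in retrospective_scan(events, indicator):
        contain.add(host)
        contain.update(h for h in temporal_spread(events, host, t0) if h != indicator)
    return sorted(contain)


if __name__ == "__main__":
    print("first contact:", retrospective_scan(EVENT_HISTORY, "203.0.113.9"))
    print("contain:", containment_set(EVENT_HISTORY, "203.0.113.9"))
```

The walk is deliberately conservative: a connection that precedes the first contact, or one that only flows into an implicated host, does not widen the set. Event retention is what makes this possible at all; a capability that only alerts in real time has nothing to re-examine when the intelligence arrives weeks later.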
Air gaps are no longer insurance against intrusion, and the increased connectivity that brings operational efficiencies to control networks has also brought a host of vulnerabilities and an increased attack surface. While these threats are like those faced by corporate IT networks, the unique requirements of control networks mean that cyber security solutions are not one-size-fits-all. Organizations must understand this and protect their control networks with advanced cyber security portfolios to remediate threats before, during and after an attack without sacrificing reliability.