"In our experience in conducting hundreds of vulnerability assessments in the private sector, in no case have we ever found the operations network, the SCADA system or energy management system separated from the enterprise network," observes Mr. Sean McGurk, the Director, National Cybersecurity and Communications Integration Center (NCCIC) at the Department of Homeland Security, as quoted by Byres. "On average, we see 11 direct connections between those networks. In some extreme cases, we have identified up to 250 connections between the actual producing network and the enterprise network."Simply put, most modern control systems are too reliant on information streams from outside sources for an air gap to work. There are always new patches to apply and new software versions to run, ongoing needs which open up new pathways – such as a USB key or a laptop – that could expose seemingly isolated systems to malicious SCADA-based software, including Stuxnet. And that applies to external threats only. As noted on Belden's blog in a separate post, most industrial security incidents originate from within the control network. This not only renders air gaps essentially useless, but it also reveals how critical systems can be compromised as a result of misconfigured firewalls, poorly segmented networks, unpatched software, device error, and malware, such as BlackEnergy, which was recently discovered to have caused the world's first malware-based power outage and to have infected a workstation at Ukraine's Boryspil International Airport. If air gaps are a thing of the past, how are system administrators and control engineers supposed to protect modern SCADA systems? The way forward rests with foundational network and operational security practices. Paul Ferguson, a senior threat researcher advisor at Trend Micro, explains in a report how personnel need to concentrate on minimizing risks and maintaining an adaptive, evolving security posture.
"The architecture of how ICS networks interface with the other components of an enterprise network is critical to providing a more heightened security posture," Ferguson comments. "To protect sensitive ICS networks, proper segmentation of traffic flow must be provided, restricted access control and authentication must be required, traffic and alert logs must be analyzed, and alert notifications must be appropriately addressed."Personnel can further reap the benefits of a risk-based security posture by following a defense in depth design approach as described in IEC 62443. By segmenting systems into zones and securing the conduits of communication between them with specialized firewalls that understand the communications protocols used in industrial systems, systems can be both hardened and protected from within. This same defense in depth approach applies when the SCADA system is connected to the enterprise or outside world in what is now commonly referred to as the Industrial Internet or the Industrial Internet of Things (IIoT). In an article published on Computing, Harel Kodesh, VP and CTO of General Electric, describes how the industrial internet is made up of three layers: the edge, the middle layer, and the cloud. By protecting the edge devices and installing sensors in the gateway layer, companies can further protect the cloud, especially when it is powered by servers that are optimized for security and when it is configured to facilitate information sharing between edge devices and gateways.
"You can have situational awareness," Kodesh notes. "If you have an IP address that's trying to get into a power station in Poland and the same IP is connecting to a power station in the UK then you should check it out. If you were operating your own system then you wouldn't get that sort of intelligence. It's a bit counter-intuitive but cloud operations in our context are more secure not less secure than operating in isolation."Manufacturing each IIoT device according to "security first, functionality later," not to mention requiring each of the three layers to authenticate itself on a continual basis, will also go a long way towards enhanced security, Kodesh points out. When it comes down to setting those processes in motion, folks from IT can help by embracing the need to learn from OT:
"For IT security pros that want to start to cooperate on security with OT, learning about how OT works is a great starting place," explains David Meltzer, chief research officer at Tripwire. He adds: "Whether that means buying a PLC training kit and learning what these devices actually look like in OT environments, or taking an Industrial Security Controls class, or just reading a book on the subject, it is beneficial for professionals to go in with an open mind and learn about that other side."To read more about the Industrial Internet of Things, please click here. Title image courtesy of ShutterStock