Security and industrial control systems: unlikely bedfellows
By Hamid Karimi Beyond Security
Jul. 12, 2017 – Isolation as a complete security solution for industrial control systems (ICS) is dead.
ICS suffers from the use of obsolete, but seemingly irreplaceable, software and a flat network design. Other enterprise networks have responded to security threats by deploying the most current operating systems and application versions, network segmentation and best-of-breed defences. ICS isolation was the one-note solution that has been acceptable until now, but it is no longer a workable plan.
ICS networks that were designed simply to push supervisory commands to remote devices have also exacerbated the challenge. There has been little room for devices to communicate their states, to accept updates without downtime and to benefit from metadata-driven intelligence, yet security depends upon all of this.
PLC as the Achilles’ heel of ICS
In addition to the wide attack surface in ICS, which stems from a poor understanding of risk exposure, the time to remediation once vulnerabilities are discovered is excessively long, and that delay provides a window of opportunity to potential intruders. Among the components of ICS, PLCs are a particularly weak spot because they are monitored by SCADA systems, which are themselves a single point of failure in the overall ICS implementation. Case in point: Stuxnet was a high-profile SCADA attack that targeted PLCs in Iran's nuclear program. An unintended consequence of this worm was its reach beyond the designated target, as Stuxnet's footprints were discovered across the globe shortly afterwards. The reason was obvious: Iran, like any other country, belongs to the Internet community, and the Internet is like the Wild West. Moreover, even though SCADA systems need not have Internet access, they often share networks with Internet-connected hosts, so a single human error can turn into an inadvertent security failure.
The arrival of IoT
IoT, automation and sensors are pretty much synonymous terms: automation is improbable without IoT, and IoT cannot function without sensors. What about the communication language? Sensors in legacy networks widely use proprietary (i.e. closed) protocols to communicate their state and receive supervisory commands. Modern sensors increasingly speak TCP/IP, and TCP/IP stacks have known vulnerabilities that can be exploited to invade ICS and, in some cases, to inject malicious code together with command-and-control tooling. These developments have brought us an attack surface that is elastic and growing.
Big Brother speaks
Over the years, NIST SP 800-82 has gone through revisions and offers fundamental guidelines to harden and protect ICS, serving as a blueprint for public-private partnership. One of the most important advisories issued by NIST is regular and thorough inventory control and vulnerability assessment to measure risk exposure. ICS-CERT, which operates within the National Cybersecurity and Communications Integration Center (NCCIC), also aims to provide cohesion between government and industry in securing ICS applications.
Forecast is cloudy
We are all familiar with the Cloud computing concept. Other approaches, in particular fog and edge computing, have also become popular lately as alternatives or supplements to the Cloud. The primary factors driving the choice of a specific model are security concerns (chain of custody) and just-in-time data processing. One can reasonably expect the Cloud to eventually scale and meet the demands of ICS with embedded sensors. In the meantime, hybrid approaches continue to proliferate. Regardless of which methodology wins the battle in the short run, modern DevOps requires collaboration between IT security teams and application (ICS) developers to gain an early understanding of potential, and often inherent, vulnerabilities before products are introduced to market.
The challenges ICS faces are an epitome of what the computing industry faces today. Without a credible security assessment, the notion of minimizing or closing the attack surface will die an abstract death. As NIST recommends, the most prudent and cost-effective approach is to begin with an effective asset discovery and vulnerability assessment solution: what you cannot see, you won't protect, and what you don't know will harm you. Ignorance in this instance is a curse, not a blessing. By heeding the call of NIST, the return on investment will be far greater than trying to stop threats in real time. Sun Tzu, in the sixth century B.C., once said "know thyself, know thy enemy. A thousand battles, a thousand victories", and in today's world that sentiment hits quite close to home.
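The NIST advisory above (regular inventory control and vulnerability assessment) and the closing recommendation to start with asset discovery both come down to two defensive checks: reconcile what is actually on the ICS network against the approved asset list, and measure how long each known finding has been open, since the article names remediation delay as the intruder's window. The following Python script is an added example, not code from the article or from Beyond Security; the inventory, the passive-discovery output, the findings and their identifiers are all constructed placeholders, and the SLA thresholds are assumed policy values.

```python
"""Asset-inventory reconciliation and time-to-remediation report.

Added example, not from the original article. All addresses, device names,
finding identifiers and dates below are constructed; FINDING-* ids are
placeholders, not real CVE numbers.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Constructed approved inventory: address -> (asset name, role)
INVENTORY: Dict[str, Tuple[str, str]] = {
    "10.10.1.10": ("PLC-01", "plc"),
    "10.10.1.11": ("PLC-02", "plc"),
    "10.10.1.50": ("HMI-01", "hmi"),
    "10.10.2.5": ("HIST-01", "historian"),
}

# Constructed passive-discovery output: (address, first_seen, last_seen)
OBSERVED: List[Tuple[str, date, date]] = [
    ("10.10.1.10", date(2017, 6, 1), date(2017, 7, 10)),
    ("10.10.1.11", date(2017, 6, 1), date(2017, 7, 10)),
    ("10.10.1.50", date(2017, 6, 1), date(2017, 7, 10)),
    ("10.10.1.77", date(2017, 7, 9), date(2017, 7, 10)),  # not in inventory
]


@dataclass
class Finding:
    asset: str            # address of the affected asset
    finding_id: str       # placeholder identifier (constructed)
    severity: str         # "high" or "medium" in this example
    discovered: date
    remediated: Optional[date]  # None while still open


# Constructed vulnerability-assessment results
FINDINGS: List[Finding] = [
    Finding("10.10.1.10", "FINDING-0001", "high", date(2017, 5, 1), date(2017, 5, 20)),
    Finding("10.10.1.11", "FINDING-0002", "high", date(2017, 4, 1), None),
    Finding("10.10.2.5", "FINDING-0003", "medium", date(2017, 6, 15), None),
]

# Assumed remediation policy: maximum days a finding may stay open, by severity
SLA_DAYS: Dict[str, int] = {"high": 30, "medium": 90}


def reconcile(inventory, observed):
    """Compare discovered devices with the approved inventory.

    Returns (unknown, missing): addresses seen on the wire but not approved,
    and approved assets that were not seen at all (offline, or discovery gap).
    """
    seen = {addr for addr, _first, _last in observed}
    unknown = sorted(seen - set(inventory))
    missing = sorted(set(inventory) - seen)
    return unknown, missing


def remediation_report(findings, as_of, sla_days):
    """Return [(finding_id, days_open, overdue)] for each finding.

    days_open counts from discovery to remediation, or to `as_of` while open;
    overdue is True only for open findings past the severity's SLA.
    """
    rows = []
    for f in findings:
        end = f.remediated or as_of
        days_open = (end - f.discovered).days
        overdue = f.remediated is None and days_open > sla_days[f.severity]
        rows.append((f.finding_id, days_open, overdue))
    return rows


if __name__ == "__main__":
    unknown, missing = reconcile(INVENTORY, OBSERVED)
    print("Unknown devices on the network:", unknown)
    print("Approved assets not observed:", missing)
    for fid, days, overdue in remediation_report(FINDINGS, date(2017, 7, 12), SLA_DAYS):
        print(f"{fid}: open {days} days{' (OVERDUE)' if overdue else ''}")
```

Run as-is it reports one device that is on the network but not in the inventory, one approved historian that discovery never saw, and one high-severity finding that has been open for over three months against a 30-day policy. Feeding it the output of a real discovery tool and scanner means only replacing the three constructed tables.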
Hamid Karimi has extensive knowledge of cybersecurity, and for the past 15 years his focus has been exclusively on the security space, covering diverse areas of cryptography, strong authentication, vulnerability management, malware threats, and Cloud and network protection. He is VP Business Development at Beyond Security, a provider of automated security testing solutions including vulnerability management, based in Cupertino, Calif.