Cyber-Protecting Critical Infrastructure Different than Protecting Data

Aug. 3, 2016
Present IT systems will not keep connected systems flowing

Several years ago, the keyword being used by security pundits was "convergence." And, although many different marketers came up with variations of what this meant, the primary definition covered the intersection of physical and logical security. An example was when physical security systems such as access control devices intersected with Information Technology systems using the computer system. Convergence occurred when the same ID badge provided access through the front door and onto the company computer system. Both the physical access control and the IT data systems became more secure through this integration.

Meanwhile, beyond the offices and data centers, and often miles away, were the industrial control systems (ICS) that helped create the organizations' products. Used in industries as diverse as oil and gas, power generation and distribution, healthcare (e.g. MRIs), transportation systems, manufacturing and many others, ICSs, by connecting sensors, machines and instruments, were creating automated solutions that increased productivity. These systems could control local operations such as opening and closing valves and breakers, collect data from sensor systems to turn up the heat of furnaces, and monitor the local environment for alarm conditions. And, although the basis of these systems is a computer, IT could do little to protect these physical assets from attack. It still can't do much.

This very fact emphasizes the difference between IT (information technology) security and OT (operational technology) security. IT security lives in the context of an IT stack with tools from many vendors – network, servers, storage, apps and data. It’s in a periodically updated ecosystem where most hosts are talking to lots of other hosts and where there are frequent patch cycles - in weeks or, sometimes, days - in response to expected and known cyber threats. IT security basically protects data (information), not machines.

In OT, high-value, well-defined industrial processes - such as in factories, pipelines and airplanes and which execute across a mix of proprietary devices from many different manufacturers - also need protection. Many of the devices and software used in operational environments are 10 to 30 years old. Many were not designed to be connected, have not been patched very often and were not devised to withstand modern attacks.

Software-driven control systems in past decades evolved in isolation and were seldom subjected to the same scrutiny as Microsoft Windows operating systems and other enterprise software in the 1990s and throughout the 2000s. They were never hardened by millions of users and revised multiple times as threats evolved. Surprisingly, many operators don't even know what's actually transpiring on their Industrial Internet and, if hacked, have no knowledge of the assault.

While the primary goal in IT is to protect data, OT security strives to keep the process running. Whether from outside threats, like hackers or state-sponsored actors, or inside threats, like human error, in an environment where companies are operating drills, electric grids, MRIs or locomotives, unplanned downtime is simply not acceptable. This is especially true for industries such as oil and gas, energy producers, health facilities and transportation systems, in which even a couple of minutes of downtime can yield tens of thousands of dollars lost.

Understanding OT Better

Perhaps the most famous hack on an OT system is that of a German factory. In December 2014, the BBC reported: "A blast furnace at a German steel mill suffered 'massive damage' following a cyber attack on the plant's network, says a report (from) the German Federal Office for Information Security (BSI). It said attackers used booby-trapped emails to steal logins that gave them access to the mill's control systems. This led to parts of the plant failing and meant a blast furnace could not be shut down as normal. The unscheduled shutdown of the furnace caused the damage, said the report." (http://www.bbc.com/news/technology-30575104). And, only recently, it was reported that breaches to the operation of a dam outside of New York had been attributed to hackers (http://www.cnn.com/2015/12/21/politics/iranian-hackers-new-york-dam/).

Except in the most trivial cases of misconfiguration allowing direct Internet access, attacks against OT originate either from a trusted insider (whether they are aware of instigating it or not), from compromised enterprise workstations used as a network pivot, or from physically exposed infrastructure such as wireless interfaces. Threat intelligence sources that IT security solutions depend on, commonly referred to as “feeds,” have little relevance to the typical OT system. A unique and possibly one-of-a-kind combination on how one OT system was infiltrated may have little bearing on another, exclusive operating environment.

To get into critical infrastructure OT systems, hackers will leverage many different physical assets, including those within the enterprise security system itself, such as wireless cameras and access control systems. This is why physical security professionals must be concerned about critical infrastructure cyber security. They are already installing the access control systems used to deter terrorists from entering oil fields or dams. Already aware of the ease of hacking contactless card and reader systems, the leading access control manufacturers are developing anti-hacking options for their systems. Many access control vendors already tout how they meet the new CIP-006 requirements for 2-factor authentication as described by the North American Electric Reliability Corporation (NERC), an organization of U.S. electric grid operators. This is an OT security initiative rather than an IT security standard.

Adding to the difficulty of stopping hackers, those who attempt to hack into the Industrial Internet tend to have a lower risk/higher reward dynamic than those who attack IT networks. Critical infrastructure (OT) hackers have little chance of getting caught and a high payoff of creating havoc if they get through. Compared to IT hackers, who end up with data, OT hackers can cause immense havoc, ranging from disabling a factory to turning off the electrical grid. With the stakes involved, OT hackers are much more persistent when they decide to target a site. In fact, the odds are stacked in favor of the OT attacker due to deteriorating network perimeters and the rapid increase in connected devices. Nonetheless, a great amount of budget is typically spent on IT cyber security to stop hacking; not so much on OT security.

The Problem Continues to Grow

The Industrial Internet represents a huge opportunity for growth and efficiency. To realize its full benefits, organizations have to be connected - to the Internet, to local and wide area networks, to IT and to other control systems. Today, the industrial world runs on critical physical assets and embedded systems; in other words, OT.

Gartner, Inc. forecasts that 6.4 billion connected devices will be in use worldwide in 2016, up 30 percent from 2015, and will reach 20.8 billion by 2020. In 2016, 5.5 million new things will get connected every day (http://www.gartner.com/newsroom/id/3165317). However, this growing number of connected devices also greatly expands the cyber attack surface. Every new connection adds a new element, which the Security Department must protect.

Since many security professionals don't understand the Industrial Internet's role in today's chase for increased productivity, it’s sometimes challenging for them to understand the threat. They think intruders can't get into their critical infrastructure to create havoc because their Industrial Internet is air-gapped.

This is a legacy technique that too many cyber security professionals still count upon. They believe that their Industrial Internet is truly and physically isolated from unsecured networks such as the public Internet or unsecured local area networks. They don't appreciate that air-gapping, which may have been safe several years ago, no longer provides protection that cyber security professionals can rely upon.

Today, there can be a false sense of security when protecting a network that does not have, and often never has had, an active unsecured connection. There are two major reasons why true isolation is not possible:

  1. Just because the system is operating in isolation doesn't mean it can't become connected. An employee simply accessing an email with his keyboard can breach the gap.
  2. In today's world, to raise productivity, a system must be connected. Somewhere along the connectivity chain, the system is going to become attached - either willfully or through a mistake. In fact, most CISOs are more concerned over accidental activities by authorized users than threats by external adversaries.

In addition, the cornerstone of IT enterprise security, software patching, is a particularly painful operation in an OT system. First, many organizations don't have the infrastructure for qualifying patches to ensure they do not impact any of the other software running on their system and, so, have to depend on their vendors to test and ensure new patches will not impact control of their processes. That takes a lot of time.

Secondly, many of the security controls that are effective in IT are not effective in OT; they have to be adapted to the technical requirements of OT systems.

Lastly, to apply the patch to an OT system usually means the operation must be shut down. Closing down the refinery, production floor or electric grid periodically to add yet another patch is not a remedy that works when minutes of downtime can cost immense amounts of money. To eliminate turning off the operation when patching, hot patches must be delivered to a security solution that resides directly in front of the control unit while the system continues to produce.

How to Protect Your Critical Infrastructure from Hacking

Specifically, your critical infrastructure needs a solution that addresses five areas, each with their own quandaries:

  1. ICS/SCADA (Industrial Control System/Supervisory Control and Data Acquisition) equipment is difficult to patch,
  2. OT protocols can easily be misused to disrupt critical systems,
  3. Factory networks are very hard to rewire for proper segmentation,
  4. Visibility into attacks on the industrial network is limited, and
  5. IT security staff lack experience with industrial equipment.

With these five elements in mind, an OT security application needs to protect your ICS and SCADA operations. It must defend unpatched systems with a strong perimeter and field defense, plus inspect and control industrial protocol traffic. To do so, the security must offer the protection of three security applications: (i) a firewall with stateful inspection for layers 2 through 4; (ii) an Intrusion Prevention System/Intrusion Detection System (IPS/IDS); and (iii) an Application Visibility and Control (AVC) system. With the combination of these security applications, the security solution will monitor and block malicious activity and attacks, keeping industrial operations highly available and maximizing uptime by securing the productivity of the critical infrastructure.
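An illustration of the protocol inspection such an AVC component performs, as an added example that is not the article's or Wurldtech's own code. It assumes Modbus/TCP as the industrial protocol (the article names none) and a constructed allow-list of which hosts may read or write which units; every address and frame below is made up for the example.

```python
"""Added example: minimal application-visibility-and-control (AVC) check for
Modbus/TCP requests. Decodes the MBAP header and function code, then checks
the request against an allow-list of who may read or write which unit and
returns a SIEM-style verdict. Modbus/TCP and the policy are assumptions."""
import struct

# Modbus function codes that change process state (writes) vs. only read it.
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}
READ_FUNCTIONS = {1, 2, 3, 4, 7, 17, 24}

# Constructed policy: source IP -> (unit ids it may address, writes permitted?).
# This is the "who is talking to whom" model for the plant network.
POLICY = {
    "10.0.1.10": ({1, 2}, True),      # engineering workstation (hypothetical)
    "10.0.1.20": ({1, 2, 3}, False),  # historian, read-only (hypothetical)
}

def parse_modbus_tcp(payload: bytes) -> dict:
    """Decode the 7-byte MBAP header plus the function code of a Modbus/TCP PDU."""
    if len(payload) < 8:
        raise ValueError("truncated Modbus/TCP frame")
    tid, pid, length, unit = struct.unpack(">HHHB", payload[:7])
    if pid != 0:
        raise ValueError("protocol id %d is not Modbus" % pid)
    if length != len(payload) - 6:  # length counts unit id + PDU bytes
        raise ValueError("MBAP length field does not match frame length")
    return {"tid": tid, "unit": unit, "function": payload[7]}

def evaluate(src_ip: str, payload: bytes) -> tuple:
    """Return ('allow'|'block', reason) for one request under POLICY."""
    try:
        req = parse_modbus_tcp(payload)
    except ValueError as exc:
        return ("block", "malformed: %s" % exc)
    units, may_write = POLICY.get(src_ip, (set(), False))  # unknown host: deny all
    fc = req["function"]
    if req["unit"] not in units:
        return ("block", "%s not permitted to address unit %d" % (src_ip, req["unit"]))
    if fc in WRITE_FUNCTIONS and not may_write:
        return ("block", "%s attempted write function 0x%02x" % (src_ip, fc))
    if fc not in WRITE_FUNCTIONS and fc not in READ_FUNCTIONS:
        return ("block", "unknown/unsupported function 0x%02x" % fc)
    return ("allow", "function 0x%02x to unit %d" % (fc, req["unit"]))

# Constructed sample frames: Read Holding Registers (0x03) to unit 1 and
# Write Single Register (0x06) to unit 2; MBAP length 6 = unit id + 5-byte PDU.
READ_HR = bytes.fromhex("000100000006" "01" "03" "00000002")
WRITE_SR = bytes.fromhex("000200000006" "02" "06" "00100001")
```

Each blocked verdict carries the source host, unit and function code, which is the event a SIEM integration would forward.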

To simplify security administration, you will need an easy-to-use graphical user interface (GUI) that empowers your operators to efficiently manage security policy and protection profiles, and that includes drag-and-drop virtual zoning for segmentation without network disruption. The solution also needs to offer full security visibility of the industrial network and integration with Security Information and Event Management (SIEM) tools.

Once you have added such an OT solution, the job is not over. To get into your OT systems, hackers will leverage many different physical assets, especially connection points.

In this manner, hackers can then go after control systems directly. Because of this, it makes sense to employ a security and quality testing service to simulate attackers challenging your own system, allowing you to "know yourself" by making sure that you are controlling who is talking to whom.

Also, be sure to ask the manufacturers of your mission-critical devices if they have been tested to repel cyber attacks. Have they had their products monitored against both network and operational parameters, allowing vulnerabilities to be discovered and faults to be reproduced, isolated, identified and resolved before the products were introduced to the market? Are they certified to be secure?

Lastly, your management needs to ensure that the security experts they hire are highly certified and trained to carefully assess, design and implement OT security in your industry environments. If the goal is to help secure operational assets, reduce compliance penalties and enforce supplier security in your business, they need such specific expertise.

Needed Protections that Ensure Critical Infrastructure Security

Cyber-attacks on physical infrastructures can result in significant downtime and productivity loss. As a result, more and more operations are now implementing an OT network security solution that combines the protection of a firewall, IPS and application visibility and control (AVC) to monitor and block malicious activity and attacks to ensure highly available operations for maximum uptime and secure productivity.

Managers of many companies are now planning to devote as much interest to their OT as they have historically given to IT. As importantly, security professionals are now appreciating that there is a need to create convergence between physical, IT and OT security systems.

About the Author:  Paul Rogers is President and CEO of Wurldtech, a General Electric (GE) company and General Manager of GE Industrial Cyber Security.