Every large utility, pipeline, refinery and chemical plant has a cyber security program, but most are IT-centric. Anti-virus programs, software update programs and programs of integration with corporate active directory controllers are all managed by IT teams, along with some degree of convergence and consultation with operations technology (OT) teams. While we have seen few large-scale cyber attacks in these industries, IT-style defenses invite such attacks. Cyber-sabotage is a real threat and it will take more than yesterday’s firewall-level protections to ensure the safety and reliability of today’s industrial sites.
IT-based defenses are routinely defeated
The continuing trend towards the convergence of IT and OT teams, the convergence of IT and OT business processes and technologies and the interconnectedness of IT and OT networks may all have sound business drivers, but too often the result is unexpectedly vulnerable industrial control system security postures. IT-centric firewalls and anti-virus solutions do a fair job of defending against the pervasive threat of viruses and botnets, but have repeatedly proven inadequate to defend against more sophisticated acts of sabotage.
The stock formula for these “more sophisticated” attacks has become widely known and widely practiced: use spear-phishing to pull malware past corporate firewalls, craft your own bits of low-volume, remote-control malware to defeat anti-virus systems, disguise your communications as legitimate traffic to defeat application-layer firewalls, and defeat security update programs by stealing passwords rather than attacking vulnerabilities. New, advanced data-exfiltration prevention technologies are being deployed to address this class of attack on corporate networks, but data-exfiltration-prevention technology does nothing to prevent the cyber-sabotage of industrial networks.
To date, there has not been a well-documented new-style attack on an industrial control system with the intent of cyber-sabotage. That said, given the easily available means for such an attack, it remains only a matter of time before some hacktivist couples these well-known attack techniques and technologies with a malicious motive. IT-style defenses designed to prevent the theft of intellectual property do not address this class of cyber-sabotage threat to worker safety, to public safety and to plant reliability. To maintain effective control of the dangerous and very costly physical infrastructure at industrial sites, owners and operators must do more to address modern cyber-sabotage threats.
Beyond IT-style security
Industry leaders are not ignoring this problem. Many are starting to deploy unidirectional gateways, which are hardware-and-software solutions that securely integrate operations data with business networks and systems. The gateway hardware enforces unidirectional data flows, while gateway software replicates servers. The replica servers on the corporate network allow corporate users to access production data in real time without any threat to, or impact on, the real operations servers. Information can flow out of operations networks without allowing any network or remote-control attacks whatsoever back into the network.
These leaders are concluding that making operational networks rely on corporate IT servers in the name of IT/OT integration is a serious vulnerability. The secure way to apply IT processes, skills and infrastructures to operations networks is to deploy unidirectionally-protected parallel infrastructures on operations networks. A separate domain controller infrastructure for operations networks, for example, allows IT technologies and processes to be applied to operations networks without introducing dangerous dependencies on IT infrastructure servers that are exposed to constant threat on Internet-connected networks. Separate operations WANs and operations infrastructures allow businesses to exploit IT technologies, skills and procedures without exposing operations networks to attacks originating on IT networks.
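As an added illustration of the server replication described above (constructed for this page, not the code of any gateway vendor), the simulation below models a one-way historian feed: the OT side can only emit frames and the corporate replica can only consume them, so lost frames cannot be re-requested and the replica must detect gaps itself and wait for the next full snapshot. Tag names, values and the snapshot interval are assumed.

```python
import json
from typing import Dict, List

class OtPublisher:
    """Sender on the operations side; it has no receive method by design."""
    def __init__(self, tags: Dict[str, float], snapshot_every: int = 5) -> None:
        self.tags, self.seq, self.snapshot_every = dict(tags), 0, snapshot_every

    def _frame(self, kind: str, data: Dict[str, float]) -> bytes:
        self.seq += 1
        return json.dumps({"seq": self.seq, "kind": kind, "data": data}).encode()

    def update(self, name: str, value: float) -> List[bytes]:
        """Emit a delta frame, plus a full snapshot every N frames so a replica that missed frames can resync."""
        self.tags[name] = value
        frames = [self._frame("delta", {name: value})]
        if self.seq % self.snapshot_every == 0:
            frames.append(self._frame("snapshot", dict(self.tags)))
        return frames

class CorporateReplica:
    """Read-only copy on the business side; no back-channel, so loss is only detected, never repaired."""
    def __init__(self) -> None:
        self.tags: Dict[str, float] = {}
        self.last_seq, self.lost, self.stale = 0, 0, False

    def receive(self, frame: bytes) -> None:
        msg = json.loads(frame)
        if msg["seq"] <= self.last_seq:
            return                              # duplicate or replayed frame
        if msg["seq"] != self.last_seq + 1:
            self.lost += msg["seq"] - self.last_seq - 1
            self.stale = True                   # gap: untrusted until next snapshot
        self.last_seq = msg["seq"]
        if msg["kind"] == "snapshot":
            self.tags, self.stale = dict(msg["data"]), False
        else:
            self.tags.update(msg["data"])

def simulate(drop: set) -> CorporateReplica:
    """Drive the publisher through constructed tag updates, dropping frames whose seq is in `drop`."""
    pub, rep = OtPublisher({"pump1_rpm": 1450.0, "tank2_level": 61.2}), CorporateReplica()
    updates = [("pump1_rpm", 1460.0), ("tank2_level", 60.9), ("pump1_rpm", 1470.0),
               ("tank2_level", 60.5), ("pump1_rpm", 1480.0), ("tank2_level", 60.1),
               ("pump1_rpm", 1490.0)]
    for name, value in updates:
        for frame in pub.update(name, value):
            if json.loads(frame)["seq"] not in drop:
                rep.receive(frame)
    return rep
```

Note that a loss at the tail of the stream (`simulate({7, 8})`) goes undetected until a later frame arrives, which is why a real one-way feed also needs periodic heartbeats.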
As a second layer of defense, leading device manufacturers are looking at incorporating application control technology, or “whitelisting”, to prevent Windows-based devices from falling prey to run-of-the-mill viruses and to mitigate the slow patching cycles that are part of the engineering change control (ECC) discipline so essential to managing control-system networks. Specifying application-control protections in devices should become common practice when upgrading equipment.
Preparation for cyber sabotage starts now
Large private-sector critical infrastructures have yet to suffer a major cyber-sabotage incident, but given the trends in attack capabilities and the lack of corresponding defensive capabilities deployed at the majority of critical infrastructure sites, such an incident is just a matter of time. IT-OT convergence and IT-style security make plants more vulnerable to certain classes of attacks, not less vulnerable. To maintain control of massive investments in industrial processes, and to ensure safe, uninterrupted operations in the face of modern cyber threats, industry leaders need to reevaluate their approach to cyber security in their integrated IT/OT systems, and take action.