How secure are today’s critical networks?

In this interview, Dr. Lutz Jänicke, CTO at Innominate Security Technologies, illustrates the security of critical networks, the regulatory mandates for organizations in the critical infrastructure sector, and showcases the building blocks of a robust security appliance aimed at critical networks.

Based on your experience, how fragile is the security of critical networks in general?
It is very fragile. So fragile indeed, that it makes you wonder why we do not get to see a lot more reports on security breaches and incidents every week. Presumably, there is a large dark number of undetected incidents, and most of the discovered ones are being hushed up.

Virtually all of the automation components deployed in critical networks today are designed for exclusive use in secure environments with little to none built-in security capabilities. Many of them have vulnerabilities that cannot or have not been mitigated by patches. And the secure environments that these components would require for their protected operation are not stringently established everywhere.

There’s a variety of regulatory mandates for organizations in the critical infrastructure sector. How do these influence information and hardware security?
Most of these regulations and the underlying standards focus around the establishment of an appropriate security management system and related processes. That is a reasonable approach to start with but typically fails to enforce specific measures and metrics, lack of the latter being a fundamental problem. In contrast to the area of functional safety where a mathematical model exists and safety integrity levels (SILs) can be defined and calculated based on component failure probabilities, a quantitative model and measurements for cyber security levels do not exist.

As a compromise, security certifications typically resort to resilience of the device or system under test against a defined test bench as their pass/fail criteria, thus actually providing more evidence of their robustness than of their security. Also, while the hardening of individual components can make valuable contributions, meaningful security assessments are only feasible at the system level. Therefore, regulations run the risk of ending as a paper tiger where asset operators and their vendors focus their efforts on process compliance without achieving significant objective improvements of their security posture.

What advice would you give to those appointed to increase the security of a critical network running outdated software/hardware?
First of all understand and document the necessary and intended behavior of your system components and how they communicate with each other on the network. Then restrict the potential behavior and communication as much as possible to what is necessary and intended by hardening measures, shutting down unused services and interfaces, and deploying distributed firewalls for the protection of critical endpoint devices. Establish demilitarized zones (DMZs) and VPNs with strong authentication for necessary secure remote services to prevent unauthorized remote access. Finally, monitor your system for deviations from its expected state and behavior.

If whitelisting solutions and real-time anomaly and intrusion detection techniques are not available and/or too expensive, do at least monitor the integrity of your system components in regular intervals to detect any unexpected manipulations promptly. Remember the worst thing about Stuxnet was that it went undiscovered by all anti-virus software on the planet for more than 15 months whereas a simple integrity check would have detected its manipulations on day zero.

What are the building blocks of a robust security appliance aimed at critical networks?
Beyond the obvious need for appropriate physical robustness and approvals to operate the appliance in harsh industrial environments, we consider the following capabilities as essential.

A stateful packet inspection (SPI) firewall: For retrofits to existing networks, it is important that the firewall can be operated not only as a router but also as a transparent bridge in a flat network. The firewall should provide denial of service (DoS) protection and quality of service (QoS) packet rate and bandwidth management to prevent overload situations for legacy equipment in particular. Some industrial protocols such as the widespread DCOM-based OPC Classic require particular awareness and deep packet inspection (DPI) techniques to allow for their reasonable firewall filtering.

Layer-2 filtering of non-IP protocols by EtherType and/or MAC addresses should also be supported.

Remote logging of firewall events is a must have for monitoring by network management and SIEM systems.

Firewall performance and throughput need to match with the application requirements to prevent the appliance from creating network bottlenecks.

Integrated integrity monitoring for industrial PCs and controllers is an interesting diagnostic capability to cover the residual risk of legitimate network connections being abused for attacks and malware infections.

Secure remote connectivity should be enabled via implementation of an open VPN standard such as IPsec with strong authentication.

Support for a distributed role model of configuration, roll-out, commissioning, and life cycle security management of a large number of appliances. This includes zero-downtime firmware and configuration updates and reserving the permissions for security relevant settings and changes to experts while allowing the average electrician or maintenance technician to physically install an appliance or replace a broken one in the field.