Lior Frenkel is the CEO and co-founder of Waterfall Security Solutions, a provider of unidirectional security gateways, stronger-than-firewalls perimeter security solutions for industrial control networks and critical infrastructures.
In this interview he talks about the vulnerability of global critical networks, challenges related to safeguarding such security architectures from zero-day attacks, ICS security in the future, and much more.
Based on your experience, how vulnerable are global critical networks?
There are a lot of big industrial sites in the world and far more small sites. In my experience, many of the larger sites and some of the smaller ones are reasonably well defended against the simplest attacks, like common malware and stolen passwords. But the opposite is true as well – some of the big sites and a huge number of small ones are poorly defended.
Most sites have at least some protection in place – most commonly firewalls and some encryption, especially on their remote access connections. After all, remote access is so convenient for so many of us … and our enemies as well. More fundamentally, every path through a firewall that lets data out lets attacks pass back in. Cryptosystems encrypt attacks just as happily as they encrypt legitimate communications. Intrusion detection is held up as the holy grail by a lot of experts, but intrusion detection, when it works, takes time, and incident response takes even longer. How long are we willing to give our enemies once they control equipment on our industrial networks?
When it comes more sophisticated attacks – zero-day exploits, sophisticated attack tools, remote attack teams, spear phishing and so on – very few sites of any size have robust protections in place.
This is a very big problem.
Given the complexities of ICS networks, what are the most significant challenges related to safeguarding such critical security architectures from zero-day attacks?
It is not the complexity of networks that is the issue, but the practices of owners, operators, employees and vendors. All cyber attacks are information and every information flow can encode attacks, yet we see people remoting into these sites and carrying USB’s and laptops into them. When inbound information/attack flows are thoroughly controlled, zero-days pose no greater threat than any other vulnerability.
The problem I see is that a lot of people still think they can control information flows with firewalls and encryption. Firewalls are software. So firewalls have zero-days too. So do encryption libraries. Using firewalls full of zero days with encryption libraries full of zero days to protect networks full of zero days is like bailing out your basement with a bottomless bucket – it’s fun to watch but you’d hate to be the one who needs to see progress.
What advice would you give to a security leader that was tasked with improving the security of a large industrial operator?
I would urge them to pick and choose among the standards and advice out there. The French ANSSI advice for industrial control system security for example is robust – but a lot of other advice is either just wrong, or so nebulous it is easy to use it incorrectly. I would paraphrase the ANSSI advice as cyber-security “back to basics”:
- Inventory your ICS information flows – these are your attack vectors.
- Minimize them – all information inbound into your industrial networks is your enemy’s tool.
- Control online information flows with hardware, not just software, most often unidirectional gateways.
- Control offline information flows as well, with a variety of techniques.
ANSSI and a lot of other modern standards forbid firewalls at the perimeter of industrial networks and permit only unidirectional gateways. The unidirectional hardware is physically able to send information in only one way – out of an industrial network. Unidirectional gateway software makes copies of database servers and other servers to IT networks where the copies can interact normally with IT systems. With gateways instead of firewalls, it doesn’t matter how many zero days there are in any software, or how many passwords have been stolen. If no information gets back into an ICS, no attacks get back.
Standard advice to control offline information flows includes anti-virus and sandboxing cleansing stations for removable media, and simply banning external laptops entirely. When a vendor schedules a visit to the site, have an ICS-only laptop provisioned for them with all of the software packages they need. Turn on alerting for all violations of the media & laptop policy. Integrate the security program into the safety program and treat all alerts as security and safety near misses. In short order, we teach our people never to carry information blithely into our industrial networks – they quickly learn and practice that inbound information is their enemy.
This is not rocket science. If zero-day exploits cannot get into our industrial networks to touch our zero-day vulnerabilities, the vulnerabilities are mitigated. We probably still want to patch our systems eventually, but there is no need to do it in the mad, costly panic that we see at so many sites.
I think part of the problem with adoption is the terminology. Most of us think we need to “protect the data” in our control systems, but all cyber attacks are data. We don’t need to protect the data – we need protection from the data. We need to control, thoroughly, all the nasty little ways data and attacks are leaking into our control systems.
How has ICS security changed over the years, and how do you see it evolving in the near future?
Industrial systems face the same pressures as everybody else:
- For 30 years CPUs have been getting cheaper so there are more of them everywhere, and more software everywhere. The problem is that all software can be hacked – so the attack surface increases constantly.
- For 30 years connectivity has been increasing, and every information flow is a potential attack, so the attack surface increases even more.
- And attack tools and techniques get better every year as well – so it becomes ever easier for the bad guys to take advantage of the increased attack opportunities.
In short, it looks bad for our heroes. To make a bad situation worse, a lot of the advice out there, like “quick, patch everything!” is really expensive for reliability-critical sites – and almost every industrial site is reliability-critical.
I believe we need a new way of thinking about the problem. Stop seeing software vulnerabilities and misconfigurations as the problem – the problem is attacks. Stop trying to protect our data – it is our physical equipment, the safety of our workers and the productivity of our physical sites we need to protect – from incoming attack data. Do continue monitoring our industrial networks – we can only optimize what we measure, so we have to measure our security. But stop imagining that monitoring is going to save us from zero-days and other nasties.
Start controlling those incoming data and attack flows – outbound flows into the IT network have IT-class consequences. It is the inbound flows, both online and offline that can carry attacks with unacceptable physical consequences.
This is the kind of change that Waterfall Security Solutions is trying to enable with our Unidirectional Security Gateways and related hardware-based / physical protection products. There are no silver bullets, but if we can enable industrial sites to control information flows much more thoroughly than they do today, we can dramatically improve protections for industrial control systems and dramatically simplify their security programs.