Microsegmentation for refining safety systems
When the TRITON (aka TRISIS) attack struck three refining sites in the Middle East in November of 2017, it was the first known cyber incident to target safety instrumented systems (SIS), specifically Schneider Electric’s Triconex gear.
The consequences of these attacks were plant-wide shutdowns. While such shutdowns are costly, the consequences could have been far worse. Refineries rely on correctly functioning SIS equipment to prevent worker casualties and environmental disasters in the face of both random equipment failures and deliberate cyber sabotage.
TRITON/TRISIS struck again in April of 2019 at another oil refinery in the Middle East, confirming growing concerns that targeted attacks on safety systems are a continuing threat.
The TRITON attack involved both remote control and malware specialized to SIS. The attackers behind TRITON first compromised enterprise networks, though public reports do not specify the specific attack vector. Once the attack teams had a foothold on enterprise networks, they used standard targeted remote-control techniques to escalate privilege, move laterally through the network and move deeper into protected Operations Technology (OT) networks, eventually taking over an engineering workstation used to reprogram SIS equipment.
With control of that workstation, the attackers embedded their code in the SIS equipment while that equipment was still running. The ultimate objective of the attackers is not known though – the attacks were detected because the SIS malware malfunctioned and triggered a plant shutdown.
Refineries are complex and dynamic environments. Refineries generally serve markets with regularly changing needs for refined products, while simultaneously dealing with crude oil inputs whose characteristics also change regularly.
In addition, within the refining industry, production technologies and management techniques evolve constantly in the quest for more efficient and more effective production. These changes include the continued evolution of industrial control system software, software that steadily becomes more powerful and more useful to the goals of increased production, efficiency and environmental stewardship.
It is difficult to maintain a robust cybersecurity posture in these dynamic environments. At most refineries, hundreds of employees, contractors and product vendor personnel enter the site every day, a large fraction of whom use, configure, enhance and/or upgrade control system components.
Such environments often support large numbers of legitimate remote vendors and other remote users logging into control system components from outside the facility. In an environment with constant, remotely piloted evolution of complex physical processes and control systems, it can be very difficult to distinguish legitimate from malicious actions, much less to prevent malicious activity such as TRITON.
Worse, safety instrumented systems are themselves evolving in ways that expose cybersecurity risks. In modern refineries, plant operators have the status of safety systems integrated into their standard plant monitoring and control Human Machine Interface (HMI) screens. Such integration increases the operators’ confidence in the correct operation of the systems but demands connectivity between normal control networks and SIS networks. Enterprise Security Operations Centers – sometimes outsourced to cloud-based service providers – also benefit from connectivity to SIS equipment, to monitor the security status of such equipment.
Such connectivity, intended to increase our confidence in safety systems, can have unanticipated consequences. For example, SIS software updates generally lag public disclosures of security vulnerabilities by months or even years. This is because no engineering team trusts the accuracy of life-critical software without extensive testing. Such testing takes time, and for all that time, unpatched SIS equipment represents a “soft target” to any attacker able to establish connectivity with the equipment. Network connections that enable operator and enterprise security monitoring can also serve to enable TRITON-class attacks.
Petrochemical manufacturers are addressing this threat to their most important safety systems with microsegmentation – making SIS networks thoroughly monitored and thoroughly secured “pockets of discipline” in otherwise very fluid manufacturing environments. In short, refiners are locking safety system cabinets, both physically and cyber-wise. More specifically, security teams at refineries are:
1. Physically locking the racks and cabinets containing SIS equipment – physical access to the cabinets with USB drives or laptops now requires an extra level of change-control, safety and security verification
2. Replacing firewalls in these cabinets with unidirectional gateway technology – this technology is based on hardware that permits information to leave the SIS cabinet for use by plant systems, while physically preventing any information or attacks back into the locked cabinet, no matter how sophisticated
3. Deploying advanced OT security monitoring and network intrusion detection systems (IDS) – enabling both plant HMIs and enterprise SOCs to monitor the status of safety systems through the unidirectional gateways.
The combination of these measures makes SIS equipment unreachable to remote attacks such as TRITON, no matter how sophisticated those attacks or the attackers behind them. All cyber attacks are information after all: if no information from external networks can reach the SIS equipment either physically or through online means, no attacks can reach that equipment either.
In more detail, the NIST SP 800-82 Rev. 2 Guide to Industrial Control Systems (ICS) Security describes a unidirectional gateway as a combination of hardware and software. The hardware is physically able to send information in only one direction. For example, a transmitting (TX) circuit board may contain a fiber-optic transmitter/laser, but no receiver or photocell. A receiving (RX) circuit board may contain a receiver, but the board physically contains no laser. A short fiber-optic cable connects the two boards. Together, such hardware is physically able to transmit information from the TX side to the RX side but is not able to send any information at all back from the RX side into the TX side.
NIST describes unidirectional gateway software as software that replicates servers and emulates devices. For example, when configured to monitor a Programmable Logic Controller (PLC) using the Modbus protocol, the gateway software polls the PLC regularly, asking the device for the values of all its Modbus registers. The gateway software transmits this register/value snapshot of PLC state through the unidirectional hardware to the gateway’s receiving software. That software holds the snapshot in memory. When an external system, such as a control system HMI, asks the gateway for register values using Modbus poll requests, the gateway responds to the HMI as if it were the protected PLC. In effect, the gateway unidirectionally emulates the protected PLC to the HMI.
With a unidirectional gateway installed in the locked safety system cabinet, operator HMIs continue to monitor safety system status normally, using the gateway’s unidirectional emulation of SIS devices. Central SOCs can also monitor the security status of locked SIS cabinets unidirectionally: unidirectional gateways easily gather and report Syslog and SNMP trap information. Unidirectional gateways can also be configured to emulate mirror and SPAN ports from SIS switches, emulating those ports to OT intrusion detection sensors.
In short, unidirectional gateway device emulation is accurate enough to provide HMIs, SIEMs, intrusion detection sensors and other external systems with what appears to be seamless access to SIS equipment, without ever permitting even one bit of information, or any potential attack, back into those protected safety systems.
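As an added illustration of the replication scheme described in the three paragraphs above (example code written for this page, not code from the original article or from any gateway vendor): a Python model of a TX side that snapshots a PLC's Modbus holding registers, a one-way link with no return path, and an RX replica that answers an HMI's Read Holding Registers polls from its cached copy and refuses every write. The PLC register values, the snapshot frame layout and the helper names are constructed for the example; the Modbus/TCP framing follows the public protocol specification.

```python
import struct

# Constructed sample: holding registers of the protected SIS controller (addresses 0..3).
PLC_HOLDING_REGISTERS = {0: 1, 1: 250, 2: 7, 3: 0}


class OneWayLink:
    """Models the TX->RX fiber: frames pushed by TX are read by RX; there is no return path."""
    def __init__(self):
        self._frames = []
    def tx_send(self, frame):
        self._frames.append(bytes(frame))
    def rx_recv(self):
        return self._frames.pop(0) if self._frames else None


def tx_poll_snapshot(registers, link):
    """TX side: poll the PLC (a dict stands in for Modbus reads) and send one snapshot frame."""
    addrs = sorted(registers)
    frame = struct.pack(">H", len(addrs)) + b"".join(struct.pack(">HH", a, registers[a]) for a in addrs)
    link.tx_send(frame)
    return frame


class RxReplica:
    """RX side: keeps the latest snapshot and answers Modbus/TCP reads as if it were the PLC."""
    def __init__(self, link):
        self.link, self.regs = link, {}
    def refresh(self):
        frame = self.link.rx_recv()
        if frame is None:
            return False
        (n,) = struct.unpack(">H", frame[:2])
        self.regs = dict(struct.unpack(">HH", frame[2 + 4 * i:6 + 4 * i]) for i in range(n))
        return True
    def handle(self, adu):
        """Serve one Modbus/TCP ADU (MBAP header + PDU) from the cached snapshot only."""
        tid, pid, _length, uid, fc = struct.unpack(">HHHBB", adu[:8])
        if fc == 3:  # Read Holding Registers: answered from memory, nothing is sent toward the PLC
            start, count = struct.unpack(">HH", adu[8:12])
            data = b"".join(struct.pack(">H", self.regs.get(a, 0)) for a in range(start, start + count))
            pdu = bytes([3, len(data)]) + data
        else:  # writes (FC 5/6/15/16) have no path into the cabinet: exception 01 Illegal Function
            pdu = bytes([fc | 0x80, 0x01])
        return struct.pack(">HHHB", tid, pid, len(pdu) + 1, uid) + pdu


def hmi_request(tid, fc, *fields):
    """Build a Modbus/TCP request ADU (unit id 1) with 16-bit fields, as an HMI poller would."""
    pdu = bytes([fc]) + b"".join(struct.pack(">H", f) for f in fields)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, 1) + pdu
```

A write request from the HMI side is answered with a Modbus exception and never alters the PLC's registers, which is the property the locked cabinet depends on.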
A sometimes-unexpected benefit of unidirectional gateways is reduced operating costs. Because firewalls are vulnerable to software exploits, stolen passwords and a host of other remote attacks, firewalls must be monitored and managed aggressively for security. In contrast, no software-based or network-based attack on a unidirectional gateway is physically able to breach the gateway from an external network and compromise SIS operations. This means organizations can be much more relaxed about monitoring and managing the gateways.
Pockets of discipline
While entire refineries can be protected from remote attacks such as TRITON with unidirectional gateway technology deployed at IT/OT network interfaces, some sites, for their own reasons, are reluctant to deploy the gateways at this high-level interface. All refineries, though, can use a combination of physical security and unidirectional gateway technology to microsegment and protect their most sensitive safety systems. In even the most dynamic refinery environments, safety systems should represent pockets of the strictest engineering change control discipline.
TRITON-class attacks impairing SIS equipment are a serious concern for all refineries. Safety systems serve to mitigate the consequences of the most serious cyber attacks, and so it is vital that safety systems be the most thoroughly protected equipment at industrial sites.
Microsegmenting safety systems with a combination of physical and unidirectional access controls can render those vital systems untouchable by even the most sophisticated remote attacks. Unidirectionally monitoring microsegmented safety systems for reliability by plant operators and security by enterprise SOCs further increases our confidence in safe operations.
There is no safety without security – unidirectionally microsegmented safety systems are vital to continuous secure operations in modern refineries.