ICS Security: Beyond the Firewall October 2015


WHITE PAPER

ICS Security: Beyond the Firewall

Ultra Electronics, 3eTI © 2015, October 2015

Table of Contents

1. Introduction
2. IT Security: Preventing Data Loss & Unauthorized Access
3. ICS Security: Machine-to-Machine (M2M) Reliability
4. Secure Your Most Critical Assets
5. CyberFence Security
   1. Data Encryption
   2. DarkNode Technology
   3. Port Authentication & Access Control
   4. Firewall
   5. Application-Level Parsing and Deep Packet Inspection
   6. Alerting & Reporting
   7. Preventing Attacks & Mitigations
6. Summary


1. Introduction

When the terms ‘cyber’ or ‘cyber security’ are used, most think first of PCs, the Internet, and hackers stealing data. This association is problematic, particularly in the context of an industrial control system (ICS) environment. The use of PCs, Ethernet, and IP messaging within the industrial community has made an ICS look more like a traditional IT network. As a result, there is increasing pressure within ICS organizations to allow IT departments to perform more cyber-related services in the ICS domain, such as network management and cyber security. While there is nothing inherently flawed in this approach, it may lack the necessary appreciation of the operational differences between ICS and IT relative to cyber-risk management. Risk management is the cornerstone of cyber security, and a flawed approach can result in uncorrected and unacceptable risks.

The cyber world is made up of four key assets: data, devices, networks, and people. Cyber security is about ensuring the protection and integrated operation of all these elements. A weakness in the protection of one asset can impact the others.


IT networks are dynamic and unpredictable by nature, which is how signature-based protection developed into next-generation-firewall-type solutions in which ‘blacklist’ approaches are effective. Industrial control system (ICS) networks are fundamentally different from IT networks; they are planned, static, and predictable. ICSs require reliability and availability. Securing these networks necessitates limiting communications between and amongst machines to only what is legitimate and safe, or predicted. In these systems whitelist approaches provide the best protection.

IT security vendors view the ICS space as a new marketplace for their IT security solutions, not realizing that the constraints and assumptions that exist in the IT space are diametrically opposed to the dynamics that rule the ICS space. The reasons requiring next-generation firewalls in IT security do not apply to the ICS environment. Trusting in their effectiveness will leave operators and systems at risk. This paper will outline why it is time to look beyond the firewall.

2. IT Security: Preventing Data Loss & Unauthorized Access

Personal computers and corporate IT networks were developed to improve the productivity and performance of their users' activities, and to improve business productivity. As a result, IT networks are dynamic and unpredictable, mimicking the nature of the underlying business activities. Individual users come and go, devices are moved, and applications and services change frequently. In the course of a normal day, IT communications occur among myriad endpoints using constantly changing services and protocols. Yesterday’s email becomes today’s SMS and tomorrow’s instant message. Humans are not machines; applying code to conversation types, audiences and frequency will stifle productivity. If IT inhibits users' ability to communicate in performing their job, business suffers and the IT process or practitioner is replaced. This dynamic has created a strong incentive for IT departments to ensure users are happy and productive.

Securing IT networks requires training the user to minimize risky behavior, and to identify and prevent bad activity. This is how signature-based protection was developed, evolving from simple port-filtering firewalls to signature-based next-generation firewalls. In these systems blacklist approaches are the best compromise.

The increasing reliance on IT as part of a business’s activities, both to store intellectual property and to deliver products and services, has made these systems attack targets. In many organizations, the most valuable corporate asset is data, more so than the devices the data resides in, or even the people that use it. A business’s reputation, competitive edge, and intellectual property can all be destroyed if its data is lost or stolen. This reality has created a strong incentive for IT departments to prevent data loss and unauthorized access to sensitive data.

As a result, IT departments are driven by two competing requirements. First, they must allow users and the business to be as productive as possible by giving them access to the business’s data. Second, they must also prevent data loss and unauthorized exposure. Over time, IT departments have become adept at enabling access to data while closely monitoring activity. If any risky, unauthorized, or known bad activity occurs, a common and reasonable response is to cut the cables and stop business activities to prevent further data loss and quarantine any malicious activity. The networks, devices, and people are impacted in favor of saving the data.

This is the signature-based protection methodology. It operates on the principle that controlling normal human activity in the cyber realm is impossible. So instead it focuses on blocking what is known to be malevolent, such as emails to new contacts, new program installations and other risky behavior, while monitoring the network for things that can go wrong. However, because there are always new ways to do things wrong, and new ways to exploit systems, IT departments have a never-ending task to keep up with what they know and define to be bad.

To illustrate, we can look at the evolution of the common firewall. At the dawn of computing, there were no firewalls in our cyber systems. Anyone could communicate with anyone. This allowed users to interact freely and more quickly, but also opened channels to external attacks on sensitive internal systems. Then firewalls began to proliferate, controlling the flow from external to internal while also allowing internal to external exchanges. Users could reach out, but attackers could not reach in. With an end to easy and direct methods for accessing internal systems, attackers developed alternative tactics for infiltrating networks such as infecting emails, documents and USB sticks, among others. Once inside, they could then disguise their activities as being from an approved user and reach deeper into external systems. They could also reach from the inside out to infiltrate the data and receive additional instructions.

Faced with the competing requirements of allowing and optimizing legitimate data usage while identifying and blocking threats, the IT security industry created next-generation firewalls. These devices prioritized the identification of different traffic streams in an attempt to identify malicious traffic masquerading as legitimate traffic in order to then block it.

The resulting dependency on the next-generation firewall now obliges IT departments to continuously tweak their firewall rules and signatures to stay ahead of the attackers who are constantly inventing new ways to camouflage their exploits. There is no foreseeable end to this pursuit on the part of IT, as these teams cannot restrict legitimate user traffic to avoid incurring data loss without also impairing fully efficient business processes.


3. ICS Security: Machine-to-Machine (M2M) Reliability

While an ICS may in many ways emulate an IT system, complete with PC devices, networks, and people, it has fundamentally different drivers. Computers are used within the ICS to improve reliability and consistency. It is not the data in the system that is the most important aspect of an ICS, but rather the actions of the devices. In an IT system, the data is consumed and parsed by users; an email arrives and a user responds. In an ICS, the data is acted upon by devices; a sensor reading arrives and a PLC modifies its output. Within an ICS, it is not the data that is the most important aspect of the cyber system. It is the devices because they control the processes and output of the business. Within a power station, a user may choose to shut the plant down in the face of an attack or incident, but it is the devices that close the valves, stop the motors, and slow the pumps. Also, while most of the communication in an IT system supports user-to-user activity, in an ICS the communication is primarily machine-to-machine. An operator specifies a set-point, but it is the machines that work together to execute that set-point. Like a rock dropped into a pond, the initial action may be caused by a user but the devices carry the ripples throughout the rest of the system.

In terms of cyber security this is a critical distinction. If the majority of communications occur between devices rather than users, and it is the devices, not the data, that are the most important cyber-asset, then the compromises made in IT security no longer apply. Owners and users of ICSs know this, and it is why they place a priority on their communications’ availability over its confidentiality.

Instead of being dynamic in nature, as IT systems are, ICSs typically are planned, static, and predictable. Devices talk to other devices using the same protocols and messages day in and day out. Reliability and consistency are attained through repetition and minor adjustments rather than wholesale or ad hoc change. Unpredictable behavior induces unreliable performance in the control system, which impacts business efficiency and ultimately an organization's bottom line. This is why operators and maintainers of ICSs are accustomed to following strict procedures that instruct them on what to do, rather than being given an ever-increasing list of actions not to do. The procedures laid out are proven and their efficacy is guaranteed to preserve ongoing operation of processes.

If unpredictable or dynamic change is impactful to an ICS, then an ICS cyber-attack is one that creates unpredictable or dynamic changes or communications. This could be as simple as a compromised device sending out malformed packets, or as sophisticated as advanced malware that rewrites a PLC’s firmware. In either case, the attack is causing unauthorized and potentially damaging activity. Securing an ICS, therefore, requires activity to be restricted to only what is known safe.

An ICS can be impacted by a non-targeted and non-ICS-specific cyber-attack. Such has been seen time and again, as when IT malware such as the Slammer worm or Conficker infects a control system and floods the network with traffic. This flood of illegitimate traffic unintentionally crashed devices (PLCs or RTUs) on the network and impacted processes.

An ICS can also be impacted by a targeted, ICS-specific cyber-attack such as Stuxnet. The malware uses legitimate communications to intentionally modify a device’s operation, causing it to operate in an unsafe manner.

The ultimate vulnerability in both cases is not in the infected PC (that was merely the attack vector), but rather in the PLC/RTU device. ICS devices should not respond to, or be impacted by, unauthorized intentional or unintentional activity. We know how an ICS device should operate; therefore, if we limit its actions and instructions to only safe and legitimate ones, an attacker cannot damage the devices or the process the devices are controlling.

Instead of minimizing the unauthorized loss of data, as in an IT system, ICS cyber security is focused on minimizing an attacker’s ability to disrupt versus damage.

To accomplish this, ICS cyber security should focus less on detecting and mitigating known bad behavior, and more on limiting and enforcing only known good behavior. If we allow only good behavior, it doesn’t matter whether the attack has been seen before or uses a zero-day vulnerability; ultimately the attack will fail to force devices to deviate from known safe and legitimate activities.

Change occurs rarely within an ICS, and when it does it is planned and anticipated. Therefore it is possible and highly desired to whitelist what can run on a device, whitelist which devices can communicate, and whitelist what they can transmit. Unlike humans, machines don’t mind saying the same thing every day to the same devices at the same time. In fact this is highly beneficial to the business. Therefore, whitelisting rather than blacklisting or signature-based filtering is the only method to ensure complete and comprehensive ICS cyber security, and prioritizes safety and reliability above all else. We don’t give our operators a manual outlining all the things they shouldn’t do; we shouldn’t require our security devices to operate that way either.

4. Secure Your Most Critical Assets

As we have made clear, in industrial control systems the most critical cyber component among data, devices, networks, and people is the devices. ICS cyber security should for this reason be focused on maintaining the reliability and safe operation of our ICS devices.

When we review the constantly growing list of vulnerabilities reported on the ICS-CERT’s alerts and advisories pages, we will see that many of the non-PC related vulnerabilities are robustness related. That is, if a malformed packet, also known as a poison packet, is sent to one of these devices, it causes the device to crash. This is particularly prevalent in systems that use complex control protocols such as DNP3 or BACnet. We saw the Energetic Bear ICS campaign in 2014 use the Havex malware to send malicious OPC messages, crashing many implementations. This is a failure of robustness in our industrial control devices. Whether an attack is intentional or unintentional, the reality is that unauthorized code can and will get into our control networks. Our cyber-security mission should be to ensure that even when it does, that malware cannot cause our devices to crash or behave outside of their normal operation.

In many cases IT security vendors see the ICS space as a new marketplace for their IT security solutions. Although well intentioned, they often don’t realize that the constraints and assumptions in the IT security space that make signature-based solutions so attractive do not exist in the ICS space. Instead the ICS community should be requiring security solutions that only allow legitimate and well-formed messages to be sent. The traffic classification capabilities of next-generation firewalls are not required in the ICS space. We know what protocols and messages are crossing our networks; we don’t need to identify them.


Instead the requirement is to ensure that those messages do not cause the device to crash (the message is not malformed) and do not instruct the device to perform in an unsafe manner. This is where protocol parsing is required. The security device analyzing the traffic not only needs the capability to inspect the entire message (via deep-packet-inspection), it also needs to understand what is being sent. It must fundamentally understand the protocol and detect when a message, whether legitimately formed or not, is actually asking the device to do something outside of its normal operational parameters.

If we can control which devices can communicate with each other, and how and what the messages convey, we then have a known set of permitted actions. Having the ability to ensure that only those messages are used means the uptime and reliability of the process cannot be damaged, only disrupted.

5. CyberFence Security

CyberFence combines a number of different capabilities to create a tailored cyber-defense. As each industrial deployment is unique and reflects unique threats, vulnerabilities, critical assets, and risk appetites, it requires individual solutions tailored to specific needs. There are always those attacks that can bypass static defenses, which is why guards are needed manning the walls, proactively looking for attacks and responding to them through, for example, deep packet inspection and heuristic analysis. Combining layers of static and active defenses creates solid defense-in-depth protection.

1. Data Encryption

CyberFence provides user-data end-to-end encryption. This means that any data sent by a user via a CyberFence series device will be encrypted from the source all the way to its destination. No attacker on the network between the CyberFence series devices will be able to intercept, manipulate, or participate in the communications. 3eTI uses only government-grade and FIPS-validated encryption algorithms and key management solutions, and performs its encryption in hardware to ensure low latency.


2. DarkNode Technology

DarkNode Technology allows the CyberFence series device to operate stealthily on the network, invisible to attackers and users alike. An attacker scanning the network or inspecting traffic cannot detect the presence of the CyberFence series device. This enables quick and easy deployment as the device is transparent on the network, requiring no additional network configuration. It also stymies attackers as the only indication that they will have of a CyberFence series device is that their attacks are failing, and they cannot tell why.

3. Port Authentication & Access Control

CyberFence implements 802.1x port authentication on all its user data ports. It is capable of not only authenticating itself to whatever network it is connected into, but more importantly the user can control what devices are allowed to connect to the CyberFence device and communicate through the encrypted tunnel.

If a network does not implement port authentication but the user would still like to control logical access to the network, then access control policies can be used. The user can control what devices are authorized to connect to a CyberFence series device’s given ports based on MAC address. While this does not provide a cryptographically authenticated method, it does prevent unsophisticated attackers or accidental connections to the wrong ports.

4. Firewall

Even if users have authorization to communicate through the CyberFence series device, it doesn’t mean that they obtain the authority to communicate to everyone and everywhere on the network. CyberFence implements a firewall that can control where users are allowed to communicate and which protocols they can use. This ensures that any critical device behind a CyberFence series product can control who can communicate with it, and is not left open to anyone on the network to connect to. The CyberFence series provides critical devices with an endpoint firewall that can not only protect the device from the network, but also protect the network against any compromised device attempting to form unauthorized connections.

Firewall alerts can both be securely logged and remotely distributed so that security systems can be immediately alerted to any unauthorized or anomalous connection attempts.

5. Application-Level Parsing and Deep Packet Inspection

Firewalls have historically been used to control who can talk to whom, but not what was being said. However, this is an issue within critical control and automation systems. If an authenticated system such as a SCADA server or HMI becomes compromised, it would be allowed to communicate through the firewall to launch an attack on a critical system. CyberFence series devices solve this issue by looking at the entire contents of a packet rather than just the header, in what is known as deep-packet-inspection (DPI). Coupled with an application protocol awareness, a CyberFence series device can allow or reject a packet based on whether it is well formed, appropriate, or within allowable limits. CyberFence devices understand the industrial protocols being analyzed, which means they can give the user the ability to restrict actions and commands to only what is required.
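As an added illustration (not 3eTI's code, and not a description of how CyberFence is implemented), the sketch below applies the checks described here and in section 4: a device-pair whitelist, then well formed, appropriate, and within allowable limits. It assumes Modbus/TCP, which the paper does not mention, because its requests are short enough to parse completely; the addresses, register 40 and its 100 to 1500 limits are constructed.

```python
import struct
from dataclasses import dataclass

READ_HOLDING_REGISTERS = 0x03
WRITE_SINGLE_REGISTER = 0x06


@dataclass(frozen=True)
class Rule:
    """One whitelisted conversation: who may ask whom to do what."""
    src: str             # sender allowed to issue the request
    dst: str             # device allowed to receive it
    function: int        # Modbus function code
    first_reg: int       # inclusive register range the request may touch
    last_reg: int
    min_value: int = 0   # writes only: permitted set-point range
    max_value: int = 0xFFFF


# Constructed policy (assumption): one HMI, one PLC, and holding register 40
# is a pump-speed set-point that must stay between 100 and 1500.
HMI, PLC = "10.0.0.10", "10.0.0.20"
POLICY = (
    Rule(HMI, PLC, READ_HOLDING_REGISTERS, 0, 99),
    Rule(HMI, PLC, WRITE_SINGLE_REGISTER, 40, 40, min_value=100, max_value=1500),
)


def build_frame(function, address, argument, transaction_id=1, unit_id=1):
    """Build a Modbus/TCP request: 7-byte MBAP header plus a 5-byte PDU."""
    pdu = struct.pack(">BHH", function, address, argument)
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def inspect_frame(src, dst, payload, policy=POLICY):
    """Return ("ALLOW", "ok") or ("DROP", reason); anything not listed is dropped."""
    # 1. Well formed: the MBAP header must describe exactly the bytes received.
    if len(payload) < 8:
        return "DROP", "malformed"
    _tid, protocol_id, length, _unit = struct.unpack(">HHHB", payload[:7])
    if protocol_id != 0 or length != len(payload) - 6:
        return "DROP", "malformed"
    function, body = payload[7], payload[8:]

    # 2. Appropriate: this sender may use this function code on this device.
    rules = [r for r in policy if (r.src, r.dst, r.function) == (src, dst, function)]
    if not rules:
        return "DROP", "not-whitelisted"
    if len(body) != 4:  # both supported requests carry two 16-bit fields
        return "DROP", "malformed"
    address, argument = struct.unpack(">HH", body)

    if function == READ_HOLDING_REGISTERS:
        if not 1 <= argument <= 125:  # quantity bound from the Modbus specification
            return "DROP", "malformed"
        last = address + argument - 1
        if any(r.first_reg <= address and last <= r.last_reg for r in rules):
            return "ALLOW", "ok"
        return "DROP", "not-whitelisted"

    if function == WRITE_SINGLE_REGISTER:
        for r in rules:
            if r.first_reg <= address <= r.last_reg:
                # 3. Within allowable limits: a valid command with an unsafe value.
                if r.min_value <= argument <= r.max_value:
                    return "ALLOW", "ok"
                return "DROP", "out-of-limits"
        return "DROP", "not-whitelisted"

    return "DROP", "not-whitelisted"  # a rule exists but this sketch has no parser


if __name__ == "__main__":
    samples = [  # constructed traffic
        ("HMI polls registers 0-9", HMI, build_frame(0x03, 0, 10)),
        ("HMI sets speed to 1200", HMI, build_frame(0x06, 40, 1200)),
        ("compromised HMI sets speed to 5000", HMI, build_frame(0x06, 40, 5000)),
        ("unknown host sets speed to 1200", "10.0.0.99", build_frame(0x06, 40, 1200)),
        ("truncated frame", HMI, build_frame(0x03, 0, 10)[:-1]),
    ]
    for label, src, frame in samples:
        print(f"{label:38s} -> {inspect_frame(src, PLC, frame)}")
```

The third sample is the case the section is about: the sender is authorized and the frame is well formed, so an address-and-port firewall would pass it, and only the value check stops it.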


6. Alerting & Reporting

One of the main reasons why industrial control and automation environments are vulnerable to cyber-attack is that operators do not have any situational awareness about what is happening in their control networks. Users know what actions they perform on an HMI, and they can see the actions a controller has on the environment (e.g. a PLC), but they don’t know if the action being performed is what they specified in the HMI. Many cyber-attacks can either manipulate control or manipulate the view to deceive an operator as to which processes are active or taking place. An attack can even make it seem as though the control system or controller (e.g. a PLC) is malfunctioning when it is operating correctly by taking commands from malware rather than the control system.

The CyberFence series is designed to provide situational awareness within the control network so that operators have an independent means for comparing commands and readings being received and being sent and displayed. If there is a discrepancy between these two, the discrepancy represents the first red flag signaling a malicious actor or cyber-attack. The CyberFence series can do this by alerting and recording activity that it sees passing over the network. All configuration changes, firewall alerts, DPI alerts, and authentication failures can be reported either in-band over an encrypted channel or out-of-band using a separate network. Alerts are both securely recorded in an auditable record, and distributed via SNMP traps and remote SysLog entries. Through the standards-compliant SOAP interface, management appliances automatically and routinely retrieve these logs for further analysis.

7. Preventing Attacks & Mitigations

While every cyber-attack on a critical or air-gapped system can be seen as unique, using different access and propagation methods, it can generally be categorized into a few main families. Not all cyber-attacks can be 100-percent successfully mitigated. A defender must recognize as early as possible when an attack is taking place and prevent the attacker from achieving the desired goal or performing desired actions. Through controls such as those provided by the CyberFence series, operators can make exploitation virtually impossible for non-sophisticated or nation-state attacks, and provide the situational awareness necessary to discover when sophisticated attacks are being attempted.

Network Connection Attacks - One simple way to mitigate this risk is to use encryption. Encryption is not widely deployed in process control and automation networks because it is seen to only provide confidentiality where confidentiality is not required. In fact, encryption provides two main protections - confidentiality and integrity, with integrity being the more important attribute within control networks. The integrity protection that encryption provides ensures that attackers with physical access to the network cannot manipulate the traffic, generate any of their own, or replay old traffic and go undetected. The confidentiality protection that comes with it is a bonus.

Endpoint Connection Attacks - One beneficial aspect of a control system is that it is fairly static. Not much changes. An attacker attempting to connect to a network does not know if port-based access control has been implemented, and so will not know how to avoid detection. As soon as an attacker tries to connect, a CyberFence series device will detect either the wrong MAC address or the failed certificate authentication and provide instant alerts to that effect. Now the administrator can detect that attempt and follow incident-response procedures to identify the attempted breach.


Internal Host-based Attacks - The use of CyberFence series devices will not only interrupt the actions of an attacker but very quickly identify that an attacker is attempting to probe the network, then alert an administrator. The DarkNode Technology in the CyberFence series devices will make them invisible to an attacker probing the network, and the firewall functionality will prevent any scans from reaching critical network devices. The attackers won’t be able to gather any additional information and they won't know why. The administrator can obtain real-time alerts that this is occurring. Even if an internal PC is compromised with malware, an attacker’s ability to expand the footprint into the wider network is severely hampered, and the administrator is alerted early to the compromise even when the PC’s antivirus misses the initial infection.

Server Compromise or Insider-Based Attacks - Even if the malware does not send its own malicious traffic, there have been instances when malware manipulates commands before they are sent. Therefore what the operator tells the system to do is not what the controller receives and actually executes. This discrepancy can look either like a fault with the controller or the HMI, but not necessarily like a cyber-attack. This type of attack can only be prevented through methods that validate what has been received.

The CyberFence series DPI capability ensures that legitimate and safe operations will be executed by a controller, and that what has been received is what the operator intended. If any manipulation has occurred, the operator will know and then report it to the network administrator for further investigation.

Zero-day attacks - The defense-in-depth protection offered by the CyberFence series dramatically limits the available and vulnerable attack surface of a critical device. Even though the critical device may support wide-ranging functionality and configurations, the CyberFence series devices ensure that only those functions that are required for operation are exposed to the wider network. They also ensure that only legitimate and well-formed packets are allowed through. This makes exploitation extremely difficult. Should any zero-day attack be found in a system, a new DPI rule can be written to detect, drop, and alert. This ensures protection for the critical device until the vendor issues a patch.
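The Network Connection Attacks item above names three things integrity protection must catch: manipulated traffic, attacker-generated traffic, and replayed traffic. The following added example (not 3eTI's code) shows a receiver rejecting each one; it uses an HMAC-SHA256 tag over a sequence number as a stand-in for the authenticated encryption a real link would use, and the key and the `SETPOINT` message text are constructed.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # bytes in an HMAC-SHA256 tag


def seal(key, seq, message):
    """Sender side: prefix a 64-bit sequence number, append a tag over both."""
    body = struct.pack(">Q", seq) + message
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Receiver:
    def __init__(self, key):
        self.key = key
        self.last_seq = 0  # highest sequence number accepted so far

    def open(self, frame):
        """Return (message, "ok") if accepted, otherwise (None, reason)."""
        if len(frame) < 8 + TAG_LEN:
            return None, "truncated"
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Constant-time comparison; a wrong tag means altered or forged traffic.
        if not hmac.compare_digest(tag, expected):
            return None, "bad-tag"
        (seq,) = struct.unpack(">Q", body[:8])
        # A valid tag on an old sequence number is a recorded frame sent again.
        if seq <= self.last_seq:
            return None, "replay"
        self.last_seq = seq
        return body[8:], "ok"


def run_demo():
    """Feed one receiver a genuine frame, then the three attacks, then new traffic."""
    key = b"constructed-demo-key-not-for-use"
    rx = Receiver(key)
    genuine = seal(key, 1, b"SETPOINT pump1 1200")
    # Manipulated: same header and tag, value changed on the wire.
    tampered = genuine[:8] + b"SETPOINT pump1 9999" + genuine[-TAG_LEN:]
    # Generated: attacker builds a frame without knowing the key.
    forged = seal(b"attacker-guess-key", 2, b"SETPOINT pump1 9999")
    return [
        rx.open(genuine),
        rx.open(tampered),
        rx.open(forged),
        rx.open(genuine),  # replay of the captured frame
        rx.open(seal(key, 2, b"SETPOINT pump1 1250")),
    ]


if __name__ == "__main__":
    for result in run_demo():
        print(result)
```

Each rejection reason is also an event worth alerting on, since none of the three occurs in a healthy static control network.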

6. Summary

In conclusion, we challenge the ICS cyber security community to remember the reason why computers and cyber systems are used within industrial controls – to improve reliability and predictability within a process. There is a reason why procedures in the ICS world define what someone should do, not list all the things a user should not do. Securing an ICS is an exercise in ensuring devices only do what they should do, not preventing all the different things they shouldn’t do.

No control system will be completely cyber secure, nor will a single product provide the complete solution. Instead a risk-informed holistic security approach is needed, one that provides a layered set of defenses that include specific protections for critical edge devices. Performing firewall, intrusion detection, and deep-packet-inspection can all be done at the network core, which is normally acceptable in IT network systems. But for critical systems this is a highly risky approach. A single misconfiguration or change to the operation can leave large numbers of critical devices accessible and vulnerable.

A central firewall would not prevent an insider threat performing a malicious action, or even detect it. A network segregation device (e.g. data-diode) should keep a system air gapped, but would not prevent malicious code from being inserted into the system via other means (USB stick, software update). Instead, by moving the defense to the edge, risk is kept to a minimum; any error in a device’s configuration will only affect that single device and not the whole network.

In a critical operational environment, performance is paramount and sometimes safety-critical. But without the addition of security the operational environment is at risk of unsafe malicious operation. An appropriate security control is one that minimizes the impact to the operational environment. A CyberFence series device protecting an industrial plant’s control system will be deployed and configured differently than the same plant’s monitoring system, or a building’s automation system. This enables them to provide an independent assessment of what is actually occurring in control networks between devices. The CyberFence series solutions are optimized for the unique environment in which they operate, balancing the risk management requirements and operational limitations of demanding process control and automation systems.

ICSs require their cyber protections to go beyond the signature-based approach of firewalls and to use protocol-aware systems that whitelist applications, connections, and communications.

For more information on Ultra Electronics, 3eTI solutions contact [email protected] or call +1 301.670.6779.

About Ultra Electronics, 3eTI

Ultra Electronics, 3eTI is a leading provider of military-grade secure communications that enable critical systems security, infrastructure security, and facilities management for the defense, government, utilities and industrial markets worldwide. Solutions form robust, cyber-secure, wired and wireless sensor networking systems that modernize and integrate disparate legacy systems across widespread bases and facilities to increase productivity, and provide a path to lower operational costs. 3eTI’s product portfolio includes net-centric and OEM products that enable comprehensive data protection for a wide range of defense and industrial applications such as secure wireless mesh networks, industrial sensor networks, cyber security, and perimeter security solutions approved for use by the most stringent and demanding customers, including the US military (www.ultra-3eti.com).