Jonathan Newell explores the options for protecting data acquisition networks from the digital horrors predicted to accompany the internet of things.
IT security vendors have so far largely stayed well clear of industrial control systems, SCADA and networks of engineering products, preferring the relatively predictable world of office systems and personal computing.
However, with the Industrial Internet of Things projected by market research company Gartner to swell the inventory of connected devices to over 20 billion by the end of the decade, the security industry is now venturing into the digital hinterland of industrial networks.
Some industrial network managers prevent any connection at all between industrial and corporate networks, an approach known as “air gapping” that has been shown to be flawed in many ways.
Even for companies that think they have air gaps, there are ways in which they can be breached that are often overlooked, including:
Unknown connections: A hidden or transitory connection, such as a maintenance engineer attaching a wireless-connected laptop to a machine for remote diagnostics, bridges the gap without anyone recording that it exists.
Removable media: Plugging a USB flash drive into a computer on the shop floor can introduce malware without the user knowing; no network connection is needed to carry it in.
There’s an app for that: Engineers are tech-savvy people, and major machine tool and production equipment suppliers offer smartphone and tablet apps that engineers use alongside the equipment they support. The phone or tablet is also on a cellular or Wi-Fi network, so the equipment it talks to is no longer isolated.
In a blog post on the website of industrial control system network security specialist Belden, the company’s marketing manager Heather MacKenzie explains that even the biggest physical air gap imaginable wasn’t enough to prevent the International Space Station from being infected by a virus in 2013 through the use of an infected USB device.
DAQ and Connectivity
Any security practice that is put into place should not interfere with the basic function of the network that it is protecting. And this is the prime concern with the isolation approach. You acquire data so that you can do something with it. It needs to be processed, turned into information and communicated or used to control other processes.
Isolating systems negates everything that engineers have been striving for with DAQ and SCADA, so air-gapping an industrial system from other networks is an affront to progress and to the Industrial Internet of Things (IIoT), which is closely associated with the Industry 4.0 concept.
IT security companies are fully aware of this dependence on the extended network, and they are keen to see the traditional air gap give way to more concrete protection. According to Deborah Galea of security company OPSWAT, the security measures need to reflect how critical the network is that they are protecting. “Since SCADA systems are increasingly connected to the Internet for productivity reasons, these systems are also becoming more vulnerable to attack. Considering the critical nature of SCADA systems, along with growing hacker sophistication, operators of SCADA systems will need to step up their security measures to ensure their continuity and integrity,” she says.
When asked about whether air gaps are a viable approach to network security, Galea says: “Air-gapped networks actually create other vulnerabilities. Since data will still need to be transferred into the air-gapped network, for software updates for instance, portable media will have to be used to bring the data into the secure network. Therefore it is essential to ensure that USB devices and other removable media are free from malware before they are connected to the secure network.”
SCADA protection measures
OPSWAT takes the approach of combining three technologies to protect industrial control systems and SCADA networks from threats carried in by data entering the network: portable media security, data diodes and secure file transfer.
Endpoint security software that detects when portable media is attached to a machine on the network and blocks its use is available from a number of sources. But because it works by preventing use altogether, it can affect productivity. The alternative is to scan any portable media thoroughly at a dedicated station before it is introduced onto the network, or to move the data from the media onto the network using secure transfer software rather than plugging the media in at all.
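The scanning-station approach in practice, as an added example rather than OPSWAT's or any other vendor's code: the script walks a constructed USB image, hashes every file, and refuses anything whose hash is on a block list, that is an autorun file, or whose first bytes show executable content regardless of the extension on the label (a Windows executable renamed to .pdf is the classic trick). The allowed-extension list, the magic-byte table and the block-list hash are assumptions built for the demo; the "known-bad" entry is the hash of a harmless constructed string, not a real malware sample.

```python
"""Pre-connection scan of removable media (constructed example).

Added illustration, not OPSWAT's or any other vendor's product code. It
models the checks a scanning station performs before a USB drive is
allowed near a control network: hash every file, compare against a
known-bad list, and flag autorun files and executable content regardless
of what the file extension claims. The media image is a constructed
temporary directory.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path

# Extensions a data-only transfer might accept (assumed policy, not a standard).
ALLOWED_EXTENSIONS = {".csv", ".txt", ".pdf", ".xml", ".json"}

# Leading bytes that mark executable content no matter what the extension says.
EXECUTABLE_MAGIC = {
    b"MZ": "Windows PE executable",
    b"\x7fELF": "ELF executable",
    b"#!": "script with shebang",
}

# Constructed payload whose hash stands in for a known-bad list entry.
KNOWN_BAD_PAYLOAD = b"constructed sample payload for the known-bad hash demo\n"
KNOWN_BAD_HASHES = {hashlib.sha256(KNOWN_BAD_PAYLOAD).hexdigest()}


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large media do not fill memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(1 << 16), b""):
            h.update(block)
    return h.hexdigest()


def classify(path: Path, known_bad: set) -> list:
    """Return the reasons a file must be quarantined; an empty list means it may pass."""
    reasons = []
    ext = path.suffix.lower()
    if path.name.lower() == "autorun.inf":
        reasons.append("autorun file")
    if ext not in ALLOWED_EXTENSIONS:
        reasons.append(f"extension {ext or '(none)'} not on the allow list")
    with path.open("rb") as f:
        head = f.read(4)
    for magic, description in EXECUTABLE_MAGIC.items():
        if head.startswith(magic):
            reasons.append(f"{description} content despite extension {ext or '(none)'}")
    if sha256_file(path) in known_bad:
        reasons.append("SHA-256 matches known-bad list")
    return reasons


def scan_media(root: Path, known_bad: set) -> tuple:
    """Walk the media; return ({name: []} for clean files, {name: reasons} for quarantined)."""
    clean, quarantined = {}, {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        name = str(path.relative_to(root))
        reasons = classify(path, known_bad)
        (quarantined if reasons else clean)[name] = reasons
    return clean, quarantined


def build_demo_media() -> Path:
    """Constructed USB image: one benign file and three that must be stopped."""
    root = Path(tempfile.mkdtemp(prefix="usb_demo_"))
    (root / "readings.csv").write_text("timestamp,value\n1,42\n")
    (root / "autorun.inf").write_text("[autorun]\nopen=setup.exe\n")
    (root / "report.pdf").write_bytes(b"MZ\x90\x00" + b"\x00" * 60)  # PE dressed as a PDF
    (root / "notes.txt").write_bytes(KNOWN_BAD_PAYLOAD)                # hash-listed content
    return root


def run_demo() -> tuple:
    """Build the constructed media, scan it, clean up, and return the verdicts."""
    root = build_demo_media()
    try:
        return scan_media(root, KNOWN_BAD_HASHES)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    clean, quarantined = run_demo()
    print("may pass:", ", ".join(clean) or "(none)")
    for name, reasons in quarantined.items():
        print(f"quarantine {name}: {'; '.join(reasons)}")
```

The content check matters more than the extension check: an allow list of extensions stops casual mistakes, but the MZ/ELF/shebang test is what catches a renamed binary, and the hash comparison is what a real station would back with a full antivirus engine rather than a single constructed entry.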
The intriguingly named “data diode” is a physical device with a single fibre-optic cable across which data can only be transferred in a single direction, as explained by Galea: “The transmission is handled by two dedicated servers, the pitcher and the catcher. No data can be transported from the receiving network to the transmitting network.”
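What the absence of a return path means for the pitcher and catcher, shown as an added simulation that is not OPSWAT's product or any real diode's wire protocol: the pitcher frames a file into numbered chunks, each carrying a SHA-256 of its payload, and pushes them through a channel that may drop frames but can carry nothing back. Because the catcher can never acknowledge or ask for a retransmit, the only remedies are redundancy on the sending side (the whole sequence is repeated) and an honest report of what is still missing on the receiving side. Chunk size, header layout, repeat count and the sample readings are assumptions constructed for the demo.

```python
"""One-way transfer across a simulated data diode (constructed example).

Added illustration, not OPSWAT's product nor any real diode's protocol.
The 'pitcher' sends numbered, hashed frames; the 'one_way_channel' may
lose frames and has no return direction; the 'Catcher' validates what
arrives and can only report gaps, never request retransmission.
"""
import hashlib
import random
import struct

# Frame header: sequence number, total frames, payload length, SHA-256 of payload.
HEADER = struct.Struct("!IIH32s")
CHUNK_SIZE = 16  # deliberately small so a short demo message spans several frames


def make_frame(seq: int, total: int, payload: bytes) -> bytes:
    return HEADER.pack(seq, total, len(payload), hashlib.sha256(payload).digest()) + payload


def pitcher_frames(data: bytes, repeats: int = 3):
    """Yield the frame stream for data, sending the whole sequence 'repeats' times."""
    chunks = [data[i:i + CHUNK_SIZE] for i in range(0, len(data), CHUNK_SIZE)] or [b""]
    for _ in range(repeats):
        for seq, chunk in enumerate(chunks):
            yield make_frame(seq, len(chunks), chunk)


def one_way_channel(frames, loss_rate: float, rng: random.Random):
    """Simulated fibre: frames flow in one direction only and some may be lost."""
    for raw in frames:
        if rng.random() >= loss_rate:
            yield raw


class Catcher:
    """Receiving server: validates frames and keeps the first good copy of each sequence number."""

    def __init__(self) -> None:
        self.received = {}
        self.total = None
        self.rejected = 0

    def accept(self, raw: bytes) -> bool:
        """Validate one frame; return True if stored. Bad frames are dropped, never NAKed."""
        if len(raw) < HEADER.size:
            self.rejected += 1
            return False
        seq, total, length, digest = HEADER.unpack_from(raw)
        payload = raw[HEADER.size:HEADER.size + length]
        if len(payload) != length or hashlib.sha256(payload).digest() != digest:
            self.rejected += 1
            return False
        self.total = total
        self.received.setdefault(seq, payload)  # duplicates from the repeats are harmless
        return True

    def missing(self):
        """Sequence numbers never seen (None if nothing arrived at all); can only be reported."""
        if self.total is None:
            return None
        return [seq for seq in range(self.total) if seq not in self.received]

    def reassemble(self):
        """Return the complete data, or None while any frame is still missing."""
        if self.total is None or self.missing():
            return None
        return b"".join(self.received[seq] for seq in range(self.total))


def transfer(data: bytes, loss_rate: float = 0.2, repeats: int = 3, seed: int = 1):
    """Run pitcher -> channel -> catcher; return (data or None, missing sequence numbers)."""
    rng = random.Random(seed)
    catcher = Catcher()
    for raw in one_way_channel(pitcher_frames(data, repeats), loss_rate, rng):
        catcher.accept(raw)
    return catcher.reassemble(), catcher.missing()


if __name__ == "__main__":
    # Constructed sample: a few historian readings, not real plant data.
    sample = b"ts,tag,value\n1,FT-101,3.2\n2,FT-101,3.4\n3,PT-204,101.3\n"
    for repeats in (1, 3):
        result, missing = transfer(sample, loss_rate=0.2, repeats=repeats)
        state = "complete" if result == sample else "incomplete"
        print(f"repeats={repeats}: {state}, missing={missing}")
```

Run it and the single-pass transfer will usually come back incomplete under 20% loss while the triple-send succeeds; that is the whole trade-off of a diode in miniature, where the bandwidth spent on repetition (or forward error correction in a commercial product) replaces the acknowledgements a two-way link would use. The per-frame hash also shows why a diode is not a content filter: it detects a damaged frame, not a malicious file, so the scanning described for portable media still applies to whatever the pitcher is fed.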
Critical infrastructure protection
One of the reasons some network owners prefer the notion of air gapping is that it is easy to implement, and many doubt that their networks are vulnerable at all. On a recent visit to a data acquisition and control system in a traffic management application, the network manager explained that “there probably aren’t any security measures since no-one would want to attack them anyway”. Since Belden was at the heart of the installation, it’s probably a good assumption that the system is well protected, but the attitude that attacks are unlikely is pervasive and erroneous.
In a review performed by OPSWAT, Galea identified some alarming activity relating to cyber crime in critical infrastructure during the last 12 months:
* In March, the US Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) published a report detailing 245 cyber incidents recorded during the previous year, 79 of which were in the energy sector.
* Dell Security’s annual threat report in April announced that attacks on SCADA systems had doubled in the previous year, most of which were in the UK, the USA and Finland.
* The Chatham House think tank cited the digitisation of SCADA systems as a cause of increasing levels of vulnerability in the nuclear power industry.
* Just two months ago, a representative of the Defense Information Systems Agency addressed the CyberCon conference with the chilling prediction that cyber attacks used by an enemy to take down SCADA systems will be the prelude to war.
Exploring the Hinterland
With the many different protocols, interfaces and networking equipment available for SCADA networks, a greater body of knowledge is needed to understand the risks, identify vulnerabilities and work with the industry to create a more secure environment.
ICS security vendor Applied Risk has taken a first step into the hinterland of SCADA networks with the establishment of its ICS/SCADA Security Lab for the detection, identification and mitigation of threats and vulnerabilities in industrial networks.
Based in Amsterdam, the new lab is currently focused on the chemical, manufacturing, pharmaceutical, power, water, oil and gas sectors. Using current vulnerability research, protocol reverse-engineering and source-code analysis techniques, its researchers aim to provide early warning of emerging ICS threats and to assess whether reported threats are genuine.
Vulnerable and infected ICS installations can be identified too, along with exploit attempts and malware activity. Part of the lab’s service also involves remediation, including workarounds and configuration changes to safeguard systems, for both suppliers and system owners.
In conjunction with the ICS/SCADA Security Lab, Applied Risk is also offering online ICS Security Awareness Training in an attempt to establish a widespread ICS security culture among target organisations.
Commenting on the formation of the new online training resource, Applied Risk’s Jalal Bouhdada told us, “With the appropriate ICS security education in place, organisations are in a significantly stronger position to protect their industrial facilities against prevalent security risks and associated costs while enhancing compliance and demonstrating resilience.”