Industrial control systems like those used to run the electricity distribution grid are vital to the economic well being of any country. But protecting those systems needs a different approach from normal enterprise security.
In the US the North American Electric Reliability Corporation (NERC) is the body charged with ensuring grid reliability. But the NERC's critical infrastructure protection (CIP) standards call for only standard firewall use. Is this putting the grid at risk from hackers or terrorists?
We spoke to Andrew Ginter, vice president of industrial security at Waterfall Security Solutions to find out more.
How worried should we be about attacks on industrial control systems (ICS) and national infrastructure?
I'm very much worried. Modern attacks have demonstrated repeatedly that they can punch through corporate-style cyber defenses, more or less, at will, and it is corporate-style defenses that are deployed at the majority of critical industrial infrastructure sites. This is a mistake. IT can restore damaged systems from backup.
There is no way to restore a damaged turbine or a boiler from backup. There are industrial sites that understand all this and have taken appropriate steps to defend themselves, but the vast majority of sites are not protected thoroughly enough.
Should enterprise IT and ICS be kept completely separate? Why connect ICS to the Internet at all?
There are too many ways to profit from ICS data to keep it locked up and inaccessible. For example, if business systems can determine how often and how long each piece of costly equipment has been used, we can delay maintenance until it is really needed rather than maintain the equipment every few months whether it needs it or not.
This predictive maintenance application of ICS data alone, integrated with HR personnel scheduling, spare parts ordering and other business applications, is estimated to save the average industrial facility between three and seven per cent of total operating costs. In some industries, this is the plant's entire operating profit. There are many other uses for industrial data.
What's wrong with using a conventional firewall?
Firewalls are IT technology and porous by design. Firewalls let both good and bad communications through. Firewalls are designed to let Web requests, responses, email and remote control sessions through. Remote control is the number one modern attack method.
When a firewall is hacked, misconfigured or its credentials stolen, the "protected" network is finished. I could go on. Firewalls simply aren't strong enough to protect industrial sites.
What is unidirectional security?
Unidirectional security gateways give business systems access to industrial data while protecting industrial networks in ways that firewalls simply can't. The gateways let nothing at all back into protected networks - it doesn't matter how smart the attackers are.
If some attacker across the Internet, or some corporate insider, gains access to each and every password on both corporate and industrial networks, there is physically no way to send any sort of attack back through the gateways. No mistake in gateway software protections can put the operation of the industrial network at risk. Remote control attacks simply can't work.
IT-style security is fine for IT networks, but, for computers controlling costly, powerful industrial processes, we need at least unidirectional protections.
Surely technology is only part of the picture, isn't part of the solution always going to lie with training and awareness?
Yes, of course. Unidirectional security gateways eliminate one very dangerous threat vector, namely network attacks from corporate networks and through corporate networks from the Internet, but there are no silver bullets when it comes to security.
That said, what good is training people not to pick up USB sticks in the parking lot if any hacker who wants to sabotage the plant can simply weave a connection straight through porous firewalls? Unidirectional gateways make investments in training and awareness more effective.
With the industrial firewall "barn door" well and truly wiped out, investments in "barring the windows" with training and awareness programs suddenly pay much bigger dividends.
Does government need to act to enforce stricter controls on ICS?
That's a tough one. Security is doing whatever we need to do to address safety and reliability risks to complex, powerful industrial processes. Compliance is doing whatever somebody else tells us to, whether it's useful or not.
When governments specify detailed regulations, such as the NERC CIP rules for the electric grid, many businesses respond by hiring lawyers to run their security programs. These programs quickly transform into minimal compliance programs - do as little as possible to meet the letter of the law.
I would rather see government agencies publish clear guidance identifying threats and explaining how best to address those threats with strong security programs and technologies, such as unidirectional security gateways.
Governments should use their influence and expertise to encourage strong security programs, not mandate minimal compliance programs.