Securing industrial control systems by closing the air gap security loophole


Security and industry experts have long advocated for the need to increase the protection of critical infrastructure – including transportation systems, energy and utilities providers, and financial services. The implications of an attack on our nation’s systems are far reaching – from disrupting delivery of key services to impacting public safety. The continued assaults on industrial control systems (ICS), which control critical infrastructure, have the potential to cause chaos and disrupt the everyday lives of British citizens.

Just recently, researchers presented an analysis of Triton, a malware used in the third ever recorded cyber-attack against industrial equipment. Findings indicate that the malware was able to enter the plant via an exploit in “security procedures that allowed access to some of its stations as well as its safety control network.” Additionally, recent erroneous alerts regarding missile strikes caused panic in Hawaii and Japan – each alleged to be the result of human error. These incidents shine an important light on the cyber security procedures used to safeguard these critical systems – from external attackers or insiders, whether intentional or not.

As we’ve seen, the potential for devastation in ICS attacks is high. During two different attacks on Ukraine in December 2015 and 2016, attackers were able to access—and shut down—the country’s power grid for extended periods of time in the midst of winter. Due to their sensitivity and the impact on business and everyday life, the interruption and compromise of these utility infrastructure networks has an immediate effect—both in cost and physical implication.

What stands out in these recent ICS attacks is the ease with which the critical networks were compromised. ICS are supposed to have security controls and safeguards at critical locations to prevent the specific types of attacks that occurred from ever happening.

In some cases, attackers got inside the supposedly air-gapped networks of energy utilities to such an extent that they could have thrown the switches and disrupted power services or caused blackouts. These isolated networks were accessed through third-party vendors and the exploitation of privileged credentials.

Air gapping doesn’t automatically equal security

Obviously, air gapping alone is not enough to stop attackers from gaining access to a network. Air-gapping is one of the most common ways ICS are protected; however, organisations’ interpretations of how to isolate networks vary widely. Many believe they have taken all the correct measures to air gap critical networks, yet too often these vital environments are not really isolated, allowing malicious actors to infiltrate them.

In some of the recent cases, malicious agents used standard techniques and tactics to gain access to air-gapped infrastructure—including bridging isolated networks using credentials, shared hardware and devices, and other VPN bypasses. Take Stuxnet, for example. Agents used standard USB devices to plant the infection on the network.

It’s time to dispel the myth that separating IT networks from operational technology automatically equals security.

One of the key contributors to ICS vulnerabilities is the increasing need for these systems—and their data—to be accessible and to integrate with numerous IT technologies as well as third-party vendors’ operating software and commercial off-the-shelf products. In this operational environment, air gapping seems ideal because of the proprietary equipment and communication protocols inherent in industries such as utilities and healthcare. But the integration need results in critical infrastructure networks being connected to business systems on corporate networks and, through the internet, to the outside world.

Best practices to create a secure environment

This has created the biggest loophole for attackers. As the scope of ICS has increased, so have the privileged and administrative accounts that can access these critical networks. These include support and maintenance personnel, operators and control engineers, remote vendors, corporate applications and automated batch applications, all with little inherent oversight. Worse are applications and devices with hard-coded credentials that could be remotely exploitable and provide access for the manipulation of physical devices, the execution of damaging code or DDoS attacks.

By incorporating a few security best practices, in addition to the use of completely isolated air-gapped networks, organisations can control and monitor these critical infrastructure networks, while still providing IT and OT internal users, third parties and applications the access they need. For sensitive networks that have any access points, organisations should focus on:

  • Identifying all users, applications and associated credentials used for granting access into the ICS. This should be comprehensive and include the discovery of all accounts and credentials assigned to users, as well as application-to-application accounts accessed using embedded passwords or SSH keys stored locally. The best way to do this is with a tool that can scan the network and generate a report on all the privileged and administrative accounts that have access into the ICS network by internal and external users.
  • Eliminating stale or unused credentials. Once accounts with access are accounted for, organisations can reduce the number of accounts accessing the critical infrastructure networks by weeding out those that are stale and unused, and then storing the remaining credentials in a secure digital vault. The digital vault can then be accessed by trusted users to get the specific credentials they have permission to use. This is ideal for granting network access to users from remote vendors who frequently change roles. Organisations can further reduce their security risks by regularly performing an automated rotation of the system credentials stored and managed in the digital vault.
  • Implementing one-time use passwords. Rotate credentials after every use, require multi-factor authentication to access the vault, and incorporate workflow approval processes before the most sensitive credentials are retrieved. By making users log into a digital vault before they get access to an ICS, credential and individual activity can be tracked and reported, which reduces the risks associated with shared accounts.
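The three steps above, worked through as an added example (not code from the article or from CyberArk): a constructed account inventory stands in for the output of a network scan, stale and never-used accounts are weeded out against an idle threshold, and the survivors are placed in a minimal vault model that demands MFA, optionally a workflow approval, and rotates the secret on every checkout so that each retrieved credential is one-time use. All account names, the 90-day idle threshold and the vault API are assumptions made for the illustration.

```python
"""Privileged-account hygiene at an ICS access boundary: inventory,
stale-credential detection, and one-time checkout with rotation.
Added example; the inventory below is constructed, not scan output."""
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Account:
    name: str
    owner: str                   # person, vendor, or application
    kind: str                    # "user", "vendor", or "app2app"
    last_used: Optional[datetime]  # None = never seen authenticating


# Constructed inventory, standing in for a scan of hosts that reach the ICS network
NOW = datetime(2018, 3, 1)
INVENTORY = [
    Account("ops_engineer1", "control room", "user", NOW - timedelta(days=2)),
    Account("vendor_hmi_support", "HMI vendor", "vendor", NOW - timedelta(days=10)),
    Account("historian_svc", "historian app", "app2app", NOW - timedelta(days=1)),
    Account("old_contractor", "former contractor", "user", None),
    Account("backup_batch", "batch job", "app2app", NOW - timedelta(days=95)),
]


def find_stale(inventory, now=NOW, max_idle_days=90):
    """Step 2: accounts never used, or idle longer than max_idle_days (assumed threshold)."""
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(a.name for a in inventory
                  if a.last_used is None or a.last_used < cutoff)


class Vault:
    """Minimal model of a credential vault with one-time checkout: each
    checkout hands out the current secret and immediately rotates it, so a
    credential that leaks after use no longer opens anything."""

    def __init__(self, accounts, approvals_required=None):
        self._secrets = {a.name: secrets.token_urlsafe(24) for a in accounts}
        self._approvals = approvals_required or {}  # account -> approvals needed
        self.audit = []                              # (who, account, event)

    def checkout(self, who, account, mfa_ok, approvals=0):
        if account not in self._secrets:
            raise KeyError(f"{account} is not in the vault")
        if not mfa_ok:
            self.audit.append((who, account, "denied: mfa"))
            raise PermissionError("MFA required")
        if approvals < self._approvals.get(account, 0):
            self.audit.append((who, account, "denied: approval"))
            raise PermissionError("workflow approval required")
        current = self._secrets[account]
        self._secrets[account] = secrets.token_urlsafe(24)  # rotate after use
        self.audit.append((who, account, "checkout+rotate"))
        return current

    def is_current(self, account, secret):
        """True only if `secret` is the live value, i.e. it has not been used yet."""
        return self._secrets.get(account) == secret


def build_vault(inventory, now=NOW):
    """Steps 2 and 3 together: drop stale accounts, vault the rest, and require
    one workflow approval before the vendor credential is released."""
    stale = set(find_stale(inventory, now))
    live = [a for a in inventory if a.name not in stale]
    return Vault(live, approvals_required={"vendor_hmi_support": 1})


if __name__ == "__main__":
    print("stale:", find_stale(INVENTORY))
    v = build_vault(INVENTORY)
    s = v.checkout("alice", "historian_svc", mfa_ok=True)
    print("secret still valid after use:", v.is_current("historian_svc", s))
    print(v.audit)
```

The audit list is the point of the third bullet: because every retrieval is tied to a named requester, a shared service account no longer hides who actually used it.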

It’s critical to manage and monitor users outside of the ICS network as well, whether within the organisation at a corporate level or from outside vendors and applications. By isolating all sessions originating outside of the ICS network, it’s easier to control ICS applications and allow for the implementation of tools to enforce flexible least privilege policies.

Automated analytics tools can also help to define activity patterns that can be used as a baseline to identify suspicious activity. Once the baseline is established, anomalies trigger an alert to IT, OT and security teams that an attacker may have compromised a remote vendor’s credential or is exploiting an account to access the ICS network. This can disrupt in-progress attacks and dramatically reduce potential damage.
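A small illustration of the baseline-then-alert idea, added here and not taken from the article or from any product: a week of constructed session records from a jump host into the ICS network teaches a per-account baseline (source addresses, targets and hours of day), and new records are then compared against it. A vendor credential that suddenly appears from an outside address, at 02:31, against a PLC it never touched before is flagged with all three reasons, while an account absent from the baseline entirely is reported as unknown. The log format, account names and addresses are assumptions for the example.

```python
"""Per-account activity baseline and anomaly alerts for ICS access sessions.
Added example; both logs below are constructed, not real telemetry."""
import re
from collections import defaultdict
from datetime import datetime

# Assumed log format: "<iso-timestamp> user=<name> src=<ip> target=<asset> result=<ok|fail>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) target=(?P<target>\S+) result=(?P<result>\S+)$"
)

# Constructed learning period: what "normal" looked like
BASELINE_LOG = """\
2018-02-05T09:12:03 user=vendor_hmi_support src=10.20.1.15 target=hmi-01 result=ok
2018-02-06T14:40:11 user=vendor_hmi_support src=10.20.1.15 target=hmi-01 result=ok
2018-02-05T08:02:45 user=ops_engineer1 src=10.10.0.5 target=plc-03 result=ok
2018-02-06T10:15:09 user=ops_engineer1 src=10.10.0.5 target=hmi-01 result=ok
2018-02-07T15:48:30 user=ops_engineer1 src=10.10.0.5 target=plc-03 result=ok
2018-02-07T15:50:02 user=ops_engineer1 src=10.10.0.5 target=plc-03 result=fail
"""

# Constructed records to evaluate against that baseline
NEW_LOG = """\
2018-03-03T02:31:44 user=vendor_hmi_support src=203.0.113.7 target=plc-03 result=ok
2018-03-03T10:05:10 user=ops_engineer1 src=10.10.0.5 target=plc-03 result=ok
2018-03-03T10:07:22 user=svc_unknown src=10.10.0.9 target=plc-03 result=ok
this line is garbage and must be skipped
"""


def parse(log):
    """Parse key=value session lines; malformed lines are skipped, not fatal."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return events


def build_baseline(events):
    """Learn, per account, the sources, targets and hours seen in successful sessions."""
    base = defaultdict(lambda: {"src": set(), "target": set(), "hours": set()})
    for e in events:
        if e["result"] != "ok":      # failed attempts do not define normal behaviour
            continue
        b = base[e["user"]]
        b["src"].add(e["src"])
        b["target"].add(e["target"])
        b["hours"].add(e["ts"].hour)
    return dict(base)


def detect(events, baseline):
    """Return (timestamp, account, reasons) for every event outside its baseline."""
    alerts = []
    for e in events:
        b = baseline.get(e["user"])
        reasons = []
        if b is None:
            reasons.append("unknown account")
        else:
            if e["src"] not in b["src"]:
                reasons.append(f"new source {e['src']}")
            if e["target"] not in b["target"]:
                reasons.append(f"new target {e['target']}")
            if e["ts"].hour not in b["hours"]:
                reasons.append(f"unusual hour {e['ts'].hour:02d}")
        if reasons:
            alerts.append((e["ts"].isoformat(), e["user"], reasons))
    return alerts


def run(baseline_log=BASELINE_LOG, new_log=NEW_LOG):
    return detect(parse(new_log), build_baseline(parse(baseline_log)))


if __name__ == "__main__":
    for ts, user, reasons in run():
        print(ts, user, "; ".join(reasons))
```

A real deployment would learn over a longer window and weight the reasons (a new target for a vendor account matters more than a session starting an hour early), but the shape is the same: the baseline is built only from successful, expected activity, and every deviation is attributed to a named account so the IT, OT and security teams know whose credential to suspend first.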

The bottom line is that ICS are highly sensitive and need security beyond air gapping. There is an array of processes and tools that, when used together and in addition to air gapping, can create a more secure environment.

Lavi Lazarovitz, Head, CyberArk Labs
Image Credit: Geralt / Pixabay