Industrial Network Security, Second Edition
Copyright © 2010
ISA—The International Society of Automation
All rights reserved.
Printed in the United States of America.
10 9 8 7 6 5 4 3 2
ISBN 978-1-936007-07-3
No part of this work may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior written permission of the publisher.
ISA
67 Alexander Drive
P.O. Box 12277
Research Triangle Park, NC 27709
www.isa.org
Library of Congress Cataloging-in-Publication Data in process
Notice
professional judgment in using any of the information presented in a particular application.
Additionally, neither the author nor the publisher have investigated or considered the effect of any patents on the ability of the reader to use any of the information in a particular application. The reader is responsible for reviewing any possible patents that may affect any particular use of the information presented.
Any references to commercial products in the work are cited as examples only. Neither the author nor the publisher endorse any referenced commercial product. Any trademarks or trade names referenced belong to the respective owner of the mark or name. Neither the author nor the publisher make any representation regarding the availability of any referenced commercial product at any time. The manufacturer’s instructions on use of any commercial product must be followed at all times, even if in conflict with the information in this publication.
Acknowledgments
My appreciation is expressed for the people who helped and inspired me to write the second edition of this book.
Once again, my special thanks go to my ISA editor, Susan Colwell.
John Clem, from Sandia National Laboratories, contributed content on Red Teaming for the new Chapter 9, New Topics in Industrial Network Security.
My good friend from college, Andy Hagel, provided content and review for Chapter 3, COTS and Connectivity.
As with the first edition, Tom Good from DuPont and Dave Mills of Procter & Gamble provided content for Chapter 10.
Table of Contents
Preface
Chapter 1.0 Industrial Network Security
1.1 What Are Industrial Networks?
1.2 What Is Industrial Network Security?
1.3 The Big Picture: Critical Infrastructure Protection
1.4 The Challenge: “Open and Secure”
1.5 Who’s Working on What?
1.6 Federal Regulatory Authority
References
Chapter 2.0 A Security Backgrounder
2.1 Physical, Cyber, and Personnel Security
2.2 Risk Assessment and IT Cybersecurity
2.3 Risk Assessment for the Plant
2.4 Who’s Responsible for Industrial Network Security?
2.5 Tips for Making the Business Case to Upper Management
2.6 Making the Business Case with Data
References
Chapter 3.0 COTS and Connectivity
3.1 Use of COTS and Open Systems
3.2 Connectivity
3.3 What You Get that You Didn’t Bargain For
References
Chapter 4.0 Cybersecurity in a Nutshell
4.1 Security Is a Process
4.2 Basic Principles and Definitions
4.3 Basic Principles: Identification, Authentication, and Authorization
4.4 More Cyber Attack Case Histories
4.5 Risk Assessment and Risk Management Revisited
4.6 Cyber Threats
4.7 Vulnerabilities
4.8 A Common COTS Vulnerability: The Buffer Overflow
4.9 Attacker Tools and Techniques
4.10 Anatomy of the Slammer Worm
4.11 Who’s Guarding Whom?
References
Chapter 5.0 Countermeasures
5.1 Balancing the Risk Equation with Countermeasures
5.2 The Effect of Countermeasure Use
5.3 Creating an Industrial Network Cyber Defense
Chapter 6.0 Cyberdefense Part I—Design and Planning
6.1 Defense in Layers
6.2 Access Control
6.3 Principle of Least Privilege
6.4 Network Separation
References
Chapter 7.0 Cyberdefense Part II—Technology
7.1 Guidance from ISA99 TR1
7.2 Firewalls and Boundary Protection
7.3 Intrusion Detection
7.4 Virus Control
7.5 Encryption Technologies
7.6 Virtual Private Networks (VPNs)
7.7 Authentication and Authorization Technologies
References
Chapter 8.0 Cyberdefense Part III—People, Policies, and Security Assurance
8.1 Management Actions and Responsibility
8.2 Writing Effective Security Documentation
8.3 Awareness and Training
8.4 Industrial Network Security Assurance Program: Security Checklists
8.5 Security Assurance: Audits
8.6 Adding in Physical Security
8.7 Adding in Personnel Security
References
Chapter 9.0 New Topics in Industrial Network Security
9.1 Red Teaming: Test Yourself Before Adversaries Test You
9.2 Different Types to Answer Different Questions
9.3 Red Teaming Industrial Networks – Caution, It’s Not the Same!
9.4 System Security Demands Both Physical Security and Cybersecurity
9.5 The Transportation Connection: Passenger Rail and Cybersecurity
References
Chapter 10.0 Defending Industrial Networks—Case Histories
10.1 A Large Chemical Company
10.2 Another Company’s Story—Procter & Gamble
Appendix A – Acronyms
About the Author
Preface
So much has happened since the first edition of Industrial Network Security was published in 1995. This area has gone “mainstream” in terms of public awareness of the importance of Industrial Networks to our critical infrastructure and the threat to them from hackers, cyberspies, and cyberterrorists.
For instance, the story “America’s Growing Risk: Cyber Attack” is featured on the cover of the April 2009 Popular Mechanics. And one of the lead stories on the front page of the 8 April 2009 edition of The Wall Street Journal was “Electricity Grid in U.S. Penetrated By Spies.” The story talked about how foreign powers had mapped the U.S. electrical grid and left behind some rogue programs that could be activated remotely to disrupt the grid.
The “Big R,” Regulation, has reared its head in the electric power industry. The NERC-CIP control system cybersecurity standards for electric power generation and transmission entities are now mandated by the U.S. government.
Commercial-off-the-shelf (COTS) hardware and software, as described in Chapter 3, continues its move into Industrial Networks as legacy equipment is phased out. And other sectors, such as passenger rail, described through the writer’s eyes in the new Chapter 9, are coming up to speed on Industrial Network Security as COTS becomes commonplace in that sector’s control systems.
Consistent with the first edition, an effort has been made to keep this book introductory and easy-to-read. As with the first edition, this edition is intended for the technical layman, manager, or automation engineer without a cybersecurity background. New cyber incidents and updated information have been added to the chapters without changing the original format.
1.0 Industrial Network Security
1.1 What Are Industrial Networks?
To define industrial network security, one first has to define industrial networks. For the purposes of this book, industrial networks are the instrumentation, control, and automation networks that exist within three industrial domains:
• Chemical Processing – The industrial networks in this domain are control systems that operate equipment in chemical plants, refineries, and other industries that involve continuous and batch processing, such as food and beverage, pharmaceutical, pulp and paper, and so on. Using terms from ANSI/ISA-84.00.01-2004 Part 1 (6), industrial networks include the Basic Process Control System (BPCS) and the Safety Instrumented Systems (SIS) that provide safety backup.
• Utilities – These industrial networks serve distribution systems spread out over large geographic areas to provide essential services, such as water, wastewater, electric power, and natural gas, to the public and industry. Utility grids are usually monitored and controlled by Supervisory Control And Data Acquisition (SCADA) systems.
• Discrete Manufacturing – Industrial networks that serve plants that fabricate discrete objects ranging from autos to zippers.
The term Industrial Automation and Control Systems (IACS) is used by ISA in its committee name and in the recently issued standards and technical report series from the ISA99 Industrial Automation and Control Systems Security standards and technical committee (also, simply ISA99). This term is closely allied with the term Industrial Networks.
The standard, ANSI/ISA-99.00.01-2007 - Security for Industrial Automation and Control Systems, Part 1 (1), defines the term Industrial Automation and Control Systems to include “control systems used in manufacturing and processing plants and facilities, building environmental control systems, geographically dispersed operations such as utilities (i.e., electricity, gas, and water), pipelines and petroleum production and distribution facilities, and other industries and applications such as transportation networks, that use automated or remotely controlled or monitored assets.” This standard will be referred to as “ISA-99 Part 1” in the book.
The technical report ANSI/ISA-TR99.00.01-2007 Security Technologies for Industrial Automation and Control Systems (4) succeeds the 2004 version of the document referenced in the first edition of this book. This report will be referred to as “ISA-99 TR1.” Note: At the time of this writing, Part 2 of the ISA-99 standard has just been approved. Part 2 is titled Security for Industrial Automation and Control Systems: Establishing an Industrial Automation and Control Systems Security Program (5).
1.2 What Is Industrial Network Security?
When we speak of industrial network security, we are referring to the rapidly expanding field that is concerned with how to keep industrial networks secure, and, by implication, how to keep the people, processes, and equipment that depend on them secure. Secure means free from harm or potential harm, whether it be physical or cyber damage to the industrial network components themselves, or the resultant disruption or damage to things that depend on the correct functioning of industrial networks to meet production, quality, and safety criteria.
Harm to industrial networks and to the related people, processes, or equipment might be through the following:
• Malicious Acts – Deliberate acts to disrupt service or to cause incorrect functioning of industrial networks. These might range from a “denial-of-service” attack against a Human-Machine Interface (HMI) server to the deliberate downloading of a modified ladder logic program to a PLC (Programmable Logic Controller).
• Accidental Events – These may be anything from a “fat-fingered” employee hitting the wrong key and crashing a server to a power line surge.
When we think of industrial networks and computer-controlled equipment, we usually think of what ISA99 documents call “electronic security,” but we should also include some aspects of two other branches of security: physical security and personnel security. These other two branches of security will be addressed in Chapter 2.
To illustrate the distinction, let’s say we have a disgruntled employee who vents his anger in a chemical plant and:
1. turns a virus loose on the computer workstation that runs the HMI software, allowing the virus to spread through the industrial network;
2. takes a pipe wrench and breaks a liquid level sight glass on a storage tank, causing the liquid to leak out on the floor; and
3. pries open the door to an SIS system controller box and disables the overpressure shutdown by installing jumpers between isolated conductors and bypassing the audible alarms.
Acts 1 and 3 fall within our definition of industrial network security. Act 2 is deliberate sabotage, but it is physical sabotage of a mechanical indicating instrument, not of an industrial network. Act 3 involves some physical actions, such as breaking the lock and installing jumpers, but the jumpers then alter the electrical flow within an industrial network, a SIS system.
We acknowledge and stress the importance of physical protection of industrial network components, and also the personnel security that applies to the operators of these networks. However, physical and personnel security protective measures have been around for a long time, and information about these protective measures is readily available elsewhere. Chapter 2 introduces physical and personnel security as part of the entire security picture; however, the majority of this book covers the electronic security of industrial networks.
The ISA99 committee also acknowledges that these other branches of security, such as physical and personnel security, are necessary but similarly states that its standards are mainly concerned with the “electronic security” of industrial automation and control systems.
1.3 The Big Picture: Critical Infrastructure Protection
It is best to introduce the subject of Critical Infrastructure Protection from a historical perspective. In 1996, President Clinton issued PDD 63 (Presidential Decision Directive 63) on Critical Infrastructure Protection (2), declaring that the United States had critical infrastructure that is vital to the functioning of the nation and must be protected. PDD 63 identified eight critical infrastructure sectors, including these infrastructures using industrial networks:
• Gas and Oil Storage & Delivery
• Water Supply Systems
• Electrical Energy
Along with these three were also government operations, banking and finance, transportation, telecommunications, and emergency services.
In February 2003, President Bush released The National Strategy to Secure Cyberspace (3). In it, some additional critical sectors were listed that use industrial networks, including:
• Chemical Industry
• Defense Industrial Base
• Food Production
Figure 1-1 shows how those original and additional critical infrastructure sectors map to the three industrial domains—chemical processing, utilities and discrete manufacturing—we described in Section 1.1 as using industrial networks.
Figure 1-1. Industrial Domain vs. National Critical Infrastructure Areas Using Industrial Networks
The list of critical infrastructure sectors has continued to evolve since February 2003, with the federal government adding “critical manufacturing” to the list in 2008.
A glance at history shows how much the critical infrastructure sectors depend on each other—take one critical sector away and others may come tumbling down like dominoes. The Northeast Blackout of August 2003 showed how a failure of one sector may cascade to others. When the power went out in Cleveland, the water supply pumps in that city also shut down, since they ran on electricity. Similarly, the transportation sector in New York was affected when traffic lights ceased functioning and gas stations couldn’t pump gas, since both were electrically operated.
What conclusions can we draw from this discussion of critical infrastructure?
We can conclude that securing industrial networks in our three domains of interest is a prerequisite for securing critical infrastructure at the national level. And this is true for all industrialized nations. In fact, the more automated and computer-dependent a nation’s critical infrastructure is, the more it depends on developing and applying industrial network security to ensure its functioning in a new age of worldwide terrorism.
1.4 The Challenge: “Open and Secure”
Let’s look at what has happened in the field of industrial networks in the last 12 years or so.
• COTS. Proprietary systems have given way to commercial off-the-shelf (COTS) hardware and software in industrial networks. Now we see everything from Microsoft Windows® to different flavors of Linux and Unix for operating systems, along with Ethernet, TCP/IP, and wireless protocols for networks.
• Connectivity. Once COTS hardware, software, and network components are used in industrial networks, the next logical thing is to connect the industrial networks and the business networks so the formerly incompatible systems can communicate. The business systems are invariably hooked up to the Internet.
• Web, Web Services, and Wireless. Recent developments include the ability to access a Web server in every intelligent electronic device and a browser on every engineer’s office desktop to monitor equipment operations. And wireless LANs (Local Area Networks) offer the convenience of connecting devices without having to install expensive cabling within the plant.
All these developments have opened up our systems, but the question is, “Can we be both open and secure?” Being open and secure is the “Holy Grail” of our new industrial network security discipline. We want to keep the overwhelming business advantages of having open systems, yet secure our systems enough to ensure that our plants and utility grids don’t become ready targets for cyber attack.
1.5 Who’s Working on What?
For all practical purposes, the field of industrial network security began in the late 1990s. The September 11th attacks greatly accelerated the pace of activity. Since then, a bewildering variety of organizations with stakes in securing industrial networks have geared up to work on various aspects of the problem.
The organizations working on industrial network security may be divided into categories:
• Government Organizations. In the U.S., government agencies active in industrial network security include the National Cyber Security Division (NCSD) of the Department of Homeland Security (DHS), organizations within the Department of Energy (DoE), the DoE National Laboratories (e.g., Sandia, Pacific Northwest, and Idaho National), the Department of Commerce National Institute of Standards and Technology (NIST), the Federal Energy Regulatory Commission (FERC), and the General Accounting Office (GAO). Each organization has some stake in protecting the industrial networks that make up portions of the nation’s critical infrastructure. Some organizations, such as FERC, now have regulatory authority, as will be discussed in 1.6.
• In the international arena, government organizations like Canada’s Office of Critical Infrastructure Protection and Emergency Preparedness (OCIPEP) and Britain’s Centre for Protection of National Infrastructure (CPNI) play a similar role in protecting their nation’s critical infrastructure.
• Nonprofit Organizations. These range from international professional and technical societies spanning industrial sectors, like ISA, to U.S.-based industry sector-specific groups like the North American Electric Reliability Corporation (NERC) for electric power and the American Water Works Association (AWWA) for the water utilities. Included among the nonprofits are schools and universities that have courses, seminars, and research and development programs in industrial network security.
• For-Profit Entities. The various corporations that are the vendors and users of industrial networks are key in determining whether industrial network security procedures and equipment are developed, commercialized, purchased, and used successfully.
Within the organizational categories listed above are two organizations that deal with industrial network security, working at the international level across the three areas of chemical processing, utilities, and discrete manufacturing.
These organizations are:
• ISA, through technical and standards committees like ISA99, Manufacturing and Control Systems Security.
• IEC (International Electrotechnical Commission), including Committee 65 for work on the IEC 62443 Network and System Security Standards.
These organizations work across industrial areas and, therefore, manufacturing sectors. For instance, we previously mentioned the ISA-99 series of standards and technical reports that define the breadth of “Industrial Automation and Control Systems” as “applied in the broadest possible sense, encompassing all types of manufacturing and process facilities and systems in all industries in every area of manufacturing.”
1.6 Federal Regulatory Authority
Recently, two federal groups have been given regulatory authority over industrial network security in the public and private sector. The Federal Energy Regulatory Commission has been given the authority to regulate the cybersecurity of the transmission grid, and it has exercised that authority by making the NERC CIP (North American Reliability Corp. Critical Infrastructure Protection) Consensus Industry Standards into official federal regulations with enforcement penalties. The Department of Homeland Security, with its CFAT (Chemical Facility Anti-terrorism) Regulations on the chemical industry, is mostly concerned with physical security but has a cybersecurity section. Other departments of the federal government regulating other critical infrastructure sectors may well get into the act in the future.
References
1. ANSI/ISA-99.00.01-2007 Security for Industrial Automation and Control Systems, Part 1. ISA, 2007.
2. The White House. Presidential Decision Directive 63. Protecting America’s Critical Infrastructure. May 22, 1998. Retrieved 11/11/2004 from: http://www.fas.org/irp/offdocs/pdd/pdd-63.htm.
3. The White House. National Strategy to Secure Cyberspace. February 2003. Retrieved 11/11/2004 from: http://www.whitehouse.gov/pcipb/cyberspace_strategy.pdf.
4. ANSI/ISA-TR99.00.01-2007 Security Technologies for Industrial Automation and Control Systems. ISA, 2007.
5. ANSI/ISA-99.00.01-2007 Security for Industrial Automation and Control Systems: Establishing an Industrial Automation and Control Systems Security Program, Part 2. ISA, 2007.
6. ANSI/ISA-84.00.01-2004 Part 1 Functional Safety: Safety Instrumented Systems for the Process Industry Sector – Part 1. ISA, 2004.
2.0 A Security Backgrounder
2.1 Physical, Cyber, and Personnel Security
When considering security for business and industry, security practitioners have traditionally divided themselves into three areas of specialization. We describe these three areas with the aid of two terms used frequently in security:
• Insiders. The people who belong in your facility, including employees and invited contractors, visitors, or delivery and service people.
• Outsiders. People who don’t belong in your facility, whether they enter physically or electronically. This category covers everyone from vendors through hardened criminals! Uninvited outsiders in your facility are intruders and are guilty of trespassing, at the least.
Keeping these terms in mind, and as mentioned in Chapter 1, the three traditional areas of security are:
• Physical Security. Guards, gates, locks and keys, and other ways to keep outsiders from becoming intruders and insiders from going where they don’t belong. This is the oldest and most established branch of security and claims the highest percentage of security professionals.
• Personnel Security. Practitioners here are usually occupied with these questions: “Are the outsiders I’m about to bring into my plant trustworthy?” and “May I continue to place trust in my insiders?” This area of the security profession covers everything from criminal background checks on new employees and contractors to investigation of security violations by employees and periodic background rechecks of existing insiders.
• Cybersecurity. This category covers prevention, detection, and mitigation of accidental or malicious acts on or involving computers and networks. The area now known as business or IT cybersecurity has its roots in the financial and intelligence communities of the 1960s and 70s.
Industrial network security is primarily IT cybersecurity adapted to industrial networks, but includes important elements of physical and personnel security as well. For instance, does it make a difference if your valuable process recipes, kept as trade secrets on your control network, are taken by industrial spies who:
• hack into your industrial network through the corporate firewall and business network and then download and sell them? (a cybersecurity incident), or
• pull up in a van disguised as legitimate messengers from your computer tape backup storage firm and get an unwitting employee to hand over your freshly made backup tapes containing the same trade secrets (a personnel security incident), or
• break into your plant late at night, cleverly bypassing the burglar alarm, and walk out with the hard drives from your control servers containing the recipes (a physical security incident)?
The net effect is the same in all three incidents—your secrets are gone! In fact, an industrial spy may purposely “case the joint” and choose an attack plan based on where your defenses are weakest.
Successful prevention of industrial network attacks involves getting knowledgeable specialists from all three areas of security to sit around the table and discuss possible attacks and means to prevent them. Brainstorming techniques may be used, with no type of attack dismissed as “too wild an idea” to consider.
For example, before the Sept. 11, 2001 attacks, the philosophy driving airline security was “hijackers want to live.” Wouldn’t it have been valuable to question that assumption in the years leading up to September 11 and say, “But suppose the hijackers want to die? What could or would they do then?”
In this writer’s experience in the corporate security world, I would sit at the lunch table listening to corporate security investigators tell stories of active investigations. Many of their stories were bizarre, such as employees using their corporate credit cards to pay for anything from expensive parts for their own motorcycles to thousands of dollars in elective surgery! Any rational employee would say, “Don’t do that, you’ll get caught!” Did these employees think about consequences before they went ahead with their plans? Maybe, but the consequences didn’t deter them from going ahead anyway.
Let’s see if we can brainstorm a scenario of factory sabotage. For example, the successful sabotage of a factory conveyor system might (1) involve an unscrupulous salesman from a rival conveyor company who has a criminal record (personnel security). (2) He strays into the production area while left unattended after visiting the engineering department (physical security). (3) There, he downloads a modified ladder logic program from his laptop to the conveyor machinery PLC (cybersecurity). That causes the conveyor to mysteriously malfunction the next day, making a purchase of his company’s rival conveyor system more likely the next time he pays a sales call!
Analyses of security incidents usually reveal a chain of events that led up to the actual criminal activity. If security measures, whether they involve physical, personnel, or cybersecurity activity, can be introduced to prevent, detect, and respond to the chain of activities at any point, there is a good chance the final criminal activity can be prevented.
In the conveyor system example, where might security have been introduced to interrupt the chain of events leading up to the conveyor sabotage? Would the outcome have been different if:
• the rival conveyor company had done a criminal background check in the hiring phase and discovered that the salesman had a criminal record; or
• the factory he was visiting had a “company escort required” physical security policy, preventing the salesman from wandering into the production area alone; or
• the factory had active network security measures that prevented the salesman from entering the PLC network and downloading a modified ladder logic program?
If any of these physical, personnel, or cybersecurity measures had been in force, the final event in the chain, the conveyor’s mysterious malfunction, might have been prevented.
2.2 Risk Assessment and IT Cybersecurity
Risk assessment is the process by which you and your management team make educated decisions about what could harm your business (threats), how likely they are to occur (likelihood), what harm they would do (consequences), and, if the risk is excessive, what to do to lower the risk (countermeasures).
Let’s say you are the owner of a large factory making widgets in a Midwestern state, which happens to be in “Tornado Alley.” Your plant building and attached business office building are as shown in Figure 2-1:
Figure 2-1. Widget Enterprises, Inc.
For instance, for risks to the office building and its contents, such as the business computer systems, we can illustrate what one type of risk assessment—a quantitative risk assessment—looks like. In this example we will consider one physical and one cyber threat to the office building and its computer system, per Figure 2-2.
The first, a mild-to-moderate tornado, represents a physical risk to the office building and its contents. Let’s say the likelihood of a mild-to-moderate (known as category F0 to F2) tornado hitting the office building is once every 20 years (a fairly dangerous neighborhood!). The figure assumes the consequence of the threat or average damage to the asset (office building) is $5 million. Therefore, the annual risk from mild-to-moderate tornado damage is:
1 event/20 years × $5 million/event = 0.05 × 5 = $0.25 million/year at risk from this type of tornado.
Now we have a measure of annual risk in terms of dollars. We can compare it with the very different risk of, let’s say, a particular type of cyber attack by an industrial spy who seeks to download your carefully guarded database of best customers and what they typically order from you.
Figure 2-2. Office Building – Physical and Cyber Risk Assessment
Once we enter the cyber realm, doing a quantitative risk assessment raises a problem: unlike weather damage or a physical security issue like robbery, there are not a lot of historical statistics to draw from to get likelihood numbers. But some data on the frequency of industrial spying of all types does exist, with on-average loss by different size companies and industries. This data, coupled with loss data from your factory, might enable you to come up with a reasonable estimate so you could continue being quantitative (as opposed to qualitative, which is the alternative; we will focus on qualitative risk assessment in an upcoming section).
Let’s estimate the likelihood of this event at one cyber-theft (threat) every three years, and the sales you would lose as a result of this information being given to your competitors (consequence) at $10 million. Then, from this type of cyber event:
1 event/three years × $10 million = $3.3 million/year at risk.
Here is the power of a quantitative risk assessment. For the first time, we can compare the cost of physical damage to cyber damage in terms that top management will understand—dollars. Based on this risk assessment, we may conclude that the monetary risk of an industrial spy cyber attack is greater than the monetary risk of a tornado. In later chapters, we will see how countermeasures or preventive remedies, such as reinforced construction to limit tornado damage, can be evaluated against calculated risk to see if they are worthwhile.
Keep in mind that our risk analysis has been simplified. Usually, more terms enter into a risk analysis, and, as mentioned, getting good numbers or ranges of numbers for a quantitative cyber risk assessment may be difficult.
The following people will have a lot of interest in the office building risk assessment we just made:
• The business owner, the CEO, and the general managers
• The Physical Security Manager and the Facilities Manager (who may be the same individual)
• The Chief Information Officer (CIO) and the part of the CIO’s organization responsible for business systems cybersecurity (perhaps an IT cybersecurity manager).
Let’s draw an organization chart (see Figure 2-3) to represent a simplified management structure for a stand-alone factory. (Note that in a modern multi-plant manufacturing corporation, numerous “dotted line” relationships would exist between corporate and plant management.)
Figure 2-3. Organization Chart
The IT cybersecurity manager, who reports to the CIO, is responsible for the corporate firewalls and Intranet and Internet access, and might have these IT security issues to deal with:
• Web. Downloading of pornography or illegal content by employees.
• Email. Viruses coming in; spam.
• Remote access. Allowing authorized users to connect via modem pool or virtual private network, and keeping unauthorized people and hackers out.
• Unlicensed software. Keeping employees from using unpaid-for or unapproved software.
To address these problems and a host of other IT security issues, the IT cybersecurity manager draws on the field of business or commercial cybersecurity. This field, termed “computer and network security” in prior times, includes the following:
• IT security technology. Firewalls, antivirus programs, and audit and security diagnostic programs and tools.
• Trained personnel. Specially trained computer security practitioners, holding certifications such as Certified Information System Security Professional (CISSP) or Certified Information Systems Auditor (CISA) and trained in the IT security body of knowledge.
• IT security policies, processes, and procedures. Published cybersecurity guidelines and recommendations from various commercial cybersecurity organizations.
In short, a “body of knowledge” is readily available for this area, whether we call it IT, commercial, or business cybersecurity.
2.3 Risk Assessment for the Plant
Now that we’ve covered the business office building, let’s take a look at our widget production factory building (Figure 2-4):
Figure 2-4. Inside the Factory Building
Here, we see the type of industrial network we would expect to see in discrete manufacturing, with PLCs, HMIs, etc.
This time, let’s illustrate a risk assessment more appropriate to a plant scenario, where we may not have access to realistic numbers or estimates for the likelihood of a physical or cyber attack. In a qualitative risk assessment, relative rankings substitute for absolute numbers or estimates of likelihood and consequences. The output is a prioritized list of risks, showing which are more substantial.
Figures 2-5 and 2-6 give the procedure for a qualitative assessment and the resulting risk matrix. We are evaluating two scenarios here. The first—a physical attack—is a sabotage of the assembly line by a disgruntled employee with hand tools. The second is a cyber attack to sabotage the PLC network that runs the assembly line.
Figure 2-5. Qualitative Risk Assessment Example
As a result of the risk assessment process shown in these figures, the risk assessment team concludes that scenario (b), the cyber attack, is more threatening than scenario (a), the physical attack.
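The two assessments of Sections 2.2 and 2.3 carried through in code, as an added example that is not from the book: the quantitative part reproduces the office-building arithmetic (likelihood per year × consequence in dollars) and ranks the tornado against the cyber theft; the qualitative part ranks the two factory scenarios on relative scales and places them in a risk matrix. The five-step scales, the band thresholds, the scenario rankings and the countermeasure figures are constructed assumptions; the book's own Figures 2-5 and 2-6 may use different scales.

```python
"""Quantitative and qualitative risk assessment for Widget Enterprises.

Added example, not code from the book. The tornado and cyber-theft
figures are the ones the text uses; the qualitative scales, band
thresholds, scenario rankings and countermeasure numbers are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class QuantitativeThreat:
    """A threat with an estimated recurrence interval and loss per event."""
    name: str
    years_per_event: float   # one event every N years
    consequence_musd: float  # average loss per event, in $ million

    @property
    def likelihood_per_year(self) -> float:
        return 1.0 / self.years_per_event

    @property
    def annual_risk_musd(self) -> float:
        # annual risk = likelihood (events/year) x consequence ($/event)
        return self.likelihood_per_year * self.consequence_musd


def rank_quantitative(threats):
    """Order threats by annual dollar risk, largest first."""
    return sorted(threats, key=lambda t: t.annual_risk_musd, reverse=True)


def countermeasure_net_benefit(threat, annual_cost_musd, risk_reduction):
    """Risk avoided per year minus the countermeasure's annual cost.

    Assumption: a countermeasure is worthwhile when the result is positive.
    risk_reduction is the fraction of the threat's annual risk it removes.
    """
    return threat.annual_risk_musd * risk_reduction - annual_cost_musd


# Section 2.2: office building, quantitative (figures from the text)
TORNADO = QuantitativeThreat("F0-F2 tornado hits office building", 20, 5.0)
CYBER_THEFT = QuantitativeThreat("industrial spy steals customer database", 3, 10.0)


def office_building_assessment():
    """(name, $ million/year at risk) pairs, highest risk first."""
    return [(t.name, round(t.annual_risk_musd, 3))
            for t in rank_quantitative([TORNADO, CYBER_THEFT])]


# Section 2.3: factory floor, qualitative (scales are constructed)
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass(frozen=True)
class QualitativeScenario:
    """A scenario ranked on relative scales instead of absolute numbers."""
    name: str
    likelihood: str
    consequence: str

    @property
    def score(self) -> int:
        return LIKELIHOOD[self.likelihood] * CONSEQUENCE[self.consequence]


def risk_level(score: int) -> str:
    """Map a matrix cell to a band (thresholds are an assumption)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def rank_qualitative(scenarios):
    """Prioritized list of scenarios, most substantial risk first."""
    return sorted(scenarios, key=lambda s: s.score, reverse=True)


def risk_matrix(scenarios):
    """5x5 grid indexed [likelihood rank-1][consequence rank-1] -> names."""
    grid = [[[] for _ in CONSEQUENCE] for _ in LIKELIHOOD]
    for s in scenarios:
        grid[LIKELIHOOD[s.likelihood] - 1][CONSEQUENCE[s.consequence] - 1].append(s.name)
    return grid


# Constructed rankings for the two plant scenarios the text evaluates
PHYSICAL = QualitativeScenario("(a) employee sabotages assembly line with hand tools",
                               "possible", "moderate")
CYBER = QualitativeScenario("(b) cyber attack sabotages the PLC network",
                            "likely", "major")


def factory_assessment():
    """Prioritized (name, score, band) list for the plant scenarios."""
    return [(s.name, s.score, risk_level(s.score))
            for s in rank_qualitative([PHYSICAL, CYBER])]


if __name__ == "__main__":
    for name, risk in office_building_assessment():
        print(f"{risk:6.3f} $M/yr  {name}")
    for name, score, band in factory_assessment():
        print(f"score {score:2d} ({band})  {name}")
    # constructed: reinforced construction at $0.1M/yr cutting tornado loss by 60%
    print("net benefit $M/yr:", round(countermeasure_net_benefit(TORNADO, 0.1, 0.6), 3))
```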
2.4 Who’s Responsible for Industrial Network Security?
Now we come to the question, “Who’s responsible for the (1) physical security and (2) cybersecurity of the industrial network?”
Let’s look at a possible list of candidates. Within the CIO organization, there might be an IT cybersecurity manager, per the organizational chart in Figure 2-3. Within the factory organization any or all the following managers and technical people might be involved:
• Plant Manager
• Production Manager
• Engineering Manager
• Automation and Control Manager
• Automation Engineer, Technician, and Plant Operator
• Facilities Manager
• Physical Security Manager
Figure 2-6. Qualitative Risk Matrix
SowhodotheCEOanduppermanagementusuallythinkisresponsibleforindustrialnetworkphysicalandcybersecurity?Forthephysicalsecurityoftheindustrialnetwork,itmaybearguedthatwhoeverisinchargeofplantphysicalsecurity,suchastheFacilitiesorPhysicalSecurityManager,hasthisresponsibility.(Althoughtheplantsecurityguardsareusuallyguardingtheplantentrances,farawayfromtheproductionareaofthefactory,thismighttheoreticallycoverthedisgruntledemployeeattackingthePLCnetworkwithapipewrench!)
But,inmanyconferencediscussionstheauthorhasparticipatedin,theusualansweristhatiftheCEOandtopmanagementrealizethatindustrialnetworkcybersecurityisalegitimateconcernatall,theythinktheCIOandtheITcybersecuritymanagerhavethisareacovered.(Andtheyusuallypointtothecorporatefirewall,corporatecybersecuritypolicies,andthegamutofITsecuritycontrolstoproveit.)
ButifwethengototheCIOorganizationandasktheITcybersecuritymanagershowwelltheyarecoveringthis“newlyassigned”areaofindustrialnetworksecurity,thetypicalanswermightbetheyaretotallyunfamiliarwithcontrolsystems:“EngineeringandProductionhandlethat.”
Asmentioned,thefieldofindustrialnetworksecurityreallybeganinthelate1990sandthenacceleratedfollowingtheSeptember11attacks.SinceSeptember11,alotofprogresshasbeenmadeinthisfieldbythemanyorganizationslistedinSection1.5ofthisbook.
However,incontrasttoITcybersecurity,thefieldisstillyoungandthereisonlyalimitedamountofknowledgeandexperiencetodrawupon.Andunlessacorporationhashadtheforesighttospecificallydesignateanindividualoragroup,oritsentireAutomationandControlEngineeringstaff,tohandlethisveryspecializedareaofindustrialnetworksecurity,therealanswertowhoisresponsibleforindustrialnetworksecurityis“noone!”
Unlike the commercial computing profession, which has included cybersecurity as a legitimate area of study and practice for many years, the automation and controls area has not traditionally had much contact with any area of security, especially cybersecurity. Security, whether physical, personnel, or cyber, is just not in the curriculum of the vast majority of engineering and technical schools. It is slowly making its way into the curriculum in some universities in the form of individual courses and seminars, but is certainly not in the mainstream yet.
Many manufacturing corporations that decided to build an organization or entity to handle industrial network security have formed a cross-disciplinary task force, committee, or permanent group, consisting of people and/or knowledge and experience from the following plant organizations:
• Automation and Controls Engineering, Production, and Maintenance
• IT Cybersecurity
• Safety (especially in a hazardous workplace, such as a chemical plant or refinery)
• Physical Security (facilities)
• Human Resources (for personnel security matters)
Only when industrial network security is included as part of an overall security effort will the proper resources, leverage, and empowerment be available to do the job well. Although grassroots efforts by control engineers to secure their industrial networks are well-intentioned and commendable, they will seldom be enough to do the job. Just as with safety, the first step starts with ownership and commitment by upper management.
But, as mentioned, top management may not recognize a clear need for an effort in this area. A business case for industrial network security may have to be made and presented. The following section gives some tips on how to do this.
2.5 Tips for Making the Business Case to Upper Management
1. Don’t use cyber “tech-talk” to sell top management on industrial network security. Instead, use a language they understand—risks, consequences, and the cost of reducing the risk versus the cost of doing nothing. As much as possible, try to put consequences in dollar terms.
2. Don’t use the “sky-is-falling” approach and concentrate only on the worst case scenario. That gets old fast. Instead, add up the consequences of inaction—whether it be a threat to safety, lost trade secrets, downtime, etc. Even better, try to include all possible consequences in an itemized scenario.
3. Do be very specific. If production downtime is a consequence, how many days of downtime? What will the cost be? What will be the cost of getting production going again, of cleaning up a virus from the industrial network, for instance?
4. Do realize that you can’t protect everything from every threat. Countermeasures to reduce the risk usually cost money. And the necessity of spending the money to pay for these countermeasures will have to be sold to management. (This is a process called risk management, which we will cover later in this book.)
5. Do use publicly documented cases in which industry was hit by cyber attacks. Some well-documented cases of cyber attacks are described in Chapter 4. Then describe what the consequences would be if a similar attack hit your plant or industry.
2.6 Making the Business Case with Data
Here is an example of how a business case was made for a significant IT cybersecurity investment (1).
A Texas University medical center cybersecurity manager calculated the cost of spam to his organization at $1 per spam message, and the cost of recovering from the Nimda outbreak in 2001 at $1 million. On the basis of these numbers, he successfully justified to the chief financial officer the purchase of spam filtering and enterprise antivirus software and showed how the countermeasures would more than pay for themselves. The business case was made with hard business data from his organization, in dollars.
A similar approach might be used to argue for industrial network security. Let’s say you are a control engineer using COTS software on your industrial network and have had the good fortune never to have been hit by a virus or worm. If your control network is part of a large multinational corporation, chances are that some portion of the IT network in your corporation was hit. And it probably has downtime and network recovery figures that you can use for your estimates, as well as horror stories.
By asking the question “If this attack had happened to our industrial network(s), what would the result be in, say, X number of servers down, Y days of lost production, Z days to clean up and recover?” you might make a convincing case that, since major virus/worm attacks happen at least several times a year, your company might avoid the inevitable loss by installing countermeasures such as firewalls, antivirus software, or other products.
References
1. Violino, B. “Texas University Calculates Financial Benefits of its Spam, Virus Defense.” InternetWeek.com article. October 29, 2003. Retrieved 11/11/2004 from: http://www.internetweek.com/showArticle.jhtml?articleID=15600902.
3.0 COTS and Connectivity
3.1 Use of COTS and Open Systems
Commercial-off-the-shelf (COTS) describes the movement of business and commercial computer and networking hardware and software into the industrial network area, displacing proprietary devices and applications. This trend started 10 to 15 years ago and includes the following:
• Operating systems. Microsoft Windows NT®, Windows 2000®, and Windows XP® are being used in industrial networks. In the Unix world, flavors of Unix including Sun Microsystems’ Solaris®, IBM’s AIX®, and Hewlett-Packard’s HP-UX®, to name a few, have also moved into industry. Most recently, the Linux world has entered industrial networks.
• Database software, such as Microsoft SQL Server® and Oracle® databases.
• Hardware, including Windows® PCs, workstations, and servers, and Unix workstations and servers.
• Networking products such as Ethernet switches, routers, and cabling.
• Networking protocols for TCP/IP-based LANs, using protocols such as HTTP, SNMP, FTP, etc.
• Development languages, including C++, Microsoft Visual Basic .NET®, Microsoft C#®, Sun’s Java®, etc.
• Object Linking and Embedding for Process Control (OPC).
• Internet, with standard or custom browsers as process interfaces to web servers in IEDs (Intelligent Electronic Devices).
• Wireless LANs using the IEEE 802.11 protocol.
3.2 Connectivity
Once COTS is used in industrial networks, the business side demands, “Now that you have opened it up, connect it so we can talk.”
Connectivity is desired:
• between the corporate business network and the industrial network,
• for remote access to the industrial network from outside the corporate firewall, and
• to vendors, customers, and other business partners from the industrial network.
3.3 What You Get that You Didn’t Bargain For
The movement to COTS and connectivity gives you a multitude of business advantages, such as:
• Standardization
• Compatibility with business systems
• Much lower purchase cost
• Familiar interfaces
• Less training time and effort
With these advantages, you also get some “baggage” to contend with:
1. Forced updates to software are much more frequent than with the original proprietary systems.
2. There are millions of extra lines of software code for a multitude of features, many not wanted or needed in industrial applications.
3. The industrial world is not the business driver for COTS.
4. Numerous software-related quality and security issues exist, in part the result of the drive by vendors to get new software out the door quickly.
5. There is a continual need to install patches for software security and proper functionality.
These drawbacks are seldom realized up front, when the systems are purchased.
The business concept called “total cost of ownership” enables you to realistically evaluate these systems by adding the cost of maintenance, updates, patching, etc., to the up-front purchase or licensing cost over the life of the installed system. These life-cycle costs should be included in any total cost of ownership analysis. This concept is discussed in Reference 1.
It is apparent that some of the economic benefits of moving to COTS and connecting up are negated by some of the drawbacks. For instance, how many proprietary industrial network software programs have ever been hit by a computer virus or worm?
Remediation of attack by a virus or worm is a hidden cost of using COTS, which will not show up during purchase but which should be included in a total cost of ownership analysis. If antivirus software is purchased to prevent these cyber attacks, the cost of installing and maintaining this software should also be included in the total cost of ownership analysis.
References
1. Emigh, Jacqueline. “Total Cost of Ownership.” Computerworld.com article. December 20, 1999. Retrieved 11/11/2004 from: http://www.computerworld.com/hardwaretopics/hardware/story/0,10801,42717,00.html
4.0 Cybersecurity in a Nutshell
4.1 Security Is a Process
Security is very similar to safety in that it is a continual process rather than an end point. A control network that is secure today may be insecure tomorrow, because hackers are always thinking up new attacks.
Securing industrial networks involves technology, but technology is only one ingredient of the final mix. Successful industrial network security is a carefully composed mixture of the following:
• Educated and aware users
• Appropriate organizational structure
• Security strategy matched to the organization structure
• Policies and procedures that work
• Audit and measurement programs
• Security technology appropriate to the above mix, at a level of sophistication understood by those who use it
4.2 Basic Principles and Definitions
We can carry over some basic principles of commercial computer and network security to the industrial network space. The first is called the AIC triad. AIC stands for Availability, Integrity, and Confidentiality. Figure 4-1 shows these principles as the points of a triangle:
Figure 4-1. The AIC Triad
Let’s start with availability. For industrial networks, availability means the network is fully operational and available to users and other machinery and processes when needed. If the system is not operating, or not operating correctly for any reason when it is needed, this property is not satisfied. It could be unavailable for many reasons, such as the following:
• An unintentional user error crashed the system.
• The system has a computer virus or was just hacked by an insider or outsider.
• A power failure has occurred, and the backup generator isn’t supplying enough power.
• The computer room just burned to the ground.
Case History 1: Lack of Availability
The Omega Engineering logic bomb: Omega Engineering is an instrument and control vendor in New Jersey that suffered heavy losses in May 2000 when it fired a disgruntled computer systems administrator (1). Before he left the building, the employee planted a “logic bomb,” which, when activated, erased Omega’s production software programs. He also stole the company’s software backup tapes as “insurance”!
It took Omega Engineering months to get back into production after this incident. The company suffered heavy financial losses, while their competitors gained ground on them.
The next AIC factor is integrity. Integrity in computer security may be defined from two angles: the integrity of the data, and the integrity of the computer hardware and software itself.
Integrity of data means that there should be no inadvertent or malicious modification of data while it is stored or being processed on a system.
Let’s apply this concept to a SCADA system for a gas pipeline. If a remote pressure sensor on the pipeline reads 1000 psig (process data), and that value is faithfully transmitted to the central gas control room and shows up as 1000 psig on the main control panel, we have data integrity. If the value shows up as 2000 psig or 500 psig, we have a process data integrity problem!
Hardware/software system integrity implies that the hardware and software versions and configuration are correct at any given time, and only authorized changes or updates have been made.
For instance, hardware/software integrity is flawed if an HMI application was tested only with a previous release of an operating system, and the operating system software is upgraded or patched without proper compatibility testing and change authorization.
The third AIC component is confidentiality—the ability to keep information on a computer system secret. It should be accessible only to people authorized to receive and view and modify that information, and no one else.
For instance, a chemical or pharmaceutical corporation has recipes, formulas, and production methods it wants to keep away from competitors and to prevent the information from becoming public knowledge. The company has gone to great lengths to develop or acquire this information.
Case History 2: Theft of Trade Secrets
A case involving Lucent Technologies (2) illustrates the significance of confidentiality in computer security. In 2001, two Chinese nationals were indicted for stealing proprietary telecommunications computer code while working at Bell Labs in Murray Hill, New Jersey. They were first noticed when their employer observed portions of the proprietary computer code being emailed from the company’s network. They were successfully convicted in one of the first cases prosecuted under the 1996 Federal Economic Espionage Act protecting trade secrets.
4.3 Basic Principles: Identification, Authentication, and Authorization
In addition to the AIC triad, three other definitions are important in classic computer and network security: identification, authentication, and authorization.
Identification answers the question, “Who am I?” If I log on to my computer as user DJT, that tells the computer I am David J. Teumim, a legitimate user listed in the password file.
But how does the computer distinguish me from an imposter posing as me?
Authentication requires that you “prove it” by reinforcing your identity, using one or more of three possible authentication factors:
• Something you know (a password)
• Something you have (a hardware token or key)
• Something you are (a biometric, like your voiceprint or fingerprint)
Using more than one authentication factor increases security.
For instance, several chemical companies use “two-factor authentication” to grant employees remote access to plant computers from their homes. The hardware token (something you have) displays a unique number that changes every minute according to a random pattern. When the remote user logs in, he or she enters the number on the token, along with a fixed four-digit PIN (something you know). The random number entered by the user must match the pre-synchronized random number on the company’s central security administration server. Only then is the user granted remote access rights.
Authorization deals with what your access privileges are, once you have successfully logged onto the protected system. Which system features may you use? Which system programs or files may you view, modify, delete, etc.?
For instance, in the control room of a petroleum refinery, control room operators may have access to functions required for normal operation, but only control engineers may be authorized to perform other functions, like changing HMI programming.
4.4 More Cyber Attack Case Histories
This section describes some control system attacks that have been documented in the press.
Case History 3: SCADA Attack
This incident is a classic in industrial network security, the first publicly documented cyber attack on a control system, in this case, a wastewater treatment SCADA system in Australia.
In this incident (3), a 49-year-old man who had worked for the supplier that installed a computerized SCADA system for the municipal wastewater works was convicted of a cyber attack on the municipality’s sewage system. The attack sent millions of gallons of raw sewage spilling into local parks and rivers in Queensland, Australia, causing considerable damage. The convicted man was caught in his car with radio equipment and other computer apparatus used to hack into the SCADA network.
Case History 4: Computer Worm in a Nuclear Plant Control System
In August 2003, the Nuclear Regulatory Commission (NRC) issued an informational alert to all nuclear plant operators about a situation that occurred earlier in 2003 at the Davis-Besse nuclear power plant in Ohio (4), which was infiltrated by the Slammer worm. In a scenario all too familiar to IT cybersecurity experts, the worm entered the plant by a roundabout route. A T1 communications line that led to a network to which the company’s corporate business network was connected became the conduit for the worm to reach and crash the Safety Parameter Display System (SPDS). The SPDS is an industrial network that displays the status of critical reactor safety monitoring sensors such as core temperature, coolant status, etc. Fortunately, the plant was offline, and a backup analog system could be used while the digital system was out.
Case History 5: Computer Worms Infect Auto Manufacturing Plant
In August 2005, thirteen DaimlerChrysler auto manufacturing plants were knocked offline for an hour by two Internet worms, idling 50,000 workers, while infected Windows 2000® systems were patched (5). The Zotob and PnP worms infected systems integral to the manufacturing process.
Could the incidents described in Case Histories 3, 4, and 5 have been prevented? Chances are excellent that with a sufficiently advanced and well-thought-out industrial network security program, they could have been. However, even in the best-planned schemes, there is no foolproof program to ensure you will never have a security incident. If prevention fails and you do have an incident, the goal of industrial network security is to detect the threat and mitigate the damage as quickly and efficiently as possible.
4.5 Risk Assessment and Risk Management Revisited
Let’s return to our discussion of risk assessment, begun in Chapter 2.
Suppose we have an industrial network controlling our factory’s assembly line. The assembly line machinery can be attacked physically, by a disgruntled employee, or by an outside hacker who can get into the system by several means.
We introduced these terms in Chapter 2:
• Asset (What you have that you want to protect.)
• Threat (The person or event that can cause harm.)
• Consequence (The harm that can be caused.)
• Likelihood (How often the threat is expected to cause harm over a certain time.)
• Risk (Consequences expected over a certain time.)
• Countermeasures (Ways to reduce risk.)
Let’s now look at cyber threats in more detail, and add another term to our risk assessment model: vulnerability.
4.6 Cyber Threats
Military, law enforcement, and IT cybersecurity experts typically break down the category of threats further, in what is known as “threat analysis.”
We can introduce the following terms and concepts:
• Adversary (Who is he, she, or it? Is it a single person, an organization, or a terrorist group?)
• Intent (What motivates this person or organization? Anger? Revenge? Money?)
• Ability (How capable is your adversary? Able to write custom scripts for cyber attack? Or merely capable of downloading scripts that others write, and then running them?)
• Target (What is their immediate goal? Their ultimate goal?)
Let’s construct a simple chart, a threat matrix, to describe these concepts for several threat agents (see Figure 4-2).
4.7 Vulnerabilities
A vulnerability is a “chink in your armor,” an inviting spot or situation where an attack by an adversary is likely to succeed. For instance, if a burglar tries your locked front door and then goes around to the back door and finds it unlocked, the unlocked back door is a vulnerability.
Figure 4-2. A Threat Matrix
In industrial network security, a vulnerability is a place where a cyber attacker can bypass whatever built-in defenses an application, network, or operating system has in order to gain privileges that would normally be unavailable. This enables the attacker to insert actions and commands, or even become the all-powerful system administrator on an operating system like Windows, or acquire “root” privileges on a Unix box.
Using COTS hardware, software, and networking in industrial networks brings into the controls world the same vulnerabilities that plague the Internet and the business computing world. COTS software vulnerabilities are due to the following:
• Complexity. Operating systems and application software have millions of lines of code. One figure quoted in the literature says there is an average of one software bug per 100 lines of code. Some fraction of these bugs will be security vulnerabilities. (Figure out how many software bugs are in a 40 million line program!)
• Inadequate Quality Assurance. Software manufacturers do not always catch these quality and security flaws before they go out the door as production code. They may think it sufficient to use software customers as “quality testers” and have them report bugs to be corrected in the next software revision.
• Speed to Market. Competition and concentration on numerous new features lead to rapid-fire releases of new software versions.
• Lack of Seller Liability. The majority of commercial software licenses do not hold the seller responsible for any damage to your systems from software that does not function properly. (Contrast that with the liability for manufacturers of cars, household appliances, or airplanes. If these products cause injury or economic damage, a rash of lawsuits usually follows, sometimes involving punitive damages.)
• Lack of Security-Based Development Tools and Languages. The standard software development languages, such as C, C++, and Visual Basic, were not composed with security in mind. Adding security features was frequently an assigned or unassigned task left up to the programmer, who is under development time pressure. This situation is beginning to change, as there are now seminars, books, and some software tools to help the developer write more secure software.
Let’s look next at the most common COTS software flaw affecting security—the buffer overflow.
4.8 A Common COTS Vulnerability: The Buffer Overflow
Buffer overflows cause an estimated 40 percent of the exploitable software flaws in the COTS software environment. Sad to say, they have been around for more than 20 years. We know how to fix this flaw, but the discipline to eliminate buffer overflows has not permeated very far into COTS software development.
In programming languages, such as the C language, when you run a function (which is somewhat like a subroutine) from the main program, the memory area devoted to your function will contain a “stack,” or buffer area. The stack contains things such as the values you are calling the function with, and the local variables you will be using in the function. At the end of the allotted buffer space for the function is a “return address” that tells the computer what line in the main program to return to after it has finished running the function.
Suppose, in the C language, you want to ask the user for input via the keyboard as a task for your function. Say you want to ask the user for his or her “last name,” and you figure it should be no more than 20 characters long.
You would assign a variable like “Lastname” to hold 20 characters maximum. But the C language lacks an inherent mechanism for preventing a malicious user from putting in too many characters when typing input, and the computer will accept those extra characters and allocate those extra and unexpected characters to “Lastname” in the buffer.
A clever hacker can craft a very long string of characters, followed by a short, very carefully constructed command that overwrites the original return address sitting in memory at the end of the allocated buffer space. This overruns the buffer when the input is given. The new return address tells the computer to return to a place in the hacker’s code, not to the legitimate address that was in the original program.
If the hacker is clever enough to craft the right commands in that illegitimate string, he or she can insert commands that will give “root” privileges on a Unix box or administrator privileges on a Windows operating system when overflowing certain programs. Essentially, the hacker now “owns” the system, with one buffer overflow command. Not a bad achievement for a hacker who can craft the right string!
The clever original hacker who discovered the buffer overflow string may then publish the technique to a hacker website or bulletin board for other, less-experienced “script kiddies” to use.
As we have seen, despite the fact that buffer overflows have been known about for more than 20 years, and programming techniques have been developed to fix them, progress on eliminating them has been slow. New code comes out every day with buffer overflow vulnerabilities just waiting to be discovered. Once they are discovered in published software code (let’s hope by someone on the security side of the fence and not a hacker), the only hope is for the software supplier to issue a code fix or “patch” for systems administrators to apply before a new cyber attack takes advantage of the vulnerability.
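The 20-character “Lastname” buffer described above, read two ways: an unbounded copy that has exactly the defect the section describes, and a bounded copy that refuses overlong input instead of writing past the array. This is an added example in C, not code from the book; the function names, and the use of strcpy to stand in for an unbounded keyboard read, are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* The 20-character maximum the text assumes for "Lastname". */
#define LASTNAME_MAX 20

/* UNSAFE: the pattern the section describes. lastname holds 20 bytes, but
 * nothing limits how much is copied into it; input longer than 19 characters
 * plus the terminator runs past the array into whatever the compiler placed
 * next on the stack. Shown only to make the defect concrete; never call it
 * with untrusted input. */
void read_lastname_unsafe(const char *input)
{
    char lastname[LASTNAME_MAX];
    strcpy(lastname, input);            /* no bound check at all */
    printf("stored \"%s\"\n", lastname);
}

/* SAFE: copy at most LASTNAME_MAX - 1 characters, always terminate the
 * string, and tell the caller whether the input had to be cut short so it
 * can reject the input rather than silently keep a truncated name.
 * Returns 1 if the input was too long, 0 if it fitted. */
int read_lastname_safe(const char *input, char lastname[LASTNAME_MAX])
{
    size_t len = strlen(input);
    int truncated = len >= LASTNAME_MAX;          /* no room for the '\0' */
    size_t n = truncated ? LASTNAME_MAX - 1 : len;
    memcpy(lastname, input, n);
    lastname[n] = '\0';
    return truncated;
}

int main(void)
{
    char line[256];
    char lastname[LASTNAME_MAX];

    printf("Last name (max %d chars): ", LASTNAME_MAX - 1);
    /* fgets itself is bounded by sizeof line, so the first read is safe too */
    if (fgets(line, sizeof line, stdin) == NULL)
        return 1;
    line[strcspn(line, "\n")] = '\0';   /* drop the newline fgets keeps */

    if (read_lastname_safe(line, lastname)) {
        printf("rejected: input longer than %d characters\n", LASTNAME_MAX - 1);
        return 1;
    }
    printf("stored \"%s\"\n", lastname);
    return 0;
}
```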
4.9 Attacker Tools and Techniques
Let’s look at some of the tools and techniques our adversaries use:
• Viruses. Viruses have been around since the advent of the PC. They spread by infecting new host computers with their code (which can be carried on a USB flash drive or CD), by a program, or by a macro for a spreadsheet or word processing program. A virus can spread by email if it contains an executable attachment that can be opened.
• Worms. A worm contains self-replicating code that may spread through a network like a LAN or the Internet. A worm spreads copies of itself and does not need host software to spread.
• Trojan Horse. This is a program that seems to do something beneficial with one part of the code, while a hidden part of the code does something malicious. An example of a Trojan Horse would be a screen saver that also emails a copy of the confidential data files on your computer to a competitor!
• Logic Bomb. This software program lies dormant on a computer hard drive until it is activated by a trigger, such as a certain date or event. Then it activates and causes malicious activity.
• Denial-of-Service Attack. This kind of attack, usually network-based, overwhelms a server with a flurry of false requests for connection or service, causing the server to lock up or crash.
• Botnets. Botnets are networks of infected computers available to do the bidding of “bot herders” who rent out their hundreds or thousands of compromised computers for hacking or coordinated denial-of-service attacks.
The hacking community spreads its know-how and wares through a variety of outlets:
• Hacking websites. Thousands of websites across the Internet offer advice and code on everything from stealing phone service to breaking into wireless networks. Such sites may even offer downloadable “point-and-click” hacking tools for the novice.
• Books and CDs. At most local computer shows, you can find inexpensive CDs loaded with hackers’ tools and “exploit code.”
• Chat Rooms and Bulletin Boards. Many hackers will brag about their techniques and offer to share them in online chat rooms like Internet Relay Chat (IRC).
4.10 Anatomy of the Slammer Worm
Now that we’ve seen how our adversaries (disgruntled employees, industrial spies, and hackers) can get their hands on tools (viruses, worms, network scripts that exploit vulnerabilities in COTS code), let’s take a look at a 2003 worm called Slammer that caused the nuclear plant safety display monitoring system shutdown described in Section 4.4.
The Slammer worm caused havoc, bringing the entire Internet to a crawl in just 15 minutes. The attack started with a single data packet, a User Datagram Protocol (UDP) packet of 376 bytes total (much smaller than previous worms such as Code Red, at 4 KB, or Nimda, at 60 KB). It targeted UDP port 1434, the port that Microsoft SQL (Structured Query Language) Server database software listens on. Once received, Slammer overflowed the buffer with specialized code that spilled past the 128 bytes of memory reserved for the input. It then had machine-language code that caused the machine to overwrite its own code and reprogram itself to send out a flurry of new 376-byte UDP packets to Internet IP (Internet Protocol) addresses it calculated using a random number generator. The timing was such that the worm could double the number of infected hosts every 8.5 seconds, bringing the Internet, and corporate LANs connected to it, to a crawl as the available bandwidth was used up.
As the previous section indicates, the Slammer worm clogged up internal bandwidth at the Davis-Besse nuclear plant industrial network. It also caused considerable damage elsewhere. A 911 call center in Washington State that used the SQL Server database was effectively shut down. Emergency dispatchers had to resort to a cumbersome manual procedure to make do until the system could be brought back up.
A synopsis of how the Slammer worm spread is shown in Figure 4-3.
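A detection check for the packet shape just described, as an added example in C rather than anything from the book: it parses a UDP header and flags a datagram to port 1434 whose payload is longer than the 128-byte input buffer the text mentions. The port and threshold come from the text; the header layout is standard UDP; it assumes the IP header has already been stripped, and the datagram built by make_udp is a constructed sample of filler bytes, not worm code.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define UDP_HDR_LEN 8
#define SQL_RESOLUTION_PORT 1434   /* UDP port SQL Server listens on (Section 4.10) */
#define SQL_INPUT_BUFFER    128    /* bytes reserved for the input (Section 4.10) */

/* Verdicts returned by inspect_udp(). */
enum verdict { UDP_OK = 0, UDP_MALFORMED = 1, UDP_SUSPECT_OVERFLOW = 2 };

/* Parsed view of a UDP header; all header fields are big-endian on the wire. */
struct udp_info {
    uint16_t src_port, dst_port, length;
    size_t payload_len;
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Parse the UDP header out of `dgram` (IP header already removed) and decide
 * whether it is an oversized request to the SQL Server port. Parsed fields are
 * copied to *out when out is non-NULL. A length field that disagrees with the
 * bytes actually received is treated as malformed rather than trusted. */
enum verdict inspect_udp(const uint8_t *dgram, size_t len, struct udp_info *out)
{
    struct udp_info info;
    if (len < UDP_HDR_LEN) return UDP_MALFORMED;
    info.src_port = be16(dgram);
    info.dst_port = be16(dgram + 2);
    info.length   = be16(dgram + 4);
    /* The UDP length field covers header plus payload; it may not claim
     * more than we received, and never less than the header itself. */
    if (info.length < UDP_HDR_LEN || info.length > len) return UDP_MALFORMED;
    info.payload_len = info.length - UDP_HDR_LEN;
    if (out) *out = info;
    /* Anything to 1434 that would not fit the 128-byte input buffer is
     * suspect: the text's 376-byte packet is far over that line. */
    if (info.dst_port == SQL_RESOLUTION_PORT && info.payload_len > SQL_INPUT_BUFFER)
        return UDP_SUSPECT_OVERFLOW;
    return UDP_OK;
}

/* Build a constructed test datagram: UDP header plus `payload_len` filler
 * bytes. Returns the total size, or 0 if it does not fit in `cap`. */
size_t make_udp(uint8_t *buf, size_t cap, uint16_t dport, size_t payload_len)
{
    size_t total = UDP_HDR_LEN + payload_len;
    if (total > cap || total > 0xFFFF) return 0;
    buf[0] = 0x04; buf[1] = 0xD2;                      /* source port 1234, arbitrary */
    buf[2] = (uint8_t)(dport >> 8); buf[3] = (uint8_t)dport;
    buf[4] = (uint8_t)(total >> 8); buf[5] = (uint8_t)total;
    buf[6] = 0; buf[7] = 0;                            /* checksum 0 = none (IPv4) */
    memset(buf + UDP_HDR_LEN, 0x41, payload_len);      /* filler, not worm bytes */
    return total;
}

int main(void)
{
    uint8_t pkt[512];
    struct udp_info info;
    /* Constructed sample sized to the 376 bytes the text gives, aimed at 1434. */
    size_t n = make_udp(pkt, sizeof pkt, SQL_RESOLUTION_PORT, 376 - UDP_HDR_LEN);
    enum verdict v = inspect_udp(pkt, n, &info);
    printf("dst port %u, payload %zu bytes -> verdict %d\n",
           (unsigned)info.dst_port, info.payload_len, (int)v);
    return 0;
}
```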
4.11 Who’s Guarding Whom?
One final observation will add a bit of irony to round out our discussion of COTS software vulnerabilities. Let’s assume we have a software-based firewall to protect an internal LAN that we connect up to the Internet. We need this firewall to prevent Internet-based attacks like worms, and other network attacks, from reaching our internal hosts because we know the software on our internal hosts on our LAN might be susceptible to (for example) buffer overflow attacks.
Figure 4-3. How the Slammer Worm Operates
So our software-based firewall is “guarding the gate” against cyber attacks that exploit buffer overflow vulnerabilities. This gives us a warm feeling of security until we find out that our firewall code itself may contain buffer overflow vulnerabilities! (Note: Security researchers regularly find and publish information about software bugs and vulnerabilities [including buffer overflow attacks] within security software, such as software-based firewalls and antivirus software.)
Once these vulnerabilities are found and published, the only alternative for security-conscious systems administrators is to patch and patch again. There is an area of expertise called “Patch Management” that is now applicable to industrial networks to address how, when, and where software patches should be applied. Within industrial networks, a patch management program assumes a very important role because critical infrastructure is involved.
References
1. Ulsch, M. “Security Strategies for E-companies.” Infosecuritymag.com column “EC Does It,” July 2000. Retrieved 11/11/2004 from: http://infosecuritymag.techtarget.com/articles/july00/columns2_ec_doesit.shtml
2. United States Department of Justice. “Former Lucent Employees and Co-conspirator Indicted in Theft of Lucent Trade Secrets.” Cybercrime.gov press release, May 31, 2001. Retrieved 11/11/2004 from: http://www.cybercrime.gov/ComTriadIndict.htm
3. Schneier, B. “The Risks of Cyberterrorism.” Crime-research.org article taken from TheMezz.com, June 19, 2003. Retrieved 11/11/2004 from: http://216.239.39.104/custom?q=cache:uJQl__6DhAUJ:www.crime-research.org/news/2003/06/Mess1901.html+Schneier&hl=en&ie=UTF-8
4. Poulsen, K. “Slammer Worm Crashed Ohio Nuke Plant Network.” Securityfocus.com article, August 19, 2003. Retrieved 11/11/2004 from: http://www.securityfocus.com/news/6767
5. Roberts, P. F. “Zotob, PnP Worms Slam 13 DaimlerChrysler Plants.” August 18, 2005. Retrieved 8/8/2009 from: http://www.eweek.com/c/a/Security/Zotob-PnP-Worms-Slam-13-DaimlerChrysler-Plants/
5.0 Countermeasures
5.1 Balancing the Risk Equation with Countermeasures
In our discussion on risk assessment thus far, we have been adding terms to our list of risk assessment factors from previous chapters to arrive at the list below:
• Asset
• Threat
• Consequence
• Likelihood
• Vulnerability
• Risk
• Countermeasures
Let’s take a look at the interrelationships among the first six terms in Figure 5-1. Then, in Figure 5-2, let’s see how countermeasures fit in.
Now that we have illustrated the relationships between the risk terms with and without countermeasures, let’s see, on a more practical level, how countermeasures might be introduced into our quantitative and qualitative risk assessment examples from Chapter 2.
5.2 The Effect of Countermeasure Use
Figure 2-2 (Chapter 2, Section 2.2) showed a simple risk assessment illustration for the office building connected to the widget factory. In it, we see that the risk, or expected loss per year from a mild-to-moderate tornado striking the office building, is $0.25 million, or $250,000 per year.
Figure 5-1. Risk Assessment Before Countermeasures
Figure 5-2. Risk Assessment Adding Countermeasures
Now suppose we want to introduce a countermeasure to reduce the expected loss per year. We can compute the cost of reinforcing the office building structure and spread that cost out over the same number of years as our risk assessment time frame figure, 20 years. (Note that this is a rather simplistic analysis in terms of the reality of financing building improvements.)
Let’s say reinforcing the walls and roof to prevent tornado damage will cost $1 million, and we do this today. The risk evaluation for the reinforced building covers the next 20 years. So $1 million / 20 years = $0.05 million, or $50,000 cost per year for 20 years.
Now let’s calculate the reduction in expected loss per year by reinforcing the building. Our risk was $0.25 million, or $250,000 per year, so spending $50,000 per year on countermeasures will reduce risk by $250,000. (Note: in practice, countermeasures are rarely 100 percent effective. A certain amount of damage risk per year, termed residual risk, would probably exist despite your best efforts at building reinforcement.)
Not bad—we have spent $50,000 per year to save $250,000 in risk. Neglecting residual risk, our net saving by risk reduction is:
$250,000 saved/year – $50,000 spent on countermeasures = $200,000/year. It still looks like a good deal!
Figure 5-3 shows the risk assessment for the building after adding tornado countermeasures.
Now suppose instead we spend $5 million to reinforce the building and evaluate that over 20 years. Would this be a good decision? Well, $5 million / 20 years = $0.25 million/year. We would spend $250,000 on countermeasures to save $250,000 on annual risk. Our net savings in estimated loss per year would be zero!
Figure 5-3. Office Building – Physical and Cyber Risk Assessment
We can see that we are in a powerful position if we are fortunate enough to have historical weather damage data to draw from to support a quantitative risk assessment. We can calculate when a countermeasure will pay for itself and at what point it does not make economic sense.
The same type of analysis can be made for our industrial cyber spy scenario in Figure 2-2. However, we should remember that our risk numbers and the effect of countermeasures will be more estimated and, therefore, more open to variability.
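The Section 5.2 arithmetic as reusable functions, extended with the residual-risk note above (a countermeasure that removes only part of the annual risk) and with the break-even outlay at which net saving falls to zero. This is an added example, not the book’s own material; the effectiveness fraction, the function names, and the handling of a time frame under one year are assumptions.

```c
#include <stdio.h>

/* Amounts are dollars; `annual_risk` is expected loss per year, `years` the
 * assessment time frame. `effectiveness` (assumed here, 0.0 to 1.0) is the
 * fraction of the annual risk the countermeasure removes: 1.0 reproduces the
 * book's figures, anything less leaves the residual risk the text mentions. */

/* Clamp effectiveness into [0, 1] so a bad input cannot yield negative risk. */
static double clamp01(double x)
{
    return x < 0.0 ? 0.0 : (x > 1.0 ? 1.0 : x);
}

/* Capital cost spread evenly over the time frame (the $1 million / 20 years
 * step). A time frame under one year is treated as one year (assumption). */
double annual_countermeasure_cost(double capital_cost, int years)
{
    if (years < 1) years = 1;
    return capital_cost / years;
}

/* Risk left after the countermeasure: the book's residual risk. */
double residual_risk(double annual_risk, double effectiveness)
{
    return annual_risk * (1.0 - clamp01(effectiveness));
}

/* Net saving per year: risk removed minus what the countermeasure costs.
 * Negative means the countermeasure costs more than the loss it avoids. */
double net_annual_saving(double annual_risk, double capital_cost, int years,
                         double effectiveness)
{
    double removed = annual_risk - residual_risk(annual_risk, effectiveness);
    return removed - annual_countermeasure_cost(capital_cost, years);
}

/* Largest capital outlay that still breaks even over the time frame, i.e.
 * where net saving is exactly zero (the book's $5 million case). */
double break_even_capital_cost(double annual_risk, int years, double effectiveness)
{
    if (years < 1) years = 1;
    return annual_risk * clamp01(effectiveness) * years;
}

/* Tolerant comparison for doubles, so checks are not tripped by rounding. */
int approx_equal(double a, double b)
{
    double d = a - b;
    return d < 1e-6 && d > -1e-6;
}

int main(void)
{
    const double risk = 250000.0;   /* tornado loss per year, from Figure 2-2 */
    const int years = 20;           /* assessment time frame from Section 5.2 */

    printf("$1M reinforcement:              net saving $%.0f/year\n",
           net_annual_saving(risk, 1000000.0, years, 1.0));
    printf("$5M reinforcement:              net saving $%.0f/year\n",
           net_annual_saving(risk, 5000000.0, years, 1.0));
    printf("$1M reinforcement, 80%% effective: net saving $%.0f/year\n",
           net_annual_saving(risk, 1000000.0, years, 0.8));
    printf("break-even outlay at 100%% effectiveness: $%.0f\n",
           break_even_capital_cost(risk, years, 1.0));
    return 0;
}
```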
Let’s turn to how we can evaluate the effect of countermeasures in a qualitative risk assessment. With a qualitative risk assessment, we do not deal directly in dollars. Instead, we determine which risks are greater, then prioritize the spending of our resources on countermeasures.
Let’s go back to the factory risk assessment from Chapter 2, Section 2.3, and the qualitative risk assessment process and matrix shown in Figures 2-5 and 2-6. As Figure 2-6 shows, scenario (a) (physical attack) produces a “medium” risk rating, and scenario (b) (cyber attack on the PLC network) produces a “high” risk rating.
If we can introduce countermeasures to decrease the likelihood of a cyber attack, then we might be able to move scenario (b) from the “high” risk zone to the “medium” risk zone, alongside scenario (a). We might do this by better isolating the PLC network from the rest of the company and the outside, or by decreasing cyber vulnerabilities, or by mitigating the effects of a successful cyber attack with a quicker or more complete disaster recovery program.
Discussion might focus on which approach(es) would lower risk level most, what countermeasure(s) to use, how effective each would be, and so on. The cost of each alternative countermeasure might be estimated, for example, along with how effective it would be in reducing total risk.
So when we evaluate the effect of countermeasures in reducing total risk in a qualitative risk assessment, we are really going through a process analogous to our quantitative example.
A risk management step normally follows the risk assessment step, with the assessment team weighing the results of the risk assessment step.
There are three possible risk management decisions the team can make once they know what the risks are:
• Accept the risk
• Minimize or eliminate the risk
• Transfer the risk
Accepting the risk means essentially to do nothing. The enterprise chooses to live with the risk and accept the consequences should it happen.
Minimizing or eliminating the risk means countermeasures will be evaluated and applied. (And the residual risk, left over after countermeasures are applied, will be accepted.)
The third alternative transfers the risk to another party, such as an insurance company. For instance, the enterprise will pay an insurance premium for protection from loss of sales in the event of a sabotage attack.
The remainder of this book deals with constructing an industrial network cyber defense. In other words, we are assuming the second risk management option and focus on minimizing or eliminating risk, if possible, by using countermeasures.
5.3 Creating an Industrial Network Cyber Defense
After we have done a qualitative risk assessment, we may decide to go with the second risk management option and focus on minimizing or eliminating risk, if possible, by taking countermeasures. How do we go about deciding on what countermeasures are appropriate for industrial networks in our chemical plants, utility grids, and factories? Chapters 6–8 of this book deal with constructing an industrial network cyber defense, but we'll look at it briefly here.
Figure 5-4 summarizes the contents of Chapters 6 through 8. It shows the "Countermeasures" block from Figure 5-2, separated into physical and personnel security countermeasures, together with the topics of Chapters 6–8 as components of an overall cyber defense.
As shown in Figure 5-4, a good industrial network defense contains the following:
• Design and Planning
• Technology
• People, Policies, and Assurance
• Physical and Personnel Security Countermeasures and Support
Figure 5-4. Countermeasure Components
Countermeasures may act in a variety of ways, as the face of the countermeasures block of Figure 5-2 shows. Countermeasures may act to:
• deter and detect the threat (as a barking watchdog on the premises would detect and deter a burglar),
• minimize a vulnerability (as bars on a window would make forced entry more difficult), and
• mitigate the consequences (as an effective disaster recovery plan gets a hacked server up and running again).
6.0 Cyber Defense Part I—Design and Planning
6.1 Defense in Layers
The principle of defense in layers is that one relies on many different overlapping layers to prevent a worst-case scenario. If one layer fails, the next is there to take over, and so on.
To understand how this concept may be applied to industrial network security, let's first look at the way the concept is applied in a common chemical processing application that incorporates a Safety Instrumented System (SIS).
One simple polymerization process uses two hazardous chemicals, a monomer (chemical A) and a second reactant (chemical B), which may be an initiator or catalyst for the reaction. The reaction is exothermic, which means heat is released when the two chemicals are combined and brought up to reaction temperature.
Figure 6-1 shows an example of the simple polymerization reaction setup. In it, our monomer (chemical A) flows from a storage tank on the right through a control valve into the reactor, where it combines with chemical B, which flows from the storage tank on the left, through a control valve, and to the reactor. The process may be sequential (i.e., first the monomer is charged to the reactor, then chemical B is added slowly during the actual reaction step).
A well-known process safety hazard of polymerization is the possibility of a "thermal runaway," where the reaction heat builds up inside the reactor vessel, raising the temperature and pressure of the reaction mixture until it bursts the reactor vessel, leading to an explosion, fire, and hazardous fluid release into the surroundings. The process safety strategy is to keep the reaction under control by removing the heat that is generated, never letting it build up to the point where the reaction produces more heat than can be removed.
Figure 6-1. Polymerization Plant Example
Reference (1) gives a case history of a polymerization reactor runaway and explosion that was investigated by the U.S. Chemical Safety and Hazard Investigation Board.
To counter the possibility of a thermal runaway, control systems safety design uses "layered defenses" (2). Protection in layers forms the foundation of SIS design in such specifications as ANSI/ISA-84.00.01-2004, Functional Safety: Safety Instrumented Systems for the Process Industry Sector, and IEC 61508, Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems. The system designer contains the hazards of this process by successive layers of control and mechanical systems protection, as shown in Figure 6-2 (3):
The layers of protection against a runaway reaction begin with the basic process control system (BPCS). If control of the process from the BPCS is lost and the reaction temperature and pressure go too high, then, in the next layer, alarms on excessive reaction temperature and pressure will sound, requiring manual action by operators to shut down the reaction process.
Figure 6-2. Layers of Protection Against a Runaway Reaction
If these layers fail—the alarm malfunctions, the operators don't respond or respond incorrectly, etc.—then the next layer, the SIS, will take over. In our example, this might be done by shutting off the flow of reactant B and/or by providing emergency cooling.
The next layer is mechanical (for example, blowing the rupture disk to release the reaction contents). After that, additional layers might include a secondary containment system (dikes, etc.), and, finally, emergency response, first by the plant and then by the community.
These layers of protection should be as independent as possible, so the failure of one layer does not affect the performance of the next.
A Security Example
Now let's say our polymerization takes place in a small chemical plant that has an office building located beside the control room as shown on the site layout in Figure 6-3. (In reality, the control room and office building should be located a safe distance from the reaction area and chemical storage.) Note that in the safety example, the hazard we were protecting against arose inside the reaction vessel, and our layers extended outward around it. In this security example, we are protecting from the outside in.
Figure 6-3. Polymer Plant Site Layout
Let's include the business and control networks in Figure 6-3. The business network will serve the office building, and the control room/chemical reactor area will have a Basic Process Control System (BPCS) network and a Safety Instrumented System (SIS).
Let's say our task is to protect the office network, the BPCS, and the SIS from a hacker who is bent on causing a runaway reaction by using the Internet to penetrate the chemical plant through the firewall. Above all, we want to protect the SIS, since it is a critical safety system. Next in importance to the process is the BPCS and, finally, the business system.
Drawing a series of concentric rings around first the SIS, then around the BPCS, and finally around the business network, as shown in Figure 6-4, will help us discuss defense in layers for security.
Figure 6-4. Cyber Defense in Layers
A cyber attacker would first have to penetrate the corporate firewall to get to the business network (Layer One). The next target would be the BPCS network (Layer Two), and finally the SIS (Layer Three). If only the business network and BPCS are compromised, the SIS and subsequent safety layers will act to prevent a runaway. If both the BPCS and the SIS are compromised, a runaway is more likely. It can now be prevented only by additional protection layers like operator action or mechanical safety devices such as rupture disks and secondary containment. If all else fails, the consequences would be dealt with through emergency response.
For a cyber security defense in layers to be effective, each layer should have its own defenses and not merely "sit by" passively. For instance, the business network might have an intrusion detection/prevention system to detect and prevent cyber attacks from beyond the firewall.
However, suppose we attach an external modem to the BPCS network in Figure 6-4, so the process engineers can telecommute to the plant on weekends and holidays. What happens to our defense in layers model now? If an outside hacker, through war dialing and password guessing, can obtain entry to the BPCS in one step instead of having to hack in through the corporate firewall, he has effectively bypassed Layer One and is at Layer Two. (A war dialer is a computer program used to identify phone numbers that can connect with a modem.) Even worse, if there is a modem connection into Layer Three, perhaps to let the SIS vendor communicate with the SIS, the hacker might bypass both Layers One and Two to gain access. The hacker might commit hidden sabotage to Layer Three, perhaps by deactivating the SIS. This might not become obvious until the BPCS loses control of the reaction, and the SIS is needed to bring the reaction back into control.
This brings up another observation: Each layer of defense is effective only if there is no easy way to bypass the layer.
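The layered model of Figure 6-4, and the way a modem collapses it, can be made concrete by treating zones and conduits as a graph and counting the defended boundaries an attacker must defeat. The following is an added illustration written for this edition of the text, not code from the book; the zone names, the topology, and the decision to treat a war-dialable modem as an undefended conduit are assumptions.

```python
"""Attack-path model of Figure 6-4 (business LAN, BPCS, SIS) to count the
defended boundaries an attacker must defeat, and to spot bypasses such as the
modem added to the BPCS.  Added illustration, not the book's code; zone names
and the topology are assumed."""
import heapq

# Conduits between zones: (from_zone, to_zone, defended).  A defended conduit
# is a boundary the attacker must break (firewall, hardened hosts); an
# undefended one (a war-dialable modem with a guessable password) is a bypass.
BASELINE = [
    ("internet", "business_lan", True),   # Layer One: corporate firewall
    ("business_lan", "bpcs", True),       # Layer Two: internal firewall
    ("bpcs", "sis", True),                # Layer Three: SIS boundary
]
MODEM_TO_BPCS = ("internet", "bpcs", False)   # engineers' telecommuting modem
MODEM_TO_SIS = ("internet", "sis", False)     # SIS vendor's maintenance modem


def layers_to_breach(conduits, source="internet", target="sis"):
    """Minimum number of defended boundaries on any path from source to
    target (Dijkstra; a defended conduit costs 1, a bypass costs 0).
    Returns None if the target is unreachable."""
    graph = {}
    for src, dst, defended in conduits:
        graph.setdefault(src, []).append((dst, 1 if defended else 0))
    best = {source: 0}
    queue = [(0, source)]
    while queue:
        cost, node = heapq.heappop(queue)
        if node == target:
            return cost
        if cost > best.get(node, float("inf")):
            continue
        for nxt, weight in graph.get(node, []):
            if cost + weight < best.get(nxt, float("inf")):
                best[nxt] = cost + weight
                heapq.heappush(queue, (cost + weight, nxt))
    return None


def find_bypasses(conduits, source="internet", target="sis"):
    """Undefended conduits whose removal would raise the number of layers the
    attacker must breach: the 'easy ways around the layer' to close first."""
    with_all = layers_to_breach(conduits, source, target)
    bypasses = []
    for conduit in conduits:
        if conduit[2]:
            continue
        without = [c for c in conduits if c != conduit]
        if layers_to_breach(without, source, target) != with_all:
            bypasses.append(conduit)
    return bypasses


if __name__ == "__main__":
    print("baseline layers to breach:", layers_to_breach(BASELINE))
    print("with BPCS modem:", layers_to_breach(BASELINE + [MODEM_TO_BPCS]))
    print("with SIS modem:", layers_to_breach(BASELINE + [MODEM_TO_SIS]))
    print("bypasses to close:", find_bypasses(BASELINE + [MODEM_TO_BPCS]))
```

With the three defended boundaries alone the attacker must defeat three layers; the telecommuting modem drops that to one (only the SIS boundary remains between the dial-in and the safety system), and a vendor modem into the SIS drops it to zero. The same computation, run over a real zone-and-conduit inventory, is a quick way to find which conduits deserve attention first.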
6.2 Access Control
Access control for industrial networks is the important area of determining and enforcing who (or what device or system) has access to the system assets, such as the HMI, the process control network, the controllers, servers, etc. And, if a person, device, or system is allowed to "touch" these system assets, access control specifies:
• What is their authorization level?
• What data or settings may they change, delete, add, etc.?
• How will this be controlled and enforced?
Along with cyber access control, the parallel area of physical access control will determine and enforce who can walk into the control room or other physical location where the industrial networks are located. To be truly effective, cyber and physical access control must act together.
So let's continue with our illustrative example of the small polymerization plant illustrated by Figures 6-1 through 6-4, and see how access control integrates with the "defense in layers" model.
Although it might not be typically thought of in this fashion for a defense in layers model, we might visualize Layer One in this example as having two regions:
1. A perimeter, or boundary
2. An interior area
It is easy to visualize these two Layer One regions in the office LAN in Figure 6-4. The corporate firewall separates the office LAN from the Internet. The firewall represents region 1 above, the perimeter or boundary, separating inside from outside. The office LAN, on the other hand, extending through the office building and interconnecting many different servers and workstations, is the interior area and represents region 2.
It is just as important to the success of the defense in layers model for the interior region, the office LAN, to be "hardened," that is, not to have obvious network or host vulnerabilities, as it is for the firewall to be correctly configured, monitored, and maintained. What happens within the office LAN is crucial to maintaining the effectiveness of the perimeter protection of the firewall. Both the perimeter and the interior of Layer One must act together.
For example, let's say the firewall is configured and operating perfectly. If an office worker receives a piece of malicious email containing an executable Trojan Horse, his or her machine may be "taken over" and used to launch attacks on the connecting networks. Some Trojans can even establish an outbound connection from the compromised office LAN host that goes out through the firewall to the hacker's server on the Internet. The outgoing traffic from the machine that has been taken over will look like an innocent web (HTTP) connection initiated by that internal host.
For another illustration of the concept of defense in layers, let's now consider both physical and cyber access control of Layer Two. Physical access control would regulate who can come into the control room, which may have a locked door with only authorized employees having the key, for instance. Once inside the control room, an employee would need the proper cyber access, a correct login and password, to access BPCS control functions. Access control also includes authorization levels, which might allow control engineers to change process setpoints but not allow operators to perform the same actions.
It also would be desirable to have a third person in the loop, a control network administrator, who would assign and administer the logins, passwords, and authorization levels in step with personnel changes. In the following sections of this chapter, we will discuss different security aspects that, taken together, lead to the success of the defense in layers security strategy.
The above discussion, where we visualize each layer of protection as composed of a perimeter and an interior area, is formalized in the ISA-99 Part 1 standard as the "zone and conduit" method for industrial network security.
The zone and conduit method becomes the tool for risk assessment and then risk management and reduction. The interior area comprising Layer One becomes the "zone," where the risk level is uniform, and the corporate firewall connecting Layer One with the Internet becomes the "conduit." Readers are referred to ISA-99 Part 1 (4) for further details.
6.3 Principle of Least Privilege
One concept we will borrow from IT cyber security for use in industrial network access control is called "the principle of least privilege," which goes hand in hand with a "deny by default" stance. In theory, this principle is straightforward, but in practice, applying this principle is very difficult in a conventional plant control room with operators, supervisors, and engineers logging on to consoles using a typical system of user logins and passwords. If we were to apply the principle of least privilege to access control in a control room, we would do the following:
• Start by denying everything. Deny all access and authorization to everybody.
• After proper identification and authentication, grant access and authorization privileges (the ability to do authorized tasks) for only those minimum sets of functions each individual needs to do his or her job, and no more.
• Remove these access and authorization privileges promptly when the individual no longer needs them, such as after a new assignment or job rotation.
Many longtime employees in the process industries "accumulate" passwords—and therefore unneeded access and authorization privileges—as they rotate through various jobs. The principle of least privilege requires organizations to keep track of what access and authorization privileges an employee needs to perform present tasks, and to allow authorization for those functions only.
If an employee or contractor leaves or is terminated for cause, by far the most important access control action to perform is to remove all physical and cyber access and authorization privileges immediately. This means getting back or invalidating all physical access cards, keys, etc., and immediately deleting or invalidating their passwords and other authorizations from every system they ever had access to. It is especially important to remove their ability for remote access (through modem, virtual private network, etc.). If they had access to any group or shared accounts, those passwords should be changed immediately.
Applying the principle of least privilege in practice is difficult, if not impossible, without the right access control technology. The different types of access control technologies are covered in Chapter 7. Chapter 7 discusses role-based access control, an important technology to enable adoption of the principle of least privilege, as well as to simplify and better manage identification, authentication, and authorization.
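The three steps above (deny everything, grant the minimum per job, revoke promptly), the authorization levels of Section 6.2 (engineers may change setpoints, operators may not), and the offboarding checklist can all be expressed as a small role-based directory. The code below is an added illustration for this edition, not the book's own code or any vendor's product; the roles, permission names, users, and the "shared account version" bookkeeping are assumptions.

```python
"""Deny-by-default, role-based access control for the control room, with job
rotation and offboarding handled the way the principle of least privilege
requires.  Added illustration, not the book's code; roles, permissions and
user names are assumed."""
from dataclasses import dataclass, field

# Minimal permission set per role (constructed).  Anything not listed is denied.
ROLE_PERMISSIONS = {
    "operator":         {"view_process", "ack_alarm"},
    "control_engineer": {"view_process", "change_setpoint", "edit_logic"},
    "sis_engineer":     {"view_process", "sis_test_bypass"},
    "vendor_remote":    {"view_process"},
}


@dataclass
class AccessDirectory:
    """State the control network administrator maintains in step with HR."""
    roles: dict = field(default_factory=dict)            # user -> set of roles
    remote_access: set = field(default_factory=set)      # users allowed VPN/modem
    shared_secret_version: dict = field(default_factory=dict)  # account -> version
    audit: list = field(default_factory=list)

    def is_allowed(self, user, action):
        # Default deny: unknown user, no roles, or unknown action all yield False.
        return any(action in ROLE_PERMISSIONS.get(r, set())
                   for r in self.roles.get(user, set()))

    def grant(self, user, role):
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        self.roles.setdefault(user, set()).add(role)
        self.audit.append(("grant", user, role))

    def revoke(self, user, role):
        self.roles.get(user, set()).discard(role)
        self.audit.append(("revoke", user, role))

    def rotate_job(self, user, new_role):
        """Job rotation: old privileges are removed, not accumulated."""
        for old in list(self.roles.get(user, set())):
            self.revoke(user, old)
        self.grant(user, new_role)

    def offboard(self, user, shared_accounts_known=()):
        """Departure or termination: strip every role and remote access, and
        rotate the password of every shared account the person knew."""
        for role in list(self.roles.get(user, set())):
            self.revoke(user, role)
        self.roles.pop(user, None)
        self.remote_access.discard(user)
        for account in shared_accounts_known:
            self.shared_secret_version[account] = \
                self.shared_secret_version.get(account, 0) + 1
            self.audit.append(("rotate_shared_password", account))


def walkthrough():
    """Constructed sequence: hire as operator, rotate to control engineer,
    then leave.  Returns the access decisions at each step."""
    d = AccessDirectory()
    d.grant("alice", "operator")
    step1 = (d.is_allowed("alice", "ack_alarm"),
             d.is_allowed("alice", "change_setpoint"))
    d.rotate_job("alice", "control_engineer")
    step2 = (d.is_allowed("alice", "change_setpoint"),
             d.is_allowed("alice", "ack_alarm"))
    d.remote_access.add("alice")
    d.shared_secret_version["hmi_shared"] = 3
    d.offboard("alice", shared_accounts_known=["hmi_shared"])
    step3 = (d.is_allowed("alice", "view_process"),
             "alice" in d.remote_access,
             d.shared_secret_version["hmi_shared"])
    return step1, step2, step3
```

The point of `rotate_job` is that the operator's `ack_alarm` right does not survive the move to engineering, which is exactly the accumulation the text warns about; `offboard` bumps a version counter on each shared account as a stand-in for an actual password change on the HMI.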
6.4 Network Separation
Network separation is a perimeter or boundary defense, which we discussed in Section 6.2. Let's look back at Figure 6-4, Cyber Defense in Layers, and look at the connection between our office LAN, in Layer One, and the Basic Process Control System (BPCS).
The principle of defense in layers implies that a direct office LAN-to-industrial network connection is not a good idea. Anyone having access to the office LAN, whether access was obtained legitimately or illegally, now has complete access to the industrial network and its components, including HMIs, control servers, etc.
So what should our risk team do about a direct business-to-control system connection, if it exists?
Applying the basic risk management choices detailed in Chapter 5, the risk team may elect to:
1. accept the risk, and do nothing, leaving a direct connection to the industrial network;
2. partially close off this access with a firewall, filtering router, or other restriction; or
3. cut the connection between the business and industrial networks completely.
Most companies in the chemical processing, utility, and discrete manufacturing industries say they need some connectivity between the business network and industrial network to survive. There is just too much business advantage from having some form of connectivity and information flow.
In the writer's experience, most companies started out with an unfettered business-to-industrial network connection. While some continue to elect Option 1, accept the risk, most are going to Option 2, putting in an internal firewall or other network restriction such as a filtering router.
Chapter 10 presents an account of the way a large company has handled internal business-to-control system connections.
Few companies will elect Option 3, to cut the connection. However, some companies that never connected the industrial and business networks to begin with may continue to observe that policy.
References
1. U.S. Chemical Safety and Hazard Investigation Board. Investigation Report – Chemical Manufacturing Incident, Report No. 1998-06-I-NJ (April 8, 1998). Retrieved 11/11/2004 from: http://www.csb.gov/Completed_Investigations/docs/Final%20Morton%20Report.pdf
2. American Institute of Chemical Engineers (AIChE), Center for Chemical Process Safety. Guidelines for Safe Automation of Chemical Processes. AIChE, 1993.
3. American Institute of Chemical Engineers (AIChE), Center for Chemical Process Safety. Guidelines for Safe Automation of Chemical Processes, Figure 2-2. AIChE, 1993.
4. ANSI/ISA-99.00.01-2007, Security for Industrial Automation and Control Systems, Part 1. Research Triangle Park: ISA, 2007.
7.0 Cyber Defense Part II—Technology
7.1 Guidance from ISA99 TR1
The technical report ANSI/ISA-TR99.00.01-2007, Security Technologies for Industrial Automation and Control Systems, has a wealth of information on IT security technology and how it may be applied to securing industrial networks. Each technology is summarized according to the following headings:
• Security Vulnerabilities Addressed by this Technology, Tools and/or Countermeasures
• Typical Deployment
• Known Issues and Weaknesses
• Assessment for Use in the IACS Environment Systems
• Future Directions
• Recommendations and Guidance
• Information Sources and Reference Material
The sections in this chapter cover some of the technologies described in the ISA-99 series of standards. Our coverage of these technologies is intended to be a general introduction to the various technologies and how they are used, rather than a detailed technical explanation.
7.2 Firewalls and Boundary Protection
A firewall acts as a "gatekeeper" or "traffic cop" to filter and block traffic from one network going to another. Let's look at two cases, illustrated in Figure 7-1:
Figure 7-1. Firewall Illustration
• Firewall "A" protects the corporate business LAN from the outside Internet.
• Firewall "B" is internal and separates the business LAN from the industrial network.
Each firewall has a set of firewall "policies" (not to be confused with the higher-level security policies described in Chapter 8) that determines which hosts or networks on one side may talk to hosts or networks on the other side.
It all boils down to a yes/no decision for each, whether to permit or deny each attempted connection.
As an example, let's look at classes of users inside and outside the business network, as shown in Figure 7-2, and what connections they might want to establish.
Figure 7-2. Sample Firewall Setup
If a business LAN user wants to connect to an outside web server (the firewall "listens" for attempts at connection via the web protocol known as HTTP), this is "permitted" (unless management is clamping down on too much outside web surfing!).
However, if a business LAN user wants to connect to an outside streaming "RealAudio" server, perhaps this connection will be "denied" by corporate IT cyber security.
Let's take a look at attempted traffic going in the opposite direction. If a machine on the outside, host "hacker.com," wants to connect from the outside Internet to an inside business LAN workstation or server, this should be blocked or "denied." Most corporations host a web server in an intermediate zone called a DMZ (Demilitarized Zone) for legitimate incoming traffic, such as requests for sales bulletins and the like.
SP99 TR1 goes on to describe three different types of firewalls:
• Packet Filter
• Application Proxy
• Stateful Inspection
Modern firewalls may be hardware-based (e.g., a firewall appliance with embedded software) or software-based, running as application software on a Windows or Unix operating system. If software-based firewalls are used, the underlying operating system must be hardened, as described in Chapter 8, to be effective.
An example of a modern chemical corporation using internal firewalls is given in Chapter 9.
Alternate Internal Boundary Protection
Nearly all corporations will have a corporate firewall (Firewall A as shown in Figure 7-1). However, some may elect not to go with a full-fledged internal firewall (Firewall B in the figure) to separate critical internal systems from their business LANs and intranets. A degree of protection can be provided by using a router with filtering capabilities. For instance, using a router's Access Control Lists (ACLs), a network administrator can select which hosts and networks on one side of the router can connect with specific hosts and networks on the other side of the router, as described earlier in this section in the discussion of firewall policies.
7.3 Intrusion Detection
Intrusion detectors monitor computer networks or computer hosts, looking for possible intrusions. There are two general types of intrusion detectors:
• Network-based (NIDS – Network Intrusion Detection System)
• Host-based (HIDS – Host Intrusion Detection System)
A network-based intrusion detector may be attached to the network it monitors by a "network sniffer" arrangement, or it may be embedded into the operating code of a router, firewall, or standalone appliance.
It may look for either or both of the following warning signs:
• Known attack signatures, recognized from an up-to-date database of known attacks such as worms.
• Network traffic anomalies, changes in traffic patterns that are statistically suspicious. For instance, heavy incoming traffic on a little-used port or IP address might indicate an attack.
A host-based intrusion detector is mounted on a particular host computer, such as a workstation or server. It may perform a periodic scan of all crucial files on the host to look for signs of unauthorized alteration, which might indicate a compromise of the host system by an intruder. This action is called a "file integrity check." It may also monitor network traffic in and out of a particular host, or look for suspicious usage patterns, which might indicate an intruder is at work.
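Both kinds of detector are simpler than they sound. The following added illustration (written for this edition, not code from the book) runs a NIDS-style pass over a constructed batch of connection records, flagging a known byte signature and a port whose volume is far above its learned baseline, and then performs the HIDS file integrity check against a stored hash baseline. The signature, the baseline numbers, the traffic sample, and the file names are all constructed.

```python
"""Two detectors of the kinds described above, as an added illustration (not
the book's code): a NIDS pass over constructed connection records (signature
match plus per-port volume anomaly) and a HIDS file integrity check against
a stored baseline of hashes.  Signatures, ports, baselines and file names are
constructed."""
import hashlib
import os
import tempfile
from collections import Counter

# ---- NIDS part ------------------------------------------------------------
# Known attack signatures: name -> byte pattern (constructed, not a real worm).
SIGNATURES = {"sample-worm-probe": b"\x90\x90\x90\x90/bin/sh"}
# Typical connections per port per interval, learned during normal operation
# (constructed baseline).
BASELINE_PER_PORT = {80: 500, 443: 800, 25: 40, 1433: 2}


def nids_alerts(flows, baseline=BASELINE_PER_PORT, ratio=5, min_hits=10):
    """flows: iterable of (src_ip, dst_port, payload_bytes).  Emits a
    'signature' alert per payload containing a known pattern, and an
    'anomaly' alert for any port seeing at least min_hits connections and
    at least ratio times its baseline (a little-used port suddenly busy)."""
    alerts = []
    for src, dport, payload in flows:
        for name, pattern in SIGNATURES.items():
            if pattern in payload:
                alerts.append(("signature", name, src, dport))
    per_port = Counter(dport for _, dport, _ in flows)
    for dport, count in sorted(per_port.items()):
        expected = baseline.get(dport, 1)   # never-seen ports get a baseline of 1
        if count >= min_hits and count >= ratio * expected:
            alerts.append(("anomaly", "port-volume", dport, count))
    return alerts


# Constructed traffic sample: normal web traffic, a flood at the database
# port, and one request carrying the signature.
SAMPLE_FLOWS = (
    [("10.1.3.7", 80, b"GET / HTTP/1.1") for _ in range(300)]
    + [("203.0.113.9", 1433, b"\x00") for _ in range(60)]
    + [("203.0.113.9", 80, b"GET /cgi-bin/\x90\x90\x90\x90/bin/sh HTTP/1.0")]
)


# ---- HIDS part ------------------------------------------------------------
def file_digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline_files(paths):
    """Taken once on a known-good host; keep the result off the host."""
    return {p: file_digest(p) for p in paths}


def integrity_check(baseline):
    """Periodic scan: report every baselined file that is missing or changed."""
    findings = []
    for path, digest in baseline.items():
        if not os.path.exists(path):
            findings.append((path, "missing"))
        elif file_digest(path) != digest:
            findings.append((path, "modified"))
    return findings


def hids_demo():
    """Constructed scenario: baseline two files, then tamper with one and
    delete the other.  Returns the clean result and the statuses found."""
    with tempfile.TemporaryDirectory() as d:
        cfg = os.path.join(d, "hmi.cfg")
        logic = os.path.join(d, "plc_logic.bin")
        with open(cfg, "wb") as f:
            f.write(b"tag=reactor_temp\n")
        with open(logic, "wb") as f:
            f.write(b"\x00\x01\x02\x03")
        base = baseline_files([cfg, logic])
        clean = integrity_check(base)              # [] on an untouched host
        with open(cfg, "ab") as f:
            f.write(b"sis_bypass=1\n")             # intruder edits the config
        os.remove(logic)
        return clean, sorted(status for _, status in integrity_check(base))
```

The `ratio` and `min_hits` thresholds are where the false-positive tuning discussed later in this section happens: a baseline of 2 connections on port 1433 means ten connections would already trip the anomaly rule, so `min_hits` keeps a handful of legitimate retries from paging anyone.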
Figure 7-3 shows how a typical NIDS and HIDS might be deployed in the corporate network example displayed in Figure 7-1.
Figure 7-3. Intrusion Detection
Figure 7-3 shows the NIDS deployed to listen to or "sniff" the network traffic just inside the corporate firewall. It looks for signatures or patterns of intrusion from the outside Internet that have made it past the corporate firewall.
On the other hand, the HIDS monitors one host; in this case, the host on the business LAN.
The action taken by a NIDS or HIDS upon sensing a potential break-in can vary, anywhere from sending an email to paging a system administrator.
An emerging variation on intrusion detection is called intrusion prevention. This detector automatically takes a prearranged action upon any sign of intrusion. For instance, if the NIDS in Figure 7-3 were to detect an anomaly and cause the firewall to block some or all traffic into the business network from the Internet, it would be actively doing intrusion prevention rather than the more passive notification that comes with intrusion detection.
One concern with deploying NIDS and HIDS is the tendency for false alarms, or false positives, which take time and effort to track down. Just as you don't want a burglar alarm to go off because it thinks the family pet is a burglar, minimizing false alarms is necessary when deploying this technology. With intrusion prevention the stakes are higher: a false positive blocks legitimate traffic rather than merely raising an alert, and on a control network that can mean loss of view or loss of control, so automatic blocking should be introduced only after the detector has run in alert-only mode long enough to tune it.
7.4 Virus Control
Since the advent of the PC, there has been a constant struggle between virus writers and people who make software to detect and control viruses. Over the years, new and more clever viruses have evolved, and antivirus researchers are evolving more strategies to spot and clean them.
The virus prevention and detection cycle is a "chase your tail" game. More than 50,000 viruses are known to exist. A large number of them are "zoo" viruses, which exist in controlled laboratory collections only. As we are only too aware, however, a significant number of "in the wild" viruses have been released into cyberspace and have done damage.
Figure 7-4 shows the dilemma antivirus researchers face.
Figure 7-4 illustrates a situation in which a virus writer creates a totally new virus, or a new variation on an old virus, and releases it "in the wild." Some computers get infected, and their owners send a sample of the new viral infection to an antivirus vendor's research team.
Within a few hours, the antivirus team has "disassembled" the inner workings of the virus and captured that virus's distinct signature, or code pattern, as a short sequence of bits. The antivirus vendor then distributes that virus signature to its customers as an update of their virus signatures file.
Figure 7-4. The Antivirus Cycle
The problem is that the virus signature they developed is valid only for that particular virus. Virus writers can "tweak" a virus to alter its code pattern and make a new version that will go undetected. Virus writers may go as far as buying several brands of virus detection software in order to download the latest signature file updates and check to see if their "tweaked" virus is detectable!
Thus, there is a constant running battle between virus writers and the antivirus research community.
Several antivirus products try to detect new viruses for which no signature is yet available. This antivirus software watches for unusual program behavior or combinations of behaviors in an effort to identify viruses up front, before infection.
Antivirus programs typically contain three parts:
1. The Graphical User Interface (GUI).
2. The Engine. This contains the scanning software, which compares files on the host computer with the latest virus signatures from the signature file.
3. The Signature File. Downloaded at regular intervals, say each day, it contains signatures of the latest viruses and Trojans.
Viruses may attack various locations in operating programs and memory. Figure 7-5 shows just a few of the major viruses that have attacked in history, along with the type of attack.
Figure 7-5. Some Past Virus Attacks
Virus detection and/or elimination may be deployed at three levels, or tiers, within the industrial network:
• At the perimeter of the industrial network. Virus protection may be built into or added onto firewall products.
• At the control server level. Server editions of antivirus products may be used here.
• At the individual workstation or PC level. For instance, the workstation running the HMI console may have antivirus software to protect against employees bringing in diskettes, flash drives, or CDs with viruses.
At present, there is still some residual discussion about whether using antivirus software at the control server or workstation level will interfere with proper operation. Many control vendors approve using only specific brands of antivirus software that have been tested for non-interference with application software. In addition, the vendors may specify that only certain features of the antivirus software may be used, and it must be configured a certain way.
In 2006 a report titled "Using Host-Based Antivirus Software on Industrial Control Systems" was issued, describing the results of a two-year DOE National SCADA Test Bed study on the subject of using host-based antivirus software on control systems, written by the author, Steve Hurd, and Joe Falco from NIST (1).
If a virus is detected in real time, the next question is: What is the plan to isolate the network section, clean the virus, and then get back in operation? This is part of an incident response plan that must be set up.
7.5 Encryption Technologies
Encryption technologies are the practical application of the field of cryptography, which means "secret writing." Cryptography has been used in many forms since ancient times to conceal information lest it fall into the wrong hands. A message, once encrypted, appears as gibberish and is of no use to an adversary unless the adversary knows how to reverse or decrypt the encrypted message.
To understand the basics of encryption, some terms need to be introduced:
• Plaintext. The "plain English" version of a text or numerical message to be concealed.
• Ciphertext. The plaintext transformed by an encryption algorithm, using an encryption key, into a message that is unreadable without being decrypted.
• Encryption Algorithm. The mathematical formula or procedure that converts the plaintext to ciphertext.
• Encryption Key. A value (a number, or a string of digits or bits) that the encryption algorithm uses to convert plaintext to ciphertext; the same algorithm with a different key produces different ciphertext.
Let's give a simple example of the use of an encryption algorithm with a key, attributed to Julius Caesar and his method of "secret writing." The Caesar cipher uses a very simple secret key algorithm, called a substitution cipher. We substitute new letters for each letter of the original text to make the original text illegible.
Suppose we're communicating with the battlefield, and the message we want to send is:
ATTACK AT DAWN
Our encryption algorithm works as follows: First we write out the letters of the alphabet. Then we write out a second alphabet beneath the first alphabet, except we shift it one letter over:
ABCDEFGHIJKLMNOPQRSTUVWXYZ
 ABCDEFGHIJKLMNOPQRSTUVWXY
To encrypt, we find each letter of our original message in the bottom (shifted) alphabet and substitute the letter directly above it in the top alphabet; wherever we have an A, we substitute a B. So our original message ATTACK AT DAWN becomes the unreadable
BUUBDL BU EBXO
(In practice, we can eliminate the spaces between words as well.)
The key to our simple alphabet substitution algorithm is the number 1. We shifted the alphabet over by one letter to form ciphertext. We could just as easily have shifted the alphabet by 2, so that A would now become C, B would become D, etc.
Caesar's general in the field, receiving the cryptic message BUUBDL BU EBXO, only needs to know the algorithm and the key to get back the plaintext ATTACK AT DAWN. Using the two alphabets above, the general goes from the top alphabet to the bottom, reversing the way the encryption was performed.
The "key space" is the number of unique values the key can take. What are the possible values of the key? Well, we can shift the alphabet by anything from 1 up to 25, one less than the 26 letters in the alphabet. (If we shift by 26, we circle around the alphabet and come back to where we started.) So we have 25 unique keys that can be used with this simple substitution algorithm.
If the enemy finds out the algorithm being used is the Caesar cipher, he can try a brute force attack against the algorithm, using one message in the ciphertext he has managed to intercept: BUUBDL BU EBXO.
By trying each unique value in the key space, 1–25, the enemy can discover the key used. In our example, if he just tries the number one, the plaintext becomes evident.
As has been mentioned, the Caesar algorithm is called a secret key algorithm. Only the sender and recipient of the message may know the secret key. If an adversary finds out, all is lost.
Writing secure cryptographic algorithms is very difficult. The algorithm must be resistant to an attack by analysis, called cryptanalysis. And the key space must be large enough that it would take too long to find the key through trial and error (a brute force attack).
In our example, if dawn and the attack come before the adversary can find the right key by trial and error or any other method, then the algorithm will have served its purpose.
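The shift, the 25-key key space, and the brute force attack are small enough to write out in full. The code below is an added illustration for this edition, not code from the book; it generalizes the text's shift-by-one to any key and adds a "crib" search, the adversary's usual shortcut of looking for a word he expects (such as ATTACK) among the 25 candidate decryptions.

```python
"""Caesar cipher with its 25-key key space and the brute force attack described
above.  Added illustration, not the book's code; the general shift and the crib
search go beyond the text's shift-by-one example."""
import string

ALPHABET = string.ascii_uppercase


def _shift(text, places):
    """Shift every letter by `places` positions around the alphabet; spaces and
    other non-letters pass through unchanged (the text notes they could be
    dropped as well)."""
    return "".join(ALPHABET[(ALPHABET.index(c) + places) % 26] if c in ALPHABET else c
                   for c in text.upper())


def caesar_encrypt(plaintext, key):
    if not 1 <= key <= 25:
        raise ValueError("key must lie in the key space 1..25")
    return _shift(plaintext, key)


def caesar_decrypt(ciphertext, key):
    if not 1 <= key <= 25:
        raise ValueError("key must lie in the key space 1..25")
    return _shift(ciphertext, -key)


def brute_force(ciphertext):
    """The enemy's attack: try every key and read all 25 candidates."""
    return {key: caesar_decrypt(ciphertext, key) for key in range(1, 26)}


def recover_key(ciphertext, crib):
    """Brute force with a known-plaintext crib: return the key whose candidate
    contains the expected word, or None if no key produces it."""
    for key, candidate in brute_force(ciphertext).items():
        if crib.upper() in candidate:
            return key
    return None


if __name__ == "__main__":
    ct = caesar_encrypt("ATTACK AT DAWN", 1)
    print(ct)
    for key, candidate in brute_force(ct).items():
        print(key, candidate)
    print("key recovered with crib ATTACK:", recover_key(ct, "ATTACK"))
```

Twenty-five candidates is a trivial amount of work even by hand, which is the whole argument for the 56-bit and 128-bit key spaces discussed next: the brute force loop is identical, only the number of iterations changes.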
Modern-day secret key algorithms use mathematical calculations with key sizes described in terms of bits. The Data Encryption Standard (DES) algorithm, which is at the end of its useful life, uses 56-bit keys. A brute force attack on DES is very time consuming but achievable with today's computing power. It is being superseded by the Advanced Encryption Standard (AES), which uses 128-, 192-, or 256-bit keys.
Just like the cat-and-mouse competition between virus writers and antivirus researchers, there is a running competition between cryptographers, who develop new encryption algorithms, and practitioners of cryptanalysis, who try to break them by many different means. At stake are billions of dollars—for instance, in interbank money transfers that might be compromised if someone on the wrong side discovers the key or how to crack the algorithm.
PublicKeyvs.SecretKeyAlgorithms
Secretkeyalgorithms,runningthegamutfromtheCaesarciphertoDESandAESalgorithms,aredesignedtopreserveconfidentiality.(RemembertheAICtriadoutlinedinChapter6?)Theconfidentialityofthedata(plaintext)ispreservedonlyaslongastheadversarydoesnothaveaccessto,ortheabilitytofigureout,thesecretkeybyabruteforceattackoranyothermethod.
Anotherformofcryptography,publickeycryptography,wasinventedin1978bythreeindividuals,forwhomitiscalledRSA:Rivest,Shamir,andAdelman.Itmaybeusedforbothauthenticationandconfidentiality.
Inpublickeycryptographyeachuserhastwokeys,ora“keypair.”Akeypairismadeupofapublickey,whichmaybegivenoutin“publicplaces,”andaprivatekey,whichmustbekeptsecretbytheuser.Thetwokeysaremathematicallyrelated.Figure7-6showshowpublickeycryptographymaybeusedtoensureconfidentiality.
Figure7-6.UsingPublicKeyforConfidentiality
ReferringtoFigure7-6,thereceivergeneratesakeypairandkeepstheprivatekeysecret,butsendsthepublickeytothesender,whowantstosendthereceiveraconfidentialmessage.
Thesenderencryptsaplaintextmessagewiththereceiver’spublickey,thensendstheencryptedmessagebacktothereceiver.Thereceiver,usingtheprivatekey,istheonlyonewhocandecryptthemessage.
Thisillustrationshowswecanuseapublickeyalgorithmtodothesamethingasasecretkeyalgorithm.Inpractice,though,usingapublickeyalgorithmtakesmuchmoreprocessingtime.Itwouldnotbepracticaltousepublickeytoencryptandsendlargeamountsofdata.Inpracticethepublickeyisusedincombinationwithasecretkeyforthispurpose.
Therealadvantageofpublickeyencryptionisthatitmaybeusedforauthentication.
Figure7-7showshowwemayhaveourusersauthenticateeachother.
Figure7-7.UsingPublicKeyforAuthentication
ReferringtoFigure7-7,supposethereceiverwantstobesurethemessagereallycamefromthesender,notanimposter.Ifthesenderandreceiverhadeachgeneratedtheirownkeypairsandthenswappedpublickeys,thiswouldbeachievable.Thereceiverwouldhavethesender’spublickeytobeginwith.Thereceiverwouldaskthesenderto“sign”themessagewithhisorherprivatekey,creatingadigitalsignature.Uponreceivingthemessage,thereceiverwouldcheckthesender’sdigitalsignatureagainsttheircopyofthesender’spublickeytoseeiftheymatched.Iftheydid,themessageindeedcamefromtherealsender,notanimposter.
Aswecanseefromtheaboveexample,iftwousersgeneratekeypairs,theymaybeusedforbothauthentication(digitalsignature)andconfidentiality(encryption).
Inourpreviousexample,thesenderandreceiverhavemetinperson,knoweachother,and,therefore,havea“trustrelationship.”Butwhatifthesenderandreceiverhavenevermetandestablishedthattrustrelationship?Howdoesthereceiverknowthepublickeyreceivedoriginallyfromthesenderreallybelongstothesenderandnottoanimposter?
Theansweristoprovideapublickeyinfrastructure,orawayofcertifyingorguaranteeingthepublickeysaregenuineandreallybelongtotheauthenticsenders.Thisisusuallydonebyanoutsideagencysuchasabankorothercertifyingagency.Theoutsideagencycertifiesinsomewaytothereceiverthatthesenderisauthentic(byrequiringproofofidentity,forinstance)andthepublickeyisgenuine.
Message Integrity Checking
We need another type of cryptographic algorithm to complete our crypto toolkit—an algorithm that can let us know if a message has been altered in any way. A cryptographic checksum does this for us. Using an algorithm, it sums up the unique pattern of ones and zeroes comprising the binary representation of a message, generating a short checksum.
In telecommunications, a cyclic redundancy check (CRC) is used for this purpose—after every frame of data a cyclic redundancy check is computed and tacked onto the end of the message. Computing a cryptographic checksum ensures that the message/checksum correspondence cannot be tampered with.
Adding a cryptographic checksum to our toolkit gives us methods to ensure confidentiality, authentication, and message integrity.
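The two ideas above, the sender signing with a private key so the receiver can verify with the matching public key, and a cryptographic checksum that a tamperer cannot recompute, are shown together in the following added example. It is not code from the book; it uses textbook RSA over fixed Mersenne primes with no padding (illustration only, not a secure construction) and the Python standard library's HMAC. The messages, the shared key and the "imposter" key pair are constructed for the demonstration.

```python
"""Added example (not the book's own code): sign/verify for authentication and a
keyed cryptographic checksum for integrity, using only the Python standard library.
Keys, messages and the 'imposter' party are constructed for the demonstration."""
import hashlib
import hmac
import zlib

# Toy RSA over fixed Mersenne primes, "textbook" RSA with no padding scheme.
# This shows only the private-key-signs / public-key-verifies idea; a real
# deployment uses a vetted library, a padding scheme and 2048-bit keys.
SENDER_P, SENDER_Q = 2**89 - 1, 2**107 - 1
IMPOSTER_P, IMPOSTER_Q = 2**61 - 1, 2**127 - 1
E = 65537


def make_keypair(p, q, e=E):
    """Return (public_key, private_key) as ((e, n), (d, n))."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return (e, n), (d, n)


def digest_int(message, n):
    """SHA-256 of the message, truncated to 128 bits so it is always below n."""
    return int.from_bytes(hashlib.sha256(message).digest()[:16], "big") % n


def sign(message, private_key):
    """Sender signs the message digest with the private exponent d."""
    d, n = private_key
    return pow(digest_int(message, n), d, n)


def verify(message, signature, public_key):
    """Receiver checks the signature with the sender's public key (e, n)."""
    e, n = public_key
    return pow(signature, e, n) == digest_int(message, n)


def crc_accepts(message, tag):
    """CRC32 detects accidental corruption only: anyone can recompute it."""
    return zlib.crc32(message) == tag


def hmac_tag(message, key):
    """Keyed cryptographic checksum; computing it requires the shared secret key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def hmac_accepts(message, tag, key):
    # compare_digest keeps the comparison constant-time
    return hmac.compare_digest(hmac_tag(message, key), tag)


def authentication_demo():
    sender_pub, sender_priv = make_keypair(SENDER_P, SENDER_Q)
    _, imposter_priv = make_keypair(IMPOSTER_P, IMPOSTER_Q)
    msg = b"open valve 7"  # constructed control message
    sig = sign(msg, sender_priv)
    return {
        "genuine": verify(msg, sig, sender_pub),
        "imposter": verify(msg, sign(msg, imposter_priv), sender_pub),
        "altered": verify(b"open valve 8", sig, sender_pub),
    }


def integrity_demo():
    key = b"constructed-shared-secret"
    msg = b"setpoint=150"
    crc, tag = zlib.crc32(msg), hmac_tag(msg, key)
    altered = b"setpoint=950"
    return {
        "crc_original": crc_accepts(msg, crc),
        # a tamperer recomputes the CRC along with the change, so it still "passes"
        "crc_altered_recomputed": crc_accepts(altered, zlib.crc32(altered)),
        "hmac_original": hmac_accepts(msg, tag, key),
        # without the key, the old tag no longer matches the altered message
        "hmac_altered": hmac_accepts(altered, tag, key),
    }


if __name__ == "__main__":
    print(authentication_demo())
    print(integrity_demo())
```

The point of the second half is the one the text makes about CRCs: a CRC travelling with the frame protects against line noise, but since it has no key, a changed message with a recomputed CRC is indistinguishable from a genuine one. The keyed checksum fails for the altered message because the tag cannot be recomputed without the secret.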
Application of Cryptography to Industrial Network Security
Applications using cryptography are entering the field of industrial network security at a slow pace for the following reasons:
1. Encryption is a complex subject and requires an understanding of the mathematical basis of the algorithms used.
2. Adding encryption to industrial network data transmissions adds processing time to what may be fully utilized microprocessors and also requires additional communications bandwidth. When talking about response time in milliseconds or for deterministic control applications, the latency or “jitter” introduced could delay crucial control events.
3. Key management. Generating, storing, and distributing keys can be a difficult process. If using public key infrastructure (PKI), a suitable structure must be set up.
7.6 Virtual Private Networks (VPNs)
Virtual private networks fulfill an important role in the networked world and the Internet. Using the open Internet, they are designed to give protection to data communication equal to or greater than sending data via a dedicated phone line. A VPN works by setting up a secure tunnel over the Internet using an encrypted connection, and offers these three capabilities:
1. Identification, Authentication, and Authorization (see 7.7)
2. Integrity of information transfer
3. Confidentiality
Figures 7-8 and 7-9 show two ways a VPN might be set up.
Figure 7-8. VPN Configuration 1
Figure 7-9. VPN Configuration 2
Figure 7-8 shows a VPN configuration for giving secure remote access across the Internet. Here, remote hosts (say two different employees working at home) may access a corporate private network securely by setting up VPNs to their laptop computers. They would log in to their local Internet Service Providers (ISPs), go to the web address set up for their corporation’s VPN-equipped firewall, authenticate themselves, and be granted access.
In the configuration shown in Figure 7-9, the VPN connection allows private network A, shielded from the Internet by Firewall A, to connect securely with private network B, which is similarly shielded from the open Internet by Firewall B.
7.7 Authentication and Authorization Technologies
In Section 4.3 we dealt with the issues of Identification, Authentication, and Authorization. We introduced these concepts as follows:
• Identification = Who are you?
• Authentication = Prove it.
• Authorization = Now that we’ve established your identity, what set of access privileges do you have?
We also introduced the three factors of authentication as the following:
• Something you know
• Something you have
• Something you are
We can use any factor of authentication alone or in combination with other authentication factors to have a stronger authentication.
In cyberspace, using something you know translates into using a password or passphrase. A password is relatively short, say eight alphanumeric characters, and a passphrase is longer. This is the most time-honored and widely used method of cyber authentication. This method assumes the system user will enter a secret and cryptic combination of letters and/or numbers, and then will remember them the next time he or she wants to log on to the system.
Anyone not knowing this cryptic combination of letters and numbers would have to get the password from the user by trickery somehow or resort to brute force guessing, a trial-and-error method of testing all possible combinations of numbers and letters that might make up a password or passphrase.
To be effective, passwords or passphrases must:
• Have enough characters so the task of a brute force trial-and-error attack would be prohibitively time-consuming;
• Not be easily guessable by another party;
• Be retained in the user’s memory only, not written down on slips of paper, sticky notes, etc.; and
• Be changed at reasonable and regular intervals, say once or twice per month.
Authentication with “something you have” equates to authentication with a key or hardware token. One of the most direct ways to provide authentication is by resorting to a physical security device, such as a lock, with a key carried by the user.
The user plugs in a hardware token to gain access, perhaps one in the form of a Radio Frequency Identification Device (RFID) or a USB dongle. An embedded-chip card or a system using a magnetic stripe may be used also.
Authentication with “something you are” brings up the rapidly developing area of biometrics—the technology of verifying identity with a unique physical attribute that is not easily duplicated. Biometric identification can include the following:
• Hand Geometry
• Fingerprint
• Voiceprint
• Face Recognition
• Signature Recognition
• Iris Recognition
The field of biometrics has come a long way in the last few years. Some of the above methods, such as hand geometry, have been used in industry for 20–30 years; others, such as face recognition, are much newer.
Biometrics may be abused as well as used properly.
When system developers have tried to use biometrics for identification and authentication together, rather than for authentication alone, they have generally not been successful. Reference (2) is a news story of an attempt to use face recognition to catch criminals by the Tampa, Florida, police department that failed to produce results.
Increasing the Factors of Authentication
Greater confidence in the authentication process may be had by using two or more factors of authentication, either multiple instances of the same factor or different factors. For example, in a popular two-factor authentication process referred to in Section 4.3, a token flashing a one-time password that changes each minute can be used with a centralized log-in screen, where the user must input a passphrase consisting of a unique four-character PIN that doesn’t change (something you know) with the one-time password (also something you know) displayed on the encryption token to log on and get access to the computing services.
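The log-in screen just described, a fixed four-character PIN concatenated with the code shown on a token that changes every minute, can be implemented as in the following added example. It is not code from the book; the token code is generated the way the HOTP/TOTP standards (RFC 4226 and RFC 6238) do it, with the time step set to 60 seconds to model a once-a-minute token, and the PIN, token secret and salt are constructed values. The replay check is an addition a practitioner would want: a code that already opened a session must not open a second one.

```python
"""Added example (not the book's own code): the two-factor log-in described above,
a fixed four-character PIN plus a token code that changes every minute (RFC 4226/6238
style), standard library only. Secret, PIN and salt are constructed values."""
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=60, digits=6):
    """Time-based variant (RFC 6238); step=60 models a token that changes each minute."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at // step), digits)


class TwoFactorLogin:
    """Central log-in screen: PIN (something you know) + current token code."""

    def __init__(self, pin, token_secret, step=60):
        self._salt = b"constructed-salt"  # use os.urandom(16) per user in practice
        self._pin_hash = self._hash_pin(pin)  # never store the PIN itself
        self._secret = token_secret
        self._step = step
        self._last_counter = -1  # highest time window already accepted

    def _hash_pin(self, pin):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 100_000)

    def login(self, passphrase, at=None):
        """passphrase = 4-character PIN immediately followed by the 6-digit code."""
        if at is None:
            at = time.time()
        if len(passphrase) != 10:
            return False
        pin, code = passphrase[:4], passphrase[4:]
        counter = int(at // self._step)
        pin_ok = hmac.compare_digest(self._hash_pin(pin), self._pin_hash)
        expected = hotp(self._secret, counter)
        code_ok = hmac.compare_digest(code.encode(), expected.encode())
        # Both factors must match, and a code from an already-used window is a replay.
        if not (pin_ok and code_ok) or counter <= self._last_counter:
            return False
        self._last_counter = counter
        return True


if __name__ == "__main__":
    screen = TwoFactorLogin("4729", b"12345678901234567890")
    print(screen.login("4729" + totp(b"12345678901234567890")))  # True on first use
```

With step=30 and the RFC test secret "12345678901234567890", the code for time 59 is 287082, the published RFC 6238 test vector, which makes the implementation checkable against an independent reference.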
Authorization
Finally, let’s talk about authorization. As introduced in Section 4.3, once a user (or device) is identified and authenticated, we need some way of allocating certain access privileges to the person or device. What are they permitted to do? Which files may they change, delete, or create?
Historically, several conceptual models of authorization have been used by government and the military, and by industry.
• Mandatory Access Control. This has been used in military and government circles. Here information files are classified “Secret,” “Top Secret,” etc., and only persons with the matching secret or top secret security clearance may have access to these files. Control is centralized, and based on a rigid set of access control rules.
• Discretionary Access Control. This has been used commonly in industry and commercial computer systems. Here, whoever “owns” the information is empowered to set limits on who may access the information and what privileges they have to modify it.
• Role-Based Access Control. This type of access control shows great promise for industrial networking situations. Here, the users are grouped into roles, depending on what their job function is. For instance, in a bank, the roles might be teller, head teller, branch manager, etc., with a number of individuals belonging to a role group. Once employees are identified and authenticated within the system, their roles determine their authorization privileges, not their individual identities. One can see the efficiency advantage if, for instance, a centralized role-based access control system were used in a large industrial control room. Operators, shift supervisors, engineers, and technicians would each be in a role group that would have certain fixed privileges. If one employee leaves and another arrives, one only needs to add or delete their individual identities on the roles list on the centralized server, not add or delete them from access control lists on the individual systems.
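The control-room case made for role-based access control above, and the clearance rule of mandatory access control, are shown in the following added example (not code from the book). Users are attached to roles, roles carry the fixed privileges, and removing a departing employee is one deletion on the central server rather than an edit on every system. The role names, permission names and user names are constructed.

```python
"""Added example (not the book's own code): role-based access control for a control
room, plus the no-read-up rule of mandatory access control. Names are constructed."""
from typing import Dict, Set


class RoleBasedAccessControl:
    """Central RBAC server: users -> roles -> permissions."""

    def __init__(self):
        self.role_permissions: Dict[str, Set[str]] = {}
        self.user_roles: Dict[str, Set[str]] = {}

    def define_role(self, role, *permissions):
        self.role_permissions[role] = set(permissions)

    def assign(self, user, role):
        """New employee arrives: one entry on the central roles list."""
        if role not in self.role_permissions:
            raise KeyError(f"unknown role {role!r}")
        self.user_roles.setdefault(user, set()).add(role)

    def revoke_user(self, user):
        """Employee leaves: one deletion here, no per-system ACL edits."""
        self.user_roles.pop(user, None)

    def permissions_of(self, user):
        roles = self.user_roles.get(user, set())
        return set().union(*(self.role_permissions[r] for r in roles))

    def is_authorized(self, user, permission):
        """Authorization is decided by role membership, not by identity."""
        return permission in self.permissions_of(user)


def control_room_rbac():
    """Constructed role groups for a large control room."""
    rbac = RoleBasedAccessControl()
    rbac.define_role("operator", "view_hmi", "acknowledge_alarm", "change_setpoint")
    rbac.define_role("shift_supervisor", "view_hmi", "acknowledge_alarm",
                     "change_setpoint", "override_interlock")
    rbac.define_role("engineer", "view_hmi", "edit_plc_logic", "download_to_plc")
    rbac.define_role("technician", "view_hmi", "calibrate_instrument")
    rbac.assign("alice", "operator")
    rbac.assign("bob", "engineer")
    rbac.assign("carol", "shift_supervisor")
    return rbac


# Mandatory access control: fixed classification lattice, centrally enforced.
LEVELS = {"Unclassified": 0, "Secret": 1, "Top Secret": 2}


def mac_read_allowed(clearance, classification):
    """A subject may read a file only at or below its clearance (no read up)."""
    return LEVELS[clearance] >= LEVELS[classification]


if __name__ == "__main__":
    rbac = control_room_rbac()
    print(rbac.is_authorized("alice", "download_to_plc"))  # operator: False
    print(rbac.is_authorized("bob", "download_to_plc"))    # engineer: True
```

A discretionary model would differ in who calls define_role/assign: under DAC the owner of each file sets its access list, whereas here and under MAC the rules are held centrally.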
It should be emphasized that identification, authentication, and authorization don’t pertain exclusively to people. A secure intelligent device, such as a control sensor or actuator or a PLC on a network, may need to identify itself to the rest of the control network as the “real thing” and not an “imposter device.” And a whole subnetwork (for instance, a remote industrial network segment) may need to identify itself to another network. Identification, authentication, and authorization are for machines, devices, and industrial network segments as well as for people.
References
1. Falco, J., Hurd, S., and Teumim, D. “Using Host-Based Antivirus Software on Industrial Control Systems.” NIST Special Publication 1058 (2006).
2. Bowman, L. M. “Tampa Drops Face-Recognition System.” Cnet.com article. August 21, 2003. Retrieved 11/11/2004 from: http://news.com.com/Tampa+drops+facerecognition+system/2100-1029_3-5066795.html
8.0 Cyberdefense Part III—People, Policies, and Security Assurance
8.1 Management Actions and Responsibility
In Chapter 2, we saw that to be effective, industrial network security has to be driven by top management and work its way down the corporation. The alternative, a “grass-roots” effort by automation and control engineering, may be commendable but will probably not get the attention and resources it needs to succeed in a measurable way.
Several key factors are necessary to develop a meaningful industrial network security organization and program. Two of these factors are:
• Leadership commitment. Industrial network security needs a genuine place in the organization, a place that fits in with corporate goals for risk management and for corporate and IT security. This means top management must be committed, and this often means a convincing business case must first be made (see Chapter 2).
• An industrial network security committee, task force, or similar entity. This entity may be called a Program Team.
Resources for the Program Team must include:
• Personnel
• Budget
• Training
• Organizational empowerment and authority
• A charter, usually some high-level security policies that detail the mission, structure, goals, and responsibilities of the Program Team
• A first project—as modest or as ambitious as Program Team resources will allow
• A plan for the first project.
8.2 Writing Effective Security Documentation
Security documentation creates a vehicle for informing your company about recommended and/or required practices for cybersecurity that can be read and understood by readers at all levels of technical sophistication. Most readers want to spend as little time as possible wading through information that does not apply to them to get to what they really need.
Let’s talk about IT cybersecurity before we consider industrial networks. There are many different approaches to writing security documents in the IT world, and the resulting documentation may be labeled differently and be composed of different sets of information from company to company.
The writer’s point of view, after spending many hours in fruitless discussions with peers over which piece of paper should be called by what name, is that the issue is not so much what name we give to our documents but whether the documents, taken together, convey the required information in an efficient fashion. Also, does the final set of security documents “hang together” and produce a coherent framework for the various readers?
With this introduction in mind, let’s look at the business side of the company we described in Chapter 2. A set of IT cybersecurity documents for the business side of our widget factory would address these issues, among many others:
• Web. Downloading of pornography or other illegal content by employees.
• Email. Viruses and spam coming in with email.
• Remote access. Allowing authorized users to connect via modem or VPN and keeping hackers out.
• Unlicensed software. Keeping employees from using unpaid-for software.
What sort of security documentation system is best to convey all the required security information? The writer presents the following IT cybersecurity framework as one system that “hangs together.” By no means is it the only way to also structure a set of industrial network security documents, but it is a common and proven way.
This system uses four types of security documents:
• Security Policies
• Security Standards
• Security Guidelines
• Security Procedures
Classification of security documents into the categories above depends on the message, the intended audience, the document’s technical sophistication, and whether the message and instructions are recommended or mandatory.
Let’s start at the top of the list. Security policy usually comes from high in the management chain and is a short statement of the corporation’s position on security issues. For instance, it may come from as high a level as the CEO of the company, saying something such as, “This corporation believes that IT cybersecurity is crucial to the success of the company for the following reasons: (list reasons). Therefore, we have assigned the (name of group), under the leadership of (name or title of person in charge), to be responsible for this area and to report to me at regular intervals.”
Among IT cybersecurity professionals, the term “security policy” may also be used at much lower levels. For instance, the security policy for a firewall may simply be a list of rules for setting up a firewall. Among IT professionals this may be an allowable use for “security policy,” but we must clearly differentiate this document from the CEO’s proclamation!
We will show how to do this in an upcoming figure. Let’s now define the three other security documents listed above:
• Security Standard. A document that is mandatory and prescriptive, describing how to deal with cybersecurity issues. For example, “A firewall must be used at every connection from the business LAN to the Internet.” It may also include provisions such as the level of approval necessary for elements of the system not to be subject to a certain part of the requirement.
• Security Guidelines. A document that describes recommended but not mandatory ways to solve security problems or sets forth options for solving problems.
• Security Procedures. Detailed technical documents for accomplishing security tasks and meant for the employees doing the work. A security procedure may be a mandatory or recommended way to perform a security task.
Next, let’s create a framework on which to hang the four types of security documents while allowing for different levels of security policy. Figure 8-1 gives such a security document framework.
As shown in Figure 8-1, security policies cascade from the highest level (CEO level) to mid-level (CIO or IT cybersecurity) to low level (for instance, the industrial network security level). The aforementioned Program Team that decides and implements security within the industrial network boundary might be an excellent choice to write the low-level security policies.
Figure 8-1. A Cybersecurity Document Framework
Consider a specific example from our list of typical IT cybersecurity issues—Internet and email use by employees. At the top (CEO) level, there might be policies on “business only” use of Internet and email by employees. At mid-level (CIO), there might be further policy qualification of what constitutes business-only use of these resources, with standards, guidelines, and procedures to enable and enforce this policy.
Finally, the low-level policy describes how Internet and email access will be addressed inside the industrial network boundary.
A major cybersecurity question may be whether to allow company email and Internet connectivity to any computer connected to the process control network, for fear of spreading viruses or Trojan horses to critical process networks.
Some alternatives might be to:
1. allow company email and Internet connectivity to any operator or engineering workstation, as desired;
2. allow company email and Internet connectivity only to certain controlled and monitored workstations; or
3. not allow any company email or Internet connectivity to any computer on the process control network. (This is the most restrictive security policy, and the approach favored by the writer.)
However, an alternate means of providing email and Internet access within the control room is to extend the business LAN into the control room as a parallel, “air-gapped” network, and have dedicated business workstations for operators. This way, business network connectivity is provided without direct process control network access.
But let’s say alternative 2 is chosen. The security documents might be framed around the mechanism and infrastructure to provide this solution.
The Security Policy would simply state that only certain designated and controlled workstations on the process control network could be used for Internet and email.
A Security Standard might specify the type and number of workstations allowed, who will set these up, the configuration, method of monitoring, auditing, etc.
A Security Procedure might be the instructions to the IT/Control Engineering staff on exactly how to set up these workstations.
A key feature of the security document framework is that one group of readers is not burdened with unnecessary detail meant for another group of readers. The policy document has no need for the technical details of how to set up the workstation. This security document framework is modular, concise, and provides for different documents for different classes of readers.
8.3 Awareness and Training
One area of security that is frequently overlooked is industrial network security awareness and training for all the users of a system or group of systems.
Security awareness is accomplished when industrial network users understand the need for security, the threats and vulnerabilities in a general way, the security countermeasures and why they are designed the way they are, and how the lack of secure operation of these systems will affect their jobs and the company’s bottom line.
It is important to repeat awareness sessions to regularly remind employees, contractors, and other users of the system of these matters and to keep them up to date on changes.
Some formats for awareness sessions with employees might be:
• Live security talks or presentations
• Printed materials, such as brochures, posters, etc.
The security awareness program is for everybody—all who will use or come in contact with the systems. On the other hand, security training is specific. Security topics may be presented in self-taught sessions or in more formal classroom sessions. For instance, training new engineers on the method for secure remote access over a VPN might be a suitable topic for a “hands-on” training session.
8.4 Industrial Network Security Assurance Program: Security Checklists
Security checklists are lists of routine activities that must be completed to accomplish a certain security goal, such as securing a host or network. They are used extensively for day-to-day activities in IT cybersecurity and may also be used for industrial network security tasks. Let’s look at some functions security checklists provide in IT cybersecurity.
One way COTS software can be vulnerable to cyber attack is by having open ports and services on the host computer that aren’t being used, thereby opening avenues of attack. This is much like leaving many doors in a big building unlocked even though no one uses these doors.
COTS operating systems, when installed “out of the box,” frequently leave services (from web servers to exotic, little-used services) and ports open by default. It is the opposite of the basic security principle—the Principle of Least Privilege—described previously. If ports and services are not closed in a systematic procedure, these open doors make cyber-attack easier.
Another way COTS software may invite cyber attack is by leaving unpatched vulnerabilities. As discussed previously, many vulnerabilities in COTS software for business and industrial network applications are coded into the software during the development process and then not caught in a code inspection or quality assurance effort before release. We saw in Chapter 4 that a simple buffer overflow condition is responsible for many security vulnerabilities.
Unfortunately, these vulnerabilities are then found one at a time by security researchers or by the hacking community. If a vulnerability is caught by a security researcher, perhaps after a user complaint, the researcher should work with the vendor to ensure that a patch is developed and available at the same time as the vulnerability is made public.
This gives conscientious system administrators time to download the patch from the vendor’s website and fix their systems, hopefully before a new virus or worm targeting that vulnerability can be invented by a hacker.
Vendors and non-profit security organizations have security checklists and even automated system configuration tools to identify and close the unneeded ports and services described above, as well as to check on security patch level and installation, in a step-by-step fashion.
This process of patching vulnerabilities and turning off unneeded ports and services for your computers and network equipment is known as “host and network hardening.”
An example of a coordinated host and network security hardening project is a program begun in 2003 by the National Institute of Standards and Technology (NIST). NIST began to gather and put into a database many different security checklists and automated configuration toolsets furnished by such companies and organizations as Microsoft, the National Security Agency (NSA), and others. (1)
The concept of host and network hardening and security checklists may also be applied to industrial network security. Some applications might include:
• checking an industrial network security configuration before putting it into production mode or
• hardening a Windows or Unix host before connecting it to an industrial network.
Before using an IT security checklist for an industrial network, one additional step is necessary: letting the industrial network vendor review and test the checklist activities, including closing ports and services and applying patches, to ensure that checklist activities are compatible with the application software as installed. Figure 8-2 gives a simple flowchart that includes this extra step.
Figure 8-2. Industrial Network Hardening Flowchart
Once “blessed” by the industrial network vendor as in Figure 8-2, security checklists may be very easily incorporated into the security document framework outlined previously, at the level of standards, guidelines, or procedures. They will save time, improve uniformity and consistency of security efforts, and help ensure that organizational knowledge of industrial network security is not lost if key people leave the company.
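The hardening checklist of this section, with the vendor-review gate of Figure 8-2 built in, can be turned into a small automated check as in the following added example (not code from the book). It parses a constructed listing of listening sockets on a host, compares it and the host's installed patches against checklist items, and refuses to act on any item the industrial network vendor has not yet reviewed. Service names, ports, hostnames and patch identifiers are placeholders.

```python
"""Added example (not the book's own code): evaluating a host-hardening checklist
against a constructed snapshot of a host, with the vendor-review gate of Figure 8-2
built in. Service names, ports and patch identifiers are placeholders."""
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed listening-socket listing: proto, local address, state, program.
LISTENING_SNAPSHOT = """\
tcp  0.0.0.0:22   LISTEN  sshd
tcp  0.0.0.0:23   LISTEN  telnetd
tcp  0.0.0.0:80   LISTEN  httpd
tcp  0.0.0.0:502  LISTEN  modbusd
udp  0.0.0.0:69   -       tftpd
"""


def parse_listening(text: str) -> Dict[str, str]:
    """Map 'proto/port' -> program name from a snapshot in the format above."""
    services = {}
    for line in text.splitlines():
        proto, local, _state, program = line.split()
        port = local.rsplit(":", 1)[1]
        services[f"{proto}/{port}"] = program
    return services


@dataclass
class ChecklistItem:
    name: str
    kind: str              # "close_service" or "require_patch"
    target: str            # "proto/port" or a patch identifier
    vendor_approved: bool  # reviewed and tested by the industrial network vendor?


@dataclass
class Finding:
    item: str
    status: str            # "pass", "fail" or "skipped"
    detail: str


def evaluate(listening: Dict[str, str], installed_patches: Set[str],
             checklist: List[ChecklistItem]) -> List[Finding]:
    """Run the checklist; items the vendor has not blessed are reported, not applied."""
    findings = []
    for item in checklist:
        if not item.vendor_approved:
            findings.append(Finding(item.name, "skipped", "awaiting vendor review (Figure 8-2)"))
        elif item.kind == "close_service":
            program = listening.get(item.target)
            if program is None:
                findings.append(Finding(item.name, "pass", f"{item.target} not listening"))
            else:
                findings.append(Finding(item.name, "fail", f"{item.target} open ({program})"))
        elif item.kind == "require_patch":
            ok = item.target in installed_patches
            findings.append(Finding(item.name, "pass" if ok else "fail",
                                    f"{item.target} {'installed' if ok else 'missing'}"))
        else:
            raise ValueError(f"unknown checklist item kind: {item.kind}")
    return findings


# Constructed checklist. The web server item is deliberately unapproved: the HMI
# application might depend on it, so the vendor must review it before it is closed.
CHECKLIST = [
    ChecklistItem("no telnet", "close_service", "tcp/23", vendor_approved=True),
    ChecklistItem("no tftp", "close_service", "udp/69", vendor_approved=True),
    ChecklistItem("no web server", "close_service", "tcp/80", vendor_approved=False),
    ChecklistItem("OS patch A", "require_patch", "PATCH-PLACEHOLDER-A", vendor_approved=True),
    ChecklistItem("OS patch B", "require_patch", "PATCH-PLACEHOLDER-B", vendor_approved=True),
]
INSTALLED_PATCHES = {"PATCH-PLACEHOLDER-A"}


def run_checklist() -> Dict[str, str]:
    """Return item name -> status for the constructed host."""
    findings = evaluate(parse_listening(LISTENING_SNAPSHOT), INSTALLED_PATCHES, CHECKLIST)
    return {f.item: f.status for f in findings}


if __name__ == "__main__":
    for f in evaluate(parse_listening(LISTENING_SNAPSHOT), INSTALLED_PATCHES, CHECKLIST):
        print(f"{f.status:8} {f.item}: {f.detail}")
```

Note that the control protocol port (tcp/502 in the constructed snapshot) has no checklist item at all: an IT checklist that closed "unknown" ports blindly would break the application, which is exactly the reason the text inserts the vendor review step.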
8.5 Security Assurance: Audits
Security audits are also frequently used in IT cybersecurity as a means of:
• checking that changes to a network’s setup and configuration are satisfactory and agree with established security procedures before allowing the network to be put into normal operation,
• reviewing security logs, frequently with the aid of software audit tools to automate the log scanning procedure, and looking for signs of an intrusion or compromise, and
• performing an outside and independent audit on the normal operation of security features by systems administrators or others.
Usually, auditors are specially trained in IT cybersecurity techniques. One organization that trains IT cybersecurity auditors is the Information Systems Audit and Control Association (ISACA). Auditors with the certification ISACA sponsors, who are known as Certified Information Systems Auditors (CISA), are skilled in a variety of auditing methodologies for various IT systems and applications.
In a similar vein, an industrial network also needs a periodic audit to ensure that security countermeasures are set up, configured, and operating properly.
The goal of the industrial network security auditor is to find out if the countermeasures designed into the system are still operating effectively, the way they were designed and intended to operate, or if maintenance has fallen off and the countermeasures have not been updated, yielding an ineffective cyber defense.
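The second audit function listed above, scanning security logs with a tool for signs of compromise, is illustrated by the following added example (not code from the book). It parses constructed syslog-style authentication lines from a hypothetical engineering workstation and flags a source that reaches a failure threshold, rating it higher when a successful log-in follows the failures. The hostname, user names, addresses and the threshold are constructed assumptions.

```python
"""Added example (not the book's own code): an automated scan of authentication log
lines, one of the audit functions listed above. The log lines are constructed."""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed syslog-style lines from a hypothetical engineering workstation "ews01".
AUTH_LOG = """\
Mar 12 02:14:01 ews01 sshd[2201]: Failed password for operator from 10.0.5.77 port 51001
Mar 12 02:14:03 ews01 sshd[2202]: Failed password for operator from 10.0.5.77 port 51002
Mar 12 02:14:05 ews01 sshd[2203]: Failed password for operator from 10.0.5.77 port 51003
Mar 12 02:14:07 ews01 sshd[2204]: Failed password for admin from 10.0.5.77 port 51004
Mar 12 02:14:09 ews01 sshd[2205]: Accepted password for operator from 10.0.5.77 port 51005
Mar 12 08:00:12 ews01 sshd[2310]: Accepted publickey for engineer from 10.0.5.12 port 52000
Mar 12 08:05:40 ews01 sshd[2311]: Failed password for engineer from 10.0.5.12 port 52001
Mar 12 08:05:52 ews01 sshd[2312]: Accepted password for engineer from 10.0.5.12 port 52002
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?P<user>\S+) from (?P<src>[\d.]+)"
)


def parse_auth_log(text: str) -> List[Dict[str, str]]:
    """Turn matching lines into dicts; lines in other formats are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def audit(events: List[Dict[str, str]], failure_threshold: int = 3) -> List[dict]:
    """Flag sources whose failure count reaches the threshold. A success that comes
    after that many failures is rated higher: it looks like a guessed credential
    rather than a mistyped one, and deserves a follow-up with the account owner."""
    failures = defaultdict(int)
    success_after = defaultdict(bool)
    for ev in events:  # events are processed in log order
        if ev["result"] == "Failed":
            failures[ev["src"]] += 1
        elif failures[ev["src"]] >= failure_threshold:
            success_after[ev["src"]] = True
    findings = []
    for src, count in failures.items():
        if count >= failure_threshold:
            findings.append({
                "src": src,
                "failures": count,
                "succeeded_after": success_after[src],
                "severity": "high" if success_after[src] else "medium",
            })
    return findings


if __name__ == "__main__":
    for finding in audit(parse_auth_log(AUTH_LOG)):
        print(finding)
```

In a real audit the threshold and the time window would come from the site's security standard, and the findings would be reviewed against the shift roster: an operator account accepted at 02:14 after four failures is worth a question even if the password was eventually correct.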
8.6 Adding in Physical Security
As Chapter 2 emphasizes, physical security plays a major role in the security defense of any segment of the industrial plant, including the industrial network. Physical security countermeasures to prevent or deter unauthorized entry and/or access include measures such as locks on doors and windows, fences, and security guards. Countermeasures to detect unauthorized intrusions include burglar and intrusion alarms, closed-circuit TV (CCTV) cameras, and video recorders for those cameras. More recently there are video analytics software packages for CCTV systems, which can alert operators to suspicious or unauthorized movements of people in restricted areas, etc. Physical security has been around for hundreds of years, and quite a number of sophisticated physical security devices are on the market.
There are many good sources of information on physical security in a plant environment. The American Chemistry Council (ACC) has a fair amount of material on physical security in its publication “Site Security Guidelines for the U.S. Chemical Industry.” (3)
ASIS International, an international organization of security management professionals, has a wealth of good articles and resources on physical security on its website (4), including articles from its monthly magazine, Security Management.
But perhaps the best advice on physical security for the industrial network security Program Team is also the easiest to follow: As urged in Chapter 2, include a representative of physical security or facilities management in risk assessment and other activities of the industrial network security Team. Without physical security representation, an important perspective will be missing.
8.7 Adding in Personnel Security
Like physical security, personnel security is another important component necessary to round out the industrial network security defense for an industrial plant. Some of the more common personnel security controls include the following:
• Background screening checks before hiring employees and contractors. These may include criminal record checks, credit checks, driving records, education records, etc.
• A clear statement of company security policies and the security behavior expected of employees and contractors.
• Company terms and conditions of employment, including measures such as employee rights and responsibilities and detailing offenses to security policies, disciplinary actions, etc.
• Incident investigation. Many big breaches of security are preceded by small breaches. All security-related incidents should be investigated and the individuals involved monitored for indications of further security violations.
• Rechecking employees’ and contractors’ backgrounds periodically, especially after a security violation. This should be done in line with company personnel policies.
As with physical security, personnel security has been around a long time. There are many resources out there, and many practitioners. The previously mentioned ACC “Guide to Security at Fixed Chemical Sites” has a number of personnel security guidelines and recommendations. But, as mentioned previously in Section 8.7 regarding the field of physical security, the best advice the writer can give with personnel security is simply to have representatives of personnel security, whether the HR department or management or another group, sitting at the table when the risk assessment team or the industrial network security Program Team meets, and to make sure that their point of view is included.
References
1. Computer Security Resource Center (CSRC) Security Checklist for Commercial IT Products. National Institute of Standards and Technology. Last updated 10/19/2004. Retrieved 11/11/2004 from http://csrc.nist.gov/checklists/.
2. Kirk, M. “Eligible Receiver” from PBS Frontline documentary “CYBERWAR!” Originally Broadcast 4/23/2003. Retrieved 11/11/2004 from http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/.
3. American Chemistry Council, Chlorine Institute, and Synthetic Organic Chemical Manufacturers Association. Site Security Guidelines for the U.S. Chemical Industry. 10/2001.
4. ASIS International Website. Retrieved 11/11/2004 from www.asisonline.org.
5. Kaplan, D. “Attack Code Released for SCADA Software Vulnerability.” SC Magazine article, Sep. 8, 2008. Retrieved 8/30/2009 from http://www.scmagazineus.com/Attack-code-released-for-SCADA-software-vulnerability/PrintArticle/116387/.
9.0 New Topics in Industrial Network Security
9.1 Red Teaming: Test Yourself Before Adversaries Test You
Red teaming traces its roots to warfare where commanders need to test and refine their own defenses and battle plans to ferret out weaknesses, study adversary tactics, and improve their strategies. Since this book covers industrial networks, our focus will be on cyber red teaming used to evaluate security questions related to these systems. Cyber red teaming has strong ties to both network vulnerability assessment and penetration testing.
Cyber red teaming, as you might expect, is a rather young field, but it is maturing as red teams have begun to collaborate, exchanging ideas, sharing tools, and developing new techniques. Over time, different groups have come to use cyber red teaming in one form or another, applying it to answer different questions (e.g., Are my personnel prepared to defend my network from a cyber attack? and Which of several security appliances will best protect my network?), and in different domains (e.g., cyber and physical).
But what exactly is red teaming? A key factor is that red teaming is mission-driven.
Many different groups perform red teaming and use differing terminology, techniques, and processes: commercial security firms, various military units and government agencies, and national laboratories. If one wants to understand a group that performs red team assessments then first one must understand what that group means by red teaming. For instance, Sandia National Laboratories’ Information Design Assurance Red Team (IDART™) group defines red teaming as “authorized, adversary-based assessment for defensive purposes.” The IDART group advocates that red team assessments be performed throughout any cyber system life cycle but especially in the design and development phase where cooperative red team assessments cost less, and critical vulnerabilities can be uncovered and mitigated more easily.
9.2 Different Types to Answer Different Questions
The IDART group has been red teaming for the U.S. government and commercial customers since 1996 and is widely known in the red team community. IDART identifies eight unique types of red teaming that can be performed individually or can be combined with other types. They are quick to point out that careful, detailed planning of a red team assessment requires significant communication between assessment customers and their red team. Experienced red teams should provide their customers with technical options for an efficient and effective assessment process that addresses their customers’ security concerns.
The eight types of red teaming identified by IDART in their Red Teaming for Program Managers course are:
1. Design assurance (to improve new or existing system designs)
2. Hypothesis testing (to measure performance against a well-formed hypothesis)
3. Red team gaming (to evaluate adversary attack decision making in a given scenario)
4. Behavioral analysis (to analyze adversaries in order to identify indications and warnings)
5. Benchmarking (to produce a performance baseline that helps measure progress)
6. Operational (to test personnel readiness and defensive tactics, techniques, and procedures)
7. Analytical (to formally measure and compare available adversary courses of action)
8. Penetration testing (to determine whether and by what means an adversary can compromise system security).
9.3 Red Teaming Industrial Networks – Caution, It’s Not the Same!
Most red teams don’t assess industrial networks because they lack the specialized knowledge and training required to assess the sensitive components found in industrial networks. Industrial networks provide critical real-time or near real-time control over physical processes, and cyber red teaming sometimes results in intentional or accidental denials-of-service. Active network assessments (including penetration testing) should almost never be conducted in a production control system or control system network.
Where a control network interfaces with a business network, cyber assessment teams should be expert in understanding (and verifying) the network boundaries and how traffic is passed between the networks. Vulnerability scans and network foot-printing activities routinely executed by both network administrators and independent assessment teams in traditional IT networks can have extremely adverse impacts on industrial networks.
Instead of conventional active assessments, industrial network stakeholders must enable assessments (including red teaming) by using passive techniques and isolated test systems and networks. Still, integrating red team assessments into industrial network environments demonstrates an aggressive, proactive, security-conscious culture. The keys to success are what form of red teaming is implemented, who is on the team, and that a responsible, safe strategy is adopted to protect against accidental damage and/or disruption to the network.
9.4 System Security Demands Both Physical Security and Cybersecurity
Physical security systems are evolving to be increasingly dependent on cyber systems and information technology. For instance, physical access control systems at sensitive military, government, and commercial installations use computers, sensors, communications networks, databases, and other electronic information technology. Such security system networks are nearly indistinguishable from any other kind of IT network.
Indeed, new industrial network standards, such as those contained in NERC CIP, mandate physical security systems having greater capabilities. These systems contain functionality (like streaming video) that requires bandwidth that is not found in a 24-Kb process control line, but which is found in a 100- to 1000-Mb business network.
One easy solution for network owners is to run the physical security communications through the business network, and perhaps establish a WiFi connection for remote sensors. The problem is that if someone is successful in compromising the business network, they are now within striking distance of the physical security system. Another approach might be to run some or all of the physical security system communications through the control systems network. In some instances this can work well, but in others it can represent a big risk to the control systems network.
The bottom line is, given the emerging trend in physical protection systems – incorporating COTS networking technologies and communications protocols – a capable adversary (outsider or insider) is but a stone’s throw away from changing a physical security database and letting somebody inside a sensitive facility whom you don’t want inside.
Because attacks against any kind of system or network can use physical means, cyber means, or both, a comprehensive approach to security requires assessments of both physical security and cybersecurity. Even more, system defenders must understand the concept of blended attacks, whereby an attacker uses physical means to enable cyber attacks, and cyber means to enable physical attacks. System owners and defenders should consider that cyber red teaming their industrial and administrative networks without also red teaming their physical security is inadequate.
Finally, performing red team assessments is not a task for amateurs. Even professional security organizations that lack specific experience in red teaming should consult with experienced red teams to consider a variety of assessment questions, options, recommended practices, legalities, and lessons learned before attempting to implement a red team assessment.
9.5 The Transportation Connection: Passenger Rail and Cybersecurity
By 2005 many industry sectors, such as oil and gas, chemicals, and electric power were already aware of, and working on, aspects of industrial network security. Much of the critical infrastructure in these sectors is privately owned; what about publicly owned infrastructure, such as in the transportation sector, particularly passenger rail?
The passenger rail industry in the United States has an interesting variety of systems. It contains some of the oldest and largest subway systems in the world, including New York City Transit. To that one may add showpiece subway systems like Washington, D.C.'s WMATA, new, sleek light rail systems such as Houston Metro, and advanced people-mover and commuter rail.
Passenger rail, as with other critical sectors mentioned earlier in this book, has not been without its cyber incidents. For instance:
• In 2003 a computer virus shut down the CSX system. Amtrak trains, which normally use the freight company's rails, were likewise shut down for hours. (1)
• In 2007 a 14-year-old Polish teenager in the city of Lodz hacked into the city's tram system, causing two streetcars to collide head-on and sending passengers to the hospital. (2)
• In 2006 in Toronto, a hacker changed the electronic passenger advertising on train signboards to display a disparaging comment about Canada's prime minister. (3)
In the summer of 2005, the writer approached APTA, the American Public Transportation Association, with a proposal. APTA is the trade association for North America's passenger rail and bus public transit agencies and associated industry. Public transit, covering everything from big city subways and commuter rail to newer light rail lines, was undergoing a change in control systems from old electromechanical relay and serial communications systems to modern industrial networks using PLCs, fiber optics, wide area networks (WANs), and Internet protocol (IP)-based communication. Would APTA be interested in jumping on the same bandwagon as the industries mentioned above, and support a control security initiative?
The writer recalls the meeting with APTA's staff at their Washington, DC headquarters: "I had the usual articles about control system security, concerning computer viruses and worms, and I was making moderate progress, when I decided it was time to pull out my heavy ammunition: a copy of 2600, the Hackers Quarterly, Spring 2005 edition, freely available in many big bookstores.
This publication had an article on hacking the MetroCard® fare collection system, which is used by a number of big city subway systems. The author of the 2600 article had reverse engineered the information encoded on the magnetic stripes on these cards, and researched the original patents on the system to gain knowledge of the technical details. It was a full description of the system, how the cards are encoded (and how to decode them), how theoretically the cards could be overwritten (with a disclaimer to the effect that the author surely wouldn't want any of their readers to do anything illegal such as trying to change the amount stored on the cards and try to use them!). In all, the article was very professionally done, and would have made any technical editor proud."
That article did it! I had made a sale on the value of industrial network security to APTA. With some more awareness and organizational efforts, the APTA "Control and Communications Security Working Group" was created and funded. At the time of this writing, Part 1 of the Recommended Practice "Securing Control and Communications Systems in Transit Environments" is in the balloting/approval stage. Part 1 contains getting organized and background information for transit agencies, up through risk assessment. Part 2 will follow, which will contain developing a security plan and designing, installing, and maintaining security controls.
References
1. Hancock, D. "Virus Disrupts Train Signals." CBSNews.com article, 8/21/2003. Retrieved 8/2/2009 from http://www.cbsnews.com/stories/2003/08/21/tech/main569418.shtml.
2. Leyden, J. "Polish Teen Derails Tram after Hacking Train Network." The Register, 1/11/2008. Retrieved 8/2/2009 from http://www.theregister.co.uk/2008/01/11/tram_hack/print.html.
3. Leyden, J. "Hackers Libel Canadian Prime Minister on Train Signs." The Register, 5/3/2006. Retrieved 8/2/2009 from http://www.theregister.co.uk/2006/05/03/canadian_train_sign_hack/.
Note: Mr. John Clem of Sandia National Laboratories was a major contributor to the material in Sections 9.1–9.4.
10.0 Defending Industrial Networks—Case Histories
10.1 A Large Chemical Company
In this section, we will take a look at a case history of a large multinational corporation in adding industrial network security to its control networks.
The figures we will use to illustrate this story have been taken from slides given by this company at a past conference.
Figure 10-1 shows the typical situation in the company as far as industrial networks were concerned before the industrial network security push.
Here, we see that the business LANs and the process control network (the Process Control LAN in the diagram) were blended together, making up a corporate Intranet.
The revised network architecture, after an intensive campaign to isolate the process control network, is shown in Figure 10-2. The "E-Pass" notation on the diagram will be explained later in this section.
Here we see a complete reengineering to separate the business LAN, or Intranet, from the Process Control Network (PCN). If we refer back to Chapter 6, the design and planning philosophy of defense in layers was applied to separate the business LAN and the Process Control Network using a firewall.
Figure 10-1. Pre-Existing Security Controls
Note – E-Pass = Two Factor Authentication (RSA)
Figure 10-3 shows how several firewall options were tried by the company, and the low-cost "SOHO" type appliance (single office/home office) was rejected. A moderate-size enterprise level firewall was selected.
It is important to mention that the company did not attempt to do this internal firewall addition/network separation exclusively in-house. Rather, the company chose to partner with a Managed Firewall Provider, an external vendor that supplied the firewalls and provided offsite monitoring and firewall expertise for the company's plant networks around the world. The Managed Firewall Provider concept is used in the business world by many medium and large companies that do not want to do the entire job in-house.
Figure 10-2. New Perimeter-Based Security Controls
Figure 10-4 shows how communication typically flows across the internal firewall from the "clean" process side to the business side for such things as backups, OPC data updates, antivirus signature file updates, and so on.
Figure 10-5 gives a performance summary, based on the number of installed firewalls (more than 60). As the figure mentions, the necessary process communications were handled with no throughput issues, and the conclusion is that "standard IT firewall technology can be used for process control applications".
Figure 10-3. Firewall Characteristics
Let's now turn our attention to the caption "E-Pass" that is mentioned in Figures 10-1 and 10-2. E-Pass is a two-factor remote access authentication method used corporate-wide at this company. The technology is supplied by a commercial cybersecurity provider, RSA. As you will notice in Figures 10-1 and 10-2, the diagrams mention "E-Pass Required," or "E-Pass Not Required," or "E-Pass May be Required to Access Certain Assets."
The RSA token-based, two-factor authentication scheme uses a centralized server that is queried to securely authenticate that remote users are who they say they are. Access rights to hosts on the network are provided by the applications and/or internal process control firewall.
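To make the separation in Figures 10-2 and 10-4 and the E-Pass rule concrete, here is an added example in Python (not the company's ruleset, nor RSA's software): a default-deny policy check for the internal firewall, in which process-initiated backup, OPC and antivirus update flows may cross to the business side, and business-side access into the PCN passes only once E-Pass two-factor authentication has succeeded. Zone names, service identifiers and the sample traffic are assumptions constructed for the example.

```python
"""Toy model of the architecture in Figures 10-2 and 10-4: a default-deny
firewall between the business Intranet and the Process Control Network (PCN)."""
from collections import Counter
from dataclasses import dataclass

# Zone names and service identifiers are assumptions, not the company's labels.
INTRANET, PCN, INTERNET = "intranet", "pcn", "internet"
# Traffic Figure 10-4 shows originating on the "clean" process side.
PROCESS_INITIATED = {"backup", "opc_update", "av_signature_update"}

@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    service: str
    e_pass: bool = False  # True once the RSA two-factor check has succeeded

def evaluate(flow: Flow) -> tuple[bool, str]:
    """Return (allowed, reason) for one connection against the firewall policy.
    The only path into the PCN from the business side is remote access that
    has already passed E-Pass; everything else hits the default deny."""
    if flow.src_zone == PCN and flow.dst_zone == INTRANET:
        if flow.service in PROCESS_INITIATED:
            return True, f"process-initiated {flow.service} allowed"
        return False, "service not on PCN outbound allow list"
    if flow.src_zone == INTRANET and flow.dst_zone == PCN:
        if flow.service == "remote_access" and flow.e_pass:
            return True, "remote access with E-Pass"
        return False, "E-Pass required to access PCN assets"
    if flow.dst_zone == PCN:
        return False, f"PCN not reachable from {flow.src_zone}"
    return False, "no matching rule (default deny)"

def denial_summary(flows) -> Counter:
    """Count denied flows by reason: the roll-up an offsite managed firewall
    provider would report back to the plant."""
    return Counter(reason for ok, reason in map(evaluate, flows) if not ok)

# Constructed sample traffic, not captured from any real network.
SAMPLE = [
    Flow(PCN, INTRANET, "backup"),
    Flow(PCN, INTRANET, "opc_update"),
    Flow(PCN, INTRANET, "web_browsing"),                  # not on allow list
    Flow(INTRANET, PCN, "remote_access", e_pass=True),
    Flow(INTRANET, PCN, "remote_access"),                 # no token: denied
    Flow(INTERNET, PCN, "remote_access", e_pass=True),    # never direct
]
```

Running `denial_summary(SAMPLE)` reports three denials, one per reason, which is the kind of per-rule count worth watching for repeated E-Pass failures against PCN hosts.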
Figure 10-4. Typical Communications
Figure 10-5. Performance
To summarize, this case history shows that a large corporation with plants across the globe was able to very successfully apply some fundamental strategies of industrial network security and separate their Process Control Networks off with firewalls.
10.2 Another Company's Story—Procter & Gamble
In this section, we will look at a case history from a second large corporation, Procter & Gamble. This time we will focus on how a large company views industrial network security risks and performs a qualitative risk analysis, as was described in Chapter 2. The figures to illustrate this story were provided by Dave Mills, a Technology Leader in Procter & Gamble's Corporate Engineering organization.
Figure 10-6 shows a general model for developing a risk management process for emerging areas of risk. At Procter & Gamble, this model was helpful, but reality proved more complicated. In order to obtain the human resources to perform the qualitative risk assessment, an initial screening assessment was needed to persuade management that a more in-depth study was justified. The Risk Reduction Program appears fairly linear in Figure 10-6, but, in reality, the security goals and standards were developed in parallel with the security controls. If you are developing a risk management program while you are experiencing the risks, you often don't have the time to perform each step in series.
Dealing with risk is not a new phenomenon at Procter & Gamble or other large corporations. Risk in more traditional and familiar areas has been analyzed, evaluated, and managed for years. What is new are the unique security risks associated with modern industrial networks and how to bring that risk "into the fold" alongside other risk management programs.
Figure 10-6. Background - Risk Management (Courtesy of Procter & Gamble)
Figure 10-7 shows the existing risk disciplines that industrial network security cuts across at P&G: Business Continuity Planning (BCP), IT Security (IT) and Health, Safety and Environment (HS&E).
Figure 10-8 shows how Procter & Gamble wound up with a specific risk assessment methodology: Facilitated Risk Assessment Process (FRAP). The primary customer was the Information Security organization, and this was the methodology they had the most experience with.
One of the main points Dave Mills stressed is that the whole risk assessment discussion is by nature different for different companies, as different companies have unique products, manufacturing locations, manufacturing hazards, and probably differing threat profiles. On the "soft" side, corporate culture and personnel management issues must be taken into account when performing an industrial network security risk assessment that matches your company.
Figure 10-7. Risk Areas by Discipline (Courtesy of Procter & Gamble)
Figure 10-8. Risk Analysis Methodologies (Courtesy of Procter & Gamble)
Many thanks to Dave Mills and Procter & Gamble Engineering for allowing their story to be published.
Appendix A – Acronyms
ACC American Chemistry Council
AIC Availability, Integrity, and Confidentiality
AIChE American Institute of Chemical Engineers
AWWA American Water Works Association
BCIT British Columbia Institute of Technology
BPCS Basic Process Control System
CCPS Center for Chemical Process Safety
CIDX Chemical Industry Data Exchange
CIO Chief Information Officer
CISA Certified Information Systems Auditor
CISSP Certified Information System Security Professional
COTS Commercial Off The Shelf
DCS Distributed Control Systems
DHS Department of Homeland Security
DoE Department of Energy
FERC Federal Energy Regulation Commission
GAO General Accounting Office
GUI Graphical User Interface
HMI Human Machine Interface
IDE Intelligent Electronic Device
M&CS Manufacturing and Control Systems
NERC National Electrical Reliability Council
NIST National Institute of Standards and Technology
NISCC National Infrastructure Security Co-ordination Center
NRC Nuclear Regulatory Commission
OCIPEP Office of Critical Infrastructure Protection and Emergency Preparedness
OPC Object Linking and Embedding for Process Control
PCSRF Process Control Security Requirements Forum
PLC Programmable Logic Controllers
SCADA Supervisory Control and Data Acquisition
SIS Safety Instrumented Systems
SPDS Safety Parameter Display System
TCP/IP Transmission Control Protocol/Internet Protocol
About the Author
David J. Teumim's background includes corporate security and web project management positions with Agere Systems and Lucent Technologies, along with 15 years of process, project, control, and safety work for Union Carbide Corp, British Oxygen, and AT&T.
His association with ISA began in early 2002 when he chaired ISA's first technical conference on Industrial Network Security in Philadelphia, PA, and taught the first ISA seminar on this subject.
Since 2004, his firm, Teumim Technical, LLC, has provided industry outreach for three U.S. Department of Energy National SCADA Test Bed projects, consulting for Sandia National Laboratories. More recently, he has chaired an American Public Transportation Association Working Group on Control and Communications Security.
Teumim holds a master's degree in chemical engineering and is certified as a Certified Information System Security Professional (CISSP). He resides in Allentown, PA.