Benchmarking among Critical Infrastructure Protection (CIP) Technologies
Author: Daniel Ehrenreich, Consultant and Lecturer, SCCE
The selection process of a cyber defense for Industrial Control System (ICS) and its deployment are not an easy task, because it requires combined expertise in the field of ICS architectures and cyber defense. Furthermore, the person in charge must understand the actual OT process and the logical data flow. Since 2010, over a dozen cyber defense methods were introduced for Critical Infrastructure Protection (CIP) and this fact itself makes the selection task even more complex. The purpose of this paper is to benchmark among several methods according criteria mentioned above. The information below is based on published data and each method is ranked according to the scale shown on the right side, Very Low (VL) – Low (L) – Neutral (N) – High (H) – Very High (VH). The colors indicate the strength of the selected defense measure according to each factor.
Cyber Attack Risks
Cyber risks can happen from multiple directions. The larger is the “attack surface” the higher are the chances that an adversary will detect a hidden gap and launch an attack on your organization. Such gaps can be created by a forgotten connection, bug in the operating system, a sabotage caused by an employee, negligent action by a service man of your subcontractor, incorrect action by an authorized person, technical failure and last but not least an internally or externally generated cyber-attack. In order to detect such an incident, minimize the damage and restore the operation to normal condition, you must deploy cyber defense. The PPT triad (People-Policies-Technology) indicates what need to be done. Cyber security experts will tell you that there is no single defense technology, which may absolutely protect your organization and the selected solution shall integrate layers of defense, which may protect you against expected threats.
ICS cyber defense technologies must take into consideration several critical factors:
- Must not interfere with the control process and not require changes in PLCs and HMI programs
- Provide adequate cyber defense against risks caused by anyone directly connecting to the ICS
- Provide strong cyber defense against risks caused by external attacks (via the IT network)
- Capable dealing with specific ICS data protocols related to each section (PLC, HMI, server)
- To deal with new threats, it must be upgradeable with defense features and easy to deploy
Some of the technologies listed below (partial list) can be considered as part of complementing or compensating measures for ICS cyber defense:
a) Unidirectional Diode between IT and OT
The Diode provides absolute blocking of data in the direction from the external network to the OT zone. This technology utilizes a single fiber link equipped with a transmitter and a receiver. When selecting this solution, the assumption is that strong physical protection prevents internally generated attack. The deployment is easy and it does not negatively affect the operation of the OT network. Some diodes are programmed with predefined protocols, others can transfer Layer-2 traffic without actually analyzing the content of the data.
b) Authenticating gateway
Provides extension to physical protection of the OT zone. It is assumed that only authorized people can access the ICS zone, however using this method you can assure that the authorized person can connect to your ICS only in the predefined time window and they can only access the pre-defined device. This solution requires issuing a downloaded ticket (work order), which defines the access limitations.
c) Anomaly behavior-based IDS
Zero-Day attacks are extremely difficult to detect. Using a host or network-based IDS (HIDS/NIDS), anomaly behavior programs can analyze data flow, process conditions or process commands and detect conditions which are out of the predefined boundary. Using this technology, you are not searching for any specific condition or signature, and the monitored data and real-time process conditions are constantly benchmarked according to the approved baseline. If and when a significant deviation is detected, the IDS will issue an alarm through the predefined alerting method. Note: IPSs are rarely used for ICS cyber defense.
d) Visibility Analysis inside the OT zone
You know that it is extremely difficult to protect a system if you do not have an accurate inventory of the installed hardware and software and their versions. You must also refer to a risk that a device is replaced by an adversary with a malverized unit. Furthermore, we are all aware that from time to time suppliers publish alerts on new vulnerabilities in their devices and information on availability of correcting programs. Once you receive such an alert, you can plan ahead how and when the correction shall be done. It is important to emphasize that any change in the ICS represents a risk to the operating Safety, Reliability and Productivity (the SRP triad). Therefore, extensive testing is mandatory prior deployment of any corrective action.
e) Cyber secured remote access
OT systems are often serviced by external subcontractors, who connect to your ICS remotely, perform the needed analysis and remotely deploy corrections. By principle, this process is considered by experts as a “backdoor” and organizations shall put forth the necessary efforts to prevent remote connection to their ICS or at least reduce the connection time to minimum. In cases, when due to SRP related justifications it must be done immediately, the connection shall be done through strong defense mechanisms such an ICS-aware firewall, unidirectional diode, DMZ, etc., and the connecting expert must be authenticated.
f) File sanitizing using the CDR process
Organizations often update their production recipes provided by their operation department, a process which may lead to injecting malware. The Content Disarm & Reconstruction (CDR) is a cyber-security technology for removing malicious code from transferred files. Unlike malware analysis, the CDR process does not determine malware’s functionality but removes file components that are not approved by the system’s definition and policy. Important to remember that the CDR process is not straight forward for ICS programs.
Summary and Conclusions
The selection and deployment of enhanced cyber security for OT are highly important. This action represents just a small part of the overall operating and maintenance costs and therefore important selecting a certified solution that fit your system. Use of complementing and compensating cyber defense technologies helps to comply with SRP requirements and therefore these actions more than justify the investment.
Daniel Ehrenreich, BSc. is a Consultant and Lecturer acting at Secure Communications and Control Experts, teaching at cyber security colleges and presenting at ICS cyber defense conferences; Daniel has over 25 years’ engineering experience with electricity, water, gas and power plants systems as part of his activities at Tadiran, Motorola, Siemens and Waterfall Security. Selected as Chairman for the ICS Cybersec 2018, taking place on 11-10-2018 in Israel. Linkedin