Over the past decade, every manufacturer has at some point struggled with how best to protect their Industrial Control System (ICS) and the data, engineering, technologies, and products it comprises. An ICS needs to communicate with business systems, but as the network security paradigm has evolved, how can manufacturers keep up?
Supply chain, energy management, lab testing, maintenance, regulatory data collection, and productivity management business systems all require data from manufacturing systems. The underlying technologies and protocols these systems use to retrieve that data involve various kinds of databases, web servers, remote access, and file transfers. Therefore, to protect an ICS from the security risks of business systems, the best method has been to architect a security boundary that separates the business systems from the ICS, called an Industrial Demilitarized Zone (IDMZ).
What is an IDMZ?
An IDMZ is a boundary that exists to create a buffer within a manufacturing or process facility between the business systems and the industrial control systems, which have different security requirements and share no inherent trust in each other. This boundary uses network and application security controls to manage the flow of data between the untrusted zones.
Years ago, cybersecurity existed in a completely “walled” world, physically speaking. Then in 2006, with little notice or fanfare at the time, a new way to store data was created. The public cloud, third-party-provided server and network infrastructure delivered over the internet (AWS, Microsoft Azure, Google Cloud, IBM Cloud), has been changing the way IT organizations store data and handle their compute workloads ever since. Many IT organizations now use a hybrid cloud combining public cloud services with on-premises server infrastructure. As both the public network infrastructure and the public cloud become more reliable, more and more storage and compute is outsourced to third-party public cloud service providers.
In hindsight, it was inevitable that the public cloud would become the storage of choice for IT organizations. There was a time when huge server rooms were reserved for floor-to-ceiling physical server racks. The walls of those rooms constituted almost the entirety of IT security: the perimeter firewall. The hybrid cloud not only reduced the need for physical server storage space, but outgrew those rooms via virtualization. The firewall still exists; however, if a large portion or the entirety of your data storage and compute workloads live outside of the firewall, then that perimeter is no longer enough. To adapt to the shifting boundaries of the perimeter and the new security threats that exist because accessing the public cloud means exposure to the internet, a new security paradigm was introduced: the Zero Trust Model.
What is a Zero Trust model?
The Zero Trust model maximizes the principle of least privilege, where only the minimal rights necessary to perform a task are granted to a user or system. This principle enforces a no-trust stance, only allowing data or communication between devices if the user, data, computer, and location are all allowed. This moves away from the old “trust-everything-if-it’s-in-my-zone” model, to a “distrust-everything-unless-it-can-be-verified-in-multiple-ways” model.
The ICS threat landscape is evolving. Large-scale ransomware attacks such as WannaCry or the masquerading NotPetya and targeted attacks on critical infrastructure using malware such as Crash Override, Triton, or LookBack are becoming increasingly common. ICS environments and their administrators, whether they were aware of it or not, have always depended heavily on IT perimeter security. Even for those with an IDMZ, the IT perimeter security was the first line of defense from the greater world. The IDMZ was the last line of defense. As the IT perimeter disappears, it may be the only line of defense.
Can an ICS environment embrace the Zero Trust model?
If only it were that simple. A typical IT environment may be complex, but will share some commonalities:
- Standard computer hardware with a lifecycle plan
- Standard Operating System that is routinely patched
- Standard business office software tools
- Supported identity and access management solution for users and assets
- Supported and updated means for an asset to identify and defend itself against an attack
An ICS environment consists of hundreds of different kinds of products of several generations made by a multitude of vendors that communicate using different protocols. These are all unique hardware platforms using their own custom firmware and software. Even the software-only solutions are often compatible only with extremely out-of-date operating systems, in many cases ones that are no longer supported. Even if a system uses an operating system that is still receiving patches, ICS personnel are always reluctant to apply them for fear that a patch will cause downtime, and their concerns are not unfounded.
So, for an ICS to exist “securely” in a Zero Trust Model, ICS assets will need to become as self-preserving as common IT assets. Let’s consider all the changes to the platforms and control system technologies required for this to be achieved:
- Zero Trust immediately flips the bit from a 1 to a 0.
- Currently, ICS devices trust anything that can communicate with them. They have no way to verify the user, device, location, or reason an asset is communicating with them, or what objects are being accessed. Nor, from their end, can they verify the other party when they initiate a connection.
- Most ICS devices have no authentication mechanisms, and those that do have no rules, logging, or administration around them.
- They have no way to detect when they are under attack, or if something is attempting to communicate with them abnormally.
- There are no behavioral technologies that could identify previously unseen behavior or analyze the consequences of multiple actions.
- Not to mention the cultural shift needed.
For example, even if an ICS device requires authentication using the common username/password model, the device will be configured with the simplest credentials possible, be shared by everyone, and remain logged on, perpetually. From the technologies and skills required for plant personnel, to the security culture and the monitoring and administration, everything about the ICS will have to change. Oh, and make that shift without any impact to production!
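Because the ICS devices themselves cannot verify who is talking to them, the verification has to happen at the IDMZ boundary. The following Python is an added illustration (not code from the article or from Rockwell Automation) of the brokered-flow rule an IDMZ enforces between the enterprise, IDMZ and industrial zones, run over a few constructed firewall log lines; the zone addressing, port allowlist and log format are assumptions made for the example.

```python
import re

# Constructed sample addressing for the three zones (assumption, not from the article).
ZONE_PREFIXES = {"enterprise": "10.1.", "idmz": "10.2.", "industrial": "10.3."}

# Constructed allowlist of brokered flows: (source zone, destination zone) -> permitted TCP ports.
# Every path between the enterprise and industrial zones must terminate on an IDMZ broker;
# there is deliberately no (enterprise, industrial) or (industrial, enterprise) entry.
ALLOWED = {
    ("enterprise", "idmz"): {443},               # users reach a mirrored historian / web portal
    ("industrial", "idmz"): {443, 1433},         # historian or collector pushes data outward
    ("industrial", "industrial"): {502, 44818},  # Modbus/TCP, EtherNet/IP inside the cell
}

LOG_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")

def zone_of(ip):
    # Map an address to its zone by prefix; anything else is outside the defined zones.
    for zone, prefix in ZONE_PREFIXES.items():
        if ip.startswith(prefix):
            return zone
    return "unknown"

def evaluate(src, dst, dport):
    # Classify one flow against the IDMZ policy; returns (verdict, reason).
    sz, dz = zone_of(src), zone_of(dst)
    if {sz, dz} == {"enterprise", "industrial"}:
        return "deny", "direct %s->%s flow bypasses the IDMZ" % (sz, dz)
    if "unknown" in (sz, dz):
        return "deny", "address outside any defined zone"
    if dport in ALLOWED.get((sz, dz), set()):
        return "allow", "brokered %s->%s service on port %d" % (sz, dz, dport)
    return "deny", "%s->%s port %d is not an approved brokered service" % (sz, dz, dport)

def review_log(lines):
    # Run every parseable log line through the policy; returns [(line, verdict, reason), ...].
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # skip lines that do not carry a flow record
        verdict, reason = evaluate(m.group(1), m.group(2), int(m.group(3)))
        findings.append((line.strip(), verdict, reason))
    return findings

# Constructed sample firewall log lines (not real traffic).
SAMPLE_LOG = [
    "ts=1 src=10.1.5.20 dst=10.2.0.10 dport=443",   # user -> IDMZ portal: allowed
    "ts=2 src=10.1.5.20 dst=10.3.0.7 dport=44818",  # user -> PLC directly: bypasses IDMZ
    "ts=3 src=10.3.0.7 dst=10.2.0.11 dport=1433",   # historian push into IDMZ: allowed
    "ts=4 src=10.2.0.10 dst=10.3.0.7 dport=502",    # IDMZ host -> PLC: no brokered rule, denied
]
```

Calling review_log(SAMPLE_LOG) flags the second and fourth lines; the second is exactly the direct enterprise-to-PLC path the IDMZ exists to block.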
Challenges with IDMZs
Not every company is ready to invest in an IDMZ – it can be challenging to design and painful to integrate within existing OT and IT network systems. In order to design and implement an IDMZ, an expert-level understanding is needed in the following areas:
- Network security
- Firewall platforms and ACLs
- Virtual server technologies
- System Hardening
- Application security
- Domain Functionality and Security
- Secure Data and File Transfer methods
- Secure Remote Access Methods
- and the list goes on…
To further the challenge, the IDMZ must then be supported by a team equally as knowledgeable in these aspects in order to maintain the infrastructure, approve network changes, and respond to security threats.
While the path to an IDMZ is neither simple nor inexpensive, it’s worth doing the math to determine if it’s the right solution for you. Are the costs related to the IDMZ less than the cost of what it is protecting? If the IDMZ is protecting your entire ICS, it would be a very good investment. Considering the increasing threats to extremely vulnerable ICS environments, in a world without walls, it is actually the only complete protection available right now for your ICS.
Industrial Control Systems are not yet mature enough to exist with a reasonable tolerance of security risk in a perimeterless world. Defense-in-depth is strongly encouraged. However, until these devices can protect themselves and interact with external protection systems, an IDMZ remains the best defense for Industrial Control Systems. For now, the “inner wall” reinforced by an IDMZ must remain.
Learn more about how Rockwell Automation can help you create and maintain an IDMZ as part of a defense-in-depth approach to network security.