A Host Identity Protocol takes a modern approach to cybersecurity to help boost network security management and better protect industrial control systems and other assets.
By Jeff S. Hussey, CEO, Tempered Networks
With the proliferation of IP-enabled devices and non-traditional endpoints, network infrastructures are becoming increasingly complex and creating larger attack surfaces. Attacks on industrial control systems (ICS) and assets are part of this trend. As ICS and supervisory control and data acquisition (SCADA) systems — including network devices, embedded controllers, physical access systems, and much more — converge onto IP-based networks, security becomes an add-on component rather than a built-in one.
The main issue is the use of TCP/IP, which is great for connectivity but is inherently insecure. To address this issue effectively, a fundamentally different approach is needed, where security is a foundational component rather than bolted on as an afterthought.
SCADA Attacks Are Real
According to the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), a division of the U.S. Department of Homeland Security, more than 200 incidents occurred involving security intrusions across all critical infrastructure sectors in 2015, compared to 245 incidents in 2014. The critical manufacturing sector had 97 reported incidents, which accounted for 33% of all incidents reported.
The increase in ICS security attacks drove Kyle Wilhoit, a threat researcher at IT security company Trend Micro, to look into whether hackers would be interested in a SCADA system. He set up a honeypot architecture that mirrored a water treatment facility to test SCADA attackers and their abilities. Of the surprisingly high number of attacks, Wilhoit concluded that 17 of them would have been considered “catastrophic.” He summarized his findings with this: “Anything that is Internet-facing will likely get attacked at some point.”
It's clear these types of attacks will continue to be pervasive, causing potentially destructive, disruptive and expensive issues for both public and private entities. The only way to prevent them is to play defense.
ICS Security Challenges
Three situations create ICS security problems in current networking structures.
1. Converging IT and process networks. An organization's IT infrastructure grows in proportion to its staff, and things quickly get complicated when adding users and infrastructure to a corporate network that is shared with operational technology (OT). A study by Positive Technologies found that “more than 40% of the SCADA systems available from the Internet are vulnerable and can be hacked by malware users with only limited skills.” An industrial demilitarized zone (iDMZ) is an excellent way to separate IT and OT traffic, but not all companies have had the foresight to implement an iDMZ.
Once the doors are open to the outside, outside traffic is invited in. Web and email servers on the same network as SCADA servers create a readily targeted system, because, as hackers say, “If you can ping it, you can own it.”
The challenge is to balance security with connectivity and operational efficiency. A common approach is to “lock the doors” by shutting down unnecessary connections to SCADA networks. However, this can interfere with critical business functions.
Another approach is Virtual Local Area Networks (VLANs). When coupled with properly configured IT infrastructure and device-specific virus protection, VLANs are proficient at protecting servers, PCs, laptops and mobile devices. VLAN segmentation augmented by policies based on people, roles and zoning is another best practice that many users may not have considered. But as VLANs are introduced into the ICS infrastructure, they create issues, because they were not designed to protect industrial infrastructure.
While these approaches provide helpful functionalities, they also introduce an equal number of ICS security nightmares. As the number of Internet-connected devices increases drastically, the right balance of connectivity versus security must be a high priority.
2. Managing remote access. Operators of ICS and automation networks need to give vendors, contractors and other company employees remote access to their systems. According to a survey by The Repository of Industrial Security Incidents (RISI), 33% of all ICS security incidents were the result of remote access breaches.
Remote access is normally granted via virtual private networks (VPNs), which are typically configured through the corporate front door, often taking days or weeks. Once the VPN is configured, a vendor then has 24/7 access and might even gain access to more devices than the operator realizes. So, while a VPN is considered the most secure form of remote access, it is difficult to configure, monitor, constrain and revoke.
3. Configuring network and security policies across the network. Change management within industrial environments is a major hurdle for both IT and operations. Modern technology is rapidly enabling increased device connectivity. Because changing and modifying industrial networks is difficult at best, production networks often are expanded beyond their security limits.
For example, integrating a water quality lab into a process network would require a major IT project to extend the process VLAN to the lab. In an ideal world, this would be a quick modification, and engineers and external contractors would be granted very restricted access on an as-needed basis. In reality, this ideal implementation is all too difficult to achieve from a cost and operational perspective. As a result, the network extension is completed in any way possible — with security bolted on after the fact.
Consider a second potential scenario where the goal is to replace legacy devices with modern, connected equipment while still isolating the devices. Isolation paired with dynamic connectivity is very challenging. Often, the new device is configured in much the same way as the previous device, leaving the new systems just as exposed to attacks.
A New Trust Model
Most TCP/IP architecture challenges stem from the protocol being inherently insecure: it was originally developed for connectivity rather than security. Consequently, it's an incredibly reliable protocol, yet dependent on a trust model that is insecure from the start. To address this, the Internet Engineering Task Force (IETF) developed the Host Identity Protocol (HIP) as an alternative to traditional encryption methodologies.
HIP makes it possible to take a fundamentally different approach to ICS security. Used by the military to secure communications and then further developed and deployed in the defense and aerospace industry, this approach provides a cloaking technology for mission-critical infrastructure, including nontraditional devices that can't protect themselves.
Putting HIP-based physical or virtual security appliances in front of IP-connected devices helps organizations create private overlay networks that encrypt communications between devices that must be explicitly whitelisted. Protected devices are undetectable from the underlying network and cloaked from would-be attackers.
In addition to hardening security, a HIP-based approach also addresses configuration and management challenges. Because it's implemented as an overlay, it doesn't affect the underlying network infrastructure or configuration. Operations or IT can easily provision secure overlay networks — without requiring advanced security skills — using a centralized orchestration engine that dramatically simplifies the deployment and management of thousands of devices. Remote access privileges can be granted or revoked with the same level of simplicity.
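To make the identity-based trust model concrete, here is an added illustrative sketch in Go. It is not Tempered Networks' code and not the HIP wire protocol: each device's identity is a key pair, the gateway's whitelist names identity tags rather than IP addresses, a peer must sign a fresh nonce to prove it holds the key, and revocation is a single policy change. The identity tag is a SHA-256 hash of the public key, used here as a simplified stand-in for a HIP Host Identity Tag; all hosts and keys are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Host is an overlay endpoint. Its identity is its key pair, not whatever IP it happens to sit behind.
type Host struct{ pub ed25519.PublicKey; priv ed25519.PrivateKey }
func NewHost() *Host {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // fresh keys per run; nothing fixed is embedded
	return &Host{pub: pub, priv: priv}
}

// TagOf derives an identity tag from a public key (a simplified stand-in for a HIP Host Identity Tag).
func TagOf(pub ed25519.PublicKey) string { s := sha256.Sum256(pub); return fmt.Sprintf("%x", s[:12]) }
// Prove is the initiator's half of the handshake: present the key and sign the gateway's nonce.
func (h *Host) Prove(nonce []byte) (ed25519.PublicKey, []byte) { return h.pub, ed25519.Sign(h.priv, nonce) }
// Gateway models the appliance: policy is a whitelist of identity pairs; no IP address appears in it.
type Gateway struct{ allow map[[2]string]bool }
func NewGateway() *Gateway            { return &Gateway{allow: map[[2]string]bool{}} }
func (g *Gateway) Permit(a, b string) { g.allow[[2]string{a, b}], g.allow[[2]string{b, a}] = true, true }
func (g *Gateway) Revoke(a, b string) { delete(g.allow, [2]string{a, b}); delete(g.allow, [2]string{b, a}) }

// Admit verifies the proof of identity first, then asks policy whether that identity may reach peerTag.
func (g *Gateway) Admit(pub ed25519.PublicKey, sig, nonce []byte, peerTag string) error {
	if !ed25519.Verify(pub, nonce, sig) {
		return errors.New("identity proof failed")
	}
	if !g.allow[[2]string{TagOf(pub), peerTag}] {
		return errors.New("pair not whitelisted")
	}
	return nil
}

func main() {
	plc, lab, gw := NewHost(), NewHost(), NewGateway()
	gw.Permit(TagOf(plc.pub), TagOf(lab.pub))
	nonce := make([]byte, 32)
	rand.Read(nonce)
	pub, sig := plc.Prove(nonce)
	fmt.Println("plc -> lab:", gw.Admit(pub, sig, nonce, TagOf(lab.pub))) // <nil>
	_, rogueSig := NewHost().Prove(nonce)                                 // another device claiming the PLC's key
	fmt.Println("rogue -> lab:", gw.Admit(plc.pub, rogueSig, nonce, TagOf(lab.pub)))
	gw.Revoke(TagOf(plc.pub), TagOf(lab.pub))
	fmt.Println("plc after revoke:", gw.Admit(pub, sig, nonce, TagOf(lab.pub)))
}
```

The gateway never consults a source address, so moving a device to a new subnet changes nothing, while a device with an unknown key is refused wherever it connects from.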
To overcome the inherent insecurity of TCP/IP and the management complexity of many existing security methods, modern technologies and a HIP-based approach offer organizations a way to protect critical infrastructure that is secure by default and optimized for ICS environments.
Tempered Networks, based in Seattle, Washington, is an Encompass™ Product Partner in the Rockwell Automation PartnerNetwork™. The firm provides cyber security and connectivity protection for business-critical control networks, communications and devices. The company's platform allows organizations to “cloak” critical systems, communications and vulnerable endpoints.
The Journal From Rockwell Automation and Our PartnerNetwork™ is published by Putman Media, Inc.