Andrew Ginter, VP Industrial Security, Waterfall Security Solutions
We have all heard the phrase “oh that’s for nuclear – they’re different.” While nuclear is “different” in many realms, it is not so different in the realm of industrial cyber security. Cyber-attacks, attack tools and the attackers themselves only become more sophisticated over time. The risk of physical sabotage using a cyber-attack is common to nuclear and non-nuclear sites.
Yes, nuclear generators are more concerned than most about both physical and cyber security, but the “sophisticated cyber-attacks” that nuclear generators were talking about five years ago are today encoded into publicly available, powerful and easy-to-use attack tools. These tools make yesterday’s “sophisticated attacks” accessible to large numbers of hackers of modest talents, and even to unskilled “script kiddies.”
Nuclear generator security people have been talking about issues that are becoming equally troubling for the entire electric sector and for industrial control systems in all industries.
Waterfall Security's unidirectional gateway is one of many ways businesses can keep computers and other technology safe from outside threats.
Courtesy: Waterfall Security
Security Is All About Safety
We can start with priorities. Industrial security standards and guidance published over the past decade, such as the National Institute of Standards and Technology (NIST) Special Publication 800-82 Revision 1 and International Electrotechnical Commission (IEC) 62443-1-1, all discuss "CIA" versus "AIC." Conventional IT security priorities tend to be, in this specific order, confidentiality, integrity and availability (CIA). If a banking website starts leaking credit card numbers to the Internet, shut it down to protect confidentiality. If the site starts letting people transfer money they don't have, shut it down to protect database integrity. Only then, try hard not to shut the site down at all: protect the site's availability, because every hour the site is running, the bank reaps millions of dollars in transaction fees.
Common wisdom among control-system security practitioners in the early 2000s was that, in the ICS world, this triad is reversed. The highest priority for control systems was thought to be availability (keep the control system running), the second priority was integrity (keep the control system running correctly) and the third priority was confidentiality. In the world of nuclear generators, though, we never hear any of this “CIA vs. AIC” terminology.
The first priority at nuclear generators was, is and always will be safety. Safety analysis assumes that equipment fails randomly and independently, at rates that can be measured and combined; a cyber attack is a systematic, correlated failure of safety equipment, one that can disable redundant channels at the same moment, and so it cannot be modeled by standard safety calculations. Cyber security is therefore essential to safety: digital safety systems are worthless if they are compromised. The second nuclear security priority is always reliability: prevent damage to the generating unit, and keep the lights on. And yes, the third priority is confidentiality.
This “safety and reliability” wording is being discussed in a number of control-system standards forums. Revision 2 of the NIST 800-82 “Guide to Industrial Control Systems (ICS) Security” is the first major standard to pick up the new wording. Several other draft standards from different organizations are looking at this new wording, as well. It is the safety and reliability of the physical processes that are the cyber-security focus at most industrial sites, not abstract CIA/AIC attributes of the industrial control-system computers and networks.
Security Starts at the Perimeter
In a real sense, all cyber security starts at the cyber/physical security perimeter. If a control system ever makes the transition from a trustworthy state to a compromised state, the compromise had to originate somewhere. Compromise always comes from “the outside.” It comes from network attacks, software/malware coming into the control system, people with malicious intent entering the secure area to mis-operate the control system and hardware components with embedded software crossing through the perimeter.
Classic network perimeter protection in old-school ICS security standards is all about firewalls. The problem with firewalls is that they are porous by design. At their core, all firewalls are routers, because all firewalls forward messages. Some of the forwarded messages contain attacks, in spite of every firewall vendor's best efforts to filter "good" packets from "bad." The root cause is that the protocols being forwarded are two-way: a TCP connection opened from the control network to a business server must carry that server's responses back in, and those responses are parsed by software on the control network. If the business server is compromised, its responses can be crafted to compromise that software, and a stateful firewall forwards them because they belong to a connection it already approved. Fundamentally, every path through a firewall intended to permit data to flow out of a control system network also allows attacks back into that "protected" network.
In 2010, the Nuclear Regulatory Commission (NRC) effectively forbade American nuclear generators from deploying firewalls to connect generating-unit safety and control networks, directly or indirectly, to any less-trusted network. As a result, to balance between security and operational needs, all American nuclear generators deployed unidirectional security gateway technology. Unidirectional gateways are deployed widely in other nations, as well, either because of a similar regulatory imperative, or simply because the technology provides such dramatic threat reduction benefits. Unidirectional gateways permit information to leave industrial networks and are physically incapable of sending any message or any information back into protected networks to put those networks at risk. Unidirectional gateway hardware makes the gateways secure, and unidirectional server replication software makes the gateways plug-and-play replacements for firewalls.
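The contrast between the two devices can be made concrete with a small model. The following Python is an added example, not code from the article or from any gateway vendor: a stateful firewall with an "outbound only" policy, modeled the way a connection-tracking table works, beside a unidirectional gateway, both run over the same constructed packet sequence. The host names, ports, the "malicious reply" bytes and the topology are all assumptions made up for the example; no real exploit is involved.

```python
from dataclasses import dataclass
from typing import Dict, Set, Tuple

# Constructed topology (hypothetical host names, not from the article).
CONTROL_NET = {"historian", "plc"}


@dataclass(frozen=True)
class Packet:
    src: str            # "host:port"
    dst: str            # "host:port"
    syn: bool = False   # True for the first packet of a TCP connection
    payload: bytes = b""


def _host(endpoint: str) -> str:
    return endpoint.split(":")[0]


def direction(pkt: Packet) -> str:
    """Classify a packet relative to the control network: "out", "in" or "other"."""
    out = _host(pkt.src) in CONTROL_NET and _host(pkt.dst) not in CONTROL_NET
    inb = _host(pkt.dst) in CONTROL_NET and _host(pkt.src) not in CONTROL_NET
    return "out" if out else "in" if inb else "other"


class StatefulFirewall:
    """'Outbound only' policy. Like a conntrack table, it remembers connections
    opened from inside and then forwards packets in either direction on those
    connections. The payload is never consulted, which is the gap described above."""

    def __init__(self) -> None:
        self.table: Set[Tuple[str, str]] = set()   # (inside endpoint, outside endpoint)

    def forward(self, pkt: Packet) -> bool:
        d = direction(pkt)
        if d == "out":
            if pkt.syn:
                self.table.add((pkt.src, pkt.dst))
                return True
            return (pkt.src, pkt.dst) in self.table
        if d == "in":
            # Reply on an established connection: forwarded, whatever it carries.
            return (pkt.dst, pkt.src) in self.table
        return False


class UnidirectionalGateway:
    """The transmit side has no receiver and the receive side has no transmitter,
    so there is no reply path at all. (In practice TCP cannot cross the gateway;
    replication software terminates the protocol on each side. This model elides that.)"""

    def forward(self, pkt: Packet) -> bool:
        return direction(pkt) == "out"


# Constructed stand-in for a hostile response aimed at the historian's client
# software. Not a real exploit; only its direction matters to the model.
MALICIOUS_REPLY = b"\x00" * 16 + b"<constructed hostile response>"


def run_scenario(device) -> Dict[str, bool]:
    """Historian pushes readings to a corporate database that has since been compromised."""
    syn = Packet("historian:49152", "corp-db:1433", syn=True)
    data = Packet("historian:49152", "corp-db:1433", payload=b"INSERT INTO readings ...")
    reply = Packet("corp-db:1433", "historian:49152", payload=MALICIOUS_REPLY)
    scan = Packet("corp-db:1433", "plc:502", syn=True)   # unsolicited: no state entry
    return {
        "historian_syn_out": device.forward(syn),
        "historian_data_out": device.forward(data),
        "malicious_reply_in": device.forward(reply),
        "unsolicited_connect_in": device.forward(scan),
    }


if __name__ == "__main__":
    for dev in (StatefulFirewall(), UnidirectionalGateway()):
        print(type(dev).__name__, run_scenario(dev))
```

Both devices block the unsolicited connection to the PLC; only the firewall forwards the hostile reply, because the reply is a legitimate part of a connection the policy allowed. Real firewalls also check TCP sequence numbers and flags, and application-layer proxies can reject some malformed responses, but none of that removes the inbound channel; it only narrows what can travel along it.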
Since 2010, unidirectional gateways have been deployed widely outside the nuclear generation industry, and have appeared in many ICS security standards and guidance documents. For example, the 2013 North American Electric Reliability Corporation Critical Infrastructure Protection Version 5 (NERC CIP V5) standards recognize the security of unidirectional gateways in the definition of the NERC term “External Routable Connectivity.” The standards relax roughly one-third of the CIP V5 requirements for medium impact power plants with unidirectional gateways deployed, in recognition of the superior security provided by the gateways. The proposed 2015 NERC CIP V6 standards also include all of these exemptions and introduce additional ones. The NIST 800-82r2, International Society of Automation (ISA)/IEC 62443-3-3, and European Network and Information Security Agency (ENISA) control-system standards also recognize the strength of unidirectional gateways.
The 2014 French Agence nationale de la sécurité des systèmes d'information (ANSSI) ICS security standards go even further. ANSSI groups control systems into three classes, based on the importance of the industrial site. The standards permit the use of firewalls only for the least important Class 1 networks. ANSSI states that all connections between the more important Class 2 networks and any less-trusted networks "should be unidirectional" toward the less-trusted networks. For the most important Class 3 networks, ANSSI outright forbids the use of firewalls.
The ANSSI standards make this point very clearly: firewalls are permitted for partitioning networks at the same level of trust, but may not be used to connect networks at different trust levels.
Historically, guidance for interactive remote access to industrial sites echoed standard guidance for IT systems: use encryption, firewalls, two-factor authentication and “jump hosts” – machines to terminate remote desktop or other interactive sessions outside of the control system, and permit only connections from the “jump host” machines to control networks. The thinking was that if these measures were secure enough for corporate networks, they should be enough for control networks, as well. Bluntly though, the problem with this approach is that corporate networks are not particularly secure.
In 2010, the United States' Nuclear Energy Institute (NEI) NEI 08-09 guidance and the NRC's Regulatory Guide 5.71 effectively banned interactive remote access to nuclear generator safety and control-system networks. Today, no American nuclear generator permits such access. And again, similar rules and practices are in effect in many other nuclear generation jurisdictions throughout the world.
The rationale for banning remote access is simple: there is no way to assure the trustworthiness of remote endpoints. Modern attack tools and techniques routinely defeat anti-virus, security updates and other IT-centric protections. If a remote laptop or workstation is compromised, no two-factor authentication, encryption or jump hosts will save us. A compromised endpoint computer is no longer running trusted software. Such a machine is going to do whatever its attacker wants the machine to do, not what the owner or operator wants the machine to do. If we trust a compromised machine to operate any part of our control system remotely, we have handed our control system over to our attacker.
What is the state of remote access outside of nuclear generation? ISA ICS security training material describes remote access technology as “high risk.” The 2014 ANSSI standards “strongly discourage” remote access for Class 2 networks, and forbid such access for Class 3 networks. The current NERC CIP V5 standards permit remote access, provided that IT-standard encryption, two-factor and other security controls are deployed, but this may change. The American Federal Energy Regulatory Commission (FERC), in its Notice of Proposed Rulemaking (NOPR) for the proposed CIP V6 standards, has expressed concern about the adequacy of CIP V5/V6 controls for interactive remote access, and has invited comments from all stakeholders as to what might be done to address these concerns.
Given the clear direction on the part of the nuclear industry, and the strong indications outside of nuclear, the future of remote access seems clear. Within a handful of years, expect remote access to be permitted or recommended only for unimportant, expendable networks and expendable industrial processes.
Sometimes, removable media, such as USB Flash sticks and CD-ROMs, are essential to the configuration and operation of industrial control systems. At the same time, any medium that can store information, can also store attacks and malware. This is a serious problem.
Nuclear generators have discussed this risk at length, and, for now, have settled on a handful of security controls to deal with the risks of removable media:
- When moving information from control systems to less-trusted networks, use only brand new media – no exceptions. The thinking is that any medium exposed to a corporate network or other untrusted network is potentially compromised, and so untrustworthy.
- When moving information from “outside” networks into trusted networks:
  - use brand new media and expose it to a minimum number of "outside" machines;
  - prefer CD-ROMs to USB Flash sticks, because of the risk of USB firmware compromise;
  - scan the media on at least one dedicated anti-malware scanning machine, with at least four different anti-malware engines;
  - once files have been identified as probably "clean," copy those files to a new CD-ROM, and carry the CD-ROM into the trusted network; and
  - as much as possible, try to load these CD-ROMs onto an isolated test-bed for functionality and security testing, before loading them into live equipment.
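As an added example, not from the article or from any site's actual procedure, here is a Python model of the scanning-station and CD-ROM steps above: every file on the incoming media is run through every engine, a file is released only if all engines agree it is clean, an engine that errors counts as a detection (fail closed), and the released files are listed in a hash manifest that the receiving side checks before anything is loaded onto the test-bed. The four engine functions, the file names, hashes and contents are constructed stand-ins; a real station would wrap four vendor scanners' command-line tools behind the same signature.

```python
import hashlib
from typing import Callable, Dict, List, Tuple

# The EICAR anti-virus test string: every real engine flags it, so it stands in for malware here.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

Verdict = Tuple[bool, str]                   # (is_clean, detail)
Engine = Callable[[str, bytes], Verdict]     # (file name, file bytes) -> verdict


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Four stand-in engines, constructed for this example. A real scanning station
# would wrap four vendor scanners' command-line tools with this same signature.
def engine_eicar(name: str, data: bytes) -> Verdict:
    return (EICAR not in data, "EICAR test signature")


BLOCKLIST = {sha256(b"constructed dropper sample")}   # constructed hash blocklist


def engine_blocklist(name: str, data: bytes) -> Verdict:
    return (sha256(data) not in BLOCKLIST, "hash on blocklist")


SCRIPT_MARKERS = (b"powershell -enc", b"cmd.exe /c", b"[autorun]")


def engine_heuristic(name: str, data: bytes) -> Verdict:
    hits = [m.decode() for m in SCRIPT_MARKERS if m in data]
    return (not hits, "script heuristic: " + ", ".join(hits))


EXECUTABLE_EXT = (".exe", ".dll", ".msi", ".sys")


def engine_masquerade(name: str, data: bytes) -> Verdict:
    hidden_pe = data.startswith(b"MZ") and not name.lower().endswith(EXECUTABLE_EXT)
    return (not hidden_pe, "PE header under a non-executable file name")


DEFAULT_ENGINES: List[Engine] = [engine_eicar, engine_blocklist, engine_heuristic, engine_masquerade]


def scan_station(files: Dict[str, bytes], engines: List[Engine], min_engines: int = 4) -> dict:
    """Run every engine over every file. A file is released only if every engine
    reports clean; an engine that raises counts as a detection (fail closed).
    Returns {"released": {name: sha256}, "rejected": {name: [reasons]}}; the
    "released" dict is the manifest burned to the CD-ROM alongside the files."""
    if len(engines) < min_engines:
        raise ValueError(f"policy requires at least {min_engines} engines, got {len(engines)}")
    released: Dict[str, str] = {}
    rejected: Dict[str, List[str]] = {}
    for name, data in files.items():
        reasons = []
        for engine in engines:
            try:
                clean, detail = engine(name, data)
            except Exception as exc:   # scanner crashed or signatures missing: not clean
                clean, detail = False, f"engine error: {exc}"
            if not clean:
                reasons.append(f"{engine.__name__}: {detail}")
        if reasons:
            rejected[name] = reasons
        else:
            released[name] = sha256(data)
    return {"released": released, "rejected": rejected}


def verify_media(files: Dict[str, bytes], manifest: Dict[str, str]) -> List[str]:
    """Receiving-side check before the test-bed load: the media must hold exactly the
    released files, byte for byte. Returns the problems found; an empty list means OK."""
    problems = [f"unexpected file on media: {n}" for n in sorted(files.keys() - manifest.keys())]
    for name, digest in manifest.items():
        if name not in files:
            problems.append(f"missing file: {name}")
        elif sha256(files[name]) != digest:
            problems.append(f"hash mismatch: {name}")
    return problems


# Constructed sample of files arriving on a new USB stick from the corporate network.
SAMPLE_MEDIA: Dict[str, bytes] = {
    "patch-notes.txt": b"Controller firmware 2.3.1: fixes watchdog reset on Modbus timeout.\n",
    "eicar.com": EICAR,
    "setup.pdf": b"MZ\x90\x00" + b"\x00" * 60,
    "install.bat": b"@echo off\r\npowershell -enc SQBFAFgA\r\n",
}
```

Running scan_station(SAMPLE_MEDIA, DEFAULT_ENGINES) releases only patch-notes.txt and rejects the other three with the engine and reason recorded for each. The manifest is what ties the two halves of the procedure together: without it, nothing proves that the files on the CD-ROM carried into the trusted network are the same bytes that the scanning station approved.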
This entire process is viewed as high risk, and nuclear sites strongly discourage its use at all. That said, sometimes the process is unavoidable, such as when control-system software components are being enhanced or upgraded. Many in the nuclear community view these current measures as interim measures and are evaluating alternatives, such as unidirectional FLIP technology. A FLIP operates as a unidirectional security gateway, except that it reverses its orientation on a scheduled basis, so that information can flow unidirectionally into the protected network from time to time; while the orientation is reversed, nothing can flow out.
In the wider world, concerns over the security of removable media are only starting to be discussed. The ISA/IEC 62443-3-3 and the proposed NERC CIP V6 standards contain only vague IT-like provisions for managing removable media, roughly amounting to "use removable media only on systems with anti-virus software installed." The 2014 ANSSI standards are more specific. ANSSI encourages Class 1 networks to do what nuclear generators do today. The less-expendable Class 2 and Class 3 networks are required to do what nuclear generators do today. Individual sites are also deploying unidirectional FLIP technology to automate these anti-virus checks and other security controls and to reduce the use of removable media on industrial systems even further.
Thus, it seems that stronger controls for removable media on non-nuclear control systems are coming, but are somewhat further in the future than remote access and unidirectional gateway controls.
Historically, industrial supply-chain concerns were focused on safety. There have been cases where distributors were found to be selling, deliberately or inadvertently, equipment that claimed a high Safety Integrity Level rating, when the equipment was, in fact, counterfeit, and not SIL rated at all.
In nuclear generators, supply-chain integrity discussions have expanded in recent years to include control-system computer components of all types. Supply-chain security concerns include recent reports that nation-state intelligence agencies had inserted remote-control radio components into brand new computers that were intercepted in transit between a distributor and a customer, and concerns about the CPUs and reprogrammable firmware embedded in ordinary USB devices.
The 2010 NEI and NRC rules require "measures to protect against supply-chain threats," including trusted distribution paths, vendor validation and tamper-evident seals. These measures are more easily required than delivered, though, especially for cheap, high-volume USB components, including Flash sticks, keyboards and mice. How to maximize the effectiveness and minimize the cost of addressing supply-chain risks are open issues and topics of frequent discussion in nuclear security meetings and workshops.
Discussions of supply-chain security in the non-nuclear world are only just beginning. In the FERC NOPR for NERC CIP V6, FERC gives notice of its intent to order NERC to develop supply-chain security provisions for a future revision of the CIP standards. FERC's stated reason for the coming order is "recent malware campaigns targeting supply-chain vendors." This is presumably a reference to recent "watering hole" attacks, in which control-system vendor websites were hacked so that the legitimate control-system software updates they offered for download also delivered malware. In addition, while NIST 800-82r2 provides no specific measures for ICS supply-chain protection, the standard does refer readers to the supply-chain security controls listed in the IT-focused NIST 800-53.
Once again, because cyber-attack tools and cyber-sabotage tools only become more powerful and easier to use over time, what was regarded yesterday as a sophisticated attack that only the most important nuclear control systems must address, is likely to be regarded tomorrow as a pervasive, universally available attack capability that all industrial sites must consider.
Today, in many industries, safety, reliability and equipment protection priorities are driving deployments of unidirectional gateway technologies and prohibitions against remote access. Unidirectional gateways defeat even those modern attacks that firewalls are ineffective against, without impairing the plant-to-business communications that are so valuable to modern enterprises.
In addition, removable-media controls and supply-chain protection are issues on the horizon for all "important" industrial sites. In short, control-system security standards from many authorities are evolving rapidly to reflect and address modern attack capabilities that nuclear generators have been dealing with for years.
Today, the real questions facing all electric-sector owners and operators are “which of our sites are important enough to protect with modern security measures?” and “which of our sites are expendable enough to continue protecting against only yesterday’s attacks?”
Really – are any of our industrial sites expendable?
Andrew Ginter is the vice president of industrial security at http://www.waterfall-security.com/, a provider of Unidirectional Security Gateways for industrial control networks and critical infrastructures. Ginter has 25 years of experience leading the development of control system software products, control system middleware products and industrial cybersecurity products.