This is a continuation of last month’s column on cybersecurity, but with a very specific target. When I interviewed experts in the field, I was specifically looking for feedback on protecting critical infrastructure installations with respect to remote access only. Standard IT solutions and/or issues were not considered. The real question was how we protect these assets when remote access is needed and/or required.
It is obvious that IIoT is going to create a host of security issues, according to Joe Weiss, an international cybersecurity expert who writes the Unfettered blog. Weiss has been involved with industrial security issues for a very long time, and he strongly believes that the moment we think of the control network in IT terms, we are in trouble.
“Control solutions are different from IT, and they should be,” he stated. And the debate on shared networks vs. OT networks ensued. He cited the Ukraine power grid intrusion, which was determined to have occurred due to a SCADA node being remotely controlled. This attack is the first publicly acknowledged incident with consequences.
The resulting recommendations included using at least two-factor authentication for remote access, which Weiss endorses. Authorizing the device being used, as well as the user, is paramount. For example, it is common for oil and gas companies to issue specific laptops to remote users and to implement network filters based on MAC addresses.
Weiss also pounded the table on the importance of logging all events; the best defense is a rearview mirror. His main point, however, is the device networks that sit on the system-wide network to which hackers can gain access. Devices such as valves that are present and reachable on the network typically are not secured themselves, because they are connected to a host device that is.
"We have to think differently with IIoT," says Weiss. "Even a 4-20 mA current loop has been compromised, creating havoc. People are not doing enough to secure their installations on remote access." But he concedes it depends on what the consequences are when the installation is in fact breached. There’s a difference between an email account and a nuclear reactor.
This is exactly the issue Marty Edwards, director of the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), has with remote access and the required authentication: two- or three-factor authentication of both the user and the device is necessary.
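As an added example (not from the column, Weiss or Edwards), the following Python audits a few constructed remote-access log lines against the two controls just described: the connecting device must be a company-issued laptop (keyed here by MAC address, as in the oil and gas practice Weiss mentions) and every session must present at least two authentication factors. The log format, the MAC allowlist and the host names are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample log lines (not from any real system).
SAMPLE_LOG = """\
2016-08-01T02:14:07Z user=jdoe mac=00:1b:44:11:3a:b7 factors=password,token target=hmi-01
2016-08-01T02:16:52Z user=jdoe mac=00:1b:44:11:3a:b7 factors=password target=hmi-01
2016-08-01T03:02:19Z user=contractor1 mac=3c:52:82:aa:01:9e factors=password,token target=scada-03
2016-08-01T03:05:44Z user=ops2 mac=00:1b:44:11:3a:c2 factors=password,token target=hmi-02
"""

# Assumed allowlist of company-issued laptops keyed by MAC (hypothetical values).
# A MAC is one signal of device identity, not proof; pair it with a device certificate.
ISSUED_DEVICES = {"00:1b:44:11:3a:b7": "laptop-0017", "00:1b:44:11:3a:c2": "laptop-0021"}

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) mac=(?P<mac>[0-9A-Fa-f:]{17}) "
                     r"factors=(?P<factors>\S+) target=(?P<target>\S+)$")


@dataclass
class Finding:
    ts: str
    user: str
    reason: str


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["factors"] = set(rec["factors"].split(","))
    return rec


def audit(log_text, issued=ISSUED_DEVICES, min_factors=2):
    """One Finding per session failing the device or MFA check; unparseable
    lines are findings too, because a gap in the log is itself a problem."""
    findings = []
    for line in filter(str.strip, log_text.splitlines()):
        rec = parse_line(line)
        if rec is None:
            findings.append(Finding("?", "?", f"unparseable log line: {line!r}"))
            continue
        if rec["mac"].lower() not in issued:
            findings.append(Finding(rec["ts"], rec["user"], f"device {rec['mac']} is not company-issued"))
        if len(rec["factors"]) < min_factors:
            findings.append(Finding(rec["ts"], rec["user"], f"only {len(rec['factors'])} auth factor(s) presented"))
    return findings
```

Run against the sample, the second session (password only) and the third (a laptop not on the issued list) are reported; the others pass.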
Edwards is risk-driven. He suggests that in order to assess your remote-access requirements, you must do a risk assessment. There are “standards and references” documents on www.ics-cert.us-cert.gov, which is a good place to start when trying to understand the long reach of remote access and its consequences. For example, see the Guide to Industrial Control Systems (ICS) Security. The DHS is using personal identity verification (PIV) in response to the President's directive HSPD-12, which Route1 supports but no other solution does. But do you need that level of authentication? Edwards says yes, based on your risk assessment.
Remote-access solutions are needed due to the widespread use of mobile and personal devices. However, as Edwards states, “The tendency is to not have security.” He suggests the price point to implement security, which adds nothing to the bottom line, has to be commensurate with the risk assessment, as well. You wouldn’t spend $100/month to protect an email account, but you might for HMI remote access protection.
While he suggests that all HMI/SCADA nodes be disconnected from the Internet directly, access can still be gained using tunnels and standard corporate VPNs. VPN-type applications such as TeamViewer are not recommended for critical infrastructure. Again, however, he stresses that the outcome of the risk assessment is paramount in determining what the consequences can be, should a SCADA node be breached. The Ukraine incident caused a loss of power. No damage was done, as there was with Stuxnet. Maybe they got lucky.
Edwards goes on to mention that BYOD should not be tolerated at all, due to the intrusion possibilities. Simply look at the information on your phone that the Pokémon Go application has been accused of accessing.
He also suggests that if a contractor needs remote access, then he should use a locked-down customer-supplied device, which has been authenticated by the IT group.
However, going back to the authentication issues, is a simple password enough? Remote-access security is a process. The two gentlemen above agree on doing a risk assessment and on accessing the control network according to industrial requirements and with industrial-grade authentication.
A risk assessment, in itself, should be free. Once that has been done, the C-level executives have to get involved and buy in to provide budgets to do the work and provide the security platform. The fact that it is going to cost money could very easily derail the process, but you have to try. No one else will do it for us.
In my next column, I will share insights from Ian Verhappen, Steve Hechtman and Don Pearson. Their views will intrigue you.
Homepage image courtesy of hywards at FreeDigitalPhotos.net