Control System Cybersecurity Is Shifting Away from Corporate Thinking
The hardware and software on corporate and control system networks are similar, but other characteristics of the two networks differ. The essential difference is, not surprisingly, control. Control system networks control the physical world. Corporate systems manage data.
ICSs, especially in critical industrial infrastructures, control powerful, costly and often dangerous industrial processes, such as refineries, water purification systems and power plants. Modern societies depend on these processes to maintain standards of living and are generally protected by “guns, guards and gates” because any unauthorized/unqualified operation of these powerful systems, however briefly, represents an unacceptable risk.
Contrast this with the standard approach to information technology. Modern businesses rely on employees accessing email and the Internet, so corporate networks and firewalls must, by design, permit users to receive content from the Internet – content which may contain attacks. Worse, once past the firewall, corporate networks are computers and software. All software has defects; some defects are security vulnerabilities, so, in practice, all software can be hacked. Corporate security teams regard compromise as inevitable.
Corporate security practitioners deploy anti-virus systems and other “hardening” measures to protect vulnerable networks, but no such measures can stop all attacks. This is why the pinnacle of corporate security systems is intrusion detection systems staffed by cybersecurity experts.
While control system networks are also full of software, there are important differences. Corporate network perimeters must permit Web pages and email, but control system perimeters permit no such traffic. On both networks, security experts need hours minimally, and sometimes days or weeks, to detect and repair compromised computers. On control networks, attackers can remotely operate equipment for all of this time. The simplest damage an intruder could inflict is activating an emergency shutdown. Refineries, power plants and other large installations can take days or longer to return to full capacity after a shutdown. More sophisticated mis-operation can physically damage furnaces, turbines, transformers and other costly equipment. Worst case attacks can cause public safety hazards, such as releasing sewage into drinking water distribution systems.
Cybersecurity best practices are evolving to recognize these critical differences. The latest North American Electric Reliability Corporation Critical Infrastructure Protection Version 5 (NERC CIP V5) standards for the North American power grid and the 2014 French Agence nationale de la sécurité des systèmes d’information(ANSSI) standards encourage or require stronger network protections for control system networks.
The French standards are the strongest; they ban firewalls and Internet-based remote control for the most societally sensitive networks, such as railway-switching networks or chemical-plant safety networks. These new rules are “old news” to control system teams with a history of dealing with safety, equipment-protection and reliability issues. For example, such teams have long banned remote configuration of safety systems; often the only way to reprogram a life-critical system is to stand in front of the system with a key in hand to enable programming.
The new rules, though, can come as a surprise to corporate security teams with little awareness of control, safety or reliability issues, and a long history of remotely reconfiguring corporate networks. The clear lesson in the new rules is that, unlike porous-by-design corporate networks, intrusion prevention is vital to the operation of critical ICS networks.
Rather than firewalls, the ANSSI rules require, and the NERC CIP rules encourage, hardware-enforced unidirectional security gateways. The gateways are fiber-optic hardware that physically enables information to flow in only one direction. The gateways gather control system data from databases on control networks and populate corporate databases with that data in real time. Unidirectional gateway deployments generally have no impact on business operations, other than to dramatically reduce risks by preventing network attacks from corporate insiders and the Internet. Corporate users can still access the latest plant information in real time by querying the replica databases on the corporate network.
The NERC CIP V5 standards encourage the use of unidirectional security gateways by providing exemptions from up to 30 percent of CIP compliance requirements for networks protected by strong, unidirectional perimeters.
With hardware-enforced unidirectional gateways as the new control-system security best practice, system security teams globally are re-evaluating and enhancing control-system security programs. Today’s best practices demand that all of us responsible for the security of control-system networks examine our industrial sites and answer the question: “Which of these sites is expendable enough to leave protected by firewalls?”