28 Jan 2016 DHS recommends unidirectional communications for ICS protection
Three of the seven strategies in the December 2015 report from the DHS NCCIC/ICS-CERT, “Seven Strategies To Secure Industrial Control Systems,” recommend unidirectional gateways for maximum protection from cyberattacks.
The report points to an increase in the frequency and complexity of cyber incidents. ICS-CERT received reports of 295 incidents in 2015, although it is believed that many more went unreported or undetected. Increasingly capable cyber adversaries who can, and have, defeated traditional IT-centric security protections perpetrate these attacks.
To mitigate this growing threat, the DHS encourages us to deploy technology to prevent these increasingly sophisticated attacks.
Seven Strategies to Defend ICSs
- Implement Application Whitelisting (AWL) – When antivirus and malware detection tools fail, AWL can prevent execution of most malware.
- Ensure proper configuration/patch management – Unpatched systems are low-hanging fruit for attackers. What the report does not point out is that patching is costly, and does little to deter sophisticated attackers, because of the large number of ICS zero-days waiting to be discovered. The report does point out that unpatched laptops connecting to ICS networks are a major infection vector. I agree with this latter point – any laptop or other equipment that is ever connected directly or indirectly to the Internet must be regarded as eventually compromised.
- Reduce your attack surface – The report points out that real-time connectivity between ICS networks and less-trusted networks is best achieved using hardware-enforced unidirectional communication, such as Unidirectional Security Gateways.
- Build a defendable network – Network segmentation can limit the damage from an intrusion and reduce cleanup costs by limiting how far the compromise can spread through the ICS network. Again, the report points out that the best design for transferring real-time data is unidirectional gateways.
- Manage authentication – Adversaries increasingly focus on stolen credentials, especially for highly privileged accounts. Among other things, the report recommends employing separate credentials for corporate networks and industrial control system networks. I disagree. I think the report would have been more effective recommending much stronger perimeter protections to lock remote adversaries out entirely, even those with every password to every ICS computer in the building.
- Implement secure remote access – The report recommends surveying and systematically removing vendors’ and other back doors that appear in the form of modems, DSL lines and other undisciplined connections to outside networks. The report also recommends unidirectional gateways to enforce “monitoring-only” access, such as Waterfall’s Remote Screen View product provides. The DHS cautions against reliance on “read-only” access enforced by software configurations; no such software provisions can be as safe or reliable as the hardware-enforced monitoring-only access of Unidirectional Security Gateways.
- Monitor and respond – As always, the DHS recommends practiced intrusion monitoring, incident response, and system recovery capabilities.
The DHS cites the much-publicized and analyzed “Black Energy” malware as an example relating to direct or indirect Internet connectivity. Black Energy relies on a connection to a command and control center on the Internet. The malware uses this connection to receive instructions, download additional software – such as the “DiskWiper” cited in the Ukrainian intrusions – and report intelligence gathered about the layout of the ICS for use in future, more specific attacks.
The example could have been applied much more widely in the report. In particular, with Unidirectional Security Gateways as the sole connection between an ICS network and any external network, Black Energy’s connection to a command and control center is impossible. The gateways send information where they are configured to send it, not to random IP addresses on the Internet, or on the corporate network. In addition, the gateways, of course, permit no software downloads, remote control, or other instructions from a command and control center back into the protected network.
The report is short, and is very much worth reading.