Andrew Ginter, vice president of industrial security for Waterfall Security Solutions, argues that certain cyber perimeters are essential to the Industrial Internet of Things.
By Martin Ashcroft
Ten or twenty years ago, the protection of a critical piece of industrial infrastructure meant building a wall around it – or at least a perimeter fence with razor wire on the top. Admission to the site would be controlled at an entrance gate. Physical security was thus assured, up to a point. We’ve all seen films in which criminals devise the most ingenious methods to gain access to heavily protected sites, but this kind of security set the bar high enough to defeat all but the most determined.
Times have changed, however. Criminals no longer have to gain physical access to our sites to do us damage, and their malicious objectives have expanded beyond stealing money and secrets. This is because we have created new access paths for our enemies, right into the heart of our operations—our industrial control systems. Our critical industries have become significantly more exposed to criminal activity in the last few years, because we have developed technologies that allow us to monitor and improve the efficiency of our operations through the Internet.
The Internet has revolutionised our lives in the last twenty years, but the revolution has only just begun. We now have instant access to an infinity of information (not to mention Internet shopping), but a concept known as the Internet of Things (IoT) is now emerging as the next stage of the revolution.
The IoT has taken the Internet to another level. While level one required human interaction with devices to obtain information or deliver instructions, the Internet of Things opens a new dimension where everyday objects have intelligence as well as network connectivity, allowing them to communicate with each other automatically, without human intervention.
A ‘thing’, in the Internet of Things, could therefore be a refrigerator in your home that is programmed to order groceries from an online supermarket, when your designated stock levels are triggered. Any object that can be given an IP address and provided with the ability to transfer data over a network, is a candidate for the Internet of Things. The possibilities are endless.
The Internet of Things is still in its infancy, but the next level of the Internet revolution is hot on its heels—the Industrial Internet of Things (IIoT). This takes the same concept of connectivity and extends it to the equipment, plant and machinery that controls our heavy industries. The resulting systems can monitor, collect, exchange, analyse and act upon the information they receive to make changes to the way the equipment operates—again without human intervention.
In the new age of relentless connectivity, a new rule seems to be emerging. If it can be connected, it will be connected. As is often the case with new “solutions”, while the benefits are obvious and compelling, risks and disadvantages tend to be disregarded. While the IIoT has great potential for quality control, productivity and supply chain efficiency, the danger of connecting critical control systems to an Internet with billions of access points is a mere afterthought.
Plug and play
“The ultimate vision of the Industrial Internet of Things,” says Andrew Ginter, vice president of industrial security at Waterfall Security Solutions, “is that if we have a problem in a power plant or a chemical plant, we can go to our local distributor and buy 47 widgets, bring them back to the shop, plug them together, and hook them up to the physical process and to the Internet. The widgets then talk to each other, talk to the Cloud, work out what’s happening in the process, make the necessary corrections and everything starts working normally again. It’s magic.”
The vision is for everything to be connected, all the way out to the Cloud. Managers at corporate headquarters can monitor everything from their cell phones. We can see how efficiently the turbines are running, how much water is being consumed, which bearings are going to need replacing next, which trucks will need new tires. It’s a miracle of connectivity. But while managers sit watching in HQ, who else is connected?
“This vision talks the talk about security,” says Ginter, “but until recently, we have failed to grasp some of the fundamentals of it. A lot of people imagine that security for the Industrial Internet of Things is going to be the same as security for the Internet of Things. They’re both connected to the physical world. They’re both connected to the Cloud. That’s the same thing, isn’t it?
“In reality, however, there are few safety concerns with the Internet of Things. Concerns are mostly about reliability and privacy. With the Internet of Things, everyone talks about the endpoint. The endpoints are like cell phones on the network, exposed to the world. Hackers from across the planet can reach every endpoint. So security is all about hardening the endpoint with virtual hypervisors and trusted platform modules and a gazillion bits of encryption. What is not generally appreciated is that we’re talking about software here, which is sufficient for the IoT market, but not the IIoT market.”
Andrew wrote software for 25 years. He did not deliberately put bugs in his software, he assures me, but all the software he ever wrote had bugs—along with all the software written by everybody else. Some of these bugs are security vulnerabilities, so in a nutshell, all software can be hacked.
Andrew addresses an audience with a powerful story to drive this message home. “Imagine that we have a state of the art safety system for the boilers, turbines and ammonia scrubber tanks in our power plant,” he says. “Imagine that every security innovation anyone can think of has been incorporated into this safety system. Would anyone connect every single piece of it to the Internet?” He looks around the room and people are shaking their heads. ‘Not a chance,’ their faces are saying. ‘We’re not stupid.’
So the vision for the Industrial Internet of Things needs to be adjusted, says Ginter, because the current vision is for everything to be connected together, right up to the Cloud. If we’re not going to connect a critical safety system to the Internet, are we going to do so with the control system for a billion dollar chemical or pharmaceutical plant? Of course not. That would be a gamble. As with responsible gambling, we must only connect to the Internet what we can afford to lose, because all software can be hacked.
All software can be hacked, so every message any software receives could be a potential attack. This is why we do not expose our most important control systems to random messages from the Internet. “Some kind of network perimeter is fundamental to certain systems in the Industrial Internet of Things,” says Ginter. “It may not be essential to each individual device, but it’s essential for some parts of the system.” It’s a beautifully simple concept that takes us back to our original understanding of security—the physical barrier.
“Any industrial process important enough to put a physical perimeter around, is a candidate for a cyber security perimeter as well,” Ginter continues. “An electric transmission substation is typically a couple of acres with a barbed wire fence around it and maybe some video monitors. So a substation deserves a cyber perimeter as well as a physical perimeter. A power plant even more so. We have a well-established history of deciding when a physical perimeter is required,” he argues, “so we should use the same criteria for a cyber perimeter.”
As we discussed at the beginning, though, nothing can be absolutely secure. If we have a sentry on a gate, he can be overpowered, tricked or threatened into letting an attacker in. If we have a solid wall, someone so inclined can drive a bulldozer into it, or dig a tunnel underneath it. The question is, how secure do we want to be? How high should we raise the security bar?
“It should be at least high enough to block a remote cyber assault from the other side of the planet,” says Ginter. “An attacker should have to cross the physical perimeter or persuade somebody on the inside to put their freedom at risk to assist the attack. That raises the bar to the point where it’s no longer possible to make wholesale attacks on multiple power plants all at once. It’s no longer possible for someone on the other side of the world to be sipping coffee while stirring the pot to see what they can blow up. That threat is eliminated if the bar is high enough.”
Multiple attacks on power plants might have seemed far-fetched a few years ago, but threats to the industrial control systems of our critical infrastructure are no longer theoretical. Remote control malware labelled ‘Energetic Bear’ was uncovered by the security firm Symantec in 2014. The attackers, who became known as Dragonfly, compromised the computer systems of more than 1,000 organisations in 84 countries in a campaign spanning 18 months. Symantec’s report concluded that Dragonfly’s purpose was espionage, but if the attackers had used the sabotage capabilities available to them, they could have caused serious disruption to energy supplies in the affected countries. Only last year, Ukraine suffered power outages as a result of a remote control cyber attack. When remote control malware can initiate physical consequences, a widespread, simultaneous attack is only a matter of time.
One-way secure communications
Waterfall Security Solutions is a cyber security specialist focused on protecting industrial control systems and the Industrial Internet of Things. Waterfall produces hardware-enforced perimeter security products to prevent the sabotage of ICS (industrial control system) networks. Its flagship product is the Unidirectional Security Gateway. The gateway hardware allows data to flow out of an industrial system, but allows nothing back in. In other words, the gateway unit at the network perimeter has a transmitter, but not a receiver. The only way is out. “Unidirectional Security Gateways enable safe network integration,” says Ginter. “They let businesses monitor their control system equipment, but make it physically impossible to send any attack message back into those critical networks.
“We claim 100 per cent protection against attacks from external networks,” he continues. “There is no technology that can prevent absolutely all attacks, but these silent, online, network-based remote-control attacks are the workhorse of cyber sabotage, and are the specific risk that comes with increased network connectivity. Outbound-only Unidirectional Gateways eliminate that attack vector entirely.”
The underlying goal of the Industrial Internet of Things is to enable the right people to share information. Waterfall makes data from the industrial control system available for those people by replicating databases outside the industrial control network. “Anyone who wants real-time data can ask the replica and get the same answer they would have had by asking the live system,” Ginter explains. “They get the same answer from the replica without ever sending a message to the control system and putting the industrial process at risk.”
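The replication pattern Ginter describes, as an added illustration written for this article rather than Waterfall’s own code: a live historian inside the control network pushes records over a transmit-only link, and a replica on the business network answers queries from its own copy. The one-way link is modelled here as an in-memory queue that only the control side can append to; the real product enforces this in hardware. One design consequence the article does not spell out, and which this example assumes as its own: with no return path there can be no acknowledgements or retransmission requests, so the sender repeats each record (here twice) and the receiver detects loss on its own by watching sequence numbers. All class and tag names are invented for the example.

```python
"""Outbound-only replication across a modelled unidirectional gateway.

Added example, not Waterfall's code. The OneWayLink below stands in for
transmit-only hardware; nothing in this module carries a message from the
business-network side back to the historian. Sample readings are constructed.
"""
from dataclasses import dataclass
from typing import Iterator


@dataclass(frozen=True)
class Datagram:
    seq: int      # monotonically increasing, assigned by the sender
    tag: str      # process tag name (constructed)
    value: float
    ts: int       # sample time as a plain integer, not wall-clock


class OneWayLink:
    """Transmit-only path: the control side calls send(); the business side
    only ever gets the snapshot iterator from receiver_view()."""

    def __init__(self, drop: frozenset = frozenset()):
        self._wire: list[Datagram] = []
        self._drop = drop                 # (seq, copy_index) pairs lost in transit (simulated)
        self._copies_sent: dict[int, int] = {}

    def send(self, d: Datagram) -> None:
        n = self._copies_sent.get(d.seq, 0)   # which repeat of this record this is
        self._copies_sent[d.seq] = n + 1
        if (d.seq, n) in self._drop:
            return                            # lost on the wire; sender never learns of it
        self._wire.append(d)

    def receiver_view(self) -> Iterator[Datagram]:
        return iter(list(self._wire))


class ControlNetworkHistorian:
    """Live process database on the protected side."""

    def __init__(self, link: OneWayLink, copies: int = 2):
        self._values: dict[str, tuple[float, int]] = {}
        self._seq = 0
        self._link = link
        self._copies = copies   # repeat every record: no ACK can ever come back

    def record(self, tag: str, value: float, ts: int) -> None:
        self._values[tag] = (value, ts)
        self._seq += 1
        d = Datagram(self._seq, tag, value, ts)
        for _ in range(self._copies):
            self._link.send(d)

    def latest(self, tag: str) -> float:
        return self._values[tag][0]


class BusinessNetworkReplica:
    """Replica on the business side. It consumes datagrams and answers
    queries from its own copy; it holds no reference to the historian."""

    def __init__(self):
        self._values: dict[str, tuple[float, int]] = {}
        self._seen: set[int] = set()

    def ingest(self, datagrams: Iterator[Datagram]) -> None:
        for d in datagrams:
            if d.seq in self._seen:           # redundant copy already applied
                continue
            self._seen.add(d.seq)
            cur = self._values.get(d.tag)
            if cur is None or d.ts >= cur[1]: # keep the newest sample per tag
                self._values[d.tag] = (d.value, d.ts)

    def latest(self, tag: str) -> float:
        return self._values[tag][0]

    def missing_sequences(self) -> list[int]:
        """Gaps the receiver can detect by itself. With no return path it
        cannot request retransmission; sender-side redundancy is the only recovery."""
        if not self._seen:
            return []
        return [s for s in range(1, max(self._seen) + 1) if s not in self._seen]


def run_demo(drop: frozenset = frozenset()):
    """Push constructed readings through the link and build the replica."""
    link = OneWayLink(drop)
    hist = ControlNetworkHistorian(link, copies=2)
    samples = [  # constructed sample data
        ("turbine1.bearing_temp_C", 71.5, 100),
        ("plant.water_m3_per_h", 1280.0, 101),
        ("turbine1.bearing_temp_C", 72.1, 102),
        ("turbine2.vibration_mm_s", 3.4, 103),
    ]
    for tag, value, ts in samples:
        hist.record(tag, value, ts)
    replica = BusinessNetworkReplica()
    replica.ingest(link.receiver_view())
    return hist, replica


if __name__ == "__main__":
    hist, rep = run_demo()
    for tag in ("turbine1.bearing_temp_C", "plant.water_m3_per_h"):
        print(tag, "live:", hist.latest(tag), "replica:", rep.latest(tag))
    _, lossy = run_demo(drop=frozenset({(2, 0), (2, 1)}))
    print("undetectable-by-sender gaps seen at receiver:", lossy.missing_sequences())
```

Losing one of the two copies of a record leaves the replica complete; losing both produces a gap the receiver can report but the sender cannot be told about, which is why real one-way deployments pair redundancy with receiver-side gap monitoring.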
Firewalls protect data; Unidirectional Gateways protect safety
The Industrial Internet of Things is all about connectivity, monitoring and control, all the way up to the Cloud. “That’s all possible,” says Ginter. “But we need to be extremely careful about allowing control from the Internet back into our systems. Our most sensitive control systems still need network perimeter protections. Software-based, message-forwarding firewalls will not do the job. Unidirectional Gateways raise the bar so that attackers sipping coffee on the other side of the planet are no longer able to manipulate our most important industrial processes.”