23 Oct 2018 Ministry of Environmental Protection regulation emphasizes industrial cybersecurity best practice
Governments all over the world are beginning to toughen cyber regulations imposed on industry to respond to the increasing threat of cyber attacks on national critical infrastructure. This class of cyber attack does not just limit itself to enterprise systems. If the control systems of a digitized petro-chemical plant, for example, fall in the hands of a threat actor, not only can the national energy supply be in danger, but the physical plant itself could be at risk of explosion or fire.
This clear and present danger is considered a serious threat in Israel, where several such attacks have been attempted on industrial sites in the past 12 months. The Israeli Ministry of Environmental Protection, in its new regulation on cyber requirements for plants handling hazardous materials, has adopted the national best practices for cyber protection to guard against risks to public health from cyber attacks on industrial sites. These requirements include implementing the strongest cyber protections available: unidirectional gateways.
According to the Israeli Hazardous Materials Act, any company handling hazardous materials in a quantity or concentration exceeding a specified amount is required to possess a Hazardous Materials/Toxins Permit from the Ministry of Environmental Protection. This government regulation is designed specifically to cover businesses that handle toxic chemicals with the potential – in the event of an incident – to inflict harm on the environment, public health or workers at the site. Under the new regulations, companies that do not comply with the new cyber security protection guidelines risk losing their license to operate altogether.
In modern industrial plants, the processing, transportation and storage of hazardous materials are controlled by computers. This means that misoperation of the control system poses serious threats, including the risk of unscheduled downtime impairing the production of important products, physical equipment damage, or worse, a hazardous materials incident resulting in environmental damage, site casualties or public safety risks. The government will begin by applying the regulation to a selection of 60 of the most high-risk factories, but the final goal is to “cyber-fortify” a total of 4,000 factories nation-wide.
Sophisticated Security Methodology
That the Israeli government, like many governments, is toughening up its industrial cyber regulation comes as no surprise. For the chemical processing industry specifically, periodic regulatory updates and reviews are commonplace. Chemical companies undergo regular PHAs – Process Hazard Analyses – which are a set of organized and systematic assessments of the potential hazards associated with an industrial process. PHAs aim to improve safety and reduce the consequences of unwanted or unplanned releases of hazardous substances – and the cyber-physical element is no exception to this assessment.
What is impressive about the Israeli regulation however, is the level of sophistication the regulation demonstrates regarding the methodology and protections required to safeguard control systems against remote attacks. Firstly, the regulation follows a cyber classification methodology specifically appropriate for industrial networks: the IDENTIFY, CLASSIFY, & PROTECT model, similar to what we see in France’s ANSSI regulations. Secondly, the document prioritizes perimeter protection above all other methods of network cyber defense, reasoning that when the consequences of compromise are thoroughly unacceptable, prevention of compromise must be the protected site’s first priority. In contrast, traditional IT defense in depth cyber frameworks generally follow an ‘identify, protect, detect, and respond’ model – which weighs prevention and detection equally.
In an industrial network environment, different systems and networks may have different levels of safety and reliability criticality and must be identified and protected accordingly. By incorporating a “classify” element as well as prioritizing perimeter “protection”, the regulation is following the path of the ANSSI industrial control network guidelines, where the classification of networks (from most reliability critical, to least trusted) is essential to building the proper protections within an industrial network environment.
In the Israeli regulation, businesses with a toxic substances permit are required to be mapped into one of four categories, from low impact to very high impact. Risk management and defenses for each system are determined according to the system’s classification. The classification levels are designed to be very cautious. Class 3 systems are those whose worst-case compromise poses a clear threat to even one human life, and whose worst-case costs exceed about 1.5 million US dollars. Class 4 systems are those whose worst-case compromise poses a clear threat to “many” lives, and whose cost of compromise exceeds $6M USD. It is clear that many control systems at even modestly-sized chemical facilities will be categorized as class 4 – the highest threat class.
Network perimeter protections are specified for all classes of networks, but differ from IT-style protections most thoroughly for class 4 networks. In a sense this is not surprising – all cyber attacks are information and the only way for any system to change from an uncompromised to a compromised state is for attack information to cross a network perimeter. The new regulation forbids firewalled connections between class 4 networks and any less-critical network, permitting only unidirectional gateways – one-way information flows – at such connections.
Unidirectional gateways differ from firewalls in two ways: the gateway hardware is physically able to transmit information in only one direction, and the gateway software does not forward network traffic as firewalls do, but instead replicates servers and emulates devices through the unidirectional hardware. The gateways are permitted to be oriented only to replicate servers from class 4 networks to less-critical networks. Users and applications on the less-critical networks can then access the replica servers and devices as if they were the original industrial server, acquiring and analyzing data from them normally. No network attack, however sophisticated, can penetrate the gateway hardware. The hardware design physically prevents any information from less-critical networks from reaching class 4 networks, thus preventing all remote cyber attacks.
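The replicate-then-read design described above, as an added Python model that is not the article's or any vendor's code: `OneWayChannel`, `TxAgent` and `ReplicaServer` are constructed stand-ins for the one-way hardware, the protected-side transmit agent and the less-critical-side replica server, and the tag names and values are sample data.

```python
from collections import deque

class OneWayChannel:
    """Stand-in for one-way hardware: the protected side gets only tx(),
    the less-critical side only rx(), so no path leads back."""
    def __init__(self):
        self._fifo = deque()

    def tx(self, frame: bytes) -> None:
        self._fifo.append(frame)

    def rx(self):
        return self._fifo.popleft() if self._fifo else None

class TxAgent:
    """Class-4 side: reads the real historian, emits tag snapshots, never receives."""
    def __init__(self, historian: dict, tx):
        self.historian, self.tx = historian, tx

    def publish(self) -> int:
        for tag, value in self.historian.items():
            self.tx(f"{tag}={value}".encode())
        return len(self.historian)

class ReplicaServer:
    """IT side: rebuilds a replica that users query normally; writes stay local."""
    def __init__(self, rx):
        self.rx, self.tags = rx, {}

    def sync(self) -> int:
        n = 0
        while (frame := self.rx()) is not None:
            tag, _, value = frame.decode().partition("=")
            self.tags[tag] = float(value)
            n += 1
        return n

    def write(self, tag, value):
        self.tags[tag] = float(value)   # alters the replica only

def demo():
    # Constructed sample historian living on the protected class-4 network.
    source = {"REACTOR_TEMP_C": 184.5, "RELIEF_VALVE_PCT": 0.0}
    chan = OneWayChannel()
    TxAgent(source, chan.tx).publish()
    replica = ReplicaServer(chan.rx)
    replica.sync()
    replica.write("RELIEF_VALVE_PCT", 100.0)  # tampering on the IT side
    return source["RELIEF_VALVE_PCT"], replica.tags["RELIEF_VALVE_PCT"]
```

The point of the model is structural: the replica side holds a reference to `rx` only, so even a compromised IT-side user who rewrites a replica tag has no object through which the change could propagate back to the class 4 historian.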
Commitment to Security
The fact that the Israeli Ministry of Environmental Protection has clearly required unidirectional gateway technology for control equipment at chemical facilities of any significant size speaks to the government’s commitment to cybersecurity. Designing a robust cyber-secure industrial network must take into account the potential physical consequences of a cyber breach of control systems, which go well beyond the scope of a data breach of traditional IT systems. Unidirectional security gateways protect industrial networks absolutely from the remote cyber threats that are routinely breaching industrial networks in less cautious jurisdictions.