25 Feb 2020 Ransomware Hits Gas Plant: OT Segmentation Is And Will Always Be Essential
The US DHS CISA just issued an alert describing a natural gas compression facility hit by ransomware. The facility had to shut down, triggering a shutdown of the entire “pipeline asset.”
The first two technical mitigations the alert recommends both amount to segmentation – do not leave ICS assets on the IT network, much less on the Internet. Do not let industrial protocols traverse the IT network. I have criticized DHS / CISA advice in the past, but this time they hit the nail on the head.
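The two mitigations above can be turned into a mechanical check. The following is an added example (not code from the CISA alert or from Waterfall) that audits a handful of constructed connection records against two rules: industrial protocols never leave the OT zone, and nothing on the IT network or the Internet initiates a connection into the OT zone. The zone addressing (10.10.0.0/16 for OT, 10.20.0.0/16 for IT) and the flow records are assumptions made up for the example; the port-to-protocol table uses the standard registered ports for the protocols named.

```python
"""Audit constructed flow records against an IT/OT segmentation policy."""
import ipaddress
from typing import Dict, List

# Hypothetical zone layout for the example; replace with the site's real ranges.
ZONES = {
    "OT": ipaddress.ip_network("10.10.0.0/16"),
    "IT": ipaddress.ip_network("10.20.0.0/16"),
}

# Standard TCP ports for common industrial protocols.
ICS_PORTS = {
    102: "S7comm",
    502: "Modbus/TCP",
    4840: "OPC UA",
    20000: "DNP3",
    44818: "EtherNet/IP",
}


def zone_of(ip: str) -> str:
    """Map an address to OT, IT, or INTERNET (anything not in a known zone)."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "INTERNET"


def check_flow(flow: Dict) -> List[str]:
    """Return the policy findings for one connection record (empty list if clean)."""
    src_zone, dst_zone = zone_of(flow["src"]), zone_of(flow["dst"])
    findings = []
    proto = ICS_PORTS.get(flow["dport"])
    # Rule 1: industrial protocols stay inside the OT zone.
    if proto and not (src_zone == "OT" and dst_zone == "OT"):
        findings.append(
            f"{proto} traversing {src_zone}->{dst_zone}: "
            f"{flow['src']} -> {flow['dst']}:{flow['dport']}"
        )
    # Rule 2: no host outside OT initiates a connection into OT, on any port.
    if dst_zone == "OT" and src_zone != "OT":
        findings.append(
            f"inbound connection into OT from {src_zone}: "
            f"{flow['src']} -> {flow['dst']}:{flow['dport']}"
        )
    return findings


def audit(flows: List[Dict]) -> List[str]:
    """Run every record through check_flow and collect all findings."""
    return [finding for flow in flows for finding in check_flow(flow)]


# Constructed sample records (src, dst, destination port); not real traffic.
SAMPLE_FLOWS = [
    {"src": "10.10.1.5", "dst": "10.10.2.10", "dport": 502},     # PLC poll inside OT: clean
    {"src": "10.20.3.7", "dst": "10.10.2.10", "dport": 502},     # IT host talking Modbus into OT
    {"src": "203.0.113.9", "dst": "10.10.1.5", "dport": 3389},   # Internet RDP into OT
    {"src": "10.10.1.5", "dst": "10.20.9.2", "dport": 8443},     # OT pushing data out to IT: clean
    {"src": "10.20.1.1", "dst": "10.20.1.2", "dport": 20000},    # DNP3 between two IT hosts
]

if __name__ == "__main__":
    for line in audit(SAMPLE_FLOWS):
        print(line)
```

Run against the sample records, the audit reports four findings: the IT-to-OT Modbus connection trips both rules, the Internet RDP attempt trips the inbound rule, and the DNP3 exchange on the IT network trips the protocol rule. The OT-to-IT push on 8443 is deliberately left clean, since data leaving OT toward the enterprise is the one direction the rest of the post argues should be permitted.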
That OT network segmentation is so important is surprising to some. Common wisdom on IT networks is that “the perimeter is dead.” This sentiment is accurate for IT networks and IT assets – where is the perimeter around a cell phone after all? And how much business-critical information is on such phones?
But – this common wisdom does not, and will never, apply to industrial networks. Think about it – every single message anything sends to any computer is a kind of control – the message causes the computer to execute instructions that the computer would not otherwise have executed. Every message controls the computer that receives the message to some degree, sometimes less and sometimes much, much more.
So – how many computers on the open Internet should be allowed to control our safety systems, our PLCs or our pipeline SCADA systems today? None. How many computers on the Internet should be allowed to send messages to our safety systems and control systems testing for known or new vulnerabilities today? None.
Our safety systems and industrial computers run software – they always will. How many computers on the Internet should be allowed to send messages to control our industrial systems tomorrow? Ever?
How many computers on the IT network have any business controlling our safety systems? Our control systems? Ever?
There are practitioners who bemoan the state of patching on industrial networks – if only, if only we could patch our industrial networks, then we would not need segmentation, they cry. And patching is hard on industrial networks – on networks optimized for reliability, security updates are as likely to introduce reliability problems as they are to eliminate software vulnerabilities. This means process engineers are very reluctant to apply security updates at all promptly, preferring to install updates only at long intervals and after extensive and costly testing. If only, we are told, if only there were a way to apply patches to these industrial networks, all would be well.
Really? Security updates – if they work at all – eliminate known vulnerabilities. They do nothing for unknown vulnerabilities, much less for the misconfigured permissions modern attackers & ransomware use to propagate. Even if we could patch every industrial asset the instant a patch came out, would we let random attackers all over the Internet send messages to our safety systems? To our control systems? To test for zero-days and misconfigurations?
Other practitioners are utterly convinced that intrusion detection and security monitoring are the pinnacle of industrial security, able to prevent all credible attacks.
This makes no sense either – in terms of the NIST Framework, intrusion detection is a detective measure, not a preventive one, by definition. And intrusion detection and incident response take time. If an intruder pushes the operator out of her chair and starts moving the mouse on the HMI, how long should we give them? 24 hours? 24 minutes? 24 seconds?
Industrial practitioners tell us that this is entirely the wrong question. The question is not how long would we give an intruder, but “how did that person get in here?” and “what are we going to do to make sure this never happens again?” There is a role for detection on industrial networks, but first priorities on industrial networks are always prevention and protection.
The future is segmented
Secure industrial networks controlling important physical processes are and will always be segmented from IT networks and from the Internet. This is intrinsic – segmentation is driven by the nature of software and by the unacceptable physical risks of compromise ranging from safety incidents to costly plant shutdowns. None of human lives, environmental damage, damaged equipment, and production outages can ever be “restored from backups.”
What is surprising to many is that the most robust segmentation is not facilitated by firewalls. Firewalls are themselves software and are themselves subject to misconfiguration. Why does it make sense to use firewalls full of software and vulnerabilities to protect our industrial control systems full of software and vulnerabilities?
The most secure industrial sites on the planet all deploy at least one layer of Unidirectional Gateway technology in their defense-in-depth network architecture, most commonly at the IT/OT interface. Unidirectional Gateways are physically able to send information in only one direction – generally from the industrial network to the IT network. The gateways replicate servers – so enterprise users can query the replicas and get access to any or all of the latest real-time data that the industrial network is authorized to share with enterprise users.
Another surprise to many readers is that advanced unidirectional technology suites, such as ours at Waterfall, include a variety of mechanisms to enable disciplined control of operations, even though the gateways are truly unidirectional.
Don’t get me wrong – while security starts with robust segmentation, security does not end with segmentation. There is a role for firewalls – for internal segmentation on both IT and OT networks. There are important roles for patching and for intrusion detection systems on industrial networks.
But robust security always starts with segmentation, and will always start with segmentation, and the most robust segmentation is unidirectional. Again – all the world’s most secure sites have at least one layer of Unidirectional Gateway protection in their defense-in-depth network architectures, almost always separating OT networks from IT networks and from the Internet.