Flying Blind in Critical Infrastructure

Tuesday, June 07, 2011

Chris Blask


The root problem with SCADA security is that control systems have been built on the concept that devices can be trusted.

Since everything else about SCADA is based on the concept that devices can never be trusted ("Sure, the temperature in the boiler should stay at such-and-such, but I would like to monitor the hell out of it anyway."), once you get your head around the idea that you cannot trust your cyber devices either, you find that it fits existing industrial ideology quite well.

The solution to industrial cyber security is to do your best to build a reliable cyber system - just as you do with the physical assets in the industrial process - then monitor it like a convicted criminal in solitary confinement.

Unlike physical assets, which need to have monitoring bolted onto them, cyber assets inherently produce masses of telemetry. Ironically, given the context, virtually none of this data, provided freely by control system devices, is ever looked at.

Imagine taking 99% of the data about the state of your industrial process and choosing not to make it available to your operators. Under normal conditions everything functions as it is supposed to, so concluding that you are in control might be understandable.

Only in the post-disaster analysis would you discover that (for example) there had been continuous out-of-spec pressures that led to the initial failure and subsequent catastrophic chain-reaction.

This is precisely what is done with cyber assets today. If you operate a control system network, the security of your ICS is almost certainly in a Rumsfeldian "Known Unknown" state: you know that you do not know whether your ICS is under attack right now.

That probability waveform can only empirically collapse in one direction - only one of the two "Known Known" states can be determined - and then only at the moment bad things happen to your industrial process.

Lots of attacks (like the much-referenced Stuxnet, and most attacks today in IT) seek to hide themselves. On control system networks that is trivial: any first-year hacker that actually got caught on almost any ICS network deserves to have their keyboard taken away.

Illiterate tundra farmers with bilateral frostbite could learn how to lurk undetected on your ICS network in less time than it took to write this article.

All of the efforts to secure devices attached to ICS networks are good and necessary. But we have to get away from the idea that we have secured any device and can therefore trust it. Monitoring can be done in many places in many ways that will not have a negative impact on the industrial process itself.

It is interesting how the cyber component evolved in industrial environments in a way that flew under the radar for so long. A pump would not be installed without monitoring in these facilities, but the system to monitor and control the entire process is, itself, entirely unmonitored.

I'm an old SIEM guy so I think like this all the time, but the parallel between SIEM and control systems struck me very early on. They are effectively the same thing: systems for monitoring and managing complex environments.

SIEM is about "Knowing what you have and what it is doing" and being able to do something about it. Control systems are essentially the same animals.

Basic monitoring of almost any type would catch activity like Stuxnet's ("Hey, when did we allow peer-to-peer networking on our ICS?"). Event messages (syslog, SNMP, ...) from the switches, routers and firewalls sitting between HMIs and PLCs will show the traffic crossing the network. A SIEM sensor on a SPAN (mirror) port will do the same.

Combine those with an IDS and you can do protocol analysis. Add host security (HIDS, WMI, ...) and you can see what is going on at the server/HMI level.

For remote access, add access device telemetry (from the VPN terminator on the ICS network, for example) and you will be able to see when people come inbound and, depending on how you do it, what they are up to. Gather telemetry from the remote device (smartphone, laptop, ...) and you again have a deeper view into what is happening.

Most attacks today are not brilliant and will be visible to anyone who looks for them. We need to drain the swamp, at the very least, so we can stop worrying about every fifteen-year-old with spare time. Just securing devices won't do that for us (fifteen-year-olds will know about vulnerabilities before you do) but simply paying attention will.

Gathering and processing telemetry reaches deeper into the operational stack than detecting and stopping rogue access, though. Policies can be implemented as rules in the monitoring system.

Cause and effect, and the sequence of events, can be verified and, if need be, enforced ("Person with Role A can only perform Task B from Location C, but never in Scenario D."). The ability for facility operators to regain control of their controls is easily within reach using existing technologies and methods.
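The two ideas above, a baseline of the conversations the process actually needs and a role/location/scenario rule applied to remote access, can both be expressed as a few lines of rule logic over the telemetry the devices already emit. The following is an added example written for this page, not code from the article, from AlienVault or from any product it mentions. The flow and access log formats, the IP addresses, the asset names and roles, the policy table and the "process state" are all constructed assumptions for illustration; a real deployment would feed the same logic from the switch, SPAN-port sensor and VPN logs the article describes.

```python
"""Whitelist-style ICS telemetry audit (added example; all data and formats are constructed)."""
import ipaddress
from typing import Dict, List, Set, Tuple

# --- Asset inventory: "knowing what you have". Addresses and names are made up. ---
ASSETS: Dict[str, Tuple[str, str]] = {
    "10.10.1.20": ("HMI-1", "hmi"),
    "10.10.1.21": ("HMI-2", "hmi"),
    "10.10.1.30": ("ENG-WS", "engineering"),
    "10.10.2.5": ("PLC-A", "plc"),
    "10.10.2.6": ("PLC-B", "plc"),
}

# --- Conversations the process needs: (initiator role, responder role, port). ---
ALLOWED_FLOWS: Set[Tuple[str, str, int]] = {
    ("hmi", "plc", 502),          # Modbus/TCP polling from the HMIs
    ("engineering", "plc", 502),  # engineering workstation talking to PLCs
}

# Constructed flow summaries, as a switch or span-port sensor might report them:
# "<timestamp> <src_ip> <dst_ip> <dst_port> <proto>"
FLOW_LOG = """\
2011-06-07T10:00:01 10.10.1.20 10.10.2.5 502 tcp
2011-06-07T10:00:02 10.10.1.20 10.10.2.6 502 tcp
2011-06-07T10:00:05 10.10.1.30 10.10.2.5 502 tcp
2011-06-07T10:01:10 10.10.1.20 10.10.1.21 445 tcp
2011-06-07T10:01:11 10.10.1.21 10.10.1.20 135 tcp
2011-06-07T10:02:00 10.10.2.5 10.10.1.20 502 tcp
2011-06-07T10:02:30 10.10.1.99 10.10.2.5 502 tcp
"""


def audit_flows(log: str) -> List[str]:
    """Return one alert per flow that is not in the baseline of needed conversations."""
    alerts: List[str] = []
    for line in log.strip().splitlines():
        ts, src, dst, port, proto = line.split()
        src_name, src_role = ASSETS.get(src, (src, "unknown"))
        dst_name, dst_role = ASSETS.get(dst, (dst, "unknown"))
        if (src_role, dst_role, int(port)) in ALLOWED_FLOWS:
            continue
        if "unknown" in (src_role, dst_role):
            why = "unknown device on the ICS network"
        elif src_role == dst_role:
            why = f"peer-to-peer traffic between {src_role} devices"   # the Stuxnet-style signal
        else:
            why = "conversation not in baseline"                      # e.g. a PLC initiating to an HMI
        alerts.append(f"{ts} {src_name}->{dst_name}:{port}/{proto} {why}")
    return alerts


# --- Remote-access policy: "Role A may do Task B from Location C, never in Scenario D". ---
# Roles, networks and states are constructed for the example.
POLICY = {
    "operator": {
        "tasks": {"view", "change_setpoint"},
        "locations": [ipaddress.ip_network("10.10.1.0/24")],     # control-room network only
        "never_during": {"change_setpoint": {"startup", "shutdown"}},
    },
    "vendor": {
        "tasks": {"view"},
        "locations": [ipaddress.ip_network("203.0.113.0/24")],   # the vendor's VPN range
        "never_during": {},
    },
}
USERS = {"alice": "operator", "bob": "vendor"}

# Constructed VPN / access-gateway lines: "<timestamp> user=<u> src=<ip> task=<t>"
ACCESS_LOG = """\
2011-06-07T10:05:00 user=alice src=10.10.1.40 task=change_setpoint
2011-06-07T10:06:00 user=alice src=198.51.100.7 task=change_setpoint
2011-06-07T10:07:00 user=bob src=203.0.113.9 task=view
2011-06-07T10:08:00 user=bob src=203.0.113.9 task=change_setpoint
2011-06-07T10:09:00 user=mallory src=203.0.113.9 task=view
"""


def audit_access(log: str, process_state: str) -> List[str]:
    """Check each access record against role, location and the current process state."""
    alerts: List[str] = []
    for line in log.strip().splitlines():
        ts, *kv = line.split()
        f = dict(item.split("=", 1) for item in kv)
        user, src, task = f["user"], f["src"], f["task"]
        role = USERS.get(user)
        if role is None:
            alerts.append(f"{ts} {user}: unknown user")
            continue
        rule = POLICY[role]
        ip = ipaddress.ip_address(src)
        if task not in rule["tasks"]:
            alerts.append(f"{ts} {user}: role {role} may not {task}")
        elif not any(ip in net for net in rule["locations"]):
            alerts.append(f"{ts} {user}: {task} from {src} is outside allowed locations")
        elif process_state in rule["never_during"].get(task, set()):
            alerts.append(f"{ts} {user}: {task} not allowed during {process_state}")
    return alerts


if __name__ == "__main__":
    for alert in audit_flows(FLOW_LOG) + audit_access(ACCESS_LOG, "startup"):
        print(alert)
```

Run as a script it prints four flow alerts (the two HMI-to-HMI SMB/RPC conversations, a PLC initiating a connection to an HMI, and an address that is not in the inventory) and four access alerts when the plant is in "startup". The point is that every one of these is visible in telemetry the devices already produce; the only new component is a table of what the process is supposed to do.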

I understand how and why we got to the place we are today - and it was not anyone's 'fault' as such - but it is nonetheless unacceptable and needs to stop. Now.

The only thing left to blind fate in industrial processes are the systems that control them.

Chris Blask authored the first book on SIEM, "Security Information and Event Management Implementation", published by McGraw Hill. Today he is Vice President of Industrial Control Systems Group at AlienVault, the producer of the world's most popular SIEM technology, and is on faculty at the Institute for Applied Network Security (IANS).

Geoff Cruickshank

Hi Chris,

Having worked in the SCADA industry for over a decade, one other major factor in security flaws for new builds of SCADA systems is the sales department's insistence that the customer be able to access the network from home. By the time the specifications filter down to the engineering department, it's a done deal and the customer will accept nothing less than the ability to use a browser to adjust the temperature of their office before leaving work so it's "nice and warm" when they get there. The fact that the same system is used for access control of doors, controlling the speed of fans and closing dampers is totally lost on sales people, as it is now an integral part of their pitch to have web connectivity. There are a thousand and one things that can be done to cause mass casualties in high-rise buildings just by fooling around with the air handling equipment (obviously I won't go into specifics). The engineer is left to try and provide web access whilst maintaining a high level of security, which quite plainly is an oxymoron.

Chris Blask

Hey Geoff,

Indeed, the gap between wishes and reality often leaves underfunded engineers responsible for making unicorns perform quantum calculations. That does not necessarily mean the wishes are frivolous, though (quantum unicorns could turn out to be very handy). The trick is to negotiate a realistic truce between those requesting quantum unicorns and those charged with delivering them.

This article spun out of a conversation on Linkedin about smartphones and remote access to industrial control systems. It is obvious that allowing unfettered access to control systems from smart devices would be a Bad Thing, and plenty of folks raise alarms. In the case of smart devices, though, it is also equally obvious that it would be impossible to completely prevent their use for these applications.

Our responsibility is to somehow manage this gap between the time when nobody could control HVAC systems with an iPhone app and the time when everybody will be doing it. It is an adolescent process, so we should expect to observe a range of attributes we will have to deal with. Like all adolescents who do not end up as tragic evening news, however, this stage will pass. Folks will be busily managing building control systems from their corneal implants between rounds of street hockey. Our task is to not end up on the evening news.

It can be worked out, though, and your comment is literally part of the process. Individual and aggregate statements like yours create environments where boundaries are tenderized and changes can happen.

Every business unit gets a turn to say: "Cheap, good or fast! Pick two, dammit!"

It's your turn on this topic. :~)
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

