A discussion on ICS and IoT cyber protection between Ed Amoroso, Founder & CEO of TAG Cyber, and Francis Cianfrocca, Founder & Chief Scientist, Bayshore Networks. Originally posted on LinkedIn.
Ask any group of experienced cyber security experts what keeps them up at night, and you will no doubt hear the phrase “industrial control” in their answers. The challenge of protecting the myriad of different legacy and new electromechanical systems in our factories, transportation, telecommunications, and other tangible critical infrastructure sectors has grown significantly.
The primary culprit, most would agree, has been the often cavalier decision to connect critical control functions to networks. And while inexperienced observers might view private networks as offering some level of security, capable hackers would brush off such an approach as nothing more than a speed bump. So whether your industrial control system (ICS) or Internet of Things (IoT) devices are hosted on the Internet or in some private data center behind a perimeter, the chances of cyber attack are going to be immense.
This is a frightening prospect for infrastructure elements such as nuclear power that have the ability to produce serious consequences if attacked. I recently sat down with one of our nation’s leading experts in this area, my good friend Francis Cianfrocca. As founder of Bayshore Networks, Francis has had a front row seat to the growth of industrial attacks and he was kind enough to sit down and share his insights with me over some delicious Greek salads in Queens.
EA: Should we all be worried about terrible cyber attack scenarios to critical infrastructure systems such as power generators or manufacturing plants?
FC: As an active participant in the industry, I am certainly worried about these types of large-scale cyber attack scenarios, especially to the type of critical infrastructure components you mention, including power, telecommunications, manufacturing, and transportation. Whether these scenarios are something that everyone should be worried about – well, my hope is that we in the security industry can work together to reduce the associated risk so that people don’t have to be so worried. Unfortunately, we’re all just getting started with this. So much existing of our legacy equipment, software, and processes is just plain insecure. This leads to a very big cyber security risk in information technology, operational technology, and industrial control systems.
EA: Anyone who has ever attended engineering school knows that industrial engineers are highly intelligent. Why is it that they’ve gotten the cyber security so wrong?
FC: Cyber security was never an original requirement in the development of most industrial and operational systems. So it should come as no surprise that these requirements were not prioritized. And while you’re correct that industrial engineers are intelligent, it was never about their competency as engineers. Their respective focus has just not been on functional requirements for stopping cyber attacks. Now that everyone knows the industrial control infrastructure, operational Internet, and related systems are vulnerable to cyber attacks, the entire IoT and ICS industry is scrambling for solutions. Our approach at Bayshore Networks has been to focus on the underlying communication protocols that connect devices to the monitoring and control functions usually operated from a management center. The good news is that this approach allows us to fine-tune the policy controls required to prevent malware from causing serious consequences. The bad news is that this is not an easy process.
EA: Is it hard to reverse engineer a legacy ICS protocol? What techniques do the best organizations use to get this done?
FC: At the lowest level, engineers just have to collect the data, analyze the communications, and then help determine what protocol steps are involved. A majority of existing systems luckily use Modbus, so this emphasis simplifies matters, and our engineers have optimized our tools to deal with this protocol. In other cases, we’ve tried to create generalized solutions based on automation that helps generate policy controls faster and in a less error-prone manner. Keep in mind that this is mostly for legacy systems with protocols designed many years ago. When new systems are designed and put in place, we can do a better job because the security can be designed from the ground up.
EA: What is the best solution to keeping hackers away from control systems? Is it telemetry and control encryption? ICS firewalls? IoT command monitoring? Improved device runtime protections? All of the above?
FC: It would be easy to just answer “all of the above,” but that is too simple, and most companies probably cannot afford to do everything they’d like to do. Instead, the best approach is to manage security risk through a comprehensive program of technology, architecture, and process. The Bayshore IT/OT cloud-based gateway was designed to help orchestrate this overall risk reduction. It supports granular content inspection, industrial protocol filtering based on policy, and is applicable to a wide range of technologies including Industrial Automation and Control Systems (IAS), Supervisory Control and Data Acquisition (SCADA) systems, and even smaller programmable logic controllers (PLCs). The goal is to help security teams avoid having to throw a hodge-podge of different security solutions at the industrial control security problem.
EA: Do you see a difference in new ICS applications – in terms of their security – than legacy systems that were put in place many years ago?
FC: Obviously, an ICS designed today is going to have better support for remote administration, native cryptography, access control, proper authentication, and even code security. But the vast majority of existing equipment and software in every industrial setting remains legacy. And this problem is not likely to go away for some time.
EA: What other types of solutions do you envision for protecting industrial systems from attack?
FC: Techniques related to software-defined segmentation are particularly promising, because they remove the weaknesses inherent in a larger perimeter solution. I also like recent advances in identity management, which are directly applicable to IT/OT systems. In particular, contextual, adaptive authentication based on a range of identity indicators is a good direction for protecting ICS devices. Finally, the overall threat intelligence process and ecosystem are so much more accurate and timely, and this includes intelligence about OT protocols.