From the very beginning, critical infrastructure networks were designed solely for control purposes and to provide operators with information. Cyber security was not even a distant consideration, as cyber attacks were practically unheard of.
The beginning of the 21st century brought about a newfound awareness of the potential damage that cyber attacks can cause. Still, cyber security was viewed primarily in terms of its traditional roots – as an IT-type risk – and was treated as such in terms of threat mitigation.
The traditional doctrine for securing networking devices focuses on two basic elements:
The first is anti-virus software, which simply runs on a PC. The second is the firewall.
The security mechanism of early firewalls was based on pre-determined knowledge of applications, network relationships between applications and the establishment of an enforcement mechanism for these relationships. As such, it allowed communication only between devices with pre-approved source and destination IP addresses. In more advanced firewalls, a Deep Packet Inspection (DPI) software engine created a firewall/anti-virus hybrid that checks the data that passes through.
New Technologies Bring New Threats
Today, the transition from traditional circuit-switched to new packet-switched networks greatly increases the risk of cyber threats directed at critical infrastructure. Critical infrastructure networks are becoming smarter, automated and more connected. As a result, they are also more susceptible than ever to cyber threats.
Due to their static nature, traditional SDH networks with dedicated connections are less susceptible to cyber attacks than some packet-based alternatives, such as MPLS, in which traffic is routed per hop and can dynamically reach any point in the network using IP addressing.
Equipment vendors long assumed that systems would remain immune to cyber attacks as long as they kept interface and communication protocols secret. They confidently reasoned that without a detailed specification, attackers would be unable to communicate with the equipment (and most likely, would not even bother to try). Many claimed that this would block any possibility of cyber attacks on devices or networks, and while that may partially be true, the growing use of standard hardware, software and protocols has rendered this approach ineffective.
Industrial devices and protocols were designed primarily with operational safety and reliability in mind. Security was not considered a top priority. Earlier versions of the leading SCADA protocols for power utilities, for example, did not have robust mechanisms for source address authentication or validation of message integrity. The 2010 discovery of Stuxnet was a painful reminder of this particular vulnerability.
One rarely discussed aspect of security vulnerability analysis is the underlying network technology. Because legacy networks were seldom attacked, and more modern networks are mostly protected only to a small degree, the operational network has not been well defended against cyber threats. Two major vulnerabilities can be associated with the network layer:
- Attacks on the network control plane (also known as the “signaling plane”), which is the set of functionalities that prepare and maintain the data plane, including finding paths through the network (routing), setup and release of connections, protection switching, etc.
- Attacks on the data plane (also known as the “forwarding plane”), which is the set of functionalities responsible for forwarding packets through the network from source to destination. Denial of Service (DoS) attacks are a classic example.
Combined, these two planes of attack represent a major vulnerability. They are dependent on the design and implementation of the network overlay and can be either enhanced or mitigated as a result of network design considerations.
Defense-in-Depth of Power Industrial Control Systems
For power networks, standard network firewalls and anti-virus software are simply not enough to qualify as a defense-in-depth strategy. Such an approach addresses only one vector of defense, and will be rendered useless if an attacker can either breach the network or use malware to issue malicious commands. This is why a multilayered defense strategy must be deployed to protect against all attack vectors – especially in the mission critical environment of the operational or automation and protection network.
Within any industrial control system (ICS) network, each layer of defense-in-depth protection has both advantages and vulnerabilities. Working together, the combined solution successfully provides protection against:
- Remote attacks originating at other locations, prevented by a networking firewall and inter-site encryption. Together they prevent hackers from gaining “logical” access to the internal networks.
- Man-in-the-middle attacks, prevented by inter-site encryption, which also prevents corruption or tampering of data in transit.
- Network control plane attacks, prevented via the design of the underlying network. For example, selecting a security-robust infrastructure like Carrier Ethernet or SDH in lieu of MPLS or MPLS-TP.
- Masquerading attacks, prevented through source authentication protocols such as IEEE 802.1X, which verifies that a particular host has not been replaced by another machine that could in turn issue malicious data or attacks.
- Snooping and scouting, prevented by using network technology with rigid path definition and universal address space – like Carrier Ethernet.
- Malware attacks from remote terminal units (RTUs), control stations or human-machine interface (HMI), prevented by the use of distributed application-aware firewalls. These firewalls can dive into the SCADA protocols to verify that commands are within the bounds of the control or monitoring automation solution – not just that the devices are members of the automation network.
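The two filtering layers described above (the classic firewall's pre-approved source/destination pairs, and the application-aware firewall that checks whether a SCADA command is within the bounds of the automation solution) can be illustrated with a small policy engine. The following is an added example written for this page; it is not code from the article or from RAD. The article names no specific protocol, so Modbus/TCP is assumed here as the concrete SCADA protocol (its MBAP header and function codes 3, 6 and 16 are standard), and the IP addresses, the permitted function codes and the register bounds are constructed sample values.

```python
import struct
from typing import Dict, List, Set, Tuple

# --- Layer 1: classic firewall rule, a set of pre-approved (source, destination) IP pairs.
# Constructed sample addresses: control station 10.0.1.10 may talk to RTU 10.0.2.20.
ALLOWED_PAIRS: Set[Tuple[str, str]] = {("10.0.1.10", "10.0.2.20")}

# --- Layer 2: application-aware policy per RTU (constructed example policy).
# Modbus/TCP function codes: 3 = read holding registers, 6 = write single register.
# "registers" maps each writable holding-register address to its permitted (low, high) range.
POLICY: Dict[str, dict] = {
    "10.0.2.20": {
        "functions": {3, 6},
        "registers": {0x0010: (0, 100)},   # e.g. a setpoint expressed in percent
    }
}


def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse the MBAP header (transaction id, protocol id, length, unit id) and the PDU.

    Raises ValueError for anything that is not a well-formed Modbus/TCP frame, so a
    malformed or truncated message is dropped instead of being forwarded to the RTU.
    """
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError("protocol id is not Modbus")
    if length != len(frame) - 6:        # MBAP length counts unit id + PDU bytes
        raise ValueError("MBAP length does not match frame size")
    return {"tid": tid, "unit": unit, "fc": frame[7], "data": frame[8:]}


def evaluate(src: str, dst: str, frame: bytes) -> Tuple[str, str]:
    """Return ("ALLOW" | "DROP", reason) for one frame, applying both layers in order."""
    # Layer 1: network membership only.
    if (src, dst) not in ALLOWED_PAIRS:
        return "DROP", "source/destination pair not pre-approved"
    # Layer 2: dive into the protocol and check the command itself.
    try:
        msg = parse_modbus_tcp(frame)
    except ValueError as exc:
        return "DROP", f"malformed frame: {exc}"
    policy = POLICY.get(dst)
    if policy is None:
        return "DROP", "no application policy for destination"
    if msg["fc"] not in policy["functions"]:
        return "DROP", f"function code {msg['fc']} not permitted for {dst}"
    if msg["fc"] == 6:                  # write single register: address (2) + value (2)
        if len(msg["data"]) != 4:
            return "DROP", "write single register payload must be 4 bytes"
        addr, value = struct.unpack(">HH", msg["data"])
        bounds = policy["registers"].get(addr)
        if bounds is None:
            return "DROP", f"register {addr:#06x} is not writable"
        lo, hi = bounds
        if not lo <= value <= hi:
            return "DROP", f"value {value} outside [{lo}, {hi}] for register {addr:#06x}"
    return "ALLOW", "within network and application policy"


def build_frame(tid: int, unit: int, pdu: bytes) -> bytes:
    """Wrap a PDU in an MBAP header (length field = unit id + PDU bytes)."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def build_write_single(tid: int, unit: int, addr: int, value: int) -> bytes:
    return build_frame(tid, unit, struct.pack(">BHH", 6, addr, value))


def run_samples() -> List[Tuple[str, str]]:
    """Evaluate constructed sample traffic; returns (label, verdict) per frame."""
    samples = [
        ("in-range setpoint write",    "10.0.1.10", "10.0.2.20", build_write_single(1, 1, 0x0010, 50)),
        ("out-of-range setpoint",      "10.0.1.10", "10.0.2.20", build_write_single(2, 1, 0x0010, 250)),
        ("write to unlisted register", "10.0.1.10", "10.0.2.20", build_write_single(3, 1, 0x0020, 5)),
        ("write multiple (fc 16)",     "10.0.1.10", "10.0.2.20",
         build_frame(4, 1, struct.pack(">BHHBH", 16, 0x0010, 1, 2, 50))),
        ("unknown source host",        "10.0.9.9",  "10.0.2.20", build_write_single(5, 1, 0x0010, 50)),
        ("truncated frame",            "10.0.1.10", "10.0.2.20", b"\x00\x06\x00\x00"),
    ]
    results = []
    for label, src, dst, frame in samples:
        verdict, reason = evaluate(src, dst, frame)
        results.append((label, verdict))
        print(f"{verdict:5} {label:28} {reason}")
    return results


if __name__ == "__main__":
    run_samples()
```

Only the first sample is allowed; a plain IP-pair firewall would have passed the first four, since they all come from an approved control station, which is exactly the gap the application-aware layer closes. A real deployment would also handle function code 16 (write multiple registers) and the read functions' address ranges with the same per-register policy; they are left as plain "not permitted" here to keep the decision logic visible.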
A properly designed ICS is surrounded by multiple layers of defense, whereby each layer addresses a different type of attack. When one layer filters some of the attack, the next layer protects its vulnerabilities. The underlying ICS network can only be fully secured when all layers function together. Otherwise, each can be attacked and defeated relatively easily.
Ultimately, network security must be seriously considered at every stage of the design, and not only as an afterthought. Diligent planning can dramatically improve the resilience of the network and reduce the expense of securing it.
Amir Barnea, Head of Critical Infrastructure Line of Business, RAD