By Robert M. Lee, Cyberspace Officer, USAF
In control systems, the communication and work between vendors, asset owners and engineers that take place on a daily basis can be vast, and security may not be the first item on everyone's mind; the mission is to keep the systems running, secure or not. But the very real possibility of cyber warfare has changed that. The question is what must the control systems community do to adapt to the threat of cyber warfare?
Simply stated, the community must get back to the basics of security, take part in creating better regulations, and band together to face the threat as a community instead of as individuals.
With the media attention given to the Stuxnet worm since June 2010, the world has been forced to realize the possibilities and threats of cyber warfare. Cyber warfare took place long before the release of Stuxnet, but its release caused nation-states, corporations and other groups across the world to realize the benefits of using a domain of warfare with limited entry costs and the possibility of non-attribution, which is the ability to operate without positively being connected to an operation. The idea of using cyberspace to inflict physical damage, such as damaging nuclear centrifuges, was an unproven theory to most before Stuxnet. With the theory publicly proven true, most vendors and asset owners realized that control systems are valued and legitimate targets.
As the communities behind cybersecurity, hacking and control systems began to overlap, it became obvious that it was not only the large control systems, but also the smaller ones that were targets. To properly hack into a system one must understand it. Before attacking high-profile targets, it is wise for any hacker—nation-state-backed or not—to compromise smaller control systems, or related systems, for reconnaissance purposes. A hacker can not only understand control systems and network layouts better for future attacks, but may also gain important information, such as firewall and security configurations, trusted network access, operation manuals, design schematics or even password files. All of this information is important to carrying out an effective attack against larger control systems, such as the electrical power grid, water filtration plants, oil refineries and nuclear reactors. This style of reconnaissance is perfectly demonstrated with the Duqu malware.
In October, Duqu was discovered operating on a number of targets including those in Europe, Sudan and Iran. These targets have not been fully identified, but Symantec has stated that the targets include industrial manufacturers. Duqu is primarily an information-gathering platform with strong ties to Stuxnet. The kind of information gathered from Duqu is the type that would be required to create a cyber weapon that would target control systems. The Duqu malware seems to target industrial manufacturers, but this may only represent another vector of attack against control systems that rely on the parts these manufacturers create.
With an understanding that all control systems need to be protected, the focus becomes what smaller control system owners and operators can afford to do in terms of security. A limited number of people understand both control systems and cybersecurity well enough to properly defend the networks, which makes these personnel highly sought after and generally unattainable for many in the control systems community. Because of this and the fact that there is no checklist to supplying complete security, the task of securing networks can seem daunting and nearly impossible. What owners and controllers can do is adopt a security mindset and get back to the basics of cybersecurity.
The basics of cybersecurity begin with evaluating the systems. No one knows the network layout more in depth than the owners and controllers of those networks. Excluding the insider threat, no attacker has this level of knowledge, and this is one of the asset owner's greatest defenses. End users and the companies that employ them must take responsibility for their systems and recognize when hardware and software in their networks are missing or acting in a manner outside of their intended use. Furthermore, if pieces of hardware or software that are unaccounted for are attached to systems, there should be concern. This network accountability is not an easy task, but is much less cumbersome than surviving a network attack where business secrets are stolen or network operations are halted.
After accepting and properly implementing network accountability, security measures must be put into place. An air gap—the complete isolation of your network—is difficult, if not impossible to achieve. However, air gap best practices are a good step towards network security. Asset owners should ensure that their networks are not connected to outbound connections, and that there are methods of physical and electromagnetic security in place. Those in charge of network security must then assume this barrier of defense will be compromised. With this assumption, other steps for security must be taken. A defense-in-depth approach is as unique to each situation as is the network it protects, but some security steps are universal.
On a control system network there should be a demilitarized zone (DMZ) that separates internal parts of the network from other less operationally important sections. Firewalls with properly defined rule sets should limit traffic to only what is necessary to continue operations. Networks should use intrusion detection systems (IDS) or intrusion prevention systems (IPS) to look for malicious network activity. Vulnerability assessments using trusted software and reputable red teams should look for vulnerabilities in the network. Identifying vulnerabilities allows for patching and mediation to occur in areas that hackers would use to compromise a network. User agreements must be established with employees, so that proper use of the network is clearly defined. No number of security steps will prevent a network compromise if users are allowed to use the network improperly by, for example, connecting personal external hard drives to it. Asset owners must also implement access controls to limit who can gain physical or network access to resources.