By Robert M. Lee, Cyberspace Officer, USAF
In control systems, the daily communication and work between vendors, asset owners and engineers can be vast, and security may not be the first item on everyone's mind; the mission is to keep the systems running, secure or not. But the very real possibility of cyber warfare has changed that. The question is: what must the control systems community do to adapt to the threat of cyber warfare?
Simply stated, the community must get back to the basics of security, take part in creating better regulations, and band together to face the threat as a community instead of as individuals.
With the media attention given to the Stuxnet worm since June 2010, the world has been forced to realize the possibilities and threats of cyber warfare. Cyber warfare took place long before the release of Stuxnet, but its release caused nation-states, corporations and other groups across the world to realize the benefits of using a domain of warfare with limited entry costs and the possibility of non-attribution, which is the ability to operate without positively being connected to an operation. The idea of using cyberspace to inflict physical damage, such as damaging nuclear centrifuges, was an unproven theory to most before Stuxnet. With the theory publicly proven true, most vendors and asset owners realized that control systems are valued and legitimate targets.
As the cybersecurity, hacking and control systems communities began to overlap, it became obvious that not only the large control systems but also the smaller ones were targets. To properly hack into a system one must understand it. Before attacking high-profile targets, it is wise for any hacker, nation-state-backed or not, to compromise smaller control systems, or related systems, for reconnaissance. From these the hacker not only learns how control systems and network layouts are built, for use in future attacks, but may also gain information such as firewall and security configurations, trusted network access, operation manuals, design schematics or even password files. All of this information is important to carrying out an effective attack against larger control systems, such as the electrical power grid, water filtration plants, oil refineries and nuclear reactors. This style of reconnaissance is demonstrated by the Duqu malware.
In October 2011, Duqu was discovered operating on a number of targets, including some in Europe, Sudan and Iran. These targets have not been fully identified, but Symantec has stated that they include industrial manufacturers. Duqu is primarily an information-gathering platform with strong ties to Stuxnet, and the kind of information it gathers is the type that would be required to build a cyber weapon targeting control systems. Duqu seems to target industrial manufacturers, but this may only represent another vector of attack against the control systems that rely on the parts these manufacturers create.
With an understanding that all control systems need to be protected, the focus becomes what smaller control system owners and operators can afford to do in terms of security. A limited number of people understand both control systems and cybersecurity well enough to properly defend these networks, which makes such personnel highly sought after and generally unattainable for many in the control systems community. Because of this, and because there is no checklist that supplies complete security, the task of securing networks can seem daunting and nearly impossible. What owners and operators can do is adopt a security mindset and get back to the basics of cybersecurity.
The basics of cybersecurity begin with evaluating the systems. No one knows the network layout in more depth than the owners and operators of those networks. Excluding the insider threat, no attacker has this level of knowledge, and this is one of the asset owner's greatest defenses. End users and the companies that employ them must take responsibility for their systems and recognize when hardware and software in their networks are missing or acting outside their intended use. Likewise, any piece of hardware or software attached to the systems that is not accounted for in the inventory should be cause for concern. This network accountability is not an easy task, but it is much less cumbersome than surviving a network attack in which business secrets are stolen or operations are halted.
After accepting and properly implementing network accountability, security measures must be put into place. An air gap, the complete isolation of a network, is difficult, if not impossible, to achieve. However, air gap best practices are a good step towards network security: asset owners should ensure that their control networks have no outbound connections to other networks, and that physical and electromagnetic security measures are in place. Those in charge of network security must then assume this barrier of defense will be compromised, and with this assumption other security steps must be taken. A defense-in-depth approach is as unique to each situation as the network it protects, but some security steps are universal.
On a control system network there should be a demilitarized zone (DMZ) separating the internal, operationally critical parts of the network from less important sections. Firewalls with properly defined rule sets should limit traffic to only what is necessary to continue operations. Networks should use intrusion detection systems (IDS) or intrusion prevention systems (IPS) to look for malicious network activity. Vulnerability assessments using trusted software and reputable red teams should look for weaknesses in the network; identifying vulnerabilities allows patching and remediation to occur in the areas hackers would use to compromise it. User agreements must be established with employees so that proper use of the network is clearly defined: no number of security measures will prevent a compromise if users are allowed to use the network improperly by, for example, connecting personal external hard drives to it. Asset owners must also implement access controls that limit who can gain physical or network access to resources.
One of the most important parts of network security is detection. As Capt. Jeremy Sparks, an instructor at the Air Force's Undergraduate Cyberspace Training school, teaches the Air Force's future network defenders: prevention is key, but detection is a must. Detection not only limits the damage and duration of an attack, it can also deter an attacker altogether, because detection is the first step towards attribution. One of the most appealing aspects of cyber warfare is limited attribution; without it, the motivation of nation-states and hackers to conduct operations in cyberspace decreases greatly.
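The network accountability check and the egress restriction and firewall allow-list described in the paragraphs above, as an added example that is not from the article or its author: a short Python audit that runs both checks over constructed flow records. The zone addresses, the asset baseline (IP, MAC, role), the single permitted historian port in the DMZ and the record format are all assumptions made for the example; a real deployment would feed it flow or firewall logs from the control network.

```python
"""Added example (not from the article): accountability and zone-boundary
checks over constructed control-network flow records.

Check 1 (accountability): every source host seen on the control network must be
in the owner's asset baseline, with the MAC address the baseline recorded.
Check 2 (segmentation): any flow crossing the control-zone boundary must match
an allow-list; outbound, only the DMZ historian replica on one port is
permitted, and nothing may initiate a connection into the zone.
Addresses, ports, MACs and the log format are assumptions for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed zone layout (private ranges chosen for the example).
ZONES = {
    "control": ip_network("10.10.0.0/24"),
    "dmz": ip_network("10.20.0.0/24"),
    "corporate": ip_network("10.30.0.0/24"),
}
CONTROL = ZONES["control"]

# Asset baseline the owner maintains for the control network (assumed): IP -> (MAC, role).
BASELINE = {
    "10.10.0.5": ("00:1b:1b:aa:01:05", "PLC-1"),
    "10.10.0.6": ("00:1b:1b:aa:01:06", "PLC-2"),
    "10.10.0.10": ("00:0c:29:12:34:56", "HMI-1"),
    "10.10.0.20": ("00:0c:29:65:43:21", "engineering-workstation"),
}

# Flows allowed to cross the control-zone boundary, as (peer network, proto, dst port).
ALLOWED_EGRESS = [(ip_network("10.20.0.15/32"), "tcp", 1433)]  # historian replica in the DMZ (assumed)
ALLOWED_INGRESS: list = []  # nothing initiates connections into the control zone


@dataclass(frozen=True)
class Flow:
    src: str
    src_mac: str
    dst: str
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed record of the form 'src src_mac dst proto dport'."""
    src, src_mac, dst, proto, dport = line.split()
    return Flow(src, src_mac.lower(), dst, proto.lower(), int(dport))


def zone_of(addr: str) -> str:
    """Name the zone an address belongs to; anything unlisted is 'outside'."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "outside"


def check_flow(flow: Flow) -> list[str]:
    """Return findings for one flow; an empty list means nothing to report."""
    findings = []
    src, dst = ip_address(flow.src), ip_address(flow.dst)

    # Check 1: accountability. An unknown source, or a known IP with a different
    # MAC, is how an unaccounted-for device on the control network shows up.
    if src in CONTROL:
        expected = BASELINE.get(flow.src)
        if expected is None:
            findings.append(f"unknown host {flow.src} ({flow.src_mac}) on control network")
        elif expected[0] != flow.src_mac:
            findings.append(f"{flow.src} ({expected[1]}) seen with MAC {flow.src_mac}, baseline has {expected[0]}")

    # Check 2: segmentation. Only flows that cross the control-zone boundary are
    # judged here; traffic staying inside the zone is left to the operators.
    if (src in CONTROL) != (dst in CONTROL):
        outbound = src in CONTROL
        allow = ALLOWED_EGRESS if outbound else ALLOWED_INGRESS
        peer = dst if outbound else src
        permitted = any(peer in net and flow.proto == proto and flow.dport == port
                        for net, proto, port in allow)
        if not permitted:
            direction = "egress" if outbound else "ingress"
            findings.append(f"{direction} {flow.src} ({zone_of(flow.src)}) -> "
                            f"{flow.dst}:{flow.dport}/{flow.proto} ({zone_of(flow.dst)}) not allow-listed")
    return findings


def audit(lines) -> list[tuple[Flow, list[str]]]:
    """Run both checks over flow records, returning only the flows with findings."""
    report = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        findings = check_flow(flow)
        if findings:
            report.append((flow, findings))
    return report


# Constructed sample records (not real traffic). 203.0.113.0/24 is a documentation range.
SAMPLE_FLOWS = """
# src         src_mac            dst            proto dport
10.10.0.10  00:0c:29:12:34:56  10.10.0.5      tcp   502
10.10.0.20  00:0c:29:65:43:21  10.20.0.15     tcp   1433
10.10.0.20  00:0c:29:65:43:21  10.30.0.40     tcp   445
10.10.0.6   00:50:56:de:ad:01  10.10.0.10     tcp   502
10.10.0.77  00:50:56:be:ef:77  203.0.113.50   tcp   443
10.30.0.40  00:11:22:33:44:55  10.10.0.20     tcp   3389
"""

if __name__ == "__main__":
    for flow, findings in audit(SAMPLE_FLOWS.splitlines()):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}")
        for finding in findings:
            print("   ", finding)
```

The first two sample records (HMI polling a PLC inside the zone, and the engineering workstation replicating to the historian) produce nothing; the rest show the four situations the article warns about: a control host reaching into the corporate network, a known address answering with an unfamiliar MAC, an unlisted host talking straight to the Internet, and a corporate host initiating a connection into the zone.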
All of what is mentioned above is a broad look at network security for control systems; it is not an all-inclusive list. The security mindset must be used to think about each level of the network and what would be available to prevent or mitigate a compromise there. It is an ongoing process that must be given proper attention and resources even when both are limited.
Control system and software vendors must take responsibility as well and provide software and hardware built with a focus on security instead of just availability. Better code and hardware testing, as well as longer patch support periods, are all a great start. Asset owners must participate in this process too and work with vendors to identify issues. Both vendors and asset owners must then work with government and regulatory committees to identify the regulations and standards that must be enforced; the minimum standard is not something that can foster true security, especially for systems that affect national security. This is not, however, an issue of pointing blame at any party involved. Instead, it is an issue of getting the community to come together and bring different experiences to bear in finding solutions.
This community is where the battle over control systems will be won. Both the cyber community and the control systems community have very talented and passionate individuals working together to bring about positive change. The best advice for those involved in control systems is not a particular set of varying and ever-evolving security practices. Instead, the single greatest piece of advice is to reach out to the community and share information, practices and lessons learned. There is a real fight going on in cyberspace involving control systems, but it is not a fight one has to wage alone. With a security mindset, networking and a touch of optimism, the community as a whole can enable itself to truly secure control systems.
Author's note: I want to thank the individuals I spoke with at the 11th ACS Control System Cyber Security Conference. The information and inspiration gained from the community involved was invaluable. I would also like to thank the Air Force's Undergraduate Cyberspace Training school at Keesler AFB, Mississippi, especially my mentors, Jeremy Sparks and Paul Brandau, for their continued work and acceptance that cyber security is not solely a military issue, but one that affects us all.