Ten years ago, “Operational Technology” (OT) vendors had only just started to embrace Ethernet and TCP/IP as enterprise-wide and global networking technology. The devices were generally designed “assuming” they would sit on isolated “Supervisory Control and Data Acquisition” (SCADA) network segments and that “something else” would take care of any security issues. In some cases, there was no security at all: if you had the right configuration software, you could configure the OT device to do as you pleased. This was accepted as “sort of” okay while these devices were connected to isolated networks. The network boundary was probably a single secured building, possibly located on a secured property. Physical and network isolation did a “good enough” job of protecting the asset from malicious interference.

Engineers and managers, who were becoming more and more accountable for business stability and risk, then started wanting visibility from head office of what was happening down on the “plant floor” or “out in the field”. A typical response from IT would have been, “yeah, no problem, we can connect the SCADA network to the corporate network via our firewall, and that way the SCADA network and the devices in it can still be hidden/protected from the wider corporate network and definitely hidden from the internet”. The fundamental principle remained: nothing OT was directly connected to the internet; it was buried behind several layers of firewall or was still completely disconnected.

The Great Wall of China illustrates how important network boundaries are to cyber security.

What does your “average” SCADA network look like today?

The average SCADA network is something that has just “evolved” over the last decade, usually as a “knee-jerk” reaction to a change in OT requirements, and the quick “band-aid” solutions are still in place years later. Little, if any, thought has been given to providing security for OT. It has all been about connectivity, sometimes in extremely adverse conditions. The much-touted “Internet of Things” (IoT) has driven a paradigm shift in how the individual components of a SCADA system are connected. These days a client expects to be able to place assets anywhere in the world that has internet connectivity and easily connect those assets to their SCADA network somewhere else in the world. For this to occur, anybody, anywhere, with access to the “internet” has the ability to attempt to access your “field” assets and possibly, in some way, your control system. Thus there exists a possibility (however remote) of someone doing damage to your system.

How bad is this?

Is the average industrial automation device secure? Have these OT devices caught up with, or kept pace with, IT software systems in terms of security? Do they have inbuilt security? Do they at least have a “password”? To be blunt: no, not really. There are current-generation OT devices that are built from the ground up with best-of-breed IT security features, but these devices come at a price premium. This may be okay for a brand-new rollout, but what about our legacy systems? It is impractical to take a purist perspective on getting with the times, right?

What can be done?

So how do you go about improving SCADA security for systems with legacy products, and doing it with a level of protection commensurate with the level of risk if something goes wrong? The first and most vital step is to understand the level of exposure in terms of currently deployed technologies. This must be considered against the backdrop of the current attack strategies of hackers, including terrorists, and of what new-generation devices offer in terms of mitigation against these strategies.

Unified Threat Management (UTM) firewalls

UTM firewalls are a “whole of network” protection product, extending their capabilities beyond that of just being a “firewall” blocking or allowing traffic based on static rules. These solutions not only monitor what is passing through them, they also monitor internal traffic for malicious activity. Using a combination of subscription-based “intrusion signatures”, which are regularly updated by the security vendor, and/or a “learning mode”, which creates a baseline of what is a “usual day at the office”, the UTM firewall can alert when it detects abnormal behaviour. This “Intrusion Detection System” (IDS) can be extended to become an “Intrusion Prevention System” (IPS), where the firewall automatically blocks the malicious activity from passing through it and can incorporate/manage Endpoint Protection (EP) software agents. Several vendors have firewall products that are similar in network port density to a switch. By replacing your existing switch technology and linking all devices directly to the firewall, you gain the ability to almost instantly quarantine any device that is showing malicious behaviour. This is an extremely brief explanation, and there are as many variations on IPS, IDS and EP as there are vendors supplying them.

However, IPS can be a dangerous thing in SCADA. OT is all about availability, and you can’t have some “trigger-happy” firewall device blocking communications at the first sign of an issue. It needs to be set up and monitored by someone who knows what SHOULD be happening in the network. Is that you? Does anybody even know what SHOULD be happening on your OT network?
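The learning-mode baseline and the IDS-versus-IPS distinction described above, as an added example that is not part of the original article: the hosts, ports and flows are constructed, and the “learning” is a plain set of observed flows rather than any vendor’s algorithm. It also shows the availability caveat: an unlearned but legitimate engineering session is dropped in IPS mode until someone who knows what SHOULD be happening adds it to the baseline.

```python
# Added example (not from the original article). A flow is
# (src_ip, dst_ip, dst_port, proto); every host and port below is hypothetical.

# Learning period on a small OT segment: the HMI polls two PLCs over
# Modbus/TCP and both PLCs sync time from the historian.
LEARNING_PERIOD = [
    ("10.10.1.10", "10.10.1.21", 502, "tcp"),   # HMI -> PLC1 Modbus
    ("10.10.1.10", "10.10.1.22", 502, "tcp"),   # HMI -> PLC2 Modbus
    ("10.10.1.21", "10.10.1.5", 123, "udp"),    # PLC1 -> historian NTP
    ("10.10.1.22", "10.10.1.5", 123, "udp"),    # PLC2 -> historian NTP
    ("10.10.1.10", "10.10.1.21", 502, "tcp"),   # repeated poll, same flow
]

# Later traffic: a usual poll, a corporate host touching Modbus and
# EtherNet/IP ports, and an engineer's programming session never seen
# during learning.
OBSERVED = [
    ("10.10.1.10", "10.10.1.21", 502, "tcp"),
    ("192.168.50.7", "10.10.1.21", 502, "tcp"),     # unexpected source
    ("192.168.50.7", "10.10.1.22", 44818, "tcp"),   # unexpected port
    ("10.10.1.50", "10.10.1.22", 502, "tcp"),       # legitimate but unlearned
]

def learn_baseline(flows):
    """Learning mode: each distinct flow seen in a known-good period is 'normal'."""
    return set(flows)

def enforce(flows, baseline, mode="ids"):
    """mode='ids' alerts only; mode='ips' also drops anything outside the baseline.
    Returns (passed, alerts, blocked) as lists of flows."""
    if mode not in ("ids", "ips"):
        raise ValueError("mode must be 'ids' or 'ips'")
    passed, alerts, blocked = [], [], []
    for flow in flows:
        if flow in baseline:
            passed.append(flow)
            continue
        alerts.append(flow)          # both modes raise an alert
        if mode == "ips":
            blocked.append(flow)     # IPS drops the flow...
        else:
            passed.append(flow)      # ...IDS lets it through
    return passed, alerts, blocked

if __name__ == "__main__":
    base = learn_baseline(LEARNING_PERIOD)
    _, alerts, blocked = enforce(OBSERVED, base, mode="ips")
    print("alerts:", len(alerts), "blocked:", len(blocked))   # 3 and 3
    # The engineer's session was dropped too. Whoever knows what SHOULD be
    # happening whitelists it before IPS mode goes live:
    maintenance = {("10.10.1.50", "10.10.1.22", 502, "tcp")}
    _, alerts, blocked = enforce(OBSERVED, base | maintenance, mode="ips")
    print("alerts:", len(alerts), "blocked:", len(blocked))   # 2 and 2
```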

Benefits and things to consider when looking at UTM Firewalls

  • Ease of deployment, configuration, and management. A UTM is meant to make security simple, but will you be able to use it effectively with the skillset of the staff you have available to you? A simple integrated web interface can make advanced security features accessible to relatively unskilled staff.
  • For larger companies, look for a management system that enables you to push out configuration changes to separate devices in branch offices.
  • Ease and speed of adding additional services. If the original hardware has been sized appropriately, any additional security features that you may come to need can be unlocked by paying an additional licence fee.
  • Resources of the vendor. How good are the security research labs of the vendor concerned, and will it be able to add new security features to its products as they become available elsewhere in the market as point products? If not, the UTM may fail to meet your security needs much sooner than you would like.
  • The ability to deal with remote offices and mobile workers. Unless you plan on deploying UTMs at a number of locations, you’ll need to link your branch offices to your UTM. Mobile workers will also have to connect to it via a VPN. It’s therefore important to choose an appliance that can manage sufficient incoming connections, and offers a variety of VPN connections – possibly including support for iOS and Android tablet devices if employees use them.
  • Will a given UTM provide sufficient functionality and reporting to enable your organization to pass a compliance audit?

A well-designed UTM solution can help you stay on top of your network’s security, even if its boundary now geographically spans the globe.