Applying Security Defense-In-Depth

One of the most important realizations cyber security engineers made in their early work is that security efforts are ineffective in isolation. It was this vital realization that gave birth to the concept of defense-in-depth, which is a technique of defending systems against any particular attack vector using multiple and varying methods.

By Matt Luallen and Steve Hamburg, Encari December 1, 2009

LINKS

Industrial cybersecurity blog www.controleng.com/blogs

For more information, visit:

www.archer.com

www.cisecurity.org

www.coretrace.com

www.encari.com

www.inl.gov

www.lumension.com

www.nist.gov

www.nitrosecurity.com

www.sandia.gov

www.symantec.com

www.tenablesecurity.com

www.tripplite.com

www.toplayer.com

www.us-cert.gov/control_systems

www.waterfalltech.net

Read more on cyber security at www.controleng.com/archive :

Cyber security hits home, Jan. 2009

10 control system security threats, Apr. 2007

One of the most important realizations cyber security engineers made in their early work is that security efforts are ineffective in isolation. It was this vital realization that gave birth to the concept of defense-in-depth, which is a technique of defending systems against any particular attack vector using multiple and varying methods. Documented historically by Sun Tzu and re-conceived by the National Security Agency, this layering strategy aims at providing a comprehensive approach to information and electronic security.

This strategy strongly applies to the industrial control systems arena. While many industrial control systems are becoming commercially available with various integrated cyber security controls, the reality is these systems are still susceptible to many types of threats. Consequently, they should not be deployed in isolation, at least from a cyber security perspective. The question that system owners and implementers raise is, “How do we maximize the assurance that our industrial control systems will be sufficiently resilient against cyber attacks once deployed?” The answer is defense-in-depth.

The primary objective of this discussion is to highlight defense-in-depth techniques for control system security with an overview of cyber security software products and solutions, along with cyber security best practices. Two publications from the National Institute of Standards and Technology (NIST) provide an excellent overview of the topic: “Recommended Security Controls for Federal Information Systems—Special Publication 800-53” and “Guide to Industrial Control Systems Security—Special Publication 800-82” can be applied to industrial control systems currently commercially available.

Given the extent to which defense-in-depth applies to industrial control systems, this will be the first in a series of articles addressing this topic. Defense-in-depth is also an ongoing discussion topic at the Industrial Cyber Security blog located at the Control Engineering website.

Using specialists

Before proceeding further, consider a simple health-care analogy. You may go to your primary care physician, but what happens after he or she diagnoses your medial issue? If it is not something the primary care physician is comfortable treating, you’ll be referred to a specialist. After all, if you have a brain tumor, you would probably not want your primary care physician to perform such delicate surgery, let alone a physician who specializes in gastrointestinal medicine. The same idea of seeking out appropriate specialists applies as you begin looking for cyber security software solutions to harden your industrial control systems.

For example, you may be considering procuring a proven and well-known security information and event management (SIEM) software solution. You discover that the product has a new integrated module bundled with it that promises to streamline user-access provisioning. Do you really want to use this new and potentially unproven module to address this specific aspect of your identity and access management operations? Or should you lean toward another software product that has been specializing in these functions for several years? It is definitely the latter that you should pursue, regardless of how inexpensive the new module may be. Asset owners will face this kind of decision more often as industrial control system vendors move to secure their solutions.

Using the chart

The chart presents a summary view of current threats and solutions:

Common cyber components of industrial control systems;

Prevalent cyber security threats facing the cyber components of industrial control systems;

Cyber security software products (i.e., technical cyber security controls). The examples named, from our experience, have proven capable of mitigating these threats but there are probably others that can also do the job; and

Proven cyber security best practices (i.e., people and process cyber security controls) that can mitigate the corresponding threats.

If you study the table, you should conclude that cyber security threats facing industrial control system cyber assets may be effectively mitigated through establishing and executing a sound defense-in-depth strategy including both technical and procedural controls. Future articles in this series running in 2010 will elaborate upon these controls and address other topics related to industrial control systems security, including:

Providing an overview of the pros and cons of typical IT solutions leveraged within a control network;

Presenting “Procurement Language for Control Systems” concepts and providing security software guidance;

Explaining the diverse skill sets required to effectively secure industrial control systems; and

Considerations to apply and steps to employ in order to maximize assurance that appropriate and sufficient security controls are endorsed and supported by your control system vendor.

We look forward to seeing your comments at our blog.

Industrial control system cyber asset
Primary cyber security threats
Recommended cyber security software products (technical cyber security controls)
Recommended cyber security best practices (people and process cyber security controls)

Field hardware (RTUs, PLCs, other IEDs)
• Default, insecure settings • Unmanageable
• External vulnerability scanning assessment tools (Tenable Nessus) but use with caution • Interactive configuration analysis using ICS vendor-defined templates
• Update with only authenticated firmware • Protect sensitive configuration information • Design enclaves with the appropriate collaborations among physical security, cyber security, operations, and engineering to ensure reliability

Human machine interface (HMI)
• Lack of accurate visibility of system state • Lack of authentic control
• Application whitelisting solutions (CoreTrace Bouncer) • Restrictive man-in-the-middle configurations (see Encari’s whitepaper “Protecting a Smarter Grid”)
• Operators must have integrated understanding of physical, cyber and operational awareness data

Field technician/engineering workstations
• Highly mobile/transient laptop connecting to many cyber assets and networks of varied trust levels • Physical loss of sensitive information
• Full disk encryption (Pointsec) • Application whitelisting (CoreTrace Bouncer) to limit rogue applications • Local host firewall and security controls (Symantec)
• Understand incident response plan in the event of a lost system • Security awareness to impart best practices regarding laptop management

Remote vendor support computer
• Untrusted system and/or network allowed access to control networks and systems
• Build jumphosts (using Hypervisor and VMWare ESX server) • Apply serial connectivity access restrictions (using Tripp Lite products)
• Establish service level agreements with screened consultants

Industrial communications network
• Default, insecure settings • Unmanageable • Interconnected to many varied trust level networks
• Example: Migrate to managed Cisco ICS hardware • Use hardening guides available from www.CISecurity.org • Fully discover and document wired and wireless cyber assets and their connectivity using manual processes or passive detectors (Sandia National Laboratory’s Antfarm and Software Defined Radios (SDR)) • Define appropriate architectural isolation capabilities for incremental incident response
• Collaborate with the vendor to migrate to standard manageable IT communications platforms and capabilities • Define incremental monitoring, alerting and response escalation procedures based upon threat indicators

DCS/SCADA front-end processor (data acquisition/control server)
• Common operating systems with typical IT vulnerabilities • Unauthenticated WAN/LAN communications with cyber assets of varied trust levels
• Define one-way communication flow for mutual distrust (Waterfall Technologies) • Application whitelisting (CoreTrace Bouncer) to limit rogue applications • Multipath redundancy for field communications
• Duplicate systems based upon the trustworthiness of the application and controlled environment (Electrical distribution versus transmission)

Historian/database
• Manipulation of stored information to impact future forecasting or real time processing (dependent upon implementation) • Backchannel communication flow to source of information (front-end application)
• Monitor database modifications for fraudulent activity (NitroSecurity dbm) • Application whitelisting (CoreTrace Bouncer) to limit rogue applications • Define one-way communication flow for mutual distrust (Waterfall Technologies)
• Influence vendors to incorporate the same database software that is used by your personnel (e.g. corporate database servers)

All
• Undocumented changes to or addition of cyber assets or communication channels • Multi-homed devices spanning the control and corporate networks • Undocumented cyber asset circuit board communications • Workforce attrition and insider threats
• Integrate restrictive communications and data flows (enclaves) • Password escrow (eDMZ Security Password Management) • Develop a patch and baseline management solution (Lumension/KBox) • Establish a compliance and documentation repository (Archer Technologies) • Maintain continued industry threat and vulnerability awareness (Critical Intelligence) • Develop attack tree methodologies to perform risk analyses (Amenaza SecurItree)
• Utilize the DHS CSSP procurement language to integrate appropriate controls • Develop appropriate workflows and communications to support sustainable change management processes • Review engineered specifications for cyber assets • Executive, engineering, physical security and cyber security collaboration

 

Author Information

Consultants Matt Luallen and Steve Hamburg are cofounders of Encari and writers of the Industrial Cyber Security blog for Control Engineering.