Defending ICS and SCADA Systems from Cyber Attacks
As Operational Technologies (OT) for the Industrial Internet of Things (IIoT) proliferate and converge with enterprise IT systems, CSOs and CIOs need to assess the risks with their growing attack surface. Top of the list should be looking at the potential threats and attacks emanating from the network, given the convergence of OT and IT networks. Further, for legacy ICS and SCADA systems there is a clear and immediate need to provide an additional layer of security to ensure latent vulnerabilities cannot be exploited.
The recent US-CERT alert, APT Activity Targeting Energy and Other Critical Infrastructure Sectors, warns against this very problem and emphasizes that threat actors are deliberately choosing the organizations they target, rather than pursuing them as targets of opportunity. The advanced persistent threats (APTs) are currently targeting government entities and organizations in the energy, nuclear, water, aviation, and critical manufacturing sectors. The attacks are multi-stage intrusion campaigns targeting low security and small networks such as OT systems to gain access and then moving laterally to key IT systems such as mail and file servers.
In this joint technical alert from the DHS and FBI, the cyber kill chain model is used to analyze, discuss, and dissect the malicious cyber activity. The phases of the model include reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on the objective. BlackRidge addresses key aspects of the kill chain, from stopping the initial scanning and reconnaissance at the earliest possible time, to preventing unauthorized access to systems in the later stages. BlackRidge Transport Access Control (TAC) authenticates requests to establish TCP sessions before allowing their establishment, stopping the kill chain for both known and unknown attacks.
The following paragraphs describe some common attack types and how BlackRidge blocks or defends against these classes of attack.
Management and Control Plane Attacks
Management networks and control planes are used to provision, manage and monitor networks and security systems and their component devices such as routers and firewalls. Management networks also perform critical functions for SCADA and ICS systems. These management networks are exposed to the same advanced threats and attacks as business systems. With the convergence of OT and IT this should now be a foundational requirement to protect management and control planes. BlackRidge Transport Access Control (TAC) can be used to authenticate and authorize access to these control networks and systems while stopping port scanning and network reconnaissance, effectively cloaking them. Additionally, both authorized access and unauthorized attempts and their associated identity if present, are logged to SIEM or analytics systems. This enables capabilities for situational aware networks where autonomic remediation, artificial intelligence (AI) and analytics can all be combined to offer complete defense.
Network Scanning and Enumeration
BlackRidge protects against network enumeration, network reconnaissance and port scanning by using non-interactive authentication and responding only when a presented identity is authenticated and authorized. This capability is referred to as zero trust networks and ensures that unless authentication occurs on the first packet no other interaction occurs. BlackRidge specifically protects against SYN scans and can also redirect unidentified or unauthorized traffic to alternate network or resources such as a honey net. Since network scanning and reconnaissance is often part of a security regime, BlackRidge can allow it from an authenticated, authorized identity while blocking scans from unidentified or unauthorized users and devices. In addition, the low overhead sensor capability allows telemetry for audit and control systems.
Zero Day and DDoS attacks
BlackRidge protects resources from zero day and DDoS attacks from unidentified and unauthorized identities while continuing to allow access from authorized identities. BlackRidge products are designed to operate at line rate even when under continuous DDoS and brute force attacks. BlackRidge protects directly against specific exhaustion attacks such as SYN and RST flooding, and also against brute force application layer attacks by unidentified or unauthorized users. For zero-day attacks, the simple notion is that resources protected behind the network are no longer exposed. This allows for legacy systems that may have software or microcode problems to be protected giving full security while internally teams can be working to apply upgrades or resolve issues.
Lateral Movement and Malware Attacks
BlackRidge protects against the lateral movement of malware by segmenting network topologies into enclaves requiring authorized identity to enter or leave. The enclave boundaries can be arbitrary with respect to the network infrastructure, enabling users on a shared VLAN or subnet different authorities based on their identity. Network segmentation is one of the most common deployments for BlackRidge and creates a logical separation from the underlying physical network and simplifies the administration and security control. Similarly, BlackRidge protects users from phishing attacks when all network resources are protected by TAC. In addition to First Packet Authentication, BlackRidge TAC provides mutual authentication, which provides authentication of the protected resource to the requestor, protecting them from attacks. Mutual authentication is not available for unprotected resources, leaving them vulnerable to malware attacks.
Boundary Controls for Data Protection
Boundary controls are particularly relevant to upcoming requirements for GDPR and the NIST Cyber Security Framework. Data is usually ex-filtrated from systems via the network. This is a serious problem that can be resolved through autonomic event and remediation controls to ensure any network flow that is unauthorized would be either terminated or redirected for further investigation. To achieve this, BlackRidge provides an API for trust levels to be adjusted dynamically for identities based on unauthorized behaviors, as described in this IEEE paper on Autonomic Security. Adjusting BlackRidge trust levels can also be driven by AIsystems to provide near real-time, per flow security controls for autonomic remediation.
In summary, BlackRidge TAC protects SCADA and ICS systems against most threats and attacks using strong, authenticated identity and attribution. There is currently no other mechanism for blocking adversary scanning and reconnaissance without also blocking legitimate users. BlackRidge products are interoperable with network and security equipment from multiple vendors, and can span multiple simultaneous administrative domains, providing an ideal cyber defense solution for converged OT and IT networks. Contact us to continue the conversation on how to successfully execute the cyber defense of your ICS and SCADA systems.
The article was written by Robert Hubbard, Director OEM Development at BlackRidge Technology. Rob joined BlackRidge Technology in 2017 to drive network security partnerships and solutions. He was previously with CarbonHelix where he drove their SIEM as a service business with IBM. Rob is a networking and security industry veteran with experience building products, solutions and alliances for Cisco and Juniper Networks. Robert offers a broad and realistic industry perspective for customers, is a patent holder and has filed multiple patents for technology related to Security and Networking. The article can also be accessed on BlackRidge Technology’s blog.