Shining a Light on Industrial Control Networks with Purpose Built Intrusion Detection Systems

Tuesday, September 16, 2014

Nate Kube


With their reliance on open networking technologies and increased connectivity, industrial control systems (ICS) are at a great risk for cyber attacks against their hardware and software components. Announcements of newly discovered cyber weaknesses in ICS are now commonplace. Public and private sectors across the ICS landscape are greatly concerned about the exploitation of these vulnerabilities and are working collectively to develop defensible postures through regulation, supply chain standards and guidelines for implementation and operation.

ICS connectivity and publicized vulnerabilities are on the rise. For example:

· The number of industrial products with Ethernet connectivity grew 350% (30% CAGR) between 2007 and 2012, with 4.5 million connected products in 2012. (Source: VDC Research).

· The number of ICS vulnerability disclosures grew 600% between 2010 and 2012. (Sources: NSS Labs, DHS).

· The cyber attack surface is immense. There are 45 million connected SCADA devices and millions of connected Smart Grid devices installed worldwide. (Source: Mocana)

Similarly, cyber attacks are on the rise:

· In the six-month period ending June 2012, nation-state cyber attackers targeted 23 US pipeline companies. One company had remote access to 60% of pipelines in North America. The attackers stole password lists and control system credentials. (Report “Active Cyber Campaigns Against the US Energy Sector” DHS, ICS-CERT)

· In August 2012, hacktivists using the Shamoon virus attacked Saudi Aramco in an effort to halt production. The main IT network (~30,000 workstations) and corporate website were shut down for more than a week (some services were down for even longer). Saudi Aramco stated that the cyber attack was aimed at production, though it failed to disrupt it.

· Researchers using internet-facing honeypots mimicking ICS systems recorded 74 intentional attacks in five months. Eleven of the attacks modified the control system. (Trend Micro).

Of particular interest is the growing involvement of hacktivists and nation states in infrastructure cyber attacks. Hacktivists such as Anonymous, through their #OpPetrol campaign, have selectively targeted ICS assets for attack to protest perceived social and political injustice. Covert nation state-sponsored cyber attacks against critical infrastructure are also occurring. These include the suspected Bush administration’s Operation Olympic Games, which targeted Iran’s Natanz nuclear facility, and the sweeping infrastructure attacks in Georgia prior to the Russian invasion, both of which remain formally unacknowledged.

The combination of increased ICS connectivity and the ongoing rise in vulnerability disclosures indicates that cyber security incidents will become more frequent and complex over the coming years. The main question for those analyzing the risk of an ICS security incident is no longer if such an incident will occur, but when. And when it does occur, how will they ensure that they address the full range of people, process and technology in order to minimize the impact and cost of the breach?

For years, one of the most effective ways enterprise IT departments have addressed the problem is by leveraging Intrusion Detection Systems (IDS) security.  Operational Technology (OT) groups can now take advantage of similar protections against cyber attacks that can bring down the industrial network, compromise data, or reveal sensitive intellectual property.  While the Department of Homeland Security ICS-CERT has long advocated using IDS as a key preventative measure, the key to a successful implementation is using an IDS that has been designed and built to meet the key security, technical, and business requirements of industrial networks.  For simplicity, efficiency, and security efficacy, IDS should be a key component of an industrial next gen firewall solution.

The right solution must include an industrial-focused IDS (vs. an enterprise IDS) because industrial attacks can easily bypass enterprise IDS.  For example, attackers can:

Use smaller messages to bypass traditional IDS – Many attacks evade enterprise IDS when they are broken into segments that the IDS cannot reassemble properly, because the IDS does not understand the industrial protocol. For example, consider this scenario:

(1) Allow “aaabbbccc”

(2) Allow “dddeeefff”

(3) Deny “bbbcccddd”

Without understanding industrial protocols, the sensor may see a message segment that reads “bbbcc.” Although the segment's content is clear, the IDS does not know whether it is the second portion of the first “Allow” message or the first portion of the “Deny” message. Without the ability to understand the significance or potential impact of a message, tuning an IDS to block an attack is virtually impossible without an exorbitant number of false positives.
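As an added illustration (not code from the original article), the following Python simulates the scenario above: a per-segment matcher with no protocol knowledge beside one that reassembles length-prefixed frames before applying the allow/deny policy. The one-byte length prefix is a constructed stand-in for a real ICS protocol's framing; the allow/deny strings are the ones used in the text.

```python
# Added example, not from the original article. Framing is a constructed
# <length byte><body> scheme standing in for a length-prefixed ICS protocol;
# the allow/deny strings are the ones used in the text.
ALLOW = {b"aaabbbccc", b"dddeeefff"}
DENY = {b"bbbcccddd"}


def frame(body: bytes) -> bytes:
    """Encode one message as a length byte followed by the body."""
    return bytes([len(body)]) + body


def naive_inspect(segments):
    """Per-segment matching with no protocol knowledge: a DENY pattern is
    noticed only if it lands whole inside a single TCP segment."""
    return [seg for seg in segments if any(d in seg for d in DENY)]


def reassemble(segments):
    """Buffer the segments and cut out complete frames by their length prefix.
    Returns (messages, leftover); a partial frame is held, never judged."""
    buf = b"".join(segments)
    messages = []
    while buf and len(buf) >= 1 + buf[0]:
        n = buf[0]
        messages.append(buf[1:1 + n])
        buf = buf[1 + n:]
    return messages, buf


def protocol_aware_inspect(segments):
    """Default-deny policy applied only to fully reassembled messages."""
    messages, _ = reassemble(segments)
    return [m for m in messages if m in DENY or m not in ALLOW]


# Constructed traffic: allowed, denied, allowed, cut into TCP segments so the
# denied body never appears whole in one segment (the IDS sees "bbb" alone).
STREAM = frame(b"aaabbbccc") + frame(b"bbbcccddd") + frame(b"dddeeefff")
SEGMENTS = [STREAM[:7], STREAM[7:14], STREAM[14:22], STREAM[22:]]
```

The naive inspector returns nothing for this stream, while the reassembling inspector flags the denied message; after only the first two segments the reassembler holds the partial "bbb" frame rather than guessing at it.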

Leverage legitimate protocol functionality for illegitimate reasons – Attackers can use functions from the intended feature set of a control protocol for malicious purposes. Consider the damage that can be done to uptime and production if any of the following were used inappropriately: turning devices off, changing IP addresses, modifying names, altering settings, modifying firmware, restarting devices, and more. For example, a subcontractor that performs a small portion of a larger process has misconfigured gear that communicates with your equipment. The misconfigured gear can be used to modify coils, outputs, tags, and other parameters. Without the context to know who (or which device) is permitted to use a particular function, operators of a traditional IDS are left with one option, opening or closing a port, which is an all-or-nothing solution that is impractical and unusable.

Bypass exploit signatures – Exploits normally have short life cycles and thus vendors of enterprise IT IDS take shortcuts in developing signatures. These signatures are very good at detecting known exploits, but insufficient for detecting the source vulnerability that led to the exploit. Therefore, there is a clear danger that attackers can easily modify an exploit to bypass the signatures. For example, many poor IDS signatures will contain a pattern such as "\x41\x41\x41\x41", which is really just the sequence "AAAA" that the researcher was using to fill space arbitrarily. An attacker of intermediate skill can recognize this pattern and replace the 'A's with 'B's or another letter or number to bypass the exploit-specific protection. Without understanding the software flaw that led to the security concern, full protection is impossible. So, what is the meaning behind the actual data? Is it the number of 'A's that leads to the problem? Perhaps the application only expects to receive 2 characters but getting 4 causes it to crash. Does the number in that section of the message have any limits? The letters "AAAA" are the same as the number 1094795585 from the computer's perspective, so perhaps that number is not supposed to be above 70,000. Does that part of the message even matter for the attack? The sequence "AAAA" may just separate two more important sections of the message, or pad it to the correct length, and not actually matter. Is the key just one of these items, a combination, or all of the above? Without knowing these kinds of details, IDS vendors are always in catch-up mode.
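The following added Python (not from the article) contrasts the two approaches on a constructed TLV message format: an exploit signature that only matches the researcher's "AAAA" filler, and a vulnerability-based check that enforces the field limits the vulnerable parser relies on. The 2-byte field and the 70,000 bound are the article's hypothetical, not any real device's; the field type numbers are constructed.

```python
# Added example, not from the original article. The TLV (type, length, value)
# message format, the 2-byte field limit and the 70,000 bound are constructed
# stand-ins for the article's hypothetical; they describe no real device.
FIELD_MAX_LEN = {0x10: 2}         # constructed spec: field 0x10 holds <= 2 bytes
FIELD_MAX_VALUE = {0x20: 70_000}  # constructed spec: field 0x20 counter <= 70000


def parse_tlv(msg: bytes):
    """Split a message into (type, value) records; None if framing is broken."""
    fields, i = [], 0
    while i < len(msg):
        if i + 2 > len(msg) or i + 2 + msg[i + 1] > len(msg):
            return None
        t, n = msg[i], msg[i + 1]
        fields.append((t, msg[i + 2:i + 2 + n]))
        i += 2 + n
    return fields


def exploit_signature_hit(msg: bytes) -> bool:
    """Exploit-based detection: looks only for the researcher's filler bytes."""
    return b"\x41\x41\x41\x41" in msg       # i.e. the literal string "AAAA"


def vulnerability_check(msg: bytes):
    """Vulnerability-based detection: flag any field breaking the parser's limits."""
    fields = parse_tlv(msg)
    if fields is None:
        return ["malformed framing"]
    findings = []
    for t, v in fields:
        if len(v) > FIELD_MAX_LEN.get(t, float("inf")):
            findings.append(f"field 0x{t:02x}: {len(v)} bytes > {FIELD_MAX_LEN[t]}")
        if int.from_bytes(v, "big") > FIELD_MAX_VALUE.get(t, float("inf")):
            findings.append(f"field 0x{t:02x}: value {int.from_bytes(v, 'big')} too large")
    return findings


def tlv(*records):
    """Build a constructed message from (type, value) pairs."""
    return b"".join(bytes([t, len(v)]) + v for t, v in records)


# Constructed traffic: the published exploit, a filler-swapped variant, a benign
# message with "AAAA" in an unconstrained field, and a counter read as 1094795585.
ORIGINAL = tlv((0x10, b"AAAA"), (0x20, b"\x00\x00\x00\x01"))
VARIANT = tlv((0x10, b"BBBB"), (0x20, b"\x00\x00\x00\x01"))
BENIGN = tlv((0x10, b"OK"), (0x30, b"AAAA"))
COUNTER = tlv((0x10, b"OK"), (0x20, b"AAAA"))
```

The signature misses the variant and false-positives on the benign message; the vulnerability check catches both the original and the variant, stays quiet on the benign message, and flags the counter field purely on its numeric bound.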

These represent the key attack scenarios that can bypass enterprise IDS and threaten industrial networks. Because of these differences between enterprise IT networks and industrial networks, the respective security solutions must account for them to provide the security needed in ICS environments. Therefore, to combat attacks on industrial networks, system operators require an IDS with specific protections against industrial attacks. To counter the above attacks, an industrial next gen firewall featuring an industrial IDS must have the following:

A Deep Packet Inspection (DPI) engine is designed to understand the industrial protocols relevant to industrial control systems. Some protocol examples include PROFINET or CIP for industrial automation, IEC 60870-5-104 or IEC 61850 for electrical substation automation, and many others. Once the IDS understands a protocol, it has the intelligence to properly reassemble the segments into meaningful messages, and it is on these messages that the industrial IDS enables organizations to make properly informed security decisions.

Granular policy control sets specific parameters to determine when communication is allowed. Actual parameters are highly specific to the industrial protocol. These parameters include items that determine: (1) “Who” – IP addresses, MAC addresses, protocol addressing information (e.g. slave/station address in Modbus), and more; (2) “How” – function codes, operations, data types, and primitive types; and (3) “About what” – coil/IO numbers, memory addresses, tag names, and allowed values. Understanding these parameters in conjunction with the protocol used and the specific context gives system operators the visibility to take action on illegitimate use of functions and commands.
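An added example, not code from the article or from any Wurldtech product: a minimal Modbus/TCP parser (the DPI step) feeding a default-deny policy keyed on the “who / how / about what” parameters above. The frame layout is the public Modbus/TCP one; the host address 10.0.0.5, the unit id, the address ranges and the permitted coil values are constructed.

```python
import struct

# Added example, not from the original article. Frame layout follows the
# public Modbus/TCP spec; hosts, unit ids and address ranges are constructed.
READ_HOLDING_REGISTERS = 0x03   # Modbus function codes used below
WRITE_SINGLE_COIL = 0x05


def parse_modbus_tcp(data: bytes):
    """DPI step: MBAP header + PDU -> (unit_id, function, address, value)."""
    if len(data) < 12:
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", data[:7])
    if proto != 0 or length != len(data) - 6:
        return None                # protocol id must be 0; length must agree
    address, value = struct.unpack(">HH", data[8:12])
    return unit, data[7], address, value


def decide(src_ip: str, data: bytes, rules) -> str:
    """Default-deny policy. Each rule is (who, how, about what):
    (src_ip, unit_id, function, address_range, allowed_values_or_None)."""
    parsed = parse_modbus_tcp(data)
    if parsed is None:
        return "deny:malformed"
    unit, function, address, value = parsed
    for r_ip, r_unit, r_fc, r_addrs, r_values in rules:
        if (r_ip, r_unit, r_fc) != (src_ip, unit, function):
            continue                               # wrong "who" or "how"
        if address not in r_addrs:
            continue                               # wrong "about what"
        if r_values is not None and value not in r_values:
            continue                               # value not permitted
        return "allow"
    return f"deny:unit={unit} fc=0x{function:02x} addr={address} val={value}"


def build(unit: int, function: int, address: int, value: int) -> bytes:
    """Constructed Modbus/TCP request (MBAP length = unit id + 5-byte PDU)."""
    return struct.pack(">HHHBBHH", 1, 0, 6, unit, function, address, value)


# Constructed policy: the HMI at 10.0.0.5 may read holding registers 0-99
# and switch coils 0-15 on/off; nothing else is permitted.
RULES = [
    ("10.0.0.5", 1, READ_HOLDING_REGISTERS, range(100), None),
    ("10.0.0.5", 1, WRITE_SINGLE_COIL, range(16), {0x0000, 0xFF00}),
]
```

A write to coil 20, a Write Single Register (0x06) from the HMI, or the same read from a different host are all denied with the parsed context in the verdict, which is the information an operator needs to tune the rule rather than close the port.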

Protection against vulnerabilities instead of protection against exploits is needed to ensure long-lasting security. Industrial gear is designed to be in service for decades with minimal interaction from system operators, and device firmware might remain on older revisions for extended periods. Therefore, protection needs high security efficacy so that infrequent patching is less of a concern. When considering an industrial IDS, ensure that the vendor has the people, expertise, and experience to fully understand the vulnerability when creating signatures for the DPI engine. Also, work with vendors that have the key relationships that give them access to full vulnerability information from device vendors, government sources, 3rd party independent researchers, and the source researcher who found the vulnerability. In addition, an ICS-focused IDS vendor will dedicate proper prioritization and research resources to understanding the vulnerability and enhancing protections, whereas an IT-focused IDS vendor would give ICS vulnerabilities low priority.

Protection profiles provide in-depth mitigation processes. Many times, a signature is not enough. There will be times when more is needed: a patch, an update to the IDS configuration, additional background information and more. Therefore, guidance and direction are needed for the additional mitigation steps. When considering an effective IDS solution, ensure that protections extend beyond signatures alone. For example, protections should include the following:

· Policy enforcement ensures the configured policy is applied, preventing system attacks or misuse that can impact system productivity and reliability

· IDS signatures for vulnerabilities help secure the system from the root vulnerability, defending it against any exploit that may try to take advantage of the weakness. This results in greater accuracy, broader protection and higher security efficacy, even while using fewer signatures

· Patching updates are recommended for vulnerable systems to ensure that proper versions address security concerns

And of course, all industrial IDS functionality needs to be easily deployed and managed. IDS is a key component of an industrial next gen firewall, so both must be deployed on the same firewall device. IT security staff may lack resources or experience with industrial equipment. OT teams may not have the security expertise. So, regardless of whether the IT team or OT team is taking point, the right solution needs simplified security administration with an easy-to-use graphical interface (i.e. no command-line interface required) to ease management and deliver visibility across the network.

In summary, there are differences between industrial control systems and enterprise IT networks that result in different security needs. Since current enterprise IDS solutions are not designed to protect industrial networks, system operators must opt for an industrial next gen firewall with an IDS that fully understands industrial protocols and the specific context of each industrial command. In addition, knowing that industrial networks are difficult and costly to patch, an industrial next gen firewall “must-have” is protection against vulnerabilities rather than exploits to ensure long-lasting, effective security. Therefore, for new installations and for upgrade projects, be sure to include security budget for an industrial next gen firewall to effectively protect your company’s assets, productivity, and revenues.

About the Author: Nate Kube is founder and Chief Technology Officer at Wurldtech Security Technologies.
