Critical Infrastructure and ICS Security Remain a Network Segmentation Problem

By Michael Murray, SVP and GM Cyber Physical Systems

Companies in every industry are developing and deploying connected industrial control applications as strategic digital business initiatives. However, the risk of security breaches, and their impact on consumer privacy and now on personal safety, is limiting the delivery of secure and resilient services based on these connected applications. Many companies' networks remain disconnected because of a fundamental problem: these network architectures were built on an older, non-secure tapestry of legacy sensors, controllers and serial communication buses that are vulnerable to attack whether or not they are connected to the outside world, as Stuxnet demonstrated against an air-gapped facility.

In established industrial nations, Industrial Control Systems (ICS), their actuators and their serial communication buses (MODBUS, PROFINET, etc.) are the new threat vector for attacks on critical infrastructure, industrial and building automation applications. Attacking these systems costs significantly less, and presents fewer technical hurdles, than attacking a new cloud solution. Unfortunately, these attacks can produce the same or worse outcomes as large-scale distributed IT attacks.

For any company trying to protect against these threat vectors, there is an additional operational cost to securing brownfield (already installed) systems. The actuators, sensors and gateways integrated into these legacy networks were not designed with security as a priority. These devices live at Operations Technology Levels 0, 1 and 2 of the stack (the physical process with its sensors and actuators, the controllers such as PLCs and RTUs, and the supervisory HMI and SCADA layer, respectively), as shown in the Frost & Sullivan table below:

Many believe that artificial intelligence (AI) in the cloud will solve the ICS security problem; however, those AI systems do not receive data from Levels 0 and 1, or even Level 2, of the stack. Furthermore, if the devices at Levels 0 through 2 remain unchecked, or their identity unauthenticated, the data fed to the algorithms can be corrupted and produce incorrect baselines: a model trained on traffic from a spoofed or compromised controller learns the attacker's behaviour as normal. Also, the volume of data these devices generate is so large that storing it in a cloud solution is likely to be cost prohibitive.

This lack of authenticated device identity, coupled with the low rate of capital expenditure in these markets, is the real problem with critical infrastructure systems. It also limits the adoption of further connected intelligent devices, today and for the foreseeable future. The convergence of operational networks with IT networks complicates the problem further.

The best solution is for firms to segment and segregate their monitoring, communication and control networks using an identity-based approach to controlling network communications. Authenticated identities support strong and adaptable access policies that control who can connect to the network and which assets and data they are able to see. As we connect more intelligent devices to existing or new cyber physical controls, or connect monitoring systems into critical infrastructure applications, we continue to increase the risk of security breaches and the loss of control of our devices and our privacy. Worse, this offers an adversary the opportunity to damage property, disrupt business services and revenue, cause production and service downtime and, most importantly, potentially take human lives.

ICS and SCADA systems control physical processes that, if tampered with, can produce disastrous outcomes, such as re-energizing a section of the power grid in a city or factory that is supposed to be de-energized while a worker is making a repair or a new connection. From a monetary perspective, when TSMC, one of the most secure and sophisticated factories in the world, was hacked this year, the firm lost over $171M to production line downtime, per CNN's coverage.

BlackRidge Transport Access Control supports brownfield deployments in legacy networks to segment and segregate active ICS and SCADA systems. BlackRidge solutions also help customers meet the US-CERT recommendations for improving the security of network infrastructure devices by providing a topology-independent approach to network segmentation and segregation. Non-interactive identity authentication and policy enforcement at the transport layer can prevent unauthenticated hosts from scanning or mapping protected assets, effectively isolating them from the rest of the network, while supplying identity to SIEMs and analytics for enhanced monitoring, audit, assessment, behavioural analysis and adaptive response.
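The identity-based, transport-layer access control argued for in the two paragraphs above, as an added illustration that is not BlackRidge's code or protocol: a gateway in front of an OT segment authenticates an HMAC token carried in a connection's first packet, enforces a per-identity destination policy, drops everything else without any response (so an unauthenticated scanner learns nothing), and records identity-enriched events for a SIEM. The device secrets, policy table, addresses and traffic sample are all constructed for the example, and the token scheme is a deliberate simplification of what a real first-packet authentication product does.

```python
"""Illustrative identity-based transport access control for an OT segment.

Added example, not BlackRidge's code or protocol. Everything here is an
assumption constructed for the illustration: a shared-secret HMAC token in
the first packet, a per-identity destination policy, a monotonic counter for
replay protection, and the sample traffic.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Per-device secrets (hypothetical; a real deployment would use provisioned
# keys or certificates, never literals in source).
DEVICE_SECRETS: Dict[str, bytes] = {
    "hmi-01": b"constructed-secret-hmi-01",
    "eng-ws-07": b"constructed-secret-eng-ws-07",
}

# Constructed addresses and the (dst_ip, dst_port) pairs each identity may reach.
PLC = "10.0.1.10"
HISTORIAN = "10.0.1.20"
POLICY: Dict[str, Set[Tuple[str, int]]] = {
    "hmi-01": {(PLC, 502)},                        # HMI may only speak Modbus/TCP to the PLC
    "eng-ws-07": {(PLC, 502), (HISTORIAN, 5432)},  # engineering workstation may also reach the historian
}


@dataclass
class FirstPacket:
    """The connection's first packet (think TCP SYN) with an optional identity token."""
    src_ip: str
    dst_ip: str
    dst_port: int
    identity: Optional[str] = None
    counter: Optional[int] = None
    tag: Optional[bytes] = None


def make_tag(secret: bytes, identity: str, dst_ip: str, dst_port: int, counter: int) -> bytes:
    """HMAC-SHA256 over identity, destination and counter, truncated to 128 bits.
    Binding the destination into the tag stops a captured token being reused
    against a different asset; the counter stops straight replay."""
    msg = f"{identity}|{dst_ip}|{dst_port}|{counter}".encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()[:16]


def build_first_packet(identity: str, src_ip: str, dst_ip: str, dst_port: int, counter: int) -> FirstPacket:
    """What an enrolled device sends: a first packet carrying its identity token."""
    tag = make_tag(DEVICE_SECRETS[identity], identity, dst_ip, dst_port, counter)
    return FirstPacket(src_ip, dst_ip, dst_port, identity, counter, tag)


class Gateway:
    """Enforcement point in front of the OT segment."""

    def __init__(self, secrets: Dict[str, bytes], policy: Dict[str, Set[Tuple[str, int]]]):
        self.secrets = secrets
        self.policy = policy
        self.last_counter: Dict[str, int] = {}
        self.audit: List[dict] = []  # identity-enriched events for a SIEM

    def _record(self, pkt: FirstPacket, decision: str, reason: str) -> Tuple[str, str]:
        self.audit.append({"src": pkt.src_ip, "identity": pkt.identity,
                           "dst": f"{pkt.dst_ip}:{pkt.dst_port}",
                           "decision": decision, "reason": reason})
        return decision, reason

    def decide(self, pkt: FirstPacket) -> Tuple[str, str]:
        # Every failure is a silent drop: no SYN-ACK and no RST, so a scanner
        # cannot tell a protected asset from an empty address.
        if pkt.identity is None or pkt.counter is None or pkt.tag is None:
            return self._record(pkt, "DROP_SILENT", "no-identity")
        secret = self.secrets.get(pkt.identity)
        if secret is None:
            return self._record(pkt, "DROP_SILENT", "unknown-identity")
        expected = make_tag(secret, pkt.identity, pkt.dst_ip, pkt.dst_port, pkt.counter)
        if not hmac.compare_digest(expected, pkt.tag):  # constant-time compare
            return self._record(pkt, "DROP_SILENT", "bad-tag")
        if pkt.counter <= self.last_counter.get(pkt.identity, -1):
            return self._record(pkt, "DROP_SILENT", "replay")
        self.last_counter[pkt.identity] = pkt.counter
        if (pkt.dst_ip, pkt.dst_port) not in self.policy.get(pkt.identity, set()):
            return self._record(pkt, "DROP_SILENT", "policy-deny")
        return self._record(pkt, "ALLOW", "policy-allow")


def run_demo() -> List[Tuple[str, str]]:
    """Constructed traffic sample run through the gateway; returns the decisions in order."""
    gw = Gateway(DEVICE_SECRETS, POLICY)
    legit = build_first_packet("hmi-01", "10.0.2.5", PLC, 502, counter=1)
    packets = [
        legit,                                                           # enrolled HMI -> PLC Modbus: allowed
        build_first_packet("hmi-01", "10.0.2.5", HISTORIAN, 5432, 2),    # HMI outside its policy: denied
        FirstPacket("10.0.9.9", PLC, 502),                               # scanner with no token: invisible
        FirstPacket("10.0.9.9", PLC, 502, "eng-ws-07", 1,
                    make_tag(b"guessed", "eng-ws-07", PLC, 502, 1)),     # forged token, wrong secret
        legit,                                                           # replay of the first packet
        build_first_packet("eng-ws-07", "10.0.2.7", HISTORIAN, 5432, 1), # EWS -> historian: allowed
    ]
    return [gw.decide(p) for p in packets]


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```

Two design points carry the weight. First, the gateway never answers a packet it rejects, which is what makes protected assets unmappable from an unauthenticated host. Second, the tag is bound to the destination and a counter, so a token captured on the wire for the PLC cannot be replayed against it or redirected at the historian. A real deployment would also need key provisioning for brownfield devices that cannot compute a tag themselves (a gateway in front of them, as the page describes) and a plan for counter state across gateway restarts.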

Building a foundation of trust in new and legacy networks starts with authenticated identity and an identity fabric that extends from the edge to the cloud within the network layer. This is the bedrock of IT and OT security, providing segmentation and segregation, dynamic policy enforcement, and enhanced visualization of flows for analytics, audit and assessment. Given our nation's aging infrastructure, segmentation by trust pedigree and provenance level will become imperative for secure, resilient and sustained growth.