Strengthening the IT-OT Link

Cybersecurity Measures Must Protect Both Networks

BY JAKE WILLIAMS, RENDITION INFOSEC

When it comes to ensuring cybersecurity for critical assets, it is hard to find more critical assets than those that control the electrical grid. Traditionally, most security focus is given to the operational technology (OT) networks where grid infrastructure is controlled. This means that little attention is paid to the information technology (IT) resources where things like billing and administration take place. Even in organizations where investments in IT security are made, there is often confusion among management about the relationship between IT and OT security.

IT and OT networks are traditionally separated so that compromises impacting IT networks do not directly impact OT networks. A single phishing email should not put an attacker in a position to damage the electrical grid.


Some reading this article will note that in many cases OT devices are connected directly to the internet. A quick search of the online tool Shodan will show numerous programmable logic controllers (PLCs) and other industrial control system (ICS) assets meeting this criterion. Because this is such a deviation from industry best practices, however, this article is not about these cases. This article assumes that organizations have taken basic security procedures to protect their OT assets and segregate IT assets from OT assets.

In most cases where OT networks are compromised, the attackers enter the IT network first. From there, they must determine how data moves from the IT network to the OT network and abuse those same paths to pivot into the OT network.

When the IT network is properly secured, the actions the attackers take to map this dataflow should cause significant noise. Some organizations say “no data moves from the IT to the OT network” and “our OT network is completely disconnected from the Internet.” But in our experience auditing networks, this is never true. Some way to install new software and software patches on the OT network must exist. Attackers most interested in obtaining access to OT assets are advanced persistent threats, with the time and resources to develop specialized tools to bridge the IT-OT gap.

Separating OT From IT

There are three primary ways that IT is separated from OT: 1) an airgap (no networked connection between IT and OT); 2) a firewall; and 3) a cross domain solution (sometimes called a data diode). In practice, many organizations refer to all three of these as airgaps.

Airgap

In the case of an airgap, there is no physical connection between IT and OT and no connection from the OT network to the internet. There are always requirements to move data in and out of the OT network on at least an infrequent basis. With an airgap, however, there is usually no central location where data is moved and hence there is no opportunity for centralized monitoring. Absent some technical controls, data often will be moved haphazardly. In addition, due to the technical constraints of airgaps and operational needs, they tend not to stay airgaps for long. What may be an airgap on paper is often not an airgap in practice. (Read more about airgaps beginning on page 18.)

Firewall

A firewall centralizes a choke point for data transmission between IT and OT. Most firewalls cannot, however, dissect and validate network protocols, especially those in use by ICS equipment. For instance, if the firewall were configured to allow MODBUS telemetry over TCP port 502, most firewalls would allow any traffic over TCP port 502. Attackers might use this to move illicit traffic between IT and OT networks. Despite these limitations, the firewall does offer a centralized choke point for traffic, which can be logged and easily monitored, unlike an airgap solution.

Cross Domain Solution (Data Diode)

A data diode or cross domain solution can be thought of as a “data aware” firewall. Rather than simply allowing any traffic across a particular port, the data diode performs content inspection to ensure that data is well formed and does not violate integrity constraints. While it is not impossible for an attacker to transfer data that could be used in an attack, it makes the attacker’s job much harder.
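The difference between the port-only firewall rule described above and a content-inspecting cross domain solution can be made concrete with the MODBUS/TCP example the text uses. The following is an added illustration, not code from the article or from any vendor product: a port-based check that passes anything addressed to TCP 502, beside a validator that parses the MODBUS Application Protocol header (MBAP) and the request PDU and rejects frames whose protocol id, length field, function code or register quantity are not well formed. The sample frames are constructed for the demonstration.

```python
import struct

# Public function codes from the Modbus Application Protocol specification.
PUBLIC_FUNCTION_CODES = {1, 2, 3, 4, 5, 6, 7, 8, 11, 12, 15, 16, 17,
                         20, 21, 22, 23, 24, 43}
MBAP_LEN = 7      # transaction id (2) + protocol id (2) + length (2) + unit id (1)
MAX_PDU = 253     # function code plus data


def port_filter_allows(dst_port: int, allowed_ports=(502,)) -> bool:
    """What a port-only firewall rule does: any payload passes if the port matches."""
    return dst_port in allowed_ports


def inspect_modbus_frame(frame: bytes) -> tuple[bool, str]:
    """Content inspection of one MODBUS/TCP request. Returns (accepted, reason)."""
    if len(frame) < MBAP_LEN + 1:
        return False, "frame shorter than MBAP header plus function code"
    txn_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if protocol_id != 0:
        return False, f"protocol id {protocol_id} is not MODBUS (must be 0)"
    # The length field counts the unit id plus the PDU, i.e. everything after byte 6.
    if length != len(frame) - 6:
        return False, f"length field {length} does not match frame ({len(frame) - 6})"
    pdu = frame[MBAP_LEN:]
    if len(pdu) > MAX_PDU:
        return False, "PDU exceeds 253 bytes"
    fc = pdu[0]
    if fc not in PUBLIC_FUNCTION_CODES:
        return False, f"function code 0x{fc:02x} is not a public MODBUS function"
    if fc in (1, 2, 3, 4):  # read coils / discrete inputs / holding / input registers
        if len(pdu) != 5:
            return False, f"read request FC {fc} must carry exactly 4 data bytes"
        start_addr, quantity = struct.unpack(">HH", pdu[1:5])
        max_q = 2000 if fc in (1, 2) else 125
        if not 1 <= quantity <= max_q:
            return False, f"quantity {quantity} outside 1..{max_q} for FC {fc}"
    return True, f"well-formed: txn={txn_id} unit={unit_id} fc={fc}"


# Constructed sample traffic, all addressed to TCP 502.
SAMPLE_FRAMES = {
    "read 10 holding registers": bytes.fromhex("0001 0000 0006 01 03 0000 000a".replace(" ", "")),
    "unknown function code":     bytes.fromhex("0002 0000 0006 01 5a 0000 0001".replace(" ", "")),
    "length field mismatch":     bytes.fromhex("0003 0000 0020 01 03 0000 000a".replace(" ", "")),
    "quantity out of range":     bytes.fromhex("0004 0000 0006 01 03 0000 00ff".replace(" ", "")),
    "non-MODBUS data on 502":    b"GET / HTTP/1.1\r\n",
}


def compare_controls(frames: dict, dst_port: int = 502) -> dict:
    """Count how many frames each control would let through to the OT side."""
    by_port = sum(port_filter_allows(dst_port) for _ in frames)
    by_inspection = sum(inspect_modbus_frame(f)[0] for f in frames.values())
    return {"port_filter": by_port, "content_inspection": by_inspection}


if __name__ == "__main__":
    for name, frame in SAMPLE_FRAMES.items():
        ok, reason = inspect_modbus_frame(frame)
        print(f"{name:28s} port filter: pass   inspection: {'pass' if ok else 'DROP'} ({reason})")
    print(compare_controls(SAMPLE_FRAMES))
```

Run against the five sample frames, the port rule passes all five while the validator passes only the genuine read request. This is the gap the article describes: a firewall keyed on port numbers cannot tell MODBUS telemetry from arbitrary bytes, and each rejected frame at a content-aware boundary is also an event worth alerting on.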

Monitoring the IT-OT Gap

Why should organizations care about the methods used to separate IT from OT? The security mechanism used by the organization dictates the methods the attacker must use to try to compromise the OT network.

In the case of an airgap, the attacker must locate workstations where systems administrators move data using USB drives or burn CDs or DVDs to move data across the airgap. An attacker can query registry values enterprise wide from a domain admin account to locate those machines and user accounts that are most likely involved with moving data.

Of course, an attacker can also use physical hardware to bridge the airgap if he or she can obtain physical access. Whether the bridge is a physical hardware device or a remote registry scan to locate the users who transfer data, continuous network monitoring discovers these events with ease. Remote registry queries generate entries in the event logs on Windows endpoints and at the domain controller. In most cases, NetBIOS and LLMNR queries from the airgapped OT network will be present in the network traffic of the IT network. Defenders need only to look for this traffic to discover that networks have been inadvertently (or maliciously) bridged.
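The NetBIOS and LLMNR tell described above lends itself to a simple detection. The following is an added example and not code from the article: it reads flow records from an IT-side network sensor and flags any name-resolution traffic (NetBIOS-NS on UDP 137, NetBIOS datagram on UDP 138, LLMNR on UDP 5355) whose source address belongs to the OT address plan, since a host from the "airgapped" network chattering on the IT segment means the two are connected. The OT prefix, the record format and the sample flows are constructed assumptions for the demonstration.

```python
import ipaddress

# Assumption: the OT network's address plan. Name resolution from IT hosts
# on the IT segment is normal; the same traffic from these prefixes is not.
OT_NETWORKS = [ipaddress.ip_network("10.200.0.0/16")]

NAME_RESOLUTION_PORTS = {137: "NetBIOS-NS", 138: "NetBIOS-DGM", 5355: "LLMNR"}

# Constructed flow records from an IT-side sensor: timestamp proto src dst dport
SAMPLE_FLOWS = """\
2024-01-01T10:00:01Z udp 10.10.4.21 10.10.0.5 53
2024-01-01T10:00:03Z udp 10.10.4.21 224.0.0.252 5355
2024-01-01T10:00:04Z udp 10.200.3.17 224.0.0.252 5355
2024-01-01T10:00:04Z udp 10.200.3.17 10.10.255.255 137
2024-01-01T10:00:09Z tcp 10.10.4.22 10.10.0.8 445
2024-01-01T10:00:11Z udp 10.200.3.17 10.10.0.5 53
"""


def is_ot_address(addr: str, ot_networks=OT_NETWORKS) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ot_networks)


def find_bridged_hosts(flow_text: str, ot_networks=OT_NETWORKS) -> list[dict]:
    """Return one alert per OT-sourced name-resolution datagram seen on the IT side."""
    alerts = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        ts, proto, src, dst, dport = line.split()
        dport = int(dport)
        if proto != "udp" or dport not in NAME_RESOLUTION_PORTS:
            continue
        if is_ot_address(src, ot_networks):
            alerts.append({
                "time": ts,
                "src": src,
                "dst": dst,
                "service": NAME_RESOLUTION_PORTS[dport],
                "finding": "OT host performing name resolution on IT segment",
            })
    return alerts


def bridged_sources(flow_text: str, ot_networks=OT_NETWORKS) -> list[str]:
    """Distinct OT hosts that appear bridged, for a triage list."""
    return sorted({a["src"] for a in find_bridged_hosts(flow_text, ot_networks)})


if __name__ == "__main__":
    for alert in find_bridged_hosts(SAMPLE_FLOWS):
        print(alert)
    print("bridged OT hosts:", bridged_sources(SAMPLE_FLOWS))
```

The DNS query from 10.200.3.17 in the sample is deliberately not matched: the point of the rule is the broadcast and multicast name resolution that Windows hosts emit on their own, which a host from an isolated network should never be able to deliver to the IT segment. A follow-up check on the same source address in DNS and SMB flows is a natural next triage step.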

In the case of a firewall, detection of attackers moving to the OT side is even easier. If attackers wish to move between the IT and OT networks, they must cross through the firewall. Centralized logging of firewall connection blocks and network flows will easily reveal movement from IT to OT. As attackers try to discover what ports and protocols are allowed through the firewall, they will inevitably make noise. This noise is easily discovered if the network is baselined and firewall logs are being monitored.
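The noise the text refers to is visible in exactly the firewall logs it recommends collecting. As an added example, not the article's or any product's code, the following reads constructed firewall connection records for the IT-to-OT boundary and raises two kinds of alert: a source that is denied on many distinct OT ports within a short window (probing of what the firewall permits), and any permitted connection into OT from a host other than the approved transfer system (a deviation from the baseline). The OT prefix, the approved host, the log format and the thresholds are assumptions.

```python
import re
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

OT_NET = ipaddress.ip_network("10.200.0.0/16")   # assumption: OT address plan
APPROVED_IT_SOURCES = {"10.10.0.50"}              # assumption: the only host baselined to reach OT
PORT_SCAN_THRESHOLD = 5                           # distinct denied ports per source per window
WINDOW = timedelta(minutes=10)

LOG_RE = re.compile(
    r"(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)"
)

# Constructed firewall log for the IT-OT boundary.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z action=ALLOW src=10.10.0.50 dst=10.200.1.10 proto=tcp dport=502
2024-01-01T10:01:02Z action=DENY src=10.10.4.21 dst=10.200.1.10 proto=tcp dport=22
2024-01-01T10:01:03Z action=DENY src=10.10.4.21 dst=10.200.1.10 proto=tcp dport=23
2024-01-01T10:01:03Z action=DENY src=10.10.4.21 dst=10.200.1.10 proto=tcp dport=80
2024-01-01T10:01:04Z action=DENY src=10.10.4.21 dst=10.200.1.10 proto=tcp dport=443
2024-01-01T10:01:05Z action=DENY src=10.10.4.21 dst=10.200.1.10 proto=tcp dport=20000
2024-01-01T10:01:06Z action=ALLOW src=10.10.4.21 dst=10.200.1.10 proto=tcp dport=502
2024-01-01T10:05:00Z action=DENY src=10.10.7.3 dst=10.200.2.2 proto=tcp dport=445
"""


def parse_log(text: str) -> list[dict]:
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or unrelated line; a SIEM would count these too
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        rec["dport"] = int(rec["dport"])
        records.append(rec)
    return records


def analyze_firewall_log(text: str) -> list[tuple[str, str]]:
    """Return (alert_kind, source_ip) pairs for traffic toward the OT network."""
    records = [r for r in parse_log(text) if ipaddress.ip_address(r["dst"]) in OT_NET]
    alerts = set()

    denies = defaultdict(list)
    for r in records:
        if r["action"] == "DENY":
            denies[r["src"]].append(r)
        elif r["action"] == "ALLOW" and r["src"] not in APPROVED_IT_SOURCES:
            alerts.add(("unapproved-allow", r["src"]))

    # Sliding window over each source's denies: many distinct ports quickly = probing.
    for src, events in denies.items():
        events.sort(key=lambda r: r["ts"])
        for i, start in enumerate(events):
            end = start["ts"] + WINDOW
            ports = {e["dport"] for e in events[i:] if e["ts"] <= end}
            if len(ports) >= PORT_SCAN_THRESHOLD:
                alerts.add(("probe", src))
                break
    return sorted(alerts)


if __name__ == "__main__":
    for kind, src in analyze_firewall_log(SAMPLE_LOG):
        print(f"{kind:18s} {src}")
```

In the sample, 10.10.4.21 trips both rules: it is refused on five ports in a few seconds and then reaches the permitted MODBUS port, which is exactly the "figure out what is allowed, then use it" sequence the text describes. The single deny from 10.10.7.3 stays below the probing threshold but would still appear in a plain listing of IT-to-OT denies, which on a well-baselined boundary should be close to empty.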

Finally, cross domain solutions (aka data diodes) are the form of network bridge across which attacker movement is easiest to detect. Because the data diode validates data types moving from IT to OT (and vice versa), the attacker must create data that appears valid to the data diode but also serves some malicious purpose on the OT network. This is far from easy (but is possible) and requires much trial and error. Each failure will create alerts at the cross domain solution, which should be investigated immediately.

Finding Attackers in the IT Network and Keeping Them Out of OT

As mentioned earlier, cyber attackers almost always enter the network from the IT side. The most common route for this is via phishing emails. Through good continuous security monitoring, organizations can quickly determine when they have been breached and have attackers operating in the network. User awareness education, while important, is not enough to secure the IT network from phishing threats.

Many utility companies only have monitoring in place at the boundary firewall. While this is better than nothing, it is far from ideal. It is important to understand that once attackers exploit a victim through phishing emails, they are already operating inside the firewall. While most firewalls block network traffic inbound, they generally allow all traffic outbound.

Even in cases where the firewall is configured to block some outbound traffic, attackers quickly figure out how to exfiltrate data via authorized protocols and network destinations, and they have toolkits built for exactly this. Attackers and researchers have built tools to steal data and operate in the network using authorized applications such as Gmail, Dropbox, network ping packets, DNS (domain name to IP address resolution) and many other commonly authorized applications.

Endpoint monitoring inside the network is required to find the attacker operating in the network. Endpoint monitoring will aggregate event logs at a security information and event management system (SIEM) where investigators can easily observe attacker activity patterns that are impossible to see otherwise. In addition, a SIEM is very useful for discovering insider threats (e.g. mass theft of customer data).

It is worth noting that while a SIEM can be a costly investment, many managed security service providers can lease SIEM hardware and software and provide monitoring at a price point that is well within operational expenditure (OPEX) levels. Building a security monitoring architecture that will detect attackers in the IT network before they can even attempt the transition to the OT network need not require a capital expenditure (CAPEX) budget cycle.

This should remove barriers to adoption and give utility organizations the tools they need to minimize the threat to the IT network, in turn maximizing the security of the OT network.


Jake Williams is the founder and president of the information security firm Rendition Infosec. Williams is a former U.S. government hacker with two decades of experience in information security. He now works with organizations all over the globe to evaluate security, build monitoring programs and investigate cyber intrusions.
