CyberFence

May 2015

CyberFence

Table of Contents
1.

Introduction .......................................................................................................................................... 3

2.

Risk Management ................................................................................................................................ 5

3.

CyberFence Devices ............................................................................................................................ 6

4.

CyberFence Security ........................................................................................................................... 8

1.1. Data Encryption ........................................................................................................................... 9
1.2. DarkNode Technology ................................................................................................................ 9
1.3. Port Authentication & Access Control ...................................................................................... 9
1.4. Firewall ....................................................................................................................................... 10
1.5. Application-Level Deep Packet Inspection ............................................................................. 10
1.6. Alerting & Reporting ................................................................................................................. 11

5.

Attacks & Mitigations ........................................................................................................................ 11

1.7. Network Connection Attacks ................................................................................................... 11
1.8. Endpoint Connection Attacks .................................................................................................. 12
1.9. Internal Host-based Attacks..................................................................................................... 12
1.10. Server Compromise or Insider-Based Attacks ...................................................................... 13
1.11. Zero-day attacks ........................................................................................................................ 13

6.

Summary ............................................................................................................................................. 14

Ultra Electronics, 3eTI 2015

May 2015

CyberFence

1. Introduction
Over the past few years a great deal has been achieved in terms of industrial control systems (ICS) cyber
security. Almost all industry sectors are taking notice of the threats and are pursuing standards and best
practices for how to protect themselves. For the most part these standards and practices advise similar
methodologies define a critical systems perimeter, erect perimeter defenses and control what comes in
and goes out. This has resulted in a large number of secure systems,' which are essentially networks of
segregated enclaves with restricted access from public networks. This is great protection against an
attacker trying to penetrate your network from a publicly accessible one such as the Internet, which is a
legitimate threat. It needs mitigating, but is it the threat we should be most worried about?
One of the biggest problems with the segregated enclave approach is once an attacker is in that enclave
there isnt much security to prevent him or her doing almost anything. Once the perimeter is breached,
typically the system is owned and the damage done. Attackers are human; they prefer easy over hard and
less risk to more risk. Attacking a system from the public side using well-known vectors is one of the easiest
and least risky methods, which is why it is so prevalent. A reasonable and best-practice approach would be
to install strong perimeter defenses, such as data-diodes or gateways, and stop that attack vector.
However, while this will stop a cursory attack from a public network, it wont stop a dedicated attacker who
will instead target a more weakly defended approach. It also will not stop an insider who has access into the
secure enclave.
There are myriad ways to gain access to the critical process control network that do not involve access over
a public network such as the Internet. These include the inadvertent or unauthorized use of a USB stick, the
connection of an infected maintenance contractors laptop, the intentional infection by an insider, or a
corrupted patch. Any one of these approaches would bypass the perimeter security and cause an unwanted
cyber-impact to the critical process control network.
Instead, security engineers should take the approach of preventing vulnerability from being exploited, rather
than preventing a specific attack vector. In many industrial control systems the vulnerability waiting for
exploitation is that of programmable logic controllers (PLCs), which are reliable but not robust. When
operated correctly a PLC is one of the most reliable computing devices deployed; however, if told to do
something unexpected or non-standard, it more often than not fails or malfunctions. Therefore if an attacker
wanted to cause physical damage or impact a facilitys operations then their goal will be to interfere with
PLC related communications.
Traditionally hackers would come at this through a publicly accessible interface and make their way down to
the control domain. By deploying good perimeter defense we have made this attack vector much more
difficult if not impossible. But we have not mitigated the vulnerability. The PLC is still not robust and if an
attack breaches the perimeter it will still succeed. This is a risk that is acknowledged in the guidance by
recommending antivirus on all PCs, including those in the control enclave. If there were no risk, why run
antivirus? If this vulnerability remains, but the most prevalent attack vector is closed what is the risk that it
will still be exploited?
There are plenty of familiar methods for breaching the perimeter: Stuxnet infected air-gapped systems
through infected USB sticks; engineers continue to bring devices and computers on-site when providing
maintenance; vendors still have remote access to their systems over dedicated links. Trying to guess and
mitigate the next attack vector is a cat-and-mouse game that the defender will never win. The truth is

Ultra Electronics, 3eTI 2015

May 2015

CyberFence

embedded systems dont have adequate security and continue to be at risk of an attacker maliciously
interfering with them and their controlling computers. If we want to protect a system we need to mitigate the
vulnerability, not prevent the attack vector. Once an attacker can communicate on your network, he or she
can interfere with control communications, disrupt timing messages, send damaging messages to the
controllers, or simply conduct a denial of service attack against a system or component.
In response to the increased use of strong perimeter security from public networks, hackers have
increasingly migrated to hacker drop-boxes. These are low-cost disposable computers that are left within a
victims facility to act as a physical Trojan horse. If an attacker can gain access to your facility or use
someone who can, they can drop a small computer where no one would look and, through it, gain a
permanent foothold into your system.
Cheap but powerful computers such as the Raspberry Pi or Arduino combined with hacker toolkits such as
Kali and a disposable cell phone give attackers an easy way to hack into an ICS network for under $100. In
a large and disparate facility or office building, would anyone notice a small device about the size of two
decks of cards? Would they even question its existence? How about if it was hidden in plain sight disguised
as another PLC? Due to the prevalence of information on the Internet, almost anyone can build a
penetration device that can be slipped into a pocket on the way to work, then surreptitiously connected to
the network, and remotely accessed anytime and from anywhere desired. For ease of use and low risk this
is a great vector for an attacker, and currently bypasses almost all guidance and best-practice protections.
The greatest risk of this type of attack is from a malicious insider. These individuals have access,
knowledge, and the motivation to cause damage ranging from nuisance to catastrophic.

Typical Industrial Network

Architecture

Ultra Electronics, 3eTI 2015

May 2015

CyberFence

In an attempt to help address these problems, Ultra Electronics, 3eTI created CyberFence, a series of
devices to protect industrial control and automation systems. CyberFence has been independently validated
to official standards including Federal Information Processing Standards (FIPS) 140-2 and Common Criteria
for its security implementation. CyberFence also has been vulnerability-tested thoroughly by government
agencies such as the Department of Energys Idaho National Laboratory. As this whitepaper will outline,
3eTIs CyberFence solution provides critical system protection as part of a holistic cyber-security solution.
More than just a firewall, network segregation and monitoring solution, it provides a unique defense-indepth solution focusing on protecting the most critical and vulnerable devices in a facility from a wide range
of cyber and physical attacks.

2. Risk Management
Due to the unique and complex interconnection and implementation of different control and monitoring
systems, the cyber-attack vectors and their associated risks are varied and specific to each deployment.
How corporate networks, remote workers, network architectures, and removable media all interface with the
control domain will introduce unique vulnerabilities and provide pathways for an attacker to perform a
malicious action. Strict guidelines and one-size-fits-all solutions do not lend themselves to solving this
problem. The needs of an auto manufacturing plant will be different from those of a nuclear power station or
water treatment facility. Some systems are safety critical, some contain industrial secrets, and each has a
different value to their owners. In security terms every installation and customer has a unique critical-asset
list, threat assessment, risk appetite and operational limitation. A product or system designed for one
architecture will not ideally fit the needs of another. Instead you need a tailored solution specifically
configured to the customers real-world situation. It is necessary to balance the utility need for efficient
operation with the security required for safe operation.
The correct way to define that tailored solution is through a risk management process. Defining what is and
what is not acceptable will enable the owner to determine where function is more important than security,
and where security is more important than utility. In reality choosing utility over security need not mean a
reduction in protection. By employing a defense-in-depth approach to security, both functional and security
requirements can be met at the same time. The vulnerability that is exposed to enable more efficient
operation can be mitigated using a different layer of security.
These different layers combine together to give a level of protection greater than that provided by any single
layer or solution. This is why, in addition to utilizing perimeter firewalls, enterprises still deploy endpoint
security for their desktop PCs (e.g. antivirus). The defense provided by a firewall does not by itself provide
enough protection for the desktop PC. This layered approach is the same one 3eTI and international
standards advocate for an industrial control and automation system. While there are endpoint protection
products available for the desktop PC, there were not any available for critical embedded computers such
as PLCs or remote automation solutions (RTUs). This is why 3eTI developed the CyberFence series of
products - to deploy a defense-in-depth solution that provides endpoint protection for critical devices.

Ultra Electronics, 3eTI 2015

May 2015

CyberFence

Defense-in-Depth (DID) Architecture

The CyberFence series of products ensures that each critical device has the individual protection it needs
with its normal operation left undisturbed. 3eTI understands that the addition of security into the process
control domain must not negatively impact performance or reliability. This is why CyberFence has been
designed specifically to support the needs of industrial control and automation.

3. CyberFence Devices
A holistic solution requires many different tools, such as data-diodes separating corporate and control
domains, firewalls regulating network connections, and antivirus monitoring workstations. However, in the
control and monitoring domain, protection doesnt spread much farther than the network core. Most
solutions focus on network activity, attempting like a traffic cop to detect an attack through the congestion of
normal operations. However, attacks dont typically target the network or clearly identify themselves when
passing over it. Instead, as Stuxnet showed, the ultimate aim of a control system attack is to manipulate or
control a critical edge device, i.e. the device sitting at the edge of the network interfacing with the real-world
such as a programmable logic controller. Located at the edge of the network, the CyberFence series is
designed to protect these critical edge devices by acting as personal bodyguards, providing defense-indepth protection from cyber-attacks. It does this by integrating a number of discrete protection mechanisms
together to more assertively regulate access and communication to the more vulnerable and critical devices
and systems.

Ultra Electronics, 3eTI 2015

May 2015

CyberFence

There are currently four different devices within the CyberFence series, each of which provides a similar set
of features, and a common management approach, while providing the right set of security controls for a
given application. The customer can choose from a wide range of encryption, authentication, throughput,
firewall, and deep-packet-inspection (DPI) capabilities to find the right solution for the requirement.

Benefits of Cyber Security Defense-in-Depth (DID)

Solutions

DarkNode

Description

Where

Used within
FIPS Layercritical networks
2 DID
where latency &
Crypto
integrity are
paramount

Used across
FIPS Layernetworks e.g.
EtherGuard 3 DID
between facilities
Crypto
or over the
Internet
EtherWatch

UltraCrypt

SCADA
Firewall

Used to protect
industrial devices
from malicious
attack

Used to protect
High Speed
high-speed
Encryption
private networks
or leased lines

DPI

Firewall Encrypt

Mbps

FIPS 140-2
Level 2

Common
Criteria

Suite B
Cap.

V-LAN

~120

VPN

~120

~120

V-LAN

~450

802.1X

OutBand
Mgmt

Dark
Node
Tech.

EtherWatch is the most advanced SCADA firewall available in the market. It provides both straight firewall
and application-level deep-packet-inspection capabilities, which means it can control not only what
protocols are allowed, but also what commands within the protocol can be sent and even what those
commands can say.
DarkNode provides the same advanced capabilities as EtherWatch but also introduces FIPS validated
Ethernet encryption. DarkNode can encrypt multiple different VLANs with different encryption keys to
provide cryptographically separated communications within the same network, and prevent unauthorized
devices from monitoring or maliciously interfering with the traffic. DarkNode has been specifically designed
to provide low-latency encryption for those environments such as industrial control and automation who
would like to use encryption but to whom no adequate solution exists.
EtherGuard allows those with remote critical devices or systems to safely and securely connect them back
to the core network over less secure or public networks such as the Internet. EtherGuard provides FIPS
validated VPN encryption with additional protections such as port authentication and access control policies
to ensure that only authorized devices can utilize the encrypted channel, and that their communications are
not manipulated or intercepted en-route.

Ultra Electronics, 3eTI 2015

May 2015

CyberFence

UltraCrypt provides high-speed low-latency VLAN encryption for those customers who use private
networks or leased lines to communicate their data, but who dont trust the integrity or confidentiality of
those links.
All devices within the CyberFence series have the capability to be managed both locally and remotely using
a variety of industry standard network management methods, such as SNMP, SOAP XML, and HTML,
allowing them to be managed from a wide variety of network management systems. Most importantly each
device can be remotely managed via a completely separate network interface from user-data to provide true
out-of-band management. These management interfaces provide multiple ways for communicating security
alerts and notifications in the case of malicious or anomalous activity.
Any CyberFence series device can be easily integrated into the customers security infrastructure and
provide data feeds for their Security Incident & Event Management (SIEM) system either in real-time or via
log retrieval. Therefore any process control or automation network can achieve the same level of security
and real-time monitoring that enterprise networks enjoy today. And through the use of open industry
standard interfaces, customers are not constrained by vendor lock-in or stove-piped proprietary solutions.
Part of what differentiates the CyberFence series of devices from other industrial firewall or security
products is that the CyberFence series has been independently validated by a variety of government
agencies and laboratories on its implementation and robustness. Trust in the CyberFence series security
capabilities comes not only from the over 60 years Ultra Electronics has been producing information
assurance products for governments and industry worldwide, but also from the fact that independent
experts have extensively looked at and tested it for weaknesses and vulnerabilities. The encryption within
the product range has been certified under the Cryptographic Module Validation Process (CMVP) to FIPS
140-2 Level 2. Likewise the product implementation has been assessed by NIAP under the Common
Criteria Evaluation & Validation Scheme. Finally the end-product has been black-box security evaluated by
a number of different government agencies including Idaho National Laboratory, the U.S. Department of
Energys lead nuclear and security research establishment and home of the National SCADA Test Bed
Program.
The CyberFence series range has also undergone physical and environmental testing to ensure that the
products can be used within normal and hazardous locations safely. As a result they have been tested to
meet IECEx, Class I Div 2, and Atex certifications, and are applicable for use in a wide-range of industrial
and enterprise environments. For more information on the list of certifications please contact Ultra
Electronics, 3eTI directly.

4. CyberFence Security
CyberFence combines a number of different capabilities to create a tailored cyber-defense. As each
industrial deployment is unique and reflects unique threats, vulnerabilities, critical assets, and risk appetites,
it requires individual solutions tailored to specific needs. EtherGuard implements both static protection
controls and active defensive controls. The static protection controls are those elements (e.g. encryption,
firewall, authentication) that provide protection even when no attack is taking place, the defensive walls so
to speak. Build these walls high and thick enough and you can deter or prevent a large number of attackers
from exploiting your system. However, there are always those attacks that can get past your static

Ultra Electronics, 3eTI 2015

May 2015

CyberFence

defenses, which is why you need guards manning the walls proactively looking for attacks and responding
to them through, for example, deep packet inspection and heuristic analysis. Combining layers of static and
active defenses creates solid defense-in-depth protection.

1.1. Data Encryption

All devices except the EtherWatch device provide user-data end-to-end encryption. This means that any
data sent by a user via a CyberFence series device will be encrypted from the source all the way to its
destination. No attacker on the network between the CyberFence series devices will be able to intercept,
manipulate, or participate in the communications. 3eTI uses only government-grade and FIPS validated
encryption algorithms and key management solutions, and performs its encryption in hardware to ensure
low latency. Customers can select the algorithm and encryption mode suitable for their implementation
including NSA Suite B. Likewise all management activity is over an authenticated HTTPS session which is
itself only accessible over an encrypted VPN or VLAN tunnel that allows an administrator to control which
users can perform management activities even if they are authorized to send data.

1.2. DarkNode Technology

All devices except EtherGuard have DarkNode Technology built in. DarkNode Technology allows the
CyberFence series device to operate stealthily on the network, invisible to attackers and users alike. An
attacker scanning the network or inspecting traffic cannot detect the presence of the CyberFence series
device. This enables quick and easy deployment as the device is transparent on the network, requiring no
additional network configuration. It also stymies attackers as the only indication that they will have of a
CyberFence series device is that their attacks are failing, and they cannot tell why.
While EtherGuard does not implement full DarkNode Technology (as it creates a Layer 3 encrypted VPN
tunnel), it does provide obfuscation and stealth capabilities. EtherGuard carefully limits what information it
makes available to other network devices, frustrating information gathering activities. By wrapping all traffic
over a single cryptographically assured VPN tunnel it obstructs an attackers ability to detect who is talking,
what they are saying, and even how many devices are participating. The network topology behind
EtherGuard is hidden.

1.3. Port Authentication & Access Control

EtherGuard implements 802.1x port authentication on all its user data ports. Therefore it is capable of not
only authenticating itself to whatever network it is connected into, but more importantly the user can control
what devices are allowed to connect to the EtherGuard and communicate through the encrypted tunnel. As
the EtherGuard is used to securely communicate devices over a less-trusted or public network, the
likelihood is that the critical device or system being connected is in a remote location. This means that any
device connecting to the EtherGuard has connectivity back into the home network, so port authentication
allows a network administrator to authenticate and control every device that connects.
The other devices in the CyberFence series (DarkNode, UltraCrypt, EtherWatch) do not provide port
authentication capabilities themselves, but they dont hamper its deployment. As they are transparent to the
network they can be used inside a network utilizing 802.1X port authentication.

Ultra Electronics, 3eTI 2015

May 2015

CyberFence

If a network does not implement port authentication but the user would still like to control logical access to
the network, then access control policies can be used. The user can control what devices are authorized to
connect to a CyberFence series devices given ports based on MAC address. While this does not provide a
cryptographically authenticated method it does prevent unsophisticated attackers or accidental connections
to the wrong ports.

1.4. Firewall
Even if a user has authorization to communicate through the CyberFence series device it doesnt mean that
they obtain the authority to communicate to everyone and everywhere on the network. All devices in the
CyberFence series except UltraCrypt implements a Firewall which can control where users are allowed to
communicate and which protocols they can use. This ensures that any critical device behind a CyberFence
series product can control who can communicate with it, and is not left open to anyone on the network to
connect to. The CyberFence series provides critical devices with an endpoint firewall that can not only
protect the device from the network, but also protect the network against any compromised device
attempting to form unauthorized connections.
Firewall alerts can both be securely logged and remotely distributed so that security systems can be
immediately alerted to any unauthorized or anomalous connection attempts.

1.5. Application-Level Deep Packet Inspection

Firewalls have historically been used to control who can talk to whom, but not what was being said.
However, this is an issue within critical control and automation systems. If an authenticated system such as
a SCADA server or HMI becomes compromised it would be allowed to communicate through the firewall to
launch an attack on a critical system. CyberFence series devices solve this issue by looking at the entire
contents of a packet rather than just the header in what is known as deep-packet-inspection (DPI). Coupled
with an application protocol awareness, a CyberFence series device can allow or reject a packet based on
what is in the application layer as well as where it came from. All devices except UltraCrypt can perform
application-level DPI.
By knowing what protocol a critical system uses, a CyberFence series device can filter out both nonstandard protocol packets, and unwanted (but legitimate) commands. For instance a CyberFence series
device could be configured to make a critical device read-only by dropping any write commands it sees, or
preventing an attacker from reconfiguring a device by preventing any software/program uploads.
What makes the CyberFence series approach to application-level DPI unique is that users can configure
the application-level DPI using a human-readable XML file. This XML file can be written to conform to
almost any type of industrial protocol, meaning that the DPI in the CyberFence series is protocol
independent. As new XML configuration files are created, new protocols are thereby supported with no
software or firmware updates required. The customer benefits from new protocol support without
purchasing any additional licenses or software upgrades.

Ultra Electronics, 3eTI 2015

10

May 2015

CyberFence

1.6. Alerting & Reporting

One of the main reasons why industrial control and automation environments are vulnerable to cyber-attack
is that operators do not have any situational awareness about what is happening in their control networks.
Users know what actions they perform on an HMI, and they can see the actions a controller has on the
environment (e.g. a PLC), but they dont know if the action being performed is what they specified in the
HMI. Many cyber-attacks can either manipulate control or manipulate the view to deceive an operator as to
which processes are active or taking place. An attack can even make it seem as though the control system
or controller (e.g. a PLC) is malfunctioning when it is operating correctly by taking commands from malware
rather than the control system.
The CyberFence series is designed to provide situational awareness within the control network so that
operators have an independent means for comparing commands and readings being received and being
sent and displayed. If there is a discrepancy between these two, the discrepancy represents the first red
flag signaling a malicious actor or cyber-attack. The CyberFence series can do this by alerting and
recording activity that it sees passing over the network. All configuration changes, firewall alerts, DPI alerts,
and authentication failures can be reported either in-band over an encrypted channel or out-of-band using a
separate network. Alerts are both securely recorded in an auditable record, and distributed via SNMP traps
and remote SysLog entries. Through the standards compliant SOAP interface, management appliances
automatically and routinely retrieve these logs for further analysis.

5. Attacks & Mitigations

While every cyber-attack on a critical or air-gapped system can be seen as unique, using different access
and propagation methods, they can generally be categorized into a few main families. Not all cyber-attacks
can be 100-percent successfully mitigated. A defender must recognize as early as possible when an attack
is taking place and prevent the attacker from achieving the desired goal or performing desired actions.
Through controls such as those provided by the CyberFence series, operators can make exploitation
virtually impossible for non-sophisticated or nation-state attacks, and provide the situational awareness
necessary to discover when sophisticated attacks are being attempted.

1.7. Network Connection Attacks

One of the easiest ways to attack a process control network is to acquire direct network connectivity and
then to maliciously interfere with that traffic. Process control and automation networks are typically
geographically very large, from power stations and factories to railway signaling and oil pipelines. These are
large facilities with porous physical controls and many places in which an attacker can connect devices.
Small network taps bought from almost any online electronics store can provide an attacker with
undetectable logical and physical access to even an air-gapped network. With their own device connected
to the network, attackers can inspect traffic to understand what protocols are being used, what commands
are being sent, and what the topology of the network looks like. After that they can subtly and almost
invisibly begin to manipulate traffic or communicate with critical devices.
One simple way to mitigate this risk is to use encryption. Encryption is not widely deployed in process
control and automation networks because it is seen to only provide confidentiality where confidentiality is

Ultra Electronics, 3eTI 2015

11

May 2015

CyberFence

not required. In fact, encryption provides two main protections - confidentiality and integrity, with integrity
being the more important attribute within control networks. The integrity protection that encryption provides
ensures that attackers with physical access to the network cannot manipulate the traffic, generate any of
their own, or replay old traffic and go undetected. The confidentiality protection that comes with it is a
bonus.

1.8. Endpoint Connection Attacks

While encryption will reduce the number of places where attackers can connect their malicious devices it
does not remove the risk completely. There are always some devices and networks that will sit behind an
encryptor into which an attacker can connect, for instance between a PLC and the encryptor. Another
potential risk is the connection of a temporary device, such as a maintenance workers laptop, to an
unauthorized port or system. An employee or sub-contractor could be authorized to work on one system,
but he or she accidentally or intentionally connects to a different system and cause malicious activity. To
minimize the risk of this occurring 802.1X port authentication can be deployed. Now every device
connecting to the network will require the use of an authorized digital certificate. This also allows an
administrator to control not only which devices can connect to a system but also to which ports. If port
authentication cannot be deployed on all devices, access control via MAC addresses can be used. While
this will not stop a dedicated attacker from spoofing a legitimate address it does provide the CyberFence
series an additional opportunity to detect an attack.
One beneficial aspect of a control system is that it is for the most part fairly static. Not much changes. An
attacker attempting to connect to a network does not know if port-based access control has been
implemented, and so will not know how to avoid detection. As soon as an attacker tries to connect, a
CyberFence series device will detect either the wrong MAC address or the failed certificate authentication
and provide instant alerts to that effect. Now the administrator can detect that attempt and follow incidentresponse procedures to identify the attempted breach.

1.9. Internal Host-based Attacks

One of the most popular and prolific ways of attacking a process control or automation system is to infect
one of the supporting PCs with malware. This could be anything from an HMI, engineering terminal, or log
server. As most of these computers run Windows and commercial software, malware attacks on these
systems are well-understood and more routinely accomplished even when antivirus is deployed. Once a
machine has been infected an attacker will often attempt to better understand the topology of the
compromised network and what other devices are available. This inevitably involves network scanning or
veiled probing activities. Most devices are good network citizens and so when probed by an infected
machine will respond back to the queries, enabling the attacker to gather more information to spread the
damage more widely across the system.
The use of CyberFence series devices will not only interrupt the actions of an attacker but very quickly
identify that an attacker is attempting to probe the network, then alert an administrator. The DarkNode
Technology in the CyberFence series devices will make them invisible to an attacker probing the network,
and the firewall functionality will prevent any scans from reaching critical network devices. T attackers wont
be able to gather any additional information and they won't know why. The administrator can obtain realtime alerts that this is occurring. Even if an internal PC is compromised with malware, an attackers ability to

Ultra Electronics, 3eTI 2015

12

May 2015

CyberFence

expand the footprint into the wider network is severely hampered, and the administrator is alerted early to
the compromise even when the PCs antivirus misses the initial infection.

1.10. Server Compromise or Insider-Based Attacks

One of the most challenging and worrying risks is the compromise of a process control server or similar
system. These servers have the authority to communicate with all the critical edge devices, and issue
commands. Likewise an insider with access to the HMI or control system can directly issue dangerous or
malicious commands. Authentication and firewall controls will not detect or prevent this type of attack
because the compromised machine is authorized to issue commands.
Almost all controllers and industrial protocols support a wide range of capabilities, normally much wider than
used for normal operations. For instance, a controller configured to provide readings will also support being
written to even outside of normal operation. The CyberFence series application-level DPI will detect and
prevent unauthorized commands from being executed even if they are legitimately formatted. Likewise, an
insider may be capable of setting a control value (e.g. set-point value) to an abnormal or dangerous level.
Sometimes, but not always, this is prevented by the HMI or control logic. The insider also may modify the
acceptable limits. A CyberFence series device can inspect the control message and not only detect what
type of command is being sent, but also what the values in the command are, then determine if such a
setting is permissible.
Even if the malware does not send its own malicious traffic, there have been instances when malware
manipulates commands before they are sent. Therefore what the operator tells the system to do is not what
the controller receives and actually executes. This discrepancy can look either like a fault with the controller
or the HMI, but not necessarily like a cyber-attack. This type of attack can only be prevented through
methods that validate what has been received.
The CyberFence series DPI capability ensures that legitimate and safe operations will be executed by a
controller, and that what has been received is what the operator intended. If any manipulation has occurred,
the operator will know and then report it to the network administrator for further investigation.

1.11. Zero-day attacks

Almost every week new vulnerabilities are published by ICS-CERT, meaning that almost every week a
different set of users are finding themselves vulnerable to new attacks. Mitigating these vulnerabilities can
be a long and drawn-out process. The equipment vendor must produce a patch, the patch must be robustly
tested, and then it must be comprehensively deployed in the real system. In some cases these
vulnerabilities are only discovered when on-going attacks are taking place, denoting the vulnerability is a
zero-day. How do operators protect themselves against an attack they dont know is intended for them?
How do operators protect themselves against an attacker who knows their system better than they do?
The defense-in-depth protection offered by the CyberFence series dramatically limits the available and
vulnerable attack surface of a critical device. Even though the critical device may support wide ranging
functionality and configurations, the CyberFence series devices ensure that only those functions that are
required for operation are exposed to the wider network. They also ensure that only legitimate and wellformed packets are allowed through. This makes exploitation extremely difficult. Should any zero-day attack

Ultra Electronics, 3eTI 2015

13

May 2015

CyberFence

be found in a system, a new DPI rule can be written to detect, drop, and alert should that attack be
attempted. This ensures protection for the critical device until the vendor issues a patch.

6. Summary
No control system will be completely cyber secure, nor will a single product provide the complete solution.
Instead a risk-informed holistic security approach is needed, one that provides a layered set of defenses
that include specific protections for critical edge devices. Performing firewall, intrusion detection, and deeppacket-inspection can all be done at the network core, which is normally acceptable in enterprise systems.
But for critical systems this is a highly risky approach. A single misconfiguration or change to the operation
can leave large numbers of critical devices accessible and vulnerable. A central firewall would not prevent
an insider threat performing a malicious action, or even detect it. A network segregation device (e.g. datadiode) should keep a system 'air gapped,' but would not prevent malicious code from being inserted into the
system via other means (USB stick, software update). Instead, by moving the defense to the edge, risk is
kept to a minimum; any error in a devices configuration will only affect that single device and not the whole
network.
The CyberFence series of devices offers customers the protection they need in an easily deployed and
managed solution. By providing out-of-band management and alerting capabilities, the CyberFence series
can be safely deployed into an operational network and provide situational awareness about that network
without impacting performance. The CyberFence series is designed to make security-management real
time, like the operational environment.
3eTI appreciates that within the control industry the addition of security controls is not undertaken lightly.
Security typically impacts performance. In a critical operational environment, performance is paramount and
sometimes safety-critical. But without the addition of security the operational environment is at certain risk
of unsafe malicious operation. An appropriate security control, therefore, is one that minimizes impact on
the operational environment, tailored to the deployment of efficiently providing protection. A CyberFence
series device protecting an industrial plants control system will be deployed and configured differently from
the same plants monitoring system, or a buildings automation system. The CyberFence series solutions
are optimized for the unique environment in which they operate, balancing the risk management
requirements and operational limitations of demanding process control and automation systems.

About Ultra Electronics, 3eTI

Ultra Electronics, 3eTI is a leading cyber-technology company with products and systems that secure critical
infrastructure and improve operational efficiency. The company delivers certified solutions that protect and connect
critical systems using military-grade security for the defense, government, energy and industrial automation markets
worldwide.
3eTI helps preserve operational investments through advanced machine-to-machine (M2M) communications security,
secure wireless networks and innovative sensor network applications, leveraging new and legacy systems while
complying with highest government and industry standards. 3eTIs net-centric and OEM product portfolio includes
robust Wi-Fi and industrial wireless mesh networks, cyber-physical security, and integrated command and control, all of
which are approved for use by the governments. (www.ultra-3eti.com).

Ultra Electronics, 3eTI 2015

14

May 2015