May 2015
CyberFence
Table of Contents
1. Introduction .......................................................................................................................................... 3
2. Risk Management
3. CyberFence Devices
4. CyberFence Security
5.
6. Summary ............................................................................................................................................. 14
1. Introduction
Over the past few years a great deal has been achieved in terms of industrial control systems (ICS) cyber
security. Almost all industry sectors are taking notice of the threats and are pursuing standards and best
practices for how to protect themselves. For the most part these standards and practices advise similar
methodologies: define a critical system's perimeter, erect perimeter defenses, and control what comes in
and goes out. This has resulted in a large number of 'secure systems,' which are essentially networks of
segregated enclaves with restricted access from public networks. This is great protection against an
attacker trying to penetrate your network from a publicly accessible one such as the Internet, which is a
legitimate threat. It needs mitigating, but is it the threat we should be most worried about?
One of the biggest problems with the segregated enclave approach is that once an attacker is in that enclave
there isn't much security to prevent him or her from doing almost anything. Once the perimeter is breached,
typically the system is owned and the damage done. Attackers are human; they prefer easy over hard and
less risk to more risk. Attacking a system from the public side using well-known vectors is one of the easiest
and least risky methods, which is why it is so prevalent. A reasonable and best-practice approach would be
to install strong perimeter defenses, such as data-diodes or gateways, and stop that attack vector.
However, while this will stop a cursory attack from a public network, it won't stop a dedicated attacker, who
will instead target a more weakly defended approach. It also will not stop an insider who has access into the
secure enclave.
There are myriad ways to gain access to the critical process control network that do not involve access over
a public network such as the Internet. These include the inadvertent or unauthorized use of a USB stick, the
connection of an infected maintenance contractor's laptop, the intentional infection by an insider, or a
corrupted patch. Any one of these approaches would bypass the perimeter security and cause an unwanted
cyber-impact to the critical process control network.
Instead, security engineers should take the approach of preventing a vulnerability from being exploited, rather
than preventing a specific attack vector. In many industrial control systems the vulnerability waiting for
exploitation is that of programmable logic controllers (PLCs), which are reliable but not robust. When
operated correctly a PLC is one of the most reliable computing devices deployed; however, if told to do
something unexpected or non-standard, it more often than not fails or malfunctions. Therefore, if an attacker
wanted to cause physical damage or impact a facility's operations, their goal would be to interfere with
PLC-related communications.
Traditionally hackers would come at this through a publicly accessible interface and make their way down to
the control domain. By deploying good perimeter defense we have made this attack vector much more
difficult, if not impossible. But we have not mitigated the vulnerability. The PLC is still not robust, and if an
attack breaches the perimeter it will still succeed. This is a risk that is acknowledged in the guidance by
recommending antivirus on all PCs, including those in the control enclave. If there were no risk, why run
antivirus? If this vulnerability remains but the most prevalent attack vector is closed, what is the risk that it
will still be exploited?
There are plenty of familiar methods for breaching the perimeter: Stuxnet infected air-gapped systems
through infected USB sticks; engineers continue to bring devices and computers on-site when providing
maintenance; vendors still have remote access to their systems over dedicated links. Trying to guess and
mitigate the next attack vector is a cat-and-mouse game that the defender will never win. The truth is
embedded systems don't have adequate security and continue to be at risk of an attacker maliciously
interfering with them and their controlling computers. If we want to protect a system we need to mitigate the
vulnerability, not prevent the attack vector. Once an attacker can communicate on your network, he or she
can interfere with control communications, disrupt timing messages, send damaging messages to the
controllers, or simply conduct a denial of service attack against a system or component.
In response to the increased use of strong perimeter security from public networks, hackers have
increasingly migrated to hacker drop-boxes. These are low-cost disposable computers that are left within a
victim's facility to act as a physical Trojan horse. If an attacker can gain access to your facility, or use
someone who can, they can drop a small computer where no one would look and, through it, gain a
permanent foothold into your system.
Cheap but powerful computers such as the Raspberry Pi or Arduino combined with hacker toolkits such as
Kali and a disposable cell phone give attackers an easy way to hack into an ICS network for under $100. In
a large and disparate facility or office building, would anyone notice a small device about the size of two
decks of cards? Would they even question its existence? How about if it was hidden in plain sight disguised
as another PLC? Due to the prevalence of information on the Internet, almost anyone can build a
penetration device that can be slipped into a pocket on the way to work, then surreptitiously connected to
the network, and remotely accessed anytime and from anywhere desired. For ease of use and low risk this
is a great vector for an attacker, and currently bypasses almost all guidance and best-practice protections.
The greatest risk of this type of attack is from a malicious insider. These individuals have access,
knowledge, and the motivation to cause damage ranging from nuisance to catastrophic.
In an attempt to help address these problems, Ultra Electronics, 3eTI created CyberFence, a series of
devices to protect industrial control and automation systems. CyberFence has been independently validated
to official standards including Federal Information Processing Standards (FIPS) 140-2 and Common Criteria
for its security implementation. CyberFence also has been vulnerability-tested thoroughly by government
agencies such as the Department of Energy's Idaho National Laboratory. As this whitepaper will outline,
3eTI's CyberFence solution provides critical system protection as part of a holistic cyber-security solution.
More than just a firewall, network segregation and monitoring solution, it provides a unique defense-in-depth
solution focusing on protecting the most critical and vulnerable devices in a facility from a wide range
of cyber and physical attacks.
2. Risk Management
Due to the unique and complex interconnection and implementation of different control and monitoring
systems, the cyber-attack vectors and their associated risks are varied and specific to each deployment.
How corporate networks, remote workers, network architectures, and removable media all interface with the
control domain will introduce unique vulnerabilities and provide pathways for an attacker to perform a
malicious action. Strict guidelines and one-size-fits-all solutions do not lend themselves to solving this
problem. The needs of an auto manufacturing plant will be different from those of a nuclear power station or
water treatment facility. Some systems are safety critical, some contain industrial secrets, and each has a
different value to their owners. In security terms every installation and customer has a unique critical-asset
list, threat assessment, risk appetite and operational limitation. A product or system designed for one
architecture will not ideally fit the needs of another. Instead you need a tailored solution specifically
configured to the customer's real-world situation. It is necessary to balance the utility need for efficient
operation with the security required for safe operation.
The correct way to define that tailored solution is through a risk management process. Defining what is and
what is not acceptable will enable the owner to determine where function is more important than security,
and where security is more important than utility. In reality choosing utility over security need not mean a
reduction in protection. By employing a defense-in-depth approach to security, both functional and security
requirements can be met at the same time. The vulnerability that is exposed to enable more efficient
operation can be mitigated using a different layer of security.
These different layers combine together to give a level of protection greater than that provided by any single
layer or solution. This is why, in addition to utilizing perimeter firewalls, enterprises still deploy endpoint
security for their desktop PCs (e.g. antivirus). The defense provided by a firewall does not by itself provide
enough protection for the desktop PC. This layered approach is the same one 3eTI and international
standards advocate for an industrial control and automation system. While there are endpoint protection
products available for the desktop PC, there were not any available for critical embedded computers such
as PLCs or remote automation solutions (RTUs). This is why 3eTI developed the CyberFence series of
products - to deploy a defense-in-depth solution that provides endpoint protection for critical devices.
3. CyberFence Devices
A holistic solution requires many different tools, such as data-diodes separating corporate and control
domains, firewalls regulating network connections, and antivirus monitoring workstations. However, in the
control and monitoring domain, protection doesn't spread much farther than the network core. Most
solutions focus on network activity, attempting, like a traffic cop, to detect an attack through the congestion of
normal operations. However, attacks don't typically target the network or clearly identify themselves when
passing over it. Instead, as Stuxnet showed, the ultimate aim of a control system attack is to manipulate or
control a critical edge device, i.e. the device sitting at the edge of the network interfacing with the real world,
such as a programmable logic controller. Located at the edge of the network, the CyberFence series is
designed to protect these critical edge devices by acting as personal bodyguards, providing defense-in-depth
protection from cyber-attacks. It does this by integrating a number of discrete protection mechanisms
together to more assertively regulate access and communication to the more vulnerable and critical devices
and systems.
There are currently four different devices within the CyberFence series, each of which provides a similar set
of features, and a common management approach, while providing the right set of security controls for a
given application. The customer can choose from a wide range of encryption, authentication, throughput,
firewall, and deep-packet-inspection (DPI) capabilities to find the right solution for the requirement.
Solutions | Description | Where | Encrypt | Mbps Cap.
DarkNode | FIPS Layer 2 DID Crypto | Used within critical networks where latency & integrity are paramount | V-LAN | ~120
EtherGuard | FIPS Layer 3 DID Crypto | Used across networks, e.g. between facilities or over the Internet | VPN | ~120
EtherWatch | SCADA Firewall | Used to protect industrial devices from malicious attack | - | ~120
UltraCrypt | High Speed Encryption | Used to protect high-speed private networks or leased lines | V-LAN | ~450
Further columns of the original table (Tech., Firewall, DPI, FIPS 140-2 Level 2, Common Criteria, Suite B, 802.1X, OutBand Mgmt, DarkNode Tech.) carried per-device marks that are not recoverable in this copy.
EtherWatch is the most advanced SCADA firewall available in the market. It provides both straight firewall
and application-level deep-packet-inspection capabilities, which means it can control not only what
protocols are allowed, but also what commands within the protocol can be sent and even what those
commands can say.
DarkNode provides the same advanced capabilities as EtherWatch but also introduces FIPS validated
Ethernet encryption. DarkNode can encrypt multiple different VLANs with different encryption keys to
provide cryptographically separated communications within the same network, and prevent unauthorized
devices from monitoring or maliciously interfering with the traffic. DarkNode has been specifically designed
to provide low-latency encryption for environments such as industrial control and automation that would
like to use encryption but for which no adequate solution exists.
EtherGuard allows those with remote critical devices or systems to safely and securely connect them back
to the core network over less secure or public networks such as the Internet. EtherGuard provides FIPS
validated VPN encryption with additional protections such as port authentication and access control policies
to ensure that only authorized devices can utilize the encrypted channel, and that their communications are
not manipulated or intercepted en-route.
UltraCrypt provides high-speed, low-latency VLAN encryption for those customers who use private
networks or leased lines to communicate their data, but who don't trust the integrity or confidentiality of
those links.
All devices within the CyberFence series have the capability to be managed both locally and remotely using
a variety of industry standard network management methods, such as SNMP, SOAP XML, and HTML,
allowing them to be managed from a wide variety of network management systems. Most importantly each
device can be remotely managed via a completely separate network interface from user-data to provide true
out-of-band management. These management interfaces provide multiple ways for communicating security
alerts and notifications in the case of malicious or anomalous activity.
Any CyberFence series device can be easily integrated into the customer's security infrastructure and
provide data feeds for their Security Incident & Event Management (SIEM) system either in real-time or via
log retrieval. Therefore any process control or automation network can achieve the same level of security
and real-time monitoring that enterprise networks enjoy today. And through the use of open industry
standard interfaces, customers are not constrained by vendor lock-in or stove-piped proprietary solutions.
Part of what differentiates the CyberFence series of devices from other industrial firewall or security
products is that the CyberFence series has been independently validated by a variety of government
agencies and laboratories on its implementation and robustness. Trust in the CyberFence series security
capabilities comes not only from the over 60 years Ultra Electronics has been producing information
assurance products for governments and industry worldwide, but also from the fact that independent
experts have extensively looked at and tested it for weaknesses and vulnerabilities. The encryption within
the product range has been certified under the Cryptographic Module Validation Process (CMVP) to FIPS
140-2 Level 2. Likewise the product implementation has been assessed by NIAP under the Common
Criteria Evaluation & Validation Scheme. Finally the end-product has been black-box security evaluated by
a number of different government agencies including Idaho National Laboratory, the U.S. Department of
Energys lead nuclear and security research establishment and home of the National SCADA Test Bed
Program.
The CyberFence series range has also undergone physical and environmental testing to ensure that the
products can be used within normal and hazardous locations safely. As a result they have been tested to
meet IECEx, Class I Div 2, and Atex certifications, and are applicable for use in a wide-range of industrial
and enterprise environments. For more information on the list of certifications please contact Ultra
Electronics, 3eTI directly.
4. CyberFence Security
CyberFence combines a number of different capabilities to create a tailored cyber-defense. As each
industrial deployment is unique and reflects unique threats, vulnerabilities, critical assets, and risk appetites,
it requires individual solutions tailored to specific needs. EtherGuard implements both static protection
controls and active defensive controls. The static protection controls are those elements (e.g. encryption,
firewall, authentication) that provide protection even when no attack is taking place, the defensive walls so
to speak. Build these walls high and thick enough and you can deter or prevent a large number of attackers
from exploiting your system. However, there are always those attacks that can get past your static
defenses, which is why you need guards manning the walls proactively looking for attacks and responding
to them through, for example, deep packet inspection and heuristic analysis. Combining layers of static and
active defenses creates solid defense-in-depth protection.
If a network does not implement port authentication but the user would still like to control logical access to
the network, then access control policies can be used. The user can control which devices are authorized to
connect to a CyberFence series device's given ports based on MAC address. While this does not provide a
cryptographically authenticated method, it does prevent unsophisticated attackers or accidental connections
to the wrong ports.
1.4. Firewall
Even if a user has authorization to communicate through the CyberFence series device, it doesn't mean that
they obtain the authority to communicate with everyone and everywhere on the network. All devices in the
CyberFence series except UltraCrypt implement a firewall which can control where users are allowed to
communicate and which protocols they can use. This ensures that any critical device behind a CyberFence
series product can control who can communicate with it, and is not left open to anyone on the network to
connect to. The CyberFence series provides critical devices with an endpoint firewall that can not only
protect the device from the network, but also protect the network against any compromised device
attempting to form unauthorized connections.
Firewall alerts can both be securely logged and remotely distributed so that security systems can be
immediately alerted to any unauthorized or anomalous connection attempts.
not required. In fact, encryption provides two main protections - confidentiality and integrity, with integrity
being the more important attribute within control networks. The integrity protection that encryption provides
ensures that attackers with physical access to the network cannot manipulate the traffic, generate any of
their own, or replay old traffic and go undetected. The confidentiality protection that comes with it is a
bonus.
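The integrity argument above, as an added illustration (example code, not DarkNode's or any CyberFence device's implementation; a plain HMAC under a constructed shared key stands in for a FIPS-validated module): a sequence number and an authentication tag on each frame payload let the receiver reject the manipulated, forged and replayed traffic the text lists, while the payload itself travels in the clear.

```python
"""Frame integrity without confidentiality: each payload carries a sequence
number and an HMAC-SHA256 tag under a shared key (constructed for the
example). The receiver rejects manipulated, forged and replayed frames."""
import hashlib
import hmac
import struct

TAG_LEN = 16       # truncated tag; a constructed choice for this example
SEQ_LEN = 8


class Sender:
    def __init__(self, key: bytes):
        self.key, self.seq = key, 0

    def protect(self, payload: bytes) -> bytes:
        """Prepend a fresh sequence number and append the tag; payload stays in clear."""
        self.seq += 1
        body = struct.pack(">Q", self.seq) + payload
        tag = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        return body + tag


class Receiver:
    def __init__(self, key: bytes, window: int = 64):
        self.key, self.window = key, window
        self.highest = 0       # highest sequence number accepted so far
        self.seen = set()      # accepted numbers still inside the window

    def verify(self, frame: bytes):
        """Return (True, payload) or (False, reason); a False result is an alert."""
        if len(frame) < SEQ_LEN + TAG_LEN:
            return False, "truncated frame"
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expect = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expect):     # manipulated or forged
            return False, "authentication tag mismatch"
        seq = struct.unpack(">Q", body[:SEQ_LEN])[0]
        if seq <= self.highest - self.window or seq in self.seen:
            return False, "replay of sequence %d" % seq
        self.seen.add(seq)
        if seq > self.highest:                         # slide the window forward
            self.highest = seq
            self.seen = {s for s in self.seen if s > seq - self.window}
        return True, body[SEQ_LEN:]


if __name__ == "__main__":
    key = b"constructed-demo-key"
    tx, rx = Sender(key), Receiver(key)
    good = tx.protect(b"SET valve_1=40")
    print(rx.verify(good))                                            # accepted
    print(rx.verify(good))                                            # replay rejected
    print(rx.verify(good[:8] + b"SET valve_1=99" + good[-TAG_LEN:]))  # tampered
```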
expand the footprint into the wider network is severely hampered, and the administrator is alerted early to
the compromise even when the PC's antivirus misses the initial infection.
be found in a system, a new DPI rule can be written to detect, drop, and alert should that attack be
attempted. This ensures protection for the critical device until the vendor issues a patch.
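The three levels of deep-packet-inspection control described for EtherWatch in Section 3 (which protocol, which commands, and what those commands may say) together with the "detect, drop, and alert" virtual-patch rule above, as an added example; this is illustrative code, not 3eTI's or CyberFence's implementation, and it assumes Modbus/TCP as the protocol since the paper names none. The policy values, register ranges and the malformed-request rule are constructed for the example.

```python
"""Minimal application-level DPI for Modbus/TCP (protocol assumed). Controls
which function codes are allowed and what writes may say (register ranges,
value limits); one rule acts as a 'virtual patch' that drops and alerts."""
import struct
from dataclasses import dataclass, field

READ_HOLDING, WRITE_SINGLE, WRITE_MULTIPLE = 0x03, 0x06, 0x10

@dataclass
class Policy:
    allowed_functions: set
    writable: range                               # registers the HMI may write
    limits: dict = field(default_factory=dict)    # register -> (low, high)

def parse_mbap(pkt: bytes):
    """Return (unit_id, pdu); raise ValueError if the MBAP header is bad."""
    if len(pkt) < 8:
        raise ValueError("short frame")
    _tid, proto, length, unit = struct.unpack(">HHHB", pkt[:7])
    if proto != 0:                                # protocol level
        raise ValueError("protocol id %d is not Modbus" % proto)
    if length != len(pkt) - 6:
        raise ValueError("MBAP length field does not match frame")
    return unit, pkt[7:]

def inspect(pkt: bytes, policy: Policy):
    """Return ('allow', reason) or ('drop', reason); every drop is an alert."""
    try:
        unit, pdu = parse_mbap(pkt)
    except ValueError as err:
        return "drop", "malformed: %s" % err
    fc = pdu[0]
    if fc not in policy.allowed_functions:        # command level
        return "drop", "function 0x%02x not permitted" % fc
    if fc == WRITE_SINGLE:                        # content level
        if len(pdu) != 5:
            return "drop", "malformed write-single"
        reg, val = struct.unpack(">HH", pdu[1:5])
        if reg not in policy.writable:
            return "drop", "write to register %d not permitted" % reg
        low, high = policy.limits.get(reg, (0, 0xFFFF))
        if not low <= val <= high:
            return "drop", "value %d for register %d outside [%d, %d]" % (val, reg, low, high)
    elif fc == WRITE_MULTIPLE:
        if len(pdu) < 6:
            return "drop", "malformed write-multiple"
        reg, count, nbytes = struct.unpack(">HHB", pdu[1:6])
        # Virtual-patch rule (hypothetical): byte count must match the register
        # count and the PDU length, otherwise drop and alert.
        if count == 0 or nbytes != 2 * count or len(pdu) != 6 + nbytes:
            return "drop", "write-multiple byte count mismatch (virtual patch)"
        if any(r not in policy.writable for r in range(reg, reg + count)):
            return "drop", "write-multiple spans non-writable registers"
    return "allow", "function 0x%02x to unit %d" % (fc, unit)

def frame(tid: int, unit: int, pdu: bytes) -> bytes:
    """Build a Modbus/TCP frame; used here to construct sample traffic."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

HMI_POLICY = Policy({READ_HOLDING, WRITE_SINGLE, WRITE_MULTIPLE},
                    range(100, 110), {105: (0, 500)})

if __name__ == "__main__":
    samples = [frame(1, 1, bytes([READ_HOLDING, 0, 100, 0, 4])),          # read: allow
               frame(2, 1, bytes([WRITE_SINGLE, 0, 105, 1, 245])),        # 501 > limit
               frame(3, 1, bytes([0x08, 0, 0, 0, 0])),                    # diagnostics
               frame(4, 1, bytes([WRITE_MULTIPLE, 0, 100, 0, 2, 3, 0, 1, 0]))]
    for s in samples:
        print(inspect(s, HMI_POLICY))
```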
6. Summary
No control system will be completely cyber secure, nor will a single product provide the complete solution.
Instead a risk-informed holistic security approach is needed, one that provides a layered set of defenses
that include specific protections for critical edge devices. Performing firewall, intrusion detection, and
deep-packet-inspection can all be done at the network core, which is normally acceptable in enterprise systems.
But for critical systems this is a highly risky approach. A single misconfiguration or change to the operation
can leave large numbers of critical devices accessible and vulnerable. A central firewall would not prevent
an insider threat performing a malicious action, or even detect it. A network segregation device (e.g. data-diode)
should keep a system 'air gapped,' but would not prevent malicious code from being inserted into the
system via other means (USB stick, software update). Instead, by moving the defense to the edge, risk is
kept to a minimum; any error in a device's configuration will only affect that single device and not the whole
network.
The CyberFence series of devices offers customers the protection they need in an easily deployed and
managed solution. By providing out-of-band management and alerting capabilities, the CyberFence series
can be safely deployed into an operational network and provide situational awareness about that network
without impacting performance. The CyberFence series is designed to make security-management real
time, like the operational environment.
3eTI appreciates that within the control industry the addition of security controls is not undertaken lightly.
Security typically impacts performance. In a critical operational environment, performance is paramount and
sometimes safety-critical. But without the addition of security the operational environment is at certain risk
of unsafe malicious operation. An appropriate security control, therefore, is one that minimizes impact on
the operational environment, tailored to the deployment so that it provides protection efficiently. A CyberFence
series device protecting an industrial plant's control system will be deployed and configured differently from
the same plant's monitoring system, or a building's automation system. The CyberFence series solutions
are optimized for the unique environment in which they operate, balancing the risk management
requirements and operational limitations of demanding process control and automation systems.