Today, our critical infrastructure is complicated. Industrial machines are controlled by overarching control systems known as Industrial Control Systems – Supervisory Control and Data Acquisition (ICS-SCADA), which are connected to so-called programmable logic controllers (PLCs) and remote terminal units (RTUs) via Operational Technology (OT) networks. Traditionally, ICS-SCADA systems were kept on a separate physical network, completely disconnected from the organization's administrative IT network and from the Internet. However, with the deployment of IIoT and various smart field devices such as flow and temperature sensors, the need to communicate between the administrative IT network and the industrial OT network increases. The problems arise precisely when OT networks and IT networks are no longer separated from each other.
For instance, an attacker with a presence on an organization's internal routing and switching infrastructure can monitor, modify, and deny traffic to and from key hosts inside the network and leverage trust relationships to move laterally to other hosts. In the case of ICS-SCADA attacks, the attacker can move from the IT network to the OT network via the routers and switches that connect them and manipulate SCADA protocol messages, creating dangerous configurations that could lead to loss of service or physical destruction. Furthermore, they can leverage a number of legacy protocols and service ports associated with network administration and use them to extract device configurations, harvest login credentials, identify vulnerable devices and much more.
Industrial Control Systems have been around for a long time, and they are often made up of older software that cannot easily be updated to account for emerging cyber threats. Therefore it is very important to consider the security implications that arise when you connect these legacy systems to the administrative IT network.
Protecting critical infrastructure requires both encryption and network segmentation. Segmentation lets you control the traffic that flows between the networks more precisely, and encryption protects against wiretapping and also protects the integrity of the data being sent.
Segmentation as such isn't new, but most organizations still rely on standard firewalls to control the data flow between the networks. The problem with firewalls is, of course, that they protect against known dangers only, and ransomware can find its way around a firewall and infect a network with grave consequences. Firewalls are also typically complex devices that can be misconfigured to allow traffic to flow in the wrong direction.
A more secure way to segment networks is to implement a so-called Cross Domain Solution. Cross Domain Solutions address the concept of communicating, sharing or moving information between domains (networks) and apply validation, transformation or filtering to the exchange. This type of solution is typically used by military and defense organizations, but critical infrastructure providers can raise their security level by considering a non-enterprise network segmentation technology consisting of data diodes and proxies, thereby enabling precise information exchange.
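To make the "validation, transformation or filtering" of a cross-domain proxy concrete, here is an added example (not code from the original post or from any vendor's product) of a default-deny protocol filter sitting on the IT/OT boundary. It assumes Modbus/TCP as a representative SCADA protocol and assumes the policy that the IT zone may only read from the OT zone: a request is forwarded into OT only if it is a well-formed frame carrying a read function code, and responses flow back only for those reads. Every write, unknown function code or malformed frame is dropped with a reason that can be logged. The Modbus/TCP framing and function codes are real; all sample frames are constructed for the demonstration.

```python
"""Read-only cross-domain protocol filter for Modbus/TCP (constructed example)."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Modbus/TCP MBAP header: transaction id, protocol id (always 0),
# length (number of bytes that follow the length field), unit id. Big-endian.
MBAP = struct.Struct(">HHHB")

READ_FUNCTIONS = {1, 2, 3, 4}             # read coils / discrete inputs / registers
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}  # coil and register writes: never forwarded
EXCEPTION_MASK = 0x7F                     # an exception response sets bit 0x80 of the function code


@dataclass
class Verdict:
    allowed: bool
    reason: str
    function_code: Optional[int] = None


def build_frame(tid: int, unit: int, function_code: int, payload: bytes) -> bytes:
    """Assemble a Modbus/TCP frame; used here only to construct sample traffic."""
    pdu = bytes([function_code]) + payload
    return MBAP.pack(tid, 0, 1 + len(pdu), unit) + pdu


def inspect_frame(frame: bytes, direction: str) -> Verdict:
    """Default-deny: anything not explicitly recognised and permitted is dropped."""
    if len(frame) < MBAP.size + 1:
        return Verdict(False, "truncated frame")
    _tid, proto, length, _unit = MBAP.unpack_from(frame)
    if proto != 0:
        return Verdict(False, "protocol id is not Modbus")
    if length != len(frame) - 6:
        return Verdict(False, "length field does not match frame size")
    fc = frame[MBAP.size]
    if direction == "it_to_ot":
        if fc in READ_FUNCTIONS:
            return Verdict(True, "read-only request forwarded to OT", fc)
        if fc in WRITE_FUNCTIONS:
            return Verdict(False, "write request blocked at the boundary", fc)
        return Verdict(False, "function code not on the allow-list", fc)
    if direction == "ot_to_it":
        # Responses (including exception responses) pass only for permitted read functions.
        if (fc & EXCEPTION_MASK) in READ_FUNCTIONS:
            return Verdict(True, "response to a permitted read forwarded to IT", fc)
        return Verdict(False, "response does not match a permitted request type", fc)
    return Verdict(False, f"unknown direction {direction!r}")


def sample_traffic() -> List[Tuple[str, bytes, str]]:
    """Constructed frames: (label, frame, direction)."""
    return [
        ("HMI polls 10 holding registers",
         build_frame(1, 1, 3, struct.pack(">HH", 0, 10)), "it_to_ot"),
        ("PLC answers the poll",
         build_frame(1, 1, 3, bytes([20]) + bytes(20)), "ot_to_it"),
        ("setpoint write from the IT zone",
         build_frame(2, 1, 6, struct.pack(">HH", 40, 0xFFFF)), "it_to_ot"),
        ("bulk coil write from the IT zone",
         build_frame(3, 1, 15, struct.pack(">HHB", 0, 8, 1) + b"\xff"), "it_to_ot"),
        ("frame whose length field disagrees with its size",
         build_frame(4, 1, 3, struct.pack(">HH", 0, 10))[:-1], "it_to_ot"),
        ("function code 0x5A, not on the allow-list",
         build_frame(5, 1, 0x5A, b"\x00"), "it_to_ot"),
    ]


def run_policy() -> List[Tuple[str, bool, str]]:
    """Apply the filter to the sample traffic and return (label, allowed, reason)."""
    results = []
    for label, frame, direction in sample_traffic():
        verdict = inspect_frame(frame, direction)
        results.append((label, verdict.allowed, verdict.reason))
    return results


def summary() -> Tuple[int, int]:
    """Return (forwarded, dropped) counts for the sample traffic."""
    results = run_policy()
    allowed = sum(1 for _, ok, _ in results if ok)
    return allowed, len(results) - allowed


if __name__ == "__main__":
    for label, ok, reason in run_policy():
        print(f"{'FORWARD' if ok else 'DROP   '}  {label}: {reason}")
    print("forwarded=%d dropped=%d" % summary())
```

The point of the design is the inversion relative to a firewall rule base: rather than enumerating what to block, the proxy enumerates the few message types the business process needs and drops everything else, including frames that are syntactically suspicious. A physical data diode would remove the OT-to-IT return path altogether; the proxy policy above is what remains when a narrow, validated exchange is still required.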
It is time for the industry to take a more military-grade approach to cybersecurity!