Partner Perspectives

Defending Critical Infrastructure Without Air Gaps And Stopgap Security

Traditional IT security solutions need modifications to successfully defend critical infrastructure on tomorrow’s cyber battlefields.

There has recently been a great amount of discussion regarding critical infrastructure and its inherent security vulnerabilities. Critical infrastructure primarily comprises aging supervisory control and data acquisition (SCADA) and industrial control systems (ICS), which are far more pervasive than most people realize: The Department of Homeland Security has defined 16 separate critical infrastructure sectors, many of which include outdated cybersecurity protections.

Security Through Obscurity No Longer Works

The vast majority of critical infrastructure consists of aging industrial control systems that were designed to operate on isolated, “air-gapped” networks. If considered at all during protocol development and network design, security took a back seat to more pressing considerations such as low latency and uptime. Multisite connectivity typically occurs via secure WAN links on private telecom networks, and operators tend to emphasize physical security over cybersecurity. Today, however, the lack of attention given to network security during early development is becoming problematic as critical infrastructure is increasingly being connected in some fashion to the Internet, giving hackers a potential access point.

Many of these SCADA and ICS systems run proprietary code on legacy operating systems that have been refined over the decades. In fact, most programmable logic controllers, protocol converters, and data-acquisition servers within these systems lack even basic authentication, making them highly vulnerable to hacking. Today, many operators believe the legacy nature of their systems confers protection, which simply isn’t true. If an asset has potential value, there are cybercriminals and nation states with the means and motives to target it.

New Thinking For The Next Generation Of Critical Infrastructure

Complicating matters further, the administrators and operations personnel tasked with supporting critical infrastructure frequently have different priorities. Operational technology (OT) teams that maintain SCADA networks focus primarily on high resiliency and availability to keep production online at any cost, while information technology (IT) teams that manage corporate networks are more concerned with connectivity, security, and compliance. However, both teams understand today’s security imperative, and within most organizations these teams are actively planning the next generation of security architectures.

As the threat landscape shifts over time, both IT and OT security infrastructure must be able to adapt to new security needs, policies, and threat-detection methods. Single-function security devices will soon be a thing of the past, as security architecture becomes increasingly versatile. Firewalls, intrusion prevention systems (IPS), VPN gateways, and routers all perform vital roles. To achieve the infrequent scheduled downtime requirements of OT environments, these software-based devices must be updatable on the fly while performing the security or networking tasks at hand. And to minimize unscheduled downtime, they must be highly reliable or support active-active clustering with transparent failover options.

In addition to support for OT protocols, it’s clear that traditional IT security solutions will need some modifications to successfully defend critical infrastructure on tomorrow’s cyber battlefields. Here’s a list of some potential features and requirements to get started:                                 

  • Ensure High Performance, Resiliency, And Availability
    As the name implies, critical infrastructure must operate nonstop without performance degradation -- even when performing processing-intensive, deep-packet inspection and real-time emulation. In many cases, there’s no such thing as “scheduled downtime.” Therefore, clustering, load balancing, and automatic failover must be standard features of security solutions within critical infrastructure.

  • Make Endpoints More Intelligent And Secure
    The devastating effects of rogue data-scraping apps on point-of-sale systems were made abundantly clear in the aftermath of recent high profile data breaches. Prior to that, Stuxnet opened our eyes to what can happen when industrial programmable logic controllers are compromised within uranium-enrichment facilities.New and existing endpoints must become sentry points capable of validating the use of trusted applications andobserving all connections made by executables. They must share insights with firewalls, IPS, and other security devices across the network and be able to enforce application whitelisting and blacklisting, as well as terminate operation if they become compromised.

  • Protect And Connect Multiple Security Zones
    Security architecture must provide advanced protection from both known and unknown threats within each security zone and be able to securely link traffic between security zones, including distributed facilities. This is another area where traditional security devices have come up short. Creating security devices that can be deployed in multiple roles -- as stateful firewalls with VPN termination, IPsec VPN gateways for multisite connectivity, or next-generation firewalls with IPS and application control, for example -- enables much tighter security throughout the organization. Moreover, the ability to manage the system with a common security console and share security data in a bidirectional manner -- regardless of protocol or connection type -- gives critical infrastructure architects and operators new levels of flexibility and management simplicity.

  • Monitor And Manage The Entire System
    It’s impossible to overstate the importance of integrated monitoring and management. Threats can pass between IT, SCADA, and ICS zones, so it’s essential to have end-to-end visibility of critical infrastructure and be able to correlate information across systems to identify and mitigate threats. Placing intelligence on all endpoints allows these devices to share security data and be managed as part of an overall architecture. A global management console not only allows remote provisioning, management, and updating of software on all critical infrastructure devices, it enables application whitelisting and other security policies to be pushed to devices. Tight integration between the global management console and security information and event monitoring (SIEM) solution will accelerate accurate situational awareness and reduce management time and expense. And last but not least, critical infrastructure solutions must simplify the task of compliance reporting and auditing. Integrated monitoring and management makes this possible.

Is our industry currently providing the security technologies, flexibility, and agility to empower critical infrastructure? In many cases I believe the answer is yes, which is good news, given that many of these solutions are also required to secure the Internet of Things and the future of IT overall. 

Editors' Choice
Elizabeth Montalbano, Contributor, Dark Reading
Nate Nelson, Contributing Writer, Dark Reading
Nate Nelson, Contributing Writer, Dark Reading