Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives  Connecting marketers to our tech communities.
8/13/2015
10:08 AM
Raja Patel
Raja Patel
Partner Perspectives
50%
50%

Defending Critical Infrastructure Without Air Gaps And Stopgap Security

Traditional IT security solutions need modifications to successfully defend critical infrastructure on tomorrow's cyber battlefields.

There has recently been a great amount of discussion regarding critical infrastructure and its inherent security vulnerabilities. Critical infrastructure primarily comprises aging supervisory control and data acquisition (SCADA) and industrial control systems (ICS), which are far more pervasive than most people realize: The Department of Homeland Security has defined 16 separate critical infrastructure sectors, many of which include outdated cybersecurity protections.

Security Through Obscurity No Longer Works

The vast majority of critical infrastructure consists of aging industrial control systems that were designed to operate on isolated, “air-gapped” networks. If considered at all during protocol development and network design, security took a back seat to more pressing considerations such as low latency and uptime. Multisite connectivity typically occurs via secure WAN links on private telecom networks, and operators tend to emphasize physical security over cybersecurity. Today, however, the lack of attention given to network security during early development is becoming problematic as critical infrastructure is increasingly being connected in some fashion to the Internet, giving hackers a potential access point.

Many of these SCADA and ICS systems run proprietary code on legacy operating systems that have been refined over the decades. In fact, most programmable logic controllers, protocol converters, and data-acquisition servers within these systems lack even basic authentication, making them highly vulnerable to hacking. Today, many operators believe the legacy nature of their systems confers protection, which simply isn’t true. If an asset has potential value, there are cybercriminals and nation states with the means and motives to target it.

New Thinking For The Next Generation Of Critical Infrastructure

Complicating matters further, the administrators and operations personnel tasked with supporting critical infrastructure frequently have different priorities. Operational technology (OT) teams that maintain SCADA networks focus primarily on high resiliency and availability to keep production online at any cost, while information technology (IT) teams that manage corporate networks are more concerned with connectivity, security, and compliance. However, both teams understand today’s security imperative, and within most organizations these teams are actively planning the next generation of security architectures.

As the threat landscape shifts over time, both IT and OT security infrastructure must be able to adapt to new security needs, policies, and threat-detection methods. Single-function security devices will soon be a thing of the past, as security architecture becomes increasingly versatile. Firewalls, intrusion prevention systems (IPS), VPN gateways, and routers all perform vital roles. To achieve the infrequent scheduled downtime requirements of OT environments, these software-based devices must be updatable on the fly while performing the security or networking tasks at hand. And to minimize unscheduled downtime, they must be highly reliable or support active-active clustering with transparent failover options.

In addition to support for OT protocols, it’s clear that traditional IT security solutions will need some modifications to successfully defend critical infrastructure on tomorrow’s cyber battlefields. Here’s a list of some potential features and requirements to get started:                                 

  • Ensure High Performance, Resiliency, And Availability
    As the name implies, critical infrastructure must operate nonstop without performance degradation -- even when performing processing-intensive, deep-packet inspection and real-time emulation. In many cases, there’s no such thing as “scheduled downtime.” Therefore, clustering, load balancing, and automatic failover must be standard features of security solutions within critical infrastructure.

  • Make Endpoints More Intelligent And Secure
    The devastating effects of rogue data-scraping apps on point-of-sale systems were made abundantly clear in the aftermath of recent high profile data breaches. Prior to that, Stuxnet opened our eyes to what can happen when industrial programmable logic controllers are compromised within uranium-enrichment facilities.New and existing endpoints must become sentry points capable of validating the use of trusted applications andobserving all connections made by executables. They must share insights with firewalls, IPS, and other security devices across the network and be able to enforce application whitelisting and blacklisting, as well as terminate operation if they become compromised.

  • Protect And Connect Multiple Security Zones
    Security architecture must provide advanced protection from both known and unknown threats within each security zone and be able to securely link traffic between security zones, including distributed facilities. This is another area where traditional security devices have come up short. Creating security devices that can be deployed in multiple roles -- as stateful firewalls with VPN termination, IPsec VPN gateways for multisite connectivity, or next-generation firewalls with IPS and application control, for example -- enables much tighter security throughout the organization. Moreover, the ability to manage the system with a common security console and share security data in a bidirectional manner -- regardless of protocol or connection type -- gives critical infrastructure architects and operators new levels of flexibility and management simplicity.

  • Monitor And Manage The Entire System
    It’s impossible to overstate the importance of integrated monitoring and management. Threats can pass between IT, SCADA, and ICS zones, so it’s essential to have end-to-end visibility of critical infrastructure and be able to correlate information across systems to identify and mitigate threats. Placing intelligence on all endpoints allows these devices to share security data and be managed as part of an overall architecture. A global management console not only allows remote provisioning, management, and updating of software on all critical infrastructure devices, it enables application whitelisting and other security policies to be pushed to devices. Tight integration between the global management console and security information and event monitoring (SIEM) solution will accelerate accurate situational awareness and reduce management time and expense. And last but not least, critical infrastructure solutions must simplify the task of compliance reporting and auditing. Integrated monitoring and management makes this possible.

Is our industry currently providing the security technologies, flexibility, and agility to empower critical infrastructure? In many cases I believe the answer is yes, which is good news, given that many of these solutions are also required to secure the Internet of Things and the future of IT overall. 

Raja Patel is vice president in the Intel Security Group and general manager of the Network Security business unit at Intel Corporation. He is responsible for defining and executing the strategic direction for Intel Security's Network Security business, which includes network ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
How SolarWinds Busted Up Our Assumptions About Code Signing
Dr. Jethro Beekman, Technical Director,  3/3/2021
News
'ObliqueRAT' Now Hides Behind Images on Compromised Websites
Jai Vijayan, Contributing Writer,  3/2/2021
News
Attackers Turn Struggling Software Projects Into Trojan Horses
Robert Lemos, Contributing Writer,  2/26/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: George has not accepted that the technology age has come to an end.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2009-20001
PUBLISHED: 2021-03-07
An issue was discovered in MantisBT before 2.24.5. It associates a unique cookie string with each user. This string is not reset upon logout (i.e., the user session is still considered valid and active), allowing an attacker who somehow gained access to a user's cookie to login as them.
CVE-2020-28466
PUBLISHED: 2021-03-07
This affects all versions of package github.com/nats-io/nats-server/server. Untrusted accounts are able to crash the server using configs that represent a service export/import cycles. Disclaimer from the maintainers: Running a NATS service which is exposed to untrusted users presents a heightened r...
CVE-2021-27364
PUBLISHED: 2021-03-07
An issue was discovered in the Linux kernel through 5.11.3. drivers/scsi/scsi_transport_iscsi.c is adversely affected by the ability of an unprivileged user to craft Netlink messages.
CVE-2021-27365
PUBLISHED: 2021-03-07
An issue was discovered in the Linux kernel through 5.11.3. Certain iSCSI data structures do not have appropriate length constraints or checks, and can exceed the PAGE_SIZE value. An unprivileged user can send a Netlink message that is associated with iSCSI, and has a length up to the maximum length...
CVE-2021-27363
PUBLISHED: 2021-03-07
An issue was discovered in the Linux kernel through 5.11.3. A kernel pointer leak can be used to determine the address of the iscsi_transport structure. When an iSCSI transport is registered with the iSCSI subsystem, the transport's handle is available to unprivileged users via the sysfs file system...