Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

3/28/2017
09:50 PM
Connect Directly
Twitter
Twitter
RSS
E-Mail
50%
50%

Should Trump Tackle Air-Gapped Critical Infrastructure?

MIT experts issue recommendations to the president, urging him to take elements of the electric grid and gas pipeline offline - but other security experts say that ship has sailed.

Experts from the Massachusetts Institute of Technology and stakeholders from US critical infrastructure companies weighed in today with a host of recommendations for the Trump administration on how to take meaningful action to protect the nation's vital systems. In addition to the usual advice to quit delaying a decision, the experts' report took a stand by suggesting that critical components of the electrical grid and gas pipeline need to be taken offline.

The advice comes by way of a major report out from MIT's Internet Policy Research Initiative at the Computer Science Artificial Intelligence Laboratory. The report is the culmination of a year's worth of work reaching out to stakeholders across four major economic sectors: electricity, finance, communications, and oil and natural gas. Written by a group of luminaries headed by principal author Joel Brenner, a former inspector general for the National Security Agency, the report offers a handful of pointed recommendations to the president about how critical infrastructure security coordination needs to be expeditiously advanced.

As the Trump administration starts to float proposed executive actions in regard to improving federal cybersecurity, there's been very little said about bolstering the protection of privately owned critical infrastructure. The authors of the report warn that this could be to the country's great detriment. They say that coordinated improvement of national cybersecurity interests must include privately owned critical infrastructure if the US is going to make meaningful headway in improving the national risk posture.

"The nation can no longer afford a pattern of uncoordinated executive action and scattershot research," the authors say. "Total security is not achievable. But a materially improved security environment for the infrastructure on which virtually all economic and social activity depends can be created with sufficient resources and political will."

One of the biggest technical bones of contention the authors have regards the widespread access by critical control components of the US electrical grid and gas pipelines to the public Internet. The report states that security pros overwhelmingly believe at least certain aspects of their systems need to be air-gapped from public networks. The problem is deciding which aspects.

"There are significant differences of opinion about appropriate degrees of isolation," the authors admit. They recommend to the president that his administration expedite in coordination with the Federal Energy Regulatory Commission and the North American Electric Reliability Corporation, a conference of state electricity regulators, to "explore the feasibility and expense of isolating key elements of electricity generation and delivery from public networks."

It's an interesting debate because, in many instances, the industrial control system (ICS) environment is growing more connected to public networks than ever.

"It seems counterintuitive, this recommendation, because the myth of the air gap disappeared years ago," says Phil Neray, vice president of industrial cybersecurity for CyberX. "And it's getting even more unfeasible to do an air gap now when we're moving towards smart grids and smart manufacturing, when there's an even bigger need to connect the [operation technology] to the IT network in order to do analytics and real-time intelligence."

According to Lane Thames, software development engineer and security researcher with Tripwire's vulnerability and exposure research team, the security community must face these facts with planning that takes into account the convergence of the cloud, the industrial Internet, and the Internet of Things, which is already happening now. Companies are moving forward with it to not only improve the efficiency of the essential infrastructure but also to improve reliability.

"Newer industrial control systems will, indeed, have connections to the cloud for applications such as big data analytics and such. For example, predictive maintenance, which is key for advanced smart manufacturing, requires such technology," he explains. "These cloud-based applications will also come with communication paradigms that essentially break, as a minimum, our current standard views and best practices of security in terms of perimeters and segmentation."

These aren't trends that can easily be stemmed, and air-gapping systems with increasingly complex interconnections will not only be unrealistic from a business sense but also technically difficult to do. Neray says that there are better way of mitigating the risks, namely through continuous monitoring for anomalies and continuous assessment for vulnerabilities in critical systems, as well as improving information sharing between public and private sector stakeholders.

More Than Technology
Whatever the technical solutions look like, experts seem to agree that it will take more than just technological advancement to move forward on critical infrastructure security.

"The challenges we face are not merely technical. They are also economic, managerial, behavioral, political, and legal. Indeed, the technical challenges may be the easiest to address. For example, aligning economic, tax, and liability incentives with the goal of higher security is not a technical challenge," the report said. "Realigning incentives would be a daunting task, but our critical infrastructure cannot be made reasonably secure unless we do."

Richard Clarke, for one, believes that it's going to regulation — a dirty word in Washington — to really make a dent in thing. At the S4 conference earlier this year, he suggested that the country needs to set regulatory deadlines industry by industry for rolling out security enhancements to new and legacy systems that affect critical infrastructure. He believes that the research for the right technical solutions will only follow this kind of hard-and-fast regulation, because significant investments need to be made.

"In the absence of regulation, none of this is going to happen," he said. "In the absence of regulation, no one company is going to say, 'I'm going to do this.' In the absence of regulation, no one sector is going to say, 'We are going to do this.'"

For his part, Neray agrees with the MIT report that tax incentives could also help do the trick.

"Tax incentives would be a great way to do it," he says. "Tax incentives are just generally more popular than more regulation. And incentives to spend more on continuous monitoring to protect our infrastructure — that sounds like a no-brainer to me."

Related Content:

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
3/30/2017 | 11:39:01 AM
Security ain't "Smart"
The real issue here is the perennial conflict between security and accessibility -- which are exact opposites of each other.  You can't have accessibility with 100% security, and you can't have security with 100% accessibility.

Similarly, you can't have a secure infrastructure AND IoT.
Where Businesses Waste Endpoint Security Budgets
Kelly Sheridan, Staff Editor, Dark Reading,  7/15/2019
US Mayors Commit to Just Saying No to Ransomware
Robert Lemos, Contributing Writer,  7/16/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-17210
PUBLISHED: 2019-07-20
An issue was discovered in PrinterOn Central Print Services (CPS) through 4.1.4. The core components that create and launch a print job do not perform complete verification of the session cookie that is supplied to them. As a result, an attacker with guest/pseudo-guest level permissions can bypass t...
CVE-2019-12934
PUBLISHED: 2019-07-20
An issue was discovered in the wp-code-highlightjs plugin through 0.6.2 for WordPress. wp-admin/options-general.php?page=wp-code-highlight-js allows CSRF, as demonstrated by an XSS payload in the hljs_additional_css parameter.
CVE-2019-9229
PUBLISHED: 2019-07-20
An issue was discovered on AudioCodes Mediant 500L-MSBR, 500-MBSR, M800B-MSBR and 800C-MSBR devices with firmware versions F7.20A to F7.20A.251. An internal interface exposed to the link-local address 169.254.254.253 allows attackers in the local network to access multiple quagga VTYs. Attackers can...
CVE-2019-12815
PUBLISHED: 2019-07-19
An arbitrary file copy vulnerability in mod_copy in ProFTPD up to 1.3.5b allows for remote code execution and information disclosure without authentication, a related issue to CVE-2015-3306.
CVE-2019-13569
PUBLISHED: 2019-07-19
A SQL injection vulnerability exists in the Icegram Email Subscribers & Newsletters plugin through 4.1.7 for WordPress. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system.