Editor’s Note: This is Part II of an excerpt from Eric Byres’ Practical SCADA Security blog at Tofino Security.
By Eric Byres
When it comes to Advanced Persistent Threats (APTs), companies need a complete focused effort, rather than using the shotgun approach of trying to protect everything equally.
Professor Paul Dorey just presented a paper about the seven important lessons the IT world has learned in managing APTs. In a previous post we covered Lesson 1; here we will focus on Lessons 2, 3 and 4, and how to apply them to ICS and SCADA security.
Professor Dorey’s talk discussed the seven advanced approaches that the best companies are using to deal with APTs. His Advanced Approach 1 involved setting what he called “Controls Coverage”. The objective is to focus protection efforts on your company’s most important assets, rather than using the shotgun approach of trying to protect everything equally.
Lesson 2: Focus on Detection, Not Protection
Advanced Approach 2 centers on “Control Focus.” If you are going to spend money on security controls, what types of controls are the most effective? Professor Dorey notes that Detective Controls (i.e. those technologies and processes that detect attacks) are more effective against modern cyber threats when compared to Preventative Controls like firewalls, data diodes and anti-virus software.
Now you might think that a person that designs and sells ICS/SCADA firewalls for a living would be dead against Professor Dorey’s approach. I’m not. The fact is, after reviewing countless control systems and attacks against control systems, the industrial automation world is terrible at detecting anything unusual on their control network. Few companies can even discover when a contractor has attached an unauthorized laptop to their system, never mind detect a sophisticated, stealthy attack.
The old “security in the dark” approach has to end. SCADA and ICS engineers need to get a better handle on what sort of traffic is travelling over the control network. To address this, a major focus at Tofino Security in the past year has been the addition of strong reporting technologies. For example, modules like the Secure Asset Management LSM are designed to detect and report when unexpected devices join your network.
Similarly, deep packet inspection (DPI) modules for the Modbus and OPC protocols provide detailed reporting to third-party Security Information and Event Management (SIEM) systems. So if your read-only remote operator station suddenly starts trying to program a PLC, you can get an immediate alert that trouble is brewing in your control system.
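The two detections just described (an unlisted device appearing on the network, and a read-only station issuing write commands) can be expressed as one small policy check. The following Python script is an added example, not Tofino code or any product's implementation: it parses the Modbus/TCP MBAP header, flags frames from a source address that is not in an asset inventory, flags function codes that a device's role does not permit, and emits a key=value line only when something is wrong. The inventory, roles, IP addresses, sample frames and the output line format are all constructed assumptions, and "programming a PLC" is approximated as any Modbus function code other than the four read functions.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Modbus public function codes that only read data (FC 1-4: read coils,
# discrete inputs, holding registers, input registers). Anything else is
# treated as a write or diagnostic action. Assumption: a PLC "programming"
# attempt shows up on the wire as write function codes; vendor-specific
# download protocols would need their own decoder.
READ_FCS = {1, 2, 3, 4}

# Hypothetical asset inventory: IP -> role. A source not listed here is an
# unexpected device (the contractor-laptop case).
INVENTORY = {
    "192.168.10.20": "operator_readonly",
    "192.168.10.30": "engineering",
    "192.168.10.5": "plc",
}
# Per-role policy: function codes a device may send. None means any.
POLICY = {"operator_readonly": READ_FCS, "engineering": None}


@dataclass
class Mbap:
    transaction_id: int
    unit_id: int
    function_code: int


def parse_mbap(frame: bytes) -> Mbap:
    """Parse the 7-byte MBAP header plus the function code of a Modbus/TCP frame."""
    if len(frame) < 8:
        raise ValueError("frame too short")
    tid, proto, length, unit, fc = struct.unpack(">HHHBB", frame[:8])
    if proto != 0:
        raise ValueError(f"bad protocol id {proto}")
    # The length field counts the unit id plus the PDU, i.e. everything
    # after the first six bytes; a mismatch means a truncated or bogus frame.
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} != {len(frame) - 6}")
    return Mbap(tid, unit, fc)


def inspect(src_ip: str, dst_ip: str, frame: bytes) -> Optional[dict]:
    """Return an alert dict if the frame violates policy, otherwise None."""
    base = {"src": src_ip, "dst": dst_ip}
    try:
        hdr = parse_mbap(frame)
    except ValueError as exc:
        return {**base, "severity": "high", "reason": "malformed_modbus", "detail": str(exc)}
    role = INVENTORY.get(src_ip)
    if role is None:
        return {**base, "severity": "high", "reason": "unknown_device", "fc": hdr.function_code}
    allowed = POLICY.get(role)
    if allowed is not None and hdr.function_code not in allowed:
        return {**base, "severity": "critical", "reason": "fc_not_allowed",
                "role": role, "fc": hdr.function_code, "unit": hdr.unit_id}
    return None


def to_syslog(alert: dict) -> str:
    """Flatten an alert into a key=value line (assumed SIEM ingest format)."""
    return "modbus_dpi " + " ".join(f"{k}={v}" for k, v in alert.items())


def run(events) -> list:
    """Inspect (src_ip, dst_ip, frame) tuples; return only the alerts."""
    return [a for a in (inspect(s, d, f) for s, d, f in events) if a]


# Constructed sample traffic toward the PLC.
PLC = "192.168.10.5"
READ_HR = bytes.fromhex("000100000006010300000008")         # FC3: read 8 holding registers
WRITE_HR = bytes.fromhex("00020000000901100000000102beef")  # FC16: write 1 holding register
BAD_PROTO = bytes.fromhex("000300010006010300000008")       # protocol id 1 (not Modbus)
SAMPLE_EVENTS = [
    ("192.168.10.20", PLC, READ_HR),    # operator station reads: allowed
    ("192.168.10.20", PLC, WRITE_HR),   # operator station writes: alert
    ("192.168.10.30", PLC, WRITE_HR),   # engineering station writes: allowed
    ("192.168.10.99", PLC, READ_HR),    # address not in inventory: alert
    ("192.168.10.20", PLC, BAD_PROTO),  # malformed frame: alert
]

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(to_syslog(alert))
```

Three of the five sample frames produce an alert; the two that match policy are silent, which is the point: the SIEM sees the write from the read-only station and the unlisted address, not the thousands of routine polls.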
Lesson 3: Move Your Perspective from Perimeter-based to Data-centric
The third lesson for successful APT containment is to change your security focus from controlling the perimeter to controlling specific collections of data, regardless of where they are in space and time. For example, if a financial company can ensure customer credit card records are encrypted at all times (and the keys to decrypt the records are not leaked), then the loss of a laptop with these records is of limited importance.
Or take the case of Bradley Manning, the young U.S. Army private who leaked thousands of classified documents to WikiLeaks. If these sensitive documents had always been encrypted and Bradley had only been able to view them with a controlled application at his desk, then his ability to share so many documents would have been limited. Instead, it is clear the US Army’s security strategy was to leave them unencrypted (or in a form that was easy to convert to an unencrypted form) and hope these documents never left the perimeter of the U.S. military base. Obviously, this “perimeter-focused” strategy failed badly.
At first glance, applying this lesson to ICS and SCADA systems appears to be difficult as data confidentiality is of far less importance to the control system. But substitute the word “process” or “asset” for the word “data,” and it makes sense. A “process-centric” or “asset-centric” approach to managing security means making sure that specific high value processes continue to function reliably regardless of what else is happening around them. The safety world, with standards like IEC 61508 and IEC 61511, has a long history of using this sort of approach.
Lesson 4: Why Log? Compliance versus Threat Detection
The final Advanced Approach lesson for today looks at the reason we log security events (assuming we log them at all). Too many of the sites I visit, especially sites trying to pass NERC-CIP audits, log only for compliance reasons. They generate massive log collections, but if anyone ever bothers to analyze the logs, it is only after something really bad has happened. By then it is too late.
Now effective threat detection doesn’t mean poring over thousands of logs every day. It means optimizing what information you collect so that dangerous anomalies stand out, rather than get buried in the noise.
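One way to make anomalies stand out instead of reading every line is to learn which flows are normal for the control network and then report only what is new or rare, collapsing the rest into per-flow counts. The Python below is an added example, not from the original post: it builds a baseline of (action, source, destination, port) flows from one day of constructed firewall logs, then triages the next day, surfacing flows that were never seen before or occur only a handful of times and summarizing the routine polling traffic as counts. The log line format, addresses and the rarity threshold are all assumptions.

```python
import re
from collections import Counter

# Assumed syslog-like firewall line format (constructed, not a vendor format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) fw (?P<action>ACCEPT|DROP) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def generate_day(day: str, include_anomaly: bool) -> list:
    """Constructed sample: a day of control-network firewall logs."""
    lines = []
    for m in range(1440):  # one polling cycle per minute
        ts = f"{day}T{m // 60:02d}:{m % 60:02d}:00"
        # HMI polls the PLC over Modbus/TCP every minute.
        lines.append(f"{ts} fw ACCEPT src=192.168.10.20 dst=192.168.10.5 dport=502")
        if m % 5 == 0:  # historian collects from the HMI every five minutes
            lines.append(f"{ts} fw ACCEPT src=192.168.20.7 dst=192.168.10.20 dport=135")
        if m % 7 == 0:  # internet scanner dropped at the outer firewall
            lines.append(f"{ts} fw DROP src=203.0.113.9 dst=192.168.1.1 dport=22")
    if include_anomaly:
        # An address never seen before talks Modbus to the PLC, twice.
        lines.append(f"{day}T02:13:41 fw ACCEPT src=192.168.10.99 dst=192.168.10.5 dport=502")
        lines.append(f"{day}T02:14:02 fw ACCEPT src=192.168.10.99 dst=192.168.10.5 dport=502")
    return lines


def parse(line: str):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def key_of(ev: dict) -> tuple:
    """The flow identity the baseline is built on (timestamp deliberately excluded)."""
    return (ev["action"], ev["src"], ev["dst"], ev["dport"])


def learn_baseline(lines) -> set:
    """Set of flow keys seen during a period believed to be clean."""
    return {key_of(ev) for ev in map(parse, lines) if ev}


def triage(lines, baseline: set, rare_threshold: int = 3):
    """Split a day's logs into (anomalies, digest, unparsed).

    anomalies: events whose flow is absent from the baseline or occurs at
               most rare_threshold times today (each line kept in full).
    digest:    every other flow collapsed to a single count.
    unparsed:  lines the regex did not match; never silently dropped.
    """
    events, unparsed = [], []
    for line in lines:
        ev = parse(line)
        (events if ev else unparsed).append(ev if ev else line)
    counts = Counter(key_of(ev) for ev in events)
    anomalies = [ev for ev in events
                 if key_of(ev) not in baseline or counts[key_of(ev)] <= rare_threshold]
    digest = {k: c for k, c in counts.items()
              if k in baseline and c > rare_threshold}
    return anomalies, digest, unparsed


if __name__ == "__main__":
    baseline = learn_baseline(generate_day("2012-06-01", include_anomaly=False))
    today = generate_day("2012-06-02", include_anomaly=True) + ["garbage line from a misconfigured sensor"]
    anomalies, digest, unparsed = triage(today, baseline)
    print(f"{len(today)} lines -> {len(anomalies)} anomalies, {len(digest)} summarized flows, {len(unparsed)} unparsed")
    for ev in anomalies:
        print("ANOMALY", ev["ts"], key_of(ev))
    for k, c in digest.items():
        print("DIGEST ", c, k)
```

Roughly 1,900 lines collapse to three digest rows plus the two lines from the unknown address, which is what an operator can actually read each morning. The threshold and the flow key are the tuning knobs: a key that ignores the destination port would hide a known host opening a new service, so keep the key as specific as the traffic on that segment allows.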
Lessons 1 to 4 – A Realistic Unified Security Strategy
Look back at Lesson 1 – “Focus protection on your most important assets” and compare it with the three lessons from today. What you will notice is that these four lessons are highly related around the concept of focused effort. For example, effective threat detection is only possible if you focus your controls on detection and focus your coverage on what matters. Unfocused approaches to security that try to protect everything inside a perimeter are too complex and too expensive.
So think about what processes and assets you really want to protect in your SCADA or ICS system and start focusing on those. Think about what would indicate trouble in your system and focus on detecting that. Advance your security approach from scattered to focused and save time, money and effort. You might just save your company from the next APT.
Eric Byres is chief technology officer at Tofino Security. Click here to read the full version of the Practical SCADA Security blog.