By Andrew Ginter
Today we are talking about a fairy tale. This tale doesn’t have princes or frogs, but instead it deals with SCADA and industrial control system security.
The existence of a “firewall” between control system networks and the rest of the world has been one of the most enduring fairy tales in the field of SCADA/ICS security. The idea is, in a properly designed system, there is a logical barrier between the control network and the business network. Since unauthorized information cannot cross such a “firewall,” bad things like hackers and worms can never get into critical control systems. From this, a corollary flows: “Companies that get worms in their systems obviously have not configured the proper ‘firewall’ and deserved to be infected.”
The real problem with the “firewall” concept is not the technology. The issue is that a “firewall” lulls companies into a false sense of security, making it a very scary fairy tale indeed. Even if there really is no logical connectivity, there is still good old-fashioned “sneakernet.” There is malicious or unintentional misuse by an operator who does get in. There is piggy-backing on vendor-recommended “essential” connections; isn’t that how Stuxnet propagated through “firewalls” in search of its target networks? There are drive-by downloads, attackers reaching through VPNs, and stolen passwords. So there are all sorts of ways for a cyber attack to cross that mythical “firewall.”
Now — substitute “air gap” for “firewall” in the above. Does it sound more familiar? Pretty much every one of these arguments which has recently been made against air gaps can also be made against firewalls, and quite a few more besides.
Does this mean we stop using firewalls? That would be nonsense. But ever since the recent burst of rants against air gaps by industry security experts, I have heard nothing but confusion from end users.
No security process or technology is perfect: not air gaps or firewalls, not patching or long passwords, not anti-virus or whitelisting, and not intrusion detection or SIEMs. As my martial arts instructor is fond of pounding into us students: for every defense there is an offense, and for every offense there is a defense. If the point we want to make is that there are no silver bullets, should we be out there confusing the issue by poking holes in one security technology after another? How about lining up the right way forward instead?
Stop Confusing Us
I have spoken to the authors of several of these recent “air gaps are dangerous and have never really existed” security rants and every one of them honestly maintains they are not trying to confuse practitioners. They are merely trying to point out how nothing is perfect and how you cannot rely on just one solution. Instead, they say, end users should be practicing defense-in-depth, both of security process and of security technology, for their control system equipment.
That’s a fine sentiment, but the message security practitioners are taking from the “air gaps have never existed” rants is not about defense-in-depth. It is that USB sticks are more dangerous than firewalls, and so air gaps should be replaced with weaker firewalls.
To start with, “air gaps never really existed” is historical revisionism. Air gaps clearly did exist. An air-gapped system was one which had no electrical/online connection to an external network. Yes, even back then, air-gapped systems still routinely exchanged information with external systems, but not through online connections. Instead, information was exchanged in the heads of system operators, in printed reports and occasionally on removable media. Retroactively redefining “air gap” as “exchanging no information whatsoever with any external system,” and so concluding that air gaps never did exist is not true to the history of computing, and discounts the threat of online attacks.
Online Attacks vs The Mighty USB
As for the fear of the mighty USB? The “air gap” criticisms make much of the dangers of USB sticks and imply that firewalls are safer. Let’s look at the spectrum of threats and see how modern-day attacks propagate and how we can combat them.
• High-volume, organized-crime-authored worms, viruses and botnets? These attacks are easily pulled through firewalls, and even pushed through them. They also propagate via USB sticks. Anti-virus systems do a fair job of catching high-volume threats, and application-control/whitelisting solutions do even better. A strong response to high-volume threats is an application control system deployed on your most vulnerable equipment, or at least an up-to-date anti-virus system, together with USB “media cleansing” stations that your people use habitually.
• Disgruntled insiders on the business WAN? These adversaries sometimes have accounts and passwords which provide online access to important systems through your control system firewalls. These people are well-positioned to social-engineer additional online access and privileges as well. Air gaps and unidirectional gateways block insider attacks from business networks more effectively than do firewalls. As for USB sticks, disgruntled business insiders are not authorized to physically enter the secure ICS server room and touch the equipment with a USB stick.
• Disgruntled ICS insiders? Are they really going to use USB sticks if they have VPN accounts through the firewalls and critical system passwords and access to the hardware? No — they’ll use their passwords. Or hammers.
• Advanced Persistent Threats? These adversaries do not use USB sticks. They use online attacks: Spear phishing or conventional web/SQL attacks to pass through firewalls, and then use manual remote control through the firewalls to propagate their attacks through their target network. Air gaps and unidirectional security gateways thoroughly defeat these online, remote control attacks.
• Stuxnet? Yes, Stuxnet propagated via USB sticks, but if you recall, it punched through firewalls like they weren’t there too. Replacing your air gap with a firewall does not protect you from Stuxnet. Further, once Stuxnet stopped being an under-the-radar threat and went high-volume, anti-virus vendors published signatures for the worm and that was the end of Stuxnet on AV-protected networks. Today, application control and AV solutions catch Stuxnet in a heartbeat.
In this spectrum of attacks, what should we really be worried about? High-volume threats are old news and we all know how to protect against them. Stuxnet was a massive investment based on serious insider intelligence. If you have an adversary willing to put sleepers on your staff 10 years ago, have those sleepers extract detailed intelligence as to how best to attack you, and then spend tens of millions of dollars to create a custom, automated attack targeted specifically at one of your sites, you need to get help from your own military and your intelligence agencies, not buy a firewall.
The big new threat which routinely defeats conventional defenses is the online attack: the “advanced,” targeted, remote-control intrusion. These adversaries reach through firewalls, fly under the anti-virus radar, and operate your computers by remote control. They are capable of sabotaging your control systems, even though the intent most frequently attributed to them is industrial espionage.
Strong security programs defend against our adversaries’ capabilities, not their intent. The combination of application control, habitual use of USB cleansing stations, and either air gaps or unidirectional gateways makes for a strong defensive posture, and it is a combination which many industrial sites are examining and implementing.
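To make the “media cleansing station” concrete, here is an added example of the kind of policy check such a station applies to a removable drive before its contents are allowed onto the control network. This is illustrative code written for this page, not the author’s or any vendor’s product. The policy it enforces is a hypothetical site rule: only a short list of document and data extensions may cross; executables, scripts, installers and autorun files never may; and individual files (a vendor patch bundle, say) can be pinned to a SHA-256 allowlist that was reviewed offline. The sample “USB stick” it scans is constructed in a temporary directory and is not real data.

```python
"""Added example: a minimal USB 'media cleansing' policy check.

Not the page author's or any vendor's code. The policy below is a
hypothetical site rule, chosen to illustrate the idea:
  * only a fixed set of document/data extensions may be transferred;
  * executables, scripts, installers and autorun files are never allowed;
  * a file whose SHA-256 is on a reviewed allowlist is allowed regardless
    of its name (e.g. a vendor patch bundle approved offline).
"""
import hashlib
import tempfile
from dataclasses import dataclass
from pathlib import Path

ALLOWED_EXTENSIONS = {".csv", ".pdf", ".txt", ".xml"}
BLOCKED_EXTENSIONS = {".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1",
                      ".vbs", ".js", ".msi", ".lnk"}
BLOCKED_NAMES = {"autorun.inf"}


@dataclass
class Finding:
    path: str
    verdict: str   # "allow" or "block"
    reason: str


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large media do not fill memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def looks_like_pe(path: Path) -> bool:
    """Check for the 'MZ' DOS header so a renamed executable (manual.pdf)
    is still caught; extension alone is not a trustworthy signal."""
    with path.open("rb") as f:
        return f.read(2) == b"MZ"


def scan_media(root: Path, approved_hashes: set[str]) -> list[Finding]:
    """Apply the policy to every file under root and return one verdict each."""
    findings = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = str(p.relative_to(root))
        name, ext = p.name.lower(), p.suffix.lower()
        if sha256_file(p) in approved_hashes:
            findings.append(Finding(rel, "allow", "sha256 on approved list"))
        elif name in BLOCKED_NAMES or ext in BLOCKED_EXTENSIONS:
            findings.append(Finding(rel, "block", f"blocked name/extension {ext or name}"))
        elif looks_like_pe(p):
            findings.append(Finding(rel, "block", "PE header under non-executable extension"))
        elif ext in ALLOWED_EXTENSIONS:
            findings.append(Finding(rel, "allow", "allowed extension"))
        else:
            findings.append(Finding(rel, "block", "extension not on allowlist"))
    return findings


def build_sample_media() -> tuple[Path, set[str]]:
    """Constructed sample 'USB stick' for the demo; contents are made up."""
    root = Path(tempfile.mkdtemp(prefix="usb_"))
    (root / "shift_report.csv").write_text("tag,value\nPT101,4.2\n")
    (root / "autorun.inf").write_text("[autorun]\nopen=setup.exe\n")
    (root / "setup.exe").write_bytes(b"MZ" + b"\x00" * 64)
    (root / "manual.pdf").write_bytes(b"MZ" + b"\x00" * 64)   # renamed executable
    (root / "notes.docx").write_bytes(b"PK\x03\x04")          # not on the allowlist
    patch = root / "vendor_patch.bin"
    patch.write_bytes(b"approved patch bundle")
    approved = {sha256_file(patch)}   # reviewed offline, pinned by hash
    return root, approved


def verdicts(findings: list[Finding]) -> dict[str, str]:
    return {f.path: f.verdict for f in findings}


if __name__ == "__main__":
    root, approved = build_sample_media()
    for f in scan_media(root, approved):
        print(f"{f.verdict:5} {f.path:20} {f.reason}")
```

Two design choices worth noting: the hash allowlist is checked first, so an approved vendor bundle passes even when its extension would otherwise be blocked, which is exactly the “pin it by digest, not by name” discipline a reviewed package deserves; and the PE-header check runs before the extension allowlist, so the policy is not defeated by simply renaming setup.exe to manual.pdf. A real station would also log every verdict and refuse to copy anything until an operator acknowledges the blocked items.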
Security experts: stop trashing one approach to security after another. Recommend strong security, and position security technologies correctly against the spectrum of threats and within defense-in-depth programs. Consistently add value through reasoned analysis. If you must point out the limitations of one technology, explain clearly either the stronger alternatives or the compensating measures to include in security programs.
Stop confusing security practitioners. Start teaching them.
Andrew Ginter is director of industrial security at Waterfall Security Solutions.