
Ultra 3eTI CyberFence WhitePaper

CyberFence May 2015


Ultra Electronics, 3eTI © 2015, May 2015

Table of Contents

1. Introduction
2. Risk Management
3. CyberFence Devices
4. CyberFence Security
   1.1. Data Encryption
   1.2. DarkNode Technology
   1.3. Port Authentication & Access Control
   1.4. Firewall
   1.5. Application-Level Deep Packet Inspection
   1.6. Alerting & Reporting
5. Attacks & Mitigations
   1.7. Network Connection Attacks
   1.8. Endpoint Connection Attacks
   1.9. Internal Host-based Attacks
   1.10. Server Compromise or Insider-Based Attacks
   1.11. Zero-day attacks
6. Summary


1. Introduction Over the past few years a great deal has been achieved in terms of industrial control systems (ICS) cyber security. Almost all industry sectors are taking notice of the threats and are pursuing standards and best practices for how to protect themselves. For the most part these standards and practices advise similar methodologies: define a critical system’s perimeter, erect perimeter defenses and control what comes in and goes out. This has resulted in a large number of ‘secure systems’, which are essentially networks of segregated enclaves with restricted access from public networks. This is good protection against an attacker trying to penetrate your network from a publicly accessible one such as the Internet, which is a legitimate threat. It needs mitigating, but is it the threat we should be most worried about?

One of the biggest problems with the segregated enclave approach is that once an attacker is inside the enclave there isn’t much security to prevent him or her from doing almost anything. Once the perimeter is breached, typically the system is owned and the damage is done. Attackers are human; they prefer easy over hard and less risk over more risk. Attacking a system from the public side using well-known vectors is one of the easiest and least risky methods, which is why it is so prevalent. A reasonable and best-practice approach would be to install strong perimeter defenses, such as data diodes or gateways, and stop that attack vector. However, while this will stop a cursory attack from a public network, it won’t stop a dedicated attacker, who will instead target a more weakly defended approach. It also will not stop an insider who has access into the secure enclave.

There are myriad ways to gain access to the critical process control network that do not involve access over a public network such as the Internet. These include the inadvertent or unauthorized use of a USB stick, the connection of an infected maintenance contractor’s laptop, the intentional infection by an insider, or a corrupted patch. Any one of these approaches would bypass the perimeter security and cause an unwanted cyber-impact to the critical process control network.

Instead, security engineers should take the approach of preventing a vulnerability from being exploited, rather than preventing a specific attack vector. In many industrial control systems the vulnerability waiting for exploitation is that of programmable logic controllers (PLCs), which are reliable but not robust. When operated correctly a PLC is one of the most reliable computing devices deployed; however, if told to do something unexpected or non-standard, it more often than not fails or malfunctions. Therefore, if an attacker wants to cause physical damage or impact a facility’s operations, the goal will be to interfere with PLC-related communications.

Traditionally hackers would come at this through a publicly accessible interface and make their way down to the control domain. By deploying good perimeter defense we have made this attack vector much more difficult, if not impossible. But we have not mitigated the vulnerability. The PLC is still not robust, and if an attack breaches the perimeter it will still succeed. This risk is acknowledged in the guidance by recommending antivirus on all PCs, including those in the control enclave. If there were no risk, why run antivirus? If this vulnerability remains, but the most prevalent attack vector is closed, what is the risk that it will still be exploited?

There are plenty of familiar methods for breaching the perimeter: Stuxnet infected air-gapped systems through infected USB sticks; engineers continue to bring devices and computers on-site when providing maintenance; vendors still have remote access to their systems over dedicated links. Trying to guess and mitigate the next attack vector is a cat-and-mouse game that the defender will never win. The truth is that embedded systems don’t have adequate security and continue to be at risk of an attacker maliciously interfering with them and their controlling computers. If we want to protect a system we need to mitigate the vulnerability, not prevent the attack vector. Once an attacker can communicate on your network, he or she can interfere with control communications, disrupt timing messages, send damaging messages to the controllers, or simply conduct a denial of service attack against a system or component.

In response to the increased use of strong perimeter security from public networks, hackers have increasingly migrated to hacker ‘drop-boxes.’ These are low-cost disposable computers that are left within a victim’s facility to act as a physical Trojan horse. If an attacker can gain access to your facility or use someone who can, they can drop a small computer where no one would look and, through it, gain a permanent foothold into your system.

Cheap but powerful computers such as the Raspberry Pi or Arduino combined with hacker toolkits such as Kali and a disposable cell phone give attackers an easy way to hack into an ICS network for under $100. In a large and disparate facility or office building, would anyone notice a small device about the size of two decks of cards? Would they even question its existence? How about if it was hidden in plain sight disguised as another PLC? Due to the prevalence of information on the Internet, almost anyone can build a penetration device that can be slipped into a pocket on the way to work, then surreptitiously connected to the network, and remotely accessed anytime and from anywhere desired. For ease of use and low risk this is a great vector for an attacker, and currently bypasses almost all guidance and best-practice protections. The greatest risk of this type of attack is from a malicious insider. These individuals have access, knowledge, and the motivation to cause damage ranging from nuisance to catastrophic.

[Figure: Typical Industrial Network Architecture]


In an attempt to help address these problems, Ultra Electronics, 3eTI created CyberFence, a series of devices to protect industrial control and automation systems. CyberFence has been independently validated to official standards including Federal Information Processing Standards (FIPS) 140-2 and Common Criteria for its security implementation. CyberFence also has been vulnerability-tested thoroughly by government agencies such as the Department of Energy’s Idaho National Laboratory. As this whitepaper will outline, 3eTI’s CyberFence solution provides critical system protection as part of a holistic cyber-security solution. More than just a firewall, network segregation and monitoring solution, it provides a unique defense-in-depth solution focusing on protecting the most critical and vulnerable devices in a facility from a wide range of cyber and physical attacks.

2. Risk Management Due to the unique and complex interconnection and implementation of different control and monitoring systems, the cyber-attack vectors and their associated risks are varied and specific to each deployment. How corporate networks, remote workers, network architectures, and removable media all interface with the control domain will introduce unique vulnerabilities and provide pathways for an attacker to perform a malicious action. Strict guidelines and one-size-fits-all solutions do not lend themselves to solving this problem. The needs of an auto manufacturing plant will be different from those of a nuclear power station or water treatment facility. Some systems are safety critical, some contain industrial secrets, and each has a different value to their owners. In security terms every installation and customer has a unique critical-asset list, threat assessment, risk appetite and operational limitation. A product or system designed for one architecture will not ideally fit the needs of another. Instead you need a tailored solution specifically configured to the customer’s real-world situation. It is necessary to balance the utility need for efficient operation with the security required for safe operation.

The correct way to define that tailored solution is through a risk management process. Defining what is and what is not acceptable will enable the owner to determine where function is more important than security, and where security is more important than utility. In reality choosing utility over security need not mean a reduction in protection. By employing a defense-in-depth approach to security, both functional and security requirements can be met at the same time. The vulnerability that is exposed to enable more efficient operation can be mitigated using a different layer of security.

These different layers combine to give a level of protection greater than that provided by any single layer or solution. This is why, in addition to utilizing perimeter firewalls, enterprises still deploy endpoint security for their desktop PCs (e.g. antivirus). The defense provided by a firewall does not by itself provide enough protection for the desktop PC. This layered approach is the same one 3eTI and international standards advocate for an industrial control and automation system. While there are endpoint protection products available for the desktop PC, there were none available for critical embedded computers such as PLCs or remote terminal units (RTUs). This is why 3eTI developed the CyberFence series of products: to deploy a defense-in-depth solution that provides endpoint protection for critical devices.


The CyberFence series of products ensures that each critical device has the individual protection it needs with its normal operation left undisturbed. 3eTI understands that the addition of security into the process control domain must not negatively impact performance or reliability. This is why CyberFence has been designed specifically to support the needs of industrial control and automation.

3. CyberFence Devices A holistic solution requires many different tools, such as data diodes separating corporate and control domains, firewalls regulating network connections, and antivirus monitoring workstations. However, in the control and monitoring domain, protection doesn’t spread much farther than the network core. Most solutions focus on network activity, attempting, like a traffic cop, to spot an attack amid the congestion of normal operations. However, attacks don’t typically target the network or clearly identify themselves when passing over it. Instead, as Stuxnet showed, the ultimate aim of a control system attack is to manipulate or control a critical edge device, i.e. the device sitting at the edge of the network interfacing with the real world, such as a programmable logic controller. Located at the edge of the network, the CyberFence series is designed to protect these critical edge devices by acting as personal bodyguards, providing defense-in-depth protection from cyber-attacks. It does this by integrating a number of discrete protection mechanisms to more assertively regulate access and communication to the more vulnerable and critical devices and systems.

[Figure: Defense-in-Depth (DID) Architecture]


There are currently four different devices within the CyberFence series, each of which provides a similar set of features, and a common management approach, while providing the right set of security controls for a given application. The customer can choose from a wide range of encryption, authentication, throughput, firewall, and deep-packet-inspection (DPI) capabilities to find the right solution for the requirement.

EtherWatch is the most advanced SCADA firewall available in the market. It provides both straight firewall and application-level deep-packet-inspection capabilities, which means it can control not only what protocols are allowed, but also what commands within the protocol can be sent and even what those commands can say.

DarkNode provides the same advanced capabilities as EtherWatch but also introduces FIPS-validated Ethernet encryption. DarkNode can encrypt multiple VLANs with different encryption keys to provide cryptographically separated communications within the same network, and prevent unauthorized devices from monitoring or maliciously interfering with the traffic. DarkNode has been specifically designed to provide low-latency encryption for environments such as industrial control and automation that would like to use encryption but for which no adequate solution exists.

EtherGuard allows those with remote critical devices or systems to safely and securely connect them back to the core network over less secure or public networks such as the Internet. EtherGuard provides FIPS validated VPN encryption with additional protections such as port authentication and access control policies to ensure that only authorized devices can utilize the encrypted channel, and that their communications are not manipulated or intercepted en-route.

Solution overview:

Solution   | Description             | Where used                                                       | DPI | Firewall | Encrypt | Mbps | FIPS 140-2 Level 2 | Common Criteria | Suite B Cap. | 802.1X | Out-of-Band Mgmt | DarkNode Tech.
DarkNode   | FIPS Layer-2 DID Crypto | Within critical networks where latency & integrity are paramount | X   | X        | VLAN    | ~120 | X                  | X               | X            |        | X                | X
EtherGuard | FIPS Layer-3 DID Crypto | Across networks, e.g. between facilities or over the Internet    | X   | X        | VPN     | ~120 | X                  | X               | X            | X      | X                |
EtherWatch | SCADA Firewall          | To protect industrial devices from malicious attack              | X   | X        |         | ~120 |                    | X               |              |        | X                | X
UltraCrypt | High Speed Encryption   | To protect high-speed private networks or leased lines           |     |          | VLAN    | ~450 | X                  | X               | X            |        | X                | X

[Figure: Benefits of Cyber Security Defense-in-Depth (DID)]


UltraCrypt provides high-speed low-latency VLAN encryption for those customers who use private networks or leased lines to communicate their data, but who don’t trust the integrity or confidentiality of those links.

All devices within the CyberFence series can be managed both locally and remotely using a variety of industry-standard network management methods, such as SNMP, SOAP/XML, and an HTTPS web interface, allowing them to be managed from a wide variety of network management systems. Most importantly, each device can be remotely managed via a network interface completely separate from user data, providing true out-of-band management. These management interfaces provide multiple ways of communicating security alerts and notifications in the case of malicious or anomalous activity.

Any CyberFence series device can be easily integrated into the customer’s security infrastructure and provide data feeds for their Security Information and Event Management (SIEM) system, either in real time or via log retrieval. Therefore any process control or automation network can achieve the same level of security and real-time monitoring that enterprise networks enjoy today. And through the use of open industry-standard interfaces, customers are not constrained by vendor lock-in or stove-piped proprietary solutions.

Part of what differentiates the CyberFence series of devices from other industrial firewall or security products is that the CyberFence series has been independently validated by a variety of government agencies and laboratories for its implementation and robustness. Trust in the CyberFence series security capabilities comes not only from the over 60 years Ultra Electronics has been producing information assurance products for governments and industry worldwide, but also from the fact that independent experts have extensively examined and tested it for weaknesses and vulnerabilities. The encryption within the product range has been certified under the Cryptographic Module Validation Program (CMVP) to FIPS 140-2 Level 2. Likewise the product implementation has been assessed by NIAP under the Common Criteria Evaluation & Validation Scheme. Finally, the end product has been black-box security evaluated by a number of different government agencies, including Idaho National Laboratory, the U.S. Department of Energy’s lead nuclear and security research establishment and home of the National SCADA Test Bed Program.

The CyberFence series range has also undergone physical and environmental testing to ensure that the products can be used safely within normal and hazardous locations. As a result they have been tested to meet IECEx, Class I Div 2, and ATEX certifications, and are applicable for use in a wide range of industrial and enterprise environments. For more information on the list of certifications please contact Ultra Electronics, 3eTI directly.

4. CyberFence Security CyberFence combines a number of different capabilities to create a tailored cyber-defense. As each industrial deployment is unique and reflects unique threats, vulnerabilities, critical assets, and risk appetites, it requires an individual solution tailored to its specific needs. EtherGuard implements both static protection controls and active defensive controls. The static protection controls are those elements (e.g. encryption, firewall, authentication) that provide protection even when no attack is taking place, the defensive walls so to speak. Build these walls high and thick enough and you can deter or prevent a large number of attackers from exploiting your system. However, there are always attacks that can get past your static defenses, which is why you need guards manning the walls, proactively looking for attacks and responding to them through, for example, deep packet inspection and heuristic analysis. Combining layers of static and active defenses creates solid defense-in-depth protection.

1.1. Data Encryption

All devices except EtherWatch provide end-to-end encryption of user data. This means that any data sent by a user via a CyberFence series device is encrypted from the source all the way to its destination. No attacker on the network between the CyberFence series devices is able to intercept, manipulate, or participate in the communications. 3eTI uses only government-grade and FIPS-validated encryption algorithms and key management solutions, and performs its encryption in hardware to ensure low latency. Customers can select the algorithm and encryption mode suitable for their implementation, including NSA Suite B. Likewise, all management activity takes place over an authenticated HTTPS session that is itself reachable only through an encrypted VPN or VLAN tunnel; this lets an administrator control which users can perform management activities, even among those already authorized to send data.

1.2. DarkNode Technology

All devices except EtherGuard have DarkNode Technology built in. DarkNode Technology allows the CyberFence series device to operate stealthily on the network, invisible to attackers and users alike. An attacker scanning the network or inspecting traffic cannot detect the presence of the CyberFence series device. This enables quick and easy deployment as the device is transparent on the network, requiring no additional network configuration. It also stymies attackers as the only indication that they will have of a CyberFence series device is that their attacks are failing, and they cannot tell why.

While EtherGuard does not implement full DarkNode Technology (as it creates a Layer 3 encrypted VPN tunnel), it does provide obfuscation and stealth capabilities. EtherGuard carefully limits what information it makes available to other network devices, frustrating information gathering activities. By wrapping all traffic over a single cryptographically assured VPN tunnel it obstructs an attacker’s ability to detect who is talking, what they are saying, and even how many devices are participating. The network topology behind EtherGuard is hidden.

1.3. Port Authentication & Access Control

EtherGuard implements 802.1X port authentication on all its user data ports. It is therefore capable not only of authenticating itself to whatever network it is connected to, but, more importantly, of letting the user control which devices are allowed to connect to the EtherGuard and communicate through the encrypted tunnel. As EtherGuard is used to connect devices securely over a less-trusted or public network, the critical device or system being connected is likely to be in a remote location. This means that any device connecting to the EtherGuard has connectivity back into the home network, so port authentication allows a network administrator to authenticate and control every device that connects.

The other devices in the CyberFence series (DarkNode, UltraCrypt, EtherWatch) do not provide port authentication capabilities themselves, but they don’t hamper its deployment. As they are transparent to the network they can be used inside a network utilizing 802.1X port authentication.


If a network does not implement port authentication but the user would still like to control logical access to the network, then access control policies can be used. The user can control what devices are authorized to connect to a CyberFence series device’s given ports based on MAC address. While this does not provide a cryptographically authenticated method it does prevent unsophisticated attackers or accidental connections to the wrong ports.

1.4. Firewall

Even if a user is authorized to communicate through the CyberFence series device, it doesn’t mean that they have the authority to communicate with everyone and everywhere on the network. All devices in the CyberFence series except UltraCrypt implement a firewall which can control where users are allowed to communicate and which protocols they can use. This ensures that any critical device behind a CyberFence series product can control who communicates with it, and is not left open to anyone on the network. The CyberFence series provides critical devices with an endpoint firewall that can not only protect the device from the network, but also protect the network against any compromised device attempting to form unauthorized connections.

Firewall alerts can both be securely logged and remotely distributed so that security systems can be immediately alerted to any unauthorized or anomalous connection attempts.

1.5. Application-Level Deep Packet Inspection

Firewalls have historically been used to control who can talk to whom, but not what was being said. However, this is an issue within critical control and automation systems. If an authenticated system such as a SCADA server or HMI becomes compromised it would be allowed to communicate through the firewall to launch an attack on a critical system. CyberFence series devices solve this issue by looking at the entire contents of a packet rather than just the header in what is known as deep-packet-inspection (DPI). Coupled with an application protocol awareness, a CyberFence series device can allow or reject a packet based on what is in the application layer as well as where it came from. All devices except UltraCrypt can perform application-level DPI.

By knowing what protocol a critical system uses, a CyberFence series device can filter out both non-standard protocol packets, and unwanted (but legitimate) commands. For instance a CyberFence series device could be configured to make a critical device ‘read-only’ by dropping any write commands it sees, or preventing an attacker from reconfiguring a device by preventing any software/program uploads.

What makes the CyberFence series approach to application-level DPI unique is that users can configure the application-level DPI using a human-readable XML file. This XML file can be written to conform to almost any type of industrial protocol, meaning that the DPI in the CyberFence series is protocol independent. As new XML configuration files are created, new protocols are thereby supported with no software or firmware updates required. The customer benefits from new protocol support without purchasing any additional licenses or software upgrades.
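As an added illustration of the firewall (1.4) and application-level DPI (1.5) described above, the following Python script is example code, not part of the 3eTI whitepaper or the CyberFence product. It parses Modbus/TCP requests (a common ICS protocol, chosen here as an assumption; the whitepaper names no specific protocol) and applies a per-host policy loaded from a small XML file. The XML schema, host addresses, register windows and all traffic are constructed for the demo; the product's own XML format is not documented here beyond being human-readable and protocol independent. The policy makes the HMI read-only on a register window, lets the engineering station write ten registers, and denies everything else by default, including malformed frames and unknown function codes.

```python
"""Application-level DPI for Modbus/TCP driven by an XML policy.

Added example, not CyberFence code. The XML schema, hosts and addresses
are invented for illustration.
"""
import struct
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Public Modbus function codes. Any code not named here is denied outright.
FUNC_NAMES = {1: "read_coils", 2: "read_discrete_inputs",
              3: "read_holding_registers", 4: "read_input_registers",
              5: "write_single_coil", 6: "write_single_register",
              8: "diagnostics", 15: "write_multiple_coils",
              16: "write_multiple_registers"}
RANGE_FUNCS = {1, 2, 3, 4, 15, 16}   # PDU starts with address + quantity
SINGLE_FUNCS = {5, 6}                # PDU starts with one address + one value

# Constructed policy: the HMI is read-only on a register window, the
# engineering station may write ten registers, everything else is denied.
POLICY_XML = """
<policy protocol="modbus-tcp" default="deny">
  <host src="10.0.1.10" role="hmi">
    <allow function="read_holding_registers" address="0-99"/>
    <allow function="read_coils"/>
  </host>
  <host src="10.0.1.20" role="engineering">
    <allow function="read_holding_registers"/>
    <allow function="write_single_register" address="40-49"/>
  </host>
</policy>
"""

@dataclass
class Rule:
    function: str
    lo: int
    hi: int

def load_policy(xml_text):
    """Map source IP -> list of Rule; a host with no entry gets no rules."""
    policy = {}
    for host in ET.fromstring(xml_text).findall("host"):
        rules = []
        for a in host.findall("allow"):
            lo, hi = (int(x) for x in a.get("address", "0-65535").split("-"))
            rules.append(Rule(a.get("function"), lo, hi))
        policy[host.get("src")] = rules
    return policy

def parse_modbus_tcp(frame):
    """Return (unit, function_code, first_addr, last_addr); raise ValueError
    for anything that is not a well-formed Modbus/TCP request."""
    if len(frame) < 8:
        raise ValueError("short frame")
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("MBAP protocol id %d is not Modbus" % proto)
    if length != len(frame) - 6:           # length counts unit id + PDU
        raise ValueError("MBAP length %d does not match frame" % length)
    fc, lo, hi = frame[7], None, None
    if fc in RANGE_FUNCS:
        if len(frame) < 12:
            raise ValueError("truncated PDU")
        start, qty = struct.unpack(">HH", frame[8:12])
        lo, hi = start, start + qty - 1
    elif fc in SINGLE_FUNCS:
        if len(frame) < 10:
            raise ValueError("truncated PDU")
        lo = hi = struct.unpack(">H", frame[8:10])[0]
    return unit, fc, lo, hi

def inspect(src, frame, policy):
    """Firewall plus DPI verdict: who is talking, which function, which addresses."""
    try:
        _unit, fc, lo, hi = parse_modbus_tcp(frame)
    except ValueError as err:
        return "deny", "malformed: %s" % err
    name = FUNC_NAMES.get(fc)
    if name is None:
        return "deny", "%s sent unknown function code %d" % (src, fc)
    for rule in policy.get(src, []):
        if rule.function == name and (lo is None or rule.lo <= lo <= hi <= rule.hi):
            return "allow", "%s %s %s-%s" % (src, name, lo, hi)
    return "deny", "%s %s %s-%s not permitted" % (src, name, lo, hi)

def request(fc, pdu_body, unit=1, tid=1):
    """Wrap a PDU in an MBAP header (constructed traffic for the demo)."""
    pdu = bytes([fc]) + pdu_body
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

def demo(policy=None):
    policy = policy or load_policy(POLICY_XML)
    hmi, eng, rogue = "10.0.1.10", "10.0.1.20", "10.0.1.99"
    cases = [
        (hmi, request(3, struct.pack(">HH", 0, 10))),     # read 0-9: allow
        (hmi, request(3, struct.pack(">HH", 95, 10))),    # read 95-104: outside window
        (hmi, request(6, struct.pack(">HH", 45, 1))),     # HMI may not write
        (eng, request(6, struct.pack(">HH", 45, 1))),     # engineering write 45: allow
        (eng, request(16, struct.pack(">HHB", 40, 2, 4) + b"\x00\x01\x00\x02")),  # no rule
        (rogue, request(3, struct.pack(">HH", 0, 1))),    # unlisted host
        (hmi, request(8, struct.pack(">HH", 0, 0))),      # diagnostics never allowed
        (hmi, b"\x00\x01\x00\x01\x00\x06\x01\x03\x00\x00\x00\x0a"),  # protocol id 1
    ]
    return [inspect(src, frame, policy) for src, frame in cases]

if __name__ == "__main__":
    for verdict, why in demo():
        print(verdict.upper(), why)
```

Two design points carry over to any real deployment: the parser checks the MBAP length field against the actual frame before looking at the function code, so a truncated or padded frame is dropped rather than partially interpreted, and a read request is judged on the whole address range it touches (start through start + quantity - 1), not just its starting address, otherwise a request starting inside the permitted window could read past its end.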


1.6. Alerting & Reporting

One of the main reasons why industrial control and automation environments are vulnerable to cyber-attack is that operators do not have any situational awareness about what is happening in their control networks. Users know what actions they perform on an HMI, and they can see the actions a controller has on the environment (e.g. a PLC), but they don’t know if the action being performed is what they specified in the HMI. Many cyber-attacks can either manipulate control or manipulate the view to deceive an operator as to which processes are active or taking place. An attack can even make it seem as though the control system or controller (e.g. a PLC) is malfunctioning when it is operating correctly by taking commands from malware rather than the control system.

The CyberFence series is designed to provide situational awareness within the control network so that operators have an independent means of comparing the commands and readings actually sent and received on the network with what the control system displays. A discrepancy between the two is the first red flag signaling a malicious actor or cyber-attack. The CyberFence series does this by alerting on and recording the activity it sees passing over the network. All configuration changes, firewall alerts, DPI alerts, and authentication failures can be reported either in-band over an encrypted channel or out-of-band using a separate network. Alerts are both securely recorded in an auditable record and distributed via SNMP traps and remote syslog entries. Through the standards-compliant SOAP interface, management appliances can automatically and routinely retrieve these logs for further analysis.

5. Attacks & Mitigations While every cyber-attack on a critical or air-gapped system can be seen as unique, using different access and propagation methods, attacks can generally be categorized into a few main families. Not all cyber-attacks can be mitigated with 100-percent success. A defender must recognize as early as possible when an attack is taking place and prevent the attacker from achieving the desired goal or performing the desired actions. Through controls such as those provided by the CyberFence series, operators can make exploitation virtually impossible for unsophisticated, non-nation-state attackers, and gain the situational awareness necessary to discover when sophisticated attacks are being attempted.

1.7. Network Connection Attacks

One of the easiest ways to attack a process control network is to acquire direct network connectivity and then to maliciously interfere with that traffic. Process control and automation networks are typically geographically very large, from power stations and factories to railway signaling and oil pipelines. These are large facilities with porous physical controls and many places in which an attacker can connect devices. Small network taps bought from almost any online electronics store can provide an attacker with undetectable logical and physical access to even an air-gapped network. With their own device connected to the network, attackers can inspect traffic to understand what protocols are being used, what commands are being sent, and what the topology of the network looks like. After that they can subtly and almost invisibly begin to manipulate traffic or communicate with critical devices.

One simple way to mitigate this risk is to use encryption. Encryption is not widely deployed in process control and automation networks because it is seen as providing only confidentiality, where confidentiality is not required. In fact, a properly deployed link encryptor provides two main protections, confidentiality and integrity (through message authentication), with integrity being the more important attribute within control networks. The integrity protection ensures that attackers with physical access to the network cannot manipulate the traffic, generate any of their own, or replay old traffic without being detected. The confidentiality protection that comes with it is a bonus.
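The three attacks the paragraph names (manipulate, inject, replay) can be demonstrated without any product. The following Python script is an added example, not CyberFence code: it wraps each raw control frame with a sequence number and an HMAC-SHA256 tag from the standard library (a generic keyed MAC, not any particular FIPS-validated mode or Suite B algorithm) and deliberately leaves the payload readable, to show that integrity protection alone already defeats all three. The key, the frames and the attacker's moves are constructed for the demo.

```python
"""Integrity and anti-replay protection on a control link.

Added example, not CyberFence code. Key, frames and attacker actions are
constructed; the payload bytes stand for "write register 40 = value".
"""
import hashlib
import hmac
import struct

TAG_LEN = 32            # HMAC-SHA256 output length
SEQ_LEN = 8             # 64-bit monotonically increasing counter
KEY = bytes(range(32))  # constructed demo key; real keys are provisioned out of band

class Sender:
    def __init__(self, key):
        self.key, self.seq = key, 0

    def protect(self, payload):
        """Prefix a fresh sequence number and append a tag over seq || payload."""
        self.seq += 1
        header = struct.pack(">Q", self.seq)
        tag = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        return header + payload + tag

class Receiver:
    def __init__(self, key):
        self.key, self.last_seq, self.alerts = key, 0, []

    def accept(self, frame):
        """Return the payload if the frame is authentic and fresh, else None."""
        if len(frame) < SEQ_LEN + TAG_LEN:
            self.alerts.append("short frame")
            return None
        header, payload, tag = frame[:SEQ_LEN], frame[SEQ_LEN:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        # Verify the tag (in constant time) before trusting anything in the header.
        if not hmac.compare_digest(tag, expected):
            self.alerts.append("integrity failure")
            return None
        seq = struct.unpack(">Q", header)[0]
        if seq <= self.last_seq:
            self.alerts.append("replay: seq %d not above %d" % (seq, self.last_seq))
            return None
        self.last_seq = seq
        return payload

def demo():
    """Two legitimate frames, then manipulation, replay and injection.
    Returns (accepted payloads, receiver alerts)."""
    link, guard = Sender(KEY), Receiver(KEY)
    f1 = link.protect(b"\x06\x00\x28\x00\x64")   # write register 40 = 100
    f2 = link.protect(b"\x06\x00\x28\x00\x65")   # write register 40 = 101
    accepted = [guard.accept(f1), guard.accept(f2)]
    # 1. Manipulation: flip the value byte in transit (100 -> 200), tag untouched.
    tampered = f1[:SEQ_LEN + 4] + bytes([0xC8]) + f1[SEQ_LEN + 5:]
    accepted.append(guard.accept(tampered))
    # 2. Replay: resend the first, perfectly valid, frame.
    accepted.append(guard.accept(f1))
    # 3. Injection: an attacker without the key forges a frame with a plausible seq.
    forger = Sender(b"\x00" * 32)
    forger.seq = 99
    accepted.append(guard.accept(forger.protect(b"\x06\x00\x28\x00\x00")))
    return accepted, guard.alerts

if __name__ == "__main__":
    accepted, alerts = demo()
    print("accepted:", accepted)
    print("alerts:", alerts)
```

The strictly increasing counter is the right choice on a point-to-point control link that delivers frames in order; on a path that can reorder, a sliding-window check (as IPsec uses) replaces the simple comparison. The counter must never wrap under the same key, and because every alert here also names which of the three attacks occurred, the same events can be forwarded to a SIEM as the section recommends.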

1.8. Endpoint Connection Attacks

While encryption will reduce the number of places where attackers can connect their malicious devices, it does not remove the risk completely. There are always some devices and networks that sit behind an encryptor into which an attacker can connect, for instance between a PLC and the encryptor. Another potential risk is the connection of a temporary device, such as a maintenance worker’s laptop, to an unauthorized port or system. An employee or sub-contractor could be authorized to work on one system but accidentally or intentionally connect to a different system, causing malicious activity. To minimize the risk of this occurring, 802.1X port authentication can be deployed. Every device connecting to the network will then require an authorized digital certificate. This also allows an administrator to control not only which devices can connect to a system but also to which ports. If port authentication cannot be deployed on all devices, access control via MAC addresses can be used. While this will not stop a dedicated attacker from spoofing a legitimate address, it does give the CyberFence series an additional opportunity to detect an attack.

One beneficial aspect of a control system is that it is for the most part fairly static. Not much changes. An attacker attempting to connect to a network does not know if port-based access control has been implemented, and so will not know how to avoid detection. As soon as an attacker tries to connect, a CyberFence series device will detect either the wrong MAC address or the failed certificate authentication and provide instant alerts to that effect. Now the administrator can detect that attempt and follow incident-response procedures to identify the attempted breach.

1.9. Internal Host-based Attacks

One of the most popular and prolific ways of attacking a process control or automation system is to infect one of the supporting PCs with malware, whether an HMI, an engineering workstation or a log server. As most of these computers run Windows and commercial software, malware attacks on them are well understood and routinely succeed even when antivirus is deployed. Once a machine has been infected, an attacker will usually try to learn the topology of the compromised network and what other devices are available. This almost always involves network scanning or quieter probing. Most devices are good network citizens and so, when probed by an infected machine, answer the queries, giving the attacker the information needed to spread across the system.

CyberFence series devices will not only interrupt the actions of an attacker but also quickly identify that the network is being probed and alert an administrator. The DarkNode technology in the CyberFence series makes the devices invisible to an attacker probing the network, and the firewall function prevents scans from reaching the critical devices behind them. The attacker gathers no additional information and does not know why, while the administrator receives real-time alerts that this is occurring. Even if an internal PC is compromised with malware, the attacker's ability to expand its footprint into the wider network is severely hampered, and the administrator is alerted early to the compromise even when the PC's antivirus misses the initial infection.
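The alerting described above rests on one observation: a host that is mapping the segment touches many distinct destinations in a short time, while a legitimate HMI polls the same few PLCs on the same port indefinitely. The following is an added example of that detection logic written for this page; it is not CyberFence's alerting code and does not describe its thresholds. The window, threshold, addresses and firewall records are all constructed for the example.

```python
"""Probe and scan detection over firewall drop records (added example)."""
from collections import defaultdict, deque

WINDOW_SECONDS = 60              # sliding window per source host (assumed value)
DISTINCT_TARGET_THRESHOLD = 10   # distinct (host, port) pairs that trigger an alert


def detect_scans(records, window=WINDOW_SECONDS, threshold=DISTINCT_TARGET_THRESHOLD):
    """records: iterable of (epoch_seconds, src_ip, dst_ip, dst_port, action).

    Returns one alert (timestamp, src_ip, distinct_targets) each time a source
    crosses the threshold; the alert re-arms once its count falls back below it,
    so a sustained sweep produces one alert rather than one per packet.
    """
    recent = defaultdict(deque)                    # src -> deque of (ts, target)
    live = defaultdict(lambda: defaultdict(int))   # src -> target -> hits in window
    armed = defaultdict(lambda: True)
    alerts = []
    for ts, src, dst, dport, _action in sorted(records):
        target = (dst, dport)
        recent[src].append((ts, target))
        live[src][target] += 1
        # Expire entries that fell out of the window; forget targets with no hits left.
        while recent[src] and recent[src][0][0] < ts - window:
            _old_ts, old_target = recent[src].popleft()
            live[src][old_target] -= 1
            if live[src][old_target] == 0:
                del live[src][old_target]
        distinct = len(live[src])
        if distinct >= threshold and armed[src]:
            alerts.append((ts, src, distinct))
            armed[src] = False
        elif distinct < threshold:
            armed[src] = True
    return alerts


def build_sample_records():
    """Constructed traffic: one legitimate poller and one sweeping workstation."""
    recs = []
    # HMI 10.1.1.10 reads three PLCs over Modbus/TCP (502) every 10 s for two minutes.
    for t in range(0, 120, 10):
        for plc in ("10.1.2.1", "10.1.2.2", "10.1.2.3"):
            recs.append((1000 + t, "10.1.1.10", plc, 502, "allow"))
    # Infected engineering workstation 10.1.1.20 probes 30 hosts on three ICS
    # ports (Modbus 502, S7comm 102, EtherNet/IP 44818), one probe per second;
    # the firewall in front of the PLCs drops them and the hosts never answer.
    n = 0
    for port in (502, 102, 44818):
        for host in range(1, 31):
            recs.append((1000 + n, "10.1.1.20", f"10.1.2.{host}", port, "drop"))
            n += 1
    return recs


if __name__ == "__main__":
    for ts, src, distinct in detect_scans(build_sample_records()):
        print(f"t={ts} ALERT {src} touched {distinct} distinct targets in {WINDOW_SECONDS}s")
```

On the constructed records the sweeping workstation is flagged ten seconds into its scan, at its tenth distinct target, and only once despite ninety probes; the polling HMI never exceeds three distinct targets and produces nothing. The re-arm logic matters in practice: without it a single scan would flood the operator with one alert per dropped packet.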

1.10. Server Compromise or Insider-Based Attacks

One of the most challenging and worrying risks is the compromise of a process control server or similar system. These servers have the authority to communicate with all the critical edge devices, and issue commands. Likewise an insider with access to the HMI or control system can directly issue dangerous or malicious commands. Authentication and firewall controls will not detect or prevent this type of attack because the compromised machine is authorized to issue commands.

Almost all controllers and industrial protocols support a far wider range of capabilities than normal operation uses. For instance, a controller that is only ever read during normal operation will still accept writes. The CyberFence series application-level DPI detects and prevents unauthorized commands from reaching the controller even when they are legitimately formatted. Likewise, an insider may set a control value (e.g. a set-point) to an abnormal or dangerous level. Sometimes, but not always, this is prevented by the HMI or by the control logic, and the insider may be able to modify the acceptable limits as well. A CyberFence series device inspects the control message and determines not only what type of command is being sent but also what values it carries, and then whether that setting is permissible.

Even when malware does not send traffic of its own, there have been instances where it manipulates commands before they are sent, so that what the operator tells the system to do is not what the controller receives and executes. The discrepancy can look like a fault in the controller or the HMI rather than a cyber-attack. This type of attack can only be caught by validating, independently of the compromised host, what the controller actually receives.

The CyberFence series DPI capability ensures that only legitimate and safe operations are executed by a controller, and that what the controller receives is what the operator intended. If any manipulation has occurred, the operator is alerted and can report it to the network administrator for further investigation.

1.11. Zero-day attacks

Almost every week new vulnerabilities are published by ICS-CERT, meaning that almost every week a different set of users find themselves exposed to new attacks. Mitigating these vulnerabilities can be a long and drawn-out process: the equipment vendor must produce a patch, the patch must be robustly tested, and then it must be comprehensively deployed in the real system. In some cases a vulnerability is only discovered while it is being actively exploited, which is what makes it a 'zero-day'. How do operators protect themselves against an attack they don't know is intended for them? How do operators protect themselves against an attacker who knows their system better than they do?

The defense-in-depth protection offered by the CyberFence series dramatically limits the attack surface of a critical device. Even though the critical device may support wide-ranging functionality and configurations, the CyberFence series devices ensure that only the functions required for operation are exposed to the wider network, and that only legitimate and well-formed packets are allowed through. This makes exploitation extremely difficult. Should a zero-day attack be found against a system, a new DPI rule can be written to detect, drop and alert should that attack be attempted, which protects the critical device until the vendor issues a patch.
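Sections 1.10 and 1.11 both come down to the same three checks on each control message: is the frame well formed, is the function permitted for this device, and are the values within the limits the operator set; plus the ability to drop in a new rule when a vulnerability is announced. The following is an added example of such inspection for Modbus/TCP written for this page. It is not CyberFence's rule language or code. The policy (unit 1, registers 100 and 200, the 0..500 limit), the sample frames and the address-wrap rule are all constructed for the example; the wrap rule illustrates the shape of a hot-fix rule and does not refer to any published advisory.

```python
"""Application-level DPI for Modbus/TCP (added example)."""
import struct

MODBUS_PROTOCOL_ID = 0
READ_HOLDING_REGISTERS = 3
WRITE_SINGLE_REGISTER = 6


class UnitPolicy:
    def __init__(self, allowed_fc, writable):
        self.allowed_fc = allowed_fc   # function codes this unit may receive
        self.writable = writable       # register -> (min, max) permitted value


# Constructed policy: unit 1 may be read, and only register 100 (a set-point)
# may be written, within 0..500.  Register 200 (the limit itself) stays read-only.
POLICY = {1: UnitPolicy(allowed_fc={READ_HOLDING_REGISTERS, WRITE_SINGLE_REGISTER},
                        writable={100: (0, 500)})}


def build_frame(tid, unit, pdu):
    """MBAP header: transaction id, protocol id, length (unit id + PDU), unit id."""
    return struct.pack(">HHHB", tid, MODBUS_PROTOCOL_ID, len(pdu) + 1, unit) + pdu


def inspect(frame, policy=POLICY, extra_rules=()):
    """Returns ("allow" | "drop", reason).  Malformed frames are dropped before
    any policy lookup so a parser bug in the controller is never reachable."""
    if len(frame) < 8:
        return "drop", "truncated frame"
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != MODBUS_PROTOCOL_ID:
        return "drop", "protocol id is not Modbus"
    if length != len(frame) - 6:
        return "drop", "MBAP length does not match frame"
    fc, data = frame[7], frame[8:]
    for rule in extra_rules:                  # hot-fix rules run first
        reason = rule(unit, fc, data)
        if reason:
            return "drop", reason
    pol = policy.get(unit)
    if pol is None:
        return "drop", f"unit {unit} not in policy"
    if fc not in pol.allowed_fc:
        return "drop", f"function code {fc} not permitted for unit {unit}"
    if fc == READ_HOLDING_REGISTERS:
        if len(data) != 4:
            return "drop", "malformed read request"
        start, qty = struct.unpack(">HH", data)
        if not 1 <= qty <= 125:               # limit from the Modbus specification
            return "drop", f"read quantity {qty} out of range"
        return "allow", f"read {qty} registers from {start}"
    if fc == WRITE_SINGLE_REGISTER:
        if len(data) != 4:
            return "drop", "malformed write request"
        reg, value = struct.unpack(">HH", data)
        if reg not in pol.writable:
            return "drop", f"register {reg} is not writable"
        lo, hi = pol.writable[reg]
        if not lo <= value <= hi:
            return "drop", f"value {value} outside {lo}..{hi} for register {reg}"
        return "allow", f"write {value} to register {reg}"
    return "drop", f"no validator for function code {fc}"


def rule_block_address_wrap(unit, fc, data):
    """Hypothetical hot-fix rule: drop reads whose start + quantity passes 65535,
    the kind of rule written when such a read is reported to upset a controller."""
    if fc == READ_HOLDING_REGISTERS and len(data) == 4:
        start, qty = struct.unpack(">HH", data)
        if start + qty - 1 > 0xFFFF:
            return "address range wraps past register 65535"
    return None


def sample_frames():
    """Constructed requests to unit 1, keyed by what each one tries to do."""
    read = build_frame(1, 1, bytes([3]) + struct.pack(">HH", 0, 10))
    return {
        "read_10":        read,
        "write_setpoint": build_frame(2, 1, bytes([6]) + struct.pack(">HH", 100, 250)),
        "write_too_high": build_frame(3, 1, bytes([6]) + struct.pack(">HH", 100, 5000)),
        "write_limit":    build_frame(4, 1, bytes([6]) + struct.pack(">HH", 200, 1)),
        "diagnostics":    build_frame(5, 1, bytes([8]) + struct.pack(">HH", 4, 0)),  # force listen-only
        "bad_length":     read[:4] + struct.pack(">H", 99) + read[6:],
        "address_wrap":   build_frame(6, 1, bytes([3]) + struct.pack(">HH", 0xFFF0, 100)),
    }


if __name__ == "__main__":
    for name, frame in sample_frames().items():
        print(f"{name:15s} {inspect(frame, extra_rules=[rule_block_address_wrap])}")
```

Every frame here is syntactically valid Modbus that a firewall keyed on port 502 would pass: the out-of-range set-point, the write to the limits register and the diagnostic that would put the controller into listen-only mode are all stopped by policy, the length mismatch by the well-formedness check, and the address-wrap read only once the extra rule is loaded, which is the zero-day workflow from the text. Ordering the checks as well-formedness, then hot-fix rules, then policy means a new rule can never be bypassed by a frame the parser itself would reject.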

6. Summary

No control system will be completely cyber secure, nor will a single product provide the complete solution. Instead a risk-informed, holistic security approach is needed, one that provides a layered set of defenses including specific protections for critical edge devices. Firewalling, intrusion detection and deep packet inspection can all be performed at the network core, which is normally acceptable in enterprise systems, but for critical systems it is a risky approach: a single misconfiguration or operational change can leave large numbers of critical devices accessible and vulnerable. A central firewall would neither prevent nor detect an insider performing a malicious action. A network segregation device (e.g. a data diode) can keep a system 'air gapped' but does not prevent malicious code being introduced by other means (a USB stick, a software update). By moving the defense to the edge, risk is kept to a minimum: an error in one device's configuration affects only that device and not the whole network.

The CyberFence series of devices offers customers the protection they need in an easily deployed and managed solution. By providing out-of-band management and alerting capabilities, the CyberFence series can be safely deployed into an operational network and provide situational awareness about that network without impacting performance. The CyberFence series is designed to make security-management real time, like the operational environment.

3eTI appreciates that within the control industry the addition of security controls is not undertaken lightly. Security typically impacts performance, and in a critical operational environment performance is paramount and sometimes safety-critical. But without security the operational environment is at real risk of unsafe malicious operation. An appropriate security control, therefore, is one that minimizes impact on the operational environment and is tailored to its deployment so that it provides protection efficiently. A CyberFence series device protecting an industrial plant's control system will be deployed and configured differently from one protecting the same plant's monitoring system, or a building's automation system. The CyberFence series solutions are optimized for the environment in which they operate, balancing the risk-management requirements and operational limitations of demanding process control and automation systems.

About Ultra Electronics, 3eTI

Ultra Electronics, 3eTI is a leading cyber-technology company with products and systems that secure critical infrastructure and improve operational efficiency. The company delivers certified solutions that protect and connect critical systems using military-grade security for the defense, government, energy and industrial automation markets worldwide. 3eTI helps preserve operational investments through advanced machine-to-machine (M2M) communications security, secure wireless networks and innovative sensor network applications, leveraging new and legacy systems while complying with the highest government and industry standards. 3eTI's net-centric and OEM product portfolio includes robust Wi-Fi and industrial wireless mesh networks, cyber-physical security, and integrated command and control, all of which are approved for government use. (www.ultra-3eti.com)