
Partner Perspectives
8/13/2015 10:08 AM
Raja Patel

Defending Critical Infrastructure Without Air Gaps And Stopgap Security

Traditional IT security solutions need modifications to successfully defend critical infrastructure on tomorrow's cyber battlefields.

There has recently been a great amount of discussion regarding critical infrastructure and its inherent security vulnerabilities. Critical infrastructure primarily comprises aging supervisory control and data acquisition (SCADA) and industrial control systems (ICS), which are far more pervasive than most people realize: The Department of Homeland Security has defined 16 separate critical infrastructure sectors, many of which include outdated cybersecurity protections.

Security Through Obscurity No Longer Works

The vast majority of critical infrastructure consists of aging industrial control systems that were designed to operate on isolated, “air-gapped” networks. If considered at all during protocol development and network design, security took a back seat to more pressing considerations such as low latency and uptime. Multisite connectivity typically occurs via secure WAN links on private telecom networks, and operators tend to emphasize physical security over cybersecurity. Today, however, the lack of attention given to network security during early development is becoming problematic as critical infrastructure is increasingly being connected in some fashion to the Internet, giving hackers a potential access point.

Many of these SCADA and ICS systems run proprietary code on legacy operating systems that have been refined over the decades. In fact, most programmable logic controllers, protocol converters, and data-acquisition servers within these systems lack even basic authentication, making them highly vulnerable to hacking. Today, many operators believe the legacy nature of their systems confers protection, which simply isn’t true. If an asset has potential value, there are cybercriminals and nation states with the means and motives to target it.

New Thinking For The Next Generation Of Critical Infrastructure

Complicating matters further, the administrators and operations personnel tasked with supporting critical infrastructure frequently have different priorities. Operational technology (OT) teams that maintain SCADA networks focus primarily on high resiliency and availability to keep production online at any cost, while information technology (IT) teams that manage corporate networks are more concerned with connectivity, security, and compliance. However, both teams understand today’s security imperative, and within most organizations these teams are actively planning the next generation of security architectures.

As the threat landscape shifts over time, both IT and OT security infrastructure must be able to adapt to new security needs, policies, and threat-detection methods. Single-function security devices will soon be a thing of the past, as security architecture becomes increasingly versatile. Firewalls, intrusion prevention systems (IPS), VPN gateways, and routers all perform vital roles. To achieve the infrequent scheduled downtime requirements of OT environments, these software-based devices must be updatable on the fly while performing the security or networking tasks at hand. And to minimize unscheduled downtime, they must be highly reliable or support active-active clustering with transparent failover options.

In addition to support for OT protocols, it’s clear that traditional IT security solutions will need some modifications to successfully defend critical infrastructure on tomorrow’s cyber battlefields. Here’s a list of some potential features and requirements to get started:

  • Ensure High Performance, Resiliency, And Availability
    As the name implies, critical infrastructure must operate nonstop without performance degradation -- even when performing processing-intensive, deep-packet inspection and real-time emulation. In many cases, there’s no such thing as “scheduled downtime.” Therefore, clustering, load balancing, and automatic failover must be standard features of security solutions within critical infrastructure.

  • Make Endpoints More Intelligent And Secure
    The devastating effects of rogue data-scraping apps on point-of-sale systems were made abundantly clear in the aftermath of recent high-profile data breaches. Prior to that, Stuxnet opened our eyes to what can happen when industrial programmable logic controllers are compromised within uranium-enrichment facilities. New and existing endpoints must become sentry points capable of validating the use of trusted applications and observing all connections made by executables. They must share insights with firewalls, IPS, and other security devices across the network and be able to enforce application whitelisting and blacklisting, as well as terminate operation if they become compromised.

  • Protect And Connect Multiple Security Zones
    Security architecture must provide advanced protection from both known and unknown threats within each security zone and be able to securely link traffic between security zones, including distributed facilities. This is another area where traditional security devices have come up short. Creating security devices that can be deployed in multiple roles -- as stateful firewalls with VPN termination, IPsec VPN gateways for multisite connectivity, or next-generation firewalls with IPS and application control, for example -- enables much tighter security throughout the organization. Moreover, the ability to manage the system with a common security console and share security data in a bidirectional manner -- regardless of protocol or connection type -- gives critical infrastructure architects and operators new levels of flexibility and management simplicity.

  • Monitor And Manage The Entire System
    It’s impossible to overstate the importance of integrated monitoring and management. Threats can pass between IT, SCADA, and ICS zones, so it’s essential to have end-to-end visibility of critical infrastructure and be able to correlate information across systems to identify and mitigate threats. Placing intelligence on all endpoints allows these devices to share security data and be managed as part of an overall architecture. A global management console not only allows remote provisioning, management, and updating of software on all critical infrastructure devices, it enables application whitelisting and other security policies to be pushed to devices. Tight integration between the global management console and the security information and event management (SIEM) solution will accelerate accurate situational awareness and reduce management time and expense. And last but not least, critical infrastructure solutions must simplify the task of compliance reporting and auditing. Integrated monitoring and management makes this possible.

Is our industry currently providing the security technologies, flexibility, and agility to empower critical infrastructure? In many cases I believe the answer is yes, which is good news, given that many of these solutions are also required to secure the Internet of Things and the future of IT overall.

Raja Patel is vice president in the Intel Security Group and general manager of the Network Security business unit at Intel Corporation. He is responsible for defining and executing the strategic direction for Intel Security's Network Security business, which includes network ...