Cyber Security - Protecting Automation Controllers

  • April 04, 2014
  • Feature

By Bill Lydon, Editor

Layered cyber security protection has become an important factor for automation systems. The bottom layers of the network include the controllers with real-time embedded processors. Founded in 1992, Icon Labs provides cyber security solutions for embedded real-time processors.  I recently interviewed Alan Grau, President and Co-Founder, about their company and solution offerings. Icon Labs is headquartered in West Des Moines, Iowa.

Question: How did Icon Labs start?

Alan Grau: Icon Labs started as a services company doing projects for some of the major telecom/datacom firms in the Chicago area. We used our expertise in embedded systems development, real-time operating systems (RTOSes), and security to transition into a product company focused on security for embedded devices.

Question: If I have a corporate firewall, why should I worry about embedded cyber security protection?

Alan Grau: For one thing, embedded devices are not always deployed in the manner in which the designer anticipated. There are thousands (probably even millions) of embedded devices that were designed without security that are now connected to the Internet. The manufacturers assumed these devices would only be deployed in closed networks, but that didn’t always happen.

In addition, corporate firewalls are no guarantee of absolute security. We read about successful attacks on enterprise networks every day. In addition, insider attacks cannot be blocked by a corporate firewall. Embedded devices often have a much different communication profile than what is enforced by the corporate firewall. Communication that might be perfectly reasonable through the corporate firewall may not be appropriate for an embedded device.

Question: How is IT industry doing relative to embedded?

Alan Grau: The IT world is still miles ahead of the embedded world in terms of security. This really isn’t surprising, given that hackers have historically been focused on IT networks. This is changing, and hackers are starting to focus more on embedded devices. We can learn some important lessons from the IT world, most importantly that a single layer of security is not enough. Many embedded devices either have no security, or simply implement security protocols such as SSH and call it good. Anyone who has studied IT security will understand that a single layer of security is insufficient.

Question: I have PLC’s and controllers that have embedded real-time operating systems. Why do I need to worry about cyber-attacks?

Alan Grau: Hackers are starting to directly target these types of devices. While a device built with a real-time operating system may not be vulnerable to a Windows virus, it is still vulnerable to a number of cyber-attacks, including protocol attacks, dictionary attacks, insider attacks, and denial-of-service attacks. Some embedded devices have been released with hard-coded user names and passwords, leaving the door wide open for hackers.

Question: How do you protect devices?

Alan Grau: Icon Labs Floodgate products provide a critical, missing layer of security for embedded devices. Floodgate Defender provides firewall services, enabled embedded devices to control the packets they process. Floodgate Defender supports rules-based filtering, stateful packet inspection, and threshold-based filtering. Floodgate Agent supports management of filtering policies from a centralized management system, and Floodgate Aware enables integration with enterprise Security Information and Event Management (SIEM) systems, which can analyze traffic patterns and detect a wide range of security events. Rules-based filtering can be used to implement IP address whitelisting, limiting communication to only a few known, trusted hosts. A cyber-attack coming from any other IP address will be blocked, providing a critical layer of defense. An SIEM system can detect things such as IP packets being sent to a server in China, which, for most systems, should not happen.

Rules-based Filtering

Question: Can you provide a basic description of stateful packet inspection and threshold-based filtering?

Alan Grau: Stateful packet inspection works by tracking the state of the connection and makes filtering decisions based upon this information. Threshold-based filtering detects and blocks packet flood attacks.

Question: All of this sounds like a burden for an embedded processor that will impact performance. Can you address this?

Alan Grau: Floodgate Software products are designed for use in embedded applications, and the filtering algorithms were written to ensure efficient processing. The overhead for the filtering algorithms is far less than you might expect. Floodgate Aware sends log and event information to the SIEM, which can analyze packet history, detect packets from known, bad IP addresses, and perform other analysis and correlation tasks that could not be supported on the embedded device.

Question: Do you have any thoughts about the value of IPv6 incorporation of IPSec to enable higher levels of cyber protection?

Alan Grau: Adding IPv6/IPSec increases the level of security in a device. However, adoption of IPv6 has been slow in industrial control devices. Some industrial protocols (PROFINET and EtherNet/IP) are not easily ported to IPv6, and, in other cases, adoption has been slow due to prevalence of legacy IPv4 devices.

Even when IPv6/IPSec is supported, this still only provides one layer of security. One of the main lessons learned from studying security in the enterprise is that multiple layers of security are required. A firewall should still be added to the device to control communication and block unused services.

Question: If my corporate network has adopted IPv6 and industrial controllers using IPv4 are on the same network, are there any special things I should do to isolate these devices to protect the networks?

Alan Grau: The requirements for security really don’t change based on where a device is deployed. The message we are giving our clients is that you should never assume the environment in which a device is deployed is free from threats. Always assume that the device will be attacked. Once you make this design assumption, you will build security into the device. If the device has security built in, it can be safely deployed regardless of the network environment.

Question: What questions should I be asking my industrial control supplier?

Alan Grau: It is important to understand the level of security built into the device and the recommendations from the supplier on how to ensure the device is securely deployed. Do they provide recommended security settings or configurations? Do they assume the device is only deployed behind an air-gap (i.e., not connected to the public network)? What level of testing and validation have they done to ensure that the device is truly secure? Many device OEMs are assuming that their devices will not be targeted for attack or that the device will not be connected to a public network. It is critical to understand these assumptions.

Question: What about my existing devices?

Alan Grau: The first step is to determine the level of security provided by existing devices. The next step is to determine if an upgrade is available to increase the level of security for the device. If there is a deficiency in the level of security provided, then you have the option of replacing the device with a more secure product (if available), adding hardware protection such as the Floodgate Defender Appliance, or just living with the risk of attack.

Floodgate Defender

Question: How would you best describe how the Floodgate Defender Appliance adds protection?

Alan Grau: The Floodgate Defender Appliance provides firewall services for the devices it protects. It filters all packets that are sent to the device, blocking any packets that violate the filtering policies.

Question: How is the Floodgate Defender Appliance kept up to date?

Alan Grau: Floodgate Agent provides remote management of the appliance to ensure filtering rules are maintained and managed.

Question: Roughly how much does the Floodgate Defender Appliance cost?

Alan Grau: Pricing depends upon volume and features. Pricing starts at $995 for our base product.

Question: Does Floodgate Defender Appliance protect controllers from things like Stuxnet?

Alan Grau: Floodgate Defender Appliance can isolate controllers, ensuring they only communicate with known, trusted hosts. It can also close any unused ports and protocols, further reducing the attack surface of the controller. By blocking communication from all but known hosts, attacks originating from any other device are blocked before a connection is even established.

Question: What is your relationship with McAfee?

Alan Grau: Icon Labs is a McAfee partner and supports integration with the McAfee ePO, which provides centralized management of security for all devices in a network. Our Floodgate product is the only RTOS-based security product that is integrated with the McAfee ePO. Using Floodgate, RTOS-based products can now provide situational awareness and support policy management from a standardized central management console.

Question: What operating systems do you support?

Alan Grau: Floodgate products have been ported to VxWorks, INTEGRITY, RTXC, MQX and to several embedded Linux distributions. We plan to add support for additional operating systems as required by our customers.

Question: Do your products have ISASecure Embedded Device Security Assurance certification?

Alan Grau: The Floodgate product family provides services to help industrial devices achieve ISASecure certification, particularly with the robustness testing requirements.

Did you enjoy this great article?

Check out our free e-newsletters to read more great articles..