- April 14, 2015
By Alan Grau, Icon Labs
Security can no longer be thought of as a ‚Äúnice to have‚Äù. Investment in security cannot be viewed through the lens of ROI or competitive advantage. Security must be considered a fundamental requirement ‚Äì like air bags in automobiles. Everyone involved in the development of technology for critical infrastructure needs to recognize the threats and begin investing today in security solutions.
By Alan Grau, Icon Labs
Cyber-attacks on Industrial Automation Systems are not new. Hackers have been probing, and in many cases, penetrating these systems for many years. Many of these attacks against industrial automation systems were similar, or even the same as, the attacks used against corporate IT systems.
Recently a number of previously unpublicized attacks, malware and embedded surveillance tools were reported by researchers from Kaspersky Labs. At their annual Security Analyst Summit (SAS), they presented detailed findings of pervasive malware and embedded surveillance tools that, for over a decade, have largely gone undetected. Many of the threats presented by Kaspersky can be or were used to target industrial automation systems. While the report implies that the surveillance tools were developed and deployed by the US National Security Agency there is little doubt other countries and bad actors have, or soon will develop similar technology.
Some of the capabilities that distinguish these threats from many previous threats include:
- Cyber tools that systematically penetrate and map air-gapped systems; and then report data to a remote command and control system
- Malware operating at the firmware level that enabled discovery of encryption keys, cracking of encryption algorithms, and that remains hidden in place even through a complete operating system reinstall
- Malware that replaced hard-drive firmware to create a secret storage area on a hard disk that could even survive drive reformatting
The researchers also reported that some of this malware was first introduced as early as 2001 and has gone undetected until now.
These findings raise some troubling questions for Industrial Automation engineers and security professionals. Chief among them is; are we doing enough to protect our systems?
Advanced Malware and Cyber Warfare
Even if we accept the implication that the malware discovered by Kaspersky Labs was created by the NSA, that does not imply that the critical infrastructure and industrial automation systems within the US and our ally nations are safe from attack. There is little doubt that China, Russia, and Iran have large, dedicated and active cyber warfare groups. Well-funded hacking and criminal groups are also capable of developing advanced malware as sophisticated as that reported by Kaspersky.
This means that today’s Industrial Automation systems need to be protected against technology designed to infiltrate and map air-gapped systems and discover encryption keys, all while remaining undetected by standard security technologies.
Anyone building industrial control systems or other critical infrastructure devices needs to take a new look at security. The notion that air-gaps are impenetrable is a myth. The Kaspersky report detailed methods to compromise them. Worse yet, many customers fail to maintain a strict air-gap. In addition, the concept of ”security by obscurity” must be abandoned as the relic that it is. The investment must be to build security into the foundation of every device being utilized within critical infrastructure.
Cybersecurity investment: a neglected requirement
Most companies are aware of the need for cybersecurity. Media coverage of cybersecurity incidents is front page news. In 2013, President Barack Obama issued an executive order mandating greater levels of cybersecurity within critical infrastructure and he recently held a cybersecurity summit in Silicon Valley to push for greater awareness and investment in cybersecurity. Many industries are developing security standards for specific vertical markets.
Despite the growing awareness and government initiatives, investment in cybersecurity is still lagging.
All too often, companies are looking at cybersecurity and asking “What is the ROI for investing in security”. That is simply the wrong question to ask. Given the threat, cybersecurity should be considered a critical requirement, just as safety has been. The critical infrastructure, manufacturing, automotive and other industries have invested billions into safety and need to spend that much, or more, on fighting against cyber-attacks.
Building security into the device
IIoT (Industrial Internet of Things) and Industrial Automation networks are made up of a wide range of device types- from small to large, from simple to complex – from simple sensors to sophisticated systems. These devices are very different from standard PCs or other consumer devices. Many are fixed function devices that have been designed specifically to perform a specialized task and use a Real Time operating system such as VxWorks, Nucleus, INTEGRITY or MQX, or a stripped down version of Linux.
Historically, these devices have been built without robust security capabilities. Installing new security software on a legacy system in the field either requires a specialized upgrade process or in many cases, is simply not supported. Often, these devices are optimized to minimize memory usage and processing cycles, and simply do not have the resources available to support traditional security mechanisms.
As a result, PC security solutions that can protect an IT network or computer system won’t protect the embedded devices found inside of many factory and automation systems. In fact, given the specialized nature of embedded systems, PC security solutions won’t even run on most embedded devices. A new approach is required.
Security must be built into the device itself. Building protection into the device itself provides a critical security layer - the devices are no longer dependent upon the corporate firewall as their sole layer of security. In addition, the security can be customized to the needs of the device.
Security Framework for Industrial Automation
Building security into an embedded device is a complex process and it is critical to get it right. Developers whose products get hacked might never get a chance for a do-over.
As the saying goes, the security systems must be successful all the time while a hacker only has to be successful once.
To help ensure the security system is adequately protected, key features must be included in the design. This includes hardening the device via secure boot, authentication, and intrusion detection)
A security framework will provide key security features to ensure the device is secure while reducing the amount of code that needs to be written by OEM.
Also important are secure communication (security protocols, embedded firewall), making the devices visible to monitoring (remote command audit, event reporting), and enabling security management (remote policy management, integration with security management systems).
Implementing all of these capabilities from scratch requires a large engineering investment and opens the door to potential security weaknesses. Any coding errors or security loopholes could possibly be exploited by hackers to penetrate the system. Integrating existing open-source components still presents a formidable effort, especially for RTOS based systems due to the sometimes large porting effort required for open-source solutions.
Utilizing a commercial security framework provides OEMs an ideal solution. The OEMs engineering team can concentrate on the core features of their product and still provide robust security capabilities. Tracking security vulnerabilities and releasing of security updates is provided by the security vendor, relieving the OEM from these tasks.
While there is no one one-size fits all security solution for embedded devices, solutions are available that provide a framework for OEMs. Icon Labs Floodgate Security framework provides OEMs with the core security capabilities required for securing there devices. This provides the flexibility needed to customize the solution to the specific requirements of their device, while ensuring that critical security capabilities are included.
Securing legacy devices – the “bump-in-the-wire” solution
In addition to considering security for new devices, there is also a need for security for the large installed base of legacy control devices and systems that were manufactured with inadequate security. Upgrading these devices to improve security requires the device manufacturer to develop a newer software or firmware version with improved security. Once the new version is available the devices can be upgraded to provide enhanced security.
Unfortunately, the upgrade process may be difficult, expensive or impossible. Some devices cannot be upgraded without being returned to the factory to be updated. In some cases the manufacturer may no longer support the device, or may even be out of business. Replacing these devices is often simply too expensive to be an option and newer devices may not yet be available with improved security.
For legacy equipment and systems that cannot be easily or affordably replaced or upgraded, a “bump-in-the-wire” appliance solution can provide the required security. This type of solution can protect legacy devices that are otherwise unprotected. The “bump-in-the-wire” appliance provides security by enforcing communication policies, ensuring that only valid communication is allowed with the protected device.
Security can no longer be thought of as a “nice to have.” Investment in security cannot be viewed through the lens of ROI or competitive advantage. Security must be considered a fundamental requirement – like air bags in automobiles. Everyone involved in the development of technology for critical infrastructure needs to recognize the threats and begin investing today in security solutions that provide the highest level of protection possible.
About the Author
Alan Grau is the President and cofounder of Icon Labs, a leading provider of security solutions for embedded devices. You can reach him at email@example.com
Did you enjoy this great article?
Check out our free e-newsletters to read more great articles..Subscribe