Cybersecurity for Industrial Control Systems Cannot Wait

  • October 11, 2016
  • Tempered Networks
  • Feature

By Jeff Hussey, CEO, Tempered Networks

Today’s industrial control systems (ICS) represent critical operational assets across many organizations and a large cross section of industries such as utilities, manufacturing, warehouse and distribution, retail, transportation, and more. Connecting and safeguarding these vital networks is critical to improving operational efficiency, while maintaining the safety of our communities and the personnel who work with these ICS systems.

Today’s common practices for ICS security and networking are simply unsustainable. Organizations, from small to enterprise level, require a new approach that ensures networks and people can efficiently scale to keep up with increasing connectivity demands. It is equally important, however, to implement a cost-effective way of protecting any device or system—from today’s intricate SCADA systems and PLCs to legacy networks and long-lived systems such as HVAC, fuel pumps, and generators among others. Additionally, there is a vital need to properly safeguard transient and mobile resources such as robots, vehicles, sensors, trains, laptops, and tablets in a rapid and seamless fashion.

Secure the Network

The most recent SANS Institute survey on network security in March of 2016 states that up to 44% of network endpoints have experienced a security breach within the last two years.

"As the perimeter continues to dissolve and end-user technology continues to evolve, more endpoints are being exposed to external threats," (G.W. Ray Davidson, SANS survey author)

Internet connectivity is available to roughly three billion people worldwide today. Whereas a vast majority of these individuals have good intentions that include harmless activities like reading email, far too many have malicious intent in mind. Decision makers with responsibilities over modern and legacy ICS need to be concerned, not only with ordinary hackers, but also with the possibility of foreign espionage attempting to steal intellectual property or disable our vital resources.

Security experts at the U.S. Department of Homeland Security (DHS) have confirmed that principal activities behind many foreign hacks have been targeted at discovering models of ICS-SCADA systems and other key hardware/software components of critical infrastructure. China, Russia, and North Korea have already proven their ability to successfully execute major attacks on critical U.S. systems related to power, public utilities, manufacturing, and other industries.

Unfortunately, the engine that makes our connectivity run is TCP/IP, which was built with openness and connectivity in mind, but not security. One of the most basic attacks a hacker can execute is by spoofing the IP address of an endpoint. Such a misrepresentation is all they need to gain access to your data, sabotage your operations, and damage your reputation as a capable and socially responsible organization.

“In its early days, the Internet was designed to be a network that combined unprecedented speed, reach, and efficiency. It was a perfect formula … for the dark side.” (Leonard Kleinrock, UCLA scientist and pioneer of networking)

Optimize Operational Efficiency

Complicating the issue of network security is the operational need to keep ICS systems running at peak efficiency. Unfortunately, efficient connectivity is often compromised in favor of bulky layers of added security and prohibitive firewalls as a best effort to safeguard critical assets.

Additional connectivity challenges are presented by operational technologies (OT) located in geographically sparse areas, making it time-consuming and costly to get skilled staff members to various sites to effectively authorize vendors and other users. Between the growing connectivity requirements and the ever-expanding Internet of Things (IOT), which might range from medical devices and smart meters to break room vending machines, securely adding such an influx of connected devices has become very challenging.

Given the constant threats from hackers, bad actors, and foreign attacks, as well as the steadily increasing demand on network connectivity, there needs to be a better operational solution to efficiently connect and protect critical ICS systems.

Secure and Connect ICS with Next Generation Technologies

Best practice calls for segmenting your network and ICS to significantly reduce an attacker’s ability to traverse the network in the event of an intrusion. Until now, however, segmentation has been so difficult and complex with traditional technologies that most organizations have avoided or ignored this approach.

Organizations need to find a way to more efficiently segment ICS down to the device level, while reducing IT complexity to effectively increase operational output. If executed properly, a solution should have the beneficial side effect of decreasing labor costs with the lesser need for advanced IT skill sets to properly maintain the network. One of the ways this can be accomplished is through “cloaking,” which is an approach that encrypts your network to render it virtually invisible to hacker reconnaissance, and protect it against DDOS, MiTM attacks, and IP spoofing.

ICS stakeholders need to implement a solution that encompasses both, added security and better connectivity. The solution also needs to include simplified provisioning that eliminates the need for highly skilled IT staff to respond to every request for access or denial of service. Authorization for vendors and other users needs to be executed rapidly with automatic failover across Ethernet, Wi-Fi, cellular, and radio transmissions if necessary. This provisioning needs to be possible from remote locations to eliminate the need to send skilled staff members to distant locations.  Without sufficient deployment speed in regard to these activities, operational output suffers at the hand of default security measures that bog down networking in favor of overly cautious permission practices.

The optimal solution should also address business continuity and availability issues in the event of a system failure or a compromised device. For example, providing the ability for system administrators or lesser skilled personnel to quickly switch traffic between networks or data centers to avoid any downtime. And, what if an administrator could instantly revoke and quarantine any device that has been attacked by malware through API-initiated alerts?

Cyber security breaches and the growth of connected ‘things’ are trends that aren’t going away. IT decision makers need to move past the overwhelmingly restrictive policies of next generation firewalls and the overly complex nature of virtual private networks (VPN) and virtual local area networks (VLAN). These options only provide band-aids as an attempt to cover up open security wounds and chronically slow networking performance. Time is of the essence to implement a better way to secure and connect your ICS.

About the Author

Jeff Hussey is the Co-Founder, President, and CEO of Tempered Networks, the pioneer of Identity-Defined Networking. The company is dedicated to the secure connectivity needs of organizations that require operational agility, without compromising protection for their business critical infrastructure, endpoints and assets.  

Learn More

Did you enjoy this great article?

Check out our free e-newsletters to read more great articles..