PLC Protection: Are we looking forward or backward?

June 16, 2014

By Dr. Alex Tarter, Ultra Electronics, 3eTI

The past ten years have seen extraordinary progress in ICS cybersecurity. Every industry sector has taken notice of the threats, and decision makers are pursuing standards and best practices for improved and assured system safeguards. These standards and practices tend to share one methodology: define a critical system's perimeter, erect perimeter defenses, and control what comes in and goes out.

Segregated-Enclave Security – A Temporary Fix
This methodology has resulted in a preponderance of so-called secure systems, which are really just networks of segregated enclaves with restricted access from public networks. The result is solid protection against an attacker trying to penetrate a network from a publicly accessible one, such as the Internet, which is a legitimate threat in need of mitigation. However, is it the threat that troubles us the most?

One of the biggest problems with the segregated-enclave approach is that, once attackers are inside the enclave, little stands between them and doing almost anything they want. Once the perimeter is breached, the system is typically owned and the damage is done. Attackers are human: they prefer easy over difficult and less risk over more. Attacking a system from the public side using well-known vectors is among the easiest and least risky methods of intrusion, which is why it is so prevalent. A reasonable, best-practice response is to install strong perimeter defenses, such as data diodes or gateways, and eliminate that attack vector.

What could be flawed in this approach? While it will stop a cursory attempt, will it stop a dedicated one? Will the bad guy give up and go away, or simply try an alternative entry point? Are we protected against a second or third attempt, or have we assisted the attacker by leaving clues pointing toward our unprotected flank?

With each security control and architecture decision, we should ask whether the system or feature bars a point of vulnerability from exploitation, or merely blocks one attack vector. In many industrial control systems, the target hinges on the fact that PLCs are reliable but not robust. When operated correctly, a PLC is one of the most reliable devices in operation, yet when given something unexpected or non-standard, it often fails or malfunctions. An attacker who wants to cause physical damage or impact a facility's operations will therefore prefer to interfere with PLC-related communications.

Traditionally, attackers came at this through a publicly accessible interface and worked their way to the control domain. By deploying good perimeter defenses, we have made that attack vector much more difficult, perhaps even impossible. We have not, however, mitigated the vulnerability. The PLC is still not robust and, if an attack breaches the perimeter, it will still succeed. The guidance implicitly acknowledges this risk by recommending anti-virus protection on all PCs, including those in the control enclave. Why run anti-virus if no risk is present? If the vulnerability remains but the most prevalent attack vector is blocked, what is the risk that it will still be exploited? There are plenty of familiar methods for breaching the perimeter.

New Methods of Breaching a Network’s Perimeter
Stuxnet infected air-gapped systems through infected USB sticks, yet engineers continue to bring devices and computers on-site when providing maintenance, and vendors still have remote access to client systems over dedicated links. Trying to guess and mitigate the next attack vector is a cat-and-mouse game that the defender will not win. The truth is that embedded systems do not have adequate security of their own. They remain at risk of an attacker maliciously interfering with them and with the computers that control them. If we want to protect a system, we need to isolate the vulnerability, not merely block the attack vector. Once intruders can communicate on a network, they can interfere with control communications, disrupt timing messages, send damaging messages to the controllers, or simply conduct a denial-of-service attack against a system or component.

Also worth watching is the rapidly developing world of hacker "drop-boxes": low-cost, disposable computers left inside a victim's facility to act as a physical Trojan horse. If attackers can gain access to a facility, or employ someone who can, they can drop a miniature device where no one would think to look and, through it, gain a permanent foothold in the system. Cheap but capable computers such as the Raspberry Pi or Arduino, combined with hacker toolkits such as Kali and a disposable cell phone, give attackers an easy way to hack a network for less than $100. In a large and disparate facility or office building, who would notice a device the size of two decks of cards? What if it were hidden in plain sight, disguised as another PLC?

This is exactly the concept that Stephen Hilt demonstrated at the recent Digital Bond S4 conference with his 'PLCpwn' device. Recent news reports have even shown USB or Ethernet cables fitted with hidden radios that allow attackers to access a network or computer secretly. For less than the price of a nice dinner, and a weekend's effort, almost anyone can build a penetration device that can be slipped into a pocket, surreptitiously connected to the network, and used to access systems remotely, anytime and from anywhere. For ease of use and low risk, this vector is highly attractive to attackers, and it currently circumvents virtually every standard protection.

Would You Prefer a Mask or a Vaccine?
If the vulnerability is in the controller, security should not stop at the network perimeter: end-point protection belongs on the embedded systems themselves. Think of it this way: if faced with an immediate risk of contracting plague, would you prefer a mask or a vaccine?
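As an added illustration of what end-point protection for a reliable-but-not-robust controller can look like (example code written for this edit; it is not the author's, not a 3eTI product, and not from the original article), the following Python models an ingress filter sitting directly in front of a PLC. It assumes the controller speaks Modbus/TCP, a common PLC protocol the article does not itself name, which carries no authentication of its own: once a drop-box or compromised engineering laptop can talk on the control network, it can issue write requests exactly as the HMI does. The filter therefore enforces a per-master policy (the IP addresses, permitted function codes and writable address range are constructed assumptions) and rejects any frame that does not parse cleanly, so that the "unexpected or non-standard" requests that make a PLC fail never reach its firmware. The sample traffic at the bottom is constructed for the example.

```python
# Constructed example: deny-by-default Modbus/TCP ingress filter for a single PLC.
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Public Modbus function codes used below.
FC_READ_COILS, FC_READ_DISCRETE, FC_READ_HOLDING, FC_READ_INPUT = 1, 2, 3, 4
FC_WRITE_COIL, FC_WRITE_REG, FC_WRITE_COILS, FC_WRITE_REGS = 5, 6, 15, 16
READ_FCS = {FC_READ_COILS, FC_READ_DISCRETE, FC_READ_HOLDING, FC_READ_INPUT}

@dataclass
class Policy:
    """Hypothetical per-PLC policy: which master may send which function codes."""
    allowed: Dict[str, Set[int]]                                    # source IP -> permitted FCs
    writable: List[Tuple[int, int]] = field(default_factory=list)   # inclusive address ranges
    max_quantity: int = 16                                          # cap on coils/registers per request

def _writable(lo: int, hi: int, policy: Policy) -> bool:
    return any(a <= lo and hi <= b for a, b in policy.writable)

def validate_frame(src_ip: str, frame: bytes, policy: Policy) -> Tuple[bool, str]:
    """Decide whether one Modbus/TCP request may reach the PLC. Anything unparsed is dropped."""
    if src_ip not in policy.allowed:
        return False, f"unknown master {src_ip}"
    if len(frame) < 8:                                # MBAP header (7 bytes) + function code (1)
        return False, "frame shorter than MBAP header plus function code"
    _tid, proto, length, _unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        return False, f"protocol id {proto} is not Modbus"
    if length != len(frame) - 6:                      # length field counts unit id + PDU
        return False, f"length field {length} disagrees with {len(frame) - 6} bytes on the wire"
    fc, pdu = frame[7], frame[8:]
    if fc not in policy.allowed[src_ip]:
        return False, f"function code {fc} not permitted for {src_ip}"
    if fc in READ_FCS:
        if len(pdu) != 4:
            return False, "read request must be exactly address + quantity"
        addr, qty = struct.unpack(">HH", pdu)
        if not 1 <= qty <= policy.max_quantity:
            return False, f"read quantity {qty} outside 1..{policy.max_quantity}"
        return True, f"read fc={fc} addr={addr} qty={qty}"
    if fc in (FC_WRITE_COIL, FC_WRITE_REG):
        if len(pdu) != 4:
            return False, "single write must be exactly address + value"
        addr, value = struct.unpack(">HH", pdu)
        if fc == FC_WRITE_COIL and value not in (0x0000, 0xFF00):   # only ON/OFF are legal
            return False, f"coil value {value:#06x} is neither ON nor OFF"
        if not _writable(addr, addr, policy):
            return False, f"address {addr} is not writable"
        return True, f"write fc={fc} addr={addr} value={value:#06x}"
    if fc in (FC_WRITE_COILS, FC_WRITE_REGS):
        if len(pdu) < 5:
            return False, "multi-write must carry address, quantity and byte count"
        addr, qty, nbytes = struct.unpack(">HHB", pdu[:5])
        expected = (qty + 7) // 8 if fc == FC_WRITE_COILS else 2 * qty
        if not 1 <= qty <= policy.max_quantity:
            return False, f"write quantity {qty} outside 1..{policy.max_quantity}"
        if nbytes != expected or len(pdu) - 5 != nbytes:             # header must match payload
            return False, "byte count disagrees with quantity or payload"
        if not _writable(addr, addr + qty - 1, policy):
            return False, f"range {addr}..{addr + qty - 1} is not writable"
        return True, f"write fc={fc} addr={addr} qty={qty}"
    return False, f"function code {fc} has no validator"

def build_request(fc: int, pdu: bytes, tid: int = 1, unit: int = 1) -> bytes:
    """Assemble a Modbus/TCP request (MBAP header + PDU); used only to construct samples."""
    return struct.pack(">HHHB", tid, 0, 2 + len(pdu), unit) + bytes([fc]) + pdu

# Constructed policy: the HMI may only read; the engineering workstation may write coils 0..15.
HMI, EWS, DROPBOX = "10.0.0.10", "10.0.0.20", "10.0.0.99"
POLICY = Policy(
    allowed={HMI: set(READ_FCS), EWS: set(READ_FCS) | {FC_WRITE_COIL, FC_WRITE_REG, FC_WRITE_REGS}},
    writable=[(0, 15)],
)

def run_samples() -> Dict[str, Tuple[bool, str]]:
    """Constructed traffic: legitimate requests, a foreign host, and malformed frames."""
    good_write = build_request(FC_WRITE_COIL, struct.pack(">HH", 5, 0xFF00))
    lying_length = good_write[:4] + struct.pack(">H", 3) + good_write[6:]   # header lies about size
    samples = {
        "hmi_reads_registers": (HMI, build_request(FC_READ_HOLDING, struct.pack(">HH", 0, 8))),
        "hmi_tries_to_write": (HMI, build_request(FC_WRITE_REG, struct.pack(">HH", 3, 1))),
        "ews_writes_coil": (EWS, good_write),
        "dropbox_writes_coil": (DROPBOX, good_write),
        "ews_bad_coil_value": (EWS, build_request(FC_WRITE_COIL, struct.pack(">HH", 5, 0x1234))),
        "ews_length_mismatch": (EWS, lying_length),
        "ews_writes_outside_range": (EWS, build_request(FC_WRITE_REGS, struct.pack(">HHB", 100, 2, 4) + b"\x00\x01\x00\x02")),
        "ews_huge_read": (EWS, build_request(FC_READ_HOLDING, struct.pack(">HH", 0, 2000))),
    }
    return {name: validate_frame(src, frame, POLICY) for name, (src, frame) in samples.items()}

if __name__ == "__main__":
    for name, (ok, why) in run_samples().items():
        print(f"{'ACCEPT' if ok else 'DROP  '} {name:26s} {why}")
```

The point is the default, not the individual checks: a request from an unlisted host, an unlisted function code, or a frame the validator cannot fully parse is dropped rather than forwarded, which is what protects the controller from the drop-box that is already inside the enclave and from the non-standard message that would make it fault. In a real deployment the policy would be derived from the engineering configuration (which masters exist and which addresses each may touch), and the logic has to run on or immediately in front of the PLC rather than at the enclave boundary, otherwise it is just another perimeter.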

We should be looking ahead, toward all the other types of attack vectors, not just those seen in the past, and proactively recommending mitigations for the vulnerability itself rather than only blocking attack vectors.

About the Author
Alex Tarter, Group Cyber Security Technical Lead, Ultra Electronics, 3eTI, is an expert and thought leader on new technologies and solutions for industrial and commercial applications for the protection of critical infrastructure. In addition to the work he does developing security solutions, Alex performs vulnerability and cyber security work for military and industrial applications, having prepared more than 50 reports on various aspects of security and situational awareness for industry, the UK MoD, and the U.S. DoD. He holds a PhD from Lancaster University and a Master of Engineering from Imperial College London. He serves as a civilian advisory expert to NATO on Cyber Defense for the Industrial Resources and Communications Services Group.