Welcome to the 18th edition of the JW Secure Informer, our bi-monthly newsletter. This is an opportunity to share what’s on our radar, specifically with respect to enterprise network security, but also regarding IT and business more generally.
The Informer is intended to be useful content and good for a quick read. So if it’s just clutter in your inbox, we’ve failed, and I hope you’ll let us know.
Network Security Keeps the Lights On and the Bad Guys Out
Security in Critical Infrastructure Control Systems
Software has pervaded our lives in a way that few could have predicted when the first high-availability systems were fielded decades ago. Starting with applications in national defense and line of business data processing, software now powers critical systems such as banking and public utilities.
Consumer computers and banking systems have been under attack for decades. These systems offer cyber criminals financial incentives that have fueled a steady stream of new attacks, answered in turn by large expenditures from software vendors and security firms. Because consumer software changes frequently, vulnerabilities are always present, and even the standard internet protocols like DNS, TCP/IP, and SSL/TLS have proven inadequate in the face of sophisticated cyber-attacks. The dynamic consumer software market has played a cat-and-mouse game trying to stay ahead of cyber-attackers, and on the whole it meets the needs of consumer systems: consumers expect high-performance graphics to handle modern games and touch screens, while long-term reliability and uptime are secondary concerns.
The software that runs critical infrastructure like power stations must be carefully designed, thoroughly vetted, and continuously monitored. In contrast to consumer systems, it may run for years without restarts or upgrades. Until recently, a lack of financial incentive had kept cyber-attackers away from SCADA (supervisory control and data acquisition) software. But with the recent cyber-attacks against and by Iran, news media attention has raised awareness that our critical infrastructure systems are vulnerable.
Wide public adoption of the internet and the consumerization of IT are trends that have been the focus of cyber-attackers for years. Nevertheless, those trends are quite new compared to the adoption of power control protocol standards that date back several decades. An example of such a protocol is IEC 60870-5, which defines a format for exchanging command and control data between two nodes within a power system. It has been extended by IEC 62351, which, among other things, defines an approach for transmitting existing 60870-5 payloads over a modern TLS encryption tunnel. This is a sensible scheme, as it allows data protection to be handled, for the most part at least, by a standards-based proxy component that can be introduced into the existing system without risking pervasive changes that would impact reliability.
However, software changes are never risk-free, and even the proxy approach must be carefully managed. For example, TLS protocol negotiation can fail for a number of reasons, including an expired server certificate or incompatible encryption capabilities between endpoints. That the protocol can, by design, succeed on one day and then fail the next raises some challenging questions in the SCADA context. For example, if the security protocol fails on a critical power control link, should the system fall back to the insecure version in order to ensure that the message is always delivered, no matter what? Perhaps the system is experiencing an emergency shutdown in order to prevent possible loss of life or property damage – this is a vote for allowing insecure failover. On the other hand, perhaps a terrorist organization is attempting to inject unauthorized commands to bring down the grid – this is a vote against.
Call to Action
Our recommendation is simple: continue to retrofit SCADA systems with modern security capabilities in a way that preserves their critical reliability characteristics. As we’ve pointed out, tradeoffs are inevitable. The best approach is to create a threat matrix that defines the expected behavior of the system in response to attack and failure scenarios. Creating a realistic strategy in response to the modern threat landscape is the best way to ensure that the lights stay on and the bad guys stay out.
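The threat matrix recommended above, and the failover question raised in the preceding section, can be made concrete by treating the matrix as an executable policy table rather than a document on a shelf. The following is an added example written for this edition; it is not JW Secure's code and not anything defined by IEC 62351. It assumes a TLS-wrapping proxy in front of an IEC 60870-5 link, three handshake failure causes (the two named above plus an assumed untrusted-issuer case), two context flags (declared emergency, critical link), and illustrative actions chosen for the example. Every analysed scenario gets an explicit, reviewed action; a scenario nobody has analysed fails closed and is flagged, and the matrix can report which scenarios still lack a decision.

```python
"""Threat matrix as executable policy for a TLS-wrapping SCADA proxy.

Constructed example: scenario set, context flags and the chosen actions are
illustrative assumptions, not defaults from IEC 62351 or any vendor product.
"""
from dataclasses import dataclass
from enum import Enum
from itertools import product
from typing import Dict, List
import logging

log = logging.getLogger("scada_tls_proxy")


class Failure(Enum):
    """Why the TLS handshake on the link failed (two causes from the text, one assumed)."""
    CERT_EXPIRED = "server certificate expired"
    CIPHER_MISMATCH = "no cipher suite in common"
    CERT_UNTRUSTED = "certificate not chained to a trusted CA"  # assumed extra cause


class Action(Enum):
    FORWARD_PLAINTEXT = "fall back to unprotected 60870-5 transport"
    QUEUE_AND_ALERT = "hold the message and alert the operator"
    DROP = "refuse to forward"


@dataclass(frozen=True)
class Scenario:
    failure: Failure
    emergency: bool       # site has declared an emergency (e.g. emergency shutdown in progress)
    link_critical: bool   # link carries protective or shutdown commands


# The threat matrix: each analysed scenario maps to one reviewed action.
# These assignments are constructed for illustration.
THREAT_MATRIX: Dict[Scenario, Action] = {
    # Expired certificate: an operational lapse, not by itself evidence of an adversary.
    Scenario(Failure.CERT_EXPIRED, True, True): Action.FORWARD_PLAINTEXT,
    Scenario(Failure.CERT_EXPIRED, True, False): Action.QUEUE_AND_ALERT,
    Scenario(Failure.CERT_EXPIRED, False, True): Action.QUEUE_AND_ALERT,
    Scenario(Failure.CERT_EXPIRED, False, False): Action.QUEUE_AND_ALERT,
    # Cipher mismatch: could be misconfiguration or a downgrade attempt. Only the
    # emergency rows have been reviewed so far; the others are deliberately left open.
    Scenario(Failure.CIPHER_MISMATCH, True, True): Action.FORWARD_PLAINTEXT,
    Scenario(Failure.CIPHER_MISMATCH, True, False): Action.QUEUE_AND_ALERT,
    # Untrusted issuer: consistent with an impersonating peer, so never fall back.
    Scenario(Failure.CERT_UNTRUSTED, True, True): Action.DROP,
    Scenario(Failure.CERT_UNTRUSTED, True, False): Action.DROP,
    Scenario(Failure.CERT_UNTRUSTED, False, True): Action.DROP,
    Scenario(Failure.CERT_UNTRUSTED, False, False): Action.DROP,
}


def decide(scenario: Scenario) -> Action:
    """Return the matrix action; an unanalysed scenario fails closed and is flagged."""
    action = THREAT_MATRIX.get(scenario)
    if action is None:
        log.critical("unanalysed scenario %s: failing closed", scenario)
        return Action.DROP
    # Any plaintext fallback is a security-relevant event and is logged at WARNING.
    level = logging.WARNING if action is Action.FORWARD_PLAINTEXT else logging.INFO
    log.log(level, "handshake failure %s -> %s", scenario.failure.name, action.name)
    return action


def audit_record(scenario: Scenario) -> dict:
    """Structured record of one decision, suitable for forwarding to a SIEM."""
    return {
        "failure": scenario.failure.name,
        "emergency": scenario.emergency,
        "link_critical": scenario.link_critical,
        "action": decide(scenario).name,
        "analysed": scenario in THREAT_MATRIX,
    }


def coverage_gaps() -> List[Scenario]:
    """Scenarios the matrix does not cover: the review backlog before the proxy ships."""
    return [
        Scenario(f, e, c)
        for f, e, c in product(Failure, (True, False), (True, False))
        if Scenario(f, e, c) not in THREAT_MATRIX
    ]


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    for gap in coverage_gaps():
        print("not yet analysed:", gap)
    print(audit_record(Scenario(Failure.CERT_EXPIRED, emergency=True, link_critical=True)))
```

The design point is that the fail-open versus fail-closed question is answered once per scenario, by the people who understand the plant, and the proxy only looks the answer up. `coverage_gaps()` turns the matrix review into a checklist, and the fail-closed default for anything not on that list means an unforeseen handshake failure can never silently become an unprotected link.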
Contact JW Secure at email@example.com to learn more about our proven experience in implementing IEC 62351 and highly available software systems.
Secretary Panetta on Cybersecurity, Business Executives for National Security – Oct. 11, 2012
Hackers exploit software that allows remote operation of industrial systems. – Dec. 3, 2012
U.S. Suspects Iran Was Behind a Wave of Cyber Attacks
Obama signs secret directive to help thwart cyber attacks
Obama Ordered Use of Stuxnet, Acceleration of Cyber Attacks against Iran