By Deborah Lee James, Former Secretary of the Air Force
Cyber-attacks are a daily occurrence for the US Air Force. In an unfortunate parallel to private industry, Air Force networks are attacked, and defended, thousands of times each week. I know this too well as former Secretary of the Air Force. In my current role, I am also well aware that operators of public as well as private critical networks are forced to pour more time, attention and resources than ever before into computer network security because it is so critical to our nation’s safety and economic vitality.
In light of these costs, and the associated high stakes, a clear return on investment is imperative. Such a return is not certain if we train our sights solely on network security. Cyber intruders have shown us repeatedly that many avenues are open to them for launching attacks and compromising critical data. That’s why the Air Force is investing more heavily in operational security, and the private sector cannot afford to fail to follow suit.
Operational security encompasses the entire portfolio of assets that execute processes, or missions, as directed by software code. These processes might be setting a flight path for an advanced fighter aircraft, or they may direct automated maintenance routines for an HVAC system on a facility where classified operations are conducted.
The Industrial Internet of Things (IIoT), characterized by the vast and complex interconnections of different systems, has opened innumerable gateways to our economy’s many enemies. Today’s cybersecurity for our critical infrastructure — dams, powerplants, industrial complexes — extends barely beyond the network core. Yet surprisingly, and alarmingly, edge devices linked to critical systems that prevent life-threatening malfunctions are almost entirely unguarded by PC-style firewalls.
The remedy for so exploitable a shortcoming is to comprehensively integrate endpoint security into national cybersecurity practice for critical systems. We must, in effect, lock down each individual endpoint that can, if compromised, abet the spread of malware through the greater network.
To keep networks secure, a more comprehensive layered approach is necessary. Doing so addresses three essential realities:
- Our national security and war-fighting efforts have become highly dependent on the expanding Industrial Internet of Things (IIoT).
- Unclassified network segments that support supply, logistics and other physical operations require greater cyber-protection.
- Action planning is increasingly mission-critical for protecting sensitive databases and endpoint terminals from advanced persistent threats.
Network operators are becoming more aware of foundational vulnerabilities that lie beyond the boundaries kept by standard firewalls. They are recognizing, for example, that the automation controls managing America’s largest corporate and residential campuses have become a target for state-sponsored enemies. These enemies don’t need to breach firewalls if they can turn off the lights and heat. Such network segments, if crippled, can potentially shut down hospitals, military outposts, nuclear plants and more.
Cybersecurity and the Industrial Internet of Things
Informed industry leaders now recognize that cyber-threats to critical endpoints are a dangerous by-product of the IIoT. Mitigating these risks, many acknowledge, requires fresh methodologies in cybersecurity planning and purchases.
Standard operating procedure for securing a fixed network, as opposed to an IIoT network, has resulted in a multitude of superficially secured systems that limit some levels of access to public networks such as the internet. As long as an attacker remains outside the network, this type of security may be sufficient. Unfortunately, the threats most dangerous to IIoT are essentially indifferent to standard perimeter safeguards. Devices communicate with remote servers, and users interact via human-machine interfaces (HMIs) such as PCs, tablets and smart phones. But all these communications are presumed by firewalls to be taking place among authorized people and machines.
The problem is that once intruders breach the system, as they inevitably will, there is little security in place to prevent them from doing almost anything they please.
Attackers prefer a path of least resistance, so penetrating a system from a public network using well-known hacker tactics is an easy way to infiltrate. A logical counter would be to install strong perimeter defenses, such as data diodes or gateway firewalls, to eradicate the external attack vector. While this approach is as logical as it is typical, it is severely incomplete.
Such a defense may thwart a direct attempt to breach a network, but it is far less likely to deflect a persistent and determined offender. This attacker may try a watering-hole or USB-based tactic to insert malicious code into a system. A cyber-enemy may infect the firmware on a website or compromise maintenance laptops via USB. Configuration files and flash drives may be corrupted through any number of software-based and social engineering methods that have all succeeded in the recent, and well-publicized, past.
The takeaway is this: The most concerning vulnerability isn’t one that allows an unauthorized party to access an IIoT device from outside the network. The real threat is that IIoT embedded devices will do whatever they’re told once a command, even a malevolent one, reaches them.
Every security control and architecture design should be built to prevent any possible vulnerability from being exploited. In many ICSs, an attacker targets an embedded device’s lack of robustness. Yet interconnected devices are rarely tested for behaviors should they receive an unauthorized command. If challenged by a non-standard operation or command, basic embedded devices often fail or malfunction.
The Industrial Security Landscape: Breaching a Network Perimeter
The threat landscape has never been more precarious. Machine systems are everywhere, connecting everything. Computers are welcomed into homes and offices in ways that often are invisible to their users. Critical systems that drive industry — heating, ventilation, air conditioning, generators, pumps, motors, light bulbs, temperature sensors — are all increasingly operated across connected networks.
With every new innovation in technology comes unforeseen consequences. In the industrial space where cyber meets physical, computers interconnect to perform functions that require no human involvement. The result is an irresistible sandbox for cyber criminals. The valves, meters and other gadgets in daily use worldwide have little or no embedded security, even while the smart phones and computers that connect with them are hyper-secured. Modern cybersecurity has almost entirely overlooked the vast majority of devices that make up the Internet of Things, leaving them almost entirely defenseless.
Implementing End-to-End Cybersecurity
When implementing comprehensive cybersecurity, the approach must be holistic if it is to be consistently effective. All possible weaknesses must be addressed. This means considering endpoints when devising systems and cybersecurity programs, and when planning purchases.
To illustrate: There is no point to locking the front door when the window beside it is visibly open. Intruders simply move from the strongest point of defense to the weakest. For interconnected critical networks, a comprehensive approach to sound cybersecurity means evaluating and correcting a host of vulnerabilities that impact people, devices, networks and data.
The best way to implement end-to-end risk controls is to understand how an attacker might succeed, then determine how best to implement security for optimum risk mitigation. Doing so calls for proven risk strategies that leverage industry standards. These strategies are then complemented with independently validated technologies proven to prevent the introduction of fresh vulnerabilities.
Cybersecurity Best Practices
Best practices, in many cases, apply almost interchangeably to both the military and civilian industrial sectors.
Consider strategic security guidance to industry issued in 2015 by the US Department of Homeland Security (DHS). The agency’s Seven Strategies outlined steps recommended for assuring optimized security. In issuing the best practices, DHS noted that these actions, had they been taken, could have prevented a large percentage of successful attacks to US critical infrastructure.
In accordance with this expert guidance, comprehensive security must tightly mesh physical facilities with cyber systems. Central command-and-control centers must be equipped, for example, with intelligent analytics to proactively monitor, detect, alert and provide solutions in a crisis. Virtual perimeter monitoring should assure edge or boundary security. In the case of a military base, a comprehensive cyber-physical safety net connects remote sensors to security operation centers to facilitate alerts, responses and analyses of security events using, ideally, a wireless and intelligent video networking system.
Such an approach models the defense-in-depth methodology US defense experts advocate. To shore up the weak links in critical networks, private industry must heed DHS guidance. Here are methods for applying DHS recommendations to ICS:
- Application Whitelisting – The only way to truly detect and prevent attempted execution of malware uploaded by adversaries is through application whitelisting applied to the networked connections between ICS devices. In the event an application is compromised, any attempted action is limited to preapproved operations. This helps prevent an attack from spreading which, in turn, improves system reliability and integrity.
- Ensuring Proper Configuration/Patch Management – Systems that are fully certified to highest security-implementation standards allow users to safely monitor and control operations across facilities. Unauthorized access beyond an initial entry point is blocked, as are man-in-the-middle and other attacks. Such controlled access facilitates configuration and patch implementations by limiting access to key management systems.
- Reducing Attack Surfaces – Technology with end-to-end encryption can create a segmented network for ICS devices whereby they are rendered invisible to unauthorized devices such as infected flash drives. Advanced certificate-based authentication can block port reuse and unauthorized access by, for example, a contractor’s unauthorized laptop. It can assure that only necessary and approved communications occur between known devices.
- Building a Defendable Environment – Validated cryptographic protections can isolate critical-control traffic from other traffic even when transported over the same physical network. Through device-level firewall functionality and command-level whitelisting, all host-to-host communications are monitored and restricted.
- Managing Authentication – Network and ICS data can be segmented using centralized PKI (public key infrastructure) security. To breach such a segmented system, an attacker would have to simultaneously compromise security frameworks on two separate network segments.
- Securing Remote Access – Access should be secured through encrypted connections using PKI-based authentication. Monitor-only modes are useful for permitting exclusively valid and authorized data to be exported without opening a link that an attacker can use to send traffic in, or tunnel data out.
- Monitoring and Response – Military-grade technology is available to industry for advanced monitoring. When unauthorized activity is detected, such systems block access and send an alert to approved personnel.
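As an added illustration of the command-level whitelisting, default-deny host-to-host restrictions, monitor-only mode and alerting described in the list above (example code written for this article, not a 3eTI product or a DHS reference implementation), the following policy checks each ICS message against preapproved operations; the host names, commands and traffic are all constructed.

```python
"""Default-deny command allowlist for host-to-host ICS traffic.
Added example, not code from 3eTI or DHS; hosts, commands and traffic are constructed."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

Message = Tuple[str, str, str]  # (source host, destination host, command)


@dataclass
class CommandAllowlist:
    # Preapproved operations per (source, destination) pair. Any pair or
    # command absent from this table is denied: default deny, never default allow.
    rules: Dict[Tuple[str, str], FrozenSet[str]]
    # Monitor-only mode records unauthorized activity without blocking it.
    monitor_only: bool = False
    alerts: List[str] = field(default_factory=list)

    def evaluate(self, src: str, dst: str, command: str) -> str:
        """Return 'allow', 'block', or (in monitor-only mode) 'log'."""
        if command in self.rules.get((src, dst), frozenset()):
            return "allow"
        # Unauthorized activity: alert approved personnel in every mode.
        self.alerts.append(f"unauthorized {command} from {src} to {dst}")
        return "log" if self.monitor_only else "block"

    def filter(self, messages: List[Message]) -> List[Tuple[Message, str]]:
        return [(m, self.evaluate(*m)) for m in messages]


# Constructed policy: the HMI may read and write PLC-1; the historian may only read.
RULES = {
    ("hmi", "plc-1"): frozenset({"read_registers", "write_coil"}),
    ("historian", "plc-1"): frozenset({"read_registers"}),
}

# Constructed traffic: a compromised historian attempting a write, and a
# contractor laptop with no rule at all.
TRAFFIC: List[Message] = [
    ("hmi", "plc-1", "read_registers"),
    ("hmi", "plc-1", "write_coil"),
    ("historian", "plc-1", "write_coil"),
    ("contractor-laptop", "plc-1", "read_registers"),
]


def run(monitor_only: bool = False) -> Tuple[List[str], List[str]]:
    """Apply RULES to TRAFFIC; return per-message decisions and the alerts raised."""
    policy = CommandAllowlist(RULES, monitor_only)
    decisions = [d for _, d in policy.filter(TRAFFIC)]
    return decisions, policy.alerts
```

In monitor-only mode the same two unauthorized messages are logged and alerted on rather than blocked, which is the mode the list above recommends for export-only links.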
Despite perceptions to the contrary across some industry quarters, it is possible to affordably, efficiently and comprehensively cybersecure ICS infrastructure by locking down endpoints. The threat is real, and with the demonstrated feasibility of adopting best practices, doing so should be mandatory.
Following the military’s deeply layered approach, industry should embrace best-in-class endpoint security tools. Network owners and operators should seek technologies that defend endpoints against persistent threats by accurately identifying malware upon arrival, and responding appropriately before an attack can be launched.
US defense agencies’ go-to gear for end-to-end cybersecurity is lightweight and virtually plug-and-play. It doesn’t impact IT operations because it doesn’t interfere with networks’ existing architectures. Fortunately, such solutions are not exclusive to US military, defense and intelligence operations. The private sector would have avoided many of its most severe, and costly, breaches had it followed the government’s lead in cyber-hardening critical network assets.
About the Author
Deborah Lee James is Special Advisor to Ultra Electronics, 3eTI. Former Secretary of the Air Force, James leads a wide range of strategic initiatives for 3eTI with a focus on defense-oriented programs that improve customers’ operations while cyber-securing automated system endpoints.