Security Ranch

February 15, 2021

Firewall Policies for Industrial Control Systems

Filed under: Uncategorized — Ken @ 8:04 pm


For this paper, the term Industrial Control Systems (ICS) will be used as a generalized term for Supervisory Control and Data Acquisition (SCADA) systems, Programmable Logic Controllers (PLC), and Human Machine Interfaces (HMI).  ICS is the technology that connects the Information Technology (IT) world to the Operational Technology (OT) world (Bodungen, 2017).  It is used every day to run power companies, oil refineries, space technology, and manufacturing plants.

Before this technology, when a company wanted to adjust a machine, it needed an employee to manually change the machine until the desired outcome was reached.  In the 1960s some of this equipment began to be connected to the mainframe computers of the time.  When personal computers became popular in the 1990s, companies wanted more control over and management of their OT equipment.  ICS were used to connect IT and OT over internal networks and later over the internet.  With those connections came a host of new problems that control systems engineers and computer engineers had never had to deal with before.  All of the threats and vulnerabilities of the internet were introduced to this new technology.  On the one hand, you had vulnerabilities from the web, and on the other hand, you had all of the vulnerabilities that already existed in the ICS now exposed to the world.  To be sure, those vulnerabilities had been there from the start, but they could be mitigated by workarounds and by the fact that the systems were isolated from most external threats.

Another unique issue with ICS technology is that many of the systems are still running the original technology they were built with.  Those systems have never been updated or upgraded.  Most of the time this is because the OT requires extremely high availability.  Imagine if a power plant had to shut down, even for a short time, to upgrade its equipment.  In reality, most companies never upgraded their equipment because it “just works.”

So, when the equipment a company uses becomes 20 or 25 years old and gets connected to the internet, there are some interesting considerations that IT security professionals need to understand in order to secure those technologies without bricking them in the process.  A computer from 20 years ago would be considered ancient today and would be almost unusable for what most people use computers for now.  One example of how these systems are unique is that most of the older technology has just enough processing power to do what it is supposed to do and no more.  Most “best practices” say that you should encrypt all communications between your devices and computers.  With ICS that may not be possible.  Industrial Control Systems are unique and therefore need special consideration when security policies are developed.  This paper will discuss four different types of security policies out of the possibly hundreds of types out there.  The first are firewall policies.

Firewalls are a major component of any network, and ICS networks are no different.  Firewalls are used to separate desired traffic from undesired traffic.  One of the primary uses of firewalls is to provide network segmentation, which plays into the broader defense-in-depth strategy.  A popular model for logically segmenting ICS networks is the Purdue Enterprise Reference Architecture (PERA), more commonly called the Purdue Model (Bodungen, 2017).  The Purdue Model divides a network into six levels, labeled Level 5 through Level 0.  Level 5 is the top level, the Enterprise level.  This is the level on which a corporate office and its network operate.  Level 4 is also an enterprise level, but it covers branch offices and the physical sites where the equipment is located.  Level 3 is the ICS-DMZ.  This demilitarized zone is used the same way a DMZ is used for web applications.  This is the level where SCADA systems are located, so they can be reached by the enterprise offices while still communicating with the components below them.  Level 2 is Area Supervisory Control, where components such as some PLCs and the HMIs are located.  Level 1 is where most of the PLCs are located and where most of the actual control of the OT takes place.  Level 0 is the OT equipment itself (Bodungen, 2017).

There are eight overall goals when developing the security policies and rules for firewalls.  The first goal is to eliminate all direct connections from the internet to the process control network (PCN)/SCADA network, otherwise known as the Level 3 ICS-DMZ in the Purdue Model (CPNI, 2005).  The second goal is to restrict access from Level 5 to Level 3 and below.  Very few employees, if any, should have access to the lower levels of the ICS network.  As a best practice, this is an example of “least privilege” and “need to know” (CPNI, 2005).  Goal three is to allow, but restrict, access to Level 3 from the Enterprise Levels 4 and 5.  That access should be limited to only the servers and devices that are needed for compliance reasons, such as data historians and maintenance databases (CPNI, 2005).  Goal four is to secure remote access to the control systems.  Occasionally, third parties such as vendors or contractors will need access to the control systems, for example for emergency maintenance or for upgrading systems.  There should be separate policies and firewall rules for vendors and contractors.  The fifth goal is to secure all wireless connections.  The sixth goal is to develop well-defined rules for what traffic and which protocols are allowed through the firewall.  The IT department will need to create Access Control Lists (ACLs) and ensure that the principles of “least privilege” and “need to know” are applied (     ).  The seventh goal is to secure the connection between the firewall and its management.  This is so that system administrators can monitor all traffic over a secure connection from highly restricted management servers.  The last goal is to monitor all traffic and scan for any unauthorized protocols or unusual activity.  This can be achieved with a firewall or an Intrusion Prevention/Detection System (IPS/IDS).
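To make the Purdue levels and the firewall goals above concrete, here is an added example (not code from the original post or from any cited source) that audits a candidate rule set against goals 1, 2, 3 and 6.  The zone names, the approved-protocol list, the DMZ service names and the sample rules are all constructed assumptions; a real policy would populate them from the site's own inventory.

```python
"""Audit an ICS firewall rule set against the Purdue-model segmentation goals:
goal 1 (no direct Internet path into Level 3 or below), goal 2 (enterprise
levels may not reach below the DMZ), goal 3 (enterprise access to Level 3 is
limited to named compliance servers) and goal 6 (only approved protocols, and
an explicit deny-all at the end).  All data below is constructed for the
example."""
from dataclasses import dataclass

# Purdue levels; INTERNET sits outside the model and is given level 99.
LEVELS = {"INTERNET": 99, "L5": 5, "L4": 4, "L3": 3, "L2": 2, "L1": 1, "L0": 0}

# Protocols the policy explicitly permits (constructed allowlist, goal 6).
APPROVED_PROTOCOLS = {"https", "opc-ua", "modbus-tcp", "syslog"}

# Level 3 services the enterprise is allowed to reach (constructed, goal 3).
DMZ_SERVICES = {"historian", "maintenance-db"}

DENY_ALL = ("any", "any", "any", "deny", "any")


@dataclass(frozen=True)
class Rule:
    src: str              # source zone, e.g. "L5" or "INTERNET"
    dst: str              # destination zone, e.g. "L3"
    protocol: str         # "any" or a named protocol
    action: str           # "allow" or "deny"
    dst_host: str = "any"  # named server at the destination, if any

    def as_tuple(self):
        return (self.src, self.dst, self.protocol, self.action, self.dst_host)


def audit_rules(rules):
    """Return a list of (rule_index, goal_number, message) findings."""
    findings = []
    for i, r in enumerate(rules):
        if r.action != "allow":
            continue  # deny rules cannot open a forbidden path
        if r.src not in LEVELS or r.dst not in LEVELS:
            findings.append((i, 6, f"allow rule uses an unknown zone ({r.src}->{r.dst})"))
            continue
        src, dst = LEVELS[r.src], LEVELS[r.dst]
        if r.src == "INTERNET" and dst <= 3:
            findings.append((i, 1, f"direct Internet path into {r.dst}"))
        if src in (5, 4) and dst <= 2:
            findings.append((i, 2, f"enterprise zone {r.src} reaches {r.dst}, below the DMZ"))
        if src in (5, 4) and dst == 3 and r.dst_host not in DMZ_SERVICES:
            findings.append((i, 3, f"enterprise access to L3 not limited to approved servers (host={r.dst_host})"))
        if r.protocol not in APPROVED_PROTOCOLS:
            findings.append((i, 6, f"protocol '{r.protocol}' is not on the approved list"))
    # A well-defined policy ends in an explicit deny-all (goal 6).
    if not rules or rules[-1].as_tuple() != DENY_ALL:
        findings.append((len(rules), 6, "rule set does not end with an explicit deny-all"))
    return findings


# Constructed sample rule set; comments mark the intended outcome of each rule.
SAMPLE_RULES = [
    Rule("L5", "L3", "https", "allow", dst_host="historian"),  # compliant
    Rule("INTERNET", "L3", "https", "allow"),                 # violates goal 1
    Rule("L4", "L2", "modbus-tcp", "allow"),                  # violates goal 2
    Rule("L5", "L3", "any", "allow"),                         # violates goals 3 and 6
    Rule("L3", "L2", "opc-ua", "allow"),                      # compliant
]

if __name__ == "__main__":
    for idx, goal, msg in audit_rules(SAMPLE_RULES):
        print(f"rule {idx}: goal {goal}: {msg}")
```

Running the block as a script lists five findings for the sample set: one each for goals 1 and 2, two for the over-broad Level 5 rule, and one because the set has no trailing deny-all.  Appending `Rule("any", "any", "any", "deny")` removes the last finding; the other four need the offending rules rewritten.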

IDSs and IPSs are useful because they give you greater flexibility in what to do with the traffic.  Firewalls generally will only deny, drop, or allow traffic based on the rules that were written.  If the telnet protocol is blocked, then no telnet traffic will be allowed to pass the firewall.  An IDS/IPS, on the other hand, can block the connection and alert the IT department if any unauthorized activity is attempted on the network.  There are three primary detection methodologies used by IDS/IPSs.  The first is signature-based detection.  A signature can come in many forms, but some common signatures are unauthorized protocols or unauthorized user names.  For example, the name root should probably never be used, as it is a well-known name that many attackers would try when logging in.  Other signatures could be file names that are likely to carry malware.  One area of information security that studies and creates signatures is Threat Intelligence.  Threat analysts study malware and cyber attacks and create Indicators of Compromise (IOCs) that can be programmed into firewalls and IDS/IPS to stop attacks before they can happen.  This detection method is good for known threats (Scarfone, 2007).

The second detection method is anomaly-based detection.  Anomaly-based detection can detect unusual activity that deviates from an initial baseline profile.  If the regular working hours are from 8 a.m. to 5 p.m. and activity is detected at midnight, an alert would be triggered and the event either recorded in a log file or the connection blocked entirely (Scarfone, 2007).

The third detection method is stateful protocol analysis.  Stateful protocol analysis is the latest detection method and is suitable for deep packet inspection, as it can remember the “state” of the connection while inspecting the packets.  This is good for connections that have to be authorized.  When a user attempts to make a connection and is authenticated, the network device remembers that the connection was authorized and what was authorized.  While stateful-analysis IDS/IPS are the most capable, the downside is that they are extremely resource intensive and could slow network traffic down if there is too much of it (Scarfone, 2007).
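The three detection methods just described can be shown side by side on a handful of log lines.  The following is an added example, not code from the original post or from NIST SP 800-94: a toy analyzer that applies a signature check (blocked protocols and user names), an anomaly check against an 8 a.m. to 5 p.m. baseline, and a stateful check that remembers which sessions authenticated before allowing a control write.  The log format, the indicator lists and the baseline hours are constructed assumptions.

```python
"""Toy IDS illustrating signature-based, anomaly-based and stateful
detection on constructed 'ts key=value ...' log lines."""
from datetime import datetime

# Signature-based indicators (constructed list; a real one comes from threat intel).
BLOCKED_PROTOCOLS = {"telnet", "ftp"}
BLOCKED_USERNAMES = {"root", "admin"}

# Anomaly baseline: normal activity is 08:00 up to 17:00 (constructed).
WORK_HOURS = range(8, 17)


def parse_line(line):
    """Parse 'ISO-timestamp k=v k=v ...' into a dict; 'ts' becomes a datetime."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def signature_check(rec):
    """Match the record against known-bad indicators."""
    alerts = []
    if rec.get("proto") in BLOCKED_PROTOCOLS:
        alerts.append(f"signature: blocked protocol {rec['proto']}")
    if rec.get("user") in BLOCKED_USERNAMES:
        alerts.append(f"signature: blocked username {rec['user']}")
    return alerts


def anomaly_check(rec):
    """Flag activity outside the baseline working hours."""
    if rec["ts"].hour not in WORK_HOURS:
        return [f"anomaly: activity at {rec['ts']:%H:%M} outside baseline hours"]
    return []


class StatefulAnalyzer:
    """Remember which sessions authenticated; flag control writes without one."""

    def __init__(self):
        self.authenticated = set()

    def check(self, rec):
        sess = rec.get("session")
        if rec.get("event") == "login" and rec.get("result") == "ok":
            self.authenticated.add(sess)
            return []
        if rec.get("event") == "write" and sess not in self.authenticated:
            return [f"stateful: write on session {sess} without prior authentication"]
        return []


def analyze(lines):
    """Return {line_number: [alerts]} for every line that triggered something."""
    stateful = StatefulAnalyzer()
    report = {}
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        alerts = signature_check(rec) + anomaly_check(rec) + stateful.check(rec)
        if alerts:
            report[n] = alerts
    return report


# Constructed sample log: line 3 is a midnight login, line 4 a telnet login as
# root, line 5 a Modbus write on a session that never authenticated.
SAMPLE_LOG = [
    "2021-02-15T09:12:04 src=10.1.3.20 proto=https user=hist_svc event=login result=ok session=1",
    "2021-02-15T09:12:30 src=10.1.3.20 proto=opc-ua user=hist_svc event=write session=1",
    "2021-02-15T00:03:51 src=10.1.3.20 proto=https user=hist_svc event=login result=ok session=2",
    "2021-02-15T10:42:10 src=10.1.5.7 proto=telnet user=root event=login result=fail session=3",
    "2021-02-15T11:00:00 src=10.1.2.9 proto=modbus-tcp user=- event=write session=4",
]

if __name__ == "__main__":
    for n, alerts in analyze(SAMPLE_LOG).items():
        for a in alerts:
            print(f"line {n}: {a}")
```

The first two lines are clean: the session logs in during working hours and its later write is covered by that login.  Line 3 trips only the anomaly check, line 4 trips two signatures at once, and line 5 passes both the signature and anomaly checks but is caught by the stateful analyzer, which is the case the other two methods cannot see.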

The National Institute of Standards and Technology (NIST) created two critical documents that can help with creating and applying security controls and policies.  NIST SP 800-82 r2 is the Guide to Industrial Control Systems Security and contains the best practices for security policies and controls.  These controls are based on the controls presented in another vital document, NIST SP 800-53 r4, Security and Privacy Controls for Federal Information Systems and Organizations.  SP 800-53 contains most of the security and privacy controls you would need to build your security policies from.  IT administrators should attempt to implement the controls in SP 800-82 first, and where those controls are not possible or feasible, SP 800-53 contains compensating controls that can still achieve the same or nearly the same results.

As with the Internet of Things (IoT), more devices than ever are being connected online.  This trend will likely continue accelerating for the foreseeable future.  In fact, a new buzzword, the Industrial Internet of Things (IIoT), describes the same thing except that it is control systems that are connected to the internet.  Another new trend in the ICS world is virtualization and cloud services.  For the same reasons that businesses have all started moving to the cloud, industrial control systems are going to start moving there as well.  As this happens, some of the same vulnerabilities that exist in cloud services will start appearing in ICS networks.  With those new vulnerabilities, security professionals will have to find new ways to secure ICS networks.

References

CPNI. (February 2005). Firewall Deployment for SCADA and Process Control Networks. Retrieved from https://www.ncsc.gov.uk/content/files/protected_files/guidance_files/2005022-gpg_scada_firewall.pdf

Bodungen, Clint; Singer, Bryan; Shbeeb, Aaron; Hilt, Stephen; et al. (2017). Hacking Exposed: ICS and SCADA Security Secrets & Solutions. New York, NY: McGraw-Hill Education.

Scarfone, Karen; Mell, Peter. (February 2007). Guide to Intrusion Detection and Prevention Systems (IDPS). Retrieved from http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-94.pdf

Stouffer, Keith; Pillitteri, Victoria; et al. (May 2015). Guide to Industrial Control Systems Security. Retrieved from http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf

Joint Task Force Transformation Initiative. (April 2013). Security and Privacy Controls for Federal Information Systems and Organizations. Retrieved from http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf

Cruz, Tiago; Simoes, Paulo; et al. (July 2016). Security implications of SCADA ICS virtualization: survey and future trends. Retrieved from https://www.researchgate.net/publication/305725280_Security_implications_of_SCADA_ICS_virtualization_survey_and_future_trends
