Ultra Intelligence & Communications

Cybersecurity Spotlight: Next Generation Firewalls within the ICS Network

September 26th, 2016 / By

A next-generation firewall (NGFW) enforces security policy on multiple layers of the OSI model. In addition to a traditional network layer firewall, an NGFW is able to filter at the application layer as well.

In order to achieve this, the NGFW will employ capabilities such as deep packet inspection (DPI), antivirus signature detection, authentication, web application firewall (WAF), bandwidth management, and an intrusion prevention/detection system (IPS/IDS). This is done by inspection of the data contents of the packet itself, rather than just the packet headers. In doing so, the firewall can understand the messages and enforce a security policy by filtering out undesirable or malicious communications.

This technology has been employed at the enterprise level for several years now, but it has only recently crossed over to the ICS/SCADA realm. Many solutions that were made for the enterprise level are now being deployed for the operational technology (OT) environment.

However, there are some considerable differences in the OT network versus the enterprise network. While the enterprise network will see a plethora of protocols and interactions with different applications, the OT network generally sees the same traffic day-in and day-out. It is typically segregated from the enterprise as well as the Internet. Endpoints in ICS and SCADA networks often have a longer life than endpoints in the enterprise. Workstations might be replaced every 2-4 years, but PLCs and RTUs are usually replaced on much longer lifecycles at 10-15 years.

The age of these devices also poses additional challenges for operators communicating with them. Sometimes older applications or operating systems are needed just to communicate with the equipment. With availability as a top priority in this environment, patches, updates and upgrades are few and far between. This leaves gaping vulnerabilities within the OT environment.

Once a system upstream is compromised, an attacker can work his or her way to the ICS/SCADA network. The industrial protocols used in this network are generally easy to decode using a sniffing tool like Wireshark. After gaining access, the attacker can begin to sniff and manipulate the traffic to issue malicious commands.

This can have real-life kinetic results: just ask the Ukrainians.

To counter this threat, the solution for many years has been isolation from all other networks, or what is known as air-gapping. However air-gapping is not a catch-all solution; the air-gap can be breached by a malicious insider or via social engineering techniques.

How do we protect our PLCs and RTUs from compromised systems within the OT network? This is where NGFWs can help. Industrial NGFWs can provide IDS/IPS, DPI, and/or authentication capabilities to the OT network. The distinguisher between these solutions is application-layer inspection capabilities. Some solutions will take a shallow look at the application-layer data unit of the packet to verify that the protocol being used on the designated port is indeed the protocol that should be utilizing said port. In other words, if a system is communicating via ModbusTCP, the NGFW can verify that ModbusTCP is being used on port 502, and that is it.

Other solutions will utilize signature-based IDS/IPS capabilities to detect malicious traffic. This works very well for known threats, but it does not work very well for zero-day vulnerabilities. This solution works by analyzing the data in the packet for known strings associated with malware.

Another solution is rule-based DPI. Utilizing DPI, an application whitelisting approach can be taken. This approach designates a whitelist of ‘safe’ commands for the endpoints in the ICS/SCADA network. The advantage to application whitelisting is that even if a system upstream is compromised, the NGFW with DPI will only allow commands through to the ICS/SCADA network that are deemed safe. The benefit is that the system does not need to keep a signature list updated to guard against the latest known threats. The system simply allows or disallows commands issued through the industrial protocol.

An additional capability of DPI is the ability to perform sanity checking, ensuring that the packet is well-formed and conforms to the protocol standard. This can help mitigate vulnerabilities from buffer overflow attacks.

Whitelisting approaches in the enterprise are generally not desirable due to the constantly changing nature of applications and services running within an organization. However, as the OT network remains largely unchanged for long periods of time, application whitelisting works very well. When looking for NGFW solutions for the ICS/SCADA environment, OT admins should keep these subtle differences in mind.

For more information our DPI-capable CyberFence solutions please contact: info@ultra-3eti.com.