Ultra Intelligence & Communications

Securing the VPN to Thwart ICS Cyber Threats

July 30th, 2014 / By

When NIST released the “Guide to Industrial Control Systems (ICS) Security”[i] this spring for industry comment, the revised guidance included updates on the importance of network segmentation and segregation for improved cybersecurity. The agency sought to help industry head off and minimize damage from network breaches that allow attackers to move freely through ICS enterprise networks.[ii]

Segmentation can be accomplished logically through virtual local area networks (VLANs), encrypted virtual private networks (VPNs), and through physical network separation and network traffic filtering at gateways and firewalls. In determining the most effective security architecture, assume a malicious penetration is both imminent and inevitable.

Forewarned and forearmed, we should incorporate appropriate features at design outset to contain potential damage from any network attack. The objective is to prevent the attacker from exploiting a small foothold in one portion of your network to expand access across the entire network.

Good architecture provides multiple barriers to keep hackers from accessing your organization’s crown jewels — the data, systems, or controls essential to your company’s continued economic well-being and survival. Network segmentation is a key part of limiting access and collateral damage.

ICS as warship? Not as strange as it sounds.
A well-designed ICS shares characteristics with today’s warship, specifically its hull design. The ship’s hull is intended to keep water out, with multiple compartments so one or more of them can be compromised without endangering the entire ship. Compartments contain damage and flooding and protect the overall seaworthiness of the ship from the devastating results of a hull breach. A well-designed hull protects the ship from both accidents and hostile intent. According to NIST, “Network segmentation and segregation is one of the most effective architectural concepts that an organization can implement to protect its ICS.”

A recurring vulnerability in distributed ICS networks is remote endpoints at unmanned facilities where intruders can gain physical access to the facility’s interior. We all recognize the serious threat posed by an insider attack such as the one executed by Eric Snowden against the NSA. ICS planners often overlook that attacks made from inside the network perimeter from remote unmanned locations will often bypass critical layers of protection such as firewalls and proxy servers. Attacks made from within the network perimeter can also evade detection when network sensors do not provide traffic monitoring at the edge.

To counter this, we must harden the vulnerable endpoints of our distributed networks to provide more robust security. It is imperative that connectivity from remote unmanned network enclaves be protected by measures such as port authentication and encryption to preclude unauthorized connections and malicious traffic.

Many companies connect remote locations through point-to-point leased network connections or dial-up modems and feel a false sense of security because their private network is not directly connected to the internet. Point-to-point private network connections are not inherently more secure than a properly firewalled and monitored internet facing connection when physical security can be easily defeated. Like a warship’s hull, private network endpoints are only as secure as the facility housing the connection. It is more the rule than the exception for private network connections to be made without firewall or VPN protection at these remote facilities.

Since firewalls are expensive, they tend to be centrally deployed in the network core. While centralized firewalls protect from malicious traffic originating outside the network, they don’t effectively protect internal assets from an “inside-the-network” attack. An attacker inside a remote facility can plug into any unsecured port to capture traffic and send commands.

Physical access is often easier to obtain at remote unmanned locations. To effectively counter this vulnerability we must add additional layers of protection such as:

  • Encryption
  • Port authentication
  • Deep packet inspection, and
  • Physical security enhancements such as centrally monitored and alarmed network closets.

NIST recommends both VLANs and encrypted VPNs for segmenting ICS enclaves. However, VPNs provide greater protection than VLANs. Most network security specialists agree VLANs provide only limited security features. A VLAN uses packet tagging and relies on the switch to enforce traffic separation. It is easy to misconfigure switch ports, and most switches are designed for connectivity, not for security.

As a protective measure, VLAN tagging can be compared to putting up a sign on an unlocked door saying “Only Authorized Personnel May Enter.” A sign might deter an honest person, but once someone with malicious intent obtains physical access inside the perimeter of your network, VLANs do not prevent further exploitation. NIST recommends MAC address filtering and port-based authentication using 802.1x to mitigate switch susceptibility to attacks from within the network that target VLANs.

Securing the VPN at the edge. Why and what cost?
Not only do VPNs provide more security than VLANs, they have the additional benefit of encrypting the contents of the data traffic stream, hiding it from network packet sniffers. This makes network reconnaissance, man-in-the-middle, and replay attacks more difficult to accomplish. However, a VPN device is still vulnerable to being exploited if the attacker gains physical access to an unencrypted port. This is best remediated at remote endpoints by deploying a VPN device that includes additional security measures such as certificate-based port authentication, deep packet inspection, and firewall capabilities that only allow communication with authorized and authenticated network destinations.

NIST recommends source and destination device pairing as an effective measure to protect ICS networks. At the network edge, this can be accomplished by using the strong encryption and port authentication offered by new arrivals to the ICS market affording full-featured functionality in low cost but robust FIPS 140-2 validated VPN appliances.

Any discussion of VPNs should address the relative advantages of hardware-based VPNs (or VPN appliances) over software-based VPNs. While software-based VPNs provide a layer of security, they come with numerous unwanted potential vulnerabilities due to the greatly expanded attack surface presented by the host operating system. They are simply, and inherently, less secure than purpose-built VPN appliances with validated FIPS 140-2 cryptographic modules. More specifically:

  • A VPN appliance uses a very small OS (usually a secure Linux kernel) that is stripped down to include only the minimum code required for configuration, key management, authentication and encryption.
  • Modern intelligent VPN devices can securely segment a network enclave.
  • They can limit attackers’ ability to expand their foothold by including firewall and deep-packet inspection functionality.
  • If the attacker cannot access the systems external to the penetrated network enclave, you have greatly reduced the risk of further damage.

VPNs installed on a full-featured OS operate at the application layer over 3 to 10 GB or more of system files containing 30 to 40 million software lines of code. Opportunities for programmer-induced flaws such as buffer or stack overflows increase proportionally with the complexity and size of the operating system. In addition to the potential for OS coding flaws, the typical Windows 7 installation, for example, includes 300-plus hardware drivers produced by hundreds of different vendors. Device drivers are frequently the weak link used by sophisticated hackers to bypass system security boundaries and attack protected kernel functions. Very few device-driver developers are well versed in writing secure code, and OS manufacturers such as Microsoft can perform only limited driver security testing.

While putting intelligent VPN devices at the network edge drives up cost, this cost is offset by the additional protection and potential cost savings from avoiding remediation for a large number of compromised systems in a production environment. Following network penetration and exploitation, the remediation and cleaning of malware infected computers is labor intensive and involves costly downtime that far outweighs the minimal investments to install VPN gateway devices to properly segment network enclaves across your ICS network.

Your network is attacked. Now what?
If we have properly segmented our network by using VPN devices in our remote enclaves, we’ve laid the foundation for protecting the integrity of the entire network. However, segmenting a network can result in a loss of visibility over network assets unless we provide the means to centrally monitor individual network segment assets.

While the first principle of security architecture is to assume a network will be penetrated, the second is that real-time visibility over the network is imperative. To effectively manage the damage control response after a penetration, a capable security information and event management (SIEM) console is essential. It provides visibility and early warning of potential intrusions and network issues, and it also provides forensic information to help scope recovery efforts during, and immediately after, an incident.

We will want system alerts and notifications from VPN devices, host-based intrusion detection/prevention systems (HIDS/HIPS) and network firewalls for early warning of unauthorized device connections, blocked traffic from deep packet inspection rule sets, or unauthorized commands and network protocols. Incorporating intelligent VPN devices provides additional insight into our network security at the remote edges of our network through real-time reporting of security events. Centralized monitoring of remote assets allows the organization to maintain situational awareness that may reveal a cyber-intrusion in progress.
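As an added example (not code from the original post or from 3eTI), here is a small SIEM-style evaluator showing how the source/destination device pairing described earlier and the edge-device alerts listed above fit together: it checks reported connections against an authorized-pair allow-list, raises one alert when port authentication fails repeatedly at a site, and surfaces deep packet inspection blocks. The event format, site name, addresses and rule names are constructed for illustration.

```python
from collections import Counter

# Constructed event format: whitespace-separated key=value tokens, e.g.
# "site=pump-07 event=CONNECT src=10.1.20.5 dst=10.0.1.10 proto=modbus-tcp"
# Real VPN/firewall appliances use their own syslog formats; adapt parse() accordingly.

# Source/destination device pairing (assumed policy): only these
# (src, dst, proto) tuples are permitted through the edge VPN's firewall.
AUTHORIZED_PAIRS = {
    ("10.1.20.5", "10.0.1.10", "modbus-tcp"),  # remote PLC -> central SCADA server
    ("10.1.20.5", "10.0.1.11", "dnp3"),        # remote PLC -> central historian
}
AUTH_FAIL_THRESHOLD = 3  # repeated 802.1X failures on one site raise a single alert


def parse(line):
    """Parse one constructed key=value event line; return None if malformed."""
    fields = {}
    for token in line.split():
        if "=" not in token:
            return None
        key, value = token.split("=", 1)
        fields[key] = value
    return fields if {"site", "event"} <= fields.keys() else None


def evaluate(lines):
    """Return (kind, detail) alerts for a sequence of edge-device event lines."""
    alerts = []
    auth_failures = Counter()  # port-auth failures per site, for thresholding
    for line in lines:
        ev = parse(line)
        if ev is None:
            alerts.append(("unparsed", line.strip()))  # never silently drop evidence
            continue
        site, kind = ev["site"], ev["event"]
        pair = (ev.get("src", "?"), ev.get("dst", "?"), ev.get("proto", "?"))
        if kind == "PORT_AUTH_FAIL":
            auth_failures[site] += 1
            if auth_failures[site] == AUTH_FAIL_THRESHOLD:  # alert once, not per retry
                alerts.append(("unauthorized-device", f"{site} mac={ev.get('mac', '?')}"))
        elif kind == "DPI_BLOCK":
            alerts.append(("blocked-command", f"{site} rule={ev.get('rule', '?')}"))
        elif kind == "CONNECT" and pair not in AUTHORIZED_PAIRS:
            alerts.append(("unauthorized-pair", f"{site} {pair}"))
    return alerts


SAMPLE_LOG = [  # constructed sample events from one unmanned pump station
    "site=pump-07 event=CONNECT src=10.1.20.5 dst=10.0.1.10 proto=modbus-tcp",
    "site=pump-07 event=PORT_AUTH_FAIL port=ge0/3 mac=00:11:22:33:44:55",
    "site=pump-07 event=PORT_AUTH_FAIL port=ge0/3 mac=00:11:22:33:44:55",
    "site=pump-07 event=PORT_AUTH_FAIL port=ge0/3 mac=00:11:22:33:44:55",
    "site=pump-07 event=CONNECT src=10.1.20.77 dst=10.0.1.10 proto=modbus-tcp",
    "site=pump-07 event=DPI_BLOCK src=10.1.20.5 dst=10.0.1.10 proto=modbus-tcp rule=write-coils-denied",
    "this line is garbage",
]
```

Running `evaluate(SAMPLE_LOG)` yields one alert each for the repeated port-authentication failures, the connection from an unpaired source address, the DPI block, and the unparseable line, while the authorized PLC-to-SCADA connection produces nothing.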

Finally, no discussion of an enterprise ICS system with embedded cryptographic devices with firewall functionality would be complete without addressing the importance of both device configuration and key management. According to NIST: “Using firewalls on an individual device basis can create significant management overhead, especially in change management of firewall configurations,” and “Cryptography also introduces key management issues. Sound security policies require periodic key changes. This process becomes more difficult as the geographic size of the ICS increases…Because site visits to change keys can be costly and slow, it is useful to be able to change keys remotely.”

It cannot be overemphasized that the weak point of an encrypted system is often poorly designed key management. The ability to execute an over-the-network rekey of your cryptographic devices is essential during and after a network penetration. If a secure device with valid credentials has been lost or compromised, you should be able to immediately revoke that device’s PKI credentials so it cannot be misused. All cryptographic devices need to be rekeyed on a regular basis to prevent analytical attacks against the cipher stream. Remote rekeying is an essential capability for distributed ICS networks as it simplifies device management and increases security.

Parting thoughts.
First: It is important to choose hardware that supports remote key management, as it can be costly and time consuming to have to visit remote facilities to update cryptographic keys.

Second: We should pick VPN devices and key management software that have been FIPS 140-2 validated to ensure that the cryptographic systems are providing the expected level of protection.

Third: Any ICS network needs to have a capable SIEM console to monitor the network for unauthorized connections and malicious activity and assist in forensic analysis after an attack has taken place.

If you are interested in knowing more about tactics and techniques for securing ICS networks, you’ve come to the right place. Ultra Electronics, 3eTI has been in the business for nearly 20 years and is aggressively adding content to its SecureICS portfolio and resources. One place to start for product information is 3eTI certified network security.

[i] Special Publication 800-82 Revision 2 Draft

[ii] “Segmentation can make it significantly more difficult for a malicious cyber adversary and can contain the effects of non-malicious errors and accidents.” (NIST 800-82, Chapter 5-1)