Ultra Intelligence & Communications

Security for Industrial Systems Left Unprotected by Firewalls

February 12th, 2016 / By

Throughout almost all industrial networks managing power and water, oil and gas and more, OPC (OLE for Process Control) has been deployed, making it one of the world's leading industrial protocols. It is valued for enabling interoperability among widely varying components and technologies. However, it is also the source of frequent threat warnings and attacks: to operate correctly, it obliges firewalls to open large holes (wide port ranges) that any device can reach.

Security experts and government authorities have escalated OPC warnings to power plants, manufacturing facilities and other critical-infrastructure operations. Dangers associated with the protocol were dramatically demonstrated with Havex, malware deployed during the Energetic Bear/DragonFly ICS cyber-attack campaigns reported in 2014. It targeted OPC and caused crashes and denial-of-service impacts in many infected systems.

It became clear from subsequent analyses of the tactics, techniques, and procedures of these ICS attacks that myriad channels remain for an attacker to compromise a segregated control system. A wide range of threat actors have found success directly spear-phishing an operator, launching a watering-hole attack to infect a broad range of ICS users, or manipulating vendor software through downloads that install Trojan-horse malware.

Much of the response to these intrusions has focused on preventing the attack vectors from succeeding. This is a laudable goal and one that must be pursued. However, if these attacks have taught us anything, it is that there is almost always a way into the control system. After all, an air gap is really just a low-bandwidth channel: devices and patches are always intentionally carried across it. Successfully preventing all of these attacks all of the time requires more resources and expertise than many owner/operators can comprehensively and reliably deploy, particularly when the threat is irregular and ill-defined. Rather than relying on prevention alone, ICS owner/operators should pursue fortifications beyond PC- or perimeter-based protection. For OPC, this means locking down internal firewall rules to allow only authorized OPC communications, and identifying, filtering and alerting on any unauthorized or potentially malicious activity.

OPC is the latest protocol supported by 3eTI's CyberFence family, which provides robust cybersecurity for industrial protocols including DNP3, MODBUS TCP, BACnet, EtherNet/IP and CANopen/CAN bus. CyberFence monitors and cyber-hardens vulnerable OPC systems by applying a comprehensive whitelist firewall policy, closing the holes that previously would have had to remain open. CyberFence then monitors the traffic to identify authorized communications, proactively permitting them through the firewall. This allows authorized and legitimate OPC DA, HDA, and A&E communications to occur without interference while identifying and frustrating malware and attackers.
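To make the contrast concrete, here is an added example (not 3eTI or CyberFence code, and not from the original post) that evaluates the same constructed OPC traffic sample against two policies: the permissive rule that opens the whole DCOM dynamic port range to any device, and a default-deny whitelist that names the client, the server, a pinned port range and the OPC DA operations the client may issue, recording an alert line for every denial. Hosts, ports, the pinned range 49152-49160 and the flows are all assumptions made for the illustration; the only facts relied on are that OPC Classic runs over DCOM, whose endpoint mapper listens on TCP 135 and then hands out a dynamic server port from a wide range (1024-65535 by default on Windows), and that `IOPCSyncIO::Read`/`IOPCSyncIO::Write` are OPC DA interface methods.

```python
"""Allowlist firewall policy for OPC Classic (DCOM) traffic, with alerting.

Added illustration; not 3eTI or CyberFence code. All hosts, ports and flows
below are constructed. Known facts relied on: OPC Classic runs over DCOM, whose
endpoint mapper listens on TCP 135 and then assigns the server object a dynamic
port from a wide range (1024-65535 by default on Windows). A rule that opens
that whole range to any device is the "large hole" the article refers to.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

DCOM_EPMAP_PORT = 135
DCOM_DYNAMIC_RANGE = (1024, 65535)  # Windows default dynamic port range


@dataclass(frozen=True)
class Flow:
    """One observed connection or OPC call (constructed for the example)."""
    src: str
    dst: str
    dport: int
    opc_op: str = ""  # OPC DA method seen on the wire, "" for plain TCP setup


@dataclass(frozen=True)
class AllowRule:
    """Whitelist entry: which client may reach which server, on which ports,
    and (optionally) with which OPC operations."""
    client: str                    # CIDR, e.g. "10.1.1.10/32"
    server: str
    ports: Tuple[int, int]         # inclusive port range
    opc_ops: Tuple[str, ...] = ()  # empty tuple = any operation


def permissive_policy(flow: Flow) -> bool:
    """Legacy rule: endpoint mapper plus the whole DCOM dynamic range,
    reachable from any source. Almost everything passes."""
    lo, hi = DCOM_DYNAMIC_RANGE
    return flow.dport == DCOM_EPMAP_PORT or lo <= flow.dport <= hi


class WhitelistFirewall:
    """Default-deny evaluator: a flow passes only if some rule matches source,
    destination, port and (when the rule names them) the OPC call. Every
    denial is recorded as an alert line for out-of-band reporting."""

    def __init__(self, rules: List[AllowRule]) -> None:
        self.rules = rules
        self.alerts: List[str] = []

    @staticmethod
    def _in(ip: str, cidr: str) -> bool:
        return ip_address(ip) in ip_network(cidr, strict=False)

    def evaluate(self, flow: Flow) -> bool:
        for r in self.rules:
            if not (self._in(flow.src, r.client) and self._in(flow.dst, r.server)):
                continue
            if not (r.ports[0] <= flow.dport <= r.ports[1]):
                continue
            # Operation filtering only applies once an OPC call is visible.
            if flow.opc_op and r.opc_ops and flow.opc_op not in r.opc_ops:
                continue
            return True
        self.alerts.append(
            f"ALERT deny {flow.src} -> {flow.dst}:{flow.dport} "
            f"op={flow.opc_op or '-'}"
        )
        return False


# Constructed policy: one HMI (10.1.1.10) may reach one OPC server (10.1.1.20)
# via the endpoint mapper and a DCOM port range assumed to have been pinned to
# 49152-49160 on the server, and may only issue synchronous reads.
RULES = [
    AllowRule("10.1.1.10/32", "10.1.1.20/32", (135, 135)),
    AllowRule("10.1.1.10/32", "10.1.1.20/32", (49152, 49160),
              ("IOPCSyncIO::Read",)),
]

# Constructed traffic sample: two legitimate HMI flows, a write the HMI is not
# authorised to issue, and an unknown host reaching a high port on the server.
SAMPLE_FLOWS = [
    Flow("10.1.1.10", "10.1.1.20", 135),
    Flow("10.1.1.10", "10.1.1.20", 49155, "IOPCSyncIO::Read"),
    Flow("10.1.1.10", "10.1.1.20", 49155, "IOPCSyncIO::Write"),
    Flow("10.1.1.99", "10.1.1.20", 4444),
]


def compare_policies(flows: List[Flow]) -> Tuple[List[bool], List[bool], List[str]]:
    """Run both policies over the same flows; returns (permissive decisions,
    whitelist decisions, whitelist alert lines)."""
    fw = WhitelistFirewall(RULES)
    permissive = [permissive_policy(f) for f in flows]
    strict = [fw.evaluate(f) for f in flows]
    return permissive, strict, fw.alerts


if __name__ == "__main__":
    perm, strict, alerts = compare_policies(SAMPLE_FLOWS)
    for f, a, b in zip(SAMPLE_FLOWS, perm, strict):
        print(f"{f.src}->{f.dst}:{f.dport} {f.opc_op or '-':<18} "
              f"permissive={'allow' if a else 'deny'} whitelist={'allow' if b else 'deny'}")
    print("\n".join(alerts))
```

Running it shows the point of the passage: the permissive range rule passes all four flows, including the unauthorised write and the unknown host on port 4444, whereas the whitelist passes only the two expected HMI flows and produces an alert line for each of the other two. Pinning the server's DCOM port range is what makes the second rule's narrow port span possible; without it the allowlist would still have to cover the full dynamic range.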

These controls improve the robustness of the system and enhance reliability during a cyber-attack or unauthorized user actions. CyberFence's ability to provide real-time out-of-band alerts ensures that any anomalous, malicious or dangerous activity is safely filtered out, logged and raised as an alert immediately, without impacting ongoing authorized operations.