It seems axiomatic that a zero-day vulnerability is undefendable. At the moment a particular exploitable bit of software code is discovered by a malicious hacker and the clock starts ticking from zero-day forward, clearly, by definition, there is no protective patch or workaround yet available. And so the hacker has free rein to wreak havoc while the good guys work frantically to play catch up.
Indeed, zero-day attacks against industrial control systems are a growing threat, with nearly as many known attacks in 2017 alone as in all the years before combined. And it seems to be a trend that, unfortunately, will be increasing.
Not to throw all operational technology (OT) network gear and SCADA device manufacturers under the bus, but it seems evident that there are some well-known products that hit the market with inherent vulnerabilities. There are also some manufacturers who seem less than interested in creating patches in a timely manner, if at all.
A good illustration of the state of the environment can be inferred from some of the verbiage in the FY2018 Intelligence Authorization Act, which seeks to help secure critical infrastructure in industrial environments. In one of the subsections, Congress instructs the National Laboratories—which one would think should be on the cutting edge of technology—to investigate the use of analog control systems rather than digital relays in order to avoid zero-day attacks. In other words, the idea of throwing away five decades of advancements and returning to the days of non-networked electromechanical relays seems to be on the table as a reasonable solution. If that doesn’t show a lack of confidence in industrial product manufacturers when it comes to cyber security, I don’t know what does.
It seems clear that the responsibility for stopping attacks lies not with the manufacturers of the individual devices, but with the individual operators of OT networks. After all, it is their organization that is going to take the primary hit and suffer the financial, legal and reputational fallout. Industrial cyber security should be looked at as an “aftermarket” issue, with operators working to make optimum use of internal and third-party resources to keep their networks secure.
Putting it in perspective
Zero-day attacks are scary. And dramatic. Action movies love to show the basement hacker or the enemy government spy effortlessly gaining illicit control of the power plant computers and gleefully destroying the electric grid, whether for ransom or for terrorism purposes.
In the real world, however, such zero-day exploits, although increasing, are still relatively rare. More common are attacks against vulnerabilities that are well documented and for which patches exist, or are otherwise more readily defendable.
To be frank, with OT a lot younger as an industry and working hard to grow and evolve in the realm of cyber security, the current sophistication level in the field is akin to where enterprise IT might have been around ten years ago. Too often, professional, expert OT teams are not yet fully established and deployed. Products are not thoroughly tested and vetted for the actual environment before being installed. Crucial data moving across the plant floor is not encrypted. There are precarious, exploitable connections to other networks.
In other words, in some organizations there may be some lower-hanging cyber security fruit to be concerned about, with many robust product and service solutions readily available. For example, almost every plant should ensure that its OT environment has taken the following actions:
- Discover Your Assets—Inventory and catalog all devices, including make/model/firmware version, to determine what is doing what and whether it is optimized for current needs.
- Secure Your Network—Identify points of external connectivity, installing or upgrading firewalls to isolate industrial control systems from corporate networks and the internet.
- Monitor Your Endpoints—Gain visibility into what’s happening at the endpoints of the network, so you are aware of activity over time, both normal and nefarious.
In addition, all OT network operators should subscribe to alerts, advisories, reports and other invaluable resources from the U.S. Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) and diligently act upon the information provided, taking precautions and installing patches as soon as possible.
Breaking out of the “catch up” paradigm
These basics of cyber security are vital, and they will take OT leaders far—but, still, only so far. The inherent problem with the way vulnerabilities are traditionally mitigated is the need to be locked in the mindset of playing continuous catch-up. The bad guys find a vulnerability, and the good guys work aggressively over days, weeks or even months to mitigate it. And the cycle repeats.
One obvious way to be strategically proactive rather than continually reactive is making greater use of ethical hacking techniques and internal programs focused on cyber security, so that more and more potential exploitable weaknesses can be discovered and mitigated before the bad guys even know of their existence.
These actions can be effective in cutting down the potential universe of zero-day vulnerabilities, with the catch-up game at least played with friends rather than foes. Even more promising perhaps are emerging network protection products that rely not on the need for patches but, rather, detect anomalies in network traffic regardless of the existence of a patch. Thus, as they perform deep packet inspection (DPI) of traffic, they are looking not to identify known signatures of known problems, but instead for patterns inconsistent with normal usage and indicative of attempts to exploit the network. Therefore, there is no need to wait on a patch, and the endless, ineffectual cycle of being attacked and playing catch up is broken.
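To make the signature-less idea concrete, here is an added example (not code from the original post, nor from Tripwire or Belden) that inspects Modbus/TCP requests the way a baseline-driven DPI device does: it parses the MBAP header and function code, learns which hosts normally issue which function codes to which unit and over which register window, and then flags anything outside that pattern, with no signature of any specific exploit involved. The host addresses, frames and the baseline window are constructed for the demonstration; the class and function names are assumptions of this example.

```python
"""Baseline-driven (signature-less) inspection of Modbus/TCP requests.

Added illustration, not the original post's code. Frames and host addresses
below are constructed for the demo.
"""
import struct


def parse_modbus_tcp(frame: bytes) -> dict:
    """Decode the MBAP header and the start of the PDU of a Modbus/TCP request.

    MBAP layout (big-endian): transaction id (2), protocol id (2, always 0),
    length (2, bytes that follow it), unit id (1); the PDU starts with the
    function code (1). Raises ValueError for frames that do not fit the format.
    """
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError("protocol id is not 0, so this is not Modbus/TCP")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match the frame size")
    func = frame[7]
    pdu = frame[8:]
    rec = {"tid": tid, "unit": unit, "func": func}
    # Functions 1-4 read (address, count); 5 and 6 write a single item at address.
    if func in (1, 2, 3, 4, 5, 6) and len(pdu) >= 4:
        addr, second = struct.unpack(">HH", pdu[:4])
        rec["addr"] = addr
        rec["count"] = second if func <= 4 else 1
    return rec


class TrafficBaseline:
    """Learns what normal traffic looks like, then reports deviations."""

    def __init__(self):
        self.pairs = set()        # (src host, unit id, function code) seen while learning
        self.addr_ranges = {}     # (unit id, function code) -> [lowest, highest] address touched

    def learn(self, src: str, frame: bytes) -> None:
        rec = parse_modbus_tcp(frame)
        self.pairs.add((src, rec["unit"], rec["func"]))
        if "addr" in rec:
            key = (rec["unit"], rec["func"])
            last = rec["addr"] + max(rec["count"], 1) - 1
            lo_hi = self.addr_ranges.setdefault(key, [rec["addr"], last])
            lo_hi[0] = min(lo_hi[0], rec["addr"])
            lo_hi[1] = max(lo_hi[1], last)

    def inspect(self, src: str, frame: bytes) -> list:
        """Return a list of alert strings; an empty list means the frame fits the baseline."""
        try:
            rec = parse_modbus_tcp(frame)
        except ValueError as err:
            return [f"malformed frame from {src}: {err}"]
        alerts = []
        key = (rec["unit"], rec["func"])
        if (src, rec["unit"], rec["func"]) not in self.pairs:
            alerts.append(f"{src} sent function {rec['func']} to unit {rec['unit']}, "
                          "never seen in baseline")
        if "addr" in rec and key in self.addr_ranges:
            lo, hi = self.addr_ranges[key]
            last = rec["addr"] + max(rec["count"], 1) - 1
            if rec["addr"] < lo or last > hi:
                alerts.append(f"{src} addressed {rec['addr']}-{last} on unit {rec['unit']} "
                              f"with function {rec['func']}, baseline window is {lo}-{hi}")
        return alerts


def build_request(tid: int, unit: int, func: int, addr: int, count_or_value: int) -> bytes:
    """Build a minimal Modbus/TCP request frame (helper for the constructed sample)."""
    pdu = struct.pack(">BHH", func, addr, count_or_value)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample: an HMI polls holding registers 0..9 of unit 1 during learning.
HMI = "10.0.0.5"
BASELINE = [(HMI, build_request(t, 1, 3, 0, 10)) for t in range(3)]
OBSERVED = [
    (HMI, build_request(10, 1, 3, 0, 10)),           # normal poll, fits baseline
    (HMI, build_request(11, 1, 6, 40, 1)),           # write single register: HMI never wrote before
    ("10.0.0.99", build_request(12, 1, 3, 0, 10)),   # host that never appeared in the baseline
    (HMI, build_request(13, 1, 3, 5000, 2)),         # read far outside the usual register window
    (HMI, b"\x00\x0e\x00\x00\x00\x99\x01\x03"),      # length field claims 153 bytes: malformed
]


def run_demo() -> dict:
    """Learn from BASELINE, inspect OBSERVED, return {index: alerts}."""
    baseline = TrafficBaseline()
    for src, frame in BASELINE:
        baseline.learn(src, frame)
    return {i: baseline.inspect(src, frame) for i, (src, frame) in enumerate(OBSERVED)}


if __name__ == "__main__":
    for i, alerts in run_demo().items():
        print(i, alerts or "ok")
```

The point of the design is that none of the five verdicts depends on knowing a particular exploit: a write from a host that only ever reads, a new host, an out-of-window address and a frame that does not parse are all caught purely because they differ from the learned pattern. A real appliance adds timing, response inspection and per-protocol decoders for many more function codes, but the decision logic is the same shape.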
With TOFINO, our sister company Belden offers an extremely robust security appliance, one that works to deny potential exploits 24/7/365 without needing human intervention through patches and updates. Further, my company, Tripwire, offers software solutions that expand the capabilities of the state-of-the-art TOFINO innovation even further, adding alerts, logging, configuration management and other functionality that helps the product deliver even greater value.
This type of signature-less DPI technology might be the answer for your OT environment when it comes to growing zero-day and related cyber security concerns. How are you keeping your network significantly safer from vulnerabilities? If you’d like to find out more, we’d welcome discussing the possibilities with you.
Robert Landavazo is a Systems Engineer at Tripwire where he focuses on helping customers secure their Industrial Control Systems. He has a background in the electric utility sector, most recently working to implement a NERC Critical Infrastructure Protection (CIP) internal compliance program leveraging Tripwire’s own product suite. While at this utility, Robert worked in Operations Technology to support SCADA in Distribution, Transmission and Generation. Prior to his tenure in utilities, Robert worked in Public Safety, managing emergency communications infrastructure like Next Generation 911, IP Radio and Computer Aided Dispatch systems.