SCADA: Changing the Dynamic
How do we build a truly resilient security framework directly incorporating micro segmentation into the SCADA systems and our network in order to protect it, when we can’t add security controls for fear of the business consequences?
I think the solution is quite obvious on the surface: change the dynamic that has existed within our communication-centric IT world since the inception of ARPANET. What do I mean?
The internet and its predecessors have all been focused on one thing – creating ease of communication. TCP IP, the foundation for our internet technology addressing a delivery system, is a very promiscuous protocol. IP addresses, by design, like to advertise where they are. Yes, we have firewalls and Network Address Translation (NAT) etc., but NAT was built to solve a different problem and so only solves half of this problem. Once I am on the network and I do a port scan, I get IP addresses.
The second part of the problem is that in today’s world, every access port is generally connected (physically and logically) to every other data center port (or every asset port). In other words, a route exists between every port on the LAN to every other port in the LAN. You may be thinking “what about VLANS?” There was a time when this logically-connected problem was solved through the use of VLANS. That time is long gone. The advent of the laptop and wireless technology forced companies (in the interest of mobility and agility) to provision access VLANS everywhere to give every physical access port a logical route to every other access port to the data center. Then came VMware and the ability to v-motion. Driven again by the need for agility and mobility, we trunked all VLANS to all assets, as it seemed like a good idea at the time. The corollary is that anyone on the network (good, bad or indifferent) has a route to the key company jewels. It’s the same conundrum we keep finding ourselves in, which kills me because in the physical world we would never build a bank without doors or a vault just so it would be easier for the customers and the tellers. The good news is we don’t have to try to solve the problem the same way we have for the past 30 years. We can innovate, and instead of trying to bolt security on, we can try make security an integral part of the solution.
[You might also like: SCADA Part 4: The Network in Focus]
What I’m suggesting is not a new idea, but it is an idea whose time has come and whose proponents have finally made easy enough to be accessible to the masses: Stealth networking. Encapsulate IP in a transport protocol that is the opposite of promiscuous, and create an environment where routes to the crown jewels are transient and are created only as needed when a person/user with appropriate credentials logs on, and are automatically deleted when that person exits/unplugs. Thus even if the “bad guy” breaks through the outer defenses and gets into your firewall, he cannot go any further because the routes to infiltrate the network do not exist. If malware infects a server, lateral infection spread becomes far more difficult because there are far fewer routes (in the SCADA world there may well be none).
The best part is this solution is heavily couched in automation technology and configuration is easy as pie. Two of the leading IEEE standard protocols that have inherent stealth networking capabilities are Shortest Path Bridging (SPB) and HIP (Host Identity Protocol). Most security practitioners you talk to today will advocate micro segmentation, so think of stealth networking as dynamic micro segmentation. The biggest risk that remains when using stealth networking (network or application-based) is that an identity can get hijacked. That is why a robust two-factor authentication system in conjunction with stealth networking technology is the best way to ensure the integrity of your systems. Out-of-band WAF and DDoS, and the best ways to ensure availability of the systems and choosing technology that adds the least latency is the key to ensuring that the systems warranty is protected.
In my opinion, if you do the things discussed in this five-part blog and add a cyber-security insurance policy into the mix, you will have done your due diligence and gone a long way towards protecting your company and its reputation. We can and should do more than just meeting compliance requirements. We should do our best to protect our environment, improve corporate governance and potentially save lives.
