Large-scale attacks such as the WannaCry ransomware outbreak that hit numerous companies in May 2017, or Industroyer, which, according to the analysis published by cybersecurity researchers (1), cut power from a transmission substation near Kyiv in Ukraine at the end of 2016, underscore the vulnerability of critical infrastructures and of the methods currently used to protect them. But is the charge that operators underinvest in regular security upgrades actually founded?
Most of the world's critical infrastructures were designed to be physically isolated and to meet strict safety and security requirements. Many were built before the age of networked digital communication, so connectivity was bolted on afterwards, which makes them that much more exposed to cyberattack. Today, industrial installations need to send and receive information whether or not they are connected to a network. In unconnected sites the USB key, commonly used to move data in and out, is an even more dangerous attack path than the network, because it is only marginally protected.
Updating the systems that control industrial processes is especially difficult and expensive. They usually run aging Windows versions, and applying the patches the vendor releases puts the plant's availability, and even its correct operation, at risk. Industrial control systems are therefore generally exposed to attacks that exploit flaws Microsoft fixed years ago. On the one hand, the industrial protocols used at the supervisory control level generally lack security features (such as the protocols used in Ukraine and abused by Industroyer). On the other hand, the third-party contractors who service process control systems usually do so on site, using the tools they need on their own laptops, which the plant does not manage. These are paths of contagion, though usually unintentional ones.
The problem lies mainly at the following level: many industries cannot, economically or organizationally, absorb the drops in productivity and sustain the permanent training of dedicated staff that regular security actions (such as applying new patches) entail.
Hackers have had 30 years to refine their attacks
We can keep trying to counter each new cyberattack, with attackers always one step ahead. Ever more numerous, organized and well funded, they have had 30 years to perfect their craft on their own turf, a connected space that is constantly expanding. The range of possibilities is huge, since more and more industries and devices are connected.
Malware such as Stuxnet, propagated by USB key, or Industroyer, which spread across networked computers, has already wreaked havoc because it was able to reach, more or less directly, the command and control systems of the automation network. This is the Cyber Kill Chain® (2) principle: the malware first gains access and installs a backdoor and a command channel over the Internet, then carries out reconnaissance (to determine which protocols are in use), and finally launches the attack at the most opportune moment (a few days before Christmas, in the Ukrainian case).
Next-gen approach: eliminate the transport layer for data exchange
Few cybersecurity products on the market are designed for the specific context of industry.
To protect an infrastructure, a physical airlock against digital attacks is needed: one that separates the communication layers and removes the shared transport medium.
This kind of protection fits industrial control systems well because they are designed in layers, for example according to the Purdue model (3): at the top, standard IT protocols; below that, a layer mixing industrial and IT protocols; and at the bottom, exclusively industrial protocols. A segregation system between these zones is relatively easy to install, and a defense-in-depth approach is especially well suited to this type of architecture.
Seclab vs. Industroyer
The technology developed by Seclab combines electronics and software. This approach enforces strict segregation of networks and USB ports by electronic means, allowing communication without a direct connection.
In the Trust and Secure Exchange solutions (Seclab's Denelis technology), protocols can be filtered according to fail-safe operation rules and cybersecurity rules specific to the infrastructure.
Several Denelis units with different configurations can be positioned at each boundary between Purdue model zones. At the top level the principle is to let IT protocols through, then, level by level, to restrict traffic to industrial protocols only.
Example of a simplified architecture:
Denelis 1 transfers files (ideally signed) and the essential protocols, unfiltered at the application layer. In this way Denelis makes it hard to compromise supervisory control: an attacker would need, for example, physical access, the theft of the signing key for authorized files, or a flaw in one of the unfiltered protocols (the security manager can reduce the authorized protocols to a strict minimum, depending on how critical the installation is).
The network break introduced by Denelis, together with a sound configuration, blocks a significant part of the reconnaissance stage from the upper zones of the Purdue model. After this first electronic break, we recommend a software filtering solution (Stormshield or Wallix, for example), configured according to operational requirements, which is built into Denelis 2.
Denelis 2 filters industrial protocols with rules adapted to the process, i.e. just enough to operate it safely and no more (an allow-list of commands). In the case of the Industroyer attack on the Kyiv substation in December 2016, it could have blocked inconsistent commands from being executed, or at least alerted operators that suspicious commands had been sent.
The same unit can also prevent attacks on the process itself, with filtering designed together with the operational teams.
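What a command allow-list of this kind looks like in practice, as an added example for this article (constructed here, not Seclab's or Denelis's code): a filter for IEC 60870-5-104, one of the protocols Industroyer drove. It parses each APDU, fails closed on anything malformed, and admits only the ASDU types, information object addresses (IOAs) and command states the process actually needs, so that an attacker sweeping through object addresses with switching commands is stopped at the first address outside the policy. The frame layout (start byte 0x68, length, 4 control octets, ASDU with type ID, VSQ, cause of transmission, common address, 3-byte IOA) follows the standard; POLICY, the IOA values and the sample frames are invented for illustration and would come from the installation's engineering data in a real deployment.

```python
"""
Allow-list filter for IEC 60870-5-104 command traffic.

Constructed example, not Seclab code. POLICY, the IOAs and the sample frames
are hypothetical; a real policy is derived from the process engineering data.
"""
import struct

START = 0x68
C_SC_NA_1 = 45    # single command (1-byte SCO element)
C_DC_NA_1 = 46    # double command (1-byte DCO element)
C_IC_NA_1 = 100   # interrogation command (1-byte QOI element)
ELEMENT_LEN = {C_SC_NA_1: 1, C_DC_NA_1: 1, C_IC_NA_1: 1}

# Hypothetical per-process policy: ASDU type ID -> permitted information object addresses.
POLICY = {
    C_IC_NA_1: {0},            # general interrogation is addressed to IOA 0
    C_DC_NA_1: {1001, 1002},   # the only two breakers operators may drive remotely
}
ALLOWED_COT = {6, 8}           # activation / deactivation; anything else is not a command
VALID_DCS = {1, 2}             # double command state: 1 = OFF, 2 = ON (0 and 3 are invalid)


class FrameError(ValueError):
    """Raised for any APDU the filter cannot fully account for."""


def parse_apdu(frame: bytes) -> dict:
    """Parse one IEC 104 APDU (APCI + ASDU). Raises FrameError on anything malformed."""
    if len(frame) < 6 or frame[0] != START:
        raise FrameError("bad start byte or truncated APCI")
    if frame[1] + 2 != len(frame) or frame[1] < 4:
        raise FrameError("length field disagrees with frame size")
    ctrl = frame[2:6]
    if ctrl[0] & 0x01:                       # S- or U-format: no ASDU to inspect
        return {"format": "U" if ctrl[0] & 0x03 == 0x03 else "S"}
    asdu = frame[6:]
    if len(asdu) < 6:
        raise FrameError("ASDU header truncated")
    type_id, vsq, cot, _originator, ca = struct.unpack("<BBBBH", asdu[:6])
    if vsq & 0x80:
        raise FrameError("SQ=1 is not valid for command ASDUs")
    count, body = vsq & 0x7F, asdu[6:]
    elem_len = ELEMENT_LEN.get(type_id)
    if elem_len is None:                     # unknown type: cannot size objects, leave opaque
        return {"format": "I", "type_id": type_id, "cot": cot & 0x3F, "ca": ca, "objects": None}
    if len(body) != count * (3 + elem_len):
        raise FrameError("object count disagrees with payload size")
    objects = []
    for i in range(count):
        off = i * (3 + elem_len)
        objects.append((int.from_bytes(body[off:off + 3], "little"), body[off + 3]))
    return {"format": "I", "type_id": type_id, "cot": cot & 0x3F, "ca": ca, "objects": objects}


def decide(frame: bytes) -> tuple:
    """Return ("allow" | "deny", reason). Fails closed: anything unparseable is denied."""
    try:
        apdu = parse_apdu(frame)
    except FrameError as err:
        return "deny", f"malformed: {err}"
    if apdu["format"] != "I":
        return "allow", f"{apdu['format']}-format control frame"
    t = apdu["type_id"]
    if t not in POLICY or apdu["objects"] is None:
        return "deny", f"type {t} not in allow-list"
    if apdu["cot"] not in ALLOWED_COT:
        return "deny", f"type {t} with unexpected cause of transmission {apdu['cot']}"
    for ioa, elem in apdu["objects"]:
        if ioa not in POLICY[t]:
            return "deny", f"type {t} to IOA {ioa} not permitted by process policy"
        if t == C_DC_NA_1 and (elem & 0x03) not in VALID_DCS:
            return "deny", f"double command with invalid DCS {elem & 0x03}"
    return "allow", f"type {t} on {len(apdu['objects'])} permitted object(s)"


def build_command(type_id: int, ioa: int, element: int, cot: int = 6, ca: int = 1) -> bytes:
    """Build a single-object I-format command APDU (send/receive sequence numbers 0)."""
    asdu = (bytes([type_id, 0x01, cot, 0x00]) + struct.pack("<H", ca)
            + ioa.to_bytes(3, "little") + bytes([element]))
    return bytes([START, 4 + len(asdu), 0, 0, 0, 0]) + asdu


# Constructed sample traffic as seen at the boundary between supervisory and control zones.
SAMPLES = {
    "general_interrogation": build_command(C_IC_NA_1, 0, 20),
    "open_permitted_breaker": build_command(C_DC_NA_1, 1001, 0x01),
    "close_unknown_ioa": build_command(C_DC_NA_1, 1003, 0x02),
    "single_command_not_in_policy": build_command(C_SC_NA_1, 1001, 0x01),
    "double_command_bad_dcs": build_command(C_DC_NA_1, 1001, 0x03),
    "wrong_cot": build_command(C_DC_NA_1, 1001, 0x02, cot=3),
    "truncated": build_command(C_IC_NA_1, 0, 20)[:-1],
    "s_format_ack": bytes([START, 4, 0x01, 0x00, 0x02, 0x00]),
}


def run_samples() -> dict:
    """Map each sample name to its verdict ("allow" or "deny")."""
    return {name: decide(frame)[0] for name, frame in SAMPLES.items()}


if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(f"{name:30s} {decide(frame)}")
```

The design choice worth noting is that every branch the parser cannot fully account for (bad length, unknown type, unexpected cause of transmission) ends in a deny rather than a pass-through; a filter at this level of the Purdue model protects availability by refusing what it does not understand, which is the opposite of what a general-purpose IT firewall usually does with unknown payloads.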
In conclusion, to keep malware from reaching critical systems, its digital attack path must be broken. File exchanges and application flows must remain possible between two separate network domains without creating a network route between them. Any contamination is then contained in an airlock and, by design, cannot spread into the rest of the workflow. This next-generation cybersecurity approach therefore allows sound data exchange without network continuity. And the good news is that a solution exists and is achievable in an industrial context, precisely because it can be deployed without disrupting plant operations or retraining users.
Xavier Facélina and Benoît Badrignans
Cybersecurity specialists in critical systems and co-founders of Seclab