ICS and SCADA Security Myth: Protection by Firewalls

(This article was originally published in the June, 2012 ICSJWG Quarterly Newsletter.)

In this article I am going to talk about a fairy tale. This tale doesn’t have princes or frogs in it, but instead it deals with SCADA and industrial control system security. The existence of a “firewall” between control system networks and the rest of the world has been one of the most enduring fairy tales in the field of SCADA/ICS security. The idea is that, in a properly designed system, there is a logical barrier between the control network and the business network. Since unauthorized information cannot cross such a firewall, bad things like hackers and worms can never get into critical control systems. From this, a corollary flows:
Companies that get worms in their systems obviously have not configured the proper firewall and deserved to be infected.
The real problem with the firewall concept is not the technology. The issue is that a firewall misleads companies into a false sense of security, making it a very dangerous fairy tale indeed. Even if there really is no logical connectivity, there is still good old‐fashioned "sneakernet." There's either malicious or unintentional misuse by an operator who does get in. There's piggy-backing on vendor-recommended "essential" connections - isn't that how Stuxnet propagated through firewalls in search of its target networks? There's drive-by downloads, piggy-backing on VPNs and stealing passwords. So there are all sorts of ways for a cyber attack to cross that mythical firewall.

So obviously no, the protection is not there anymore. And even if you think it's there, it's probably a sound best practice to assume that it isn't and put host security controls in place to protect against that potential attack anyway. Better safe than sorry. With a little knowledge, one can do a Google or Shodan search on a SCADA or PLC and find multiple examples of systems that are supposed to be inaccessible behind multiple layers of firewalls and never supposed to be connected to the world online and vulnerable to attack.

Firewalls do not and should not exist. Patching vulnerabilities won't make systems secure. Standards and regulations are here to stay. The threat will surpass our ability to tolerate it long before we can re-engineer and re-deploy every vulnerable system. These are all just facts, and ignoring them is just as dangerous as ignoring corrosion on high-pressure pipes. Many of those who still rally to the defense of firewalls are folks with experience and intellect beyond question. They have spent more time applying those weighty assets to these issues than virtually anyone else, and their opinions cannot be disregarded. Experience and brilliance, however, do not always lead to correct conclusions.

This Is, Of Course, Nonsense
The above rants are cut-and-pasted from publications by well-known security experts, arguing against air gaps. I have substituted "firewalls" for "air gaps" and substituted words illustrating vulnerabilities of firewalls rather than illustrating vulnerabilities of air gaps. Pretty much every argument which has been made against air gaps can also be made against firewalls, and quite a few more besides.

Ever since the recent burst of rants against air gaps by well-known authors, I have heard nothing but confusion from practitioners. "Such-and-such-an-expert said firewalls are stronger than air gaps, so we're deploying firewalls everywhere." Well, firewalls are far from perfect, and lead to a false sense of security just as often as air gaps do. Should we abandon firewalls as well? Should we put all of our PLCs and HMIs right out on the Internet, to be certain that nobody develops a false sense of security?

This is, of course, nonsense. No security process or technology is perfect: not air gaps or firewalls, not patching or long passwords, not anti-virus or whitelisting, and not intrusion detection or SIEMs. As my martial arts instructor is fond of pounding into us students: for every defence there is an offence, and for every offence there is a defence. If the point we want to make is that there are no silver bullets, should we be out there poking holes in one security technology after another? Will "myths of anti-virus" be the next trend in headlines? Will "fairy tales in patching" be the headline after that? How much confusion must we sow?

Stop Confusing Us
I have spoken to the authors of several of these rants and every one of them maintains they are not trying to confuse practitioners. They are merely trying to point out how one or another "silver bullet" is vulnerable, and so practitioners really should be practicing defence-in-depth, both of security process and of security technology, for all of their equipment. This is a fine sentiment, but this "fairy tale rant" tactic is fatally flawed. The message practitioners are taking from these rants is that they should deploy weak approaches to security to avoid being seduced by strong approaches. ICS security practitioners surely have enough problems without us confusing them this way.

If the security experts of the world want to help matters, we should undertake to educate practitioners about the spectrum of threats we face, which specific, modern threats each practice or technology addresses, and how thoroughly each threat is addressed.

Walking the Walk
Lest I be accused of doing no more than the experts I criticize, let me offer up an alternative to firewalls: unidirectional security gateways. Beyond the "false sense of security" nonsense, the "air gap" articles point out that modern control systems must routinely transfer a fair amount of information to business systems in order to control the costs of the physical process they control. Unidirectional gateways support that one-way data movement without introducing the attack opportunities which firewalls do. Better yet, in the vast majority of cases, the gateways are seamless replacements for firewalls - no redesigning of networks or application integration technologies is necessary. Even better, and perhaps counter-intuitively, the technology supports a variety of remote support and central management strategies as well.

And for the corner cases? The "air gap" rants make much of the dangers of USB sticks when any data must be moved back into a protected network. Let's look at those dangers. Which modern-day threats propagate via USB sticks and how can we combat them?
  • High-volume, organized-crime-authored worms, viruses, and botnets? These attacks propagate via USB sticks, yes, and anti-virus systems do a fair job of catching high-volume threats. Application-control/whitelisting solutions do even better. Stand up "media cleansing" stations with defences like these installed and use them habitually on your mobile media.
  • Insiders on the business WAN? They don't attack with USB sticks because they aren't authorized to physically enter the secure ICS server room and touch the equipment.
  • ICS insiders? Are they really going to use USB sticks if they have passwords and access to the hardware? No - they'll use their passwords. Or hammers.
  • Advanced Persistent Threats? These adversaries do not use USB sticks - they use spear phishing or conventional web/SQL attacks to pass through firewalls, and manual remote control to propagate once they are inside. Unidirectional gateways defeat both of these attacks.
  • Stuxnet? Yes, Stuxnet propagated via USB sticks, but if you recall, it punched through firewalls like they weren't there as well. And once Stuxnet stopped being a highly-targeted, under-the-radar threat and went high-volume, anti-virus vendors put signatures out for it and that was the end of Stuxnet on AV-protected networks. Today, both whitelisting and AV solutions catch Stuxnet in a heartbeat.
In fact, sending absolutely everything through your firewalls and banning USB sticks entirely is dangerous. Do you really want your firewalls to pass every kind of rarely-needed data through to your control network? I submit that a well-practised system of screening USB keys through a handful of different vendors' whitelisting and anti-virus systems is a better way to address USB threats than any firewall can be. After all, firewalls make you complacent about removable media. Then, when you really need to use a USB stick, you are out of practice and prone to error.
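
An added illustration, not part of the original article: the whitelisting half of a media cleansing station, sketched in Python as a default-deny check of every file on a mounted USB stick against approved SHA-256 hashes. The function names, the allowlist and the sample files are assumptions constructed for this example; anti-virus scanning would run alongside it and is not shown.

```python
import hashlib
import os
import tempfile

def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def screen_media(root, approved_hashes):
    """Return (release, findings) for the media tree mounted at root.

    release is True only when every entry is a regular file whose SHA-256
    is in approved_hashes. Anything else is a finding: fail closed.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if os.path.islink(path):
                # Links can point outside the media; never follow them.
                findings.append((rel, "rejected: symbolic link"))
            elif os.path.isdir(path):
                continue  # os.walk descends into real directories itself
            elif not os.path.isfile(path):
                findings.append((rel, "rejected: not a regular file"))
            else:
                try:
                    digest = sha256_file(path)
                except OSError as exc:
                    findings.append((rel, f"rejected: unreadable ({exc.strerror})"))
                    continue
                if digest not in approved_hashes:
                    findings.append((rel, f"rejected: not on allowlist ({digest[:12]}...)"))
    return (not findings), findings

if __name__ == "__main__":
    # Constructed sample: one approved file and one unknown file.
    with tempfile.TemporaryDirectory() as media:
        approved = b"approved configuration export (constructed sample)"
        with open(os.path.join(media, "config.xml"), "wb") as f:
            f.write(approved)
        with open(os.path.join(media, "setup.exe"), "wb") as f:
            f.write(b"unknown binary (constructed sample)")
        allowlist = {hashlib.sha256(approved).hexdigest()}
        print(screen_media(media, allowlist))
```

The media is released only when the findings list is empty, so a single unknown, unreadable or linked entry holds back the whole stick.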

Looking Forward
Security practitioners: if you can't use air gaps because you have too much data which must move routinely, use unidirectional gateways. If you can't use the gateways for whatever reason, use firewalls with absolutely minimal data movement configured. Do not configure holes through your firewalls for every last bit, of every kind, of diverse, low-frequency data that you will ever need. Always have a powerful, well-practiced system of media cleansing available, using at least one application control/whitelisting solution, and one or more anti-virus solutions.

Security experts: stop trashing one approach to security after another. Start recommending strong alternatives, and position them correctly within defence-in-depth strategies. Consistently add value through reasoned analysis. If you must point out limitations of one technology, explain clearly which stronger alternatives or compensating measures to include in security programs.

Stop confusing security practitioners. Start teaching them.

1 comment:

  1. Great post, Andrew.

    Your point at the end is almost identical to a comment I left on the Unicorn post over at Tofino. I see too much attacking and not enough educating and it frustrates me!

    Thanks for injecting some reason and sanity into the discussion.

    Pat Russell