With the network perimeter now in flux, ICS security can benefit from Zero Trust architecture and micro-segmentation.
A truck driver queues up to an automated signup booth a few meters outside the fenced area of a factory. The booth, which connects directly to the factory ICS (industrial control systems) production network, lets him perform the signup procedure without leaving the truck. The automated warehousing system now knows he has arrived to pick up cargo.
An engineer from a vendor's tech support team is sorting out a problem with a controller sitting deep within the ICS production network. To troubleshoot the issue, he connects to the network over an L2L (LAN to LAN) VPN. The perimeter firewall permits the vendor's entire network range (a /16, tens of thousands of addresses) so that the vendor's staff can connect to the factory whenever necessary. In practice, any host on the vendor's network can reach the ICS network, not just the engineers who need to.
A contractor visits the factory floor to update controller software that will enable the production line to assemble a new product. The product requires additional logic for the sensors on the line. The contractor plugs his own laptop directly into an Ethernet port of a switch in the ICS rack and establishes a connection to the controller. Using his phone as a mobile access point, he then connects to the internet to download the latest version of the controller software. The ICS production network has just been bridged to the internet.
So where’s the perimeter?
These are just a few examples of how fluid the perimeter of a live ICS environment turns out to be when our consultants visit production facilities. The growing need for data transfers and remote connectivity has very quickly turned the once-isolated ICS network firewall into Swiss cheese, presenting real challenges for ICS security. The effective perimeter of the ICS network may lie hundreds of kilometers away from the facility itself. This trend has only accelerated with the adoption of mobile and cloud technologies, even in ICS environments.
All of which has made it increasingly difficult to effectively manage the ICS network perimeter in the traditional fashion of putting a single barrier at the entry point into the network. No longer is the perimeter the physical fence around the facility. Rather, the perimeter is where the furthest point of your network is. That may be a booth sitting outside the fence line or the home of a vendor employee.
In fact, it’s common that the company operating the production facility doesn’t even know where their actual perimeter is. Complex modern supply chains and the multitude of vendors maintaining the production environment create a complex network infrastructure.
Micro-segmentation as a solution
With the network equipment and access control solutions on the market today, it is possible to build a so-called Zero Trust architecture. In a Zero Trust architecture, every remote connection into the ICS network is authenticated as a specific user or device and evaluated against context such as its source location, rather than being trusted simply because it arrives from an allowed address range. Access rights can then be granted in a granular manner, allowing connections only to specific hosts or controllers within the network, on the protocols and ports the task actually needs. This dynamic network micro-segmentation enables tight access control without resorting to overpermissive user- or vendor-specific firewall rules such as whitelisting an entire /16. It greatly reduces the attack surface exposed to remote parties and the opportunities for lateral movement within the ICS network.
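To make the difference concrete, here is an added example (not code from the original post or any product it mentions): a minimal policy evaluator in Python that models remote access into an ICS network. It contrasts a coarse perimeter rule of the kind described in the vendor VPN scenario above (the whole vendor /16 allowed to everything) with identity- and host-scoped micro-segmentation rules. All user names, addresses, asset ids and ports are hypothetical and constructed for the example.

```python
"""Added example, not code from the original post: a minimal Zero Trust
policy evaluator for remote access into an ICS network. It contrasts a
coarse perimeter rule (the vendor's whole /16 allowed to everything) with
identity- and host-scoped micro-segmentation rules. Every user name,
address, asset id and port below is hypothetical, constructed for the
example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional, Tuple

ANY: FrozenSet = frozenset()  # empty set means "unconstrained"


@dataclass(frozen=True)
class AccessRequest:
    user: Optional[str]   # authenticated identity, None if the session is anonymous
    src_ip: str           # where the session originates
    mfa: bool             # whether the identity was verified with a second factor
    dst_host: str         # ICS asset id the session wants to reach
    dst_port: int


@dataclass(frozen=True)
class Rule:
    name: str
    src_nets: Tuple[str, ...]          # networks the session may come from
    users: FrozenSet[str] = ANY        # allowed identities (ANY = no identity check)
    require_mfa: bool = False
    dst_hosts: FrozenSet[str] = ANY    # allowed assets (ANY = whole ICS network)
    dst_ports: FrozenSet[int] = ANY    # allowed ports (ANY = all ports)

    def matches(self, req: AccessRequest) -> bool:
        src = ip_address(req.src_ip)
        if not any(src in ip_network(n) for n in self.src_nets):
            return False
        if self.users and req.user not in self.users:
            return False
        if self.require_mfa and not req.mfa:
            return False
        if self.dst_hosts and req.dst_host not in self.dst_hosts:
            return False
        if self.dst_ports and req.dst_port not in self.dst_ports:
            return False
        return True


def evaluate(policy: Tuple[Rule, ...], req: AccessRequest) -> Tuple[bool, str]:
    """First matching rule wins; a request matching nothing is denied."""
    for rule in policy:
        if rule.matches(req):
            return True, rule.name
    return False, "default-deny"


# The overpermissive perimeter rule: anyone on the vendor's /16 may talk to
# any ICS host on any port, with no identity or MFA check.
COARSE_POLICY = (
    Rule("vendor-any", src_nets=("172.16.0.0/16",)),
)

# Micro-segmentation: each remote party gets exactly the hosts and ports it
# needs, tied to an identity (plus MFA for interactive engineering access).
MICROSEG_POLICY = (
    Rule("vendor-plc07-maint", src_nets=("172.16.0.0/16",),
         users=frozenset({"vendor-eng-alice"}), require_mfa=True,
         dst_hosts=frozenset({"PLC-07"}), dst_ports=frozenset({102})),
    Rule("signup-booth-to-wms", src_nets=("192.0.2.10/32",),
         users=frozenset({"booth-kiosk-1"}),
         dst_hosts=frozenset({"WMS-01"}), dst_ports=frozenset({8443})),
)

# Hypothetical asset inventory of the ICS production network.
ICS_ASSETS = ("PLC-07", "PLC-12", "HMI-01", "WMS-01")


def reachable_assets(policy: Tuple[Rule, ...], user: Optional[str],
                     src_ip: str, mfa: bool, port: int) -> FrozenSet[str]:
    """Assets one session could reach: a crude lateral-movement measure."""
    return frozenset(
        h for h in ICS_ASSETS
        if evaluate(policy, AccessRequest(user, src_ip, mfa, h, port))[0]
    )


if __name__ == "__main__":
    cases = [
        ("alice -> PLC-07 (her job)", AccessRequest("vendor-eng-alice", "172.16.40.7", True, "PLC-07", 102)),
        ("alice -> PLC-12 (lateral)", AccessRequest("vendor-eng-alice", "172.16.40.7", True, "PLC-12", 102)),
        ("unknown vendor host -> HMI RDP", AccessRequest(None, "172.16.200.9", False, "HMI-01", 3389)),
    ]
    for label, req in cases:
        print(f"{label:32} coarse={evaluate(COARSE_POLICY, req)} "
              f"microseg={evaluate(MICROSEG_POLICY, req)}")
    print("coarse   reach:", sorted(reachable_assets(COARSE_POLICY, "vendor-eng-alice", "172.16.40.7", True, 102)))
    print("microseg reach:", sorted(reachable_assets(MICROSEG_POLICY, "vendor-eng-alice", "172.16.40.7", True, 102)))
```

Under the coarse policy, a compromised workstation anywhere in the vendor's /16 reaches every asset in the inventory; under the micro-segmentation policy the same engineer, with MFA, reaches exactly the one controller she is maintaining, and an unauthenticated session from the vendor range reaches nothing. The same policy shape can be expressed in whatever the access gateway or SDN controller in use supports; the point is that the decision keys on identity and destination asset, not only on the source network.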
Micro-segmented private overlay networks are described, for example, in the ISA (International Society of Automation) document TR100.15.01 “Backhaul Architecture Model: Secured Connectivity over Untrusted or Trusted Networks.” This document presents an architectural model of connecting industrial control system components over untrusted backhaul networks. The learnings and architectural model from the paper can also be used as a baseline for “trusted” VPN and LAN connections.
It is time to acknowledge the challenges of ICS security. One, it’s difficult to control what happens within the ICS network and how suppliers and vendors handle their security. Two, as supply chains become increasingly complex, it’s time to move away from the paradigm of “all VPN traffic comes from trusted sources.”
For more on ICS security, download our ebook about the story of a targeted cyber attack in the manufacturing industry. You’ll learn about how attackers breach your defensive barriers, plus find out what happens in a full-blown ICS attack.