Designing Operational Technology with Security in Mind
June 7, 2013 | Uncategorized | Yariv Lenchner
I saw a post recently on Slashdot that got me thinking about the security of operational technology used for our critical infrastructure. The poster asked the question (paraphrased):
Is there a device to automatically disconnect network or otherwise time limit a physical connection to a network? We are dealing with a production outage of large industrial equipment. The cause? The supplier, with no notice, remotely connected to the process control system and completely botched an update to their system.
Believe it or not, this is very much like what happens when critical infrastructure is attacked from the outside. Someone outside the organization is able to remotely connect to an industrial control system (ICS) and perform functions that they shouldn’t. According to Charles Edwards, deputy inspector general of the Department of Homeland Security (DHS), this includes “the potential for large-scale power outages or man-made environmental disasters and cause physical damage, loss of life and other cascading effects.”
The industrial control world is a unique one. Even though it uses more and more technologies that come from the general IT world, it still has its own needs and ways of doing things. One of the most well-known differences is the preference for availability over security in the design of systems. This is, of course, very problematic as more and more industrial control networks become the target of cyber-attacks.
In the case of the Slashdot poster, and in the case of cyber-attacks, Cyber-Ark’s Privileged Session Management (PSM) suite (acting as a Next-Generation Jump Server) would provide more control over who is accessing the industrial control network and what they’re doing once they’ve assumed control.
Using Cyber-Ark PSM, the Slashdot poster could have:
- Set a rule requiring the utility to authorize the remote access request before any access is granted;
- Monitored the session in real time (as if it were over-the-shoulder monitoring);
- Intervened in the privileged session and terminated it immediately;
- Performed root-cause analysis for rapid remediation and change management review;
- Reviewed video-recorded session playbacks for audit proof.
The point? Industrial control vendors did not build their systems with security in mind – and it’ll be several generations of products until they catch up to the threat landscape. Critical infrastructure companies must be proactive and take control over the exposed privileged accounts in their operational technology.