Now that many critical infrastructure systems have become network-connected – sometimes kicking and screaming – we take a look at why their tech often seems mired in the Dark Ages, and what folks here at RSA think might help.
The problems have been decades in the making. The pumps and motors that are now network-enabled have been running hydroelectric dams and other critical infrastructure just fine since some of you were kids, all without any packets flowing. Now management pushes to connect them all, and, unsurprisingly, gets a cool reception.
One vendor here at RSA has a technology that detects patterns in EMI emitted from microchips, sensors and wires embedded in all manner of ICS equipment and then whitelists the known-good running code. The tech is nicely accurate at detecting rogue code and is effective, but adoption has been slow.
I brainstormed it with this vendor's booth staff. It seems that to be eager adopters of their tech, plant operators would need an understanding that included a mix of embedded hardware, FPGA cores, EMI, whitelisting and how to connect it all to a network in a secure way. It’s arguably a great technology integration, but that mix of competencies would be very rare to find in a typical plant operator.
The reason relates to legacy: The plant operators with the most practical knowledge of keeping the gears humming place a very high priority on system availability over confidentiality or integrity – the other two legs of the CIA triad frequently referenced in the IT world. In other words, if the systems keep running, no one calls, and uptimes of years are both very common and welcome for things like the power grid.
That means the most senior (and therefore, well-paid) operators have little incentive to packetize anything or stay up late learning about subnets. For some, networks represent an uncomfortable scourge that only affects the sunset years of their career, and they assign it a commensurate importance.
I spoke at a regional conference for professionals in the utility sector about network attacks, and while they were interested, I could tell from some of the questions that some operators lacked even basic network knowledge, so I incorporated a basic networking slide, which I think was most welcome. Although many operators were loath to admit it, especially with co-workers present, they really knew very little about how networks operate at all.
Add that to the perception within critical infrastructure sectors that there’s a raft of legislative efforts of perceptibly dubious import being foisted upon their systems (not all, but enough), and it’s easy to understand the possible pushback.
ESET has recently investigated compromises in industrial systems, and noted that some exploits were leveled against systems that were woefully out of date, even though patches and updates had been widely available for years.
Some plant equipment is air-gapped for security, but that presents new challenges when updates are needed for functionality and/or security. One vendor here at RSA has a system that strips out packet headers on network-based updates, and transfers whitelisted files in an Asynchronous Transfer Mode (ATM) frame across a fiber optic cable, where they are then reassembled, in a manner that foils many packet-based attacks. We’ll see how they fare.
Meanwhile, the slow ooze of senior workforce into retirement, and the commensurate influx of digital natives, will be most welcome. And while the digitally-nurtured newcomers will have their hands full gaining the experience to keep the plant running for decades without significant interruption, packetized systems won’t seem a strain to learn and implement in ways that make sense.
Now, if we could take the ancient communication protocols used to control the systems and redesign them to have robust authentication and other security features baked in, our systems might stand a chance!