Identifying and Stopping Network Security Breaches
By Frank Andrus, Bradford Networks
Companies in the energy sector have experienced an unprecedented level of cyberattacks in the past year. The U.S. government issued a rare public warning in the fall of 2017 about aggressive, ongoing cyberattacks on energy and utility targets. Various surveys and news stories from 2016 and 2017 report that well over 60 percent of critical infrastructure organizations had a security incident in the prior two years, and just as many said that the threat landscape looks worse going forward. As utilities embrace digital transformation, operational efficiency and productivity increase, but the additional network connections also expand the network’s attack surface. To combat this larger threat landscape, utilities must quickly close the resulting network security gaps.
Security Gap No. 1: Unsecured endpoint devices such as IoT and BYOD devices
Unsecured endpoint devices are a growing challenge for network security. With the prevalence of bring your own device (BYOD) and Internet of Things (IoT) devices, there are more uncontrolled devices connecting to the network than ever before. As these devices continue to saturate the market, organizations are struggling to balance the productivity gains they deliver against the security risks. The most formidable challenge is that there is no device configuration standardization for BYOD or IoT. There are hundreds of permutations of device type, brand, operating system and security health status. Yet, many organizations are rapidly adding IoT-enabled security cameras, sensors and office equipment, as well as allowing employees, guests and contractors to connect unknown mobile devices to the network. This is concerning because many mobile and BYOD devices lack sufficient security and most IoT devices have little or no intrinsic security. Ponemon Institute’s 2017 State of Mobile & Internet of Things Application Security Study discovered that 46 percent of respondents stated they (likely or definitely) already experienced an attack as the result of IoT applications. These risks are poised to increase as thousands of new IoT devices continue to enter the market. Gartner predicts that IoT device adoption will more than double from 8.4 billion devices in 2017 to 20.4 billion devices by 2020.
Security Gap No. 2: Older industrial control systems, including SCADA and PLCs
Most energy companies have some older industrial control systems (ICS). The two most concerning subsets of ICS are the SCADA systems and programmable logic controllers (PLCs). Energy companies frequently use SCADA systems to gather and analyze real-time data, monitor and control plants or equipment, as well as manage the flow of electricity through grids. PLCs are used for myriad purposes, including sequencing, logic or motor control for industrial control systems.
SCADA technology has been around for many years, but given the nature of networking and the state of security knowledge at the time, these systems were never designed to operate in today’s threat landscape. This is also the case with PLCs, as many lack sufficient security. In addition, many legacy SCADA systems and PLCs run old firmware that cannot interoperate with new operating systems or with many security software products, which greatly increases security risk. With today’s deep integration of IoT devices that can reach every corner of the network, these unsecured ICSs, which used to be protected only by obscurity, are now vulnerable targets. Kaspersky Lab experts found 13,000 ICSs connected to and accessible from the internet, and 90 percent of them have known vulnerabilities. The survey also found the problem is widespread, with 30 percent of these vulnerable ICSs located in the U.S. and about 14 percent in Europe.
Security Gap No. 3: Long lag times before incursions are discovered and remediated
The Ponemon Institute’s 2017 Cost of Data Breach Study found that on average, the less time a hacker spends in the network, the lower the costs from the incursion. Sadly, it still takes an average of 191 days before an attack is discovered, then another 66 days until the breach is contained.
Why does it take so long? IT groups face thousands and sometimes tens of thousands of alerts per day. It is impossible for security analysts to review every possible threat and difficult to separate the real threats from the noise.
While these attackers are dwelling in the network unnoticed, they can move laterally, expanding their network privileges and spreading to increasingly sensitive areas of the network. Once in the network, attackers can cause damage in several ways—they may steal valuable data and information, take control of physical facilities and cause damage, or install ransomware that locks users out of the network and facility systems until a ransom is paid. Reducing the ability of hackers to exploit vulnerable security gaps and limiting the amount of time hackers spend in the network are crucial security requirements, and ones that most utility companies are actively trying to address.
Three steps to stopping attacks
Hackers are not going away and will continue to become more sophisticated. To close endpoint security gaps, utilities need three core capabilities to stop hackers in their tracks.
1. Complete visibility into every device connected to the network. A recent Forrester Consulting paper titled “IoT and OT Security Research Exposes Hidden Business Challenges” revealed that 82 percent of organizations cannot identify all the devices connected to their networks. Because it is impossible to protect the network from a threat that can’t be seen, complete real-time visibility is a crucial first step in securing endpoint devices. Visibility also simplifies centralized management and ensures that if a device is compromised, it can be located quickly, even if the device is in a remote location.
How should a utility IT group begin? It should start with a live inventory of network connections, identifying every endpoint device connected to the network, as well as the physical location, type of device, operating systems, antivirus software and patch levels. The IT group can use this to create a complete database with a real-time view of all devices, satisfy several regulatory requirements for audit trails and facilitate network planning. In addition, a complete visibility solution will provide information on the device, as well as log the device ownership, connections made and applications used, then deliver it along with any alerts to provide contextual information that speeds resolution. Many organizations receive alerts of suspicious activities on a specific IP address, then spend hours trying to manually track down the suspect device. Critical infrastructure organizations cannot risk this dwell time—complete visibility is the first crucial step to secure today’s myriad endpoint devices.
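The live inventory described above, as an added example that is not code from the article or from Bradford Networks: it joins what a switch reports about each port (MAC, IP, site) with what an endpoint agent or profiler reports about the same MAC (owner, device type, OS, antivirus, patch level), so that an alert on an IP address resolves instantly to a device, an owner and a physical port, and so that devices seen on the wire but never described by any agent surface as unknown. All records, site names and addresses are constructed sample data; Endpoint, build_inventory, locate and unknown_endpoints are names chosen for this example.

```python
"""Live endpoint inventory built from constructed switch and agent records.

Added example (not from the article or from Bradford Networks). Joining the
switch-side view (MAC, IP, port, site) with the agent-side view (owner, type,
OS, antivirus, patch level) gives the who/what/where context that turns
"alert on 10.20.3.7" into "the badge reader on sw-sub4-01 port Gi1/0/12 in
Substation 4". Every record below is constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of what a switch's MAC/ARP tables report per port.
SWITCH_RECORDS = [
    {"site": "Substation 4", "switch": "sw-sub4-01", "port": "Gi1/0/12",
     "mac": "00:11:22:33:44:01", "ip": "10.20.3.7"},
    {"site": "HQ", "switch": "sw-hq-03", "port": "Gi1/0/5",
     "mac": "00:11:22:33:44:02", "ip": "10.10.1.15"},
    {"site": "Substation 4", "switch": "sw-sub4-01", "port": "Gi1/0/20",
     "mac": "00:11:22:33:44:09", "ip": "10.20.3.40"},
]

# Constructed sample of what an endpoint agent or profiler reports per MAC.
# Note that the third switch record has no agent record: that is the gap
# the inventory is meant to expose.
AGENT_RECORDS = [
    {"mac": "00:11:22:33:44:01", "owner": "facilities", "kind": "badge-reader",
     "os": "embedded-linux", "av": None, "patch_level": "2016-09"},
    {"mac": "00:11:22:33:44:02", "owner": "jdoe", "kind": "laptop",
     "os": "Windows 10", "av": "up-to-date", "patch_level": "2018-01"},
]


@dataclass
class Endpoint:
    mac: str
    ip: str
    site: str
    switch: str
    port: str
    owner: Optional[str] = None
    kind: Optional[str] = None
    os: Optional[str] = None
    av: Optional[str] = None
    patch_level: Optional[str] = None

    @property
    def is_known(self) -> bool:
        # A device no agent or profiler has ever described counts as unknown.
        return self.kind is not None


def build_inventory(switch_records, agent_records) -> Dict[str, Endpoint]:
    """Join switch-side and agent-side records on MAC into one inventory."""
    by_mac = {r["mac"]: r for r in agent_records}
    inventory: Dict[str, Endpoint] = {}
    for s in switch_records:
        a = by_mac.get(s["mac"], {})
        inventory[s["mac"]] = Endpoint(
            mac=s["mac"], ip=s["ip"], site=s["site"], switch=s["switch"],
            port=s["port"], owner=a.get("owner"), kind=a.get("kind"),
            os=a.get("os"), av=a.get("av"), patch_level=a.get("patch_level"))
    return inventory


def locate(inventory: Dict[str, Endpoint], ip: str) -> Optional[Endpoint]:
    """Answer the analyst's question 'which device is this IP?' immediately."""
    return next((e for e in inventory.values() if e.ip == ip), None)


def unknown_endpoints(inventory: Dict[str, Endpoint]) -> List[Endpoint]:
    """Devices seen on the wire that no agent or profiler has described."""
    return [e for e in inventory.values() if not e.is_known]


def describe(e: Endpoint) -> str:
    """One-line who/what/where summary to attach to an alert."""
    return (f"{e.kind or 'UNKNOWN'} owned by {e.owner or '?'} at {e.site} "
            f"{e.switch} port {e.port} ({e.ip}, {e.mac})")


if __name__ == "__main__":
    inv = build_inventory(SWITCH_RECORDS, AGENT_RECORDS)
    print(describe(locate(inv, "10.20.3.7")))
    for e in unknown_endpoints(inv):
        print("unknown device:", describe(e))
```

In a real deployment the two record sources would be polled continuously (SNMP or the switch API on one side, the agent or profiler on the other), and the unknown_endpoints list is what feeds the quarantine policy: a device with a port but no description is exactly the device the access control step should not admit.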
2. A flexible network access control (NAC) solution. As hackers have evolved, so has NAC technology. Among other advances, a good NAC program now includes functions such as the ability to stop the lateral spread of malware through network segmentation, provide pre-connect and post-connect compliance checks and automate the detection and quarantine of rogue endpoints. Organizations can use NAC to establish criteria and enforce policies about who can access the network and how much access each user should receive. The ability to customize individual levels of access not only satisfies several regulatory requirements, but also limits access to an organization’s most sensitive data and devices in case of a breach. A good NAC solution also acts as a compensating control for devices that lack enterprise security, including IoT, BYOD, SCADA and PLCs. It also enables organizations to set minimum required operating system and antivirus patch levels, and will allow only devices that meet the criteria to connect to the network. It can enforce policies for automatic provisioning, access and much more to reduce the burden on IT groups.
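The admission policy described in this step, as an added example that is not the article's or any vendor's code: unknown endpoints are quarantined, known endpoints must meet a minimum OS patch level and antivirus status or are sent to a limited self-remediation segment, device classes that cannot run an agent (PLC, camera, HVAC controller) get the compensating control of admission only to a tightly scoped segment, and compliant devices land in a segment chosen by role. The same policy is re-run post-connect so that a device that falls out of compliance while connected is moved. Segment names, OS versions, patch dates, roles and the sample endpoints are all constructed; evaluate and post_connect are names chosen for this example.

```python
"""NAC admission policy evaluated pre-connect and re-evaluated post-connect.

Added example, not code from the article or from Bradford Networks. Segment
names, OS versions, patch dates and sample endpoints are constructed.
"""
from dataclasses import dataclass
from typing import Optional

QUARANTINE = "VLAN-QUARANTINE"   # unknown devices: no access at all
REMEDIATION = "VLAN-REMEDIATE"   # known but non-compliant: self-service page only

# Constructed policy. Patch levels are "YYYY-MM" strings, so zero-padded
# lexical comparison orders them correctly.
POLICY = {
    "min_patch": {"Windows 10": "2018-01", "Windows 7": "2017-12"},
    "require_av": {"laptop", "workstation"},
    # Agentless classes: no posture to check, so contain them instead.
    "agentless_segment": {"plc": "VLAN-OT-PLC", "camera": "VLAN-IOT-CCTV",
                          "hvac": "VLAN-IOT-BMS"},
    "role_segment": {"engineer": "VLAN-ENG", "contractor": "VLAN-GUEST"},
    "default_segment": "VLAN-CORP",
}


@dataclass
class Endpoint:
    mac: str
    known: bool                          # present in the live inventory?
    kind: Optional[str] = None
    role: Optional[str] = None
    os: Optional[str] = None
    patch_level: Optional[str] = None    # "YYYY-MM"
    av_current: Optional[bool] = None


@dataclass(frozen=True)
class Decision:
    segment: str
    reason: str


def evaluate(e: Endpoint, policy=POLICY) -> Decision:
    """Pre-connect check: choose the segment an endpoint is admitted to."""
    if not e.known:
        return Decision(QUARANTINE, "unknown endpoint")
    agentless = policy["agentless_segment"]
    if e.kind in agentless:
        # Compensating control for devices with no intrinsic security.
        return Decision(agentless[e.kind], f"agentless {e.kind}: restricted segment")
    min_patch = policy["min_patch"].get(e.os)
    if min_patch is None:
        return Decision(REMEDIATION, f"unsupported OS {e.os!r}")
    if (e.patch_level or "") < min_patch:
        return Decision(REMEDIATION, f"patch level {e.patch_level} below {min_patch}")
    if e.kind in policy["require_av"] and not e.av_current:
        return Decision(REMEDIATION, "antivirus not current")
    seg = policy["role_segment"].get(e.role, policy["default_segment"])
    return Decision(seg, "compliant")


def post_connect(current: Decision, e: Endpoint, policy=POLICY) -> Decision:
    """Post-connect check: re-run the policy against fresh posture data and
    move the endpoint if its compliance has changed since admission."""
    new = evaluate(e, policy)
    if new.segment != current.segment:
        print(f"{e.mac}: {current.segment} -> {new.segment} ({new.reason})")
    return new


if __name__ == "__main__":
    laptop = Endpoint("00:11:22:33:44:02", known=True, kind="laptop", role="engineer",
                      os="Windows 10", patch_level="2018-01", av_current=True)
    admitted = evaluate(laptop)          # VLAN-ENG, compliant
    laptop.av_current = False            # antivirus lapses while connected
    post_connect(admitted, laptop)       # moved to VLAN-REMEDIATE
    for dev in (Endpoint("aa:bb:cc:dd:ee:ff", known=False),
                Endpoint("00:11:22:33:44:31", known=True, kind="plc")):
        print(dev.mac, evaluate(dev))
```

The ordering of the checks is the design point: identity (known or not) is decided before posture, posture before role, so a device can never reach a role-based segment without first passing the checks that apply to its class, and the agentless branch makes the compensating control explicit rather than silently exempting those devices.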
3. An automated threat response solution. Automated threat response can immediately isolate devices acting suspiciously and prevent the damage from attackers dwelling in the network. With thousands of alerts each day, it’s impossible for analysts to manually triage and investigate each threat. By implementing a real-time automated threat response solution, organizations can reduce dwell time from months to seconds. NAC solutions can scan devices pre-connect, but also continuously monitor endpoints. A good NAC solution can automatically isolate:
- Any endpoint that does not comply with minimum network security standards
- An endpoint that falls out of compliance while connected
- Any endpoint that behaves in a suspicious way
For example, if a surveillance camera or HVAC controller begins hitting a utility’s DNS server, it should be investigated in real time by correlating the activity with contextual information and automatically isolating the device. The best automated threat response solutions can also work seamlessly with other best-of-breed security solutions to ingest additional data that increases the fidelity of the alerts, accurately triage the most critical events, then deliver the alert, along with the contextual who, what, where and when information, to an analyst. This speeds time to resolution and reduces the burden on already strained IT resources.
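The camera-hitting-the-DNS-server case above, as an added example that is not code from the article or from Bradford Networks: it parses constructed BIND-style query-log lines, correlates each source IP with a constructed inventory entry (device class, owner, site, switch port), and raises an isolation action only when a device whose class has a known, narrow set of legitimate names resolves enough unexpected names to cross a threshold. A laptop making the same lookups is left alone, because DNS use is normal for a general-purpose device; that is what correlating with context adds over a raw alert. Log lines, addresses, inventory entries, the per-class baselines, the threshold and the isolate_port stand-in are all constructed.

```python
"""Context-aware automated response over DNS query logs.

Added example; not code from the article or from Bradford Networks. Every
log line, IP, inventory entry and baseline below is constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Constructed inventory: what the visibility layer already knows per IP.
INVENTORY = {
    "10.20.3.7":  {"kind": "camera", "owner": "facilities", "site": "Substation 4",
                   "switch": "sw-sub4-01", "port": "Gi1/0/12"},
    "10.20.3.9":  {"kind": "hvac", "owner": "facilities", "site": "Substation 4",
                   "switch": "sw-sub4-01", "port": "Gi1/0/14"},
    "10.10.1.15": {"kind": "laptop", "owner": "jdoe", "site": "HQ",
                   "switch": "sw-hq-03", "port": "Gi1/0/5"},
}

# Constructed per-class baseline: the only names an IoT class should resolve.
# Classes not listed (e.g. laptop) are general-purpose and not judged here.
EXPECTED_NAMES = {
    "camera": {"nvr.utility.example"},
    "hvac":   {"bms.utility.example", "ntp.utility.example"},
}
THRESHOLD = 3   # unexpected lookups in the window before we act

# Constructed BIND-style query log excerpt.
LOG = """\
12-Feb-2018 10:00:01.101 client 10.20.3.7#51234 (nvr.utility.example): query: nvr.utility.example IN A + (10.20.0.5)
12-Feb-2018 10:00:02.220 client 10.10.1.15#40011 (news.example): query: news.example IN A + (10.20.0.5)
12-Feb-2018 10:00:03.330 client 10.20.3.7#51235 (a1.example): query: a1.example IN A + (10.20.0.5)
12-Feb-2018 10:00:03.331 client 10.20.3.7#51236 (b2.example): query: b2.example IN A + (10.20.0.5)
12-Feb-2018 10:00:03.332 client 10.20.3.7#51237 (c3.example): query: c3.example IN A + (10.20.0.5)
12-Feb-2018 10:00:04.440 client 10.20.3.9#60000 (ntp.utility.example): query: ntp.utility.example IN A + (10.20.0.5)
12-Feb-2018 10:00:05.550 client 10.20.3.9#60001 (d4.example): query: d4.example IN A + (10.20.0.5)
"""

QUERY_RE = re.compile(r"client (\d+\.\d+\.\d+\.\d+)#\d+ .*?query: (\S+) IN ")


@dataclass
class Action:
    ip: str
    kind: str
    owner: str
    site: str
    switch: str
    port: str
    unexpected: List[str]


def parse_queries(log: str) -> Dict[str, List[str]]:
    """Map each source IP to the list of names it queried."""
    queries: Dict[str, List[str]] = defaultdict(list)
    for line in log.splitlines():
        m = QUERY_RE.search(line)
        if m:
            queries[m.group(1)].append(m.group(2).lower().rstrip("."))
    return queries


def triage(log: str, inventory=INVENTORY, threshold=THRESHOLD) -> List[Action]:
    """Correlate DNS activity with device context and decide whom to isolate."""
    actions: List[Action] = []
    for ip, names in parse_queries(log).items():
        ctx = inventory.get(ip)
        if ctx is None:
            continue   # unknown IP: the admission policy should already hold it
        allowed = EXPECTED_NAMES.get(ctx["kind"])
        if allowed is None:
            continue   # general-purpose device; DNS use is normal for it
        unexpected = [n for n in names if n not in allowed]
        if len(unexpected) >= threshold:
            actions.append(Action(ip, ctx["kind"], ctx["owner"], ctx["site"],
                                  ctx["switch"], ctx["port"], unexpected))
    return actions


def isolate_port(action: Action) -> str:
    """Stand-in for the NAC call that shuts or re-VLANs the offending port;
    returns the who/what/where line that accompanies the alert."""
    return (f"ISOLATE {action.switch} {action.port}: {action.kind} "
            f"({action.owner}, {action.site}) at {action.ip} resolved "
            f"{len(action.unexpected)} unexpected names: {', '.join(action.unexpected)}")


if __name__ == "__main__":
    for act in triage(LOG):
        print(isolate_port(act))
```

On the constructed log only the camera is isolated: the HVAC controller made one unexpected lookup, below the threshold, and the laptop is not judged at all. The threshold and the per-class baselines are what keep the fidelity high enough for the response to be automatic rather than merely advisory.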
How one utility secured remote ICS without breaking its budget
One major utility needed to improve security for its highly distributed ICS architecture, which included several legacy systems too old to support the current 802.1X authentication standard. It needed either a large, cost-prohibitive upgrade or compensating controls to secure its 5,000 endpoints in 200 locations. The issue was further complicated by the fact that many of the ICSs were in remote locations where bandwidth was limited, so the utility also needed centralized control of remote legacy devices over low-bandwidth links. It implemented an advanced NAC solution that automatically quarantines unknown endpoints that try to connect to the network and requires known endpoints to meet minimum antivirus and OS patch levels before they can access the network. To simplify the process and reduce the burden on IT resources, known devices that do not meet the requirements are redirected to a limited-access page for self-remediation. In addition, the utility used the NAC solution to generate a comprehensive live inventory of all connections and fed this data into its security information and event management software, and set NAC policies for control and automated threat response to immediately shut down any port that acts suspiciously.
The final analysis
As digital transformation increases efficiency, it also increases network vulnerabilities. With budgetary limitations and a short supply of skilled IT workers, it can be challenging to build a strong security posture and an efficient organization. As part of a nation’s critical infrastructure, however, it is crucial that utilities continue to find new ways to use technology to close these emerging security gaps and decrease the risk of a breach or a hacker-induced power grid failure. Because endpoint devices represent one of today’s biggest security gaps, securing these devices is a strong first step.
Frank Andrus has more than 20 years of experience in network management applications and has helped patent automated device discovery methodologies. Frank is currently the chief technology officer at Bradford Networks, leading R&D and product development for network access control and security automation and orchestration.