Pundits are amazed at the level of attack sophistication in a recent attack on Siemens' process control systems via Windows workstations. What surprises me is that people are surprised.
Stuxnet: malware that can infiltrate Siemens' process control systems via the Windows workstations used to manage them. Much of the security community discussion has been speculation about the attackers and motive. And pundits are amazed at the level of attack sophistication: rootkit construction, the employment of no fewer than four zero-days, and ability to target, for the first time, obscure embedded control software.
What surprises me is that people are surprised.
At my company's tech summit a few years back, a rep from the Idaho National Laboratory (INL) was asked about vulnerabilities in critical infrastructure. His answer: “I can't talk about them for national security reasons. But suffice it to say that most of these systems are being controlled by Windows PCs.”
I once asked the chief security architect at a major US oil refining company to explain how he protects the refinery control systems from cyber attack:
Q: Is the process control network connected to the Internet?
Q: So there is no physical path from the control network to the corporate network?
A: Well, the networks are isolated by the latest firewall appliances.
Q: The same way your corporate network is protected from the Internet?
A: Yes, except we have a separate set of firewalls there. So an attacker would need to bridge both sets of defenses to get to the crackers.
OMG. The folks responsible for IT security of critical infrastructure think that Windows and Linux workstations isolated by commercial network security appliances can keep out sophisticated attackers? Please.
Ask a whitehat like Adriel Desautels from Netragard, and he'll tell you that getting through the firewalls, IPS, and IDS is child's play. Other data center experts have estimated that the cost of hiring a good hacker to infiltrate even the best-protected DMZs is anywhere from $25K to $100K. Stuxnet is simply the latest proof that critical infrastructure is a viable target for determined and well-funded attackers.
So what can we do to protect our embedded control systems? Stuxnet media coverage is all about the usual Microsoft patches and Symantec advisories. Something heavy-handed is needed if we hope to change the fail-first, patch-later status quo.

Two answers. We can re-architect, using creative security techniques to ensure that the critical control systems cannot be illicitly accessed and reprogrammed. We need high assurance of this security, a level far beyond commercial IT practice. But it has been done for other security-critical embedded systems, such as the F-35 Joint Strike Fighter avionics.
Another approach is to cut the cord: physically isolate the critical network and epoxy the USB ports. That may sound outrageous, but it is precisely how the DoD and IC protect their most sensitive, compartmentalized classified networks. In fact, General Keith Alexander, DoD CYBERCOM chief, just made a similar recommendation (see “Cyber Command Director: U.S. Needs To Secure Critical Infrastructure,” InformationWeek), perhaps coinciding with the recent Stuxnet coverage?
Physical isolation introduces some inefficiency at first, but that can be addressed with the application of high assurance access solutions that can securely manage critical computer systems, even over the Internet. These access control systems use the latest and greatest Windows or Linux HMIs, but they do NOT depend on Windows or Linux for their security.
In the case of the smart grid, utilities are still early in the development of security strategy and network architectures. We can–no, we must–build high assurance security in from the ground up. Let's not squander this once-in-a-lifetime opportunity.
Dave Kleidermacher is CTO of Green Hills Software. He writes about security issues, sharing his insights on techniques to improve the security of software for highly critical embedded systems.