Protecting your ICS from Zero-Day Attacks (plus Video)

Submitted by Joel Langill on Mon, 2011-05-02 21:00

Nowadays Stuxnet has become a household term the second anyone talks about cyber security for industrial control systems (ICS). This sophisticated piece of malware first identified in 2010, showed just how powerful an ICS compromise could be in terms of both the impact to manufacturing operations and the possibility of mechanical damage. Was this an isolated attack, unlikely to occur again, or the beginning of a new era in ICS security issues?

Zero-Day Vulnerabilities Galore

The question was answered in March 2011 when an independent security researcher from Italy, Luigi Auriemma, openly published his SCADA security discoveries. Luigi, who had never before worked with ICS software, spent a few days studying a small number of common packages. He uncovered 34 vulnerabilities that target four different ICS systems. These vulnerabilities were "zero-days," meaning that the vendor was unaware of their existence and that there were no patches available to prevent them from affecting the targeted ICS.

Working with Eric Byres, I decided to take a closer look at these vulnerabilities. I presented some of my findings in the form of specific White Papers for 7-Technologies and ICONICS GENESIS systems.

As control system professionals, what are we supposed to do to protect our systems from both known and unknown threats? Simply installing anti-virus software is not sufficient because such software does not have signatures to detect zero-day vulnerabilities.

The Auriemma exploits are additionally difficult to detect because they use valid application services running inside the ICS host. These services are often used to communicate with other "valid" nodes within the overall ICS architecture.

How to Secure your ICS against Nasty Threats

One of the most effective security controls that can be implemented is one that fortifies vulnerable hosts by building a barrier around them. The barrier restricts communication to valid protocol channels and also only allows communication between valid clients and servers in the architecture.

In the video below, “Protecting your ICS from Zero-Day Attacks”, I detail how one specific zero day attack works against a Siemens FactoryLink HMI system. Then, using Tofino technology as an example, I show how an industrial firewall can be installed in-line between a vulnerable host and the rest of the control system to address this zero day.

The video describes the specific rules needed in the firewall, so you can use this information regardless of the firewall product you use. That said, the Tofino solution allows you to build and fine tune rule-sets, based on the actual valid communications between the clients and servers. This feature is extremely valuable when dealing with older systems where vendor documentation relating to communication "ports" and "services" may not be available.

Finally, the video explains how an additional layer of protection can be added by utilizing open-source intrusion detection software. I show how this ICS can be installed with a combination of both ICS-specific and custom-developed rules to provide early detection when a potential attack is taking place.

Protecting critical infrastructure from Zero-Day attacks doesn’t have to be difficult. Let’s work together to secure critical systems today.

Joel Langill’s Video – “Protecting your ICS from Zero-Day Attacks”

This article is a special guest contribution by: