The good security practice for getting security updates to an ICS is well understood. A server on the SCADA or DCS network pulls the security updates from the ICS DMZ. The ICS DMZ pulls them from the corporate network, which pulls them from the Internet. You will see this in multiple ICS security guideline documents and most assessment reports … if the ICS security perimeter is a firewall.
Now imagine you have upgraded your ICS security perimeter to a unidirectional security gateway. The ICS can still push process data out to the DMZ for use on the corporate network, but the physics in the unidirectional security gateway prevents all communication from the DMZ to the ICS network.
In a one-way world, how do you get security updates, such as antivirus signatures and security patches, to the systems on the SCADA or DCS networks?
We see two ways to do it, neither of them perfect, but loyal blog readers may have additional ideas for this happy problem.
- Sneakernet with a dedicated USB drive that is scanned for malware before it goes in. This is obviously not perfect because there is no way to guarantee the USB drive is not infected, even with appropriate security controls. And yes, this is a flow of information into the ICS, so it is not completely air gapped or one-way.
- Deploy an inbound unidirectional security gateway with modules for the security update protocols.
The second option is a bit unusual. Typically a unidirectional security gateway permits communication in one direction only, from the more sensitive/important network out to the less sensitive/important network. This use turns that around and allows only communication from the DMZ into the ICS network. These unidirectional products offer modules that allow antivirus signatures and Microsoft security patches to be sent one-way.
With the inbound one-way solution it is possible for an attacker to send properly formatted data on the right port through the unidirectional security gateway; the gateway enforces direction and protocol format, not whether the content is the genuine update. In this case it could be a rogue antivirus signature that stops the ICS, or a "security patch" that is in fact attack code. Of course this was also possible in the firewall scenario, but the whole idea of deploying a unidirectional security gateway is to improve security over a firewall.
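Whichever path the updates take, the receiving server on the ICS side should not stage anything it cannot tie back to a trusted manifest. The following is an added example, not code from the original post or from any gateway vendor: it verifies an update drop against a manifest of SHA-256 hashes whose authenticity is checked before any file is approved, and it rejects unlisted files, hash mismatches, and update types the site has not approved. The manifest format, the `ALLOWED_KINDS` set and the file names are hypothetical, and the manifest is authenticated with HMAC-SHA256 under a key provisioned out-of-band so that the example runs with the standard library alone; in production the vendor's code signature or a maintainer's detached asymmetric signature would play that role.

```python
import hashlib
import hmac
import json

# Hypothetical site policy: update types the ICS-side receiver will stage at
# all. Anything else in a manifest is rejected even if its hash matches.
ALLOWED_KINDS = {"av-signature", "os-patch"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign_manifest(entries, key: bytes):
    """Build the manifest on the trusted (corporate/DMZ) side.

    Returns the canonical manifest bytes and their HMAC-SHA256 tag (hex).
    Canonical JSON (sorted keys, no whitespace) so the receiver recomputes
    the tag over exactly the same bytes. HMAC stands in for an asymmetric
    code signature here (assumption, see lead-in).
    """
    manifest = json.dumps({"entries": entries}, sort_keys=True,
                          separators=(",", ":")).encode()
    tag = hmac.new(key, manifest, hashlib.sha256).hexdigest()
    return manifest, tag


def verify_manifest(manifest: bytes, tag: str, key: bytes):
    """Return the parsed manifest, or None if the tag does not verify."""
    expected = hmac.new(key, manifest, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(manifest)


def check_updates(manifest: bytes, tag: str, received: dict, key: bytes):
    """Decide which received files may be staged for deployment.

    received maps filename -> bytes as they arrived through the gateway or
    off the USB drive. Returns (approved, rejected); rejected maps filename
    to the reason. A manifest that fails authentication rejects everything,
    because without a trusted hash list nothing can be approved.
    """
    parsed = verify_manifest(manifest, tag, key)
    if parsed is None:
        return [], {name: "manifest authentication failed" for name in received}

    listed = {e["name"]: e for e in parsed["entries"]}
    approved, rejected = [], {}
    for name, data in received.items():
        entry = listed.get(name)
        if entry is None:
            rejected[name] = "not in manifest"
        elif entry["kind"] not in ALLOWED_KINDS:
            rejected[name] = f"disallowed kind {entry['kind']!r}"
        elif not hmac.compare_digest(sha256_hex(data), entry["sha256"]):
            rejected[name] = "hash mismatch"
        else:
            approved.append(name)

    # Files promised by the manifest but missing from the drop are flagged
    # so an incomplete delivery is visible rather than silently partial.
    for name in listed.keys() - received.keys():
        rejected[name] = "listed in manifest but not received"
    return approved, rejected


# Constructed sample data, not real update files or a real key.
KEY = b"example-key-provisioned-out-of-band"
GOOD_AV = b"constructed antivirus signature pack"
GOOD_PATCH = b"constructed operating system patch payload"
ENTRIES = [
    {"name": "av-sigs.dat", "kind": "av-signature", "sha256": sha256_hex(GOOD_AV)},
    {"name": "patch.msu", "kind": "os-patch", "sha256": sha256_hex(GOOD_PATCH)},
]
MANIFEST, TAG = sign_manifest(ENTRIES, KEY)


def demo():
    """What actually arrived: genuine AV pack, a swapped patch, and an
    unlisted file that rode along with correctly formatted traffic."""
    received = {
        "av-sigs.dat": GOOD_AV,
        "patch.msu": b"attacker content in place of the vendor patch",
        "tool.exe": b"unsolicited binary",
    }
    return check_updates(MANIFEST, TAG, received, KEY)


if __name__ == "__main__":
    approved, rejected = demo()
    print("approved:", approved)
    print("rejected:", rejected)
```

The check is worth doing on the ICS side regardless of which delivery option is chosen: the USB scan and the gateway's protocol module both answer "is this well-formed?", while the manifest answers "is this the update we meant to send?".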
Neither solution is ideal, but which is better? [Read more…]