
Is It Worth It?

In last week’s Friday News and Notes we mentioned a story on access to and management of PLCs via BlackBerry. This relates to one of the frequent and interesting discussions we have with asset owners when they are considering exposing their control system in new ways. What are the benefits of this increased exposure, and is it worth the increased risk? Here’s a common example:

An organization is putting in Ethernet-enabled PLCs or other field devices, and the group that will install, configure and manage the PLCs wants to be able to do this from any computer on the corporate/enterprise network. This group is often not responsible for monitoring and controlling the process from the control center, but obviously if multiple PLCs are corrupted or unavailable it could have catastrophic results for the process.

Now in the maintenance group’s defense, they have come to this conclusion because the PLC sales and engineering groups are highlighting this as a standard practice and a huge benefit. However, you will find almost unanimous agreement among standards, guidelines and security professionals that affecting control from the enterprise network is a bad idea. The difficulty is that expectations have been set, and maybe even sold, as an important benefit.

The next step in the discussion is “what if we implement this security product?” So a firewall or firewalls are suggested, followed by VPNs, followed by strong authentication, terminal servers, … Layer upon layer of security, which, by the way, adds complexity, potential for configuration error and an increased attack surface. Every time we say it is a bad idea, another security product is proposed. It becomes very difficult to focus on the real question: is it really necessary to allow regular access, with the ability to affect control, from any enterprise computer?

Is it possible for maintenance personnel to go to a site with a dedicated connection to the control system network to make changes? Is it slightly inconvenient or a huge problem? If it is a huge problem, do we need to build one or more secure rooms with drops that access the control network? More often than not, when we finally get past the “can’t we secure it” discussion, which can take a while, there is an admission that there is no compelling need for control access at any time from any computer on the enterprise network. Just because something can be done does not mean it should be done, if it increases exposure without a significant and required benefit.

Two related comments on this:

  • Asset owners need to make sure they evaluate new access carefully BEFORE it gets installed. It is hard enough to stop new access, but it is almost impossible to take away access that employees are used to having.
  • Most asset owners should have a means of emergency remote access from outside the control network. This may seem inconsistent with the example in this blog entry, but the key word is “emergency”. If you don’t have this emergency capability or a workable administrative procedure an insecure method will likely be put in place in an emergency.
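The two points above amount to a checkable policy: control-affecting access to field devices comes only from a small set of dedicated hosts, and anything else is an emergency exception that is declared in advance, time-bounded and audited. As an added example (not code from this post or from Digital Bond), the script below applies that policy to a few constructed firewall log lines. The log format, the address ranges and the emergency window are all made up for the example; the port list is an assumed set of common PLC programming/control services (Modbus/TCP 502, EtherNet/IP 44818, Siemens S7 102).

```python
"""Audit firewall logs for control-affecting access to PLCs from the enterprise.

Added example, not Digital Bond's code. Policy modelled:
  * PLC service ports on the control network may be reached only from
    DEDICATED_HOSTS (e.g. a secure-room drop with its own path in).
  * Any other source is acceptable only inside a pre-declared emergency
    window tied to a ticket, and is reported as "emergency" use.
  * Everything else is a "violation", even if the firewall denied it:
    a denied attempt still shows someone expects control access from
    the enterprise, which is the expectation the post argues against.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import IPv4Address, ip_address, ip_network
import re

# Assumed typical PLC programming/control services (not from the post).
PLC_PORTS = {502: "Modbus/TCP", 44818: "EtherNet/IP", 102: "S7comm"}

# Illustrative addressing: PLCs on the control network, one dedicated drop.
CONTROL_NET = ip_network("192.168.50.0/24")
DEDICATED_HOSTS = {ip_address("10.1.20.15")}


@dataclass(frozen=True)
class EmergencyWindow:
    """A declared, time-bounded exception for one enterprise host."""
    src: IPv4Address
    start: datetime
    end: datetime
    ticket: str


# Constructed: one emergency window declared ahead of time for 10.2.7.103.
EMERGENCY_WINDOWS = [
    EmergencyWindow(ip_address("10.2.7.103"),
                    datetime(2008, 3, 7, 21, 0, tzinfo=timezone.utc),
                    datetime(2008, 3, 7, 23, 0, tzinfo=timezone.utc),
                    "INC-0042"),
]

# Constructed log lines: "<iso time> <src> -> <dst>:<port> <ALLOW|DENY>"
SAMPLE_LOG = """\
2008-03-07T09:12:01Z 10.1.20.15 -> 192.168.50.10:502 ALLOW
2008-03-07T09:13:44Z 10.2.7.101 -> 192.168.50.11:44818 ALLOW
2008-03-07T09:15:02Z 10.2.7.102 -> 192.168.50.10:102 DENY
2008-03-07T09:20:00Z 10.2.7.101 -> 10.2.9.40:443 ALLOW
2008-03-07T09:50:30Z 10.2.7.103 -> 192.168.50.12:502 ALLOW
2008-03-07T21:40:10Z 10.2.7.103 -> 192.168.50.12:502 ALLOW
2008-03-07T22:05:00Z 10.1.20.15 -> 192.168.50.12:44818 ALLOW
"""

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (ALLOW|DENY)$")


def parse_line(line):
    """Parse one constructed log line into a record dict."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ts, src, dst, port, action = m.groups()
    return {
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "src": ip_address(src),
        "dst": ip_address(dst),
        "port": int(port),
        "action": action,
    }


def classify(rec, windows=EMERGENCY_WINDOWS):
    """None if not PLC-relevant, else 'dedicated', 'emergency' or 'violation'."""
    if rec["dst"] not in CONTROL_NET or rec["port"] not in PLC_PORTS:
        return None
    if rec["src"] in DEDICATED_HOSTS:
        return "dedicated"
    for w in windows:
        # Only the declared host, only inside its declared window.
        if rec["src"] == w.src and w.start <= rec["time"] <= w.end:
            return "emergency"
    return "violation"


def audit(log_text, windows=EMERGENCY_WINDOWS):
    """Return (verdict, src, dst, service, action) for every emergency use or violation."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        verdict = classify(rec, windows)
        if verdict in ("emergency", "violation"):
            findings.append((verdict, str(rec["src"]), str(rec["dst"]),
                             PLC_PORTS[rec["port"]], rec["action"]))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(*f)
```

Run against the sample, the dedicated drop's two sessions are silent, the enterprise web connection is ignored, the three enterprise-to-PLC connections outside any window are violations (including the one the firewall denied), and 10.2.7.103's connection inside its declared window is reported as emergency use so that it still lands in the audit trail.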

Comments

Comment from Matthew Franz
Time: March 9, 2008, 4:49 pm

Complexity, I understand, but how does adding multiple security devices increase attack surface? Is this the “if I add AV (which may or may not have some agent running and itself might have vulns to exploit) I am increasing my attack surface” argument?

I don’t know if it was first brought out in the BCIT good practices doc, but there seems to now be a consensus view lately in this community that the belt & suspenders approach of using multiple (different vendor) firewalls is not the way to go.

Before I actually was responsible for managing Internet facing firewalls I was sort of agnostic on this issue, but now that I do, I’m a big proponent of 2-3 (or more) different stateful filtering devices between trusted and untrusted networks. To me the risks of misconfiguration vulnerabilities caused by additional layers of access controls seem to be lower than the risks posed by having to manage vulnerabilities in your filtering devices.

All in one security devices (FW/I[D|P]S/AV…) from a single vendor scare the hell out of me for that reason. Distributing enforcement mechanisms (and potential attack surface) makes a lot more sense than putting all your eggs in one basket. Yeah, managing policy across all these devices is a real pain, but that is a problem the asset-owner can solve if there is the will.

Comment from Marc Tritschler
Time: March 10, 2008, 5:50 am

Matt makes the key observation here - “managing policy across all these devices is a real pain, but that is a problem the asset-owner can solve if there is the will”. I would extend this a little by appending “, the resources, and the budget.” to the end of that sentence.

So Matt agrees that maintaining the configuration of security products is a challenge. But not only do you increase complexity by adding more security for remote maintenance, you also add to the resource requirements and the costs. In many cases remote maintenance is sold on the basis of reduced cost, but I’m not convinced that this is universally true when you consider the cost of the security products and resources required.

Comment from Ralph Langner
Time: March 10, 2008, 7:35 am

The headline of this article, even though stated as a question, contains much wisdom about the (in)security of contemporary field networks. Folks have gotten used to the behavior that adding a remote access capability here and enabling control room staff to browse the Internet there are all such nice conveniences that seem to come for free once we are using a plain Windows+IP based network. Any security expert would point out that many of those conveniences are NOT worth it, by emphasizing the flipside of the coin, i.e. increased attack surface. At the end of the day, it becomes a question of whom you want to listen to.

Comment from Jake Brodsky
Time: March 10, 2008, 7:37 am

Usually, higher level integration is a move for better efficiency. In a genuine emergency, we design our controls to be functional at lower levels of integration, not higher. In other words, we aim to get closer to our process. The theory is that the closer you are to an element of the process, the less likely it will be that some intermediate thing will fail. It also facilitates bringing the process back to full efficiency much sooner.

Thus, Dale’s notion of an “emergency external access” is rather difficult for me to envision a need for. In fact, the only way I can imagine a thing like that being useful is if it is some kind of back door. Back Doors tend to lead to more security problems, not less.

Nit picking like that aside, Dale, you’re asking the questions I ask: Why do we need a certain connectivity, and why must we connect it so closely to the process? The closer an external connection gets to a process the more likely it will be that something will go wrong.

Furthermore, is there any facility to alert the Operators that you’re changing something? Don’t we owe them the awareness of what is going on? And if that’s the case, then why not talk to them over the phone? You know, it’s like that other thing the Blackberry is known for: Talking to people.

Comment from amino world
Time: March 14, 2008, 11:49 am

(’wireless modbus on the web’ suddenly comes to mind — an actual product claim from recent ISA Expos… is there anything _less_ secure?)

technology enables all kinds of things and the folks adding these features to products and in plant seem only to consider the benefits (which many times may only be market share) and not how they might be abused, much less what might go wrong. this kind of access barely passes safety policies and usually fails security concerns outright — as well as having fantastically low ROI or ‘pound/hour’ contributions. if it’s only marginally safe (what might go wrong), and offers neutral to poor security (what can someone who wants to hurt me _make_ go wrong), why is this such a good idea?

i’m reminded of the juicy line from ‘Jurassic Park’: “Yeah, but your scientists were so preoccupied with whether or not they could, they didn’t stop to think if they should.”
