Best Practices for Control System Security

While, intrusion detection systems (IDS) are a critical piece of security infrastructure, today’s new generation IDS—often referred to as intrusion prevention systems (IPS)—are not only able to detect threats, but mitigate them by blocking the traffic from entering your network.

Why focus on IPS? Because it’s only logical to implement the tightest layer of control in order to maintain business continuity.

IPS is a new technology category that focuses on taking a proactive approach to both IT and control network security by preventing attacks on multiple network resources, as opposed to similar technologies that merely detect and report on attacks that have already taken place.

IPS is gaining visibility due to the inherent limitations in existing security technologies. Intrusion prevention can be thought of as the logical follow-on to signature-based technologies such as IDS and anti-virus, and to network-oriented protection solutions such as firewalls.

IPS complements IDS by blocking traffic that exhibits dangerous behavior patterns. It prevents attacks from harming the network or control system by sitting in between the connection and the network and the devices being protected.

Like an IDS, an IPS can run in host mode directly on the control system station, and the closer to the control system it is, the better the protection.

Back in the Day

Traditional security products have focused on the biggest threats that emerged as computer networking, email and web applications were adopted by corporations. As corporations adopted these technologies, they purchased products to solve the security issues inherent in these technologies, namely perimeter protection (firewalls), network protection (network-based intrusion detection), and file-based security (anti-virus).

These technologies do not address new attacks that ride over existing protocols to attack applications, or new content-based attacks that attack systems before vendors are able to release and distribute signatures and other countermeasures.

For the control system environment the underlying theme for intrusion prevention has to be around Day-Zero attacks being managed.

Best Practices

Any organization intending to protect itself with IPS should take a number of factors into consideration before buying. Care should be taken that solutions meet corporate security, manageability, and flexibility requirements, lest the solution be only a partial one or, worse, introduce a significant management burden that overshadows the security benefits.

Best practices should include:

Host-based protection. As technologies such as high-speed networks, switching, and end-to-end encryption are more widely adopted, providing desired security at the network level becomes a major challenge.

The best place to enforce security is at the desktops and servers, where the actual work is performed and the potential for damage is greatest.

Here again your IPS selection must take into consideration the value of only a host IPS solution that is not signature- and/or role-based-dependent.

In the control environment one of the key challenges is the overall deployment and execution of current security vulnerability patches for given operating software.

Real-time prevention decisions. To ensure the highest levels of security and minimize the ability to bypass the security policy on a host, application calls must be intercepted at the kernel level where the determination is made of their adherence to policy.

IPS solutions that are implemented by replacing shared libraries or analyzing system audit logs can be bypassed relatively easily. An effective IPS strategy includes preventing violations in real-time, rather than noting attacks or system changes after the fact.

Defense in depth. In order to completely enforce a company’s security policy, your IPS must intercept all major points of communication between applications and the underlying system.

Network control must limit client/server communications at the port and protocol level, as well as hosts for permitted communications. File system controls must allow/deny read and/or write access to folders and files on an individual and group basis.

Registry controls must prevent the overwriting of important registry keys that control how the system and other applications operate. And COM controls to restrict inter-process communication to allowable access.

Since attacks have multiple phases exploiting network- and application-level weaknesses, replicating and distributing themselves, and making unauthorized changes to the system, a complete IPS strategy must protect systems from all of these phases. That way if a new class of attack is released, it will be thwarted at one or more of the stages.

Real-time correlation. At the agent and enterprise level correlation is vital for IPS technology.

Correlation deployed at the agent provides a level of accuracy on prevention decisions that does not exist with signature matching approaches.

Correlating sequences of events within the context of an application’s behavior eliminates the potential for false positives.

Correlation at the enterprise level enables security to be adaptive. By correlating the events on distributed agents, IPS policies can be dynamically updated to prevent propagation of malicious code, thus preventing widespread damage to numerous resources.

Behavioral approach. The IPS approach must enforce appropriate system and application behavior to ensure that the security implemented is proactive, not reactive.

Solutions that rely on signatures only provide security to the release of the most recent signature update.

Flexibility. Every corporation is unique. IPS solutions must be flexible to accommodate this uniqueness by permitting the customization of policies and creation of new policies that accommodate both unique applications and unique implementations.

The solution must support automated policy creation to ease the management burden of creating policies by hand.

Ease of deployment. The IPS strategy should minimize the personnel overhead associated with agent deployments. Solutions must provide out-of-the box functionality to allow for rapid deployment of the desired security policies, and must allow for new and custom policies to be rolled out as needed without additional intervention at the host level.

The solution must support Web-based deployment and allow for easy integration with standard corporate software distribution mechanisms.

Centralized event management. All events generated by the agents must roll up into a centralized repository from which alerts and reports may be generated.

Solutions you are considering must support standard alerting interfaces such as SNMP, paging, email, flat files, and allow for custom interfaces to the alerting system to easily integrate with corporate systems.

Platform coverage. Any IPS must provide coverage for the key operating systems that the corporation wishes to protect. In light of recent attacks like NIMDA, which target multiple hosts, the same management and enforcement paradigm must apply to both desktop and server-based systems.

Administration. To ease policy management, policies must be definable centrally and automatically distributed to agents on a configurable interval. Policies must also be exportable for replication and archive purposes. Ernest Rakaczky manages the overall development and implementation of the customer support infrastructure and support services to meet today’s current security needs for Invensys. Mr. Rakaczky also participates in the efforts underway at ISA within SP99, NIST within PCSRF, MSMUG and plays an active role in the various Security initiatives with DHS, INEEL and SANDIA.