by Andrew Ginter, VP of Industrial Security, Waterfall Security Solutions

Firewalls are often the first security mechanism that is installed on any network. For industrial control and SCADA networks in sites such as water systems, power plants, manufacturing platforms, transportation signaling systems, among others, firewalls simply aren’t good enough to keep attack payloads away. Industrial plants need unidirectional gateway technology that make it physically impossible for remote cyberattacks to enter critical control systems.

Industries_group_image.pngRecently, we’ve been hearing about attackers using ransomware to threaten with the manipulation of the industrial controls of a nuclear power plant, or a municipal water system, or a sprawling petrochemical plant. It’s bad enough when financial institutions or large retailers experience the theft of millions of cardholder records, but at least nobody died from those incidents. But if an attacker could jack up the temperature gauges of a petrochemical hydrocracker unit, there could be massive casualties from the resulting explosions and fires.

Even back in 2013 Trend Micro reported an experiment the company conducted where it deployed a dozen honey pots around the world that were designed to look like the ICS (industrial control system) networks of municipal water utilities. Within four months, the honey pots attracted 74 intentional attacks, including at least 10 where the attackers were able to take over the control system. This experiment proved that attackers have both the intention and the ability to penetrate critical infrastructure systems that, in theory, should be less vulnerable than Internet-facing corporate networks.

In the industrial world, there were no connections between the control systems and the outside world until about two decades ago. 

That was when plant operators discovered there is a wealth of information in the control systems that could help them better manage their plants. For example, production units have to be taken offline every so often for maintenance. By collecting data from the control systems to understand how hard the equipment has been used, the managers might be able to optimize the schedules for maintenance. Running the equipment a few extra days between maintenance cycles could save millions of dollars a year. 

When companies connected their control networks to their corporate networks for the purpose of gathering this data, they introduced the security problems that plague the corporate networks today. Everything from viruses to APTs (Advanced Persistent Threats) can jump across networks and get into the control networks that used to be thought of as invulnerable.

Even firewalls are insufficient to keep the bad stuff out

As anyone who manages firewalls on a corporate network knows, malicious payloads sometimes slip through undetected, and this could be disastrous for an industrial control network. That’s why many ICS networks are protected with a different kind of security device.

To continue reading fill out this short form: