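Just a few years ago, most people did not seriously worry about the cybersecurity of control networks. The largely unconnected nature of these systems helped ensure their security. Now, as a growing number of manufacturers digitize industrial control data and share it with other systems, cyber attacks are on the rise, with potential impacts ranging from severe financial loss to the loss of human life.
Clearly, cybersecurity for industrial control systems (ICSs) is an urgent matter. Company executives across a range of industries feel their control systems are more vulnerable than they were a year ago, according to the 2016 State of ICS Security Survey from the SANS Institute. About three-quarters of respondents (67 percent) said they perceive the threat to their control systems as severe or high. That is up from 43 percent a year ago.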
Byron K. Wallace worries a little less than most. As cybersecurity process control network (PCN) vulnerability assessor for a large oil and gas producer, he knows his control system is air gapped—or at least as close to air gapped as he can make it. “Are you ever 100 percent air gapped? Technically no, but practically yes,” says Wallace, who has a Ph.D. in IT.
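His company's PCN stands alone, with no connections to remote users or other networks. Precautions are many. USB ports are locked. Access controls are strict. Employee training is critical. All equipment and software are rigorously tested in a separate lab before being placed on the control network. Wallace's team regularly conducts comprehensive audits to make sure there are no connections he does not know about.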
Meanwhile, Wallace says, operations do not miss out on the benefit of sharing information. Operators input data from production and downtime reports from the air gapped system into the company’s information system. These data are updated each day, and that’s good enough, he says. The ability to have real-time data would not provide enough benefit to warrant risking a major security event.
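Weighing benefits against costs is important, Wallace says. “If malware gets into the plant and it goes down, I risk losing $400,000 a day.” Any incremental savings from continuous process optimization are not enough to justify connectivity.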
Wallace makes it clear, however, that this approach is not for everyone. “You have to understand your operating philosophy and what works for you,” he says, adding that it requires a special relationship with control vendors. “The vendor can’t just come in and patch the system. It’s a cutthroat, no-trust environment. This does not work for everyone. Your management philosophy may not allow this approach.”
For a list of key questions to ask yourself, see “Could Air Gapping Be Right for You?”.
Unlocking the value of production data
What’s the safest state for a plant? When it’s shut down and not producing. As true as that might be, it’s hardly a serious option. Instead, we’re left with the question: To air gap or not to air gap?
Much of the control equipment in operation today was produced decades ago and built for the long haul, with no thought of communicating with other systems—and correspondingly, no need for cybersecurity. Particularly in process industries like utilities, some companies are using long-established air gaps to protect their control systems. But in today’s hyper-connected world, that choice comes at a cost.
Sharing large amounts of process data with other systems enables better decision-making, allows more granular performance management, and enables asset optimization and predictive maintenance to reduce costs and improve safety. In heavily regulated industries, the well-known shop-floor-to-top-floor connectivity eases compliance. It allows remote access for employees and vendors to troubleshoot problems, minimizing downtime.
“There is no real argument. Do you want to connect or not connect? That train has already left the station.” NextNine, which sells ICS security solutions.
Companies that persist in air gapping may well find the economics of that choice bearing down on them at some point, says Albert Rooyakkers, founder, CTO and vice president of engineering for Bedrock Automation. “They will miss the predictive analytics, causing them to blow a bearing on a turbine that costs $150 million,” for example.
Beyond the opportunity cost of not connecting control systems, many question the fundamental viability of air gaps. “There’s a religious debate about air gaps: Do they work or not; do they exist or not?” says Jeff Lund, senior director of product line management for Belden. “It’s an interesting philosophical debate, but it can be irrelevant to the question of whether they make you more secure or not.”
Most cyber incidents originate from inside the system, Lund says; in that case, air gaps do not help. A device fails, for example, masquerading as a denial of service attack. Belden often hears from smaller manufacturers that they are not as likely as their large counterparts to be the target of a cyber attack. “But you don’t need security just because you’re an attractive target. It’s to make yourself more resilient against these other failures that can happen.”
Companies that think they maintain air gaps around their ICS networks might be in for a nasty surprise, says Marc Kaplan, vice president of security architecture for Tempered Networks. “The only true air gap is when you have a completely disconnected network, with no Bluetooth, no Wi-Fi, no usable IPs, no USB ports, no remote access of any kind and strictly enforced access controls.”
Air gaps can also introduce errors, warns Gregory Wilcox, global technology and business development manager for Rockwell Automation. “Employees may write down data on clipboards and then manually key it in, but then you have increased the risk of errors.”
Most of the spokespeople for control vendors interviewed here did not report a resurgence of interest in air gapping among their customer bases. “What we’re seeing is the need for connectivity to control system data,” says Jeremy Bryant, general manager of industrial communications for Siemens USA. “We do see one exception in the power space, where regulations may require an air gap from the control system to the outside.”
Bedrock Automation’s Rooyakkers comes down solidly on the anti-air gap side. “How can you be future-proof in a disconnected world? You can’t just go live in the woods,” he says. A better strategy, he adds, is to implement modern networking technology that has security built in, along with other measures layered on top. “You’re stuck until you decide to build the right technology in a brownfield or greenfield approach.”
Other cybersecurity approaches
If not an air gap, then what? There are a host of security architecture choices and specific technologies that are designed to provide a layered approach to protecting ICS, including (in no particular order):
- Identity-defined networking. Tempered Technologies’ Identity-Defined Network fabric operates on a trust model with IEEE 802.1X certificate-based authentication and identification. This approach goes beyond passwords and perimeter protection to continuous, intelligent authorization based on context. The network is cloaked, so it can be viewed only by authorized users.
- Segmentation. With this cloaking variant, the network is broken up into segments with strict access controls in between. Rather than a strict separation between two networks, the segments can open, give access when presented with the right credentials and then close again.
- Defense-in-depth. Siemens advocates creating connectivity with a defense-in-depth approach. As the name suggests, a wide variety of standards-based security technologies are layered upon each other, along with well-defined and enforced organizational practices. “We only allow the communication to the people that need to have it,” Bryant says. “You know specifically who is getting on your network and what they are doing.”
- Data diodes. Also called unidirectional security gateways, data diodes allow only a one-way flow of information. This means data can flow from the control system to the information system but not vice versa. Emerson Electric and other vendors, such as Waterfall Security, are proponents.
- Demilitarized zone (DMZ) between industrial and IT space. Rockwell’s Wilcox advocates a “best of both worlds” approach that resides between air gap and a shared environment. “This is about good connectivity between separate infrastructure,” he says. Each side can pass information to the other via a highly secured industrial DMZ that resides between the two environments.
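- Special-purpose security appliances. Belden offers the Tofino Xenon security appliance, which complies with the IEC 62443 cybersecurity standard for control systems and performs deep packet inspection. “It looks inside the message and asks whether the source of that message is asking to do something it is allowed to do,” says Belden’s Lund. This approach goes beyond a standard firewall.
Most important to remember: No approach, whether air gap or something else, is infallible or a fit for every company. “Air gap is not a universal solution,” says Claudio Fayad, vice president of technology for Emerson Automation Solutions. “It does have benefits, but it does not guarantee 100 percent protection. And it can be restrictive because it doesn’t allow you to do the optimizations that could help you make better products, deliver less impact to the environment and other benefits.”
Wallace, clearly an air gap supporter, takes a measured approach. “You can never eliminate the threat. You can only minimize it. You can create layers and barriers and hope to stop the intrusion. That’s what we have been doing for years with business systems, but now we’re doing it for process control,” he says. “With an air gap, the vulnerability is still there, but it is reduced.”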