SCADAfence Blog

Firewalls Have Proven to be Far From Impenetrable

Written by Michael Yehoshua | Sep 28, 2019 4:00:00 AM

No single solution can offer a silver bullet for cybersecurity. Nevertheless, vital facilities such as power stations and manufacturing plants are currently in danger of relying too heavily on firewalls by regarding them not merely as a first line of defense, but as impenetrable barriers. 

Recent Cyber-Attacks on Energy Grid Firewalls

Energy grid operations in California, Wyoming, and Utah were disrupted in March of this year by what is now believed to have been a Denial of Service (DoS) attack that exploited a known vulnerability in a firewall used by the facility in question. But even those firewalls that do not yet have known vulnerabilities, can only offer partial security for vital utilities such as power stations. 

Ever since Russian cyber-attacks blacked-out parts of the Ukraine energy grid in 2015, power stations have been identified as soft targets by hacker groups now known to be sponsored by states such as Russia and China, as well as by organized cyber gangs demanding ransoms. No single line of defense can possibly provide full protection against state-level tactics, techniques, and procedures (TTPs). 

The Security Challenges of Industry 4.0

In any case, the security perimeter is now expanding well beyond the boundaries of any firewall. As we enter the fourth industrial revolution, often referred to as ‘Industry 4.0’, power stations have little alternative but to accelerate the process of digitization that began when internet connections eroded the “air gap” security layer provided by the stand-alone systems traditionally used to operate energy facilities. 

The process of digitization also frequently involves the use of third-party services and systems providing hackers with further ways to circumvent firewalls. The recent inclusion of previously stand-alone systems such as surveillance cameras and building management systems into the Internet of Things (IoT) also creates further vulnerabilities in power stations, manufacturing facilities, and ‘smart buildings’.

As those operating power facilities increasingly reach out to third-parties for new IT hardware and software and services, they open potential new doors for hackers. Any organization working closely with a power or manufacturing facility needs to be secured just as effectively as the systems running the power facility itself. Organized cyber criminals and state-sponsored hackers have become increasingly adept at using poorly-secured third-party systems to infiltrate otherwise secure organizations with malware.

Hackers Now See Firewalls Only as Temporary Obstacles

Firewalls on their own also do little to protect facilities against the greatest security flaw of all – human error. Hard-pressed software engineers working to tight deadlines, for instance, sometimes make configuration errors that can be identified and exploited by threat actors before they can be fixed. This type of error is hard to anticipate or detect as staff often try and cover up procedural mistakes. Staff using email are also increasingly prone to socially-engineered spear-phishing attacks that craft emails consisting of a brief message typically purporting to come from the facility’s IT department or from a manager or senior executive.

With so many attack vectors at their disposal and with access to state-level TTPs, hackers now see firewalls as only temporary obstacles at most. Even the deployment of multiple firewalls, the so-called “firewall sandwich”, represents little more than a series of speed bumps in the road to organized hacker groups determined to break into supposedly secure facilities.

The Effective Way to Safeguard Utilities

The only effective safeguard for utilities such as power stations is to monitor all activity on the facility’s operational technology (OT) network. Ideally, passive technologies should be used to monitor activities within the OT network without affecting its efficiency in any way. To achieve this, a passive platform must be capable of catering for the very high outputs generated by the increased digitalization of OT in order to ensure minimal numbers of false positives.

SCADAfence connects to the OT network by using taps or port mirroring, basically providing a replica of the network’s traffic for analysis, making it possible to identify indicators throughout the cyber kill chain in order to warn the security teams of a potential attack before it materializes. Pre-defined integration to other security controls, such as SIEMs and Firewalls, allows users to define automated actions for the response. The SCADAfence platform also allows users to investigate security incidents, control “logical” segmentation’ (identifying communications between two segments which should not be communicating), providing device-based risk management and many other useful tools that allow users to deal with effectively with cyber threats in OT environments.