Securing your ICS Devices at the Edge
Securing the ICS edge has always been a hot topic within the critical infrastructure realm. Unlike the core of a network, where layer 3 segmentation, next-gen firewall packet inspection, and micro-segmentation are all automated ways to inspect packets and alert on or block events as they occur, the edge, at layer 2, has no such protections for packets that stay at the edge or remain within the same subnet or VLAN. The age-old question, then, is how to protect the edge of our networks, often located in run-down shacks in the middle of nowhere, pumping water, automating electricity flow, regulating gas pressure, or even operating our street lights, from nefarious attacks?
The first place to look for protection is the managed layer 2 switch itself. Here, specific techniques and technologies, old and new, can help protect against direct access in locations that are not always protected by human awareness. Let me introduce you to some of these techniques if you are not already aware of them, with the understanding that each technique has its own SWOT (strengths, weaknesses, opportunities, and threats) and should never be deployed as a lone security guard, but teamed with multiple techniques to provide defense in depth.
Switch Port Protection – Anyone can access unsecured network resources by simply plugging their device into an available switch port. Here are some techniques to prevent this from happening.
- Port Disabling – The simplest way to stop someone from plugging into an available switch port is to disable it. Re-enabling it takes administrative access.
- Port Security – Port security automatically sticks the first device’s MAC address to the port. Any other device with a different layer 2 MAC address triggers one of two types of response: protect or shutdown. In protect mode, the port temporarily stops packet flow until the original device is plugged back in. In shutdown mode, the port becomes disabled until an administrator re-enables it. This covers active ports that cannot be disabled, and protects against device swapping.
- Black Holing – In a layer 2 environment at the edge, traffic can flow between ports in the same VLAN or subnet range without having to travel back to the core layer 3 switch. Setting up your unused ports with a Black Hole VLAN ensures that even if you forgot to disable a port, any device plugged into it would never be allowed to communicate with any port on a different VLAN, essentially making communication on that port impossible. Using a VLAN number like 888, or something else easily distinguishable, helps identify these ports quickly.
- Protocol Disabling – On any port, you can allow or deny protocol access. In an ICS world, there may be only a few protocols (and their ports) you need open: Modbus, DNP3 or HART. By enabling only what you need, you restrict access to these devices from any other port to just these protocols.
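The four port-level controls above are easy to describe and easy to forget on the fortieth port of the fortieth shack. One way to keep yourself honest is to audit the switch running-config for them. The script below is an added example, not code from the original post or from any switch vendor: it parses a constructed, IOS-style config (interface stanzas indented by one space, ended by `!`), and reports every port that is neither shut down nor parked in the black hole VLAN yet lacks port security, a protocol ACL, or a description. The VLAN number 888, the ACL name ICS-ONLY, and the sample interface names are assumptions chosen for the example.

```python
"""Audit an IOS-style running-config for the layer 2 edge controls:
ports disabled, black-holed, sticky to one MAC, or limited to ICS protocols.
Added example; the config text and all names below are constructed."""
import re
from dataclasses import dataclass, field

BLACK_HOLE_VLAN = "888"  # assumption: the easily recognised unused-port VLAN

# Constructed sample config. Modbus/TCP uses port 502 and DNP3 port 20000;
# the ACL lets only those reach the field device.
SAMPLE_CONFIG = """\
ip access-list extended ICS-ONLY
 permit tcp 10.10.0.0 0.0.0.255 any eq 502
 permit tcp 10.10.0.0 0.0.0.255 any eq 20000
 deny ip any any
!
interface GigabitEthernet1/0/1
 description PLC-1
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 ip access-group ICS-ONLY in
!
interface GigabitEthernet1/0/2
 description RTU-1
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security violation protect
!
interface GigabitEthernet1/0/3
 shutdown
!
interface GigabitEthernet1/0/4
 switchport access vlan 888
 switchport mode access
!
interface GigabitEthernet1/0/5
 switchport access vlan 1
 switchport mode access
!
"""


@dataclass
class Interface:
    name: str
    lines: list = field(default_factory=list)

    def has_prefix(self, prefix):
        return any(l.startswith(prefix) for l in self.lines)

    def has_exact(self, line):
        return line in self.lines

    @property
    def access_vlan(self):
        for l in self.lines:
            m = re.match(r"switchport access vlan (\d+)$", l)
            if m:
                return m.group(1)
        return None


def parse_interfaces(config):
    """Collect each 'interface X' stanza; '!' or any unindented line ends it."""
    ifaces, cur = [], None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            cur = Interface(raw.split(None, 1)[1].strip())
            ifaces.append(cur)
        elif raw.startswith(" ") and cur is not None:
            cur.lines.append(raw.strip())
        else:
            cur = None
    return ifaces


def audit(config):
    """Return {interface: [issues]} for ports that are live but unprotected."""
    findings = {}
    for i in parse_interfaces(config):
        if i.has_exact("shutdown"):
            continue  # port disabling: nothing can plug in
        if i.access_vlan == BLACK_HOLE_VLAN:
            continue  # black-holed: frames go nowhere
        issues = []
        if not i.has_exact("switchport port-security"):
            issues.append("no port-security")
        if not i.has_prefix("ip access-group"):
            issues.append("no protocol ACL")
        if not i.has_prefix("description"):
            issues.append("undocumented active port")
        if issues:
            findings[i.name] = issues
    return findings


if __name__ == "__main__":
    for port, issues in audit(SAMPLE_CONFIG).items():
        print(f"{port}: {', '.join(issues)}")
```

Run against the sample, the script stays silent on the PLC port, the shut port and the VLAN 888 port, flags the RTU port for having no protocol ACL, and flags the forgotten VLAN 1 port on all three counts. Point it at a real `show running-config` dump and the undocumented-active-port finding is usually the one that turns up the port someone left live "just for the laptop".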
Traffic Monitoring – Assigning traffic or port monitoring software to your edge switches can alert you to any change from the normal setup. Traffic stopping, ports disabling, or even changes in normal traffic volume can identify and alert you to potential tampering at the edge. Check out this website to see some of the better products available. I personally really like PRTG.
Machine Learning / Artificial Intelligence – The new-normal cybersecurity tool in the analyst’s toolbox is machine learning or AI. Beginning in 2015, but mostly deployed at the core of a network, this technology has now made its way to the edge. Most AI cyber vendors have devices that collect all packet data at the edge and send it to a centralized repository, where a normalized Machine 2 Machine (M2M) or Human 2 Machine (H2M) moving baseline is developed that can detect changes to normal network behavior in real time, without signature catalogs.
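Both the traffic monitoring and the moving-baseline sections come down to the same idea: poll each edge port, learn what "normal" looks like, and alert on a departure from it without any signature. The snippet below is an added example, not code from the original post or from PRTG or any AI vendor: it keeps a per-port moving window of byte counts (as you might poll from a switch's interface counters) and raises an alert when a port goes link-down, when traffic stops on a port that used to carry some, or when a sample lands more than a few standard deviations away from the window's mean. The window size, threshold, port names and the poll data are all constructed assumptions.

```python
"""Moving-baseline anomaly detection over per-port traffic samples.
Added example; thresholds, port names and poll data are constructed."""
from collections import deque
from statistics import mean, pstdev

WINDOW = 12       # samples kept per port in the moving baseline (assumption)
THRESHOLD = 3.0   # standard deviations from the mean before alerting
MIN_SAMPLES = 4   # don't judge volume until the baseline has some history


class PortBaseline:
    def __init__(self, window=WINDOW, threshold=THRESHOLD):
        self.history = {}  # port -> deque of recent byte counts
        self.window = window
        self.threshold = threshold

    def observe(self, port, link_up, byte_count):
        """Feed one poll sample; return the alerts it raised (possibly none)."""
        alerts = []
        hist = self.history.setdefault(port, deque(maxlen=self.window))
        if not link_up:
            # Ports disabling or cables pulled: the link itself went away.
            alerts.append(f"{port}: link down")
        elif byte_count == 0 and hist and max(hist) > 0:
            # Traffic stopping on a port that normally carries something.
            alerts.append(f"{port}: traffic stopped")
        elif len(hist) >= MIN_SAMPLES:
            mu, sigma = mean(hist), pstdev(hist)
            # A perfectly flat baseline has sigma 0; tolerate +/-10% of the
            # mean so a single byte of jitter doesn't fire the alarm.
            spread = max(sigma, 0.1 * mu)
            if abs(byte_count - mu) > self.threshold * spread:
                alerts.append(f"{port}: volume {byte_count} vs baseline {mu:.0f}")
        if link_up and not alerts:
            hist.append(byte_count)  # only normal samples teach the baseline
        return alerts


def run(samples):
    """Replay (port, link_up, byte_count) samples in poll order; collect alerts."""
    baseline = PortBaseline()
    alerts = []
    for port, link_up, byte_count in samples:
        alerts.extend(baseline.observe(port, link_up, byte_count))
    return alerts


def constructed_polls():
    """Nine poll rounds of three ports; the last round holds the anomalies."""
    p1 = [1000, 1020, 990, 1010, 1000, 1005, 995, 1000, 5000]  # PLC: spike
    rows = []
    for i in range(9):
        last = i == 8
        rows.append(("Gi1/0/1", True, p1[i]))
        rows.append(("Gi1/0/2", True, 0 if last else 500))      # RTU: goes quiet
        rows.append(("Gi1/0/3", not last, 0 if last else 200))  # link pulled
    return rows


if __name__ == "__main__":
    for line in run(constructed_polls()):
        print(line)
```

The three alerts from the constructed data are the three tampering symptoms the post lists: a volume jump on the PLC port, traffic stopping on the RTU port, and a link going down. Anomalous samples are deliberately kept out of the baseline so one spike does not quietly become the new normal; a production tool would add a way to accept a legitimate change after an operator has reviewed it.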
There are many more techniques I could talk about, but these six can really help secure your edge within just the layer 2 switch. Deploying one is definitely not enough, but layering the techniques on top of each other, while administratively more complex, increases your security posture exponentially.
Do you have any techniques you use to protect the edge? Post your comments here and share the knowledge.