Does your chemical facility have adequate security measures to ensure your Chemicals of Interest (COI) cannot be stolen, diverted, or sabotaged? When was the last time your Cybersecurity Plan was independently reviewed or updated?
Perhaps it’s time to take an objective look at some security vulnerabilities that are common among chemical facilities and to view them from the perspective of a “nefarious actor”: the people outside, and possibly inside, your company who are looking for ways to steal or divert your COIs, or to sabotage equipment and cause a COI release, for financial or ideological reasons. Yes, you know the nefarious actors exist, but are you hoping they are busy targeting some other company’s COIs and not yours?
The Industrial Control System (ICS) can be considered the brain of the chemical facility. The ICS will have one or more designed connections to the corporate or Business Network for the purpose of communicating between the networks, but will often contain several unknown, unarchitected, and unauthorized connections that were created by well-meaning people inside and outside the company to allow them a convenient access point, simply to facilitate doing their job. It’s these unknown, unauthorized endpoint connections that have the greatest potential to be exploited by nefarious actors since they were not addressed when the security architecture was designed. We will address these unknown endpoints in greater depth in a later article.
In this article, we are not going to address all vulnerabilities that may exist in an ICS. Instead, we focus on three cybersecurity solutions we believe all chemical facilities should implement, together with the vulnerabilities each solution mitigates, so you better understand why you need them. As you read about these vulnerabilities, ask yourself whether your ICS contains these solutions, or something similar, to mitigate the risk from them.
Those three security solutions are a) a demilitarized zone (DMZ), b) Next Generation Firewalls (NGFW), and c) Security Information and Event Management/Security Operations Center (SIEM/SOC).
DMZ – Demilitarized Zone
A DMZ describes how computer systems and networks are protected by separating critical systems, components, or networks from untrusted portions of the network. In essence, it creates an intermediary network, or buffer zone, through which communications pass on their way from an untrusted network to a trusted network. In the chemical facility architecture, the ICS is the trusted network, while the Business Network is less trusted than the ICS but more trusted than the Internet.
By confining certain data, processes, and services to the DMZ, administrators can monitor activity in that buffer zone and gain response time: unauthorized activity can be detected in the DMZ before it spreads to the more trusted portions of the network.
In a perfect world, no communications would exist between the ICS and the Business Network. In reality, there are people and processes in the Business Network that need access to data on the ICS, so data needs to move between the two networks. By moving the data, processes, and services of the ICS that the Business Network needs into the DMZ, you can limit communications so that all data flows through the DMZ, where it is tightly monitored and controlled. The result is that there are no unknown, unarchitected communication nodes.
Access to the ICS can be monitored closely through automated tools such as the SIEM/SOC discussed below. Even tighter access control is possible through an interface in the DMZ that approves and monitors all access to the ICS.
Remote access to the ICS can be controlled using a virtual private network connection to the DMZ and Multifactor Authentication (MFA). This eliminates the need for remote access to come in through the Business Network. The use of MFA significantly reduces the risk of nefarious actors obtaining access to your ICS through lost or stolen credentials, phishing, or brute force attacks.
In order to set up a DMZ between your ICS and Business Network, you will need someone with both cybersecurity expertise as well as knowledge of how chemical manufacturing companies operate to ensure the right components are moved into the DMZ and the necessary secure links are in place between the DMZ and the ICS, and between the DMZ and the Business Network. Additionally, you will need state-of-the-art NexGen Firewalls discussed below.
NGFW – NexGen Firewalls
Conventional firewalls that simply provide Network Address Translation (NAT), packet filtering, stateful inspection of connections, and VPN support are insufficient to provide the level of security you need to protect your ICS against nefarious cyber actors. Nor are they adequate to create, maintain, and enforce the security required for your DMZ. You need to employ NGFWs that perform deep inspection at the application layer to mitigate vulnerabilities that may exist in the authorized applications themselves. This is where 80% of cyber-attacks are currently based.
Whereas conventional firewalls filter network traffic based upon ports and protocols, NGFWs give administrators deeper inspection of the applications. A finer level of identity-based access control with rule-based management can be set up and enforced for applications accessing the network. Using a signature-based Intrusion Prevention System (IPS), NGFWs can identify and filter traffic based upon the specific application, rather than just opening ports for any and all traffic. Some can discern thousands of different applications. This prevents malicious applications and activity from using non-standard ports to evade the firewall. It can also remove the need for a separate IPS behind the firewall.
NGFWs can discern clear-text and encrypted traffic and decrypt SSL/TLS traffic to ensure it’s an allowed application, check identity-level access rules, and then re-encrypt the traffic. This provides additional protection from malicious applications that attempt to hide behind encryption and sneak through the firewall.
Most NGFWs include directory support, such as Active Directory, to provide a much finer granularity of user access control than can be achieved with conventional firewalls. They can also enforce access control based upon rule-based information such as blacklists and whitelists, and check traffic against known virus, phishing, and other malware sites and applications.
Since the contents of all traffic packets are inspected, traffic analytics can now be mined to provide network administrators with statistical information for capacity planning, troubleshooting, and monitoring system usage and user activity.
SIEM/SOC – Security Information and Event Management/ Security Operations Center
A SIEM is a software product that combines security information management with security event management to provide real-time monitoring, data aggregation, data correlation, data analysis, data visualization, alerts, and enforcement of data and component access authorization for cybersecurity experts. Although a SIEM can be purchased separately and installed on your network, the analysis of the information the tool aggregates is only as good as the people using it. For that reason the SIEM is often purchased as a service through a 3rd-party provider that supplies cybersecurity expertise through a Security Operations Center, hence the term SIEM/SOC.
To understand the value of the SIEM/SOC service, you first need to realize how many system and event logs are created in your system and network. In a given day, that number in a chemical facility can run in the hundreds of thousands. Analysis of them requires the ability to deal with volume, normalization, aggregation, speed, and real-time analysis.
Looking at individual device event logs is extremely time-consuming and generally unproductive. The volume and speed of the data being captured are too great for any real analysis. Since the data from the different devices has not been normalized or correlated, trying to analyze the same event through the lens of different device logs is extremely slow and produces duplicate, overlapping entries.
The use of a Syslog server is a step in the right direction: it can centralize all log events in one location and normalize the log message format. Some Syslog servers provide some level of aggregation and visual representation, but the security analyst is still faced with poring over thousands of events in order to visually recognize patterns that may explain intended or nefarious activity going on in the network. The solution is an automated tool that pulls these events together in one place, correlates and normalizes them, and provides real-time visualization of the events based upon pre-programmed triggers.
At the heart of the SIEM/SOC are event triggers. These are predefined rules describing behavior in the network that has the potential to indicate a vulnerability or an attack. Examples of triggers include: multiple logon attempts, an authorized logon from a remote location, an authorized logon from a device that is not the user’s typical device, a connection to the network through a Wireless Access Point (WAP), or simply network access outside of regular business hours.
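To make the Syslog normalization and trigger ideas above concrete, here is an added illustration (not code from the article or from FitNetworks) that normalizes two constructed log formats into one schema and then applies four of the trigger types just listed: repeated failed logons, a logon from a non-internal address, a logon from an atypical device, and a logon outside business hours. The internal address range, the per-user device baseline, and the 07:00 to 18:59 business-hours window are assumed values for the example.

```python
import re
import ipaddress
from datetime import datetime, timedelta
from collections import defaultdict

# Constructed sample events (no real facility data): a firewall and a historian
# server emit logon records in different formats, as they would before a SIEM
# normalizes them.
RAW_LOGS = [
    "2024-03-04T02:10:05 fw01 LOGIN user=jdoe src=203.0.113.7 result=FAIL",
    "2024-03-04T02:10:09 fw01 LOGIN user=jdoe src=203.0.113.7 result=FAIL",
    "2024-03-04T02:10:14 fw01 LOGIN user=jdoe src=203.0.113.7 result=FAIL",
    "2024-03-04T02:10:20 fw01 LOGIN user=jdoe src=203.0.113.7 result=OK",
    "Mar 04 2024 09:15:00 hist01 Logon: user=asmith device=ENG-WS-12 status=success",
    "Mar 04 2024 10:02:31 hist01 Logon: user=asmith device=VISITOR-LAPTOP status=success",
]
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed site address range
KNOWN_DEVICES = {"asmith": {"ENG-WS-12"}}              # assumed per-user device baseline
BUSINESS_HOURS = range(7, 19)                          # assumed 07:00-18:59 window

FW_RE = re.compile(r"^(\S+) (\S+) LOGIN user=(\S+) src=(\S+) result=(\S+)$")
HIST_RE = re.compile(r"^(\w{3} \d{2} \d{4} [\d:]+) (\S+) Logon: user=(\S+) device=(\S+) status=(\S+)$")

def normalize(line):
    """Map either raw format onto one common event schema; None if unrecognized."""
    m = FW_RE.match(line)
    if m:
        ts, host, user, src, res = m.groups()
        return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
                "src": src, "device": None, "ok": res == "OK"}
    m = HIST_RE.match(line)
    if m:
        ts, host, user, dev, status = m.groups()
        return {"ts": datetime.strptime(ts, "%b %d %Y %H:%M:%S"), "host": host,
                "user": user, "src": None, "device": dev, "ok": status == "success"}
    return None

def evaluate_triggers(lines, fail_threshold=3, window=timedelta(minutes=5)):
    """Apply the trigger rules to normalized, time-ordered events; return (rule, who@when)."""
    events = sorted(filter(None, map(normalize, lines)), key=lambda e: e["ts"])
    alerts, failures = [], defaultdict(list)
    for e in events:
        tag = f"{e['user']}@{e['ts']:%Y-%m-%d %H:%M:%S}"
        if not e["ok"]:  # count failures per user inside a sliding time window
            failures[e["user"]].append(e["ts"])
            if len([t for t in failures[e["user"]] if e["ts"] - t <= window]) >= fail_threshold:
                alerts.append(("multiple_failed_logons", tag))
            continue
        if e["src"] and not any(ipaddress.ip_address(e["src"]) in n for n in INTERNAL_NETS):
            alerts.append(("logon_from_remote_address", tag))
        if e["device"] and e["device"] not in KNOWN_DEVICES.get(e["user"], set()):
            alerts.append(("logon_from_atypical_device", tag))
        if e["ts"].hour not in BUSINESS_HOURS:
            alerts.append(("logon_outside_business_hours", tag))
    return alerts
```

Running `evaluate_triggers(RAW_LOGS)` on the constructed input yields four alerts; in a real deployment the same successful off-hours logon from an external address after three failures would be correlated into a single incident for the SOC analyst rather than raised as separate lines.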
Like most sophisticated tools, the SIEM/SOC is only as good as the expertise of the cybersecurity analyst and their knowledge of your chemical facility network. In the end, the cybersecurity analyst needs to understand the processes and events going on in your chemical facility in order to analyze the event data in real time and provide early detection of targeted attacks, advanced threats, and data breaches. This real-time analysis of threats and vulnerabilities is why the SIEM/SOC is generally outsourced to a third party that has both the SIEM/SOC expertise and the chemical facility expertise necessary to secure your ICS.
Brian Sullivan
CEO, FitNetworks
FitNetworks partners with its clients like no other managed service provider when implementing Cybersecurity.
Got specific questions? Fill out the form below or give us a call to see if we are a good Fit!