wide awake at the wheel trusted sender and receiver

SmartData Data that protects itself! Nashville, TN (855) 313-6032 WIDE AWAKE AT THE WHEEL TRUSTING THE SENDER AND RECEIVER IN ICS AND SCADA SYSTEMS

Post on 20-Feb-2017

ABSTRACT

We exchange text messages with our friends and family all the time. Their numbers are listed in our contacts and based on the contact photo and the way our friends reply, we assume we know who we’re texting with. Sometimes, though, a random text will appear – just a phone number and a message. Probably something like “good morning you :)” or “hey girl!” You can see the number the message came from, but who is on the other end of the keypad? As a human, you can use your powers of logic, intuition, and reverse phone lookup to determine who is the sender of the unknown message. But how do machines distinguish? How do programs know if the command they are receiving is from a known and trusted source?

Existing protection methods like physical security, perimeter security and encryption only go so far and have known, exploited weaknesses. Plants continue to modernize and add devices to networks, while the culture and attitudes at these same plants take much longer to accept technological advancements. As attackers become more sophisticated, which they do with every attempt, a fundamental change in protection is necessary to ensure the safety and security of the fundamental services citizens rely on for their well-being. Moreover, the advancements need to be simple to use or invisible to technicians so they are easily adopted.

SmartData technology creates self-protecting data objects that enhance existing cyber security protocols and make any transmission usable and recognizable to users or devices that have been previously identified and authenticated. Any unauthorized entity will never be able to access or recognize a SmartData object.

INTRODUCTION

What do these environments have in common?

• Railway switches
• Air traffic control
• Electric substations
• Waste processing
• Nuclear power and processing facilities
• Water power and reservoir management
• Autonomous transportation
• Manufacturing plants
• Harbor and port authorities

In an effort to modernize, devices controlling these kinds of systems have been added to a network. In many of the systems installed years ago, factory installed passwords or hard-coded credentials are typical. Technician turnover, multiple users, and ease of use are all considerations that make these accommodations popular. Culture is a factor, too. Change comes slowly to industries that have used the same protocols and the same technologies for decades. A bright spot in these industries is physical security. Infrastructure industries have known they are susceptible to physical infiltration from their inception and they have ingrained processes keeping facilities secure. Physical security has been refined because that has been a specialty from the beginning. Cyber security is newer and the industry is less specialized for that.

Malicious actors know this and are becoming more sophisticated and increasing the number and variety of attacks they use. Data interception, DDoS, data alteration, and cyber “drive-by shooting” are being used by individuals, groups, and nation-states depending on their strategic goals. Viruses are being designed to attack SCADA systems. The Department of Homeland Security reports that industrial control systems were subject to at least 245 attacks in 2014.

In the highly publicized case of the Ukrainian power utility hack of 2015, the system received a 21-line code injection in the midst of its normal operating commands. Because the code appeared to be from a legitimate source in a legitimate format, the code was executed and 80,000 people were without power for six hours.

The Aurora test conducted in 2007 at Idaho National Labs was widely publicized and demonstrated how a viral attack could take control of circuit breakers to create out-of-phase conditions that resulted in a devastating effect: the generator under attack blew up.

Why does it seem so simple to find and attack these systems? Because it is. The search engine Shodan can find any open device with an IP address within a geographic range. Available information includes the device’s owner, service port header information, firmware details and available protocols. It could be a wireless printer, a smart television, a traffic signal, or a device controller. Even a Google search with specific technical criteria (called dorking) can return a list of open devices. An attack by an Iranian national on a dam in upstate New York used Google dorking to find and then infiltrate the water level controller. Once the device is known, penetrating the network and installing malware involves just a few more clicks. The entire identification and infiltration of an ICS/SCADA system can take less than a day.

Until recently, it was known that system security was weak, but it was believed that anyone trying to hack systems needed to have a high level of skills to manipulate the devices they found. That belief has been shattered with the recent research of Reid Wightman at Digital Bond Labs. Presenting at the S4 Conference in January 2016, he found at least 4 companies making variable speed drives (which control a motor’s speed) that don’t require authentication to get read/write capability. The motor makers intentionally make it easy for operators to find out the maximum motor speed – to make safe speed maintenance easy. Malicious actors can find the maximum safe speed and override it without leaving a trace. If that motor is cooling a nuclear power facility or if it is holding back a reservoir, the public threat is greater and more damaging than any financial data breach. Unfortunately, the state of ICS/SCADA system security today would likely find motor-caused damage to be blamed on manufacturing error, not malicious intent.

In this landscape, knowing whom to trust and which commands to execute becomes vitally important. Technician turnover has remained consistent and culture takes a long time to change, especially when there are more than 2000 utilities in the United States. How can ICS and SCADA systems remain operational with an impeccable level of availability when a single malicious actor can apparently take command of systems with ease? The industry cannot move backward into a state of full manual operation. It should not remove devices from the network when the benefits of networking outweigh the risk of remaining online. The problem lies in ensuring systems know which commands are trustworthy and should be executed and which should be ignored and reported.

THE STATE OF THE ART

Utilities and critical infrastructure systems excel at physical security. You needn’t look further than your nearest airport. Physical barriers, card readers, physical searches, credentials, and employee behavior all play a role in maintaining the integrity of access to systems.

The same organizations are also getting better at perimeter security for protecting internal networks. Layers of network defense are a deterrent to casual attackers or mischief-makers. Layered network security with firewalls, system anti-virus programs, and console anti-virus programs offers specialized ways to prevent unwanted access to systems. Like completing a video game, an attack must successfully solve each level before getting to the ultimate prize – control of the system. The drawback to layered network security is that it adds time, cost and complexity. And any news feed will show us that a layered network is not impenetrable.

Encryption programs can obscure massive amounts of data. Often, an application will encrypt its own output, like a protected pdf. Encryption like this is a secondary feature of the application and while effective at a surface level, may not keep out a motivated interloper. Total disk encryption, managed by an external application, is the level to which many organizations with sensitive data or mobile workforces are moving. Any of these encryption methods, whether internal or external to an application, requires key management protocols. When multiple encryption methods are used, multiple keys must be managed, stored securely, and retrieved immediately. The major drawback to encryption methods is that they exchange public keys, which subjects data to exfiltration, and encryption can significantly slow down performance.

The ultimate goal is for legitimate parties to execute timely commands and have devices recognize only legitimate requests while defending themselves from imposters. Protection at the data layer does not rely on external applications, networks, or operating systems. Self protecting data, or SmartData, is recognizable and useful only to aware applications with legitimate credentials and validated users.

Security at ICS/SCADA installations

Physical: Long history and successful implementation.

Network: Prevents accidental attackers when implemented. Requires sophisticated layers to prevent others.

Encryption: Available at the application layer. Requires key management for exchange, safekeeping, and recall.

Detection: Occurs after penetration, when damage may have occurred. Not reliable for zero-day recognition and recovery.

Data: Protection at the data layer does not rely on applications, networks or operating systems. Self-protecting data is recognizable and useful only to aware applications with legitimate credentials.

SMARTDATA NEUTRALIZES THREATS

In ICS environments, there is implied trust. That means any command received is a good command. Using the example of a train, we assume that Console A sends a command to Train B. “Slow down! Curve ahead!”

If the malicious actor were to intercept the command, and wanted to cause havoc, he could replace the good command “Slow down!” with his own command “Full speed ahead!” Using today’s systems, the train would not know that the replaced command is a bad command, because it looks like a legitimate command.

When using the SmartData protocol, the user at Console A must log in and irrefutably prove his identity before issuing any command. In addition, the identity of the sender, or Console A, and the identity of the receiver, or Train B, must be included in the header of the command. This smart command is unrecognizable to any person, process, or machine other than the participants included in the command, in this case the sender and receiver.

When the SmartData-aware train receives any command, it will first view the header to determine:

• is the sender known and trusted?
• from which device did the command originate?
• is the timeframe of the command within a reasonable range?

When evaluating the legitimate command, the train determines all the important factors to be true and follows the command to slow down. In the case of the replaced message, not only does the train determine important factors to be false, it recognizes that the command is not in a SmartData form. Depending upon the rules defined by the owner, the train can report or log this illegitimate command. Furthermore, a malicious actor would be unable to distinguish a command cloaked in a SmartData object. When using SmartData, key logging, packet interception, and command spoofing all become irrelevant. SmartData objects are recognizable only to SmartData-aware applications. Even then, only authorized and legitimate users of that particular SmartData object are able to see what’s inside.

In a worst case scenario when a legitimate user turns rogue, the train may follow a bad command. But, because user information must be provided in order to create the command, there is irrefutable proof of the individual who executed the bad command. There is no guesswork or investigation to determine who is responsible.
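The receiver-side checks described above (is the sender known, did the command come from an expected device, is the timestamp within a reasonable window, and is the message in the expected form at all) can be made concrete with a small verifier. The following is an added example written for this page, not SmartData's or SertintyONE's code; the page does not describe SmartData's actual mechanism, so this example assumes a conventional per-sender shared secret and an HMAC tag computed over a canonical header plus payload. The registry entries (console-A, hmi-01, train-B), the secret, the 30-second window and the sample commands are all constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed sample registry (an assumption for this example, not SmartData's own scheme):
# each trusted sender has a secret shared with the receiver and a set of devices it may send from.
SENDER_KEYS = {
    "console-A": b"constructed-secret-for-console-A",
}
SENDER_DEVICES = {
    "console-A": {"hmi-01"},
}
MAX_SKEW_SECONDS = 30   # how far a command timestamp may be from the receiver's clock
rejected_log = []       # what the receiver reports instead of executing


def _canonical(header, payload):
    """Deterministic serialisation so sender and receiver authenticate identical bytes."""
    return json.dumps({"header": header, "payload": payload},
                      sort_keys=True, separators=(",", ":")).encode()


def build_command(sender, device, receiver, payload, now):
    """Sender side: bind sender, device, receiver and time to the payload with an HMAC tag."""
    header = {"sender": sender, "device": device, "receiver": receiver, "ts": int(now)}
    tag = hmac.new(SENDER_KEYS[sender], _canonical(header, payload), hashlib.sha256).hexdigest()
    return {"header": header, "payload": payload, "tag": tag}


def verify_command(msg, my_id, now):
    """Receiver side: return (accepted, reason); anything refused is written to rejected_log."""
    def reject(reason):
        rejected_log.append({"reason": reason, "msg": msg})
        return False, reason

    if not isinstance(msg, dict) or not {"header", "payload", "tag"} <= msg.keys():
        return reject("not in expected command form")
    header = msg["header"]
    if not isinstance(header, dict) or not {"sender", "device", "receiver", "ts"} <= header.keys():
        return reject("malformed header")
    if header["receiver"] != my_id:
        return reject("not addressed to this receiver")
    sender = header["sender"]
    if sender not in SENDER_KEYS:
        return reject("unknown or untrusted sender")
    if header["device"] not in SENDER_DEVICES.get(sender, set()):
        return reject("command did not originate from an expected device")
    ts = header["ts"]
    if not isinstance(ts, int) or abs(int(now) - ts) > MAX_SKEW_SECONDS:
        return reject("timestamp outside the acceptable window")
    expected = hmac.new(SENDER_KEYS[sender], _canonical(header, msg["payload"]),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison: an altered payload or a forged tag fails here.
    if not hmac.compare_digest(expected, str(msg["tag"])):
        return reject("authentication tag mismatch: altered or forged")
    return True, "accepted"


def run_scenario():
    """Walk the train example: one good command and three things the receiver must refuse."""
    t0 = 1_700_000_000  # constructed clock value
    good = build_command("console-A", "hmi-01", "train-B", "Slow down! Curve ahead!", t0)
    results = {}
    results["legitimate"] = verify_command(good, "train-B", t0 + 2)
    # An interceptor swaps the payload but cannot recompute the tag without the secret.
    tampered = dict(good, payload="Full speed ahead!")
    results["altered"] = verify_command(tampered, "train-B", t0 + 2)
    # A bare command with no header is not even in command form.
    results["raw"] = verify_command("Full speed ahead!", "train-B", t0 + 2)
    # Replaying the good command ten minutes later fails the time-window check.
    results["replayed"] = verify_command(good, "train-B", t0 + 600)
    return results


if __name__ == "__main__":
    for name, (accepted, reason) in run_scenario().items():
        print(f"{name:10s} accepted={accepted} reason={reason}")
```

Running run_scenario() shows the legitimate “Slow down!” command accepted and the altered, bare and replayed versions refused and written to rejected_log with a reason, which is the report-or-log behaviour the text describes. Two caveats a practitioner should keep in mind: an HMAC only proves that someone holding the shared secret produced the command, so the irrefutable attribution of a rogue user that the text promises needs a per-user asymmetric signature (for example Ed25519) rather than a shared key; and this verifier authenticates the command but does not hide it, so making the payload unreadable to an interceptor additionally requires encryption.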

How do SmartData-aware devices know with certainty which actor gave a command? Certainty comes from the authentication method used in SmartData protocols. Unlike most authentication, which requires a login ID and password and perhaps another code for multi-factor authentication, SmartData authentication relies on a series of prompts and responses that are unique to individuals or machines. Prompts and responses are impervious to social engineering and administrators can select a minimum number of prompts and responses required to authenticate. In addition, multi-vector authentication is a built-in option.

SmartData objects carry authentication, encryption, and rules for access with them. When an authenticated user or device is logged in, they are able to access the data they need without managing encryption keys, which are buried deep throughout the SmartData object. Nothing about the contents of the object is ever shared publicly and only authorized and authenticated users will ever see and be able to use the contents.

SmartData works anywhere software talks to software. Because it is not dependent on network, operating system, or application, it can drop in to any environment and start protecting data as soon as it’s installed. With no other change than the installation of SmartData technology, critical systems and their operation become as secure as when physical isolation was the only method of protection.

SmartData technology works with native applications so that technicians and machines can be logged in, authenticated and otherwise unaware that SmartData is working on their behalf. Anyone outside will be unable to comprehend the packets they see.

Data interception and data alteration become impossible when systems are protected by SmartData. Systems become impervious to code injection or other attacks where illegitimate commands are given to legitimate devices. The bottom line: control of systems, control of your environment, control of outcomes is never relinquished.

SUMMARY

SmartData ensures that only legitimate users and legitimate devices are able to execute commands. SmartData makes any system impervious to malicious actors and protects not only the integrity of operations but any data associated with a facility, including research, personnel data, emails, or financials. SmartData accomplishes this in a way that enhances existing security protocols, does not impact performance, and is nearly invisible to legitimate authenticated parties.

Without a fundamental change in the way critical infrastructure industries protect themselves from individuals, groups, or nation-states with ulterior motives, even the best physical and layered security will not prevent a disaster. Beyond the inconvenience of a multi-day power outage or the hazard of traffic signal corruption, there is real potential for mass chaos and loss of life should dams have an unplanned, unregulated release, air traffic control systems be rendered useless, or a nuclear facility overheats. Each unsuccessful attack teaches the attacker something new. Each attempt becomes more sophisticated and potentially more devastating.

SmartData works regardless of network, operating system, or application. SmartData is self-protecting data. Wherever software talks to software, SmartData can make sure only legitimate parties are involved. The roadmap to total protection follows when software talks to software, when software talks to component systems, when component systems talk to circuits and processors. The destination is uncompromised performance, protection, and privacy in any industry for any type of data.

Let SertintyONE show you how your ICS and SCADA systems can grow to be fully mature SmartData aware systems. Contact the sales team for an evaluation of your existing trusted sender/receiver scheme and more information about how SmartData can fit into your existing structure.

[email protected]

855-313-6032

WHO WE ARE:

SertintyONE is a software development company focused on protecting confidential, proprietary and personal data. Our development initiatives are aimed at ensuring the right person has the right information at the right time, irrespective of the user, device, network or operating system. We are headquartered in Nashville, Tennessee.