Posts

Adding Security and Flexibility to MQTT

The Control System Integrators Association (CSIA) recently published a case study titled Adding Security and Flexibility to MQTT in which an implementation of MQTT was made more secure, and at the same time more flexible, using Skkynet’s DataHub technology.

In a large wood processing plant in North America, managers had planned a data collection and integration system to cut production costs, improve output and enhance network security. However, their chosen protocol, MQTT, did not provide sufficient security and flexibility. The project depended on connecting multiple MQTT inputs to a single MQTT broker in the cloud, while also allowing plant personnel to consolidate, log, and analyze the data along the way. And they had to keep the production system secure behind a DMZ.

No conventional MQTT broker could do all that. Bit they found that DataHub software, with its MQTT Smart Broker, logging, tunnelling, and other features was well suited to the task.

Calling for Resilience

Tough times demand tough measures.  A recent convergence of three disruptive forces on industrial automation calls for resilience, according to the report of a recent survey from Claroty, The Global State Of Industrial Cybersecurity 2021: Resilience Amid Disruption.  These forces are: an increase in ransomware attacks, accelerated digital transformation, and a growing trend towards working remotely. What’s needed is more investment in improved technology and the hiring and training of staff, according to the majority of the 1,100 IT and OT (operations technology) security professionals interviewed.

The number of ransomware attacks sustained by industrial enterprises, and the costs involved, are staggering.  A full 80% of the companies surveyed were hit, including a breach of their OT/ICS (industrial control systems) for more than half of them.  Over 60% paid the ransom, with an average payment of around $500,000 USD, and over $5,000,000 for some.  That doesn’t count the cost of lost production downtime, which for the companies surveyed ranges from tens of thousands to millions of dollars per hour.

At the same time, the need for networking industrial data is stronger than ever.  Fully 90% of these companies report that they sped up adoption of digital transformation since the start of the pandemic, and don’t anticipate turning back.  Adding to that, working remotely has become a new normal.  Just 21% of the companies surveyed had their full staff working onsite in 2021, and only 27% expect to have everyone back working onsite after the pandemic.

Secure data communications are vital

Taken together these trends indicate a strong demand for secure data communications.  Claroty, the industrial cyber security company that sponsored the survey, offers five technical and procedural  recommendations.  For data communications, the report said maintaining proper segmentation between OT and IT networks can be a highly effective defense against ransomware:

“There are many business processes and applications that need to communicate across the IT/OT boundary, so organizations need to ensure this is done in a secure way. Ensuring an organization’s OT network and assets are isolated from IT in a manner that aligns with segmentation best practices can be a highly effective means of stopping the lateral spread of ransomware and other malware from IT to OT.”

Responding to this need for network isolation, Skkynet offers a wide range of secure solutions for in-plant, OT/IT, and cloud connectivity.  Industrial enterprises large and small have come to recognize the value of our secure-by-design approach that gives them full access to their production data while keeping their OT networks secure behind DMZs and fully closed firewalls.  Skkynet’s software and services answer the call for resilience.

White House Pushes for Security

Since the ransomware attack on the Colonial Pipeline last month, the US government has become more vocal on the need for industrial cybersecurity. A recent memo from the White House to corporate executives and business leaders across the country urges them to protect their companies against hackers. Among the action items is the need to segment networks, to isolate OT from IT.

“It’s critically important that your corporate business functions and manufacturing/production operations are separated,” the memo states, “and that you carefully filter and limit internet access to operational networks, identify links between these networks and develop workarounds or manual controls to ensure ICS networks can be isolated and continue operating if your corporate network is compromised.”

The memo says that although the government is leading the fight against cyber attacks of all kinds, the private sector is also expected to play their part. They are urged to back up data, update systems, and test response plans and implementations. The memo also listed five best practices from the president’s Improving the Nation’s Cybersecurity Executive Order, including:

  1. Multifactor authentication
  2. Endpoint detection
  3. Response to an incursion
  4. Encryption
  5. A capable security team
Isolate Control Networks

Most of the recommendations could apply to any system or network exposed to the Internet, but the White House also included one directly related to industrial systems: Segment your networks to protect operations. Industrial control system networks, it says, should be isolated so they can continue operating even when the management network is compromised.

This was the case with the Colonial Pipeline incident last month. Although the hack caused turmoil in the company and a week of problems for the whole East Coast of the US, it could have been much worse. If the hackers had been able to take control of the pipeline itself, we might have witnessed physical damage both to property and the environment.

To avoid such problems, isolating control networks is critical. This is best accomplished using a DMZ, a “demilitarized zone” that separates control systems from management systems. Using a DMZ ensures that there is no direct link between corporate networks and control networks, and that only known and authenticated actors can enter the system at all.

Skkynet recommends using a DMZ for OT/IT networking, and provides the software needed to seamlessly pass industrial data across a DMZ-enabled connection. Most industrial protocols require opening a firewall to access the data, but Skkynet’s patented DataHub architecture keeps all inbound firewall ports closed on both the control and corporate sides, while still allowing real-time, two-way data communication through the DMZ.

We are pleased to see support for securing industrial control systems coming from the White House and US government, as well as governments and agencies throughout the industrialized world. A more secure environment will keep costs down and production running smoothly by keeping hackers out of our control systems.

Emergency at Colonial Pipeline

Another ransomware attack hit the headlines last week.  This time it’s Colonial Pipeline, the largest in the USA by some estimates, 8,850 km long, with carrying capacity of over 3 million barrels of petroleum products.  The attack has prompted the US Department of Transportation to issue an emergency declaration, easing restrictions on overland transport of supply by truck, a necessary but high-cost alternative for the company.

Colonial is wisely reluctant to release details, so we might never know exactly who did this or how it happened.  But that’s not the point.  One way or another, a malicious actor may have compromised a node on the IT network, which could have been used as a staging ground to launch an attack on the OT (Operations Technology) network.

What we do know is how to prevent that kind of attack from spreading.  There should be no need for emergency declarations.  As we have discussed previously, most people in the know―from government regulators and standards agencies to top management and on-site engineering staff―understand that you must isolate your networks.  In this age of cloud, IoT, and digital transformation, when it is becoming possible to connect everything together, we also need to implement ways to keep things separate.

A Well-Known Solution

Isolating a control network from an IT network is not difficult.  The technology has been around for decades.  It involves inserting a defensive layer, a DMZ (Demilitarized Zone) between the two networks, and using firewalls to protect them.

The challenge lies in moving production data securely across the DMZ in real time.  This is where Skkynet’s DataHub technology shines.  The DataHub can connect to equipment and SCADA systems on the industrial side, and pass that data through the DMZ to the IT side, without opening any firewall ports on either side.

We hope Colonial Pipeline recovers quickly from this emergency, and that oil and gas will soon begin to flow again up the East Coast of the USA.  Meanwhile, we encourage others to heed this wake-up call.  The attack surface of an entire company is huge.  Persistent hackers are bound to find their way in, eventually.  The best way to prevent damage to the production systems is to isolate the corporate network from the control network and insert a DMZ.  They may get that far, but no farther.

OPC Attack Surface Exposed

Industrial systems, once of little interest to hackers, are now targeted on a regular basis, making security an ever-growing concern.  At the same time, as more companies update and add to their control systems, the OPC industrial protocol continues to grow in popularity. So it would make sense to ask the question, how vulnerable to attack is an industrial system that uses OPC?

A recent white paper by Claroty, Exploring the OPC Attack Surface, discusses a number of security vulnerabilities in the products of three well-known suppliers of OPC software.  These issues, reported to the Industrial Control System Cyber Emergency Response Team (ICS-CERT), could “expose organizations to remote code execution, denial-of-service conditions on ICS devices, and information leaks,” according to the report.

The companies involved have isolated the bugs, fixed them, and issued upgrades to their software, but the underlying problem remains.  All software has bugs, and OPC software is no exception.  Every connection to the Internet risks exposing an attack surface that could be exploited.

Unforeseen requirements

Like most industrial protocols, OPC was conceived and developed before the advent of Industrie 4.0 and the Industrial IoT.  Back then, nobody seriously considered connecting their process control systems to the Internet.  All production equipment and networks were entirely disconnected (“air-gapped”) from the outside world, or at least secured behind closed firewalls.

Connecting a factory or industrial process to an IT department or cloud service introduces risk.  The design of OPC requires an open firewall port to make a connection.  Most companies are currently using workarounds to overcome this Achilles heel, but none of them are adequate.  Using a VPN simply expands the security perimeter of a control network to the outside world of phishing emails and ransomware attacks. Using an IoT gateway to connect an OPC server to a cloud service still requires connecting the plant network to the Internet in some way.

The most secure approach

Instead, the most secure way to get data from OPC servers running on a plant network is by using one or more DMZs.  According to a recent NIST report, “The most secure, manageable, and scalable control network and corporate network segregation architectures are typically based on a system with at least three zones, incorporating one or more DMZs.”

Using a DMZ makes it possible to isolate the plant from the Internet. Although OPC alone cannot connect through multiple hops across a DMZ, adding Skkynet’s DataHub technology makes it possible.  A DataHub tunnel for OPC can establish secure, real-time data flow across the connection, without opening any inbound firewall ports.  This effectively cuts the attack surface to zero.  Even if there is an undiscovered bug lurking somewhere in an OPC server, there is much less risk.  After all, hackers cannot attack what they can’t see.

NIS 2 Raises the Bar for Network Security

Key directive: One or more DMZs are needed for the most secure, manageable, and scalable segregation of control and corporate networks.

The recent adoption of a new NIS 2 Directive by the European Commission is a sign of the times.  Beset by a world-wide pandemic, many companies across the EU have turned to digital technologies to allow their workforce to stay productive, and to facilitate access to valuable production data.  This has led to unprecedented levels of industrial data being passed between company networks and across the Internet, increasing the risk of exposure to malicious intruders.

To combat the threat, the European Commission has accepted revisions to the Directive on Security of Network and Information Systems (NIS), now calling it NIS 2. Among other things, this document mandates a number of basic security elements, including standards for networking data between the production and corporate levels of a company.

The Commission has tasked ENISA, the European Union Agency for Network and Information Security, with implementing the standards.  In pursuit of this mandate, ENISA relies on the expertise of three well-known bodies, NIST, ISO, and ISA to provide detailed descriptions of how network security should be implemented, as published in its Mapping of OES Security Requirements to Specific Sectors document.

Using DMZs

For example, the recommended way to bring process data into the corporate office is summed up in NIST document SP-800-82.  It says: “The most secure, manageable, and scalable control network and corporate network segregation architectures are typically based on a system with at least three zones, incorporating one or more DMZs.”

These three zones are the control zone (OT), the corporate zone (IT), and the DMZ itself.  The document describes the value and use of firewalls to separate these zones, and to ensure that only the correct data passes from one to the other. Using a DMZ ensures that there is no direct link between corporate networks and control networks, and that only known and authenticated actors can enter the system at all.

Skkynet recommends using a DMZ for OT/IT networking, and provides the software needed to seamlessly pass industrial data across a DMZ-enabled connection.  Most industrial protocols require opening a firewall to access the data, but Skkynet’s patented DataHub architecture keeps all inbound firewall ports closed on both the control and corporate sides, while still allowing real-time, two-way data communication through the DMZ.

Unlike MQTT, which cannot reliably daisy-chain connections across the three zones as ENISA recommends, the DataHub maintains a complete copy of the data and connection status from the source to final destination.  Thus, it provides accurate indicators of data reliability at each zone in the system, along with making the data itself available.

We applaud the European Commission for its no-nonsense stance on cybersecurity with NIS 2, and encourage all EU members, indeed any company expanding its use of corporate networking, Industrie 4.0, or Industrial IoT technologies to adhere closely to the guidance of ENISA, and to implement three-zone security using one or more DMZs.