2018-07-25
Look, But Don't Touch: One Key to Better ICS Security
Better visibility is essential to improving the cybersecurity of industrial control systems and critical infrastructure, but the OT-IT cultural divide must be bridged first.
How do we fix industrial control systems cybersecurity?
Experts say better visibility is essential to improving ICS/SCADA security. But infosec teams will never gain that visibility until they stop trying to observe ICS environments through the eyes of IT professionals.
There are fundamental differences in IT and OT (operational technology) gear, processes, and people, say experts.
"Overall, IT has no idea what goes into operating an OT environment," says Paul Brager, senior staff product security leader, cybersecurity and risk, for GE Oil and Gas.
"The success of the Internet has made computer people kind of smug," says Chris Blask, chair of the ICS-ISAC and global director of industrial control systems for Unisys. Industrial workers, however, he says, "know how society works," like what keeps raw sewage out of your drinking water supply.
So while cybersecurity professionals worry about nation-states knocking out the power grid with ICS malware attacks, OT engineers know that their generating stations and production lines can be disrupted by much more than hackers. They're so aware of this that they adhere to extensive process safety management controls, hazard analysis, change management, emergency response, incident investigation rules, and more, to deal with such threats early and swiftly.
The introduction of anything new to the operational environment - a new pump, a software patch, an upgrade, a new security tool - is approached with caution, because any disruption in availability or integrity could have irreversible, expensive, even dangerous physical impacts.
It isn't just the worst-case scenarios of sustained blackouts, broken dams, nuclear meltdowns, and poisoned public water systems, either: it's economic impacts as well. If part of a chemical plant's system malfunctions or goes offline during a production run even very briefly because an insufficiently tested software patch misbehaves once it's released into the live environment, the chemicals could be corrupted. "That might be $100,000 of product that they dump," Brager says.
"No CEO is going to sign something that says 'Okay we're going to stop extracting oil from the ground for a week,'" to fix something that doesn't appear to be broken, like an unsupported operating system, explains Galina Antova, co-founder of OT security firm Claroty and former global head of industrial security services for Siemens. Convincing them that cybersecurity is a threat at all, much less one worth spending money on, is a challenge, she says.
Enterprise IT environments can withstand more iteration and downtime than OT environments. If the OT environment appears to be stable, operational and efficient, why make a change that might destabilize it?
Many of the physical and cyber-physical systems in use today have been in use "literally for generations," explains Eddie Habibi, CEO of PAS.
As these experts say, the attitude is generally "If it ain't broke, don't fix it." The infosec professional's challenge, therefore, is to convince the OT side of the house that something is broken, and then to fix it without breaking it further. That takes a lighter touch than infosec pros and their tools are used to.
Seeing What No One Else Can See
As Blask says, ICS is "the system put in place to provide visibility into physical processes. The one thing that they don't have visibility into is the [ICS] system itself."
"Visibility is a big deal. And we typically don't have a lot of visibility down there," on the cyber-physical systems, says Brager. When something goes wrong, "You don't necessarily know if it's a cyber thing or a human thing."
Unfortunately, says Habibi, "These systems are not easily discoverable." As he explains, industrial environments are often a heterogeneous conglomerate of highly complex, proprietary systems, communicating on different protocols and requiring specialized expertise to run.
Brager adds, many of these systems are no longer supported and the vendors may no longer exist. Many of them only communicate on one protocol, if they communicate at all.
"It continues to get worse," says Habibi, "because people continue to add automation."
This IT-OT "convergence" adds more sensors, more I/O cards, more endpoints, more protocols, more interconnections, and more complexity to an environment, making the picture even murkier.
"Unless you can visually see [an asset]," says Brager, "it's really hard to interrogate it ... But if you don't know which ones you have, you don't know how vulnerable you are."
Plus, he notes, a significant number of industrial environments are managed by third parties with privileged access. Documentation of who runs what, and where, is the last thing done, if it's done at all, says Brager.
However, calling these third-party contractors and managed service providers and asking them for a manual count would be "worse than doing nothing," says Habibi, because of the scale of the challenge.
How to Do It
According to Brager, whenever terms like "sniffing" or "actively interrogating" are suggested by security teams or companies, "the people in those plants get real nervous."
What may seem like a very gentle gesture to an enterprise IT manager, he explains, may be seen as a dangerous intrusion to an operational engineer. The industrial processes cannot tolerate new latency that might be introduced and if some mechanical system is damaged and cannot be recovered, it will need to be replaced.
"If you say, 'we're going to install an agent,' they'll say 'No you won't install an agent,'" says Brager.
That doesn't change the fact that improved visibility is necessary. Without it, attackers hiding in plain sight may be a greater threat than some OT teams realize -- because attackers may be better at achieving visibility than operators are.
Take the CrashOverride/Industroyer malware, which researchers found responsible for the December 2016 attack on the Ukrainian power grid. It is built to map, target, and attack grid operations by speaking the ICS communication protocols (IEC 60870-5-101, IEC 60870-5-104, IEC 61850 and OPC DA) exactly as they were designed. There is no protocol exploit to write a signature for: the commands that open breakers are legitimate messages, which is why it flies under the radar.
The ICS security team's goal, therefore, says Antova, is "improving visibility in a passive way. ... This is something I can do that the engineers will allow me to do without impacting their processes." It also provides the most benefit for minimum investment, she says.
Habibi urges the same practice. Passively take stock of all the components in an environment, then check them all for vulnerabilities, present that information to the operator, and allow them to act (or not). "You want to fix those broken windows and broken locks," he says, "Then implement a very tight change management process."
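A concrete form of the passive approach Antova and Habibi describe, offered here as an added example that is not from the article or from any vendor quoted in it: a pure-function asset inventory that parses Modbus/TCP requests copied from a mirror port or tap, records which masters talk to which slaves with which function codes, and then diffs a later capture against that baseline. Modbus/TCP is used for its simple framing; the Industroyer case above speaks IEC 104 and IEC 61850 instead, but the same who-talks-to-whom baseline is the kind of visibility that catches a protocol used exactly as designed. All addresses and frames below are constructed for the example.

```python
"""Passive Modbus/TCP asset inventory with a baseline check (added example)."""
from collections import defaultdict
from dataclasses import dataclass
import struct

MODBUS_PORT = 502
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}


@dataclass(frozen=True, order=True)
class Flow:
    """One (master -> slave/unit, function code) relationship seen on the wire."""
    src: str
    dst: str
    unit: int
    function: int


def parse_mbap(payload: bytes):
    """Parse a Modbus/TCP ADU: 7-byte MBAP header (transaction id, protocol id,
    length, unit id) followed by the PDU (function code + data).
    Returns (unit_id, function_code, data), or None if the frame is malformed."""
    if len(payload) < 8:
        return None
    _tid, proto, length, unit = struct.unpack("!HHHB", payload[:7])
    # Protocol id is always 0; the length field counts unit id + PDU bytes.
    if proto != 0 or length != len(payload) - 6:
        return None
    return unit, payload[7], payload[8:]


def modbus_request(tid: int, unit: int, function: int, data: bytes) -> bytes:
    """Build a request ADU; used only to construct the sample capture below."""
    pdu = bytes([function]) + data
    return struct.pack("!HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def inventory(frames):
    """frames: iterable of (src_ip, dst_ip, dst_port, tcp_payload) from a tap.
    Only requests to TCP/502 are considered and nothing is ever transmitted:
    the function is pure and opens no socket, which is what 'passive' means.
    Returns (slaves, masters, flows):
      slaves  {(ip, unit): set of function codes addressed to it}
      masters {ip: set of (slave ip, unit) it talked to}
      flows   set of Flow"""
    slaves, masters, flows = defaultdict(set), defaultdict(set), set()
    for src, dst, dport, payload in frames:
        if dport != MODBUS_PORT:
            continue
        parsed = parse_mbap(payload)
        if parsed is None:
            continue
        unit, function, _data = parsed
        slaves[(dst, unit)].add(function)
        masters[src].add((dst, unit))
        flows.add(Flow(src, dst, unit, function))
    return dict(slaves), dict(masters), flows


def deviations(baseline, observed):
    """Flows in the observed window that never appeared while baselining.
    Writes sort first: a host that never wrote before issuing a coil or
    register write is the case that warrants a call to the control room."""
    new = observed - baseline
    return sorted(new, key=lambda f: (f.function not in WRITE_FUNCTIONS, f.src))


def describe(flow: Flow) -> str:
    name = (WRITE_FUNCTIONS.get(flow.function) or READ_FUNCTIONS.get(flow.function)
            or f"FC {flow.function}")
    kind = "WRITE" if flow.function in WRITE_FUNCTIONS else "read"
    return f"{kind:5} {flow.src} -> {flow.dst} unit {flow.unit}: {name}"


# Constructed sample capture with hypothetical addresses, not real plant traffic.
HMI, EWS, PLC_A, PLC_B, ROGUE = "10.0.0.10", "10.0.0.20", "10.0.0.50", "10.0.0.51", "10.0.0.99"
BASELINE_FRAMES = [
    (HMI, PLC_A, 502, modbus_request(1, 1, 3, b"\x00\x00\x00\x0a")),  # read 10 holding regs
    (HMI, PLC_B, 502, modbus_request(2, 1, 1, b"\x00\x00\x00\x10")),  # read 16 coils
    (EWS, PLC_A, 502, modbus_request(3, 1, 16, b"\x00\x10\x00\x01\x02\x00\x2a")),  # write 1 reg
    (HMI, PLC_A, 80, b"GET / HTTP/1.0\r\n\r\n"),                      # not Modbus, ignored
    (HMI, PLC_B, 502, b"\x00\x05\x00\x00\x00\x02\x01"),               # truncated, ignored
]
OBSERVED_FRAMES = BASELINE_FRAMES + [
    # A perfectly valid frame, protocol used as designed, from a host never seen before.
    (ROGUE, PLC_B, 502, modbus_request(9, 1, 5, b"\x00\x03\xff\x00")),  # force coil 3 ON
]


if __name__ == "__main__":
    _, _, baseline = inventory(BASELINE_FRAMES)
    slaves, masters, observed = inventory(OBSERVED_FRAMES)
    for (ip, unit), fcs in sorted(slaves.items()):
        print(f"slave {ip} unit {unit}: function codes {sorted(fcs)}")
    for flow in deviations(baseline, observed):
        print("NEW", describe(flow))
```

Feed `inventory()` with frames pulled from a pcap taken on a span port and the plant sees no new packets, no agents and no added latency; the baseline window should cover at least one full production cycle so that rare but legitimate engineering writes are learned rather than flagged.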
But, Brager cautions, test products carefully, because some vendors that promise "passive monitoring" are less passive than they claim. The straightforward check is to stage the tool on a mirror port or tap and capture its own egress: a genuinely passive sensor puts nothing on the OT network.
Because ICS work touches safety processes and change management, it is an opportunity for OT and IT groups to come together.
"A lot of this comes down to having manners," says Blask. "What you don't do is what security teams often do, is say 'your baby is ugly.' ... And then they complain to their friends why they don't get invited to the meetings anymore."