<img height="1" width="1" style="display:none;" alt="" src="https://px.ads.linkedin.com/collect/?pid=2975524&amp;fmt=gif">
BLOG

Beyond the Firewall: Smarter Network Security for the “Smart Grid”

May 31, 2016

Network-enabled sensors and devices, part of the Internet of Things (IoT), can be a boon to industrial operations. They help Supervisory Control and Data Acquisition (SCADA) systems automate processes and collect data such as humidity, temperature, and air pollution.

Today, IoT products are cheap and plentiful, making them fairly easy to procure and deploy. Some IoT solutions offer risks that can't be ignored, however. Network security experts have significant concerns about IoT devices, especially when they’re implemented in an infrastructure setting such as a power grid.

The Security Challenges of IoT-Enabled Infrastructure

There are two distinct network security challenges regarding IoT-enabled infrastructure. The first has less to do with IoT solutions and more to do with the systems that control vital operations, such as utilities.

SCADA systems were built to do things like keep the lights on, maintain the flow of natural gas, and ensure that crops receive water. They were not designed to withstand network security threats. Moreover, it’s quite difficult to add security solutions after the deployment of SCADA systems. The most common SCADA system protocols (MODBUS and DNP3) are inherently insecure, and to make the situation worse, one breach at any point in the network within a SCADA system allows a hacker free reign. The long equipment life of SCADA systems gives them high ROI, but that doesn’t mean that network security staff regularly monitors vulnerabilities.

Security isn’t built into the design of many IoT products, either. Consumer IoT solutions are a special risk. Take the Nest thermostat, for example. In 2014, an engineering professor from the University of Central Florida led a team of researchers which succeeded in jailbreaking the device by loading software through the thermostat’s USB port. The next year, security researchers at TrapX published a report on how a criminal could hack the thermostat and gain access to other “smart” devices in someone’s home.

>> Download now: Learn how to secure your industrial network
[Free Whitepaper]

The Nest thermostat is only one vulnerable IoT product. Cars, medical devices, rifles, baby monitors, refrigerators, and even the iconic Barbie doll were all targets of hacks in 2015.

There are plenty of hackers and criminals who would dearly love to hack into utility grids. Some of them have succeeded. Just days before Christmas 2015, two of Ukraine’s power generating facilities were hacked. Eighty thousand customers were left without power for approximately six hours. Some experts have attributed the attack to Russian-designed malware.

When IT and OT Converge: Handling Network Security Threats Facing “Smart” Infrastructure

Industrial IoT (IIoT) networks create a convergence between IT and operational technologies (OT). This convergence brings with it serious security risks.

IIoT networks can span many miles and include hundreds, if not thousands, of data points. Each of these data points is vulnerable to threats which could cripple an IT network. And not all of these embedded technologies allow software updates or patches which would protect the rest of the network.

Organizations undertaking smart grid projects are aware of these security challenges. Such projects are regulated by the Federal Energy Regulatory Commission. However, you do need to think beyond security defenses. Simple, common-sense precautions like segmenting networks and implementing firewalls will prevent soft attacks. But really you must go beyond perimeter defenses and, ironically enough, that starts with a passive approach.

Passive Real-time Monitoring is the “Smarter” Solution

Industry and Infrastructure should not be a target. They can take security measures which will protect them and their unique environments. One such measure is implementing network elements that spot any anomalies and deviations from normal behaviors through passive, real-time monitoring. Simple, listen only devices like a passive network TAP copy the data and send it to an analyzer or deep packet inspection (DPI) solution to alert organizations of possible breaches. Of course, first you need to know your baseline traffic  in order to determine what traffic is normal and what is not.

Passive, Listen-only Network TAPs Protect Industrial Infrastructure

Passive network TAPs are essential to industrial Ethernet connectivity because they are purpose-built, un-hackable and capable of enabling network monitoring without affecting traffic flow. In the industrial Ethernet sector, the majority of organizations are still utilizing 100M and 10/100/1000M copper networks. In the use case of requiring copper, Garland has specialized copper aggregation TAPs that are listen-only. These TAPs were made specifically for lawful intercept cases and are the standard for FBI Surveillance Protocols.

According to Chris Sistrunk, TAPs are a great way to gain visibility into a network, both to look for evil, but to also detect misconfigurations and devices with firmware problems. Chris writes in detail in his blog, It's a TAP about the 4 Considerations when installing a TAP in ICS.

The use of passive network TAPs combined with innovative monitoring solutions companies can work towards defending themselves from a critical infrastructure attack like the one in Ukraine. 

Defending Industrial Ethernet Network Security Garland Technology

See Everything. Secure Everything.

Contact us now to secure and optimized your network operations
Contact Us

Heartbeats Packets Inside the Bypass TAP

If the inline security tool goes off-line, the TAP will bypass the tool and automatically keep the link flowing. The Bypass TAP does this by sending heartbeat packets to the inline security tool. As long as the inline security tool is on-line, the heartbeat packets will be returned to the TAP, and the link traffic will continue to flow through the inline security tool.

If the heartbeat packets are not returned to the TAP (indicating that the inline security tool has gone off-line), the TAP will automatically 'bypass' the inline security tool and keep the link traffic flowing. The TAP also removes the heartbeat packets before sending the network traffic back onto the critical link.

While the TAP is in bypass mode, it continues to send heartbeat packets out to the inline security tool so that once the tool is back on-line, it will begin returning the heartbeat packets back to the TAP indicating that the tool is ready to go back to work. The TAP will then direct the network traffic back through the inline security tool along with the heartbeat packets placing the tool back inline.

Some of you may have noticed a flaw in the logic behind this solution!  You say, “What if the TAP should fail because it is also in-line? Then the link will also fail!” The TAP would now be considered a point of failure. That is a good catch – but in our blog on Bypass vs. Failsafe, I explained that if a TAP were to fail or lose power, it must provide failsafe protection to the link it is attached to. So our network TAP will go into Failsafe mode keeping the link flowing.

Glossary

  1. Single point of failure: a risk to an IT network if one part of the system brings down a larger part of the entire system.

  2. Heartbeat packet: a soft detection technology that monitors the health of inline appliances. Read the heartbeat packet blog here.

  3. Critical link: the connection between two or more network devices or appliances that if the connection fails then the network is disrupted.

NETWORK MANAGEMENT | THE 101 SERIES