Protecting Critical Infrastructure from portable media threats
According to research performed by Lloyd’s of London insurer, Aegis London, “in the first half of the 2013 fiscal year, the US Department of Homeland Security’s Industrial Control Systems–Computer Emergency Readiness Team responded to more than 200 incidents, 53 per cent of which were in the energy and utility sector, and many of them sponsored by states such as China”. Efforts to improve the security of critical infrastructure systems like nuclear power plants and water treatment facilities have accelerated at a rapid rate since the issuance of US Executive Order 13636 Improving Critical Infrastructure Cybersecurity, on February 12, 2013.
As attacks become more sophisticated and digital control systems increase in complexity and levels of automation, it is increasingly difficult to prevent threats from impacting the operation of critical infrastructure. As a security measure, most critical infrastructure systems are air-gapped, or isolated from external networks. Because of this, portable media is a primary vector for cyber-attack; it is often the only way to transport files to and from secure areas. As key attack vectors for malware, it is extremely important that extra attention is placed on securing the portable media devices that are brought in and out of a secure facility.
While imperative to the protection of critical infrastructure, securing portable media devices is not easily done, and there are many requirements that can impact the portable media security policies for operators of critical infrastructure. In many cases, there is no single source for an organisation’s portable media security policy, and individual facilities may require unique security policies.
This article outlines a secure data workflow which organisations can implement in order to balance their security needs against their operational requirements, as well as how best to approach the crafting of security policies that address the inclusion of portable media while ensuring adherence to EO 13636.
Security Balancing Act
When making decisions about security policies for a critical infrastructure facility, the costs of implementing a stricter policy need to be weighed against the potential costs that could result from the failure of a weaker policy. The solution for each organisation will vary based on the requirements necessary to meet their security and business objectives.
Increases in digital security rarely come without a corresponding increase in operating costs. These costs include purchasing a security solution, implementing this security solution, and finally managing and maintaining the solution. Initial costs often include the physical infrastructure necessary to deploy the solution, such as servers, kiosks and networks, as well as the consulting services that are often required to implement the solution correctly.
Following the solution deployment there will be ongoing costs, which include the monitoring and management of the solution, keeping the solution up-to-date, and educating employees. Employees must be trained on the new security policy and associated procedures, which often results in a temporary reduction in productivity as employees acclimate to the new security processes and procedures.
That said, these expenditures must be weighed against the costs of a potential security breach, which can be enormous. Facilities may be forced to suspend operations if the breach is serious enough; the monetary impact of even a temporary shutdown is difficult to calculate given the nature of the industry. There are also the remediation costs, the forensics to assess the damage as well as the removal of any malware that has found its way into the secure network. Coupled with this is the significant productivity loss, as employees’ usual workflow is hampered during the investigation and cleanup effort.
Monetary damages aside, there are other costs that may result from a security breach. The impact to an operator’s reputation can be serious, criminal liability and class-action lawsuits may follow if others are negatively impacted. Depending on the breach, the loss of classified or sensitive information is also a possibility, the financial impact of which may be hard to quantify. Finally, by definition, any operator of critical infrastructure provides services to the public, which, if disrupted, will have significant negative impacts (such as power outages) on many individuals and groups outside of the operator itself.
Defining Acceptable Media and Content
Defining a portable media and content strategy is key to a secure data workflow policy. As with all security programs, development of a program and policy should consider the business and technology requirements and limitations of an organisation.
When developing a secure data workflow policy, organisations should first define what types of portable media are acceptable and how they can be used. In secure facilities, the standard policy is to restrict the types of media and files to only those necessary for employees to perform their jobs successfully. For example, if there is no business reason for USB drives in a facility, these should be prohibited to eliminate the risk they introduce. Another facility may decide to only allow USBs and CD/DVDs and ban other types of portable media like external hard drives. For example, if an external storage device has multiple partitions or is not a read-only device it could be classified as a high security risk and therefore not adhere to the secure data policy.
The same is true for limiting the files that are permitted by an organisation’s security policy. Administrators may choose to limit the file types that are allowed; for example, banning executable file, but allowing document files. Administrators could also filter files based on their properties; for example, limiting files to a specific size or blocking any encrypted files where a password has not been provided.
Designing Secure Data Workflows
The secure data workflow policy within a critical infrastructure facility, especially pertaining to physical media being brought from an insecure environment into a secure network, should attempt the highest level of precaution achievable. The best security policies have multiple layers of protection, to guard against many types of threats, both known and unknown. This defence-in-depth strategy will minimise the risk of any one threat getting past all of the security layers. A secure data workflow should leverage threat protection methods including:
User authentication and source verification: Prevent unauthorised users or sources from bringing in data and facilitate logging for future auditing;
File type analysis and filtering: Prevent risky file types from entering the facility, including files that have spoofed extensions;
Multiple anti-malware engine scanning: Detect threats that are known by any of the many commercial anti-malware engines, and leverage many varying heuristic algorithms to detect zero-day attacks;
Document sanitisation: Further protect against unknown threats by using sanitisation methods to strip potential threats out of documents and images.
A common implementation of the above referenced data workflow are kiosks stationed as check points at the entrance to secure facilities. Kiosks provide the bridge for any data entering a secure facility, so that the workflow can be controlled and known and unknown threats can be kept out of the facility. Anyone entering a secure area would be required to use the kiosks to scan all portable media drives before the devices are allowed entry. The kiosks would confirm the user, the source, the file type, look for any malicious partitions and malware, and determine whether the device is secure or if it requires further inspection. An administrator can then also add enforcement of the specific media devices that are allowed into the facility. For example, allowed media devices could be restricted to known, pre-screened portable media that are trusted to be “clean”. Any files allowed through the secure data policy above would need to be copied to the trusted drives before entering the secure facility. This workflow ensures that no portable media enters a secure area without first passing through a full data security analysis.
Common architectures for a kiosk-based secure data workflow can include: standalone kiosks, kiosks networked together, and kiosks connected to a centralised scanning server. These solutions can be connected or disconnected from the Internet depending on the facility’s level of security, and the desire for ease of management.
Weighted and quantified
The most efficient method of protecting a facility against the threats potentially found on portable media is a difficult one to establish for operators of critical infrastructure. There are many aspects that impact how a secure data workflow is defined and implemented, including the types of portable media expected to be brought into a facility by employees, outside contractors, and visitors. Each should be weighted and quantified to define a strong and robust secure data workflow policy that allows an organisation to operate in the most secure and productive way possible.
A critical infrastructure facility should err on the side of caution and develop secure data policies that are as restrictive as possible, but flexible enough to evolve with an organisation’s shifting security and business needs. An administrator should evaluate various data security policies, measure the benefits and costs of each one, and determine how to successfully implement the security solution. The best policy will be one that takes a facility’s specific business and technology needs into account and is designed accordingly.