Education of personnel is a key element in establishing an effective security strategy. Recognizing that unauthenticated connections between endpoints and cleartext communication can compromise current systems leads to the understanding that these weaknesses open the door to a man-in-the-middle (MITM) attack, a form of active eavesdropping. Coupled with a lack of accountability — inadequate authentication and authorization to strongly enforce access — it's easier to make unauthorized changes to the configuration of systems.
WHERE DO WE GO FROM HERE?
Properly addressing the aspects cited above provides a foundation for effective security. However, as technology advancements are introduced into the control systems environment, the need for vigilance will increase, as will the importance of applying best practices and techniques. Fortunately, new technology and process evolution should help us make a step change in control system security.
Four techniques should play a significant role in improving security over the next five years: 1) whitelisting; 2) encryption; 3) incident detection and response; and 4) remote security operations centers.
Whitelisting. Perhaps you're familiar with the "white list" approach in e-mail management — specifically, for eliminating spam while allowing the messages you want to receive. We see it today as a way to prohibit unapproved software/applications from running on the protected system. "Good" software makes its way onto the white list, while unauthorized software is kept from executing. Many enthusiasts believe whitelisting is a good safeguard against "zero day" intrusions (i.e., ones where defenders have no prior awareness of a vulnerability) — preventing some, but not all.
Whitelisting does put in place a capability to enable better change management, protecting against unauthorized alterations to the system configuration — an approach that might have provided some defense against Stuxnet. Some power companies now are implementing whitelisting as part of their critical infrastructure protection programs.
Forward-thinking whitelisting advocates are looking at advancements in the technology as a way to quarantine unauthorized software upon discovery, quarantine after blocking, enhance whitelist management, and produce a file system inventory that can accelerate verification of software on a hardware platform.
Whitelisting will be available for process control systems. Regardless of the depth of its initial usage, the technology will provide another layer of defense.
Encryption. A key issue today is that almost all communication on a control system is cleartext (a term sometimes used synonymously with plain text). This unencrypted text makes an MITM attack possible — allowing the intruder to "fake out" its victims, passing information as though it were a trusted endpoint, operating in a "trust the sender" scheme.
A solution is to encrypt communication. Encryption is the process of using an algorithm to transform text so "the message" is unreadable to anyone not possessing the encryption key. Encryption has a long history with the military and governments for secret communications. Today, we see it as a common method for protecting information in commercial systems and with wireless communication. One of the questions is where to encrypt the data — at rest or in transmission.
Encryption by itself can safeguard the confidentiality of messages, but protecting the integrity and authenticity of a message requires other techniques.
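The distinction between confidentiality and integrity can be shown in a few lines. The example below is added here and is not from the article: it uses a stand-in stream cipher built from Python's standard library (constructed keys and a constructed control message, all labelled as such), shows that a message protected by encryption alone decrypts without complaint after a byte is altered in transit, and shows that an appended HMAC tag (encrypt-then-MAC) rejects the same altered frame.

```python
import hmac
import hashlib

# Constructed demo keys and nonce, fixed so the example is deterministic. Real
# deployments generate keys randomly and never reuse a nonce under one key.
ENC_KEY = b"demo-encryption-key-0000000000000"
MAC_KEY = b"demo-mac-key-00000000000000000000"
NONCE = b"\x00" * 8


def keystream(key, nonce, length):
    # Counter-mode keystream from HMAC-SHA256: a stdlib-only stand-in for a real
    # CTR/stream cipher, chosen so the example runs without extra packages.
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, nonce, data):
    # XOR with the keystream; the same call decrypts. Like any stream cipher this
    # gives confidentiality only: flipping a ciphertext bit flips the matching
    # plaintext bit, and decryption reports nothing.
    return bytes(b ^ k for b, k in zip(data, keystream(key, nonce, len(data))))


def seal(enc_key, mac_key, nonce, plaintext):
    # Encrypt-then-MAC: the tag covers the nonce and the ciphertext.
    ct = encrypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return ct, tag


def open_sealed(enc_key, mac_key, nonce, ct, tag):
    # Verify before decrypting; compare_digest avoids a timing side channel.
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # integrity/authenticity check failed: reject the frame
    return encrypt(enc_key, nonce, ct)


def corrupt_in_transit(ct, index):
    # Simulate one byte being modified somewhere between the two endpoints.
    modified = bytearray(ct)
    modified[index] ^= 0x01
    return bytes(modified)


if __name__ == "__main__":
    msg = b"SETPOINT=050"  # constructed control message
    ct, tag = seal(ENC_KEY, MAC_KEY, NONCE, msg)
    bad_ct = corrupt_in_transit(ct, 9)
    print("encryption only, altered frame decrypts to:", encrypt(ENC_KEY, NONCE, bad_ct))
    print("encrypt-then-MAC, altered frame yields:", open_sealed(ENC_KEY, MAC_KEY, NONCE, bad_ct, tag))
```

Run as a script, the encryption-only path silently turns the setpoint into a different value, while the MAC-protected path returns None and the receiver can log and discard the frame.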