Mitigating ICS Threats

Blast furnaces use carbon monoxide to remove oxygen from iron ore. It’s a simple chemical process, but the operation of a live blast furnace is anything but simple. Several years ago, unnamed hackers broke into a German blast furnace and caused significant damage to the infrastructure. Luckily, no one was killed. The attack was initiated through mundane office IT systems, followed by traversal to the OT-managed industrial system.

A process called photolithography is used in micro-fabrication to transpose a geometric pattern to a substrate. This is how you make printed circuit boards and microprocessors. Several weeks ago, a Japanese optical manufacturer of the photomasks that support this process was hacked, resulting in their industrial output levels dropping by 60%. The attack came in through normal IT channels and included cryptomining drops.

Industrial safety shutdown systems use triply-redundant modular functions that vote on suitable decisions based on inputs. A couple of years ago, an oil and gas petrochemical facility was hacked severely, resulting in an unwanted safety shutdown. The redundant safety devices were apparently open and vulnerable to detection from hackers, which allowed them to be programmed into a failed state.

All these complex incidents – and it would be easy to go on and on – illustrate the challenges that result when OT systems become accessible to threats via conventional IT networked systems. All demonstrate the significant weaknesses that are inherent in modern gateways designed to provide effective separation of IT and OT systems. Changes are urgently required to this poor security set-up, and the timeframe is immediate.

It was thus welcome to have the opportunity last week to catch up with the fine security experts at Bayshore Networks. They were kind enough to share with me recent advances in their OT security platform. I’d first become interested in their work several years ago, so it was fun to do a fresh dive into the details of their solution approach. My time was well-spent and I’ll share below what I learned from the team.

“The best defense against cyber threats to factories, plants, and other industrial control systems is a modular platform that combines uniform, inline protection across multiple security functions,” explained Toby Weir-Jones, who runs Product for Bayshore. “The platform functions should include asset discovery, policy enforcement for OT protocols, data diode support, and secure remote access – all configurable based on local needs.”

Bayshore’s platform addresses the fact that industrial environments differ from enterprise IT environments in a crucial way: Any compromise, malicious or accidental, will have immediate, real-world, irreversible consequences Any solution to save an industrial operator from exposures and costs must therefore offer real-time protection. Bayshore’s policy engine provides exactly that across its four core products. They call this approach OTanywhere.

Toby explained to me how ICS security teams should demand modularity in the context of the Purdue model. Level 0 and 1 protections should focus on the sensors and continuous controls required in the cell area zones. Level 2 protections must address supervisory tasks supporting operators. Level 3 security should create OT security zones via remote access and site operations. And level 4 and 5 protections should connect the OT, IT, and enterprise.

Bayshore supports these modular requirements with a platform that includes four primary components. The Bayshore Lighthouse component provides automated, continuous, passive monitoring of the OT environment. It is designed to enforce protection policies for new and legacy OT systems, and uses machine learning to adapt to new cyber threats to the OT environment. Bayshore stresses ease of deployment and use in the design of this component.

The Bayshore SCADAfuse capability is designed to reside next to endpoints in the OT environment, including PLCs and SCADA devices. The goal is to stop unauthorized usage, unusual commands, remote takeovers, and dangerous executions that might be initiated by some unknown source. Management of SCADAfuse includes bypass for traffic throughput to ensure support for normal, authorized communications.

The Bayshore SCADAwall function, which is being released later in 2019, includes a valuable data diode capability. OT security teams have come to recognize the value of supporting unidirectional communications from OT environments back to IT management control systems. The security goal, of course, is to prevent malware from traversing IT/OT gateways to infect critical ICS systems and software.

Finally, the Bayshore Beacon component includes support for secure remote access in the context of critical ICS/OT environments. Many OT security teams must rely on off-the-shelf IT VPN products today, but would prefer a remote capability designed specifically for industrial environments such as manufacturing or energy, where the security requirements are intense and remote access must be carefully set-up and monitored.

“These modular functions are designed to give both IT and OT security teams a variety of options in reducing the threat to ICS systems,” Weir-Jones explained. “We have been working in this area for many years, and the platform is the culmination of our understanding of how best to provide modern cyber security. Organizations that deploy Lighthouse, SCADAFuse, Compass, and Beacon will truly be ahead of the game.”

I asked Weir-Jones how Bayshore deals with IT and OT security staff, and the inevitable differences that arise in backgrounds, skills, and interests. He shared that differences doexist today, but that Bayshore sees a convergence in the skill sets and focus areas between IT and OT teams. The IT/OT gateway has gradually evolved to a more familiar component in industrial environments, and staff supporting it are beginning to work together well.

I also asked Weir-Jones about compliance in OT security and whether this was influencing platform design. He shared that Bayshore directly addresses the framework requirements found in important security standards such as the NERC Critical Infrastructure Protection (CIP). This did not surprise me, because my team at TAG Cyber sees the importance placed on these compliance standards in ICS environments, most of which are highly regulated.

From an analyst perspective, the biggest risk I see for Bayshore Networks, and any other security vendor focused on ICS, is that they must deal with most capable and advanced malicious adversaries in the world. Offensive campaigns launched against OT systems are usually among the most impressive attacks ever seen (witness Stuxnet), so developing security solutions in this area is no cake walk.

But I think Bayshore Networks is well-positioned to succeed in this area. They come from good technical roots, and have been serving ICS customers for many years. The platform they’ve built certainly appears to include the correct types of protection functions. My guess is that as they continue to grow, they will have to maintain nimble updates to deal with that super-capable set of adversaries, but those are table-stakes for ICS security vendors.

If you work in this area, then I suspect you already know Bayshore Networks. But if not, then Toby Weir-Jones is ready and waiting for your call. Ask him to take you through the overall platform and to help explain how it can be integrated into your environment. Perhaps the German blast furnace and Japanese photomask manufacturers might have had different threat outcomes had they been in touch with Bayshore in advance.

As always, let us know what you learn.