Unidirectional Security in SCADA

The good security practice for getting security updates to an ICS is well understood. A server on the SCADA or DCS network pulls the security updates from the ICS DMZ. The ICS DMZ pulls them from the corporate network, which pulls them from the Internet. You will see this in multiple ICS security guideline documents and most assessment reports … if the ICS security perimeter is a firewall.

Now imagine you have upgraded your ICS security perimeter to a unidirectional security gateway. The ICS can still push process data out to the DMZ for use on the corporate network, but the physics in the unidirectional security gateway prevents all communication from the DMZ to the ICS network.

In a one-way world, how do you get security updates, such as antivirus signatures and security patches, to the systems on the SCADA or DCS networks?

We see two ways to do it, neither perfect, but loyal blog readers may have additional ideas for this happy problem.

  1. Sneakernet with a dedicated USB drive that is scanned for malware. This is obviously not perfect because there is no way to guarantee the USB drive is not infected, even with appropriate security controls. And yes, this is a flow of information into the ICS so it is not completely air gapped or one-way.
  2. Deploy an inbound unidirectional security gateway with modules for the security update protocols.

The second option is a bit unusual. Typically a unidirectional security gateway allows communication only from the more sensitive/important network to the less sensitive/important network. This inbound use would instead allow communication only from the DMZ to the ICS network. These unidirectional products offer modules that allow anti-virus signatures and Microsoft security patches to be sent one-way.

With the inbound one-way solution it is possible for an attacker to send properly formatted data on the right port through the unidirectional security gateway. In this case it could be a rogue signature that would stop the ICS or a security patch that is in fact some attack code. Of course this was also possible in the firewall scenario, but the whole idea of deploying a unidirectional security gateway is to improve security over a firewall.

Neither solution is ideal, but which is better? At this point (we are still looking for the best solution) frequency is the key determinant. If an owner/operator is only applying security patches every quarter, then the USB drive sneakernet solution is preferred. It does not leave an inbound data transfer capability open at all times when it is only needed for a very short window four times a year. There is also the cost issue of deploying a unidirectional security gateway for this limited use.

Antivirus signatures represent the opposite timing situation. Many owner/operators are updating these signatures daily or bi-daily. That frequency raises operational issues and makes it doubtful that a manual update would reliably occur every time. In addition, statistically the risk related to an infected USB drive increases with each data transfer use. This is a better case for the inbound one-way solution.

There is no clear cut right answer to this, and it likely will be influenced by the individual owner/operator environment and culture. Gun to my head, forced to choose, I would select the USB drive data transfer option with stringent security controls on the process.
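One such process control, as an added example that is not from the original post: before anything on the dedicated update drive is applied, every file is checked against an allow-list manifest of expected files and SHA-256 digests obtained separately from the drive (for example read off the vendor site on the corporate network). A drive carrying a swapped patch, a missing signature file, or any unexpected file fails the check. File names, digests and drive contents are constructed for the demo.

```python
# Added example: allow-list check for a sneakernet update drive. The manifest
# travels separately from the drive, so a drive altered in transit fails.
# All paths and contents below are constructed for the demo.
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text: str) -> dict:
    """Manifest lines use sha256sum format: '<hex digest>  <relative path>'."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            digest, _, rel = line.partition("  ")
            expected[rel.strip()] = digest.lower()
    return expected


def check_update_drive(root: Path, manifest_text: str) -> dict:
    """Every file on the drive must appear in the manifest with a matching
    digest; extra files (autorun.inf, stray executables) fail the check."""
    expected = parse_manifest(manifest_text)
    found = {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}
    mismatched = [r for r in expected if r in found and sha256_file(found[r]) != expected[r]]
    missing = sorted(set(expected) - set(found))
    unexpected = sorted(set(found) - set(expected))
    return {"ok": not (mismatched or missing or unexpected),
            "mismatched": mismatched, "missing": missing, "unexpected": unexpected}


def demo() -> tuple:
    """Constructed drive: a clean pass, then a tampered patch plus a stray autorun.inf."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "patches").mkdir()
        (root / "patches" / "KB-placeholder.msu").write_bytes(b"constructed patch bytes")
        (root / "av_signatures.dat").write_bytes(b"constructed signature bytes")
        manifest = "\n".join(f"{sha256_file(p)}  {p.relative_to(root).as_posix()}"
                             for p in root.rglob("*") if p.is_file())
        clean = check_update_drive(root, manifest)
        (root / "patches" / "KB-placeholder.msu").write_bytes(b"altered in transit")
        (root / "autorun.inf").write_text("[autorun]\n")
        tampered = check_update_drive(root, manifest)
    return clean, tampered
```

Run `demo()` to see both results; in practice the manifest would be the vendor's published digests, and the drive is rejected whole on any failure rather than applying the files that did match.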

As part of this decision I would reduce the antivirus signature updates to weekly, unless there were specific malware signatures that were needed on an emergency basis. If there is a directed attacker trying to compromise your system, he will modify the malware so antivirus does not detect it. This is trivial. The antivirus is designed to detect mass market, known malware that happens to find its way to your ICS.

One final note – make sure you still have a secure emergency remote access method to the SCADA or DCS. There is another set of good security practices for this, but the three key items are: it is physically disconnected; it times out and physically disconnects after use; and it is rarely used.

Image by Bruce Berrien   … Does this look like a hipster hacker trying to go the wrong way?