The technology exists. It just isn’t being marketed and sold for this need.

The majority of ICS related cloud services currently deployed are for predictive maintenance and performance analysis. These are ‘open loop’ services. Open loop in the sense that the cloud services do not need to send any data back to the ICS. A data diode / one-way device is the ideal security solution for these services. It’s physics, not software, that prevents any data from being sent back from the cloud to the ICS.

Products from one-way market leaders Waterfall, Owl, and others will meet the one-way need, and the prices are going down. Ideally a one-way device would be an option for any open loop cloud service. They are seen in a small percentage of deployments, typically for highly security-conscious asset owners. Most of the cloud services providers don’t recommend or offer the one-way devices, and often fight their being included. They add complexity to the project, and more importantly they block the way to two-way / closed loop services.

The vendor that supplied the physical equipment, integrated the system or has domain expertise can offer not only to monitor and suggest changes to the process, but also to make the change for the asset owner from the cloud. This forms a ‘closed loop’ with the requirement to allow data from the cloud to the ICS. 

The knee-jerk reaction for most ICS security professionals is, “we don’t want to ever allow this. What if the cloud service provider was compromised? They then could control our process. This is bad.” 

The real question should be what benefits will the asset owner receive from this service and what is the maximum consequence of a compromised, gone rogue cloud service?

A real-world, simple example is a boiler. There are cloud services monitoring boilers that offer the option for the cloud service to adjust a small number of settings to improve performance as conditions vary. They can calculate improvements in boiler efficiency and turn this into a hard number of money saved.

What is the maximum consequence of compromise of this closed loop service? With the typical cloud service offering, it is quite large. The security is a VPN between the cloud service and the ICS that gives the service provider unfettered access to the ICS. The limitations are simply the service provider only doing what they promised to do and no more. Of course, an attacker who compromised the cloud service provider would feel no restrictions. 

What is needed for these closed loop systems is an edge device with deep packet inspection (DPI) that will limit the cloud service provider to only the capabilities they are hired to perform. In our boiler example, the cloud service provider could modify a small number of registers and a range for the modifications could be specified. The maximum consequence with this protection would be less efficient boiler operations during the period of attack.
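The register-and-range restriction described above can be sketched as a default-deny check on each request arriving from the cloud. This is an added example, not code from the original post or from any vendor product; it assumes the boiler controller speaks Modbus/TCP (the post says only "registers"), and the register addresses and ranges are constructed for illustration.

```python
import struct

# Hypothetical policy for the boiler example: holding-register address -> (min, max).
# Addresses and ranges are constructed for illustration.
ALLOWED_WRITES = {
    100: (60, 85),    # e.g. supply temperature setpoint
    101: (10, 40),    # e.g. excess-air trim
}
WRITE_SINGLE, WRITE_MULTIPLE = 0x06, 0x10


def inspect(frame: bytes, policy=ALLOWED_WRITES):
    """Return (allowed, reason) for one Modbus/TCP request arriving from the cloud."""
    if len(frame) < 8:
        return False, "truncated frame"
    _tid, proto, length, _unit = struct.unpack(">HHHB", frame[:7])
    # MBAP length counts the unit id plus the PDU; reject anything inconsistent.
    if proto != 0 or length != len(frame) - 6:
        return False, "malformed MBAP header"
    func, body = frame[7], frame[8:]
    if func == WRITE_SINGLE:
        if len(body) != 4:
            return False, "bad PDU length"
        writes = [struct.unpack(">HH", body)]
    elif func == WRITE_MULTIPLE:
        if len(body) < 5:
            return False, "bad PDU length"
        start, qty, nbytes = struct.unpack(">HHB", body[:5])
        if qty == 0 or nbytes != 2 * qty or len(body) != 5 + nbytes:
            return False, "bad PDU length"
        values = struct.unpack(f">{qty}H", body[5:])
        writes = [(start + i, v) for i, v in enumerate(values)]
    else:
        # Default deny: reads, diagnostics, coil writes and everything else.
        return False, f"function 0x{func:02x} not permitted"
    for addr, value in writes:
        if addr not in policy:
            return False, f"register {addr} not permitted"
        lo, hi = policy[addr]
        if not lo <= value <= hi:
            return False, f"value {value} outside {lo}-{hi} for register {addr}"
    return True, "ok"


def build_write_single(addr, value, tid=1, unit=1):
    """Construct a sample write-single-register request (test input only)."""
    pdu = struct.pack(">BHH", WRITE_SINGLE, addr, value)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu
```

With a policy like this, a compromised provider can at worst push the listed setpoints to the edge of their approved ranges; every other function code and register is dropped at the edge device.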

The good news is the product category, originally created by Eric Byres and the Tofino team, that does this DPI has been around for over a decade. Mindshare for this product category has diminished due to acquisitions leading to many of the offerings being small parts of large companies now. The over half-billion venture capital dollars poured into the ICS detection space has also reduced their marketing impact.

Ideally a cloud service provider would partner with a company that could provide open and closed loop security solutions and offer these as a paid option to their customers. Often both would be used: one-way wherever possible, and the minimal, approved control capability enforced using DPI. The provider would then be prepared in advance for the “what about the security” question.

The potential players in the ICS security product market could include:

  • The leading one-way vendors, Waterfall and Owl. They have the product for open loop / predictive maintenance and just need to come up with a DPI product. They could build it in house with their protocol expertise or by acquiring one of the companies failing in the detection or industrial firewall space. It is a graceful way for them to escape the “one-way is the only way” trap.
  • Bayshore Networks is the only company I can think of today (who am I missing?) that already has both products. There is only a marketing and positioning exercise to go after this market. They don’t have the market presence and this is pioneering work, much like the early days of one-way. Still a pivot to being the ICS cloud services edge device is there for the taking.
  • Other industrial firewall companies.
  • Microsoft … it’s why Bayshore or others trying to take this market may be high risk. Microsoft’s acquisition of CyberX and the increasing ICS intelligence and DPI in their edge device makes this possible. It could be the de facto answer for getting ICS data to Azure. The question is whether Microsoft will build the right product or try to use its market power to force the easier product on the market. If it is the latter, it is an opening for another vendor to go after the security conscious asset owner. Of course, if Microsoft has some success we will see similar from AWS.
  • A startup. They could begin with a focused branding strategy.

Ultimately it will depend on what the asset owner customers demand or request. Will the current mode of VPN tunnel into the ICS / feel free to make yourself at home / I trust you be acceptable to asset owners? If yes, then cloud service providers will not complicate their lives with security and limitations.