Innominate has a PR type sending around a recent white paper, Post‐Stuxnet Industrial Security Zero‐Day Discovery and Risk Containment of Industrial Malware with the Innominate mGuard Technology. My last info on Innominate was they had a field firewall, similar to the Byre’s Tofino. They are based in Germany so we hear less of them in North America. The company lost an important OEM partner/reseller a few years back and was subsequently purchased by Phoenix Contact in 2008. So let’s take a look at the latest Innominate solutions and if they would have helped against Stuxnet.
The white paper first talks about protecting the PC from Stuxnet:
Due to the difficulties of deploying antivirus software on industrial PCs and with the timely provision of malware signatures, alternative techniques of integrity assurance are gaining relevance and acceptance for the protection of industrial systems. The mGuard CIFS Integrity Monitoring method, for instance, provides monitoring of configurable sets of files on PCs for unexpected modifications of executable code (CIFS or Common Internet File System denoting the file sharing protocol used by Windows and other operating systems). When initialized, it computes a baseline of signatures for all monitored objects and then periodically checks them for any deviations. This process works without any external provision of virus signatures, without the risk of disrupting operations through “false positives,” without installation of software, and with moderate load on the monitored PCs, by utilizing the processing resources of an mGuard security appliance. In this way, suspect modifications are reliably discovered and promptly reported via SNMP and E-mail to network management systems or responsible administrators.
The author has a point about signature based anti-virus solutions being ineffective against new attacks or even modified attacks. This is no longer an effective technology that may not be recommended by “security experts” in three years. The issue of the load of anti-virus, Host IPS or whitelisting on industrial PC’s has been largely addressed by owner/operators with more realistic PC refresh cycles. Almost all ICS vendors now support anti-virus on their systems, and a S4 paper by Andrew Ginter showed that Host IPS and whitelisting technology actually had a slightly lower performance impact than anti-virus. A better case may be if your ICS vendor doesn’t allow Host IPS or whitelisting, hereinafter just referred to as Host IPS, on their servers or workstations. The community has a way to go on this, but Emerson, Invensys and a few others are leading the way to Host IPS support.
But what is this mGuard CIFS Integrity Monitor and is it better than a Host IPS solution. The “without installation of software” points to an external monitoring solution, and in fact the CIFS Integrity Monitoring is part of an appliance, such as their mGuard Centerport or OEM solution. You can think of the CIFS Integrity Monitor as an external Tripwire-type solution.
While my preference would be strongly for the Host IPS approach, it is believable that the CIFS Integrity Monitor would have detected the Stuxnet changes on a PC.
The protection for the S7 PLC is also an external solution, basically a mGuard firewall that requires user authentication on the programming port. Basically authentication can be set for each firewall rule, and there are options for how long the IP address / authentication is active. Torsten Rossel of Innominate described it better in this email excerpt, inserted with his permission, below:
It allows you to define additional sets of firewall rules for individual users or groups which are not part of the standard static rule set but have to be dynamically activated by user authentication through the firewall’s WebGUI. Authentication can be against locally managed credentials or against RADIUS accounts. The special thing about user firewall rules is that they can implicitly refer to the IP address from which the authentication occurred as the “from” IP address for the authorized connections.
This means an authorized engineer with his programming notebook receiving changing IPs from DHCP every day will log into the firewall in front of the controller and programming access to the controller will exclusively be accepted for the IP from which he logged in. After a configurable static or dynamic timeout period that access will then automatically be blocked again.
This type of solution is being seen quite a bit in the North American electric sector where authentication for access to a substation is required if there is a Critical Cyber Asset there. Competitive products would be Subnet Solutions or the Teltone products that Industrial Defender purchased, as well as other industrial firewalls.
Conclusion: The white paper is accurate that these two solutions could have protected a Siemens system from Stuxnet. They may not be the most elegant approach, but the fact that they are all external solutions may be preferred by some owner/operators.
Photo by Sebastian Bergmann