Network Security: Critical System Defense
By Thomas P. Gresham, CISO, Port of San Diego
Before the Internet, Information Technology (IT) networks were self-contained and relatively free from cyberattacks. Now it is commonplace to read about data breaches, website defacements and system outages. Every business supported by IT should know which applications or systems are critical to the survival of the organization. This could be an Enterprise Resource Planning (ERP) system holding financial records or an Industrial Control System (ICS) such as an HVAC or building access control system.
Organizations frequently run a flat network, meaning that all systems share the same connectivity and the same level of cybersecurity. The problem this creates is that once an attacker breaches one system, they are often free to move laterally within the organization's network in search of more attractive targets. The 2013 Target breach is a notable example: attackers used network credentials stolen from Target's HVAC contractor to get onto the corporate network and then moved laterally. Target's business-critical point-of-sale (POS) system was eventually located and compromised, and Target reported $252 million in breach-related expenses. The Target incident illustrates what can happen when interconnections between systems are not properly protected. Businesses are often unaware of the exposure created by building connections between systems, and this increasing connectivity is creating new avenues of access for attackers.
Critical System Identification
The first step to protecting critical systems within a network is to identify which systems require additional safeguards, based on the value they provide to the organization. An inventory should be taken based on the value of the information each system holds, and a risk assessment performed to estimate how much it would cost if the system were taken offline. It is likely to be cost prohibitive to enhance cybersecurity across all systems within an enterprise, so the results of the critical system assessment should determine where to allocate funding for more stringent safeguards.
A simple tier model may be used to group systems into categories of importance. For example, an HVAC system controlling a server room's temperature and humidity will be categorized as high importance, because the other systems running on those servers will shut down if cooling is lost. A moderate system might be an HR system that, while important, can tolerate a certain degree of downtime. Low systems are those with little or no impact on operations should they be compromised.
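The tier model above has a subtlety worth making concrete: the HVAC system is rated high not because of its own value but because of what depends on it. The following is an added example (not part of the original article) that tiers a constructed inventory by outage cost and then propagates tiers along dependencies, so that a support system is never rated lower than the systems it holds up. The system names, cost figures and thresholds are assumptions for illustration.

```python
"""Tier an inventory by outage cost, then propagate tiers along dependencies
so that support systems inherit the tier of whatever they hold up (the HVAC
case above). Systems, costs and dependencies are constructed for this example."""
from collections import defaultdict

TIERS = ["low", "moderate", "high"]   # index = rank

# name -> (estimated cost per hour of outage in USD, systems it depends on)
INVENTORY = {
    "erp":             (50_000, ["dc01", "hvac_serverroom"]),
    "pos":             (80_000, ["dc01", "hvac_serverroom"]),
    "hr":              (2_000,  ["dc01"]),
    "intranet_wiki":   (50,     ["dc01"]),
    "dc01":            (500,    ["hvac_serverroom"]),   # directory server
    "hvac_serverroom": (100,    []),                    # cheap on its own
}


def base_tier(cost_per_hour, high=10_000, moderate=1_000):
    """Tier from outage cost alone. Thresholds are assumptions for the example."""
    if cost_per_hour >= high:
        return "high"
    if cost_per_hour >= moderate:
        return "moderate"
    return "low"


def assign_tiers(inventory):
    """Return {system: tier}, where each system is at least as critical as
    every system that (directly or transitively) depends on it."""
    tiers = {name: base_tier(cost) for name, (cost, _) in inventory.items()}
    dependents = defaultdict(list)          # support system -> who needs it
    for name, (_, deps) in inventory.items():
        for dep in deps:
            if dep not in inventory:
                raise KeyError(f"{name} depends on unlisted system {dep}")
            dependents[dep].append(name)
    changed = True
    while changed:                          # iterate to a fixed point; tiers only rise
        changed = False
        for name in inventory:
            inherited = max((TIERS.index(tiers[d]) for d in dependents[name]), default=0)
            if inherited > TIERS.index(tiers[name]):
                tiers[name] = TIERS[inherited]
                changed = True
    return tiers


def by_tier(tiers):
    """Group for the funding discussion: which systems get the stricter safeguards."""
    return {t: sorted(n for n, tier in tiers.items() if tier == t) for t in TIERS}


if __name__ == "__main__":
    for tier, names in by_tier(assign_tiers(INVENTORY)).items():
        print(f"{tier:9s} {', '.join(names)}")
```

With this inventory the directory server and the server-room HVAC both end up in the high tier even though their own outage cost is trivial, which is the point of the HVAC example in the text. The loop converges because a tier can only rise and there are three of them; a dependency on a system missing from the inventory is rejected rather than silently ignored, since an unlisted dependency is exactly the kind of exposure the article warns about.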
Critical System Defense
Attackers are targeting critical systems at an increasing rate, emboldened by recent successful attacks. For example, hospitals became active targets after Hollywood Presbyterian Medical Center in Los Angeles paid about $17,000 (40 bitcoin) in February 2016 to decrypt medical systems crippled by ransomware. Speculation as to the source of the attack points to a malicious email attachment opened by a medical center employee.
A short-term, low-cost mitigation for critical systems is the regular application of security patches. Vendors provide updates to firmware and operating systems that remediate vulnerabilities as they are discovered. As system vulnerabilities are patched, many of an attacker's exploit techniques become ineffective. Many organizations are hesitant to take a critical system down for patch maintenance, but with proper planning, testing on a non-production copy and vendor involvement, unanticipated patching problems can be minimized.
In the long run, however, organizations should segment critical systems off from the general computer network. This is especially important for legacy systems that cannot be patched or that use hard-coded credentials. Internal segmentation slows or stops an attacker who has a foothold elsewhere from reaching higher-security systems.
These segmented networks, known as network enclaves, can be created through a variety of mechanisms, each varying in cost and security strength.
A network Access Control List (ACL) is a control gate on a router or switch that permits or denies traffic in and out of one or more subnets. This approach is easy to implement at low cost, but it is the least secure method: ACLs are typically stateless, so to let reply traffic back into the enclave they must permit broad inbound ranges, and an attacker who has compromised any host permitted by those rules can reuse them as a pivot point into the enclave.
A more effective method is to deploy internal firewalls. Locating critical systems behind a stateful internal firewall still allows communication between networks, but inbound traffic is accepted only as the return leg of connections the enclave opened or through explicitly permitted paths, and every connection can be logged and audited.
At the far end of the protection spectrum is the creation of a unidirectional network enclave. This mechanism is costly but very effective. A unidirectional network (also referred to as a unidirectional security gateway or data diode) is a network appliance or device that allows data to travel in one direction only. These devices are frequently used in classified national security environments, but they have applicability to the private sector. In effect, critical systems can send statistics and other vital metrics outbound to other networks, while no data can travel inbound to the critical systems from outside networks, not even the acknowledgements of a two-way protocol, so outbound transfers must use one-way protocols or proxies on each side of the device. System administration can only occur from within the protected enclave, which means the enclave needs its own patching, logging and administrative workstations.
Granted, such enclaves add administrative overhead, but the added security can mean the difference between a minor intrusion and a full-blown breach of a critical system.
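To make the difference between the three mechanisms concrete, the following is an added example (not from the original article and not tied to any vendor's product) that models each design as a flow policy and pushes three constructed packets through it: the HVAC controller sending syslog metrics to a SIEM on the corporate network, the SIEM's TCP reply, and an attacker on the corporate LAN who sources a probe from port 514 to reach SSH on the controller. Zones, addresses and port choices are assumptions for illustration.

```python
"""Flow-policy model of the three enclave designs discussed above: a stateless
ACL, a stateful internal firewall with an audit log, and a unidirectional
gateway (data diode). Zones, addresses and flows are constructed for this
example; nothing here reflects a particular vendor's product."""
from dataclasses import dataclass

CORP, ENCLAVE = "corp", "enclave"
HVAC, SIEM, ATTACKER = "10.9.0.10", "10.1.0.50", "10.1.0.99"  # constructed addresses
SYSLOG = 514   # the one service the enclave legitimately sends to


@dataclass(frozen=True)
class Flow:
    """One packet/direction, judged by 5-tuple plus the zone on each side."""
    src_zone: str
    src: str
    sport: int
    dst_zone: str
    dst: str
    dport: int
    proto: str = "tcp"

    def reverse(self):
        return Flow(self.dst_zone, self.dst, self.dport,
                    self.src_zone, self.src, self.sport, self.proto)


def acl_allows(flow):
    """Stateless ACL: every packet is judged alone. For the SIEM's TCP replies
    to reach the HVAC host, an inbound permit for 'source port 514' is needed,
    and the ACL cannot tell a genuine reply from a packet an attacker in the
    corporate zone crafts with the same source port."""
    if (flow.src_zone == ENCLAVE and flow.dst_zone == CORP
            and flow.dst == SIEM and flow.dport == SYSLOG):
        return True
    if flow.src_zone == CORP and flow.dst_zone == ENCLAVE and flow.sport == SYSLOG:
        return True   # the pivot point: any corp host can source from 514
    return False


class StatefulFirewall:
    """Internal firewall: inbound packets are accepted only as the return leg
    of a connection the enclave itself opened, and every verdict is logged."""

    def __init__(self):
        self.conntrack = set()
        self.audit = []

    def allows(self, flow):
        if flow.reverse() in self.conntrack:
            verdict = True                                   # established reply
        elif (flow.src_zone == ENCLAVE and flow.dst_zone == CORP
              and flow.dst == SIEM and flow.dport == SYSLOG):
            self.conntrack.add(flow)                         # enclave-initiated
            verdict = True
        else:
            verdict = False
        self.audit.append(("ACCEPT" if verdict else "DROP", flow))
        return verdict


def diode_allows(flow):
    """Unidirectional gateway: direction is the only test. Nothing enters the
    enclave, not even TCP acknowledgements, so enclave-to-corp transfers must
    use one-way protocols (UDP syslog) or proxies on each side of the diode."""
    return flow.src_zone == ENCLAVE and flow.dst_zone == CORP


def evaluate():
    """Push three constructed flows through each design and return the verdicts
    in the order (outbound metrics, SIEM reply, attacker probe)."""
    outbound = Flow(ENCLAVE, HVAC, 40001, CORP, SIEM, SYSLOG)
    reply = outbound.reverse()
    # attacker on the corporate LAN sources from 514 to hit SSH on the controller
    probe = Flow(CORP, ATTACKER, SYSLOG, ENCLAVE, HVAC, 22)
    fw = StatefulFirewall()
    flows = (outbound, reply, probe)
    return {
        "acl": [acl_allows(f) for f in flows],
        "firewall": [fw.allows(f) for f in flows],
        "diode": [diode_allows(f) for f in flows],
    }


if __name__ == "__main__":
    for design, verdicts in evaluate().items():
        print(f"{design:9s} outbound={verdicts[0]} reply={verdicts[1]} probe={verdicts[2]}")
```

The ACL passes all three packets, including the attacker's probe, because it has no memory of which connections the enclave opened. The stateful firewall passes the metrics and the genuine reply but drops the probe, and its audit list records the drop for the security operations team. The diode passes only the outbound packet: the legitimate reply is blocked too, which is why diode deployments carry metrics over one-way protocols or terminate TCP in proxies on each side.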
In closing, every organization should identify and assess the risk associated with each IT system. Any system identified as critical should be afforded additional cybersecurity safeguards commensurate with the value of the service it provides. Critical systems should then be internally segmented from the rest of the network to provide the defense in depth that will slow or stop an attacker from breaching the organization's most valued assets.