Saturday, February 5, 2011

DHS Best Practice for Remote Access Falls Short

DHS's Control Systems Security Program (CSSP) group recently released their best practice on securing remote access to trusted networks like control systems and their semi-trusted demilitarized zones (DMZ).  The best practice can be viewed by clicking here.  Unfortunately, if we maintain the "think like a hacker" mentality, this document still falls very short of expectations, and is not far off of the NIST guidance document produced in September 2010.

In order to provide a comprehensive defense-in-depth strategy for remote access that addresses both internal (company) and external (non-company or contract) personnel, the focus has to be expanded from just providing basic authentication and confidentiality.  The solution needs to address the health of the endpoint, as well as provide a mechanism to restrict access to the trusted system once access is granted.


During the Fall Conference of the U.S. Dept. of Homeland Security's Control Systems Security Program (CSSP) Industrial Control System Joint Working Group (ICSJWG), I presented a paper on security remote access to control system networks.  The link to that presentation is provided here, as well as an agenda of the Fall conference.

The gap between the DHS best practice and my paper centers around a lack of definition of what the solution is trying to accomplish.  My approach focuses on a few key premises:
  • “Keep the bad guys out of the trusted network(s)”
  • “Keep the bad guys in (to contain the breach and minimize negative consequences)”
  • Completely isolate the remote client from specific networks (PCN, PIN, ELAN, WAN) that they have no reason to access
  • Encrypt all data in transit outside the enterprise
  • Monitor remote access traffic for any unusual or suspect activity
  • Correlate information from multiple-sources for rapid threat identification
  • Ability to quickly revoke access
  • Platforms are not company-controlled which limits applications, policies, etc.
  • Must consider various IT security policies including required firewall configurations, port access, etc.
This can only be accomplished when a solution is based on not only traditional Authentication, Authorization, and Accounting (which is what most solution tend to emphasis), but also Assessment, Remediation, Access Control, Monitoring, and Event Detection.  Only when all of these components have been installed will you have a solution  that not only control access, but also provides threat mitigation should there be a breach resulting from the authenticated access granted to an infected endpoint.

In order to accomplish, the solution needs to leverage existing Virtual Private Networks (VPN) that can be implemented with various appliances such as firewalls or software-based implementations like Microsoft's Forefront Threat Management Gateway (TMG).  One recommendation at this point is to create a separate VPN connection that will be used for trusted control system network access.  In doing so, it will facility both internal and external personnel.  Remember, you should not allow foreign, untrusted hosts to land on a network if you can avoid it - a hacker always says, if I can see a host, I can compromise the host!  Furthermore, you cannot always assume that an external user can support a thick-client that is often the case with IPsec-based VPN installations.  For this reason, consideration should be given to lighter clients for personnel who may access the network with platforms that are different to your corporate IT standards.

Next, it is essential to perform health assessment on the endpoints once they have been properly authenticated.  If this is not performed, it is possible to introduce malicious content directly on the trusted network, with little or no detection due to the encrypted nature of the VPN.  Assessment can be performed with various Network Access Control (NAC) products including Microsoft's Network Policy and Access Services role which can be assigned to Server 2008 hosts.

The next most vital step is to then restrict access between the remote host and the hosts resident on the trusted network.  This is best performed at the switch level using either policy-based switch (as with Enterasys products) or other technologies such as dynamic VLANs (RFC3580).  Any remote user should be restricted in the scope of hosts with whom they can communicate (directly or indirectly).

Finally, remote access introduces significant risk to the overall security posture of the solution.  For this reason, all remote access should be implemented with some form of intrusion monitoring and event monitoring applications to supervise the remote sessions, and generate alerts when any unusually activity is performed.  Most remote access solutions focus too much on protecting data in transit and guaranteeing some high-level of authentication.  They do not, however, provide much in the way of making sure that this "foreign" host meets the requirements of other nodes with which it can communicate on the trusted control system networks.

A remote access solution recommended by SCADAhacker would contain several of the following defense-in-depth strategies (the actual solution is based on the risk exposure of each installation):

  • Security risk assessment & quantification process to understand threats and the necessary Security Controls
  • Network segmentation (zones & conduits) process which often leads to multiple "functional" DMZs
  • VPN with encrypted tunnels
  • Strong multi-factor authentication
  • Virtual LANs - especially within the DMZs
  • Network access control for role or policy-based access (don't be afraid to try another vendor who may provide a product more tailored to remote access)
  • Secondary firewall from different vendor  - implementing firewalls in "series" for security rather than "parallel" for availability
  • Security information event management (SIEM)
  • Intrusion detection (IDS)
  • Security awareness & training program (eliminate split tunnels, use of certain public WiFi, etc.)
  • Incident response & forensics
  • Vulnerability testing to assess the resilience and strength of the implementation

If you have questions on any of this, or would like additional information, please feel free to drop me a note.

16 comments:

  1. Joel have you ever tried implimenting all of those controls with a 4g wireless link then using it operationally? In weak signal situations in particular?

    Whilst I agree that all of those controls and the method you have suggested will work and make a more secure endpoint

    Sometimes you have to turn some part or in some situations all or part thereof off in order to get any apreciable thruput!

    I have not seen any RP's come out for peer review for quite a while. I might see what is happeing with that process and maybe this is a good avenue to get involved and input these controls that you have described into the document.

    Ron Southworth

    ReplyDelete
  2. Ron, I thought you were part of the review group for the recommended practices? How long has it been since you were requested to do a peer review?

    Dave Kuipers

    ReplyDelete
  3. Unlike most of the other products endorsed by CSSP, I found the remote access best practice hard to consume.

    Maybe I'm slower than others or just not the intended audience but content analysis required very careful and time consuming reading (and re-reading).

    I'm all for roadmaps but IMHO a best practice shared in context of an evolutionary story probably needs to be emphasized in a large font bold face intro. Folks that quickly browse could easily imprint on some of the 'wrong way' illustrations.

    Sometimes I wonder if big confusing documents on security standards and practices are doing more harm than good. Are experts just writing to impress each other?

    Sorry to come out kind of critical, it is meant constructively. Remote access functionality is just too important. We need easy to consume advice in context of intended use cases.

    Consider Lofty Perch’s “The First Mile: Client Side Security for Remote Access to Control Systems” at ICSJWG as one example.

    ReplyDelete
  4. The goal of the CSSP is to help government and industry decrease cyber risk. With the new released practice of how to secure remote access, many bigger corporations might change the way they operate their network. This newly released practice will help secure many data.

    ReplyDelete
  5. IT service refers to the implementation of quality IT services that meet the needs of the business such as technical support for computing, networking, and telephony etc.Thanks admin for this post.
    IT Service

    ReplyDelete
  6. Thank you very much for sharing these informative and wonderful strategies.
    energy efficient lighting ct

    ReplyDelete
  7. The security at home is essential and must put all our security systemsSecurity on our site is very necessary to do safety systems to give us confidence and tranquility.
    voice and data cabling ct.

    ReplyDelete
  8. I want to thanks to share this documents with us and this is so nice and attractive

    ReplyDelete
  9. thanks for sharing this post.
    Spaceage security- 24V DC, 48V DC, BTS 4 channel DC energy power meter digital panel meter, remote energy monitoring, RS232, RS4852 Interface, for BTS telecom shelter multiple operator manufacturer supplier, distributor, dealer, exporter in india Delhi/NCR.

    ReplyDelete
  10. VIRUS REMOVAL

    Is Your Computer Sluggish or Plagued With a Virus? – If So you Need Online Tech Repairs
    As a leader in online computer repair, Online Tech Repairs Inc has the experience to deliver professional system optimization and virus removal.Headquartered in Great Neck, New York our certified technicians have been providing online computer repair and virus removal for customers around the world since 2004.
    Our three step system is easy to use; and provides you a safe, unobtrusive, and cost effective alternative to your computer service needs. By using state-of-the-art technology our computer experts can diagnose, and repair your computer system through the internet, no matter where you are.
    Our technician will guide you through the installation of Online Tech Repair Inc secure software. This software allows your dedicated computer expert to see and operate your computer just as if he was in the room with you. That means you don't have to unplug everything and bring it to our shop, or have a stranger tramping through your home.
    From our remote location the Online Tech Repairs.com expert can handle any computer issue you want addressed, like:
    • - System Optimization
    • - How it works Software Installations or Upgrades
    • - How it works Virus Removal
    • - How it works Home Network Set-ups
    Just to name a few.
    If you are unsure of what the problem may be, that is okay. We can run a complete diagnostic on your system and fix the problems we encounter. When we are done our software is removed; leaving you with a safe, secure and properly functioning system. The whole process usually takes less than an hour. You probably couldn't even get your computer to your local repair shop that fast!
    Call us now for a FREE COMPUTER DIAGONISTIC using DISCOUNT CODE (otr214427@gmail.com) on +1-914-613-3786 or chat with us on www.onlinetechrepairs.com.

    ReplyDelete
  11. 1 Problem: HP Printer not connecting to my laptop.

    I had an issue while connecting my 2 year old HP printer to my brother's laptop that I had borrowed for starting my own business. I used a quick google search to fix the problem but that did not help me.
    I then decided to get professional help to solve my problem. After having received many quotations from various companies, i decided to go ahead with Online Tech Repair (www.onlinetechrepairs.com).
    Reasons I chose them over the others:
    1) They were extremely friendly and patient with me during my initial discussions and responded promptly to my request.
    2) Their prices were extremely reasonable.
    3) They were ready and willing to walk me through the entire process step by step and were on call with me till i got it fixed.
    How did they do it
    1) They first asked me to state my problem clearly and asked me a few questions. This was done to detect any physical connectivity issues with the printer.
    2) After having answered this, they confirmed that the printer and the laptop were functioning correctly.
    3) They then, asked me if they could access my laptop remotely to troubleshoot the problem and fix it. I agreed.
    4) One of the tech support executives accessed my laptop and started troubleshooting.
    5) I sat back and watched as the tech support executive was navigating my laptop to spot the issue. The issue was fixed.
    6) I was told that it was due to an older version of the driver that had been installed.

    My Experience
    I loved the entire friendly conversation that took place with them. They understood my needs clearly and acted upon the solution immediately. Being a technical noob, i sometimes find it difficult to communicate with tech support teams. It was a very different experience with the guys at Online Tech Repairs. You can check out their website www.onlinetechrepairs.com or call them on 1-914-613-3786.
    Would definitely recommend this service to anyone who needs help fixing their computers.
    Thanks a ton guys. Great Job....!!


    ReplyDelete
  12. Superbly written article, if only all bloggers offered the same content as you,
    Computer Repair Sarasota

    ReplyDelete
  13. Anti-Eavesdropping App Encrypted, secured communication solutions for smartphones and telephony systems, including complete anti-tapping & anti-hacking solutions and apps; advanced SCADA cyber defense solutions.

    ReplyDelete
  14. Brilliant and exceptionally energizing site. Adoration to watch. Continue Rocking. www.ansonpc.com

    ReplyDelete
  15. I really wana thank you for providing such informative and qualitative material so often. wp themes

    ReplyDelete