Industrial control-focused security programs depend on firewalls to minimize the threat of intrusion into operations networks, but security practitioners often fail to account for their limitations. Most firewalls are deployed in many layers, but attackers can move through them one at a time using an extensive toolbox of methods. An article from Andrew Ginter for the International Society of Automation reviews 13 classes of firewall attacks, along with several mitigating actions available to security professionals.
The first class of firewall attack is phishing. Phishing attacks involve sending emails through a firewall, persuading the recipient to forfeit passwords or unknowingly download malware. To prevent phishing attacks, security professionals should use unidirectional gates to prevent externally generated emails into firewall-secured industrial networks.
The second class of firewall attack, social engineering, most often manifests as password theft. Attackers can simply physically search for written-down passwords or attempt to convince system administrators of their bogus credentials to receive a new password for an existing account or a new account entirely. Unidirectional gateways also prevent many social engineering attacks, as gateways cannot communicate attacks back to protected networks. Two-factor authentication also helps, since it requires more than just a password to access networks.
The third method for attacking firewalls covered in Ginter’s paper is to compromise a domain controller or other trusted external asset. In recent years, control systems have relied increasingly on IT domain controllers, domain name servers or enterprise resource planning servers, even though they may not be managed as safety-critical or reliability-critical assets. That means one controller can be made into a single point of failure for all others, making the entire network only as strong as its weakest link. To protect industrial networks, security professionals should not allow systems to trust a corporate domain controller.
Zero-day vulnerabilities, the fourth class of firewall attack, allow attackers to exploit never-before-attacked weaknesses in a network or device. Most systems utilize a signature-based network or host intrusion detection system, but these methods are ineffective against novel attacks. According to Ginter, industrial security researchers report finding a dozen or more zero-day vulnerabilities in each industrial network or software device they examine. Anomaly-based detection and prevention can detect some zero-day attacks, but application control and whitelisting systems are more effective preventive tools.
The fifth class of firewall attack is to attack exposed clients. Clients’ industrial software is as vulnerable as an operation’s industrial servers, and compromised servers on business networks can bring intrusions back onto industrial networks. A mistake as simple as downloading a file or pulling a webpage from an infected external server can result in a virus or malware on an industrial network. Ginter recommends not allowing industrial clients to access servers on less-trusted networks, either by changing firewall rules or deploying unidirectional gateways.
Session hijacking represents the sixth class of firewall attack. Attackers can insert their own commands into existing authenticated communications streams either on a segment of a local area network (LAN) or by impersonating a wireless hotspot. Consequently, communications sessions carrying commands should always be encrypted, and network users should be trained not to click through or ignore encryption error messages and warnings. Unidirectional gateways may also be employed to prevent the receipt of commands from less-trusted networks.
The seventh class of firewall is piggybacking on VPN commands. Malware on a trusted user’s computer terminal can traverse VPN connections ending in that computer, allowing attackers to launch remote attacks on industrial assets via VPN connections. Ginter suggests not allowing VPN connections to the industrial network through firewall or unidirectional gateway protection.
Firewall vulnerabilities constitute the eighth class of attack in Ginter’s paper. Firewalls, like all software, have defects. Some security defects discovered recently in industrial firewall software have been as basic as hard-coded passwords and security keys. Others are design vulnerabilities—security vulnerabilities that cannot be fixed because of their essential role in carrying out the software’s operation. The most effective mitigation for firewall vulnerabilities is to use hardware-enforced unidirectional gateways instead of software-based firewalls.
Ninth on the list are errors and omissions due to the complexity of modern firewalls. Minor errors can expose equipment to attack, and tracking down the original errors can be difficult. In this case, security professionals can deploy unidirectional gateways with hardware designed to protect industrial networks regardless of the software’s configuration.
Some attackers have attempted to forge IP addresses to persuade a firewall to accept communications. Forging an IP address is extremely simple, and works best if the attacking computer shares a LAN segment with the computer it will present itself as. To thwart IP forgeries, security professionals can use unidirectional gateways to block all access by untrusted networks regardless of IP address.
The next class of firewall vulnerability involves bypassing a network security perimeter. Non-obvious, unprotected paths from business to industrial networks, as well as rogue wireless access points set up by well-meaning insiders, can compromise network security. Physical network perimeters can also extend beyond security perimeters, exposing sections of a network to untrusted connections. Strict network monitoring can help detect new wireless connections and foreign IP addresses.
The twelfth firewall vulnerability on Ginter’s list is physical access. Many firewalls contain administrative ports that allow unauthenticated users to change settings. They may be returned to factory settings or simply replaced with a router. Security professionals can be sure physical security programs are in place to protect the network perimeter’s physical integrity.
The thirteenth and final class of firewall vulnerability is the use of sneakernet. CDs, USB drives or laptops carried past security perimeters can expose networks to malicious attack by disgruntled insiders. Ginter urges training for end-users teaching the dangers of movable media, using device/media control software to limit the malware’s effectiveness on the physical media.
ISA-99 series and other industrial security standards offer a great deal of information on how to manage a firewall to keep it secure, but the complexity makes it difficult to keep firewalls secure without expending plenty of effort on processes, testing, audits, documentation and other activities.
Ginter says using hardware-based unidirectional gateways is an effective method of ensuring firewall security, but cautions that no one method can allay all firewall security threats. It’s important for most operations to take a layered approach to security while understanding the limitations of each.