Feature Article
SDN-Based Solutions Strengthen Cyber Security in Industrial
Control Infrastructure
Jay Friedman, President
Distrix, Inc.
There's a time-honored adage that goes, "When you're through changing, you're through." As the pace of information technology (IT) and
operational technology (OT) development accelerates, and the need to close
the IT/OT divide becomes ever more important in applications involving
machine-to-machine (M2M) communications, the Internet of Everything
(IoE), and industrial control networks, this adage resonates more deeply
than ever.
Far more important than the
willingness to change, however,
is a clear understanding of how
technological challenges are evolving and what kinds of changes we
need to make in order to remain
successful long term. With industrial control systems, where the
close collaboration of IT and OT
is essential, two emerging trends
warrant special attention.
The first involves widely adopted ICS/SCADA systems, which
run much of the global industrial
infrastructure and sit outside traditional IT data center networks.
Today, the pressure to leverage the
data collected by these systems to
reduce both operating and capital
costs is growing dramatically. At
the same time, these systems need
to evolve to address the rapidly growing adoption of M2M communications if we're going to realize the vision of "The Industrial Internet of
Things." On one hand, the stage is being set for more centralized management with intelligent systems gleaning insights from analytics using data
extracted from operational devices to provide greater M2M control. This
also paves the way for something unprecedented that's expected to occur
in the next few years, hundreds of billions of new devices being added to
networks worldwide. On the other hand, however, ICS/SCADA systems
are also giving these organizations additional headaches, foremost among
them being the security issues they present. Because they sit outside the
traditional IT datacenter, and because most were originally designed to be
closed systems not accessible from the outside, they're especially vulnerable to cyber attacks.
The second trend is one that seems to grab the headlines several times
every week: the increasing frequency of cyber attacks on major institutions in areas ranging from utilities to the factory floor operations, as well
as across many industries. One attack that caused a major stir in late 2013,
for example, was the massive breach at the US retailer Target that put the
personal data of more than 100 million of the company's shoppers at risk.
Earlier that year, experts from the security firm Cylance demonstrated how
it would be relatively easy to break into tens of thousands of ICS systems,
allowing hackers to take control of building heating systems, elevators and
other industrial equipment and, in some cases, to cause these systems to
malfunction. In fact, one of these experts, Billy Rios of Cylance had previously compared the security of these systems to Apple's iTunes, calling the
security software of the entertainment site "more robust than most ICS software." Also in 2013, a report from the US Congress stated that sophisticated cyber saboteurs might already be plotting to trigger a massive blackout
across the country. One utility company even shared with congressional
investigators that, in a typical month, it must contend with a mind-boggling
10,000 plus cyber attacks.
12
www.RemoteMagazine.com
Yes, the writing is on the wall. In fact, we might even turn that writing
into flashing neon lights on a billboard: "As ICS/SCADA systems remain
vulnerable to cyber attacks, the number and severity of these attacks continues to grow."
SDN Can Strengthen Cyber Security
While many who've considered these issues have presented helpful
insights and, in some cases, suggested solutions, we haven't yet achieved
any real consensus about what to do. However, one of the most promising
advances in network technology is
software defined networking (SDN).
The reality of SDN, whether
used for remote on-site network
management, is that it offers enormous potential value for utilities,
factories, retailers, and numerous
other organizations in several areas,
notably security.
In a nutshell, SDN enables
administrators to manage network
services by decoupling the system
that makes decisions about where
traffic is sent (the control plane)
from the underlying systems that
forward traffic to the selected destination (the data plane). In addition
to reducing the cost of managing
a large, remote network, SDN can
benefit industrial control systems in
several other ways.
One is by simplifying the tasks of provisioning and maintaining network
resources. This not only lowers the cost of network management, but it also
reduces the need to constantly reconfigure networks, a process that's both
time consuming and prone to error.
Another is by leveraging its sophisticated traffic-management and linkbonding capabilities to make networks far more flexible, responsive and
resilient. By using built-in traffic-engineering algorithms, managers can prioritize traffic by application, protocol or port. Or, by employing store-andforward features, they can assure that all data gets to the proper destinations
while the network also optimizes bandwidth utilization.
A third benefit critical to this discussion is SDN's ability to offer significantly higher levels of network security for both IT and OT control system
networks in order to, as technologists at Distrix like to say, reduce the "attack surface" the opportunities for hackers to breech a network's security.
Particularly challenging in M2M applications and environments using
industrial control systems is that many rely on huge investments previously
made in older, legacy radio-telemetry communication and devices. What's
particularly compelling is the ability of the SDN approach to address security issues not simply on one front or another, but on multiple fronts. This
might sound overly diligent, it may even seem like overkill to some, but
for security personnel who are the first to be criticized whenever a systems
breech occurs, there can never be too much diligence.
Six Effective SDN Security Strategies
Here are six strategies we've found that have proven to be particularly
effective for network administrators using SDN to combat security threats:
1. "Virtualize" Networks - SDN operates as an overlay, which abstracts
the network from the underlying network hardware, relying on the hardware
only for transport. When traveling over public or private networks, this virtualization makes it more difficult for hackers to eavesdrop or gain access to
the virtual network.
http://www.RemoteMagazine.com
Table of Contents for the Digital Edition of Remote - M2M 2014