In January 2020, the US Department of Homeland Security issued a National Terrorism Advisory Alert warning American targets that the Iranian government may carry out physical or cyber attacks in retaliation for the US strike that killed Iranian IRGC-Quds Force commander Qassem Soleimani in Iraq. The alert highlighted that Iran has an advanced cyberwarfare program capable of at least temporary disruption of critical infrastructure and other targets, and possibly much worse.
The Federal Government has recommended a starting point for security that highlights some elementary cyber hygiene, such as backups and multi-factor authentication. Most operators, however, will need a much more robust cybersecurity plan to defend against a concerted nation-state-class cyber assault.
Hostile State-level Cyber Plays
To formulate a robust industrial cybersecurity strategy in response to this alert we must first ask: if Iran or any other hostile state is going to launch a cyberattack against a target, how will they go about it and what should a really robust defense look like? Will Iran fly their operatives into the country and have them drive up to power plants and refineries, cut their way through barbed-wire perimeters and insert USB drives into PLCs?
No. If Iranian state actors launch a real cyber retaliation, they will launch their attacks through the Internet, while sipping coffee in the comfort and safety of their offices in Tehran. They will route their attacks through unsuspecting third parties to frustrate attribution. They will use zero-days and custom malware to bypass even sophisticated software-based protections.
What would constitute robust protection against such attacks? The recommended “data backups and employing multifactor authentication” can be one facet of a multi-faceted security program. Many practitioners will immediately look to intrusion detection and security monitoring as well, but this misses the point. Detection and monitoring have a role to play, but in terms of the NIST Framework, IDS are detective security controls, not preventive ones. The first priority in any robust cyber defense for industrial networks is threat prevention.
The most robust and most practical protection against remote attacks of this nature is a hardware-enforced perimeter solution implemented at the IT/OT network interface. Unidirectional gateway technology is physical, hardware-based protection for industrial sites that prevents all incoming traffic from entering a control system network, while replicating servers to enable real-time monitoring of OT systems and networks. The gateways render interactive remote-control attacks impossible while enabling safe IT/OT integration, straightforward visibility into industrial operations, and disciplined control of operations.
This class of industrial cyber defense technology is used ubiquitously at critical infrastructure sites in “high risk” jurisdictions such as Israel, Singapore, and South Korea. But – are these jurisdictions really at any greater risk of cyber attacks than are North American or other Western targets?
Not exactly, Iranian and North Korean regimes have it in for the rest of the free world, and the Internet reaches everywhere. “High risk” states are not deploying unidirectional gateways because they are at greater risk of crippling cyber attacks than other targets, these nations deploy the gateways because they have a deeper understanding of enemy motives and capabilities than is the case in most of the Western world.
Robust, unidirectional protection against Internet-based cyber attacks are standard in threat-aware jurisdictions. The threat against us all is clear. The time has come for the vast majority of critical infrastructure sites world-wide to adopt these standard protections.