My last post, “Attack Vectors: The Exploding Cyber Threat to Air Gapped IIoT Systems”, was excerpted from the recent TechTonics report “An Air Gap Firewall Provides Better Cyber Defense than Internal Firewalls”. That post focused on the rapid growth in attack vectors caused by an expanded attack surface as more operational technology (OT) devices and industrial control systems (ICSs) are connected to information technology (IT) systems over the Internet.
This post, also excerpted from that paper, zeros in on the deficiencies of internal firewalls and VPNs in protecting against modern cyberattacks. It also argues that only a purpose-built architecture, call it an air gap firewall, with advanced IIoT capabilities can help organizations address the growing threat to their IIoT initiatives.
TechTonics believes that cyberattacks on critical infrastructure will be the cybersecurity story of the next decade. A prior paper, “Securing Critical Infrastructure against Cyberattack”, discussed the unique characteristics and vulnerabilities of these previously air gapped systems. The catastrophic loss from such an attack has the potential to dwarf the devastation caused by conventional warfare.
Internal Firewalls and VPNs are No Match for Modern Cyberattacks
More organizations are connecting OT devices and ICSs to their IT networks to reduce costs, improve processes and optimize decision-making. The security tool they default to for protecting this new traffic is the internal firewall. However, given the many breaches that have occurred, it is becoming clear that these firewalls, as well as VPNs, are overmatched by today’s cyberattacks on critical infrastructure.
Even next-generation firewalls (NGFWs), despite their added functionality (application awareness, intrusion detection/prevention, spam filtering and spyware detection), cannot effectively protect traffic moving between converged OT and IT systems.
That is because firewalls were architected for an era of simpler networking and simpler malware. They are effective at policing north-south traffic, which enters from and exits to the Internet. They do not defend effectively against east-west, or lateral, traffic, which makes up the majority of traffic within a network and across converged OT/IT infrastructure.
Moreover, despite the added complexity of modern cloud-based applications, newer network architectures and the growing number of connected users and devices, the way firewalls are updated and managed has changed little over the years. A persistent challenge is that the rules engine must be constantly updated to track the changing characteristics of applications and network traffic.
In practice, it has become harder and more costly for security teams to keep up. Errors or oversights, such as a misconfigured firewall, can be as hazardous as having no firewall at all. Meanwhile, the flood of false-positive alerts that firewalls generate distracts and frustrates security teams, making the firewalls less effective tools. The net effect is that they increase availability, safety and downtime risks and add complexity that can undermine the integrity of the defense.
VPNs were created to provide a secure tunnel between remote users and the IP network through encrypted access. The basic premise for deploying a VPN was that a network perimeter existed, and that the perimeter was protected by firewalls and other security technologies, such as intrusion detection/prevention systems (IDS/IPS).
However, VPNs are ineffective against modern attacks because they allow all traffic to pass once a user has been authenticated. Moreover, many deployed VPNs have been shown to have flaws in their algorithms and to be susceptible to brute-force attacks.
In fact, the NSA recently issued a bulletin warning that state-sponsored attackers are actively targeting remote takeover and connection hijacking flaws in VPNs. This bulletin comes after a similar warning issued in April.
The Air Gap Firewall for the IIoT Edge
IIoT is driving growth in edge computing. As edge devices and edge data centers gain more processing and decision autonomy, downtime risk falls: users and devices can keep using products and services even when portions of the network go down.
However, bridging the former air gap exposes these devices to cyberattacks. And once inside the network, attackers can move laterally to exploit internal systems built with an edge-only security mentality.
Supervisory control and data acquisition (SCADA) systems are particularly vulnerable. They run on IIoT and edge computing protocols, are essential to critical infrastructure and a key component of many manufacturing systems, and are difficult to update and often impossible to patch.
An air gap firewall is an overlay on top of existing infrastructure. As such, one option is to deploy it as an extra layer of protection beyond the capabilities of the existing internal firewall.
An air gap firewall with cryptographic keys embedded in an IIoT chip can use those keys to authenticate devices and so mitigate modern threats. Further, communication among local devices can also be encrypted. Microsegmentation, used in conjunction with the Host Identity Protocol (HIP) in air gap firewalls, secures edge computing endpoints and the devices using edge networks and keeps them cloaked from intruders.
This contains lateral movement and renders the devices invisible to cyber threats: an intruder cannot attack what they cannot see. As a result, both the attack surface and the number of attack vectors are dramatically reduced. An air gap firewall is also cost effective, as it requires no additional staff or support skills.
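To make the identity-first model concrete, here is an added example (not code from TechTonics or from any HIP implementation) of the enforcement logic described above. It is a simplified Python model with these assumptions: a device's identity proof is an HMAC over a fresh nonce using a per-device key the enforcer holds, standing in for HIP's public-key signature; the Host Identity Tag is a truncated SHA-256 of that key rather than HIP's ORCHID encoding; and the device names, keys and segment layout are constructed for illustration. Unlike the VPN model criticized earlier, where authentication opens the door to all traffic, every flow here is checked against segment membership after identity is proven, and anything that fails is dropped without a reply, so an unauthenticated scanner learns nothing.

```python
"""Identity-first microsegmentation model (added example, not TechTonics code).

Simplifications (assumptions, not HIP as specified):
  * identity proof is an HMAC over a nonce with a per-device key the enforcer
    holds, standing in for HIP's public-key signature;
  * the Host Identity Tag (HIT) is a truncated SHA-256 of the device key,
    not the ORCHID encoding HIP actually uses.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets

FORWARD = "FORWARD"
DROP_SILENT = "DROP_SILENT"   # no reply of any kind: the device stays invisible


def host_identity_tag(identity_key: bytes) -> str:
    """Stable identifier derived from the key provisioned into the device."""
    return hashlib.sha256(identity_key).hexdigest()[:32]


def device_proof(identity_key: bytes, nonce: bytes) -> bytes:
    """What the device computes with its embedded key when challenged."""
    return hmac.new(identity_key, nonce, hashlib.sha256).digest()


class AirGapEnforcer:
    def __init__(self, device_keys: dict[str, bytes], segments: dict[str, set[str]]):
        # HIT -> key (mirrors the key embedded in each IIoT chip)
        self.device_keys = device_keys
        # HIT -> segment name; a HIT in no segment is unreachable by anyone
        self.segment_of = {hit: name for name, hits in segments.items() for hit in hits}
        self._pending: dict[str, bytes] = {}   # outstanding single-use nonces

    def challenge(self, hit: str) -> bytes | None:
        """Only known identities get a challenge; unknown HITs get no response."""
        if hit not in self.device_keys:
            return None
        nonce = secrets.token_bytes(16)
        self._pending[hit] = nonce
        return nonce

    def _proof_ok(self, hit: str, proof: bytes) -> bool:
        nonce = self._pending.pop(hit, None)   # consumed on first use: replays fail
        if nonce is None:
            return False
        expected = hmac.new(self.device_keys[hit], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, proof)

    def forward(self, src_hit: str, proof: bytes, dst_hit: str) -> str:
        """Decide one flow: identity first, then segment policy, else silent drop."""
        if src_hit not in self.device_keys or not self._proof_ok(src_hit, proof):
            return DROP_SILENT
        src_seg = self.segment_of.get(src_hit)
        if src_seg is None or self.segment_of.get(dst_hit) != src_seg:
            return DROP_SILENT   # authenticated, but this would be lateral movement
        return FORWARD


# Constructed sample fleet: two PLCs in one cell, an HMI in a separate segment.
PLC_A_KEY = hashlib.sha256(b"constructed key: plc-a").digest()
PLC_B_KEY = hashlib.sha256(b"constructed key: plc-b").digest()
HMI_KEY = hashlib.sha256(b"constructed key: hmi").digest()
PLC_A, PLC_B, HMI = (host_identity_tag(k) for k in (PLC_A_KEY, PLC_B_KEY, HMI_KEY))


def build_enforcer() -> AirGapEnforcer:
    return AirGapEnforcer(
        device_keys={PLC_A: PLC_A_KEY, PLC_B: PLC_B_KEY, HMI: HMI_KEY},
        segments={"cell-1": {PLC_A, PLC_B}, "supervisory": {HMI}},
    )


def scenario(src_hit: str, src_key: bytes, dst_hit: str) -> str:
    """Run challenge/response and a forwarding decision for a single flow."""
    enf = build_enforcer()
    nonce = enf.challenge(src_hit)
    if nonce is None:
        return DROP_SILENT   # unknown identity never even receives a challenge
    return enf.forward(src_hit, device_proof(src_key, nonce), dst_hit)


if __name__ == "__main__":
    print("PLC A -> PLC B (same cell):      ", scenario(PLC_A, PLC_A_KEY, PLC_B))
    print("PLC A -> HMI (cross segment):    ", scenario(PLC_A, PLC_A_KEY, HMI))
    print("Spoofed PLC A HIT, wrong key:    ", scenario(PLC_A, b"guess", PLC_B))
    print("Unknown scanner:                 ", scenario("00" * 16, b"x", PLC_B))
```

The two drop cases look identical from outside, which is the point: a spoofed identity, a replayed proof and a cross-segment request all receive the same silence as a random scanner, so an intruder cannot enumerate which devices exist or which segments they belong to. In a real deployment the HMAC stand-in would be replaced by the signature of a key pair held in the device's hardware.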
If, however, an existing firewall is being used to protect IIoT devices and is approaching its replacement cycle, TechTonics recommends that an air gap firewall be deployed instead.
Today, with the network perimeter gone, purchasing a new internal firewall or VPN is a high-risk, high-cost misinvestment. They do not effectively defend against modern IIoT cyberattacks, further exposing the organization to downtime, data exfiltration or, worse, catastrophic loss. Purchasing a replacement internal firewall also perpetuates the cycle of inefficiencies and errors endemic to internal firewalls (misconfigurations, false positives, incompatibility with ICSs), and still requires staff with a specialized skill set.
This blog is adapted from the new TechTonics Advisors report “An Air Gap Firewall Provides Better IIoT Cyber Defense than Internal Firewalls”. The report is freely downloadable here.