Process Control USB Security Policy

By Hardened I.T. | May 27, 2012

In Process Control environments where the network is isolated and thought to be protected, the question often comes up: “What should we do to protect ourselves from infected USB media?”  The reason for this question is that the only way to get files to and from the environment is usually USB media.  My answer is not what they wanted to hear when the question was asked.  The high-level answer is to install an Anti-Malware and a Patch Management solution into the environment, prevent unauthorized media from being introduced into the system, and have a fully tested backup and recovery solution in place.  Saying it in one sentence does not make it any simpler than it sounds.  I will detail each part as much as possible.


In most cases Process Control environments are set up on an isolated network: sometimes totally isolated, sometimes firewalled off from a corporate network.  In either case, this gives a false sense of security.  If isolation is your only measure of security, then you are fooling yourself.  Consider a case where an application engineer accidentally introduces some form of Malware (Malicious Software) into the environment.  Without any Anti-Malware on your systems, you may not even know that you are infected.  Even in the case of a Zero-Day infection, where the definitions do not yet know of the vulnerability, they eventually will.  So sometimes it is not about prevention but about identification and remediation.

In my experience, I have found that most process control application vendors publish how to implement an Anti-Malware solution properly without adversely affecting the operation.  I have also seen cases where an Anti-Malware solution was implemented without any thought to the application and did adversely affect the operation.  So I would strongly advise working with the vendor of the applications and obtaining their recommended configuration for installing a solution.  It would also be advisable to test it prior to introduction into the production environment.  Once you have the solution in place, you will need to keep the definitions updated.  This can be done using a firewall rule that allows the Anti-Malware server to pull the definitions from the source or, better yet, from an upstream server in your corporate environment.

As far as a Patch Management solution goes, I do not recommend patching Process Control systems the same way as one would corporate I.T. systems.  I would never set any system to be automatically patched.  We all know Process Control systems are quite different, and the prevailing thought is to not change anything: the “If it isn’t broke, don’t fix it” mentality.  However, a Patch Management solution will give you visibility into your environment and keep you informed of what level of Operating System patches you are currently running.  You may not even have a schedule to patch any server.  But having it in place will give you the ability, when needed, to apply patches in a controlled, consistent approach.  Keep abreast of the known published vulnerabilities and patch for those vulnerabilities during a maintenance outage.  Again, as with the Anti-Malware solution, the vendors also publish what patches they have tested and validated with their application.  I would also recommend testing the patches for yourself in your environment as much as is possible.  Because you would not be using any automated approach, you will have full control of which servers you patch in which order.  For example, patch the secondary server in a redundant pair first and test its operation before proceeding.  The last thing regarding patching would be to create groups by application, not by process area.  Creating your groups by application will allow you to approve patches in the system based on what the vendor has validated for that application.  Grouping by process area will provide no additional value, as you will manually control when those process areas are patched.
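The grouping-by-application approach above lends itself to a simple audit: for each application group, compare what is actually installed on each server against the list of patches the vendor has validated for that application, so the next maintenance outage has a ready-made work list. The PowerShell script below is an added example and not part of the original post; the server names, application names and KB numbers in it are constructed placeholders, and it assumes an account with local administrator rights on the targets and remote access for `Get-HotFix -ComputerName`.

```powershell
# Added example (not from the original post): report, per application group,
# which vendor-validated patches are still missing on each server.
# All server names, application names and KB numbers below are constructed
# placeholders; substitute the vendor's published list for your application.
# Assumes Get-HotFix can reach each server remotely (RPC/WMI) as an admin.

# Group servers by the application they run, not by process area.
# List the secondary of a redundant pair first: that is the order to patch in.
$applicationGroups = @{
    'HistorianApp' = @('HIST-SEC', 'HIST-PRI')                 # constructed names
    'HmiServerApp' = @('HMI-SRV2', 'HMI-SRV1', 'HMI-SRV3')     # constructed names
}

# Patches the vendor states it has tested with each application (placeholders).
$vendorValidated = @{
    'HistorianApp' = @('KB0000001', 'KB0000002')
    'HmiServerApp' = @('KB0000001', 'KB0000003')
}

function Get-PatchGap {
    param(
        [string]$Application,
        [string[]]$Servers,
        [string[]]$Validated
    )
    foreach ($server in $Servers) {
        try {
            $installed = @((Get-HotFix -ComputerName $server -ErrorAction Stop).HotFixID)
        } catch {
            # An unreachable host is reported, never silently skipped: it may be
            # the one machine nobody has looked at in years.
            [pscustomobject]@{
                Application      = $Application
                Server           = $server
                Status           = 'UNREACHABLE'
                MissingValidated = ''
                InstalledCount   = 0
            }
            continue
        }
        # Validated by the vendor but not installed: work list for the next outage.
        $missing = @($Validated | Where-Object { $installed -notcontains $_ })
        [pscustomobject]@{
            Application      = $Application
            Server           = $server
            Status           = if ($missing.Count -gt 0) { 'PATCH-DURING-OUTAGE' } else { 'CURRENT' }
            MissingValidated = ($missing -join ',')
            InstalledCount   = $installed.Count
        }
    }
}

$report = foreach ($app in $applicationGroups.Keys) {
    Get-PatchGap -Application $app `
                 -Servers $applicationGroups[$app] `
                 -Validated $vendorValidated[$app]
}

# Servers are listed in patching order within each application group.
$report | Format-Table -AutoSize
```

Run it from the patch management or administrator machine before an outage and keep the output with the change record; the `InstalledCount` column is a quick sanity check that `Get-HotFix` actually returned data rather than an empty list from a host that answered but refused WMI.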

To prevent unauthorized media from being introduced into your environment you will need a couple of layers of security.  First, you should remove the ability for a user/operator to physically plug in a USB or any other media.  Servers should be in a secured environment, such as a locked data center or computer room.  Workstations can have their USB ports disabled.  But the best approach would be to implement thin clients.  Thin clients, specifically ThinManager thin clients, allow you more control over what the client does.  The security model for workstations is to lock down or remove access, while the security model for thin clients is to grant access as required.  If you miss something, the former introduces an unidentified vulnerability, while the latter is identified immediately and easily resolved.

User/operator access has been addressed, but with regard to application engineers and administrators you will need another layer of security.  This layer will be more procedural.  As application engineers and administrators, we often need to be able to transfer files to and from our systems.  The preferred method is to carry a USB memory key around with us.  The problem comes when we have an infected device and we introduce it into our environment without any Anti-Malware solution.  We infect the system without knowing it.  Only when we plug it into our corporate system may we find out that we are infected.  Will we realize or consider that we may have infected our process control system when we used the device there?  We should never introduce external media into any system that does not have an Anti-Malware solution.  As an alternative to implementing an Anti-Malware solution on all of your servers, you should at the very least have an administrator machine in your environment that does have an Anti-Malware solution, and transfer your files to and from that machine.  Keep in mind that this process is procedural, and administrators can do anything to the system they want.  You would need to stress discipline in following such procedures.


It is also recommended to disable autorun on your systems, regardless of who is introducing the media.  Microsoft publishes how to do this on all their mainstream operating systems here:  http://support.microsoft.com/kb/967715.  This does not protect you by itself; it just prevents applications from automatically starting when media is introduced into a system.
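Both host-level controls discussed above, disabling USB storage on workstations that cannot be replaced with thin clients and disabling autorun, come down to two registry values that can be audited and, if you choose, enforced from one script. The PowerShell below is an added example and not from the original post or from Microsoft; it assumes an elevated session on the workstation, that the USB mass-storage class driver is controlled by the `Start` value of the `USBSTOR` service (4 = disabled, 3 = enabled on demand), and that the autorun policy value is `NoDriveTypeAutoRun` under the `Policies\Explorer` key with `0xFF` disabling AutoRun on every drive type, as the Microsoft article linked above describes. The `-Enforce` switch and the report layout are this example's own.

```powershell
# Added example (not from the original post): audit the two registry-backed
# controls discussed in the text, and optionally set them to the hardened value.
# Run elevated. Without -Enforce the script only reports; with -Enforce it writes
# the expected DWORD wherever the current value differs.
param(
    [switch]$Enforce
)

# Control 1: USB mass-storage class driver. Start=4 (Disabled) means the driver
# is never loaded, so a memory key is not mounted as a drive. USB keyboards and
# mice use the HID class and are unaffected by this value.
# Control 2: AutoRun policy. NoDriveTypeAutoRun=0xFF disables AutoRun on all
# drive types (the value described in http://support.microsoft.com/kb/967715).
$controls = @(
    @{
        Label    = 'USB mass storage driver disabled'
        Key      = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
        Name     = 'Start'
        Expected = 4
    },
    @{
        Label    = 'AutoRun disabled on all drive types'
        Key      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
        Name     = 'NoDriveTypeAutoRun'
        Expected = 0xFF
    }
)

function Get-RegistryDword {
    param([string]$Key, [string]$Name)
    # Returns $null when the key or the value is absent, so an unconfigured
    # machine shows up as non-compliant rather than as an error.
    try {
        (Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null
    }
}

function Test-Control {
    param([hashtable]$Control)
    $actual = Get-RegistryDword -Key $Control.Key -Name $Control.Name
    [pscustomobject]@{
        Control   = $Control.Label
        Value     = "$($Control.Key)\$($Control.Name)"
        Expected  = $Control.Expected
        Actual    = $actual
        Compliant = ($actual -eq $Control.Expected)
    }
}

function Set-Control {
    param([hashtable]$Control)
    if (-not (Test-Path $Control.Key)) {
        # Policies\Explorer does not exist on a fresh install; create it.
        New-Item -Path $Control.Key -Force | Out-Null
    }
    Set-ItemProperty -Path $Control.Key -Name $Control.Name `
                     -Value $Control.Expected -Type DWord
}

# Audit first, so the before state is on record even when enforcing.
$before = foreach ($c in $controls) { Test-Control -Control $c }
$before | Format-Table -AutoSize

if ($Enforce) {
    foreach ($c in $controls) {
        $state = Test-Control -Control $c
        if (-not $state.Compliant) {
            Set-Control -Control $c
            Write-Host "Set $($c.Name) to $($c.Expected) under $($c.Key)"
        }
    }
    # Re-audit to confirm the writes took effect.
    foreach ($c in $controls) { Test-Control -Control $c } | Format-Table -AutoSize
}
```

The USBSTOR value only stops the storage class driver from loading; it is a workstation control for machines that operators can reach, not a substitute for the physical and procedural layers above, and a device already enumerated before the change is not unmounted until the next reboot. Keep the audit mode in whatever periodic check you already run so a value that drifts back (for example after an imaging or vendor support session) is noticed rather than assumed.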

Lastly, you need to prepare for the worst case.  What will you do if you have been infected?  You need to have a fully tested backup and recovery process in place.  This should be in place regardless of this topic.  Hardware and systems do fail, and we need to be able to recover or rebuild to get back up and running.  The key to any backup solution is the recovery plan.  This includes the case where your backup solution too has been compromised or destroyed.  Recovery procedures need to be regularly tested and verified to be current and still valid.  Tapes are on their way out from a recovery standpoint but are still quite prevalent.  The thing with tapes is that they keep changing.  If you have to replace a tape drive, you may not be able to find one specific to your current solution, and they often only work 1 or 2 revisions back.  So I cannot stress enough keeping your backup and recovery plans current, tested, and verified.


For more information contact info@hardenedit.com