The Need for Network Segregation in Critical Infrastructure Systems

16 Apr

A recent article in the NY Times claims:

The vast majority of targeted computer attacks now start with a malicious e-mail sent to a company employee. Now evidence suggests that the same technique could be used to attack watersheds, power grids, oil refineries and nuclear plants.

This cannot be allowed to happen. Here I explore the issue in a little more detail.

The NY Times identifies the risk as:

…all it takes is one click for an attacker to get inside a system. In one case, Critical Intelligence could see an instant messaging exchange between two employees that discussed critical systems. And while it would be difficult for attackers to inflict catastrophic damage from one employee’s machine, a patient attacker would simply wait for that employee to connect his or her laptop to an electrical substation, or move around the network to an employee who connected to critical systems regularly.

This is only true if the networks are connected. Air gaps are a candidate solution, but they also block legitimate business processes. As explored in air gap security failures, this need to exchange data is one reason why air gaps all too often fail.

Data Diode

In Air-Gaps, Firewalls and Data Diodes in Industrial Control Systems an alternative approach is explored: putting one-way network connections in place, based on Data Diode technology. This enables the business process while reducing the risk. The briefing then looks at how Data Guard technology can reduce the risk further, using content filtering to ensure that only data related to the permitted business process can pass the one-way connection.
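As an added illustration (not code from the briefing or from any Data Diode or Data Guard product), here is a minimal content filter of the kind a Data Guard applies before releasing records towards the one-way link: it accepts only telemetry records that match a positive allow-list (hypothetical tag naming scheme, field set, value range and size limit) and rejects everything else, which is what "only the data the business process needs" means in practice.

```python
import json
import re

# Constructed allow-list policy for a historian feed leaving the OT network
# over a one-way link (hypothetical tag names, value range and size limit).
ALLOWED_FIELDS = {"tag", "value", "ts"}
TAG_PATTERN = re.compile(r"^PLANT1\.(LEVEL|FLOW|PRESSURE)\.[0-9]{3}$")
VALUE_MIN, VALUE_MAX = -1000.0, 1000.0
MAX_RECORD_BYTES = 256

def inspect_record(raw: bytes):
    """Return (parsed record or None, reason); only positive matches pass."""
    if len(raw) > MAX_RECORD_BYTES:
        return None, "oversize"
    try:
        rec = json.loads(raw.decode("ascii"))
    except (UnicodeDecodeError, ValueError):
        return None, "not ascii json"
    if not isinstance(rec, dict) or set(rec) != ALLOWED_FIELDS:
        return None, "unexpected fields"
    if not isinstance(rec["tag"], str) or not TAG_PATTERN.match(rec["tag"]):
        return None, "tag not in allow-list"
    value, ts = rec["value"], rec["ts"]
    if isinstance(value, bool) or not isinstance(value, (int, float)) \
            or not VALUE_MIN <= value <= VALUE_MAX:
        return None, "value not numeric or out of range"
    if isinstance(ts, bool) or not isinstance(ts, int) or ts < 0:
        return None, "bad timestamp"
    return rec, "ok"

def guard(records):
    """Filter a batch; return (bytes released towards the diode, rejection
    reasons). Records are re-serialised from the parsed form, so nothing the
    parser did not recognise (padding, duplicate keys) leaves the network."""
    released, rejected = [], []
    for raw in records:
        rec, reason = inspect_record(raw)
        if rec is None:
            rejected.append(reason)
        else:
            released.append(json.dumps(rec, sort_keys=True).encode("ascii"))
    return released, rejected

# Constructed sample batch: one valid reading and four that must not cross.
SAMPLE = [
    b'{"tag":"PLANT1.FLOW.001","value":12.5,"ts":1700000000}',
    b'{"tag":"PLANT1.LEVEL.002","value":3.1,"ts":1700000001,"cmd":"open"}',
    b'{"tag":"../../etc/passwd","value":0,"ts":1}',
    b'{"tag":"PLANT1.PRESSURE.003","value":"12","ts":1}',
    b'<html>not telemetry</html>',
]
```

The rejection reasons are what a real guard would log and alert on, since anything other than expected telemetry arriving at the filter is itself a signal worth investigating.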

We cannot avoid the need to join systems, but we can manage the risk by understanding the business's information exchange needs and building solutions that enable those data flows, and only those.

How are you achieving network segregation in your environment? Please leave your comments below.
