Re-examining Industrial Information Security, Starting with the Industrial Host
Abstract
After many years of development in industrial information security, ransomware attacks on industrial enterprises have upended the existing security picture. They have once again demonstrated the vulnerability of industrial control systems, and they have disrupted the normal operation of industrial control systems that had long been "running while infected". This prompts a re-analysis of a security mindset that relies heavily on perimeter protection. Most security incidents begin with an attack on an industrial host. Strengthening the protection of industrial hosts, the bridge between the information world and the physical world, is therefore the starting point for ensuring industrial information security.
1 Introduction
Industrial safety is a broad concept that includes not only so-called functional safety but also the information security that is now so widely discussed. Whichever aspect is considered, the production safety of industrial enterprises is the primary task; even the most serious consequence of an industrial information security incident is its effect on an enterprise's production. However it is stated, industrial information security has gradually risen to the same level of importance as functional safety, and academic and scientific circles are continually discussing how to integrate the functional safety, information security and operational safety of industrial control systems. Industrial information security has therefore become an indispensable safety element for industrial enterprises.
Looking back over more than a hundred years of industrial development, it is really the history of industrial control systems, that is, the history of production safety, out of which functional safety emerged. Compared with the development of control theory and engineering, informatization has a history of only a few decades, and the application of information technology in the industrial field gave rise to industrial control information security. Especially in the last 20 years, the history of industrial information security has been somewhat "black".
2 The "Black" History of Industrial Information Security
Industrial information security, commonly referred to as industrial control information security, is part of the latest interpretation of industrial Internet security. Why call its history "black"? Because industrial control systems have been hacked more and more often.
The main reason is that industrial control still takes functional safety as its main line and has not integrated information security thinking into the overall concept of industrial safety as times have changed. As a result, information security incidents such as those at an Australian sewage treatment plant, a US nuclear power plant and the Polish subway have continued to occur. In 2007 the Idaho National Laboratory conducted a near-real-world test proving that a network attack could cause physical damage to an industrial control system, laying the groundwork for the 2010 outbreak of the Stuxnet virus in Iran.
Whenever industrial information security is discussed, certain network incidents must be mentioned. Since 2010, attacks on critical infrastructure have included a large number of attacks and viruses aimed at industrial control systems. Another landmark event was the 2015 blackout of the Ukrainian power grid: another blackout, another physical loss and, most importantly, a sign that the people we commonly think of as hackers were already very familiar with the processes and business of the industrial sector. In 2017 the EternalBlue-based ransomware appeared, and its subsequent variants shifted their targets from the initial education and medical sectors to the higher-value industrial sector, aiming directly at the industrial host. The industrial environment's habit of ignoring viruses and Trojans as long as they did not affect production, a state of "running while infected", was broken by ransomware.
3 The "fence" is still the "fence"
A fence is a facility used to protect a yard. The traditional "fence" of an industrial control system is isolation, such as physical isolation, which protects the industrial control system by means of a physical gap. Even in the era of deep informatization, isolation thinking is still the mainstream protective measure for industrial control systems. For example, according to Document No. 36 of the Energy Administration, the security protection requirements for power monitoring systems state that the isolation between the management information zone and the production control zone should "approach or even reach the level of physical isolation".
Even in industrial sectors where the level of requirements is not as high and information security construction lags behind the power industry, basic boundary isolation requirements exist. Requirements for physical and logical isolation, and consideration of various isolation methods, are mentioned in every industrial field. "Isolation is safety" has become a universal pattern of security thinking, yet how effective the protection actually is never gets verified. Some companies even believe that having a boundary guard is enough in itself, without considering whether this "fence" is applicable to them or whether it really protects them. There have also been boundary devices running only in transparent mode, with no internal security protection, leaving the operating conditions of the industrial control system exposed at a glance.
Therefore, the simplistic "fence" thinking that equates isolation with safety needs to change.
4 Ransomware Breaks the Illusion
The 2017 outbreak of the EternalBlue-based ransomware had a wide impact. In the response to this global security incident there was no industry-specific differentiation or in-depth analysis. Then an interesting change occurred: ransomware began to target the industrial sector. Many domestic industrial enterprises were attacked by ransomware; industrial hosts were locked, blue-screened and restarted continuously, seriously affecting normal production. One domestic manufacturer stopped production for nearly a month because of a ransomware outbreak. While handling this incident, it was found that although a firewall was installed at the perimeter, the enterprise's internal network was one large flat network interconnecting the office, OA, finance and control networks. After years of unchecked expansion there were hundreds of security vulnerabilities, and apart from the perimeter protection there was no information security equipment at all. The management system existed in name only and removable media were used indiscriminately. Besides the ransomware, more than 10,000 traditional viruses and Trojans were present. In interviews, business personnel said that viruses and Trojans had been in the control network for many years, and because they had never caused downtime no security measures had been taken. During analysis and remediation it even turned out that the GHOST image files used for system recovery had been implanted with viruses and Trojans. In fact, the security problems and incidents of this enterprise are representative of a large number of enterprises. Had the ransomware outbreak not caused a shutdown, the enterprise might still not really care about building industrial information security.
5 Industrial Information Security Begins with Protecting the Industrial Host
After so many years of industrial control security "baptism", pilot verification work has been done in many industries and enterprises, and some have even carried out systematic security planning and construction. However, according to research reports from ICS-CERT in the United States, CNVD and the Kaspersky ICS CERT, the number of industrial control vulnerabilities has not decreased as a result of this construction but has increased year by year. We believe, moreover, that the publicly disclosed industrial control vulnerabilities are only the tip of the iceberg.
In analyzing these publicly disclosed industrial control vulnerabilities, we find that vulnerabilities in the software and communication protocols running on industrial hosts dominate. Surveys indicate that an intermediate-level programmer introduces one bug for every 1000 lines of code written, and most vulnerabilities in industrial software are concentrated in such software bugs. Of course, there are other reasons for the continuous increase of software vulnerabilities on industrial hosts: industrial software can be obtained through many channels and at low cost; the experience, methods and tools of IT software vulnerability analysis can be applied directly to analyzing industrial software; and the host systems in the industrial field are old and rarely receive security updates, so they carry many vulnerabilities and have poor protection.
"Running while infected" used to be the norm in industrial environments, and ransomware has made this norm a thing of the past. In the earlier industrial environment, as long as viruses and Trojans did not threaten normal production, industrial enterprises largely let them be; mostly the viruses and Trojans only made systems run slowly. The appearance of ransomware broke this situation. For example, in August this year a ransomware outbreak at TSMC caused a business shutdown, with a direct economic loss of nearly $200 million and a gross margin loss of 1%, and this was an incident at an industrial enterprise with a certain level of security capability. In fact, domestic industrial enterprises have been more or less affected by ransomware, mainly in the automobile manufacturing, electronics manufacturing, tobacco, energy and other industries. High-value, poorly protected industrial hosts will be ideal ransomware targets for cybercrime groups.
APT attacks are no longer at the stage of "crying wolf"; the wolf has actually come. From Stuxnet, BlackEnergy2 and Havex, to the repeated blackouts in Ukraine, to the recent Triton/TRISIS attack on a Saudi oil and gas plant, the incidents keep recurring. The Triton attack framework interacts with Schneider Electric's Triconex safety instrumented system (SIS) controller and, by reprogramming the SIS controller, can cause irreversible shutdowns and physical damage to equipment. As can be seen, attacks on key national infrastructure centred on industrial control systems, such as the energy industry, critical manufacturing and water treatment, have been ongoing. APT attacks hang over industrial enterprises like the sword of Damocles and have to be a source of concern.
Facing these problems and challenges, this paper conducts in-depth research on the main threats to industrial control systems. The findings are as follows: with the development of information technology and the demand for industrial interconnection, the industrial host is the point where IT and OT technology converge, the channel and bridge between the information world and the physical world, and the point where an attack can be carried out at low cost with excellent effect. It is therefore extremely critical to do a good job of protecting and controlling the industrial host. Accordingly, in view of the characteristics of industrial enterprises and the three major security threats they face, three corresponding countermeasures are put forward:
(1) Take immediate action, so that industrial information security starts with host protection;
(2) Keep an open mind and establish a cooperative governance mechanism for industrial control vulnerabilities;
(3) Link up collaboratively and establish a coordinated emergency response mechanism for industrial control security incidents.
The operating environment of the industrial host is very special: once most industrial hosts are installed and deployed, they undergo no fundamental upgrade or modification. Because of the particularity of industrial hosts and their software, anti-virus software based mainly on blacklisting is difficult to adapt and use in an industrial environment. Whitelist technology is therefore widely used in the industry for the security protection of industrial hosts.
In the field of Internet security, 360 was the first to propose whitelist technology, and anti-malware software based on a whitelist mechanism is also 360's strength. On this basis, the concept of integrated security protection for the industrial host is put forward: built on whitelist technology, it integrates the functions of asset management, peripheral control, virtual patching and access control, and incorporates specific virus detection tools, host hardening tools and so on. Virtual patch technology is critical here. When an industrial host cannot be patched or updated, once a vulnerability in the host is discovered, virtual patching combined with the whitelist mechanism can protect the vulnerability effectively, not only preventing unauthorized software from starting but even preventing unauthorized software from reaching the host. For example, the ransomware protection module is built on this technology and can defend against ransomware effectively.
However, for the protection of industrial hosts, whitelist technology alone cannot provide comprehensive protection, and some advanced malicious code can bypass a simple whitelist mechanism. Industrial host protection therefore needs to add "white behavior" technology on top of "whitelist" technology.
An industrial control system has two kinds of "limitedness": first, the operating states of the equipment are limited, and second, the control instructions under each operating state are limited. The protection of the industrial host shares these characteristics. The limited set of control instructions means that the operating behavior of an industrial host is stable and knowable. Using big data technology, it is easy to establish a stable "white behavior" baseline for the industrial host, and behavior that deviates from the baseline is very easy to detect. Taking the industrial host as the key node, a white-behavior model of its operation is therefore established. By monitoring operating behavior, the detection capability for known hosts is extended: known legitimate behavior is confirmed and operations stemming from unknown threats are prevented. Industrial control system assets, operations and so on are monitored in real time; when an anomaly occurs an alarm is raised in real time and the emergency handling process is started; and threats are traced to their origin in combination with industrial threat intelligence, providing a more robust active defense capability for the industrial host.
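As an added illustration of the two layers described in this section (an application whitelist plus a "white behavior" baseline), the following Python example is not code from the paper or from any vendor product. The process names, image hashes and host events are constructed sample data, and the fields monitored for behavior (parent process and network destination) and the notion of a supervised learning window are assumptions made for the example.

```python
"""Application whitelist plus a 'white behavior' baseline for an industrial host.

Added example, not code from the paper or any product. All hashes, process
names, addresses and events below are constructed sample data.
"""
import hashlib
from collections import defaultdict


def image_hash(label: str) -> str:
    """Stand-in for hashing an executable image. The example carries no real
    binaries, so a label string is hashed instead (constructed data)."""
    return hashlib.sha256(label.encode()).hexdigest()


# Layer 1, whitelist: SHA-256 of each approved image -> the process name it may
# run as. Hypothetical product names; an operator would populate this from a
# golden install of the HMI / engineering station.
ALLOWLIST = {
    image_hash("hmi_runtime.exe v4.2"): "hmi_runtime.exe",
    image_hash("opc_server.exe v2.0"): "opc_server.exe",
    image_hash("eng_station.exe v7.1"): "eng_station.exe",
}


def build_baseline(learning_events):
    """Layer 2, white behavior: per process, the set of (parent, destination)
    pairs seen while the host ran under supervision. The baseline is stable
    because an industrial host's workload rarely changes after commissioning."""
    baseline = defaultdict(set)
    for ev in learning_events:
        baseline[ev["process"]].add((ev["parent"], ev["dst"]))
    return baseline


def evaluate(event, baseline):
    """Return a list of findings for one process event; [] means it conforms."""
    approved_name = ALLOWLIST.get(event["sha256"])
    if approved_name is None:
        # Image not in the whitelist: refused before it executes.
        return [f"BLOCK {event['process']}: image not in whitelist"]
    findings = []
    if approved_name != event["process"]:
        # An approved binary started under another name deserves an alert.
        findings.append(f"ALERT {event['process']}: runs approved image of {approved_name}")
    if (event["parent"], event["dst"]) not in baseline.get(approved_name, set()):
        # Whitelisted program doing something never seen in the baseline.
        findings.append(
            f"ALERT {approved_name}: new behavior parent={event['parent']} dst={event['dst']}"
        )
    return findings


def summarize(events, baseline):
    """Count how the baseline classifies a batch of events."""
    counts = {"allowed": 0, "blocked": 0, "alerted": 0}
    for ev in events:
        findings = evaluate(ev, baseline)
        if not findings:
            counts["allowed"] += 1
        elif findings[0].startswith("BLOCK"):
            counts["blocked"] += 1
        else:
            counts["alerted"] += 1
    return counts


# Constructed learning-window events: what the host normally does.
LEARNING_EVENTS = [
    {"process": "hmi_runtime.exe", "sha256": image_hash("hmi_runtime.exe v4.2"),
     "parent": "explorer.exe", "dst": "10.0.10.5:502"},
    {"process": "opc_server.exe", "sha256": image_hash("opc_server.exe v2.0"),
     "parent": "services.exe", "dst": "10.0.10.5:44818"},
    {"process": "eng_station.exe", "sha256": image_hash("eng_station.exe v7.1"),
     "parent": "explorer.exe", "dst": "10.0.10.7:102"},
]

# Constructed events to evaluate once the baseline is frozen.
TEST_EVENTS = [
    {"process": "hmi_runtime.exe", "sha256": image_hash("hmi_runtime.exe v4.2"),
     "parent": "explorer.exe", "dst": "10.0.10.5:502"},          # normal
    {"process": "updater.exe", "sha256": image_hash("unknown image"),
     "parent": "explorer.exe", "dst": "-"},                        # not whitelisted
    {"process": "eng_station.exe", "sha256": image_hash("eng_station.exe v7.1"),
     "parent": "explorer.exe", "dst": "192.0.2.44:445"},           # new destination
    {"process": "svchost.exe", "sha256": image_hash("hmi_runtime.exe v4.2"),
     "parent": "cmd.exe", "dst": "10.0.10.5:502"},                 # renamed image
]

BASELINE = build_baseline(LEARNING_EVENTS)

if __name__ == "__main__":
    for ev in TEST_EVENTS:
        print(ev["process"], evaluate(ev, BASELINE) or "ok")
    print(summarize(TEST_EVENTS, BASELINE))
```

The whitelist decides what may execute at all; the baseline catches the case the paragraph above is concerned with, an approved program whose behavior departs from what was learned, which a whitelist alone would pass. In a real deployment the learning window would be closed explicitly and the baseline versioned with the host's software configuration, since any legitimate change to the host invalidates part of it.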
Defense-in-depth strategies for industrial control systems have been deployed in many industrial enterprises. However, security is dynamic, while defense in depth is comparatively static and lacks the ability to keep pace with the times. In the era of the industrial Internet, with the continuous development of business and incremental growth of data, a security baseline should be established with business rules at its core; the information flows and operating instructions of the industrial Internet should be monitored dynamically and in real time; and, on the principle of limited control instructions, abnormal behaviors should be monitored and alarmed, so as to build up a knowledge base of industrial Internet "white behaviors" and establish a security operations system based on real-time monitoring.
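The "limited control instructions" principle in the paragraph above, as an added example that is not from the paper: a knowledge base of permitted instructions keyed by controller unit and register, each carrying a business-rule value range, and a monitor run over constructed Modbus-style command log lines. The log format, addresses, register semantics, permitted sources and value ranges are all constructed assumptions for the example.

```python
"""Monitoring control instructions against a 'white behavior' knowledge base.

Added example, not from the paper. The instruction log format, unit ids,
register addresses and business rules are constructed to resemble a
Modbus/TCP command log; none of them describe a real plant.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rule:
    sources: frozenset                     # hosts permitted to issue the instruction
    function_codes: frozenset              # e.g. 3 = read holding registers, 6 = write single register
    value_range: Optional[Tuple[int, int]] # business-rule (lo, hi) for writes; None if read-only


# Knowledge base of permitted instructions, keyed by (unit id, register).
# Constructed: 40001 is a temperature setpoint with a business-rule range,
# 40002 is a pump run command (0/1), 40010 is read-only telemetry.
WHITE_BEHAVIOR = {
    (1, 40001): Rule(frozenset({"10.0.10.5"}), frozenset({3, 6}), (600, 900)),
    (1, 40002): Rule(frozenset({"10.0.10.5"}), frozenset({3, 6}), (0, 1)),
    (1, 40010): Rule(frozenset({"10.0.10.5", "10.0.10.6"}), frozenset({3}), None),
}

WRITE_FUNCTIONS = {6, 16}  # write single / write multiple registers

LINE_RE = re.compile(
    r"src=(?P<src>\S+) unit=(?P<unit>\d+) fc=(?P<fc>\d+) reg=(?P<reg>\d+)(?: val=(?P<val>-?\d+))?"
)


def parse(line):
    """Parse one constructed log line into a command dict, or None if malformed."""
    m = LINE_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "src": d["src"],
        "unit": int(d["unit"]),
        "fc": int(d["fc"]),
        "reg": int(d["reg"]),
        "val": int(d["val"]) if d["val"] is not None else None,
    }


def check(cmd):
    """Return an alert string if the command falls outside the knowledge base,
    otherwise None. Anything not explicitly permitted is treated as abnormal."""
    rule = WHITE_BEHAVIOR.get((cmd["unit"], cmd["reg"]))
    if rule is None:
        return f"ALERT unknown target unit={cmd['unit']} reg={cmd['reg']}"
    if cmd["src"] not in rule.sources:
        return f"ALERT unexpected source {cmd['src']} for reg {cmd['reg']}"
    if cmd["fc"] not in rule.function_codes:
        return f"ALERT function code {cmd['fc']} not permitted on reg {cmd['reg']}"
    if cmd["fc"] in WRITE_FUNCTIONS:
        if rule.value_range is None:
            return f"ALERT write to read-only reg {cmd['reg']}"
        lo, hi = rule.value_range
        if cmd["val"] is None or not lo <= cmd["val"] <= hi:
            return f"ALERT value {cmd['val']} outside business range [{lo}, {hi}] for reg {cmd['reg']}"
    return None


def monitor(lines):
    """Run the knowledge base over a batch of log lines and collect alerts."""
    alerts = []
    for line in lines:
        cmd = parse(line)
        if cmd is None:
            alerts.append(f"ALERT unparseable instruction: {line!r}")
            continue
        alert = check(cmd)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed command log: two normal instructions followed by five deviations.
LOG_LINES = [
    "src=10.0.10.5 unit=1 fc=3 reg=40010",           # normal telemetry read
    "src=10.0.10.5 unit=1 fc=6 reg=40001 val=750",   # setpoint within range
    "src=10.0.10.5 unit=1 fc=6 reg=40001 val=1500",  # setpoint outside business range
    "src=10.0.10.9 unit=1 fc=6 reg=40002 val=0",     # source not permitted
    "src=10.0.10.5 unit=1 fc=6 reg=40010 val=1",     # write to a read-only register
    "src=10.0.10.5 unit=2 fc=3 reg=40001",           # unit not in the knowledge base
    "garbage",                                       # unparseable record
]

if __name__ == "__main__":
    for alert in monitor(LOG_LINES):
        print(alert)
```

The point of keying the knowledge base on the business meaning of each register, rather than on the protocol alone, is that a syntactically valid write with an out-of-range setpoint is exactly the kind of instruction perimeter isolation and a plain protocol filter both pass; the baseline built from business rules is what flags it.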
The nature of security: vulnerabilities are the source, and response is the best practice. Establishing an emergency response mechanism for security incidents is therefore also urgent. Security response is not only a matter for security vendors; industrial users, automation vendors and security vendors must work together to solve difficult security problems and build a sound security emergency response mechanism.
6 Summary
In conclusion, the system of industrial information security is still at a stage of continuous development. Although static defense-in-depth strategies are generally recognized by the industry, security is dynamic and continuous, and simple "fencing" has proved to be seriously deficient. Only by strengthening the security of the industrial host, laying the security foundation, establishing a behavior baseline with real-time monitoring technology and guaranteeing a linked security response can the long-standing, difficult problems of industrial control information security in industrial enterprises be solved effectively.