![]() If it is small enough and has protocol conformance checks it may even be able to be exhaustively tested. One other benefit of this approach is the small attack surface available to the cloud service provider can be tested. It is the will that is lacking.Įven a high required access case such as SCADA Operations / Operators in the cloud, can have restrictions that would prevent changing logic, loading software and firmware, and perhaps controlling the highest consequence parameters. Again the technology is proven and available. ![]() ![]() Perhaps some that have lost in the detection market should pivot providing a closed loop ICS cloud services gateway / edge device offering, ideally partnering with the cloud service provider. The parsing of ICS protocols is also a key technology in the detection products from Claroty, Nozomi and ~15 other companies pursuing this market. The benefit was worth the effort and expense of deploying Tofino themselves for this asset owner after the cloud service provider stuck to the anytime / all access required stance. A very security conscious client deployed Tofino to limit closed loop ICS cloud services to a small set of IP addresses, Modbus, write function code, and a small number or registers that could be written to. This has been available from ICS firewall/gateway products such as Tofino and mGuard for over a decade and there are a number of new entrants. And to check that the packets follow the protocol to stop malformed packet/protocol attacks. For example, a cloud service could be restricted to write (change a setting) on one or more boilers on certain coils/registers within a certain value range. If the asset owner trusts an any time, all access “secure” connection why put in the limitation that will make selling and deploying future services more difficult?Īs noted in the title, the technology exists. The stealth reason - if a secure gateway or edge device with DPI limits access from the cloud to the ICS to minimal protocols, function codes, and tags/points/coils/registers, it will be more difficult to add on new services.As in, you will deploy it in an insecure mode if I don’t pay you for this option? Some vendors are offering secure deployment as an add on cost, but this does cause market angst. Deployment teams are already dealing with a great deal of complexity, and if the customer is not demanding security, the ICS will most often be deployed in the insecure by default configuration. It is an extension of why we still see most ICS deployed in a manner not following the ICS vendor’s own secure deployment guides, even in cases where the ICS vendor deploys the system. It adds complexity to the project / service.Asset owners are not requesting it, let alone insisting on it.This isn’t happening in most cases for three reasons: We should be using the existing ICS deep packet inspection (DPI) technology to implement granular least privilege access from the cloud to the asset owner ICS. Most closed loop ICS cloud services do not require an all or nothing access decision. This risk should decrease over time if more asset owners start auditing the promised security controls. Shockingly failing audits that were pre-scheduled and performed in conjunction with the cloud service provider. In my audit experience to date, many are not. The asset owner has to trust the ICS cloud service provider is following those nicely written security controls.Get into the cloud service provider, in any way hack, bribe, extortion, nation state demand, physical attack, and the adversary now may have access to 1800 power plants or 680 factories or … The cloud service provider is a big, juicy target that is even more attractive to an adversary as they sign up more customers.Trust that the cloud service provider is actually implementing the VPN, patching, two-factor authentication, background checks, physical security, that is described in the security section of the offering. The closed loop ICS cloud service offerings I’ve seen through working with both cloud service providers and asset owners purchasing the cloud service have been based on trust. Most of the sectors and use cases will fall between these two extremes. And a small amount where the consequence of compromise is so low that simply putting in a VPN and trusting the cloud service provider will be sufficient. Sure there will likely be some sectors and use cases, such as nuclear, where this will not happen anytime soon. The benefits of the ICS cloud services can be substantial, and the available services and benefits are almost certain to increase rapidly.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |