cyber security emerging threats
Separation
In today’s world, both government and the private sector are struggling to provide a secure, efficient, timely, and separate means of delivering essential services internationally. As a result, these critical national infrastructure systems remain at risk from potential attacks via the Internet.
It is the policy of the United States to prevent or minimize disruptions to the critical national information infrastructure in order to protect the public, the economy, government services, and the national security of the United States.The Federal Government is continually increasing capabilities to address cyber risk associated with critical networks and information systems.
Please explain how you would reduce potential vulnerabilities, protect against intrusion attempts, and better anticipate future threats.
1
Copyright © 2012, Elsevier Inc.
All Rights Reserved
Chapter
3
Separation
Cyber Attacks
Protecting National Infrastructure, 1st ed.
2
• Using a firewall to separate network assets from
intruders is the most familiar approach in cyber
security
• Networks and systems associated with national
infrastructure assets tend to be too complex for
firewalls to be effective
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 3
–
S
e
p
a
ra
tio
n
Introduction
3
• Three new approaches to the use of firewalls are
necessary to achieve optimal separation
– Network-based separation
– Internal separation
– Tailored separation
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 3
–
S
e
p
a
ra
tio
n
Introduction
4
Fig. 3.1 – Firewalls in simple and
complex networks
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 3
–
S
e
p
a
ra
tio
n
5
• Separation is a technique that accomplishes one of
the following
– Adversary separation
– Component distribution
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 3
–
S
e
p
a
ra
tio
n
What Is Separation?
6
• A working taxonomy of separation techniques: Three
primary factors involved in the use of separation
– The source of the threat
– The target of the security control
– The approach used in the security control
(See figure 3.2)
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 3
–
S
e
p
a
ra
tio
n
What Is Separation?
7
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 3
–
S
e
p
a
ra
tio
n
Fig. 3.2 – Taxonomy of separation
techniques
8
• Separation is commonly achieved using an access
control mechanism with requisite authentication and
identity management
• An access policy identifies desired allowances for
users requesting to perform actions on system
entities
• Two approaches
– Distributed responsibility
– Centralized control
– (Both will be required)
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 3
–
S
e
p
a
ra
tio
n
Functional Separation?
9
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 3
–
S
e
p
a
ra
tio
n
Fig. 3.3 – Distributed versus centralized
mediation
10
• Firewalls are placed between a system or enterprise
and an un-trusted network (say, the Internet)
• Two possibilities arise
– Coverage: The firewall might not cover all paths
– Accuracy: The firewall may be forced to allow access that
inadvertently opens access to other protected assets
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 3
–
S
e
p
a
ra
tio
n
National Infrastructure Firewalls
11
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 3
–
S
e
p
a
ra
tio
n
Fig. 3.4 – Wide area firewall
aggregation and local area firewall
segregation
12
• Increased wireless connectivity is a major challenge
to national infrastructure security
• Network service providers offer advantages to
centralized security
– Vantage point: Network service providers can see a lot
– Operations: Network providers have operational capacity
to keep security software current
– Investment: Network service providers have the financial
wherewithal and motivation to invest in security
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 3
–
S
e
p
a
ra
tio
n
National Infrastructure Firewalls
13
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 3
–
S
e
p
a
ra
tio
n
Fig. 3.5 – Carrier-centric network-based
firewall
14
• Network-based firewall concept includes device for
throttling distributed denial of service (DDOS) attacks
• Called a DDOS filter
• Modern DDOS attacks take into account a more
advanced filtering system
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 3
–
S
e
p
a
ra
tio
n
DDOS Filtering
15
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 3
–
S
e
p
a
ra
tio
n
Fig. 3.6 – DDOS filtering of inbound
attacks on target assets
16
• SCADA – Supervisory control and data acquisition
• SCADA systems – A set of software, computer, and
networks that provide remote coordination of
control system for tangible infrastructures
• Structure includes the following
– Human-machine interface (HMI)
– Master terminal unit (MTU)
– Remote terminal unit (RTU)
– Field control systems
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 3
–
S
e
p
a
ra
tio
n
SCADA Separation Architecture
17
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 3
–
S
e
p
a
ra
tio
n
Fig. 3.7 – Recommended SCADA system
firewall architecture
18
• Why not simply unplug a system’s external
connections? (Called air gapping)
• As systems and networks grow more complex, it
becomes more likely that unknown or unauthorized
external connections will arise
• Basic principles for truly air-gapped networks:
– Clear policy
– Boundary scanning
– Violation consequences
– Reasonable alternatives
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 3
–
S
e
p
a
ra
tio
n
Physical Separation
19
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 3
–
S
e
p
a
ra
tio
n
Fig. 3.8 – Bridging an isolated network
via a dual-homing user
20
• Hard to defend against a determined insider
• Threats may also come from trusted partners
• Background checks are a start
• Techniques for countering insider attack
– Internal firewalls
– Deceptive honey pots
– Enforcement of data markings
– Data leakage protection (DLP) systems
• Segregation of duties offers another layer of
protection
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 3
–
S
e
p
a
ra
tio
n
Insider Separation
21
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 3
–
S
e
p
a
ra
tio
n
Fig. 3.9 – Decomposing work functions
for segregation of duty
22
• Involves the distribution, replication, decomposition,
or segregation of national assets
– Distribution: creating functionality using multiple
cooperating components that work together as distributed
system
– Replication: copying assets across components so if one
asset is broken, the copy will be available
– Decomposition: breaking complex assets into individual
components so an isolated compromise won’t bring down
asset
– Segregation: separation of assets through special access
controls, data markings, and policy enforcement
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 3
–
S
e
p
a
ra
tio
n
Asset Separation
23
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 3
–
S
e
p
a
ra
tio
n
Fig. 3.10 – Reducing DDOS risk through
CDN-hosted content
24
• Typically, mandatory access controls and audit trail
hooks were embedded into the underlying operating
system kernel
• Popular in the 1980s and 1990s
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 3
–
S
e
p
a
ra
tio
n
Multilevel Security (MLS)
25
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 3
–
S
e
p
a
ra
tio
n
Fig. 3.11 – Using MLS logical separation
to protect assets
26
• Internet separation: Certain assets simply shouldn’t
be accessible from the Internet
• Network-based firewalls: These should be managed
by a centralized group
• DDOS protection: All assets should have protection in
place before an attack
• Internal separation: Critical national infrastructure
settings need an incentive to implement internal
separation policy
• Tailoring requirements: Vendors should be
incentivized to build tailored systems such as firewalls
for special SCADA environments
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 3
–
S
e
p
a
ra
tio
n
National Separation Program