In the Information Age it has become more of a requirement than a luxury that everything is Internet enabled, as we see connectivity being incorporated in structures, automobiles, and even accessories. In the industrial space, however, the need for connectivity presents problems that don’t exist in other verticals, principally because many industrial networks were intentionally designed to be closed/private environments. As a result, industrial networks often don’t have cyber protections commonly found in the IT world, and therefore many of the systems and devices that comprise these networks aren’t equipped with the resources to even run everyday AntiVirus (AV) software.
While these and other security issues – such as protecting remote devices – pose significant challenges for industrial device manufacturers and network administrators, Intel and the 250+ members of the Intel® Internet of Things (IoT) Solutions Alliance are working to mitigate threats through both hardware-assisted and software-based security. In conjunction with Intel, Associate Members of the Alliance McAfee and Wind River Systems are providing cyber threat prevention through software and middleware solutions that run on Intel silicon with Intel® vPro™ Technology, enabling comprehensive security for Industrial Control Systems (ICSs) from the edge to the cloud, and back again.
Industrial edge devices – resource constraints and hardware-level security
At some point in 2007, an operator at a uranium enrichment facility inserted a USB memory device infected with the Stuxnet malware into an ICS running a Windows Operating System (OS). Over the next three years, the Stuxnet worm propagated over the facility’s internal network by exploiting zero-day vulnerabilities in a variety of Windows OSs, eventually gaining access to the Programmable Logic Controllers (PLCs) on a number of Process Control Systems (PCSs) for the facility’s gas centrifuges. Stuxnet then injected malicious code to make the centrifuges spin at their maximum degradation point of 1410 Hz. One thousand of the facility’s 9,000 centrifuges were damaged beyond repair.
The above illustrates the risks associated with connected industrial systems, as their lack of protection enables malware to spread throughout ‘clean’ industrial environments much more quickly than they would in enterprise environments. In the case of Stuxnet, a rootkit-based attack was used to conceal the malware for an extended period of time so that it could proliferate throughout the Natanz nuclear facility nearly unimpeded (Figure 1).
Figure 1. A rootkit is a type of malware that eventually makes its way underneath the core Operating System (OS) to the middleware layer and manipulates code to conceal its presence and alter system code/code calls.
To mitigate the effects of rootkit-based attacks like Stuxnet, McAfee Deep Defender is a hardware-assisted AV solution built on McAfee DeepSAFE technology co-developed with Intel. Available on Intel® Virtualization Technology (Intel® VT)-enabled 64- and 32-bit processors, Deep Defender works in conjunction with DeepSAFE to provide clamshell-type OS protection that resides between the OS and system memory (Figures 2 & 3). Deep Defender employs an AV component to continuously monitor the CPU and block kernel-based rootkits before they can load, even working beyond the core OS to detect, block, and remediate advanced attacks. In addition, leveraging Intel VT-x provides additional defenses in that virtualization allows malwares that have compromised a system to be effectively quarantined to certain portions of the network.
Figure 2. Intel® Virtualization Technology (Intel® VT-x) rides on top of a system’s hardware architecture to perform Operating System (OS) and application monitoring, as well as enhanced control of CPU primitives.
Figure 3. McAfee Deep Defender works in conjunction with McAfee DeepSAFE technology to protect the middleware layer between the Operating System (OS) and system memory to detect and block malware before they can load with the kernel.
As mentioned earlier, one of the limitations facing security in fixed-function embedded devices is the typical size of an AV package, which is usually around 300 MB, consumes more than 20 MB of memory, and increases boot time by about 20 seconds. For most industrial systems, this amount of overhead for a single application is a non-starter.
To eliminate cyber threats while still managing the resource constraints of industrial devices, all Intel Architecture (IA) platforms support application “whitelisting” through McAfee Embedded Control (Figure 4). Where most conventional AV security is implemented through a “blacklisting” approach in which programs that are known to be malignant are prevented from running by AV software, application whitelisting takes the reverse approach by only allowing predefined, ‘known good’ applications to run. By shielding applications and binaries at the kernel level, the application whitelisting feature of McAfee Embedded Control prevents malware and zero-day exploits and minimizes the need for frequent OS security patches on systems nearing End-Of-Life (EOL). This allows Original Equipment Manufacturers (OEMs) to lock down firmware images for control and monitoring, and because application whitelisting is low-overhead software with negligible memory usage and no file scanning, it has little-to-no impact on system performance. For legacy systems application whitelisting can be delivered as a McAfee Embedded Control upgrade package, and can be included on new IA-based device deployments.
Figure 4. McAfee Embedded Control provides application ‘whitelisting,’ which prevents any program from running that has not been defined for a particular system. The small-footprint package is an ideal solution for fixed-function industrial devices, particularly as they typically don’t require the software flexibility needed in IT environments. When excluded programs attempt to access the system, they are denied and the event is logged in McAfee ePolicy Orchestrator (ePO).
Enacting Security through Industrial Gateways
McAfee Embedded Control is one component of the recently announced family of Intel-based intelligent gateway solutions, which also comprise the Wind River Intelligent Device Platform (Wind River IDP), a scalable software development environment for building industrial Internet of Things (IoT) gateways. Wind River IDP integrates the whitelisting capability of Embedded Control, and also extends device side security by providing secure boot with a hardware root of trust based on IA processors equippedwith Intel® Trusted Execution Technology (Intel® TXT). Intel TXT is another Intel vPro Technology-enabled hardware-based solution that protects against software-based cyber attacks through a sequence:
Verified Launch -> Launch Control Policy (LCP) -> Secret Protection –> Attestation (Figure 5)
Figure 5. Intel®Trusted Execution Technology (Intel® TXT) conducts a Verified Launch, Launch Control Policy (LCP), Secret Protection, and Attestation process to provide a Trusted Platform Module (TPM) that can be used to securely boot industrial devices.
This sequence establishes a Trusted Platform Module (TPM), which Wind River IDP uses for a secure boot process that verifies applications haven’t been tampered with or replaced during device power on and firmware startup, all the way until the OS loads. IDP provides integrity monitoring of the kernel to ensure that programs requesting to run on a device are in fact the ‘real’ applications, doing so through a variety of trusted boot techniques that include:
• Conducting TPM measurements of firmware, boot loader, kernel, and all associated configuration data before use
• Storing TPM measurements using a hardware root of trust (when available)
• Verifying that TPM measurements are consistent and as expected
Secure boot also provides secure storage through an encrypted local file system and secure key management using the TPM to offer seal/unseal key protection. Figure 6 depicts a trusted boot implementation in an IA-based platform.
Figure 6. Secure boot with the Wind River Intelligent Device Platform (IDP) establishes a hardware root of trust in a Trusted Platform Module (TPM) to ensure a trusted boot process from power-on through firmware startup until the Operating System (OS) loads.
Where available, Wind River IDP also uses TPM hardware supported by the OpenSSL TPM engine to conduct secure backend network communications. In typical SSL or TLS-based network communication where data transported during the handshake period is encrypted for a peer’s public key prior to the exchange, IDP stores private keys in the TPM chip so that it can never be extracted or used for decryption on any other platform. This guarantees that exchanged data can only ever be received by the correct peer as it ensures that only the correct peer has the private key required to decrypt it. In addition, IDP provides an image signing tool that verifies device-side software updates are only done with validated images; remote attestation; and Secure Remote Management (SRM) that offers secure, role-based access control to device data. Figure 7 depicts the security mechanisms that can be used to protect different areas of the IDP software stack, and thus the industrial devices it runs on.
Figure 7. Wind River’s Intelligent Device Platform (IDP) provides hardware root-of-trust security based on Trusted Platform Modules (TPMs) based on Intel® Trusted Execution Technology (Intel® TXT) as well as secure network communications using TPM-enabled OpenSSL encryption, among other software security provisions.
Securing industrial networks – from edge to cloud and back – in the IoT age
As industrial systems are increasingly required to add connectivity to perform their basic functions, comprehensive cyber security measures – rooted in both hardware and software – will be critical to guaranteeing not only data security, but the physical integrity of devices themselves. In response, members of the Intel Internet of Things (IoT) Solutions Alliance like McAfee and Wind River Systems are leveraging the hardware-assisted security provisions of processors such as the Intel® Core™ vPro™ processor family and the Intel® Xeon® processor E5-2600, E5-1600, and E3-1200 product families to build software and middleware security solutions for centralized image management, secure network storage, and out-of-band protection – on both sides of the firewall.
To learn more about cybersecurity solutions from Intel and the 250+ members of the Intel Internet of Things (IoT) Solutions Alliance, visit the Solutions Directory.
OpenSystems Media*, by special arrangement with the Intel® Internet of Things (IoT) Solutions Alliance
Follow me on Twitter: @BrandonLewis13
Contact Featured Members:
Solutions in this blog: