Being the ever-vigilant security practitioner for ICS and SCADA, you’ve probably noticed, we recently announced the release of our newest operating system, PAN-OS 7.1. For ICS and SCADA customers, I want to share some ideas about how this new platform could be leveraged in the plant production environment.
Deploy Two-Factor Authentication with GlobalProtect
The need for real-time data to remain competitive is a major element that has ushered in the need for connectivity between ICS environments and the enterprise. This need for connectivity, if not done correctly, could truly come at a premium. Even though most ICS environments have little or no access to the Internet, the established connectivity back to the enterprise places these systems at extreme risk. Oftentimes, lacking segmentation, the systems are easily seen and easily accessible by those who have no reason to access them. Due to the age and nature of these systems, access control is difficult to implement and sustain; therefore, special care and consideration must be taken to ensure access for the mobile workforces that support them. By using the Palo Alto Networks Next-Generation Security Platform and leveraging the extensibility we can provide to end-user devices, we can help ensure that the only people accessing the systems are the ones who need to. Most importantly, we can ensure that their systems are free of infections that could compromise them.
With the release of PAN-OS 7.1, we can secure access to these remote plants and field devices that have simple or weak passwords and non-existent authentication capabilities with GlobalProtect™, which can implement two- factor authentication to the zone where they are located.
As security practitioners, we know that the use of Active Directory (AD), usernames and passwords are not sufficient for allowing remote access to these devices, as they can be compromised by phishing attacks. We also know attackers can use stolen credentials to gain access to these resources and put the control systems at risk. Most organizations mandate two-factor authentication, or 2FA for VPN authentication to safeguard against stolen credentials, and the same should apply to ICS and SCADA PCN.
Common and acceptable options for 2FA are the use of a unique client certificate per client device, in addition to the AD credentials or a one-time password (OTP) with RSA-secure ID.
In PAN-OS 7.1, the GlobalProtect portal can now interface with the enterprise public key infrastructure as a Simple Certificate Enrollment Protocol, or SCEP, client and facilitate secure distribution of unique client certificates. GlobalProtect now has enhancements to cache the result of a successful OTP authentication for subsequent authentications. This will significantly reduce the number of times a user must input the OTP to stay connected to GlobalProtect.
And don’t worry too much about that automation tech who lost their ruggedized device. To mitigate the risk of lost or stolen equipment, just revoke the client certificate or the cached cookie.
Bootstrapping Device Deployment
For owners and/or operators of ICS and SCADA systems in remote locations where there is no personnel with the necessary skills set to configure and deploy equipment or where a third-party provider is needed for the physical deployment of equipment, the new bootstrapping capability of Palo Alto Networks next-generation firewalls will simplify the process of configuration and deployment.
In remote environments, physical firewalls generally require trained personnel to perform the sequence of manual configuration before the firewall is ready for operation. At the very least, a field technician who has a wireless modem connected to a laptop is needed. The laptop must be configured to allow a remote desktop session so that someone at a corporate office can work through that machine. Our new bootstrapping feature helps simplify and automate the process of deployment, whether it’s to replace or upgrade an existing unit or to undergo a completely new installation.
With PAN-OS 7.1, when a firewall is first deployed or has been factory reset, it will look for a configuration package (located on a USB flash drive). Once found, it will automatically load it as part of the boot-up process. Our bootstrapping process is incredibly flexible. The configuration can be as simple as a basic network configuration and a Panorama™ IP address to the latest software versions, content updates, policies and licenses. This new feature will reduce the time required to get remote sites with new deployments live or back online due to site mishaps. Additionally, it can reduce the level of frustration during the deployment or recovery process.
With this new feature, your deployment abilities in remote, disconnected environments could be improved by delivering all the required configurations through the bootstrapping package without the aid of the Internet. When you call the field and request a pair of hands to do the deployment you truly mean just a pair of hands.
Bidirectional Forwarding Detection
It is not uncommon for operators of ICS and SCADA systems to use the dynamic routing capabilities of the Next-Generation Firewall to meet their Layer 3 connectivity needs, especially in situations where space and power are at a premium and network downtime must be kept at a minimum. The need for fast, reliable network convergence in these environments is essential to ensuring the safe operation of these real-time systems. Bidirectional Forwarding Detection, or BFD, in PAN-OS 7.1 allows sub-second failure detection, immediately triggering convergence in routing protocols, such as Open Shortest Path First (OSPF) and Border Gateway Protocol (BGP) to re-establish viable paths in traffic flow across the firewall. This helps reduce production network outages. Just think: The device that gets blamed the most for causing communication disruptions is now the device that’s keeping the communication going.
Want to learn more?
Details about what’s new in this release can be found on our PAN-OS 7.1 Technical Documentation page with additional resources available below.
- Technical Documentation: Enhanced Two-Factor Authentication
- Technical Documentation: Bootstrapping Firewalls for Rapid Deployment
- Technical Documentation: Failure Detection with BFD
[Palo Alto Networks Research Center]