Women in Cybersecurity/IT: A Matter of Strategy

If an organization has a culture of diversity and inclusiveness, there is typically a strategy in place to hire more women in cybersecurity/IT. This is especially true in consulting, where there is a concerted effort to hire more women. From a recruiting perspective, there is a small talent pool of women in cyber/IT to hire from. But I am starting to see more effort/focus on pipeline development coming from schools and organizations.

A female CISO I recently spoke to said, “I am not seeing a lot of women enter the field, but I am seeing STEM (science, technology, engineering, and math) efforts, encouraging students in college to enter the technical fields where they may see an avenue toward cybersecurity.”

Bringing More Women into Cybersecurity/IT Careers
As I said, building that talent pipeline is key. More effort and investment need to be made at the high school level to encourage girls to take the cybersecurity/IT career path. We need to show that it is cool, that it is in demand, that Fortune 500 companies are looking for women in cybersecurity/IT, and that it is a rewarding career. This effort should underline the fact that the pay disparity between women and men in cyber/IT is significantly less than in other fields.

Unfortunately, studies show that girls are actually discouraged from STEM careers by their school counselors, who often lack the information needed to steer them toward nontraditional female roles. Girls also do not study for cybersecurity/IT careers, because they do not know anyone in these fields or what they do. Getting into the schools is critical to developing that pipeline.

I recently attended a career night at my daughter’s school. There were a lot of dads in IT and the students that stopped by were primarily boys. We need to change this. Girls need to know that this is a field for them too, and that it is a great way to make an impact on an organization and earn a great salary.

Engagements with cyber professionals allow students to have more knowledge and envision pathways for themselves to pursue cyber careers. It is critical that we give girls cyber experience so they can make their own discoveries and impacts. They are more likely to pursue cyber careers if they have had hands-on experience, so experiential learning is vital to generating interest.

Scholarships and Mentoring
Mentoring and coaching girls and women toward cybersecurity/IT careers is a must. When employees and employers make a commitment to positively impact the community by volunteering, everyone benefits. We need more scholarships for women studying cybersecurity/IT. There should also be a focus on under-represented students, such as those from low-income families or minority populations. We need male leaders to visibly support all of these efforts.

Another critical focus is retention. Even if women are in cyber/IT, most leave the profession after an average of 10 years, because there are so few female role models in senior leadership. A lack of sponsorship also contributes to this problem. Sponsorship differs from coaching/mentoring. Sponsors have authority and influence. They put their personal capital at stake to “talk up” women when they are not there at leadership meetings. Sponsors can put them in front of the right people and recommend them for leadership opportunities, experiences or promotions.

Fostering a Culture of Diversity
We need to have more women in cyber speak at conferences. I’m always amazed when I speak at a conference and women come up to me to say, “It’s nice to see a female speaker at these events.” It should not be so rare to see a woman cyber leader in a keynote speaker role.

Having a culture where diversity and inclusiveness are valued is crucial. A significant part of that is the recognition that diverse teams and perspectives enable organizations to be successful. Organizations need to set performance metrics related to hiring women in cyber/IT to affect executive bonuses and put succession plans in place that purposely provide for future female cyber leaders.

Editor’s note: As part of ISACA’s celebration of Women in Technology Month this month, we have launched a pilot of the Connecting Women Leaders in Technology program, an effort to engage female professionals in the areas of education, awareness and advocacy. ISACA is seeking women in tech to guest blog on the subject of their choice. If you are interested in learning more, please contact news@isaca.org.

Debbie Lew, Executive Director, Ernst & Young LLP

[ISACA Now Blog]

The Need to Isolate Remote, Wide-Area Communications Into a Separate Zone

In our Reference Blueprint for Industrial Control and SCADA, we describe the need to isolate remote communication technologies into a separate zone. Devices like iNets, unlicensed and licensed microwave, satellite, AMI meters and other forms of longer-range, radio-based communications need to be looked at carefully before being implemented. Extra consideration of these types of technology is essential to preventing unintentional access into enterprise and OT systems.

Benefits of Remote Communication Technologies

With the advent of the Industrial Internet of Things (IIoT), or Industry 4.0, new highly efficient, low-energy and low-cost wide-area communication devices are continually being produced, providing more bandwidth and flexibility in deployment, items deemed essential in an ICS/SCADA environment.

Improvements in communication technology make remote automation not only doable but also attractive, if not a necessity. These advancements help with automation, make it possible to place more intelligent devices further out, and reduce labor costs, as an army of people would no longer be required to travel to remote destinations, retrieve information and bring it back. Improved communications would allow operators to gather this information back to a single location, cutting many of the expenses associated with vehicle maintenance, gas and hourly wages.

Remote automation is not only cost-effective, dependable, and safe, it enables owner/operators to be competitive in several ways:

  • It helps improve the efficiency of the system, allowing for real-time, or near real-time, information at regular intervals.
  • It produces data for analytics, which helps improve system performance, increase efficiencies and produce higher yields in a product.
  • It increases visibility into our systems, allowing us to adjust as necessary.

There is, however, a downside to these innovations in communications for ICS/SCADA, which is the need for greater enforcement of security at remote locations.

Challenges of Remote Communication Technologies

Putting high-speed, high-bandwidth connections in remote, unmanned areas makes them ideal beachhead attack points. Because these sites have access to both enterprise and OT systems, they serve as an excellent foothold for an adversary, and some areas can take hours to reach due to the remoteness and terrain. The remoteness of the asset provides attackers with ample time to come and go as needed.

At remote facilities, it is possible for someone to install micro-computing devices that can be left in place and go unnoticed for months, if not years, if the physical placement of equipment and site layout goes unaudited for a long period of time. On-premise equipment could be reloaded with weaponized or malicious code and leveraged against the owner/operator’s internal systems, giving the ability to cause major disruptions.

Placing more intelligent devices further out at remote locations – devices with far more computing power than those previously used – can give attackers better internal resources with which to attack our systems.

Today’s broadband technology, in most cases, is some form of shared medium, meaning people with the right skill set and tools are capable of eavesdropping on others, making for insecure communications on systems that run critical real-time production.

One other key element many fail to consider when deploying communication technologies, such as satellite or microwave, is that many of these technologies are easy to remove and relocate. It is not uncommon for satellite dishes to go missing. Just think about what happens when the outdoor unit, dish and block upconverter (BUC), and the indoor unit (IDU) satellite modem go missing, and the relocation still shows online.

Another nefarious scenario is using these remote access points as an attack vector against a competitor or generating denial of service (DoS) attacks against others routed through the owner/operator’s network.

With all of these advances in communication technologies, older forms like frame relay or dedicated leased lines are no longer in use. If they are, they are very expensive to maintain. But older technologies, being point-to-point in nature, do provide slightly more security at remote facilities, unlike most of today’s Internet-based communication technologies, which is why greater attention must be paid to the security, both physical and cyber, of remote communication technologies.

Securing Remote Communication Technologies

Physical security at these locations is difficult to maintain due to their remoteness, but cybersecurity and ensuring the traffic coming in from a field site is only that which is required – and nothing more – is an achievable, sustainable objective.

At Palo Alto Networks® we believe in and follow the best practices of Zero Trust networking. In the Zero Trust networking model, it is highly advised that access to and from remote assets be set in an entirely separate zone, and that communications be restricted to only the applications, ports, and protocols needed for the process.

By following this tactic, a company can minimize its attack surface and limit possible exposure caused by breaches with their communications link. By zoning remote connections into a separate isolated enclave restricted by application and user ID, the field of focus is narrowed, providing better visibility into attempts to use the sites’ communications.

Unauthorized attempts to access the OT/IT networks would be painfully obvious in the logs, where they would appear as failed or dropped attempts at communication, especially if contact attempts are made with resources that the zone has no need to communicate with. This would be a clear indicator of compromise (IoC) from that device or facility.
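The log review described above, sketched as an added example (not code from Palo Alto Networks or the original post): it reads a constructed CSV export of firewall session logs and flags remote-zone traffic that falls outside the flows the field sites need. The zone name, addresses, application labels, log layout and threshold are all assumptions.

```python
import csv
import io
from collections import defaultdict

REMOTE_ZONE = "remote-wan"  # hypothetical name for the isolated zone
# Constructed allowlist: the only (dst_ip, application, dst_port) flows
# the field sites need for the process.
ALLOWED_FLOWS = {
    ("10.20.0.10", "dnp3", 20000),  # SCADA front-end polling
    ("10.20.0.20", "ssl", 443),     # historian upload
}
FIELDS = ["time", "src_zone", "src_ip", "dst_zone", "dst_ip",
          "app", "dst_port", "action"]

# Constructed sample log lines (not real traffic, not a vendor log format).
SAMPLE_LOG = """\
2016-06-01T02:10:00Z,remote-wan,172.16.5.11,ot-core,10.20.0.10,dnp3,20000,allow
2016-06-01T02:10:05Z,remote-wan,172.16.5.11,ot-core,10.20.0.20,ssl,443,allow
2016-06-01T02:11:00Z,remote-wan,172.16.5.12,enterprise,10.10.1.5,ms-rdp,3389,deny
2016-06-01T02:11:02Z,remote-wan,172.16.5.12,enterprise,10.10.1.6,smb,445,deny
2016-06-01T02:11:04Z,remote-wan,172.16.5.12,ot-core,10.20.0.30,modbus,502,deny
2016-06-01T02:12:00Z,remote-wan,172.16.5.11,ot-core,10.20.0.10,ssh,22,deny
2016-06-01T02:13:00Z,remote-wan,172.16.5.13,enterprise,10.10.1.9,web-browsing,80,allow
2016-06-01T02:14:00Z,corp-lan,10.10.1.50,enterprise,10.10.1.5,ms-rdp,3389,allow
"""

def review_remote_zone(log_text, threshold=3):
    """Classify remote-zone sessions that are not on the allowlist."""
    off_policy, policy_gaps = [], []
    denied_targets = defaultdict(set)
    for row in csv.DictReader(io.StringIO(log_text), fieldnames=FIELDS):
        if row["src_zone"] != REMOTE_ZONE:
            continue  # only the isolated zone is under review
        flow = (row["dst_ip"], row["app"], int(row["dst_port"]))
        if flow in ALLOWED_FLOWS:
            continue  # expected process traffic
        off_policy.append(row)
        if row["action"] == "allow":
            policy_gaps.append(row)  # a rule is broader than the allowlist
        else:
            denied_targets[row["src_ip"]].add((flow[0], flow[2]))
    # A source denied against several distinct targets is the IoC pattern.
    suspects = {ip: len(t) for ip, t in denied_targets.items()
                if len(t) >= threshold}
    return {"off_policy": off_policy, "policy_gaps": policy_gaps,
            "suspects": suspects}

if __name__ == "__main__":
    result = review_remote_zone(SAMPLE_LOG)
    print("suspect sources:", result["suspects"])
    print("allowed but off-policy:", [r["src_ip"] for r in result["policy_gaps"]])
```

Sessions that were allowed but are not on the allowlist are reported separately, since they point to a rule that is looser than the zone design rather than to a blocked attempt.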

To learn about other useful strategies to help you better secure your ICS/SCADA/PCN networks, visit the ICS/SCADA industry page at paloaltonetworks.com and download our reference blueprint architecture for industrial control and SCADA systems.

[Palo Alto Networks Research Center]

Palo Alto Networks Named Top Next Generation Firewall by NetworkWorld Asia — Again!

Palo Alto Networks recently bagged the Next-Generation Firewall award category at NetworkWorld Asia’s Information Management Awards in Singapore. We won the same category last year, and are pleased at the consistent growth and recognition of our platform in this fast-growing region.

NetworkWorld Asia is one of the leading publications in the region that provides CIOs, CTOs, Heads of IT, IT Directors and IT Managers with updates, perspectives, tips and guides on how to leverage leading-edge technologies, tools and strategies to achieve performance, cost savings and business success.

This particular award recognizes Asia’s leaders in Information Security, Storage and Data Management for the huge advances made in these fields over the last few years. It is an honor!

KP Unnikrishnan, Senior Marketing Director, Asia Pacific & Japan for Palo Alto Networks (left) receiving the award from Tan Hoon Chiang, CIO, National Institute of Education (right)

Victor Ng, South East Asia Editor in Chief (left) and Khoo Boo Leong, Senior Editor (right) at Questex Media Group with KP Unnikrishnan

[Palo Alto Networks Research Center]

Countdown to LabyREnth Capture the Flag (CTF) Challenge!

You have less than one month to prepare for the first ever Unit 42 Capture the Flag (CTF) challenge: LabyREnth! Hone your skills and get ready to test yourself against challenges designed by the best threat research teams across Palo Alto Networks.

The CTF will be open to the public starting July 15, 2016, at 4:00 pm PST, and we’ve asked our technical teams to craft challenges that delve into their most used skills across, but not limited to, the following areas:

  • Reverse Engineering
  • Malware Analysis
  • Programming
  • Threat Intelligence Analysis
  • Critical Thinking

Winning will require being a master of many disciplines, and you should expect challenges in lots of different mediums and architectures. Trust us when we say the prizes will be worth it! The challenge will start on Friday July 15, 2016, at 4:00 pm PST and will run until August 14, 2016, at 11:59 pm PST.

The LabyREnth challenges were developed by members of Palo Alto Networks’ threat research and security engineering groups, led by Richard Wartell. Richard runs the GSRT Malware & Countermeasures team at Palo Alto Networks, and is also known for having created the first FLARE-On challenge previously.

Follow the countdown at LabyREnth, and check out the overview of the challenge. Information about the rules and prizes is also there, if you are clever enough to find it! We’ll announce updates here on the blog and through Twitter: @unit42_intel, @wartortell, and keep an eye out for our hashtag, #labyrenth.

[Palo Alto Networks Research Center]

Our Relationship with VMware AirWatch Now Includes Aperture!

SaaS‐based applications are typically adopted by users because they’re fast and easy to use, not to mention accessible from anywhere there’s a reliable Internet connection. Many of these applications are built for use on mobile devices, where speed is even more critical to users. The industry has made great strides in securing mobile devices, but the explosive growth of SaaS adoption means organizations are concerned about data that resides outside the traditional network perimeter, especially if those SaaS applications fall into the category of “Shadow IT.”

Last year, as part of a concerted effort to help organizations better secure mobile devices, we expanded our strategic partnership with VMware AirWatch. You’ll recall three important takeaways from that announcement:

  1. VPN & Network Security: Palo Alto Networks GlobalProtect provides a secure connection between AirWatch managed mobile devices and the Palo Alto Networks Next-Generation Firewall at the device or application level utilizing per-app VPN.
  2. Network Protection: AirWatch integration with Palo Alto Networks GlobalProtect HIP (Host Information Profile) provides a direct tie between information about the mobile device, its configuration and what data and applications the device can access.
  3. Prevention of Malware: Palo Alto Networks WildFire identifies known and previously unknown mobile malware. By integrating the intelligence provided by WildFire with AirWatch, our customers can identify infected applications and take immediate and automated action for security and containment.

Now, as a member of the AirWatch Mobile Security Alliance, we are proud to announce that we have further expanded our relationship with VMware to include Aperture, another part of the Palo Alto Networks Next-Generation Security Platform. Aperture delivers complete visibility and granular enforcement across user, folder and file activity within sanctioned SaaS applications to prevent data risk, malware insertion and compliance violations.

With this integration, customers will have Enterprise Mobility Management (EMM) through the VMware AirWatch platform, network security thanks to GlobalProtect and the next-generation firewall, and SaaS application visibility and control from Aperture, to enforce policy and remediate any risks across mobile and cloud environments. Add to all that threat intelligence through WildFire, and we will be able to detect malware on any device or the propagation of malware through SaaS apps on these devices. These capabilities that combine the power of the VMware platform and our next-generation security platform open the door to many new possibilities in preventive security, and will deliver the most complete mobile-cloud security platform in the industry.

We will post more updates on the details of the integration as we bring together our engineering teams to build the necessary interfaces for exchange of information between the VMware AirWatch platform and Aperture.

For more information:

Aperture Product Resources

[Palo Alto Networks Research Center]
