You gotta give to grow, so thank you to the SANS ICS survey participants! - Part 2

By
Erik Giesa, VP of Products

I had a very timely and relevant call immediately after the SANS ICS Security webinar. I had the good fortune to speak with one of our new customers who just deployed Tempered Networks’ platform. I was interviewing them in order to understand their experience with our products so we can continually improve what we do and how we do it. I love talking to customers because (a) they’re smarter than me, and (b) I always learn something from them because of (a).

“The puck WILL drop.” I stole this phrase from the customer. It’s beautiful because it captures the time urgency they faced in trying to secure Industrial Control Systems across dozens of buildings that were due for completion and going to be occupied by the end of this summer. “The puck will drop.” Either they’d be secure or exposed, and exposure has significant implications. “If just one research lab’s temperature increases just a few degrees for only five minutes, the research is lost costing tens of thousands of dollars.” The construction process has been chaotic with contractors jacking in wireless access points and riding on top of their exposed flat Layer 2 network. Ethernet ports in rooms were live and exposed, they’d find rogue access switches in telecom rooms despite physical security. Mayhem!

Insanity is doing the same thing over again, but expecting a different result

They looked at traditional IT technologies: next-gen firewalls, VPNs, Network Access Control, port lockdown etc. But in every evaluation they drew the exact same insane conclusion – it was going to cost a small fortune to acquire and a king’s ransom to maintain, take forever to deploy, and they still wouldn’t be truly secure. Why? Because all of those solutions are based on a flawed foundation. They all use IP addresses and / or MAC as identity in order to enforce policy. But IP is spoofable. Can you imagine if we used our home address as not only our location but also our identity? How effective would it be to define who could enter your house, access your bank account, or use your car? You wouldn’t need a key, just an address. It would be insanity – but that’s traditional IT networking and security.

Think differently – resist the cartel’s spin, and a better path can be made

Our customer realized that this was his opportunity to do things right and base secure networking not on addresses but on provable identity. Enter Tempered Networks and the Host Identity Protocol (HIP). The future of networking and security–in fact all IP-based technologies--will be an identity-defined model. I predict that 3 – 5 years from now the shift will be in full swing and naked TCP/IP (TCP/IP without HIP) will go the way of SNA.

That’s the prescription I tried to provide the SANS ICS security webinar attendees. The results can be quickly realized as our customer experienced. Deploying and enforcing local and wide-area micro-segmentation for a single building to a central datacenter was done in less than 20 minutes by two team members with no formal training on Tempered Networks’ solution. ICS segmentation for all Building Automation Systems (BAS) running over BACnet can’t be traversed, spoofed, or violated. ICS and BAS elements are now invisible even if a hacker, or contractor, penetrates the local network - no host identity, no entry. BACnet storms are a thing of the past because only authorized machines can discover and communicate with other authorized machines instead of broadcasting UDP messages to all 3,000 gateway routers. The move to a Layer 3 network will be simpler because they won’t have to maintain ineffective access control lists (ACLs) in a futile attempt to prevent attacks or unauthorized traffic. Identity-Based Routing is now a reality. Oh, and what about the cost vs. the traditional alternatives – our customer said it best, “You’re a fourth of the acquisition cost, zero complexity, and no new headcount required. With the others it would have taken 5 days per site, new headcount to maintain, and required 3 am calls whenever someone made a firewall rule change.” Simpler networking and better security at a fraction of the cost. That’s value realized and why the shift to identity is happening.

Now is the opportunity to pave a new path for ICS security and bypass the vulnerabilities and pitfalls that enterprise IT has unfortunately inherited with traditional IP-based tools and technologies. It just requires all of us to think differently. Oh, and don’t forget to watch the SANS ICS security webinar.