
Industry talk: ProSoft GmbH / Opswat
23 | 2.4.2020 | 12.00 h - 12.25 h | Room WIEN 1 | Udo Pittracher | Area Sales Director, DACH and Italy |
Protection of critical infrastructures via a kiosk solution
It’s been almost a decade since Stuxnet put critical infrastructure cybersecurity on the map. Since then, all 16 critical infrastructure sectors identified by the U.S. Department of Homeland Security have been forced to adapt to the new normal of maintaining mission-critical operations and business continuity under constant threat of cyberattack. Despite the expanded focus on risk reduction, including advanced technology implementation, employee training and the adoption of enforceable industry and federal security regulations such as NRC, NERC-CIP and HIPAA, attacks targeting critical infrastructure sectors continue to accelerate in both complexity and frequency. In 2018, 90% of professionals in industrial control system (ICS) and operational technology (OT) environments reported that their organizations had been negatively impacted by at least one cyberattack in the past two years, according to the Ponemon Institute.

The control systems that act as the “brain” within mission-critical environments are both inherently and increasingly vulnerable to the actions of nation-state threat actors, hacktivists and insider threats. Unlike attacks on Fortune 500 companies, attacks on critical infrastructure are sometimes, but not always, motivated by financial gain. Reputational and operational disruption, as well as fear, nation-state espionage, antipathy and ideology are often the drivers.

Within critical infrastructure sectors, cyber risk is most commonly amplified by:
• Insufficient number of skilled workers
• Ineffective people, process and technology policies
• Networks that are vulnerable to attacks from portable media and other file transfer technologies
• Flawed IT/OT integration
• Complexities of legacy SCADA systems
• Lack of asset visibility

OPSWAT protects critical infrastructure. Our goal is to eliminate malware and zero-day attacks. We believe that every file and every device poses a threat. Threats must be addressed at all locations at all times—at entry, at exit, and at rest.
Our security solutions focus on threat prevention and process creation for secure data transfer and safe device access. The result is productive systems that minimize the risk of compromise. Critical networks are especially challenging for security practitioners because isolated and air-gapped networks are vulnerable to attacks from portable media and other file transfer technologies. OPSWAT creates a secure end-to-end process for transferring files to and from critical networks, which is widely used in the manufacturing, energy, government, banking, pharmaceutical, and entertainment industries.

Managing and especially securing critical networks is hard:
1) The first challenge is to implement and enforce a secure data transfer process.
2) The critical network is often targeted by hackers and otherwise exposed to zero-day attacks.
3) In addition to targeted attacks, the critical network is increasingly exposed to advanced malware.
4) Malware is especially dangerous because it can often exploit software vulnerabilities.
5) Organizations that run critical networks also have to worry about the loss of sensitive data from the network (and in some cases also have to block sensitive data from entering the network from outside).
6) And last, but by no means least, critical network operators have to comply with a growing number of tightening regulations.

The secure network is often air-gapped or otherwise isolated from the outside environment. The secure data transfer process enables the organization to have an employee, contractor or another party bring required data into the network without exposing it to a risk of infection. Similarly, data needs to be taken out of the network without loss of any sensitive information.

1. Critical networks are usually air-gapped (not connected to the internet) to maximize their cyber security resilience. However, they are fully functioning networks that include IoT, SCADA and other systems such as email systems, web servers and ERP, which require:
   a. Software updates
   b. Data communication, such as PDFs, documents, presentations, Excel sheets, images, videos, plans...
2. This data is usually brought in by mobile phone, USB, CD or laptop, and even floppy drives.
3. The challenge is to create a policy that focuses on:
   a. Who can bring data
   b. What type of data can be brought in by an outsider
   c. An audit trail of the data

MetaDefender Kiosk helps protect your network by enabling control over the flow of data into and out of your organization. It can be used as a media scanning station on your own hardware or on OPSWAT's custom-made kiosks. Typically, media such as USB devices, DVDs, card readers, SD cards, flash drives or floppy disks are scanned by MetaDefender Kiosk by inserting the media device into the appropriate drive. After the scan is complete, Kiosk generates a detailed report. MetaDefender Kiosk serves as a security checkpoint for preventing cyber security threats from entering critical networks via peripheral devices. Kiosk offers software and hardware form factors for any type of deployment environment. Kiosk is used by organizations that require the highest level of security, including critical infrastructure, government agencies, and financial institutions. MetaDefender Kiosk is used by the majority of North American nuclear operators, making MetaDefender the leading hardware-based portable media detection and file sanitization solution for the North American nuclear industry. A media security station or media security kiosk is the entry point for data and files going into an air-gapped or isolated network.
An air gap is an extremely good protection mechanism, which allows you to focus your defenses on the remaining limited attack surface that is the province of the media security kiosk. The items to consider when setting up a secure process, or what we call a secure data workflow, can be extensive, and we wanted to go through some of our recommended best practices on how to use a media security kiosk as part of a secure data workflow to keep threats out of your isolated network.

1) Physical Access to the Kiosk: The most expensive but most secure method of physically protecting your kiosk against tampering is to allow only facility security personnel access to the kiosk. In this scenario, the user hands over the media with the files that she wants to move into the facility, and security personnel scan the media for the user. The security personnel then transfer the media into the facility. The user never physically interacts with the kiosk. If having security personnel scan media is cost-prohibitive, at a minimum the kiosk must be in an area that is difficult to access physically unobserved, secured during off hours, and there should always be video surveillance on the kiosks.

2) Facility-owned Media: Non-facility (personally owned) media should never be allowed into a facility (isolated network). All media should be asset-controlled, very clearly marked, and wiped using industrial-class wiping software after every use. By only allowing the use of facility-owned media you eliminate many types of potential attacks, especially those that involve accidental malware infections, or any type of attack that attempts to infect media before it enters a facility.

3) Logging: Logging should be enabled at a very granular level. At a minimum, the user, the date and time of the scan, the file names, and the hashes of every file scanned should be collected. A kiosk should not allow infected files to be processed and should be able to quarantine infected files on the kiosk for later analysis.

4) Multi-factor Authentication: A kiosk should be configured so that multi-factor authentication is required to access it. Typically, this might be a combination of a security or smart card used in conjunction with a password. Even vendors and maintenance personnel should have an account created in advance and be issued a temporary, time-limited access card and password if they are to be allowed to use the kiosk. Access cards, accounts, and passwords should never be shared.

5) Role-based Secure Data Workflows: A kiosk should allow many aspects of the workflow to be configured to support a secure data workflow. Here is a list of some of the more useful kiosk features: allowing only certain file types to be processed, allowing only certain media types to be used, configuring what a given user is allowed to do using some type of role-based control, USB drive whitelisting, not allowing files larger than a configured size to be processed, and the ability to stop processing if a blocked file is found. As you can see, security kiosks can be very configurable. The key to secure data workflow configuration is using a role-based method to apply the principle of “least privilege” to the process of using the kiosk.

6) Wipe Media: After it is used in the facility, there should be a procedure to wipe the facility-owned media using industrial-grade wiping software after each use, and a separate system should be used to verify that the media was wiped. Some security kiosks also support media wiping; this should be enabled as a complementary safeguard, but should never be the primary method of wiping media.

7) Use an Intrusion Detection System on the Kiosk: The kiosk should have some form of Host Intrusion Detection System (HIDS) or File Integrity Management (FIM) system in place to detect tampering with the kiosk. If an integrity violation is triggered by the intrusion detection system, the kiosk should be able to immediately disable itself until security personnel can fully investigate the issue.

8) Secure Hardened Image: The operating system image used by the kiosk software should be hardened as much as possible. The two recommended standards for OS hardening are either the Center for Internet Security (CIS) or the Defense Information Systems Agency (DISA) Secure Technology Implementation Guide (STIG) standards, both of which are excellent. Since the kiosk is a very special-purpose device, the system should be hardened as much as feasibly possible.

9) Isolate the Security Kiosks: If you have more than one kiosk, you may want to look at connecting them to each other on an isolated network to make it easier to maintain them. The three primary maintenance tasks are: updating the kiosks with the latest anti-malware definitions, updating the operating system, and collecting log data. The kiosks should be kept isolated from any other networks to prevent them from being used as a point of entry into any network, or, on the flip side, to prevent a connected network from being used as an access point to attempt to tamper with the kiosk.

There are many issues to consider when setting up your media security stations to protect your isolated networks from portable media threats. The key is to use a solid framework to analyze your secure data workflow process to make sure you don’t have any holes. We are indebted to many of our customers that use our kiosk products for giving us their feedback and best practices so that we can share them with the entire community that uses isolated networks.
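To make the logging (item 3) and role-based workflow (item 5) recommendations concrete, here is an added example, not OPSWAT code and not the MetaDefender Kiosk's own policy format, of a least-privilege media check that emits the per-file audit record the logging item calls for. The roles, extensions, size limits and sample media contents are hypothetical values constructed for illustration.

```python
import hashlib
import os
from datetime import datetime, timezone

# Hypothetical role-based policy (illustrative values, not a vendor default):
# allowed extensions, allowed media types and maximum file size per role.
POLICY = {
    "contractor": {"ext": {".pdf", ".docx"}, "media": {"usb"}, "max_bytes": 5_000_000},
    "engineer": {"ext": {".pdf", ".docx", ".xlsx", ".png"}, "media": {"usb", "dvd"},
                 "max_bytes": 50_000_000},
}

def check_file(role, media_type, name, size):
    """Return (allowed, reason) for one file under the role's policy (least privilege)."""
    rule = POLICY.get(role)
    if rule is None:
        return False, "unknown role"
    if media_type not in rule["media"]:
        return False, f"media type {media_type} not allowed for {role}"
    ext = os.path.splitext(name)[1].lower()
    if ext not in rule["ext"]:
        return False, f"file type {ext or '(none)'} not allowed for {role}"
    if size > rule["max_bytes"]:
        return False, f"file exceeds {rule['max_bytes']} bytes"
    return True, "ok"

def process_media(user, role, media_type, files, stop_on_block=True):
    """Check each (name, bytes) pair read from the media and return the audit log:
    user, UTC timestamp, file name, SHA-256 and verdict for every file touched.
    With stop_on_block set, processing halts at the first blocked file."""
    log = []
    for name, data in files:
        allowed, reason = check_file(role, media_type, name, len(data))
        log.append({
            "user": user,
            "time": datetime.now(timezone.utc).isoformat(),
            "file": name,
            "sha256": hashlib.sha256(data).hexdigest(),
            "verdict": "allowed" if allowed else "blocked",
            "reason": reason,
        })
        if not allowed and stop_on_block:
            break
    return log

# Constructed sample media contents: two documents and an executable.
SAMPLE_FILES = [("manual.pdf", b"%PDF-1.4 sample"), ("update.exe", b"MZ sample"),
                ("plan.docx", b"PK sample")]
```

Calling process_media("jdoe", "contractor", "usb", SAMPLE_FILES) logs the PDF as allowed, blocks the executable and stops there, so the third file is never touched unless stop_on_block is disabled.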