Perimeter protection is part of every industrial cyber security strategy. Companies create demilitarised zones (DMZs) to isolate control and corporate systems and use sophisticated, next-generation firewalls (NGFW) to prevent malicious intrusions from external networks.
Virtual private networks (VPNs) are commonly used to manage control system connections with remote engineering offices and service providers.
While powerful, none of these approaches is foolproof. DMZs can be compromised. Attackers bypass firewalls with malware disguised as legitimate, permitted traffic. A VPN encrypts the tunnel but provides no protection against an already-infected remote endpoint; it simply connects that endpoint to the control network. At a minimum, each of these approaches requires additional protection and ongoing maintenance.
End User Concerns
ARC conducted industrial cyber security research surveys in 2013 and 2014 that included questions about unidirectional communications. Companies that had already deployed this technology were quite pleased with their decision. Companies that evaluated the technology and decided not to apply it had two primary reasons for their decision: a belief that this level of security is only required for ultra-high security facilities, like nuclear plants; and, a belief that their organization could not tolerate the perceived limitations of one-way communications, despite the recognized security benefits.
We Don't Need High Security
Clearly nuclear plants need to be as secure as possible, but this does not mean that other plants can accept less security. It depends upon the potential impact of a cyber intrusion. If a compromised system might lead to a refinery explosion, a chemical plant disaster, or other life-threatening incident, the system needs the best possible cyber security.
This also applies (to a somewhat lesser extent) to situations where a successful intrusion could significantly affect the company's supply chain, financial performance, or reputation.
Most people understand the potential impact of cyber incidents, but justify less security based on the perceived low likelihood of an intrusion.
This reflects an "expected value" (Risk = Likelihood x Impact) view of risk management. This approach might be reasonable for an accountant evaluating the financial risks of a cyber intrusion, but not for someone responsible for personal and process safety. Even accountants recognise that outcomes with major negative impact deserve maximum avoidance efforts regardless of their likelihood (Black Swan events). Industrial companies need to take the same approach to cyber security defenses.
Some people will also use the existence of safety systems to help justify their decision to accept lesser levels of cyber security. Certainly safety systems can reduce the likelihood that a compromise will lead to significant damage to physical equipment.
But safety and security are not the same thing, and a cleverly designed cyber intrusion might exploit safety systems to cause spurious shutdowns of all operations. Furthermore, Stuxnet taught us that knowledgeable, state-level attackers can reprogram controllers while feeding operators normal-looking process data, defeating any protection that depends on those same controllers and displays. These kinds of advanced persistent threats (APTs) are clearly growing and must be considered in cyber security strategies.
Also consider that while nuclear plants have the most sophisticated safety systems possible, they still use unidirectional cyber security technology to avoid cyber intrusions. They recognise that safety systems and cyber security are complementary strategies for preventing catastrophes.
We Need Two-Way Communications
Many plants need to interface with external systems. They receive production orders electronically from corporate planning systems. Many plants also rely upon remote groups for asset management, process optimisation, and IT support and this will likely increase as companies adopt trends like Industrial IoT.
Clearly these cases require two-way communications. But this does not mean that these companies have to accept the significant risks of conventional, bi-directional security strategies. Instead, they can use unidirectional communications for all transfers out of the control system and tightly controlled bi-directional channels for incoming communications.
This has the benefit of isolating "insecurity" to specific communications and specific periods of time. As the bulk of communications in most plants are outbound, the net effect is a much higher level of security than is possible using conventional, bi-directional methods for all communications.
Outbound transfers are also mediated by the unidirectional gateway's software agents, which replicate only the data sources they are configured for (a historian or OPC server, for example) to copies on the external network. No network session crosses the hardware, so an attacker on the outside has no message path back into the control system.
A properly designed, combined approach will limit the opportunities and pathways for attacks during bi-directional communication to a significant degree and still provide all the benefits of unidirectional communications for normal information flows.
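The combined approach above, as an added example that is not part of the original article or of any vendor's gateway software: a simulated unidirectional outbound link, where the receiver can detect lost or tampered frames but has no way to request a retransmission, beside a default-deny inbound policy that permits a bidirectional session only for an allow-listed source, destination, port and scheduled maintenance window. All hosts, ports, tag names and window times are constructed for the example.

```python
"""Simulated unidirectional gateway plus time-boxed inbound policy (added
example; hosts, ports, tag names and windows are constructed, not real)."""
import hashlib
import json
import struct
from datetime import datetime

# --- Outbound: one-way replication of historian records -------------------
# The sender never hears back from the receiver, so each frame carries a
# sequence number and a digest. The receiver can see loss and corruption
# but cannot NACK; that is the price of having no return path.
MAGIC = b"UDG1"
HDR = struct.Struct("!4sII32s")  # magic, seq, payload length, sha256 digest

def frame_record(seq: int, record: dict) -> bytes:
    payload = json.dumps(record, sort_keys=True).encode()
    digest = hashlib.sha256(payload).digest()
    return HDR.pack(MAGIC, seq, len(payload), digest) + payload

def parse_frame(frame: bytes):
    """Return (seq, record); raise ValueError for any malformed frame."""
    if len(frame) < HDR.size:
        raise ValueError("short frame")
    magic, seq, length, digest = HDR.unpack_from(frame)
    payload = frame[HDR.size:]
    if magic != MAGIC or len(payload) != length:
        raise ValueError("bad header")
    if hashlib.sha256(payload).digest() != digest:
        raise ValueError("digest mismatch")
    return seq, json.loads(payload)  # json errors are ValueError subclasses

class OneWayReceiver:
    """Replica side of the gateway: accepts frames, records gaps, drops junk."""
    def __init__(self):
        self.expected = 0
        self.records = []
        self.gaps = []       # (first_missing_seq, last_missing_seq)
        self.rejected = 0

    def receive(self, frame: bytes) -> None:
        try:
            seq, record = parse_frame(frame)
        except ValueError:
            self.rejected += 1          # corrupt or hostile bytes never reach the replica
            return
        if seq < self.expected:
            return                      # duplicate or replayed frame; ignore
        if seq > self.expected:
            self.gaps.append((self.expected, seq - 1))  # loss is observable only
        self.records.append(record)
        self.expected = seq + 1

# --- Inbound: the only bidirectional path, limited by who, what and when --
INBOUND_RULES = [  # constructed sample policy: vendor RDP and a Modbus tuning session
    {"src": "10.20.0.15", "dst": "192.168.50.10", "port": 3389,
     "window": ("2024-03-04T08:00", "2024-03-04T12:00")},
    {"src": "10.20.0.40", "dst": "192.168.50.20", "port": 502,
     "window": ("2024-03-05T22:00", "2024-03-06T02:00")},
]

def inbound_allowed(src: str, dst: str, port: int, when: str,
                    rules=INBOUND_RULES) -> bool:
    """Default deny: only a scheduled, allow-listed session may enter."""
    now = datetime.fromisoformat(when)
    for r in rules:
        start, end = (datetime.fromisoformat(t) for t in r["window"])
        if (src, dst, port) == (r["src"], r["dst"], r["port"]) and start <= now < end:
            return True
    return False

def demo() -> OneWayReceiver:
    """Push five constructed historian records across the one-way link,
    drop one in transit, then inject junk and a tampered frame."""
    records = [{"tag": f"FIC-10{i}", "value": 40.0 + i} for i in range(5)]
    frames = [frame_record(i, rec) for i, rec in enumerate(records)]
    rx = OneWayReceiver()
    for i, frame in enumerate(frames):
        if i == 2:
            continue                    # simulated loss on the one-way link
        rx.receive(frame)
    rx.receive(b"\x00" * 10)            # junk on the wire
    rx.receive(frames[1][:-1] + b"!")   # tampered payload fails its digest
    return rx

if __name__ == "__main__":
    rx = demo()
    print("replicated:", len(rx.records), "gaps:", rx.gaps, "rejected:", rx.rejected)
    print("RDP at 09:00 on 4 Mar:", inbound_allowed("10.20.0.15", "192.168.50.10", 3389, "2024-03-04T09:00"))
    print("RDP at 13:00 on 4 Mar:", inbound_allowed("10.20.0.15", "192.168.50.10", 3389, "2024-03-04T13:00"))
```

The gap list is the practical consequence of one-way transfer: because nothing can flow back, a real gateway compensates with forward error correction or redundant sends rather than retransmission requests, and the replica side must be monitored for gaps. The inbound policy is where the remaining "insecurity" lives, so it is kept as narrow as the page recommends: a specific pair of hosts, a specific port, and a bounded window outside of which the rule evaluates to deny.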