Last month, hackers gained access to the control systems of a power grid in Ukraine using spear phishing, leaving over 100 cities without electricity. The attack started with a highly tailored spear phishing email to the employees of Ukrainian power companies, with a malicious XLS or Word document, which the employees opened on a system with access to the control systems of the power grid.
In response, Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has just issued improved security guidelines.
Of note within these guidelines is the concept of building a defensible environment by using network segmentation. Network segmentation is an important design principle which helps contain and isolate attackers, preventing them from gaining access to critical systems. The idea is to separate restricted networks from more accessible ones.
The recommendation says:
“Build a Defendable Environment – Limit damage from network perimeter breaches. Segment networks into logical enclaves and restrict host-to-host communications paths. This can stop adversaries from expanding their access, while letting the normal system communications continue to operate. Enclaving limits possible damage, as compromised systems cannot be used to reach and contaminate systems in other enclaves.”
For example, the systems where an employee checks their email and downloads attachments should not be connected to the systems that control a power plant. If they are separated, then if an employee accidentally downloads malware to their PC, it’s much more difficult for the malware to connect to other systems on the network.
Another example is if a third-party partner needs access to a company’s internal network, and the partner’s credentials are stolen (via spear phishing), network segmentation would prevent the attacker from hopping from a system the third party company has access to, to a restricted-access system, or a database containing confidential data. A lack of segmentation led to the notorious Target data breach, as described in our Top Ten Attacks post. An external HVAC company had access to Target’s systems to monitor energy consumption to help save on costs, but their employees’ access was not cordoned off from Target’s internal payment system. As a result, the attackers were able to install malware on Target’s point-of-sale system and steal millions of credit card numbers.
Many of the same guidelines that apply to power plants and retail giants like Target also apply to other enterprises who want to protect their confidential data, intellectual property and critical systems from intruders. Deciding who should have access to what is an age-old problem in computer security, but careful design can protect your assets without causing disruption to ordinary network communication.