ISP private networks are getting a lot of play these days, and we know that they are certainly an option organizations may evaluate in considering network security vendors. To make a fair evaluation, it’s important to get a full understanding of what we’re talking about when we propose using an ISP as a cyber-security service.

The ISP private network offering is an outsourced mix of private APN, MPLS, network ACLs, VPNs, and firewalls, with varying levels of integration and service offerings around these technologies. The private APN is a wireless network segregation mechanism, similar to a VLAN or a WiFi SSID, and is used to allow the cell phone to bind a client to a particular network with specific properties and services; the private APN can also be tied into wired infrastructure with MPLS. Note that these segregation mechanisms do not natively provide integrity protection, confidentiality, authentication, or authorization. Additional segmentation mechanisms like Access Control Lists (ACLs) and VPN encryption can be layered within these APNs.

When I think of ISPs, I think of network connectivity as being just another utility, like power and water. However, I have four main cautionary reservations around these same ISPs providing cybersecurity services:
1. Risks and challenges of ISP lock-in
2. Benefits of an independent layer of security
3. Appropriate levels of visibility, auditing, governance, and change control
4. Standards-based solutions that are open and vetted

First, let’s discuss the ISP as a network utility. Tight integration with the utility looks good on some levels, but what about an event that forces you to change utilities? With power or water, hooking up to a new utility is easy: there are standards around electrical interconnects and plumbing. We have great standards around Layer 2 and 3 network communications. But when a complex and proprietary security architecture is tightly integrated into the core network layer, the switching costs (no pun intended) to a new ISP get very high. Also, any one ISP has only limited geographic coverage, and the integration boundary between providers (and indeed our own corporate networks) is complex, expensive, and slow to change. These realities lead to vendor lock-in, hidden costs, and long-tail risks. The need to drop in a new network can come at any time, particularly in disaster recovery scenarios, and we need an operational model that smoothly accommodates these dramatic changes.

Second, there are plenty of proof points to justify an independent layer of security sitting between critical infrastructure components and the critical network communications layers that connect them. Network components have patch and obsolescence issues just like industrial automation equipment. Weak link-layer encryption algorithms (2G GSM), rogue cell tower attacks, and recent breaches at the encryption layer of the mobile network all reinforce this point. More than ever, cyber-security is an ongoing process and must be positioned as a highly dynamic and flexible defense-in-depth approach to protect, detect, and respond in a virtuous cycle with both operations and the network.

My third point ties into the defense-in-depth model. A key aspect of implementing defense-in-depth is having a governance model that is appropriate for your organization. This is not a fixed line in the sand, but rather a continuum along which your organization will move back and forth. Without the appropriate visibility, use of ISP private networks will lead to gaps between the ISP and operations that are similar to the IT-OT divide that is present in many industrial enterprises today. For example, what does change management look like when the asset owner needs an ACL change to allow the SCADA system to poll data from a new pump station? Do you submit change requests to the ISP, including revocation? Can you do this on your own? Where is the audit trail? How about troubleshooting and having the appropriate level of role-based visibility and control into the connectivity and security configuration?

Finally, when considering the technologies we deploy to strengthen the operational integrity and availability of our critical infrastructure, we must avoid security through obscurity. Rather, we should discuss architecture models, protocols, and implementation standards in open forums so they can be vetted, solve real problems, and evolve as necessary. These standards exist, but is the ISP using them for security? Unfortunately, the answer is no; otherwise, you could mix private APNs from multiple providers out of the box. This is a great topic for discussion, and with the ongoing escalation in the threat environment, its importance is recognized from the shop floor to the top floor. Tempered Networks is committed to bringing the conversation to the forefront. Along with Polk County Utilities (Florida), we will be presenting a peer-reviewed, accepted paper to discuss this very topic at the ISA Water / Wastewater symposium in August 2015.

Wednesday, March 4, 2015 By David Mattes