The Case for Out-of-Band Key Delivery in Energy’s Critical Infrastructure Protection Plan

Securing critical infrastructure against cyber-attacks has come into sharp focus thanks to the Colonial Pipeline shutdown. While the attack appears to be financially motivated, it highlights how adversaries at home and abroad could seek to disrupt critical infrastructure for ideological or geo-political reasons.

The North American Electric Reliability Corporation Critical Infrastructure Protection Plan (NERC CIP) consists of several security standards designed to help electrical energy supply and delivery systems protect themselves from attacks, whether physical or electronic. It’s worth noting that the petroleum and natural gas industries have similar protection plans in place.

The CIP standards include areas such as personnel training, physical security, and supply chain risk management. But most of the CIP standards are focused on specific areas of cybersecurity to protect the Bulk Electric Systems (BES) from attack. For example, CIP-005-6 covers Electronic Security Perimeter(s) and the management of access to BES cyber systems. 

Due to the COVID-19 pandemic, many workers have moved to a full or partial remote work status, and the use of remote access solutions, e.g., VPNs, has grown significantly as a result. The compromise of outdated VPNs has been the genesis of many cyber-attacks, which apparently includes the Colonial Pipeline breach. While stolen access credentials are one point of compromise, another issue with remote access, or any encrypted network connection for that matter, is that the encryption keys used to create the encrypted tunnels that secure network traffic are sent on the same session as the data they protect. This means an attacker has just a single connection to monitor and compromise to gain access to the network and all of the secret information. This inherent vulnerability of legacy encryption is about to become a much bigger problem.

The rapid evolution of next-generation computing platforms will break network encryption as we know it. NIST is expediting the evaluation of algorithms to replace the vulnerable RSA and ECC PKI algorithms that currently negotiate symmetric encryption keys used to secure our digital universe. This means that in the not-so-distant future, organizations will need to be able to switch to new encryption technologies quickly without disrupting current business processes. This global cryptographic transition will be the largest in history and requires crypto agility and highly scalable solutions.

But changing algorithms that are built into commercial encryption solutions is a disruptive task and depends on the vendor’s ability to deliver on these changes. New algorithms may also come with an unacceptable performance or reliability cost. Historically, new algorithms have fallen prey to unanticipated implementation flaws and/or side-channel attacks resulting in data breaches. For these reasons, security vendors and end-users are hesitant to move forward. Arthur Herman of the Hudson Institute’s Quantum Alliance Initiative says, “complacency disguised as confidence” is no way to be. It puts our enterprises, digital economy, and national security at risk.

There is a way to add a simple overlay architecture that addresses these issues and extends your encryption infrastructure, and investment, into the future.

While the original sin of sending the key with the data was necessary back when communications networks consisted of point-to-point dedicated T1 lines, times have changed. Today every device can create sessions with diverse hosts, over disparate logical and/or physical networks. It makes sense that we try to use that network diversity to secure communications. 

For example, two-factor authentication secures network authentication by delivering a secondary credential out-of-band from the user identification and password. Deploying this same architecture, we can secure communications by sending a secondary key out-of-band from the first key and the data that is being protected. This effectively decouples key generation and delivery from data transmission thereby overcoming the inherent flaws and outdated architecture of legacy encryption. 

With this new out-of-band key delivery architecture, man-in-the-middle (MITM) attacks can no longer succeed, as there is no single point of attack. If an algorithm is compromised, the data is not exposed because the attacker has to obtain two sets of keys and determine how and when they were used. This is in stark contrast to the impact of a compromise in a one-key system. Another benefit is that with minimal effort, enterprises can build secure remote networks that behave as if they are running on-premises in the enterprise. 

A compelling energy use case for this architecture is to secure remote access to critical management networks. Since these networks access core BES cyber assets, they fall under several NERC CIP standards, including CIP-011-2 Information Protection and CIP-005-6 Electronic Security Perimeter(s). By invoking a secondary key that is tied to a managed VPN device, even if an attacker managed to steal an administrator’s credentials, they would not be able to log in, because the secondary key will only be delivered to the sanctioned VPN device.

If the attacker tries to act as a MITM by breaking the key-negotiation process, they will also fail because there are now two keys involved, and the context of how and when those keys were applied is known only to the sanctioned devices. This effectively reduces the attack surface – which is currently the length of the entire network – down to the sanctioned devices doing the encryption. The end result is as small an attack surface as you can have.
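To make the "two keys, one traffic key" idea concrete, here is an added example (not code from the original post or from Quantum Xchange's product) that derives a traffic key from an in-band negotiated key and a separately delivered out-of-band key using HKDF (RFC 5869, built from the standard library's hmac), then shows that a party holding only one of the two keys cannot verify or decrypt the traffic. The key values, device context string and the HKDF-keystream encrypt-then-MAC construction are constructed for the demonstration and stand in for a real AEAD cipher.

```python
import hashlib
import hmac
import os
from typing import Optional

HASH = hashlib.sha256
NONCE_LEN, TAG_LEN, KEY_LEN = 16, 32, 32


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract: PRK = HMAC(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand: T(i) = HMAC(PRK, T(i-1) | info | i)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def combine_keys(in_band_key: bytes, oob_key: bytes, device_context: bytes) -> bytes:
    """Traffic key depends on BOTH the key negotiated on the data channel and the key
    delivered out-of-band to the sanctioned device (used here as the HKDF salt), so an
    observer of the data channel alone cannot reproduce it. device_context is assumed."""
    prk = hkdf_extract(oob_key, in_band_key)
    return hkdf_expand(prk, b"oob-traffic-key|" + device_context, KEY_LEN)


def seal(traffic_key: bytes, plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Encrypt-then-MAC with an HKDF-derived keystream (demo construct, not a real AEAD)."""
    nonce = nonce or os.urandom(NONCE_LEN)
    enc_key = hkdf_expand(traffic_key, b"enc", KEY_LEN)
    mac_key = hkdf_expand(traffic_key, b"mac", KEY_LEN)
    keystream = hkdf_expand(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream))
    tag = hmac.new(mac_key, nonce + ciphertext, HASH).digest()
    return nonce + ciphertext + tag


def open_sealed(traffic_key: bytes, blob: bytes) -> Optional[bytes]:
    """Verify the tag before decrypting; a wrong traffic key or tampering yields None."""
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    mac_key = hkdf_expand(traffic_key, b"mac", KEY_LEN)
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ciphertext, HASH).digest()):
        return None
    enc_key = hkdf_expand(traffic_key, b"enc", KEY_LEN)
    keystream = hkdf_expand(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, keystream))
```

Binding the device context into the HKDF info string is what ties the derived key to a specific sanctioned device, so the same pair of keys presented from a different device context derives a different traffic key.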

By decoupling key generation and delivery from the data, several additional benefits are realized: 

  • Performance of the existing data delivery infrastructure is not impacted.
  • New algorithms or key-delivery technologies such as QKD can be rapidly integrated into the new architecture without impacting the production data delivery networks.
  • Keys can be generated from high-entropy sources such as QRNGs and delivered to low-entropy systems such as virtual appliances and IoT devices.
  • Large high-entropy keys can be delivered to endpoints that use them to generate one-time pads (OTP) via local pad-generating functions – avoiding the doubling of data volumes associated with OTPs.
  • Large, high-entropy keys can be delivered to endpoints that use them as seeds for single-use streaming ciphers, which are similar to OTPs but provide data integrity features absent with use of OTPs.

Cyber security threats are rapidly advancing and evolving. New technologies and new architectures will be required to combat these threats. Separating encryption keys from the data they protect is a foundational change that will reduce risk and support current and future key generation and key-delivery technologies in a crypto-agile manner.
