Secure Software Update Service (SSUS ) White Paper

Transcription

1 White Paper Secure Software Update Service (SSUS ) White Paper Author: Document Version: r03c Jeffrey Menoher Publish Date: 9/6/2013 Secure. Reliable. Fast Problem Many software updates, including operating system patches and antivirus signature update files, are obtained from trusted enclaves that are accessible across the Internet. When software must be updated on platforms that are isolated, a security problem arises because isolated Industrial Control System (ICS) networks cannot be connected to the Internet; the risk of cyber attack is too great. The problem is how to get the software update onto the isolated ICS network without incurring an unacceptable risk of cyber attack. Solution This paper describes the Secure Software Update Service (SSUS ), a software product that provides a controlled file transfer interface that restricts passage to one of three paths: 1) a predetermined set of white list files, which are verified by hash number; 2) scanning by one or more anti-malware scanning engines; or 3) both anti-malware scanning and white list verification. SSUS file transfer is machine-to-machine, eliminating vulnerabilities associated with manual transfer of portable media ( walk-net ). SSUS is specifically designed to satisfy data filter security requirements for transferring software updates across cyber-domain perimeters, and specifically addresses the security requirement for transferring approved executable software application files into isolated ICS networks. Software updates include operating system patches, antivirus signature updates, and other executable files that are particularly difficult to filter. SSUS may be implemented as a standalone software application or as an appliance integrated with DualDiode one-way data transfer technology. Keywords SSUS, DualDiode, OwlCTI, software update, OS patch, data filter, white list, manifest 38A Grove Street Suite 101 Ridgefield, CT Toll Free: P: F:

2 Table of Contents 1 Introduction The Problem The Isolated Platform Update Problem The Antivirus Update Catch-22 Problem Business Requirement The Virtues of White Lists Hash Number Authentication Secure Software Update Service SSUS Functions and Feature Summary SSUS Administration SSUS Architecture Creation of the White-List Manifest Table DualDiode Technology DualDiode Hardware SSUS Integration with Owl Hardware Summary Table of Figures Figure 1: Isolation of ICS Cyber Asset Computer Platforms... 2 Figure 2: Secure Update Transfer Gateway Concept... 3 Figure 3: Hash Number Verification Paradigm... 4 Figure 4: SSUS Concept... 5 Figure 5: SSUS Architecture Diagram... 7 Figure 6: DualDiode Card Installation... 9 Figure 7: Small Form Factor DualDiode and Server Package... 9 Figure 8: SSUS Integrated with OPDS White-Paper_SSUS_r02g.docx Page ii

3 1 Introduction This white paper identifies a software update business requirement and problem of transferring software updates and virus signature updates into a sensitive or secure network environment, and indicates how the Secure Software Update Service (SSUS) product from OwlCTI solves the problem. In addition to moving software update files, SSUS is also capable of securely moving general-purpose files. SSUS comprises a file transfer system integrated with a hash verification system that can compare the hash numbers of incoming files with a white list of hash numbers that have been pre-approved. SSUS can also submit incoming files to one or more anti-virus scan engines. SSUS is designed to integrate cleanly with existing corporate software update processes. SSUS is easy to install in existing network architectures and is easy to use. SSUS specifically addresses the security requirement for transferring approved executable software application files into isolated ICS networks. Approved executable software application files include operating system patches and anti-malware signature files that must be updated on a regular basis without introducing vulnerabilities associated with walk-net. 1.1 The Problem Protection of data from undesired and unauthorized data disclosure, interception, or alteration has been a perennial concern in the field of network security. For example, firewall and antimalware software have been developed to address security concerns for computers and networks connected to the internet and to protect them from possible cyber attacks. Despite great progress in firewall technology and malware detection methods, these solutions still suffer from a number of vulnerabilities. These vulnerabilities may be exploited through the network, or by malicious or subverted human operators; the so called insider threat problem. Software applications and operating systems, whether for direct use on a computer or embedded in other devices, often need to be installed before initial use and updated periodically during the lifetime of such computer or device. This is also true for firmware, whether running on a general-purpose computer or embedded in a special-purpose device or system. Examples of software/firmware updates include new versions (software releases) to add features, fix known problems, or support the connection and use of additional hardware or software components and subsystems. Many software updates, including operating system patches and antivirus signature update files, are obtained from trusted enclaves that are accessible across the internet. When software must be updated on platforms that are isolated, a security problem arises because isolated ICS networks cannot be connected to the internet; the risk of cyber attack is too great. The problem is how to get the software update onto the isolated ICS network without incurring an unacceptable risk of cyber attack. It is increasingly popular for software sources to publish software updates on internet servers for retrieval by end users who wish to update their platforms. However, regulatory and/or security requirements may forbid the network updating and/or the introduction of physical media into a facility where the systems requiring the install payload are located because of the sensitive or critical nature of such facility. ICS networks associated with electrical power, oil pipelines, and other Critical Infrastructures are good examples of sensitive networks that must remain isolated from the internet or other networks. White-Paper_SSUS_r02g.docx Page 1 of 10

4 1.1.1 The Isolated Platform Update Problem The following diagram, Figure 1, shows an isolated ICS network and a corporate administration network that are isolated from one another. Though secure from the perspective of denying unauthorized network access, this approach results in other operational inefficiencies and difficulties, such as severely inhibiting the flow of necessary information from the applications or devices attached to the isolated network and complicating the software update and maintenance of the applications and devices on the protected network and its computers. Figure 1: Isolation of ICS Cyber Asset Computer Platforms When an online-based approach is used in enterprise settings for software updates, it is common for payloads to be first moved from the source manufacturer or developer onto a staging server where they reside awaiting verification, testing, and installation. Administrators retrieve the payloads, or automatic routines operate to proactively provision the updates, and deliver them to other devices connected to the server s network. This network-connected automatic updating is allowed by some security policies. Alternatively, systems administration personnel access the staging server, or the manufacturer or developer source, to retrieve installation payloads on various media (CD, USB, laptop, or other portable media). This manual process is a common method allowed under company security policies. This manual carriage of portable storage media across network boundaries is popularly referred to a "walk-net". In practice, software update files are often written to portable media such as USB drives and DVDs. While the ICS network remains isolated by "air gap" using this method, the ICS network is still vulnerable to a variety of cyber attack threats that may be carried by portable media. The Stuxnet worm is a prime example of such a threat The Antivirus Update Catch-22 Problem In order to protect isolated ICS networks, a frequently-encountered security requirement states that all incoming files must be scanned with anti-virus software. There are two problems with this security requirement: 1. Anti-virus software applications have a poor track record of protecting against malicious software that has not yet been identified as such. These attacks are popularly called "zero day" attacks. Again, Stuxnet provides a useful example of a successful zero-day attack. While Stuxnet contained some code fragments from previously-identified malware, it was not detectable as malware in its most-recently-evolved form. 2. Anti-virus software applications typically block their own anti-virus signature update files, which are executable and contain virus code fragments. This creates a "Catch-22" problem White-Paper_SSUS_r02g.docx Page 2 of 10

5 for anti-virus software maintenance, and a problem maintaining security standards on isolated ICS networks. Similar problems exist for operating system patches, which are also executable, which have been known to introduce bugs as well as bug fixes, and are often blocked by perimeter access systems that enforce a non-executable-files-only security policy. 1.2 Business Requirement Let us assume that the organization that owns the ICS network also has a corporate network connected to the internet and an internal approval authority empowered to approve updates to platforms on the ICS network, as shown below in Figure 2. While read/write media may be used to deliver software updates into isolated platforms on the ICS network, this method is prone to a variety of human errors. It is far more desirable to create a trusted automated transfer method to convey software updates in the form of files while maintaining robust isolation of sensitive networks. A better method is to provide an independent authorization method that imposes a "two person" authentication process. The authorization/authentication method may be implemented using hash numbers as described below and may be supplemented with anti-virus scanning. Figure 2: Secure Update Transfer Gateway Concept 2 The Virtues of White Lists Let us assume that the source of a software update is, in fact, a trusted entity. Examples of trusted entities include security companies, such as McAfee and Symantec, and software companies that issue application updates and OS patches, such as Microsoft and Apple. If the source is trusted, then the update file may be considered pristine at its source. Furthermore, a unique authentication (hash) key may be created for the file by the source or another trusted entity. White-Paper_SSUS_r02g.docx Page 3 of 10

6 These assumptions imply that a specific list of approved files could be created for transfer into the ICS network. Such a list is usually referred to as a "white list". If a file can be verified or authenticated as a white list entry, then further security scanning such as anti-virus scanning may not be required. From these assumptions, the following transfer scenarios may be considered safe: The file passes from the trusted source to the ICS network via a trusted path that is not subject to malicious or inadvertent tampering (not as easy as it sounds). The file passes from the trusted source to a controlled-access gateway on the ICS network via an untrusted path, but is tested against an authentication (hash) key and/or scanned for viruses and malware before transfer into the ICS network. 2.1 Hash Number Authentication The following algorithm uses hash numbers to verify the integrity of a file transported across an untrusted path. It is shown below in Figure 3. This algorithm is routinely used to validate software updates downloaded from the internet. Figure 3: Hash Number Verification Paradigm Note that the reference hash numbers may be produced by the software update source organization, or by an independent (trusted) Quality Assurance testing organization. 3 Secure Software Update Service This paper describes the Owl Secure Software Update Service (SSUS), a software product that provides a controlled file transfer method that restricts transfer to a predetermined set of "white-list" files, with or without anti-virus scanning. The SSUS software filtering solution enables a secure one-way transfer of files into highly-secure ICS networks. Software updates include operating system patches and anti-virus signature updates. SSUS also permits transfer of data files (non-executables). SSUS may be implemented as a standalone software application or as an appliance integrated with DualDiode one-way data transfer technology. SSUS permits files to pass through only if White-Paper_SSUS_r02g.docx Page 4 of 10

7 they are listed on a "white list" or "manifest" of approved files that includes verifiable hash numbers, or if they pass the selected anti-virus scans, or both. This paper explains how SSUS can help maintain a resilient, current cyber-defense infrastructure while maintaining robust isolation of ICS networks in Critical Infrastructures. With Owl s SSUS, an executable or data file can be individually validated against a manifest (or white list) consisting of pre-configured hash numbers, or signatures, held within the platform. These hash numbers are provided by the file originator and certify the file s integrity. Files which produce a hash number matching an entry in the manifest are considered valid and are transferred across the DualDiode one-way link. Those files with no manifest match are denied transfer and are quarantined or deleted by the SSUS software. In addition to providing the standard anti-malware option for file validation, SSUS enables the reliable and auditable transfer of software patches and executable files, such as anti-malware signature updates, which are otherwise blocked by the most-frequently-used anti-malware filtering techniques. The SSUS is flexible, supporting multiple options for transferring a file across the security perimeter into a secure ICS network. The SSUS concept is shown below in Figure 4. Figure 4: SSUS Concept 3.1 SSUS Functions and Feature Summary SSUS is a robust, highly-scalable solution that cost-effectively addresses the need to thoroughly screen files for malware prior to transferring them across an electronic security perimeter. Owl s patented DualDiode technology enforces the electronic security perimeter, and our perimeter defense platform also serves as a central facility for file scanning. Owl s architectural White-Paper_SSUS_r02g.docx Page 5 of 10

8 approach is designed to reduce operational cost and maintenance time by deploying a centralized scan engine resource that can support hundreds of geographically-dispersed users. AV scan or manifest signature updates are applied instantly and uniformly to all users regardless of their location. The following is a summary of key features of Owl s SSUS solution: SSUS is a highly-scalable solution, deployable with any Owl platform, such as OPDS-100, OPDS-MP, and server-based EPDS solutions, or as a standalone package that can be added to an existing system. SSUS can be configured to support up to three unique scan paths: an AV scan path, a manifest path, and a combined AV scan and manifest scan path. The system can support multiple AV scan engines and allows the Security Administrator to add, delete, and update AV scan engines. SSUS supports a manifest file which can be updated by the Security Administrator. The manifest file stores the hash keys for files that are allowed to be transferred to the highsecurity domain. SSUS supports three roles: User, System Administrator, and Security Administrator. o o o The User role is allowed to log into the system and select and upload files to be scanned and transferred across the DualDiode to the higher-security domain. The System Administrator role is responsible for configuring system parameters and monitoring usage, along with adding and deleting users. The Security Administrator role sets system security parameters and monitors system logs and usage activity. The Security Administrator also has access to all files transferred through the system. SSUS can be integrated into an existing active directory. The System Administrator function has the ability to define system access privilege on a per-user basis. SSUS can be optioned with the Owl Performance Management Service (OPMS) to enhance Administrator notification of malware detection or other alert conditions. 3.2 SSUS Administration SSUS is administered according to Role Based Access Control (RBAC) that enforces separation of duties and access restrictions according to administration role type. The system supports three roles: a User role, a System Administrator role, and a Security Administrator role: From the source network, the User role is granted permission to access the system for the purpose of uploading files to be scanned. On the destination network, the User is allowed to copy scanned files that have been transferred across the electronic security perimeter to removable media. The System Administrator role configures system operation and can monitor system status. This role has the ability to add or delete users, set system configuration parameters, and view system logs. The Security Administrator role can restrict file scans and transfers to specific file classes by creating a white list of file classes. All other files types will be quarantined. In addition, the Security Administrator is able to view system status and system logs, view user activity, and access all files transferred across the security boundary by any user. White-Paper_SSUS_r02g.docx Page 6 of 10

9 3.3 SSUS Architecture Figure 5: SSUS Architecture Diagram Referring to Figure 5 above, there are three possible paths through the SSUS system: The first option allows users to transfer files only after they have gone through successful examination by one or more anti-malware engines. SSUS allows a Security Administrator to update AV scan signatures available for the anti-malware engines, ensuring protection against the latest known threats. Future capability will be to support automatic updates. A second option is based on white list filtering of files, ensuring that only previouslyapproved files or file classes are transferred across the security perimeter. This option or data path involves the calculation of a file hash (signature) for each file the user intends to transfer. The file s hash must match a corresponding hash in the manifest or the file will be blocked from transferring. If no match is found, the incident will be logged and the file will be quarantined or deleted. The manifest file is managed by a trusted administrator, ensuring tight control over which files are transferred. Strict RBAC on SSUS ensures that only authorized administrators can manipulate the manifest contents. The third option leverages the security benefits of both options by first scanning the file with the latest anti-malware examination and then checking if the file s hash matches a hash in the manifest. White-Paper_SSUS_r02g.docx Page 7 of 10

10 Additional security is enforced by Owl s Remote File Transfer Service (RFTS), which manages all file transfers as well as manifest updates within SSUS. Hash signatures are placed in the manifest by RFTS via a dedicated TCP port. Files sent by a properly-authenticated user and destined for the secure ICS network are moved to SSUS by RFTS. Once the files are transferred across the DualDiode one-way link, Owl RFTS or other file transfer protocols (such as FTP) may be used to transport the files to their destination on the secure ICS network. This example uses Owl s Secure Network Transfer System (SNTS) to move the files across the DualDiode. 3.4 Creation of the White-List Manifest Table The customer creates an Owl file manifest table: The customer defines the files that are allowed to be transferred. The file manifest table is sent to the Owl Send Server using RFTS. The file manifest table is stored on the Owl Send Server. The file manifest table supports the following hash values: MD5-SHA160 SHA224-SHA256 SHA384-SHA512 Example: File Name ( v5i32.exe) Hash Value (5B0E88F4E5F8CEAC5D1E485430EC6C2B) Source ( 4 DualDiode Technology Among other advantages, one-way data transfers deny the possibility of network probing for vulnerability, a prelude for cyber attacks. When one-way data transfer security policy is rendered in hardware, it is physically impossible to send messages of any kind in the reverse direction. Physical one-way links cannot be hacked with software and are used by the US Department of Defense (DoD) and Intelligence Community (IC) for isolating their high-security networks. Hardware-enforced data diodes are considered the most secure. The US National Institute of Standards and Technology (NIST) provides a specific security control (AC-4.7) that describes hardware-enforced, one-way information flow control as a threat-mitigation method. 4.1 DualDiode Hardware DualDiode hardware comprises a pair of one-way communication cards that are specifically engineered to transfer data in one direction only. The Send-Only card is installed in the Send Host Server platform and the Receive-Only card is installed in the Receive Host Server platform as shown below in Figure 6. The two cards (and the two platforms) communicate through a single optical fiber that connects the communication cards. White-Paper_SSUS_r02g.docx Page 8 of 10

11 Figure 6: DualDiode Card Installation Once cards are installed in their respective host servers, the servers operate as Send and Receive communication gateways for their respective networks. Send and Receive gateway platforms may be packaged in a single 1U rack-mount enclosure as shown below in Figure 7. Figure 7: Small Form Factor DualDiode and Server Package Note that the DualDiode system comprises a hardware pipeline architecture that contains two diodes and a clear network boundary located between the diodes. Should one diode fail, the other will be unable to pass any kind of data, including malicious data; the connected networks remain isolated. DualDiode transfer systems do not lose data, and no forward error correction methods are required. Multiple levels of data integrity checking, along with inherently-high quality of service of underlying ATM technology, enable the DualDiode to move terabyte-size files consistently and without error and to move large numbers of very small files efficiently. 4.2 SSUS Integration with Owl Hardware SSUS may stand alone as a software application or may be integrated into Owl hardware platforms equipped with DualDiode technology to provide robust isolation for the ICS network. A representation of SSUS integrated with an Owl Perimeter Defense Solution (OPDS) is shown below in Figure 8. A sample SSUS system comprises the following components: An OPDS DualDiode hardware platform RFTS software application modules SNTS software application modules SSUS software application module White-Paper_SSUS_r02g.docx Page 9 of 10

12 5 Summary Figure 8: SSUS Integrated with OPDS This paper describes the Secure Software Update Service (SSUS), a software product that provides a controlled file transfer interface that restricts passage of executable software to a predetermined set of "white list" files. These files are verified by hash number. Files may also be subjected only to scanning by one or more anti-virus scan engines, and a path may be chosen that includes both anti-virus scans and hash number verification. SSUS file transfer is machine-to-machine, eliminating vulnerabilities associated with manual transfer of portable media ("walk-net"). SSUS is specifically designed to satisfy data filter security requirements for transferring software updates across cyber-domain perimeters, and specifically addresses the security requirement for transferring approved executable software application files into isolated Industrial Control System (ICS) networks. Software updates include operating system patches, anti-virus signature updates, and other executable files that are particularly difficult to filter. SSUS may be implemented as a standalone software application or as an appliance integrated with DualDiode one-way data transfer technology. E N D O F D O C U M E N T White-Paper_SSUS_r02g.docx Page 10 of 10