Enhancing Industrial Network Security: Utilising TLS 1.3 and the Roles of Solutions such as Tenable OT Security and Cogent DataHub

Industrial Control Systems (ICS) play a pivotal role in modern manufacturing and critical infrastructure, controlling processes and ensuring operational efficiency. With the increasing interconnectivity of these systems, ensuring robust cybersecurity has become paramount.

When considering Transport Layer Security (TLS) 1.2 versus TLS 1.3 for network monitoring in industrial networks, there are specific factors to take into account, given the unique requirements and constraints of industrial environments. Industrial networks often involve critical infrastructure and sensitive data, so the choice of TLS version can impact security, compatibility, and monitoring capabilities.

What is TLS anyway?

Transport Layer Security, or TLS, is a widely adopted security protocol designed to facilitate privacy and data security for communications over the Internet. A primary use case of TLS is encrypting the communication between web applications and servers. TLS can also be used to encrypt other communications such as email, messaging, and voice over IP (VoIP).

TLS was proposed by the Internet Engineering Task Force (IETF), an international standards organisation, and the first version of the protocol was published in 1999. The most recent version is TLS 1.3, which was published in 2018.

A TLS connection is initiated using a sequence known as the TLS handshake. When a user navigates to a website that uses TLS, the TLS handshake begins between the user's device (also known as the client device) and the server.

During the TLS handshake, the user's device and the server:

  • Specify which version of TLS (TLS 1.0, 1.2, 1.3, etc.) they will use
  • Decide on which cipher suites they will use
  • Authenticate the identity of the server using the server's TLS certificate
  • Generate session keys for encrypting messages between them after the handshake is complete

The TLS handshake establishes a cipher suite for each communication session. The cipher suite is a set of algorithms that specifies details such as which shared encryption keys, or session keys, will be used for that particular session.

TLS can set the matching session keys over an unencrypted channel thanks to a technology known as public key cryptography.

TLS 1.2

TLS 1.2 has widespread support and has been in use since 2008, so many industrial systems and devices may have been designed for compatibility with this version. Network monitoring tools and security appliances are likely to support TLS 1.2. All TLS versions were further refined in RFC 6176 (March 2011), which removed their backward compatibility with SSL so that TLS sessions never negotiate Secure Sockets Layer (SSL) version 2.0. There is currently no formal date for the deprecation of TLS 1.2.

Industrial environments often have legacy equipment that might not support newer TLS versions. TLS 1.2 provides a balance between security and compatibility, allowing communication with a broader range of devices.

Some cipher suites supported by TLS 1.2 may have known vulnerabilities. System engineers need to carefully manage the cipher suite configurations to ensure the security of communications.
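As an added illustration of the cipher-suite management the paragraph above calls for (example code, not from the page or from any vendor), the Python `ssl` module is used here to build a server context that refuses anything below TLS 1.2 and to audit which suites it would still offer. Both cipher strings are constructed for the demonstration: the first is the kind of permissive setting often found on legacy gateways, the second keeps only forward-secret AEAD suites.

```python
import ssl

# Constructed cipher strings for the demonstration (not taken from any product):
# a permissive setting beside a hardened one that keeps only ECDHE + AEAD suites.
PERMISSIVE_CIPHERS = "ALL:!aNULL:!eNULL"
HARDENED_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES:!DES:!EXPORT"

# Substrings of OpenSSL cipher names that indicate algorithms with known weaknesses.
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT", "ADH", "AECDH")


def build_server_context(cipher_string, minimum=ssl.TLSVersion.TLSv1_2):
    """Builds a server-side context that refuses anything below TLS 1.2 and offers
    only the TLS 1.2 suites selected by cipher_string. TLS 1.3 suites are configured
    separately by OpenSSL and always use an ephemeral key exchange."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = minimum
    ctx.set_ciphers(cipher_string)
    return ctx


def audit_ciphers(ctx):
    """Returns (offered, flagged): every suite the context would negotiate and the
    subset a reviewer should question, i.e. suites using a weak algorithm or lacking
    an ephemeral (DHE/ECDHE) key exchange, which TLS 1.2 permits but TLS 1.3 forbids."""
    offered = [c["name"] for c in ctx.get_ciphers()]
    flagged = [
        n for n in offered
        if any(m in n for m in WEAK_MARKERS)
        or ("DHE" not in n and not n.startswith("TLS_"))  # TLS 1.3 names start with TLS_
    ]
    return offered, flagged


if __name__ == "__main__":
    for label, spec in (("permissive", PERMISSIVE_CIPHERS), ("hardened", HARDENED_CIPHERS)):
        offered, flagged = audit_ciphers(build_server_context(spec))
        print(f"{label}: {len(offered)} suites offered, {len(flagged)} flagged: {flagged}")
```

The exact lists depend on the OpenSSL build behind the interpreter, which is itself a useful reminder that the cipher policy must be verified on the device that runs it, not assumed from a configuration file.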

TLS 1.3

TLS 1.3 is designed with a focus on security, removing older and insecure cryptographic algorithms. It mandates Perfect Forward Secrecy (PFS), which is beneficial for protecting communications even if long-term secret keys are compromised.

The streamlined handshake process in TLS 1.3 can lead to lower latency, which can be important in industrial networks where real-time communication is critical. Some older industrial devices or systems may not support TLS 1.3. Upgrading or replacing these devices may be necessary to fully adopt TLS 1.3 and should be considered when looking at obsolescence and new asset acquisitions.

The improved security features, especially the encryption of the handshake process, can make it more difficult to monitor and inspect encrypted traffic in industrial networks.

Why Should We Consider TLS 1.3 for Industrial Networks?

Improved Security: TLS 1.3 provides stronger encryption algorithms, reducing the risk of data breaches and unauthorised access. Its enhanced security features protect sensitive information exchanged between devices within an Industrial Control System (ICS).

Reduced Latency: TLS 1.3 is designed to minimise handshake times, resulting in lower latency. In industrial settings, where real-time communication is essential, this reduction in latency contributes to improved system performance.

Forward Secrecy: TLS 1.3 introduces Perfect Forward Secrecy, ensuring that even if a long-term secret key is compromised, past communications remain secure. This is particularly beneficial in ICS, where long-term integrity is critical.

Considerations When Using TLS 1.3 in Industrial Networks

Compatibility Challenges: Implementing TLS 1.3 may pose compatibility challenges with legacy systems and devices that only support earlier versions of the protocol. This can result in integration difficulties and potential operational disruptions.

Resource Intensiveness: The increased security features of TLS 1.3 may require more computational resources, impacting the performance of resource-constrained devices commonly found in industrial environments.

Network Monitoring Challenges Within ICS

While the adoption of TLS 1.3 enhances the security of industrial networks, it creates challenges in terms of network monitoring. Traditional monitoring tools may struggle to inspect encrypted traffic, limiting the visibility into potential threats and vulnerabilities.

Blind Spots: Encrypted traffic acts as a blind spot for most monitoring solutions, preventing the detection of malicious activities within the encrypted communication channels. This is not limited solely to TLS 1.3: data flows that are currently encrypted with older versions of TLS present the same problem. Changes to the standard now mean that there is no longer easy access to monitor communications with the man-in-the-middle techniques that could be used with TLS 1.2.

TLS 1.3 also removes the ability to perform detailed passive inspection, again making it tougher to spot malicious traffic and defend against attacks hidden in that encrypted traffic.

The performance boost TLS 1.3 offers is a welcome upgrade; however, it comes at the expense of detailed monitoring. If confidentiality and integrity are your key drivers, then this is less of an issue.

Limited Threat Intelligence: Without the ability to inspect encrypted traffic, network monitoring tools may fail to provide accurate threat intelligence, hampering the ability to respond promptly to potential cyber threats. This is why additional steps are required to gather additional situational awareness of assets and encrypted data flows.
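The handshake description earlier on the page and the monitoring discussion above both come down to what a passive sensor can still read from the one message that TLS 1.3 sends in the clear, the ClientHello. The following Python example, added here and not taken from the page, Tenable or any vendor, builds a constructed ClientHello and extracts the target name (SNI), the offered versions and the offered cipher suites; the hostnames and suite lists are sample values.

```python
import struct

VERSION_NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
CIPHER_NAMES = {0x1301: "TLS_AES_128_GCM_SHA256", 0x1303: "TLS_CHACHA20_POLY1305_SHA256",
                0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", 0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA"}

def build_client_hello(sni, versions, suites):
    """Constructs a minimal ClientHello record (sample data for the demo, not a real capture)."""
    name = sni.encode()
    sni_ext = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    exts = struct.pack("!HH", 0, len(sni_ext)) + sni_ext              # extension type 0: server_name
    if versions:                                                     # type 43: supported_versions
        vers = b"".join(struct.pack("!H", v) for v in versions)
        exts += struct.pack("!HHB", 43, len(vers) + 1, len(vers)) + vers
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (struct.pack("!H", 0x0303) + bytes(32)                    # legacy_version, random (zeroed)
            + b"\x00"                                                 # empty legacy_session_id
            + struct.pack("!H", len(suite_bytes)) + suite_bytes
            + b"\x01\x00"                                             # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # handshake type 1: client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_client_hello(record):
    """Extracts what a passive sensor can still read from a ClientHello: SNI, offered versions
    and offered suites. In TLS 1.3 everything after this message is encrypted."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    pos = 9 + 2 + 32                                   # record + handshake headers, legacy_version, random
    pos += 1 + record[pos]                             # skip legacy_session_id
    n = struct.unpack_from("!H", record, pos)[0]
    pos += 2
    suites = [struct.unpack_from("!H", record, pos + i)[0] for i in range(0, n, 2)]
    pos += n
    pos += 1 + record[pos]                             # skip compression methods
    ext_end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
    pos += 2
    sni, versions = None, []
    while pos < ext_end:
        etype, elen = struct.unpack_from("!HH", record, pos)
        data, pos = record[pos + 4:pos + 4 + elen], pos + 4 + elen
        if etype == 0:                                 # server_name: list_len(2) type(1) len(2) name
            sni = data[5:5 + struct.unpack_from("!H", data, 3)[0]].decode()
        elif etype == 43:                              # supported_versions: len(1) then 2-byte versions
            versions = [struct.unpack_from("!H", data, i)[0] for i in range(1, 1 + data[0], 2)]
    if not versions:                                   # pre-1.3 client: legacy_version is the offer
        versions = [struct.unpack_from("!H", record, 9)[0]]
    return {"sni": sni, "versions": [VERSION_NAMES.get(v, hex(v)) for v in versions],
            "cipher_suites": [CIPHER_NAMES.get(s, hex(s)) for s in suites]}
```

A monitor that keys on these fields can still baseline which clients talk to which servers and alert when a client suddenly offers legacy versions or unexpected suites, even though the server certificate and the negotiated suite are no longer visible in TLS 1.3.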

Tenable OT Security

Tenable OT Security is a solution designed specifically for Operational Technology (OT) environments, providing comprehensive visibility and security monitoring. It offers features that help address the challenges posed by the adoption of TLS 1.3 in ICS. Tenable OT employs deep packet inspection techniques to analyse network traffic data flows for OT and IT protocols, allowing the detection of anomalies and potential threats.

Asset Discovery and Vulnerability Management: Tenable OT excels in asset discovery, helping organisations maintain an updated inventory of devices within their ICS environment. It also provides vulnerability management to identify and remediate potential security weaknesses.

Integration with Threat Intelligence Feeds: Tenable OT integrates with threat intelligence feeds, enhancing its ability to detect and respond to emerging threats. This feature is crucial for staying ahead of evolving cybersecurity risks.

Considerations When Using Tenable OT Security

Tenable OT Security is an industrial security solution for the modern industrial enterprise. It can help identify assets in the OT environment, communicate risk, prioritise action and enable your IT and OT security teams to work better together.

With a comprehensive set of security tools and reports, Tenable OT Security provides unmatched visibility across IT and OT security operations and delivers deep situational awareness across assets from Windows servers to PLC backplanes, all in a single interface.

Understanding your assets, their inherent risks, vulnerabilities and communication paths is essential to establishing a security baseline. If you cannot inspect the traffic because it is encrypted, you are missing some parts of the security puzzle; however, you still know who is talking to whom and can be alerted if this baseline changes from the operational norm.

Implementing Tenable OT Security does require investment in time and resources. There is no point in deploying a monitoring solution if the data collected is not actioned; it just becomes another OT nightmare to manage and monitor. OT networks are deterministic, so once the ‘pattern of life’ is established on your plant, the only alerts that you’ll see will be events that you will want to validate.

The complexity of deployment may pose challenges for organisations, depending on the network architecture and the level of visibility required. We often see customers looking for 100% visibility when in fact this is not required to establish a strong security baseline.

Where we cannot hear conversations, we simply query using the correct OT language, in the same way an engineering workstation would, asking questions such as "who are you?" and "how are you doing?".

Protecting Industrial Protocols

In addition to network monitoring, safeguarding industrial protocols, such as Modbus or OPC, is essential. Solutions such as Cogent DataHub and the use of OPC UA help address these issues.

Tunnellers provide easy-to-configure, secure, and robust networking for data protocols that are difficult to connect or that rely on insecure architectures. Cogent DataHub Tunnellers go beyond the basics, letting you integrate your data without exposing your networks.

Protocol Interoperability: Cogent DataHub facilitates protocol interoperability, allowing different devices and systems to communicate seamlessly. This reduces the reliance on insecure protocols and enhances overall system security.

Reliable networking of OPC servers/clients without DCOM

Do you need to collect OPC data from multiple remote locations, or connect to OPC DA servers on a different network?

Now you can, easily and securely, without the hassles of DCOM, using the DataHub DA Tunneller.

What it does

  • Connects OPC Classic DA servers and DA clients over a network
  • Eliminates DCOM problems
  • More robust and secure than DCOM
Benefits

  • Eliminates VPNs
  • Eliminates inbound firewall ports into operations networks
  • Quickly reconnects after network failures
  • Multiple connections can share one tunnel to reduce network loads
Secure Data Sharing: DataHub supports secure data sharing between various industrial applications, ensuring that critical information is exchanged without compromising the integrity and confidentiality of the communication.

OPC UA

OPC UA (Unified Architecture) is designed with security in mind, incorporating features such as TLS encryption and authentication. This makes it a robust choice for securing communication in ICS environments.

The DataHub UA Tunneller provides reliable networking and seamless integration for OPC UA and OPC DA (Classic) servers and clients. With a single tool you can avoid the hassles of DCOM, protect your OPC DA investment, and make a smooth transition to the IIoT and Industrie 4.0.

With DataHub tunnelling you get support for HTTP CONNECT and basic proxy authentication, so IT no longer needs to change their security policies to fit OT requirements.

What it does

  • Connects OPC UA systems to OPC DA (Classic) systems, locally or over a network
  • Enables OPC DA clients to read from OPC UA servers
  • Enables OPC UA clients to read from OPC DA servers

Benefits

  • Eliminates VPNs
  • Eliminates inbound firewall ports into operations networks
  • Maintains the OPC UA data model, while other gateways flatten it
  • Multiple connections can share one tunnel to reduce network loads

OPC UA offers reliability and scalability, essential for large-scale industrial systems. Its standardised approach ensures consistent security measures across different devices and platforms.

Conclusion

For industrial networks, the choice between TLS 1.2 and TLS 1.3 involves a trade-off between compatibility and enhanced security. If compatibility with legacy systems is crucial, TLS 1.2 might be a more practical choice. However, if the network can accommodate the necessary updates and the focus is on maximising security, TLS 1.3 is a strong candidate.

Ultimately, the decision should be based on a thorough risk assessment and consideration of the specific requirements of the industrial environment.

The adoption of TLS 1.3 in industrial control systems represents a significant step forward in securing communication channels. However, the challenges it presents in terms of network monitoring necessitate the implementation of specialised solutions like Tenable OT Security.

This, coupled with the use of products such as Cogent DataHub and OPC UA, provides a comprehensive approach to securing critical OT protocols.

At SolutionsPT we survey the ever-changing security landscape and provide guidance on approaches that make a marked difference to your security posture. In an era where cyber threats continue to evolve, a multi-layered approach to cybersecurity is paramount. By combining the strengths of TLS 1.3, Tenable OT, Cogent DataHub, and the adoption of OPC UA, industrial organisations can fortify their defences, ensuring the resilience and integrity of their control systems in the face of emerging cyber risks.