The recent news of 5,800 fuel tank monitoring systems being hacked, commonly known as Automated Tank Gauges (ATGs), has highlighted the risks that remotely managed devices pose to corporate network security. ATGs are a classic example: they are used at most of the nation’s convenience stores to manage fuel inventories and protect against spills, and they have also proven to be convenient entry points into corporate networks.
While the announced breaches of ATGs largely affect the petroleum retail industry, it is a sentinel indicator of the risks that internet-connected devices bring to overall security efforts. The good news is that these risks are largely dependent upon the method of remote system connection.
The breached ATGs were connected to the internet for remote monitoring of fuel inventories and to report fuel leakage for EPA compliance. The breached systems used assigned public IP addresses to allow gauge access by a third-party monitoring company or the C-store corporate compliance group. In many cases the public IP addresses were not secured with firewalls, although many were. Given that 88% of network perimeter breaches are accomplished using remote access vulnerabilities (2014 Verizon Data Breach Study), this was not unexpected. Even where the public IP addresses sat behind firewall controls, opening firewall holes is necessary to enable remote access to the system. Adding inbound and outbound access control policies around these firewall openings is complex, and the policies are often implemented incorrectly. At some point, a random hacker or someone with knowledge of this type of vulnerability decided to exploit the opportunity.
It is unclear at this time if any of the 5,800 ATG breaches (Rapid7.com) have resulted in a broader propagation to critical data systems within the convenience store retailers’ networks. The direct risk posed is high when ATG systems are connected to POS systems. It is often very difficult to determine the extent of a breach until the intruder begins to export data out of the network, even if advanced malware detection systems are in place. This is due to the complexity of the network and the inability to respond effectively even if the malware detection system works correctly.
So where do business owners start in addressing the problem?
Start by eliminating the perimeter exposure. While it is difficult to define all of your network perimeter exposures, addressing the ATG exposure is easy. It begins and ends with the public IP address that is used to remotely access the device. Eliminating this exposure can be accomplished by switching the ATG connection to a Virtual Application Network (VAN) that utilizes private IP connectivity. The VAN creates a direct connection between the ATG system and the remote monitoring system, wherever it may reside. The monitoring provider will use a private IP address that is not visible to the Internet to access the ATG and provide you the information you need.
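The exposure classes described above (public address with no firewall, public address with a firewall hole, private VAN-style address) can be checked against a device inventory. The following is an added example, not code from the original article or any VAN vendor; the site names, addresses, rule format and `Atg`/`FirewallRule` types are all assumptions, and the documentation ranges 198.51.100.0/24 and 203.0.113.0/24 stand in for public addresses.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed inventory for illustration: site names, addresses and the rule
# format are assumptions, not data from any real retailer or monitoring provider.

@dataclass
class FirewallRule:
    src: str      # source CIDR the rule admits
    action: str   # "allow" or "deny"

@dataclass
class Atg:
    site: str
    mgmt_ip: str                 # address the remote monitoring party connects to
    firewalled: bool = False     # is there any firewall in front of the device?
    rules: list = field(default_factory=list)

# "Private" here means RFC 1918; ipaddress.is_private would also match the
# documentation ranges used below as stand-ins for public addresses.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = ipaddress.ip_network("0.0.0.0/0")

def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def classify_exposure(atg: Atg) -> str:
    """Rate how an ATG is reachable from outside the store (worst first in SEVERITY)."""
    if is_rfc1918(atg.mgmt_ip):
        return "private"                      # VAN-style private connectivity
    if not atg.firewalled:
        return "public-unfirewalled"          # public address, nothing in front of it
    allows = [ipaddress.ip_network(r.src) for r in atg.rules if r.action == "allow"]
    if any(net == ANY for net in allows):
        return "public-hole-any"              # firewall hole open to the whole internet
    return "public-hole-scoped"               # hole limited to named source ranges

SEVERITY = {"public-unfirewalled": 0, "public-hole-any": 1, "public-hole-scoped": 2}

def audit(atgs):
    """Sites still relying on public addressing, most exposed first."""
    found = [(a.site, classify_exposure(a)) for a in atgs]
    return sorted((f for f in found if f[1] in SEVERITY), key=lambda f: SEVERITY[f[1]])

# Constructed sample of four stores
SAMPLE = [
    Atg("store-101", "198.51.100.10"),                                         # public, no firewall
    Atg("store-102", "203.0.113.25", True, [FirewallRule("0.0.0.0/0", "allow")]),   # hole open to all
    Atg("store-103", "203.0.113.40", True, [FirewallRule("192.0.2.0/24", "allow")]),  # scoped hole
    Atg("store-104", "10.40.7.12"),                                            # private, VAN-connected
]
```

Running `audit(SAMPLE)` lists store-101, store-102 and store-103 in that order; only the privately addressed store-104 drops out of the report.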
What is the perimeter in the average retail store?
Like most modern enterprise networks, the broader perimeter is composed of a variety of Internet-facing systems and applications which collectively define your perimeter. These systems can include Wi-Fi networks, email systems, payment networks, cloud services, employee Internet access, remote access connections and physical access to networking equipment, to name a few. The issue is that most enterprise networks cannot effectively define their perimeter; therefore, they cannot effectively defend their perimeter.
What is the best defense to an undefinable network perimeter?
The harsh reality is that you have to assume you will be breached. A 2014 study by Mandiant (Crossing the Maginot Line) found that 97% of companies have already been breached. Additionally, the 2014 Verizon Data Breach Study found that 99% of POS breaches were identified by third parties and not the company itself. This means it is probable that you will be breached and improbable that you will detect it before it is too late. Therefore, containing the breach at the point of entry is the best defense.
How do businesses contain network breaches?
The best way to implement containment based security in your network is to place each application into its own separate end-to-end network that does not share common routing and security elements. This can be accomplished either through physical segmentation or virtual segmentation. Physical segmentation requires separate routers and wide area circuits and can be cost prohibitive. Virtual segmentation accomplishes the same goal but does so through virtual router and firewall instances that can leverage a single wide area circuit.
What does this mean to the ATG problem?
It is important to note that many of the ATG systems deployed today do not rely on public IP addressing for remote access. ATGs implemented at many of the largest petroleum retailers utilize Virtual Application Networks (VANs) which provide virtual application segmentation. This network connectivity method utilizes dedicated logical networks customized to the specific needs of the ATG network itself.
VANs utilize private IP addressing and have dedicated virtual routing and security policies for each specific use. VANs are virtual overlay networks that are segmented from end to end and do not share common routing and security policy elements with other network segments. This approach creates distinctly defined network perimeters which can be better defended, produces concise logs which can be more easily analyzed and isolated, and eliminates the potential for breach propagation to other network segments. None of the ATGs that are connected using Virtual Application Networks (VANs) were breached.
A deterministically defined application network perimeter can be defended more effectively, reducing the chance of vulnerabilities and the chance of a breach in the first place. In the event an application network is breached, the logs have a defined baseline which can detect anomalies more effectively, reducing the chance of a breach going undetected. If a breach of an application network is not detected, the lack of shared routing and security elements reduces the chance the breach can propagate to other network segments. Simply put, virtual application networks reduce “chance” as a part of the network security program yielding improved security effectiveness.
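Because a segmented ATG network has only one legitimate peer (the monitoring provider), its "defined baseline" is small enough to encode directly, and any flow outside it is an anomaly worth an alert. The following is an added example, not code from the article or any VAN product; the segment ranges, addresses, timestamps and flow-record format are constructed assumptions.

```python
import ipaddress
import re

# Constructed baseline for illustration; the ranges and log format are assumptions.
ATG_SEGMENT = ipaddress.ip_network("10.40.0.0/16")    # the ATG application network
PROVIDER = ipaddress.ip_network("10.200.1.0/24")      # monitoring provider's private range
POS_SEGMENT = ipaddress.ip_network("10.50.0.0/16")    # a separate application network (POS)

# Assumed flow-record shape: "<timestamp> src=<ip> dst=<ip>"
LINE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)")

def parse(line):
    """Return a dict for a well-formed record, None for anything else."""
    m = LINE.match(line)
    if not m:
        return None
    return {"ts": m["ts"], "src": ipaddress.ip_address(m["src"]),
            "dst": ipaddress.ip_address(m["dst"])}

def check_flow(flow):
    """Return None if the flow fits the segment baseline, otherwise a reason string."""
    src, dst = flow["src"], flow["dst"]
    if src in PROVIDER and dst in ATG_SEGMENT:
        return None                                  # provider polling the gauge
    if src in ATG_SEGMENT and dst in PROVIDER:
        return None                                  # gauge reporting back to provider
    if src in ATG_SEGMENT and dst not in ATG_SEGMENT:
        return "atg host reaching outside its segment (possible propagation)"
    if dst in ATG_SEGMENT and src not in PROVIDER:
        return "unexpected source reaching an ATG"
    return "flow outside defined baseline"

def find_anomalies(lines):
    """Return (timestamp, record, reason) for every record that breaks the baseline."""
    out = []
    for line in lines:
        flow = parse(line)
        if flow is None:
            continue                                 # skip malformed records
        reason = check_flow(flow)
        if reason:
            out.append((flow["ts"], line, reason))
    return out

# Constructed sample records from the ATG segment
SAMPLE_LOG = [
    "2015-01-22T10:03:11 src=10.200.1.5 dst=10.40.7.12",   # provider poll: expected
    "2015-01-22T10:03:40 src=10.40.7.12 dst=10.200.1.5",   # inventory report: expected
    "2015-01-22T10:05:02 src=10.40.7.12 dst=10.50.3.9",    # gauge talking to the POS segment
    "2015-01-22T10:06:17 src=10.40.9.99 dst=10.40.7.12",   # unknown peer inside the segment
]
```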
Convenience store retailers should immediately evaluate their exposure to ATG breaches and the methods they are using for connectivity and security. If they are utilizing public IP based methodologies, migrating to private IP based methods is very prudent. Specifically, utilizing VAN connection methods has proven to be a more secure and often more cost-effective approach.