NetAPT and NP-View: How We Developed a Network Security Analysis Solution for Power Utilities
I’m part of a team at Illinois that’s spent years developing the tool called NetAPT, which is short for Network Access Policy Tool. We’re getting ready to launch a start-up company, Network Perception, that will market the tool commercially under a new name, NP-View. It’s worth looking back to see where the tool came from, why it’s important, and how it evolved to meet the needs of the power industry far more fully than its first creators originally envisioned.
First, what is NetAPT today? It’s a software tool that performs an automated, comprehensive security policy analysis to identify any respects in which a network containing firewalls deviates from global access policy. It runs on Windows or Macs, has an intuitive user interface, and requires minimal setup time, so system administrators with ordinary skill sets can easily use the tool. Although--as I discuss below--it contains features tailored to the needs of the power industry, it can be useful for any system that contains firewalls.
The idea behind NetAPT is that it provides a means for a system analyst to review his or her security controls and ensure that they do what the analyst intends them to do. If you’re concerned about an outsider getting through your firewalls, a rule review provides assurance--a second set of eyes telling you that your firewall is doing what you intended it to do. The whole idea is to reduce the number of people that can access critical systems and potentially compromise those systems. The tool can also highlight possible typos or misconfigurations, so it helps to show where you might want to direct any mitigation efforts.
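To make the rule-review idea concrete, here is an added example that is not part of NetAPT or NP-View and does not reflect their implementation. It parses a small, constructed access list written in a simplified Cisco-style syntax, compares every permit rule against a hypothetical global access policy expressed as allowed (source zone, destination zone, protocol, port) flows, and reports rules that fall outside the policy: wildcard rules, rules that name an address belonging to no known zone (a likely typo), and rules that are narrower than "any" but still broader than what the policy allows. The ACL syntax subset, the zone names, the addresses and the policy entries are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

IPv4Network = ipaddress.IPv4Network
ANY = IPv4Network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    line: int
    action: str          # "permit" or "deny"
    proto: str           # "tcp", "udp", "ip", ...
    src: IPv4Network
    dst: IPv4Network
    port: str            # destination port, or "any" when the rule has no "eq"
    text: str            # original line, kept for the report


@dataclass(frozen=True)
class Finding:
    line: int
    kind: str            # "wildcard", "unknown-address" or "outside-policy"
    text: str


# Constructed ACL, loosely modelled on a Cisco-style extended access list.
# Line 4 contains a deliberate typo (192.168.5.10 instead of 192.168.50.10).
SAMPLE_ACL = """
access-list OUTSIDE_IN extended permit tcp 10.1.0.0 255.255.0.0 host 192.168.50.10 eq 22
access-list OUTSIDE_IN extended permit tcp 10.1.0.0 255.255.0.0 192.168.50.0 255.255.255.0 eq 443
access-list OUTSIDE_IN extended permit tcp any 192.168.50.0 255.255.255.0 eq 23
access-list OUTSIDE_IN extended permit tcp 10.1.0.0 255.255.0.0 host 192.168.5.10 eq 22
access-list OUTSIDE_IN extended permit tcp 10.1.0.0 255.255.0.0 192.168.50.0 255.255.255.0 eq 22
access-list OUTSIDE_IN extended deny ip any any
"""

# Hypothetical zones and global access policy (constructed for the example).
ZONES: Dict[str, IPv4Network] = {
    "corporate": IPv4Network("10.1.0.0/16"),
    "control": IPv4Network("192.168.50.0/24"),
    "jump_host": IPv4Network("192.168.50.10/32"),
}
# Each entry: (source zone, destination zone, protocol, destination port).
POLICY: List[Tuple[str, str, str, str]] = [
    ("corporate", "control", "tcp", "443"),     # HTTPS to the control zone
    ("corporate", "jump_host", "tcp", "22"),    # SSH only to the jump host
]


def _take_addr(tokens: List[str]) -> IPv4Network:
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D MASK'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return IPv4Network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)
    return IPv4Network(f"{tok}/{mask}", strict=False)


def parse_acl(text: str) -> List[Rule]:
    """Parse the simplified ACL syntax; lines are numbered from 1."""
    rules = []
    for number, line in enumerate(text.strip().splitlines(), 1):
        tokens = line.split()
        if not tokens or tokens[0] != "access-list":
            continue
        # access-list NAME extended ACTION PROTO SRC... DST... [eq PORT]
        rest = tokens[3:]
        action, proto = rest.pop(0), rest.pop(0)
        src = _take_addr(rest)
        dst = _take_addr(rest)
        port = rest[1] if len(rest) >= 2 and rest[0] == "eq" else "any"
        rules.append(Rule(number, action, proto, src, dst, port, line))
    return rules


def audit(rules: List[Rule], zones: Dict[str, IPv4Network],
          policy: List[Tuple[str, str, str, str]]) -> List[Finding]:
    """Report every permit rule not fully covered by some policy entry."""
    findings = []
    for r in rules:
        if r.action != "permit":
            continue
        covered = any(r.src.subnet_of(zones[s]) and r.dst.subnet_of(zones[d])
                      and r.proto == p and r.port == port
                      for s, d, p, port in policy)
        if covered:
            continue
        in_zone = lambda net: any(net.subnet_of(z) for z in zones.values())
        if r.src == ANY or r.dst == ANY:
            kind = "wildcard"
        elif not in_zone(r.src) or not in_zone(r.dst):
            kind = "unknown-address"      # nothing the policy knows about: check for a typo
        else:
            kind = "outside-policy"       # known zones, but a flow the policy does not allow
        findings.append(Finding(r.line, kind, r.text))
    return findings


if __name__ == "__main__":
    for f in audit(parse_acl(SAMPLE_ACL), ZONES, POLICY):
        print(f"line {f.line}: {f.kind}: {f.text}")
```

Run as a script, the example flags line 3 (a wildcard source), line 4 (a destination that belongs to no zone, so probably the typo) and line 5 (SSH permitted to the whole control zone where the policy allows it only to the jump host), while lines 1 and 2 pass silently. A real tool would also walk the other direction, checking that every policy entry is actually implemented by some rule, and would resolve object groups and interface ACLs before comparing.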
NetAPT can be useful in many types of industrial settings, but it can be especially important in critical infrastructure and SCADA (“supervisory control and data acquisition”) systems, which are a large-scale type of industrial control system commonly used in power generation and distribution. The reason is that critical infrastructure, such as the national power grid, often contains components that are perhaps one or two generations behind the technological state of the art. That happens because systems inside critical infrastructure stay in production much longer than typical information technology systems. You can easily find eight- to ten-year-old equipment still in use in critical systems, and anything that runs software developed that long ago can be problematic. Hence the critical need to analyze its security posture.
So how was NetAPT developed? The original version of the tool that became NetAPT was a little command-line-driven program that ran on a Unix box. It would go out and download configuration information directly from firewalls and then check policies; if there were any changes, it would report all the rules that matched the policies we had specified. There was a graphical interface, but it lacked many of the features needed for full-fledged industrial use.
At that time, I wasn’t yet working at the University of Illinois. I was doing information security at Ameren, and my colleagues and I were interested in finding a way to get more information about changes that might be occurring in our firewalls. We sat down and talked with the NetAPT team from Illinois, which at that time included Mouna Bamba, David Nicol, William H. Sanders, and Sankalp Singh, who has since moved to Google. It was at that point that we really seized on the idea of taking that original access policy tool and making it into something that was much more usable by process control system cyber security professionals, providing a rich variety of reports that could be directly used for compliance assessment. Such functionality would not only help technical people like ourselves analyze our systems, but would help us explain our security profile to potentially less technical people, such as management personnel.
That explanatory or documentary function was suddenly becoming especially important to the power sector at that time, because NERC (the North American Reliability Corporation, a regulatory body) was then forming its original CIP (Critical Infrastructure Protection) compliance rules. So we really needed a handy way to visually show managers and auditors our firewall rules and security conditions, so they could easily see exactly where we were allowing access into critical infrastructure. And creating such graphics by hand was a very painstaking process. For example, at that time, if I was reviewing just one firewall, I might spend 40 hours making a Visio diagram or a map of all the different flows that were allowed by the rules.
Well, I’d done some research with Sandia National Labs, and they had a tool called ANTFARM that was a way to map the relation between firewalls. We at Ameren told the Illinois researchers that we’d really like to have something like an ANTFARM map integrated with the flows identified by NetAPT, so that the flows are shown on the visual map. And a few months later, they came back to us with a prototype of just what we had asked for! As it happened, we were just going into our first round of CIP compliance review, and I was able to perform an analysis of the results of the tool against the Ameren network before we went into compliance. What the tool allowed me to do was in a very short amount of time, less than a week, perform a review of over ten or twenty thousand lines of firewall configuration. It allowed me to be far more productive in the time that I was using to assess whether or not Ameren was going to be in compliance.
So then I went back to the Illinois team, and that’s when we really started the iterations of improvements in the tool, both in handling more data and in being more efficient. Once we got a visual view of the network, there were lots of different things that came up as possible improvements to the tool, among them support for VPN connections; there was a process of the tool becoming more and more mature and tuned towards NERC CIP compliance. And then over the course of the next year or two I used the tool in actual audits performed at Ameren. It helped us get through analysis a lot faster. Review tasks that were planned for a day, we were able to get finished in an hour. And so it had a really positive and significant impact on my ability as an analyst to go into an audit and explain to auditors what was going on; I was able to visually show auditors things that they’d previously only seen in firewall configurations. Whenever you can show someone complex concepts like network attack surfaces visually, it helps things move quicker and it’s very appealing.
There’s now a lot of customized reporting in the tool specifically for NERC CIP compliance regulation. It helps to provide reports that auditors and utilities can use to communicate about things that need to be reported due to the regulations. It makes it much easier to provide succinctly and clearly the information that an auditor needs in order to perform an audit in a productive and timely manner. Currently, in some audits, a lot of this review is done manually, and firewall configurations from critical infrastructure can be very complex, with hundreds or thousands of lines; they can take an inordinate amount of time to review. In the industry today, a huge amount of human time is spent on providing audit data. There are potential cost savings for a utility across the entire audit process in using a tool like this, which provides a streamlined way to get at the information that must be presented to show audit compliance.
So now I’m employed at the University of Illinois, and NetAPT is one of the main projects I work on. Some other developers have joined the NetAPT team as well: Robin Berthier, Rakesh Kumar, George Yu, and Zach Yordy. We’re looking forward to doing the commercial launch in the near future, and helping other utilities benefit from the tool the same way Ameren has.