Automated Network Access Policy Hardening
Summary Statement
The objective of this research and development activity is to design and implement an open-source software module that takes as input open source format descriptions of (1) a network topology graph, (2) access control policy rules, and (3) a device-to-device connectivity map, and computes a risk exposure index for each connection. This index can then be used to automatically translate the initial network access policy into a hardened security policy in which asset exposure is better constrained and protected against adversarial access via lateral movement. The policy optimization algorithm will leverage firewall configuration best practices, inferred knowledge about connectivity requirements, and externally provided vulnerability advisories. Users will be offered an actionable improvement plan to deploy the new policy incrementally. The risk exposure index will also let users rank connectivity paths according to their likelihood of being used by intruders for lateral movement. Finally, this project will provide organizations with (1) an approach to objectively compare network architectures and access policies across business units, and (2) a way to measure progress towards adopting network security best practices.
The graphic below illustrates the information flow and the proposed contribution. The user (assumed to be an owner/operator of an OT network) has access to information about the OT network, which is supplied to a commercial tool capable of network analysis. Potential tools include Skybox, RedSeal, and NP-View/Live. That tool is assumed to be able to produce (1) a description of the network topology, (2) a description of the access control rules used to admit and constrain network flows, (3) a map of connectivity between devices, including the IP and application protocol particulars required for each connection, and (4) a description of available services and vulnerabilities (this component is already widely available through network scan tools and analysis of CVSS vulnerability reports). One element of the proposed work is to refine open source formats for all of this information. The Internet Engineering Task Force has invested considerable effort in the YANG [1] modeling framework, which is especially tuned to networks, the services they provide, and access control. We believe that using YANG as the open source format will enable companies and researchers to use existing open source tools for creating and interpreting YANG model descriptions. A second component of the proposed project is the (external) software module (ANAPH) that implements the proposed algorithms for hardening access control policy. The algorithms analyze the network and connectivity information through the lens of (configurable) best-practice recommendations and optimizations that seek to maximize improvements to network security, particularly protection against penetrations enabled by lateral movement, and express those recommendations as a plan of modified access control rules, optionally including recommendations for additional access control devices. These recommendations will be expressed in the same open source format as the input to ANAPH.
Energy Delivery System (EDS) Gap Analysis
Organizations are adopting a culture of cyber resilience in which access controls among connected assets have to comply with best practices and be continuously monitored. Examples of access control include connection requirements implied by network, host, and application firewalls, as well as mechanisms such as role-based access control. The growing scale of information technology and industrial networks makes it intractable for human operators to understand the implications of all the inter-meshed policies. This project introduces a solution to automate the hardening of network access policies by leveraging network modeling, graph theory, and context-based risk assessment.
As an example, suppose a vulnerability is discovered and announced by a prominent industrial equipment manufacturer. The impact of this vulnerability could be devastating for organizations with a large installed base from this manufacturer. Cyber security analysts struggle to assess the potential damage and to prioritize a network containment approach before launching a large-scale patching campaign. This results in weeks of manual labor during which impacted organizations remain highly vulnerable.
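The computation sketched in the Summary Statement (a per-connection exposure index, a ranking of connectivity paths by their attractiveness for lateral movement, and a hardened rule set delivered as an incremental plan) and the containment scenario just described, as an added example. This is not ANAPH's code, and the page does not define ANAPH's algorithms or scoring: the topology, rules, connectivity map and advisories below are constructed stand-ins for what the page says a network-analysis tool would export, and the two heuristics (exposure = CVSS score of the admitted service, times one plus the number of further devices reachable from it; path cost = number of hops with no advisory, then hop count) are assumptions made for this example. Standard library only.

```python
from collections import deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src: str   # device (or zone) allowed to initiate the flow
    dst: str   # destination device
    port: int  # destination service port

# (1) Topology: undirected L3 adjacency, constructed for the example.
TOPOLOGY = {
    "corp-ws": {"dmz-jump"},
    "dmz-jump": {"corp-ws", "scada-hmi", "historian"},
    "scada-hmi": {"dmz-jump", "plc-1", "plc-2"},
    "historian": {"dmz-jump", "plc-1"},
    "plc-1": {"scada-hmi", "historian"},
    "plc-2": {"scada-hmi"},
    "legacy-rtu": set(),  # decommissioned, no longer cabled to anything
}
# (2) Current allow rules (default deny), constructed.
POLICY = [
    Rule("corp-ws", "dmz-jump", 3389),
    Rule("dmz-jump", "scada-hmi", 3389),
    Rule("dmz-jump", "historian", 1433),
    Rule("dmz-jump", "plc-1", 502),      # Modbus straight from the jump host
    Rule("scada-hmi", "plc-1", 502),
    Rule("scada-hmi", "plc-2", 502),
    Rule("historian", "plc-1", 502),     # historian polling the PLC directly
    Rule("corp-ws", "legacy-rtu", 502),  # leftover rule for a removed device
]
# (3) Connectivity map: flows the operation actually needs, constructed.
REQUIRED = {POLICY[0], POLICY[1], POLICY[2], POLICY[4], POLICY[5]}
# (4) Advisories: CVSS base score per vulnerable (device, port), constructed.
ADVISORIES = {("plc-1", 502): 9.8, ("scada-hmi", 3389): 7.5}

def _reachable(graph, start):
    """Nodes reachable from start in a dict-of-sets graph (start excluded)."""
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in graph.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen - {start}

def effective_rules(policy, topology=TOPOLOGY):
    """Drop rules whose endpoints have no physical path: they can never match
    traffic, so removing them is a no-risk clean-up (firewall best practice)."""
    return [r for r in policy if r.dst in _reachable(topology, r.src)]

def exposure_index(policy, advisories=ADVISORIES):
    """Assumed heuristic: CVSS score of the admitted service (1.0 if no advisory)
    scaled by how many further devices an intruder can reach from there."""
    graph = {}
    for r in policy:
        graph.setdefault(r.src, set()).add(r.dst)
    return {r: advisories.get((r.dst, r.port), 1.0) * (1 + len(_reachable(graph, r.dst)))
            for r in policy}

def lateral_paths(policy, entry, target, advisories=ADVISORIES):
    """All simple flow paths entry -> target (lists of rules), ranked by an assumed
    attacker cost: hops with no advisory (need stolen credentials), then length."""
    by_src = {}
    for r in policy:
        by_src.setdefault(r.src, []).append(r)
    paths = []

    def walk(node, path, visited):
        if node == target:
            paths.append(path)
            return
        for r in by_src.get(node, ()):
            if r.dst not in visited:
                walk(r.dst, path + [r], visited | {r.dst})

    walk(entry, [], {entry})
    return sorted(paths, key=lambda p: (sum((r.dst, r.port) not in advisories for r in p), len(p)))

def harden(policy, required=REQUIRED, advisories=ADVISORIES):
    """Return (hardened_policy, plan); plan steps carry the exposure they address,
    highest first, so the operator can deploy them incrementally."""
    live = effective_rules(policy)
    index = exposure_index(live, advisories)
    plan = []
    for r in policy:
        if r not in live:
            plan.append(("remove", r, "no physical path between endpoints", 0.0))
        elif r not in required:
            plan.append(("remove", r, "not in required connectivity map", index[r]))
        elif (r.dst, r.port) in advisories:
            plan.append(("patch-or-compensate", r, "required flow hits an advisory", index[r]))
    plan.sort(key=lambda step: step[3], reverse=True)
    return [r for r in live if r in required], plan

if __name__ == "__main__":
    for action, rule, why, score in harden(POLICY)[1]:
        print(f"{score:5.1f}  {action:<20} {rule.src}->{rule.dst}:{rule.port}  ({why})")
```

Running it prints the plan in exposure order: the two rules that are not on the required map and the dead rule for `legacy-rtu` are removals, while the two required flows that land on an advised service are flagged for patching or a compensating control rather than removed. After hardening, only the path corp-ws -> dmz-jump -> scada-hmi -> plc-1 remains, and the exposure of the dmz-jump -> scada-hmi rule is unchanged because the jump host's reach is preserved by required flows; that is the rule a containment plan would have to address with something other than a rule deletion.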
More Information
- (Sept. 2020): Refinement of open source format YANG for topology, access rules, connectivity, vulnerability map, and risk exposure metrics
- (Dec. 2020): Definition of algorithms to be implemented in ANAPH
- (Sept. 2021): Prototype of ANAPH completed
- (Dec. 2021): Integration of ANAPH algorithms and output into Network Perception NP-Live product. Start testing/validation with utility partner
- (May 2022): project completion, ANAPH capabilities embedded in Network Perception product roadmap
Financial constraints have limited Network Perception's interest in spending their own time integrating the results of P3 into their product line. We know that risk assessment is of strategic interest to them, but they are presently consumed with tactical issues in maintaining their existing code base and customers. The student involved in this project has graduated; we will close the project out by putting ANAPH into an open source repository and continue to touch base with Network Perception on integration.
Industry Collaborators
Network Perception