Chapter 5


bandwidth

the total amount of data that can be carried from one point to another in a given period of time, typically measured in megabits per second (Mbps) or gigabits per second (Gbps). Bandwidth is not usually a concern in industrial networks, as most ICS devices require very little bandwidth to operate.

Wireless Mesh topology

logically similar to wired mesh topologies, only using wireless signaling to interconnect compatible devices with all other compatible devices. Unlike wired meshes where the physical cabling dictates the available network paths, wireless meshes rely on provisioning to control information flow

types of ICS networks

may be local-area switched networks as common with distributed control system (DCS) architectures, or wide-area routed networks more typical of supervisory control and data acquisition (SCADA) architectures.

types of Communication flow control:

Absolute: no communication is allowed; traffic is blocked in both directions. Conditional: only explicitly defined traffic is allowed, via Access Control Lists, filters, etc. Bidirectional: traffic is allowed in both directions, and conditions may be enforced in both directions. Unidirectional: traffic is allowed in only one direction, for example via a data diode or unidirectional gateway.

Countermeasures to ICS network segmentation problems

Implement defense-in-depth security controls at the demarcation points where networks can be segmented. Example: Deploy a network-based security control in the process network, using a transparent firewall or IPS, that can monitor and enforce traffic without blocking multicasts or other expected process control traffic. Where this is not possible, implement network security controls immediately upstream of the process network VLAN switch. Monitor process network activity. If network controls are deployed, these controls can provide security event logging and alerting to give security analysts the needed visibility into the process network. If they are not (or cannot be) deployed, consider deploying IDS devices on mirrored or spanned switch interfaces, so that the same degree of monitoring can occur out of band.

Layer 3 switches

In ICS networks with critical real-time requirements, Layer 3 switches provide significantly improved performance, and by replacing separate Layer 2 and Layer 3 devices with a single device, several hops are eliminated.

types of Segmentation: Data-Link Layer

Occurs at Layer 2, and is typically performed using Virtual Local Area Networks, or VLANs. Network switches are used to separate systems, and VLANs are used to limit their broadcast domains. VLANs therefore cannot communicate with other VLANs without traversing at least one Layer 3 hop to do so (when trunks are used), or without physically connecting VLAN access ports (when untagged access ports are used). The use of VLANs provides easy and efficient segmentation. If inter-VLAN communication is only allowed via a Layer 3 device, VLANs can also enforce some security by implementing segregation via Access Control Lists (ACLs) on the intermediary router(s). Newer Layer 2 switches provide the capability to implement ACLs at the port level as traffic enters the switch, which helps improve VLAN security since this ACL is applied to all VLANs on a given port. Security concerns: because VLANs are easy to implement, they are commonly used for network segmentation, which in turn minimizes the impact of many Ethernet issues and attacks, such as floods and storms. However, VLANs are also the least secure method of segmentation. Improperly configured networks are susceptible to VLAN Hopping attacks, easily allowing an attacker to move between VLANs.

types of Segmentation: Network Layer

Occurs at Layer 3, and is performed by a network router, a network switch with Layer 3 capabilities, or a firewall. For any protocols utilizing the Internet Protocol (IP)—including industrial protocols that are encapsulated over TCP/IP or UDP/IP—routing provides good network layer segmentation as well as strong security through the use of router ACLs, IGMP for multicast control, etc. However, IP routing requires careful IP addressing. The network must be appropriately separated into address subnets, with each device and gateway interface appropriately configured. Network firewalls can also filter traffic at the network layer to enforce network segregation. Security concerns: Most Layer 3 switches and routers support access control lists (ACLs) that can further strengthen access controls between networks. Layer 3 network segmentation will help to minimize the attack surface of network-layer attacks. In order to protect against higher-layer attacks such as session hijacking, application attacks, etc. "extended" ACLs must be deployed that can restrict on communication port and IP addresses. This reduces the attack surface to only those allowed applications when configured using a "least privilege" philosophy.

types of Segmentation: Transport, Session, Presentation, Application (Layers 4-7)

Occurs at Layers 4-7, and includes means of controlling network traffic carried over IP (i.e. above the network layer). This is important because most industrial protocols have evolved for use over IP, but are often still largely self-contained, meaning that functions such as device identity and session validation occur within the IP packet payload. For example, two devices with the IP addresses 10.1.1.10/24 and 10.1.1.20/24 are in the same network, and should be able to communicate over that network according to the rules of TCP/IP. However, if both are slave or client devices in an ICS, they should never communicate directly with each other. By "segregating" the network based on information contained within the application payload rather than solely on the IP headers, these two devices can be prevented from communicating. This can be performed using variable-length subnet masking (VLSM) or "classless" addressing techniques. Security concerns: This is a powerful method of segmentation because it offers granular control over network traffic. In the context of industrial network security, application layer "content filtering" is able to enforce segregation based upon specific industrial protocol use cases. Application layer segregation is typically performed by a "next generation firewall" or "application aware IPS," both of which are terms for a device that performs deep packet inspection (DPI) to examine and filter upon the full contents of a packet's application payload. Filtering can be very broad, limiting certain protocol traffic from one IP address to another over a given port, or very granular, limiting certain protocols to performing specific functions between pre-defined devices, for example, only allowing a specific controller to write values that are within a certain range to specific, explicitly defined outputs.

Characteristics of Segmentation: Data-Link Layer

Provided by: VLAN; Management: Moderate; Performance: Good; Network Security: Very Broad; ICS Protocol Support: High; OT Applicability: High

Characteristics of Segmentation: Physical Layer

Provided by: Data diode; Management: None; Performance: Good; Network Security: Absolute; ICS Protocol Support: N/A; OT Applicability: High

Application Firewalls

able to inspect traffic "higher up" in the layers of the OSI model, and therefore able to make filtering and forwarding decisions with greater precision. For example, session-aware firewalls are able to consider the validity of a session, and can therefore protect against more sophisticated attacks. Application layer firewalls are application-aware, meaning that they can inspect traffic up to the application layers (OSI Layers 5-7), examining and making decisions on the application's contents. For example, a firewall may allow traffic through to "read" values from a PLC, while blocking all traffic that wants to "write" values back to the PLC. Firewalls that can operate in "transparent mode" or "bridge mode" are often easier to deploy in ICS environments.

remote access

an ICS commissioned in a manufacturing facility will typically include third-party contracts with explicitly defined service requirements, often requiring 24×7 response, with measured response times and guarantees around problem resolution that require remote access. Remote access can introduce multiple attack vectors at the same time. Even if secure remote access methods are used, such as virtual private networks, two-factor authentication, and so on, a node can be compromised remotely, because the underlying infrastructure used for remote access is connected to public, untrusted networks like the Internet.

Advanced Metering Infrastructure(AMI)

an advanced technique to monitor energy consumption on the consumer side (from homes, offices and factories). This metering system is gaining popularity throughout the United States. The meters are considered "smart" because of various integrated technologies to allow for calculations, display, storage and communication with a central server. Data recordings are made every hour (or more frequently) and the data is sent to the utility company for constant monitoring and billing. This two-way communication between the meter and the central system run by the service provider is done via cellular telecommunication technologies and makes remote reporting and problem solving easier.

segregation

the act of isolating a device, network, or protocol. Segregation can occur at any layer of the OSI model, provided that the segregated environments do not share hardware or protocol implementations. The segregation methodologies are physical, network, and application.

industrial network

any network that supports the interconnectivity of, and communication between, devices that make up or support an ICS. Redundancy is critical for the ICS control and process areas.

bus topology

are linear, and often used to support either serially connected devices, or multiple devices connected to a common bus via taps. Bus topologies often require that the bus network be terminated at either end by a terminator used to prevent signal reflections. In a bus topology, the resources of the network are shared among all of the connected nodes, making bus networks inexpensive but also limited in performance and reliability. The number of devices connected to a single bus segment is relatively small for this reason.

Special ICS security considerations

Because ICS often span beyond the building perimeter, consider WAN network security issues as well. Also consider smart grid security issues, as smart grids provide broad and easy access to a network that ultimately interconnects the electric utility transmission and distribution infrastructure to many homes and businesses.

Ring topology

circular, with each node connected serially, but with the final node connected back to the first node, rather than terminating the network at either end. This topology can cover endpoints, but is more commonly used to interconnect network access switches.

Mesh topology

common for the connectivity of critical devices that require maximum performance and uptime, such as core Ethernet network devices like switches and routers, or critical servers. Because many paths exist, the loss of one connection—or even the failure of a device—does not (necessarily) degrade the performance of the network.

Branch or Tree topology

hierarchically connected topologies where a single topology (typically a bus, representing the "trunk") supports additional topologies (typically bus or star topologies, representing the "branches"). One practical example of this is the "chicken foot" topology used in FOUNDATION Fieldbus H1 deployments where a bus is used to interconnect several junction boxes or "couplers," which then allows a star connection to multiple field devices.

ICS Network Services

identity and access management (IAM), directory services, domain services, and others are required to ensure that all industrial zones have a baseline of access control in place. While these systems are most likely already in place within the business network, utilizing them within industrial networks can introduce risk. Domain servers and other identity- and access-control systems should be maintained separately for the industrial network. This is counter-intuitive to most IT security professionals who recognize the value of centralized network services. However, the risk that a domain controller in the business zone could be compromised is much higher than the risk to a domain controller that is isolated within the plant zone. The user credentials of OT managers should therefore not be managed by IAM systems that have been deployed within the business zone. Rather, they should be managed exclusively from within the plant zone.

SIS purpose

intended to detect a potentially hazardous state of operation, and place the system into a "safe state" before that hazardous state can occur. SISs are designed for maximum reliability (even by the already-high standards of automation), and often include redundancy and self-diagnostics to ensure that the SIS is fully functional should a safety event occur. The idea is that the SIS must be available when called upon to perform its safety function.

network security controls

introduce latency, typically to a greater degree than network switches and routers. This is because, as in switches and routers, every frame of network traffic must be read and parsed to a certain depth, in order to make decisions based upon the information available in Ethernet frame headers, IP packet headers, and payloads. The same rule applies as before: the deeper the inspection, the greater the imposed latency. Typically, when performing deep packet inspection (a technique used in many firewalls and IDS/IPS products), more processing and memory is required. This will increase relative to the depth of the inspection and to the breadth of the analysis, meaning the more sophisticated the inspection, the higher the performance overhead. This is typically not a problem for hardware inspection appliances, as the vendor will typically ensure that this overhead is accommodated by the hardware. However, if a network security appliance is being asked to do more than it has been rated for in its specifications, this could result in errors, such as increased latency, false negatives, or even dropped traffic. This is one reason why the deployment of traditional IT controls like IDS/IPS in OT environments must be carefully reviewed, and "tuned" to contain only the signatures necessary to support the network traffic present (this will also help to reduce false positives). If an industrial network does not have Internet access, then signatures relating to Internet sites (i.e. gaming websites or other business-inappropriate sites) could easily be removed or disabled.

class of service (CoS)

is identified at Layer 2 using the 802.1p protocol—a subset of the 802.1Q protocol used for VLAN tagging. 802.1p provides a field in the Ethernet frame header that is used to differentiate the service class of the packet, which is then used by supporting network devices to prioritize the transmission of some traffic over other traffic.

Importance of network segmentation

is important for both process and control networks, which often utilize UDP multicasts to communicate between process devices with the least amount of latency. Layer 2 network segmentation within a common process may be impossible because it would break up the required multicast domain. The lack of segmentation between unrelated processes could also cause issues, because multicasts would then be transmitted between disparate processes, causing unnecessary contention as well as potential security risks. Process networks often segment broadcast domains using VLANs when segmentation is possible, supporting multiple processes from a single Ethernet switch. Each process should utilize a unique VLAN unless open communication between processes is required, and/or communication between services should be limited or disabled at the switch. Communication between control networks and process networks is handled at a higher tier of the overall architecture using Layer 3 switching or routing.

type of service (ToS)

is similar to CoS, in that it identifies traffic in order to apply a quality of service. However, ToS is identified at Layer 3 using the 6-bit ToS field in the IPv4 header.

Physical segregation of systems (air-gapped)

is still widely used in industrial networks when talking about the coexistence of basic process control and safety systems overseeing the same process.

jitter

is the "variability" in latency over time as large amounts of data are transmitted across the network. A network introduces zero jitter if the time required to transfer data remains consistent over time from packet to packet or session to session. Jitter can often be more disruptive to real-time communications than latency alone. This is because, if there is a tolerable but consistent delay, the traffic may be buffered in device memory and delivered accurately and with accurate timing, albeit somewhat delayed.

ICS wireless networks

more difficult to physically contain because they are bound by the range of the radio wave propagation from an access point rather than by physical cables and network interfaces. This means that any device that is equipped with an appropriate receiver and is within the range of a wireless access point can physically receive wireless signals. Similarly, any device equipped with a suitable transmitter that is within range of an access point can physically transmit wireless signals. ICS wireless networks are commonly used to support remote, difficult, and/or costly connectivity between field devices and basic control components like PLCs and asset management systems. In areas where local power is unavailable, power can be extracted from the same line used for communications (e.g. Power over Ethernet, or PoE), or supplied by local batteries. This is an important consideration, as the availability of power directly impacts the availability of the process. In the case of battery power, battery life versus communication speed and update rate must be considered, and this typically limits the deployment of wireless field technologies in closed-loop control applications.

tiered segmentation

network segmentation often results in a hierarchical or tiered design. Because of this, it will take more hops to reach some networks (e.g. process networks) than others (e.g. plant networks). This facilitates the use of increasingly stricter access controls when a network is designed properly. Defense-in-depth strategies can (and should) add additional layers of security controls as one navigates deeper into the network hierarchy.

VLAN vulnerabilities: Switch spoofing

occurs when an attacker configures a system to imitate a switch by mimicking certain aspects of 802.1Q. VLAN trunks allow all traffic from VLANs to flow, so that by exploiting the Dynamic Trunking Protocol (DTP), the attacker has access to all VLANs.

Star topology

point-to-multipoint networks where a centralized network resource supports many nodes or devices. This is most easily illustrated with a standard Ethernet switch that provides individual connections to endpoints or other switches that can also be connected to additional endpoints.

contention

refers to competition between active nodes in a network segment for the use of available bandwidth. Contention can be an issue on heavily populated networks, large flat (Layer 2) networks, or "noisy" networks. Areas to watch out for include links between large VLAN-segmented networks and a centralized switch or router that connects these to upstream networks.

Logical Segmentation

refers to the use of logical functions within a single network device to achieve essentially the same result as physical segmentation. For example, two different VLANs are used in a single switch, and a trunk connection to a Layer 3 switch or router is used to control access between the networks.

Physical Segmentation

refers to the use of two separate physical network devices (both passive and active components) to perform the isolation between networks. For example, Switch 1 would support Network 1, and Switch 2 would support Network 2, with a router managing traffic between the two. Physical segmentation is still popular in highly critical areas (such as between safety- and non-safety-related levels in a nuclear power generating station) via the use of data diodes and unidirectional gateways.

Quality of Service (QoS)

the ability to differentiate and prioritize some traffic over other traffic, for example, prioritizing real-time communications between a PLC and an HMI over less critical communications. Both ToS and CoS values are used by QoS mechanisms to shape the overall network traffic. In many network devices, these levels will map to dedicated packet queues, meaning that higher priority traffic will be processed first, which typically means lower latency and less latency variation. Note that QoS will not improve the performance of a network above its baseline capabilities. QoS can ensure that the most important traffic is successfully transmitted in conditions where there is a resource constraint that might prevent the transmission of some traffic in a timely manner (or at all).

deterministic performance

the output is consistent for a given input, a desirable feature in real-time ICS architectures. Latency variation means that each packet suffers a different degree of delay. If this variation is severe enough, timing will be lost, an unacceptable condition when transporting data from precision sensors to controls within a precisely tuned automation system.

throughput

the volume of data that can flow through a network, measured in packets per second (pps). Throughput is impacted by a variety of physical, MAC, network, and application layer factors, including the cabling (or wireless) medium, the presence of interference, the capabilities of network devices, the protocols used, and so on. It is an important measurement when real-time networking is a requirement: if the network traffic generated in real-time networks (such as process and control networks) exceeds the rated throughput of the network infrastructure, packets will be dropped.

line rate throughput

A device that can transfer data at the full capability of the network interface.

network hops

Every network device that traffic encounters must process that packet, creating varying degrees of latency. Routers and some security devices that operate at Layers 4-7 may incur measurable amounts of latency.

Remote access security countermeasures

Minimize attack vectors. Only provide one path over which remote access may occur when implementing a remote access solution. This allows the single path into and out of the network to be carefully monitored and controlled. If multiple paths are allowed, it is more likely that security controls might be eliminated (due to the added cost of securing multiple paths), or that a specific security control might be overlooked or misconfigured.[4]

Follow the principle of "least privilege," allowing users to access only those systems or devices with which they have a specific need or authority.[5] This means that if a user only needs to view data, they should not be provided mechanisms to download and change data. To enforce "least privilege," the network may require further segmentation and segregation to isolate systems that allow remote access from other systems not accessed remotely. Ideally, third parties, such as subcontractors and vendors, should be restricted to accessing only their own devices, which may impact network segregation design, and should only be allowed to perform those functions they are authorized to perform remotely (e.g. view configuration versus download new configuration and software to devices). This will be explained in greater detail in Chapter 9, "Establishing Zones and Conduits."[6] Application control may also be required to further limit remote users to only those applications with which they are authorized. Requiring remote users to authenticate directly to a secure application server rather than just using a remote access server (RAS) limits the remote access session to a specific application rather than to the network on which the server resides.[7]

Prevent direct access to any system that is considered critical or where the risk to a system outweighs the benefit of remote access. If remote access is required for these systems, force it through a secure semi-trusted or demilitarized zone (DMZ) or proxy so that additional security controls and monitoring can be implemented.[8] The security policy deployed for an endpoint connecting via remote access should be equal to or better than that of the hosts directly connected to the trusted industrial network. This can be very difficult to enforce, especially with third parties, and is why the preferred approach may be to create a "jump station" that is always used to provide a landing point for the remote user before accessing the final device connected to the trusted industrial network. This physically separates the remote user's local computer and associated resources (removable media, file system, clipboard, etc.) from the computer accessing the industrial network. Avoid storing credentials on the remote end of the connection (e.g. with the vendor support personnel) that are transmitted and utilized on the most trusted industrial network, even if they are transmitted within encrypted tunnels. Procedures should be established and tested that allow site personnel to terminate and disconnect remote access mechanisms locally in the event of a cyber incident.

Log everything. Remote access, by its nature, represents an attack vector where only one end of the connection is 100% known and controlled. All remote access attempts, successful or not, should be logged, and all activity performed by remote users during their entire session should be logged. This provides a valuable audit trail for investigators during incident response and disaster recovery efforts. In addition, if security analytics, such as advanced security information and event management systems (SIEMs) or anomaly detection systems, are used, these logs can provide proactive indicators of an attack, and can greatly reduce incident response times, which in turn will minimize losses in the event of an attack.

Characteristics of Segmentation: Application Layer

Provided by: Application proxy, IPS, Next Generation Firewall, IPS content filter; Management: High; Performance: Poor; Network Security: Very Specific; ICS Protocol Support: Low; OT Applicability: Low

Characteristics of Segmentation: Session Layer

Provided by: Firewall, IPS, Protocol Anomaly Detection; Management: Moderate; Performance: Low; Network Security: Specific; ICS Protocol Support: Moderate; OT Applicability: Moderate

Characteristics of Segmentation: Network Layer

Provided by: Layer 2 switch (via VLAN switches only), Layer 3 switch, Router; Management: Low; Performance: Moderate; Network Security: Broad; ICS Protocol Support: High; OT Applicability: High

ICS Networks: Business Network Requirements

Real-time Operation: Best Effort; Reliability/Resiliency: Best Effort; Bandwidth/sessions/latency: High; many; transmissions acceptable; Network: Ethernet; Protocols: Non-real-time, Open

ICS Networks: Industrial Network Control and Process Area Requirements

Real-time Operation: Critical; Reliability/Resiliency: Critical; Bandwidth/sessions/latency: Low; few, explicitly defined; Low, consistent; Network: Serial, Ethernet; Protocols: Real-time, Proprietary

ICS Networks: Industrial Network Supervisory Area Requirements

Real-time Operation: High; Reliability/Resiliency: High; Bandwidth/sessions/latency: Medium; Few; Low, consistent; Network: Ethernet; Protocols: Near real-time, Open

types of Segmentation: Physical Layer

Refers to separation of two networks at the physical layer, meaning that there is a change or disruption in the physical transmission medium that prevents data from traversing from one network to another. An example could be as simple as a disconnected phone cable to a modem or a data diode to block wired transmission, a Faraday cage or jammer to isolate wireless signals, etc. The mythical "air gap" is a physical layer segmentation method. Note that the term "physical layer segmentation" should not be confused with "physical segmentation." Security concerns: physical layer segmentation can be physically bypassed, via "sneaker net" attacks. In many cases, the excessively restrictive nature of the control motivates end users to bypass security by carrying data on thumb drives or other portable removable media, introducing new attack vectors that may not have controls in place.

SIS security considerations

An SIS exists to prevent unsafe conditions. When implementing an SIS, do so in a way that a malicious actor who successfully compromises the control and process zones will not be able to also compromise the SIS. Preference should be given to keeping the SIS completely segregated from upstream networks (including supervisory networks), and when integration or interfacing is necessary, direct point-to-point connections are recommended. Comply with the Principle of Least Privilege when implementing an SIS to minimize the potential vectors that an attacker might take to access the safety systems. When implementing an SIS, consider failures and unsafe states that may be the result of a manipulation of the controller, process, protocols, and systems of the industrial network by an attack.

Risks associated with network segmentation

The implementation of additional security controls within a process network can be difficult for the same reason as just explained. This may be of some concern because VLAN segmentation can be bypassed. In larger process networks, or in broadly distributed process networks (where geographically distributed devices make physical network access more difficult to prevent), this can introduce an unacceptable level of risk. This concept is discussed within ISA 62443-3-3 in terms of a relative "Security Level" assigned to each segment or zone. Logical segmentation is only allowed between those segments/zones that require minimal security against cyber threats.

types of ICS wireless networks

WirelessHART and OneWireless. WirelessHART is a wireless implementation of the HART Communication Protocol using IEEE 802.15.4 radio and TDMA communication between nodes, while OneWireless is an implementation of ISA 100.11a wireless mesh networking based on IEEE 802.11 a/b/g/n standards and is used to transport common industrial protocols, such as Modbus, HART, OPC, General Client Interface (GCI), and other vendor-specific protocols. Both systems support mesh networking and use two devices: one to manage connected nodes and communications between nodes, and one to enforce access control and security.

purpose built network

a specialty network designed to fulfill a single, well-established purpose. Purpose built networks that follow the Principle of Least Route are the antithesis of the modern, open, general-purpose networks of today.

latency

the amount of time it takes for a packet to traverse a network from its source to its destination host. This number is typically represented as a "round-trip" time that includes the initial packet transfer plus the associated acknowledgment or confirmation from the destination once the packet has been received. Each network hop will add latency, and the deeper into a packet the device reads to make its decision, the more latency will be accrued at each hop. A Layer 2 switch will add less latency than a Layer 3 router, which will add less than an application firewall.

Multi-homing or dual-homing

describes the connection of a single node to two or more networks. Dual homing can be used for redundancy. It has also been used as a method of making resources accessible to multiple zones, but this is not recommended. In the case of a dual-homed connection between a plant zone and a business zone, any successful breach of the dual-homed server would provide a bridge between the two zones, fully exposing the plant zone to the outside world.

network segmentation

the division of a larger network into smaller networks, by imposing appropriate network controls at a given layer of the Open Systems Interconnection (OSI) model. Network segmentation is concerned with improving network uptime. It typically occurs at Layer 3 (the network layer), by a network device providing routing functions (i.e. traditional routers, Layer 3 switches, firewalls, etc.), but can also be performed at Layer 2 with VLANs. Network segmentation should be used to support zone segmentation whenever possible.

zone segmentation

the division of industrial systems into grouped subsystems, for the primary purpose of reducing the attack surface of a given system, as well as minimizing attack vectors into and out of that system. This is accomplished by "limiting the unnecessary flow of data" between zones. Zone segmentation is concerned with improving security.

VLAN hopping countermeasure

restricting the available VLANs that are allowed on the trunk or, when possible, disabling VLAN trunking on certain links. VLAN trunks allow multiple VLANs to be aggregated into a single physical communication interface (i.e. switch port) for distribution to another switch or router via an uplink. Without VLAN trunking, each VLAN resident in a switch that needs to be distributed would require a separate uplink.

AMI security concerns

These specialized devices are essentially computing platforms and thus can be exploited. The interconnectivity of AMI deployments makes it easy to pivot from one compromised meter to others.

The principle of least route

states that a node must only possess the minimum level of network access that is required for its individual function.

VLAN vulnerabilities

susceptible to a variety of Layer 2 attacks. This includes flood attacks, which are designed to cripple Ethernet switches by filling up their MAC address table, Spanning Tree attacks, ARP Poisoning, and many more.

VLAN vulnerabilities: VLAN hopping

works by sending and receiving traffic to and from different VLANs. This can be very dangerous if VLAN switches are trunked to a Layer 3 router or other device in order to establish inter-VLAN access controls, as it essentially invalidates the benefits of the VLAN. VLAN Hopping can be performed by spoofing a switch, or by the manipulation of the 802.1Q header.

