Building an Industrial Security Fabric
An innovative approach to protecting the industrial environment
Fortinet, 2018-06-21 (64 pages; transcript posted 07-Jul-2020)
© Copyright Fortinet Inc. All rights reserved.

TRANSCRIPT

Page 1: Building an Industrial Security Fabric. An innovative approach to protecting the industrial environment

Page 2: Agenda
▪ ICS versus IoT
▪ Industrial Control System and IoT Attacks are on the rise
▪ Fortinet Security Fabric for IoT and Industrial Security
▪ Fortinet Fabric Alliance Partner Nozomi
▪ ICS and IoT Use Cases
▪ Q&A

Page 3: ICS versus IoT
An overview of ICS and IoT fundamentals and their evolution

Page 4: SCADA = Basis of Industrial Automation
Operational Technology (OT) is hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices, processes and events in the industrial environment.

Industrial Control Systems (ICS) play a main role in OT and include Supervisory Control and Data Acquisition (SCADA) systems and Distributed Control Systems (DCS).

Supervisory Control and Data Acquisition (SCADA) refers to a system that collects data from various sensors at a factory, plant or other remote locations and then sends this data to a central computer, which then manages and controls the data.

Page 5: Key SCADA Components
Human-Machine Interface (HMI): the component in charge of displaying process data to a human operator. The operator monitors and controls the process through the HMI.

SCADA Master: the component in charge of collecting all data from the different devices and controlling the entire process.

Remote Terminal Units (RTU): connect to sensors, convert their signals to digital data and send it to the supervisory system.

Programmable Logic Controller (PLC): used as field devices because they are more economical, versatile, flexible and configurable than special-purpose RTUs.

(Diagram labels: Valve, Fan, Pump, Operator)

Page 6: Standard SCADA Architecture
DMZ: systems that need to interact with IT systems (e.g. Remote Management Server, Historian, Antivirus, DNS, Patch Management).

Process Network: systems that need to interact with IT systems (e.g. HMI, SCADA Master, MTU, Supervisory Controller).

Control Network: systems that collect and transmit data between field devices (actuators and sensors) and supervisors (e.g. RTU, PLC).

Field Network: actuators and sensors directly connected to RTUs and PLCs by close network connections (e.g. serial cable, fiber ring, proprietary protocols).

(Diagram labels: Valve, Fan, Pump)

Page 7: Typical SCADA Components such as RTU and PLC are Vulnerable
▪ Programmable Logic Controllers (PLC) and Remote Terminal Units (RTU) are computers with limited computational resources, built to control physical components such as valves, pumps, motors, etc.
▪ They communicate with dedicated protocols that are prone to attacks:
» No identity
» Lack of authentication
» Lack of encryption
» Backdoors
» Buffer overflows

Page 8: SCADA Protocols
Different communication protocols are used in a SCADA system, encapsulating data in standard TCP/IP network packets. Usually these protocols were designed for serial communications, so they lack basic security mechanisms such as identity, authentication, encryption and integrity checks.

Protocol stack (OSI layers):
Application: SCADA protocols (e.g. Modbus, DNP3, Profinet, IEC 101/104)
Presentation: (none)
Session: (none)
Transport: TCP, UDP
Network: Internet Protocol
Data Link: Ethernet data link layer
Physical: Ethernet physical layer
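The missing-security-mechanism point above, as an added example that is not part of the Fortinet deck: a small Modbus/TCP parser plus a detection rule that flags write requests from any host not on an allow-list of SCADA masters. The IP addresses, captured frames and allow-list are constructed for the example.

```python
"""Added example (not from the Fortinet deck): parse Modbus/TCP frames and
flag write requests that do not come from an allow-listed SCADA master.

Modbus/TCP wraps the serial Modbus PDU in a 7-byte MBAP header
(transaction id, protocol id = 0, length, unit id) on TCP port 502.
Nothing in the frame identifies or authenticates the sender, so "who may
write to this PLC" has to be enforced by the network, which is the point
of the slide. All frames and addresses below are constructed."""
import struct
from dataclasses import dataclass

# Function codes that change PLC state (writes) versus read-only ones.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    address: int      # first coil/register address, -1 if not applicable
    payload: bytes    # remainder of the PDU after the function code


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse MBAP header + PDU. Raises ValueError on malformed input."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    # The MBAP length counts unit id + PDU and must match what arrived.
    if length != len(frame) - 6:
        raise ValueError(f"MBAP length {length} != {len(frame) - 6}")
    function = frame[7]
    pdu = frame[8:]
    address = -1
    if function in WRITE_FUNCTIONS or function in READ_FUNCTIONS:
        if len(pdu) < 2:
            raise ValueError("PDU too short for address field")
        address = struct.unpack(">H", pdu[:2])[0]
    return ModbusRequest(tid, unit, function, address, pdu)


def detect_unauthorized_writes(packets, allowed_masters):
    """Return alert strings for write requests from hosts outside the
    allow-list. `packets` yields (src_ip, dst_ip, frame_bytes).
    Malformed Modbus on a control network is itself worth an alert.
    Caveat: the allow-list is keyed on source IP, which is not
    authentication; it narrows what a passive monitor should flag."""
    alerts = []
    for src, dst, frame in packets:
        try:
            req = parse_modbus_tcp(frame)
        except ValueError as exc:
            alerts.append(f"MALFORMED {src}->{dst}: {exc}")
            continue
        if req.function in WRITE_FUNCTIONS and src not in allowed_masters:
            alerts.append(f"UNAUTHORIZED WRITE {src}->{dst} unit {req.unit_id} "
                          f"{WRITE_FUNCTIONS[req.function]} addr {req.address}")
    return alerts


# Constructed traffic: one SCADA master on the process network plus an
# unexpected host talking to the same PLC (10.10.2.5, unit id 1).
ALLOWED_MASTERS = {"10.10.1.10"}
SAMPLE_PACKETS = [
    # Read Holding Registers, start 0, count 10, from the legitimate master
    ("10.10.1.10", "10.10.2.5", bytes.fromhex("0001 0000 0006 01 03 0000 000a")),
    # Write Single Register 0x0010 = 0x0001 from the legitimate master
    ("10.10.1.10", "10.10.2.5", bytes.fromhex("0002 0000 0006 01 06 0010 0001")),
    # The same write from a host nobody configured as a master
    ("10.10.1.77", "10.10.2.5", bytes.fromhex("0003 0000 0006 01 06 0010 0001")),
    # Truncated frame: MBAP says 6 bytes follow, only 3 arrive
    ("10.10.1.77", "10.10.2.5", bytes.fromhex("0004 0000 0006 01 06 00")),
]

if __name__ == "__main__":
    for line in detect_unauthorized_writes(SAMPLE_PACKETS, ALLOWED_MASTERS):
        print(line)
```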

Page 9: What is a Headless IoT Device?
(Diagram only)

Page 10: What is a Headless IoT Device?
▪ Hardware based
▪ Has an IP address and MAC address
▪ No UI on the device itself (relies on a smartphone or website)
▪ No user login attached to it
▪ A device that doesn’t have an authentication mechanism
▪ Capable of accessing a network resource
▪ Cannot install security/anything on it
▪ Some will probably never be patched

Page 11: IoT Examples – the daily stuff
Ralph Lauren shirt, Mimo monitor, smart thermostats, Apple Watch, smart fridge, Google Glass, smart TV, smart phones

Page 12: IoT Examples – the serious stuff
Smart metering, windmills, power plants, SCADA systems

Page 13: IoT Security Challenges
IoT is all around us. We see it in home environments (smart home devices, smart TVs), corporate environments (printers, coffee machines, etc.) and industrial environments (tracking, metering, SCADA).

The big questions:
» What do we have to be afraid of?
» What do we need to secure?
» How do we secure it?

Page 14: IoT Security Challenges
Very fast “time to market”: no time for proper security.
Embedded developers: no knowledge about IT security.
Lots of low-cost devices: no money for security.
We are seeing the same security bugs of the last 20 years again.

Page 15: IoT Security Problems
Device memory: cleartext keys and credentials
Device physical interfaces: unprotected local CLI
Device web interface: SQL injection, buffer overrun, cross-site scripting, TLS bugs, etc.
Device firmware: hard-coded credentials and crypto keys
Device network services: unencrypted communication, bad/weak encryption, UPnP, buffer overflow
Admin interface: default credentials, weak passwords, SQL injection (again), etc.

Page 16: IoT Security Problems
Summary: most of IoT security has to be done on the devices themselves.
Result: as you don’t have any influence on that, you should treat IoT devices in your network as HOSTILE and keep them in separate zones, as much as possible.

Page 17: Industrial Control System and IoT Attacks are on the Rise
Cyber threats to industrial networks are a real and fast-growing challenge.

Page 18: Industrial Cybersecurity News Goes Mainstream
August 27th, 2014: Major cyber attack hits Norwegian oil industry. More than 50 Norwegian oil and energy companies have been hacked by unknown attackers, according to government security authorities. State-owned Statoil, Norway's largest petro company, appears to be the main target of what's described as the country's biggest ever hack attack. http://www.theregister.co.uk/2014/08/27/nowegian_oil_hack_campaign/

December 23rd, 2015: Iranian hackers claim cyber attack on New York dam. An Iranian hacktivist group has claimed responsibility for a cyber attack that gave it access to the control system for a dam in the suburbs of New York, an intrusion that one official said may be "just the tip of the iceberg". http://www.nbcnews.com/news/us-news/iranian-hackers-claim-cyber-attack-new-york-dam-n484611

January 1st, 2015: A cyberattack has caused confirmed physical damage. Hackers had struck an unnamed steel mill in Germany. They did so by manipulating and disrupting control systems to such a degree that a blast furnace could not be properly shut down, resulting in “massive”, though unspecified, damage. http://www.wired.com/2015/01/german-steel-mill-hack-destruction/

September 23rd, 2010: Stuxnet worm 'targeted high-value Iranian assets'. Stuxnet was first detected in June by a security firm based in Belarus, but may have been circulating since 2009. Unlike most viruses, the worm targets systems that are traditionally not connected to the internet for security reasons. Instead it infects Windows machines via USB keys (commonly used to move files around) infected with malware. http://www.bbc.com/news/technology-11388018

Page 19: IoT Security gone bad .. hundreds of examples…
Mirai botnet (2016): attacked cameras, DVRs, etc. and was then used for DDoS. Attack: default passwords.
Jeep hack (2015): the firmware update was not protected, so a hacker could inject their own code and then “drive by wire” ;-)
Vulnerable medical devices (2014): pacemakers and defibrillators. Attack: weak protection of data transmission between device and “mobile app”.

Page 20: IoT Security gone bad .. hundreds of examples…
https://github.com/nebgnahz/awesome-iot-hacks

Page 21: IoT Security Challenges
Don’t trust ANY of these IoT devices.

Page 22: 2009 Sayano–Shushenskaya Hydroelectric Power Station Accident
Number of units: 10
Rated power: 650 MW each
Rated discharge per unit: 358.5 m3/s
Nominal speed: 142.86 rpm
Turbine type: Francis (16 blades)
Operation date: 1978
Runner diameter: 6.77 m

Page 23: Before the Incident…
(Photo labels: Power Units, Generator floor, Air-Oil Tanks)

Page 24: Sequence of Events
1 Turbine 2’s functioning band was changed to a specific load forbidden by the manufacturer.
2 The forbidden band created an extra vibration, registered also by a seismograph.
3 The turbine cover shot up and the 920-ton rotor then shot out of its seat.
4 Water immediately flooded the engine and turbine rooms and caused a transformer explosion.
5 On 21 August 2009, a rebel group in Chechnya claimed that they were responsible for the blast.

Page 25: After the Incident…
(Photo labels: Air-Oil Tanks, Sump Tank, Floor, Crosshead - Unit 2, Unit 2, Collector Ring, Unit 1)

Page 26: The Total Impact
Casualties: 75
Damages of property and equipment: 310 million Euros
Power station reconstruction cost: 1.3 billion Euros
Power station reconstruction time: ~2 years

Page 27: How are ICS Networks Vulnerable?
STEP 1: Access the Network. Get access to the network through standard techniques such as:
▪ IT bridgeways
▪ Social engineering/phishing
▪ USB keys
▪ ICS maintenance contractors

STEP 2: Run Standard Attacks. Once the network is accessible, standard attacks can be performed using well-known toolkits.

STEP 3: Specific ICS Attacks. Run tailored attacks in order to gain control of system components, gather sensitive and critical data, and/or disrupt operations.

RESULTS: Attackers can create changes in the physical process, such as electrical, chemical, mechanical, etc.

Page 28: Recent ICS surveys tell the story as well.

Page 29: Fortinet Security Fabric for Industrial Security
Providing end-to-end segmentation for IT/OT security

Page 30: Fortinet Security Fabric from IoT to Cloud
▪ Inner Core Network Security
▪ Outer Core Security
» Access, Cloud & Endpoints
▪ Extended Security
» ATP, Email, Web & Policy
▪ Threat Intelligence
▪ Security Operations
▪ Partner Integration

(Diagram labels: Network, Secure LAN Access, Secure WLAN Access, Secure Cloud, Secure Devices, Sandboxing, Policy, Email Security, Web Security, Network & Security Operations, Threat Intelligence, Partner Integration, Automated Operations, Infrastructure)

Page 31: From IoT to Cloud
(Diagram: Fortinet form factors across the Device, Access, Network and Cloud tiers. Deployment contexts: Distributed Enterprise, Edge Segmentation, Branch, Data Center, North-South, Carrier Class, SDN/NFV, Private Cloud, IaaS/SaaS, WLAN/LAN, Rugged. Form factors: Device >1G, Appliance >5G, Appliance >30G, Appliance >300G, Chassis >Terabit, Virtual Machine (SDN/NFV), Virtual Machine (On Demand), Client (Endpoint/IoT Application Security). Platform: embedded System on a Chip, Packet and Content Processor ASIC, hardware dependent. Flow: Appliance, Virtual, Cloud. Services: Security Updates, IPS, AV, AppFW, VPN.)

Page 32: Purpose-Built Rugged Devices for Industrial Solutions
FortiGate Rugged 30D/35D/60D/90D
• Fully enclosed, fanless design, DC/AC
• Operates in extreme (-40 to 75 C) temperatures
• IEC 61850-3, IP67, IEEE 1613, Division 1 Class 2 compliant
• Integrates wireless, 3G/4G expansions, bypass modules

FortiSwitch Rugged 112D-POE/124D
• Built to IP30 standards, no fans or moving parts
• Operates in extreme (-40 to 60 C) temperatures
• FortiGate Switch Controller compatible

FortiAP 222C
• IEEE 802.11a/b/g/n/ac standards-based, and operates on both 2.4 GHz and 5 GHz spectrums
• Operates in extreme (-40 to 60 C) temperatures
• Managed by FortiGate wireless controller

Page 33: Industrial Standard and Compliance Ready
IEC-61850 describes a unified communications system design for use in electrical sub-stations. IEC-61850-3 provides guidance on the hardware requirements of equipment deployed in this demanding environment.

EMI: Unprotected devices can fail or be destroyed when exposed to high levels of electromagnetic interference.
✓ A strong electromagnetic compatibility (EMC) design is required

Thermal: A wide (-20 to +75C) operating temperature can be expected in a harsh environment.
✓ Requires an efficient heat dissipation system and self-warming

Vibration:
✓ Devices must survive being dropped from a cabinet rack mount
✓ 50G anti-shock & 5-500 MHz anti-vibration requirement is present
✓ Protective components are used to cushion the device

Page 34: IPS / Application Control for Industrial Systems
Supported Protocols
✓ BACnet
✓ DNP3
✓ Modbus
✓ EtherNet/IP
✓ IEC 60870-6 (TASE 2) / ICCP
✓ EtherCAT
✓ IEC 60870-5-104
✓ IEC 61850
✓ OPC
✓ Elcom

Supported Applications and Vendors
✓ 7T Technologies / Schneider Electric
✓ ABB
✓ Advantech
✓ Avahi
✓ Broadwin
✓ CoDeSys
✓ Cogent
✓ Control Automation
✓ Datac
✓ GE
✓ Iconics
✓ InduSoft
✓ Intellicom
✓ Measuresoft
✓ Microsys
✓ MOXA
✓ PcVue
✓ Progea
✓ Promotic
✓ RealFlex
✓ Rockwell Automation
✓ RSLogix
✓ Siemens
✓ Sunway
✓ TeeChart
✓ TwinCAT
✓ WellinTech
✓ xArrow

Page 35: Evolution of Industrial Control Systems
▪ Industry 4.0: Operational Efficiencies = Cyber Exposure
▪ Moving from proprietary to standards. IP communications.
▪ Convergence of ICS and IT infrastructure
▪ Commercial off the shelf products (COTS), IoT and Cloud
▪ B2B communications, vendor/partner access

(Timeline, with operational efficiencies and cyber exposure both rising from left to right: Isolated and Proprietary; Serial/IP connectivity, protocol standards; Networked, Process Control Network; IT and ICS convergence, COTS/Cloud (4th Generation))

Page 36: Typical ICS and IT Network Architecture
▪ HMI and RTU
▪ Air Gap
▪ IT and ICS Networks

(Diagram: Corporate LAN with Domain Controller, Business Systems and Partners/Vendors access, labelled "Industry 4.0 - Convergence"; Supervisory Control System and associated databases; Human Machine Interface (HMI); Remote Terminal Units; Sensors: Pressure, Pump/fan speed, Noise Level, Oil levels and Maintenance alarms, Radioactivity levels, Water levels, Temperature, Flow Rate)

Page 37: Breach Points Everywhere
▪ Outside threat: Black Hat
▪ Inside threat: Hard Hat
▪ Air gap breached
▪ RTU or HMI exploits
▪ DoS attack of protocols
▪ Droppers USB

Callouts on the diagram:
» Air gap breached in multiple locations allowing threats to propagate
» RTU security compromised and SCADA system vulnerable to DoS and malicious control

(Diagram: the IT/OT network architecture of Page 36: Corporate LAN, Domain Controller, Business Systems, Supervisory Control System and associated databases, HMI, Remote Terminal Units, Sensors)

Page 38: Fortinet Security Fabric for IT/OT Convergence
Prevent threats from entering with NGFW (FortiGate), Secure Email Gateway (FortiMail) and Sandbox (FortiSandbox).
(Diagram: IT/OT network architecture as on Page 36)

Page 39: Fortinet Security Fabric for IT/OT Convergence
Segregate networks, prevent malware (FortiGate) and control access (FortiAuthenticator).
(Diagram: IT/OT network architecture as on Page 36)

Page 40: Fortinet Security Fabric for IT/OT Convergence
Secure SCADA communications with hardware-accelerated VPN back to the Management HMI network (FortiGate).
(Diagram: IT/OT network architecture as on Page 36)

Page 41: Fortinet Security Fabric for IT/OT Convergence
Prevent malware propagation and non-authorized communication channels (FortiGate).
(Diagram: IT/OT network architecture as on Page 36)

Page 42: Fortinet Security Fabric Strategy
Protect web-based HMI from exploitation with Web Application Firewalling (FortiWeb).
(Diagram: IT/OT network architecture as on Page 36)

Page 43: Fortinet Security Fabric for IT/OT Convergence
Vulnerability assessment, patch management and auditing of all organizational assets (FortiClient).
(Diagram: IT/OT network architecture as on Page 36)

Page 44: Fortinet Security Fabric for IT/OT Convergence
Implement FSF (Fortinet Security Fabric) for end-to-end awareness and control across both IT and OT environments.
(Diagram: IT/OT network architecture as on Page 36)

Page 45: SCADA Partner Integration
(Diagram: Fortinet Security Fabric at the centre, with Ecosystem Alliance Partners in the categories SIEM, SDN, Endpoint, Cloud/Virtual, Management and ICS/SCADA)

Page 46: Fortinet and Nozomi Integration
A proactive approach to SCADA security

Page 47: IT/OT Convergence Creates New Security Challenges
Since OT has started to progressively adopt IT-like technologies (e.g. Windows OS or the TCP/IP protocol stack) and is being more exposed to business networks, the attack surface has increased and 'security through obscurity’ has become an outdated approach.

(Diagram: Information Technology (IT) = Business Process Automation; Operational Technology (OT) = Industrial Process Automation; IT/OT convergence brings Enhanced Performance, Cost Reduction, Scalability and Flexibility)

Page 48: … our Answer is an Active Integration between SCADAguardian and FortiGate
Behavioral Analysis: automatically learns ICS behavior and detects suspicious activities.
Deep SCADA Understanding: deep understanding of all key SCADA protocols, open and proprietary.
Unintrusive Passive Monitoring: real-time passive monitoring guarantees no performance impact and permits visibility at different layers of the Control and Process Networks.
Security Policy Enforcement: flexibility to enforce security policies with different degrees of granularity.
Active Traffic Control: proactive filtering of malicious and unauthorized network traffic.
In-line Protection: in-line separation between IT and OT environments.
Together: turn-key internal and perimeter visibility; fine tuning, control and monitoring of the firewall ruleset; proactive SCADA security.

Page 49: Fortinet/Nozomi Networks Security Architecture
Full protection, visibility and monitoring thanks to Nozomi Networks and Fortinet.
The Nozomi Networks solution passively monitors the network, thus not affecting the performance of the control system. The appliance is connected to the system via a SPAN or mirror port on a switch.
(Diagram labels: Valve, Fan, Pump)

Page 50: Responding to Threats in Real Time
1 Monitor: a threat is detected by SCADAguardian and an alert is generated.
2 Detect: user-defined policies are examined and the appropriate corresponding action is triggered.
3 Protect: FortiGate responds according to the user-configured action (Node Blocking, Link Blocking, or Kill Session) in order to mitigate the issue.
(Diagram labels: Valve, Fan, Pump; the numbers mark where each step takes place in the architecture)
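The Monitor, Detect, Protect loop above, as an added example that is not Fortinet's or Nozomi's code: a small policy engine that maps passive-monitor alerts to the three firewall actions named on the slide, with an escalation rule so that a single alert does not immediately isolate a host, and a protected-node list so the SCADA master is never cut off entirely. The alert fields, policy fields, escalation rule and sample alert stream are assumptions constructed for this example.

```python
"""Added example (not Fortinet's or Nozomi's code): the Monitor -> Detect ->
Protect loop as a small policy engine. Alerts from a passive monitor are
matched against user-defined policies; each match yields one of the three
enforcement actions the slide names for the firewall: Node Blocking, Link
Blocking or Kill Session. Alert/policy fields, the escalation rule and the
sample alerts are assumptions constructed for this example."""
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    KILL_SESSION = "kill-session"  # drop only the offending flow
    LINK_BLOCK = "link-block"      # block traffic between this src/dst pair
    NODE_BLOCK = "node-block"      # isolate the source host entirely


@dataclass(frozen=True)
class Alert:
    """What the monitor raises (step 1). Field names are assumed."""
    alert_type: str   # e.g. "unauthorized-write", "malformed", "new-node"
    severity: int     # 1 (info) .. 10 (critical), assigned by the monitor
    src: str
    dst: str
    protocol: str


@dataclass(frozen=True)
class Policy:
    """A user-defined policy (step 2): which alerts trigger which action."""
    alert_type: str
    min_severity: int
    action: Action
    # Blocking a node on a control network can stop a physical process, so
    # a policy may demand N repeated alerts from the same source before its
    # full action is applied; earlier matches only kill the session.
    escalate_after: int = 0


@dataclass
class Engine:
    policies: list
    protected_nodes: set = field(default_factory=set)  # never node-block these
    seen: dict = field(default_factory=dict)           # (type, src) -> count

    def decide(self, alert):
        """Return (Action, target) for the firewall (step 3), or None when
        no policy matches and the alert is only logged."""
        policy = next((p for p in self.policies
                       if p.alert_type == alert.alert_type
                       and alert.severity >= p.min_severity), None)
        if policy is None:
            return None
        key = (alert.alert_type, alert.src)
        self.seen[key] = self.seen.get(key, 0) + 1
        action = policy.action
        if self.seen[key] <= policy.escalate_after:
            action = Action.KILL_SESSION
        # A SCADA master or HMI must stay reachable: degrade a node block
        # to a link block so only the suspicious pair is cut.
        if action is Action.NODE_BLOCK and alert.src in self.protected_nodes:
            action = Action.LINK_BLOCK
        target = {
            Action.KILL_SESSION: f"{alert.src}->{alert.dst}/{alert.protocol}",
            Action.LINK_BLOCK: f"{alert.src}<->{alert.dst}",
            Action.NODE_BLOCK: alert.src,
        }[action]
        return action, target


def respond(alerts, policies, protected_nodes):
    """Run the whole loop over a sequence of alerts with fresh state."""
    engine = Engine(list(policies), set(protected_nodes))
    return [engine.decide(a) for a in alerts]


# Constructed configuration and alert stream.
SAMPLE_POLICIES = [
    Policy("unauthorized-write", 5, Action.NODE_BLOCK, escalate_after=2),
    Policy("malformed", 3, Action.KILL_SESSION),
    Policy("new-node", 1, Action.LINK_BLOCK),
]
PROTECTED_NODES = {"10.10.1.10"}  # the legitimate SCADA master
SAMPLE_ALERTS = [
    Alert("unauthorized-write", 7, "10.10.1.77", "10.10.2.5", "modbus"),
    Alert("unauthorized-write", 7, "10.10.1.77", "10.10.2.5", "modbus"),
    Alert("unauthorized-write", 7, "10.10.1.77", "10.10.2.5", "modbus"),
    Alert("unauthorized-write", 7, "10.10.1.10", "10.10.2.5", "modbus"),
    Alert("unauthorized-write", 7, "10.10.1.10", "10.10.2.5", "modbus"),
    Alert("unauthorized-write", 7, "10.10.1.10", "10.10.2.5", "modbus"),
    Alert("malformed", 2, "10.10.1.77", "10.10.2.5", "modbus"),
    Alert("new-node", 1, "10.10.1.99", "10.10.2.5", "dnp3"),
]

if __name__ == "__main__":
    decisions = respond(SAMPLE_ALERTS, SAMPLE_POLICIES, PROTECTED_NODES)
    for alert, decision in zip(SAMPLE_ALERTS, decisions):
        print(alert.alert_type, alert.src, "->", decision)
```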

Page 51: Fortinet Nozomi Use Case
Page 52: FW Policy (image only)
Page 53: Modbus Attack (image only)
Page 54: Nozomi Web UI (image only)
Page 55: Fortinet Security Fabric Nozomi Integration (image only)
Page 56: Fortinet Config Change Log (image only)
Page 57: FW Policy Change (image only)
Page 58: Nozomi Log (image only)

Page 59: IoT Use Case: Expanded Intelligence for Fortinet Security Fabric
▪ Device Asset Tagging & Profiling
▪ Device Auto Detection
▪ New Device Types Added
» More headless IoT device types added
▪ Server
» Identify ‘Rogue servers’ in LAN segments
» Further differentiation: Web, Mail & FTP
▪ Enhanced Visibility & Control
» IoT Device Visibility in Fabric
» FortiSIEM Auto Discovery

Page 60: IoT Device Asset Tagging in FortiView
▪ IoT device identified and tagged
▪ Custom groups to associate IoT devices

Page 61: Headless Device Auto Detection
▪ Intelligent detection of devices based on a signature database
▪ 21 device categories in the database, new devices continually added

Page 62: IoT Device Visibility in Security Fabric
IoT device visible in Fabric topology:
▪ View connectivity to security elements in the network
▪ Device configuration information
▪ Take action to allow or block communications
▪ Proactive approach to remediation

Page 63: Summary
By incorporating the particularities of ICS and IoT in our solutions, Fortinet can provide the same level of actionable security in an industrial network as it does in an enterprise network.
