CYBERSECURITY ISSUES IN THE ICS: VIEW FROM RUSSIA

Source: wps1705.international-bc-online.org/wp-content/...

Dmitry Gusev, Deputy Director General, Infotecs JSC

Joint meeting of the IBC “Information and Communication” Working Committee


Post on 16-Oct-2020


Page 2

©2017 Infotecs JSC

ABOUT US

Infotecs JSC (Information Technologies and Communication Systems)

Founded in 1989. Since 1991, registered among the first Russian joint-stock companies. 25 years of experience in the development of cryptographic and network data protection tools

A major player in the Russian market of Network security solutions: more than 1 million client software licenses and more than 60,000 server products (software, appliances) sold

A secretary company of TC 26 (Technical Committee for Standardization “Cryptography and Security Mechanisms”)

700 7

Employees Products Offices Subsidiaries Partners

3 20050

Page 3

VIPNET PRODUCTS PORTFOLIO

ViPNet

Crypto routers / VPN

Firewalls / IDS / HIDS

Threat Intelligence

Embedded Crypto Modules / SDKs

PKI and Applied Cryptography

Page 4

ATTACKS ON ICS - A MYTH OR REALITY?

Japan, Nuclear power plant

Ukraine, Energy

Germany, Steel mill

USA, Transport (Jeep Cherokee remote hacking)

Finland, Smart home

Iran, Stuxnet

Years on the slide: 2010, 2014, 2015, 2015, 2015, Nov. 2016

Page 5

YOUR ICS PROTECTED BY ISOLATED INFRASTRUCTURE?

https://www.shodan.io/

components available through non-secure industrial protocols

96%

6,3% of available components have known vulnerabilities

of all components available through Internet

200 000

Page 6

PROGRESS VS SECURITY

• Mass implementation of typical ICS

• Using the Internet as a universal data transport

• Integration of ICS with ERP and MES

• Poor updates of ICS

• Rapid development of remote monitoring and control systems

• New global concepts and visions: Industry 4.0, IIoT, Digital Factory, PLM

• Service models in industry (Industry Cloud, SECaaS)

Even one incident on critical infrastructure is enough

Page 7

REGULATORY FRAMEWORK IN RUSSIA / ICS SECURITY

GOST

FSB

FSTEC

Industry requirements

PRESIDENT/GOVERNMENT

Decree of the President of the Russian Federation No. 683 of December 31, 2015 "On the National Security Strategy of the Russian Federation"

"The Doctrine of Information Security of the Russian Federation", 12/05/2016

Authorized Bodies (Federal Security Service, Federal Service for Technical and Export Control)

FSTEC Order No. 31 of March 14, 2014 «On Approval of Requirements for Providing Information Protection in Automated Control Systems»

"Requirements for firewalls," FSTEC, 2016 (inc. industrial FW).

«The concept of the state system for detecting, preventing and eliminating the consequences of computer attacks on the information resources of the Russian Federation», December 12, 2014, FSS

FEDERAL LAW

No.256-FL "On the safety of fuel and energy facilities"

Draft federal law "On the Security of the Critical Information Infrastructure of the Russian Federation" of December 2016.

Page 8

RUSSIAN NATIONAL TECHNICAL COMMITTEE FOR STANDARDIZATION «CRYPTOGRAPHY AND SECURITY MECHANISMS» (TC 26) [ISO/IEC JTC1/SC27]

TC 26

www.tc26.ru

Sub-Committee 1: State secret cryptography

Sub-Committee 2: Cryptography for sensitive information for government organization

Sub-Committee 3: Cryptography for payment systems (National Card Payment System)

Sub-Committee 4: Mass cryptography, blockchains and IoT/IIoT

Cryptography for ICS

Page 9

INFORMATION SECURITY FOR ENTERPRISES

o Centralized management and monitoring

o Support of arbitrary communication technologies

o Support of arbitrary network topologies

o Scaling up to tens of thousands of hosts within a single protected network

o Network-level virtualization for integration of several local networks with mismatched IP addresses

o Provision of cryptographic services for customer’s application software

Page 10

TOWARDS AN INTEGRATED IS: ENTERPRISE + ICS

Page 11

ALL ABOUT PRIORITY

Enterprise solutions: Confidentiality, Integrity, Availability

ICS solutions: Availability, Integrity, Confidentiality

Page 12

TWO WAYS TO PROTECT ICS

External (overlay) tools

Built-in (embedded) tools

Page 13

ENTERPRISE AND ICS MIXED INFRASTRUCTURE

WAN

Page 14

EMBEDDED CRYPTOGRAPHY IN FIELD LEVEL OF ICS

Page 15

APPLIED CRYPTOGRAPHY FOR ICS

Data and command protection

• Integrity

• Confidentiality

• Replay attack protection

• Authenticity

• Legal relevance

Personnel authorization and authentication

• Multifactor authentication

• Secret sharing

Page 16

VIPNET INDUSTRIAL/ENTERPRISE SECURITY GATEWAY MODELS [WITH GOST CRYPTO]

Throughput figures on the slide: 55 Mbit/s, 100 Mbit/s, 1 Gbit/s, 2,7 Gbit/s, 5,5 Gbit/s

Models on the slide: HW100, HW1000, HW2000, HW50, HW5000

ViPNet Coordinator IG10: 10 Mbit/s

Page 17

ICS PROTECTION: VIPNET COORDINATOR IG10

Secured Gateway with failover function, L3 VPN with L2overIP support (up to 10 Mbps), firewall.

Industrial design (-20…+60 °C, IP30, 10…30 V DC, DIN rail)

Router (DNS, DHCP, VLAN)

Wireless interfaces (3G, LTE, Wi-Fi)

RS-232/RS-485 - Ethernet gateway, Modbus TCP to Modbus RTU bridge

Discrete I/O ports (GPIO) to connect external sensors/actuators

Page 18

VIPNET SIES CORE: FIELD LEVEL CRYPTOGRAPHY

o Hardware appliance intended for integration in / with the protected device

o Provides basic cryptographic operations in order to implement security scenarios as a simple crypto API

o Protected key management and storage

o Passive mode connection to the protected device via UART, SPI, USB, I2C technical interfaces

o Designed as an SOM module, 64x36 mm

o Industrial design and power supply: -40…+75 °C, 4…17 V DC, 0.7 W (at 5 V)

or

o A set of software crypto libraries for integration, Windows/Linux and x86, ARM, MIPS architectures (Baikal)

Slide labels: Hardware, Software

Page 19

VIPNET SIES SERVER: SCADA LEVEL CRYPTOGRAPHY

Based on the ViPNet HSM appliance (certified by the Russian Federal Security Service under Russian high security classes, like FIPS 140-2 Level 3)

Protected secret key storage and 10,000+ crypto operations per second

Backup feature

Full (PKCS#11) and simple crypto-API for integration with SCADA servers

Designed as an appliance or a virtual machine (Virtual Appliance)

Page 20

Thank you for your attention!