13-06-2013
Cyber Security
Presenter
Jakob Drescher
Industry
Schneider Electric 2- Division - Name – Date
Cyber Security?
● Measures used to protect assets against computer threats.
● Covers both intentional and unintentional attacks:
  ● Malware or network traffic overloads can affect a control system.
  ● Accidental misconfiguration or well-intentioned but unauthorized control system changes.
  ● Directed attacks by internal or external threats.
● Increasing the security of the assets also increases the integrity of the production system.
Why Now?
● The rapidly changing world of technology makes computer systems more vulnerable to cyber attack.
● The increase in attacks on general IT systems and directed attacks on companies results in an increase in threats to control systems.
● Open systems have proven to be desirable and effective, but they expose a control system to greater risks.
● Governments and companies are responding with cyber security standards for control systems.
● Awareness that control systems contain valuable data, can affect the business and are vulnerable has increased the focus.
● Dedicated attacks on industrial companies are increasing.
● Researcher focus on control systems is increasing awareness and providing tools.
Security
● Security implementation is a solution and not a product
  ● People, Policies, Architectures, Products
● Security requires a multilayer or Defense in Depth (DiD) approach
  ● Security Plan, Network Separation, Perimeter Protection, Network Segmentation, Device Hardening, Monitoring & Update
● Vendor’s responsibilities
  ● Design products & solutions with security features
  ● Ensure they enable customers to comply with security standards
  ● Provide recommendations and methodologies to guide implementation
● End User’s responsibilities
  ● Define security procedures (organizational security)
  ● Mandate responsible people (personnel security)
  ● Ensure compliance with security standards
How to “Secure” a System
● Protect the perimeter
  ● Routers, Firewalls, VPN
● Segment the network
  ● DMZ between Trusted Zones
  ● Segments within Trusted Zones
● Protect the computers
  ● AntiVirus, White-listing, Access control
● Harden the controllers / devices
  ● Device security, External protection
● Monitor and React
  ● Logs, traffic monitoring, alarms
  ● Act on unauthorized events
Policies and Procedures, Staff Training, Secure Architecture
Security is a risk evaluation
● Customers and vendors should both handle security based on risk
  ● Evaluate the risks, take action on the risks above a defined level.
  ● Both systems and products can be evaluated for risk, and should be.
  ● Risks on a product can be mitigated by another component of the system
● Risk = Threat x Vulnerability x Consequence
  ● Threat: a person or event with the potential to cause a loss.
  ● Vulnerability: a weakness that can be exploited by an adversary or an accident.
  ● Consequence: the amount of loss or damage that can be expected from a successful attack.
● Mitigation: something that is done to reduce the risk,
  ● normally by reducing the vulnerability or raising the skills needed to exploit it
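The risk formula and the "act above a defined level" rule above, worked through as a small risk register. This is an added example, not code from the presentation or from Schneider Electric; the asset names, 1-5 scores, threshold and mitigation list are constructed, and the register also shows the slide's point that a mitigation on another component (a zone firewall in front of a legacy PLC) lowers the PLC's residual risk.

```python
# Added example, not from the presentation: a small risk register using the slide's
# formula Risk = Threat x Vulnerability x Consequence. Asset names, 1-5 scores,
# the threshold and the mitigation list are constructed for illustration.

THRESHOLD = 40  # act on every risk above this "defined level"

ASSETS = {  # each asset scored 1-5 for threat, vulnerability and consequence (constructed)
    "remote-access-server": {"threat": 5, "vulnerability": 4, "consequence": 4},
    "scada-hmi-pc":         {"threat": 4, "vulnerability": 4, "consequence": 5},
    "legacy-plc":           {"threat": 3, "vulnerability": 5, "consequence": 5},
    "historian-mirror":     {"threat": 3, "vulnerability": 2, "consequence": 2},
}

# A mitigation lowers the vulnerability of the assets it protects; it can sit on a
# different component than the asset (a zone firewall in front of a legacy PLC).
MITIGATIONS = {
    "zone-firewall-in-front-of-plc": {"protects": ["legacy-plc"], "vuln_reduction": 3},
    "vpn-with-two-factor": {"protects": ["remote-access-server"], "vuln_reduction": 2},
    "application-whitelisting": {"protects": ["scada-hmi-pc"], "vuln_reduction": 2},
}

def risk(asset):
    """Risk = Threat x Vulnerability x Consequence, as on the slide."""
    return asset["threat"] * asset["vulnerability"] * asset["consequence"]

def ranked(assets):
    """Asset names, highest risk first (the most exposed systems are addressed first)."""
    return sorted(assets, key=lambda name: risk(assets[name]), reverse=True)

def above_threshold(assets, threshold=THRESHOLD):
    return [name for name in ranked(assets) if risk(assets[name]) > threshold]

def apply_mitigation(assets, mitigation):
    """Return a new register with the mitigation's vulnerability reduction applied."""
    out = {name: dict(score) for name, score in assets.items()}
    for name in mitigation["protects"]:
        out[name]["vulnerability"] = max(1, out[name]["vulnerability"] - mitigation["vuln_reduction"])
    return out

def plan(assets, mitigations, threshold=THRESHOLD):
    """Greedy plan: walk the assets above threshold in risk order and apply every
    mitigation that protects them. Returns (mitigations applied, residual register)."""
    applied, current = [], assets
    for name in above_threshold(assets, threshold):
        for mname, m in mitigations.items():
            if name in m["protects"] and mname not in applied:
                applied.append(mname)
                current = apply_mitigation(current, m)
    return applied, current
```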
Address the highest risks first
● The highest cyber security risk lies in the most exposed systems:
  ● IT Systems
  ● Remote access systems
  ● PC Systems
  ● SCADA Systems
● 7 largest cyber security issues from Industrial Defender (number 1 company in industrial cyber security):
  ● Inadequate security staffing / training
  ● Insecure perimeter firewalls
  ● Insufficient patching of PCs and software
  ● Inadequate separation of corporate and plant networks
  ● Weak passwords
  ● Unnecessary 3rd party products
  ● Inadequate documentation
How to “Manage” a Secure System
● Keep the computers protected
  ● A/V protection
  ● Appl. White-listing
  ● Administer access control
● Monitor Device Hardening
  ● Device settings
  ● External devices
● Monitor traffic, log users, log events, and trap alarms
● Act when unauthorized events occur
● Patch! Patch! Patch!
(Diagram: IT, DMZ and OT zones)
The “Defence in Depth” Approach (DiD)
Schneider Electric’s Recommendation
6 key steps:
1. Security Plan
2. Network Separation
3. Perimeter Protection
4. Network Segmentation
5. Device Hardening
6. Monitoring & Update
Defense-in-Depth Step #1: Security Plan
● Define:
  ● Roles and responsibilities.
  ● Allowed activities, actions and processes.
  ● Consequences of non-compliance.
● Full network assessment:
  ● Communication paths.
  ● Audit of all devices.
  ● Security settings.
  ● Network drawings.
● Vulnerability assessment:
  ● Potential threats.
  ● Consequences.
  ● Risk assessment and mitigation.
Assessment and Design Service, Connexium Network Manager, Product Alerts
“Defence in Depth” Step #2: Network Separation
● Separate the Industrial Automation & Control System from the outside world
  ● Create a ‘buffer’ network (DMZ) between the IACS network and the rest of the world, using routers and firewalls
  ● Block inbound traffic to the IACS except through the DMZ firewall
  ● Limit outbound traffic to essential and authorized traffic only
● DMZ host for servers
  ● Vijeo Historian mirror
  ● Web servers
  ● Authentication server
  ● Remote access server
  ● Anti-virus server
Connexium Eagle 20, ETG Routers, Hirschmann Routers (Mach, Mice)
“Defence in Depth” Step #3: Perimeter Protection
● Protect the Industrial Automation & Control System perimeter using a firewall
  ● Validate packets and protocols
  ● Manage authorization of certain data packets
  ● Restrict IP address or user access via authorization and authentication
● Protect critical parts of the process with additional firewalls within the IACS
● Secure remote access
  ● Use the VPN technology of routers and firewalls
  ● Use the latest authentication and authorization technologies. They’re evolving fast.
Connexium Eagle, Connexium Tofino, ETG Gateways
“Defence in Depth” Step #4: Network Segmentation and Zones
● Create Security Zones
  ● Limit and monitor access between zones.
  ● Limits the effect of a security issue, alerts when an issue occurs.
● Use managed switches
  ● Limit access to network packets.
  ● Precisely segment the network using VLANs
  ● Limit rates of ‘multicast’ and ‘broadcast’ messages to protect from DoS type attacks
  ● Limit physical connections using port security
ConneXium Switches, Connexium Tofino Firewall
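Steps #2 to #4 together amount to a default-deny zone policy: inbound traffic reaches the plant only through DMZ hosts, outbound is limited to essential flows, and every other zone crossing is dropped. The following is an added example, not code from the presentation or a Schneider Electric product; the zone subnets, ports and allowed flows are constructed, with the DMZ host roles taken from the Step #2 slide (historian mirror, web, authentication, remote access, anti-virus server).

```python
# Added example, not part of the presentation: a default-deny zone policy covering
# Steps #2-#4. Zone subnets, ports and allowed flows are constructed; the DMZ host
# roles follow the slide (historian mirror, web, authentication, remote access, A/V).
import ipaddress

ZONES = {  # constructed addressing: one subnet per zone, two segments inside the IACS
    "corporate":         ipaddress.ip_network("10.0.0.0/16"),
    "dmz":               ipaddress.ip_network("10.1.0.0/24"),
    "plant-supervision": ipaddress.ip_network("192.168.20.0/24"),  # SCADA, HMIs, historian
    "plant-control":     ipaddress.ip_network("192.168.10.0/24"),  # PACs, remote I/O
}

# Allowed inter-zone flows as (source zone, destination zone, destination port).
# Anything not listed is dropped, so nothing reaches the plant except through the DMZ.
ALLOWED = {
    ("corporate", "dmz", 443),                    # web servers / historian mirror in the DMZ
    ("corporate", "dmz", 3389),                   # remote access server in the DMZ
    ("dmz", "plant-supervision", 3389),           # remote access server is the only way in
    ("plant-supervision", "dmz", 389),            # authentication server in the DMZ
    ("plant-supervision", "dmz", 1433),           # historian pushes to its DMZ mirror
    ("plant-supervision", "dmz", 8530),           # essential outbound only: A/V and patches
    ("plant-supervision", "plant-control", 502),  # SCADA/HMI to PACs, Modbus/TCP
}

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None  # not in any defined zone

def permitted(src_ip, dst_ip, dst_port):
    """Return (allowed, reason) for one flow under the default-deny zone policy."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return False, "address outside all defined zones"
    if src == dst:
        return True, "intra-zone traffic (controlled by VLANs and port security instead)"
    if (src, dst, dst_port) in ALLOWED:
        return True, f"explicit rule {src}->{dst}:{dst_port}"
    return False, f"no rule for {src}->{dst}:{dst_port} (default deny)"

def audit(flows):
    """Evaluate (src, dst, port) flows and return the denied ones with their reasons."""
    denied = []
    for src, dst, port in flows:
        ok, reason = permitted(src, dst, port)
        if not ok:
            denied.append((src, dst, port, reason))
    return denied
```

Running `audit` over a captured flow list (from firewall logs or a network assessment) lists every crossing the architecture does not sanction, which is the "data flows identified" check the reference architectures call for.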
“Defence in Depth” Step #5: Device Hardening
● On all devices
  ● Replace default passwords with ‘strong’ passwords
  ● Shut off unused ports, communication services and hardware interfaces
  ● Set up broadcast limiter functions
  ● Use multicast message filtering
  ● Avoid generating requests faster than the system can handle
● On PCs and HMI terminals
  ● Forbid or seriously control the use of any external memory
● On Unity Pro and Vijeo Citect
  ● Set up all security features: passwords, user profiles, operator action logging
● On ConneXium switches
  ● Restrict access on ports to assigned addresses only
● On remote I/Os
  ● Restrict access to authorized PACs only
• Vijeo Citect PCs
• Vijeo Historian PCs
• Unity Pro PACs
• Magelis HMI terminals
• ConneXium switches
• Modicon STB I/O islands
• Altivar speed drives
• Any I/O or instrument on fieldbus
“Defence in Depth” Step #6: Monitor and Update
● Monitor, Manage and Protect service
  ● 24/7 remote security monitoring
  ● Configuration monitoring
  ● Reporting for Audit Compliance
  ● Network and Host Intrusion Detection systems
● Monitor
  ● Authentication traps.
  ● Unauthorized login attempts.
  ● Unusual activity.
  ● Windows Event Viewer.
  ● Network load.
  ● Device log files.
• Monitor, Manage, Protect Service
• Citect Log Files
• Unity Pro log files
• PLC Event Viewers
• PLC Diagnostics and access lists
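Two of the items on the monitoring list, unauthorized login attempts and logins that bypass a device's access list, as a small detector over device log lines. This is an added example, not code from the presentation or from any Schneider Electric product or service; the key=value log format, device names, addresses and the authorized-station list are all constructed.

```python
# Added example, not from the presentation: a small detector over constructed device
# log lines for two items Step #6 says to monitor: repeated unauthorized login attempts
# and successful logins from addresses that are not on a device's authorized access list.
# The key=value log format, device names and addresses are all constructed.
from collections import defaultdict, deque
from datetime import datetime, timedelta

AUTHORIZED_SOURCES = {"192.168.20.10", "192.168.20.11"}  # engineering stations (constructed)
FAIL_THRESHOLD, WINDOW = 3, timedelta(minutes=5)

SAMPLE_LOG = """\
2013-06-13T10:00:01 device=plc-01 event=login result=fail user=admin src=10.0.5.7
2013-06-13T10:00:09 device=plc-01 event=login result=fail user=admin src=10.0.5.7
2013-06-13T10:00:20 device=plc-01 event=login result=fail user=admin src=10.0.5.7
2013-06-13T10:02:00 device=plc-01 event=login result=ok user=engineer src=192.168.20.10
2013-06-13T10:15:00 device=sw-03 event=login result=ok user=admin src=10.0.9.2
2013-06-13T10:30:00 device=sw-03 event=login result=fail user=root src=10.0.9.2
2013-06-13T10:31:00 device=sw-03 event=config-change user=admin src=10.0.9.2
"""

def parse(line):
    """Split 'timestamp key=value ...' into a dict with a datetime under 'ts'."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts)
    return fields

def detect(log_text):
    """Return alert strings; failures are counted per (device, source) in a sliding window."""
    alerts = []
    recent = defaultdict(deque)  # (device, src) -> timestamps of recent failed logins
    for line in log_text.splitlines():
        ev = parse(line)
        if ev.get("event") != "login":
            continue  # only login events are in scope here
        key = (ev["device"], ev["src"])
        if ev["result"] == "fail":
            q = recent[key]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > WINDOW:
                q.popleft()  # forget failures older than the window
            if len(q) == FAIL_THRESHOLD:  # fire once, when the threshold is first reached
                alerts.append(f"{ev['device']}: {FAIL_THRESHOLD} failed logins from {ev['src']} in {WINDOW}")
        elif ev["src"] not in AUTHORIZED_SOURCES:
            alerts.append(f"{ev['device']}: login by {ev['user']} from unauthorized address {ev['src']}")
    return alerts
```

The second rule is the monitoring counterpart of the Step #5 hardening item "restrict access on ports to assigned addresses only": a successful login from an unlisted address means the restriction is missing or has been bypassed.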
Defense in Depth – Why?
● Every mitigation mentioned has a weakness, a method to break through it
  ● E.g. IP address spoofing
● An attack can be launched from behind the devices
  ● Internal attacker
  ● Capture of a device already in the system
6 key steps:
1. Security Plan
2. Network Separation
3. Perimeter Protection
4. Network Segmentation
5. Device Hardening
6. Monitoring & Update
Schneider Electric’s Security Solution
● Information for Customers
  ● Web portal for guidance, vulnerabilities and information
● Secure products
  ● New products developed to industrial security standards.
  ● Legacy products protected using pre-configured security appliances.
  ● Secure Network Infrastructure.
  ● Security Certification Lab
● Secure reference architectures
  ● Secure PlantStruxure architectures validated by leading security experts.
● Assessment and Design Services
  ● Assessment Service – allowing security to be applied where it is needed most.
  ● Design Service – customizing the secure PlantStruxure architecture, creating a unique solution for each customer.
● Monitoring Services
  ● Tools and services to continually monitor a plant configuration and operation to ensure security and production are maintained.
Cyber Security Web Presence
http://www2.schneider-electric.com/sites/corporate/en/support/cybersecurity/cybersecurity.page
● White Papers
● Product Vulnerability data
  ● Vulnerability list for all products
  ● Mitigation recommendations
  ● Patches and Firmware updates
● Secure Vulnerability reporting
● Cyber Security news stories
  ● Product releases and updates
  ● Industry News
● RSS feed for vulnerability and news
Secure Products
● New products developed to industry security standards
  ● Achilles certified for robustness, ISA Secure certified for complete security.
● Legacy Products
  ● Protected using industry leading Connexium Tofino application firewalls.
  ● Low cost, industrially rated.
  ● Deep packet inspection for read-only access or fixed variable access
● Secure Network Infrastructure
  ● Connexium range of secure network infrastructure products.
  ● Includes Schneider Connexium Eagle and Tofino firewalls.
● Security certification Center
Secure Reference Architectures
● How can I … Reduce Vulnerability to Cyber Attacks.
  ● Guidelines on Industrial Control System Security.
  ● Risk Assessment, Security Planning, Recommended Architectures, Methods of Attack.
● Secure PlantStruxure architectures incorporating key security features
  ● Network Separation and server locations
  ● Perimeter Protection products and settings
  ● Network Segmentation and security zone recommendations with data flows identified.
  ● Device Hardening and Monitoring recommendations for PlantStruxure devices.
Design and Assessment Service
● Identify vulnerabilities in a customer’s system
● Quantify the risks to the system based on threats and identified vulnerabilities
● Make recommendations on
  ● Architecture
  ● Product hardening
  ● Training
  ● Processes
● Partnership with Wurldtech and SiS
  ● Leaders in security assessments
  ● Strong players in security standards
Monitor, Manage, Protect
● Monitoring and Management of Control System
  ● Devices, Protocols, Communications, User Accounts, Product/Firmware Versions, Device Settings.
  ● Host Intrusion Detection
  ● Network Intrusion Detection
● Protection of Control System
  ● Boundary and Security Zone Firewalls
  ● Application White-listing
● Compliance audit and change management
● Partnership with Industrial Defender
  ● Number 1 in Smart Grid security (Pike Research)
  ● Hardware and service offer
Summary
● Cyber Security is becoming critical for control systems.
● IT-based lessons, methods, and tools apply – with adaptation.
● A Defense-in-Depth approach is the best approach:
  ● Mitigates risk.
  ● Improves system reliability.
● Schneider Electric offers
  ● Information
  ● Assessment and Design Services
  ● Secure Products
  ● Recommended Architectures
  ● Monitor, Manage and Protect Services
Schneider Electric – PlantStruxure NOW! – PRESENTER & SESSION NOW!