TRANSCRIPT
Holistic View of Industrial Control Cyber Security
A Deep Dive into Fundamentals of Industrial Control Cyber Security
© Copyright 2014 Netsecuris Inc. All rights reserved
Learning Goals
o Understanding security implications involving industrial control systems and environments
o Understanding design considerations for industrial control networks
o Understanding differences between traditional IT networks vs. industrial networks
o Understanding solutions and techniques to harden security of industrial networks
What is Industrial Control?
Industrial Control Defined
o A system that controls a process
o Industrial Control System – traditionally a general term defining several types of control systems used in industrial production
o Distributed Control System (DCS)
o Supervisory Control and Data Acquisition System (SCADA)
o Remote Terminal Units (RTU)
o Programmable Logic Controllers (PLC)
Why learn about this topic?
o Industrial controls are everywhere!
o Utilities
o Factories
o Automobiles
o Military
o Data Centers
o Appliances
o Industrial controls are being networked like traditional IT networks.
Some industrial controls that might surprise you
o Environmental controls in your data center
o Missiles launched by the military
o Assembly line controller in a factory
o SCADA systems at utilities
o Gasoline pumps at a convenience store
Distributed Control System
Basic DCS Configuration
Distributed Control System
Example of a DCS HMI Display
Distributed Control System
Functional Levels of DCS Example
SCADA
Example of a SCADA Network
SCADA
Example of an Electric SCADA Network
SCADA
Example of a SCADA HMI Display
Evolution 1
o Transition from mechanical switches or relays to Programmable Logic or Relay Logic
Programmable Logic Controllers (PLC)
Example of a PLC Panel
Programmable Logic Controllers (PLC)
Example of PLC Programming
PLC vs. RTU
o RTUs are utilized to collect data over a wide geographic area as input to SCADA.
o Such as with a network of electric substations
o PLCs are utilized in a localized fashion to control a process.
o Such as with a local area network on a factory floor
Industrial Control Evolution 2
o Transition from Standard Serial Communications (e.g. RS-232, RS-485, Async 2 wire) to higher performance non-Ethernet Fieldbus communications (e.g. BACnet MS/TP, ModBus RTU, CAN, ProfiBus, InterBus, LonWorks, SERCOS).
T-shirt Question 1
o What has been considered the first “Industrial Control” virus?
o What did it do?
Industrial Control Evolution 3
o Transition from Non-Ethernet Fieldbuses to Ethernet-based Communications (e.g. EtherCAT, Ethernet POWERLink).
Industrial Ethernet vs. Non-Ethernet Fieldbuses Advantages
o Better performance
o Greater bandwidth and larger data packages for communications with intelligent industrial devices
o Faster real-time communications and synchronization for demanding control applications
o Simple to integrate with networks that already exist in the business office environment
Industrial Ethernet vs. Non-Ethernet Fieldbuses Disadvantages
o It is collision-based and not inherently deterministic—and process controls demand real-time operation.
o Universal acceptance of Ethernet tempts users to try to do too many things that could generate security issues.
o Standard telephone-type connectors do not meet the physical demands of industrial equipment.
Impact of “Industrial Internet”
o GE reported that “enabling Internet-connected machines to communicate and operate automatically can bring substantial efficiency gains.”
o According to GE, the Industrial Internet will help eliminate hundreds of billions of dollars of wasted time and resources across critical industries.
o “The Industrial Internet has the potential to add $10 to 15 trillion U.S. dollars to the global GDP by 2030.”
Rise of Industrial Internet
o IMS Research predicts that in 2016, “Ethernet will account for over 30 percent of all new nodes installed in industrial applications.”
o Ethernet TCP/IP was estimated to account for over one-third of new Ethernet nodes installed in 2011.
o Wireless networking to grow 75% by 2017 compared to 2012.
o Fieldbus protocols still have the high ground but Industrial Ethernet adoption is on the rise.
Evolution 4
o Transition from Ethernet-based Non-TCP/IP Communications to Ethernet-based TCP/IP Communications (e.g. BACnet/I, ModBus-TCP, EtherNet-IP, PROFINET-IO).
Cyber Security Implications
Cyber Security Implications
o Cybersecurity failures have the potential to cause physical consequences.
o Cybersecurity issues can manifest as process anomalies.
o Cybersecurity is hard to manage.
o Cybersecurity threats or issues can be complex.
Cybersecurity Implication – Physical Consequences
o Electric Power Blackouts
o September 2007 cyber attack in Brazil
o 2003 Northeast blackout
o 1999 Southern Brazil blackout
o 1965 Northeast blackout
o 1979 Three Mile Island Nuclear Plant Accident
o 2000 Maroochy Shire cyber event
o 2007 Aurora Generator Test
o 2009 Stuxnet
o 2010 San Bruno natural gas pipeline explosion
Aurora Generator Test
Implications – Process Anomalies
o Actual cyber security issue vs. real process problem
o Can be difficult to distinguish a real cyber security issue from a process anomaly.
o Inadequate cyber security training for operators could lead to an attack not being recognized.
Implications – Security Management Difficulties
o Introduced latency and jitter
o Measurement of time for packets to travel between nodes.
o Variation in time between packets arriving to be processed.
o Difference in managing IT vs. OT
Implications – Complexities
o Non-typical network protocols
o Commands that cannot be blocked due to safety or production issues.
o Attackers using valid communications in invalid ways.
IT Cyber Security vs. OT Cyber Security
IT Cyber Security vs. OT Cyber Security - Performance Requirements
Source: Derived from the NIST 800-82 Standard
IT Cyber Security vs. OT Cyber Security - Availability Requirements
Source: Derived from the NIST 800-82 Standard
IT Cyber Security vs. OT Cyber Security - Risk Management Requirements
Source: Derived from the NIST 800-82 Standard
IT Cyber Security vs. OT Cyber Security - Change Management Requirements
Source: Derived from the NIST 800-82 Standard
IT Cyber Security vs. OT Cyber Security - Unintended Consequences Requirements
Source: Derived from the NIST 800-82 Standard
Survey of Specialized Communications Protocols
Modbus
o Open protocol standard
o Moves raw bits or words without placing many restrictions on vendors.
o The TCP/IP packet may look perfectly normal, but the Modbus frame could be crafted to carry malicious code.
DNP3 (Distributed Network Protocol)
o Open Standard
o Designed to be reliable but not secure.
o The header may look perfectly normal, but the data payload could be crafted to carry malicious code.
o No authentication mechanism in basic DNP3.
o Secure DNP3
OPC (Open Platform Communications)
o Based on the OLE, COM, and DCOM technologies developed by Microsoft.
o Any vulnerabilities in these technologies are carried into this protocol.
o OPC is firewall unfriendly because OPC servers dynamically assign TCP ports.
o DCOM and RPC are extremely complicated protocols that can be translated into attack surfaces for malicious actors.
o OPC is complicated to set up, so some vendors leave exposures in their products.
Cyber Security Problems and Issues
Cyber Security Problems and Issues - TCP/IP Stack and Industrial Protocols
o Problems exist due to original design and purpose for Internet.
o Poor software design
o Fragility caused by deviation from RFC
o Internet Protocol (IP version 4) (RFC 791)
o User Datagram Protocol (UDP) (RFC 768)
o Transmission Control Protocol (TCP) (RFC 793)
o Address Resolution Protocol (ARP) (RFC 826)
o Internet Control Messaging Protocol (ICMP) (RFC 792)
o Internet Group Management Protocol (IGMP) (RFC 1112 & 2236)
o IEEE 802.3 (Ethernet) as defined in RFC 894
o Protocol Complexity
o ModBus TCP adds additional fields to standard TCP (Function Codes)
o Session Manipulation
Cyber Security Problems and Issues - Lack of Strong Authentication
o Risk of compromise
o Spoofing
o Brute Force Attacks
o Session Hijacking
Cyber Security Problems and Issues - Lack of Strong Authorization Practices
o Malicious actors could gain access or perform a function that they are not entitled to perform.
Cyber Security Problems and Issues - Lack of Strong Encryption Practices
o Commands and addresses passed in clear text, which can be captured and spoofed or manipulated.
o Some encryption mandates are making it into regulations in some industries that use industrial control.
Cyber Security Problems and Issues - Programmability
o ICS devices are meant to be programmable, which makes them inherently vulnerable.
o A whole lot of Fuzzing going on.
Cyber Security Problems and Issues - Lack of Message Checksum
o Spoofing commands is easier since the checksum is generated at the Transmission Layer and not the Application Layer.
Cyber Security Problems and Issues - Accessibility
o Some protocols are meant to be used for Wide Area networks making them highly accessible and susceptible to many kinds of attacks.
Cyber Security Controls
Cyber Security Controls - Firewall
o A firewall can become a sieve.
o Not a “catch all”, “be all” security control but still a necessity.
o Protocol recognition.
o Don’t forget a secure default rule; Deny All.
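The following Python is an added example, not part of the original slides: it parses a Modbus/TCP frame (MBAP header plus function code, the "additional fields" noted under Protocol Complexity) and applies a deny-by-default, per-host function-code policy, which is the protocol recognition and Deny All default the firewall slide calls for. Host addresses, unit ids and the two sample frames are constructed values; the point it shows is that a well-formed frame from the wrong host is still a valid protocol used in an invalid way, and nothing in Modbus itself (no application checksum, no authentication) will reject it.

```python
import struct
from typing import Dict, Set, Tuple

# Modbus/TCP frame = 7-byte MBAP header + PDU.
# MBAP: transaction id (2), protocol id (2, always 0), length (2), unit id (1).
# PDU: function code (1) + data. There is no application-layer checksum or
# authentication; only the TCP checksum covers the frame.

WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}

def parse_modbus_tcp(payload: bytes) -> Tuple[int, int, int, bytes]:
    """Return (transaction id, unit id, function code, data) or raise ValueError."""
    if len(payload) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, uid, fc = struct.unpack(">HHHBB", payload[:8])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus")
    # The length field counts unit id + PDU, i.e. everything after the first 6 bytes.
    if length != len(payload) - 6:
        raise ValueError("MBAP length does not match frame size")
    return tid, uid, fc, payload[8:]

# Deny-by-default policy (constructed sample values): only listed (host, unit id)
# pairs may send the listed function codes; everything else is dropped or alerted on.
POLICY: Dict[Tuple[str, int], Set[int]] = {
    ("10.0.1.10", 1): {1, 2, 3, 4},    # HMI may only read coils/registers
    ("10.0.1.20", 1): {3, 4, 6, 16},   # engineering workstation may write registers
}

def check_frame(src_ip: str, payload: bytes) -> Tuple[str, str]:
    """Classify one Modbus/TCP request as 'allow', 'alert' or 'drop'."""
    try:
        _tid, uid, fc, _data = parse_modbus_tcp(payload)
    except ValueError as err:
        return "drop", f"malformed frame from {src_ip}: {err}"
    if fc in POLICY.get((src_ip, uid), set()):
        return "allow", f"{src_ip} -> unit {uid} function {fc}"
    # Valid protocol, invalid use: a well-formed request from a host not entitled to it.
    name = WRITE_FUNCTIONS.get(fc, f"function {fc}")
    return "alert", f"{src_ip} -> unit {uid} not permitted {name}"

# Constructed frames: a Read Holding Registers request (10 registers from 0)
# and a Write Single Coil request (coil 0x0013 forced ON), both to unit 1.
READ_REQUEST = bytes.fromhex("0001 0000 0006 01 03 0000 000a".replace(" ", ""))
WRITE_COIL = bytes.fromhex("0002 0000 0006 01 05 0013 ff00".replace(" ", ""))

if __name__ == "__main__":
    for src in ("10.0.1.10", "10.0.1.20", "10.0.9.99"):
        print(check_frame(src, READ_REQUEST), check_frame(src, WRITE_COIL))
```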
Cyber Security Controls - Intrusion Detection and Prevention
o Intrusion Prevention vs. Intrusion Detection
o Why is IPS a necessity?
o Behavior recognition
Cyber Security Controls - ICS Honeypots
o Sets a trap
o Decoy
o ICS Capable
o SCADA HoneyNet Project
o http://scadahoneynet.sourceforge.net/
Cyber Security Controls - Anti-Malware
o If you cannot install host-based anti-malware software on any particular ICS system, implement network-based anti-malware.
o Implement and configure host-based firewalls; if possible.
Cyber Security Controls - Security Information and Event Management
o Log, Log, Log!
o Real-Time or Near Real-Time Alerts
Cyber Security Recommendations
Industrial Control Network Cyber Security Recommendations
o Defend against the unknown
o Advanced Persistent Threats (APTs)
o Advanced Evasion Techniques (AETs)
o Alternative threat detection or prevention
o Situational Awareness
o Behavior Analysis and Detection
o Practice Defense in Depth
o Patch, Patch, Patch
o Whitelisting
o Collect and analyze logs
Industrial Control Network Cyber Security Recommendations
o Avoid misconceptions
o Avoid the Air Gap Myth
o “We have a firewall!”
o “We’re just a small site, we’re not a target”
Industrial Control Network Cyber Security Recommendations
o Utilize Egress Filtering
o Change Default Accounts and Passwords
o Check your IP addresses with Shodan
Shodan
o An industrial control system and network search engine.
o http://www.shodanhq.com/
Shodan
Netsecuris
o A leading Managed Security Service Provider specializing in protecting Industrial Control, Financial Services, Healthcare, and Government network environments.
o Contact Information
o Leonard Jacobs, MBA, CISSP
o President/CEO
o 952-641-1421
Questions and Answers
Thank you