how vulnerable is your network to cyber-threats? presented by … · 2020-04-13 · industrial...

attendmia.com

How vulnerable is your network to cyber-threats?

Presented by Paul Nuss

Manufacturing in America │ April 2020

Unrestricted © Siemens 2020

Unrestricted

How vulnerable is your network to cyber-threats?

Presented by Paul Nuss

Manufacturing in America │ April 2020

attendmia.comUnrestricted © Siemens 2020

visit usa.siemens.com/network-security Community. Collaboration. Innovation.Unrestricted © Siemens 2020 All rights reserved.

Check with your security expert and appropriate security standard before implementation for any specific application.

Page 3 Community. Collaboration. Innovation.visit usa.siemens.com/network-security Unrestricted © Siemens 2020 All rights reserved.


How vulnerable is your industrial network to cyber-attacks?

Presentation agenda

What’s driving security?

IIoT benefits and risks

Asset protection

Productivity*

Recommended approach

Defense in Depth

People Process Technology

Partners

1

2

* Government regulations are a

significant driver in some industries

How to get started

Assessment

Standards

Segmentation

IT OT & DMZ

Remote access

Training

Evaluation questions,

examples &

recommendations

3

Not necessarily

in this order

http://www.usa.siemens.com/network-security






What's driving security? The Industrial Internet of Things (IIoT)

Benefits and the need to protect more assets

Opportunities & benefits Billions of devices are being connectedby the Internet of Things, and are the backbone of our infrastructure and economy

50.1B (2020)

IoT Inception (2009) 8.7B (2012)

11.2B (2013)

14.2B (2014)

18.2B (2015)

22.9B (2016)

28.4B (2017)

42.1B (2019)

0.5B (2003)

Connected Systems

Connected Facilities/Plant/Site

Connected Products

34.8B (2018)

Billions of Devices

… and risksExposure to malicious cyber attacks is also growing dramatically, putting our lives andthe stability of our society at risk

Blue BoxingCryptovirologyAOHell

Level Seven Crew hackDenial-of-service attacks

Cloudbleed

sl1nk SCADA hacks Meltdown/Spectre

Infineon/TPM

AT&T Hack Morris Worm Melissa Worm ILOVEYOUWannaCry

NotPetya

HeartbleedIndustroyer/Chrashoverride

Stuxnet

2000 2004 2008 2012 2016 202019961988 1992

IIoT market annual growth

at 18% through 2024*

*marketwatch.com







What's driving security?

A familiar goal: Protecting assets

Physical access

protection

Company Data:

Employee, processes,

trade secrets, IP, software

Equipment, machines,

materials, robots, AGVs

Assets requiring protection

Equipment, machines, materials, e.g. robots, AGVs

Software, applications, production and process data

Customer and or employee personal data and safety

Process documentation, programs, know how

Future plans, trade secrets, Intellectual Property (IP)

Production applications, process

documentation, know how

Personal safety

Enterprise (IT)

Production (OT)







What's driving security?

The goals are familiar, industrial security helps us achieve them

Increase plant

availability

Reduce total cost

of ownership

Benefit from better

data and IIoT









How to get started

Assessment

Standards

Segmentation

IT OT & DMZ

Remote access

Training


examples &

recommendations


Presentation agenda



Asset protection

Productivity*


Defense in Depth


Partners

1

2



3

Not necessarily

in this order







Recommended industrial security approach:

A successful strategy is multilayered

System Integrity

(Hardening, patch management)

Network

Security

Defense in depth

Security threats

demand action

Plant Security(Physical)

Check with you security expert and appropriate security standard before implementation








A successful strategy includes People, Process and Technology

People

TechnologyProcess

Training

Certifications

Experience

Hardware

Software

Services

Standards

Policies

Programs








A successful strategy includes strong partners

Understands IIoT & digitalization

Has vertical industryexpertise

Understands industrial

communication

Expertise withindustrial security

products and services

Has processes and products that are

proven and certified

In a fast-paced industry full of challenges and risk, it’s important to have a reliable, qualified and proven partner for Industrial Network Security!







Securing industrial networks or Operational Technology (OT) is

different than securing IT networks

Industrial or OT networks typically have unique data requirements compared to IT networks

Enterprise (IT)

InteroperabilityInformation based- e.g. e-mails

- Seconds delay is not

critical

Data Type

Real-time or

Mission critical- e.g. Coordination of

physical machines and

processes

- Seconds delay and even

milliseconds is critical

Data Prioritization

1. Confidentiality

2. Integrity

3. Availability

1. Safety

2. Availability

3. Integrity

4. Confidentiality

Production (OT)








Presentation agenda



Asset protection

Productivity*


Defense in Depth


Partners

1

2



How to get started

Assessment

Standards

Segmentation

IT OT & DMZ

Remote access

Training


examples &

recommendations

3

Not necessarily

in this order







How vulnerable is your industrial network to cyber-threats?

Topics to help evaluate your OT network security

Security Assessment

Secure Remote Access

Asset Discovery & Management

Security Training

Secure IT OT Collaboration

1. Have you had an industrial network (OT) security assessment?

2. Have you selected a security standard?

Asset Discovery &

Management

Secure OT /

Automation Network

Security

Training

Secure

Remote

AccessSecure IT OT

Collaboration

Secure OT / Automation Network

Security

Assessment








Industrial Network Security Assessment

Analysis & Discovery Summary

• Discuss your security goals

• Identify a security standard for the assessment

• Question & answer sessions with appropriate staff

• Review relevant documentation, configurations and processes

• Create a mutually agreed upon assessment plan









Security and Vulnerability Scan Summary

• Perform a network scan based on the

mutually agreed upon plan

• Identify and verify network communication

• OT environment scan tools may include

Wireshark, OpenVAS, NESSUS or others

depending on the assessment goals

• Scan documentation is created for the report









Examples of Siemens Industrial Network Security Assessments

Customer: U.S. Electric Utility Company

Assessment period: Two months

Methodology: The security assessment included interviews

with engineers, technicians, IT and management. The

security was evaluated for physical access. The network was

assessed with packet captures, logs, configuration files and

network scanning tools. Systems evaluated included

workstations, servers, switches, routers, firewalls, encryption

and cellular devices.

Deliverable: The assessment report (less than 100 pages)

provided a comprehensive analysis of the current security

posture and a prioritized list of recommendations.

Customer: U.S. Industrial Manufacturing Facility

Assessment period: One week

Methodology: A security assessment of network

documentation, passwords, architecture, switches, routers,

firewalls, encryption, computers, servers and other devices

was completed. Data communication was verified with

traffic analysis and network health information from all

devices was evaluated.

Deliverable: The near 50-page assessment report provided

network health results, traffic load of the network, a network

validation checklist, data communication results and

recommendations on future enhancements to further secure

the network and eliminate potential vulnerabilities.








Select a security standard

NIST SP 800-82 Rev 2 ISA / IEC 62443








Select a security standard

Examples from NIST SP 800-82 Rev 2

“The aim of network segmentation and

segregation is to minimize access to sensitive

information for those systems and people

who don’t need it while ensuring that the

organization can continue to operate effectively.”

“Network segmentation and segregation is one of the

most effective architectural concepts that an organization

can implement to protect its ICS.”










Secure OT /

Automation Network










1. Is your OT network properly segmented and segregated?

2. Is network and device access controlled and monitored (including physical access)?

3. Are non-secure and unused protocols deactivated and / or have risk mitigation measures been taken?






Network segmentation and segregation

Protect the data that keeps your operation productive

✓ Risk mitigation by dividing an OT or automation network into different

protected segments or cells

✓ Allow only the communication paths and data types needed to reach

respective segments with VLAN

✓ Implement secure protocols, availability and access control

Secure OT /

Automation Network

Layer 2/3

OT

Layer 2

OT

Layer 3

IT / OT

Enterprise

IT

Field

Devices






SC646-2C

Secure OT &

Automation Network


✓ Allow only data required for the operation to access specific network

segments with VLAN, Firewall, VPN, IPsec

✓ Protection with availability by using HRP / MRP, VRRPv3

✓ Secure protocols and NAT / NAPT

✓ Access control lists (e.g. MAC, password or RADIUS) and logging

Layer 2/3

OT

Layer 2

OT

Layer 3

IT / OT

Enterprise

IT

Field

Devices






Secure Plant

/ Physical

Secure OT &

Automation Network

Secure IT / OT

Collaboration

Asset Discovery &

ManagementProtect the data that keeps your operation productive

✓ Cell 1 is segmented (VLAN) so only essential traffic will have access

✓ Availability is achieved with HRP / MRP

✓ Secure protocols and NAT are implemented for additional security

Layer 2/3

OT

Layer 2

OT

Layer 3

IT / OT

Enterprise

IT

Field

Devices






Layer 2/3

OT

Layer 2

OT

Layer 3

IT / OT

Enterprise

IT

Field

Devices

Secure Plant

/ Physical

Secure OT &

Automation Network

Secure IT / OT

Collaboration

Asset Discovery &

Management

CP 1543-1

XC206-2SFP G

SC646-2C


✓ The Cell 1 VLAN segment has additional protection with a firewall,

VPN, IPsec

✓ Communication across the network for transparency is protected

✓ Availability protection with redundant VRRPv3, HRP / MRP

✓ Access control lists (e.g. MAC, password or RADIUS) and logging

Industrial Ethernet RJ45 Port Lock

Physical security







Security inside the automation cell

Protection against:

➢ Theft of intellectual property

➢ Unauthorized modification

➢ Unauthorized access

(approved PCs only)

➢ Manipulation

➢ Malware

➢ …

Bind to serial number of the CPU








Use of secure and non-secure protocols

FTP FTPS TFTP

OSPFv2

SNMPv3

RIPRIPv2

SNMP

HTTP HTTPS

OSPF

OSPFv3

SCPSSH /

TLS*SSL /

WPA

WPA2/AES

TELNET








Use of secure and non-secure protocols

FTP FTPS TFTPSCP

TELNET

OSPFv2SNMP

HTTP

OSPF

*TLS unencrypted mode is not secure

SSH /

RIPOSPFv3WPA

RIPv2WPA2/AES

TLS*SSL / SNMPv3

HTTPS









Secure IT / OT Collaboration

Secure IT OT

Collaboration










1. Is your OT network isolated from the IT network with firewall(s) and / or a demilitarized zone (DMZ)?

2. What type of firewall(s) are used (stateful, NGFW)?








Segmentation of the IT and OT networks

Enterprise Network Industrial Network

Core

Layer

Data Center

Distribution

Layer

Access

Layer

Server

Enterprise

NetworkInternet/

Cloud

IT OTRemote

Access

Industrial

DMZ

Industrial

DatacenterMES

SCADA

NMS

INS

Industrial

Backbone

Layer

Aggregation

Layer

Cell

Layer

• Several possible architectures with

advantages and disadvantages

• A DMZ is a commonly cited and

recommended architecture by

security standards

• “…no direct communication paths are

required from the corporate network

to the control network; each path

effectively ends in the DMZ.” - NIST

SP 800-82 Rev 2

• Let’s take a look at a recent example

where a DMZ may have helped…

Firewall(s) Firewall(s)








Segmentation of the IT and OT networks: Actual hack

February 18, 2020

• “CISA responded to a cyberattack affecting control and communication assets on the operational technology (OT) network of a natural gas

compression facility.”

• “A cyber threat actor used a Spearphishing Link to obtain initial access to the organization’s information technology (IT) network before

pivoting to its OT network.”

• “The threat actor then deployed commodity ransomware to Encrypt Data for Impact on both networks.”

• “Specific assets experiencing a Loss of Availability on the OT network included human machine interfaces (HMIs), data historians, and polling

servers. Impacted assets were no longer able to read and aggregate real-time operational data reported from low-level OT devices, resulting

in a partial Loss of View for human operators.”

• “The attack did not impact any programmable logic controllers (PLCs) and at no point did the victim lose control of operations.”

• “…the decision was made to implement a deliberate and controlled shutdown to operations.“

A malicious link led to IT network access → OT access → loss of OT network availability → shutdown for 2 days → loss of revenue

Summary:

Source: https://www.us-

cert.gov/ncas/alerts/aa20-049a

Spearphising Ransomware Attack

reported by



https://www.us-cert.gov/ncas/alerts/aa20-049a






Segmentation of the IT and OT networks: Actual hack

February 18, 2020Source: https://www.us-

cert.gov/ncas/alerts/aa20-049a

Spearphising Ransomware Attack

reported by

“The victim failed to implement robust segmentation between the IT and OT networks, which

allowed the adversary to traverse the IT-OT boundary and disable assets on both networks.”



https://www.us-cert.gov/ncas/alerts/aa20-049a








Core

Layer

Data Center

Distribution

Layer

Access

Layer

Server

Enterprise

NetworkInternet/

Cloud

IT OTRemote

Access

Industrial

DMZ

Industrial

DatacenterMES

SCADA

NMS

INS

Industrial

Backbone

Layer

Aggregation

Layer

Cell

Layer

• Robust segmentation between the IT

and OT networks” may look like this…


Example only, not a representative of actual events










Core

Layer

Data Center

Distribution

Layer

Access

Layer

Server

Enterprise

NetworkInternet/

Cloud

IT OT Industrial

DatacenterMES

SCADA

NMS

INS

Industrial

Backbone

Layer

Aggregation

Layer

Cell

Layer

• No “robust segmentation between the

IT and OT networks” may look more

like this…











Core

Layer

Data Center

Distribution

Layer

Access

Layer

Server

Enterprise

NetworkInternet/

Cloud

IT OT Industrial

DatacenterMES

SCADA

NMS

INS

Industrial

Backbone

Layer

Aggregation

Layer

Cell

Layer



like this…

• A Spearphising attack email is crafted

to look and sound just right to target a

specific individual, company, or

industry with social engineering

• Attackers may circumvent some

security by tricking users already on

the network to infect the system

John,

Here are the options for next years’

health benefits. As you know,

enrollment ends next week.

www.company.benefits.com

- HR department




http://www.company.benefits.com/








Core

Layer

Data Center

Distribution

Layer

Access

Layer

Server

Enterprise

NetworkInternet/

Cloud

IT OT Industrial

DatacenterMES

SCADA

NMS

INS

Industrial

Backbone

Layer

Aggregation

Layer

Cell

Layer



like this…








• Once clicked, that malware may gain

access to the network and infect IT

and OT if proper security is not in

place











Core

Layer

Data Center

Distribution

Layer

Access

Layer

Server

Enterprise

NetworkInternet/

Cloud

IT OTRemote

Access

Industrial

DMZ

Industrial

DatacenterMES

SCADA

NMS

INS

Industrial

Backbone

Layer

Aggregation

Layer

Cell

Layer


• With robust segmentation between

the IT and OT networks, the intrusion

may be stopped (prevented) or more

quickly known (detected)

John,

Here are the options for next years’

health benefits. As you know,

enrollment ends next week.

www.company.benefits.com

- HR department




http://www.company.benefits.com/








Core

Layer

Data Center

Distribution

Layer

Access

Layer

Server

Enterprise

NetworkInternet/

Cloud

IT OTRemote

Access

Industrial

DMZ

Industrial

DatacenterMES

SCADA

NMS

INS

Industrial

Backbone

Layer

Aggregation

Layer

Cell

Layer

• With robust segmentation between

the IT and OT networks, the intrusion

may be stopped (prevented) or more

quickly known (detected)

• Consult standards and security

experts to determine the best

approach for the specific application

• Some security technologies that may

help include Intrusion Detection

System (IDS), Deep Packet

Inspection (DPI), Intrusion Prevention

System (IPS) and Next Generation

Firewall (NGFW) among others









Technologies to help protect your network

Intrusion Detection System (IDS) is an application that monitors a network or systems for malicious activity or policy violations and is typically reported northbound to a centralized server or SIEM

IDS

Deep Packet Inspection (DPI) is a type of data processing that examines the data being sent over a network in detail, and usually takes action by blocking, re-routing, or logging it accordingly

DPI

Intrusion Prevention System (IPS) monitors a network for malicious activities such as security threats or policy violations. Identifies suspicious activity, creates logs, attempts to block or drop the activity, and finally reports it

IPS

Next Generation Fire Wall (NGFW) is a part of the third generation of firewall technology, combining a traditional firewall with other network device filtering functionalities, such as an application firewall using in-line DPI and an IPS

NGFW

Applications for complex OT requirements

101010101010101010

101010101010101010

1010101010101010

101010101010101010

101010101010101010

101010101010101010







NGFW (Next Generation Firewall)

IDS + Deep Packet Inspection (DPI)

Intrusion Detection System (IDS)

RX1400

Execution of tested / qualified 3rd party

cybersecurity software in with Siemens

RUGGEDCOM Application Processing Engine

(APE1808)

Certified PLM process

based on IEC 62443-4-1

APE1808 with RX1500

Technology security solutions

Siemens RUGGEDCOM hardware with 3rd party security software

+



visit usa.siemens.com/network-security Page 46 Community. Collaboration. Innovation.Unrestricted © Siemens 2020 All rights reserved.







Secure

Remote

Access










1. Are you using VPN and unique user authentication?

2. Is access limited to only required devices? Is access logged?








Secure remote access


Core

Layer

Data Center

Distribution

Layer

Access

Layer

Server

Enterprise

NetworkInternet/

Cloud

IT OTRemote

Access

Industrial

DMZ

Industrial

DatacenterMES

SCADA

NMS

INS

Industrial

Backbone

Layer

Aggregation

Layer

Cell

Layer

• Secure remote access requires an

entry-point into the OT network

• Like any entry-point, it’s important to

secure and authorize the pathway

• One option, especially for wired

connections, is to utilize the securely

established DMZ and configure the

appropriate configuration

• Further protection like a physical

enable / disable switch on-site can be

used









Industrial Network



Enterprise Network

Core

Layer

Data Center

Distribution

Layer

Access

Layer

Server

Enterprise

NetworkInternet/

Cloud

IT OTRemote

Access

Industrial

DMZ

Industrial

DatacenterMES

SCADA

NMS

INS

Industrial

Backbone

Layer

Aggregation

Layer

Cell

Layer



• Secure remote access should be

uniquely authenticated and logged

• Dedicated Device Access (DDA) only

allows access to specific devices by

configuration

• A physical enable / disable switch

allows local control of the connection

1100

1100

1100

Access

denied

Example of secure remote

access server On-Site

1011

1100

1100

Success!







Industrial Network



Enterprise Network

Core

Layer

Data Center

Distribution

Layer

Access

Layer

Server

Enterprise

NetworkInternet/

Cloud

IT OTRemote

Access

Industrial

DMZ

Industrial

DatacenterMES

SCADA

NMS

INS

Industrial

Backbone

Layer

Aggregation

Layer

Cell

Layer



• Secure remote access should be

uniquely authenticated and logged

• Dedicated Device Access (DDA) only

allows access to specific devices by

configuration

• A physical enable / disable switch

allows local control of the connection

1100

1100

1100

Access

denied

Example of secure remote

access server On-Site

1011Access

denied

1100

1100

Success!







Solution:

Software

• SRC Server

• SRC Client

Hardware

▪ Scalance S for hardwire connections

▪ Scalance M for mobile connections

• Key Plug (for M & S615)



SCALANCE S600 SIMATIC S7-1200

SINEMA Remote Connect – Client

VPN tunnel to SRC server

SINEMA Remote-Connect – server

Manages communication rights & connection between client and devices

Key-plug

Mobile

wireless

network

SIMATIC S7-1500

SINEMA

Remote Connect Server

/ Virtual Appliance

Internet router

Internet router

Internet

router

SCALANCE M876-4

Internet

Company network & DMZ

Remote host

network & DMZ

1011

1100

11001011








SINEMA Remote Connect Server /

Virtual Appliance can be hosted at

a remote location or on-site

Solution:

Software

• SRC Server

• SRC Client

Hardware

▪ Scalance S for hardwire connections

▪ Scalance M for mobile connections

• Key Plug (for M & S615)



SCALANCE S600 SIMATIC S7-1200

SINEMA Remote Connect – Client

VPN tunnel to SRC server

Key-plug

Mobile

wireless

network

SIMATIC S7-1500

SINEMA

Remote Connect Server

/ Virtual Appliance

Internet router

Internet router

Internet

router

SCALANCE M876-4

Internet

Company network & DMZ

1011

1100









Asset discovery and management

Asset Discovery & ManagementAsset Discovery &

Management










1. Do you have configuration management procedure and tools?

2. Is there an effective identification and authentication process?









Firewall Management

Policy based device configuration

Certificate Management

Firmware Management

Configuration File Management

Alarms / Notifications

Role Based Access Control incl. timeout

Network Access Control 802.1x (RADIUS - Server)

Receive security events (Syslog-Server)

Documentation and traceability of configuration changesSINEC NMS & SINEC INS









Security Assessment




Security Training


1. Have network users been trained on relevant security policies and procedures?

NIST SP 800-82 Rev 2:

“Awareness and Training (AT): policies and

procedures to ensure that all information system users

are given appropriate security training relative to their

usage of the system and that accurate training records

are maintained.“

“Incident Response (IR): policies and procedures

pertaining to incident response training, testing,

handling, monitoring, reporting, and support services.“

… More training guidance is available in the standard









Security Assessment




Security Training


Additional training (some free): ICS-CERT, ISA, SANS, EC-Council

Siemens network security training:

• Strengthen security knowledge to implement a security strategy

• Learn about proven security concepts, tools, implementation,

encryption, firewall, Next Generation Firewall (NGFW)

• Gain hands-on experience…➢ Creating firewalls

➢ Scanning non-secure and secure networks

➢ Enabling secure protocols, disabling non-secure protocols

➢ Implementing secure availability with VRRP

➢ Setting up and testing NAPT

➢ Segmenting at network with VLAN and firewall

➢ Creating a protected WLAN

➢ Enabling password protection and access control

➢ more…








Case study: Manufacturing facility










Core

Layer

Data Center

Distribution

Layer

Access

Layer

Server

Enterprise

NetworkInternet/

Cloud

Industrial

DatacenterMES

SCADA

NMS

INS

Industrial

Backbone

Layer

Aggregation

Layer

Cell

Layer

Diagram is not actual topology of case study facility

DMZ with

RUGGEDCOM

firewalls and

SCALANCE XR500

IT OTRemote

Access

Industrial

DMZ











Core

Layer

Data Center

Distribution

Layer

Access

Layer

Server

Enterprise

NetworkInternet/

Cloud

Industrial

DatacenterMES

SCADA

NMS

INS

Industrial

Backbone

Layer

Aggregation

Layer

Cell

Layer

Aggregation

Layer

SCALANCE

XM416-4C


IT OTRemote

Access

Industrial

DMZ











Core

Layer

Data Center

Distribution

Layer

Access

Layer

Server

Enterprise

NetworkInternet/

Cloud

Industrial

DatacenterMES

SCADA

NMS

INS

Industrial

Backbone

Layer

Aggregation

Layer

Cell

Layer

Cell layer

firewall

SCALANCE

SC636-2C with

SRC secure

remote access

capability

Cell layer

devices


IT OTRemote

Access

Industrial

DMZ









Summary

• Evaluation of the current

security status of an ICS

environment

• Risk mitigation through

implementation of

security measures for

reactive protection

• Monitor to detect

indicators of compromise

• Manage to keep security

up-to-date

• React fast upon security

relevant threats








More information available!

Videos

White papers,

articles, brochures

Case studies

New website!

Free consultation offer

at website!

familiar categories to

this presentation to

follow-along







Thank you for your attention

Questions?

Paul Nuss

Industrial Networking and Security Product Marketing Manager

Norcross, GA

E-mail: [email protected]



how vulnerable is your network to cyber-threats? presented by … · 2020-04-13 · industrial...

Documents