
Page 1: Mitigating Security Risks in Industrial Control Systems and Smart …vox.veritas.com/legacyfs/online/veritasdata/ST B08.pdf · 2016. 7. 4. · Exfiltration function passes data to


Mitigating Security Risks in Industrial Control Systems and Smart Meter deployments A View from Symantec

Michelle Lewis Device Authentication Specialist EMEA Region

Industrial Security and Smart Grid: A View from Symantec

Tom Thomassen Senior Development Manager Office of the CTO

Page 2

SYMANTEC VISION 2012

Agenda

• Industrial Security and Smart Grid – Setting the Stage

• Industrial Security and Smart Grid – Challenges

• Targeted Threats and Advanced Persistent Threats (APT)

• Prevention

• Detection

• Conclusions

Page 3

Industrial Security and Smart Grid – Setting the Stage

Page 4

Industrial Grid: IT and Operations Architecture

Columns of the diagram: Grid Technology / Operations / Service Providers

Content – Data at Rest
• Customer billing
• Personal data / privacy
• Data retention
• Compliance
• MDM (meter) data hub

Infrastructure
• Servers
• Storage
• Gateways
• Grid IT asset management

Network/Cloud – Data in Motion
• Private & public cloud / networks
• Networks are IP based

Embedded Devices – Data in Use
• Substations: Windows XP embedded (XPe), Linux, Intel
• Meters: ARM, Flash

Electrical Grid: Generation, Transmission, Distribution, Customer

Operations Domain (diagram labels): AMI Data, Private Wireless Network, Customer, Demand Response, Public / Internet, SCADA, Private & Public Networks

Page 5

Symantec Industrial Security Solutions – ‘Four Pillars’

Pillars: Operations Security; Embed Security Close to ‘Field’; Manage Endpoints; Manage Data Explosion (the slide maps them onto the Operations Domain)

• Utilize ‘defense-in-depth’ techniques
• Leverage years of network security experience in IP world
• Encrypt information
• Authenticate devices
• Manage keys
• Managed / hosted PKI & device level certificates
• Windows-based control systems: harden and control applications running on these systems
• Manage Windows sub-station automation systems
• Securely update device firmware e.g. AMI collectors
• Securely invoke SSL services through trusted mechanisms resident on device
• Make state of the art IT security solutions ubiquitous in the operations control centers
• Utilize Common Data model: information shared among solutions to meet regulatory compliance needs

Information Governance: Compliance; Control access; Regulatory & auditing; Customer Privacy; Reporting

Information Infrastructure: Storage management; Data protection; Archiving; Legal discovery

Page 6

Industrial Security and Smart Grid – Challenges

Page 7

Industrial Security and Critical Infrastructure Threats

Page 8

Industry Challenges: Rapid Change and Increased Complexity

Diagram labels: Operational Grid, Networking, Distributed Data, Cyber Security

Cyber Security: Utilities playing catch up. National security issue – physical access not required.

Operations Complexity: Convergence of enterprise IT, TCP/IP with field operations, SCADA; Smart Meter requires new thinking

Reliability: Expectations higher for uptime and recovery

Data Explosion: 10M meters = 28 petabytes of data to manage

Privacy: Protect PII – now on the internet

Visibility and Transparency: Threats more targeted and persistent. Monitoring, risk identification and mitigation need to keep pace.

Regulation and Compliance: Existing regulations; increased focus on consumer protection

Insider Risk: Data and IP leakage

Page 9

Increased Networking

Chart: Growth in Connectivity (1959 – Today). X axis: Number of Connections (# of devices, people, services), from thousands through millions to billions. Y axis: Value of Connectivity (% of World GDP), 0.5% to 3.0%. Eras marked: Mainframe Era (1959 – 1981), Client-Server Era (1981 – 1996), Internet Era (1996 – 2007), Interaction Era (2007 – ), Internet of Things (2010 – ).

Page 10

More Threats

Chart: Changes in Threat Landscape (1959 – Today), drawn on the same axes as the connectivity chart (Number of Connections, thousands to billions; Value of Connectivity, 0.5% to 3.0% of World GDP). Eras marked: Data Corruption (1959 – 1981), Era of Discovery (1981 – 1996), Era of Fame & Glory (1996 – 2007), Era of Mass Cybercrime (2007 – ), Era of Targeted Threats Against Critical Infrastructure (2010 – ).

Page 11

Changing Threat Landscape

Newest Motivation: Political – Espionage and Sabotage

• The goal is to do damage, destruct, influence, reach political goals, or support a conventional attack.
• Highly sophisticated
• Infinite financial resource
• Well-planned and executed with unprecedented levels of control.

Page 12

Number of Targeted Attacks Increasing

Chart: average number of attacks per day (Y axis, 0 to 500) by month (X axis). Source: Symantec.cloud email scanning service. Figures for June, July, August may be subject to revision.

Page 13

Vulnerability Analysis of Energy Delivery Control Systems

Chart: share of findings by component, with values 25%, 17%, 16%, 8%, 7%, 6%, 5%, 5%, 4%, 4%, 3%. Components labelled: ICCP Services and Protocol Stack, Supervisory Control Protocol Services, SCADA Hosts, Historian Database, Supervisory Control Protocol, Control Protocol Services, Network Devices.

Source: Vulnerability Analysis of Energy Delivery Control Systems, 2011, Idaho National Laboratory, Idaho Falls, Idaho 83415, http://www.inl.gov

NSTB = National Supervisory Control and Data Acquisition (SCADA) Test Bed

Page 14

BSI – Germany – Ranking of Industrial Vulnerabilities
(The Myth of the Network Air Gap)

BSI ranking – BSI vulnerability description
1 – Non-authorized use of remote access
2 – Online attacks over the office and enterprise network
3 – Attacks against standard ICS components (application server, DB)
4 – (D)DoS attacks
5 – User and sabotage
6 – Attacks over remote devices (USB)
7 – Read and write of messages over the ICS network
8 – Unauthorized access to resources
9 – Attacks against network and network components (man-in-the-middle attack)
10 – Technical issues

Page 15

Industrial Attacks in Detail

Page 16

Targeted Threats and Advanced Persistent Threats (APT)

Page 17

Recent Attacks on Production Systems (ICS)

Timeline 2007 – 2012:
• APR 2007 – Estonia DDoS
• JUL 2010 – W32.Stuxnet
• SEP 2011 – W32.Duqu [dyü-kyü]
• MAY 2012 – W32.Flamer
• AUG 2012 – W32.Gauss
• SEP 2012 – W32.Disttrack

Page 18

Advanced Persistent Threats (APT) – the Beginning…

Page 19

Case Study: Stuxnet

Brought cyber-sabotage to the world’s attention

Key Features
• Targets very specific industrial processes associated with controls of high speed centrifuges
• Configuration of targeted systems known to attackers
• Modifications made to PLC code to change behavior of infected systems

Diagram: Control PC running Step 7 Software – Machine Code Injection – PLC

Page 20

Advanced Persistent Threats (APT) - Shamoon

Page 21

Recent Energy Industry Attacks

Page 22

What Happened?

Page 23

Two Oil Companies Attacked – 15th August, 31st August

Sources:
www.bbc.com/news/technology-19293797
www.bbc.com/news/technology-19434920

Page 24

Key Points

• Shamoon malware used in both attacks (also known as W32.Disttrack)
• Targeted attack using bespoke malware
• Malware written to run on both 64-bit and 32-bit systems

Malware modules
• Spreader function disseminates malware over network
• Exfiltration function passes data to attackers
• Wiper function erases disks of infected machines

Page 25

Infection Schema

Diagram, from ATTACKER into the Company Network:
• Unknown vector: initial point of infection
• Malware spreads via network shares, and spreads directly to other hosts
• Spreads to domain controller
• Collects information; transmits information and receives instructions through command & control over the internet
• Attacker issues commands
• At predetermined time wipes disks (wiped hosts marked X)

Page 26

Case Study: W32.Disttrack – Shamoon Attacks

Destructive attacks against energy companies

Two Middle Eastern organizations targeted in quick succession

Multi Stage Attack

• Gather information about target network

• Acquire user credentials

• Gain access to domain controllers

• Spread to computers across network

• Trigger destructive payload

Page 27

Advanced Persistent Threats: Prevention and Detection

Page 28

The Targeted Attack

New Attackers… New Targets…

• New Attacker

– State-sponsored or state-condoned attacker

– Long-term, strategic goals rather than short-term gain

• New Strategies

– The attacker uses social engineering to infiltrate the network

– Attacks targeted at properly-placed individuals with access to key systems

– Multiple attacks launched simultaneously, over prolonged periods

• New Targets

– Ultimate targets are key intellectual property and critical infrastructure

• Intellectual Property: Emails, PKI credentials, strategic plans, Schematics, process documents

• Critical infrastructure: Industrial control systems – hydro, power, manufacturing

Page 29

APT Lifecycle (Source: M-Trends, Symantec)

APT Steps
• Step 1 Reconnaissance
• Step 2 Initial intrusion into the network
• Step 3 Establish a backdoor into the network
• Step 4 Obtain user credentials
• Step 5 Install various utilities
• Step 6 Privilege escalation / lateral movement / data exfiltration
• Step 7 Maintain persistence

Activities (shown beside the steps on the slide)
• Identify multiple victims in target organization, research using public information sources
• Spear phishing
• Log in as domain administrator
• Obtain domain admin credentials
• Target domain controllers to obtain password hashes en masse
• Staging servers
• Camouflaged network traffic
• Infect 10-150 hosts
• Spread backdoors, dump passwords, etc. with valid credentials
• Attackers respond to partial cleanup

Page 30

Symantec Four Pillars

Page 31

(Slide repeated from earlier in the deck: Industrial Grid: IT and Operations Architecture.)

Page 32

(Slide repeated from earlier in the deck: Symantec Industrial Security Solutions – ‘Four Pillars’. In this version the second pillar is labelled ‘Embed Security with Data’ instead of ‘Embed Security Close to Field’.)

Page 33

At the Center of Everything ...

Source: Koramis AG

Page 34

Immediate Risk Reduction Initiatives

Domains: IT Security Policies & Procedures; Infrastructure Security; Security Operations & Management; Critical Information Protection; Device Protection

Initiatives
• Critical System Protection (CSP)
• Network Protection
• Mobile Security
• Endpoint Security
• Patch Management
• Security Monitoring
• Incident Response & Management
• Security Operations
• Threat & Vulnerability Management
• Early Warning Alerts
• Data Backup
• Data Encryption
• Data Protection
• Emergency Response
• Risk Management
• Crisis Management
• Forensics
• Governance & Compliance
• Identity & Access Management
• 2 Factor Authentication
• Device Authentication

Page 35

Prevention and Detection: SCSP – Symantec Critical System Protection

Page 36

SCSP – Real Time Exploit Prevention (IPS)

How it Works: Symantec Critical System Protection creates a “shell” around each program and daemon/service that defines acceptable behavior.

Resource categories controlled: Files, Registry, Network, Devices

Normal Resource Access
• Read/Write Data Files
• Read Only Configuration Information
• Usage of Selected Ports and Devices

Host Programs
• Interactive Programs: Email Client, Office, Browser, …
• Application Daemons: Mail, Web, …
• Core OS Daemons: crond, RPC, LPD Printer
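An added illustration of the per-program “shell” described above, written for this page and not taken from Symantec or from SCSP: each program gets a default-deny policy over data paths, read-only configuration, ports and devices, and every access request is judged against it. The program names, paths and ports are constructed samples.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Op is the kind of access a program requests.
type Op int

const (
	FileRead Op = iota
	FileWrite
	NetConnect // resource is a port, e.g. "25"
	DeviceUse  // resource is a device node, e.g. "/dev/sdb1"
)

// Shell is the behaviour policy wrapped around one program (the slide's
// "shell"). Anything not listed is denied: containment is default-deny.
type Shell struct {
	ReadWrite []string // data paths the program may read and write
	ReadOnly  []string // configuration paths it may only read
	Ports     []string // network ports it may use
	Devices   []string // device nodes it may open
}

// Decision is what the enforcement point returns and what auditing records.
type Decision struct {
	Allowed bool
	Reason  string
}

// Sandbox maps a program name to its shell.
type Sandbox map[string]Shell

// permits reports whether r is exactly an entry or lies inside an entry that names a directory.
func permits(entries []string, r string) bool {
	for _, e := range entries {
		if r == e || strings.HasPrefix(r, strings.TrimSuffix(e, "/")+"/") {
			return true
		}
	}
	return false
}

// Evaluate decides one request. Paths are cleaned first, so a request for
// "/var/spool/cron/../../../etc/passwd" is judged as "/etc/passwd".
func (s Sandbox) Evaluate(program string, op Op, resource string) Decision {
	sh, ok := s[program]
	if !ok {
		return Decision{false, "no shell defined for program: default deny"}
	}
	switch op {
	case FileRead:
		if r := path.Clean(resource); permits(sh.ReadWrite, r) || permits(sh.ReadOnly, r) {
			return Decision{true, "read within permitted paths"}
		}
		return Decision{false, "read outside permitted paths"}
	case FileWrite:
		r := path.Clean(resource)
		if permits(sh.ReadWrite, r) {
			return Decision{true, "write to data path"}
		}
		if permits(sh.ReadOnly, r) {
			return Decision{false, "write to read-only configuration"}
		}
		return Decision{false, "write outside permitted paths"}
	case NetConnect:
		if permits(sh.Ports, resource) {
			return Decision{true, "port permitted"}
		}
		return Decision{false, "port not in shell"}
	case DeviceUse:
		if permits(sh.Devices, path.Clean(resource)) {
			return Decision{true, "device permitted"}
		}
		return Decision{false, "device not in shell (e.g. removable media)"}
	}
	return Decision{false, "unknown operation"}
}

// SampleSandbox is a constructed policy for two daemons named on the slide.
func SampleSandbox() Sandbox {
	return Sandbox{
		"crond": {ReadWrite: []string{"/var/spool/cron"}, ReadOnly: []string{"/etc/crontab", "/etc/cron.d"}},
		"mail":  {ReadWrite: []string{"/var/spool/mail"}, ReadOnly: []string{"/etc/mail"}, Ports: []string{"25", "587"}},
	}
}

func main() {
	sb := SampleSandbox()
	fmt.Println(sb.Evaluate("crond", FileWrite, "/var/spool/cron/root"))
	fmt.Println(sb.Evaluate("crond", FileWrite, "/var/spool/cron/../../../etc/passwd"))
	fmt.Println(sb.Evaluate("mail", DeviceUse, "/dev/sdb1"))
}
```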

Page 37

Symantec Critical System Protection

Real-Time Visibility. Maximum Control

Capabilities: Intrusion Detection System (IDS), Intrusion Prevention System (IPS), System Hardening and Application Control

Auditing & Alerting
• Monitor logs & security events
• Consolidate & forward logs for archives and reporting
• Smart event response for quick action

Network Protection
• Limit network connectivity by application
• Restrict traffic flow inbound and outbound
• Close back doors (blocks ports)

System Controls
• Locks down configuration & settings
• Enforces security policy
• De-escalates user privileges
• Prevents removable media use

Exploit Prevention
• Restrict application & O/S behaviors
• Protect systems from buffer overflow
• Intrusion prevention for day-zero attacks
• Application control

Page 38

SCSP = Least Privilege Application Control (LPAC) … Processes

Also known as Sandboxing…

Industry Examples
• Windows UAC
• Google Chrome
• Adobe Reader X
• Android OS
• Apple
• SELinux & Others

• Based on fundamental security principles
• Highly effective against malware (known & unknown)
• Containment model limits the potential for exploitation
• Proactive, policy-based security complements AV solutions
• Applicable to all environments and applications
• Dramatically improves security posture & reduces IA costs

Page 39

SCSP – advantages against antivirus and system lockdown

• Low system impact (RAM, CPU and hard disk): a CSP agent uses 14MB on Windows and 9MB on Linux
• Low operational cost
• 24h protection; no recalculation is necessary, unlike a system lockdown approach
• No prerequisite checks are required (a system lockdown approach needs an initial check, like AV)
• Resistant against persistent methods and CA attacks
• Supports patch mitigation
• Supports (case by case) running without an antivirus solution on the device
• In most cases customers take the standard Strict Policy with additional tasks

Page 40

Correlate SCSP Events with SSIM

• Rules
– Pre-defined out-of-the-box rules
– CSP events map to EMR
– Custom rules based on CSP data
– Cross-correlate rules of different types

Page 41

Prevention and Detection: SSIM – Symantec Security Information Manager

Page 42

Symantec Information Manager

Event sources: Firewalls / VPN; Intrusion Detection Systems; Vulnerability Assessment; Network Equipment; Server and Desktop OS; Anti-Virus; Applications; Databases; User Activity Monitoring

Event types: Critical file modifications; Policy changes; Malicious IP traffic; Web traffic

Risk-based Prioritization: identified threats, known vulnerabilities and business-critical IT assets are combined to determine the threat

Event funnel
• Tens of Millions: Raw Events
• Millions: Security Relevant Events
• Hundreds: Correlated Events

Page 43

Symantec Security Information Manager

All Inclusive Solution
• Only 1 optional component
• No excessive “add-on” costs
• Single deployment supports evolving needs

Components (diagram)
• Collectors: Firewall, Intrusion Prevention, Windows Events, Syslog, Universal Collector, Other sources…
• “Optional” Intelligence Feed (GIN)
• Correlation Manager
• Manager Console
• Pre-built Queries
• LiveUpdate Service
• Log Archiving
• Infrastructure Components
• Reports and Dashboards: 150+ pre-defined reports

Page 44

APT Detection: Data Sources Used by SSIM

Phases: Infiltration – Backdoor – Lateral Movement – Data Discovery – Exfiltration

• Account and identity data to detect account compromise
• Log repeated login attempts
• Identity Access logging
• Integrate key logs (firewall, VPN, DNS, DHCP, etc.)
• Messaging Gateway detects suspect payload (exe) and alerts SIEM
• Change control information logged and compared to CMDB asset information
• IPS observes phone-home attempt, notes in log
• HIPS systems note changes to registry
• File reputation detects unknown program
• IPS detects remote service initiation
• Privilege escalation flagged by HIPS to SIEM
• Several login attempts logged for database and email systems
• Systems attacked compared against vulnerability database
• IPS flags admin login to privileged account
• DLP detects access to password file
• Database and application monitoring to detect access to critical information systems
• Data Insight and DLP log sensitive documents being encrypted and accessed by privileged users
• IP addresses of outbound connection on external data blacklist
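An added example, not taken from the slides or from SSIM, of the cross-source correlation this slide, the “Correlate SCSP Events with SSIM” slide and the event-funnel slide describe: repeated failed logins from the authentication log, a privilege escalation reported by HIPS and an outbound connection to a blacklisted address, all on one host inside a time window, yield one correlated alert, while the same events in isolation yield nothing. Host names, event kinds, timestamps and thresholds are constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Event is one record after the SIEM has mapped a raw log line (auth, HIPS,
// IPS, proxy ...) onto a common schema; the Kind values are constructed here.
type Event struct {
	Time time.Time
	Host string
	Kind string // login_failed, priv_escalation, outbound_blacklisted, ...
}

// Alert is one correlated finding on a host, spanning Start..End.
type Alert struct {
	Host       string
	Start, End time.Time
}

const window = 24 * time.Hour // all three stages must fall inside this span
const loginThreshold = 5      // failed logins that count as a credential attack

// relevant marks the kinds that survive the "security relevant" cut.
var relevant = map[string]bool{"login_failed": true, "priv_escalation": true, "outbound_blacklisted": true}

// chainOnHost walks one host's events in time order looking for repeated failed
// logins, then a HIPS privilege escalation, then an outbound connection to a
// blacklisted address, all inside window. Any single stage on its own is noise.
func chainOnHost(host string, evs []Event) (Alert, bool) {
	var failed []time.Time
	stage, start := 0, time.Time{}
	for _, e := range evs {
		switch {
		case stage == 0 && e.Kind == "login_failed":
			failed = append(failed, e.Time)
			for e.Time.Sub(failed[0]) > window { // sliding window of attempts
				failed = failed[1:]
			}
			if len(failed) >= loginThreshold {
				stage, start = 1, failed[0]
			}
		case stage == 1 && e.Kind == "priv_escalation" && e.Time.Sub(start) <= window:
			stage = 2
		case stage == 2 && e.Kind == "outbound_blacklisted" && e.Time.Sub(start) <= window:
			return Alert{host, start, e.Time}, true
		}
	}
	return Alert{}, false
}

// Correlate sorts the feed, groups it per host and applies the chain rule.
func Correlate(events []Event) []Alert {
	sorted := append([]Event(nil), events...)
	sort.SliceStable(sorted, func(i, j int) bool { return sorted[i].Time.Before(sorted[j].Time) })
	byHost := map[string][]Event{}
	for _, e := range sorted {
		byHost[e.Host] = append(byHost[e.Host], e)
	}
	var alerts []Alert
	for h, evs := range byHost {
		if a, ok := chainOnHost(h, evs); ok {
			alerts = append(alerts, a)
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].Host < alerts[j].Host })
	return alerts
}

// Funnel reports the reduction the event-funnel slide describes: raw -> relevant -> correlated.
func Funnel(events []Event) (raw, rel, cor int) {
	for _, e := range events {
		if relevant[e.Kind] {
			rel++
		}
	}
	return len(events), rel, len(Correlate(events))
}

// SampleEvents is a constructed feed: hmi-01 shows the whole chain, eng-ws-07 a
// legitimate elevation after two mistyped passwords, hist-02 only an outbound hit.
func SampleEvents() []Event {
	at := func(m int) time.Time { return time.Date(2012, 9, 3, 9, m, 0, 0, time.UTC) }
	var evs []Event
	for m := 0; m < 6; m++ {
		evs = append(evs, Event{at(m), "hmi-01", "login_failed"})
	}
	return append(evs,
		Event{at(10), "hmi-01", "web_traffic"},
		Event{at(20), "hmi-01", "priv_escalation"},
		Event{at(45), "hmi-01", "outbound_blacklisted"},
		Event{at(2), "eng-ws-07", "login_failed"},
		Event{at(3), "eng-ws-07", "login_failed"},
		Event{at(30), "eng-ws-07", "priv_escalation"},
		Event{at(50), "hist-02", "outbound_blacklisted"})
}

func main() {
	raw, rel, cor := Funnel(SampleEvents())
	fmt.Println("raw:", raw, "relevant:", rel, "correlated:", cor, "alerts:", Correlate(SampleEvents()))
}
```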

Page 45

Security Risk translated for the Business

Page 46

Prevention and Detection: Device Authentication

Page 47

Connected Devices need to be secured

Page 48

Smart Grid Domains

Device Domain: Gas, Electric, IHD, Hub / Gateways, Home Area Network (HAN), Metropolitan Area Network (MAN), Controllable Local Systems

Network Domain: Mobile / Fixed Line Network (WAN)
• GSM / GPRS / UMTS: Base Station, SGSN, GGSN
• 4G / LTE: EPC – Evolved Packet Core (S-GWY, P-GWY, MME, HSS)

Application Domain (Multi-tenant Cloud): M2M Application Platforms
Cloud characteristics: Service-based; Scalable & elastic; Shared; Self Service; Internet Technologies; Pay as you go billing

Page 49

Smart Grid Domains – challenges

(Same domain diagram as the previous slide: Device Domain, Network Domain, Application Domain.)

Challenges
• Various network bearers
• Various communication protocols
• Internet / All-IP networks
• Denial of Service attacks
• Less sophisticated devices need good network protection
• Detection of network-based attacks against the AMI/Grid

Page 50

PKI – A Renaissance

Page 51

History of PKI

• Initially discovered by GCHQ scientists in 1969

• Commercially available in 1976

PKIs have typically been used for

• Web Servers (SSL)

• Email, document and/or user encryption and authentication

• Bootstrapping secure communications protocols

• Mobile environments e.g. Code signing

51 Industrial Security and Smart Grid: A View from Symantec

Page 52

Smart Grid Eco System

Figure: smart grid ecosystem diagram (Source: NIST Framework and Roadmap for Smart Grid Interoperability Standards, Release 1.0), with the Device Manufacturer and Appliance Manufacturer roles and Smart PKI overlaid

• Large companies are typically active in multiple domains

• Markets are regulated in several countries

Page 53

Smart PKI

• Smart grid devices need to be authenticated in order to protect smart grids against attacks. As a consequence, such devices need cryptographic keys for authentication and encryption.

• PKI is best practice for large-scale key management. It is proposed to be used for smart grids [1].

• As most households will be connected to the smart grid in the future, a scalable and robust PKI supporting millions of devices is required.

• Smart Grid projects are complex.

[1] IEEE Transactions on Smart Grid: Security Technology for Smart Grid Networks

Page 54

PKI Benefits to Industrial Security and Smart Grid

• By implementing PKI in the meters themselves:

– the smart grid is secured at the communication layer,

– meters are verified to be configured correctly,

– the meters are protected against tampering,

– meters are validated for network access.

• PKIs are ideal for large-scale security deployments that require a high level of security with minimal impact on performance.

• In a PKI environment, it is essential that private keys and certificates are guarded with a reliable key management solution that protects against ever-evolving data threats.

Page 55

Smart Meter Security Design Considerations

Page 56

PKI Related Smart Grid Security Measures

Figure: network diagram with Gas / Electric meters, IHD and Controllable Local Systems on the Home Area Network (HAN), the Hub, the Metropolitan Area Network (MAN), WAN + FAN, and the Concentrator or Back-end

• Only trusted devices

• Only authenticated access through WAN, FAN, MAN and HAN to Hub

• Hub must authenticate itself to Back-end and MAN+HAN devices

• It must be possible to change the security domain of a Hub to a different utility

• Authenticated firmware updates for Hubs and Smart Meters

• Integrity of measurement data from meters needs to be protected

• Encrypted data transmission

WAN: Wide Area Network

FAN: Field Area Network

Page 57

PKI Related Smart Grid Security Measures

Security measures:

• Only trusted devices

• Only authenticated access through WAN, FAN, MAN and HAN to Hub

• Hub must authenticate itself to Back-end and MAN+HAN devices

• It must be possible to change security domain of Hub to different utility

• Authenticated firmware updates for Hubs and Smart Meters

• Integrity of measurement data from meters needs to be protected

• Encrypted data transmission

PKI mechanisms behind these measures:

• Manufacturer device certificate attesting device certification

• Operator device certificates for authenticating Hubs and other devices

• Firmware Code Signing

• Signing of metering data

• Encryption certificates
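The "signing of metering data" and "integrity of measurement data" measures above, as an added example in Go (not code from the slides or from any Symantec product): the meter signs each reading with an ECDSA P-256 key over a SHA-256 digest of a fixed encoding, and the head-end verifies the signature against the public key it holds for that device id and refuses any reading whose sequence number does not advance, so a replayed or altered record is rejected before it reaches billing. The record layout, device ids and values are constructed for the example; real AMI protocols define their own encodings. Firmware code signing uses the same sign-and-verify primitive over the image bytes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// MeterReading is a record layout constructed for this example; real AMI
// protocols define their own encodings.
type MeterReading struct {
	DeviceID  string
	Seq       uint64 // per-device counter, must increase with every reading
	Timestamp uint64 // Unix seconds
	WattHours uint64
}

// canonicalBytes gives a fixed big-endian encoding so that meter and
// head-end hash exactly the same bytes.
func (r MeterReading) canonicalBytes() []byte {
	id := []byte(r.DeviceID)
	buf := make([]byte, 2+len(id)+24)
	binary.BigEndian.PutUint16(buf[0:2], uint16(len(id)))
	copy(buf[2:], id)
	off := 2 + len(id)
	binary.BigEndian.PutUint64(buf[off:], r.Seq)
	binary.BigEndian.PutUint64(buf[off+8:], r.Timestamp)
	binary.BigEndian.PutUint64(buf[off+16:], r.WattHours)
	return buf
}

// SignReading is the meter side: ECDSA P-256 over the SHA-256 digest of the record.
func SignReading(key *ecdsa.PrivateKey, r MeterReading) ([]byte, error) {
	digest := sha256.Sum256(r.canonicalBytes())
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

var (
	ErrUnknownDevice = errors.New("unknown device id")
	ErrBadSignature  = errors.New("signature verification failed")
	ErrReplay        = errors.New("sequence number did not advance")
)

// HeadEnd holds each enrolled meter's public key (in a deployment this comes
// from the operator device certificate) and the last accepted sequence number.
type HeadEnd struct {
	keys    map[string]*ecdsa.PublicKey
	lastSeq map[string]uint64
}

func NewHeadEnd() *HeadEnd {
	return &HeadEnd{keys: map[string]*ecdsa.PublicKey{}, lastSeq: map[string]uint64{}}
}

func (h *HeadEnd) Enroll(deviceID string, pub *ecdsa.PublicKey) { h.keys[deviceID] = pub }

// Accept verifies the signature first, then the sequence number; lastSeq is
// only updated when both checks pass.
func (h *HeadEnd) Accept(r MeterReading, sig []byte) error {
	pub, ok := h.keys[r.DeviceID]
	if !ok {
		return ErrUnknownDevice
	}
	digest := sha256.Sum256(r.canonicalBytes())
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return ErrBadSignature
	}
	if r.Seq <= h.lastSeq[r.DeviceID] { // first reading must have Seq >= 1
		return ErrReplay
	}
	h.lastSeq[r.DeviceID] = r.Seq
	return nil
}

// RunReadingDemo submits four constructed readings and returns each outcome:
// genuine, tampered (value changed after signing), replayed, unknown device.
func RunReadingDemo() (genuine, tampered, replayed, unknown error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err, err, err, err
	}
	he := NewHeadEnd()
	he.Enroll("METER-0001", &key.PublicKey)
	r := MeterReading{DeviceID: "METER-0001", Seq: 1, Timestamp: 1700000000, WattHours: 12345}
	sig, err := SignReading(key, r)
	if err != nil {
		return err, err, err, err
	}
	genuine = he.Accept(r, sig)
	forged := r
	forged.Seq, forged.WattHours = 2, 1 // lowered consumption, old signature
	tampered = he.Accept(forged, sig)
	replayed = he.Accept(r, sig) // valid signature, but Seq 1 already seen
	other := r
	other.DeviceID = "METER-9999" // never enrolled
	unknown = he.Accept(other, sig)
	return
}

func main() {
	g, t, rp, u := RunReadingDemo()
	fmt.Println("genuine:", g, "| tampered:", t, "| replayed:", rp, "| unknown:", u)
}
```

The sequence check is what makes the signing "persistent" in the sense of the slides: a valid signature alone would let an old, genuine reading be resubmitted, so the head-end must also keep per-device state.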

Page 58

Certificate Purposes

Manufacturer Security Domain

• Device type attestation: attestation of device id, device type and device certification

• Firmware signing

Operator Security Domain

• Strong device authentication and authorization

• Persistent signing of meter data

• Encryption of metering data
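The manufacturer-domain attestation listed above (device id, device type, certification), as an added example in Go rather than anything from the slides or a Symantec product: a manufacturer CA issues an ECDSA/SHA-256 device certificate that carries the device id as CommonName and the device type as OrganizationalUnit, and the operator-side check accepts only certificates that chain to the trusted manufacturer root, so a certificate for the same device key issued by any other CA is refused. The CA names, device ids, the subject fields chosen to carry the attributes, and the validity periods are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// randomSerial returns a random 64-bit certificate serial number.
func randomSerial() (*big.Int, error) {
	return rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
}

// newCA creates a self-signed ECDSA P-256 CA (the name is constructed for the example).
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := randomSerial()
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
		SignatureAlgorithm:    x509.ECDSAWithSHA256,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueDeviceCert binds device id (CommonName) and device type (OrganizationalUnit)
// to the device's public key under the issuing CA. Field choice is an assumption.
func issueDeviceCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, deviceID, deviceType string, devPub *ecdsa.PublicKey) (*x509.Certificate, error) {
	serial, err := randomSerial()
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:       serial,
		Subject:            pkix.Name{CommonName: deviceID, OrganizationalUnit: []string{deviceType}},
		NotBefore:          time.Now().Add(-time.Hour),
		NotAfter:           time.Now().Add(5 * 365 * 24 * time.Hour),
		KeyUsage:           x509.KeyUsageDigitalSignature,
		ExtKeyUsage:        []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		SignatureAlgorithm: x509.ECDSAWithSHA256,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, devPub, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyDevice is the operator-side check: chain to a trusted manufacturer root,
// then read the attested device id and type out of the subject.
func verifyDevice(cert *x509.Certificate, roots *x509.CertPool) (deviceID, deviceType string, err error) {
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil {
		return "", "", err
	}
	if len(cert.Subject.OrganizationalUnit) == 0 {
		return "", "", errors.New("certificate carries no device type")
	}
	return cert.Subject.CommonName, cert.Subject.OrganizationalUnit[0], nil
}

// DemoResult summarises the two checks run by RunDeviceCertDemo.
type DemoResult struct {
	DeviceID, DeviceType string
	RogueRejected        bool
}

// RunDeviceCertDemo issues one certificate from the trusted manufacturer CA and
// one from an untrusted CA for the same device key, then verifies both.
func RunDeviceCertDemo() (DemoResult, error) {
	var res DemoResult
	mfrCA, mfrKey, err := newCA("Example Meter Manufacturer CA (constructed)")
	if err != nil {
		return res, err
	}
	rogueCA, rogueKey, err := newCA("Untrusted CA (constructed)")
	if err != nil {
		return res, err
	}
	devKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return res, err
	}
	genuine, err := issueDeviceCert(mfrCA, mfrKey, "METER-0001", "SmartMeter-E", &devKey.PublicKey)
	if err != nil {
		return res, err
	}
	rogue, err := issueDeviceCert(rogueCA, rogueKey, "METER-0001", "SmartMeter-E", &devKey.PublicKey)
	if err != nil {
		return res, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(mfrCA) // only the manufacturer root is trusted
	if res.DeviceID, res.DeviceType, err = verifyDevice(genuine, roots); err != nil {
		return res, err
	}
	_, _, err = verifyDevice(rogue, roots)
	res.RogueRejected = err != nil
	return res, nil
}

func main() {
	res, err := RunDeviceCertDemo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("accepted %s (%s); untrusted CA rejected: %v\n", res.DeviceID, res.DeviceType, res.RogueRejected)
}
```

In a deployment the trusted root pool on the operator side would hold the manufacturer roots for every approved device type, and the device type read from the certificate is what an authorization policy keys on; the private key behind the device certificate has to be kept on the device itself, since the attestation is only as strong as that key's protection.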

Page 59

Device Certificate – Project Focus

CI Plus LLP

• Content protection of premium pay TV services

• Batch issuance of manufacturer device certificates for TV sets

• Device certificates - delivered worldwide to the major TV set manufacturers - attest device identity and compliance to the CI+ security standard

• More than 60 million certificates issued in 2010.

Confidential I

• Authenticating LTE devices when accessing the backbone network

• Online (real-time) issuance of operator device certificates to LTE devices.

• Certificates are delivered to LTE devices operated by our customer.

• Device certificate attests authenticity of the LTE device.

• Specifics: SHA2; CMPv2 according to 3GPP standard

Confidential II

• Authenticating smart meters to the back-end system

• Online (real-time) issuance of operator device certificates to smart meters.

• Certificates are delivered to smart meters operated by our customer.

• Certificate attests authenticity of the smart meter device.

• Specifics: ECDSA, SHA2

Page 60

Spotlight on EMEA Utility – Device Certificates for Smart Grid

• Symantec is providing:

– A fully managed cloud-based PKI solution

– Extremely easy to manage, with portal access for Utility Admin staff

– Highly scalable – this particular solution will support in excess of 12 million smart meters

– An online solution where certificates are installed at the time of meter installation

• Device Certificates are installed in Smart Meters and Head End Communications Devices

• The solution ensures that genuine devices are the only ones on the Smart Grid network, and also ensures that any data sent from the Meters to the Head End Systems is protected and cannot be viewed, compromised or tampered with

• The certificates are installed at the time of meter installation in consumer homes. When certificates expire and new ones are issued, this is all done online with no requirement for engineer attendance

Page 61

Symantec’s Pedigree: A Proven Enterprise Approach

Figure: cross-platform (applications, browsers, devices); transparent, automated, flexible, simplified, reliable, efficient, extensible, robust and scalable

• 5.7m PKI seats loaded to accounts at Symantec last year

• >200m device certificates issued to date

• Millions more PKI seats loaded to Processing Centers and CLPs

• 11,500 secure online transactions enabled every second

Page 62

Industrial Security: Things to Consider

• Windows systems are still a significant part of any industrial operations domain

• But typical enterprise approaches must be modified

• Authentication of device identity ensures integrity & security for the device, protecting the network and the device

• Operator certificates to protect the operator

• Contractor system: was on the internet, now on a private LAN

• Testing, and pushing applications directly to the field

• USB drives … do not allow automatic execution

• Security for SCADA systems – security needs to be built in from the ground up

• Networking SCADA devices can help secure the operations domain by enabling more powerful systems for detection

Figure labels: Windows Systems Security; Certificate Management; Air gaps do not protect; SCADA Security

Page 63

Data Sharing Among Symantec Solutions

• Symantec solutions share information among compliance, data control, application control, monitoring and archiving systems. Some examples of solutions:

– Critical System Protection (CSP – application, device, file & execution control, system intrusion protection)

– SSIM (Symantec Security Incident Manager – security event correlation)

– Control Compliance Suite (CCS – compliance reporting and monitoring)

– Symantec Protection Center (SPC – security console)

– Symantec Storage Foundation HA

– Data Loss Prevention (DLP) for content-aware security policy

• For categorizing, archiving and controlling information, there is a high level of integration among Symantec solutions, including:

– Data Loss Prevention & Data Insight (critical information control and discovery)

– Enterprise Vault (archiving)

– Backup Exec (backup)

Page 64

Industrial Grid: IT and Operations Architecture

Columns: Grid Technology | Operations | Service Providers

Content (Data at Rest): Customer billing; Personal data / privacy; Data retention; Compliance; MDM (meter) data hub

Infrastructure: Servers; Storage; Gateways; Grid IT asset management

Network/Cloud (Data in Motion): Private & public cloud / networks; Networks are IP based

Embedded Devices (Data in Use): Substations: Windows XP embedded (XPe), Linux, Intel; Meters: ARM, Flash

Electrical Grid: GENERATION, TRANSMISSION, DISTRIBUTION, CUSTOMER

Operations Domain (figure labels): AMI Data; Private Wireless Network; Customer; Demand Response; Public / Internet; SCADA; Private & Public Networks

Page 65

Symantec Industrial Security Solutions – ‘Four Pillars’

Operations Security

• Utilize ‘defense-in-depth’ techniques

• Leverage years of network security experience in the IP world

Embed Security with Data

• Encrypt information

• Authenticate devices

• Manage keys

• Managed / hosted PKI & device-level certificates

Manage Endpoints

• Windows-based control systems: harden and control the applications running on these systems

• Manage Windows sub-station automation systems

• Securely update device firmware, e.g. AMI collectors

• Securely invoke SSL services through trusted mechanisms resident on the device

Manage Data Explosion

• Make state-of-the-art IT security solutions ubiquitous in the operations control centers

• Utilize a Common Data model: information shared among solutions to meet regulatory compliance needs

Information Governance: Compliance; Control access; Regulatory & auditing; Customer Privacy; Reporting

Information Infrastructure: Storage management; Data protection; Archiving; Legal discovery

Operations Domain

Page 66

Infection Recovery

Recent Oil Industry Attacks

Cycle: Prevent, Detect, Review & Improve

• Identify vulnerabilities for affected systems

• Establish data perimeter

• Stop the attackers reacting

• Stop the attack repeating

• Identify the infection & affected systems

• Stop infection spread

• Keep vital systems functioning

• Prioritise systems to restore first

• Engage, communicate with users and public

• Learn from the experience

Page 67

Prepare in Advance

Recent Oil Industry Attacks

Prepare response team now

• Include an executive who has authority to approve actions

• Include appropriate stakeholders

• Include technical experts

• Will you need external resources?

Prepare response plan

• Define policies, roles & responsibilities

• Define procedures

• How will the response plan be triggered?

• Who will do what?

Practice, practice, practice

• Paper simulations

• Live penetration testing

Page 68

Symantec helps Industrial Security challenges across various dimensions

Dimensions (left column of the slide): Compliance & Privacy; Data Deluge & Complexity; Availability; Management Security & Insider Risk

• Compliance and Privacy Protection: Control Compliance Suite, Data Loss Prevention

• Threats: Infrastructure Protection: SEP, Critical System Protection; Insider Threat: Data Loss Prevention; Field security: NAC, SEP for Embedded, MSS DeepSight, Cloud based security & Key Mgmt

• Data Growth & Complexity: Storage Foundation-HA, Command Central Storage, NetBackup, Backup Exec, Enterprise Vault, Control Compliance Suite, Data Loss Prevention, Cloud based Data Protection

• Outage Management: Symantec Security Information Manager, Symantec Workflow Engine, CMDB; SF/HA and Clustering for failover and disaster recovery

• Endpoint Management: Endpoint Management Solutions: Server Management Suite, Client Management Suite, Configuration Management Database (CMDB), LiveUpdate

Page 69

Thank you!

Copyright © 2011 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.

Tom Thomassen, Office of the CTO, [email protected]

Michelle Lewis, Device Authentication Specialist, [email protected]

Page 70

Attacks in Detail

Page 71

Example: SCADA Attacks in Production Systems (ICS)

Timeline, 1982 to 2010:

• Trans-Siberian Pipeline Explosion (1982): Trojan inserted into SCADA software that caused an explosion

• Roosevelt Dam (1994): Hacker breaks into floodgate SCADA systems

• GAZPROM (2000): Hackers gain control of Russian natural gas pipeline

• Sewage Dump (2000): Insider attack on sewage systems in Australia; dumps 1 million gallons of raw sewage

• Slammer (2003): Knocks nuclear monitoring system offline

• California Canal System (2007): Insider hacks SCADA systems

• Stuxnet Ring Runs First SCADA operations (2009): Early proof-of-concept attacks launched and detected by Symantec

• W32.Stuxnet (JUL 2010)