Process Control Networks Secure Architecture Design
Instructor
Chee Ban Ngai, Industrial IT Solutions Leader, Asia Pacific
Chee Ban leads Honeywell's Industrial IT Solutions in Asia Pacific. For over 18 years he has provided consulting expertise in the oil & gas and corporate IT sectors, focusing on cyber security, remote services and information risk management. He graduated from Nanyang Technological University in mechanical engineering and also received his master's in software engineering from the National University of Singapore. A mechanical engineer by training, he was with a risk management consultancy in Singapore and headed IT security offices at Malayan Banking and PETRONAS before joining Honeywell.
Chee Ban holds the Certified Information Systems Security Professional (CISSP) and Certified Information Systems Auditor (CISA) certifications and is based in Kuala Lumpur.
ISACA
Agenda
• Defining Secure Network Architecture
– Why a secure network architecture
– Who needs a secure network architecture
• What is a Secure Network Architecture
– Defense in depth
– Layers of security
– ISA-95 4-Levels
• IEC 62443 (ISA 99) on Secure Process Control Network Architecture
– Zone and Conduit Models
– Security levels
• Questions & Answers
Stuxnet: The attack that changed the ICS's perspective about cyber security
The Executive Director of ENISA, Dr Udo Helmbrecht, comments:
"Stuxnet is really a paradigm shift, as Stuxnet is a new class and dimension of malware. Not only for its complexity and sophistication, e.g. by the combination of exploiting four different vulnerabilities in Windows, and by using two stolen certificates, and from there attacking complex Siemens SCADA systems. The attackers have invested a substantial amount of time and money to build such a complex attack tool. The fact that perpetrators activated such an attack tool can be considered as the "first strike", i.e. one of the first organized, well-prepared attacks against major industrial resources. This has tremendous effect on how to protect national (CIIP) in the future. After Stuxnet, the currently prevailing philosophies on CIIP will have to be reconsidered. They should be developed to withstand these new types of sophisticated attack methods. Now that Stuxnet and its implemented principles have become public, we may see more of these kinds of attacks. All security actors will thus have to be working more closely together and develop better and more coordinated strategies," Dr Helmbrecht concludes.
Why A Secure Network Architecture
• "Open" Systems
• Targeted Attacks
• Skill/Resource Limitations
• Compliance and Regulation
Who Needs A Secure Network Architecture
• Critical Infrastructure
• Regulated Industries
• Manufacturing
• Businesses that depend on Process Systems
How do you know if your Network Architecture is secure?
Industrial Control Systems (ICS/SCADA) saw more than a sixfold increase in published vulnerabilities from 2010 to 2012 (NSS Labs, Inc., 2013 Vulnerability Threat Trends).
Layered Approach to Process Network Security
• Physical Access Control
• Secure Network Architecture
• Monitoring & Interception
• Application Layer Security
• Redundancy
Secure Network Architecture Design
Defense in depth
A defense-in-depth approach provides layers of security to protect critical assets:
• Multiple protection mechanisms
• Layers of protection
• Resilient to attack
Typical PCS Network Topology
[Figure: reference PCN topology drawn as five bands, Level 4 (business network) at the top, then Level 3.5 DMZ, Level 3, Level 2 and Level 1. A Firewall sits between Level 4 and the DMZ; Routers (optional HSRP pair) and Qualified Cisco Switches connect the levels inside the PCN. Nodes shown: Enterprise Switch, Router, Firewall, Terminal Server, Patch Mgmt Server, Anti Virus Server, eServer, PHD Shadow Server, Domain Controller, PHD Server, Experion Server, ESF, EAS, 3rd Party App Subsystem Interface, ESC, EST, ACE, ESVT, Safety Manager.]
Comm flow (as labelled on the figure):
– L1 to L1
– Limited L2 to L1
– L2 to L2
– Limited L2 to L3
– L3 to L3
– Very limited L2 to L3.5
– Very limited L3 to L3.5
– Limited L3.5 to L3.5
– Very limited L3.5 to L4
– L4 to L4
– No direct communications between L4 & L3 or L2
– No communications between L1 & L3 or L4
ISA-95: 4-Level Security
– Level 1 - Controllers and real-time control.
– Level 2 - Servers, Operator Stations and supervisory control.
– Level 3 - Historians and Advanced Control, and other Level 2 areas or units.
– Level 3.5 - DMZ accessed from both the Business Network and the PCN. (ISA-95 itself defines Levels 0 to 4; "3.5" is the common name for the DMZ inserted between Level 3 and Level 4.)
– Level 4 - The business network, with clients for Historians or Advanced Control applications.
– Levels 3 and 3.5 use standard open-systems Ethernet technology; Level 4 uses standard open-systems LAN technology.
Level 4 - Business Network
– Is the business network with clients for Historians or Advanced Control applications.
– Untrusted Network
– Separated by a firewall
– No direct connection to Level 3 or below
– Managed by Business IT department
– Level 4 utilizes standard open systems LAN technology.
Level 3.5 – Demilitarized Zone (DMZ)
– Is commonly called the DMZ
– Typical nodes: WSUS, Anti-Virus Server, Terminal Server, etc.
– Provides connectivity for devices that are to be accessed from both the Business Network and the PCN.
– Security zone between the PCN and outside networks
– Can be redundant, but not FTE (Fault Tolerant Ethernet) capable
Level 3 – Advanced Control
– Connections for Historians and Advanced Control
– Routing
– Access list control
– Connects other Level 2 areas or units
– Can be redundant, but not FTE capable
– HSRP (Hot Standby Router Protocol) for router redundancy
Level 2 – Supervisory Control
– Connections for Servers and Operator Stations
– Supervisory control
– Connection to Level 1
– Protection for Level 1 with access lists
– FTE capable
Level 1 – Process Control
– Controllers and real time control
– Controllers and Console Stations.
– FTE Bridge (FTEB) or C300
– Protected by all other levels
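The comm-flow labels on the topology figure are a policy, and a policy can be checked. The following is an added example (not Honeywell's code and not from this deck): it encodes the level-to-level flow labels from the figure and audits a list of constructed, vendor-neutral firewall rules against them. The Rule format, the sample rules and the deny-by-default treatment of pairs the figure does not label (L1 and L3.5) are assumptions for illustration.

```python
"""Check proposed firewall rules against the PCN level-to-level flow policy.

Added example (not Honeywell's or this deck's code). The policy labels are
the ones drawn on the topology figure; the Rule format and SAMPLE_RULES are
constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

LEVELS = ("L1", "L2", "L3", "L3.5", "L4")

# Flow label for each pair of levels (unordered: the figure labels the link,
# not a direction). Same-level traffic is allowed, except L3.5 to L3.5 which
# the figure marks as limited.
_FLOW_LABELS: Dict[FrozenSet[str], str] = {
    frozenset({"L1"}): "allowed",
    frozenset({"L2"}): "allowed",
    frozenset({"L3"}): "allowed",
    frozenset({"L3.5"}): "limited",
    frozenset({"L4"}): "allowed",
    frozenset({"L1", "L2"}): "limited",
    frozenset({"L2", "L3"}): "limited",
    frozenset({"L2", "L3.5"}): "very limited",
    frozenset({"L3", "L3.5"}): "very limited",
    frozenset({"L3.5", "L4"}): "very limited",
    # "No direct communications between L4 & L3 or L2",
    # "No communications between L1 & L3 or L4".
    frozenset({"L4", "L3"}): "none",
    frozenset({"L4", "L2"}): "none",
    frozenset({"L1", "L3"}): "none",
    frozenset({"L1", "L4"}): "none",
}


def flow_policy(src: str, dst: str) -> str:
    """Policy label for traffic between two levels. Pairs the figure does not
    label (L1 and L3.5) are treated as prohibited: deny by default (assumption)."""
    for lvl in (src, dst):
        if lvl not in LEVELS:
            raise ValueError(f"unknown level: {lvl!r}")
    return _FLOW_LABELS.get(frozenset({src, dst}), "none")


@dataclass(frozen=True)
class Rule:
    """Constructed, vendor-neutral rule: which level may reach which level on
    which service, and whether it is pinned to named hosts rather than subnets."""
    src_level: str
    dst_level: str
    service: str
    host_specific: bool


def audit_rules(rules: List[Rule]) -> List[Tuple[Rule, str]]:
    """Return (rule, reason) for every rule that contradicts the policy:
    any rule on a 'none' conduit, and any subnet-wide (not host-specific)
    rule on a 'limited' or 'very limited' conduit."""
    findings: List[Tuple[Rule, str]] = []
    for r in rules:
        policy = flow_policy(r.src_level, r.dst_level)
        if policy == "none":
            findings.append((r, f"{r.src_level}->{r.dst_level} traffic is prohibited"))
        elif policy != "allowed" and not r.host_specific:
            findings.append((r, f"{r.src_level}->{r.dst_level} is {policy}; "
                                "rule must name specific hosts and services"))
    return findings


# Constructed sample rule set, in the order a reviewer might receive it.
SAMPLE_RULES: List[Rule] = [
    Rule("L4", "L3.5", "https", True),        # business client to DMZ eServer: very limited, pinned: fine
    Rule("L3", "L3.5", "phd-shadow", True),   # L3 PHD to DMZ PHD Shadow Server: very limited, pinned: fine
    Rule("L4", "L3", "rdp", True),            # business network straight into Level 3: prohibited
    Rule("L3", "L2", "any", False),           # whole-subnet any/any across a limited conduit: too broad
    Rule("L2", "L1", "control", True),        # operator stations to controllers: limited, pinned: fine
    Rule("L1", "L3.5", "http", True),         # controller to DMZ: not on the figure, denied by default
]


if __name__ == "__main__":
    for rule, reason in audit_rules(SAMPLE_RULES):
        print(f"VIOLATION {rule.src_level}->{rule.dst_level} ({rule.service}): {reason}")
```

Running it flags three of the six sample rules: the direct L4 to L3 rule, the any/any L3 to L2 rule, and the unlabelled L1 to L3.5 rule. Treating unlabelled pairs as prohibited is the same "deny by default, allow by exception" posture that zone boundary protection expects; a real rule base would also carry the service and host allowlist per conduit.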
IEC 62443 / ISA 99 – Key References
• IEC 62443-3-2 - SL, zones & conduits
• IEC 62443-3-3 - Security Requirements
• IEC 62443-2-2 - Non-technical controls
Security Levels (SL)
• SL 1 – PROTECTION AGAINST CASUAL OR COINCIDENTAL VIOLATION (e.g. changing a setpoint to a value outside engineering-defined conditions, interception of a password sent over the network in clear text).
• SL 2 – PROTECTION AGAINST INTENTIONAL VIOLATION USING SIMPLE MEANS (e.g. virus infection, exploiting commonly known vulnerabilities of DMZ hosts).
• SL 3 – PROTECTION AGAINST INTENTIONAL VIOLATION USING SOPHISTICATED MEANS (e.g. exploits in operating systems or protocols, password cracking; the attacker requires advanced security knowledge, advanced domain knowledge and advanced knowledge of the target system).
• SL 4 – PROTECTION AGAINST INTENTIONAL VIOLATION USING SOPHISTICATED MEANS WITH EXTENDED RESOURCES (similar to SL 3, but the attacker now has extended resources at their disposal; e.g. the Stuxnet attack).
SL 3 – PROTECTION AGAINST INTENTIONAL VIOLATION USING SOPHISTICATED MEANS – Case Example
Online Shopping Portal – Unauthorized Pricing Alteration
– In a penetration test, this online shopping portal was found to have a "form-field manipulation" security weakness: price fields posted by the browser were accepted by the server.
– With a legitimate online account login, the tester purported to buy an item whose unit price was $449.00.
– The tester proceeded to "buy" 5 units and placed them in the online shopping cart for $2,245.
– The tester exploited the vulnerability by altering the posted unit price from $449 to $1.00.
– The tester successfully changed the total payable amount from $2,245 to $1.00.
– The online shopping portal was successfully hacked.
Impact:
– Application compromised.
– Immediate financial loss.
– Shopping portal reputation at stake.
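The root cause in the case above is that the server prices the order from fields that came from the client. As an added example (not the tested portal's code), the following contrasts a checkout handler that trusts the posted unit price and total with one that takes the price from a server-side catalogue, validates the quantity and recomputes the total. The catalogue, the SKU and the two form submissions are constructed to mirror the case figures.

```python
"""Form-field (price) manipulation: a checkout that trusts client-posted
money fields next to one that does not.

Added example, not the tested portal's code. CATALOGUE, the SKU and the
form dictionaries are constructed to mirror the case: $449.00 unit price,
5 units, $2,245 total, tampered down to $1.00.
"""
from decimal import Decimal, InvalidOperation, ROUND_HALF_UP
from typing import Dict

# Server-side catalogue (constructed). This is the only trusted price source.
CATALOGUE: Dict[str, Decimal] = {"SKU-449": Decimal("449.00")}
MAX_QTY = 100


class CheckoutError(ValueError):
    """Rejected order: malformed or tampered input."""


def checkout_vulnerable(form: Dict[str, str]) -> Decimal:
    """The weakness in the case: unit_price and total arrive as form fields
    (hidden or read-only in the browser, but freely editable by the user)
    and the server charges whatever was posted."""
    qty = int(form["qty"])
    unit_price = Decimal(form["unit_price"])
    if form.get("total"):                # trusts the posted total outright
        return Decimal(form["total"])
    return unit_price * qty              # or, at best, the posted unit price


def checkout_hardened(form: Dict[str, str]) -> Decimal:
    """Client-supplied money fields are never used to price the order:
    price comes from CATALOGUE, quantity is validated, total is recomputed,
    and an echoed total that disagrees is treated as tampering."""
    sku = form.get("sku", "")
    if sku not in CATALOGUE:
        raise CheckoutError("unknown sku")
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        raise CheckoutError("quantity must be an integer") from None
    if not 1 <= qty <= MAX_QTY:
        raise CheckoutError("quantity out of range")
    total = (CATALOGUE[sku] * qty).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)
    if "total" in form:
        try:
            posted = Decimal(form["total"])
        except InvalidOperation:
            raise CheckoutError("malformed total") from None
        if posted != total:
            raise CheckoutError(f"posted total {posted} != server total {total}")
    return total


# Constructed requests: the honest cart and the tester's edited one.
HONEST_FORM = {"sku": "SKU-449", "qty": "5", "unit_price": "449.00", "total": "2245.00"}
TAMPERED_FORM = {"sku": "SKU-449", "qty": "5", "unit_price": "1.00", "total": "1.00"}


if __name__ == "__main__":
    print("vulnerable, honest  :", checkout_vulnerable(HONEST_FORM))
    print("vulnerable, tampered:", checkout_vulnerable(TAMPERED_FORM))
    print("hardened,   honest  :", checkout_hardened(HONEST_FORM))
    try:
        checkout_hardened(TAMPERED_FORM)
    except CheckoutError as exc:
        print("hardened,   tampered: rejected -", exc)
```

The hardened handler does not try to detect "suspicious" prices; it simply never reads a price from the request. Logging the rejected mismatch (posted $1.00 against a server total of $2,245.00) is also a cheap detection signal for exactly this class of tampering.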
Using Zones: An Example Oil Refinery
(Figure courtesy: Tofino)
Specifying the Zones
(Figure courtesy: Tofino)
Defining the Conduits
(Figure courtesy: Tofino)
Defining the Data Flow Between Zones
(Figure courtesy: Tofino)
Security Levels (SL): Mapping of SRs & REs
(SL 1 to SL 4 definitions as given on the Security Levels slide above.)
SLs as a Vector: Using Foundational Requirements (FR)
• Instead of compressing SL down to a single number
• Concept of SL-Target (SL-T), SL-Capability (SL-C), SL-Achieved (SL-A)
• Use of a vector approach based on the 7 Foundational Requirements (FRs)
• As defined by ISA-62443-1-1 (99.01.01):
1. IAC – Identification & Authentication Control
2. UC – Use Control
3. SI – System Integrity
4. DC – Data Confidentiality
5. RDF – Restricted Data Flow
6. TRE – Timely Response to Events
7. RA – Resource Availability
Example: SL-T (Zone A) = { 2   2   0   1   3   1   3 }
                          IAC  UC  SI  DC  RDF TRE  RA
SLs as a Vector: Using FRs, translated into SRs & REs
For example, the requirements for the four SL levels that relate to RDF (FR 5) are:
SL-C(RDF, control system) 1: SR 5.1, SR 5.2, SR 5.3, SR 5.4
SL-C(RDF, control system) 2: SR 5.1 + RE(1), SR 5.2 + RE(1), SR 5.3, SR 5.4
SL-C(RDF, control system) 3: SR 5.1 + RE(1) + RE(2), SR 5.2 + RE(1) + RE(2) + RE(3), SR 5.3 + RE(1), SR 5.4
SL-C(RDF, control system) 4: SR 5.1 + RE(1) + RE(2) + RE(3), SR 5.2 + RE(1) + RE(2) + RE(3), SR 5.3 + RE(1), SR 5.4
Example: SL-T (Zone A) = { 2 2 0 1 3 1 3 } over (IAC UC SI DC RDF TRE RA), i.e. SL-T (RDF, Zone A) = 3, so the zone must meet the SL 3 row above for RDF.
SR = Security Requirement
RE = Requirement Enhancement
SLs as a Vector: Capabilities vs. Target, & Achieved
Example:
SL-T (Zone A) = { 2   2   0   1   3   1   3 }
vs.
SL-C (Zone A) = { 1   1   0   1   2   3   4 }
                 IAC  UC  SI  DC  RDF TRE  RA
Comparing FR by FR: IAC (1 vs 2) and UC (1 vs 2) - shortfall, needs enhancement (component-level security improvements); SI (0 vs 0) and DC (1 vs 1) - OK; RDF (2 vs 3) - shortfall; TRE (3 vs 1) and RA (4 vs 3) - OK (capability exceeds target).
Final outcome after enhancement implementation:
SL-A (Zone A) = { 2   2   0   1   2   3   4 }
Note that SL-A(RDF) is still 2 against a target of 3: the enhancements closed the IAC and UC gaps only. The remaining RDF gap has to be closed with the additional SR 5.x requirement enhancements from the SL 3 row, or formally accepted as residual risk for the zone.
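The SL-T / SL-C / SL-A comparison above, and the FR 5 (RDF) mapping from the previous slides, are easy to get wrong by eye; the following is an added example (not the deck's code and not text from the standard) that does the arithmetic. The FR order, the Zone A vectors and the RDF SR/RE mapping are as the slides show them; the function names and the enhancement dictionary are assumptions for illustration.

```python
"""IEC 62443 security levels as vectors: SL-T vs SL-C, enhancements, SL-A,
and the FR 5 (RDF) SR/RE mapping.

Added example, not from the deck or from the standard's text. FR order, the
Zone A vectors and the RDF mapping are as shown on the slides; the function
names and the enhancement dictionary are assumptions for illustration.
"""
from typing import Dict, List, Sequence, Tuple

FRS = ("IAC", "UC", "SI", "DC", "RDF", "TRE", "RA")
SLVector = Dict[str, int]


def sl_vector(values: Sequence[int]) -> SLVector:
    """Build an SL vector {FR: level} from the 7 numbers in slide order."""
    if len(values) != len(FRS) or any(not 0 <= v <= 4 for v in values):
        raise ValueError("an SL vector has 7 entries, each in 0..4")
    return dict(zip(FRS, values))


def shortfalls(target: SLVector, capability: SLVector) -> List[Tuple[str, int, int]]:
    """FRs where capability < target, as (FR, SL-T, SL-C) for each gap."""
    return [(fr, target[fr], capability[fr]) for fr in FRS if capability[fr] < target[fr]]


def achieved(capability: SLVector, enhancements: Dict[str, int]) -> SLVector:
    """SL-A after component-level enhancements raise individual FR capabilities."""
    return {fr: min(4, capability[fr] + enhancements.get(fr, 0)) for fr in FRS}


# FR 5 (RDF) system requirements and their REs per SL-C, as on the slide.
RDF_REQUIREMENTS: Dict[int, Dict[str, List[int]]] = {
    0: {},
    1: {"SR 5.1": [], "SR 5.2": [], "SR 5.3": [], "SR 5.4": []},
    2: {"SR 5.1": [1], "SR 5.2": [1], "SR 5.3": [], "SR 5.4": []},
    3: {"SR 5.1": [1, 2], "SR 5.2": [1, 2, 3], "SR 5.3": [1], "SR 5.4": []},
    4: {"SR 5.1": [1, 2, 3], "SR 5.2": [1, 2, 3], "SR 5.3": [1], "SR 5.4": []},
}


def rdf_requirements(level: int) -> List[str]:
    """Flat list of SRs and REs a control system must meet for SL-C(RDF) = level."""
    items: List[str] = []
    for sr, res in RDF_REQUIREMENTS[level].items():
        items.append(sr)
        items.extend(f"{sr} RE({n})" for n in res)
    return items


def rdf_gap(current: int, target: int) -> List[str]:
    """SR/RE items that must be added to move SL-C(RDF) from current to target."""
    have = set(rdf_requirements(current))
    return [item for item in rdf_requirements(target) if item not in have]


if __name__ == "__main__":
    sl_t = sl_vector([2, 2, 0, 1, 3, 1, 3])
    sl_c = sl_vector([1, 1, 0, 1, 2, 3, 4])
    for fr, t, c in shortfalls(sl_t, sl_c):
        print(f"shortfall {fr}: SL-T {t} > SL-C {c}")
    # The enhancements implied by the slide's SL-A: IAC and UC raised by one.
    sl_a = achieved(sl_c, {"IAC": 1, "UC": 1})
    print("SL-A =", [sl_a[fr] for fr in FRS])
    for fr, t, a in shortfalls(sl_t, sl_a):
        detail = rdf_gap(a, t) if fr == "RDF" else "further enhancement"
        print(f"residual gap {fr}: SL-A {a} < SL-T {t}, needs {detail}")
```

With the slide's vectors the script reports three shortfalls (IAC, UC, RDF), an SL-A of { 2 2 0 1 2 3 4 } after the IAC and UC enhancements, and one residual gap: RDF at 2 against a target of 3, which would need SR 5.1 RE(2), SR 5.2 RE(2), SR 5.2 RE(3) and SR 5.3 RE(1) to close.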
Questions
Contacts
2012 Honeywell Proprietary
Follow us: Blog: http://insecurity.honeywellprocess.com
Website: http://www.honeywellprocess.com
Website: http://www.becybersecure.com
Chee Ban Ngai Industrial IT Solutions, Leader, Asia Pacific
phone: +603 7958 4988
cell: +6012 233 0915
Mike Spear Global Operation Manager, Industrial IT Solutions
phone: +1 (770) 689-1132
cell: +1 (678) 447-6422