Source: d2zmdbbm9feqrf.cloudfront.net/2015/eur/pdf/brksec-2088.pdf

Using Cisco FireSIGHT to protect ICS/IOT systems

BRKSEC-2088

Dominic Storey, Security Engineering Manager, Cisco GSSO/GET

© 2015 Cisco and/or its affiliates. All rights reserved. BRKSEC-2088 Cisco Public

Abstract

Process Control Networks (PCN) and Industrial Control Systems (ICS) are the ‘brains’ and ‘nervous systems’ of most modern factories. Unfortunately for many organizations, attention to effectively securing these critical resources lags equivalent initiatives that are applied to data center and office automation networks. The perfect storm of ageing equipment, insecure protocols, a lack of patching, a lack of comprehensive security management and an ever-increasing connectivity to the corporate network (and therefore the Internet) is building. What practical approaches can Cisco bring to the table in securing these systems?

Objectives

• Understand differences between IT and OT perspectives

• Grasp the kind of threats that can be leveled against process control networks

• Understand how Cisco FireSIGHT, AMP and Genesis systems can help address the security gaps.

• Observe a hack against a live SCADA system and see how Cisco systems can mitigate such attacks


Agenda

• Introduction – The Perfect Storm

• Cisco FireSIGHT for ICS

• FireSIGHT protection profile

• Snort rules for Modbus

• Live Demo – SCADA hack by employee

• Conclusion


Introduction – The Perfect Storm

  > IP connectivity
+ > PCN connectivity
+ Nation-state cyber programs
+ Commercialization of hacking
+ “Hacktivism”
= We’ve created the perfect storm …

Process control computer hardware – unique challenges

• Process-specific
• Hardware constrained
• Mix of COTS and vendor-specific hardware architecture
• Priorities are AIC (or IAC), not CIA: availability first, then integrity, with confidentiality last

Purdue level | Function                  | Typical systems
Level 5      | Enterprise Network        | Corporate network infrastructure, maintained by Enterprise IT
Level 4      | Site Planning & Logistics | Site back office, email, inventory, performance, etc.
Level 3      | Site Ops & Control        | Control room workstations, file & patch servers, historians
Level 2      | Supervisory control       | HMIs, alarms & alerting
Level 1      | Programmable Automation   | PLCs
Level 0      | Distributed I/O           | Sensors, actuators & RTUs

Software shifts from COTS at the upper levels to vendor-specific at the lower levels; hardware shifts from general purpose at the upper levels to process-specific at the lower levels.

Attack Scenario: External compromise of an aluminum smelting plant

1. Attacker scans Facebook for night operators
2. Attacker befriends operator
3. Attacker discovers personal context about operator
4. Attacker crafts specific social engineering exploit
5. Operator opens fake link, gets ‘owned’
6. Attacker downloads and brute-forces SAM database
7. Attacker logs in, starts shutdown procedure
8. Operator slow to respond (cannot believe it’s him!)
9. Attacker sets distrust of SCADA network
10. Power plant loses remote restart capability
11. Power plant remains offline for 3+ days
12. Pot lines compromised due to thermal cycling

Realistic?

• http://www.wired.com/2015/01/german-steel-mill-hack-destruction/
– Manipulation of the control system prevented shutdown of a blast furnace
– Access to the control system through the business network
– Access to the business network via spear-phishing
– Many systems compromised: this led to the impossibility of shutdown
– Attackers had advanced knowledge of the control systems

Barriers: Different Perspectives …

• IT/Security
– Service providers
– Do not understand engineers
– Concerned with all networks
– Project lifecycle ~ 2 years
– Patching vital
– Security paramount

• Engineers
– May be customers of IT
– May not trust IT
– Speak a different language
– Concerned with PCN only
– Project lifecycle ~ 20 years
– Patching often impossible
– Availability is paramount

Cisco Security Model – Attack Continuum

• BEFORE: Control, Enforce, Harden
• DURING: Detect, Block, Defend
• AFTER: Scope, Contain, Remediate

Applied across Network, Endpoint, Mobile, Virtual and Cloud; both point-in-time and continuous.

What Cisco brings to the table – open, flexible security

• NGFW / ISE, NGIPS and AMP across the attack continuum (Network, Endpoint, Virtual, Cloud)
• Managed from Cisco FireSIGHT Management Center

Dealing with the present threat: Cisco IPS

• Inputs: Failure, Attack, Misconfiguration
• Awareness: Environment, User awareness, Threat awareness, Network awareness
• DAQ (data acquisition) feeding the Detection engines
• Correlation engine, Rules engine, Anomaly detection
• Directory mapping and Directory services, Reputation services, Geolocation services
• Presentation engine, Reporting engine, User interface
• Remediation services

Event reduction through the pipeline: 10000 events → 500 events → 50 events → 10 events (+20 events) → 3 events

Environmental visibility: Passive Discovery + NetFlow

Scanning + SCADA = Danger of death

Passively discovered, all the time and in real time:
• Hosts
• Services
• Applications
• Users
• Communications
• Vulnerabilities

Modeling the ICS environment

• IPS rules
– Dynamic content matching
– Third-party rules (e.g. Digital Bond, CERTs)
• FireSIGHT discovery
– Application detectors
– Service detectors (can be client-written or SF-supplied)
• Correlation rules
– Rich data “mashups”
– Statistical anomaly detection

Control, enforcement & hardening: Cisco NGFW

• Embedded NGIPS – content inspection & intruder protection
• Embedded FireSIGHT – network discovery & context-awareness
• Security intelligence & blacklist control
• Comprehensive access control by network zone, VLAN, IP, port, protocol, application, user, URL
• And it’s all beautifully integrated

Policy layers applied to controlled traffic: Firewall policy, IPS policy, File policy, Malware policy
Platform services: Switching, Routing, VPN, High Availability, URL awareness, Security Intelligence, IP geo-location

Sensor platform options:

• FirePOWER

– Optimized for IPS, NGFW, AMP

– Specialized hardware for IPS on SSL traffic

– Highly Scalable

• ASA

– FirePOWER services on ASA

– Sophisticated, multi-protocol support, including asymmetric routing

– Hardened platform support coming soon

• Virtual Machine

– Operate on your choice of hardware, such as Cisco UCS or specific hardened platform


The Advanced Malware Problem


Attacks against ICS are specially crafted

• Attackers have deep knowledge of target systems
– Will craft specific malware
– Will invest resources and time
– Multiple attack vectors
• Unlikely they will be kept out by perimeter security
• Thus the game moves on from simple prevention to speedy detection, constraint and remediation

The attack chain

1. Survey – evaluate target countermeasures
2. Write – craft context-aware malware
3. Test – validate malware evades countermeasures
4. Execute – deploy droppers & move laterally
5. Accomplish – use multiple command and control connections to accomplish mission

Requirements for Advanced Malware Protection

• Prevent

– Basic forms of attack

– Potential code reuse

• Detect

– Polymorphic evasion

– Dropper behavior

– Command and control traffic

• Provide

– Forensic capabilities to track point of entry

– Control surface to prevent execution of detected malware across plant

– Analysis capability to determine what malware can do

• Should run on limited hardware typically found in ICS installations


Architecture for advanced malware protection

• SaaS Manager
• FireSIGHT/ASA Sensor
• FireSIGHT Management Center (AMP Malware license)
• Detection Services & Big Data analytics (cloud)
• AMP for Networks and AMP for Endpoints
• Connectivity: SSL:443 | 32137; Heartbeat: 80
• On-prem proxy

The catch? Detection is “in the cloud”. “On-prem” addresses cloud objections.

Sophisticated and Continuous Protection

Point-in-Time Protection – File Reputation & Sandboxing:
• One-to-One Signature
• Fuzzy Finger-printing
• Machine Learning
• Advanced Analytics
• Dynamic Analysis

Retrospective Security – Continuous Analysis:
• Telemetry stream (continuous feed) from Web, Endpoints, Network, Email, Devices and IPS
• Breadth and control points: File Fingerprint and Metadata, File and Network I/O, Process Information

Mapping to a SCADA standard model

Putting it all together


SP99 / Purdue Model – “Classic” Security Solution

Zone                 | Level   | Contents
Enterprise Zone      | Level 5 | Enterprise Network: Email, Intranet, etc.
Enterprise Zone      | Level 4 | Site Business Planning and Logistics Network
DMZ                  |         | Patch Mgmt, Web Services Operations, AV Server, Application Server, Terminal Services, Historian (Mirror)
Process Control Zone | Level 3 | Site Operations and Control: Production Control, Historian, Optimizing Control, Engineering Station
Process Control Zone | Level 2 | Area Supervisory Control: Supervisory Control, HMI
Process Control Zone | Level 1 | Basic Control: Batch Control, Discrete Control, Hybrid Control, Continuous Control
Process Control Zone | Level 0 | Process

The “classic” security solution adds an IDS and an IPS to this model.

Mapping Cisco components onto the same SP99 / Purdue model (in place of the “classic” IDS/IPS placement):

• FireSIGHT
• NGIPS (IDS) + SCADA rules
• FireSIGHT / NGIPS (IDS/IPS) + Windows rules
• SCADA rules + AMP

DEMO

• What mayhem can ensue if a disgruntled employee has the opportunity for some Modbus fun?
• What can we do about it?

What could our disgruntled employee do?

Operation                          | Difficulty level                   | Impact    | Comments
Halt system                        | Easy                               | Immediate | Simple to detect and remediate
Shut down actuators                | Easy                               | Immediate | Simple to detect and remediate
Alter set points                   | Easy                               | Delayed   | May not be detected at all until a later QA stage
Change calibration factors         | Medium (requires deeper knowledge) | Delayed   | Very hard to detect and undo; may require restore from backup. End result similar to altering set points
Compromise firmware (à la Stuxnet) | Hard                               | Delayed   | May be undetectable. Would require blanket restore from backup to overcome

Demo architecture quick view

• Simple (but faithful) SCADA model
• Linux HMI → ARM-based RTU architecture communicating over Modbus/TCP
• Components: HMI, RTU, Genesis firmware query engine

“Smart” vs “Dumb” RTUs

• Dumb RTU: the PLC holds the process logic & set points and runs the PID and process loops; the RTU only exposes sensors & actuators; the HMI supervises the PLC
• Smart RTU: process logic & set points and the PID and process loops run in the RTU itself, directly driving sensors & actuators; the HMI talks to the RTU

Introducing the RTU-2000

• Smart RTU
• ARM CPU, Atmel MCU – real-time I/O
• Multi-function, process control
• Process data, set points and control functions all accessible over Modbus

ARM/Linux general purpose processor (Raspberry Pi Model B):
• RTU Server
• MODBUS Server
• KLISH CLI
• FTP Server (upgrade interface)
• SSH Server
• Intelligent Display
• Serial I/O
• Sound Server

Atmel 328P real-time I/O processor:
• Power switch
• I2C temperature sensor (5V)
• Analog proximity sensor (0–5V)
• +3 GPIO
• RTC
• Diagnostic serial port

Peripherals: USB actuators and sensors, 433 MHz transmitter (actuators)

Modbus Communications Protocol

• An open data communication protocol, published by Modicon
• Widely deployed due to zero licensing cost
• Serial or network
• Modbus/TCP
– Typeless, no authentication, no data validation other than in the network transport
• Register-orientated, query/response protocol
– Bit-orientated digital data (ON/OFF)
– Analog values in 16-bit words
– 32-bit and 64-bit values represented in multiple registers
– Read-only and read/write registers
– Commonly transports measurements using IEEE754 32-bit floating point

Modbus Registers

• Read-only
– Discrete inputs
– Input registers
• Read-write
– Coils
– Holding registers
– If they’re writable, they’re hackable
• Size
– 1-bit (coils, discrete inputs)
– 16-bit (input, holding)
• Floating point, strings
– Multiple 16-bit registers

Modbus Request/Reply protocol

• 01: read coils (0xxxx)

• 02: read discrete input (1xxxx)

• 03: read holding registers (4xxxx)

• 04: read input registers (3xxxx)

• 05: write single coil (0xxxx)

• 06: write single register (4xxxx)

• 15: write multiple coils (0xxxx)

• 16: write multiple registers (4xxxx)


Let’s do it!


Device Specific Snort Rules

• Built on existing library of rules

• OT-friendly message

• Check binary values, integer values and (with a little effort) floating point values

– Use helper applications to “write the rules for you”

• Collections of rules, specific to a device and/or device application can be stored in text files and imported as necessary


Rules Example

alert tcp $EXTERNAL_NET any -> $HOME_NET 502 \
(gid:1; flow:established,to_server; metadata:impact_flag red; \
reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; \
modbus_unit:255; modbus_func:read_coils; modbus_data; content:"|00 00|"; within:2; \
msg:"PROTOCOL-SCADA Modbus RTU-2000 cooler actuator state read from external source"; \
classtype:attempted-admin;)

• $EXTERNAL_NET -> $HOME_NET 502: unauthorized source talking to the Modbus/TCP port
• flow:established,to_server: valid TCP connection, requests only
• metadata:impact_flag red: force high impact to ensure attention
• reference:url: further reading
• modbus_unit:255: unit identifier 0xFF, the conventional value for a device addressed directly over Modbus/TCP (a gateway bridging to serial devices carries the serial slave address instead, so check what your RTU actually uses)
• modbus_func:read_coils: Modbus function being executed (function code 01)
• modbus_data; content:"|00 00|"; within:2: check two bytes only, the start of the data field, i.e. the starting coil address that identifies the cooler actuator ($temperature_actuator)
• msg: OT-friendly message

The modbus_* options depend on the Snort Modbus preprocessor being enabled for port 502 in the network analysis policy; without it the rule never fires.

Forensics view

ehacker@hacker:~$ mbpp -h rtu $temperature_setpoint:float=20 --debug=4
Host data: 20.000000 [00 00 a0 41]
Connecting to [rtu]:502
Modbus.Write(): HOLDING_REGISTER: [4, 2] (float)
Executing WRITE_MULTIPLE_REGISTERS
[00][01][00][00][00][0B][FF][10][00][04][00][02][04][41][A0][00][00]
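The frame above is a complete Modbus/TCP request: MBAP header (transaction 0001, protocol 0000, length 000B, unit FF) followed by the PDU (function 0x10, start register 0004, quantity 0002, byte count 04, data 41 A0 00 00 = 20.0 as IEEE754). The added example below, which is not code from the presentation or from Cisco, decodes such frames for the function codes listed on the request/reply slide, rebuilds the forensic frame from its fields, and applies the same logic as the Snort rule on the previous slide plus a rule for the set-point write shown here. The only real data is the captured frame; the HMI and attacker addresses, the coil number of the cooler actuator (taken from the rule's |00 00|) and the set-point register (taken from the HOLDING_REGISTER: [4, 2] line) are constructed assumptions.

```python
"""Modbus/TCP request decoder with simple detection rules (added example)."""
import struct
from dataclasses import dataclass

# Function codes from the request/reply slide
FUNC_NAMES = {
    1: "read_coils", 2: "read_discrete_inputs",
    3: "read_holding_registers", 4: "read_input_registers",
    5: "write_single_coil", 6: "write_single_register",
    15: "write_multiple_coils", 16: "write_multiple_registers",
}
WRITE_FUNCS = {5, 6, 15, 16}

# The frame printed by mbpp in the forensics view (constructed from the slide)
FORENSIC_FRAME = bytes.fromhex("0001 0000 000B FF 10 0004 0002 04 41A00000")

@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    start_address: int
    quantity: int
    data: bytes          # values carried by write requests, empty for reads

def parse_request(adu: bytes) -> ModbusRequest:
    """Decode a Modbus/TCP request: 7-byte MBAP header followed by the PDU."""
    if len(adu) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    tid, proto, length, unit = struct.unpack(">HHHB", adu[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(adu) - 6:           # length covers unit id + PDU
        raise ValueError(f"length field {length} != {len(adu) - 6} bytes present")
    pdu = adu[7:]
    func = pdu[0]
    if func not in FUNC_NAMES:
        raise ValueError(f"function code {func} not handled")
    if len(pdu) < 5:
        raise ValueError("PDU too short for address and quantity/value")
    addr, second = struct.unpack(">HH", pdu[1:5])
    if func in (5, 6):                   # single write: address + value, no count
        return ModbusRequest(tid, unit, func, addr, 1, pdu[3:5])
    if func in (15, 16):                 # multiple write: address, count, byte count, data
        byte_count = pdu[5]
        data = pdu[6:6 + byte_count]
        expected = 2 * second if func == 16 else (second + 7) // 8
        if len(data) != byte_count or byte_count != expected:
            raise ValueError("byte count inconsistent with quantity or frame size")
        return ModbusRequest(tid, unit, func, addr, second, data)
    return ModbusRequest(tid, unit, func, addr, second, b"")   # reads carry no data

def registers_to_float(data: bytes) -> float:
    """Two consecutive 16-bit registers holding one big-endian IEEE754 single."""
    if len(data) != 4:
        raise ValueError("a float spans exactly two registers (4 bytes)")
    return struct.unpack(">f", data)[0]

def build_write_float(tid: int, unit: int, address: int, value: float) -> bytes:
    """Build a write_multiple_registers (0x10) request carrying one float."""
    data = struct.pack(">f", value)
    pdu = struct.pack(">BHHB", 16, address, 2, len(data)) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

# Constructed assumptions: the one master allowed to talk to the RTU, and the
# points the rules watch (coil 0 from the Snort rule, register 4 from mbpp).
AUTHORIZED_MASTERS = {"10.0.0.10"}
COOLER_ACTUATOR_COIL = 0
TEMPERATURE_SETPOINT_REGISTER = 4

def check_request(src_ip: str, req: ModbusRequest) -> list:
    """Rule logic mirroring the deck's Snort rule, plus the set-point write.
    Returns OT-friendly alert messages (empty list when nothing matches)."""
    alerts = []
    external = src_ip not in AUTHORIZED_MASTERS
    if external and req.function == 1 and req.start_address == COOLER_ACTUATOR_COIL:
        alerts.append(f"RTU-2000 cooler actuator state read from external source {src_ip}")
    if req.function in WRITE_FUNCS and req.start_address == TEMPERATURE_SETPOINT_REGISTER:
        value = registers_to_float(req.data) if len(req.data) == 4 else None
        who = "external source" if external else "authorized HMI"
        alerts.append(f"RTU-2000 temperature setpoint written to {value} by {who} {src_ip}")
    return alerts

if __name__ == "__main__":
    req = parse_request(FORENSIC_FRAME)
    print(FUNC_NAMES[req.function], req.start_address, registers_to_float(req.data))
    for msg in check_request("10.0.0.66", req):
        print("ALERT:", msg)
```

The set-point rule fires regardless of source on purpose: a write from the legitimate HMI is still worth a (lower-impact) event in a closed-loop process, because the demo's whole point is that the attacker may be sitting at an authorized workstation.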

Mitigation

• Good visibility paramount

• Contextual relevance to rules vital

• How difficult is it to develop such rules?

– Cisco provides extensive library, or use third parties

– Lots of Snort experts out there!

– Modify, test, improve


What about a Stuxnet-style exploit?

Exploiting embedded systems architecture

• Software stack
– Operating system executive (Linux, RTOS)
• Firmware stack
– May be real-time kernel extensions to the OS
– Otherwise, a real-time co-processor for peripheral support
– Updated by the executive
– May not be well secured

RTU Executive: RTU Server, Modbus stack, CLI, Update Server, Bootloader
Firmware Exec: RT I/O, I2C/SPI communications stack

Mitigation

• Effective detection and remediation
– e.g. monitor FTP and HTTP uploads used for OS and firmware upgrades
• Deploy advanced malware prevention technologies
• Monitor the running firmware in your devices

Sneak Peek: Cisco Genesis firmware monitor

• Hardened system to validate running firmware on ICS devices (PLCs, smart RTUs)
• Mode of operation does not require agents installed on devices
– Optional agent approach for enhanced operation
• Can check firmware and dynamic variables (e.g. process steps)
• Does not interfere with the upgrade process for firmware or process logic
• Defends against Stuxnet-style attacks

Genesis cycle: Discover assets → Build image database → Periodically query devices → Validate against image database → Alert on differences
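The cycle the slide describes (discover, baseline, query, validate, alert) is a plain integrity-baseline loop. The added example below illustrates that loop on constructed data; it is not Genesis code and does not claim to reproduce how Genesis retrieves images. The device names, the image bytes and the "query" results are constructed stand-ins; a real monitor would read the firmware and process logic back over the device's upgrade or CLI interface.

```python
"""Firmware/process-logic baseline-and-compare loop (added illustration)."""
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Snapshot:
    """What one query of a device returned: identity plus the running images."""
    device: str
    model: str
    firmware: bytes        # image read back from the device (constructed here)
    process_logic: bytes   # set points / control logic, the 'dynamic variables'

def digest(blob: bytes) -> str:
    """Fingerprint an image; SHA-256 so a one-byte implant changes the result."""
    return hashlib.sha256(blob).hexdigest()

def build_image_database(snapshots) -> dict:
    """Steps 1-2: record the discovered assets and their known-good fingerprints."""
    return {
        s.device: {
            "model": s.model,
            "firmware": digest(s.firmware),
            "process_logic": digest(s.process_logic),
        }
        for s in snapshots
    }

def validate(snapshots, database) -> list:
    """Steps 3-5: compare a fresh query round against the database.
    Returns (device, finding) tuples; an empty list means everything matched."""
    findings = []
    seen = set()
    for s in snapshots:
        seen.add(s.device)
        known = database.get(s.device)
        if known is None:
            # A device that was never baselined is itself a finding: either an
            # undocumented asset or something impersonating one.
            findings.append((s.device, "device not in image database"))
            continue
        if s.model != known["model"]:
            findings.append((s.device, f"model changed {known['model']} -> {s.model}"))
        for part in ("firmware", "process_logic"):
            if digest(getattr(s, part)) != known[part]:
                findings.append((s.device, f"{part} differs from baseline"))
    # Devices that answered at baseline time but not now deserve attention too.
    for name in sorted(database.keys() - seen):
        findings.append((name, "device did not answer query"))
    return findings

# Constructed inventory: two RTU-2000s at baseline, then a later query round in
# which rtu-2's firmware has been tampered with and an unknown rtu-3 appears.
FW = b"RTU-2000 firmware 1.4 (constructed image bytes)"
BASELINE_ROUND = [
    Snapshot("rtu-1", "RTU-2000", FW, b"setpoint=20.0"),
    Snapshot("rtu-2", "RTU-2000", FW, b"setpoint=18.5"),
]
LATER_ROUND = [
    Snapshot("rtu-1", "RTU-2000", FW, b"setpoint=20.0"),
    Snapshot("rtu-2", "RTU-2000", FW + b"\x00implant", b"setpoint=18.5"),
    Snapshot("rtu-3", "RTU-2000", FW, b"setpoint=20.0"),
]

if __name__ == "__main__":
    db = build_image_database(BASELINE_ROUND)
    for device, finding in validate(LATER_ROUND, db):
        print(f"ALERT {device}: {finding}")
```

Two operational points follow from the code rather than the slide: an authorized upgrade must be followed by re-baselining the affected entry, or every later query round alerts; and because the image is read back through the device's own executive, a compromised executive can answer with the clean image (exactly what Stuxnet did to the engineering station), which is why out-of-band or agent-assisted reads are worth the extra effort on the devices that matter most.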

Cisco in Process Control / IoT

• Leverage our strengths in:
– Networking
– Security
– Service design and validation
– Operations

IoT solutions: Network infrastructure, Access control, Detection & prevention, Advanced Malware Protection, Firmware validation, Design and validation, Operations

Summary

• All businesses have a “third network”

• Visibility paramount (you cannot protect what you don’t know)

• Passive detection is critical in closed loop processes

• Be imaginative in your protection

• Don’t be driven by the SCADA vendor –it’s your plant!
