Source PDF: d2zmdbbm9feqrf.cloudfront.net/2015/eur/pdf/brksec-2088.pdf
TRANSCRIPT
Using Cisco FireSIGHT to protect ICS/IOT systems
BRKSEC-2088
Dominic Storey, Security Engineering Manager, Cisco GSSO/GET
© 2015 Cisco and/or its affiliates. All rights reserved. BRKSEC-2088 Cisco Public
Abstract
Process Control Networks (PCN) and Industrial Control Systems (ICS) are the ‘brains’ and ‘nervous systems’ of most modern factories. Unfortunately for many organizations, attention to effectively securing these critical resources lags the equivalent initiatives applied to data center and office automation networks. The perfect storm of ageing equipment, insecure protocols, a lack of patching, a lack of comprehensive security management and an ever-increasing connectivity to the corporate network (and therefore the Internet) is building. What practical approaches can Cisco bring to the table in securing these systems?
Objectives
• Understand differences between IT and OT perspectives
• Grasp the kind of threats that can be leveled against process control networks
• Understand how Cisco FireSIGHT, AMP and Genesis systems can help address the security gaps.
• Observe a hack against a live SCADA system and see how Cisco systems can mitigate such attacks
Agenda
• Introduction – The Perfect Storm
• Cisco FireSIGHT for ICS
• FireSIGHT protection profile
• Snort rules for Modbus
• Live Demo – SCADA hack by employee
• Conclusion
We’ve created the perfect storm …
• IP connectivity
• + PCN connectivity
• + Nation-state cyber programs
• + Commercialization of hacking
• + “Hacktivism”
• = the perfect storm
Unique challenges
Process control computer hardware
• Process-specific
• Hardware constrained
• Mix of COTS and vendor-specific hardware architecture
• AIC, IAC not CIA! (priorities are availability and integrity first; confidentiality comes last)
Purdue model levels (figure). Hardware runs from vendor-specific at the bottom to COTS at the top; software runs from process-specific at the bottom to general purpose at the top:
• Level 5 – Enterprise network: corporate network infrastructure, maintained by Enterprise IT
• Level 4 – Site planning & logistics: site back office, email, inventory, performance, etc.
• Level 3 – Site ops & control: control room workstations, file & patch servers, historians
• Level 2 – Supervisory control: HMIs, alarms & alerting
• Level 1 – Programmable automation: PLCs
• Level 0 – Distributed I/O: sensors, actuators & RTUs
Attack Scenario: external compromise of an aluminum smelting plant
1. Attacker scans Facebook for night operators
2. Attacker befriends an operator
3. Attacker discovers personal context about the operator
4. Attacker crafts a specific social-engineering exploit
5. Operator opens fake link, gets ‘owned’
6. Attacker downloads and brute-forces the SAM database
7. Attacker logs in, starts shutdown procedure
8. Operator slow to respond (cannot believe it’s him!)
9. Attacker sows distrust of the SCADA network
10. Power plant loses remote restart capability
11. Power plant remains offline for 3+ days
12. Pot lines compromised due to thermal cycling
Realistic?
• http://www.wired.com/2015/01/german-steel-mill-hack-destruction/
– Manipulation of the control system prevented shutdown of a blast furnace
– Access to the control system through the business network
– Access to the business network via spear-phishing
– Many systems compromised: this led to the impossibility of shutdown
– Attackers had advanced knowledge of the control systems
Barriers: Different Perspectives …
• IT/Security
– Service providers
– Do not understand engineers
– Concerned with all networks
– Project lifecycle ~ 2 years
– Patching vital
– Security paramount
• Engineers
– May be customers of IT
– May not trust IT
– Speak a different language
– Concerned with PCN only
– Project lifecycle ~ 20 years
– Patching often impossible
– Availability is paramount
Cisco Security Model: the Attack Continuum (figure)
• BEFORE – Control, Enforce, Harden
• DURING – Detect, Block, Defend
• AFTER – Scope, Contain, Remediate
Applied across network, endpoint, mobile, virtual and cloud; moving from point-in-time to continuous protection.
What Cisco brings to the table (figure)
Open, flexible security across the attack continuum: NGFW / NGIPS, ISE and AMP, covering network, endpoint, virtual and cloud, all managed from Cisco FireSIGHT Management Center.
Dealing with the present threat: Cisco IPS (figure)
• Inputs the sensor has to make sense of: failure, attack, misconfiguration, environment, user
• Awareness layers: threat awareness, network awareness, user awareness
• Engines: DAQ (packet acquisition), detection engines, correlation engine, rules engine, anomaly detection, presentation engine, reporting engine, user interface
• Supporting services: directory mapping and directory services, reputation services, geolocation services, remediation services
• Event reduction shown in the figure: 10000 raw events → 500 → 50 → 10 (+20 correlated) → 3 events that need attention
Environmental visibility: passive discovery + NetFlow (scanning + SCADA = danger of death, so the sensor learns by listening rather than probing)
Learned all the time, in real time:
• Hosts
• Services
• Applications
• Users
• Communications
• Vulnerabilities
Modeling the ICS environment
• IPS rules
– Dynamic content matching
– Third-party rules (e.g. Digital Bond, CERTs)
• FireSIGHT discovery
– Application detectors
– Service detectors (can be client-written or Sourcefire-supplied)
• Correlation rules – rich data “mashups”
– Statistical anomaly detection
Control, enforcement & hardening
• Embedded NGIPS – content inspection & intruder protection
• Embedded FireSIGHT – network discovery & context-awareness
• Security intelligence & blacklist control
• Comprehensive access control by network zone, VLAN, IP, port, protocol, application, user, URL
• And it’s all beautifully integrated
Cisco NGFW (figure): firewall policy, IPS policy, file policy and malware policy applied to traffic on top of switching, routing, VPN and high availability, with URL awareness, security intelligence and IP geolocation feeding the decision; the output is controlled traffic.
Sensor platform options:
• FirePOWER
– Optimized for IPS, NGFW, AMP
– Specialized hardware for IPS on SSL traffic
– Highly Scalable
• ASA
– FirePOWER services on ASA
– Sophisticated, multi-protocol support, including asymmetric routing
– Hardened platform support coming soon
• Virtual Machine
– Operate on your choice of hardware, such as Cisco UCS or specific hardened platform
The Advanced Malware Problem
Attacks against ICS are specially crafted
• Attackers have deep knowledge of target systems
– Will craft specific malware
– Will invest resources and time
– Multiple attack vectors
• Unlikely they will be kept out by perimeter security
• Thus the game moves on from simple prevention to speedy detection, constraint and remediation
The attack chain
1. Survey – evaluate target countermeasures
2. Write – craft context-aware malware
3. Test – validate that the malware evades countermeasures
4. Execute – deploy droppers & move laterally
5. Accomplish – use multiple command and control connections to accomplish the mission
Requirements for Advanced Malware Protection
• Prevent
– Basic forms of attack
– Potential code reuse
• Detect
– Polymorphic evasion
– Dropper behavior
– Command and control traffic
• Provide
– Forensic capabilities to track point of entry
– Control surface to prevent execution of detected malware across plant
– Analysis capability to determine what malware can do
• Should run on limited hardware typically found in ICS installations
Architecture for advanced malware protection (figure)
• AMP for Networks: FireSIGHT/ASA sensor with the AMP malware license, managed by FireSIGHT Management Center; file hashes (#) are looked up against cloud detection services & big-data analytics, which return a clean/malicious disposition (✔/✖)
• AMP for Endpoints: SaaS manager; connector traffic on SSL:443 | 32137, heartbeat on port 80
• The catch? Detection is “in the cloud”. An on-prem proxy addresses cloud objections.
Sophisticated and continuous protection (figure)
• Point-in-time protection: file reputation & sandboxing using one-to-one signatures, fuzzy fingerprinting, machine learning, advanced analytics and dynamic analysis
• Retrospective security: continuous analysis of a telemetry stream (file fingerprint and metadata, file and network I/O, process information) as a continuous feed
• Breadth and control points: web (WWW), endpoints, network, email, devices, IPS
Mapping to a SCADA standard model
Putting it all together
SP99 / Purdue model (figure)
• Level 5 – Enterprise zone: enterprise network (email, intranet, etc.)
• Level 4 – Site business planning and logistics network
• DMZ: patch management, web services operations, AV server, application server, historian (mirror), terminal services
• Level 3 – Site operations and control: production control, historian, optimizing control, engineering station
• Level 2 – Area supervisory control: HMIs, supervisory control
• Level 1 – Basic control: batch control, discrete control, hybrid control, continuous control
• Level 0 – Process
• Process control zone = levels 0–3; enterprise zone = levels 4–5
The figure marks where a “classic” security solution places IDS and IPS sensors in this model.
The same SP99 / Purdue model with the Cisco overlay (figure). In place of the “classic” IDS/IPS placement the figure shows:
• FireSIGHT for discovery and context
• NGIPS (IDS) + SCADA rules
• FireSIGHT / NGIPS (IDS/IPS) + Windows rules
• SCADA rules + AMP
DEMO
• What mayhem can ensue if a disgruntled employee has the opportunity for some Modbus fun?
• What can we do about it?
What could our disgruntled employee do?
• Halt system – Difficulty: easy. Impact: immediate. Simple to detect and remediate.
• Shut down actuators – Difficulty: easy. Impact: immediate. Simple to detect and remediate.
• Alter set points – Difficulty: easy. Impact: delayed. May not be detected at all until a later QA stage.
• Change calibration factors – Difficulty: medium (requires deeper knowledge). Impact: delayed. Very hard to detect and undo; may require restore from backup. End result similar to altering set points.
• Compromise firmware (à la Stuxnet) – Difficulty: hard. Impact: delayed. May be undetectable; would require blanket restore from backup to overcome.
Demo architecture quick view
• Simple (but faithful) SCADA model
• Linux HMI -> ARM-based RTU architecture communicating over Modbus/TCP
• Components (figure): HMI, Genesis, firmware query engine
“Smart” vs “dumb” RTUs (figure)
• Dumb RTU: the PLC holds the process logic & set points and runs the PID and process loops; the RTU only fronts the sensors & actuators; the HMI talks to the PLC
• Smart RTU: process logic & set points and the PID and process loops live in the RTU itself; the HMI talks directly to the RTU, which drives the sensors & actuators
Introducing the RTU-2000
• Smart RTU
• ARM CPU plus Atmel MCU for real-time I/O
• Multi-function process control
• Process data, set points and control functions all accessible over Modbus
Block diagram (figure):
• ARM/Linux general-purpose processor (Raspberry Pi Model B): RTU server, KLISH CLI, FTP server (upgrade interface), SSH server, Modbus server, sound server, intelligent display, serial I/O, diagnostic serial port, RTC
• Atmel 328P real-time I/O processor: power switch, I2C temperature sensor (5V), analog proximity sensor (0–5V), +3 GPIO
• USB actuators and sensors; 433 MHz transmitter (actuators)
Modbus Communications Protocol
• An open data communication protocol, published by Modicon
• Widely deployed due to zero licensing cost
• Serial or network
• Modbus/TCP
– Typeless, no authentication, no data validation other than what the network transport provides
• Register-oriented, query/response protocol
– Bit-oriented digital data (ON/OFF)
– Analog values in 16-bit words
– 32-bit and 64-bit values represented in multiple registers
– Read-only and read/write registers
– Commonly transports measurements using IEEE 754 32-bit floating point
Modbus Registers
• Read-only
– Discrete inputs
– Input registers
• Read-write
– Coils
– Holding registers
– If they’re writable, they’re hackable
• Size
– 1 bit (coils, discrete inputs)
– 16 bit (input, holding)
• Floating point, strings
– Multiple 16-bit registers
Modbus Request/Reply protocol (function codes, with the conventional reference range in brackets)
• 01 (0x01): read coils (0xxxx)
• 02 (0x02): read discrete inputs (1xxxx)
• 03 (0x03): read holding registers (4xxxx)
• 04 (0x04): read input registers (3xxxx)
• 05 (0x05): write single coil (0xxxx)
• 06 (0x06): write single register (4xxxx)
• 15 (0x0F): write multiple coils (0xxxx)
• 16 (0x10): write multiple registers (4xxxx)
Device Specific Snort Rules
• Built on the existing library of rules
• OT-friendly message
• Check binary values, integer values and (with a little effort) floating point values
– Use helper applications to “write the rules for you”
• Collections of rules, specific to a device and/or device application, can be stored in text files and imported as necessary
Rules Example

alert tcp $EXTERNAL_NET any -> $HOME_NET 502 \
(gid:1; flow:established,to_server; metadata:impact_flag red; \
reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; \
modbus_unit:255; modbus_func:read_coils; modbus_data; content:"|00 00|"; within:2; \
msg:"PROTOCOL-SCADA Modbus RTU-2000 cooler actuator state read from external source"; \
classtype:attempted-admin;)

Annotations from the slide:
• $EXTERNAL_NET any -> $HOME_NET 502 – unauthorized source talking to the Modbus/TCP port
• flow:established,to_server – valid TCP connection, request direction only
• metadata:impact_flag red – force high impact to ensure attention
• reference:url,… – further reading
• modbus_unit:255 – unit number always 255 in Modbus/TCP (true for a device addressed directly over TCP; behind a Modbus/TCP-to-serial gateway the unit identifier is the serial slave address, so widen this match there)
• modbus_func:read_coils – Modbus function being executed
• modbus_data; content:"|00 00|"; within:2 – check two bytes only, starting at the Modbus data: the starting address 0x0000, which on the RTU-2000 is the cooler actuator coil (the slide’s $temperature_actuator)
• msg – OT-friendly message
Two practical notes: the modbus_unit, modbus_func and modbus_data keywords come from Snort’s Modbus preprocessor, which must be enabled for port 502 in the network analysis policy, and a rule loaded into Snort or FireSIGHT also needs sid: and rev: options, which the slide omits for brevity (local rules use sid values of 1000000 and above).
Forensics view

ehacker@hacker:~$ mbpp -h rtu $temperature_setpoint:float=20 --debug=4
Host data: 20.000000 [00 00 a0 41]
Connecting to [rtu]:502
Modbus.Write(): HOLDING_REGISTER: [4, 2] (float)
Executing WRITE_MULTIPLE_REGISTERS
[00][01][00][00][00][0B][FF][10][00][04][00][02][04][41][A0][00][00]

Reading the frame from left to right: transaction id 0x0001, protocol id 0x0000 (Modbus), length 0x000B (11 bytes follow), unit id 0xFF, function 0x10 (write multiple registers), starting address 0x0004, quantity 0x0002 registers, byte count 0x04, data 41 A0 00 00. The host debug line shows 20.0 as it sits in little-endian memory (00 00 a0 41); on the wire the same IEEE 754 value is sent big-endian, high register first, so holding registers 4 and 5 end up as 0x41A0 and 0x0000. Nothing in the exchange authenticates the writer: any host that can reach port 502 can change the set point this way.
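To make the Modbus/TCP framing, the register/function list above and the rule logic concrete, here is an added example written for this page (it is not code from the deck, from mbpp or from the RTU-2000). It builds the exact write-multiple-registers frame captured in the forensics view from the float 20.0, parses frames back into fields, and applies the same check the Snort rule expresses (external source, unit 255, request touching a named register) in plain Python. The register map is an assumption: coil 0 is taken to be the cooler actuator from the rule’s msg, and holding registers 4–5 the temperature set point from the capture.

```python
import struct

# Function codes from the deck (decimal) and their names.
FUNC_NAMES = {
    1: "read_coils", 2: "read_discrete_inputs", 3: "read_holding_registers",
    4: "read_input_registers", 5: "write_single_coil", 6: "write_single_register",
    15: "write_multiple_coils", 16: "write_multiple_registers",
}
WRITE_FUNCS = {5, 6, 15, 16}          # "if they're writable, they're hackable"
MODBUS_TCP_UNIT = 0xFF                # unit id the deck's rule expects on Modbus/TCP
# Coils and holding registers are separate address spaces, so key on (table, address).
TABLE_FOR_FUNC = {1: "coil", 5: "coil", 15: "coil", 2: "discrete",
                  3: "holding", 6: "holding", 16: "holding", 4: "input"}

# Assumed RTU-2000 register map (constructed for this example, not from the deck).
PROTECTED = {("coil", 0): "cooler actuator state",
             ("holding", 4): "temperature set point",
             ("holding", 5): "temperature set point"}

# The frame from the forensics view, byte for byte.
CAPTURED_WRITE = bytes.fromhex("0001 0000 000B FF 10 0004 0002 04 41A00000")


def float_to_registers(value):
    """IEEE 754 single as two 16-bit registers, high word first (big-endian on the wire)."""
    return list(struct.unpack(">HH", struct.pack(">f", value)))


def registers_to_float(hi, lo):
    return struct.unpack(">f", struct.pack(">HH", hi, lo))[0]


def build_write_multiple_registers(tid, unit, start, regs):
    """Function 16 (0x10) request. MBAP length counts unit id + PDU, not the header."""
    pdu = struct.pack(">BHHB", 16, start, len(regs), 2 * len(regs))
    pdu += struct.pack(">%dH" % len(regs), *regs)
    mbap = struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit)
    return mbap + pdu


def build_read_request(tid, unit, func, start, qty):
    """Functions 1-4: 2-byte starting address + 2-byte quantity."""
    pdu = struct.pack(">BHH", func, start, qty)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def parse_request(frame):
    """Decode a Modbus/TCP request into a dict; ValueError on anything malformed."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError("protocol id %d is not Modbus" % pid)
    if length != len(frame) - 6:
        raise ValueError("MBAP length %d does not match frame" % length)
    func, data = frame[7], frame[8:]
    req = {"tid": tid, "unit": unit, "func": func,
           "func_name": FUNC_NAMES.get(func, "unknown(%d)" % func)}
    if func in (1, 2, 3, 4, 5, 6):
        req["addr"], req["count_or_value"] = struct.unpack(">HH", data[:4])
    elif func in (15, 16):
        req["addr"], req["qty"], byte_count = struct.unpack(">HHB", data[:5])
        if byte_count != len(data) - 5:
            raise ValueError("byte count %d does not match payload" % byte_count)
        if func == 16:
            req["registers"] = list(struct.unpack(">%dH" % req["qty"], data[5:]))
    return req


def is_well_formed(frame):
    try:
        parse_request(frame)
        return True
    except ValueError:
        return False


def check_request(req, from_external, protected):
    """The Snort rule's logic in Python: alert when an external source, using unit 255,
    reads or writes a protected address. Returns an OT-friendly message or None."""
    if not from_external or req["unit"] != MODBUS_TCP_UNIT or "addr" not in req:
        return None
    table = TABLE_FOR_FUNC[req["func"]]
    if req["func"] in (1, 2, 3, 4):
        qty = req["count_or_value"]           # quantity of coils/registers requested
    elif req["func"] in (5, 6):
        qty = 1                               # single write: second field is the value
    else:
        qty = req["qty"]
    touched = range(req["addr"], req["addr"] + qty)
    hits = sorted({protected[(table, a)] for a in touched if (table, a) in protected})
    if not hits:
        return None
    verb = "write to" if req["func"] in WRITE_FUNCS else "read of"
    return "PROTOCOL-SCADA Modbus RTU-2000 %s %s from external source (%s)" % (
        verb, ", ".join(hits), req["func_name"])


def demo():
    """Four constructed observations: the captured write, the rule's read_coils case,
    the HMI doing the same write from inside, and an external read of unprotected registers."""
    frames = [
        ("external", CAPTURED_WRITE),
        ("external", build_read_request(2, MODBUS_TCP_UNIT, 1, 0, 1)),
        ("internal", CAPTURED_WRITE),
        ("external", build_read_request(3, MODBUS_TCP_UNIT, 4, 10, 2)),
    ]
    return [check_request(parse_request(f), src == "external", PROTECTED) for src, f in frames]
```

The check keys on (table, address) rather than on the raw two bytes the rule matches, which is why the same code also catches a write that starts below the set point and runs into it; the Snort rule as written only matches a request that starts exactly at the protected address.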
Mitigation
• Good visibility paramount
• Contextual relevance to rules vital
• How difficult is it to develop such rules?
– Cisco provides extensive library, or use third parties
– Lots of Snort experts out there!
– Modify, test, improve
What about a Stuxnet-style exploit?
Exploiting embedded systems architecture
• Software stack
– Operating system executive (Linux, RTOS)
• Firmware stack
– May be real-time kernel extensions to the OS
– Otherwise, a real-time co-processor for peripheral support
– Updated by the executive
– May not be well secured
Figure: the RTU executive hosts the RTU server, Modbus stack, CLI, update server and bootloader; the firmware executive hosts the real-time I/O and the I2C/SPI communications stack.
Mitigation
• Effective detection and remediation
– E.g. monitor FTP and HTTP uploads used for OS and firmware upgrades
• Deploy advanced malware prevention technologies
• Monitor the firmware actually running in your devices
Sneak peek: Cisco Genesis firmware monitor
• Hardened system to validate the running firmware on ICS devices (PLCs, smart RTUs)
• Mode of operation does not require agents installed on devices
– Optional agent approach for enhanced operation
• Can check firmware and dynamic variables (e.g. process steps)
• Does not interfere with the upgrade process for firmware or process logic
• Defends against Stuxnet-style attacks
GENESIS workflow (figure): discover assets → build image database → periodically query devices → validate against image database → alert on differences
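The workflow above reduces to a whitelist of known-good images checked on a polling loop. The following is an added example written for this page, not Genesis code or any Cisco API: it enrolls per-device, per-region fingerprints (firmware and process logic kept separate), polls a simulated fleet, lets a change-managed upgrade through because its image was enrolled first, and raises an alert when one device’s logic region no longer matches anything in the database. Device names, image contents and the read-back function are all constructed for the example.

```python
import hashlib


def fingerprint(image):
    """SHA-256 of an image or region read back from a device."""
    return hashlib.sha256(image).hexdigest()


class FirmwareMonitor:
    """Agentless check loop: enroll known-good images per (device, region), then
    compare whatever the device reports on each poll against the image database."""

    def __init__(self):
        self.approved = {}    # (device, region) -> set of approved fingerprints
        self.last_seen = {}   # (device, region) -> fingerprint from the previous poll

    def enroll(self, device, region, image):
        """Register an image as acceptable. Enrolling a new version before flashing it
        is what keeps the monitor out of the way of legitimate upgrades."""
        self.approved.setdefault((device, region), set()).add(fingerprint(image))

    def check(self, device, region, image):
        key = (device, region)
        fp = fingerprint(image)
        prev = self.last_seen.get(key)
        self.last_seen[key] = fp
        if key not in self.approved:
            return ("unknown", "no baseline for %s/%s" % key)
        if fp in self.approved[key]:
            if prev is not None and prev != fp:
                return ("ok", "%s/%s moved to another approved image (upgrade)" % key)
            return ("ok", "%s/%s matches image database" % key)
        return ("alert", "%s/%s running unapproved image %s" % (device, region, fp[:12]))

    def poll(self, read_region):
        """read_region(device, region) -> bytes. Returns (device, region, status, detail)
        for every enrolled region, in a stable order."""
        results = []
        for device, region in sorted(self.approved):
            status, detail = self.check(device, region, read_region(device, region))
            results.append((device, region, status, detail))
        return results


# Constructed images standing in for what the query engine reads back from an RTU.
FW_V1 = b"RTU-2000 firmware 1.0 " + bytes(range(64))
FW_V2 = b"RTU-2000 firmware 1.1 " + bytes(range(64, 128))
LOGIC_V1 = b"STEP_1 HEAT; STEP_2 HOLD 20.0; STEP_3 COOL"


def simulate():
    """Two polling rounds over a two-device fleet: a clean baseline, then an approved
    upgrade on rtu-a alongside a silent logic change on rtu-b."""
    mon = FirmwareMonitor()
    fleet = {("rtu-a", "firmware"): FW_V1, ("rtu-a", "logic"): LOGIC_V1,
             ("rtu-b", "firmware"): FW_V1, ("rtu-b", "logic"): LOGIC_V1}
    for (device, region), image in fleet.items():
        mon.enroll(device, region, image)
    read = lambda device, region: fleet[(device, region)]

    round1 = mon.poll(read)
    mon.enroll("rtu-a", "firmware", FW_V2)     # change-managed upgrade, enrolled first
    fleet[("rtu-a", "firmware")] = FW_V2
    fleet[("rtu-b", "logic")] = LOGIC_V1.replace(b"COOL", b"SKIP")   # Stuxnet-style edit
    round2 = mon.poll(read)
    return round1, round2
```

Keeping the process-logic region as its own enrolled object is what lets the monitor notice a changed step sequence even when the firmware itself is untouched, which is the Stuxnet case the deck is concerned with.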
Cisco in Process Control / IoT
• Leverage our strengths in:
– Networking
– Security
– Service design and validation
– Operations
IoT solutions stack (figure): network infrastructure, access control, detection & prevention, advanced malware protection, firmware validation, design and validation, operations
Summary
• All businesses have a “third network”
• Visibility is paramount (you cannot protect what you don’t know)
• Passive detection is critical in closed-loop processes
• Be imaginative in your protection
• Don’t be driven by the SCADA vendor – it’s your plant!