Wonderware Conference. Schneider Electric confidential.
TSS-02 WSP 2014 R2 Whitelisting & Cyber Security Recommendations
Alicia Rantos, Principal Technical Support Engineer, Global Customer Support
Introduction: Alicia Rantos
● Principal Technical Support Engineer, Global Customer Support (GCS) for WSP.
● Project lead for GCS Training, GCS vCloud and GCS Cyber Security Lead & Liaison for R&D and other Schneider Electric entities.
● B.S. in Computer Information Systems from Chapman University and MBA from University of California, Irvine.
● Trained with the Department of Homeland Security via CSSP and SANS in 2014.
● GIAC Global Industrial Cyber Security Professional (GICSP) certified 2015.
Summary
This session covers whitelisting as an industrial controls cyber security solution and the recommended configuration details for whitelisting our Wonderware System Platform (WSP) 2014 R2 products with Intel Security's McAfee ePolicy Orchestrator (ePO) products, plus other important industrial security recommendations.
Agenda
● Whitelisting as a cyber security solution
● McAfee ePO and Application Control for whitelisting
● Compatibility, Installation and Administration
● Whitelisting specifics for WSP 2014 R2 and related components
● Installing system updates
● Additional defense-in-depth cyber security recommendations
Whitelisting Solution Overview
●Application Whitelisting is a proactive security technique where only a limited set of approved programs are allowed to run, while all other programs are blocked from running by default.
●Application Whitelisting is not a replacement for traditional security software, such as antivirus and host firewalls. It should be used as one layer in a defense-in-depth strategy.
Whitelisting Solution Overview
●Many control systems are isolated.
●Most control systems cannot be rebooted or can be rebooted only at specific times in very tight maintenance windows.
●Control systems generally have limited memory and hardware resources.
●Many control systems today are running on older operating systems.
● Trend: BMS and Microgrids are adopting whitelisting solutions.
Whitelisting Solution Overview
NERC's Critical Infrastructure Protection Standards (CIP Standards) address cyber attacks specifically and the ability of cyber attacks to create multiple, simultaneous failures in the grid. Utilities that fail to comply with applicable CIP Standards do so at considerable cost: a penalty of up to $1,000,000 per violation. Requirements R3 and R4 of CIP-007 are directly related to securing the critical process control systems at the core of the electric infrastructure: Energy Management Systems (EMS), Distributed or Digital Control Systems (DCS), and Plant Control Systems (PCS). Whitelisting is an effective malicious software prevention tool that satisfies the requirements of CIP-007, R3 and R4.
Whitelisting Solution Overview
● Stuxnet - The virus that ravaged Iran's Natanz nuclear facility
●Known for reportedly destroying roughly a fifth of Iran’s nuclear centrifuges by causing them to spin out of control.
●The complicated malware included a .dll file with additional code to load and perform the attack.
●Whitelisting would have detected the modified .dll and stopped it.
McAfee Application Control
● McAfee Application Control software provides an effective way to block unauthorized applications and code on servers, workstations and fixed-function devices.
● After the installation and activation of McAfee Application Control, all executable applications and files are protected against modification. Updates to the authorized applications in the list can be integrated via the following trusted sources:
  ● Users (user)
  ● Manufacturers (certificate)
  ● Directory
  ● Binary file
  ● Updaters (updating programs, e.g. Windows Update or virus scanners)
McAfee Application Control
●Offers functions that monitor the main memory, provide protection against buffer overflow, and protect files that are running in the main memory.
● Is a component of McAfee Integrity Control. McAfee Integrity Control includes the components McAfee Application Control and McAfee Change Control.
● In the WSP environment, only the functionality of the whitelisting, McAfee Application Control, has been tested.
Compatibility, Installation, Administration
● Currently WSP 2014 R2 (or higher) is compatible with McAfee ePO version 5.1 and Application Control version 6.1.3.
● Administration
  ● The administration of McAfee Application Control can be done in two different ways:
    ● Locally on a computer system (standalone)
    ● Centrally via the administration software McAfee ePolicy Orchestrator (ePO)
  ● We recommend central administration using ePO, which is what we've tested our WSP products with.
Central Administration
● Central administration of the whitelisting takes place via the McAfee ePO.
● All local McAfee Application Control commands and options are centrally managed via the ePO.
● The McAfee ePO administration software must be installed on its own computer with up-to-date hardware and a compatible, McAfee-supported Windows Server operating system (Windows 2008 R2 or Windows 2012 R2).
● Notes:
  ● McAfee ePO must not be installed on a WSP computer or an Active Directory domain controller.
  ● We highly recommend using Active Directory for access control.
Central Administration
Whitelisting WSP 2014 R2 Installation Preparations
Installation and Configuration; Central administration via ePO
● Installation of the ePO server
  ● Install McAfee ePolicy Orchestrator (ePO).
  ● Install the Solidcore Extension Package.
  ● Apply the license for Solidcore or McAfee Application Control.
The standard settings recommended by McAfee for the installation of these products can be used.
Whitelisting WSP 2014 R2 Installation Preparations
1. Set up the system based on the recommendations of the WSP documentation. Reference the WSP Readme.
2. Install and configure the operating system, including available security updates.
3. Install the required programs and components, including WSP.
4. Install all available security updates for the program and program-related components.
5. Install a virus scanner, including security updates and the newest available virus signature files.
Whitelisting WSP 2014 R2 Installation Preparations
6. If possible, isolate the connection to external / third-party networks.
7. Execute a complete virus scan of the computer.
8. Install McAfee Application Control via ePO.
9. Run and test the systems in Observe Mode.
10. Execute the "Solidify" process for all local hard drives and partitions.
11. Activate McAfee Application Control.
12. Restart the computer.
Whitelisting Specifics for Application Server, InTouch, Historian
● Publishers:
  ● Updater Label: Any name (we used "Invensys Certificate" in our example)
  ● Issued To: Invensys System; Issued By: VeriSign Class 3 Code Signing 2010 CA
  ● Extracted From: WSP 2014 R2 (or later) Setup.exe
Whitelisting Specifics for WSP 2014 R2
● Updaters:
  ● Updater By Name: Framework\Bin\aaDCOMTransport.exe
  ● Updater Checksum (for aaDCOMTransport.exe): 64695e7b00763efb0ea975950f566078e0445c39
  ● Updater By Name: c:\program files (x86)\archestra\framework\filerepository\t_object.msi
Whitelisting Specifics for WSP 2014 R2 ● Updaters
Whitelisting Specifics for WSP 2014 R2
● Installers:
  ● aaDCOMTransport.exe
  ● aaPim.exe
  ● ******_Temp.msi (****** = Platform node name; one entry for each node)
  ● T_Object.msi
  ● AAMXCore.msm
  ● MxAccess.msm
  ● LmxProxy.msm
  ● SmartCardAL.msm
  ● RTCommon_IDEGR_Runtime.msm
Whitelisting Specifics for WSP 2014 R2
● Installers (continued):
  ● Security_IDEGR_Runtime.msm
  ● SysObject_IDEGR_Common_Deploy.msm
  ● SysObject_GR_Common_Deploy.msm
  ● ObjectIcons_Common.msm
  ● PFServer_GR_Runtime.msm
  ● LegacyIGDSupport.msm
  ● DASClientRedist.msm
  ● DCOMConfig.msm
  ● DASRedist.msm
Whitelisting Specifics for WSP 2014 R2 ● Installers
Whitelisting Specifics for WSP 2014 R2
● To enable installers, set the following in Solidcore 6.1.3: Application Control Options (Windows) on the Features tab for your policy in the System Tree of the ePO:
  • Package Control
  • Bypass Package Control
Whitelisting Specifics for FS Gateway
● FS Gateway is included in the WSP installation, which is digitally signed. Once the WSP Setup.exe is added as a Publisher, FS Gateway is allowed to run and update the system.
● Nothing additional is needed for FS Gateway in the whitelisting process.
Whitelisting Specifics for DAS ABCIP
● Updaters:
  ● Updater Checksum (for Setup.exe DASABCIP): 36c05f9fad9971aee17a631cce7d117bb09e8774
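The checksum-based updater rules above only protect the node if the binary on disk really is the one the checksum was written for. As an added example (not from the deck, not McAfee or Wonderware code), this Python script verifies updater binaries against the SHA-1 values quoted on the slides before the corresponding rules are created in ePO; the relative path of the DAS ABCIP Setup.exe and the sample files in `demo()` are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

# SHA-1 values quoted on the slides for the two updaters they document. The
# relative path for the DAS ABCIP Setup.exe is an assumption; the deck gives
# its checksum but not its location.
DOCUMENTED_UPDATERS = {
    "Framework/Bin/aaDCOMTransport.exe": "64695e7b00763efb0ea975950f566078e0445c39",
    "DASABCIP/Setup.exe": "36c05f9fad9971aee17a631cce7d117bb09e8774",
}


def sha1_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-1 so a large installer is not read into RAM at once."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_updaters(expected, root):
    """Return {relative_path: "ok" | "mismatch" | "missing"} for each documented updater.

    A "mismatch" means the binary on disk is not the one the checksum rule was written
    for, so it must not be trusted as an updater until the difference is explained.
    """
    results = {}
    for rel_path, want in expected.items():
        target = Path(root) / rel_path
        if not target.is_file():
            results[rel_path] = "missing"
        else:
            results[rel_path] = "ok" if sha1_of_file(target) == want.lower() else "mismatch"
    return results


def demo():
    """Exercise all three outcomes on a constructed tree (sample bytes, not real WSP files)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        good = root / "Framework" / "Bin" / "aaDCOMTransport.exe"
        good.parent.mkdir(parents=True)
        good.write_bytes(b"constructed sample updater")
        expected = dict(DOCUMENTED_UPDATERS)
        expected["Framework/Bin/aaDCOMTransport.exe"] = sha1_of_file(good)  # now matches
        tampered = root / "DASABCIP" / "Setup.exe"
        tampered.parent.mkdir(parents=True)
        tampered.write_bytes(b"bytes that do not match the documented checksum")
        expected["Historian/Missing.exe"] = "0" * 40  # rule for a file that is not on disk
        return verify_updaters(expected, root)
```

On a real node, call `verify_updaters(DOCUMENTED_UPDATERS, r"C:\Program Files (x86)\ArchestrA")` and only create the ePO updater rule for entries reported as "ok".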
Whitelisting WSP 2014 R2
Video
Installing Updates
Service packs, updates, hotfixes and patches for WSP can only be installed once runtime has been fully shut down and the Update Mode of McAfee Application Control has been activated.
1. Power down and close all WSP applications.
2. Restart the computer. If Autologin and Autostart have been configured for WSP systems, they must be deactivated prior to the restart.
3. Switch on Update Mode of Application Control via a Client Task in the ePO.
4. Install the WSP and / or other product update.
5. Restart the computer.
6. Start the completely updated WSP application.
7. Activate Autologin and Autostart if they were deactivated previously.
8. Terminate Update Mode of Application Control via a Client Task in the ePO.
Whitelisting Summary and Important Notes
● There is no out-of-the-box whitelisting configuration.
● Each configuration must be tailored to meet needs based on the software and hardware of a system.
● Multicore processors eliminate the latency that the SHA-1 hash comparison operation can introduce on single-processor systems.
● Not a silver bullet solution.
● A defense-in-depth, multi-layered approach is required.
Questions
Defense-In-Depth Security Recommendations
Defense-In-Depth Security Recommendations
● Cyber Security Framework: IEC-62443
Defense-In-Depth Security Recommendations
● People, Policies and Procedures, Technologies
(Figure: the three pillars, People, Policies and Technology, labelled with Training, SOPs and Tools.)
People, Policies and Procedures, Technologies
All three security pillars can be used to protect a simple control system.
• The technology pillar includes the firewall protecting the system and the login accounts to the control system. In a secure environment the login accounts for the control system would be separate from the general corporate accounts.
• Policies and procedures provide a second pillar by specifying who can be granted login accounts and what training is required before access is granted.
• The people pillar is the training required of employees before they are granted system access, including the reasons for the secure environment, any known risks, and the consequences of failing to protect that environment.
From the NIST Cyber Security Framework
Defense-In-Depth Security Recommendations
Common Attack Vectors
● External/Removable Media:
  ● Attack executed from removable media, such as a USB drive, CD or a peripheral device.
● Attrition:
  ● Attack that employs brute force methods to compromise, degrade or destroy systems, networks, or services.
● Web:
  ● Attack executed from a website or web-based application.
● Email:
  ● An attack executed via an email message or attachment.
● Improper Usage:
  ● Any incident resulting from violation of an organization's acceptable usage policies by an authorized user.
● Loss or Theft of Equipment:
  ● Loss or theft of a computing device or media used by the organization, such as a laptop or smartphone.
Defense-In-Depth Security Recommendations
• A security incident is an event that breaches a baseline.
  • This implies that you know what the baseline is
  • And know that the baseline has been breached
Average time from when an organization is breached to when it finds out about the breach: 250 days
Defense-In-Depth Security Recommendations
● Incident Response - Prepare Capability
  ● Create an incident response policy and plan
  ● Develop procedures for performing incident handling and reporting
  ● Set guidelines for communicating with outside parties
  ● Select a team structure and staffing model
  ● Establish relationships and lines of communication between the incident response team and other groups
  ● Determine what services the incident response team should provide
  ● Staff and train the incident response team
Industrial Controls Cyber Security Resources
● The Schneider Electric security team offers a comprehensive portfolio of cyber security solutions to help address any internal, industry or regulatory requirement needs.
● Schneider Electric's Global Cyber Security Services
  ● Bernie Pella (706)504-7753
  ● [email protected]
• Product Selection/Specification
• Compliance
• Program Definition
• Assessment
• Remediation
• Program Deployment
• Audit Preparation
• Audit Support
Communication Channels: Security
• Security Central
  • Product Security Bulletins
  • Microsoft Security Bulletins
https://softwaresupportsp.invensys.com/Pages/securitycentral.aspx
Communication Channels: Assistance, Reporting, Feedback
• GCS: Global Customer Support
  • [email protected]
  • [email protected]
  • (800)966-3371
https://softwaresupportsp.invensys.com/pages/ContactUsWW.aspx
Communication Channels: Cyber Security Blogs
• Thought Leadership from Doug Clifton: http://blog.schneider-electric.com/author/dclifton/
Training
• DHS: https://ics-cert.us-cert.gov/Training-Available-Through-ICS-CERT
• SANS: http://www.sans.org/critical-security-controls/
• InfoSec: http://www.infosecinstitute.com/
• ISA: http://www.isasecure.org/en-US/
• McAfee/Intel: http://www.mcafee.com/us/services/mcafee-education-services.aspx
Industrial Control Cyber Security Resources
• McAfee Application Control Software: http://www.mcafee.com/us/products/application-control.aspx
• ICS-CERT Targeted Cyber Intrusion Detection and Mitigation Strategies – Update B: https://ics-cert.us-cert.gov/tips/ICS-TIP-12-146-01B
• National Security Agency – Central Security Service: www.nsa.gov
©2015 Schneider Electric. All Rights Reserved. All trademarks are owned by Schneider Electric Industries SAS or its affiliated companies or their respective owners.
Thank you!