Cyber Security in Critical Infrastructure Control Systems


Cyber Security in Critical Infrastructure Control Systems: A practical approach
Entelec Spring 2013
Presented by: Motty Anavi, VP Business Development
Entelec Spring 2013 Slide1
Growing Awareness for ICS CyberSecurity
VIRUS INFECTION AT AN ELECTRIC UTILITY (Source: ICS CERT Jan. 2013)
In early October 2012, a power company contacted ICS-CERT to report a virus infection in a turbine control system which impacted
approximately ten computers on its control system network. Discussion and analysis of the incident revealed that a third-party
technician used a USB-drive to upload software updates during a scheduled outage for equipment upgrades. Unknown to the
technician, the USB-drive was infected with a variant of the Mariposa virus. The infection resulted in downtime for the impacted
systems and delayed the plant restart by approximately 3 weeks.
Advanced Persistent Threats
• Escalation: “bragging rights”
-> organized crime
-> nation states
• Opportunistic versus Targeted
• Recent examples:
– Stuxnet – industrial sabotage
-> Iranian uranium enrichment program
– Ghostnet – stole diplomatic communications
-> embassies, Dalai Lama
– Aurora – stole source code and other intellectual property
-> Google
– Night Dragon – industrial and commercial intelligence
-> large oil companies
Stuxnet – Targeted Attack on ICS
“Most Sophisticated Worm Ever”
• Exploited multiple Windows zero-day vulnerabilities
• Targets Siemens PLCs to sabotage the physical process
• Spreads via multiple media:
– USB/Removable Media
– 3 Network Techniques
– PLC Project Files
– Windows Database Connections
• Drivers digitally signed with legitimate (stolen)
certificates
• Installs cleanly on all Windows variants
• Conventional OS rootkit, detects and avoids major
anti-virus products
• Advanced reverse-engineering protections
How Stuxnet Infects a System
Infected Removable Media:
1. Exploits vulnerability in Windows Shell handling of .lnk files (0-day)
2. Used older vulnerability in autorun.inf to propagate
Local Area Network Communications:
3. Copies itself to accessible network shares, including administrative shares
4. Copies itself to print servers
5. Uses “Conficker” vulnerability in RPC
Infected Siemens Project Files:
6. Installs in SQL Server database via known and legitimate (stolen) credentials
7. Copies into project files
Source: Byres Security
“Secure” Private industrial network – The Smart Grid
• MV/LV transformers on poles now enhanced with Smart-Grid equipment
-> Distributed automation in secondary sub-stations
• Inter-connected by regional Ethernet networks with overlaying application communication using simple automation control protocols (IEC 60870, DNP3)
-> An attacker gaining access to 1 site can manipulate the operation of the devices in other sites
Vulnerability: Distributed large-scale open internal networks
“smart grid cyber-security guidelines did not address an important element… risk of attacks that use both cyber and physical means”
Electricity Grid Modernization; Report to Congressional requesters, US GAO, January 2011
The Great Wall of China Defense
• Firewalls are designed to keep intruders out
• Some provide impervious walls
• BUT: Once you break the physical constraint you can reach
every point in the internal network
• Antivirus software is designed to identify known signatures
and flag or block “suspicious activity”
• Antivirus software does not “know” what each application
does
• These defenses – restrict access, but once overcome are
ineffective
• The great wall is only as effective as its weakest link
Vulnerability in Many Current Designs
(Diagram labels: “Thou Shall Not Pass” at the perimeter firewall; “You’re part of the Secure Network” / “Pass” for the Remote Substation; Secure Network.)
Solution: Defense-in-Depth security architecture
“An aggregated security posture help defend against cyber-security threats and vulnerabilities that affect an industrial control system”
Strategy for securing control systems, US DHS, October 2009
Origin of Defense-in-Depth – in IT
“A military strategy sometimes called elastic defense. Defense in depth seeks to delay rather than prevent the advance of an attacker, buying time and causing additional casualties by yielding space.”
http://en.wikipedia.org/wiki/Defense_in_depth
“…the practice of layering defenses to provide added protection. Defense in depth increases security by raising the cost of an attack. This system places multiple barriers between an attacker and your business critical information resources: the deeper an attacker tries to go, the harder it gets.”
Brooke Paul, Jul 01, Security Workshop at Network Computing
Defense-in-Depth Strategy
Information Assurance Strategy: ensuring confidentiality, integrity, and availability of data
• People - Hire talented people, train and reward them
• Technology - Evaluate, Implement, Test and Assess
• Operations - Maintain vigilance, respond to intrusions, and be prepared to restore critical services
Source: IAS, Thomas E. Anderson, briefing slides
Defense-in-Depth Security Model
(Layered diagram, from the outside in: Perimeter -> Internal -> Hosts -> Applications -> Data)
Distributed Firewall Deployment
• Secure end-devices
+ Integrated -> Space, Power
– Operational stability
– Install-base
• Mini-firewall per site
+ Available technology
– Stand-alone -> Space, Power
– Network complexity
• Network-based firewalls
+ Integrated -> Space, Power
+ Network simplicity
– Technology emerging
Integrated firewalls as part of the network design
Utilities Cyber Security Threats & Counter-measures
Attack vector -> Security Measure:
• Control-Center malware -> Service-aware firewall
• Field-site breach -> Distributed firewalls
• Man-in-the-Middle -> Encryption
• Remote maintenance -> Secure remote access
(Diagram: Control Center with HMI and Engineering Station; Facility1 with Controller1, Dev1.1, Dev1.2; Facility2 with Controller2, Dev2.1, Dev2.2.)
Defense-in-Depth tool-set
• Advanced security measures integrated in the switch using a dedicated service-engine
• Enables easy deployment of an extensive defense-in-depth solution
Function -> Required Feature:
• Service validation -> App-aware firewall
• Remote access -> SSH gateway
• Inter-site VPN -> IPSec tunnels
• Access Control -> L2-L4 filters
Inter-site connectivity
• GRE tunnels used for transparent connectivity of private Ethernet networks across the Internet
• IPsec used to encrypt the GRE tunnels
(Diagram: two Private ETH Networks joined across the Internet)
Secure Remote Access
• Integrated remote access gateway using an encrypted SSH tunnel
– Optionally use reverse-SSH initiated from the secure site
– Access rights per user (locally or from a RADIUS server)
• SSH tunnel used as a secure transport for any user IP-based session
– User session re-routed to a local host which sends the data via the SSH tunnel
– Gateway acts as a session proxy hiding the local network
– On-line app-aware session security checks are performed
(Diagram labels: Ethernet, Internet, RS-485, RS-232)
Distributed service-aware firewall deployment
• Service-aware inspection of traffic in every end-point
– Rule-based validation of SCADA flows
– Blocking an “insider” attack
• Firewall integrated in multi-service network switches
– Efficient IPS deployment for distributed small sites
– Protection for Serial & ETH devices
• Central service management tool
– End-to-end provisioning of security rules
– Reporting network-wide security events
(Diagram: Control Center with HMI and Engineering Station; Facility1 with Controller1, Dev1.1, Dev1.2; Facility2 with Controller2, Dev2.1, Dev2.2. Inspected packet layout: Ethernet & IP Header | Protocol Header | Function Code | Function Parameters.)
Defense-in-depth is the answer to securing distributed utility networks
Firewall IPS inspection flow
• IP: packet originated from and destined to a service member (source/destination IP)
• Port: packet holds a service-permissible TCP/UDP port number (examples: IEC 104: 2404; Modbus: TCP 502; SNMP: UDP 161)
• Address: validation according to protocol-specific device addresses (Originator address; Link address; ASDU; IO objects)
• Payload: in-depth packet payload inspection to comply with the “firewall rules” file. Firewall rules are configured uniquely between each pair of service members
• Log: visual alerts and logging of firewall violations
Security – Modbus Application
Aware Firewall Example
• Modbus Function Codes
Application aware Firewall
• Using a network management tool the user plans his network
and maps the service groups in it
• For each pair of devices specific firewall rules on the application
level can be applied (function codes, address ranges, etc.)
– The user can select multiple device pairs to apply the same firewall
profile
Auto-Learning Capabilities
• Any deviation from the firewall rules is logged in the switch and
reported to the central management tool
– Security events are shown on the map and in a dedicated events log
• Simulate mode can be used to learn the network traffic flows
– The “illegal” traffic is reported but not blocked
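The inspection flow (IP, port, device address, payload), the per-pair application-level rules on Modbus function codes and address ranges, the logging of violations and the simulate mode described on the preceding slides, worked through as an added example in Python. This is not code from the presentation or from any vendor product; the IP addresses, rule profile and Modbus/TCP frames are constructed for illustration.

```python
import struct
MODBUS_TCP_PORT = 502  # permissible TCP port for the Modbus service (from the slide)

def parse_modbus_tcp(payload):
    """Parse MBAP header + PDU; return (unit_id, function_code, start_addr, quantity)."""
    if len(payload) < 8:
        raise ValueError("short frame")
    _tid, proto, length, unit, fc = struct.unpack(">HHHBB", payload[:8])
    if proto != 0 or length != len(payload) - 6:
        raise ValueError("bad MBAP header")
    pdu = payload[8:]
    if fc in (1, 2, 3, 4, 15, 16):      # request carries start address + quantity
        start, count = struct.unpack(">HH", pdu[:4])
    elif fc in (5, 6):                  # single coil/register write: address only
        start, count = struct.unpack(">H", pdu[:2])[0], 1
    else:                               # other codes: no register range to check
        start, count = None, 0
    return unit, fc, start, count

def inspect(src_ip, dst_ip, dst_port, payload, rules, simulate=False, log=None):
    """Inspection flow IP -> port -> device address -> payload; returns allow/block/report.
    rules maps (src_ip, dst_ip) -> (permitted unit ids, {function code: (first, last) register})."""
    log = log if log is not None else []
    def violation(reason):
        action = "report" if simulate else "block"   # simulate mode: log but do not block
        log.append(f"{action}: {src_ip}->{dst_ip}: {reason}")
        return action
    rule = rules.get((src_ip, dst_ip))
    if rule is None:
        return violation("no firewall rule for this pair of service members")
    if dst_port != MODBUS_TCP_PORT:
        return violation(f"port {dst_port} is not permitted for the service")
    try:
        unit, fc, start, count = parse_modbus_tcp(payload)
    except (ValueError, struct.error) as exc:
        return violation(f"malformed Modbus/TCP frame ({exc})")
    unit_ids, fc_ranges = rule
    if unit not in unit_ids:
        return violation(f"unit id {unit} is not permitted")
    if fc not in fc_ranges:
        return violation(f"function code {fc} is not permitted")
    lo, hi = fc_ranges[fc]
    if start is not None and not (lo <= start and start + count - 1 <= hi):
        return violation(f"fc {fc} registers {start}..{start + count - 1} outside {lo}..{hi}")
    return "allow"

# Constructed sample profile: HMI 10.0.1.10 may only read holding registers 0..99 of unit 1
RULES = {("10.0.1.10", "10.0.2.20"): (frozenset({1}), {3: (0, 99)})}
READ_OK = bytes.fromhex("0001000000060103000a0002")    # fc 3, read registers 10..11
WRITE_BAD = bytes.fromhex("00020000000601060005ffff")  # fc 6, write register 5 (not in profile)
```

With simulate=True the same write request is returned as "report" and logged instead of blocked, which is how the learn mode on the next slide collects the flows before rules are enforced.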
Connecting the sub-station LANs – Current status
Network Limitations
• SCADA direct access to S.S. IEDs
• Field technician access to:
– Other sub-stations
– Central storage
– Facility RTU
• Remote technician access to RTUs and IEDs in all S.Ss
• Data-sharing between S.Ss
Need a unified sub-station LAN with secure inter-site connectivity
(Diagram: Control Center with SCADA and Storage; Remote Technician over the Internet; SONET/Packet Network; Sub-station with Sub-station RTU, Facility RTU and Sub-station IEDs; Field Technician.)
Connecting the sub-station LANs – Future evolution
Use a secure switch connecting the LAN devices to the backbone
• Network segmentation using VLANs/Subnets
• App-aware firewall per-device
• Secure remote access
• Serial-to-ETH protocol gateway
(Diagram: Control Center with SCADA and Storage; Remote Technician over the Internet; SDH/Packet Network; Sub-station with S.S. RTU, Facility RTU and Sub-station IEDs; Field Technician.)
Summary
• When modern critical infrastructure deployments use
Ethernet
– Intra-network security is mandatory
• To meet evolving security standards and threats, service-aware Industrial Ethernet solutions must have
– Unique distributed service-aware firewall
– Integrated defense-in-depth
– Reliable network capabilities
– Easy management and configuration
– Optimized to minimize integration cost
Cyber Security Sub Committee
• Goal:
– Enhance understanding of Cyber Security Issues as they
relate to ICS and SCADA
– Advocate for the industry with the most effective ways to
tackle ICS security
• In the process of defining priorities
• Survey in process
• Looking for more participation
• Please contact me via board or directly at: [email protected], 201-378-0213 if interested
Thank You For Your Attention
For more information:
Motty Anavi
VP Business Development
[email protected]
(201) 378-0213
www.rad.com