- Whatcom Community College
Download
Report
Transcript - Whatcom Community College
CriticalInfrastructureCybersecurity
Module 3
Technologies
Except where otherwise noted, this presentation is licensed under a Creative Commons Attribution 4.0 International License. ©2017 CyberWatch West, Whatcom Community College.
Lesson Objectives
• List several types of networking hardware and explain the
purpose of each.
• List and describe the functions of common communications
protocols and network standards used within CI.
• Identify new types of network applications, such as TCP/IP<, and
how they can be secured.
• Identify and understand the differences between IPv4 and IPv6.
• Discuss the unique challenges/characteristics of devices
associated with industrial control systems.
• Explain how existing network administration principles can be
applied to secure CIKR.
Except where otherwise noted, this presentation is licensed under a Creative Commons Attribution 4.0 International License. ©2017 CyberWatch West, Whatcom Community College.
Comparison of Information Technology versus Operational Technology
Information Technology (IT)
Operational Technology (OT)
Purpose
Process transactions, provide
information
Control or monitor physical processes and
equipment
Architecture
Enterprise-wide infrastructure
and applications
Event-driven, real-time, embedded hardware and
software (custom)
Interfaces
GUI, web browser, terminal,
and keyboard
Electromechanical, sensors, actuators, coded
displays, hand-held devices
Performance
Non real-time, high
throughput
Real-time, response is time-critical, modest
throughput is acceptable
Connectivity
Corporate network, IP-based
Control networks, hard-wired twisted pair and IPbased
Role
Supports people
Controls machines
Throughput
Requires high throughput
Time-critical, but does not need high throughput
Source: CNSSI No. 1253
Except where otherwise noted, this presentation is licensed under a Creative Commons Attribution 4.0 International License. ©2017 CyberWatch West, Whatcom Community College.
Major Components of an ICS
• Control Server
• SCADA Server or Master Terminal Unit (MTU)
• Remote Terminal Unit (RTU)
• Programmable Logic Controller (PLC)
• Intelligent Electronic Devices (IED)
• Sensors/Actuators
• Human-Machine Interface (HMI)
• Data Historian
• Input/Output (IO) Server
From top left, clockwise:
Programmable Logic
Controller (PLC); rack and
servers located in an
Energy Operations
Center; temperature
sensor; actuator. Source:
CNISSI No. 1253
Except where otherwise noted, this presentation is licensed under a Creative Commons Attribution 4.0 International License. ©2017 CyberWatch West, Whatcom Community College.
Network Components
Many different architectures and network topologies exist within control systems.
Most of these networks now communicate over the Internet or over corporate
networks, connecting to corporate networks
Major components of an ICS network may include:
◦ Fieldbus network
◦ Communications routers
◦ Firewall
◦ Modems
◦ Remote Access Points
Except where otherwise noted, this presentation is licensed under a Creative Commons Attribution 4.0 International License. ©2017 CyberWatch West, Whatcom Community College.
Fieldbus Network – IEC 61158
• An industrial network system connecting instruments, sensors, and
other devices to a PLC or controller.
• Eliminates the need for point-to-point wiring between the controller
and each device, as devices share a common communication channel.
• Typically fieldbus protocols are proprietary, and controllers interfacing
with fieldbus usually have less computing capability.
• Inherently insecure, due to its shared nature.
Except where otherwise noted, this presentation is licensed under a Creative Commons Attribution 4.0 International License. ©2017 CyberWatch West, Whatcom Community College.
Routers
• Routers are network layer devices that
transfer data between two different
networks.
• Commonly used in SCADA networks to
connect MTUs and RTUs to long-distance
medium for SCADA communication.
• Routers used in SCADA environments may
be “ruggedized” as they must operate in
field conditions.
• Many come with SCADA-aware firewall
capability.
Router between 3
LonTalk networks
Source: CNSSI No. 1253
Except where otherwise noted, this presentation is licensed under a Creative Commons Attribution 4.0 International License. ©2017 CyberWatch West, Whatcom Community College.
Firewalls
A network security device that monitors and filters traffic on a network using
predefined “rules” or policies.
Used to segregate ICS networks from corporate networks.
Different types of firewalls can be deployed:
◦ Stateless, or packet filtering – Older firewalls that operated at the Network (Layer 3) only, using
“rules” matching traffic to pre-defined rules. Because of their size and cost-efficiencies, these
are commonly built into devices but have many security vulnerabilities.
◦ Stateful – Operate at the Transport and Network Layer of the OSI model, examining each packet
and making determinations about whether or not each packet is allowed based on context
(what has been received before).
◦ Application – Examine application-layer data (http, ftp, browser requests). Because they have to
read further into the data packets, they are often too slow for ICS networks.
Except where otherwise noted, this presentation is licensed under a Creative Commons Attribution 4.0 International License. ©2017 CyberWatch West, Whatcom Community College.
Modems
• Modulators/demodulators. Modems convert digital signals
to analog so that they can be transmitted over analog phone
lines.
• Used in SCADA systems to transmit data between MTUs and
remote field devices.
• Also used in SCADA systems, DCSs, and PLCs for gaining
access to manage devices and perform maintenance or
diagnostics to troubleshoot issues.
Except where otherwise noted, this presentation is licensed under a Creative Commons Attribution 4.0 International License. ©2017 CyberWatch West, Whatcom Community College.
Remote Access Points
Devices, such as personal digital assistants (PDAs), phones,
tablets, or laptops, that remotely access data over a local area
network (LAN) through a wireless connection.
Except where otherwise noted, this presentation is licensed under a Creative Commons Attribution 4.0 International License. ©2017 CyberWatch West, Whatcom Community College.
Communications Protocols
Proprietary – Specific to a hardware manufacturer. Limited,
if any, compatibility with other equipment or protocols.
Open Architecture – Designed to be interoperable with
equipment and standards.
Popular open communication protocols:
◦ LonWorks
◦ BACNet
◦ Modbus
◦ DNP3
◦ HART
Except where otherwise noted, this presentation is licensed under a Creative Commons Attribution 4.0 International License. ©2017 CyberWatch West, Whatcom Community College.
Modbus
• Created by PLC manufacturer
Modicon in 1979 for use with
its programmable logic
controllers (PLCs); now owned
by Telemechanique
• Established (de facto)
standard as it is a simple
protocol to transmit data over
serial lines between electronic
devices
• Modbus TCP/IP runs over a
TCP/IP network
Except where otherwise noted, this presentation is licensed under a Creative Commons Attribution 4.0 International License. ©2017 CyberWatch West, Whatcom Community College.
IPv4 vs. IPv6
As with ModBus, many systems are converging with data networks, or sending data
over the Internet, encapsulated in TCP/IP packets.
TCP/IP is a protocol suite, developed in 1974, that was adopted for communications
over the Internet.
IPv4, developed in 1974, is limited with its 32-bit address space in its ability to
support the number of devices that would be needed with large-scale addressable.
IPv6 was developed in 1998 and, in addition to supporting 128-bit address space,
contains many security features not in IPv4:
◦ Support for authentication of origin (prevents spoofing)
◦ Encryption
While the Internet backbone is IPv6, many private networks run IPv4 to support
legacy devices.
Except where otherwise noted, this presentation is licensed under a Creative Commons Attribution 4.0 International License. ©2017 CyberWatch West, Whatcom Community College.
ICS Device Challenges
“Compromise of devices that run or are connected to different
critical infrastructure systems could have the potential for
major economic disruption, kinetic damage impacting public
safety, or in extreme cases , catastrophic failure of national
infrastructure or critical systems.”
— NSTAC Report to the President on the Internet of Things
National Security Telecommunications
Advisory Committee
Except where otherwise noted, this presentation is licensed under a Creative Commons Attribution 4.0 International License. ©2017 CyberWatch West, Whatcom Community College.
ICS Device Challenges (cont. 1)
Summary of NSTAC findings:
• It is estimated that, by 2020, there will be as many as 50 billion or more Internetconnected devices (sensors, processors, actuators), most of these directly
supporting the nation’s critical infrastructure systems.
• Most of these will be controlled remotely, across the public Internet, from
personal smartphones or tablets.
• If security is not a made a core consideration, “there will be significant
consequences to both national and economic security.”
Except where otherwise noted, this presentation is licensed under a Creative Commons Attribution 4.0 International License. ©2017 CyberWatch West, Whatcom Community College.
ICS Device Challenges (cont. 2)
The many required connections to other networks and the Internet afford
opportunities to attackers.
◦ Absence of basic security “hygiene” in legacy networks.
◦ Many ICS devices are too small to support authentication or encryption.
◦ Patching is difficult; most often devices are disposed of rather than patched.
◦ Many field-located devices must operate in harsh conditions, requiring them to be
“ruggedized.”
◦ Prolific use of proprietary protocols and even operating systems complicate
interoperability, security, and support.
Except where otherwise noted, this presentation is licensed under a Creative Commons Attribution 4.0 International License. ©2017 CyberWatch West, Whatcom Community College.
Network Architecture for Nuclear Power Plant
Except where otherwise noted, this presentation is licensed under a Creative Commons Attribution 4.0 International License. ©2017 CyberWatch West, Whatcom Community College.
Securing Critical Infrastructure and Key Resources
(CIKR)
• Practice “defense-in-depth,” integrating people, technology, and operations
capabilities. 1
• Minimize known vulnerabilities and design devices to be future compatible. 2
• Identify and assess security vulnerabilities. 2
• Develop interoperable security and trust frameworks to enable threat information
sharing. 2
• As industries update to new technologies, need to segment/separate from networks
still containing legacy devices. 3
1
Glossary of Key Information Security Terms, NISTIR 7298 Revision 2, NIST.
2 NSTAC Report to the President on the Internet of Things, National Security Telecommunications Advisory Committee.
3 Guide to Industrial Control Systems (ICS) Security, NIST Special Publication 800-82 Revision 1.
Except where otherwise noted, this presentation is licensed under a Creative Commons Attribution 4.0 International License. ©2017 CyberWatch West, Whatcom Community College.
ICS Firewall Design Considerations
ICS networks should be segregated (separated)
from the corporate network.
Use a stateful inspection firewall:
◦ Deny all, grant by exception, blocking all
traffic to the ICS network, except specific ICS
traffic.
◦ Enable strong authentication (passwords,
multi-factor authentication using tokens,
biometrics, smart cards) to the ICS network.
◦ Design in the capability to disconnect the
ICS network from the corporate network in
the event of a compromise to either.
“Firewall with DMZ between Corporate Network and Control Network”
Except where otherwise noted, this presentation is licensed under a Creative Commons Attribution 4.0 International License. ©2017 CyberWatch West, Whatcom Community College.
Last Slide
CyberWatch West
Is funded by a National Science Foundation
Advanced Technology Education Grant and is
located at Whatcom Community College
237 West Kellogg Road
Bellingham, WA 98226
T: 360.383.3176
www.cyberwatchwest.org
Except where otherwise noted, this presentation is licensed under a Creative Commons Attribution 4.0 International License. ©2017 CyberWatch West, Whatcom Community College.