Cyber Defense for Industrial Control Systems - ISACA Presentation



Presented by Daniel Ehrenreich, SCCE, [email protected]

ISACA Ireland Chapter, 11-11-2016

Slides 1-2: Cyber Defense for Industrial Control and Utility SCADA Systems

Daniel Ehrenreich, SCCE, Israel

Slide 3: Introduction

• 1976 -1990 Tadiran Inc.

• 1991 - 2011 Motorola Ltd

• 2011 - 2013 Siemens Ltd

• 2014 - 2014 Waterfall Security Ltd

• 2014 - SCCE Consulting

• 2014 - SCCE Training

Daniel Ehrenreich

SCCE: Secure Communication and Control Experts

Tel: +972-54-9151594

[email protected]

40 years of industrial activity

Slide 4: Cyber Risks Everywhere....

Organizations which know that they have already been under cyber attack

Organizations which do not know that they are under attack: the virus is already there!

Organizations which will be under cyber attack as soon as tomorrow!


Slide 5: IT Security Topics

• Viruses

• Spyware

• Trojans

• Botnets

• Phishing & Spam

• Identity Theft

• Cyber Harassment

• ..... more

IT security is framed by the CIA triad: Confidentiality, Integrity, Availability

Slide 6: SCADA Security Topics

• People “create” technical vulnerabilities

– Incorrect architecture, added signals, zone crossing

– Software bugs, unsecured network wiring, etc.

– Software patches, upgrades and ”minor” modifications

– Software updates without proper testing

• People “create” procedure vulnerabilities

– Allow connection of backdoors for maintenance

– Using same default password for all devices

– Authorized people might perform wrong actions

– Not paying attention to physical perimeter security

Slide 7: SCADA Assures "Safety & Reliability"

• Prevent people causing damage to assets

• Prevent equipment from hurting people

• Reliable operation and high productivity

IT security challenges: Confidentiality, Integrity, Availability

SCADA security challenges: Safety, Reliability, Productivity

Slide 8: SCADA Vulnerabilities 1/2

• Outdated Hardware:

– Cannot be replaced as it works 24/7

– Any replacement may cause an unexpected risk!

• Outdated Operating system

– Cannot be replaced as it works 24/7

– New OS – may not be compatible

– Upgrade may cause unexpected behaviour

• Application Program Risks

– Cannot be replaced as it works 24/7

– Change may cause unexpected behaviour


Slide 9: SCADA Vulnerabilities 2/2

• Computers and software contain vulnerabilities

– Attackers are more creative than defenders (1:000)

– For every “better” defense there will be a new offense

– For every offense one may deploy a stronger defense

• SCADA systems are never perfectly safe

– Internally and externally generated “harms”

– Unauthorized people might access the system

– Authorized people might perform wrong actions

• Expect the Unexpected

– Strange system behaviour may look like an attack

– "Back doors" might bypass all defenses

Slide 10: Internal and External Attacks

• Internally Generated Cyber Attacks

– Start with breaching of the physical perimeter

– Attacker can be an employee or a hacker

– Start with connecting a USB stick to a computer

– Smart attacks can spread without remote control

• Externally Generated Cyber attack

– Starts with social engineering

– May go on for a long time before it is detected

– Requires compromising the safety barriers

Internally generated attack is easier! (Examples on the slide: Stuxnet, 2010; Ukraine, 2015)

Slide 11: Internal Attack on SCADA Systems

Diagram: Public Internet - firewall - Corporate Network - Control Network (SCADA System, Software Test Lab, Vendor Expert Center, Eng. Station, View Consoles)

Slide 12: Remote Attack on SCADA

Diagram: Attacker on the Internet; Vendor Web Server; enterprise Firewall; Corporate (IT) Network with Web Server, Email Server, Domain Name Server (DNS), Business Workstation, Database Server and Modem Pool; IT-OT Firewall; SCADA (OT) Network with Engineering Workstation, Data Historian, RTU and PLC (attack path numbered 1-12 on the slide; no step descriptions)


Slide 13: Advanced Persistent Threats (APT)

• Advanced

– Attacker can develop or buy Zero-Day exploits

• Persistent

– Attacker will continue until they succeed

• Threats

– A significant (well-resourced) entity is behind the attack

Our goal is to mitigate such risks by boosting the “cost” of attack

Slide 14: Know the "Zero-Day" Terminology

• Zero Day Vulnerability

– A vulnerability the vendor has had zero days to fix: newly discovered or just published

– There is no defense measure (patch) available yet!

• Zero Day Exploit

– An exploit was developed for that vulnerability

– No one except the attacker has that exploit

• Zero Day Attack

– Using the exploit for that specific vulnerability

– Once it is published, more attackers can use it

Slide 15: "Back Door" Vulnerability = High Risk!

• Employee’s & Vendor modems

– Activity of "very helpful" employees!

– Negligent connections without a firewall

• Negligent – unsecured connections

– Hackers might identify these connections

• Direct connection to a partner's network!

– Remember Target (USA): 40 M credit cards

• The system owner might not know!!

– Temporary connections turn permanent

– Periodic assessment by external people helps

Figure: security assessment actions

Slide 16: Infection Spreading in SCADA Systems

Diagram of levels, top to bottom: Info level; Control/Automation level; Operational level; Field level (sensors, actuators)


Slide 17: Lockheed Martin Cyber Kill Chain (diagram only)

Slide 18: How Secure are IoT and IIoT Devices?

• Industrial

– Industrial sensors

– Security CCTV

– Alarm system

– More .......

• Commercial

– Washing machine

– Refrigerator

– Air conditioner

– Home cameras

– More ........

Remember the IoT DDoS in the USA, 10-2016 (the Mirai botnet attack on Dyn)

Slide 19: SCADA Deserves Strong Defense

• Coordinated use of multiple security measures

– The Goal: Protecting the industrial assets.

– Remember: Zoning, zoning, zoning – where possible

• Multi-layered structure is more difficult to defeat

– Physical security

– Electronic Security

– Cyber Security

– Active SOC

Without adequate physical security you cannot deploy effective cyber security. Remember the Stuxnet attack.

Slide 20: Security Intrusion & Detection

• Industrial Intrusion Detection System (IIDS)

– Monitors and analyzes SCADA system events

– Detects anomalous behaviour in the process and the communication

– Real-time warning of unauthorized access attempts

• Intrusion Prevention System (IPS)

– Same as above, but also blocks the attack

– Rarely allowed for SCADA/ICS: an in-line block of a legitimate-but-unusual command can stop the process itself

Definition: "A security intrusion is a combination of multiple events/actions that constitutes a security incident in which an intruder gains unauthorized access to a critical asset/resource."


Slide 21: Industrial Cyber Security Challenges

There is no single cyber defense measure (no silver bullet) which can absolutely protect any industrial operation from a cyber attack.

Defense layers shown on the slide:

• Perimeter security: firewall & Network Access Control (NAC)

• Endpoint security: antivirus, OT operation

• Network security: OT network communication

• Control device security: RTUs, PLCs, IEDs, sensors, actuators

Slide 22: Network Isolation - Zoning

• Segregated segments

– Internal from External

– Different Hierarchy levels

– Highly critical SCADA sections

– ..... Wherever possible, do it!

• Achieve enhanced Defense

– Helps collecting Forensic Data

– Slows the worm spreading

– Blocks the hacker's "instructions" (command and control) to the malware

– Analyze the direction of the application data

Diagram zones: Unsecured Internet - Corporate Intranet - DMZ - Application / HMI-ENG level - Automation

Slide 23: DMZ Basic Principles

• Preventing a direct in/out path to SCADA

– Limited inbound traffic to Control Zone

– Controlled outbound traffic from SCADA

– No direct connection between In/Out

– Emergency disconnect; inside or outside

– No network management from outside

• More Cyber security Benefits

– Allows collecting Forensic Data

DMZ - Demilitarized Zone: sits between the Lower Security Section and the Higher Security Section
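The zoning and DMZ principles above can be checked mechanically against a firewall rule set. The following is an added example, not part of the presentation or of any product it mentions: the zone names, security levels and both rule sets are hypothetical, and "service" stands in for the port/protocol a real firewall would match. It flags a rule that skips the DMZ, inbound management into the control zone, and a service that is allowed both into the DMZ from below and from the DMZ into the control zone, which is exactly the "direct connection between In/Out" the slide forbids.

```python
"""Zone/DMZ rule-set checker (added example; zones, levels and rules are hypothetical)."""
from collections import namedtuple

Rule = namedtuple("Rule", "src dst service")

# Security levels from least to most trusted; a single flow may cross only ONE boundary.
LEVELS = {"internet": 0, "corporate": 1, "dmz": 2, "control": 3}
# Services that would let an outsider manage OT equipment; never inbound to control.
MANAGEMENT = {"ssh", "rdp", "snmp", "telnet", "https-admin"}


def check_policy(rules):
    """Return a list of (kind, rule) findings; empty means the rules respect the DMZ principles."""
    findings = []
    for r in rules:
        if r.src == r.dst:
            continue
        # Principle: no path that skips the DMZ (crossing more than one level at once).
        if abs(LEVELS[r.src] - LEVELS[r.dst]) > 1:
            findings.append(("skips-zone", r))
        # Principle: no network management of the control zone from a lower zone.
        if r.dst == "control" and LEVELS[r.src] < LEVELS["control"] and r.service in MANAGEMENT:
            findings.append(("inbound-management", r))
    # Principle: no direct in/out through the DMZ. The same service must not be allowed
    # both INTO the DMZ from below and FROM the DMZ into control, or the DMZ is a relay.
    into_dmz = {r.service for r in rules if r.dst == "dmz" and LEVELS[r.src] < LEVELS["dmz"]}
    dmz_to_control = {r.service for r in rules if r.src == "dmz" and r.dst == "control"}
    for svc in sorted(into_dmz & dmz_to_control):
        findings.append(("relay-through-dmz", Rule("corporate", "control", svc)))
    return findings


# Constructed "weak" rule set: corporate users browse the historian directly and an
# engineer has left an RDP rule open into the control network.
WEAK_RULES = [
    Rule("corporate", "control", "https"),    # skips the DMZ entirely
    Rule("corporate", "control", "rdp"),      # skips the DMZ AND is inbound management
    Rule("corporate", "dmz", "sql"),          # sql allowed into the DMZ ...
    Rule("dmz", "control", "sql"),            # ... and from the DMZ into control: relay path
    Rule("control", "dmz", "historian-push"),
]

# Corrected rule set: control PUSHES data up to a DMZ replica; corporate only reads the DMZ.
HARDENED_RULES = [
    Rule("control", "dmz", "historian-push"),
    Rule("corporate", "dmz", "https"),
    Rule("dmz", "corporate", "syslog"),       # outbound events towards the SIEM
]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name, check_policy(rules))
```

The relay check is deliberately per service: a historian that is written to from the control side and read from the corporate side on different protocols is the intended DMZ pattern, whereas one service that passes straight through is a hole with a DMZ label on it.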

Slide 24: Security Information and Event Management (SIEM)

• Collection of information from multiple sites

– More reliable and faster detection of cyber attacks

Diagram: SIEM processing collects from antivirus, event tracking, Active Directory/RADIUS, computer event logs, firewall event logs and DHCP/DNS; output: reports/alerts
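What makes the combined sources on this slide faster and more reliable than any single one is correlation across them. The code below is an added example, not part of the presentation: constructed, simplified log lines from Active Directory (logon events 4625 and 4624) and an IT-OT firewall are correlated in Python so that a burst of failed logons followed by a success and then a new connection into the OT range raises one high-severity alert. The line format, host addresses and the 10.2.x.x OT prefix are assumptions for the example; real Windows and firewall logs need their own parsers.

```python
"""Cross-source SIEM correlation over constructed AD and firewall log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a simplified "<time> <source> key=value ..." form. Real Windows
# security logs and firewall logs look different; these lines are made up for the example.
SAMPLE_LOGS = """\
2016-11-11T22:01:05 ad event=4625 user=opr1 src=10.1.5.23
2016-11-11T22:01:09 ad event=4625 user=opr1 src=10.1.5.23
2016-11-11T22:01:14 ad event=4625 user=opr1 src=10.1.5.23
2016-11-11T22:01:20 ad event=4625 user=opr1 src=10.1.5.23
2016-11-11T22:01:31 ad event=4624 user=opr1 src=10.1.5.23
2016-11-11T22:03:02 fw action=allow src=10.1.5.23 dst=10.2.0.15 dport=502
2016-11-11T22:10:00 ad event=4624 user=eng2 src=10.1.5.40
2016-11-11T22:11:00 fw action=allow src=10.1.5.40 dst=10.2.0.15 dport=502
"""

LINE_RE = re.compile(r"^(\S+) (\w+) (.*)$")


def parse(line):
    ts, source, rest = LINE_RE.match(line).groups()
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts)
    fields["source"] = source
    return fields


def correlate(lines, fail_threshold=3, window=timedelta(minutes=5), ot_prefix="10.2."):
    """Return [(severity, message)] for the two-stage pattern: guessed logon, then OT access."""
    events = [parse(l) for l in lines.splitlines() if l.strip()]
    failures = defaultdict(list)   # (user, src) -> timestamps of recent failed logons
    suspicious_hosts = {}          # src -> (user, time of the success that followed failures)
    alerts = []
    for ev in events:
        if ev["source"] == "ad" and ev["event"] == "4625":
            key = (ev["user"], ev["src"])
            # keep only failures inside the sliding window, then add this one
            failures[key] = [t for t in failures[key] if ev["ts"] - t <= window] + [ev["ts"]]
        elif ev["source"] == "ad" and ev["event"] == "4624":
            key = (ev["user"], ev["src"])
            if len(failures[key]) >= fail_threshold:
                suspicious_hosts[ev["src"]] = (ev["user"], ev["ts"])
                alerts.append(("MEDIUM", f"{ev['user']} logged on from {ev['src']} "
                                         f"after {len(failures[key])} failures"))
            failures[key] = []
        elif ev["source"] == "fw" and ev["action"] == "allow" and ev["dst"].startswith(ot_prefix):
            hit = suspicious_hosts.get(ev["src"])
            if hit and ev["ts"] - hit[1] <= window:
                alerts.append(("HIGH", f"host {ev['src']} (user {hit[0]}) reached OT "
                                       f"{ev['dst']}:{ev['dport']} shortly after a guessed-password logon"))
    return alerts


if __name__ == "__main__":
    for sev, msg in correlate(SAMPLE_LOGS):
        print(sev, msg)
```

Neither source alone would have fired: the AD log shows only an operator who mistyped a password, and the firewall shows only a permitted Modbus connection. The correlation is what turns the two into an incident worth paging on.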


Slide 25: Data Sanitizing Kiosk

• Data sanitization: file inspection to detect malware in documents and software

– Provides an extra level of assurance against zero-day attacks without reducing the value of the files

• Transfer of Sanitized files to the Network

– Manually, on transferable media

– Through direct connection to network

• Special challenges

– The sanitizing kiosk itself must be periodically updated with new signatures from the AV vendor, so it needs its own controlled update path

Diagram: Data -> Scanning -> Certified Data
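A kiosk does more than run a signature scan; the cheap checks that catch most "document" malware are type sniffing and inspection of archive contents. The following is an added example and is not the presentation's or any vendor's kiosk software: it verifies that a file's magic bytes match its extension, rejects anything that is an executable, and opens Office-style zip containers to look for a VBA project or embedded scripts. The file names, bytes and the accepted-type table are constructed for the example.

```python
"""Minimal sanitizing-kiosk inspection (added example; files and accepted types are constructed)."""
import io
import zipfile

# Magic bytes -> container type, for the handful of types this kiosk accepts.
MAGIC = ((b"%PDF-", "pdf"), (b"PK\x03\x04", "zip"), (b"MZ", "exe"))
# Extensions that are legitimate for each container type.
ALLOWED_EXT = {"pdf": {"pdf"}, "zip": {"docx", "xlsx", "pptx", "zip"}}
# Archive members that carry active content.
ACTIVE_SUFFIXES = (".exe", ".dll", ".js", ".vbs", ".ps1", ".bat", ".scr")


def sniff(data):
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def inspect_file(name, data):
    """Return ('CERTIFIED', []) or ('REJECT', [reasons]) for one file."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    kind = sniff(data)
    reasons = []
    if kind == "exe":
        reasons.append("executable content (MZ header)")
    elif kind == "unknown":
        reasons.append("unrecognised file type")
    elif ext not in ALLOWED_EXT[kind]:
        reasons.append(f"extension .{ext} does not match content type {kind}")
    if kind == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    low = member.lower()
                    if low.endswith("vbaproject.bin"):
                        reasons.append(f"embedded VBA macro project: {member}")
                    elif low.endswith(ACTIVE_SUFFIXES):
                        reasons.append(f"active content inside archive: {member}")
        except zipfile.BadZipFile:
            reasons.append("corrupt or truncated archive")
    return ("REJECT" if reasons else "CERTIFIED", reasons)


def make_office_doc(with_macro):
    """Build a minimal constructed .docx-style zip in memory (not a real Word document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed kiosk queue: names and bytes are made up for this example.
QUEUE = [
    ("report.docx", make_office_doc(with_macro=False)),
    ("invoice.docx", make_office_doc(with_macro=True)),
    ("manual.pdf", b"%PDF-1.4\n%fake\n"),
    ("driver.pdf", b"MZ\x90\x00" + b"\x00" * 32),    # executable renamed to .pdf
    ("firmware.docx", b"%PDF-1.4\n"),                  # PDF bytes carrying a Word extension
]


def run_kiosk(queue=QUEUE):
    return {name: inspect_file(name, data) for name, data in queue}


if __name__ == "__main__":
    for name, (verdict, reasons) in run_kiosk().items():
        print(f"{verdict:9} {name}  {'; '.join(reasons)}")
```

A real kiosk would add the AV engines and, ideally, content disarm (rebuilding the document without its active parts) on top of these structural checks; the point of the example is that a mismatch between what a file claims to be and what it contains is a rejection on its own.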

Slide 26: IDS/IIDS Performs Cyber Defense

• IIDS - Industrial Intrusion Detection System

– Collecting data in critical points in the system

• Anomaly detection – Big Data Analysis

– Analysis done on the process and communication

• The “Normal” is dynamically changing

– Must deploy effective self learning mechanism

• Secure data collection

– Using “replica server” for analyzing the data

If you do not assume that you are targeted and do not start searching for the attack code, you will never find it.
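Slides 20 and 26 describe an IIDS that learns what is normal on the process and communication level and alerts on deviations. The code below is an added example, not the presenter's or any vendor's product, of that self-learning idea in Python over constructed Modbus-style flow records: a learning pass builds a whitelist of (source, destination, function code) flows and a value band per register, and a detection pass flags new flows (writes scored higher than reads) and readings outside the learned band. The record format, addresses, function codes in use and the tolerance are assumptions for the example.

```python
"""Baseline-learning IIDS over constructed Modbus-style flow records (added example)."""
import re

# Simplified flow records; a real IIDS takes these from a SPAN port, tap or replica server,
# never from an in-line position that could delay the process traffic.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+) fc=(?P<fc>\d+) reg=(?P<reg>\d+) val=(?P<val>-?\d+)$"
)
WRITE_FUNCTIONS = {5, 6, 15, 16}   # Modbus write coil(s) / write register(s)

# Learning period (constructed): the HMI polls a tank level, the engineering station sets a setpoint.
TRAINING = """\
08:00:00 10.0.1.10 -> 10.0.2.20 fc=3 reg=40001 val=71
08:00:05 10.0.1.10 -> 10.0.2.20 fc=3 reg=40001 val=73
08:00:10 10.0.1.10 -> 10.0.2.20 fc=3 reg=40001 val=75
08:00:15 10.0.1.10 -> 10.0.2.20 fc=3 reg=40001 val=70
08:01:00 10.0.1.11 -> 10.0.2.20 fc=6 reg=40010 val=50
"""

# Live traffic (constructed): a normal poll, a write from an unknown host, an implausible reading.
LIVE = """\
09:00:00 10.0.1.10 -> 10.0.2.20 fc=3 reg=40001 val=72
09:00:02 10.0.1.55 -> 10.0.2.20 fc=6 reg=40010 val=50
09:00:05 10.0.1.10 -> 10.0.2.20 fc=3 reg=40001 val=250
"""


def parse(line):
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable record: {line!r}")
    ev = m.groupdict()
    for k in ("fc", "reg", "val"):
        ev[k] = int(ev[k])
    return ev


class Baseline:
    """Whitelist of observed (src, dst, function) flows plus a per-register value range."""

    def __init__(self):
        self.flows = set()
        self.ranges = {}     # (dst, reg) -> (min, max) seen during learning

    def learn(self, ev):
        self.flows.add((ev["src"], ev["dst"], ev["fc"]))
        key = (ev["dst"], ev["reg"])
        lo, hi = self.ranges.get(key, (ev["val"], ev["val"]))
        self.ranges[key] = (min(lo, ev["val"]), max(hi, ev["val"]))

    def detect(self, ev, tolerance=0.25):
        alerts = []
        flow = (ev["src"], ev["dst"], ev["fc"])
        if flow not in self.flows:
            sev = "HIGH" if ev["fc"] in WRITE_FUNCTIONS else "MEDIUM"
            alerts.append((sev, f"new flow {ev['src']} -> {ev['dst']} fc={ev['fc']}"))
        key = (ev["dst"], ev["reg"])
        if key in self.ranges:
            lo, hi = self.ranges[key]
            slack = max(hi - lo, 1) * tolerance   # tolerate normal drift around the learned band
            if not (lo - slack <= ev["val"] <= hi + slack):
                alerts.append(("HIGH", f"reg {ev['reg']} on {ev['dst']} = {ev['val']} "
                                       f"outside learned {lo}..{hi}"))
        return alerts


def analyze(training=TRAINING, live=LIVE):
    """Learn from `training`, then return [(record, alerts)] for every record in `live`."""
    base = Baseline()
    for line in training.splitlines():
        if line.strip():
            base.learn(parse(line))
    results = []
    for line in live.splitlines():
        if line.strip():
            results.append((line, base.detect(parse(line))))
    return results


if __name__ == "__main__":
    for line, alerts in analyze():
        print(line, alerts or "ok")
```

Because "normal" changes with the process, a deployed system re-learns on a schedule and during declared maintenance windows; the tolerance parameter is the knob that trades missed drift against nuisance alerts.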

Slide 27: SCADA Cyber Defense Solutions 1/3 - Authenticated Proxy Access (APA)

• Accurate access control definition downloaded to the remote site to specify:

– Who can access the site

– Which devices can be accessed

– What actions can be performed

– Time slot for service execution

• Benefits of the APA

– Eliminates the need for an instant process

– Precise white-list definitions

• Audit trail

– All actions are recorded
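The APA definition above (who, which device, what action, which time slot, everything recorded) maps directly onto a whitelist policy evaluator. The following is an added example in Python and not the presentation's or any vendor's APA: the users, site, devices and both access definitions are hypothetical. The evaluator denies by default, handles a maintenance window that crosses midnight, and appends every decision, allowed or not, to an audit trail.

```python
"""Whitelist access evaluator for a remote site (added example; users, site and devices are made up)."""
from datetime import datetime, time

# Each entry is an explicit allow; anything not matched is denied.
ACCESS_DEFINITIONS = [
    {"user": "j.smith", "site": "PS-07", "devices": {"PLC-1", "RTU-3"},
     "actions": {"read", "firmware_update"},
     "window": ("22:00", "02:00")},             # night maintenance slot, wraps past midnight
    {"user": "vendor-a", "site": "PS-07", "devices": {"PLC-1"},
     "actions": {"read"},
     "window": ("08:00", "17:00")},
]

AUDIT_TRAIL = []   # every decision lands here; a real APA forwards this to the SIEM


def _in_window(window, when):
    start = time.fromisoformat(window[0])
    end = time.fromisoformat(window[1])
    t = when.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end     # window wraps past midnight


def authorize(user, site, device, action, when):
    """Decide one request; returns (allowed, reason) and records the decision."""
    allowed, reason = False, "no matching access definition"
    for d in ACCESS_DEFINITIONS:
        if d["user"] != user or d["site"] != site:
            continue
        if device not in d["devices"]:
            reason = f"device {device} not in white list for {user}"
            continue
        if action not in d["actions"]:
            reason = f"action {action} not permitted for {user} on {device}"
            continue
        if not _in_window(d["window"], when):
            reason = f"outside service time slot {d['window'][0]}-{d['window'][1]}"
            continue
        allowed, reason = True, "matched access definition"
        break
    AUDIT_TRAIL.append({"when": when.isoformat(), "user": user, "site": site,
                        "device": device, "action": action,
                        "allowed": allowed, "reason": reason})
    return allowed, reason


if __name__ == "__main__":
    print(authorize("j.smith", "PS-07", "PLC-1", "firmware_update", datetime(2016, 11, 11, 23, 30)))
    print(authorize("j.smith", "PS-07", "PLC-1", "firmware_update", datetime(2016, 11, 12, 3, 0)))
    print(authorize("vendor-a", "PS-07", "PLC-1", "firmware_update", datetime(2016, 11, 11, 10, 0)))
    for entry in AUDIT_TRAIL:
        print(entry)
```

The denial reason is kept deliberately specific, since the audit trail is only useful to an analyst if it says which of the four conditions failed; the interactive message shown to the requester can be as terse as the site's policy requires.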

Slide 28: SCADA Cyber Defense Solutions 2/3

• Network visualization and modeling

• Cyber event detection within the SCADA network

• Secure remote access during maintenance

• Integration with SIEM & HMI for cyber events


Slide 29: SCADA Cyber Defense Solutions 3/3 - Unidirectional Link

• Used between zones: single-direction data flow

– Generates a replica server for external access

• Primary SCADA defense against external access

– Connecting to the SCADA system is impossible; only the replica server is reachable

• No defense against internally generated attacks

– An internal IDS linked to the SCADA system may report on the event

Diagram: Industrial Network (SCADA, SCADA-based Historian Server) - Unidirectional link - Replica Historian Server (Corporate Network)

Slide 30: Creating a Robust SCADA System

• Preventing unauthorized Control Center configuration changes

• Using frequently changing strong HMI passwords

• Preventing printer sharing in the control room

• Blocking all unused hardware and software ports

• Blocking services which are not linked to process

• Installing software patches supplied by the vendor

• PLC/RTU passwords must be unique and different

• Physical Security !!!

• http://energy.gov/oe/downloads/21-steps-improve-cyber-security-scada-networks

Slide 31: Towards Better Secured SCADA Systems

• Conduct periodic cyber drills and exercises

• You must train your technical staff and users

• Become experts and analyze cyber events

• Establish security policy for all operation levels

• Remember to be prepared for new challenges
