Cyber Security in Critical Infrastructure Control Systems


Entelec Spring 2013 Slide1

Cyber Security in Critical Infrastructure Control Systems

Presented by: Motty Anavi, VP Business Development

A practical approach
Entelec Spring 2013

Entelec Spring 2013 Slide2

Growing Awareness for ICS Cyber-Security

VIRUS INFECTION AT AN ELECTRIC UTILITY (Source: ICS-CERT, Jan. 2013)

In early October 2012, a power company contacted ICS-CERT to report a virus infection in a turbine control system which impacted approximately ten computers on its control system network. Discussion and analysis of the incident revealed that a third-party technician used a USB-drive to upload software updates during a scheduled outage for equipment upgrades. Unknown to the technician, the USB-drive was infected with a variant of the Mariposa virus. The infection resulted in downtime for the impacted systems and delayed the plant restart by approximately 3 weeks.

Entelec Spring 2013 Slide3

Advanced Persistent Threats

• Escalation: “bragging rights” -> organized crime -> nation states

• Opportunistic versus Targeted

• Recent examples:

– Stuxnet – industrial sabotage -> Iranian uranium enrichment program

– Ghostnet – stole diplomatic communications -> embassies, Dalai Lama

– Aurora – stole source code and other intellectual property -> Google

– Night Dragon – industrial and commercial intelligence -> large oil companies

Entelec Spring 2013 Slide4

Stuxnet – Targeted Attack on ICS

Entelec Spring 2013 Slide5

“Most Sophisticated Worm Ever”

• Exploited multiple Windows zero-day vulnerabilities
• Targets Siemens PLCs to sabotage the physical process
• Spreads via multiple media:

– USB/removable media
– 3 network techniques
– PLC project files
– Windows database connections

• Drivers digitally signed with legitimate (stolen) certificates
• Installs cleanly on all Windows variants
• Conventional OS rootkit; detects and avoids major anti-virus products
• Advanced reverse-engineering protections

Entelec Spring 2013 Slide6

Source: Byres Security

How Stuxnet Infects a System

Infected removable media:
1. Exploits vulnerability in Windows Shell handling of .lnk files (0-day)
2. Used older vulnerability in autorun.inf to propagate

Local area network communications:
3. Copies itself to accessible network shares, including administrative shares
4. Copies itself to print servers
5. Uses “Conficker” vulnerability in RPC

Infected Siemens project files:
6. Installs in SQL Server database via known and legitimate (stolen) credentials
7. Copies into project files

Entelec Spring 2013 Slide7

“Secure” Private industrial network – The Smart Grid

• MV/LV transformers on poles now enhanced with Smart-Grid equipment; distributed automation in secondary sub-stations

• Inter-connected by regional Ethernet networks with overlaying application communication using simple automation control protocols (IEC 60870, DNP3)

• An attacker gaining access to one site can manipulate the operation of the devices in other sites

Vulnerability: distributed large-scale open internal networks

“smart grid cyber-security guidelines did not address an important element… risk of attacks that use both cyber and physical means”
Electricity Grid Modernization; Report to Congressional Requesters, US GAO, January 2011

Entelec Spring 2013 Slide8

The Great Wall of China Defense

• Firewalls are designed to keep intruders out
• Some provide impervious walls
• BUT: once you break the physical constraint you can reach every point in the internal network
• Antivirus software is designed to identify known signatures and flag or block “suspicious activity”
• Antivirus software does not “know” what each application does
• These defenses restrict access, but once overcome they are ineffective
• The great wall is only as effective as its weakest link

Entelec Spring 2013 Slide9

Vulnerability in Many Current Designs

[Diagram: the “Secure Network” tells an outsider “Thou Shall Not Pass”, while a “Remote Substation” is told “You’re part of the Secure Network - Pass”]

Solution: Defense-in-Depth security architecture

“An aggregated security posture helps defend against cyber-security threats and vulnerabilities that affect an industrial control system”
Strategy for Securing Control Systems, US DHS, October 2009

Entelec Spring 2013 Slide10

Origin of Defense-in-Depth – in IT

“A military strategy sometimes called elastic defense. Defense in depth seeks to delay rather than prevent the advance of an attacker, buying time and causing additional casualties by yielding space.”

http://en.wikipedia.org/wiki/Defense_in_depth

“…the practice of layering defenses to provide added protection. Defense in depth increases security by raising the cost of an attack. This system places multiple barriers between an attacker and your business critical information resources: the deeper an attacker tries to go, the harder it gets.”

Brooke Paul, Jul 01, Security Workshop at Network Computing

Entelec Spring 2013 Slide11

Defense-in-Depth Strategy

[Diagram: People, Technology and Operations arranged around the Information Assurance Strategy]

Source: IAS, Thomas E. Anderson briefing slides

Information Assurance Strategy - ensuring confidentiality, integrity, and availability of data

People - hire talented people, train and reward them

Technology - evaluate, implement, test and assess

Operations - maintain vigilance, respond to intrusions, and be prepared to restore critical services

Entelec Spring 2013 Slide12

Defense-in-Depth Security Model

[Diagram: security layers - Perimeter, Internal, Hosts, Applications, Data]

Entelec Spring 2013 Slide13

Distributed Firewall Deployment

Integrated firewalls as part of the network design

• Secure end-devices
  + Integrated space and power
  – Operational stability
  – Install-base

• Mini-firewall per site
  + Available technology
  – Stand-alone space and power
  – Network complexity

• Network-based firewalls
  + Integrated space and power
  + Network simplicity
  – Technology emerging

Entelec Spring 2013 Slide14

Utilities Cyber Security Threats & Counter-measures

Attack vector -> Security measure

• Control-Center malware -> Service-aware firewall
• Field-site breach -> Distributed firewalls
• Man-in-the-Middle -> Encryption
• Remote maintenance -> Secure remote access

[Diagram: Control Center (HMI, Engineering Station) connected to Facility1 (Controller1, Dev1.1, Dev1.2) and Facility2 (Controller2, Dev2.1, Dev2.2)]

Entelec Spring 2013 Slide15

Defense-in-Depth tool-set

Required feature -> Function

• L2-L4 filters -> Access control
• Inter-site VPN -> IPsec tunnels
• Remote access -> SSH gateway
• Service validation -> App-aware firewall

• Advanced security measures integrated in the switch using a dedicated service-engine to

• Enables easy deployment of an extensive defense-in-depth solution

Entelec Spring 2013 Slide16

Inter-site connectivity

• GRE tunnels used for transparent connectivity of private Ethernet networks across the Internet

• IPsec used to encrypt the GRE tunnels

[Diagram: two private Ethernet networks linked by a tunnel across the Internet]

Entelec Spring 2013 Slide17

Secure Remote Access

• Integrated remote access gateway using an encrypted SSH tunnel
• Optionally use reverse-SSH initiated from the secure site
• Access rights per user (locally or from a RADIUS server)
• SSH tunnel used as a secure transport for any user IP-based session
• User session re-routed to a local-host which sends the data via the SSH tunnel
• Gateway acts as a session proxy hiding the local network
• On-line app-aware session security checks are performed

[Diagram: remote user over the Internet reaching RS-232, RS-485 and Ethernet devices through the gateway]

Entelec Spring 2013 Slide18

Distributed service-aware firewall deployment

• Service-aware inspection of traffic in every end-point
– Rule-based validation of SCADA flows
– Blocking an “insider” attack

• Firewall integrated in multi-service network switches
– Efficient IPS deployment for distributed small sites
– Protection for serial & ETH devices

• Central service management tool
– End-to-end provisioning of security rules
– Reporting network-wide security events

[Diagram: Control Center (HMI, Engineering Station) connected to Facility1 (Controller1, Dev1.1, Dev1.2) and Facility2 (Controller2, Dev2.1, Dev2.2); inspected packet layout: Ethernet & IP header, protocol header, function code, function parameters]

Defense-in-depth is the answer to securing distributed utility networks

Entelec Spring 2013 Slide19

Firewall IPS inspection flow

1. IP: packet originated from and destined to a service member (source/destination IP)

2. Port: packet holds a service-permissible TCP/UDP port number (examples: IEC 104 - TCP 2404; Modbus - TCP 502; SNMP - UDP 161)

3. Address: validation according to protocol-specific device addresses (originator address, link address, ASDU, IO objects)

4. Payload: in-depth packet payload inspection to comply with the “firewall rules” file; firewall rules are configured uniquely between each pair of service members

5. Logging: visual alerts and logging of firewall violations

Entelec Spring 2013 Slide20

Security – Modbus Application Aware Firewall Example

• Modbus Function Codes

Entelec Spring 2013 Slide21

Application aware Firewall

• Using a network management tool the user plans his network and maps the service groups in it
• For each pair of devices, specific firewall rules on the application level can be applied (function codes, address ranges, etc.)
– The user can select multiple device pairs to apply the same firewall profile

Entelec Spring 2013 Slide22

Auto-Learning Capabilities

• Any deviation from the firewall rules is logged in the switch and reported to the central management tool
– Security events are shown on the map and in a dedicated events log

• Simulate mode can be used to learn the network traffic flows
– The “illegal” traffic is reported but not blocked
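As an added illustration (not from the slides and not RAD's product code), the inspection flow of slide 19 and the per-pair application rules and simulate mode of slides 21 and 22, applied to Modbus/TCP: service members, rule values and the sample frames are constructed for the example.

```python
import struct

MODBUS_TCP_PORT = 502
# Constructed service group and per-pair rules (assumed values, not from the
# slides): permitted function codes, expected unit id and register window.
MEMBERS = {"10.1.1.10", "10.1.2.20"}
RULES = {("10.1.1.10", "10.1.2.20"): {"functions": {3}, "unit": 1, "registers": (0, 100)}}
EVENTS = []  # violation log: (action, stage, src, dst, detail)

def parse_modbus_tcp(payload):
    """Decode the MBAP header and the start/count fields of a request PDU."""
    if len(payload) < 12:
        raise ValueError("frame too short")
    _tid, proto, length, unit, fc = struct.unpack(">HHHBB", payload[:8])
    if proto != 0 or length != len(payload) - 6:
        raise ValueError("bad MBAP header")
    addr, qty = struct.unpack(">HH", payload[8:12])
    count = 1 if fc in (5, 6) else qty  # single-write PDUs carry a value, not a count
    return {"unit": unit, "fc": fc, "addr": addr, "count": count}

def inspect(src, dst, dport, payload, simulate=False):
    """Apply the IP -> port -> address -> payload checks; return (action, stage, detail)."""
    def violation(stage, detail):
        action = "report" if simulate else "block"  # simulate mode logs but never blocks
        EVENTS.append((action, stage, src, dst, detail))
        return (action, stage, detail)

    if src not in MEMBERS or dst not in MEMBERS or (src, dst) not in RULES:
        return violation("ip", "endpoints are not a configured service pair")
    rule = RULES[(src, dst)]
    if dport != MODBUS_TCP_PORT:
        return violation("port", f"port {dport} is not the Modbus/TCP port")
    try:
        pdu = parse_modbus_tcp(payload)
    except ValueError as err:
        return violation("payload", str(err))
    if pdu["unit"] != rule["unit"]:
        return violation("address", f"unit id {pdu['unit']} not expected on this link")
    if pdu["fc"] not in rule["functions"]:
        return violation("payload", f"function code {pdu['fc']} not permitted")
    lo, hi = rule["registers"]
    if pdu["addr"] < lo or pdu["addr"] + pdu["count"] > hi:
        return violation("payload", f"register window outside {lo}..{hi - 1}")
    return ("allow", "payload", "ok")

# Constructed frames: a permitted read of 10 holding registers (function code 3)
# and a write single register (function code 6) that the rule does not allow.
READ_OK = bytes.fromhex("000100000006" "0103" "0000000a")
WRITE_BAD = bytes.fromhex("000200000006" "0106" "00051234")
```

Running the same frames with simulate=True yields "report" verdicts and the same EVENTS entries, which is the learning phase the slide describes.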

Entelec Spring 2013 Slide23

Connecting the sub-station LANs – Current status

Network limitations

• SCADA direct access to S.S. IEDs
• Field technician access to:
– Other sub-stations
– Central storage
– Facility RTU
• Remote technician access to RTUs and IEDs in all S.Ss
• Data-sharing between S.Ss

[Diagram: SCADA at the Control Center and a Sub-Station (sub-station RTU, facility RTU, sub-station IEDs, field technician) joined over a SONET/packet network; remote technician and storage reached over the Internet]

Need a unified sub-station LAN with secure inter-site connectivity

Entelec Spring 2013 Slide24

Connecting the sub-station LANs – Future evolution

Use a secure switch connecting the LAN devices to the backbone

• Network segmentation using VLANs/Subnets

• App-aware firewall per-device

• Secure remote access

• Serial-to-ETH protocol gateway

[Diagram: SCADA at the Control Center and a Sub-Station (S.S. RTU, facility RTU, sub-station IEDs, field technician) joined over an SDH/packet network; remote technician and storage reached over the Internet]

Entelec Spring 2013 Slide25

Summary

• When modern critical infrastructure deployments use Ethernet
– Intra-network security is mandatory

• To meet evolving security standards and threats, service-aware Industrial Ethernet solutions must have:
– Unique distributed service-aware firewall
– Integrated defense-in-depth
– Reliable network capabilities
– Easy management and configuration
– Optimized to minimize integration cost

Entelec Spring 2013 Slide26

Cyber Security Sub Committee

• Goal:
– Enhance understanding of cyber security issues as they relate to ICS and SCADA
– Advocate for the industry with the most effective ways to tackle ICS security

• In the process of defining priorities
• Survey in process
• Looking for more participation
• Please contact me via the board or directly at [email protected], 201-378-0213 if interested

Entelec Spring 2013 Slide27

www.rad.com

Thank You For Your Attention

For more information:
Motty Anavi, VP Business Development
[email protected]
(201) 378-0213