Industrial Control System Cyber Security and the Employment of Industrial Firewalls as a Partial...
Transcript of Industrial Control System Cyber Security and the Employment of Industrial Firewalls as a Partial...
Page 1
Industrial Control System Cyber Security and the Employment of Industrial Firewalls as a Partial Solution
Hatem Mohammed, Schneider Electric, Industry NOW Express
Page 2
Schneider Electric 2- Industrial Control Cyber Security and the Employment of Industrial Firewalls as a Partial Solution– 2012
Agenda
●What is Cyber Security and why now?
●A security incident
●Vulnerability tracking
●Vendor responsibility
●Customer responsibility
●How to Secure a System?
●The Schneider Electric 6-Step Defense in Depth (DiD) approach to cyber security
●Cyber Security demo
●Features of the Schneider Electric ConneXium Switch and Industrial Firewall
Page 3
Cyber Security?
●Measures used to protect assets against computer threats.
●Covers both intentional and unintentional attacks.
  ●Malware or network traffic overloads can affect a control system.
  ●Accidental misconfiguration or well-intentioned but unauthorized control system changes.
  ●Direct attacks by internal or external threats.
●Increasing the security of the assets also increases the integrity of the production system.
Page 4
What is a Security Incident?
●Customer site issue – attack or misuse
●Vulnerability disclosure – internal or external
  ●Becoming aware of an issue in our products or systems that could allow an attacker to modify the behavior, obtain information that should not be available, or impact the availability.
●US Government Agency Computer Emergency Readiness Team
  ●ICS-CERT disclosures up from 38 (2010) to 136 (2011)
  ●500 predicted in 2013
  ●Schneider Electric product disclosures up from 2 (2010) to 11 (2011)
  ●4 in Jan 2012 alone (3 in Industry)
Page 5
Why is Cyber Security Important?
●Potential risks:
  ●Safety of personnel (injury, fatality)
  ●Production, equipment and financial loss
  ●Loss of sensitive data
●Key security principles:
  ●Confidentiality – prevent disclosure of private information.
  ●Integrity – data cannot be modified without authorization.
  ●Availability – the information must be available when it is needed.
●In the industrial world the priorities are integrity, availability, confidentiality.
Page 6
Why Now?
●The rapidly changing world of technology makes computer systems more vulnerable to a cyber attack.
●Increase in attacks on general IT systems and directed attacks on companies result in an increase in threats to control systems.
●Open systems have proven to be desirable and effective but expose a control system to greater risks.
●Government and companies are responding with cyber security standards for control systems.
●Awareness that control systems contain valuable business data and are also vulnerable has increased the focus on cyber security.
●Dedicated attacks are increasing for industrial companies.
●Researcher focus on control systems is increasing awareness and providing tools.
Page 7
What is the Trend?
What language are you speaking on Ethernet?
Page 8
(image slide, no text)
Page 9
Ethernet Trend in Automation (chart: Industrial Network Penetration, Past / Present / Future)
●Past: Standard in data transmission, Internet and business networks
●Present: Fastest growing technology in industrial networks – expanding from control to fieldbus
●Future: Complete Industrial Ethernet solutions
Page 10
The Future is an Integrated Ethernet Architecture
●Increase plant uptime
●Network (hence data) is accessible yet secure
●Lower cost to maintain
●Ethernet will be the common link for IT, process, control, energy management and building automation
Page 11
Integrated Architectures – ICS Vulnerabilities
(diagram: intrusion vulnerability points)
Page 12
What is a Cyber Security Vulnerability?
●A weakness within a product or a system that could allow the system to be attacked.
●Security researchers are exposing product vulnerabilities
  ●Profit, publicity
  ●To force improvements by vendors
●Vulnerabilities are very common
  ●Microsoft fixes 10-50 each month
  ●Over 500 vulnerabilities predicted in industrial control systems in 2013
Page 13
ICS Security Researchers
●Exposing vulnerabilities in industrial control systems and products
  ●Release exploit examples to drive vendors to improve security
  ●Exploit examples make hacking a system easier
●Motivation
  ●Desire to change the industry
  ●Publicity, money
●Vendors and customers share responsibility for response
Page 14
Vendor’s Responsibility to a Vulnerability
●Provide fixes and patches to vulnerabilities
●Keep customers informed of latest fixes
●Recommend mitigations to limit the risks or remove vulnerability
  ●Use industrial firewalls when needed
  ●Securing your ConneXium switches
●Analyze vulnerabilities to understand their impact on a customer’s system
  ●A PLC command vulnerability on FTP is only an issue for a system if FTP access is allowed to people who could send that command
Page 15
Customer’s Responsibility to a Vulnerability
●A sound security plan and employee training
●Stay informed on vulnerabilities applicable to their system
●Analyze risk involved with every vulnerability and understand impact on application
●Apply mitigations to limit the risks or remove vulnerability
  ●Use industrial firewalls when needed
  ●Securing ConneXium switches
  ●Applying vendor fixes and patches
Page 16
How are Vulnerabilities Tracked?
●Vulnerabilities are tracked by US-CERT and other National CERT bodies
  ●Customers should watch these databases for issues with products they use
●Many vulnerabilities reported on blogs and online magazines
●Schneider Electric updates US-CERT for fixes and recommends mitigations for our products
●Schneider Electric Cyber Security Web Site
  ●Lists all product vulnerabilities
  ●Lists mitigation actions and patches
Page 17
Schneider Electric Cyber Security Website
●White Papers
●Product vulnerability data
  ●Vulnerability list for all products
  ●Mitigation recommendations
  ●Patches and Firmware updates
●Secure vulnerability reporting
●Cyber security news stories
  ●Product releases and updates
  ●Industry news
●RSS feed for vulnerability and news
Global Main Page: Support Cyber Security
Page 18
Security is a Risk Evaluation
●Customers and vendors should both handle security based on risk
  ●Evaluate the risks, take actions on the risks above a defined level
  ●Both systems and products can and should be evaluated for risk
  ●Risks on a product can be mitigated by another component of the system
●Risk = Threat x Vulnerability x Consequence
  ●Threat - a person or event with the potential to cause a loss
  ●Vulnerability - a weakness that can be exploited by an adversary or an accident
  ●Consequence - the amount of loss or damage that can be expected from a successful attack
●Mitigation - something that is done to reduce the risk
  ●Normally reducing the vulnerability or raising the skills needed to exploit it
Page 19
Exercise – Discuss in your group:
●Has your management asked about cyber security?
●Are you doing anything right now for cyber security?
●How are you and your team trained in security?
●Do you have an automation and operation policy?
●Are you willing to change behavior for a more secure system?
Page 20
Agenda
●What is Cyber Security and why now?
●A security incident
●Vulnerability tracking
●Vendor responsibility
●Customer responsibility
●How to Secure a System?
●The Schneider Electric 6-Step Defense in Depth (DiD) approach to cyber security
●Cyber Security demo
●Features of the Schneider Electric ConneXium Switch and Industrial Firewall
Page 21
Security Best Practice - Defence-in-Depth
•Developed by US Gov’t Control Systems Security Program (CSSP)
•Multi-layer approach:
  •Appliances
  •Architectures
  •Policies
  •Training
Page 22
The “Defence in Depth” Approach (DiD)
Schneider Electric’s Recommendation
6 key steps:
1. Security Plan
2. Network Separation
3. Perimeter Protection
4. Network Segmentation
5. Device Hardening
6. Monitoring & Update
Page 23
Defence-in-Depth Step #1: Security Plan
●Define:
  ●Roles and responsibilities
  ●Allowed activities, actions and processes
  ●Consequences of non-compliance
●Full network assessment:
  ●Communication paths
  ●Audit of all devices
  ●Security settings
  ●Network drawings
●Vulnerability assessment:
  ●Potential threats
  ●Consequences
  ●Risk assessment and mitigation
Assessment and Design Service
ConneXium Network Manager
Product Alerts
Page 24
“Defence in Depth” Step #2: Network Separation
●Separate the Industrial Automation & Control System (IACS) from the outside world
●Create a ‘buffer’ network (DMZ) between the IACS network and the rest of the world, using routers and firewalls
●Block inbound traffic to the IACS except through the DMZ firewall
●Limit outbound traffic to essential and authorized traffic only
PlantStruxure Secure Reference Architectures
●DMZ host for servers
  ●Vijeo Historian mirror
  ●Web servers
  ●Authentication server
  ●Remote access server
  ●Anti-virus server
Page 25
“Defence in Depth” Step #2: Network Separation – Secure Reference Architectures
Secure PlantStruxure architectures incorporating key security zones:
●Control Room DMZ
●Operation Network
●Control Network
●Device Network/Functional
Page 26
“Defence in Depth” Step #2: Network Separation – Secure Reference Architectures
●Data flows between zones
●Defines the settings for conduits/firewalls
Page 27
“Defence in Depth” Step #3: Perimeter Protection
●Protect the Industrial Automation & Control System perimeter using a firewall
  ●Validate packets and protocols
  ●Manage authorization of certain data packets
●Restrict IP address or user access via authorization and authentication
●Protect critical parts of the process with additional firewalls within the ICS
●Secure remote accesses
  ●Use the VPN technology of routers and firewalls
●Use the latest authentication and authorization technologies. They’re evolving fast.
Examples: ConneXium Firewall Configuration; Remote Access/VPN
Page 28
“Defence in Depth” Step #3: Perimeter Protection – ConneXium Firewall
●Firewall - a device for filtering packets based on source/destination IP address and protocol.
●Ingress and Egress filtering
  ●Source IP addresses should be very few
●Rule placement
  ●Firewalls should be configured with a default Deny All rule
  ●Rules that address the expected traffic
  ●Permit Rules should have specific IP addresses and TCP/UDP port numbers
  ●Only pre-defined traffic should be allowed from the IT network to control network
Page 29
“Defence in Depth” Step #3: Perimeter Protection – Industrial Firewall Configuration
●The National Institute of Standards and Technology (NIST) has provided the following guidelines:
  ●The base rule set should be “deny all, permit none.”
  ●Ports and services enabled on a specific case-by-case basis.
  ●Risk analysis and a responsible person identified for every permit rule.
  ●All “permit” rules should be both IP address and TCP/UDP port specific.
  ●All rules should restrict traffic to a specific IP address or range of addresses.
  ●Traffic should be prevented from transiting directly from the control network to the corporate network. All traffic should terminate in a DMZ.
  ●All outbound traffic from the control network to the corporate network should be source and destination-restricted by service and port.
  ●Control network devices should not be allowed to access the Internet even if protected via a firewall.
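One way to check a perimeter rule set against the guidelines on this slide, as an added example that is not Schneider Electric's code or the ConneXium firewall's rule syntax (the Rule fields, zone names and sample rules are assumptions constructed here):

```python
"""Lint a perimeter firewall rule set against the NIST-derived guidelines
listed on this slide.  Added example: not Schneider Electric code and not
the ConneXium firewall's rule syntax; the Rule fields, zone names and
sample rules are assumptions constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    src_zone: str          # "control", "dmz", "corporate", "internet" or "any"
    dst_zone: str
    src: str               # IP address, CIDR range, or "any"
    dst: str
    proto: str             # "tcp", "udp" or "any"
    port: Optional[int]    # destination port; None means any port
    owner: str = ""        # responsible person identified for the permit rule


def is_specific(addr: str) -> bool:
    """True for a single address or an address range; False for 'any'."""
    if addr == "any":
        return False
    try:
        ipaddress.ip_network(addr, strict=False)
        return True
    except ValueError:
        return False


def lint(rules: List[Rule]) -> List[str]:
    """Return one finding per guideline violation; an empty list means compliant."""
    findings = []
    last = rules[-1] if rules else None
    if not (last and last.action == "deny" and last.src == "any" and last.dst == "any"):
        findings.append("base rule set is not 'deny all, permit none': no final deny any->any")
    for i, r in enumerate(rules):
        if r.action != "permit":
            continue
        tag = f"rule {i} ({r.src_zone}->{r.dst_zone})"
        if not (is_specific(r.src) and is_specific(r.dst)):
            findings.append(f"{tag}: permit rule must be IP-address specific")
        if r.proto == "any" or r.port is None:
            findings.append(f"{tag}: permit rule must be TCP/UDP port specific")
        if not r.owner:
            findings.append(f"{tag}: no responsible person identified")
        if {r.src_zone, r.dst_zone} == {"control", "corporate"}:
            findings.append(f"{tag}: control<->corporate traffic must terminate in the DMZ")
        if r.src_zone == "control" and r.dst_zone == "internet":
            findings.append(f"{tag}: control network devices must not reach the Internet")
    return findings


# Constructed sample rule sets (private and RFC 5737 addresses, not a real site).
COMPLIANT = [
    Rule("permit", "control", "dmz", "192.168.10.0/24", "192.168.20.10", "tcp", 443, "J. Doe"),
    Rule("permit", "corporate", "dmz", "10.1.0.0/16", "192.168.20.10", "tcp", 443, "J. Doe"),
    Rule("deny", "any", "any", "any", "any", "any", None),
]
NON_COMPLIANT = [
    Rule("permit", "corporate", "control", "any", "192.168.10.5", "tcp", 502, "K. Lee"),
    Rule("permit", "control", "internet", "192.168.10.5", "203.0.113.9", "any", None, ""),
]

if __name__ == "__main__":
    for name, rules in (("compliant", COMPLIANT), ("non-compliant", NON_COMPLIANT)):
        print(name, lint(rules) or "no findings")
```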
Page 30
“Defence in Depth” Step #3: Perimeter Protection – Remote Access / Virtual Private Network
●Description
  ●Used to provide secure communications across non-trusted networks
  ●Provides security through encryption and authentication, restricting access and protecting the data as it moves.
  ●Client VPN (telecommuter for example), or Site-to-Site
●Basics
  ●Extends protection of the network, or allows client access across the Internet
  ●Two flavors: IPsec and SSL/TLS
  ●Can utilize RADIUS - uses several different types of authentication; examples are username and password, digital signatures, and hardware tokens
  ●Can also use LDAP in making access decisions
Page 31
“Defence in Depth” Step #4: Network Segmentation and Zones
●Create Security Zones
  ●Limit and monitor access between zones
  ●Limits the effect of a security issue, alerts when an issue occurs
●Use managed switches
  ●Limit access to network packets.
  ●Precisely segment the network using VLANs
  ●Limit rates of ‘multicast’ and ‘broadcast’ messages to protect from DoS type attacks
  ●Limit physical connections using port security
ConneXium Switches
ConneXium Firewalls
Page 32
“Defence in Depth” Step #4: Network Segmentation and Zones – ConneXium Switches
●Switches
  ●Limit traffic flow to prevent data gathering
  ●Implement VLANs to allow the logical and physical architectures to be different (less hardware cost but more complex setup and maintenance)
●Segmenting the network is…
  ●Good network design but also assists with security
  ●Allows the creation of concentration points to move from one zone to another, allowing a single place for security checks
  ●Limits the impact of a security breach
●Weakness
  ●Can be bypassed by flooding the switches
  ●Can cause difficulty when trying to connect and login
Page 33
“Defence in Depth” Step #4: Network Segmentation and Zones – ConneXium Firewalls
●Separate security zones using ConneXium deep packet inspection firewalls
●Apply normal firewall rules
●Deep packet inspection
  ●Filter Modbus requests to read/write
  ●Limit access to specific registers/ports
  ●Allow or disallow programming
  ●MAC address filtering
●Use special rules to mitigate vulnerabilities by blocking before they reach the device
  ●Example: FTP buffer overflow rule for PLC, allows FTP access but prevents overflow packets
Page 34
“Defence in Depth” Step #5: Device Hardening
●On all devices
  ●Replace default passwords with ‘strong’ passwords
  ●Shut off unused ports, communication services and hardware interfaces
  ●Set up broadcast limiter functions
  ●Use multicast message filtering
  ●Avoid generating requests faster than system can handle
●On PCs and HMI terminals
  ●Forbid or seriously control the use of any external memory
●On Unity Pro and Vijeo Citect
  ●Set up all security features - passwords, user profiles, operator action logging
●On ConneXium switches
  ●Restrict access on ports to assigned addresses only
●On remote I/Os
  ●Restrict access to authorized PACs only
•Vijeo Citect PCs
•Vijeo Historian PCs
•Unity Pro PACs
•Magelis HMI terminals
•ConneXium switches
•Modicon STB I/O islands
•Altivar speed drives
•Any I/O or instrument on fieldbus
Page 35
Password Management
●Fundamental tools of device hardening
  ●Passwords can easily and quickly be implemented but are too often neglected in the control system network.
  ●Policies and procedures on password management are often lacking or missing entirely.
●Password Management Guidelines
  ●Change all default passwords immediately after installation:
    ●PC / SCADA / HMI user and application accounts
    ●Network control equipment
    ●Devices with user accounts
  ●Grant passwords only to people who need access. Prohibit password sharing.
  ●Do not display passwords during password entry
  ●Passwords should contain at least 8 characters and should combine upper and lowercase letters, digits, and special characters such as !, $, #, %
  ●Require users and applications to change passwords on a scheduled interval.
  ●Remove employee access account when employment has terminated.
  ●Require use of different passwords for different accounts, systems, and applications.
  ●Password implementation must never interfere with the ability of an operator to respond to a situation (e.g. emergency shut-down)
  ●Passwords should not be transmitted electronically over the unsecure Internet, such as via e-mail.
Page 36
PC Hardening
●Restrict physical access to administrators or similar authorized personnel.
  ●Locate physical machines outside of operator access areas
●Restrict network access using a DMZ if possible.
●Disable or remove unused programs and services.
●Hardening of servers, particularly user account management and patching, should be a continuous process improvement. All file systems should be NTFS.
●Harden the PC server and its operating system via strong and unique user and administrative account passwords.
●Use enterprise grade operating systems, such as Windows 2008R2 Standard Server, maximizing the benefits of DEP (Data Execution Prevention) and UAC (User Account Control) provided by these operating systems.
●Patch operating system to current required levels on a documented, monitored schedule.
●Implement Microsoft Windows authentication, perhaps centrally using Active Directory if possible.
Page 37
Anti-Virus
●Description
  ●Monitoring of the system and blocking / removal of programs matching a known virus
●Basics
  ●Anti Virus is a blacklisting technology – defines what is not allowed.
  ●Based on signatures of known bad items (software, files etc.)
●Weakness
  ●Processor intensive since the system must be scanned against the known signature list.
  ●Most systems contain < 1/3 of the virus signatures that are known.
  ●Anti Virus vendors distribute signatures based on active viruses and location in the world.
Switch Hardening
● SNMP
  ● Deactivate SNMP v1 and v2 and use SNMP v3 whenever possible
  ● Change default passwords / community strings
  ● If SNMP v1/v2 is needed, use access settings to limit the devices (IP addresses) that can access the switch. Assign different read and read/write passwords to devices.
● Telnet/Web Access (HTTPS)
  ● Both are active in the default state and allow full switch configuration
  ● Deactivate the telnet server if not using the command line interface to configure the switch
  ● Change the default read and read/write passwords for the telnet and Web servers
  ● After configuration and operational verification, disable the web server for highly secure systems
  ● Note: Disabling both the telnet server and the web server will result in only being able to access the switch via the V.24 port.
● Ethernet Switch Configurator Software Protection
  ● The Ethernet Switch Configurator Software protocol allows users to assign an IP address, net mask and default gateway IP to a switch.
  ● Once configuration is complete, disable the Ethernet Switch Configurator Software protocol frame or limit the access to read-only.
● Ethernet Switch Port Access
  ● A malicious user who has physical access to an unsecured port on a network switch could plug into the network behind the firewall to defeat its incoming filtering protection.
  ● Ethernet switches maintain a table called the Content Addressable Memory (CAM) that maps individual MAC addresses on the network to the physical ports on the switch.
  ● A MAC flooding attack fills the CAM table and the switch becomes a hub, allowing capture of data.
● Ethernet Switch Port Risk Mitigation
  ● Disable unused ports
  ● Lock specific MAC addresses to specific ports on the Ethernet switch.
  ● Lock specific IP addresses to specific ports on the Ethernet switch
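To make the CAM-table point concrete, here is an added toy model (example code, not from the slide deck or from Schneider Electric): a switch that learns source MACs into a small CAM table, what happens to forwarding once a flood of forged source addresses fills it, and how locking a port to its expected MACs (or to none, for an unused port) stops the flood. The table capacity, MAC addresses and port numbers are constructed sample values.

```python
"""Added example (not from the slide deck): a toy Ethernet switch CAM table
showing why MAC flooding degrades a switch to a hub, and how per-port MAC
locking (port security) stops it. All MACs and port numbers are constructed."""
from collections import OrderedDict

CAM_CAPACITY = 4   # tiny so the effect is visible; real switches hold thousands of entries


class Switch:
    def __init__(self, capacity=CAM_CAPACITY, locked=None):
        self.capacity = capacity
        self.cam = OrderedDict()        # MAC -> port, oldest entry first
        self.locked = locked or {}      # port -> set of MACs permitted on that port
        self.violations = []            # (port, mac) pairs blocked by port security

    def learn(self, src_mac, port):
        """Learn the source MAC of an ingress frame, honouring port locks."""
        allowed = self.locked.get(port)
        if allowed is not None and src_mac not in allowed:
            self.violations.append((port, src_mac))
            return False                # frame dropped: port-security violation
        if src_mac not in self.cam and len(self.cam) >= self.capacity:
            # Simplification: evict the oldest entry. Real switches differ in detail,
            # but either way the legitimate mapping is lost or never refreshed.
            self.cam.popitem(last=False)
        self.cam[src_mac] = port
        return True

    def forward_ports(self, dst_mac, ingress_port, all_ports):
        """Ports a frame to dst_mac leaves on: one port if known, all others if not."""
        if dst_mac in self.cam:
            return {self.cam[dst_mac]}
        return set(all_ports) - {ingress_port}   # unknown destination: flooded like a hub


def flood_demo(locked=None):
    """HMI on port 1, PLC on port 2, a flood of forged source MACs on port 3.
    Returns the set of ports a frame from the HMI to the PLC is sent out of."""
    sw = Switch(locked=locked)
    sw.learn("00:00:00:00:00:01", 1)   # HMI (constructed MAC)
    sw.learn("00:00:00:00:00:02", 2)   # PLC (constructed MAC)
    for i in range(10):                # many forged source addresses on port 3
        sw.learn(f"de:ad:be:ef:00:{i:02x}", 3)
    return sw.forward_ports("00:00:00:00:00:02", 1, [1, 2, 3])
```

With no lock, the PLC's entry is pushed out and the HMI-to-PLC frame is also copied to port 3; locking port 3 to an empty set (the unused-port case) keeps the CAM table intact and the frame goes to port 2 only.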
PLC Hardening
● Modify HTTP passwords when possible
● Block access to unused services using an external firewall
  ● HTTP / SOAP
  ● FTP
  ● SNMP (not a big issue due to read-only access)
● Limit Modbus access using an Access Control List
PLC Hardening - Access Control Lists
● Description
  ● Limits Modbus access using a list of permitted IP addresses
  ● Only protection available today on the PLC for the Modbus protocol (external protection is better)
● Basics
  ● Similar to a firewall but only applicable to port 502
● Weakness
  ● Easy to bypass with IP address spoofing or a "man in the middle" attack
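As an added example (not the PLC's own ACL implementation and not code from the deck) of the layered check an external firewall can add on port 502: parse the Modbus/TCP MBAP header and function code, apply the permitted-IP list, and additionally restrict each source to the function codes it needs, so a read-only HMI address cannot be used for writes. Addresses, frames and the policy table are constructed sample values.

```python
"""Added example (not from the slide deck): a Modbus/TCP policy check of the
kind an external industrial firewall applies on port 502, combining the PLC's
permitted-IP list with a per-source function-code allow list."""
import struct

READ_ONLY = {1, 2, 3, 4}            # read coils / discrete inputs / holding / input registers
WRITES = {5, 6, 15, 16, 22, 23}     # single and multiple coil/register writes

# Constructed policy: source IP -> permitted Modbus function codes
POLICY = {
    "192.168.10.20": READ_ONLY,             # HMI: read only
    "192.168.10.30": READ_ONLY | WRITES,    # engineering workstation
}


def parse_modbus_tcp(payload):
    """Return (unit_id, function_code) from a Modbus/TCP ADU, or raise ValueError."""
    if len(payload) < 8:
        raise ValueError("short frame")
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    if length != len(payload) - 6:      # MBAP length covers unit id + PDU
        raise ValueError("MBAP length mismatch")
    return unit, payload[7]


def check(src_ip, payload, policy=POLICY):
    """Decide whether a frame passes. Returns (allowed, reason)."""
    try:
        unit, fc = parse_modbus_tcp(payload)
    except ValueError as e:
        return False, f"malformed: {e}"     # drop anything the parser cannot validate
    permitted = policy.get(src_ip)
    if permitted is None:
        return False, f"{src_ip} not in permitted IP list"
    if fc not in permitted:
        return False, f"function code {fc} not permitted for {src_ip}"
    return True, f"fc {fc} to unit {unit} permitted"


def adu(fc, data, tid=1, unit=1):
    """Build a Modbus/TCP ADU for constructed sample frames."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu
```

The IP list still inherits the spoofing weakness the slide names; the function-code restriction narrows what a spoofed read-only address could do but does not remove that weakness.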
Citect Hardening
● Run Citect with non-administrative privileges only.
● Do not install developer tools on a running production Vijeo Citect server.
  ● These tools should be installed only on dedicated workstations.
● Provide operator access to the server via Vijeo Citect Web Clients.
  ● Use Web Clients instead of Internet Display Clients.
● Limit who can see specific information by configuring roles within Vijeo Citect.
● Prevent web and e-mail access on systems directly on or accessing the Vijeo Citect system. It is recommended that web and e-mail access be highly restricted, if not disabled entirely, for any system in the control room.
"Defense in Depth" Step #6: Monitor and Update
● Monitor, manage and protect service
  ● 24/7 remote security monitoring
  ● Configuration monitoring
  ● Reporting for audit compliance
  ● Network and host intrusion detection systems
● Monitor
  ● Authentication traps
  ● Unauthorized login attempts
  ● Unusual activity
  ● Windows Event Viewer
  ● Network load
  ● Device log files
• Monitor, Manage, Protect Service
• Citect log files
• Unity Pro log files
• PLC Event Viewers
• PLC Diagnostics and access lists
"Defense in Depth" Step #6: Monitor and Update: Intrusion Detection Systems (IDS)
● Description
  ● An IDS monitors events occurring in a computer system or network and detects signs of possible incidents (malware, worms, viruses, attacks, etc.)
  ● Network and device IDS systems are possible
  ● Alerts administrators (e-mails, user interface, etc.) and logs issues
● Basics
  ● Can be configured per firewall rule set or policy
  ● Classes of detection methodologies: signature-based, anomaly-based, and stateful protocol analysis, or some combination
  ● Signature: known threat. Anomaly: normal/abnormal deviations. Stateful: understands and can track the state of certain stateful protocols
  ● A network IDS requires a concentration point to collect traffic when used in a switched network
  ● Can be very useful to develop custom rules to address new threats
● Weaknesses
  ● False positives, false negatives, true positives, true negatives
  ● Requires significant skill and full-time effort
  ● Architecture placement is important
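The detection classes described here and the monitoring items on the previous slide (authentication traps, unauthorized login attempts, device log files), as an added example that is not from the deck: a small monitor that applies signature rules and a simple anomaly baseline to constructed switch and PLC log lines. The log format, host addresses and the failed-login threshold are assumptions.

```python
"""Added example (not from the slide deck): a minimal monitor applying two of
the detection classes the slide names, signature-based and anomaly-based, to
constructed device log lines of the kind a switch or PLC would emit."""
import re
from collections import Counter

# Constructed sample log lines: "<time> <device> <message>"
LOGS = """\
08:00:01 switch1 login failed user=admin from=192.168.10.77 via=telnet
08:00:02 switch1 login failed user=admin from=192.168.10.77 via=telnet
08:00:03 switch1 login failed user=admin from=192.168.10.77 via=telnet
08:00:04 switch1 login failed user=admin from=192.168.10.77 via=telnet
08:00:10 switch1 snmp auth failure community=public from=192.168.10.77
08:01:00 plc1 modbus write fc=16 from=192.168.10.30
08:01:05 plc1 modbus write fc=16 from=192.168.10.99
""".splitlines()

# Signature rules: a pattern for a known-bad event and the alert it raises
SIGNATURES = [
    (re.compile(r"snmp auth failure community=(public|private)\b"),
     "SNMPv1/v2 default community string tried"),
    (re.compile(r"login failed .* via=telnet"), "telnet login failure"),
]

# Anomaly baseline (assumed): hosts allowed to write to PLCs, and the failed-login
# count considered normal within the monitored window
BASELINE_HOSTS = {"192.168.10.20", "192.168.10.30"}
MAX_FAILED_LOGINS = 3


def detect(lines, baseline=BASELINE_HOSTS, max_failed=MAX_FAILED_LOGINS):
    """Return a list of (detection_class, detail) alerts for the given log lines."""
    alerts, failed = [], Counter()
    for line in lines:
        m = re.search(r"from=(\S+)", line)
        src = m.group(1) if m else "?"
        for pattern, name in SIGNATURES:            # signature-based: known threats
            if pattern.search(line):
                alerts.append(("signature", f"{name} from {src}"))
        if "login failed" in line:                  # anomaly-based: rate above baseline
            failed[src] += 1
            if failed[src] == max_failed + 1:       # alert once when the threshold is crossed
                alerts.append(("anomaly", f"{failed[src]} failed logins from {src}"))
        if "modbus write" in line and src not in baseline:   # writer not in baseline
            alerts.append(("anomaly", f"Modbus write from unknown host {src}"))
    return alerts
```

Note the four telnet signature hits for one burst: the slide's "false positives / noise" point is visible here, and the single anomaly alert is the one an operator would act on.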
"Defense in Depth" Step #6: Monitor and Update: Intrusion Prevention Systems (IPS)
● Description
  ● Similar to an IDS but adds the ability to prevent rather than only detect
  ● Mostly on the end device, not the network
  ● Alerts administrators (e-mails, user interface, etc.) and logs issues
● Basics
  ● Can be configured per firewall rule set or policy
  ● Classes of detection methodologies: signature-based, anomaly-based, and stateful protocol analysis, or some combination
  ● Signature: known threat. Anomaly: normal/abnormal deviations. Stateful: understands and can track the state of certain stateful protocols
  ● Commonly uses White Listing as a prevention technique
● Weaknesses
  ● False positives, false negatives, true positives, true negatives
  ● An IPS can shut down traffic that is OK to have on the network
  ● Requires significant skill and full-time effort
  ● Architecture placement is important
"Defense in Depth" Step #6: Monitor and Update: Monitor, Manage, and Protect
● Monitoring and management of the control system
  ● Devices, protocols, communications, user accounts, product/firmware versions, device settings
  ● Host intrusion detection
  ● Network intrusion detection
● Protection of the control system
  ● Boundary and security zone firewalls
  ● Application White Listing
● Compliance audit and change management
● Partnership with Industrial Defender
  ● Number 1 in Smart Grid security (Pike Research)
  ● Hardware and service offer
Secure Products
● New products developed to industry security standards
  ● Achilles certified for robustness, ISA Secure certified for complete security
● Legacy products
  ● Protected using industry-leading ConneXium Tofino application firewalls
● Partner products for advanced security
  ● Access to Hirschmann network infrastructure
  ● Access to Industrial Defender industrial security suite
● Secure network infrastructure
  ● ConneXium range of secure network infrastructure products.
  ● Includes Schneider Electric ConneXium Eagle and Tofino firewalls.
● Security Certification Center
Industry Cyber Security Solution
[Diagram; labels recovered from the slide: Protect within a zone; Device Hardening; Restrict traffic between zones; Protect the perimeter; Protect large zones; Securely connect zones; Protect communications; Protect the SCADA; Monitor the security and adapt; Monitor; Access control, Secure configuration; Windows Integrated Security; Application White Listing; IDS, IPS, Security Event Manager]
Industry Cyber Security Solution
[Diagram; labels recovered from the slide: Secure Solutions; Secure Products; Adaptation by local project teams; Advice and Assistance; PSX Competency Center; Assessment and Expertise (Americas, Europe, Asia); Basic Products; Generic Solutions; Customized Solutions; Reference Architectures (TVDA); Provider (Worldwide) (Americas, Europe) (Asia) (USA, France, China)]
Agenda
● What is Cyber Security and why now?
  ● A security incident
  ● Vulnerability tracking
  ● Vendor responsibility
  ● Customer responsibility
● How to Secure a System?
  ● The Schneider Electric 6-Step Defense in Depth (DiD) approach to cyber security
● Cyber Security demo
  ● Features of the Schneider Electric ConneXium Switch and Industrial Firewall
Summary
● Security implementation is a solution and not a product
  ● People, Policies, Architectures, Products
● Security requires a multi-layer or Defense in Depth (DiD) approach
  ● Security Plan, Network Separation, Perimeter Protection, Network Segmentation, Device Hardening, Monitoring & Update
● A Defense-in-Depth approach is the best approach: it mitigates risk and improves system reliability
● Vendor's responsibilities
  ● Design products & solutions with security features
  ● Ensure they enable customers to comply with security standards
  ● Provide recommendations and methodologies to guide implementation
● Customer's responsibilities
  ● Define security procedures (organizational security)
  ● Mandate responsible people (personnel security)
  ● Ensure compliance with security standards
Summary: The Schneider Electric Security Solution
● Information for customers
  ● Web portal for guidance, vulnerabilities and information
● Secure products
  ● New products developed to industrial security standards
  ● Legacy products protected using pre-configured security appliances
  ● Secure network infrastructure
● Secure reference architectures
  ● Secure PlantStruxure architectures validated by leading security experts
● Assessment and design services
  ● Assessment Service: allowing security to be applied where it is needed most
  ● Design Service: customizing the secure PlantStruxure architecture, creating a unique solution for each customer
● Monitor, manage and protect services
  ● Tools and services to continually monitor a plant's configuration and operation to ensure security and production are maintained
Thank You!