Secure Connectivity for Critical Infrastructure

Transcript of Secure Connectivity for Critical Infrastructure · ISOLATING AND PROTECTING ASSETS: DEFENSE-IN-DEPTH STRATEGIES 3.1.1 Architectural Zones Leverage best practices can include: 1. Firewalls

Page 1

Secure Connectivity for Critical Infrastructure

Page 2

Shodan Project SHINE

Shodan Intelligence Extraction = SHINE

• Study using Shodan on ICS devices exposed on the Internet
• Focused on Industrial Control Systems

Project RUGGEDTRAX:

• Public-sourced an ICS device
• Deployed it as an actual cyber asset controlling critical infrastructure
• Exposed it to the Internet

Result:

• First attack within 2 hours
• Shodan found it in 2 days
• After 70 days:
  – 140,430 access attempts
  – 651 different IP addresses
  – 90% from China

SHINE Findings Report: http://01m.us/l/ltjify8p2a1r

RUGGEDTRAX Preliminary Report: http://01m.us/l/gltlhotyw69j

Page 3

Targets: Critical Infrastructure

Consider what’s at risk.

Critical infrastructure is compromised daily…

Nuclear · Water · Oil processing · Gas · Electric

Page 4

The not so really bad guys?

http://www.telegraph.co.uk/news/worldnews/1575293/Schoolboy-hacks-into-citys-tram-system.html

• Twelve people were injured in one derailment, and the boy is suspected of having been involved in several similar incidents.
• He treated it like any other schoolboy might a giant train set, but it was lucky nobody was killed. Four trams were derailed, and others had to make emergency stops that left passengers hurt. He clearly did not think about the consequences of his actions.
• The 14-year-old, described by his teachers as a model pupil and an electronics "genius", adapted a television remote control so it could change track points in the city of Lodz.

Page 6

Recent major attacks

Target, Anthem, Premera Blue Cross, Home Depot, Staples, Sony, JP Morgan Chase, Community Health Systems, Michaels

Source: “9 Recent Cyber Attacks Against Big Business,” NY Times, 2/2015

Existing Security Solutions are Fighting a Losing Battle

What do they all have in common?

They had lots of dedicated security engineers helping to manage routing, switching, firewalls and VPNs…

Page 7

DHS Guidelines are outdated: Improving Industrial Control Systems Cyber Security with Defense-In-Depth Strategies

ISOLATING AND PROTECTING ASSETS: DEFENSE-IN-DEPTH STRATEGIES

3.1.1 Architectural Zones

Leverage best practices can include:

1. Firewalls (single, multi-homed, dual, cascading)
2. Routers with Access Control Lists (ACLs)
3. Configured switches
4. Static routes and routing tables
5. Dedicated communications media.

Following Documented Guidelines: DHS, NIST, AWWA, WaterISAC, NERC-CIP…

https://ics-cert.us-cert.gov/Field-ControllerRTUPLCIED-Documentation

Page 8

Firewalls: Complexity, the enemy of security

“The key to effective firewall protection is a simple Rule Base. One of the greatest dangers to the security of your organization is misconfiguration… To keep your Rule Base simple, ensure that it is concise and therefore easy to understand and maintain. The more rules you have, the more likely you are to make a mistake.

Basic Rules.

Rule Order

Rule order is a critical aspect of an effective Rule Base. Having the same rules, but putting them in a different order, can radically alter the effectiveness of your firewall. It is best to place more specific rules first and more general rules last. This order prevents a general rule from being applied before a more specific rule and protects your firewall from misconfigurations.”

Best Regards,

Firewall Vendor
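The vendor's rule-order point, shown as an added example that is not from the slides or from any vendor's documentation: a first-match rule base in Python, evaluated with a specific deny placed before and then after a broader permit, plus a check that reports rules shadowed by an earlier, broader rule (a rule that can never fire). The rule names, subnets and the port number are constructed for the demonstration.

```python
"""Added example (not from the slides): first-match rule-base evaluation and a
shadowed-rule check, showing why specific rules must precede general ones."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str            # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network
    port: Optional[int]    # None matches any destination port

    def matches(self, src_ip: str, dst_ip: str, port: int) -> bool:
        return (ip_address(src_ip) in self.src
                and ip_address(dst_ip) in self.dst
                and (self.port is None or self.port == port))

    def covers(self, other: "Rule") -> bool:
        """True when every packet `other` could match, self matches as well."""
        return (other.src.subnet_of(self.src)
                and other.dst.subnet_of(self.dst)
                and (self.port is None or self.port == other.port))


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, port: int) -> Tuple[str, str]:
    """First matching rule wins; an unmatched packet hits the implicit deny."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, port):
            return rule.action, rule.name
    return "deny", "implicit-deny"


def shadowed_rules(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Return (shadowed rule, earlier rule that hides it) pairs.

    A rule is shadowed when an earlier rule matches a superset of its traffic:
    the later rule can never fire, whatever its action says.
    """
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.covers(later):
                found.append((later.name, earlier.name))
                break
    return found


# Constructed rules: one specific deny and one broad permit, used in two orders.
SPECIFIC_DENY = Rule("deny-ws-to-plc", "deny",
                     ip_network("10.1.1.50/32"), ip_network("192.168.2.0/24"), 502)
BROAD_PERMIT = Rule("permit-dept1-to-dmz", "permit",
                    ip_network("10.1.1.0/24"), ip_network("192.168.2.0/24"), None)

SPECIFIC_FIRST = [SPECIFIC_DENY, BROAD_PERMIT]   # the order the vendor recommends
GENERAL_FIRST = [BROAD_PERMIT, SPECIFIC_DENY]    # the mistake the vendor warns about


def demo() -> dict:
    """Evaluate the same packet under both orders and list shadowed rules."""
    packet = ("10.1.1.50", "192.168.2.2", 502)
    return {
        "specific_first": evaluate(SPECIFIC_FIRST, *packet),
        "general_first": evaluate(GENERAL_FIRST, *packet),
        "shadowed_in_general_first": shadowed_rules(GENERAL_FIRST),
        "shadowed_in_specific_first": shadowed_rules(SPECIFIC_FIRST),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the broad permit first, the packet the specific rule was written to block is permitted, and `shadowed_rules` names the deny as unreachable; with the specific rule first, the same two rules block it and nothing is shadowed. The shadow check is the piece worth keeping: run over a real rule base it finds the dead rules that the quote's "more rules, more mistakes" warning is about.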

Page 9

Simple router Firewall Rules

passwd g00fba11
enable password gen1u$
hostname Buster
asdm image disk0:/asdm.bin
boot system disk0:/image.bin
interface gigabitethernet 0/0
 nameif outside
 security-level 0
 ip address 209.165.201.3 255.255.255.224
 no shutdown
interface gigabitethernet 0/1
 nameif dept2
 security-level 100
 ip address 10.1.2.1 255.255.255.0
 mac-address 000C.F142.4CDE standby 000C.F142.4CDF
 no shutdown
 rip authentication mode md5
 rip authentication key scorpius key_id 1
interface gigabitethernet 0/2
 nameif dept1
 security-level 100
 ip address 10.1.1.1 255.255.255.0
 no shutdown
interface gigabitethernet 0/3
 nameif dmz
 security-level 50
 ip address 192.168.2.1 255.255.255.0
 no shutdown
same-security-traffic permit inter-interface
route outside 0 0 209.165.201.1 1
nat (dept1) 1 10.1.1.0 255.255.255.0
nat (dept2) 1 10.1.2.0 255.255.255.0
! The dept1 and dept2 networks use PAT when accessing the outside
global (outside) 1 209.165.201.9 netmask 255.255.255.255
! Because we perform dynamic NAT on these addresses for outside access, we need to perform
! NAT on them for all other interface access. This identity static statement just
! translates the local address to the same address.
static (dept1,dept2) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
static (dept2,dept1) 10.1.2.0 10.1.2.0 netmask 255.255.255.0
! The syslog server uses a static translation so the outside management host can access
! the server
static (dmz,outside) 209.165.201.5 192.168.2.2 netmask 255.255.255.255
access-list MANAGE remark Allows the management host to access the syslog server
access-list MANAGE extended permit tcp host 209.165.200.225 host 209.165.201.5 eq ssh
access-group MANAGE in interface outside
! Advertises the adaptive security appliance IP address as the default gateway for the downstream
! router. The adaptive security appliance does not advertise a default route to the upstream
! router. Listens for RIP updates from the downstream router. The adaptive security appliance does
! not listen for RIP updates from the upstream router because a default route to the
! upstream router is all that is required.
router rip
 network 10.0.0.0
 default-information originate
 version 2
ssh 209.165.200.225 255.255.255.255 outside
logging trap 5
! System messages are sent to the syslog server on the DMZ network
logging host dmz 192.168.2.2
logging enable
! Enable basic threat detection:
threat-detection basic-threat
threat-detection rate dos-drop rate-interval 600 average-rate 60 burst-rate 100
! Enables scanning threat detection and automatically shun attackers,
! except for hosts on the 10.1.1.0 network:
threat-detection scanning-threat shun except ip-address 10.1.1.0 255.255.255.0
threat-detection rate scanning-threat rate-interval 1200 average-rate 10 burst-rate 20
threat-detection rate scanning-threat rate-interval 2400 average-rate 10 burst-rate 20
! Enable statistics for access-lists:
threat-detection statistics access-list
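An added check, not from the slides and not Cisco tooling, that reads the zone definitions out of an ASA configuration like the one above and answers the question the slide is really asking: which zone pairs can open connections with no access-list involved, and which secrets are sitting in the text in clear. SAMPLE_CONFIG is a trimmed copy of the slide's configuration. The zone-pair logic assumes the ASA defaults (a higher security level may initiate to a lower one; equal levels only when same-security-traffic permit inter-interface is set; an inbound access-group on an interface replaces that default for the interface).

```python
"""Added example (not from the slides): read zone definitions from an ASA
configuration text and report the zone pairs that can initiate traffic
without an explicit access-list, plus secrets that appear verbatim."""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: the interface and policy lines copied from the
# configuration on the slide, trimmed to what this check reads.
SAMPLE_CONFIG = """\
passwd g00fba11
enable password gen1u$
hostname Buster
interface gigabitethernet 0/0
 nameif outside
 security-level 0
interface gigabitethernet 0/1
 nameif dept2
 security-level 100
 rip authentication mode md5
 rip authentication key scorpius key_id 1
interface gigabitethernet 0/2
 nameif dept1
 security-level 100
interface gigabitethernet 0/3
 nameif dmz
 security-level 50
same-security-traffic permit inter-interface
access-list MANAGE extended permit tcp host 209.165.200.225 host 209.165.201.5 eq ssh
access-group MANAGE in interface outside
"""


def parse_security_levels(config: str) -> Dict[str, int]:
    """Map each nameif to its security-level, in interface order."""
    levels: Dict[str, int] = {}
    current = None
    for line in config.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "nameif":
            current = tokens[1]
        elif tokens[0] == "security-level" and current is not None:
            levels[current] = int(tokens[1])
    return levels


def same_security_permitted(config: str) -> bool:
    return any(line.strip() == "same-security-traffic permit inter-interface"
               for line in config.splitlines())


def interfaces_with_inbound_acl(config: str) -> Set[str]:
    """Interfaces where an inbound access-group replaces the level-based default."""
    return set(re.findall(r"^access-group \S+ in interface (\S+)", config, re.M))


def implicit_flows(levels: Dict[str, int], same_ok: bool,
                   acl_ifaces: Set[str]) -> List[Tuple[str, str]]:
    """Zone pairs (from, to) that may open connections with no ACL involved.

    ASA default, assumed here: a higher level may initiate to a lower one;
    equal levels only when inter-interface same-security traffic is permitted;
    an interface with an inbound access-group is governed by that ACL instead.
    """
    flows = []
    for src, src_level in levels.items():
        if src in acl_ifaces:
            continue
        for dst, dst_level in levels.items():
            if src == dst:
                continue
            if src_level > dst_level or (src_level == dst_level and same_ok):
                flows.append((src, dst))
    return sorted(flows)


def verbatim_secrets(config: str) -> List[str]:
    """Commands whose secret is readable in this text. The appliance stores
    passwd/enable password hashed, but a configuration pasted like this one
    exposes whatever was typed."""
    findings = []
    for line in config.splitlines():
        s = line.strip()
        if s.startswith("passwd ") and not s.endswith(" encrypted"):
            findings.append("passwd")
        elif s.startswith("enable password ") and not s.endswith(" encrypted"):
            findings.append("enable password")
        elif s.startswith("rip authentication key "):
            findings.append("rip authentication key")
    return findings


def audit(config: str) -> dict:
    levels = parse_security_levels(config)
    flows = implicit_flows(levels, same_security_permitted(config),
                           interfaces_with_inbound_acl(config))
    return {"levels": levels, "implicit_flows": flows,
            "verbatim_secrets": verbatim_secrets(config)}


if __name__ == "__main__":
    result = audit(SAMPLE_CONFIG)
    print("security levels:", result["levels"])
    print("zone pairs open without an ACL:")
    for src, dst in result["implicit_flows"]:
        print(f"  {src} -> {dst}")
    print("secrets visible in text:", result["verbatim_secrets"])
```

On the slide's configuration the check lists seven zone pairs that need no rule at all: dept1 and dept2 reach each other, the DMZ and the outside, and the DMZ reaches the outside, because of the security levels and the same-security permit rather than anything in the MANAGE list. That is the point of the slide: the one visible access-list is a small part of what the box actually allows, and the rest has to be read out of interface levels and NAT statements.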

Page 10

Configuring VLANs

Router>enable
Router#configure terminal
Router(config)#hostname CORP
CORP(config)#interface serial 0/0/0
CORP(config-if)#description link to ISP
CORP(config-if)#ip address 192.31.7.6 255.255.255.252
CORP(config-if)#no shutdown
CORP(config-if)#interface fastethernet 0/1
CORP(config-if)#description link to 3560 Switch
CORP(config-if)#ip address 172.31.1.5 255.255.255.252
CORP(config-if)#no shutdown
CORP(config-if)#exit
CORP(config)#interface fastethernet 0/0
CORP(config-if)#duplex full
CORP(config-if)#no shutdown
CORP(config-if)#interface fastethernet 0/0.1
CORP(config-subif)#description Management VLAN 1 – Native VLAN
CORP(config-subif)#ip address 192.168.1.1 255.255.255.0
CORP(config-subif)#interface fastethernet 0/0.10
CORP(config-subif)#description Sales VLAN 10
CORP(config-subif)#encapsulation dot1q 10
CORP(config-subif)#ip address 192.168.10.1 255.255.255.0
CORP(config-subif)#interface fastethernet 0/0.20
CORP(config-subif)#description Engineering VLAN 20
CORP(config-subif)#encapsulation dot1q 20
CORP(config-subif)#ip address 192.168.20.1 255.255.255.0
CORP(config-subif)#interface fastethernet 0/0.30
CORP(config-subif)#description Marketing VLAN 30
CORP(config-subif)#encapsulation dot1q 30
CORP(config-subif)#exit
CORP(config)#router eigrp 10
CORP(config-router)#network 192.168.1.0
CORP(config-router)#network 192.168.10.0
CORP(config-router)#network 192.168.20.0
CORP(config-router)#network 192.168.30.0
CORP(config-router)#network 172.31.0.0

How does this work with my firewall rules???
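An added check, not from the slides and not Cisco tooling, that strips the prompts from a CORP session like the one above and answers part of the "how does this work with my firewall rules" question: it lists 802.1Q sub-interfaces that are missing a VLAN tag or an address, and EIGRP network statements that no configured interface falls in. A firewall rule written for a VLAN that the router never actually routes sees no traffic and protects nothing. SAMPLE_TRANSCRIPT is a trimmed copy of the slide's session; the classful reading of a bare `network` statement is IOS behaviour for EIGRP and is assumed here.

```python
"""Added example (not from the slides): strip IOS prompts from a configuration
transcript and check sub-interfaces and EIGRP network statements for gaps."""
import re
from ipaddress import IPv4Network, ip_interface, ip_network
from typing import Dict, List, Tuple

# Constructed sample: the CORP router transcript from the slide, trimmed to the
# interface and routing commands this check reads.
SAMPLE_TRANSCRIPT = """\
CORP(config)#interface serial 0/0/0
CORP(config-if)#ip address 192.31.7.6 255.255.255.252
CORP(config-if)#interface fastethernet 0/1
CORP(config-if)#ip address 172.31.1.5 255.255.255.252
CORP(config)#interface fastethernet 0/0
CORP(config-if)#interface fastethernet 0/0.1
CORP(config-subif)#description Management VLAN 1 - Native VLAN
CORP(config-subif)#ip address 192.168.1.1 255.255.255.0
CORP(config-subif)#interface fastethernet 0/0.10
CORP(config-subif)#encapsulation dot1q 10
CORP(config-subif)#ip address 192.168.10.1 255.255.255.0
CORP(config-subif)#interface fastethernet 0/0.20
CORP(config-subif)#encapsulation dot1q 20
CORP(config-subif)#ip address 192.168.20.1 255.255.255.0
CORP(config-subif)#interface fastethernet 0/0.30
CORP(config-subif)#encapsulation dot1q 30
CORP(config)#router eigrp 10
CORP(config-router)#network 192.168.1.0
CORP(config-router)#network 192.168.10.0
CORP(config-router)#network 192.168.20.0
CORP(config-router)#network 192.168.30.0
CORP(config-router)#network 172.31.0.0
"""

PROMPT = re.compile(r"^[^#>]*[#>]")


def commands(transcript: str) -> List[str]:
    """Drop the 'HOST(mode)#' prompt from each line, keeping only the command."""
    return [PROMPT.sub("", line).strip()
            for line in transcript.splitlines() if line.strip()]


def parse_interfaces(cmds: List[str]) -> Dict[str, dict]:
    """Collect the dot1q tag and ip address configured under each interface."""
    ifaces: Dict[str, dict] = {}
    current = None
    for cmd in cmds:
        tok = cmd.split()
        if not tok:
            continue
        if tok[0] == "interface":
            current = " ".join(tok[1:])
            ifaces[current] = {"encapsulation": None, "ip": None}
        elif tok[0] == "router":
            current = None            # left interface configuration
        elif current is None:
            continue
        elif tok[0] == "encapsulation" and len(tok) >= 3:
            ifaces[current]["encapsulation"] = int(tok[2])
        elif tok[:2] == ["ip", "address"] and len(tok) >= 4:
            ifaces[current]["ip"] = ip_interface(f"{tok[2]}/{tok[3]}")
    return ifaces


def incomplete_subinterfaces(ifaces: Dict[str, dict]) -> List[Tuple[str, str]]:
    """A dot1q sub-interface carries traffic only with both a tag and an address."""
    problems = []
    for name, cfg in ifaces.items():
        if "." not in name:           # physical interfaces are not checked here
            continue
        if cfg["encapsulation"] is None:
            problems.append((name, "encapsulation"))
        if cfg["ip"] is None:
            problems.append((name, "ip address"))
    return problems


def classful(network: str) -> IPv4Network:
    """IOS reads a bare 'network A.B.C.D' under EIGRP as a classful network."""
    first = int(network.split(".")[0])
    prefix = 8 if first < 128 else 16 if first < 192 else 24
    return ip_network(f"{network}/{prefix}", strict=False)


def orphan_networks(cmds: List[str], ifaces: Dict[str, dict]) -> List[str]:
    """EIGRP network statements that no configured interface address falls in."""
    addrs = [cfg["ip"].ip for cfg in ifaces.values() if cfg["ip"] is not None]
    orphans = []
    for cmd in cmds:
        tok = cmd.split()
        if tok[:1] == ["network"] and len(tok) == 2:
            if not any(addr in classful(tok[1]) for addr in addrs):
                orphans.append(tok[1])
    return orphans


def check(transcript: str) -> dict:
    cmds = commands(transcript)
    ifaces = parse_interfaces(cmds)
    return {"incomplete": incomplete_subinterfaces(ifaces),
            "orphan_networks": orphan_networks(cmds, ifaces)}


if __name__ == "__main__":
    for key, value in check(SAMPLE_TRANSCRIPT).items():
        print(f"{key}: {value}")
```

Run against the slide's session it reports fastethernet 0/0.1 without an encapsulation (IOS will not accept an address on a sub-interface that has no VLAN tagging configured) and fastethernet 0/0.30 without an address, and it flags the 192.168.30.0 network statement as matching no interface. None of that shows up in a firewall rule base; it is exactly the class of routing and switching detail that the slide's question is pointing at.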

Page 11

Water Treatment Facility: Misconfigured Equipment

During a recent network infrastructure upgrade, a water utility implemented a misconfigured switch configuration, which flooded the network with traffic. This error led to massive resource consumption on control system endpoints. To the entity, it looked as though the systems had been infected with malware.

The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) analyzed the router and switch configurations and found an error in how the spanning-tree protocol, which prevents network traffic re-broadcasting loops, was configured. The misconfiguration caused too much network traffic to be sent to endpoint devices, which overloaded the system processors.

Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)

Complexity, not just the enemy of security!

https://ics-cert.us-cert.gov/advisories

Page 12

[Diagram: SCADA Network, Enterprise Network, Cellular Network]

80/20 Rule: Reduce the attack vectors with Micro-segmentation

Page 13

Page 14

Summary

• Prioritize Security
• Be Realistic
  – Manage Risk, Reward, Cost, Manageability
  – Defense in Depth (Layers)
• Goals:
  – Understand your High Value (High Target) Assets
  – Identify Soft Spots (Network, Access Points, Devices, Encryption …)
  – Always work to Improve Your Security Posture
  – Lower Operational Costs

Page 15

Thank you!

Gary Zaleski, Tempered Networks

[email protected]