Protecting Critical Infrastructure. Secure Fashion. Kevin McPoland GarrettCom

Transcription

1 Protecting Critical Infrastructure Leveraging Ethernet in a Secure Fashion Kevin McPoland GarrettCom

2 Environment Today Multiple networks/ owners Operations Legacy serial, SCADA, building automation Physical Security Legacy video, IP Video, Building Access Enterprise/ Office Network , web browsing

3 Elements of Utility Cyber Security Enterprise Access Control Center 6-Wall Physical Security Intranet AVP Partners/ Remote Access Internet AMS CMS IDS Electronic Security Perimeter Firewalls AVP: Anti-Virus Protection AMS: Access Mgt. System IDS: Intrusion Detection System CMS: Compliance Mgmt. Sys. Network Critical Substation RTU IED IED RTU Substation Non-critical Assets

4 Overview Switch Security Firewalls Contents Virtual Private Networks Access Management Conclusion

5 What is Security? Office network security = confidentiality Industrial network security = availability l ANSI/ISA-99 Security for Industrial Automation and Control Systems IEC Industrial communication networks - Network and system security NERC CIP Cyber security framework for the identification and protection of Critical Cyber Assets

6 Network Security Prevention of misuse of assets or disruption of operations Focus on improper access and/or corruption of electronic systems Example vulnerabilities: Network hacker: unauthorized access and misuse Inside job: misuse of a system by employee Corruption via virus/worm: e.g., malicious internet software Attacks may be targeted, random or broad-based Requires Defense in Depth with multiple security measures

7 Attacks Attacks have different purposes : System intrusion (hacking) Destruction / sabotage / terrorism Fraud Theft of information Web site attack Revenge Accidental manipulation

8 Attacks What percentage of network security attacks do you believe originate from inside or outside of your company? 13% 4% Inside Outside Don't know 83% Source: AT&T/Economist Intelligence Unit Networking and Business Strategy Survey, March-April 2004

9 Managed Switches

10 Lock it up! Physical Network Security Alternative connectors

11 Password protected Managed Switches Port Security RADIUS Authentication VLAN QoS Rated for harsh environments

12 Physical LAN Operations Enterprise Security

13 Virtual LANs Operations Enterprise Security

14 Firewalls

15 AMHCSRIH NAMHCSRIH NNAMHCSRIH AMHCSRIH NAMHCSRIH NNAMHCSRIH What is a Firewall? A firewall is a system or group of systems that enforces an access control policy between two networks. HIRSCHMANN N N

16 Firewall Functions Basic Protects against attacks from unsecure networks Hides the internal network structure Advanced Access control: when and how may computers may communicate with each other User control: which users can access which services Protocol and Services control: which protocols and services can run over which ports Data control: which data can be transmitted and received Logging, Accounting, and Auditing Alarming during attacks and failures

17 Limitations A firewall offers limited or no protection against: Internal attacks Social engineering attacks Attacks over permitted connections Malware such as Trojans, Viruses, Spyware, Phishing, or damaging active components (ActiveX, Java Applets, JavaScript) Passive attacks (Sniffing the LAN, traffic analysis, etc.) Improper use of mobile computers Removable media

18 Security Deployment Hardened Perimeter Defence in Depth Remote Access

19 Security Scenario - Unprotected Networks Office Network Industrial Network

20 Security Scenario - Hardened Perimeter Office Network

21 Security Scenario - Defence in Depth Office Network

22 Security Scenario - Remote Access Office Network Internet VPN

23 SRIH AMHC SRIH MHC NNA SRIH Hardened Perimeter with Demilitarized Zone Enterprise Network Process Network DMZ HIRSCHMANN PLC NN AMHC NN I/O Historian

24 SRIH AMHC SRIH MHC NNA SRIH What is a DMZ? Enterprise Network Process Network DMZ HIRSCHMANN PLC NN AMHC NN I/O Historian

25 SRIH AMHC SRIH MHC NNA SRIH Functionality of a DMZ Enterprise Network Process Network DMZ HIRSCHMANN PLC NN AMHC NN I/O Historian

26 SRIH AMHC SRIH MHC NNA SRIH SRIH AMHC SRIH MHC NNA SRIH Paired Firewalls with DMZ Enterprise Network Process Network HIRSCHMANN PLC NN AMHC NN NN AMHC N I/O Historian

27 SRIH AMHC SRIH MHC NNA SRIH SRIH AMHC SRIH MHC NNA SRIH Defence in Depth Enterprise Network Process Network HIRSCHMANN Production Cell HIRSCHMANN NN AMHC NN NN AMHC N HIRSCHMANN Production Cell Historian

28 Firewalls and the OSI Model Deep Packet Inspection Application Presentation Session Stateful Inspection Packet Filter Packet Filter Transport Network Data link Physical

29 Stateful Inspection Communication is analyzed at Layer 4 (Transport) The firewall maintains a table of which devices are communicating Data is only allowed through the firewall from the unsecure network if it has been requested from the secure network. Advantages The status of the connection is checked Cheaper and faster than Application Layer Firewalls Disadvantage The data inside the packet is not checked

30 Packet Filter Packets are analyzed and filtered at the Layer 3 (Network) level. Source IP address Source port Destination IP address Destination port Protocol Access Rules define which communication is allowed. Three alternative principles: Deny all (all traffic not explicitly permitted is denied) Laissez faire (all traffic not explicitly denied is permitted) Transparent (all traffic is permitted)

31 Packet Filter Special considerations Only the header of the packet is checked not the enclosed data (payload) Each individual packet is checked, but not the data stream itself Often implemented in a router (Access Control Lists) Advantages Fast to implement Disadvantages Neither the connection nor the data is checked Large number of rules Easy to make a mistake

32 Deep Packet Inspection Examines the data inside a packet Accepts or denies packets based on data values Protocol conformance Ethernet IP TCP/UDP Data Data Packet

33 Firewalls- Good Practice Two-port firewall with no DMZ: Use exact rules Avoid unsecure protocols Firewall(s) with DMZ: No direct communication between networks Combinations of unsecure protocols Disjointed communication

34 Internal and external Firewall Logs Must be checked regularly Somebody must be responsible

35 Firmware Patches Subscribe to the relevant mailing lists Manufacturer User groups CERT security alerts t

36 Change Management Documentation Same change management procedure as an automation network Minimum information Source IP address Source port Destination IP address Destination port Protocol Purpose Requested by Risks Templates from SANS Institute

37 Incident Response Plan Plan in advance Who has authority to make decisions? What are the decision criteria? What steps will be taken?

38 Adding Security to an Existing Network In a perfect world, you design the network security when you design the network. What if you want to add security to an existing network? Most firewalls are routers.

39 NAT / PAT Network Address Translation 1 to n / Port Address Translation All internal IP address are mapped to a single external IP address Hides the protected network s addressing scheme Reduces cost by sharing a single valid Internet address Network Address Translation 1 to 1 Individual internal addresses are mapped to individual external addresses Hides the network addressing while allowing incoming connections

40 Network Address Translation 1:n Maps multiple internal addresses to a single external address Source Source Source Source

41 Network Address Translation 1:1 Maps internal and external addresses 1 to 1. Source Source Source Source

42 Multiple Identical Cells Automation Cell Core Network Automation Cell

43 Virtual Private Networks

44 What is a VPN? A virtual private network (VPN) is a secure, encrypted connection between two points across an insecure network. Information is sent via tunneling, which is the practice of encrypting and encapsulating IP packets.

45 VPN Protocols Point to Point Tunneling Protocol (PPTP) Old protocol Easy to configure Layer 2 Tunneling Protocol Combines best of Microsoft and Cisco VPN protocols IPSec Complex More secure than PPTP Secure Socket Layer (SSL) Browser-based No Client required OpenVPN

46 VPN Topologies C2S Client to Site (C2S) Connecting a single PC to a network for example, a teleworker, a mobile worker, or a support technician C2S connections are usually temporary Requires either: VPN Client software (IPSec-VPN) Windows integrated VPN connection (PPTP-VPN) Suitable web browser (SSL-VPN)

47 VPN Topologies S2S Site to Site (S2S) Connects two networks together, for example Two corporate locations One company to another company Industrial networks across a corporate WAN S2S connections are usually permanent (24x7) Unlike C2S, S2S connections are almost always created using IPSec

48 Symmetric Encryption Symmetric cryptography is based on the usage of a single key The key is secret, but shared The key is used to encrypt and decrypt the data Sender Secret Key Secret Key Receiver Clear text Encrypted text Clear text Algorithms : DES, 3-DES, AES, RS2, RC4,...

49 Asymmetric Encryption Asymmetric encryption is based on the use of: A public key to encrypt the data A private key to decrypt the data Data cannot be decrypted using the public key Sender Public Key Private Key Receiver Clear text Encrypted text Clear text Algorithm : RSA

50 Session Key This system uses a mixture of the previous two systems, without the overheads. Symmetric keys are exchanged using the asymmetric method. The keys can be discarded at the end of the session, or periodically changed during a session Sender Public Key Private Key Receiver Session Key Encrypted Session Key Session Key Algorithm : Diffie-Hellman

51 X.509 Certificate Issuer Validity Issued To Public Key Digital Signature

52 Certification Authority Certificate Internet Explorer Firefox

53 Secure Wireless WEP Wired Equivalent Protocol - Type of encryption used to make data more secure. WEP is an older encryption method and is easily broken. WPA WiFi Protected Access - Type of encryption used to make data more secure. Newer standard and much more secure than WEP. Not supported by some devices due to added hardware support.

54 IEEE Legacy Wireless was first made standard in 1997 by the IEEE 2.4GHz Frequency Very low data rates (1-2Mbps) No encryption standards Little to no interoperability between manufacturers Not widely accepted/used

55 802.11b/g 2.4GHz operation 11-54Mbps Today's Standards WEP/WPA and Radius authentication Interoperability among various manufacturers a 5GHz operation 54Mbps WEP/WPA and Radius authentication Interoperability

56 802.11n Today's Standards 2.4 or 5GHz operation MIMO (Multiple Input Multiple Output) Up to 600Mbps WPA2 and Radius authentication Backwards Compatibility Interoperability RF Diversity built in

57 VPNs Advantages and Disadvantages Advantages Future-proof technology Relatively low cost Can be used to build complex networks Encryption mechanisms ensure confidentiality, integrity, and availability of information Disadvantages Complex to configure and maintain S2S how secure is the connected network? C2S how secure is the Client? Antivirus software Firewall Access from public PCs

58 Access Management

59 Utility Network

60 Remote Access to IED Adapt IED settings as needed Help analyze and correct line faults and otherwise resolve disturbances Identify optimal timing i to repair/replace equipment and systems Make best use of assets by safely operating closer to tolerances Better forecast load to reduce need for spare equipment capacity Streamline operations

61 Impact of NERC/CIP Reduced productivity: IED monitoring and maintenance becomes time-consuming and more costly (e.g., travel time from service centers to substations). Reduced value added by personnel: Inefficient processes force personnel to focus on obtaining access, rather than on making use of the information obtained. Lack of centralization: Staffing shortages and aging workforces are further strained. Increased risks: On-site (at substation) monitoring and maintenance increases risks of errors, outages, and failures; and may compromise worker safety. Reduced employee satisfaction: Inefficient processes are frustrating for employees.

62 NERC/CIP Compliance NERC CIP effectively requires utilities to maintain adequate equipment and system password complexity, address password frequency of change, and change default/factory passwords prior to placing equipment in service. The requirements also affect shared account access, user account access privileges review, and securing accounts after personnel changes. In total, utilities must effectively manage access to protected critical cyber asset information. NERC monitors compliance via periodic compliance audits, and failure to meet the standards can result in fines of up to U.S. $1 million per day.

63 Password Management Challenge Grows Rapidly When Considering System-wide Assets First consider one substation 1 Substation x 30 Devices x 4 Levels of passwords for each device = 120 Passwords to manage But you may manage 1,000 substations 1,000 Substations x 30 Devices x 4 Levels of passwords for each device = 120,000 Passwords to manage!

64 NERC/CIP Password Compliance Indentifying Devices Utilities need to specifically identify and document Critical Cyber Assets (CCAs) in the system. CCAs are typically logged and maintained in a database. Password Complexity Considerations Utilities need to understand the password complexity capabilities for each of the different types of IED included in the list above. Password length and support for special character subsets differ from vendor to vendor and even model to model from the same vendor. Generation of Compliant Passwords Utilities need to design and implement a process to ensure compliant passwords are generated for these specific IEDs. Per NERC CIP standards, passwords must be at least six characters and use special characters. Maintaining Passwords Inventory Utilities need to create and maintain a list of all current IED passwords and a history of all password changes. Maintaining Password Update Frequency Utilities need a method to track the frequency of password changes per IEDs to ensure that all device passwords are changed at least once a year or more often as required.

65 NERC/CIP Password Compliance Maintaining Historical Audit Trail Utilities need a method to track the history of password changes and track who has had access to these passwords. This is typically managed through h manually updated d lists. Protecting IEDs from Unauthorized Access Utilities need a method to secure the list of passwords and control who has access to these lists. Typically, these password lists are stored in a secure network folder, with access to this folder maintained manually. Maintaining Password Update Process Utilities need a method to maintain manual procedures, including detailed password change steps. Maintenance of these procedures can be cumbersome and prone to human error. Notification of Password Changes Utilities need a method to inform operators of password changes because password updates on IEDs typically trigger SCADA alarms. Personnel performing the password updates are usually responsible for manually notifying others of pending changes through phone calls or s sent to operators in advance of the password updates.

66 Access Management System (AMS) Enterprise Access Control Center Intranet AMS Partners/ Remote Access DS RSA CMS Internet Network PC with Access Client AMS: Access Mgt. System CMS: Compliance Mgmt. Sys. RSA: RSA SecureID server DS IED IED RTU Substation DS RTU Substation

67 Access Management Benefits Improved efficiency of expert personnel Improved access of substation data by authorized personnel Enhanced security Reduces risk of injury Minimizes substation disruption Facilitated compliance with NERC CIP legislation, avoiding fines Minimizes disturbances, improving reliability Minimized travel, reducing maintenance costs

68 Conclusion Managed switches provide a range of security features A control network should only be connected to another network via a firewall Use Defence in Depth for maximum protection and availability External network connections, even within a company, should be created using VPNs Access Management provides ease of Password Control and limits access appropriately p