How can I. protect a system from cyber attacks? Design your architecture. System Technical Note Cyber security recommendations

Transcription

1 How can I protect a system from cyber attacks? System Technical Note Cyber security recommendations Design your architecture

2 2

3 Disclaimer This document is not comprehensive for any systems using the given architecture and does not absolve users of their duty to uphold the safety requirements for the equipment used in their systems or compliance with both national or international safety laws and regulations. Readers are considered to already know how to use the products described in this System Technical Note (STN). This STN does not replace any specific product documentation. 3

4 The STN Collection The implementation of an automation project includes five main phases: Selection, Design, Configuration, Implementation and Operation. To help you develop a project based on these phases, Schneider Electric has created the Tested, Validated, Documented Architecture and System Technical Note. A Tested, Validated, Documented Architecture (TVDA) provides technical guidelines and recommendations for implementing technologies to address your needs and requirements, This guide covers the entire scope of the project life cycle, from the Selection to the Operation phase, providing design methodologies and source code examples for all system components. A System Technical Note (STN) provides a more theoretical approach by focusing on a particular system technology. These notes describe complete solution offers for a system, and therefore support you in the Selection phase of a project. The TVDAs and STNs are related and complementary. In short, you will find technology fundamentals in an STN and their corresponding applications in one or several TVDAs. Development Environment PlantStruxure, the Process Automation System from Schneider Electric, is a collaborative system that allows industrial and infrastructure companies to meet their automation needs while also addressing growing energy management requirements. Within a single environment, measured energy and process data can be analyzed to yield a holistically optimized plant. 4

5 Table of Contents 1. Security Overview Purpose Introduction Why is Security a Hot Topic Today? What is Cyber Security? Cyber Attack Profile How Attackers Can Gain Access to the Control Network How Attackers Attack Accidental Events Control System Vulnerabilities Schneider Electric Cyber Security Defense Security Plan Network Separation Protecting the Plant Perimeter Network Segmentation via VLAN Device Hardening Monitoring Appendix Methods of Attack IP Spoofing Denial of Service Attacks TCP SYN Flood Attack Land Attack ARP Spoofing ICMP Smurf

6 4.7. The PING of Death UDP Flood Attack Teardrop Attack References

7 1-Security Overview 1. Security Overview 1.1. Purpose 1.2. Introduction The intent of this System Technical Note (STN) is to describe the capabilities of the different Schneider Electric solutions that answer the most critical applications requirements, and consequently increase the security of an Ethernet-based system. It provides a description of a common, readily understandable, reference point for end users, system integrators, OEMs, sales people, business support and other parties. PlantStruxure openness and transparency provides seamless communication from the enterprise system or the internet to the control network. With this transparency comes security vulnerabilities that can be exploited to negatively impact production, equipment, personnel safety, or the environment. Security practices should be deployed to prevent these unwanted incidents from disrupting operations. Security is no longer a secondary requirement but should be considered mandatory and be viewed as important as safety or high availability. To meet the security challenges, Schneider Electric recommends a defense-in-depth approach. Defense-in-depth is a concept that assumes there is no single approach that provides all security needs. Rather, defense-in-depth layers the network with security features, appliances, and processes to ensure that disruption threats are minimized. Schneider s defense-in-depth approach includes: Eagle20 Security Router, from its partner Hirschmann Electronics, to secure the control network perimeter using secure links such as VPN and DMZ. Eagle Tofino firewall, from its partner Hirschmann Electronics, to secure communication zones within the control network using basic firewall rules, stateful packet inspection and deep packet inspection. ConneXium infrastructure devices to limit internal access to areas of responsibility and act as a second line of defense in the event of a firewall breech. PACs and Ethernet modules hardened with password protection, access control and the ability to turn off unneeded services. 7

8 1-Security Overview RTUs that offer secure links via VPN and strong authentication technology. The intent of this document is to understand what constitutes cyber security in the industrial market, why cyber security has become such a hot topic, risks caused by system vulnerabilities, methods of network penetration and Schneider Electric s recommendations to mitigate those risks. Remember, there is not one single product that can defend the network, rather a defense-in-depth approach ensures the best coverage for a secured, highly available operation Why is Security a Hot Topic Today? Industrial control systems based on computer technology and industrial-grade networks have been around for decades. The earlier control system architectures were developed with proprietary technology and were isolated from the outside world and therefore security was a primary concern. Physical perimeter security was adequate to feel comfortable about the systems reliability. Today the control systems have migrated to open systems using standardized technologies such as Microsoft Windows operating system and Ethernet TCP/IP to reduce costs and improve performance. Additionally, direct communications between control and business systems has been employed to improve operational efficiency and manage production assets more cost-effectively. 8

9 1-Security Overview This technical evolution has exposed control systems to vulnerabilities previously only affecting office and business computers. Although the malware found in the world has been used to target home, office, or business computers, the industrial computers employing the same technology has become exposed through lax internal security practices, external contractors with access to systems, and through inadvertent publicly accessible networked interfaces. Ethernet and TCP/IP have provided many new and attractive capabilities: Integrated applications through networked intelligent devices Embedded web servers for remote access Wireless connectivity Remote access for maintenance Automated software management Distributed control Instant access of information with the business systems inventory, production, shipping and receiving, purchasing, etc. With the use of standard technologies such as Ethernet, control systems are now vulnerable to cyber attacks from both inside and outside of the industrial control system network. The security challenges for the control s environment are: Physical and logical boundaries vary. Systems can span over large geographical regions with multiple sites. Security implementation can adversely impact process availability. With the heightened threats caused by political terrorism, cyber attacks, and internal security threats, companies must be more diligent than ever with how their systems are protected. Motivations can be hard to understand, but the implications can be devastating; from lost production, damaged company image, environmental disaster, or loss of life. Companies need to be more conscious of security than ever before. No longer will barbed wire and security guards satisfactorily protect industrial assets. Lessons learned from the IT world must be employed to protect industrial facilities and infrastructure from disruptions, damage, or worse. 9

10 2-What is Cyber Security 2. What is Cyber Security? Cyber security is a branch of security designed to address attacks on or by computer systems and through computer networks. The objective of cyber security is to protect information and physical assets from theft, corruption, or natural disaster, while allowing the information and assets to remain accessible and productive to its intended users. It is composed of procedures, policies, equipment; both software and hardware. Cyber security is an ongoing process. Cyber attacks are actions that target computers and network systems designed to disrupt the normal operations of the system. These actions can be initiated locally (from within the physical facility) or remotely (from outside). These attacks are normally intentional, but in fact could be unintentional due to poor security threat prevention. All potential causes of cyber attacks need to be considered when employing a defense-in-depth approach Cyber Attack Profile Cyber attacks to the control network system can come from a number of sources: Internal (employees, vendors and contractors) o o o Accidental events Inappropriate employee/contractor behavior Disgruntled employees/contractor External opportunistic (non-directed): o o o Script kiddies Recreational hackers Virus writers External deliberate (directed): o o o o Criminal groups Activists Terrorists Agencies of foreign states The intent of the cyber attacks on a control system is to: Disrupt the production process by blocking or delaying the flow of information. 10

11 2-What is Cyber Security Damage, disable, shutdown equipment to negatively impact production or the environment. Modify or disable safety systems to cause intentional harm or death. Most cyber attacks that penetrate the control network system originate from the enterprise system followed by the internet and trusted third parties How Attackers Can Gain Access to the Control Network The following information is extracted from US-CERT's Control Systems Security Program and is paraphrased from content on the US-CERT Control Systems: Overview of Cyber Vulnerabilties web page located at Schneider Electric recommends reviewing all the materials at this web site to gain a better understanding of control system vulnerabilities and potential threats. In order to attack the control system network, the attacker must bypass the perimeter defenses to gain access to the control system LAN. The most common methods of gaining access are: Dial-up access to RTU devices Supplier access (Technical support) IT controlled network products 11

12 2-What is Cyber Security Corporate VPN Database links Poorly configured firewalls Peer utilities Dial-up Access to the RTU Devices Most control systems have a backup dial-up modem in the event that the main network is no longer available. The attacker must know the protocol of the RTU in order to gain access. Most RTUs don t have strong security mechanisms employed and identify themselves to any caller. Authentication mechanisms are not widely employed Supplier Access In order to minimize down time and reduce costs, suppliers are often given VPN access for remote diagnostics or maintenance. The suppliers frequently leave ports open on the equipment to simplify their tasks, giving the attacker access to the equipment and links to control system network. 12

13 2-What is Cyber Security IT Controlled Communication Equipment The automation department s network authority is often limited to the control network within the facility. The IT department assumes the responsible for longdistance communication controlled and maintained from the business. A skilled attacker can access the control network via holes in the communication architecture and reconfigure or compromise communications to the field control devices Corporate VPNs Engineers working in the corporate offices and will often use VPN from the company broadband to gain access to the control network. The attacker waits for the legitimate user to VPN into the control system network and piggybacks on the connection. 13

14 2-What is Cyber Security Database Links Most control systems use real-time databases, configuration databases, and multiple historian databases. If the firewall or the security on the database is not configured properly, a skilled attacker can gain access to the database from the business LAN and generate SQL commands to take control of the database server on the control system network Peer Utility Links Partners and peers are granted access to information located on either the business or control network. With the peer-to-peer link, the security of the system is as strong as the security of the weakest member. 14

15 2-What is Cyber Security 2.3. How Attackers Attack The following information is extracted from US-CERT's Control Systems Security Program and is paraphrased from content on the US-CERT Control Systems: Overview of Cyber Vulnerabilties web page located at Schneider Electric recommends reviewing all the materials at this web site to gain a better understanding of control system vulnerabilities and potential threats. Depending on motives and skills, the attacker may or may not need to know details of the process to cause problems. For example, if the motive is simply to shut down the process, very little knowledge of the control process is needed. However, if the attacker wants to strategically attack a specific process, then specific details and knowledge is required. The two most vulnerable processes are: Data acquisition database HMI/SCADA display screens Names of databases differ from suppliers but most use a common naming convention with a unique number (i.e. Pump1, pump2, breaker1, breaker2 ). On the communications protocol level, the devices are simply referred to by number (memory location or register address). For a precise attack, the attacker needs to translate the numbers into meaningful information. Gaining access to the HMI screens is the easiest method for understanding the process and the interaction between the operator and the equipment. The information on the screen allows the attacker to translate the reference numbers into something meaningful. 15

16 2-What is Cyber Security Control of the Process Once an attacker has enough information about the process, the next step is to manipulate it. The easiest way to gain control of the process is to connect to a data acquisition device, such as a PAC, that also has access to field devices and send it properly formatted commands. Most of the PACs, gateways or data acquisition servers lack basic authentication and will accept any commands that have been formatted correctly Exporting the HMI Screen Another method of attack is to export the HMI screen back to the attacker to gain control of the operations. A sophisticated attacker may also modify the operator s screen to display normal operations in order to disguise the attack. The attacker is normally limited to the commands allowed for the currently logged-in operator. 16

17 2-What is Cyber Security Changing the Database The attacker accesses the database and modifies the data in order to disrupt normal operation of the control system or change stored values to affect the system s integrity Man-in-the-Middle Attacks Man-in-the-middle is a type of attack where the attacker intercepts messages from one computer (Host A), manipulates the data prior to forwarding to the intended computer (Host B) and vice versa. Both computers appear to be talking to each other and are unaware of an intruder in the middle. In order for the attacker to be successful in manipulating the packets, the protocol must be known. The man-in-the-middle attack allows the attacker to spoof the operator HMI screens and take full control of the control system. 17

18 2-What is Cyber Security 2.4. Accidental Events While many threats exist from disgruntled employees, hackers, terrorists, or activists, the majority of system outages related to networks are caused by accidental events. In this case, we are referring to personnel not following proper procedures, accidentally connecting network cables in wrong ports, poor network design, programming errors, or badly behaving network devices. Experts attribute >75% of network-related system outages to accidental events. Many of the security features and processes discussed in this document can also prevent these types of accidental events. In many cases, contractors are necessary contributors to system design, commissioning, or maintenance. Proper procedures should be defined that ensure that contractors don t bring malware, viruses, or other problems into the control network. Another example of proper procedures involves how USB keys; a convenient method to transfer files, can be safely employed in the control network environment. USB keys are a common source of malware and viruses and must be carefully screened before permitting their use. Network architectures are designed and configured at design time to comply with robust behaviors; including segmenting, filtering, and topological rules. Individuals who inadvertently connect a network cable into the wrong port on a multi-port switch might create outages or broadcast storms bringing a network to its knees. Many of the broadcast storm protections discussed in this document apply to this accidental events as well as Denial of Service attacks. In general, the cause might be accidental, but the features, practices, and procedures used to protect from cyber attack work equally well to prevent accidental system outages. In this case, disaster recovery methods should be 18

19 2-What is Cyber Security employed and tested to make sure that recovery from an outage or device failure can be quickly and reliably managed, minimizing downtime and lost production. High availability and redundant architectures play a role in this area when even short duration system outages can t be tolerated Control System Vulnerabilities The North American Electric Reliability Corporation (NERC) performed a study identifying the top 10 vulnerabilities of control systems: 1. Inadequate policies, procedures, and culture that govern control system security: Clash between operational culture with modern IT security methods. IT often does not have an understanding of operational requirements of a control system. Lack of overall awareness and appreciation of the risk associated with enabling the networking of these customized control systems. Absence of control system information security policy. Lack of auditing, enforcing, or adhering to control system information security policy not adhered to, enforced or audited. Lack of adequate risk assessment. 2. Inadequately designed control system networks that lack sufficient defensein-depth mechanisms: Network security of control system devices were not adequately considered when originally designed. These systems were designed with availability and reliability in mind. Control systems may not be capable of secure operation in an internet/intranet working environment without significant investment to reengineer the technology so it is in accordance with appropriate risk assessment criteria. 3. Remote access to the control system without appropriate access control: Inappropriate use of dial-up modems. Use of commonly known passwords or no use of passwords. Implementation of non-secure control system connectivity to the corporate Local Area Network (LAN). Practice of un-auditable and non-secured access by vendors for support. 19

20 2-What is Cyber Security 4. System administration mechanisms and software used in control systems are not adequately scrutinized or maintained: Inadequate patch management Lack of appropriately applied real time virus protection. Inadequate account management. Inadequate change control. Inadequate software inventory. 5. Use of inadequately secured wireless communication for control: Use of commercial off-the-shelf (COTS) consumer-grade wireless devices for control network data. Use of outdated or deprecated security/encryption methods. 6. Use of a non-dedicated communications channel for command and control and/or inappropriate use of control system network bandwidth for non-control purposes: Internet-based Supervisory Control and Data Acquisition (SCADA). Internet/Intranet connectivity initiated from control system networks: File Sharing Instant Messaging 7. Insufficient application of tools to detect and report on anomalous or inappropriate activity: Underutilized intrusion detection systems. Under-managed network system. Implementation of immature Intrusion Prevention Systems. 8. Unauthorized or inappropriate applications or devices on control system networks: Unauthorized installation of additional software to control system devices. Peripherals with non-control system interfaces, e.g., multi function or multi-network printers. Non-secure web interfaces for control system devices. Laptops. USB memory. 20

21 2-What is Cyber Security Other portable devices e.g., personal digital assistants (PDAs). 9. Control systems command and control data not authenticated: Authentication for LAN-based control commands not implemented. Immature technology for authenticated serial communications to field devices. Lack of security implemented on an object by object basis on the control displays. 10. Inadequately managed, designed, or implemented critical support infrastructure: Inadequate uninterruptible power supply (UPS) or other power systems. Inadequate or malfunctioning HVAC systems. Poorly defined 6-wall boundary infrastructure. Insufficiently protected telecommunications infrastructure. Inadequate or malfunctioning fire suppression systems. Lack of recovery plan. Insufficient testing or maintenance of redundant infrastructure. 21

22 3. Schneider Electric Cyber Security Defense No single solution can provide adequate protection against all cyber attacks on the control network. Schneider Electric recommends employing a defense in depth approach using multiple security techniques to help mitigate risk. The defense in depth approach recommends six layers of defense for a PlantStruxure network: 1. Security Plan Creating the security plan is the first step to secure the control system network. Polices and procedures must be defined, implemented and most importantly updated and maintained. The planning process involves perform a vulnerability assessment, mitigating the risk and creating a plan to reduce or avoid those risks. 2. Network Separation Physically separating the control system network from other networks, including the enterprise, by creating demilitarized zones (DMZs). 3. Perimeter Protection Preventing unauthorized access to the control system through the use of firewall, authentication and authorization, VPN (IPsec) and anti-virus software. This includes remote access. 22

23 3.1. Security Plan 4. Network Segmentation Use VLANs to sub-divide the network providing containment in the event of a security breach within a subnet. It can be further enhanced using the concept of communication zones. Each zone would be buffered from other zones by use of a security firewall to limit access, monitor communications and report incidents. 5. Device Hardening Device hardening is the process of configuring a device to protect it from communication-based threats. It involves password management, access control and disabling all unnecessary protocols and services. 6. Network Monitoring No network is 100% secure due to the constant evolution of new threats. Constant monitoring for control network system is necessary to block intruders before damage is done. The first step towards a secure network is to create a security plan with procedures and policies. A cross-functional team consisting of management, IT staff, control engineer, operator and a security expert should participate in the creation of a comprehensive security plan. The security plan should clearly define: Roles and responsibilities of those affected by the policy. Actions, activities and processes that are allowed and not allowed. Consequences of non-compliance. For existing networks, a full assessment is needed prior to creating the plan: Identify communication paths into and out of the control network. Identify communication paths within the control system network. Perform a complete audit of devices on the network. Record security settings of each device. Draw a detailed network diagram. 23

24 Once the infrastructure diagram is completed, a vulnerability assessment is required to identify weaknesses, potential threats and origins of threats. Vulnerabilities assessed are then: Prioritized by threat Prioritized by business consequences Prioritized by business benefits Annual business impact is estimated Ri$k = % Probability of Threat of Attack * % Probability of a Vulnerability Being Exploited * Reasonably Predictable (Financial) Consequences Introduction to Information Security, Dave Norton, CISSP Program Manager, Transmission IT Security Entergy New Orleans 24

25 The plan should consist of: Security policies - Security policies should be developed for the control system network and its individual components. The policies should be reviewed periodically for changes in threats, environment or adequate security level. Blocking access to resources and services Protecting the perimeter through the use of firewalls or proxy servers, access control and anti-virus software. Limiting communications between separate communications zones through the use of firewalls and inline security devices. Detecting malicious activity Intrusion detection such as monitoring audit and event logs is necessary to identify problems on the network. Mitigating possible attacks The more secure the network becomes, the greater the impact on latency. In order for the process to run correctly a level of vulnerability may be required. Fixing core detected problems Fixing detected problems usually involves updating, upgrading, or patching the software vulnerability or removing the vulnerable application Network Separation One of the critical elements of designing a control system network is the physical separation between the control network and external communication networks. Data access between the internet, enterprise system and the control network should take place on servers located in a demilitarized zone (DMZ). A DMZ provides a safe and secure means of sharing data between zones. The DMZ should contain: Data servers such as Citect Historian that share and collect data from the control system and enterprise system. Patch management Antivirus server Web access server Wireless access point Remote access All communication links should end in the DMZ. There should be no direct communication path into the industrial control network. 25

26 DMZ Guidelines All traffic should terminate at servers in the DMZ. Inbound traffic to the control system should be blocked. Access to devices inside the control system should be through the DMZ. Outbound traffic through the control network firewall should be limited to essential communications only. All outbound traffic from the control network to the corporate network should be source and destination-restricted by service and port. Firewalls should be configured with outbound filtering to stop forged IP packets from leaving the control network or the DMZ. Firewalls should be configured to forward IP packets only if those packets have a correct source IP address for the control network or DMZ networks. Internet access by devices on the control network should be strongly discouraged. The servers in the DMZ zone must be hardened. Security patches and anti-virus software must be continuously updated. 26

27 3.3. Protecting the Plant Perimeter Firewalls are used to protect the network perimeter by blocking unauthorized access while permitting authorized communications. A firewall is a device or set of devices configured to permit, deny, encrypt, decrypt, or proxy all (in and out) traffic between different security domains based upon a set of rules and other criteria. Firewalls play an important role in a control system network. Process control devices require fast data throughput and therefore cannot afford latency introduced by a over-aggressive security strategy. The control system relies heavily on perimeter protection to block all unwanted and unauthorized traffic. There are three categories of firewalls: Packet filtering: A low cost basic type of firewall having minimal impact on the network performance. Basic information in each packet, such as IP addresses is validated prior to forwarding. This type is not recommended due to lack of authentication. It does not conceal the protected network s architecture. Application-Proxy Gateway An application proxy gateway examines packets at the application layer and filters traffic based on specific application rules such as specified applications (e.g., browsers) or protocols (e.g., FTP). Application proxy gateways provide a high level of security, but can have 27

28 overhead delays impacting the network performance of the control system. Their use is therefore not recommended. Stateful Inspection Firewalls: Stateful multilayer inspection firewalls are a combination of the above firewall types. Stateful inspection filters packets at the network layer and validates that the session packets and their contents at the application layer are legitimate. Stateful inspection makes sure that all inbound packets are the result of an outbound request. Stateful inspection firewalls provide a high level of security and good performance but can be expensive and complex to configure Firewall Guidelines The National Institute of Standards and Technology (NIST) has provided the following guidelines: The base rule set should be deny all, permit none. Ports and services between the control system network environment and the corporate network should be enabled and permissions granted on a specific case-by-case basis. There should be a documented business justification with risk analysis and a responsible person for each permitted incoming or outgoing data flow. All permit rules should be both IP address and TCP/UDP port specific. All rules should restrict traffic to a specific IP address or range of addresses. Traffic should be prevented from transiting directly from the control network to the corporate network. All traffic should terminate in a DMZ. Any protocol allowed between the control network and the DMZ should explicitly NOT be allowed between the DMZ and corporate networks (and vice-versa). All outbound traffic from the control network to the corporate network should be source and destination-restricted by service and port. Outbound packets from the control network or DMZ should be allowed only if those packets have a correct source IP address that is assigned to the control network or DMZ devices. Control network devices should not be allowed to access the Internet. Control networks should not be directly connected to the Internet, even if protected via a firewall. 28