1 ISPE Automation Forum. Cyber Security: Where Do I Begin? Don Dickinson, Project Engineer, Phoenix Contact
2 ...50% more infected Web pages in the last three months of 2008 than all of 2007. Click on one and you won't notice anything. Your PC gets turned into an obedient bot deployed to attack other computers. All of your sensitive data get stolen. Source: USA Today
3 Computer Emergency Response Team (CERT): A widespread and coordinated attack on web sites for Departments of Homeland Security and Defense, the Federal Aviation Administration and the Federal Trade Commission
4 The Pentagon has spent more than $100M in the past six months responding to and repairing damage from cyber attacks and other network problems. "...we recognize that we are under assault from the least sophisticated, what I would say is the bored teenager, all the way up to the sophisticated nation-state." Source: USA Today
5 18-year-olds have a lot of free time, and crave attention! Just hours before Microsoft officially released IE8, a German computer student hacked the browser and won a contest! "broke into within minutes by exploiting a previously unknown vulnerability in the new browser," said the manager of security response at 3Com Corp's Tipping Point, THE CONTEST SPONSOR!
6 Spies hacked into the US electric grid and left behind computer programs that would let them disrupt service, exposing potentially catastrophic vulnerabilities in key pieces of national infrastructure. "...the level of sophistication necessary to pull off such intrusions is so high that it was almost certainly done by state sponsors." Source: News & Observer
7 Hacking community spreads its knowledge (they even have camps)
8 Obama setting up better security for computers. By Lolita C. Baldor, Associated Press Writer, Fri May 29, 2:52 pm ET. Obama said the U.S. has reached a "transformational moment" when computer networks are probed and attacked millions of times a day. "It's now clear this cyber threat is one of the most serious economic and national security challenges we face as a nation," Obama said, adding, "We're not as prepared as we should be, as a government or as a country."
16 Cyber threats: unauthorized access to a control system, directed from within an organization by trusted users or from remote locations by unknown persons using the Internet.
17 Industrial Network Security: A real & growing imperative. Deployment of Industrial Ethernet growing at 50% per year. Increasing use of standard IT components in the industrial environment. Systems become more open for integration and damage. Vulnerabilities spread from office IT to the shop floor. vulnerabilities and exploits reported each year. Source: CERT Coordination Center
18 Securing Control Networks - More than just security. March 2008: The Hatch nuclear plant in Georgia is forced into an emergency shutdown for two days as a result of a software update on a single business computer!
19 Why Networks Need Security. Threats: network overload by technical defects, broadcast storms; accidental human errors: maloperation, introduction and dissemination of malware; phishing; malware (worms); intended, targeted attacks from inside and outside: sabotage, espionage, white-collar crime, cyber terrorism. Potential Damages (Risks): loss of production; damage caused to health and environment; loss of intellectual property (process knowledge and data); loss of compliance (e.g. FDA in pharmaceuticals); damage to corporate image.
20 Network Security: Industrial vs. Office Installations. Protecting industrial networks is quite different: older operating systems, security software unavailable; heterogeneous hardware & software; tough environmental conditions; system life cycles of years; "never touch a running system"; lack of IT security expertise; potential economic damage in production much more substantial.
21 Use of Routers to secure control systems. Routers provide key security functions: Firewall; Routing and NAT Routing; VPN. Allows for network separation and segmentation. NAT allows for duplicate IP address schemes on a network. Provides secure remote connectivity.
22 Old security model: perimeter based. Initial security models had all defense efforts focused on the perimeter. Worked OK, but if it was breached the attacker had the run of the place. The Great Wall of China was an awesome defensive structure, but when breached by the Manchurians, the Ming dynasty fell. A better strategy is defense in depth.
23 Defense in Depth: Security concept borrowed from the military. More difficult for an enemy to penetrate many smaller and varied layers of defense than 1 single large layer that may have a flaw. Limits scope of an attack to only the layer(s) that have been breached. The rest of the network is protected. Breach of outer layers can signal an alarm that an attack is ongoing, allowing protective measures to take place before all is lost.
24 Defense in Depth (diagram: Internet). An industrial router can be used in conjunction with IT's security infrastructure to enhance the safety of the network. The IT Corporate Firewall typically protects from outside threats. The IT Router protects Corporate Office network segments. The industrial router protects the Control and Industrial network segments and individual devices.
25 Firewall Application Scenarios. Remember: security isn't just IT's responsibility, it isn't just the plant floor's responsibility; everyone has a role to play. A single mGuard can protect a subnet of over 100 devices! This can be an unmanaged or managed switch (SFN, Lean, etc.). Protecting a single device: if this is a PC, you could use an mGuard PCI.
26 Why is a router used? Back in the old days of common bandwidth (half duplex and hubs), more nodes caused so many collisions that communication was stifled. Routing reduces broadcast domain and collision domain. Widespread and WAN communications. Better security model: protect information by putting it on a separate subnet. Better administration: separate traffic into logical groups like Accounting, HR, etc.; separate traffic into physical groups like 1st Floor, 2nd Floor, etc. Allows for redirection based on IP information or upper level protocols (e.g. TCP or UDP port information).
27 Routing: What is it? Routing vs. Switching: Layer 3 vs. Layer 2; logical IP address vs. hardcoded MAC address. Used to segment traffic into subnets. Calculates paths to get from Point A to Point B, whether B is in the same row or around the world. Devices use the Default Gateway address to point to a router. Gives access to higher level protocols such as TCP and UDP. OSI Model (layer: handled by): Application, Presentation, Session: managed by applications communicating (E-Mail, Web, etc.); Transport: Routers/Firewalls/Other Gateways; Network: Routers; Data Link: Switches; Physical: Hubs.
28 Routing / NAT Routing Application Scenarios. Use routing to insulate and isolate the control network from the IT network or even other control networks. NAT Routing allows for equipment on the same network to use the same IP scheme. E.g. identical production cells: mGuard allows them to have unique external addresses, but the same internal addresses. Easier to program and maintain! mGuard can be used to segment a LAN or connect to the Internet.
29 Network Address Translation (NAT): NAT is the translation of an IP address used within one network to a different IP address known within another network. One network is designated the inside network and the other is the outside. Typically, a company maps its local inside network addresses to one or more global outside IP addresses and unmaps the global IP addresses on incoming packets back into local IP addresses. 1:1 NAT maps each inside address to a unique outside address. For Example x = x. Allows for multiple instances of the same IP addresses on the same network. Useful with multiple identical lines.
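Added example (not from the original slides or from Phoenix Contact): a Python model of the 1:1 NAT described on slides 28 and 29, where identical production cells reuse one inside subnet and each cell is given a unique outside subnet. The 192.168.0.0/24 and 10.1.x.0/24 networks, the cell names and the function names are constructed for illustration.

```python
import ipaddress

INSIDE_NET = "192.168.0.0/24"   # constructed: address plan every cell reuses
CELLS = {"cell_a": "10.1.1.0/24", "cell_b": "10.1.2.0/24"}  # constructed


class OneToOneNat:
    """1:1 NAT for one cell: network bits are swapped, host bits are kept."""

    def __init__(self, inside, outside):
        self.inside = ipaddress.ip_network(inside)
        self.outside = ipaddress.ip_network(outside)
        if self.inside.prefixlen != self.outside.prefixlen:
            raise ValueError("inside and outside networks must be the same size")

    @staticmethod
    def _swap(addr, src_net, dst_net):
        addr = ipaddress.ip_address(addr)
        if addr not in src_net:
            return None  # outside this mapping: never translated
        host_bits = int(addr) & int(src_net.hostmask)
        return str(ipaddress.ip_address(int(dst_net.network_address) | host_bits))

    def to_outside(self, inside_addr):
        return self._swap(inside_addr, self.inside, self.outside)

    def to_inside(self, outside_addr):
        return self._swap(outside_addr, self.outside, self.inside)


def build_plant(cells, inside=INSIDE_NET):
    """One NAT router per cell; outside networks must not overlap."""
    nets = [ipaddress.ip_network(n) for n in cells.values()]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"outside networks overlap: {a} and {b}")
    return {name: OneToOneNat(inside, out) for name, out in cells.items()}


def locate(plant, outside_addr):
    """Resolve a plant-wide address to (cell, inside address), else None."""
    for name, nat in plant.items():
        inside_addr = nat.to_inside(outside_addr)
        if inside_addr is not None:
            return name, inside_addr
    return None
```

The same PLC address in two cells stays distinguishable from the plant network, and an address outside every mapping resolves to nothing rather than being translated.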
30 Virtual Private Networking (VPN): Establishes a tunnel across the Internet to allow for remote support, diagnostics, pulling data; basically anything that requires communication between local and remote sites. Distance or intermediary hops are of no concern; that is, the circuit is a virtual one and the physical path to get from Point A to Point B can change without interruption or interference of the tunnel. Ideal for secure communications between multiple networks or multiple hosts.
31 Why do I need a VPN? Remote connectivity: diagnostics and alarming; data pull or push; support. Security of data. Utilizing the ubiquitousness of the Internet instead of costly point to point (e.g. T1, T3) lines, or the poor speed, additional wiring and recurring costs of multiple analog connections. All in all a great way to improve support, ease administration, reduce downtime and cut travel costs.
32 Basic VPN concept: Initial authentication takes place between gateway & client. A packet to be sent to a remote location is first encrypted at one VPN gateway. The receiving VPN gateway at the remote location is responsible for decrypting the packet and sending it to the host. Contents are safe from sniffing or corruption on the Internet. (Diagram: private network, encryption, IPsec VPN carrying encrypted data across the Internet, decryption, private network.)
33 VPN Application Scenarios. Secure, remote connectivity allows for better, more cost-effective support and the ability to communicate with remote sites to gather data, alarm events, remote config, control processes, etc. mGuards can connect when they are in firewall (Stealth) or in router mode. A single mGuard can support multiple concurrent connections. An mGuard can connect to another mGuard directly. A connection can be established going through another device, or even from another device, e.g. Cisco.
34 Software vs Dedicated Hardware VPNs. Software VPNs are commonly used to access the company network from remote sites. Is there a performance change on your computer when you are connected? mGuard provides much higher throughput than a software VPN: 70mb/s vs 30-35mb/s for most software. Heavy data flow over software clients is a heavy drain on the CPU; depending on the encryption and compression algorithms used, it can consume 95% CPU time. mGuard can handle 250 concurrent tunnels, software only 1. Is your industrial PC's job to function in the control network or to have its resources siphoned off to handle VPN connectivity?
51 Request a White Paper HACKING THE INDUSTRIAL NETWORK Send to Subject: Cyber Security White Paper
52 ISPE Automation Forum. Thank You. Questions? Don Dickinson, Project Engineer, Phoenix Contact