CYBER SECURITY Is your Industrial Control System prepared? Presenter: Warwick Black Security Architect SCADA & MES Schneider-Electric

Transcription

1 CYBER SECURITY Is your Industrial Control System prepared? Presenter: Warwick Black Security Architect SCADA & MES Schneider-Electric

2 Challenges What challenges are there for Cyber Security in Industrial Control Systems (ICS)?

3 ICS Challenges Control Systems control real-world processes Manufacturing / Material Processing Critical Infrastructure Power, Water, Transport, Communications Speed, Reliability, Connectivity, Availability Focus on performance, not Security Plants run 24/7 with as little downtime as possible

4 Control System Lifecycle

5 Legacy Systems & thinking Security by Obscurity Proprietary protocols & bespoke operating systems One-off applications Specific knowledge required Isolated Networks Perimeter Firewall only defence IT stops at the Firewall, then Control Engineer s domain

6 Consequences IT Systems Defacing of website Damage to computer systems Loss of consumer personal information Loss of intellectual property Financial loss Control Systems Loss in productivity Downtime Damaged hardware Loss/theft of information or intellectual property Environmental Incident Licence to operate Personal Injury or Death Crippled Critical Infrastructure

7 So what s changed? Why is Cyber Security for ICSs only an issue now?

8 STUXNET Advanced worm, discovered July 2010 Targeted Siemens PCS7, S7 PLC and WinCC systems Infected at least 22 manufacturing sites worldwide Including it s supposed target, Iran s Nuclear program Unprecedented level of sophistication Gained media, industry, government and hacking community attention STUXNET code is available for modification

9 Not so obscure anymore Cyber Security is the current Hot Topic But previously it s all been about Standardisation Openness Connectivity Ethernet Everywhere Smart Devices / Instruments Control Networks are not isolated Often the only Security is a perimeter firewall

10 Standardisation Server % New ICS Sales in 2012 Server % Vista 1.2% Other 0.6% Win 7 35% 99.4% for Windows ~50% of new orders for obsolete OSes in Extended Support CE 19.7% XP 20.7% (2012 Sales data from 23 ICS Vendors)

11 Vulnerabilities, Exploits and Zero Days Software Vulnerability Flaw or weakness in code that could theoretically be exploited by a malicious program or user Exploit Working code that makes use of a vulnerability Client-Side Exploit Remote Exploit Zero-Day Exploit An exploit for which there is no patch The vendor has had zero days to respond

12 Drive-By Exploit When a legitimate Website is compromised and malicious code uploaded to attack visitors #1 Threat Trend for Critical Infrastructure (28/09/12) ENISA - European Network and Information Security Agency Feb ios App developer forum was used to deploy Zero-Day Java exploit code ( Microsoft, Apple, Facebook and Twitter have all reported they had corporate PCs compromised

13 Hacking tools & knowledge Easily accessible information YouTube, forums etc. Highly developed tools available Penetration Platforms / Frameworks Standardised all common functionality Regular updates for all newly published exploit code SCADA+

14 ShodanHQ.com Hardware Search Engine If your site / device is internet connected, it is indexed.

15 Java Vulnerabilities Multi-Platform 3 Billion Devices run Java, Windows, Linux, Mac Patches for 55 Security Vulnerabilities already in 2013 Vulnerability announcements almost a weekly occurrence From an audit on 25th March 75% of users use a version more than 6 months old 93.77% of Java users were still vulnerable to CVE months after it had been reported 20 days after a patch was released Versions below and still vulnerable

16 Demo Java Exploit Recorded version here: VM1 VM2 VM3 INTERNET HACKER VICTIM

17 Defence in Depth Mitigating the risks

18 Cyber Security Strategy There is no Magic Bullet Proper Cyber Security is a Defence in Depth strategy, consisting of: Secure Products Secure Architectures Security Policies & Employees

19 Secure Products

20 Secure Products Secure by Design Security Features Access Control Security Configuration Securely Coded / Developed Products WurldTech s Achilles Certification ISA Secure Certification New Cyber Security Certification Centre Achilles Certified Lab in North Andover (Boston) Constantly assessing our existing products Involved from development for new products

21 Secure Products Secure Implementation Device Hardening applies to all cyber assets PCs PLCs / PACs, HMI Panels Switches, Routers Smart Instruments, Legacy Field Devices Enable and configure the provided security features Non-default, Strong passwords Configure access control

22 Secure Products Secure Implementation Disable unused functionality Unused embedded Web portals Unnecessary plugins: Flash, Java etc. Disable USB Ports Disable unused ports on switches Keep firmware up to date Place higher priority on Security Updates Use downtime periods to apply and test other major upgrades

23 Industrial Firewalls

24 Secure Products Industrial Firewalls Connexium Industrial Firewall TCSEFEC Tofino Industrial Firewall TCSEFEA

25 Connexium Industrial Firewall (TCSEFEC) 3 Modes of operation Router (Layer 3) Switch / Transparent (Layer 2) PPPoE (Point to Point over Ethernet) Packet Filtering - Firewall Rules Denial Of Service protection VPN Built for Industrial conditions Din Rail, 0-60 C operating temp, MTBF = 50+ Years Configurable alarm relay connection Copper & Fibre variants Redundancy Dual Power Supply (12 48 VDC or 24 VAC) VRRP Virtual Router Redundancy Protocol (Layer 3)

26 ConneXium Tofino Firewall (TCSEFEA) Industrial Firewall, plus additional features MODBUS Enforcer Deep packet inspection for Modbus Can block traffic based on Function codes Register or coil addresses Station ID No. Non-standard Modbus traffic 1000 packets per second with full content inspection Ideal for protection of legacy Modbus devices Event Logger

27 ConneXium Tofino Firewall (TCSEFEA) Preconfigured firewall templates for Schneider Hardware

28 Secure Architectures

29 Secure Architecture Multiple levels of defence Network Separation Perimeter Protection Control Network Segmentation ENTERPRISE ZONE Business Servers OPERATION ZONE Historian Business Workstations SCADA Client Term Svr SCADA Server SCADA Client Unity Workstation DMZ CTRL 1 CTRL 2 SAFETY CTRL 3 Legacy / 3 rd Party

30 Security Policies & Employees

31 Security Policies Established, maintained and enforced by a crossdiscipline team Full asset audit / diagram / documentation Establish the baseline minimal configuration Risk Assessment Ownership / responsibilities Consider: Access Control (Physical) / Privileges / Password Policies Patch / Upgrade Management Change Management Backup / Recovery plans / procedures Incident Response / Forensics

32 Incident Handling How would you handle an Incident at your facility? Wipe and restore affected assets? Take plant offline and await forensic analysis? Contact Law enforcement? Contact Industrial authorities / regulators? Inform customers about potential data loss/leak? Establish the risks and responses for your site now

33 Employees Assign ownership & responsibilities Maintain & enforce Security Policies Monitor Network & Security logs Provide Training Awareness of Social Engineering & other security risks Security Policies Incident Detection and Handling

34 Patch Management Have a plan for patching Auto-update isn t safe or practical for ICS Assess the impact of the patch, test, deploy Prioritise patches based on risk Deploy Compensating measures until patches can be deployed Disable a vulnerable interface until patched Modify firewalls Deploy IDS rules to detect / block known attacks

35 Complimentary Technology Host-Based Anti-Virus / Application Control Traditionally using virus Signatures Whitelisting would work better for ICS Servers Block all, allow only approved programs VPN Two-Factor authentication IDS / IPS Systems HIDS / HIPS Host-based NIDS / NIPS Network-based SIEM Centralize Logs

36 Summary

37 Defence in Depth Assets Highest Value Assets Employees / Policies Segmentation Firewalls Perimeter Firewalls Network Monitoring DMZ Secure Products (Bricks) Threats

38 Further Information Schneider-Electric How Can I Reduce Vulnerability to Cyber Attacks in the Control Room? TVDA Control Room Cybersecurity DHS: Improving Industrial Control Systems Cybersecurity with defence-in-depth Strategies (2009) The original Defence-in-Depth strategy that Schneider has adopted DHS: Cyber Security Procurement Language for Control Systems (2009) Provides guidance and wordings for procurement, FAT, SAT and maintenance requirements DHS: Catalog of Control Systems Security: Recommendations for Standards Developers (2011) A good guideline on developing security standards and policies for End-Users SANS 20 Critical Controls for Effective Cyber Defence (2013) A concise list of 20 security measures derived from NIST SP r3 Includes steps on how to implement, automate and measure their effectiveness. ISA (Draft 4, Jan 2013) A comprehensive set of System Security Requirement. NIST rev2 Computer Security Incident Handling Guide (2012) How to organize a Computer Security Incident Response Capability and how to handle an incident NIST rev3 Guide to Enterprise Patch Management Technologies A guide to developing a Patch Management Strategy and the different technology available.