An Analysis of the Capabilities Of Cybersecurity Defense

Transcription

1 UNIDIRECTIONAL SECURITY GATEWAYS An Analysis of the Capabilities Of Cybersecurity Defense Michael Firstenberg, Director of Industrial Security Waterfall Security Solutions Proprietary Information -- Copyright 2015 by Waterfall Security Solutions

2 Information Security Standard Technology Technology Enterprise / IT Maturity Intent AntiVirus Mature Preventative Firewalls Aging Preventative Encryption Improving Preventative Patching Mature Preventative IDS Mature Detective Vulnerability Scanning Mature Detective Security Training Improving Directive Risk Management Mature Directive Proprietary Information -- Copyright 2015 by Waterfall Security Solutions 2

3 Attack Tree Abbrev Attack Methodology BUFF Buffer Overflow SQL-I SQL Injection WORM Self Replication Worm RAT Remote Access Trojan TGTMAL Targeted Malware DoS Denial of Service / Resource Exhaustion INTERNAL Compromised Insider / E&O Graphic Impact Would have prevented / detected the attack Would prevent / detect some variants of the attack Would not have prevented / detected the attack Proprietary Information -- Copyright 2015 by Waterfall Security Solutions 3

4 #1 AntiVirus Signature-based defense only effective against known attacks Constant testing for safety of new signatures is costly ICS vendors estimate 90% of customers never update ICS signatures Corporate AV servers are attack channels into every ICS host Bottom line: at best AV signatures in ICS networks lag IT networks by several days. More often, AV is not effective in ICS BUFF SQL-I WORM RAT TGTMAL DoS INTERNAL Proprietary Information -- Copyright 2015 by Waterfall Security Solutions 4

5 #2 Next Generation Firewalls Well short of secure initially (out of the box) May not be able to operate in harsher conditions of plants and need to be replaced more often Multiple administration services New vulnerabilities are introduced with new software versions All TCP connections through the firewall are bi-directional Outbound access = Inbound C&C BUFF SQL-I WORM RAT TGTMAL DoS INTERNAL Proprietary Information -- Copyright 2015 by Waterfall Security Solutions 5

6 #3: Encryption Encryption needs key management, and there have been many PKI & other key management attacks in recent years Encryption protects against MIM, but cannot protect against compromised endpoints Encryption is software, with vulnerabilities and zero-days To defeat encryption, compromise an endpoint BUFF SQL-I WORM RAT TGTMAL DoS INTERNAL Proprietary Information -- Copyright 2015 by Waterfall Security Solutions 6

7 #4 Patching Every update is new code. Sometimes a lot of new code. Is it safe? Constant testing for safety of new code is extremely costly Corporate WSUS servers are attack channels into every ICS host Occasional spectacular failures effectively stall these programs at the DCS/SCADA perimeter Only addresses known vulnerabilities Delays from disclosure to deployment Reactive solution Preventative only in specific situations BUFF SQL-I WORM RAT TGTMAL DoS INTERNAL Proprietary Information -- Copyright 2015 by Waterfall Security Solutions 7

8 #5 Intrusion Detection/Prevention (IDS/IPS) Signature-based, detective control only Software driven solution requiring significant tuning to eliminate noise from non-attack related traffic Can be network-based or host-based Anomaly based systems generally function by comparison with a known baseline Well documented evasion techniques Photo: Idaho National Labs BUFF SQL-I WORM RAT TGTMAL DoS INTERNAL Proprietary Information -- Copyright 2015 by Waterfall Security Solutions 8

9 #6 Vulnerability Scanning Requires active polling of devices which can have disastrous effects in a control system environment Enumerates only vulnerabilities that are documented False positives create unnecessary challenges Authentication required for more accurate results BUFF SQL-I WORM RAT TGTMAL DoS INTERNAL Detective controls require corresponding preventative controls to be effective Proprietary Information -- Copyright 2015 by Waterfall Security Solutions 9

10 #7 Security Awareness Training Typically isolated and infrequent Based on the belief that people will do what they are told Assumes people will react in the same way and have similar baseline knowledge base as a starting point Diminishing returns as attention focuses on responsibilities Directive controls always require preventative technical controls and detective systems to alert on violations BUFF SQL-I WORM RAT TGTMAL DoS INTERNAL Proprietary Information -- Copyright 2015 by Waterfall Security Solutions 10

11 #8 Risk Management Risk = Threat Vulnerability x Likelihood x Consequence Bottom line: We are attempting to use the IT Risk calculations to determine the risk, but the factors are incomplete. Proprietary Information -- Copyright 2015 by Waterfall Security Solutions 11

12 CyberScurity: How Much Is Enough? From a recent panel of oil & gas executives and experts: Security is pure cost There has to be an ROI for every one of our security investments We use a risk-based approach, but risk calculations for deliberate attacks are never quantitative It all depends on the risk appetite of your board and executive Never be the highest-ranked person in the company to sign off on a risk always make your boss sign The security department always asks for more money when should we get it? Proprietary Information -- Copyright 2015 by Waterfall Security Solutions 12

13 Reliability + Safety Risks = Soft ICS Interior Cyber safety and reliability risks arise from ability to control physical equipment Testing security updates and AV updates for reliability and safety takes longer sometimes much longer There are tens of thousands of vulnerabilities are waiting to be discovered in ICS software Old, out-of-support hardware and software Encrypted/authenticated communications debate for critical devices may never be resolved Strong perimeter protection will always be disproportionately important in ICS defense-in-depth programs Proprietary Information -- Copyright 2015 by Waterfall Security Solutions 13

14 Device Control & Whitelisting Whitelisting: strictly control what software is allowed to run where Currently used more for devices with complex embedded operating systems than for entire ICS systems Device control: forbid entirely the execution of software from removable media, control what kinds of USB devices (e.g. keyboards, mice) are allowed to be connected to which ports Less intrusive than whitelisting, applied more commonly to larger parts of ICS systems No silver bullet: Cannot prevent remote control of legitimate applications Kernel Application System Calls Authorization Hooks Execute Read Write Allowed List Executable File Proprietary Information -- Copyright 2015 by Waterfall Security Solutions 14

15 ICS Security Technology: Application White Listing Only recognized files are executed Detects new viruses before signatures are issued No signatures to update Read Write BUFF SQL-I WORM RAT TGTMAL DoS INTERNAL Pure application control provides limited or no protection from: In-memory & scripted attacks Attacks on software update mechanisms Remote mis-use of legitimate credentials (local too) Proprietary Information -- Copyright 2015 by Waterfall Security Solutions 15

16 Unidirectional Security Gateways: Server Replication Hardware-enforced unidirectional server replication Replica server contains all data and functionality of original External clients communicate only with replica historian 100% secure from online attacks from external networks Replicate historian servers, OPC servers, RDB servers, Modbus, etc. Industrial Network Corporate Network Workstations Historian Waterfall TX agent Waterfall RX agent Replica Historian PLCs RTUs Waterfall TX appliance Waterfall RX appliance Unidirectional Historian replication Proprietary Information -- Copyright 2015 by Waterfall Security Solutions 16

17 ICS Security Technology: Unidirectional Security Gateways Hardware based security solution Data is replicated to a less secure environment Built for Industrial Control Systems Data replication can be interrupted, but the process is not affected by the disruption BUFF SQL-I WORM RAT TGTMAL DoS INTERNAL Not a silver bullet Can be physically bypassed External data repositories require protection Proprietary Information -- Copyright 2015 by Waterfall Security Solutions 17

18 ICS Security Training Control System Security Training ISA (IC32) SANS (GICSP) DoE/DHS ICS Cert Need to go further Offense informs the defense Information Assurance is only loosely related to Industrial Control System Cybersecurity Proprietary Information -- Copyright 2015 by Waterfall Security Solutions 18

19 Waterfall Security Solutions Headquarters in Israel, sales and operations office in the USA Hundreds of sites deployed in all critical infrastructure sectors 2012, 2013 & 2014 Best Practice awards for Industrial Network Security and Oil & Gas Security Practice IT and OT security architects should consider Waterfall for their operations networks Waterfall is key player in the cyber security market 2010, 2011, & 2012 Strategic partnership agreements / cooperation with: OSIsoft, GE, Siemens, and many other major industrial vendors Proprietary Information -- Copyright 2015 by Waterfall Security Solutions 19

20 Which of Our Networks are Expendible? Attacks only become more sophisticated over time Modern attacks routinely defeat firewalls & other security software Best practices are evolving hardware-enforced Unidirectional Security Gateways are stronger than firewalls Absolute protection from network attacks originating on external neworks Waterfall s unique solutions have the potential to be the industry s next game changing standard So which of our networks are expendable enough to protect with software alone? Proprietary Information -- Copyright 2015 by Waterfall Security Solutions 20