WWHMI SCADA-12 Cyber Security Best Practices in the Industrial World

Transcription

1 Slide 1

2 WWHMI SCADA-12 Cyber Security Best Practices in the Industrial World Chris J Smith for Paul Forney, MCSE, CSSLP Chief Technologist R&D Security Team Invensys Operations Management 2012 Invensys. All Rights Reserved. The names, logos, and taglines identifying the products and services of Invensys are proprietary marks of Invensys or its subsidiaries. All third party trademarks and service marks are the proprietary marks of their respective owners.

3 Acknowledgements Pike Research Monitoring and Securing SCADA Networks The Department of Homeland Security CSSP All the folks at McAfee (thanks for your help and support) Ernie Rakaczsky Program Manager, Invensys Cyber- Security The Invensys Critical Infrastructure & Security Practice Team Slide 3

4 Stealth Attacks Increasing More than 1,200 new rootkits detected each day AURORA: STUXNET: SLAMMER: ZEUS: More than 2.1M unique rootkits detected More than 75M malware detected Government Physical Harm Sponsored Hacking Organized For Crime Fun Cyber Espionage Number of reports of data breaches via hacking, malware, fraud, and insiders has more than doubled since 2009 TDSS rootkit is used as a persistent backdoor to install other types SpyEye is hidden with a rootkit to steal banking credentials STAKES Are Rising Rapidly Stuxnet used a rootkit to hide an APT targeting government infrastructure Slide 4

5 Typical Network Architecture An Attacker has three challenges 1. Gain access to the control system LAN 2. Through Discovery, gain understanding of the process 3. Gain control of the process Slide 6

6 Reported ICS Vulnerabilities ACTUAL Slide 11

7 Community of Concern Oil EPRI Chemical Nuclear Power Industry Sectors Owner\Operators Water Gas Electric LOGIC2 I3P Academia & Research SRI IFAC IEEE NERC NIST Standards ISA/ISCI IEC TSWG CSSP NCSD Department of Homeland Security ICSJWG ISAC US- CERT HSARPA Control System Cyber Security Community Engineering Firms INL ARGONNE API PNNL National Labs AGA LLNL SANDIA Control Systems Vendors Labs & Research Security Consultants Security Technologies Slide 13

8 A successful Cyber Security Program has 3 major areas of focus with People Policy and Procedures 65% 15% 20% Technology Dennis Brandl Three Pillars of Industrial Cyber Security Slide 15

9 Security Objectives Prevent unauthorized changes to values in a Controller, PLC, process or configuration Prevent misrepresentation of process values on the HMI Reduce possibility of a production slowdown due to ICS software Protect integrity of process and event information Prevent loss of genealogy information Provide availability of the system and safety for the plant personnel and surrounding environment Slide 16 Slide 16

10 Special Restrictions for ICS Security Products* Do nothing that negatively impacts network latency Restrict SCADA traffic to known and expected message types Isolate the SCADA network from any other networks, including the enterprise Collect and analyze from multiple sources beyond only IT events Prioritize situational awareness to prevent cyber incidents Implement strong change management for all SCADA modifications Use security products that are simple to deploy and manage Involve SCADA operations personnel in all SCADA security decisions *Pike Research Monitoring and Securing SCADA Networks Slide 17

11 What We Need to Protect Endpoint Network Data Enterprise Apps SCADA, HMI Ladder Logic Ethernet, TCP/IP Ethernet, Serial Ethernet, Serial, Relays Modern Computers (Windows, Linux, Mac) Legacy Computers (Windows) Special Function (Embedded OS) Corporate IT SCADA Device Network Slide 20

12 Established Adaptation for over 8 years Internet Internet Zone Perimeter Firewall Data Center Zone Intrusion Prevention Network Monitoring Server Monitoring Service Level Management Content Filtering Web Usage Reporting User Management Anti-Virus Wireless Security Server Management Remote Access Anti-SPAM Internet Firewall Plant Network Zone Control Network Firewall PC Workstation File & Print Services Wireless Controls Network Zone Intrusion Prevention Anti-Virus Application Workstation Control Station Control Node Bus Interface Interface PC Portal Field I/O I/O I/O PLC I/O I/O I/O I/O Multiple Zone Network Slide 21

13 Best Practices for Securing an ICS Maintain the latest Invensysauthorized Operating System (OS) and application patches. Test every patch to ensuring deployment does not impact operations. Always use current anti-virus definitions. Verify update was successfully installed. Update authorized application software. Enable Network Anti-Virus / Intrusion Prevention System. Enable System policies on all capable network appliances Slide 23

14 Best Practices, USB Devices Do not use a USB stick unless it has been scanned Designate and use specific USB equipment To bridge airgaps, use a specific designated station WITHOUT restriction on USB devices, their portable nature can be used to compromise your security perimeter! Slide 24

15 Machine Hardening (typically no negative effects on the ICS) Harden Servers and Workstations and Non-ICS assets Ensure all software and hardware patches and updates are current. Run A/V scans. Disable all unused ports and services. Harden Bios. Use static IP addresses, disable DHCP Disable NetBIOS and NetBIOS over TCIP/IP. Slide 25

16 Best Practices, Cont. Change default admin passwords. Use strong passwords consisting of more than 6-8 characters using special characters when applicable. Control User Rights. Do not use accounts across domains. Implement password aging, history, and complexity requirements. Always implement Backup and Restore to a network repository. Slide 26

17 More To Do s! Inventory network assets and keep it up to date. Run regular network audits Use physical network isolation when possible Use logical network segmentation (secure zones) when possible with strict Firewall Rules. Isolate and control flow of information between Business Network(s) from PCN through use of firewalls. Require strict firewall rules with specific (/32) source, destination, port, and protocol. Use DMZs Slide 27

18 Network Access Enable Firewall Logging and Monitor as appropriate Implement NMS to provide system audit and logging and monitor Don t click links or files that aren t verified ICS assets should not have internet access Some ICS assets may need to have access to business network website interfaces so verify all access leaving the ICS network to un-trusted networks Slide 28

19 In the event of a Cyber incident Create an Incident Response Plan before an incident so that you are prepared. Steps that are typically part of incident response plans are: Do get a triage team together. Do make a VM image of the affected system. Do get copies of all the logs. Work with the antivirus vendor and other agencies to collect the necessary forensics. Do not start updating anti-virus. Do not start running anti-virus patches. Slide 29

20 Vendor Responsibility - Secure By Design Secure Software is responsible to provide: Confidentiality: Protect against unauthorized information disclosure. Integrity: Prevent unauthorized changes to data. Availability: Provide the required services uninterrupted 24x7 Authenticity: Determine identity of components and users in reliable and consistent manner. Authorization: Control access to various parts of the system based on the user or code s credentials. Non-repudiation: Establish audit trails through system and establish evidence to track a system operation. Slide 30 Slide 30

21 Security: Meeting Cyber Security Requirements As a supplier we are positioned to support cyber security requirements throughout the Life-Cycle from within our: Software Development Lifecycle SDL, Testing, Certification, Source Code validation, etc. Project Execution FAT/SAT Security Baseline, Possible Security features and function fully implemented and updated, etc. Life-Time Support Patch Validation, Security updates, vulnerability mitigation, etc. Slide 31

22 Project Ozone Cyber Security Initiative Vision To create and enhance processes, knowledge and an ingrained culture for building secure and robust solutions our Customers can trust. What is it: Why is it Important: Success is Defined As: Assess existing vulnerabilities in solution offerings Enhance products, processes and tools from a security view Improve responsiveness to Cyber Security issues Increased awareness in the Industry to Cyber Security threats and their impact Impact on credibility and cost after Cyber Security attacks is severe Strategic Alignment for an enterprise connected platform Real-time Indicators: SDL Process Violations (Reduced prerelease process violations per product) Security vulnerabilities per product (Reduction in reported vulnerabilities closed proactively, found pre-release) Primary Indicators: Security Defect Reports (Zero post release reports) Responsiveness to threats/issues (Response time less than 35 days) Slide 32

23 Cyber Security Updates Released Date Notice Identification Number Security Vulnerability Description Detailed Information LFSEC Stack Based buffer overflow in the InBatch BatchField ActiveX Control A vulnerability (Stack overflow) has been discovered in the InBatch BatchField ActiveX Control. This control is installed as part of the InBatch Server and on all InBatch Runtime Clients, including when used embedded in InTouch and any third party InBatch Client Programs (VB or C++). In addition, this control can be used in publishing InTouch graphics in Wonderware Information Server. April 8, LFSEC LFSEC Server lm_tcp buffer overflow A vulnerability has been discovered in InBatch Server and I/A Batch Server in all supported versions of Wonderware InBatch and Foxboro I/A Series Batch. This vulnerability, if exploited, could allow Denial of Service (DoS), the consequence of which is a crash of the InBatch Server. February 18, LFSEC LFSEC Wonderware ArchestrA ConfigurationAccessCo mponent ActiveX Stack Overflow A vulnerability has been discovered in a component used by the Wonderware ArchestrA IDE (Integrated Development Environment) and the InFusion IEE (Integrated Engineering Environment) and if exploited, could allow remote code execution. July Security Update LFSEC Slide 33

24 Project Execution Approach People Training Process Enhancements SOP s and Tools Product Enhancements Institutionalized Across Invensys Operations Management Slide 34

25 Secure By Design Security Built in not Added On The Microsoft SDL is a software development policy for all products with meaningful business risk and/or access to sensitive data Key part of Invensys commitment to protect its customers Implementing the SDL reduces the Total Cost of Ownership (TCO) for Software Products Fewer security patch events required for our products Secure software is by nature Quality software Slide 35 Slide 35

26 Threat Modeling Approach A Careful study of the design of an application to identify weaknesses and vulnerabilities includes 5 steps 1. Identify security objectives 2. Create an application overview 3. Decompose the application 4. Identify threat vectors 5. Identify vulnerabilities Slide 36 Slide 36

27 Defend Against S.T.R.I.D.E. Attacks S T R I D E Spoofing Identity: Allows an attacker to pose as something or someone else Tampering with Data: Involves malicious modification of data or code. Repudiation: Allows an attacker to perform actions that other parties can neither confirm or contradict Information Disclosure: Involves the exposure of information to individuals who are not supposed to have access to it Denial of Service: DoS attacks deny or degrade service to valid users Elevation of Privilege: Occurs when a user gains increased capability often as an anonymous user taking advantage of a coding error to gain admin capability Slide 37

28 Our Solution Stop incurring Technical Debt New Code Reduce Technical Debt Legacy Implement the Security Development Lifecycle for all new projects. Evaluate and model our most critical software for threats, strengthening with tools from the SDL Institutionalize Across Invensys Operations Management R&D Slide 38

29 Please Subscribe to Security Central! Slide 39

30 Slide 40

31 Conclusion Secure systems start with design both hardware, software and application deployments The security journey must be a collaboration between people, processes and technology there is no silver bullet! No substitute for a practical security program that provides a long term, self perpetuating maturity model that can be engrained into the culture of an organization to produce the foundation for secure and robust solutions we can trust. Within Invensys Operations Management R&D, our journey has begun for a more Secure Critical Infrastructure. Slide 41