NETWORK SEGMENTATION FOR INDUSTRIAL CONTROL SYSTEM SECURITY

Transcription

1 September 2013 Trusted Computing Conference: Demonstration Guide Demonstration Topics Include: Network Segmentation for Industrial Control System Security A Resilient Infrastructure for Point of Sale Systems TNC Endpoint Compliance Profile Trusted Embedded Computing with Infineon s New TPM with I2C Interface Continuous Endpoint Compliance with Juniper UAC Mobile Threat Defense Solid-State Drives with Self-Encryption: Solidly Secure Secure Authentication: TPM for Virtual Smartcard Using OPAL-Compliant Drives with Windows 8 and Secure Boot

2 NETWORK SEGMENTATION FOR INDUSTRIAL CONTROL SYSTEM SECURITY Trusted Network Connect (TNC) IF MAP and Metadata for Industrial Control Systems Security enables dynamic protection for control system networks interconnecting with enterprise and public networks. Integration of Industrial Control Systems (ICS) with enterprise IT and shared public networks is increasing, driven by considerations from cost to monitoring. With this increased connectivity comes increased risk; poorly managed systems are exposed to infection from shared networks, and protocols and devices never designed for security are accessible to attackers. An industrial automation device is controlling the operation of local control system inputs and outputs. A Human Machine Interface (HMI) is used to monitor and control the automation device for providing Supervisory Control and Data Acquisition (SCADA). The SimpleConnect Industrial Security Appliances (ISA) and Management Platform (SCMP) from Asguard Networks implement TNC standards to provide security and isolation for the ICS. TCG Technology Supported A TNC interface underlies this protection of the interconnection between a process control network and an enterprise network: IF MAP enables coordination of configuration, behavioral, location, and policy information between provisioning and network management applications, policy management and enforcement devices, and network intelligence / visibility components. IF MAP Metadata for Industrial Control Systems Security specifies the pattern of IF MAP usage for the various components providing enhanced security and management of control system networks.

3 Prototype for secure point of sale system infrastructures Motivation DEMONSTRATION Point-of-sale systems OVERVIEW (PoS) are often highly distributed infrastructures with stationary and mobile terminals interacting in uncontrolled environments. The range of POS systems on the market extends from highlyintegrated systems with own operating systems to common PC hardware/operating system environments, where the POS itself is executed as an application program. All POS systems, if unprotected, are vulnerable to a huge range type of attacks focusing on the network communication channels and the single POS systems themselves. The situation is aggravated by the fact that not only remote attacks are expected but also direct hardware and software manipulations on the terminals may occur at any time. Possible reasons for an attack of a concrete POS system range from simple information gathering up to more serious causes like fraud, corruption and money laundering. Concept and Architecture POS Terminal TNC established trusted/ encrypted communication channel periodic TPM-based remote attestation Central POS Server POS System Architecture monitor POS system via IF-MAP A secure POS system must prevent against all described threats and additionally protect the environment against local and remote attackers. Therefore the designed POS system focuses on two main security goals: 1. Protect the terminals from software and hardware manipulation 2. Protect the network communication against eavesdropping and communication data manipulation To reach these two security goals, the concept of secure PoS system is based on the following building blocks: Connect PoS terminals via Trusted-Network-Connect (TNC) and establish encrypted communication channels with the aid of strongswan Continuous health-checks of software and configuration of PoS terminals via remote attestation Monitoring and visualization of the status of the complete PoS system via IF-MAP Efficient management through zero-touch configuration The demonstration shows a prototype that integrates these building blocks on standard PC hardware. The solution is totally independent from the actual PoS software as it integrates itself transparently on top of the network layer. This means the POS software can be executed in its original unmodified version and remains completely untouched.

4 TNC ENDPOINT COMPLIANCE PROFILE This demo shows the first implementation of the new TNC Endpoint Compliance Profile which makes use of the Trusted Network Connect protocols IF M, IF TNCCS and IF T for TLS and maintains an inventory of SWID tags. In the TNC Endpoint Compliance Profile, compliance information is gathered by the TNC client running on the endpoint and is forwarded to the TNC server running on a Policy Decision Point (PDP) which stores it in a Configuration Management Database (CMDB). Version 1.0 of the Endpoint Compliance Profile collects the ISO/IEC Software Identification (SWID) tags of the software installed on the endpoint and stores it in the CMDB. In addition to the SWID tags, the strongswan PDP controlled by the strongtnc CMDB is able to collect information on the operating system and network ports of the endpoint and can do trustworthy remote attestation if a Trusted Platform Module (TPM) is present. TNC Client OS IMC SWID IMC Scanner IMC Attestation IMC OS IMV SWID IMV Scanner IMV Attestation IMV TNC Server IF T TLS IF T TLS Endpoint Network Access Requestor strongswan Policy Decision Point (PDP) strongtnc Configuration Management Database (CMDB)

5 TRUSTED EMBEDDED COMPUTING WITH INFINEON S NEW TPM WITH I2C INTERFACE Infineon s new OPTIGA TPM enables secure communication, allows secured remote access and the protection of applications and the operating system Infineon is presenting the new OPTIGA TPM family and is demonstrating embedded Trusted Computing on a Raspberry Pi board and LINUX. The demo features Infineon s new SLB9645 TPM with I2C interface, Raspberry Pi board, TPM Plug in board, device driver, Trousers software stack, certificate management and secure network communication with SSL. The Infineon OPTIGA TPM is designed for embedded applications supporting wide temperature range, low power consumption and the ability for field upgrades. Infineon was the first in the market, who provided a TPM certified by Common Criteria and the Trusted Computing Group (TCG). The Infineon OPTIGA TPM is also the first I2C TPM supported in the official Linux kernel starting from version 3.7. For more information about the Infineon OPTIGA TPM product family for embedded and industrial applications visit Infineon on the TCG booth or the website Company Logo for Demonstration

6 CONTINUOUS ENDPOINT COMPLIANCE WITH JUNIPER UAC Securing Devices through Open Standards TCG Trusted Network Connect interfaces enable continuous compliance monitoring and remediation The value of preventative compliance checking is well established. Network security experts have for years identified software updating and patching as a critical step for preventing network intrusions. Application white listing, patching applications and operating systems, and using the latest versions of applications top the Defense Signals Directorate s Top 4 Mitigations to Protect Your ICT System. Inventory of Authorized and Unauthorized Devices, Inventory of Authorized and Unauthorized Software, and Continuous Vulnerability Assessment and Remediation are Critical Controls 1, 2, and 4, respectively, of the SANS 20 Critical Security Controls. Compliance has two components: assessment and remediation. The point of compliance is to ensure that authorized users are using authorized software configured to be as resilient as possible against an attack. Juniper s Unified Access Control (UAC) solution provides continuous endpoint compliance monitoring starting when an endpoint connects to a network and continuing throughout the connection. If a compliance problem is detected, mitigation and remediation actions can be taken immediately or upon administrator or end user action. Because UAC is built on TCG s open TNC standards (now also IETF RFCs!) and certified by TCG as properly implementing these standards, it works seamlessly with products from many security vendors. This demo only scratches the surface of UAC s other capabilities, which include Security Automation, identity aware networking, etc. Ask the demonstrator for more information.

7 MOBILE THREAT DEFENSE Combining multiple IT network threat defense mechanism to achieve higher security and automated network defense using the TCG IF-MAP standard. In the face of today s Advanced Persistent Threats, attackers with knowledge and abundant resources at their disposal, no single security solution will be able to counter these threats. NCP offers a unique product portfolio for professional work in a VPN environment using cutting edge technology in VPN client/server components and a central remote access management. Integrating many open standards, NCP shows the combination of this VPN technology with modern threat defense technology using the TCG IF MAP standard. Interconnecting the security solutions in your network using open standards will be your first step to advanced security and active network defense. The increasing use of mobile introduces new threats to enterprise IT networks. While most of the well known security programs such as desktop firewalls, antivirus and hard drive encryption work pretty well for laptops, they are not available for mobile devices or remote VPN devices connecting to a central network. The only way to keep your network secure is by providing additional security on the central IT infrastructure. The problem is, most of today s security systems work isolated from each other and if they offer interoperability they do so only to a limited extent, which is insufficient to counter the new threats network security faces every day. TNC IF MAP provides the possibility to interconnect different IT security systems and provide an accurate representation of the health status of your IT network. The demonstration shows the integration of different IT security systems like firewalls, intrusion detection and VPN working together in real time to counter threats emerging from a smartphone. If the device should misbehave within the internal network this is detected and the device is limited in its access or shut off the network.

8 SOLID STATE DRIVES WITH SELF ENCRYPTION: SOLIDLY SECURE Solid State Drives (SSD) supporting TCG s Self Encrypting Drive (SED) technology provide robust protection of stored data using hardware based encryption built directly into the drive hardware and electronics, protecting sensitive data from loss or theft or during re purposing, warranty work, or end of life. Solid-state drives (SSD) offer many advantages over rotating magnetic media such as better reliability and performance, remarkable ruggedness, less weight, no noise, and significantly lower power consumption. Compared to a hard disk drive (HDD), the SSD's booting and application loading times are 50% less and file copy time is 60% less. The current price differential between SSDs and HDDs is steadily declining and the superior advantages of SSDs make that price difference even less consequential. The important cost comparison is not the initial cost, but the life cycle costs of using an SSD versus an HDD. Time savings in doing every task significantly reduces the "wait" time for active users and provides a more productive work experience. Ruggedness and longer life save on repair and replacement. National and international breach notification laws typically contain encryption 'safe harbors', which exempt stolen or lost data from public notifications. The penalties for notification have been tabulated and are significant. Add self-encryption to the list of SSD superlatives, which is a quantifiable business requirement for protecting stored data. Self-encryption offers faster performance, better security, standards-based, and is "always on", operating transparently, when compared to software-based encryption. The Trusted Computing Group has standardized self-encryption and all major drive manufacturers are providing interoperable products. Solid-state and self-encryption provide an unbeatable combination.

9 MODERN ACCESS CONTROL USING VIRTUAL SMART CARD Modern Access Control using Virtual Smart Card Wave Mobility Pro delivers MODERN ACCESS CONTROL today using Virtual Smart Cards on Windows 7 and Windows 8 tablets/pcs, enabling the use of both machine and user ID using hardware protected certificates through the Trusted Platform Module (TPM). This demo uses Virtual Smart Card to show password less machine login, web access and remote access.

10 USING OPAL COMPLIANT DRIVES IN WINDOWS 8 AND SECURE BOOT High Level Key Message: Leveraging Secure Boot removes security risks TCG Technology Supported: OPAL Self Encrypting Drive Specification Through this demonstration using WinMagic s SecureDoc, we will show how organizations can manage systems using OPAL SEDs in Windows 8 and UEFI. This demonstration will include a display of how using the SecureDoc Pre boot Authentication (PBA) application, we can authenticate in the native UEFI interface and boot into the device with UEFI Secure Boot verification of the PBA application. WinMagic will also demonstrate PBConnex Auto boot in conjunction with Secure Boot where the credentials required to unlock the Opal drive are obtained automatically and securely over the network from a server. With Windows 8 a new environment for security solution providers to utilize for PBA has arrived: UEFI. The Unified Extensible Firmware Interface (UEFI) is a specification that defines a software interface between an operating system and platform firmware. UEFI is meant as a replacement for the Basic Input/Output System (BIOS) firmware interface, present in all Windows based personal computers.* When UEFI Secure Boot is turned on it means that the PBA software has to be signed by Microsoft or the OEM so that it can be trusted to execute. With Secure Boot turned on computers are less susceptible to attacks on the booting process such as the Evil Maid attack. Additional Information: *