26 January, 2012 U.S. Department of Energy Office of Electricity Delivery and Energy Reliability

Transcription

1 26 January, 2012 U.S. Department of Energy Office of Electricity Delivery and Energy Reliability

2

3 Defined Passive, Human-in-the-Loop Situational Awareness of SCADA/ICS network communication Greek translation: wisdom

4 Concept Where does it come from? Industry Need How instead of Why Legacy System Situational Awareness Control System Expert Tribal Knowledge Laboratory Assessments On-site Assessments User Group Participation Training Cyber Security Researchers

5 Concept Original Goals Hacker based Focused on Control Systems White lists Free Active and Passive Components

6 Concept Original Goals Hacker based Focused on Control Systems White lists Free Active and Passive Components

7 Concept Hacker Based Fingerprinting Hacker Identify what s on the network, so we know what we can attack. Hosts Ports & Services Server/Client Relationships Networks, Infrastructure Be passive when possible, so we are harder to see. Sophia Identify what s on the network, so we know how to defend. Hosts Ports & Services Server/Client Relationships Networks, Infrastructure Be entirely passive, so we can t break anything

8 Concept Original Goals Hacker based Focused on Control Systems White lists Free Active and Passive Components

9 Concept Focused on Control Systems (the CIA v.s. the AIC Model) Corporate IT Networking Prioritization Confidentiality Integrity Availability Network Reality Dynamic in Nature Many Supported Apps Significant Number of Users Control System Networking Prioritization Availability Integrity Confidentiality Network Reality Static in Nature Limited Number of Apps Highly Specialized Users

10 Concept Original Goals Hacker based Focused on Control Systems White lists Free Active and Passive Components

11 Concept White list of Communication Black lists are hard to do well (if not impossible) Easy to bypass With notable exceptions Building White lists can be very informative Focus on Devices and Communication between devices Informs all other security processes and tools

12 Concept Original Goals Hacker based Focused on Control Systems White lists Free Active and Passive Components

13 Concept Original Goals Hacker based Focused on Control Systems White lists Free Active and Passive Components

14 Proof of Concept Tested Proof of concept deployed at several locales with the following big takeaways: No active components Do not make it free. Support Contracts!

15 Selected Test Sites Idaho Falls Power Small Municipal Power Company Simplified Network Architecture IT Skill Level Entry Level Users 2 Mark Reed - Generation Superintendent: Idaho Falls Power was given the opportunity to test Sophia over the last few months and found it to be a great asset to our utility. Sophia adds the characteristics of a full time employee. With Sophia running 24hrs a day it continually monitors network traffic and flags anything that is out of the ordinary. We found it to be very robust, easy to install, and most importantly easy to use. Sophia would be a great addition to any network that has a need to monitor critical traffic.

16 Selected Test Sites Austin Energy - Large Municipal Power Company Complex, Multi-segmented Network IT Skill Level Advanced Users >15 at multiple levels Andy Ibara Manager, Automation Systems: Austin Energy is pleased that INL has proactively begun development of its Sophia tool, which will enhance our ability to determine and document our industrial control system network infrastructure for hardening. This functionality enhances our ability to properly secure and monitor our SCADA/EMS and DMS systems.

17 Selected Test Sites ABB Network Manager SCADA/EMS - Vendor Various Network Architectures IT Skill Level Advanced In-house & External Deployment Phil Beekman Chief Architect: While ABB's experience with Sophia to date is somewhat limited, we plan to integrate it into our system build-up and checkout process flow. We view Sophia as a valuable tool to understand the network traffic in our systems and to indicate if components of the system are improperly configured. One of the strengths of Sophia is that it collects its information for as long as we choose. It is not a short-term test that can miss significant traffic associated with infrequentlyused processes.

18 Current Concept New Concept Developed, released for Alpha testing Including: Use Cases Identified from Proof of Concept Testing 3D Visualization (oglnet) And the following focus: Use AIC Networking Model Static Environment Limited Apps Specialized Users Passive Zero Impact on Production System Ease of Use Should enhance capabilities with minimum effort Security Designed in, not added Extensible Allow for future needs

19 Status Project Funded October 15, 2010 Development Begins January 15, 2011 Alpha Release Ready April 1, 2011 Alpha Released June 1, 2011 Beta Release October 1, 2011 Commercialization October 1, 2012

20

21 Passive Collection Real-time Fingerprinting Static Fingerprinting Distributed Architecture Real-time or historic packet visualization Navigable virtual 3D rendering of fingerprint. Overview

22 Fingerprint Network Fingerprinting Defines both a whitelist and blacklist of conversations and devices on the network. Every Host and Conversation has a color: White: Ok Black: Bad Gray: Don t know

23 Building the Fingerprint Static Method Formative Method Real-time Fingerprint The fingerprint changes when the network changes. Real-time Fingerprint Alerts are generated whenever a blacklisted item is observed OR whenever new conversations or devices appear on the network

24 Real-time Fingerprinting

25 Distributed Architecture

26 Real-time Data Collection

27 Independent Clients database client (text) visualization client (3D)

28 Additional Use Cases Configuration Management: Alarm may indicate the addition of a new component or process triggering a configuration management review. Fielding New Systems: Use a fingerprint developed as part of the factory acceptance test (FAT) during the Site Acceptance Test (SAT) to identify required site specific communications. Firewall Rule Validation/Development: The fingerprint represents only what is needed for ICS operations, providing critical information necessary for simple quality firewall rules.

29 Additional Use Cases Switch and Router Configuration: Switches and routers can be configured based on what is needed as identified in the fingerprint. Port security such as Access Control Lists (ACL) are easily created and used. Component Hardening: All necessary ports are identified in the fingerprint. All other ports are not required for operation and can be disabled or blocked by a personal firewall reducing exposure to cyber attack.

30 Additional Use Cases Patch Testing: When used on a quality system, changes in normal operational communications will be quickly identified as patches are rolled out. Patches in some cases re-open previously disabled ports and services. If newly identified ports are required, Sophia provides useful information necessary for a safe rollout of the patch on the active control system. Configuration management issues are identified; firewall rules may need changing, ACLs may need updating, etc.

31 Final Design Detail Passive, online, real time ICS conversation analysis; no interaction with the ICS. Safe to use in a production environment. Works with new and legacy systems. Ease of use - can be learned in one to two days. Detects and alarms on conversations that are not part of normal ICS operations. Fingerprint export for offline analysis. Planned software hooks/library allow sharing fingerprint data with third party tools for offline analysis.

32 Sophia: Beta Testing We want your help! Oct Sept 1, 2012 Must sign up before June 1, 2012 Open to U.S. Utilities

33

34 Gordon Rueff Idaho National Laboratory Office: Cell: