How To Protect A Network From Attack

Transcription

1 Risks & Solutions within the Manufacturing IT 4 Februari 2009 Jan Paul van Hall Portfolio Manager Security

2 Who is AXIANS? AXIANS, is a division of the VINCI Energies Group and is European network integrator specialized in advising, design, implementation and network administration. In the field of Network Security, Network Infrastructure, Storage, Server-Based-Computing, Unified Communication and Network management Focus on: > Implementing networks to support modern applications. > Increasing the availability and security of applications. > Increasing the manageability. > Lowering maintenance costs.

3 Facts & Figures Nederland Europa 15 Years of experience 58 branches 80 network specialists 212 annual revenue 475 customers employees managed voice ports managed network ports

4 Scheme Projectmanagement Sales Consultancy & Prepare Plan & Design Project Management Implement & Test Contract mng Service Network Infrastructure Security Storage UC Network Management Templates - Checklists - Project Management tools & reports

5 What is the AXIANS approach? AXIANS s full service life cycle: Advice Management Design Maintenance Implement

6 Industrial IT Security Mythes

7 5 Mythes in Industrial IT Security 1. The Control System is Safe if We Don t Connect to the Internet 2. We Need to Focus on those Terrorists 3. The Bad Guys are all on the Internet 4. The IT Department Looks After Process Security 5. Hackers Don t Understand SCADA/PLCs

8 Mythes? In March 2002, the industrial world was in denial for CyberCrime: Most public utilities rely on a highly customized SCADA system. No two are the same, so hacking them requires specific knowledge. Scott Berinato; Debunking the Threat to Water Utilities CIO Magazine.

9 Mythes? and then: The Incident in Harrisburg, USA: In October 2006 a foreign-based hacker (via Internet) infiltrates the laptop of an employee at the Harrisburg water system. Uses the employee s remote access as the entry point into the SCADA system. The hacker then installs malware and spyware in a SCADA HMI computer to make it a distribution center for s & piracy software.

10 Mythes? *(

11 Industrial IT Security Incidents

12 Incidents? Nuclear Plant 1. *( Not just a SCADA system, but a network.

13 Incidents? Nuclear plant 2. (* August Operators at Browns Ferry Nuclear plant had to shut down the reactor due to a potentially dangerous condition. Cause was determined to be excessive traffic" on the control systems network according to the NRC.

14 Incidents? Maroochy Shire sewage. *( Environmental damage, disgruntled employee.

15 Incidents? (* January 8, 2008 Teenage boy hacks into the track control system of the Lodz city tram system, derailing 4 vehicles. He had adapted a television remote control so it could change track switches.

16 Security Incidents in the Water Industry Salt River Project SCADA Hack Maroochy Shire Sewage Spill Software Flaw Makes MA Water Undrinkable Trojan/Keyloggeron Ontario Water SCADA System Viruses Found on Auzzie SCADA Laptops Audit/Blaster Causes Water SCADA Crash DoS attack on water system via Korean telecom Penetration of California irrigation district wastewater treatment plant SCADA. (*Intrinsically Secure Control Systems Eric Byres)

17 Security Incidents in the Oil Industry Electronic Sabotage of Venezuela Oil Operations CIA Trojan Causes Siberian Gas Pipeline Explosion Anti-Virus Software Prevents Boiler Safety Shutdown Slammer Infected Laptop Shuts Down DCS Virus Infection of Operator Training Simulator Electronic Sabotage of Gas Processing Plant Slammer Impacts Offshore Platforms SQL Slammer Impacts Drill Site Code Red Worm Defaces Automation Web Pages Penetration Test Locks-Up Gas SCADA (*Intrinsically Secure Control Systems Eric Byres)

18 Security Incidents in the Chemical Industry IP Address Change Shuts Down Chemical Plant Hacker Changes Chemical Plant Set Points via Modem Nachi Worm on Advanced Process Control Servers SCADA Attack on Plant of Chemical Company Contractor Accidentally Connects to Remote PLC Sasser Causes Loss of View in Chemical Plant Infected New HMI Infects Chemical Plant DCS Blaster Worm Infects Chemical Plant (*Intrinsically Secure Control Systems Eric Byres)

19 Security Incidents in the Power Industry Slammer Infects Control Central LAN via VPN Slammer Causes Loss of Commsto Substations Slammer Infects Ohio Nuclear Plant SPDS Iranian Hackers Attempt to Disrupt Israel Power System Utility SCADA System Attacked Virus Attacks a European Utility Facility Cyber Attacks Reported by Asian Utility E-Tag Forgery Incident in Power PSE Power Plant Security Details Leaked on Internet (*Intrinsically Secure Control Systems Eric Byres)

20 Industrial IT Security Trends

21 Trend in Industrial Security Incidents (database) ISID: Industrial Security Incidents Database Security Incidents Database Actual and predicted ISID incidents from 1994 to 2005 Database of Industrial Cyber Security Incidents to be Resurrected April

22 How do the problems enter? Incident by entry point How the Bad Guys Get In 1. Corporate WANs & Business Networks 49% 2. Trusted 3rd Party Connection 10% 3. Internet Directly 17% 4. VPN Connection 7% 5. Dial-up modem 7% 6. Telco Network 7% 7. Wireless System 3%

23 Which categories of attackers/incidents? Internal (employees, vendors and contractors) Accidental events Inappropriate employee/contractor behavior Disgruntled employees/contractor External opportunistic: Script kiddies Recreational hackers Virus writers External deliberate: Criminal groups Activists Terrorists Agencies of foreign states

24 Typical multiple entry points in process control network (ISID)

25 So why is this threat evolving? 1. Industrial networks are more and more connected with corporate networks (MES, ERP) and third parties. Networks becoming more and more open for day to day business. 2. Communication protocols are increasingly TCP/IP based, less unknown proprietary communication protocols. 3. Plant networks are not yet protected by default like in IT security networks. (awareness) 4. Loss of a day of production cost lots of, possible criminal gains as well. 5. More people with a combination of brains, time and no money...

26 Industrial IT Security Industrial IT versus Corporate IT

27 Industrial IT Security comparable with Corporate IT Security? YES It does compare,..current Industrial IT Security has parallels with corporate IT Security as is was, some years ago. 1. Firewall is seen of as 1st layer of defense, sometimes the only defense. 2. Both networks contain various types of datastreams. 3. More proprietary communication protocols are changing to TCP/IP. 4. Industrial IT Security: industrial network is trusted, but the connecting corporate IT network is not. In corporate IT Security: corporate network is trusted and the connecting Internet is not. 5. Patching challenges of systems. Especially Windows.

28 Industrial IT Security comparable with Corporate IT Security? YES 6. Usage of security acronym C.I.A. (Confidentiality, Integrity and Availability) 7. Security standards available: IT Security ISO27000 and Industrial IT Security: ISA99. (new) 8. Human factor plays a key role in security. 9. Still people are in denial. 10. always missing: IT Security Policy.

29 Industrial IT Security comparable with Corporate IT Security? NO Some things are very different.. 1. Corporate IT: (C.I.A.) Confidentiality and Integrity are most important, vs Industrial IT: Availability is priority. 2. Corporate IT: it is all about information. (documents), vs Industrial IT: it is control data, and lots of it. 3. Corporate IT: security first and acceptance for slower processes. vs Industrial IT: realtime data, no delays. 4. Corporate IT: years of development lead to Commercial Of The Self (COTS), vs Industrial IT: no accepted guidelines in standard in firewalls. 5. Corporate IT: many players: vendors and integrators, vs Industrial IT: just a growing market.

30 Industrial IT Security comparable with Corporate IT Security? NO 6. Corporate IT: offices opened 8x5, vs Industrial IT: 24x7. non-stop. 7. Corporate IT: patches available and easily applied, vs Industrial IT: never touch a running system. 8. Corporate IT: EoL product are decommissioned, vs Industrial IT: one can find unpatched older OS systems. 9. Corporate IT: personal strong passwords or authentication tokens, vs Industrial IT: easy and shared password. 10. Corporate IT: automated vulnerability scans easily performed, vs Industrial IT: it is a risk for some systems.

31 Industrial IT Security comparable with Corporate IT Security? NO 11. Corporate IT: an incident is annoying and might cost some people s day work, vs Industrial IT: the damage can run into millions. 12. Corporate IT: TCP/IP, SMTP, FTP, HTTP(s), Telnet, vs Industrial IT: PCN, OPC, PLC, EtherNet/IP, MODBUS/IP, Profinet. 13. Corporate IT: a firewall is a 19inch rackmount, vs Industrial IT: it can be DIN rack format.

32 But if treated with care. The lessons learnt and the solutions available in corporate IT Security can be used, with care. Use years of experience.

33 Industrial IT Security Firewalling, first line of defense

34 Firewall sufficient? Firewall is not a goal but a tool. Better no firewall then a misconfigured one or with a difficult rulebase. A firewall is not a router, not a dual network connected PC. A firewall with no understanding of the communication inside used protocols can not see threats. Number of errors as a function of rule-set complexity. The green line represents the least-squares fit; the red and blue lines represent one standard deviation above and below the leastsquares fit. * Avishai Wool, A Quantitative Study of Firewall Configuration Errors, 2004.

35 Firewall sufficient? The Slammer Worm infiltrated a: 1. Nuclear plant via a contractor s T1 line; 2. Power utility SCADA system via a VPN; 3. Petroleum control system via laptop; 4. Paper machine HMI via dial-up modem. Firewalls existed in at least three of these cases. So or the firewalls were: mis-configured, bypassed or, could not intervene into bad data in an allowed connection.

36 Jericho Principle, Defense in Depth The Solution in the IT World: All IT network assets must have additional security software: 1.Firewall for De-Militarized-Zones 2.Patches 3.Anti-Virus Software in network 4.Intrusion Prevention 5.Laptop Firewalls + Anti-Virus 6.VPN Encryption, site-to-site, wireless, remote Eg: combined in 1 hardware solution: Unified Threath Management (UTM)

37 Industrial IT Security Vulnerabilities

38 Some vulnerabilities 1. One undefined network topology and assets 2. Connection with Internet 3. Unpatched software 4. Unpatchable software 5. Network worms and virussen from corporate network 6. New introduced proprietary process software 7. Weak passwords policy (default) 8. Wireless connections 9. Remote maintenance connections (laptop) 10. No responsible manager appointed 11. No awareness among users

39 Some vulnerabilities and possible solutions 1. One undefined network topology Segment network in zones divided with firewalls and apply De-Militarized Zones were needed. (DMZ) 2. Connection with Internet Only via properly configured firewall. Only necessary communication allowed. 3. Unpatched software Start patching procedures. 4. Unpatchable software Protect with Intrusion Prevention Systems. 5. Network worms and virussen from corporate network Introduce firewall with Anti Virus & Intrusion Prevention Systems in network. 6. New introduced proprietary process software Laboratory Test strength with software vulnerability scanning (Fuzzer). 7. Weak passwords policy (default) Adopt and enforce policy for passwords or adopt strong authentication methods.

40 Some vulnerabilities and possible solutions 8. Wireless connections Secure with VPN and authentication. 9. Remote maintenance connections (laptop) Force third parties to comply with policy. Use Firewall with IPS and VPN and NAC. 10. No responsible manager Appoint security officer for industrial IT Security networks. 11. No awareness among users Start awareness sessions, train personnel/administrators.

41 Industrial IT Security Security as a project

42 Project approach - Quick Security scan (network and assets), find vulnerabilities. - Quick Organisational scan (policies and responsibilites). - Find the risk and value them. - Take step-by-step approach when implementing a solution.

43 Project approach Other items - Selection of hardware and software. - Security magement (managed service?, SIEM). - Acknowledge responsibility whithin the company. - Report incidents and establish response team procedure.

44 Leveranciers Hardware vendors with products based on own proprietary solutions. - Siemens - Tofino - Fortinet - Honeywell - Phion - Cisco - Innominate - Archilles -.And many more to come

45 but remember.. Security is not a project but an ongoing process.

46 Thank you!

47 Deming: Plan-Do-Check-Act Quality of Security level

48 ISO Mindmap

49 SCADA diagram

50 Scada in oil production environments SCADA = Supervisory Control and Data Acquisition Protocols: Modbus, DNP3, ICCP, UCA 2.0, IEC, CAN, CIP, DeviceNet, ControlNet, OLE for Porcess Control (OPC), Profibus. SCADA components: Human operator, HMI, MTU, RTU

51 SCADA with firewalled segmentation in DMZ s.

52 IPS Intrusion Prevention Systems

53 Nomenclature Firewall Device through which network traffic passes. Communication is allowed or denied based on policy. (Source destination and protocol) VPN Virtual Private Network. Encrypted network traffic. Safe from others. DMZ De-Militarized Zone. Network zone only reachable by passing through firewalls. IPS Intrusion Prevention System. Against hacking activities. All network traffic is read and based on signature or behaviour the communication is allowed or stopped. Router device to guide traffic from one network segment to others. AV Antivirus, based on a signature database virussen are detected and stopped. Patch additional softwarecode to be executed to resolve (security) issues of existing sofware. SCADA - Supervisory Control and Data Acquisition. MES - Manufacturing Execution Systems, used to execute for process activities such as Production planning, maintenance, quality and insurance, logistic, etc. ERP - Enterprise resource planning, a central computer program for process support within a company. SIEM Security Information and Event Management. NAC Network Access Control.

54 SCADA display scheme

55 Everything is for sell. Current Previous Goods and Current Previous Range of prices Rank Rank services Percentage Percentage 1 2 Bank Accounts 22% 21% $10 $ Credit cards 13% 22% $0.40 $ Full identities 9% 6% $1 $15 4N/A Online auction site accounts 7% N/A $1 $8 5 8 Scams 7% $2.50/week $50/week for hosting, $25 for 6% design 6 4 Mailers 6% 8% $1 $ addresses 5% 6% $0.83/MB $10/MB 8 3 passwords 5% 8% $4 $30 9N/A Drop (request or offer) 5% N/A 10% 50% of total drop amount 10 6 Proxies 5% 6% $1.50 $30 * Symantec Global Internet Security Threat Report July-December 07