Modernizing Network Security in SCADA and Industrial Control Systems

Transcription

1 Modernizing Network Security in SCADA and Industrial Control Systems Geoff Shukin, Solutions Architect Palo Alto Networks , Palo Alto Networks..

2 Agenda Challenges in Securing SCADA/ICS Networks Four Strategies for Modernizing Control Network Cybersecurity Practical Solutions for Implementation , Palo Alto Networks..

3 Challenges in Securing SCADA/ICS Networks Managing Network Integration Control Network Lack of granular visibility and control over control network usage & traffic Control Network Enterprise Zone 1 Zone 2 Zone Zone 3 Zone 4 Increasing use of web-based Applications / SaaS h"p:// Corporate 3 rd Party Partner Typical challenges faced in SCADA/ ICS Network Security CIP Standards CFATS Protecting Legacy Systems Malware & APTs Exploits Reporting for Regulatory/ Customer Audits & Forensics Escalated Threat Landscape Addressing the above while ensuring high availability and performance , Palo Alto Networks. Confidential and Proprietary.

4 What Keeps SCADA Security Supervisors Up at Night? SANS 2014 Survey on Industrial Control Systems What are the top three threat vectors you are most concerned with? External threats (hacktivism, nation states) Malware Insider exploits phishing attacks Attacks coming from within the internal network Cybersecurity policy violations Industrial espionage Other Extortion or other financially motivated crimes 0% 5% 10% 15% 20% 25% 30% First Second Third Percent Respondents , Palo Alto Networks

5 Advanced Targeted Attacks Norway Oil & Gas Attacks Social Engineering: Spearphishing, Watering hole Goal: IP Theft and??? Social Engineering: Removable media Exploits zero-day vulnerabilities (Windows, Siemens) Propagation/Recon via general IT apps and file-types Goal: Disrupt uranium enrichment program Energetic Bear Social Engineering: Spearphishing, Watering hole, Trojan in ICS Software Enumerates OPC assets (ICS-protocol!) Goal: IP theft and ICS Attack PoC? , Palo Alto Networks

6 Malicious Insider Attack Sewage treatment facility in Maroochy Shire, Queensland, Australia Disgruntled employee of ICS vendor sought revenge on customer (shire council) and employer Used intimate knowledge of asset owner s ICS to gain access and wreak havoc Impact Spillage of 800,000 liters of raw sewage into local parks, rivers and hotel grounds Loss of marine life, damage to environment, health hazard Source: Applied Control Solutions , Palo Alto Networks

7 Unintentional Cyber Incidents SQL Slammer Platform shared by operator and royalty partner Slammer infection on rig via partner network Workstations and SCADA servers crashed Systems would not restart after reboot 8 hours to restore the SCADA and restart production Application Visibility and Risk Report conducted at energy company in E. Europe Plant manager insisted not internet-facing Rogue broadband link and risky web applications found on SCADA system Consequences Wuala (storage), emule (P2P), DAV (Collaboration) Immediate loss of monitoring down-hole wells Loss of production for all 4 major wells Total losses > $1.2M before production finally restored Concerns over loss of IP, network availability, malware introduction Source: Red Tiger Security Source: Palo Alto Networks , Palo Alto Networks

8 Requirements for Next-generation Control Network Security Situational Awareness Least Privilege Control Threat Prevention Applications (IT, SCADA, ICS) Users Groups Assets Content URLs Domain Countries Fine-grained control. Not just On or Off Not based on port, protocol, IP address Known and unknown threats Malware and Control System Vulnerabilities Natively supported Forensics & Incident Response Consolidated visibility and faster time to remediation , Palo Alto Networks..

9 4 Strategies for Modernizing Control Network Cybersecurity 1 Apply segmenta1on and advanced traffic classifica1on (L7) to improve situa1onal awareness 2 Enforce a least privilege network access model based on users, applica1ons, assets, URLs 3 Apply a life- cycle approach to threat preven1on that controls a"ack vectors before having to block known and unknown threats 4 Deploy centralized management and log collec1on to accelerate forensics, incident response and repor1ng , Palo Alto Networks..

10 Revisiting the Trust Model in ICS Vendor/Partner Remote Sta,on / Plant Floor PLCs / RTUs Enterprise Network Local HMI PLCs / RTUs PCN Internet PCN Servers WAN Local HMI Mobility HMI DEV PLCs / RTUs Internal Actors Local HMI , Palo Alto Networks

11 Observations Broken Trust Model Micro-segmentation is critical Granular visibility of traffic is an essential capability Applications, users, content Shared context End-to-end security is required Threats originate at endpoints and via networks Real and potentially high risks with ICS cyber incidents Must focus on prevention vs. just detection Advanced attacks will be zero-day The capability to detect and stop unknown threats quickly is needed Automated threat analysis and information sharing would be helpful , Palo Alto Networks

12 The Challenges with Legacy Solutions Splintered security - legacy stateful-inspection firewalls + firewall helpers Founded on port based policy in the legacy firewall, not application-based Multiple, non-shared contexts - difficult to really understand what is happening Difficult or impossible to implement desired control Higher chance of misconfiguration and leaving security holes Tedious and slow forensics and remediation Performance drops off dramatically with each stage Complex and costly to implement and maintain UTM Internet IPS DLP IM AV URL Proxy , Palo Alto Networks

13 Implement the Strategies with Palo Alto Networks Next-generation Security Platform Natively supported services Application Visibility and Control Threat Prevention AV, AS, Exploits URL Filtering Unknown Threat Prevention Mobile Security App-ID User-ID Content-ID Classification Engine (L7) Application signatures User/User-group mapping Threat / Vulnerability signatures URL database Additional Intelligence Next-generation security Legacy Firewall + IPS + URL + Next-generation security Unified Threat Management (UTM) , Palo Alto Networks

14 Palo Alto Networks SP3 Architecture Single-pass, Parallel Processing Redesigned from the ground up with next-generation security requirements in mind Single-pass processing Performs app, user, content scanning once per packet One policy that integrates apps, user and content Parallel processing hardware Function-specific parallel processing HW engines Separate data plane and control plane Our firewalls are powered by our single-pass, parallel processing architecture which delivers high performance and promotes high availability , Palo Alto Networks

15 User-ID: Many Ways to Identify User / User-group Policy enforcement based on users and groups 1 5

16 Traffic Shaping for Critical and Real-time Traffic In addition to being able to create policies based on apps, users & content You can also apply QoS profiles to specific apps, users, interfaces and more Possible use cases Ensure all PLC / IED / RTU traffic and alarms get highest priority Allocate just the right amount of bandwidth for video used for surveillance at PCN Prioritize Fault Location, Isolation, Restoration (FLISR) data in Smart Grid Traffic shaping overview Guaranteed, maximum and priority bandwidth can be applied across eight traffic queues Your policies can be applied to physical interface, IPSec VPN tunnels, applications, users, source, destination and more Diffserv marking is supported, enabling application traffic to be controlled by a downstream or upstream networking device , Palo Alto Networks. Confidential and Proprietary.

17 4 Strategies for Modernizing Control Network Cybersecurity 1 Apply segmenta1on and advanced traffic classifica1on (L7) to improve situa1onal awareness 2 Enforce a least privilege network access model based on users, applica1ons, assets, URLs 3 Apply a life- cycle approach to threat preven1on that controls a"ack vectors before actually blocking known and unknown threats 4 Deploy central management and repor1ng to accelerate forensics, incident response and repor1ng , Palo Alto Networks..

18 Proper segmentation is key Security Zone #1 Conduit Security Zone #2 Create zones for external access into the OT infrastructure as well as for sub-zones in the OT Enterprise / Remote Zone Corporate / Remote Access Network SCADA / HMI Zone Server Zone Work- sta1on Zone Control Center Field Device Zone 1 HMI Zone SIS Zone Field Device Zone 2 Remote Sta1on/Plant Floor , Palo Alto Networks

19 The Need for Better Segmentation in SCADA / ICS OPC SCADA Historian 3 rd Party Support / Service Provider Enterprise Network HMI / SCADA Client Workstation PLC / RTU / IED SIS Control Center Substation / Remote Station Perimeter Exposure to enterprise (IT-OT Integration) and 3rd-party / service provider networks Intra-OT Risk levels and security requirements vary among assets & tend to increase as you go deeper in the SCADA Intra-OT traffic visibility The internet is not the only source of malware (Removable media, mobile computing) Must create security zones with conduits that monitor/control inter-zone traffic , Palo Alto Networks. Confidential and Proprietary.

20 Network Segmentation with Palo Alto Networks Server Zone Remote / Support Zone OPC SCADA Historian Enterprise Zone 3 rd Party Support / Service Provider User Zone Process Zone Enterprise Network HMI / SCADA Client Workstation PLC / RTU / IED SIS Control Center Substation / Remote Station Define security zones and security policies that match the unique zone-to-zone security requirements Support for different types of segmentation schemes Layer 3, Layer 2, Layer 1, VLAN, VPN , Palo Alto Networks. Confidential and Proprietary.

21 Available Application Signatures for SCADA/ICS Protocol / Applica,on Protocol / Applica,on Protocol / Applica,on n Modbus base n ICCP (IEC / TASE.2) n CIP Ethernet/IP n Modbus func1on control n Cygnet n Synchrophasor (IEEE C ) n DNP3 n Elcom 90 n Founda1on Fieldbus n IEC base n FactoryLink n Profinet IO n IEC func1on control n MQTT n OPC n OSIsoa PI Systems Over 1950 application signatures including a growing list of SCADA/ICS-specific signatures , Palo Alto Networks. Confidential and Proprietary.

22 App-ID Function Control Example: Func,on Control Variants (15 total) Modbus- base Applipedia entry for Modbus-base App-ID Modbus- write- mul1ple- coils Modbus- write- file- record Modbus- read- write- register Modbus- write- single- coil Modbus- write- single- register Modbus- write- mul1ple- registers Modbus- read- input- registers Modbus- encapsulated- transport Modbus- read- coils Modbus- read- discrete- inputs Modbus- mask- write- registers Modbus- read- fifo- queue Modbus- read- file- record Modbus- read- holding- registers , Palo Alto Networks. Confidential and Proprietary.

23 App-ID Function Control Example: IEC Applipedia entry for IEC Base App-ID Available Variants for IEC App- ID , Palo Alto Networks. Confidential and Proprietary.

24 4 Strategies for Modernizing Control Network Cybersecurity 1 Apply segmenta1on and advanced traffic classifica1on (L7) to improve situa1onal awareness 2 Enforce a least privilege network access model based on users, applica1ons, assets, URLs 3 Apply a life- cycle approach to threat preven1on that controls a"ack vectors before actually blocking known and unknown threats 4 Deploy central management and repor1ng to accelerate forensics, incident response and repor1ng , Palo Alto Networks..

25 Data Center Security Control application/web usage Approved apps, users, content only OPC PI Data Center SCADA / ICS / DCS / EMS IT APPS HTTP SCADA/ICS: OPC, PI, Cygnet, etc General IT Apps Apply QoS for specific applications URL filtering for HTTP service Control administration To approved administrators User Admin SSH, Telnet, SNMP, FTP, etc Block malware & exploits known & unknown Monitor for botnets / C&C , Palo Alto Networks.

26 Remote Station / Plant Floor Security Limit traffic to control network protocols Substation 3 rd -Party Ruggedized Server with VM-Series Plant Floor Standard Appliance Modbus, DNP3, Ethernet IP, FactoryLink, etc Limit access to write commands to control devices (PLCs, IEDs, RTUs) OR Safely enable IT apps and web access SSH, FTP, Telnet, SMTP, SNMP, etc. Control with User-ID and URL filtering PLC / RTU HMI PLC / RTU HMI Block malware & exploits Malware: Antivirus, Antispyware Exploits: Vendor and protocol Known & unknown threats Monitor for botnets / C&C , Palo Alto Networks.

27 Application and Users in SCADA/ICS Networks Limited/specialized set of applications, meant to be used by a limited/ specialized set of users in the OT An even smaller set of people should have access from outside of the OT Protocol/Applica,on Category PLC / IED / RTU protocols Client/server soaware Industry- specific applica1ons General purpose networking Examples Modbus, DNP3, IEC , OPC, Historian, SCADA/HMI, Oil & Gas, Power EMS, SNMP, FTP, Telnet, SSH, RDP, SMTP, Similarly, access to external networks from the OT should be strictly controlled Enabling applications should not open unnecessary security risks, for example web based apps and other apps that open up a lot of ports Least privilege model based on applications and users simultaneously manages risk and enables the business , Palo Alto Networks. Confidential and Proprietary.

28 Securing VPN/Remote Access IT / 3 rd Party Access Control Network LAN VPN Terminal Server Monitor and Control VPN access by user and application Enterprise Vendor support Business Partner Gain user level visibility to terminal server users Enforce time of day policies for 3 rd party support users , Palo Alto Networks.

29 User-ID Example: RDP into Terminal Server Terminal Server (Single IP Address) Taylor, Richard (Internal employee) SSL RDP Application: Sharepoint User: Unknown VPN Router/FW To SCADA / Control Network SSL RDP Application: OSIsoft PI User: Unknown Smith, John (3 rd Party) Motivation: SCADA/ICS systems sometimes require support for 3 rd party access with RDP as the mechanism for remote access Challenge: Devices downstream of WTS server do not have visibility into which user initiated which application (all from the same IP address) Makes it difficult to monitor & control application usage by users accessing network , Palo Alto Networks. Confidential and Proprietary.

30 User-ID Example: RDP into Terminal Server Taylor, Richard (Internal employee) SSL SSL VPN Router/FW RDP RDP Terminal Server (Single IP Address) Terminal Services Agent Application: Sharepoint User: Taylor, Richard Port range: Palo Alto Networks Appliance To SCADA / Control Network Application: OSISoft PI User: Smith, John Port range: Smith, John (3 rd Party) Terminal Services Agent Allocates a port range to specific users and reports those allocations to our appliance Users sharing IP address on Terminal Server can now be identified Benefits Allows visibility to user and group visibility to each RDP session Enables administrator to implement application-user & application-group policies , Palo Alto Networks. Confidential and Proprietary.

31 Web Based Applications / SaaS Actual applications found running on servers and a PLC in the PCN of a energy company during a proof of concept (PoC) evaluation Cloud storage Peer-to-peer file sharing (Known vulnerabilities) Web-based distributed authoring & versioning (May carry DLLs that could be use for exploits) Are there valid business uses for these apps in a PCN? What if you could safely enable these applications? , Palo Alto Networks

32 4 Strategies for Modernizing Control Network Cybersecurity 1 Apply segmenta1on and advanced traffic classifica1on (L7) to improve situa1onal awareness 2 Enforce a least privilege network access model based on users, applica1ons, assets, URLs 3 Apply a life- cycle approach to threat preven1on that controls a"ack vectors before actually blocking known and unknown threats 4 Deploy central management and repor1ng to accelerate forensics, incident response and repor1ng , Palo Alto Networks..

33 - Vulnerabilities, Spyware, Viruses Database of the vulnerabilities/exploits, viruses, spyware that we can detect & prevent Every entry contains a description, severity ranking, links to more info Backed by the world class Palo Alto Networks threat research team Includes signatures for Digital Bond QuickDraw ICS vulnerabilities Any currently uncovered vulnerabilities from Digital Bond or other source (customer, SW/HW vendor) can be researched by the threat research team , Palo Alto Networks. Confidential and Proprietary.

34 SCADA/ICS Vulnerabilities & Exploits OPC Server (CVE ) Historian Server (CVE ) SCADA Master / HMI (CVE ) Multiple Vectors for Exploitation Internet / Support Network Removable Media Example CVE numbers for different types of SCADA/ICS system components Portable Computing PLC / RTU / IED (CVE ) Many systems with known vulnerabilities are left unpatched for a variety of reasons Don t fix it if it ain t broken, Patch only for most recent OS version, Don t know/care Multiple exploitation vectors exist & they include more than just the internet Yet to be discovered Zero-day Malware are of highest concern , Palo Alto Networks. Confidential and Proprietary.

35 Protocol-specific Exploits DNP3 ICCP Modbus , Palo Alto Networks..

36 Protecting Unpatched/Unpatchable Systems Protecting Unpatched Systems CVE Native threat prevention protects critical assets from viruses and spyware Apply exploit signatures to virtually patch SCADA/ICS and general IT exploits Protocol-specific exploits HMI / Workstation PLC / RTU / IED Server / Database , Palo Alto Networks.

37 What is Required? Platform Approach Focused on Prevention Threat Intelligence Cloud Gathers potential threats from network and endpoints Analyzes and correlates threat intelligence Disseminates threat intelligence to network and endpoints Next-Generation Network Security Inspects all traffic Blocks known threats Sends unknown to cloud Extensible to mobile & virtual networks Advanced Endpoint Protection Inspects all processes and files Prevents both known & unknown exploits Integrates with cloud to prevent known & unknown malware , Palo Alto Networks

38 Endpoint Security: The failures of traditional approaches Targeted Evasive Advanced EXE PDF Known signature? NO Known strings? NO Previously seen behavior? NO Malware direct execution Exploit vulnerability to run any code Legacy Endpoint Protection , Palo Alto Networks

39 Unknown Threat Prevention with WildFire 10 Gbps Threat Prevention and file scanning All traffic, all ports Web, , FTP and SMB Running in the cloud lets the malware do things that you wouldn t allow in your network. Updates to sandbox logic Stream-based without impacting malware the engine customer perform true inline enforcement , Palo Alto Networks. Confidential and Proprietary.

40 4 Strategies for Modernizing Control Network Cybersecurity 1 Apply segmenta1on and advanced traffic classifica1on (L7) to improve situa1onal awareness 2 Enforce a least privilege network access model based on users, applica1ons, assets, URLs 3 Apply a life- cycle approach to threat preven1on that controls a"ack vectors before actually blocking known and unknown threats 4 Deploy central management and repor1ng to accelerate forensics, incident response and repor1ng , Palo Alto Networks..

41 Centralized Network Administration Panorama Central Management Platform Central Administrators Local admin access Central admin access IT Admin Enterprise OT Admin Control Center Panorama central management platform Enables you to centrally manage the process of configuring devices and deploying security policies Allows role based management Enable different members of your team, both local and remote, to only have access to the features and functions that their job requires By implementing role-based administration you establish the appropriate levels of rights and access to the responsibilities of a given administrator , Palo Alto Networks. Confidential and Proprietary.

42 Centralized Logging and Reporting Panorama Central Management Platform Aggregate reports Central Administrators Local Device Logs/Reports IT Admin Enterprise OT Admin Control Center Aggregate local firewall logs and reports into Panorama and generate powerful, centralized reports Holistic view of network application usage and threats facilitates forensics and helps you make more informed decisions Simplify the process and save time when generating reports for regulatory/ customer audit process , Palo Alto Networks. Confidential and Proprietary. CIP Standards CFATS

43 Security Information & Event Management (SIEM) Technology partnerships with leading suppliers of SIEM solutions , Palo Alto Networks. Confidential and Proprietary.

44 Flexible Deployment Options Visibility Transparent In- Line Firewall Replacement Application, user and content visibility without inline deployment IPS with app visibility & control Consolidation of IPS & URL filtering Firewall replacement with app visibility & control Firewall + IPS Firewall + IPS + URL filtering , Palo Alto Networks. Confidential and Proprietary.

45 , Palo Alto Networks. Confidential and Proprietary.