Holistic View of Industrial Control Cyber Security

Transcription

1 Holistic View of Industrial Control Cyber Security A Deep Dive into Fundamentals of Industrial Control Cyber Security

2 Learning Goals o Understanding security implications involving industrial control systems and environments o Understanding design considerations for industrial control networks o Understanding differences between traditional IT networks vs. industrial networks o Understanding solutions and techniques to harden security of industrial networks

3 What is Industrial Control?

4 Industrial Control Defined o A system that controls a process o Industrial Control System traditionally a general term defining several types of control systems used in industrial production o Distributed Control System (DCS) o Supervisory Control and Data Acquisition System (SCADA) o Remote Terminal Units (RTU) o Programmable Logic Controllers (PLC)

5 Why learn about this topic? o Industrial controls are everywhere! o Utilities o Factories o Automobiles o Military o Data Centers o Appliances o Industrial controls are being networked like traditional IT networks.

6 Some industrial controls that might surprise you o Environmental controls in your data center o Missiles launched by the military o Assembly line controller in a factory o SCADA systems at utilities o Gasoline pumps at a convenience store

7 Distributed Control System Basic DCS Configuration

8 Distributed Control System Example of a DCS HMI Display

9 Distributed Control System Functional Levels of DCS Example

10 SCADA Example of a SCADA Network

11 SCADA Example of a Electric SCADA Network

12 SCADA Example of a SCADA HMI Display

13 Evolution 1 o Transition from mechanical switches or relays to Programmable Logic or Relay Logic

14 Programmable Logic Controllers (PLC) Example of a PLC Panel

15 Programmable Logic Controllers (PLC) Example of PLC Programming

16 PLC vs. RTU o RTUs are utilize to collect data over a wide geographic area as input to SCADA. o Such as with a network of electric substations o PLCs are utilized in a localize fashion to control a process. o Such as with a local area network on a factory floor

17 Industrial Control Evolution 2 o Transition from Standard Serial Communications (e.g. RS-232, RS-485, Async 2 wire) to higher performance non-ethernet Fieldbus communications (e.g. BACnet MS/TP, ModBus RTU, CAN, ProfiBus, InterBus, LonWorks, SERCOS).

18 T-shirt Question 1 owhat has been considered the first Industrial Control virus? owhat did it do?

19 Industrial Control Evolution 3 o Transition from Non-Ethernet Fieldbuses to Ethernet-based Communications (e.g. EtherCAT, Ethernet POWERLink).

20 Industrial Ethernet vs. Non-Ethernet Fieldbuses Advantages o Better performance o Greater bandwidth and larger data packages for communications with intelligent industrial devices o Faster real-time communications and synchronization for demanding control applications o Simple to integrate with networks that already exist in the business office environment

21 Industrial Ethernet vs. Non-Ethernet Fieldbuses Disadvantages o It is collision-based and not inherently deterministic and process controls demand real-time operation. o Universal acceptance of Ethernet tempts users to try to do too many things that could generate security issues. o Standard telephone-type connectors do not meet the physical demands of industrial equipment.

22 Impact of Industrial Internet o GE reported that enabling Internet-connected machines to communicate and operate automatically can bring substantial efficiency gains. o According to GE, the Industrial Internet will help eliminate hundreds of billions of dollars of wasted time and resources across critical industries. o The Industrial Internet has the potential to add $10 to 15 trillion U.S. dollars to the global GDP by 2030.

23 Rise of Industrial Internet o IMS Research predicts that in 2016, Ethernet will account for over 30 percent of all new nodes installed in industrial applications. o Ethernet TCP/IP was estimated to account for over one-third of new Ethernet nodes installed in o Wireless networking to grow 75% by 2017 compared to o Fieldbus protocols still have the high ground but Industrial Ethernet adoption is on the rise.

24 Evolution 4 o Transition from Ethernet-based Non-TCP/IP Communications to Ethernet-based TCP/IP Communications (e.g. BACnet/I, ModBus-TCP, EtherNet-IP, PROFINET-IO).

25 Cyber Security Implications

26 Cyber Security Implications o Cybersecurity failures have the potential to cause physical consequences. o Cybersecurity issues can manifest as process anomalies. o Cybersecurity is hard to manage. o Cybersecurity threats or issues can be complex.

27 Cybersecurity Implication Physical Consequences o Electric Power Blackouts o September 2007 cyber attack in Brazil o 2003 Northeast blackout o 1999 Southern Brazil blackout o 1965 Northeast blackout o 1979 Three Mile Island Nuclear Plant Accident o 2000 Maroochy Shire cyber event o 2007 Aurora Generator Test o 2009 Stuxnet o 2010 San Bruno natural gas pipeline explosion

28 Aurora Generator Test

29 Implications Process Anomalies o Actual cyber security issue vs. real process problem o Can be difficult to distinguish a real cyber security issue from a process anomaly. o Inadequate cyber security training for operators could lead to an attack not being recognized.

30 Implications Security Management Difficulties o Introduced latency and jitter o Measurement of time for packets to travel between nodes. o Variation in time between packets arriving to be process. o Difference in managing IT vs. OT

31 Implications Complexities o Non-typical network protocols o Commands that cannot be blocked due to safety or production issues. o Attackers using valid communications in invalid ways.

32 IT Cyber Security vs. OT Cyber Security

33 IT Cyber Security vs. OT Cyber Security - Performance Requirements Source: Derived from the NIST Standard

34 IT Cyber Security vs. OT Cyber Security - Availability Requirements Source: Derived from the NIST Standard

35 IT Cyber Security vs. OT Cyber Security - Risk Management Requirements Source: Derived from the NIST Standard

36 IT Cyber Security vs. OT Cyber Security - Change Management Requirements Source: Derived from the NIST Standard

37 IT Cyber Security vs. OT Cyber Security - Unintended Consequences Requirements Source: Derived from the NIST Standard

38 Survey of Specialized Communications Protocols

39 Modbus o Open protocol standard o Moves raw bits or words without placing many restrictions on vendors. o TCP/IP packet may look perfectly normal but the Modbus frame could crafted to carry malicious code.

40 DNP3 (Distributed Network Protocol) o Open Standard o Designed to be reliable but not secure. o Header may look perfectly normal but the data payload could crafted to carry malicious code. o No authentication mechanism in basic DNP3. o Secure DNP3

41 OPC (Open Platform Communications o Based on the OLE, COM, and DCOM technologies developed by Microsoft. o Any vulnerabilities in these technologies is carried into this protocol. o OPC is firewall unfriendly because OPC servers dynamically assign TCP ports. o DCOM and RPC are extremely complicated protocols that can be translated into attack surfaces for malicious actors. o OPC is complicated to setup so some vendors leave exposures in their products.

42 Cyber Security Problems and Issues

43 Cyber Security Problems and Issues - TCP/IP Stack and Industrial Protocols o Problems exist due to original design and purpose for Internet. o Poor software design o Fragility caused by deviation from RFC o Internet Protocol (IP version 4) (RFC 791) o User Datagram Protocol (UDP) (RFC 768) o Transmission Control Protocol (TCP) (RFC 793) o Address Resolution Protocol (ARP) (RFC 826) o Internet Control Messaging Protocol (ICMP) (RFC 792) o Internet Group Management Protocol (IGMP) (RFC 1112 & 2236) o IEEE (Ethernet) as defined in RFC 894 o Protocol Complexity o o ModBus TCP adds additional fields to standard TCP (Function Codes) Session Manipulation

44 Cyber Security Problems and Issues - Lack of Strong Authentication o Risk of compromise o Spoofing o Brute Force Attacks o Session Hijacking

45 Cyber Security Problems and Issues - Lack of Strong Authorization Practices o Malicious actors could gain access or perform a function that they are not entitled to perform.

46 Cyber Security Problems and Issues - Lack of Strong Encryption Practices o Commands and addresses passed in clear text; which can be captured and spoofed or manipulated. o Some encryption mandates are making it into regulations in some industrial control using industries.

47 Cyber Security Problems and Issues - Programmability o ICS devices are meant to be programmable; which makes them inherently vulnerable. o A whole lot of Fuzzing going on.

48 Cyber Security Problems and Issues - Lack of Message Checksum o Ability to spoofed commands is easier since the checksum is generated at the Transmission Layer and not the Application Layer.

49 Cyber Security Problems and Issues - Accessibility o Some protocols are meant to be used for Wide Area networks making them highly accessible and susceptible to many kinds of attacks.

50 Cyber Security Controls

51 Cyber Security Controls - Firewall o A firewall can become a sieve. o Not a catch all, be all security control but still a necessity. o Protocol recognition. o Don t forget a secure default rule; Deny All.

52 Cyber Security Controls - Intrusion Detection and Prevention o Intrusion Prevention vs. Intrusion Detection o Why is IPS a necessity? o Behavior recognition

53 Cyber Security Controls - ICS Honeypots o Sets a trap o Decoy o ICS Capable o SCADA HoneyNet Project o

54 Cyber Security Controls - Anti-Malware o If you cannot install host-based anti-malware software on any particular ICS system, implement network-based anti-malware. o Implement and configure host-based firewalls; if possible.

55 Cyber Security Controls - Security Information and Event Management o Log, Log, Log! o Real-Time or Near Real-Time Alerts

56 Cyber Security Recommendations

57 Industrial Control Network Cyber Security Recommendations o Defend against the unknown o Advanced Persistent Threats (APTs) o Advanced Evasion Techniques (AETs) o Alternative threat detection or prevention o Situational Awareness o Behavior Analysis and Detection o Practice Defense in Depth o Patch, Patch, Patch o Whitelisting o Collect and analyze logs

58 Industrial Control Network Cyber Security Recommendations o Avoid misconceptions o Avoid the Air Gap Myth o We have a firewall! o We re just a small site, we re not a target

59 Industrial Control Network Cyber Security Recommendations o Utilize Egress Filtering o Change Default Accounts and Passwords o Check your IP addresses with Shodan

60 Shodan o An industrial control system and network search engine. o

61 Shodan

62 Netsecuris o A leading Managed Security Service Provider specializing in protecting Industrial Control, Financial Services, Healthcare, and Government network environments. o Contact Information o Leonard Jacobs, MBA, CISSP o President/CEO o [email protected] o

63 Questions and Answers Thank you