CYBER SECURITY. Is your Industrial Control System prepared?

Transcription

1 CYBER SECURITY Is your Industrial Control System prepared? Presenter: Warwick Black Security Architect Operation & Optimization Software Activity Schneider-Electric

2 Challenges What challenges are there for Cyber Security in Industrial Control Systems (ICS)?

3 ICS Challenges Control Systems control real-world processes Manufacturing / Material Processing Critical Infrastructure Power, Water, Transport, Communications Speed, Reliability, Connectivity, Availability Focus on performance, not Security Plants run 24/7 with as little downtime as possible

4 Control System Lifecycle

5 Legacy Systems & thinking Security by Obscurity Proprietary protocols & bespoke operating systems One-off applications Specific knowledge required Isolated Networks Perimeter Firewall only defence IT stops at the Firewall, then Control Engineer s domain

6 Consequences IT Systems Defacing of website Damage to computer systems Loss of consumer personal information Loss of intellectual property Financial loss Control Systems Loss in productivity Downtime Damaged hardware Loss/theft of information or intellectual property Environmental Incident Licence to operate Personal Injury or Death Crippled Critical Infrastructure

7 So what s changed? Why is Cyber Security for ICSs only an issue now?

8 STUXNET Advanced worm, discovered July 2010 Targeted Siemens PCS7, S7 PLC and WinCC systems Infected at least 22 manufacturing sites worldwide Including it s supposed target, Iran s Nuclear program Unprecedented level of sophistication Gained media, industry, government and hacking community attention STUXNET code is available for modification

9 Not so obscure anymore Cyber Security is the current Hot Topic But previously it s all been about Standardisation Openness Connectivity Ethernet Everywhere Smart Devices / Instruments Control Networks are not isolated Often the only Security is a perimeter firewall

10 Standardisation Server % New ICS Sales in 2012 Server % Vista 1.2% Other 0.6% Win 7 35% 99.4% for Windows ~50% of new orders for obsolete OSes in Extended Support CE 19.7% XP 20.7% (2012 Sales data from 23 ICS Vendors)

11 Vulnerabilities, Exploits and Zero Days Software Vulnerability Flaw or weakness in code that could theoretically be exploited by a malicious program or user Exploit Working code that makes use of a vulnerability Client-Side Exploit Remote Exploit Zero-Day Exploit An exploit for which there is no patch The vendor has had zero days to respond

12 Client-Side Exploits Exploit code that is triggered on the Client PC Connect Back to the Attacker Not blocked by most firewalls Attacker does not need to consider perimeter defences at all Triggering a Client-Side exploit Social Engineering Malicious File, Malicious Websites, Infected USB key Drive-by Downloads Legitimate Websites, compromised to contain malicious code

13 Drive-By Exploit When a legitimate Website is compromised and malicious code uploaded to attack visitors #1 Threat Trend for Critical Infrastructure (28/09/12) ENISA - European Network and Information Security Agency Feb ios App developer forum was used to deploy Zero-Day Java exploit code ( Microsoft, Apple, Facebook and Twitter have all reported they had corporate PCs compromised

14 Cyber Threat Landscape Exploits detected & blocked by Microsoft anti-malware from 1Q11 to 2Q12

15 Java Vulnerabilities Multi-Platform 3 Billion Devices run Java, Windows, Linux, Mac Patches for 55 Security Vulnerabilities already in 2013 Vulnerability announcements almost a weekly occurrence From an audit on 25th March 75% of users use a version more than 6 months old 93.77% of Java users were still vulnerable to CVE months after it had been reported 20 days after a patch was released Versions below and still vulnerable

16 Hacking tools & knowledge Easily accessible information YouTube, forums etc. Highly developed tools available Penetration Platforms / Frameworks Standardised all common functionality Regular updates for all newly published exploit code SCADA+

17 ShodanHQ.com Hardware Search Engine If your site / device is internet connected, it is indexed.

18 ShodanHQ.com

19 Defence in Depth Mitigating the risks

20 Cyber Security Strategy There is no Magic Bullet Proper Cyber Security is a Defence in Depth strategy, consisting of: Secure Products Secure Architectures Security Policies & Employees

21 Secure Products

22 Secure Products Secure by Design Security Features Access Control Security Configuration Securely Coded / Developed Products WurldTech s Achilles Certification ISA Secure Certification New Cyber Security Certification Centre Achilles Certified Lab in North Andover (Boston) Constantly assessing our existing products Involved from development for new products

23 Secure Products Secure Implementation Device Hardening applies to all cyber assets PCs PLCs / PACs, HMI Panels Switches, Routers Smart Instruments, Legacy Field Devices Enable and configure the provided security features Non-default, Strong passwords Configure access control

24 Secure Products Secure Implementation Disable unused functionality Unused embedded Web portals Unnecessary plugins: Flash, Java etc. Disable USB Ports Disable unused ports on switches Keep firmware up to date Place higher priority on Security Updates Use downtime periods to apply and test other major upgrades

25 Industrial Firewalls

26 Secure Products Industrial Firewalls Connexium Industrial Firewall TCSEFEC Tofino Industrial Firewall TCSEFEA

27 Connexium Industrial Firewall (TCSEFEC) 3 Modes of operation Router (Layer 3) Switch / Transparent (Layer 2) PPPoE (Point to Point over Ethernet) Packet Filtering - Firewall Rules Incoming, Outgoing, TCP, MAC, PPPoE Denial Of Service protection Stops excessive network traffic flooding with TCP connections, ping packets or ARP packets, without hindering the data traffic VPN

28 Connexium Industrial Firewall - TCSEFEC Built for Industry Copper & Fibre variants 25mm Din Rail, 0-60 C operating temp MTBF = 50+ Years Configurable alarm relay connection Redundancy Dual Power Supply (12 48 VDC or 24 VAC) VRRP Virtual Router Redundancy Protocol (Layer 3)

29 ConneXium Tofino Firewall (TCSEFEA) Industrial Firewall, plus additional features MODBUS Enforcer Deep packet inspection for Modbus Can block traffic based on Function codes Register or coil addresses Station ID No. Non-standard Modbus traffic 1000 packets per second with full content inspection Ideal for protection of legacy Modbus devices Event Logger

30 ConneXium Tofino Firewall (TCSEFEA) Preconfigured firewall templates for Schneider Hardware

31 Secure Architectures

32 Secure Architecture Multiple levels of defence Network Separation Perimeter Protection Control Network Segmentation

33 Secure Architecture Network Separation Isolation is over Connect Enterprise and Automation Networks in a secure, controlled fashion via a DMZ Provide Terminal Sessions in DMZ for remote access Monitor/Patch all DMZ assets!

34 Secure Architectures Perimeter Firewall Start at Block All Whitelist communication from DMZ assets Restrict outbound communications Provide alternate access

35 Secure Architectures Segmentation Zones & Conduits, ISA 99 VLAN and Subnets alone offer performance, not security Connexium Firewalls add IP/Port or Mac Filter Rules Access Control for legacy devices DOS Protection Deep Packet Inspection

36 Security Policies & Employees

37 Security Policies Established, maintained and enforced by a crossdiscipline team Full asset audit / diagram / documentation Establish the baseline minimal configuration Risk Assessment Ownership / responsibilities Consider: Access Control (Physical) / Privileges / Password Policies Patch / Upgrade Management Change Management Backup / Recovery plans / procedures Incident Response / Forensics

38 Incident Handling How would you handle an Incident at your facility? Wipe and restore affected assets? Take plant offline and await forensic analysis? Contact Law enforcement? Contact Industrial authorities / regulators? Inform customers about potential data loss/leak? Establish the risks and responses for your site now

39 Employees Assign ownership & responsibilities Maintain & enforce Security Policies Monitor Network & Security logs Provide Training Awareness of Social Engineering & other security risks Security Policies Incident Detection and Handling

40 Patch Management Have a plan for patching Auto-update isn t safe or practical for ICS Assess the impact of the patch, test, deploy Prioritise patches based on risk Deploy Compensating measures until patches can be deployed Disable a vulnerable interface until patched Modify firewalls Deploy IDS rules to detect / block known attacks

41 Complimentary Technology Host-Based Anti-Virus / Application Control Traditionally using virus Signatures Whitelisting would work better for ICS Block all, allow approved programs only VPN Two-Factor authentication IDS / IPS Systems HIDS / HIPS Host-based NIDS / NIPS Network-based SIEM Centralize Logs

42 Summary

43 Defence in Depth Assets Highest Value Assets Employees / Policies Segmentation Firewalls Perimeter Firewalls Network Monitoring DMZ Secure Products (Bricks) Threats

44 More resources Schneider s Page support/cybersecurity/cybersecurity.page New Schneider TVDA released March 2013 How Can I Reduce Vulnerability to Cyber Attacks in the Control Room? Questions?