How to Design and Maintain a Secure ICS Network

Similar documents
Industrial Cyber Security Risk Manager. Proactively Monitor, Measure and Manage Cyber Security Risk

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

Compliance Guide ISO Compliance Guide. September Contents. Introduction 1. Detailed Controls Mapping 2.

Vulnerability Management

ProtectWise: Shifting Network Security to the Cloud Date: March 2015 Author: Tony Palmer, Senior Lab Analyst and Aviv Kaufmann, Lab Analyst

SITUATIONAL AWARENESS MITIGATE CYBERTHREATS

How To Manage Security On A Networked Computer System

Continuous Security Metrics for Prevalent Network Threats: Introduction and First Four Metrics

Best Practices in ICS Security for System Operators. A Wurldtech White Paper

SANS Top 20 Critical Controls for Effective Cyber Defense

ForeScout CounterACT CONTINUOUS DIAGNOSTICS & MITIGATION (CDM)

Industrial Cyber Security. Complete Solutions to Protect Availability, Safety and Reliability of Industrial Facilities

WHITE PAPER AUTOMATED, REAL-TIME RISK ANALYSIS AND REMEDIATION

How To Manage Sourcefire From A Command Console

North American Electric Reliability Corporation (NERC) Cyber Security Standard

Honeywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014

FIREMON SECURITY MANAGER

Frost & Sullivan s. Aerospace, Defence & Security Practice. Global Industrial Cyber Security Trends

The Hillstone and Trend Micro Joint Solution

Network Security Deployment (NSD)

Best Practices for PCI DSS V3.0 Network Security Compliance

This is a preview - click here to buy the full publication

Concierge SIEM Reporting Overview

Critical Security Controls

Cloak and Secure Your Critical Infrastructure, ICS and SCADA Systems

Session 9: Changing Paradigms and Challenges Tools for Space Systems Cyber Situational Awareness

Cyber Security. BDS PhantomWorks. Boeing Energy. Copyright 2011 Boeing. All rights reserved.

Top 20 Critical Security Controls

How to Choose the Right Industrial Firewall: The Top 7 Considerations. Li Peng Product Manager

IoT & SCADA Cyber Security Services

Security solutions White paper. Acquire a global view of your organization s security state: the importance of security assessments.

RAVEN, Network Security and Health for the Enterprise

Cloud Security Primer MALICIOUS NETWORK COMMUNICATIONS: WHAT ARE YOU OVERLOOKING?

Industrial Control System Cyber Situational Awareness. Robert M. Lee* June 10 th, 2015

Compliance Management, made easy

Update On Smart Grid Cyber Security

NYS LOCAL GOVERNMENT VULNERABILITY SCANNING PROJECT September 22, 2011

Data- Centric Enterprise Approach to Risk Management Gregory G. Jackson, Sr. Cyber Analyst Cyber Engineering Division Dynetics Inc.

CORE Security and GLBA

Cyber Security for NERC CIP Version 5 Compliance

Larry Wilson Version 1.0 November, University Cyber-security Program Critical Asset Mapping

McAfee epolicy Orchestrator * Deep Command *

Ellipse The Enterprise Asset Management (EAM) solution for asset intensive industries

Introduction to Network Discovery and Identity

ASSUMING A STATE OF COMPROMISE: EFFECTIVE DETECTION OF SECURITY BREACHES

Seven Strategies to Defend ICSs

FREQUENTLY ASKED QUESTIONS

Threat Center. Real-time multi-level threat detection, analysis, and automated remediation

NERC CIP VERSION 5 COMPLIANCE

Technology Blueprint. Protect Your Servers. Guard the data and availability that enable business-critical communications

Description of Actual State Sensor Types for the Software Asset Management (SWAM) Capability. 7 Jul 2014

1 Introduction Product Description Strengths and Challenges Copyright... 5

GE Measurement & Control. Top 10 Cyber Vulnerabilities for Control Systems

Netzwerkvirtualisierung? Aber mit Sicherheit!

Defense-in-Depth Strategies for Secure, Open Remote Access to Control System Networks

Enterprise Security Platform for Government

The Cyber Threat Profiler

Redhawk Network Security, LLC Layton Ave., Suite One, Bend, OR

STEALTHWATCH MANAGEMENT CONSOLE

Secure Networks for Process Control

Best Practices in ICS Security for Device Manufacturers. A Wurldtech White Paper

Dealing with Big Data in Cyber Intelligence

Bridging the gap between COTS tool alerting and raw data analysis

Total Protection for Compliance: Unified IT Policy Auditing

Using ISA/IEC Standards to Improve Control System Security

Industrial Cyber Security Risk Manager. Proactively Monitor, Measure and Manage Industrial Cyber Security Risk

GETTING REAL ABOUT SECURITY MANAGEMENT AND "BIG DATA"

What a Vulnerability Assessment Scanner Can t Tell You. Leveraging Network Context to Prioritize Remediation Efforts and Identify Options

Lumeta IPsonar. Active Network Discovery, Mapping and Leak Detection for Large Distributed, Highly Complex & Sensitive Enterprise Networks

NIST CYBERSECURITY FRAMEWORK COMPLIANCE WITH OBSERVEIT

Bringing Continuous Security to the Global Enterprise

Eliminating Cybersecurity Blind Spots

Cyber Security for SCADA/ICS Networks

RSA Enterprise Compromise Assessment Tool (ECAT) Date: January 2014 Authors: Jon Oltsik, Senior Principal Analyst and Tony Palmer, Senior Lab Analyst

CHAPTER 3 : INCIDENT RESPONSE FIVE KEY RECOMMENDATIONS GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC

Feature. SCADA Cybersecurity Framework

INSERT COMPANY LOGO HERE

PROTECTING CRITICAL CONTROL AND SCADA SYSTEMS WITH A CYBER SECURITY MANAGEMENT SYSTEM

Appalachian Regional Commission Evaluation Report. Table of Contents. Results of Evaluation Areas for Improvement... 2

THE TOP 4 CONTROLS.

Architecture Overview

INTRUSION PREVENTION AND EXPERT SYSTEMS

Introduction. Jason Lawrence, MSISA, CISSP, CISA Manager, EY Advanced Security Center Atlanta, Georgia

Defending Against Data Beaches: Internal Controls for Cybersecurity

Preparing for a Cyber Attack PROTECT YOUR PEOPLE AND INFORMATION WITH SYMANTEC SECURITY SOLUTIONS

On-Premises DDoS Mitigation for the Enterprise

Obtaining Enterprise Cybersituational

SCADA Security Training

DeltaV System Cyber-Security

White Paper The Dynamic Nature of Virtualization Security

Embracing Microsoft Vista for Enhanced Network Security

UF Risk IT Assessment Guidelines

Addressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense

Instilling Confidence in Security and Risk Operations with Behavioral Analytics and Contextualization

Transcription:

Whitepaper How to Design and Maintain a Secure ICS Network Support IEC 62443 Compliance with SilentDefense ICS Authors Daniel Trivellato, PhD - Product Manager Industrial Line Dennis Murphy, MSc - Senior ICS Security Engineer 16 June 2015

Contents Preface 2 The IEC 62443 Standards 3 Standards Overview and Implementation Steps.................. 3 Limitations of the IEC 62443 Standards...................... 5 Building a more secure network with SilentDefense ICS 6 Trac ows and asset discovery.......................... 6 Network segmentation and threat detection.................... 8 Conclusions 10 About SecurityMatters............................... 10 About the Authors................................. 10

Preface Industrial network operators are subject to a constant demand from management to increase productivity and reduce costs. To achieve these goals and accommodate management demands, operators are shifting towards the use of standard communication technologies and commercial-o-the-shelf (COTS) equipment, and are opening up links between industrial and enterprise networks to enable sharing of process information in real time across multiple industrial and enterprise systems for analytical purposes. In spite of the clear business advantages, this paradigm shift has considerably reduced the resilience of industrial networks, opening the door to a new class of threats: cyberattacks directed against industrial control systems (ICS). To limit the exposure of industrial networks to this new and actual threat, a group of network security and industrial automation domain experts have worked to establish the ANSI/ISA-99 family of standards, which is now known as IEC 62443 [1]. These standards provide a framework to help control system vendors, system integrators and operators deal with the security threats that arise from the \push for productivity" initiatives and the resulting openness towards enterprise and third-party systems, and also to ward o the specter of Stuxnet-like malware attacks. This whitepaper briey reviews the IEC 62443 standards, discusses their limitations, and illustrates how SilentDefense ICS helps to overcome them, thereby supporting industrial network operators to comply with these standards and improve the security of industrial networks. c 2015 SecurityMatters 2 www.secmatters.com

The IEC 62443 Standards The IEC 62443 family of standards is a exible framework designed to facilitate the mitigation of current and future vulnerabilities in industrial control systems and networks, by applying necessary security controls and best practices. The standards dene requirements at dierent technical and organizational levels, in order for organizations to achieve an adequate cybersecurity posture. The gure below provides an overview of the IEC 62443 standards. Standards Overview and Implementation Steps In this whitepaper we focus exclusively on the technical standards of the IEC 62443 family, which are those targeting the network and its components (the lower levels of Figure 1, labeled as \System" and \Component"). The following is a short overview of the content of those standards: The IEC 62443-3-1 standard provides an introductory description to all existing technologies for protecting industrial networks and systems (e.g., network- and host-based solutions, etc.), their advantages and limitations. The IEC 62443-3-2 standard describes how organizations should segment their network into zones and conduits, grouping systems which are similar in functionality, purpose and/or location, and conduct risk analysis and denition of security requirements per zone. A target security level (in a 1-to-4 scale) is assigned to each zone. The focus of this standard is on zone-based risk management, and at this stage network segmentation is to be done only on paper; the actual segmentation of the network is discussed in the IEC 62443-4-2 standard. The IEC 62443-3-3 standard describes general system security requirements in terms of identication and authentication, data condentiality, and system integrity, specifying how these requirements dier for ICS networks with respect to IT networks. In particular, the standard stresses the fact that performance and availability should not be aected in the attempt to accommodate these requirements. c 2015 SecurityMatters 3 www.secmatters.com

Figure 1: Overview of the IEC 62443 family of standards (www.isa99.org) The IEC 62443-4-1 standard denes a development process that aims at reducing the number of security vulnerabilities in industrial control systems. The standard denes a number of techniques and processes based on best practices for secure design. The IEC 62443-4-2 standard denes the technical requirements for securing the individual components of an industrial network. These requirements are based on the system level security requirements specied in IEC 62443-3-3; security goals focus on system availability, plant protection, plant operations, and time-critical system response. Furthermore, the standard discusses the enforcement of data ow restrictions to achieve proper network segmentation. In particular, it treats application partitioning, security function isolation, and boundary protection. Based on the IEC 62443 framework, we can identify four incremental steps that operators should follow - with the support of qualied third parties - to design and maintain more secure and resilient industrial networks. 1. Data gathering: the rst step consists of gathering all information required to underc 2015 SecurityMatters 4 www.secmatters.com

stand how the network is built and the process operates; 2. Security assessment: the second step leverages the information gathered in step 1 to determine the current security posture of the industrial network, ascertain its exposure to cyberthreats, and identify appropriate countermeasures; 3. Solution build: based on the criticalities and priorities identied in step 2, operators apply the required changes to the network, and prepare it for the implementation of selected countermeasures; 4. Solution deployment: nally, selected countermeasures will be deployed and integrated into the day-to-day operations to preserve network and process security. Figure 2 illustrates the four steps along with the main activities involved in each step. Figure 2: Four steps to implement the IEC 62443 standards Limitations of the IEC 62443 Standards The security and resiliency of the industrial network resulting from the implementation of the IEC 62443 standards are strictly dependent on the completeness and accuracy with which the activities within steps 1 and 2 in Figure 2 are carried out. In fact, only comprehensive and accurate data gathering and security assessment steps will result in the selection and successful implementation of adequate countermeasures. Those activities, however, are typically carried out manually, or with the help of inadequate tools not designed for that specic purpose. As a consequence, the process is lengthy, error prone, and often incomplete, because it is dicult to characterize all relevant aspects without the support of an automated toolset. In the next paragraphs we present how the network monitoring and intelligence platform SilentDefense ICS can support operators to carry out some of those activities in a much more precise and complete way. c 2015 SecurityMatters 5 www.secmatters.com

Building a more secure network with SilentDefense ICS SilentDefense ICS is specically designed to provide the missing visibility into industrial networks and processes. SilentDefense ICS listens, analyzes, and automatically models the behavior of the network, presenting the operator with all the information needed to understand how the network is actually built and operates, and identify the weaknesses or possible trouble spots. It does all of this in a completely passive manner, to provide the most accurate picture possible of the network behavior with minimal eort, and without risk of introducing latency or aecting the performance of systems and process. SilentDefense ICS oers the ideal support in dierent steps of the implementation of the IEC 62443 standards. In particular, it: Enables an instant and accurate determination of the trac ows and active network devices; Supports the enforcement of network segmentation into zones and conduits, guaranteeing that no undesired communication or information ow occurs; And provides the best possible day-to-day protection of the network; thanks to the most advanced threat detection engine currently available, you can detect new and yet unknown cyberattacks as easily as every day's threats to the network. We will next illustrate the contributions of SilentDefense ICS more in details. Trac ows and asset discovery Operators can build an exhaustive asset and process inventory, determining information ows, protocols used and operations performed by each individual discreet network device by exploiting SilentDefense ICS's powerful, self-conguring analysis engine and advanced visual analytics platform. The result is an instant, clear and accurate picture of the network, which facilitates c 2015 SecurityMatters 6 www.secmatters.com

the operator's understanding of the underlying process and identies possible weaknesses and security breaches, from sources like using insecure protocols and services to the excessive use of the industrial network bandwidth. In addition, all of this information is captured using a passive network mirror port without reconguring the ICS network or actively scanning the network. Figure 3: Some of the views enabled by the SilentDefense ICS visual analytics platform The network picture is provided by a set of visual widgets, each of which is ideally designed to highlight certain aspects of the network's behavior. For example: Time series show the evolution of network/protocol communications over time; Pie charts put in proportion dierent aspects of the communications { like the most used protocols - to determine the structure of the network; Chord diagrams show in detail all the communication patterns observed in the network, and help identifying undesired information ows; Table elements list the network assets and their characteristics, or document undesired events in a given time interval. All graphs and analytics screens are fully customizable and may be used to represent multiple aspects of a communication ow, for instance the number of exchanged bytes or protocol messages. The information displayed can be ltered and cross-ltered with respect to dierent dimensions. The graphs provide a real-time view into the network, but can also be used to dig into the past and analyze network communications in relation to events. In fact, behind the visual analytics platform there is a full-featured data warehouse that allows operators to combine all their query preferences with historical data, giving them all the power they need to deeply analyze the behavior of the industrial network. c 2015 SecurityMatters 7 www.secmatters.com

Besides the graphical representation provided by the visual analytics, SilentDefense ICS also oers a detailed view of the information ows within the network in the form of \rewalllike" rules, which are automatically generated by a dedicated analysis engine. Each rule indicates which hosts have been observed communicating, over which port, using which protocols, and running which operations/commands over those protocols. This information is key to identify the presence of undesired information ows, insecure services run by the network devices, or undesired process operations. Figure 4: Information ows, protocols and commands identied by SilentDefense ICS The output of this analysis can be used to determine the security status of the network, clean up existing miscongurations, and instruct rewalls to stop specic undesired information ows. Furthermore, it includes all the required input to support the denition of network \zones" and \conduits", as recommended by IEC 62443. In other words, it is the big rst step towards the design and implementation of a secure network. Figure 5: network Alert generated by SilentDefense ICS when two unknown hosts appear in the Network segmentation and threat detection But SilentDefense ICS is not only a great platform to support network assessments; it can be also used to guarantee that the security posture is always preserved. In fact, the rules c 2015 SecurityMatters 8 www.secmatters.com

automatically generated by SilentDefense ICS can be enforced to guarantee that whenever communications diverge from the intended network behavior, the operator is immediately alerted. For example, SilentDefense ICS will alert in real-time in case a new, previously unseen host starts communicating in the network, or an undesired protocol or service is used (see Figure 5). In other words, SilentDefense ICS will report any violation of the network segmentation determined in the \solution build" step (step 3 of the IEC 62443 framework implementation). Figure 6: SilentDefense ICS reports the use of unauthorized operations and suspicious values Further to this ne-grained control over information ows, SilentDefense ICS features the most advanced detection engine to analyze communications over industrial protocols. SilentDefense ICS uses a learning mode to automatically generate a model of messages being actively used by the control network. Using Deep Protocol Behavioral Inspection, a tree-based model is generated and stored to allow for automatic real-time analysis of ICS communications. Figure 6 below is an example of a tree model that was auto-generated by SilentDefense ICS while monitoring some Modbus/TCP communications. The result is that SilentDefense ICS is capable of analyzing every single eld and value contained in an industrial protocol message, to ensure that the message is not only compliant with the protocol specications, but also with the intended operations and value ranges specically used in the monitored network. As soon as an outsider or disgruntled insider tries to exploit a vulnerability in network devices, SilentDefense ICS will detect it and report it. This goes beyond the capabilities of other existing network monitoring systems, which stop their analysis at the protocol 11command" level. Therefore, SilentDefense ICS oers protection from a more comprehensive set of cyberthreats, from the simplest to the most advanced ones. c 2015 SecurityMatters 9 www.secmatters.com

Conclusions SilentDefense ICS is the ideal platform to gain and maintain all the required visibility of industrial network activities, at any time. It empowers operators to achieve the gain in productivity requested by the management without losing sight of the security of the network, as advocated by the IEC 62443 standards. SilentDefense ICS brings value that goes well beyond that of traditional cybersecurity solutions. It identies and reports operations and networking issues that can have the same devastating eects of a cyberattack. All in all, it is the most comprehensive and powerful platform for monitoring industrial networks and industrial control systems. About SecurityMatters SecurityMatters is an international company with business in all major critical infrastructure and industrial automation sectors. Its network monitoring and intelligence platform Silent- Defense ICS has been deployed for years at customers across multiple continents, providing daily value to operations and protecting their networks from emerging cyberthreats. About the Authors Daniel Trivellato Daniel Trivellato received his PhD in computer security from the Eindhoven University of Technology in 2012. During his PhD, he worked in collaboration with Thales Netherlands on the design and implementation of an access control framework for protecting con- dential data in dynamic distributed systems. In 2012, Daniel joined SecurityMatters as a project leader; his responsibilities encompassed marketing and sales, account management, and the organization and management of deployment projects at customers. Since 2014, Daniel is product manager for SecurityMatters' Industrial Products portfolio, and is responsible for the evolution and commercialization of the line of products targeting the industrial control systems domain. c 2015 SecurityMatters 10 www.secmatters.com

Dennis Murphy Dennis Murphy is a Sr. Cybersecurity Engineer at Security Matters. He has 12 years of experience in SCADA and ICS design, development and implementation and 10 years of experience in computer security as it applies to critical infrastructure networks. Mr. Murphy directed multiple SCADA security tests at Idaho National Labs Critical Infrastructure Test Range while he was a program manager at BAE Systems in their cybersecurity division in Merrimack, NH. During his tenure at a Wonderware distributer in New England, he designed, installed and supported dozens of dierent SCADA systems in the Electric Power, Water, Biopharmaceutical, Oil & Gas, Chemical, Food & Beverage and Pulp & Paper industries. He has a masters degree in Systems Engineering from Johns Hopkins University. He is a member of the Boston, MA chapter of the FBI's infragard program and he is a member of the Control System Integrator Association's Cybersecurity Best Practices Working Group. c 2015 SecurityMatters 11 www.secmatters.com

Bibliography [1] International Society of Automation (ISA). Isa 99/iec 62443: Industrial automation and control systems security. https://www.isa.org/isa99/. c 2015 SecurityMatters 12 www.secmatters.com

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information