The Electronic Arms Race of Cyber Security 4.2 Lecture 7 ISIMA Clermont-Ferrand / 04-February 2011 Copyright 2011 Dr. Juergen Hirte
List of Contents
- Why Process Automation Security? Security awareness issues; Stuxnet & Co.
- How to Protect Industrial Environments: risk mitigation concepts; defense-in-depth strategy; DHS 2010 recommendations; ISA-99 specifications; industrial security configuration examples
- Top Software Development Issues: tools, process etc.
- Process Automation Security Initiatives & Organizations: ENISA, CERT, INL Lab
- Conclusions
(Cyber-) Security Awareness Concerns (some reasons)
- Plant management and operators set the highest priority on production and plant safety, and a lower one on system-protection measures
- Vendors focus primarily on system features, development roadmaps and plant services
- Security problems are usually not visible during normal operation and testing: a plant that is owned still runs
- Lack of expertise: system administrators and developers are neither sensitised to nor skilled enough in security technologies
- The high complexity of the subject (concept/design, implementation, validation, operating procedures & logistics)
Stuxnet & Co.: video (Reuters, Boston, 19 July 2010)
Microsoft Protection Center Virus Tracking Report
US-CERT, 2010-07-15: the US-CERT Stuxnet alert report. III. Solution: Apply an update. This issue is addressed in Microsoft Security Bulletin MS10-046, the fix for the Windows Shell shortcut (.LNK) icon-handling vulnerability that Stuxnet used to execute code from removable media and network shares without user interaction. Also consider the following workarounds:
US-CERT is charged with providing response support and defense against cyber attacks for the Federal Civil Executive Branch (.gov) US-CERT is charged with information sharing and collaboration with state and local government, industry and international partners. US-CERT interacts with federal agencies, industry, the research community, state and local governments, and others to disseminate reasoned and actionable cyber security information to the public. Information is available from the US-CERT web site, mailing lists, and RSS channels.
How to Cyber-Protect an Industrial Plant?
Defense-in-Depth Strategy (abbreviated IDS on these slides; not to be confused with an intrusion detection system): Key Elements (I/II)
PC Network Management
- Virus scanning software on all PCs (periodically, remotely)
- Central release management and deployment of security patches and software updates
- Traffic control (load monitoring, pattern matching, statistical methods)
User Account Management
- Role-based access control (admin, operator, maintenance, ...)
- Login monitoring
[Figure: potential threat vs. control system]
Defense-in-Depth Strategy: Key Elements (II/II)
Secure Architectures
- Firewalls to control communication into and out of security zones
- Demilitarized zones (DMZs) to isolate network servers from the external network
- VPN communication (secure communication across a non-secure network such as the Internet)
Corporate Security Policies and Procedures (training, assessments)
Physical Security (building access control)
[Figure: potential threat]
Traditional Isolation of Corporate and Control Domains
- The two domains are more or less physically isolated
- Vulnerable data transmission paths between them
- Internal risks between office workstations and highly sensitive data servers
Secure Architecture Design (defense-in-depth concept), prepared by Idaho National Laboratory for the US-CERT Control Systems Security Program (CSSP): External Report INL/EXT-06-11478, "Control Systems Cyber Security: Defense in Depth Strategies" (2006). The figure shows three stages of separation between the control system LAN and the corporate LAN: (1) firewall protection; (2) firewall plus a dedicated protection server; (3) isolation through a DMZ sub-net. In the third stage the control system LAN and the corporate LAN are connected, but only through the DMZ, so no direct corporate-to-control path exists.
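The third stage of that design, written out as a small zone policy in Python so the rule base can be tested rather than only drawn. This is an added example, not code from the INL report or from these slides; the zone names, the historian ports (TCP 443 and 1433), the VPN ports (UDP 500/4500) and the sample packets are constructed assumptions for the illustration.

```python
"""Zone-based firewall policy for a segmented plant network (policy as code).

Zones follow the third INL architecture: corporate LAN and control system
LAN are connected only through a DMZ sub-net hosting the data/historian
server. Zone names, ports and sample packets are assumptions for this example.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Zone labels (assumed)
INTERNET, CORPORATE, DMZ, CONTROL = "internet", "corporate", "dmz", "control"


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    proto: str          # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    action: str                        # "allow" or "deny"
    proto: Optional[str] = None        # None = any protocol
    dports: frozenset = frozenset()    # empty = any destination port
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        return (self.src_zone == p.src_zone
                and self.dst_zone == p.dst_zone
                and (self.proto is None or self.proto == p.proto)
                and (not self.dports or p.dport in self.dports))


# Ordered rule base: first match wins; anything unmatched is denied.
POLICY = [
    # Corporate users read plant data from the DMZ historian over HTTPS only.
    Rule(CORPORATE, DMZ, "allow", "tcp", frozenset({443}),
         "corporate -> DMZ historian web front-end"),
    # The control LAN pushes process data up to the DMZ historian
    # (TCP 1433 assumed for the historian's database listener).
    Rule(CONTROL, DMZ, "allow", "tcp", frozenset({1433}),
         "control -> DMZ historian replication"),
    # Remote maintenance reaches the DMZ only through the VPN gateway.
    Rule(INTERNET, DMZ, "allow", "udp", frozenset({500, 4500}),
         "internet -> DMZ VPN gateway (IKE / NAT-T)"),
    # Explicit denies documenting the design intent: no path from the
    # corporate LAN or the Internet into the control LAN, and the DMZ
    # never initiates connections into the control LAN either.
    Rule(CORPORATE, CONTROL, "deny", comment="no direct corporate -> control path"),
    Rule(INTERNET, CONTROL, "deny", comment="no Internet -> control path"),
    Rule(DMZ, CONTROL, "deny", comment="DMZ never initiates into control"),
]


def evaluate(p: Packet, policy=POLICY) -> Tuple[str, str]:
    """Return (action, comment) of the first matching rule, or the implicit
    default deny when no rule matches."""
    for r in policy:
        if r.matches(p):
            return r.action, r.comment
    return "deny", "default deny"


def reachable_zones(src_zone: str, policy=POLICY) -> set:
    """Zones into which src_zone can open at least one connection.
    Audit property for this design: 'control' must never be in the result
    for 'corporate' or 'internet'."""
    reach = set()
    for i, r in enumerate(policy):
        if r.src_zone != src_zone or r.action != "allow":
            continue
        # An allow is dead if an earlier catch-all deny for the same zone
        # pair shadows it (first match wins).
        shadowed = any(d.action == "deny" and d.src_zone == r.src_zone
                       and d.dst_zone == r.dst_zone
                       and d.proto is None and not d.dports
                       for d in policy[:i])
        if not shadowed:
            reach.add(r.dst_zone)
    return reach


if __name__ == "__main__":
    # Constructed sample traffic; TCP 102 is the ISO-on-TCP port used by S7 communication.
    for pkt in (Packet(CORPORATE, DMZ, "tcp", 443),
                Packet(CORPORATE, CONTROL, "tcp", 102),
                Packet(CORPORATE, DMZ, "tcp", 22),
                Packet(CONTROL, DMZ, "tcp", 1433),
                Packet(INTERNET, CONTROL, "tcp", 443)):
        print(pkt, "->", evaluate(pkt))
    for z in (CORPORATE, INTERNET, CONTROL):
        print(z, "can reach", sorted(reachable_zones(z)))
```

The explicit deny rules are redundant with the default deny, but they make the design intent visible in the rule base and give an audit function something to check: reachable_zones is the question an assessor asks of a zone diagram, and here it is answered from the same object the firewall would enforce.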
DHS, June 2010: Catalog of Control Systems Security: Recommendations for Standards Developers (excerpts, two slides)
ISA-99 : Industrial Automation and Control System Security (I/II)
ISA-99 : Industrial Automation and Control System Security (II/II)
Siemens SIMATIC PCS 7 Process Control System: Industrial Security with SCALANCE S, X, W
SCALANCE: Secure Network Configuration (example; source: Siemens SCALANCE manual). Security Configuration Tools: integrated firewall, authentication, data encryption, ...
SIMATIC S7 Communication: the most secure communication is obviously point-to-point via the S7 MPI interface, without any peripheral network. But what about the integrity of your PC? A controller that is only reachable from the engineering PC is only as trustworthy as that PC, which is exactly the path Stuxnet took. (Source: B-S-K Industrievertretungen)
Automation System Communication Standards: open communication over Industrial Ethernet is the common state of the art (e.g. S7-mEC embedded controller, S7-1200)
SANS Top 25 Report 2010 (SANS Institute: Information Security Training, Certification & Research). Software error category: Insecure Interaction Between Components
- [1] CWE-79: Failure to Preserve Web Page Structure ('Cross-site Scripting'). Cross-site scripting (XSS) is one of the most prevalent, obstinate, and dangerous vulnerabilities in web applications ... if you're not careful, attackers can ...
- [2] CWE-89: Failure to Preserve SQL Query Structure (aka 'SQL Injection'). If attackers can influence the SQL that you use to communicate with your database, then they can ...
- [4] CWE-352: Cross-Site Request Forgery (CSRF). With cross-site request forgery, the attacker gets the victim to activate a request that goes to your site. Thanks to scripting and the way the web works in general, the victim ...
- [8] CWE-434: Unrestricted Upload of File with Dangerous Type. You may think you're allowing uploads of innocent images ...
- [9] CWE-78: Failure to Preserve OS Command Structure (aka 'OS Command Injection'). When you invoke another program on the operating system, but you allow untrusted inputs to be fed into the command string that you generate for executing the program, then you are inviting attackers ...
- [17] CWE-209: Information Exposure Through an Error Message. If you use chatty error messages, then they could disclose secrets to any attacker who dares to misuse your software. The secrets could cover a wide range of valuable data ...
- [23] CWE-601: URL Redirection to Untrusted Site ('Open Redirect'). While much of the power of the World Wide Web is in sharing and following links between web sites, typically there is ...
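Two of the listed weaknesses, CWE-89 (SQL injection) and CWE-209 (information exposure through an error message), in a small operator-login check, vulnerable and hardened side by side. This is an added example, not code from the SANS/CWE text or from any product on these slides; the in-memory operators table, the credentials and the attack strings are constructed for the illustration.

```python
"""CWE-89 (SQL injection) and CWE-209 (error-message exposure), side by side.

Added illustration: the `operators` table, the credentials and the attack
strings are constructed for this example.
"""
import sqlite3
from typing import Optional


def make_db() -> sqlite3.Connection:
    """Constructed sample database with two plant operator accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE operators (name TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO operators VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "operator")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> Optional[str]:
    """Builds the statement text from untrusted input, so the input becomes
    part of the SQL structure (CWE-89). On a database error the driver's
    message is handed back to the caller (CWE-209)."""
    sql = ("SELECT role FROM operators WHERE name = '%s' AND password = '%s'"
           % (name, password))
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error as exc:
        return "error: %s" % exc      # leaks parser state and query shape to the attacker
    return row[0] if row else None


def login_fixed(conn: sqlite3.Connection, name: str, password: str) -> Optional[str]:
    """Parameterised query: input is bound as data and cannot change the
    statement's structure. Errors are handled internally; the caller only
    sees a generic failure (None)."""
    try:
        row = conn.execute(
            "SELECT role FROM operators WHERE name = ? AND password = ?",
            (name, password),
        ).fetchone()
    except sqlite3.Error:
        return None                   # log server-side; say nothing useful outside
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    # Constructed attack strings: a tautology in the password field and a
    # comment sequence in the user name that truncates the rest of the query.
    for user, pw in (("alice", "x' OR '1'='1"), ("alice'--", "anything"), ("alice'", "")):
        print(repr((user, pw)))
        print("  vulnerable:", login_vulnerable(db, user, pw))
        print("  fixed:     ", login_fixed(db, user, pw))
```

The vulnerable variant hands out the admin role for the tautology and for the comment-truncated user name, and returns the SQLite parser error for an unbalanced quote; the parameterised variant returns None for all three and only "admin" for the real credentials. The fix is the query API, not input filtering: the same binding discipline applies to any driver that offers placeholders.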
OWASP (http://www.owasp.org): Top 10 Critical Web Application Security Risks (2010)
- A1 Injection
- A2 Cross Site Scripting (XSS)
- A3 Broken Authentication and Session Management
- A4 Insecure Direct Object References
- A5 Cross Site Request Forgery (CSRF)
- A6 Security Misconfiguration (new)
- A7 Failure to Restrict URL Access
- A8 Unvalidated Redirects and Forwards (new)
- A9 Insecure Cryptographic Storage
- A10 Insufficient Transport Layer Protection
Industrial Cyber-Security Development Process, Assessments and Code Analysis (examples)
- http://www.isasecure.org
- http://www.microsoft.com/security/sdl/learn/default.aspx
- http://www.fortify.com
- http://www.wurldtech.com
INL External Report INL/EXT-06-11478: here you can learn about some constraints on the software security measures available to you. IT security versus process control security: different views, different solutions. Controls that are routine in the office (frequent patching, reboots, agents on every host) collide with availability and real-time requirements on the plant floor, so the same risk often needs a different control.
Organizations (Europe): ENISA, the European Network and Information Security Agency (text from ENISA, 2005-2010). ENISA helps the European Commission, the Member States and the business community to address, respond to and, above all, prevent network and information security problems. ENISA is a body of expertise set up by the EU to carry out specific technical and scientific tasks in the field of information security. The Agency also assists the European Commission in the technical preparatory work for updating and developing Community legislation in the field of network and information security. http://www.enisa.europa.eu
CERT Coordination Center (CERT/CC). The CERT Coordination Center, arguably the most widely known group within the CERT Program, addresses risks at the software and system level. CERT focus:
- Identifying and addressing existing and potential threats
- Notifying system administrators and other technical personnel of these threats
- Coordinating with vendors and incident response teams worldwide to address the threats
- Security assessments, workshops, audits, prevention programs
Idaho National Laboratory (INL)
INL@Work
Conclusions
- Security must be a mandatory part of software and hardware engineering education at universities and engineering schools
- Industry (operators and vendors) must establish adequate organization and procedures, e.g.:
  - Establish appropriate roles and procedures in your product lifecycle management process (most relevant for vendors of industrial components)
  - Establish appropriate policies
  - Have your own specialists for requirements, implementation, testing etc.
  - Continuous management support
  - Work together with standards organizations and external consultants
  - Frequent assessments (internal and external audits); certification
  - Training and education
Thank you for your attention!