Holistic View of Industrial Control Cyber Security


Holistic View of Industrial Control Cyber Security A Deep Dive into Fundamentals of Industrial Control Cyber Security

Learning Goals
o Understanding security implications involving industrial control systems and environments
o Understanding design considerations for industrial control networks
o Understanding differences between traditional IT networks vs. industrial networks
o Understanding solutions and techniques to harden security of industrial networks

What is Industrial Control?

Industrial Control Defined
o A system that controls a process
o Industrial Control System: traditionally a general term defining several types of control systems used in industrial production
  o Distributed Control System (DCS)
  o Supervisory Control and Data Acquisition System (SCADA)
  o Remote Terminal Units (RTU)
  o Programmable Logic Controllers (PLC)

Why learn about this topic?
o Industrial controls are everywhere!
  o Utilities
  o Factories
  o Automobiles
  o Military
  o Data Centers
  o Appliances
o Industrial controls are being networked like traditional IT networks.

Some industrial controls that might surprise you
o Environmental controls in your data center
o Missiles launched by the military
o Assembly line controller in a factory
o SCADA systems at utilities
o Gasoline pumps at a convenience store

Distributed Control System Basic DCS Configuration

Distributed Control System Example of a DCS HMI Display

Distributed Control System Functional Levels of DCS Example

SCADA Example of a SCADA Network

SCADA Example of an Electric SCADA Network

SCADA Example of a SCADA HMI Display

Evolution 1 o Transition from mechanical switches or relays to Programmable Logic or Relay Logic

Programmable Logic Controllers (PLC) Example of a PLC Panel

Programmable Logic Controllers (PLC) Example of PLC Programming

PLC vs. RTU
o RTUs are utilized to collect data over a wide geographic area as input to SCADA.
  o Such as with a network of electric substations
o PLCs are utilized in a localized fashion to control a process.
  o Such as with a local area network on a factory floor

Industrial Control Evolution 2 o Transition from Standard Serial Communications (e.g. RS-232, RS-485, Async 2 wire) to higher performance non-ethernet Fieldbus communications (e.g. BACnet MS/TP, ModBus RTU, CAN, ProfiBus, InterBus, LonWorks, SERCOS).

T-shirt Question 1
o What has been considered the first Industrial Control virus?
o What did it do?

Industrial Control Evolution 3 o Transition from Non-Ethernet Fieldbuses to Ethernet-based Communications (e.g. EtherCAT, Ethernet POWERLink).

Industrial Ethernet vs. Non-Ethernet Fieldbuses: Advantages
o Better performance
o Greater bandwidth and larger data packages for communications with intelligent industrial devices
o Faster real-time communications and synchronization for demanding control applications
o Simple to integrate with networks that already exist in the business office environment

Industrial Ethernet vs. Non-Ethernet Fieldbuses: Disadvantages
o It is collision-based and not inherently deterministic, and process controls demand real-time operation.
o Universal acceptance of Ethernet tempts users to try to do too many things that could generate security issues.
o Standard telephone-type connectors do not meet the physical demands of industrial equipment.

Impact of Industrial Internet
o GE reported that enabling Internet-connected machines to communicate and operate automatically can bring substantial efficiency gains.
o According to GE, the Industrial Internet will help eliminate hundreds of billions of dollars of wasted time and resources across critical industries.
o The Industrial Internet has the potential to add $10 to 15 trillion U.S. dollars to the global GDP by 2030.

Rise of Industrial Internet
o IMS Research predicts that in 2016, Ethernet will account for over 30 percent of all new nodes installed in industrial applications.
o Ethernet TCP/IP was estimated to account for over one-third of new Ethernet nodes installed in 2011.
o Wireless networking to grow 75% by 2017 compared to 2012.
o Fieldbus protocols still have the high ground, but Industrial Ethernet adoption is on the rise.

Evolution 4 o Transition from Ethernet-based Non-TCP/IP Communications to Ethernet-based TCP/IP Communications (e.g. BACnet/I, ModBus-TCP, EtherNet-IP, PROFINET-IO).

Cyber Security Implications

Cyber Security Implications
o Cybersecurity failures have the potential to cause physical consequences.
o Cybersecurity issues can manifest as process anomalies.
o Cybersecurity is hard to manage.
o Cybersecurity threats or issues can be complex.

Cybersecurity Implication: Physical Consequences
o Electric Power Blackouts
  o September 2007 cyber attack in Brazil
  o 2003 Northeast blackout
  o 1999 Southern Brazil blackout
  o 1965 Northeast blackout
o 1979 Three Mile Island Nuclear Plant Accident
o 2000 Maroochy Shire cyber event
o 2007 Aurora Generator Test
o 2009 Stuxnet
o 2010 San Bruno natural gas pipeline explosion

Aurora Generator Test

Implications: Process Anomalies
o Actual cyber security issue vs. real process problem
o Can be difficult to distinguish a real cyber security issue from a process anomaly.
o Inadequate cyber security training for operators could lead to an attack not being recognized.

Implications: Security Management Difficulties
o Introduced latency and jitter
  o Latency: measurement of time for packets to travel between nodes.
  o Jitter: variation in time between packets arriving to be processed.
o Difference in managing IT vs. OT

Implications: Complexities
o Non-typical network protocols
o Commands that cannot be blocked due to safety or production issues.
o Attackers using valid communications in invalid ways.

IT Cyber Security vs. OT Cyber Security

IT Cyber Security vs. OT Cyber Security - Performance Requirements Source: Derived from the NIST 800-82 Standard

IT Cyber Security vs. OT Cyber Security - Availability Requirements Source: Derived from the NIST 800-82 Standard

IT Cyber Security vs. OT Cyber Security - Risk Management Requirements Source: Derived from the NIST 800-82 Standard

IT Cyber Security vs. OT Cyber Security - Change Management Requirements Source: Derived from the NIST 800-82 Standard

IT Cyber Security vs. OT Cyber Security - Unintended Consequences Requirements Source: Derived from the NIST 800-82 Standard

Survey of Specialized Communications Protocols

Modbus
o Open protocol standard
o Moves raw bits or words without placing many restrictions on vendors.
o The TCP/IP packet may look perfectly normal, but the Modbus frame could be crafted to carry malicious code.

DNP3 (Distributed Network Protocol)
o Open standard
o Designed to be reliable but not secure.
o The header may look perfectly normal, but the data payload could be crafted to carry malicious code.
o No authentication mechanism in basic DNP3.
o Secure DNP3

OPC (Open Platform Communications)
o Based on the OLE, COM, and DCOM technologies developed by Microsoft.
o Any vulnerabilities in these technologies are carried into this protocol.
o OPC is firewall unfriendly because OPC servers dynamically assign TCP ports.
o DCOM and RPC are extremely complicated protocols that can be translated into attack surfaces for malicious actors.
o OPC is complicated to set up, so some vendors leave exposures in their products.

Cyber Security Problems and Issues

Cyber Security Problems and Issues - TCP/IP Stack and Industrial Protocols
o Problems exist due to the original design and purpose of the Internet.
o Poor software design
o Fragility caused by deviation from the RFCs
  o Internet Protocol (IP version 4) (RFC 791)
  o User Datagram Protocol (UDP) (RFC 768)
  o Transmission Control Protocol (TCP) (RFC 793)
  o Address Resolution Protocol (ARP) (RFC 826)
  o Internet Control Messaging Protocol (ICMP) (RFC 792)
  o Internet Group Management Protocol (IGMP) (RFC 1112 & 2236)
  o IEEE 802.3 (Ethernet) as defined in RFC 894
o Protocol Complexity
  o ModBus TCP adds additional fields to standard TCP (Function Codes)
o Session Manipulation

Cyber Security Problems and Issues - Lack of Strong Authentication
o Risk of compromise
o Spoofing
o Brute Force Attacks
o Session Hijacking

Cyber Security Problems and Issues - Lack of Strong Authorization Practices o Malicious actors could gain access or perform a function that they are not entitled to perform.

Cyber Security Problems and Issues - Lack of Strong Encryption Practices
o Commands and addresses are passed in clear text, which can be captured and spoofed or manipulated.
o Some encryption mandates are making it into regulations in some industries that use industrial control.

Cyber Security Problems and Issues - Programmability
o ICS devices are meant to be programmable, which makes them inherently vulnerable.
o A whole lot of fuzzing going on.

Cyber Security Problems and Issues - Lack of Message Checksum
o Spoofing commands is easier since the checksum is generated at the Transmission Layer and not the Application Layer.

Cyber Security Problems and Issues - Accessibility o Some protocols are meant to be used for Wide Area networks making them highly accessible and susceptible to many kinds of attacks.

Cyber Security Controls

Cyber Security Controls - Firewall
o A firewall can become a sieve.
o Not a catch-all, be-all security control, but still a necessity.
o Protocol recognition.
o Don't forget a secure default rule: Deny All.
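As an added illustration (not code from the original presentation) of protocol recognition with a Deny All default, the following checks a Modbus/TCP frame's MBAP header for internal consistency and then matches its function code against a hypothetical site policy: reads are allowed from any control-network host, writes only from an assumed engineering workstation address. All addresses and frames below are constructed for the example.

```python
import struct

# Modbus/TCP frame layout per the public Modbus spec (TCP port 502):
#   transaction id (2) | protocol id (2, must be 0) | length (2) | unit id (1) | function code (1) | data
MBAP_FMT = ">HHHB"
MBAP_LEN = 7

# Hypothetical site policy (constructed values): reads from anywhere on the control
# network, writes only from the engineering workstation, everything else denied.
READ_FUNCS = {1, 2, 3, 4}            # read coils / discrete inputs / holding regs / input regs
WRITE_FUNCS = {5, 6, 15, 16}         # write single coil / register, write multiple coils / registers
ENGINEERING_HOSTS = {"10.0.1.50"}    # assumed engineering workstation address

def parse_modbus_tcp(frame: bytes) -> dict:
    """Validate the MBAP header; return its fields plus the PDU, or raise ValueError."""
    if len(frame) < MBAP_LEN + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(MBAP_FMT, frame[:MBAP_LEN])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus")
    # The length field counts unit id + PDU; a mismatch means a malformed or crafted frame
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} disagrees with frame size {len(frame) - 6}")
    if length > 254:  # unit id plus the 253-byte PDU maximum
        raise ValueError("PDU exceeds Modbus maximum")
    func = frame[MBAP_LEN]
    return {"tid": tid, "unit": unit, "func": func, "data": frame[MBAP_LEN + 1:]}

def check_policy(src_ip: str, frame: bytes) -> tuple:
    """Return ("allow" | "deny", reason) for one client frame; anything unmatched is denied."""
    try:
        msg = parse_modbus_tcp(frame)
    except ValueError as exc:
        return "deny", f"malformed: {exc}"
    func = msg["func"]
    if func & 0x80:  # 0x80+ codes are exception responses and never valid in a request
        return "deny", "exception-style function code in request"
    if func in READ_FUNCS:
        return "allow", f"read function {func}"
    if func in WRITE_FUNCS and src_ip in ENGINEERING_HOSTS:
        return "allow", f"write function {func} from engineering host"
    return "deny", f"function {func} not permitted from {src_ip}"

# Constructed sample frames (hex): tid | pid | len | unit | func | data
READ_HOLDING = bytes.fromhex("0001" "0000" "0006" "01" "03" "0000" "000A")  # read 10 holding regs
WRITE_COIL = bytes.fromhex("0002" "0000" "0006" "01" "05" "0013" "FF00")    # force coil 0x13 on
BAD_LENGTH = bytes.fromhex("0003" "0000" "0020" "01" "03" "0000" "000A")    # length claims 32 bytes

if __name__ == "__main__":
    for ip, frame in [("10.0.2.10", READ_HOLDING), ("10.0.2.10", WRITE_COIL),
                      ("10.0.1.50", WRITE_COIL), ("10.0.1.50", BAD_LENGTH)]:
        print(ip, check_policy(ip, frame))
```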

Cyber Security Controls - Intrusion Detection and Prevention
o Intrusion Prevention vs. Intrusion Detection
o Why is IPS a necessity?
o Behavior recognition

Cyber Security Controls - ICS Honeypots
o Sets a trap
o Decoy
o ICS capable
o SCADA HoneyNet Project
  o http://scadahoneynet.sourceforge.net/

Cyber Security Controls - Anti-Malware
o If you cannot install host-based anti-malware software on any particular ICS system, implement network-based anti-malware.
o Implement and configure host-based firewalls, if possible.

Cyber Security Controls - Security Information and Event Management
o Log, Log, Log!
o Real-Time or Near Real-Time Alerts
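An added example (not from the original presentation) of the behavior recognition mentioned under Intrusion Detection and of the near-real-time alerting mentioned here: a detector learns which client/PLC/unit/function-code conversations are normal from a training window, then raises alerts for any conversation outside that baseline and for bursts of write commands. The traffic records, addresses and the 5-writes-per-minute threshold are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class ModbusEvent:
    ts: float   # epoch seconds
    src: str    # client address
    dst: str    # PLC address
    unit: int   # Modbus unit id
    func: int   # Modbus function code

WRITE_FUNCS = {5, 6, 15, 16}  # write single coil / register, write multiple coils / registers

class BehaviorDetector:
    """Learn which (src, dst, unit, func) combinations are normal, then alert on deviations."""
    def __init__(self, max_writes_per_minute: int = 5):  # threshold is an assumed site value
        self.baseline = set()
        self.max_writes = max_writes_per_minute
        self.write_times = defaultdict(list)  # src -> timestamps of recent writes

    def learn(self, events):
        for e in events:
            self.baseline.add((e.src, e.dst, e.unit, e.func))

    def detect(self, e: ModbusEvent) -> list:
        alerts = []
        key = (e.src, e.dst, e.unit, e.func)
        if key not in self.baseline:  # a host, target or function never seen in training
            alerts.append(f"NEW_CONVERSATION {e.src}->{e.dst} unit={e.unit} func={e.func}")
        if e.func in WRITE_FUNCS:  # sliding 60 s window of writes per source
            window = [t for t in self.write_times[e.src] if e.ts - t < 60] + [e.ts]
            self.write_times[e.src] = window
            if len(window) > self.max_writes:
                alerts.append(f"WRITE_BURST {e.src} {len(window)} writes in 60s")
        return alerts

def run_detector(training, live):
    """Train on one event list, then return (timestamp, alert) pairs for the other."""
    d = BehaviorDetector()
    d.learn(training)
    return [(e.ts, a) for e in live for a in d.detect(e)]

# Constructed sample traffic: an HMI polls a PLC every 2 s; the engineering station writes once
TRAINING = [ModbusEvent(float(t), "10.0.2.10", "10.0.3.1", 1, 3) for t in range(0, 600, 2)]
TRAINING.append(ModbusEvent(300.0, "10.0.1.50", "10.0.3.1", 1, 16))
LIVE = [
    ModbusEvent(700.0, "10.0.2.10", "10.0.3.1", 1, 3),  # normal poll, no alert
    ModbusEvent(701.0, "10.0.2.77", "10.0.3.1", 1, 3),  # unknown host reading the PLC
    ModbusEvent(702.0, "10.0.2.10", "10.0.3.1", 1, 6),  # the HMI suddenly writing
] + [ModbusEvent(710.0 + i, "10.0.1.50", "10.0.3.1", 1, 16) for i in range(7)]  # write burst

if __name__ == "__main__":
    for ts, alert in run_detector(TRAINING, LIVE):
        print(ts, alert)
```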

Cyber Security Recommendations

Industrial Control Network Cyber Security Recommendations
o Defend against the unknown
  o Advanced Persistent Threats (APTs)
  o Advanced Evasion Techniques (AETs)
o Alternative threat detection or prevention
  o Situational Awareness
  o Behavior Analysis and Detection
o Practice Defense in Depth
o Patch, Patch, Patch
o Whitelisting
o Collect and analyze logs

Industrial Control Network Cyber Security Recommendations
o Avoid misconceptions
  o Avoid the Air Gap Myth
  o "We have a firewall!"
  o "We're just a small site, we're not a target"

Industrial Control Network Cyber Security Recommendations
o Utilize Egress Filtering
o Change Default Accounts and Passwords
o Check your IP addresses with Shodan

Shodan
o An industrial control system and network search engine.
o http://www.shodanhq.com/

Shodan

Netsecuris
o A leading Managed Security Service Provider specializing in protecting Industrial Control, Financial Services, Healthcare, and Government network environments.
o Contact Information
  o Leonard Jacobs, MBA, CISSP
  o President/CEO
  o sales@netsecuris.com
  o 952-641-1421

Questions and Answers Thank you