Cyber Security Where Do I Begin?



ISPE Automation Forum
Cyber Security: Where Do I Begin?
Don Dickinson, Project Engineer, Phoenix Contact

...50% more infected Web pages in the last three months of 2008 than all of 2007. Click on one and you won't notice anything. Your PC gets turned into an obedient bot deployed to attack other computers. All of your sensitive data get stolen. Source: USA Today 03.17.09

Computer Emergency Response Team (CERT): a widespread and coordinated attack on web sites for the Departments of Homeland Security and Defense, the Federal Aviation Administration and the Federal Trade Commission.

The Pentagon has spent more than $100M in the past six months responding to and repairing damage from cyber attacks and other network problems. We recognize that we are under assault from the least sophisticated (what I would say is the bored teenager) all the way up to the sophisticated nation-state. Source: USA Today 04.08.09

18-year-olds have a lot of free time, and crave attention! Just hours before Microsoft officially released IE8, a German computer student hacked the browser and won a contest! He broke into it within minutes by exploiting a previously unknown vulnerability in the new browser, said the manager of security response at 3Com Corp.'s TippingPoint, THE CONTEST SPONSOR!

Spies hacked into the US electric grid and left behind computer programs that would let them disrupt service, exposing potentially catastrophic vulnerabilities in key pieces of national infrastructure. The level of sophistication necessary to pull off such intrusions is so high that it was almost certainly done by state sponsors. Source: News & Observer 04.10.09

Hacking community spreads its knowledge (they even have camps)

Obama setting up better security for computers. By Lolita C. Baldor, Associated Press Writer, Fri May 29, 2:52 pm ET. Obama said the U.S. has reached a "transformational moment" when computer networks are probed and attacked millions of times a day. "It's now clear this cyber threat is one of the most serious economic and national security challenges we face as a nation," Obama said, adding, "We're not as prepared as we should be, as a government or as a country."

Cyber threats: unauthorized access to a control system, directed from within an organization by trusted users or from remote locations by unknown persons using the Internet.

Industrial Network Security: A real & growing imperative
- Deployment of Industrial Ethernet growing at 50% per year
- Increasing use of standard IT components in the industrial environment
- Systems become more open, for integration and for damage
- Vulnerabilities spread from office IT to the shop floor
- 1000+ vulnerabilities and exploits reported each year (Source: CERT Coordination Center)

Securing Control Networks: More than just security
March 2008: The Hatch nuclear plant in Georgia is forced into an emergency shutdown for two days as a result of a software update on a single business computer!

Why Networks Need Security
Threats:
- Network overload by technical defects, broadcast storms
- Accidental human errors: maloperation, introduction and dissemination of malware, phishing
- Malware (worms)
- Intended, targeted attacks from inside and outside: sabotage, espionage, white-collar crime, cyber terrorism
Potential Damages (Risks):
- Loss of production
- Damage caused to health and environment
- Loss of intellectual property (process knowledge and data)
- Loss of compliance (e.g. FDA in pharmaceuticals)
- Damage to corporate image

Network Security: Industrial vs. Office Installations
Protecting industrial networks is quite different:
- Older operating systems, for which security software is unavailable
- Heterogeneous hardware & software
- Tough environmental conditions
- System life cycles of 10-20 years
- "Never touch a running system"
- Lack of IT security expertise
- Potential economic damage in production is much more substantial

Use of Routers to secure control systems
Routers provide key security functions:
- Firewall
- Routing and NAT routing: allows for network separation and segmentation; NAT allows for duplicate IP address schemes on a network
- VPN: provides secure remote connectivity

Old security model: perimeter based
Initial security models had all defense efforts focused on the perimeter. This worked OK, but if the perimeter was breached the attacker had the run of the place. The Great Wall of China was an awesome defensive structure, but when it was breached by the Manchurians, the Ming dynasty fell. The better strategy is defense in depth.

Defense in Depth
- Security concept borrowed from the military.
- It is more difficult for an enemy to penetrate many smaller and varied layers of defense than one single large layer that may have a flaw.
- Limits the scope of an attack to only the layer(s) that have been breached; the rest of the network is protected.
- A breach of the outer layers can signal an alarm that an attack is ongoing, allowing protective measures to be taken before all is lost.

Defense in Depth
An industrial router can be used in conjunction with IT's security infrastructure to enhance the safety of the network:
- IT corporate firewall typically protects from outside (Internet) threats
- IT router protects corporate office network segments
- Industrial router protects the control and industrial network segments and individual devices

Firewall Application Scenarios
Remember: security isn't just IT's responsibility, and it isn't just the plant floor's responsibility. Everyone has a role to play.
- A single mguard can protect a subnet of over 100 devices! The switch behind it can be unmanaged or managed (SFN, Lean, etc.).
- Protecting a single device: if this is a PC, you could use an mguard PCI.

Why is a router used?
- Back in the old days of shared bandwidth (half duplex and hubs), more nodes caused so many collisions that communications were stifled. Routing reduces the broadcast domain and the collision domain.
- Widespread and WAN communications.
- Better security model: protect information by putting it on a separate subnet.
- Better administration: separate traffic into logical groups like Accounting, HR, etc., or into physical groups like 1st Floor, 2nd Floor, etc.
- Allows for redirection based on IP information or upper level protocols (e.g. TCP or UDP port information).

Routing: What is it?
- OSI Model: Routing vs. Switching is Layer 3 vs. Layer 2, logical IP address vs. hardcoded MAC address.
- Used to segment traffic into subnets.
- Calculates paths to get from Point A to Point B, whether B is in the same row or around the world.
- Devices use the Default Gateway address to point to a router.
- Gives access to higher level protocols such as TCP and UDP.
OSI layers and the devices that work at each (from the slide diagram):
- Application, Presentation, Session: managed by the applications communicating (e-mail, web, etc.)
- Transport: routers/firewalls/other gateways
- Network: routers
- Data Link: switches
- Physical: hubs

Routing / NAT Routing Application Scenarios
- Use routing to insulate and isolate the control network from the IT network, or even from other control networks.
- NAT routing allows equipment on the same network to use the same IP scheme. E.g. identical production cells: mguard allows them to have unique external addresses but the same internal addresses. Easier to program and maintain!
- mguard can be used to segment a LAN or to connect to the Internet.

Network Address Translation (NAT)
NAT is the translation of an IP address used within one network to a different IP address known within another network. One network is designated the inside network and the other is the outside. Typically, a company maps its local inside network addresses to one or more global outside IP addresses and unmaps the global IP addresses on incoming packets back into local IP addresses.
1:1 NAT maps each inside address to a unique outside address. For example: 192.168.11.x = 214.136.75.x. This allows for multiple instances of the same IP addresses on the same network, which is useful with multiple identical lines.
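The default-gateway routing decision and the 1:1 NAT for identical production cells described on this and the two preceding slides, as an added Python example (not Phoenix Contact's or mguard's code): the inside scheme 192.168.11.0/24 and the outside range 214.136.75.0/24 are the slide's; the two further cells and their outside ranges are constructed.

```python
import ipaddress

# Constructed example (not Phoenix Contact's or mguard's code): three identical
# production cells all use the inside scheme 192.168.11.0/24, as on the slide.
# Each cell's router gets its own outside /24 for 1:1 NAT; the outside ranges
# for cells 2 and 3 are made up.
INSIDE = ipaddress.ip_network("192.168.11.0/24")
CELLS = {
    "cell-1": ipaddress.ip_network("214.136.75.0/24"),  # the slide's example
    "cell-2": ipaddress.ip_network("214.136.76.0/24"),  # constructed
    "cell-3": ipaddress.ip_network("214.136.77.0/24"),  # constructed
}

def next_hop(dst, gateway):
    """Host-side routing decision: a destination inside the local subnet is
    delivered directly; anything else is handed to the default gateway."""
    if ipaddress.ip_address(dst) in INSIDE:
        return "direct"
    return str(gateway)

def to_outside(cell, inside_ip):
    """1:1 NAT, inside -> outside: keep the host part, swap the network part."""
    ip = ipaddress.ip_address(inside_ip)
    if ip not in INSIDE:
        raise ValueError(f"{inside_ip} is not in the inside network {INSIDE}")
    return str(CELLS[cell].network_address + (int(ip) - int(INSIDE.network_address)))

def to_inside(outside_ip):
    """1:1 NAT, outside -> inside: the outside range identifies the cell and
    the host part is carried over unchanged."""
    ip = ipaddress.ip_address(outside_ip)
    for cell, net in CELLS.items():
        if ip in net:
            return cell, str(INSIDE.network_address + (int(ip) - int(net.network_address)))
    raise ValueError(f"{outside_ip} does not belong to any cell's NAT range")

def reachable_from_office(inside_ip):
    """Same inside address in every cell, distinct outside address per cell:
    this is what lets the office network reach each cell's device separately."""
    return {cell: to_outside(cell, inside_ip) for cell in CELLS}

if __name__ == "__main__":
    print(next_hop("192.168.11.21", "192.168.11.1"))  # direct
    print(next_hop("10.0.0.5", "192.168.11.1"))       # 192.168.11.1
    print(reachable_from_office("192.168.11.20"))
    print(to_inside("214.136.76.20"))                 # ('cell-2', '192.168.11.20')
```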

Virtual Private Networking (VPN)
Establishes a tunnel across the Internet to allow for remote support, diagnostics, pulling data: basically anything that requires communication between local and remote sites. Distance or intermediary hops are of no concern; that is, the circuit is a virtual one, and the physical path to get from Point A to Point B can change without interruption or interference of the tunnel. Ideal for secure communications between multiple networks or multiple hosts.

Why do I need a VPN?
- Remote connectivity
- Diagnostics and alarming
- Data pull or push
- Support
- Security of data
Utilizing the ubiquity of the Internet instead of costly point-to-point lines (e.g. T1, T3), or the poor speed, additional wiring and recurring costs of multiple analog connections. All in all, a great way to improve support, ease administration, reduce downtime and cut travel costs.

Basic VPN concept
- Initial authentication takes place between gateway & client.
- A packet to be sent to a remote location is first encrypted at one VPN gateway.
- The receiving VPN gateway at the remote location is responsible for decrypting the packet and sending it to the host.
- Contents are safe from sniffing or corruption on the Internet.
[Diagram: Private network - Encryption - Internet (IPsec VPN, encrypted data) - Decryption - Private network]
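The encrypt-at-one-gateway, decrypt-at-the-other flow described above, as an added Python example that is not part of the original slides: a toy stand-in for IPsec built from the standard library (an HMAC-SHA256 keystream plus a separate HMAC tag), with the keys, the inner packet and the in-transit bit flip all constructed, to show why the receiving gateway verifies before it decrypts and how corruption on the Internet is caught rather than passed to the host.

```python
import hashlib
import hmac
import os

# Constructed illustration of the slide's gateway-to-gateway flow: a toy stand-in
# for IPsec ESP (HMAC-SHA256 as a PRF for the keystream, plus a separate HMAC tag),
# not an implementation of it. Keys are assumed agreed during initial authentication.
ENC_KEY = b"enc-key-shared-by-both-gateways!"  # constructed
MAC_KEY = b"mac-key-shared-by-both-gateways!"  # constructed
NONCE_LEN, TAG_LEN = 16, 32

def _keystream(key, nonce, length):
    """Counter-mode keystream: HMAC(key, nonce || counter) blocks, truncated."""
    blocks = [hmac.new(key, nonce + c.to_bytes(4, "big"), hashlib.sha256).digest()
              for c in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def gateway_encapsulate(inner_packet: bytes) -> bytes:
    """Sending gateway: encrypt the whole inner packet, then authenticate
    nonce + ciphertext so the far gateway can detect corruption in transit."""
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(ENC_KEY, nonce, len(inner_packet))
    ciphertext = bytes(a ^ b for a, b in zip(inner_packet, stream))
    tag = hmac.new(MAC_KEY, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag

def gateway_decapsulate(tunnel_packet: bytes):
    """Receiving gateway: check the tag first and decrypt only if it matches,
    then hand the inner packet to the host. Returns None if tampered."""
    nonce, body, tag = tunnel_packet[:NONCE_LEN], tunnel_packet[NONCE_LEN:-TAG_LEN], tunnel_packet[-TAG_LEN:]
    expected = hmac.new(MAC_KEY, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(body, _keystream(ENC_KEY, nonce, len(body))))

def corrupt_in_transit(tunnel_packet: bytes) -> bytes:
    """Simulate a single bit flipped somewhere on the Internet path."""
    damaged = bytearray(tunnel_packet)
    damaged[NONCE_LEN] ^= 0x01  # first ciphertext byte
    return bytes(damaged)

def demo():
    # Constructed inner packet: a diagnostics request bound for a cell device.
    inner = b"DIAG REQUEST: read status from 192.168.11.20"
    on_the_wire = gateway_encapsulate(inner)
    return {
        "plaintext_visible_on_internet": inner in on_the_wire,
        "delivered_to_host": gateway_decapsulate(on_the_wire),
        "delivered_after_corruption": gateway_decapsulate(corrupt_in_transit(on_the_wire)),
    }
```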

VPN Application Scenarios
Secure, remote connectivity allows for better, more cost-effective support and the ability to communicate with remote sites to gather data, alarm events, remote config, control processes, etc.
- mguards can connect when they are in firewall (Stealth) mode or in router mode
- A single mguard can support multiple concurrent connections
- mguard can connect to another mguard directly
- A connection can be established going through another device, or even from another device, e.g. Cisco

Software vs. Dedicated Hardware VPNs
- Software VPNs are commonly used to access the company network from remote sites. Is there a performance change on your computer when you are connected?
- mguard provides much higher throughput than a software VPN: 70 Mb/s vs. 30-35 Mb/s for most software.
- Heavy data flow over software clients is a heavy drain on the CPU. Depending on the encryption and compression algorithms used, it can consume 95% of CPU time.
- mguard can handle 250 concurrent tunnels; software, only 1.
- Is your industrial PC's job to function in the control network, or to have its resources siphoned off to handle VPN connectivity?

Request a White Paper: HACKING THE INDUSTRIAL NETWORK
Send e-mail to ddickinson@phoenixcon.com, Subject: Cyber Security White Paper

ISPE Automation Forum
Thank You
Questions?
Don Dickinson, Project Engineer, Phoenix Contact