CYBER SECURITY
Is your Industrial Control System prepared?
Presenter: Warwick Black, Security Architect, Operation & Optimization Software Activity, Schneider-Electric
Challenges
What challenges are there for Cyber Security in Industrial Control Systems (ICS)?
ICS Challenges
- Control Systems control real-world processes
  - Manufacturing / Material Processing
  - Critical Infrastructure: Power, Water, Transport, Communications
- Speed, Reliability, Connectivity, Availability
  - Focus on performance, not Security
- Plants run 24/7 with as little downtime as possible
Control System Lifecycle: 1950 to 2010
http://endangereddurham.blogspot.com.au/2011/02/north-side-treatment-plant.html
Legacy Systems & thinking
- Security by Obscurity
  - Proprietary protocols & bespoke operating systems
  - One-off applications
  - Specific knowledge required
- Isolated Networks
  - Perimeter Firewall only defence
  - IT stops at the Firewall, then it is the Control Engineer's domain
Consequences
IT Systems:
- Defacing of website
- Damage to computer systems
- Loss of consumer personal information
- Loss of intellectual property
- Financial loss
Control Systems:
- Loss in productivity
- Downtime
- Damaged hardware
- Loss/theft of information or intellectual property
- Environmental Incident
- Licence to operate
- Personal Injury or Death
- Crippled Critical Infrastructure
So what's changed?
Why is Cyber Security for ICSs only an issue now?
STUXNET
- Advanced worm, discovered July 2010
- Targeted Siemens PCS7, S7 PLC and WinCC systems
- Infected at least 22 manufacturing sites worldwide, including its supposed target, Iran's nuclear program
- Unprecedented level of sophistication
- Gained media, industry, government and hacking community attention
- STUXNET code is available for modification
Not so obscure anymore
- Cyber Security is the current Hot Topic
- But previously it's all been about:
  - Standardisation
  - Openness
  - Connectivity: Ethernet Everywhere, Smart Devices / Instruments
- Control Networks are not isolated
- Often the only Security is a perimeter firewall
Standardisation
New ICS Sales in 2012 by operating system (2012 sales data from 23 ICS vendors):
- Win 7: 35%
- XP: 20.7%
- CE: 19.7%
- Server 2008: 13.8%
- Server 2003: 9.0%
- Vista: 1.2%
- Other: 0.6%
99.4% for Windows; ~50% of new orders for obsolete OSes in Extended Support
Vulnerabilities, Exploits and Zero Days
- Software Vulnerability: flaw or weakness in code that could theoretically be exploited by a malicious program or user
- Exploit: working code that makes use of a vulnerability
  - Client-Side Exploit
  - Remote Exploit
- Zero-Day Exploit: an exploit for which there is no patch; the vendor has had zero days to respond
Client-Side Exploits
- Exploit code that is triggered on the Client PC
- Connect Back to the Attacker
  - Not blocked by most firewalls
  - Attacker does not need to consider perimeter defences at all
- Triggering a Client-Side exploit
  - Social Engineering: Malicious File, Malicious Websites, Infected USB key
  - Drive-by Downloads: Legitimate Websites, compromised to contain malicious code
Drive-By Exploit
- When a legitimate Website is compromised and malicious code uploaded to attack visitors
- #1 Threat Trend for Critical Infrastructure (28/09/12), ENISA - European Network and Information Security Agency
- Feb 2013 - iOS App developer forum (www.iphonedevsdk.com) was used to deploy Zero-Day Java exploit code
  - Microsoft, Apple, Facebook and Twitter have all reported they had corporate PCs compromised
  - http://blogs.technet.com/b/msrc/archive/2013/02/22/recent-cyberattacks.aspx
  - http://arstechnica.com/security/2013/02/microsoft-joins-apple-facebook-and-twitter-comes-out-as-hack-victim/
Cyber Threat Landscape
Exploits detected & blocked by Microsoft anti-malware from 1Q11 to 2Q12
Java Vulnerabilities
- Multi-Platform: 3 Billion Devices run Java (Windows, Linux, Mac)
- Patches for 55 Security Vulnerabilities already in 2013
- Vulnerability announcements almost a weekly occurrence
- From an audit on 25th March:
  - 75% of users use a version more than 6 months old
  - 93.77% of Java users were still vulnerable to CVE-2013-1493, 2 months after it had been reported and 20 days after a patch was released
  - Versions below 1.7.15 and 1.6.41 still vulnerable
- http://community.websense.com/blogs/securitylabs/archive/2013/03/22/how-are-java-attacks-getting-through.aspx
Hacking tools & knowledge
- Easily accessible information: YouTube, forums etc.
- Highly developed tools available
  - Penetration Platforms / Frameworks
  - Standardised all common functionality
  - Regular updates for all newly published exploit code
  - SCADA+
ShodanHQ.com
Hardware Search Engine
If your site / device is internet connected, it is indexed.
Defence in Depth
Mitigating the risks
Cyber Security Strategy
- There is no Magic Bullet
- Proper Cyber Security is a Defence in Depth strategy, consisting of:
  - Secure Products
  - Secure Architectures
  - Security Policies & Employees
Secure Products
Secure Products
- Secure by Design
  - Security Features: Access Control, Security Configuration
  - Securely Coded / Developed Products
- WurldTech's Achilles Certification
- ISA Secure Certification
- New Cyber Security Certification Centre
  - Achilles Certified Lab in North Andover (Boston)
  - Constantly assessing our existing products
  - Involved from development for new products
Secure Products: Secure Implementation
- Device Hardening applies to all cyber assets
  - PCs
  - PLCs / PACs, HMI Panels
  - Switches, Routers
  - Smart Instruments, Legacy Field Devices
- Enable and configure the provided security features
  - Non-default, Strong passwords
  - Configure access control
Secure Products: Secure Implementation
- Disable unused functionality
  - Unused embedded Web portals
  - Unnecessary plugins: Flash, Java etc.
  - Disable USB Ports
  - Disable unused ports on switches
- Keep firmware up to date
  - Place higher priority on Security Updates
  - Use downtime periods to apply and test other major upgrades
Industrial Firewalls
Secure Products: Industrial Firewalls
- Connexium Industrial Firewall (TCSEFEC)
- Tofino Industrial Firewall (TCSEFEA)
Connexium Industrial Firewall (TCSEFEC)
- 3 Modes of operation
  - Router (Layer 3)
  - Switch / Transparent (Layer 2)
  - PPPoE (Point-to-Point Protocol over Ethernet)
- Packet Filtering - Firewall Rules: Incoming, Outgoing, TCP, MAC, PPPoE
- Denial Of Service protection: stops excessive network traffic flooding with TCP connections, ping packets or ARP packets, without hindering the data traffic
- VPN
Connexium Industrial Firewall - TCSEFEC
- Built for Industry
  - Copper & Fibre variants
  - 25 mm DIN Rail, 0-60 °C operating temp
  - MTBF = 50+ Years
  - Configurable alarm relay connection
- Redundancy
  - Dual Power Supply (12-48 VDC or 24 VAC)
  - VRRP - Virtual Router Redundancy Protocol (Layer 3)
ConneXium Tofino Firewall (TCSEFEA)
- Industrial Firewall, plus additional features
- MODBUS Enforcer: Deep packet inspection for Modbus
  - Can block traffic based on: Function codes; Register or coil addresses; Station ID No.; Non-standard Modbus traffic
  - 1000 packets per second with full content inspection
  - Ideal for protection of legacy Modbus devices
- Event Logger
ConneXium Tofino Firewall (TCSEFEA)
Preconfigured firewall templates for Schneider Hardware
Secure Architectures
Secure Architecture
- Multiple levels of defence
  - Network Separation
  - Perimeter Protection
  - Control Network Segmentation
Secure Architecture: Network Separation
- Isolation is over
- Connect Enterprise and Automation Networks in a secure, controlled fashion via a DMZ
- Provide Terminal Sessions in DMZ for remote access
- Monitor/Patch all DMZ assets!
Secure Architectures: Perimeter Firewall
- Start at Block All
- Whitelist communication from DMZ assets
- Restrict outbound communications
- Provide alternate access
Secure Architectures: Segmentation
- Zones & Conduits, ISA 99
- VLAN and Subnets alone offer performance, not security
- Connexium Firewalls add:
  - IP/Port or MAC Filter Rules
  - Access Control for legacy devices
  - DOS Protection
  - Deep Packet Inspection
Security Policies & Employees
Security Policies
- Established, maintained and enforced by a cross-discipline team
- Full asset audit / diagram / documentation
- Establish the baseline minimal configuration
- Risk Assessment
- Ownership / responsibilities
- Consider:
  - Access Control (Physical) / Privileges / Password Policies
  - Patch / Upgrade Management
  - Change Management
  - Backup / Recovery plans / procedures
  - Incident Response / Forensics
Incident Handling
How would you handle an Incident at your facility?
- Wipe and restore affected assets?
- Take plant offline and await forensic analysis?
- Contact Law enforcement?
- Contact Industrial authorities / regulators?
- Inform customers about potential data loss/leak?
Establish the risks and responses for your site now
Employees
- Assign ownership & responsibilities
- Maintain & enforce Security Policies
- Monitor Network & Security logs
- Provide Training
  - Awareness of Social Engineering & other security risks
  - Security Policies
  - Incident Detection and Handling
Patch Management
- Have a plan for patching
  - Auto-update isn't safe or practical for ICS
  - Assess the impact of the patch, test, deploy
  - Prioritise patches based on risk
- Deploy Compensating measures until patches can be deployed
  - Disable a vulnerable interface until patched
  - Modify firewalls
  - Deploy IDS rules to detect / block known attacks
Complementary Technology
- Host-Based Anti-Virus / Application Control
  - Traditionally using virus Signatures
  - Whitelisting would work better for ICS: Block all, allow approved programs only
- VPN
  - Two-Factor authentication
- IDS / IPS Systems
  - HIDS / HIPS: Host-based
  - NIDS / NIPS: Network-based
- SIEM: Centralize Logs
Summary
Defence in Depth (layer diagram): Threats on the outside and the Highest Value Assets at the centre, with the layers Perimeter Firewalls, DMZ, Network Monitoring, Segmentation Firewalls, Secure Products (Bricks) and Employees / Policies between them.
More resources
- Schneider's Page: www.schneider-electric.com/sites/corporate/en/support/cybersecurity/cybersecurity.page
- New Schneider TVDA released March 2013: How Can I Reduce Vulnerability to Cyber Attacks in the Control Room?
- www.tofinosecurity.com
Questions?