Stronger than Firewalls, and Cheaper Too
Andrew Ginter, Director of Industrial Security, Waterfall Security Solutions
2012
Slide 2: Emerging Threat: Low-Tech, Targeted Attacks

- Night Dragon, Shady RAT, Anonymous
- Trick users into providing passwords and installing malware
- Custom malware, tested to evade anti-virus
- Remote control: steal credentials, propagate
- Steal administrator credentials, create your own passwords
- Patching: no need for vulnerabilities if you have passwords
- Create accounts; don't guess long passwords
- Firewalls allow connections with passwords
- Conventional ICS security guidance does not address targeted attacks
Slide 3: Unidirectional Security Gateways

- One-way optical hardware enforces security / network isolation: no attack from the business network can affect operations
- Software replicates industrial servers from the operations network to the business network
- Faithful replica: business users cannot tell they are using a copy
- Single point of management: all configuration changes are propagated from the master server on the control network
Slide 4: Firewalls Are Not Enough

- Errors and omissions leave you open to attack
- Every allowed connection is vulnerable: steal the password and you are in
- Even if you trust the users, should you trust their workstations? Their cell phones?
- Firewalls are software: even firewalls have vulnerabilities and zero-days
- Costly: procedures, training, management, log reviews, audits, assessments
- Firewalls are software; they rely on process and people to keep them secure

Photo: Red Tiger Security
Slide 5: Firewalls: How Many?

- Demilitarized zone (DMZ): an extra network, no connections straight through, different protocols in vs. out
- Single-firewall DMZ: one firewall to compromise
- Two-firewall DMZ: two firewalls, from two vendors
- High availability (HA) doubles the firewall count
Slide 6: Firewalls: CapEx

FIREWALL CAPEX
  Number of firewall layers (2-firewall DMZ = 2, 1-firewall DMZ = 1):        1
  Parallel firewalls (none = 1, high availability = 2 or more):              2
  Per-firewall purchase price:                                          $10,000
  Total number of firewalls:                                                  2

  CapEx: Firewalls:                                                     $20,000
Slide 7: Remote Access Server

- Remote access via Remote Desktop, VNC, Citrix, or equivalent
- Best practice: no direct connection from the business network into the control network
- Remote Access Server in the DMZ
- Daisy-chain to Remote Desktop / VNC in the control network, or access control equipment directly from the DMZ
Slide 8: Remote Access: CapEx

REMOTE ACCESS CAPEX
  Terminal server with 5-concurrent-user license:    $3,600

  CapEx: Remote Access:                              $3,600
Slide 9: Network Intrusion Detection System (NIDS)

- Defense in depth: what protects you when firewalls are compromised or mis-configured?
- NERC-CIP v5 (draft) requires NIDS; other defense-in-depth advice recommends NIDS or other protections
- NIDS sensor scans all network traffic for attack / suspicious patterns; scanning may be one-way hardware
- NIDS management station collects, correlates, and visualizes traffic and alerts
Slide 10: NIDS: CapEx

NIDS CAPEX
  Per-sensor cost:       $35,000
  Number of sensors:           1

  CapEx: NIDS:           $35,000
Slide 11: Firewall Management

- Support and signature costs: 70-80% of the firewall purchase price, per year
- Routine management costs: $1,500-$5,000 per firewall per month
  - Add/remove remote access users, change passwords, change rules and other configurations
  - Log monitoring, incident response, emergency replacements
  - Keep firmware and signatures up to date
- Periodic costs: periodic reviews, audits, vulnerability assessments, penetration tests, risk assessments
- Documentation costs to comply with regulations or corporate policies
Slide 12: Firewalls: OpEx

FIREWALL OPEX
  HW/SW/support/signature cost per firewall per year:                                $8,000
  Average firewall administrator, fully-loaded cost / year:                        $120,000
  Routine management: average number of firewalls per administrator:                      7
  Days per year updating each firewall's compliance / engineering documentation:         10
  Days per year reviewing firewall configurations for regulatory / standards compliance:  7
  Security audits / assessments / pen-tests per year:                                     1
  Security assessment cost, per assessment:                                         $50,000
  Fraction of assessment effort spent on firewalls / perimeter protections:             10%

  OpEx: Firewall support + signatures / year:                                       $16,000
  OpEx: Firewall routine management / year:                                         $34,286
  OpEx: Firewall standards / regulatory-related costs / year:                       $17,362
  OpEx: Assessment costs / year:                                                     $5,000
  OpEx: Firewalls:                                                                  $72,647
Slide 13: Remote Access: Training and Background Checks

- Malware and targeted attacks can jump through VPNs, and keystroke loggers can steal remote access passwords
- Remote laptops and desktops must be kept secure
- Users of remote access clients must understand how to keep their computers secure and how to use remote access securely
- Remote users must be authorized and pass background checks
Slide 14: Remote Access: OpEx

REMOTE ACCESS OPEX
  Number of remote access users:                                                   20
  Per-user days / year spent in training:                                         1.5
  Average end-user fully-loaded labor cost / year:                           $125,000
  Training program cost, per user per day:                                     $1,000
  Number of remote end users needing background checks for remote access
    who would not have needed them otherwise:                                      10
  Background check cost / user:                                                $1,000
  Number of years between background checks:                                        5

  OpEx: Remote access training, user labor / year:                            $15,957
  OpEx: Training program cost / year:                                         $30,000
  OpEx: Remote user background checks / year:                                  $2,000
  OpEx: Total remote access cost / year:                                      $47,957
Slide 15: NIDS Management

- Log monitoring: often automated by the NIDS management console
- Incident investigation, escalation and response
- Firmware and signature updates
- Ruleset / correlation engine customization to minimize false positives
- Industrial NIDS vendors tend to charge per sensor, roughly twice what a managed firewall costs
Slide 16: NIDS: OpEx

NIDS OPEX
  HW/SW/support/signature costs / sensor / year:          $7,000
  NIDS administrator cost / year:                       $120,000
  NIDS management: number of sensors per administrator:      3.5

  OpEx: Support / signatures / year:                      $7,000
  OpEx: NIDS labour cost / year:                         $34,286
  OpEx: NIDS:                                            $41,286
Slide 17: Preventable Incidents

- Unidirectional Gateway strong security blocks all online attacks originating on external networks
- Serious incidents: large damages, rare; per-site / per-year costs are modest
- Routine incidents: malware on the control system network triggers a process safety shutdown; control the infection, rebuild affected machines, forensic root-cause investigation costs
- Business-network insider incidents: data corruption and recovery costs
- Well-meaning errors and omissions: "shut machines down for daily backup", "just wanted to do an nmap to understand the network", "vulnerability scans never hurt my business machines!"
Slide 18: Preventable Incidents: OpEx

PREVENTABLE INCIDENT COSTS
  Major incident cost:                                                $1,000,000,000
  Major incident frequency / decade, all major sites in North America:              1
  Total number of large / major industrial sites in North America:             10,000
  Routine incident cost:                                                     $250,000
  Routine incidents / site / decade:                                                1
  Business network insider cost / incident:                                   $40,000
  Insider incidents / site / decade:                                                4

  OpEx: Major incident costs / year:                                          $10,000
  OpEx: Routine incident cost / year:                                         $25,000
  OpEx: Insider incident cost / year:                                         $16,000
  OpEx: Preventable incident costs / site / year:                             $51,000
Slide 19: Unidirectional Comparison

COMPARISON
                                         Firewall-based     Comparable unidirectional
  CapEx: Total                                $58,600                      $250,000
  OpEx: Total / year                         $212,891                       $50,000

  CapEx: Difference (unidirectional minus firewall-based):                 $191,400
  OpEx: Difference (firewall-based minus unidirectional), per year:        $162,891
  Months to payback:                                                             15
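The cost model on slides 6 through 19 is simple enough to recompute, which is the quickest way to check which inputs drive the payback figure. The following Python block is an added example, not code from the original deck or from Waterfall. It takes every input from the slides as a default argument so a reader can substitute their own site's numbers. One assumption is not stated on the slides and is inferred from the figures: annual labour cost is converted to a daily rate using 235 working days per year, which is the divisor that reproduces the $17,362 and $15,957 labour lines; the months-to-payback value is rounded up to the next whole month to match the slide's 15.

```python
"""Recompute the firewall-versus-unidirectional cost model from the slides.

Added example (not from the original deck). All numeric defaults are the
values printed on slides 6, 8, 10, 12, 14, 16, 18 and 19. The working-days
figure below is an assumption inferred from the slide totals, not a value
the slides state.
"""
import math

WORKING_DAYS_PER_YEAR = 235  # assumption: inferred from the labour figures


def firewall_capex(layers=1, parallel=2, unit_price=10_000):
    """Slide 6: firewall count = DMZ layers x parallel (HA) units."""
    count = layers * parallel
    return {"firewalls": count, "capex": count * unit_price}


def firewall_opex(firewalls=2, support_per_fw=8_000, admin_salary=120_000,
                  fw_per_admin=7, doc_days_per_fw=10, review_days_per_fw=7,
                  assessments_per_year=1, assessment_cost=50_000,
                  fw_fraction=0.10):
    """Slide 12: support, routine management, compliance labour, assessments."""
    day_rate = admin_salary / WORKING_DAYS_PER_YEAR
    support = firewalls * support_per_fw
    routine = firewalls / fw_per_admin * admin_salary
    compliance = firewalls * (doc_days_per_fw + review_days_per_fw) * day_rate
    assessment = assessments_per_year * assessment_cost * fw_fraction
    return {"support": support, "routine": routine, "compliance": compliance,
            "assessment": assessment,
            "total": support + routine + compliance + assessment}


def remote_access_opex(users=20, training_days=1.5, user_salary=125_000,
                       program_cost_per_day=1_000, checked_users=10,
                       check_cost=1_000, years_between_checks=5):
    """Slide 14: training labour, training programme, background checks."""
    day_rate = user_salary / WORKING_DAYS_PER_YEAR
    labour = users * training_days * day_rate
    program = users * training_days * program_cost_per_day
    checks = checked_users * check_cost / years_between_checks
    return {"labour": labour, "program": program, "checks": checks,
            "total": labour + program + checks}


def nids_opex(sensors=1, support_per_sensor=7_000, admin_salary=120_000,
              sensors_per_admin=3.5):
    """Slide 16: per-sensor support plus a share of one administrator."""
    support = sensors * support_per_sensor
    labour = sensors / sensors_per_admin * admin_salary
    return {"support": support, "labour": labour, "total": support + labour}


def incident_opex(major_cost=1_000_000_000, major_per_decade=1, sites=10_000,
                  routine_cost=250_000, routine_per_site_decade=1,
                  insider_cost=40_000, insider_per_site_decade=4):
    """Slide 18: annualised expected loss per site (decade frequency / 10)."""
    major = major_cost * major_per_decade / 10 / sites
    routine = routine_cost * routine_per_site_decade / 10
    insider = insider_cost * insider_per_site_decade / 10
    return {"major": major, "routine": routine, "insider": insider,
            "total": major + routine + insider}


def comparison(uni_capex=250_000, uni_opex=50_000, remote_capex=3_600,
               nids_capex=35_000):
    """Slide 19: totals, differences and months to payback (rounded up)."""
    fw_capex = firewall_capex()["capex"] + remote_capex + nids_capex
    fw_opex = (firewall_opex()["total"] + remote_access_opex()["total"]
               + nids_opex()["total"] + incident_opex()["total"])
    capex_diff = uni_capex - fw_capex   # extra up-front spend for the gateway
    opex_diff = fw_opex - uni_opex      # yearly saving once it is in place
    return {"fw_capex": fw_capex, "fw_opex": round(fw_opex),
            "capex_diff": capex_diff, "opex_diff": round(opex_diff),
            "months_to_payback": math.ceil(capex_diff / opex_diff * 12)}


if __name__ == "__main__":
    for name, value in comparison().items():
        print(f"{name:>18}: {value:,}")
```

Running the block reproduces the slide-19 totals ($58,600 and $212,891 for the firewall-based design, $191,400 and $162,891 for the differences, 15 months to payback). Notice that the preventable-incident line ($51,000 per year) and the remote-access training line ($47,957 per year) together make up almost half of the firewall-side OpEx, so the payback period is very sensitive to whether a site accepts those two estimates; slide 21 makes the same point about practitioners' scepticism of annualized risk figures.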
Slide 20: Waterfall Security Solutions

- Headquarters in Israel; sales and operations office in the USA
- Hundreds of sites deployed in all critical infrastructure sectors
- Frost & Sullivan: Entrepreneurial Company of the Year Award for ICS network security
- Pike Research: Waterfall is a key player in the cyber security market
- Strategic partnership agreements / cooperation with OSIsoft, GE, Siemens, and many other major industrial vendors
- Market leader for server replication in industrial environments
Slide 21: Strong Security Reduces Operating Costs

- The majority of sites are not managing firewalls according to best practice
- Most practitioners do not believe realistic calculations regarding their annualized dollar risk due to preventable cyber incidents
- Unidirectional customers report payback periods from operational cost savings of 12-18 months
- Stronger than firewalls, and cheaper, too