Holistic View of Industrial Control Cyber Security
A Deep Dive into Fundamentals of Industrial Control Cyber Security
© Copyright 2014 Netsecuris Inc. All rights reserved

Learning Goals
o Understanding security implications involving industrial control systems and environments
o Understanding design considerations for industrial control networks
o Understanding differences between traditional IT networks vs. industrial networks
o Understanding solutions and techniques to harden security of industrial networks

What is Industrial Control?

Industrial Control Defined
o A system that controls a process
o Industrial Control System – traditionally a general term defining several types of control systems used in industrial production
  o Distributed Control System (DCS)
  o Supervisory Control and Data Acquisition System (SCADA)
  o Remote Terminal Units (RTU)
  o Programmable Logic Controllers (PLC)

Why learn about this topic?
o Industrial controls are everywhere!
  o Utilities
  o Factories
  o Automobiles
  o Military
  o Data Centers
  o Appliances
o Industrial controls are being networked like traditional IT networks.

Some industrial controls that might surprise you
o Environmental controls in your data center
o Missiles launched by the military
o Assembly line controller in a factory
o SCADA systems at utilities
o Gasoline pumps at a convenience store

Distributed Control System
Figure: Basic DCS Configuration

Distributed Control System
Figure: Example of a DCS HMI Display

Distributed Control System
Figure: Functional Levels of DCS Example

SCADA
Figure: Example of a SCADA Network

SCADA
Figure: Example of an Electric SCADA Network

SCADA
Figure: Example of a SCADA HMI Display

Evolution 1
o Transition from mechanical switches or relays to Programmable Logic or Relay Logic

Programmable Logic Controllers (PLC)
Figure: Example of a PLC Panel

Programmable Logic Controllers (PLC)
Figure: Example of PLC Programming

PLC vs. RTU
o RTUs are utilized to collect data over a wide geographic area as input to SCADA.
  o Such as with a network of electric substations
o PLCs are utilized in a localized fashion to control a process.
  o Such as with a local area network on a factory floor

Industrial Control Evolution 2
o Transition from standard serial communications (e.g. RS-232, RS-485, async 2-wire) to higher performance non-Ethernet fieldbus communications (e.g. BACnet MS/TP, Modbus RTU, CAN, PROFIBUS, InterBus, LonWorks, SERCOS).

T-shirt Question 1
o What has been considered the first “Industrial Control” virus?
o What did it do?

Industrial Control Evolution 3
o Transition from non-Ethernet fieldbuses to Ethernet-based communications (e.g. EtherCAT, Ethernet POWERLINK).

Industrial Ethernet vs. Non-Ethernet Fieldbuses – Advantages
o Better performance
o Greater bandwidth and larger data packages for communications with intelligent industrial devices
o Faster real-time communications and synchronization for demanding control applications
o Simple to integrate with networks that already exist in the business office environment

Industrial Ethernet vs. Non-Ethernet Fieldbuses – Disadvantages
o It is collision-based and not inherently deterministic, yet process controls demand real-time operation.
o Universal acceptance of Ethernet tempts users to try to do too many things, which can generate security issues.
o Standard telephone-type connectors do not meet the physical demands of industrial equipment.

Impact of “Industrial Internet”
o GE reported that “enabling Internet-connected machines to communicate and operate automatically can bring substantial efficiency gains.”
o According to GE, the Industrial Internet will help eliminate hundreds of billions of dollars of wasted time and resources across critical industries.
o “The Industrial Internet has the potential to add $10 to 15 trillion U.S. dollars to the global GDP by 2030.”

Rise of Industrial Internet
o IMS Research predicts that in 2016, “Ethernet will account for over 30 percent of all new nodes installed in industrial applications.”
o Ethernet TCP/IP was estimated to account for over one-third of new Ethernet nodes installed in 2011.
o Wireless networking is expected to grow 75% by 2017 compared to 2012.
o Fieldbus protocols still hold the high ground, but Industrial Ethernet adoption is on the rise.

Evolution 4
o Transition from Ethernet-based non-TCP/IP communications to Ethernet-based TCP/IP communications (e.g. BACnet/IP, Modbus TCP, EtherNet/IP, PROFINET IO).

Cyber Security Implications

Cyber Security Implications
o Cybersecurity failures have the potential to cause physical consequences.
o Cybersecurity issues can manifest as process anomalies.
o Cybersecurity is hard to manage.
o Cybersecurity threats or issues can be complex.

Cybersecurity Implication – Physical Consequences
o Electric power blackouts
  o September 2007 cyber attack in Brazil
  o 2003 Northeast blackout
  o 1999 Southern Brazil blackout
  o 1965 Northeast blackout
o 1979 Three Mile Island Nuclear Plant accident
o 2000 Maroochy Shire cyber event
o 2007 Aurora Generator Test
o 2009 Stuxnet
o 2010 San Bruno natural gas pipeline explosion

Aurora Generator Test
(figure slide)

Implications – Process Anomalies
o Actual cyber security issue vs. real process problem
o It can be difficult to distinguish a real cyber security issue from a process anomaly.
o Inadequate cyber security training for operators could lead to an attack not being recognized.

Implications – Security Management Difficulties
o Introduced latency and jitter
  o Latency: measurement of the time for packets to travel between nodes.
  o Jitter: variation in the time between packets arriving to be processed.
o Differences in managing IT vs. OT

Implications – Complexities
o Non-typical network protocols
o Commands that cannot be blocked due to safety or production issues.
o Attackers using valid communications in invalid ways.

IT Cyber Security vs. OT Cyber Security

IT Cyber Security vs. OT Cyber Security – Performance Requirements
Source: Derived from the NIST 800-82 Standard

IT Cyber Security vs. OT Cyber Security – Availability Requirements
Source: Derived from the NIST 800-82 Standard

IT Cyber Security vs. OT Cyber Security – Risk Management Requirements
Source: Derived from the NIST 800-82 Standard

IT Cyber Security vs. OT Cyber Security – Change Management Requirements
Source: Derived from the NIST 800-82 Standard

IT Cyber Security vs. OT Cyber Security – Unintended Consequences Requirements
Source: Derived from the NIST 800-82 Standard

Survey of Specialized Communications Protocols

Modbus
o Open protocol standard
o Moves raw bits or words without placing many restrictions on vendors.
o The TCP/IP packet may look perfectly normal, but the Modbus frame could be crafted to carry malicious code.

DNP3 (Distributed Network Protocol)
o Open standard
o Designed to be reliable but not secure.
o The header may look perfectly normal, but the data payload could be crafted to carry malicious code.
o No authentication mechanism in basic DNP3.
o Secure DNP3 addresses this with message authentication.

OPC (Open Platform Communications)
o Based on the OLE, COM, and DCOM technologies developed by Microsoft.
o Any vulnerabilities in these technologies are carried into this protocol.
o OPC is firewall-unfriendly because OPC servers dynamically assign TCP ports.
o DCOM and RPC are extremely complicated protocols that can become attack surfaces for malicious actors.
o OPC is complicated to set up, so some vendors leave exposures in their products.

Cyber Security Problems and Issues

Cyber Security Problems and Issues – TCP/IP Stack and Industrial Protocols
o Problems exist due to the original design and purpose of the Internet.
o Poor software design
o Fragility caused by deviation from the RFCs
  o Internet Protocol (IP version 4) (RFC 791)
  o User Datagram Protocol (UDP) (RFC 768)
  o Transmission Control Protocol (TCP) (RFC 793)
  o Address Resolution Protocol (ARP) (RFC 826)
  o Internet Control Message Protocol (ICMP) (RFC 792)
  o Internet Group Management Protocol (IGMP) (RFC 1112 & 2236)
  o IEEE 802.3 (Ethernet) as defined in RFC 894
o Protocol complexity
  o Modbus TCP adds additional fields to standard TCP (function codes)
  o Session manipulation

Cyber Security Problems and Issues – Lack of Strong Authentication
o Risk of compromise
  o Spoofing
  o Brute force attacks
  o Session hijacking

Cyber Security Problems and Issues – Lack of Strong Authorization Practices
o Malicious actors could gain access or perform a function that they are not entitled to perform.

Cyber Security Problems and Issues – Lack of Strong Encryption Practices
o Commands and addresses are passed in clear text, which can be captured and spoofed or manipulated.
o Some encryption mandates are making it into regulations in some industries that use industrial control.

Cyber Security Problems and Issues – Programmability
o ICS devices are meant to be programmable, which makes them inherently vulnerable.
o A whole lot of fuzzing going on.

Cyber Security Problems and Issues – Lack of Message Checksum
o Spoofing commands is easier since the checksum is generated at the Transport Layer and not the Application Layer.

Cyber Security Problems and Issues – Accessibility
o Some protocols are meant to be used over wide area networks, making them highly accessible and susceptible to many kinds of attacks.

Cyber Security Controls

Cyber Security Controls – Firewall
o A firewall can become a sieve.
o Not a “catch all”, “be all” security control, but still a necessity.
o Protocol recognition.
o Don’t forget a secure default rule: Deny All.

Cyber Security Controls – Intrusion Detection and Prevention
o Intrusion Prevention vs. Intrusion Detection
o Why is IPS a necessity?
o Behavior recognition

Cyber Security Controls – ICS Honeypots
o Sets a trap
o Decoy
o ICS capable
o SCADA HoneyNet Project
o http://scadahoneynet.sourceforge.net/

Cyber Security Controls – Anti-Malware
o If you cannot install host-based anti-malware software on a particular ICS system, implement network-based anti-malware.
o Implement and configure host-based firewalls, if possible.

Cyber Security Controls – Security Information and Event Management
o Log, Log, Log!
o Real-time or near real-time alerts

Cyber Security Recommendations

Industrial Control Network Cyber Security Recommendations
o Defend against the unknown
  o Advanced Persistent Threats (APTs)
  o Advanced Evasion Techniques (AETs)
  o Alternative threat detection or prevention
  o Situational awareness
  o Behavior analysis and detection
o Practice Defense in Depth
o Patch, Patch, Patch
o Whitelisting
o Collect and analyze logs
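The deck's points about Modbus TCP function codes as added protocol complexity, and about firewalls needing protocol recognition, a Deny All default and whitelisting, can be made concrete with a small inspector that parses the Modbus/TCP MBAP header and PDU and applies a per-source allowlist for write function codes. This is an added example, not code from the deck or from Netsecuris; the HMI address 10.0.1.10, the verdict strings and the sample frames are constructed for illustration.

```python
import struct
from dataclasses import dataclass

# Modbus function codes that change process state (coil/register writes).
WRITE_FUNCTION_CODES = {5, 6, 15, 16, 22, 23}
# Hypothetical allowlist: only the HMI may send write requests to the PLC.
AUTHORIZED_WRITERS = {"10.0.1.10"}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(payload: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header and the PDU; reject malformed frames."""
    if len(payload) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto_id, length, unit_id = struct.unpack(">HHHB", payload[:7])
    if proto_id != 0:  # Modbus/TCP always carries protocol id 0
        raise ValueError(f"unexpected protocol id {proto_id}")
    # MBAP length covers unit id + PDU and must match what is on the wire
    if length != len(payload) - 6:
        raise ValueError(f"MBAP length {length} != {len(payload) - 6} bytes present")
    return ModbusRequest(tid, unit_id, payload[7], payload[8:])


def inspect(src_ip: str, payload: bytes) -> str:
    """Return 'allow', or a drop/alert reason, for one client-to-server frame."""
    try:
        req = parse_modbus_tcp(payload)
    except ValueError as err:
        return f"drop: malformed ({err})"
    if req.function_code >= 0x80:  # exception responses never originate at a client
        return f"alert: exception code {req.function_code:#x} in request direction"
    if req.function_code in WRITE_FUNCTION_CODES and src_ip not in AUTHORIZED_WRITERS:
        return f"alert: write FC {req.function_code} from unauthorized {src_ip}"
    return "allow"


# Constructed sample frames (not captured traffic): MBAP header, then PDU.
READ = bytes.fromhex("0001 0000 0006 01 03 0000 000a")          # FC 3, read 10 registers
WRITE = bytes.fromhex("0002 0000 0006 01 06 0001 0100")         # FC 6, write one register
BAD_LEN = bytes.fromhex("0003 0000 0006 01 10 0001 0001 02 0000")  # length field lies
```

A read from any host passes, the same write from a host outside the allowlist raises an alert, and a frame whose MBAP length disagrees with the bytes on the wire is dropped before any function code is trusted.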
Industrial Control Network Cyber Security Recommendations
o Avoid misconceptions
  o Avoid the Air Gap Myth
  o “We have a firewall!”
  o “We’re just a small site, we’re not a target”

Industrial Control Network Cyber Security Recommendations
o Utilize egress filtering
o Change default accounts and passwords
o Check your IP addresses with Shodan

Shodan
o A search engine for Internet-connected devices, including industrial control systems and networks.
o http://www.shodanhq.com/

Shodan
(figure slide)

Netsecuris
o A leading Managed Security Service Provider specializing in protecting Industrial Control, Financial Services, Healthcare, and Government network environments.
o Contact Information
  o Leonard Jacobs, MBA, CISSP
  o President/CEO
  o sales@netsecuris.com
  o 952-641-1421

Questions and Answers
Thank you