Holistic View of Industrial Control Cyber Security

A Deep Dive into Fundamentals of Industrial Control Cyber Security
© Copyright 2014 Netsecuris Inc. All rights reserved
Learning Goals
o Understanding security implications involving
industrial control systems and environments
o Understanding design considerations for
industrial control networks
o Understanding differences between traditional
IT networks vs. industrial networks
o Understanding solutions and techniques to
harden security of industrial networks
What is Industrial Control?
Industrial Control Defined
o A system that controls a process
o Industrial Control System – traditionally a
general term defining several types of
control systems used in industrial production
o Distributed Control System (DCS)
o Supervisory Control and Data Acquisition System
(SCADA)
o Remote Terminal Units (RTU)
o Programmable Logic Controllers (PLC)
Why learn about this topic?
o Industrial controls are everywhere!
  o Utilities
  o Factories
  o Automobiles
  o Military
  o Data Centers
  o Appliances
o Industrial controls are being networked like
traditional IT networks.
Some industrial controls that
might surprise you
o Environmental controls in your data center
o Missiles launched by the military
o Assembly line controller in a factory
o SCADA systems at utilities
o Gasoline pumps at a convenience store
Distributed Control System
Basic DCS Configuration
Distributed Control System
Example of a DCS HMI Display
Distributed Control System
Functional Levels of DCS Example
SCADA
Example of a SCADA Network
SCADA
Example of an Electric SCADA Network
SCADA
Example of a SCADA HMI Display
Evolution 1
o Transition from mechanical switches or relays to
Programmable Logic or Relay Logic
Programmable Logic Controllers (PLC)
Example of a PLC Panel
Programmable Logic Controllers (PLC)
Example of PLC Programming
PLC vs. RTU
o RTUs are utilized to collect data over a wide geographic area as input to SCADA.
  o Such as with a network of electric substations
o PLCs are utilized in a localized fashion to control a process.
  o Such as with a local area network on a factory floor
Industrial Control Evolution 2
o Transition from Standard Serial Communications
(e.g. RS-232, RS-485, Async 2 wire) to higher
performance non-Ethernet Fieldbus
communications (e.g. BACnet MS/TP, ModBus
RTU, CAN, ProfiBus, InterBus, LonWorks,
SERCOS).
T-shirt Question 1
o What has been considered the first “Industrial Control” virus?
o What did it do?
Industrial Control Evolution 3
o Transition from Non-Ethernet Fieldbuses to
Ethernet-based Communications (e.g. EtherCAT,
Ethernet POWERLink).
Industrial Ethernet vs. Non-Ethernet
Fieldbuses Advantages
o Better performance
o Greater bandwidth and larger data packages for
communications with intelligent industrial
devices
o Faster real-time communications and
synchronization for demanding control
applications
o Simple to integrate with networks that already
exist in the business office environment
Industrial Ethernet vs. Non-Ethernet
Fieldbuses Disadvantages
o It is collision-based and not inherently
deterministic—and process controls demand
real-time operation.
o Universal acceptance of Ethernet tempts users
to try to do too many things that could generate
security issues.
o Standard telephone-type connectors do not
meet the physical demands of industrial
equipment.
Impact of “Industrial Internet”
o GE reported that “enabling Internet-connected
machines to communicate and operate
automatically can bring substantial efficiency
gains.”
o According to GE, the Industrial Internet will help
eliminate hundreds of billions of dollars of
wasted time and resources across critical
industries.
o “The Industrial Internet has the potential to add
$10 to 15 trillion U.S. dollars to the global GDP
by 2030.”
Rise of Industrial Internet
o IMS Research predicts that in 2016, “Ethernet
will account for over 30 percent of all new
nodes installed in industrial applications.”
o Ethernet TCP/IP was estimated to account for
over one-third of new Ethernet nodes installed
in 2011.
o Wireless networking to grow 75% by 2017
compared to 2012.
o Fieldbus protocols still have the high ground but
Industrial Ethernet adoption is on the rise.
Evolution 4
o Transition from Ethernet-based Non-TCP/IP
Communications to Ethernet-based TCP/IP
Communications (e.g. BACnet/IP, ModBus-TCP,
EtherNet-IP, PROFINET-IO).
Cyber Security Implications
Cyber Security Implications
o Cybersecurity failures have the potential to
cause physical consequences.
o Cybersecurity issues can manifest as process
anomalies.
o Cybersecurity is hard to manage.
o Cybersecurity threats or issues can be complex.
Cybersecurity Implication –
Physical Consequences
o Electric Power Blackouts
o September 2007 cyber attack in Brazil
o 2003 Northeast blackout
o 1999 Southern Brazil blackout
o 1965 Northeast blackout
o 1979 Three Mile Island Nuclear Plant Accident
o 2000 Maroochy Shire cyber event
o 2007 Aurora Generator Test
o 2009 Stuxnet
o 2010 San Bruno natural gas pipeline explosion
Aurora Generator Test
Implications – Process Anomalies
o Actual cyber security issue vs. real process
problem
o Can be difficult to distinguish a real cyber security
issue from a process anomaly.
o Inadequate cyber security training for operators
could lead to an attack not being recognized.
Implications –
Security Management Difficulties
o Introduced latency and jitter
o Measurement of time for packets to travel between
nodes.
  o Variation in the time between packets arriving to be
processed.
o Difference in managing IT vs. OT
Implications – Complexities
o Non-typical network protocols
o Commands that cannot be blocked due to
safety or production issues.
o Attackers using valid communications in invalid
ways.
IT Cyber Security vs. OT Cyber Security
IT Cyber Security vs. OT Cyber Security Performance Requirements
Source: Derived from the NIST 800-82 Standard
IT Cyber Security vs. OT Cyber Security Availability Requirements
Source: Derived from the NIST 800-82 Standard
IT Cyber Security vs. OT Cyber Security Risk Management Requirements
Source: Derived from the NIST 800-82 Standard
IT Cyber Security vs. OT Cyber Security Change Management Requirements
Source: Derived from the NIST 800-82 Standard
IT Cyber Security vs. OT Cyber Security Unintended Consequences Requirements
Source: Derived from the NIST 800-82 Standard
Survey of Specialized
Communications Protocols
Modbus
o Open protocol standard
o Moves raw bits or words without placing many
restrictions on vendors.
o The TCP/IP packet may look perfectly normal, but the
Modbus frame inside it could be crafted to carry malicious
code.
DNP3 (Distributed Network Protocol)
o Open Standard
o Designed to be reliable but not secure.
o The header may look perfectly normal, but the data
payload could be crafted to carry malicious code.
o No authentication mechanism in basic DNP3.
o Secure DNP3
OPC (Open Platform Communications)
o Based on the OLE, COM, and DCOM
technologies developed by Microsoft.
o Any vulnerabilities in these technologies are
carried into this protocol.
o OPC is firewall unfriendly because OPC servers
dynamically assign TCP ports.
o DCOM and RPC are extremely complicated
protocols that can be translated into attack
surfaces for malicious actors.
o OPC is complicated to set up, so some vendors
leave exposures in their products.
Cyber Security Problems and Issues
Cyber Security Problems and Issues TCP/IP Stack and Industrial Protocols
o Problems exist due to original design and purpose for
Internet.
o Poor software design
o Fragility caused by deviation from RFC
  o Internet Protocol (IP version 4) (RFC 791)
  o User Datagram Protocol (UDP) (RFC 768)
  o Transmission Control Protocol (TCP) (RFC 793)
  o Address Resolution Protocol (ARP) (RFC 826)
  o Internet Control Messaging Protocol (ICMP) (RFC 792)
  o Internet Group Management Protocol (IGMP) (RFC 1112 & 2236)
  o IEEE 802.3 (Ethernet) as defined in RFC 894
o Protocol Complexity
  o ModBus TCP adds additional fields to standard TCP (Function Codes)
  o Session Manipulation
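The Modbus slide above and the "Protocol Complexity" point both come down to the same thing: the TCP/IP layers carry a Modbus frame whose function code and register fields are invisible to a port-based firewall. The following is an added example, not code from the slides or from Netsecuris, showing what protocol recognition looks like in practice: it parses the Modbus/TCP MBAP header, rejects frames whose length field disagrees with the bytes on the wire, and applies a default-deny policy that only admits read-type function codes against one register window. The allow-list, the register window, and the sample frames are constructed for the example; the 125-register read limit is the one in the Modbus application protocol specification.

```python
import struct
from dataclasses import dataclass

# Modbus/TCP Application Data Unit (ADU): a 7-byte MBAP header followed by the PDU.
#   transaction id (2) | protocol id (2, always 0) | length (2) | unit id (1) | function code (1) | data
MBAP_FORMAT = ">HHHB"
MBAP_LEN = struct.calcsize(MBAP_FORMAT)  # 7 bytes

# Constructed policy for this example (not from the slides): only read-type function codes are
# allowed from the monitoring network, and reads are confined to one register window.
ALLOWED_READ_FUNCTIONS = {1, 2, 3, 4}    # read coils, discrete inputs, holding registers, input registers
ALLOWED_REGISTER_WINDOW = range(0, 100)  # register addresses the HMI is expected to read
MAX_READ_QUANTITY = 125                  # limit for FC 3/4 in the Modbus application protocol spec


@dataclass
class ModbusADU:
    transaction_id: int
    protocol_id: int
    length: int
    unit_id: int
    function_code: int
    data: bytes


class ModbusParseError(ValueError):
    """Raised when the bytes do not form a well-formed Modbus/TCP ADU."""


def parse_modbus_tcp(payload: bytes) -> ModbusADU:
    """Parse the MBAP header and function code, rejecting frames whose header lies about the size."""
    if len(payload) < MBAP_LEN + 1:
        raise ModbusParseError("shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(MBAP_FORMAT, payload[:MBAP_LEN])
    if pid != 0:
        raise ModbusParseError(f"protocol id {pid} is not Modbus")
    # The MBAP length field counts unit id + function code + data, i.e. everything after byte 6.
    if length != len(payload) - 6:
        raise ModbusParseError(f"length field {length} disagrees with payload ({len(payload) - 6})")
    return ModbusADU(tid, pid, length, unit, payload[MBAP_LEN], payload[MBAP_LEN + 1:])


def policy_decision(payload: bytes) -> str:
    """Decide on a client-to-server request. Returns 'allow' or 'deny: <reason>'.

    The default is deny: a frame must parse cleanly AND match an explicit allow rule.
    """
    try:
        adu = parse_modbus_tcp(payload)
    except ModbusParseError as exc:
        return f"deny: malformed ({exc})"
    fc = adu.function_code
    if fc not in ALLOWED_READ_FUNCTIONS:
        return f"deny: function code {fc} not on allow-list"
    if fc in (3, 4):
        # Read Holding/Input Registers: data = starting address (2) | quantity (2)
        if len(adu.data) != 4:
            return "deny: malformed register read request"
        start, qty = struct.unpack(">HH", adu.data)
        if not 1 <= qty <= MAX_READ_QUANTITY:
            return f"deny: quantity {qty} outside 1..{MAX_READ_QUANTITY}"
        if start not in ALLOWED_REGISTER_WINDOW or (start + qty - 1) not in ALLOWED_REGISTER_WINDOW:
            return f"deny: registers {start}..{start + qty - 1} outside allowed window"
    return "allow"


# Constructed sample frames (hex), not captures from any real device.
READ_HOLDING_OK   = bytes.fromhex("0001 0000 0006 01 03 0000 000a")  # FC 3, registers 0..9
WRITE_SINGLE_REG  = bytes.fromhex("0002 0000 0006 01 06 0010 00ff")  # FC 6, write register 16
READ_OUT_OF_RANGE = bytes.fromhex("0003 0000 0006 01 03 0050 0064")  # FC 3, registers 80..179
BAD_LENGTH_FIELD  = bytes.fromhex("0004 0000 0020 01 03 0000 000a")  # length says 32, frame carries 6

if __name__ == "__main__":
    for name, frame in [("READ_HOLDING_OK", READ_HOLDING_OK), ("WRITE_SINGLE_REG", WRITE_SINGLE_REG),
                        ("READ_OUT_OF_RANGE", READ_OUT_OF_RANGE), ("BAD_LENGTH_FIELD", BAD_LENGTH_FIELD)]:
        print(f"{name:18s} -> {policy_decision(frame)}")
```

The policy only looks at requests; responses carry the same function code with the high bit set for exceptions and need per-transaction state to judge, which is why a real protocol-aware firewall or IPS tracks transaction ids as well. The point is the ordering: parse first, deny anything that does not parse, then admit only what an explicit rule names.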
Cyber Security Problems and Issues Lack of Strong Authentication
o Risk of compromise
o Spoofing
o Brute Force Attacks
o Session Hijacking
Cyber Security Problems and Issues Lack of Strong Authorization Practices
o Malicious actors could gain access or perform a
function that they are not entitled to perform.
Cyber Security Problems and Issues Lack of Strong Encryption Practices
o Commands and addresses passed in clear text;
which can be captured and spoofed or
manipulated.
o Some encryption mandates are making it into
regulations in some industrial control using
industries.
Cyber Security Problems and Issues Programmability
o ICS devices are meant to be programmable;
which makes them inherently vulnerable.
o A whole lot of Fuzzing going on.
Cyber Security Problems and Issues Lack of Message Checksum
o Spoofing commands is easier because the only
checksum is generated at the Transport Layer and not
at the Application Layer.
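The two slides above (clear-text commands that can be captured and manipulated, and a checksum that lives only at the transport layer) describe one weakness from two sides. The following added example, not code from the slides or from Netsecuris, makes the difference concrete: it implements the RFC 1071 one's-complement checksum that TCP, UDP and IP use, then models a command whose value was altered on the path. Whatever altered it also rewrote the transport checksum, as every router and NAT does routinely, so the receiving stack is satisfied; only an application-layer HMAC computed by the original sender still refers to the original bytes. The shared key, its distribution, and the Modbus "Write Single Register" sample PDUs are assumptions constructed for the example.

```python
import hashlib
import hmac
import struct


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum used by IP, TCP and UDP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def transport_layer_ok(payload: bytes, checksum: int) -> bool:
    """What a receiving TCP/IP stack verifies: the checksum matches the bytes that arrived."""
    return internet_checksum(payload) == checksum


# Application-layer integrity: an HMAC over the command, keyed with a secret shared by the
# HMI and the controller. The key and its distribution are assumptions for this example.
SHARED_KEY = b"constructed-example-key-not-for-production"


def tag_command(command: bytes, key: bytes = SHARED_KEY) -> bytes:
    return hmac.new(key, command, hashlib.sha256).digest()


def application_layer_ok(command: bytes, tag: bytes, key: bytes = SHARED_KEY) -> bool:
    # Constant-time comparison so the check itself leaks nothing about the tag.
    return hmac.compare_digest(tag_command(command, key), tag)


def deliver(sent: bytes, tag: bytes, received: bytes) -> dict:
    """Model delivery of a command whose bytes may have been altered on the path.

    The sender computed `tag` over `sent`. Whatever altered the bytes also rewrote the transport
    checksum (any NAT or router does so as a matter of course), so the receiver sees a checksum
    that matches `received`. Only the application-layer tag still refers to the original bytes.
    """
    checksum_on_wire = internet_checksum(received)
    return {
        "transport_layer_ok": transport_layer_ok(received, checksum_on_wire),
        "application_layer_ok": application_layer_ok(received, tag),
    }


# Constructed Modbus "Write Single Register" PDUs (function code 6): unit 1, register 16.
COMMAND_SENT    = bytes.fromhex("01 06 0010 0064")  # set register 16 to 100
COMMAND_ALTERED = bytes.fromhex("01 06 0010 03e8")  # same frame with the value changed to 1000


def demo() -> dict:
    tag = tag_command(COMMAND_SENT)
    return {
        "unaltered": deliver(COMMAND_SENT, tag, COMMAND_SENT),
        "altered": deliver(COMMAND_SENT, tag, COMMAND_ALTERED),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

An HMAC gives integrity and origin authentication but not confidentiality: the register address and value are still readable on the wire, which is why the encryption mandates mentioned on the previous slide address a separate gap. Replay also needs its own counter or nonce in the authenticated data; this example deliberately shows only the checksum-versus-tag distinction.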
Cyber Security Problems and Issues Accessibility
o Some protocols are meant to be used for Wide
Area networks making them highly accessible
and susceptible to many kinds of attacks.
Cyber Security Controls
Cyber Security Controls Firewall
o A firewall can become a sieve.
o Not a “catch all”, “be all” security control but
still a necessity.
o Protocol recognition.
o Don’t forget a secure default rule; Deny All.
Cyber Security Controls Intrusion Detection and Prevention
o Intrusion Prevention vs. Intrusion Detection
o Why is IPS a necessity?
o Behavior recognition
Cyber Security Controls ICS Honeypots
o Sets a trap
o Decoy
o ICS Capable
o SCADA HoneyNet Project
  o http://scadahoneynet.sourceforge.net/
Cyber Security Controls Anti-Malware
o If you cannot install host-based anti-malware
software on any particular ICS system,
implement network-based anti-malware.
o Implement and configure host-based firewalls;
if possible.
Cyber Security Controls Security Information and Event Management
o Log, Log, Log!
o Real-Time or Near Real-Time Alerts
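The "Behavior recognition" point on the intrusion detection slide and the "Log, Log, Log" and near real-time alerting points on the SIEM slide fit together: industrial traffic is repetitive enough that a learned baseline of who talks to which controller, with which function code, against which registers, turns the logs into alerts. The following added example, not code from the slides or from Netsecuris, learns such a baseline from a trusted window of constructed gateway log lines and then flags live lines that depart from it, rating any write-type deviation high. The log format, IP addresses, and register numbers are constructed for the example; the Modbus function code numbers are the standard ones.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical gateway log format, constructed for this example:
#   <timestamp> src=<ip> dst=<ip> unit=<id> fc=<function code> addr=<start register> qty=<count>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) unit=(?P<unit>\d+) "
    r"fc=(?P<fc>\d+) addr=(?P<addr>\d+) qty=(?P<qty>\d+)$"
)

WRITE_FUNCTIONS = {5, 6, 15, 16}  # write single coil/register, write multiple coils/registers

# Constructed sample lines. The first block is a trusted learning window; the second is live traffic.
BASELINE_LINES = [
    "2014-05-01T08:00:01 src=10.1.1.10 dst=10.1.2.5 unit=1 fc=3 addr=0 qty=10",
    "2014-05-01T08:00:02 src=10.1.1.10 dst=10.1.2.5 unit=1 fc=6 addr=40 qty=1",
    "2014-05-01T08:00:03 src=10.1.1.10 dst=10.1.2.5 unit=1 fc=3 addr=0 qty=10",
]
LIVE_LINES = [
    "2014-05-01T09:00:01 src=10.1.1.10 dst=10.1.2.5 unit=1 fc=3 addr=0 qty=10",    # routine read
    "2014-05-01T09:00:02 src=10.1.1.10 dst=10.1.2.5 unit=1 fc=6 addr=40 qty=1",    # routine setpoint write
    "2014-05-01T09:00:03 src=10.1.3.77 dst=10.1.2.5 unit=1 fc=3 addr=0 qty=10",    # never-seen source reads the PLC
    "2014-05-01T09:00:04 src=10.1.1.10 dst=10.1.2.5 unit=1 fc=16 addr=100 qty=4",  # trusted HMI, new write function
    "2014-05-01T09:00:05 src=10.1.1.10 dst=10.1.2.5 unit=1 fc=6 addr=41 qty=1",    # valid write, unusual register
    "2014-05-01T09:00:06 gateway restarted",                                        # not a request; skipped
]


@dataclass
class Alert:
    ts: str
    severity: str
    reason: str


def parse_line(line: str):
    """Return a dict of fields for a request line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    for k in ("unit", "fc", "addr", "qty"):
        e[k] = int(e[k])
    return e


def conversation_key(e):
    return (e["src"], e["dst"], e["unit"], e["fc"])


def learn_baseline(lines):
    """Map each observed (src, dst, unit, fc) conversation to the register addresses it touched."""
    baseline = defaultdict(set)
    for line in lines:
        e = parse_line(line)
        if e:
            baseline[conversation_key(e)].add(e["addr"])
    return baseline


def detect(lines, baseline):
    """Flag traffic that departs from the learned behaviour. Writes are always rated high."""
    alerts = []
    for line in lines:
        e = parse_line(line)
        if not e:
            continue
        key = conversation_key(e)
        is_write = e["fc"] in WRITE_FUNCTIONS
        if key not in baseline:
            alerts.append(Alert(e["ts"], "high" if is_write else "medium",
                                f"new conversation {key}"))
        elif is_write and e["addr"] not in baseline[key]:
            alerts.append(Alert(e["ts"], "high",
                                f"{e['src']} wrote register {e['addr']} on unit {e['unit']}, "
                                "never written in baseline"))
    return alerts


def run_demo():
    return detect(LIVE_LINES, learn_baseline(BASELINE_LINES))


if __name__ == "__main__":
    for a in run_demo():
        print(f"{a.ts} [{a.severity}] {a.reason}")
```

The last live line is the one worth noticing: the source, destination, unit and function code are all legitimate and would pass a signature-based rule, yet the register has never been written before, which is exactly the "valid communications used in invalid ways" case. A baseline learned from a window that already contained an intrusion would whitelist it, so the learning window has to be one you trust.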
Cyber Security Recommendations
Industrial Control Network
Cyber Security Recommendations
o Defend against the unknown
  o Advanced Persistent Threats (APTs)
  o Advanced Evasion Techniques (AETs)
  o Alternative threat detection or prevention
  o Situational Awareness
  o Behavior Analysis and Detection
o Practice Defense in Depth
o Patch, Patch, Patch
o Whitelisting
o Collect and analyze logs
Industrial Control Network
Cyber Security Recommendations
o Avoid misconceptions
o Avoid the Air Gap Myth
o “We have a firewall!”
o “We’re just a small site, we’re not a target”
Industrial Control Network
Cyber Security Recommendations
o Utilize Egress Filtering
o Change Default Accounts and Passwords
o Check your IP addresses with Shodan
Shodan
o An industrial control system and network search
engine.
o http://www.shodanhq.com/
Shodan
Netsecuris
o A leading Managed Security Service Provider
specializing in protecting Industrial Control,
Financial Services, Healthcare, and Government
network environments.
o Contact Information
  o Leonard Jacobs, MBA, CISSP
  o President/CEO
  o sales@netsecuris.com
  o 952-641-1421
Questions and Answers
Thank you