China Life Insurance Discussion: PITS (Production IT Security)
June 2019 / Colin Choo

Mission Statement
MIT Production IT Security safeguards Bayer's manufacturing operations by
• reducing the cyber risks posed to IT operations in production
• striving for effective and easy-to-maintain security solutions

Our PITS Portfolio
Comprehensive solutions, globally available:
• Vulnerability Assessment
• Fortification and Risk Mitigation Measures
• Consulting Services

Where does PITS fit? Securing an Automated World
Traditional Information Technology (IT) is covered by IT security; Production IT Security covers Operational Technology.
Operational Technology (OT): the hardware and software dedicated to detecting or causing changes in physical processes through direct monitoring and/or control of physical devices such as valves, pumps, etc.

Our Motivation

How did we get here?
• Security was not a major concern when legacy Industrial Control Systems (ICS) were developed: they were closed systems.
• ICS system lifecycle: typically 15-20 years.
• ICS products are incorporating commercial off-the-shelf (OTS) technology from the business IT sector: Ethernet, Windows OS, SQL, web servers, etc.
• Multi-vendor solutions at most ICS sites.
• Increasing need to share data between corporate and production networks: IIoT; convergence of OT and IT; data integrity.
• Lack of experienced security personnel working on ICS.
• History of separate IT and ICS teams (the latter typically Engineering).

Operational IT systems become targets
Why? They're easy targets: security wasn't designed in.
How?
• Machines running older operating systems
• Embedded accounts with default passwords
• Systems not updated with security patches
Who?
• Hacktivists: on a mission
• Commercial espionage: competitive advantage
• Nation state: political motivation
• Malicious insider
• White / Black / Gray (etc.) Hats: good / bad / profiteer
• Organized crime
• Script kiddies: "just for fun"

Some typical attack vectors
The diagram shows an office network connected to the Internet, a plant network, an external network and a control network, with the following weak points:
• Misconfigured firewall
• Infected computer
• Insecure wireless network
• Insecure router
• Infected USB device
• Infected control logic
• Insecure serial link
• Insecure remote support

ICS for production is becoming more vulnerable
The causes:
• The number of discovered vulnerabilities in ICS is rising (chart; source: USA ICS-CERT, "ICS-CERT Advisories", https://ics-cert.us-cert.gov/advisories)
• The increased vulnerability of software and processes, and the abuse of privileged accounts and passwords
• Advanced, targeted, stealthy and persistent cyber attacks today
• Activities for safe, secure, reliable production require sustained attention!

Merck
"In the morning, rolling out its Q3 numbers, Merck was forced to concede that the NotPetya cyber attack had cost the company $135 million in lost sales along with $175 million in related costs while forcing them to borrow $240 million worth of Gardasil from federal stockpiles. That extra $310 million in costs will be repeated in Q4, Merck noted in their quarterly call, as overall damages roll up to the $1 billion mark."

Equifax
Moody's downgrades Equifax outlook to negative: "Cybersecurity issues have been cited as the reason for a downgrade"
The Equifax Data Breach: Equifax says a 2017 data breach exposed the sensitive personal information of 143 million Americans.
Vulnerability Assessment

Our Process: Manufacturing Site Vulnerability Assessments (illustrative)
PITS offers three different types of vulnerability assessments covering the various needs of a site:
• Assisted Self Assessment
• Light Assessment
• Full Security Assessment
The effort required increases from the first to the last, and the output ranges from an indication of the security situation to detailed findings and mitigation measures. The security assessments take into consideration the specifics of the different plants within a site.

Systems in Scope
Levels covered:
• Level 4: Enterprise
• Level 3: Production control
• Level 2: Process control
• Level 1: Control / Field level
Systems in scope:
◼ Manufacturing Execution Systems (MES)
◼ Manufacturing Intelligence (MI)
◼ Track & Trace (T&T)
◼ Computer Aided (Process) Engineering (CAE/CAPE)
◼ Production IT Security (PITS)
▪ Heating, Ventilation & Air Conditioning (HVAC)
▪ Process Control Systems (PCS)
▪ Laboratory (LAB)
▪ Building Control Systems (BCS)
▪ Security Systems (access control, CCTV)
▪ Historian

Vulnerability Assessment Process
1 Kick-Off
• Meeting with customer
• Align goals and scope
2 Information Analysis
• Information gathering through interviews and questionnaire
• Potential vulnerability detection by location inspection
3 Vulnerabilities Identification
• Check-list walk-through
• Penetration test if necessary
• Evaluation & attestation
4 Reporting & Recommendations
• Create report for customer incl. found vulnerabilities and recommendations to mitigate them
5 Fortification & Mitigation Services
• Follow-up: eliminate or reduce the probability of found vulnerabilities

Module Details: 3.4. Cyber Space Analysis
Questionnaire
Documentation review
3.4.1. System Review
3.4.2. Active Scans
3.4.3. Firewall Review
3.4.4. Network Traffic Analysis
3.4.5. Infrastructure Components
3.4.6. Building Control Systems
3.4.7. Application Security Assessment
3.4.8. Attack Demonstration
3.4.9. Wireless Network Security
3.4.10. Virtualization Infrastructure
3.4.11. Password Security
3.4.12. MES/LIMS
3.4.14. File Share Analysis
3.4.20. Laboratory
3.4.21. Databases

Questionnaire Categories
• Organization and Governance
• User Management
• Documentation
• System Hardening
• Third Party Management
• Lifecycle Management
• Business Continuity
• Physical Security
• Network and Firewall
• Access Protection and Remote Access
• Patch Management
• Monitoring and Incident Management

Findings Definitions
Critical risk – immediate mitigation is required. Situation examples:
• Domain administrator password on a post-it
• Entire Production-IT network accessible from the corporate network
• Sensitive data freely available to anyone
• LTE/3G surf stick or third-party connections without firewalls in the production network
High risk – situation examples:
• Missing patch management
• Significant security flaws in systems with sensitive data
• Identified system opens access to additional systems (gateway)
• Administrative access is not secure enough

Finding Example
• Finding description
• Key tags
• Risk evaluation: Impact * Likelihood = Risk
• Mitigation recommendations
• Measures can be created and linked to the finding
• Customer/site owns the findings

Pandora: Recording and Reporting
• Secure
• Maturity score
• Findings
• Questionnaire
• Remediation measures
• Plan
• Audit trail
• Multiple views
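The Firewall Review module (3.4.3), the critical finding "Entire Production-IT network accessible from corporate network" and the Impact * Likelihood = Risk evaluation above can be tied together in a small automated check. The following Python script is an added example, not code from the PITS deck or from Bayer: it reviews a constructed set of firewall rules, flags allow-rules that expose the production zone from the corporate zone or the Internet, and rates each finding with the deck's formula. The zone address ranges, the rule format, the 1-5 impact and likelihood scales, the rating thresholds and the sample rules are all assumptions made for this illustration.

```python
"""Firewall-rule review for production network segmentation (added example).

Flags allow-rules that reach the production zone from less trusted zones and
rates each finding as Impact * Likelihood = Risk. All zone ranges, scales,
thresholds and sample rules are constructed for this illustration.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Assumed zone map: which address range belongs to which network zone.
ZONES = {
    "corporate": ipaddress.ip_network("10.0.0.0/16"),
    "production": ipaddress.ip_network("10.50.0.0/16"),
    "internet": ipaddress.ip_network("0.0.0.0/0"),
}

# Ports whose exposure counts as administrative access (assumed list).
ADMIN_PORTS = {"22", "23", "445", "3389", "5900"}


@dataclass
class Rule:
    name: str
    src: str     # source CIDR
    dst: str     # destination CIDR
    ports: str   # "any" or comma-separated TCP/UDP ports, e.g. "443,3389"
    action: str  # "allow" or "deny"


@dataclass
class Finding:
    rule: str
    description: str
    impact: int      # 1 (negligible) .. 5 (severe); assumed scale
    likelihood: int  # 1 (rare) .. 5 (almost certain); assumed scale

    @property
    def risk(self) -> int:
        return self.impact * self.likelihood

    @property
    def rating(self) -> str:
        # Thresholds are assumptions; the deck defines critical/high by example.
        if self.risk >= 20:
            return "critical"
        if self.risk >= 12:
            return "high"
        if self.risk >= 6:
            return "medium"
        return "low"


def zone_of(cidr: str) -> str:
    """Longest-prefix match of a CIDR against the zone map."""
    net = ipaddress.ip_network(cidr, strict=False)
    best, best_len = "unknown", -1
    for name, zone in ZONES.items():
        if zone.supernet_of(net) and zone.prefixlen > best_len:
            best, best_len = name, zone.prefixlen
    return best


def review(rules: list[Rule]) -> list[Finding]:
    """Return findings for allow-rules that expose the production zone."""
    findings: list[Finding] = []
    production = ZONES["production"]
    for r in rules:
        if r.action != "allow" or zone_of(r.dst) != "production":
            continue
        src_zone = zone_of(r.src)
        dst_net = ipaddress.ip_network(r.dst, strict=False)
        ports = set() if r.ports == "any" else {p.strip() for p in r.ports.split(",")}
        if src_zone == "internet":
            findings.append(Finding(r.name, "Production network reachable directly from the Internet", 5, 4))
        elif src_zone == "corporate":
            if dst_net.supernet_of(production) and not ports:
                # The deck's own critical example: whole production network open.
                findings.append(Finding(r.name, "Entire Production-IT network accessible from corporate network", 5, 5))
            elif not ports or ports & ADMIN_PORTS:
                findings.append(Finding(r.name, f"Administrative access to {r.dst} from corporate network ({r.ports})", 4, 3))
            else:
                findings.append(Finding(r.name, f"Corporate access to {r.dst} on {r.ports}; confirm business need", 3, 2))
    return sorted(findings, key=lambda f: f.risk, reverse=True)


# Constructed sample rule set for demonstration.
SAMPLE_RULES = [
    Rule("legacy-any", "10.0.0.0/16", "10.50.0.0/16", "any", "allow"),
    Rule("vendor-rdp", "10.0.5.0/24", "10.50.1.10/32", "3389", "allow"),
    Rule("historian-web", "10.0.0.0/16", "10.50.2.20/32", "443", "allow"),
    Rule("default-deny", "0.0.0.0/0", "10.50.0.0/16", "any", "deny"),
    Rule("surfstick", "0.0.0.0/0", "10.50.3.0/24", "any", "allow"),
]


def review_sample() -> list[tuple[str, str, int]]:
    """(rule name, rating, risk) for the sample rules, highest risk first."""
    return [(f.rule, f.rating, f.risk) for f in review(SAMPLE_RULES)]


if __name__ == "__main__":
    for f in review(SAMPLE_RULES):
        print(f"{f.rating:8} risk={f.risk:2} {f.rule}: {f.description}")
```

Run stand-alone, the script lists the four findings from the sample set: the any-to-any corporate rule and the Internet-facing rule as critical, the RDP rule as high and the HTTPS rule to the historian as medium. Real firewall exports would need a parser for the vendor's format; the review logic itself stays the same.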
Reporting the Results
The purpose of reporting the results is to provide management with actionable information for decisions about investment in future security.
The reporting document includes:
▪ Executive Summary: a full description of the vulnerability assessment project
▪ All of the vulnerabilities found during the assessment
▪ Recommendations to remediate or mitigate vulnerabilities
Access to the results:
▪ All results stay with the information owner -> site
▪ The Information Owner gives access to findings details
▪ The Program Manager will have access to findings details
▪ The PITS Global Team will have access to findings for remediation

MITS Maturity Model: The Road Map
Unknown
▪ No data available
Insufficient
▪ Some MITS requirements already in place
▪ No minimum MITS ensured
Basic (Intermediate Stage)
▪ Minimum MITS ensured (no holistic protection level in place):
✓ Network Security
✓ Enforce network segmentation
✓ External Access
✓ Remote Maintenance
✓ Mobile Devices (USB, etc.)
✓ Emergency Response
✓ Backup Management
Solid
▪ MITS follows the directive "IT Security for Manufacturing IT"
▪ Solid security foundation against known threats
Outstanding
▪ Advanced IT security technology
▪ Immediate reaction on threats possible
▪ Continuous improvement in place
Maturity score scale: 0 (Unmanaged Risks), 1-99, 100-199, 200-299, 300 (Managed Risks).

Goal
PITS reduces and mitigates the security threats to the production network that endanger smooth, continuous and efficient production.

/// Pittsburgh, PA, US R&D Assessment Kick-off / ver 1.0 /// C. Joseph Gonot /// 2019-05-06

Why: production network security needs attention
PITS Production IT Security
With the development of networks, the wide adoption of big data, 5G and artificial intelligence, the national 2025 strategic goals and, internationally, Industry 4.0 in Europe in particular, automated and intelligent production is bringing a bright vision to the whole industry. However, all of this also makes the production process a target of cyber attacks.

When: when does the production network need security protection?
PITS Production IT Security
According to incomplete internal statistics from a European Fortune 500 company, it is hit by as many as 2,000 to 3,000 email attacks every day. If the attackers' target shifted to the production process, the consequences for a production process that is still something of a "vacuum" in security terms would be unimaginable. Therefore, the necessary security mechanisms and measures for the production network should be established immediately.

Why choose us
PITS Production IT Security
➢ 5 years of production network security experience
• Comprehensive ICS expertise and experience, familiar with different kinds of industrial control and operations systems (DCS, MES, LES) and related industry standards such as GMP
• Familiar with a wide range of production processes, mainly in process industries such as petrochemicals, chemicals and pharmaceuticals
• Strong networking knowledge and skills
➢ International team and local resources
• International partners who know the leading edge of the industry and follow the latest moves of attackers
• A diverse (Fortune 500) customer base yields a variety of solutions, so countermeasures are found faster from lessons learned
• Local resources can provide approaches suited to China that are more feasible and efficient
➢ Growing healthily together with the customer
• Prevention, outpatient care, emergency care, insurance

Cooperation Model
➢ Close cooperation between both teams; define the goals
➢ Vulnerability detection and assessment; provide a detailed report and state the current security level
➢ Provide recommendations and feasible solutions, including a redesign of the production network based on the assessment results
➢ Provide consulting and related services during implementation
➢ Review the results of the improvements

More Hacking Cases: Some Blockbusters
Sabotage and espionage: Stuxnet, BlackEnergy and BlackEnergy2, Flame, Duqu, ProjectSauron, Havex, Industroyer
Ransomware: WannaCry, NotPetya, and co.
• Operations at Maersk, Ukrainian banks: http://www.bbc.com/news/technology-40428967
• Renault stops production at several plants after ransomware cyber attack as Nissan also hacked: http://www.mirror.co.uk/news/world-news/renault-stops-production-several-plants-10413994
• Hack attack causes 'massive damage' at steel works: http://www.bbc.com/news/technology-30575104 and https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2014.pdf?__blob=publicationFile
• Power grid in Ukraine paralysed by hackers: https://www.welivesecurity.com/deutsch/2016/01/08/stromnetz-der-ukraine-durch-hacker-lahmgelegt/
• ThyssenKrupp attackers stole trade secrets in massive hack: https://www.forbes.com/sites/leemathews/2016/12/08/thyssenkrupp-attackers-stole-trade-secrets-in-massive-hack/#379c072762dc