Introduction to SCADA Security Class 5: Mitigation Strategies 12/20/2013 Clint Bodungen Copyright 2013, Cimation. All Rights Reserved. Mitigation STRATEGY Now let’s take everything we’ve learned about Threats, Vulnerabilities, Exploits, and Attack Methodology, and apply it towards building mitigation strategies. FACT: A study by DHS reported that by the time an intrusion is discovered, an average of at least 90 days has passed since the initial exposure. FACT: That same study reported that relating to ICS/SCADA networks, it takes an average of about a year from the time a vulnerability is discovered within an application or firmware until the vulnerability is patched within the operator’s systems. (Idaho National Laboratories, “Empirical Estimates of Zero-Day Vulnerabilities in Control Systems”, 2009) 2 Copyright 2013, Cimation. All Rights Reserved. Mitigation Strategy Security 101: What are we protecting? Enterprise Confidentiality Integrity Availability VS. Industrial Availability Integrity Confidentiality 3 Copyright 2013, Cimation. All Rights Reserved. Mitigation Strategy Security 101: Strategy Overview • • • Risk can never be fully mitigated Risk is either mitigated, reduced or accepted/managed Remember our Threats, Vulnerabilities, and Exploits? Now think of these like a fire triangle (ingredients required for a fire to burn): Fire Attack Threat Take any one leg out, and the Fire will be mitigated. This same principle applies with all 3 aspects of security. 4 Copyright 2013, Cimation. All Rights Reserved. Mitigation Strategy Security 101: Strategy Overview • Eliminating Exploits – • Eliminating Threats – – • While you can’t eliminate exploits, understanding them will help you maximize your mitigation strategy later by knowing exactly what controls to implement and how to deploy them most effectively Like exploits, it is nearly impossible to eliminate the actual threats aside from terminating employees (not Arnold Schwarzenegger style) But understanding their methods allows you to anticipate how and when they will strike, thereby maximizing your mitigation deployments Eliminating Vulnerability – – Eliminating or blocking access to vulnerabilities is the only real direct control you have in the attack triangle scenario Primary methods of eliminating vulnerabilities: • • Restrict access to the system System Hardening (Eliminate the vulnerability, remove/block ability to exploit) 5 Copyright 2013, Cimation. All Rights Reserved. Mitigation Strategy Security 101: Restricting Network Access • Network Segmentation – – – Concept of filtering by protocol/services/source and destination address to isolate network traffic and services from private or sensitive parts of the network; e.g., traffic restricted to an extranet Design the network architectures to separate “untrusted” traffic apart from “private” and “trusted” network segments/sub-domains Accomplished by: • • • – • Filtering by protocol/services Filtering by source and destination address Network design ISA99/IEC 62433, NERC CIP, API 1164 and many others process control security standards require it Technologies – – Firewalls • Implement stateful inspection • White list IP address access when possible • Explicit port ingress and egress when possible • Should block malformed packets. • Detect and mitigate against DDoS or DoS storms. • Bridged “bump in the wire” firewall for field devices and SCADA network segmentation DMZ Implementation • • Denies endpoints access to networks when endpoints do not meet security requirements Allows thin client access instead of direct network access 6 Copyright 2013, Cimation. All Rights Reserved. Mitigation Strategy Security 101: Restricting Network Access • Network Segmentation 1. 2. 3. 4. 5. Process HSE/Control Supervisory Control Operations Management Enterprise 4 3 2 1 0 7 Copyright 2013, Cimation. All Rights Reserved. Mitigation Strategy Security 101: Restricting Network Access • Technologies – – Firewalls • Implement stateful inspection • White list IP address access when possible • • Explicit port ingress and egress when possible Should block malformed packets. • Detect and mitigate against DDoS or DoS storms. • Bridged “bump in the wire” firewall for field devices and SCADA network segmentation DMZ Implementation • • – Denies endpoints access to networks when endpoints do not meet security requirements Allows thin client access instead of direct network access Switch Port Security • MAC Address filtering helps prevent unauthorized port access to switches • • It’s not fool proof as MAC addresses can be spoofed “Sticky MACs” tie specific MAC addresses to specific switch ports and add extra layers of security 8 Copyright 2013, Cimation. All Rights Reserved. Mitigation Strategy Security 101: Restricting Network Access • • Never use WiFi (802.x) on your SCADA Network! But if you feel you must: – – – – – – – – Do NOT use WEP Enable WPA/WPA2 Use enterprise TKIP Change SSID default values from vendor’s configuration Disable SSID broadcast Implement another layer of authentication (IPSec) Logically place the AP in a DMZ with a firewall between the AP and internal network Physically place the AP in the center of the building if possible • Beware of windows and other rogue APs 9 Copyright 2013, Cimation. All Rights Reserved. Mitigation Strategy Security 101: Restricting Host Access • Password Security – Poor, weak passwords have the following characteristics • • • • • • • – Contains less than eight characters Is a word found in a dictionary (English or foreign) Is a common usage word such as Birthdays and other personal information, such as addresses and phone numbers Word or number patterns like Common words spelled backwards. Any of the above preceded or followed by a digit (e.g., secret1, 1secret) Strong passwords have the following characteristics • • • • • • Contain both upper and lower case characters Contain special characters Are at least eight alphanumeric characters long (15 characters to defeat rainbow tables) Are not a word in any language, slang, dialect, jargon, etc. Are not based on personal information, names of family, etc. Never be written down or stored online 10 Copyright 2013, Cimation. All Rights Reserved. Mitigation Strategy Security 101: Restricting Host Access • Strong Authentication For Remote Access – – Something you know (i.e. a password) Something you have (i.e. token or smart card) NOTE - 2-Factor Authentication Should be used for physical access as well: – Proximity cards alone are simply RFID – Proximity card + pin or bio reader should be used – Proximity card access alone can be easily defeated – Most organizations don’t use two factor authentication with proximity card security 11 Copyright 2013, Cimation. All Rights Reserved. Mitigation Strategy Security 101: Communications Security • • • Use VPN when possible Secure Shell (SSH) instead of telnet SSL instead of standard HTTP 12 Copyright 2013, Cimation. All Rights Reserved. Mitigation Strategy Security 101: Blocking Exploitation/System Hardening • Security Patching & Anti-Virus Software – – – Should be done in accordance with vendor recommendation Should be tested in a test and development environment before deploying Typical Anti-Virus drawbacks • • • • • • Requires regular updates Signature based Only as good as the signatures and updates Does not protect against Zero-Day Use Heuristics based (can be difficult to “tune” and might cause problems in SCADA networks) Application White Listing (AWL) – – – – – – Provides an alternative when other malware prevention isn’t an option Only allows authorized processes to run instead of signature based Protects against most Zero-Day Small footprint Does not require updates “Learning modes” provide safe installation without interruption 13 Copyright 2013, Cimation. All Rights Reserved. Mitigation Strategy Security 101: Blocking Exploitation/System Hardening • ICS/SCADA System Specific Security – SCADA, DCS or HMI Software • • • • • – Should be ran under a user account with least privileges. Security model of the software should be used for individual (not group) login accounts for accountability. All user actions should be logged. SCADA, DCS or HMI software should be on a patch cycle based on the frequency of change from the vendor. BHP should not allow its software to get more than (3) revisions old if an upgrade or patch can be safely made without affecting the operations of the facility. Set key executables, services and DLLs to auto-restart upon failure. Data Historian or Archival Applications • • • Should be installed in a neutral DMZ network not in SCADA or IT environments. Do not install multiple network cards in the historian server and directly connect it to all networks that it needs to communicate with. Specific firewall rules should govern the flow of data from SCADA to the data historian servers. 14 Copyright 2013, Cimation. All Rights Reserved. Mitigation Strategy Security 101: Monitoring • Intrusion Detection System (IDS) – – • Requires expertise Limited application Security Information and Event Management (SIEM) – – – Combines IDS, management console, log management, vulnerability assessment integration, etc. Adds threat intelligence Vendors • • • • • • AlienVault OSSIM (free AlienVault) Mcafee SIEM (Nitro) ArcSight Qradar Cisco MARS 15 Copyright 2013, Cimation. All Rights Reserved. Mitigation Strategy Layered “Defense in Depth” Strategy • • Standards and best practices recommend a layered defense model (a.k.a. – Defense in Depth) Multiple layers of security controls provide enhanced deterrence against all but the most determined attackers in addition to alternative defense where direct controls are not an option – For example: Anti-virus software may not be an option for some DCS environments so alternative, layered defense would be appropriate 16 Copyright 2013, Cimation. All Rights Reserved. Mitigation Strategy Layered “Defense in Depth” Strategy • • But this can be taxing on resources How can we maximize cost/benefit ratio? 17 Copyright 2013, Cimation. All Rights Reserved. Mitigation Strategy Topological Vulnerability Analysis Strategy (TVA) • • • The Topological Vulnerability Analysis (TVA) strategy is much more efficient in terms of resource utilization When combined with a proper risk analysis, TVA provides a strategy that still effectively mitigate security threats, while meeting budget requirements TVA provides comprehensive vision of your organization’s risk profile by overlaying system vulnerability details and potential attack paths onto a network diagram. 18 Copyright 2013, Cimation. All Rights Reserved. Mitigation Strategy Topological Vulnerability Analysis Strategy (TVA) • Inventory systems, diagram networks and communication paths • Determine system criticalities • Assess and rate threats and vulnerabilities • Estimate attack methodologies and likelihood according to communication paths • Prioritize mitigation by most critical systems with the highest level of vulnerabilities and the most communication pathways 19 Copyright 2013, Cimation. All Rights Reserved. Questions? If you liked this week’s cyber security training lectures on ICS/SCADA security, check out Cimation University! Coming January 2014: • • • • Introduction to ICS/SCADA Security ICS/SCADA Security Vulnerability Assessment (SVA) ICS/SCADA Security Risk Analysis and Mitigation Hacking SCADA: Advanced ICS/SCADA Vulnerability Assessment & Penetration Testing www.cimation.com/CimationUniversity Clint Bodungen Senior ICS/SCADA Security Researcher, Cimation 281.832.3129 cbodungen@cimation.com www.cimation.com 20 Copyright 2013, Cimation. All Rights Reserved.