Introduction to SCADA Security
Class 5: Mitigation Strategies
12/20/2013
Clint Bodungen
Copyright 2013, Cimation. All Rights Reserved.
Mitigation Strategy
Now let's take everything we've learned about Threats, Vulnerabilities, Exploits, and Attack Methodology, and apply it toward building mitigation strategies.
FACT: A study by DHS reported that, by the time an intrusion is discovered, an average of at least 90 days has passed since the initial exposure.
FACT: The same study reported that in ICS/SCADA networks it takes an average of about a year from the time a vulnerability is discovered in an application or firmware until that vulnerability is patched in the operator's systems.
(Idaho National Laboratory, "Empirical Estimates of Zero-Day Vulnerabilities in Control Systems", 2009)
Mitigation Strategy
Security 101: What are we protecting?
Enterprise IT ranks the CIA triad in this order:
1. Confidentiality
2. Integrity
3. Availability
vs.
Industrial control systems reverse the order:
1. Availability
2. Integrity
3. Confidentiality
Mitigation Strategy
Security 101: Strategy Overview
• Risk can never be fully mitigated
• Risk is either mitigated, reduced, or accepted/managed
• Remember our Threats, Vulnerabilities, and Exploits? Think of them like a fire triangle (the ingredients required for a fire to burn). An attack needs all three legs:
  – Threat
  – Vulnerability
  – Exploit
• Take any one leg out, and the fire (the attack) is mitigated
• The same principle applies to each of the three legs: remove the threat, the vulnerability, or the exploit and the attack cannot occur
Mitigation Strategy
Security 101: Strategy Overview
• Eliminating Exploits
  – While you can't eliminate exploits, understanding them will help you maximize your mitigation strategy later by knowing exactly what controls to implement and how to deploy them most effectively
• Eliminating Threats
  – Like exploits, it is nearly impossible to eliminate the actual threat actors, aside from terminating employees (not Arnold Schwarzenegger style)
  – But understanding their methods allows you to anticipate how and when they will strike, thereby maximizing your mitigation deployments
• Eliminating Vulnerabilities
  – Eliminating or blocking access to vulnerabilities is the only real direct control you have in the attack-triangle scenario
  – Primary methods of eliminating vulnerabilities:
    • Restrict access to the system (network and host access)
    • System hardening (eliminate the vulnerability, or remove/block the ability to exploit it)
Mitigation Strategy
Security 101: Restricting Network Access
• Network Segmentation
  – Filtering by protocol/service and by source and destination address to isolate network traffic and services from private or sensitive parts of the network; e.g., external traffic restricted to an extranet
  – Design the network architecture to keep "untrusted" traffic apart from "private" and "trusted" network segments/sub-domains
  – Accomplished by:
    • Filtering by protocol/service
    • Filtering by source and destination address
    • Network design
  – ISA99/IEC 62443, NERC CIP, API 1164 and many other process control security standards require it
• Technologies
  – Firewalls
    • Implement stateful inspection
    • Whitelist IP address access when possible
    • Permit only explicit ports for ingress and egress when possible (default deny)
    • Should block malformed packets
    • Detect and mitigate DDoS or DoS storms
    • Bridged "bump in the wire" firewall for field devices and SCADA network segmentation
  – DMZ Implementation
    • Denies endpoints access to networks when the endpoints do not meet security requirements
    • Allows thin-client access instead of direct network access
Mitigation Strategy
Security 101: Restricting Network Access
• Network Segmentation: reference-model levels, each a separate network segment
  – Level 4: Enterprise
  – Level 3: Operations Management
  – Level 2: Supervisory Control
  – Level 1: HSE/Control
  – Level 0: Process
Mitigation Strategy
Security 101: Restricting Network Access
• Technologies (continued)
  – Switch Port Security
    • MAC address filtering helps prevent unauthorized port access to switches
    • It's not foolproof, as MAC addresses can be spoofed
    • "Sticky MACs" (port security that learns the first MAC address seen on a port and binds it to that port) add an extra layer of defense
Mitigation Strategy
Security 101: Restricting Network Access
• Never use WiFi (802.11) on your SCADA network!
• But if you feel you must:
  – Do NOT use WEP
  – Enable WPA2 (WPA only as a fallback)
  – Use WPA2-Enterprise (802.1X/EAP) with AES-CCMP; TKIP is deprecated and should be disabled
  – Change the default SSID from the vendor's configuration
  – Disable SSID broadcast (this only hides the network from casual discovery; it is not an access control)
  – Implement another layer of authentication (e.g., IPsec)
  – Logically place the AP in a DMZ with a firewall between the AP and the internal network
  – Physically place the AP in the center of the building if possible
    • Beware of signal leakage through windows, and watch for rogue APs
Mitigation Strategy
Security 101: Restricting Host Access
• Password Security
  – Poor, weak passwords have the following characteristics:
    • Contain fewer than eight characters
    • Are a word found in a dictionary (English or foreign)
    • Are a common-usage word
    • Are based on birthdays or other personal information, such as addresses and phone numbers
    • Are word or number patterns
    • Are common words spelled backwards
    • Are any of the above preceded or followed by a digit (e.g., secret1, 1secret)
  – Strong passwords have the following characteristics:
    • Contain both upper- and lower-case characters
    • Contain special characters
    • Are at least eight alphanumeric characters long (15 or more on Windows, so that the legacy LM hash targeted by common rainbow tables is not stored)
    • Are not a word in any language, slang, dialect, jargon, etc.
    • Are not based on personal information, names of family, etc.
    • Are never written down or stored online
Mitigation Strategy
Security 101: Restricting Host Access
• Strong Authentication for Remote Access: require two factors
  – Something you know (e.g., a password)
  – Something you have (e.g., a hardware token or smart card)
• NOTE: two-factor authentication should be used for physical access as well
  – Proximity cards alone are simply RFID credentials; card access on its own can be easily defeated (cloned or replayed)
  – Proximity card + PIN or biometric reader should be used
  – Most organizations don't use two-factor authentication with proximity card security
Mitigation Strategy
Security 101: Communications Security
• Use a VPN when possible
• Secure Shell (SSH) instead of Telnet
• HTTPS (TLS) instead of plain HTTP
Mitigation Strategy
Security 101: Blocking Exploitation/System Hardening
• Security Patching & Anti-Virus Software
  – Should be done in accordance with vendor recommendations
  – Should be tested in a test and development environment before deploying to production
  – Typical anti-virus drawbacks:
    • Requires regular updates
    • Signature based, so only as good as the signatures and updates
    • Does not protect against zero-days
    • Heuristics-based detection helps, but can be difficult to "tune" and might cause problems in SCADA networks
• Application Whitelisting (AWL)
  – Provides an alternative when other malware prevention isn't an option
  – Only allows authorized executables/processes to run, instead of blocking known-bad signatures
  – Protects against most zero-days
  – Small footprint
  – Does not require signature updates (the whitelist itself must be maintained when software is patched)
  – "Learning modes" build the whitelist from the running system, so it can be installed safely without interruption
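As an added example of how whitelisting differs from signature matching (illustrative Python, not from the original slides or any AWL product): a learning mode records the SHA-256 of every executable observed on a clean baseline, enforce mode allows only those hashes, and a patched vendor binary is blocked until the host is re-baselined, which is the maintenance cost noted above. The file paths and "binary" contents are constructed in memory.

```python
import hashlib
from typing import Dict, Set

# Constructed sample "binaries": path -> file contents, standing in for a clean HMI host.
BASELINE_IMAGE: Dict[str, bytes] = {
    r"C:\HMI\hmi.exe": b"MZ-HMI-RUNTIME-v3.2",
    r"C:\Historian\collector.exe": b"MZ-HISTORIAN-COLLECTOR-v1.0",
    r"C:\Windows\System32\svchost.exe": b"MZ-SVCHOST",
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class ApplicationWhitelist:
    """Hash-based allow-list with a learning mode and an enforce mode."""

    def __init__(self) -> None:
        self.allowed: Set[str] = set()
        self.learning = True
        self.denied_log = []   # what a real product would forward to the SIEM

    def observe(self, path: str, image: bytes) -> bool:
        """Process-start hook. Returns True if the process may run."""
        digest = sha256(image)
        if self.learning:
            self.allowed.add(digest)      # trust everything on the clean baseline
            return True
        if digest in self.allowed:
            return True
        self.denied_log.append((path, digest))
        return False

    def enforce(self) -> None:
        self.learning = False


def build_whitelist(image: Dict[str, bytes]) -> ApplicationWhitelist:
    """Learning mode over a known-clean system, then switch to enforce."""
    awl = ApplicationWhitelist()
    for path, data in image.items():
        awl.observe(path, data)
    awl.enforce()
    return awl


def signature_av(image: bytes, signatures: Set[bytes]) -> bool:
    """Contrast: a signature engine only blocks what it already knows. True = allowed."""
    return not any(sig in image for sig in signatures)


if __name__ == "__main__":
    awl = build_whitelist(BASELINE_IMAGE)
    # Unknown dropper: AWL blocks it; a signature engine without its signature lets it run.
    dropper = b"MZ-NEW-UNSEEN-DROPPER"
    print("AWL allows dropper:", awl.observe(r"C:\Temp\update.exe", dropper))
    print("AV allows dropper :", signature_av(dropper, {b"KNOWN-WORM"}))
    # A patched vendor binary also fails until re-baselined: the operational cost of AWL.
    print("AWL allows patched HMI:", awl.observe(r"C:\HMI\hmi.exe", b"MZ-HMI-RUNTIME-v3.3"))
```

Learning mode is only as trustworthy as the host it learns from, so run it on a freshly built or freshly verified system, not on one that has been in service for years.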
Mitigation Strategy
Security 101: Blocking Exploitation/System Hardening
• ICS/SCADA System-Specific Security
  – SCADA, DCS or HMI Software
    • Should be run under a user account with least privilege
    • The software's own security model should be used with individual (not group or shared) login accounts, for accountability
    • All user actions should be logged
    • SCADA, DCS or HMI software should be on a patch cycle based on the frequency of change from the vendor. The operator should not allow its software to get more than three revisions old if an upgrade or patch can be safely made without affecting the operations of the facility
    • Set key executables, services and DLLs to auto-restart upon failure
  – Data Historian or Archival Applications
    • Should be installed in a neutral DMZ network, not in the SCADA or IT environments
    • Do not dual-home the historian: installing multiple network cards in the server and connecting it directly to every network it talks to bypasses the segmentation
    • Specific firewall rules should govern the flow of data from SCADA to the data historian servers (and from IT to the historian)
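To make the segmentation rules from the Restricting Network Access slides and the historian placement on this slide concrete, the following Python models a zone-based firewall policy over the reference-model levels. It is an added example, not from the original slides or any firewall vendor: zone names, addresses and the historian port 5450 are constructed (Modbus/TCP 502 and HTTPS 443 are the real well-known ports), the policy is default-deny with explicit source, destination and port, and a second check flags any host whose interfaces land in more than one zone, which is the dual-homed historian the slide warns against.

```python
import ipaddress
from typing import Dict, List, NamedTuple, Optional

# Constructed zones keyed to the reference-model levels (addresses are illustrative).
ZONES: Dict[str, ipaddress.IPv4Network] = {
    "L4-Enterprise":  ipaddress.ip_network("10.4.0.0/16"),
    "L3-Operations":  ipaddress.ip_network("10.3.0.0/24"),
    "DMZ-Historian":  ipaddress.ip_network("10.35.0.0/24"),
    "L2-Supervisory": ipaddress.ip_network("10.2.0.0/24"),
    "L1-Control":     ipaddress.ip_network("10.1.0.0/24"),
}


class Rule(NamedTuple):
    src_zone: str
    dst_zone: str
    proto: str
    dport: int
    src_hosts: Optional[frozenset] = None   # whitelist specific source IPs if set


# Explicit allow rules; everything not listed is denied (default deny).
POLICY: List[Rule] = [
    # Only the two named HMIs may poll/command PLCs with Modbus/TCP.
    Rule("L2-Supervisory", "L1-Control", "tcp", 502,
         frozenset({"10.2.0.10", "10.2.0.11"})),
    # SCADA pushes data out to the historian in the DMZ (port is illustrative).
    Rule("L2-Supervisory", "DMZ-Historian", "tcp", 5450),
    # Enterprise users read the historian's web front end only.
    Rule("L4-Enterprise", "DMZ-Historian", "tcp", 443),
    # Operations management reaches supervisory systems via RDP only.
    Rule("L3-Operations", "L2-Supervisory", "tcp", 3389),
]


def zone_of(ip: str) -> Optional[str]:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def evaluate(src_ip: str, dst_ip: str, proto: str, dport: int) -> str:
    """Return 'ALLOW ...' or 'DENY ...' for one flow through the zone firewall."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone is None or dst_zone is None:
        return "DENY unknown zone"
    if src_zone == dst_zone:
        return "ALLOW intra-zone"   # zone firewall is between zones; host firewalls cover intra-zone
    for r in POLICY:
        if (r.src_zone, r.dst_zone, r.proto, r.dport) == (src_zone, dst_zone, proto, dport):
            if r.src_hosts is not None and src_ip not in r.src_hosts:
                return f"DENY source {src_ip} not whitelisted for {dst_zone}:{dport}"
            return f"ALLOW {src_zone}->{dst_zone} {proto}/{dport}"
    return f"DENY default ({src_zone}->{dst_zone} {proto}/{dport})"


def dual_homed_hosts(host_interfaces: Dict[str, List[str]]) -> List[str]:
    """Flag hosts whose interfaces sit in more than one zone (they bypass the firewall)."""
    return [host for host, ips in host_interfaces.items()
            if len({zone_of(ip) for ip in ips}) > 1]


if __name__ == "__main__":
    for flow in [("10.2.0.10", "10.1.0.5", "tcp", 502),    # authorised HMI -> PLC
                 ("10.2.0.99", "10.1.0.5", "tcp", 502),    # unlisted L2 host -> PLC
                 ("10.4.0.7", "10.1.0.5", "tcp", 502),     # enterprise -> PLC: never
                 ("10.4.0.7", "10.35.0.20", "tcp", 443)]:  # enterprise -> historian web
        print(flow, evaluate(*flow))
    # A historian with NICs in both SCADA and IT is the misconfiguration to avoid.
    print(dual_homed_hosts({"historian": ["10.35.0.20", "10.2.0.50", "10.4.0.50"],
                            "hmi-01": ["10.2.0.10"]}))
```

Note that no rule exists from L4-Enterprise to L1-Control or L2-Supervisory at all: enterprise hosts reach process data only through the historian, which is the point of the DMZ.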
Mitigation Strategy
Security 101: Monitoring
• Intrusion Detection System (IDS)
  – Requires expertise to tune and to triage alerts
  – Limited application on its own
• Security Information and Event Management (SIEM)
  – Combines IDS, management console, log management, vulnerability assessment integration, etc.
  – Adds threat intelligence
  – Vendors (as of 2013):
    • AlienVault
    • OSSIM (free AlienVault edition)
    • McAfee SIEM (Nitro)
    • ArcSight
    • QRadar
    • Cisco MARS
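An IDS or SIEM earns its keep on a SCADA network only with rules that understand the control protocol. As an added example (illustrative Python, not from the original slides or any IDS product), the following parses Modbus/TCP frames from a constructed capture, flags malformed MBAP headers of the kind a bump-in-the-wire firewall should drop, and alerts on write function codes from any source other than the authorised HMIs. The HMI addresses and frames are constructed.

```python
import struct
from typing import Dict, List, NamedTuple, Optional

# Constructed authorised writers; everything else may only read.
AUTHORISED_HMIS = {"10.2.0.10", "10.2.0.11"}
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}


class Frame(NamedTuple):
    src_ip: str
    dst_ip: str
    payload: bytes


def parse_mbap(payload: bytes) -> Optional[Dict[str, int]]:
    """Parse the 7-byte MBAP header plus function code; None if malformed."""
    if len(payload) < 8:
        return None
    tid, pid, length, unit = struct.unpack(">HHHB", payload[:7])
    if pid != 0:                       # protocol identifier is always 0 for Modbus
        return None
    if length != len(payload) - 6:     # length field counts unit id + PDU
        return None
    if not 1 <= length <= 254:         # PDU max is 253 bytes plus the unit id
        return None
    return {"tid": tid, "unit": unit, "function": payload[7]}


def inspect(frames: List[Frame]) -> List[str]:
    """Return one alert string per suspicious frame."""
    alerts = []
    for f in frames:
        hdr = parse_mbap(f.payload)
        if hdr is None:
            alerts.append(f"MALFORMED {f.src_ip}->{f.dst_ip} ({f.payload.hex()})")
            continue
        fc = hdr["function"]
        if fc in WRITE_FUNCTIONS and f.src_ip not in AUTHORISED_HMIS:
            alerts.append(f"UNAUTHORISED WRITE {f.src_ip}->{f.dst_ip} "
                          f"fc={fc} {WRITE_FUNCTIONS[fc]} unit={hdr['unit']}")
    return alerts


def modbus(tid: int, unit: int, pdu: bytes) -> bytes:
    """Build a well-formed Modbus/TCP frame (helper for the constructed capture)."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed capture: a normal read, an authorised write, a write from an
# engineering laptop, and a frame with a bad protocol id.
SAMPLE_FRAMES = [
    Frame("10.2.0.10", "10.1.0.5", modbus(1, 1, bytes([3, 0, 0, 0, 10]))),         # FC3 read holding regs
    Frame("10.2.0.10", "10.1.0.5", modbus(2, 1, bytes([6, 0, 0x10, 0x00, 0x01]))),  # FC6 write, authorised
    Frame("10.2.0.77", "10.1.0.5", modbus(3, 1, bytes([6, 0, 0x10, 0xFF, 0xFF]))),  # FC6 write, laptop
    Frame("10.2.0.77", "10.1.0.5", b"\x00\x04\x00\x01\x00\x02\x01\x03"),             # pid=1: malformed
]

if __name__ == "__main__":
    for a in inspect(SAMPLE_FRAMES):
        print(a)
```

The read from the HMI and the authorised write produce no alert; the same write from 10.2.0.77 and the malformed header each produce one. In a SIEM the source whitelist would be fed from the asset inventory rather than hard-coded.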
Mitigation Strategy
Layered "Defense in Depth" Strategy
• Standards and best practices recommend a layered defense model (a.k.a. Defense in Depth)
• Multiple layers of security controls provide enhanced deterrence against all but the most determined attackers, and provide alternative defenses where direct controls are not an option
  – For example: anti-virus software may not be an option for some DCS environments, so an alternative, layered defense would be appropriate
• But layering every control everywhere can be taxing on resources
• How can we maximize the cost/benefit ratio?
Mitigation Strategy
Topological Vulnerability Analysis Strategy (TVA)
• The Topological Vulnerability Analysis (TVA) strategy is much more efficient in terms of resource utilization
• Combined with a proper risk analysis, TVA provides a strategy that still effectively mitigates security threats while meeting budget requirements
• TVA provides a comprehensive view of your organization's risk profile by overlaying system vulnerability details and potential attack paths onto a network diagram
Mitigation Strategy
Topological Vulnerability Analysis Strategy (TVA)
• Inventory systems; diagram networks and communication paths
• Determine system criticalities
• Assess and rate threats and vulnerabilities
• Estimate attack methodologies and likelihood according to communication paths
• Prioritize mitigation by the most critical systems with the highest level of vulnerabilities and the most communication pathways
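Carried through as an added worked example (Python, not from the original slides): a constructed inventory of hosts with criticality and vulnerability ratings, plus the directed communication paths between them, is turned into a mitigation priority list by enumerating every path an attacker could take from the untrusted enterprise zone to each host and weighting criticality, vulnerability and the number of distinct paths that reach it, which is the prioritization rule in the last step above. The hosts, ratings and paths are assumptions for illustration.

```python
from collections import deque
from typing import Dict, List, Set, Tuple

# Constructed inventory: host -> (criticality 1-5, vulnerability rating 1-5, zone).
HOSTS: Dict[str, Tuple[int, int, str]] = {
    "erp-server":  (2, 3, "L4-Enterprise"),
    "historian":   (3, 4, "DMZ"),
    "eng-station": (4, 5, "L2-Supervisory"),  # unpatched, many tools installed
    "hmi-01":      (4, 3, "L2-Supervisory"),
    "plc-01":      (5, 4, "L1-Control"),
    "plc-02":      (5, 4, "L1-Control"),
}

# Constructed communication paths (directed: who can open connections to whom).
PATHS: List[Tuple[str, str]] = [
    ("erp-server", "historian"),
    ("historian", "eng-station"),     # vendor support tunnel left in place
    ("eng-station", "hmi-01"),
    ("eng-station", "plc-01"),
    ("eng-station", "plc-02"),
    ("hmi-01", "plc-01"),
    ("hmi-01", "plc-02"),
]

UNTRUSTED_ZONE = "L4-Enterprise"


def adjacency(paths: List[Tuple[str, str]]) -> Dict[str, Set[str]]:
    adj: Dict[str, Set[str]] = {h: set() for h in HOSTS}
    for src, dst in paths:
        adj[src].add(dst)
    return adj


def attack_paths(adj: Dict[str, Set[str]], start: str, target: str) -> List[List[str]]:
    """All simple paths from start to target (fine for inventory-sized graphs)."""
    found, queue = [], deque([[start]])
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            found.append(path)
            continue
        for nxt in sorted(adj[path[-1]]):
            if nxt not in path:
                queue.append(path + [nxt])
    return found


def prioritize(hosts: Dict[str, Tuple[int, int, str]],
               paths: List[Tuple[str, str]]) -> List[Tuple[str, int, int]]:
    """Rank hosts by criticality x vulnerability x number of reachable attack paths.

    Returns (host, path_count, score) sorted descending; unreachable hosts score 0.
    """
    adj = adjacency(paths)
    entry_points = [h for h, (_, _, zone) in hosts.items() if zone == UNTRUSTED_ZONE]
    ranked = []
    for host, (crit, vuln, zone) in hosts.items():
        if zone == UNTRUSTED_ZONE:
            continue
        count = sum(len(attack_paths(adj, e, host)) for e in entry_points)
        ranked.append((host, count, crit * vuln * count))
    return sorted(ranked, key=lambda r: (-r[2], r[0]))


if __name__ == "__main__":
    for host, count, score in prioritize(HOSTS, PATHS):
        print(f"{host:12s} paths={count} score={score}")
```

The ranking puts the PLCs first, but the same model also shows where the cheapest fix is: deleting the single historian-to-engineering-station path cuts every attack path into the supervisory and control zones, so one firewall rule buys more than patching each PLC individually. That is the cost/benefit question from the defense-in-depth slide, answered with the diagram.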
Questions?
If you liked this week's cyber security training lectures on ICS/SCADA security, check out Cimation University!
Coming January 2014:
• Introduction to ICS/SCADA Security
• ICS/SCADA Security Vulnerability Assessment (SVA)
• ICS/SCADA Security Risk Analysis and Mitigation
• Hacking SCADA: Advanced ICS/SCADA Vulnerability Assessment & Penetration Testing
www.cimation.com/CimationUniversity
Clint Bodungen
Senior ICS/SCADA Security Researcher, Cimation
281.832.3129
cbodungen@cimation.com
www.cimation.com