www.cyberoam.com

Protecting Critical Infrastructure with Cyberoam's Holistic Security
Integrated threat protection, situational awareness and security controls for ICS including SCADA

Our Products
- Modem Router
- Network Security Appliances - UTM, NGFW (Hardware & Virtual)
- Integrated Security appliance

© Copyright 2013 Cyberoam Technologies Pvt. Ltd. All Rights Reserved.

Overview of ICS (for those who are new to ICS)

Overview
- What is ICS: Industrial Control System
- What is SCADA: Supervisory Control & Data Acquisition
- Role of ICS
  - To operate critical infrastructure like nuclear reactors, manufacturing lines, furnaces etc.
  - Automated or operator-driven supervisory commands can be pushed to remote station control devices
- Industries using ICS
  - Oil and Gas
  - Energy: Power, Wind sector
  - Manufacturing, Chemical, Pharma and others
  - Water treatment, Waste Management

Components in ICS
- Supervisory Control System
  - The SCADA server is the device that acts as the SCADA master
  - Monitors and sends commands to control devices & processes
- Remote Terminal Unit (RTU) or PLC or Controller
  - Used generally at field level
  - Originally designed to perform logical functions executed by electrical hardware (relays, drums, switches, mechanical timers, actuators, valves etc.)
  - Usually act as slaves
  - Convert signals from process centers to digital data and send them to the supervisory system
[Diagram: supervisory control system, HMI and database/backup connected to Remote Terminal Units monitoring temperature level, pressure level, oil level, radioactivity level, pump/fan speed and a maintenance alarm]

Components in ICS (continued)
- Database/Data Historian and backup
  - Centralized database for logging all process information within the ICS
  - The database can be accessed to support various kinds of analysis
- HMI: Human Machine Interface
  - Software & hardware that allow a human operator to monitor the state of the process under control, modify control settings, manually override auto-control operations and configure set points
  - The HMI can be a dedicated platform in the control center, a laptop in the LAN, or a browser on any system connected to the Internet
- Communication between Industrial Control Systems (ICS) / devices takes place over protocols like Modbus, DNP3, BACnet
[Diagram: same SCADA layout as above]

General Layout
- SCADA system general layout
- PLC control system implementation example
- Any command or instruction to the ICS from the Engineering workstation is considered trusted

The need for ICS security & Cyberoam solution

Attacks on critical infrastructure that have made news

Designed for segregated environments, ICS lack adequate security
- Lack of user integrity checks
- Unencrypted traffic (poor or no encryption)
- Moving from closed proprietary systems to more open, standardized platforms
- Typically use non-hardened networking stacks; applications seldom patched
- But then, why such attacks now?

Integration with IT/Corporate network
- Benefits: management ease, enhanced operational efficiency, reduced costs
- SCADA system now accessible from the corporate IT network
[Diagram: SCADA layout with an Engineering workstation added on the corporate side]

More users, risk of accidental misuse and malicious intent
- ICS directly accessible by users in the corporate network
- Risk of attacks and malware spreading between networks
- Need to protect the ICS control network from security risks

Introducing Cyberoam holistic security for ICS Infrastructure
- Network Security Appliances: UTM, NGFW (Hardware & Virtual)

Step 1. Add a Firewall between corporate network & control network
- Add a Cyberoam Firewall between the corporate network and the control network
- Define a security perimeter for the control network
- Segment the control network from the corporate network
- Contain faults/damage to the compromised zone and prevent it from spreading further
[Diagram: Corporate Network (workstation, printer, application server) | firewall | DMZ (data historian, data server) | Control Network (HMI, supervisory control system, Remote Terminal Units)]

Step 2. Set up a VPN for secure remote access

Challenge: Lack of controls over remote access to ICS/SCADA systems
- ICS accessed remotely by plant engineers, operators and vendors for monitoring status and fixing operational problems
- Unsecured remote access to ICS/SCADA systems over the web
- A hacker can intercept a weak remote communication and gain access to the control network
[Diagram: Vendor and Plant engineer reaching the SCADA network directly over the Internet]

Cyberoam solution: Secure remote access with VPN (SSL, IPSec)
- Secure authorized access over SSL VPN (or IPSec) on Cyberoam appliances
- Encrypted communication over the Internet
[Diagram: Vendor and Plant engineer connecting through a secure VPN connection to the DMZ and the Control Network]

Step 3. Visibility and control over ICS commands & instructions sent to Control network

Cyberoam Solution: Layer 7 visibility & control over ICS commands
- Firewall with application-aware (Layer 7) capabilities that provides granular visibility and control over ICS & SCADA protocols such as Modbus, DNP3, BACnet and more
- Cyberoam understands SCADA traffic
[Diagram: frame layers and the filter possible at each: Ethernet (MAC filter) > IP (source & destination address filter) > TCP (destination port filter) > SCADA protocol data (Modbus, BACnet, DNP3, IEC; Modbus read, Modbus write, Modbus return, Modbus diagnostics and more) > FCS]

Visibility into ICS commands sent to control network
- Which SCADA commands/instructions are being sent to the Control network
- Were these commands supposed to be sent at that time

Granular controls over ICS commands
- Selectively filter specific commands/functions like Modbus read, write, return, diagnostics etc.
- Schedule-based control on when specific SCADA apps can be accessed
- Modbus functions listed in the appliance's policy editor: Read Coils; Read Discrete Inputs; Read Holding Registers; Read Input Registers; Write Single Coil; Write Single Register; Read Exception Status; Diagnostics; Report Slave ID; Get Comm Event Counter; Get Comm Event Log; Write Multiple Coils; Write Multiple Registers; Read/Write Multiple Registers; Read Device Identification; Read FIFO Queue; Mask Write Register; Write File Record; Return Query Data; Restart Communications Option; Return Diagnostic Register; Change ASCII Input Delimiter; Force Listen Only Mode; Clear Counters and Diag. Reg.; Return Bus Message Count; Return Bus Comm. Error Count; Return Bus Exception Error Count; Return Slave Message Count; Return Slave No Response Count; Return Slave NAK Count; Return Slave Busy Count; Return Bus Char. Overrun Count; Clear Overrun Counter and Flag
[Diagram: Enterprise/Outside World | Corporate Network | DMZ | Control Network, with the Modbus function list applied at the firewall]

App visibility & control for Industrial Control Systems
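The Step 3 slides describe the appliance decoding the Modbus function code inside a TCP segment and allowing or denying it per function, per source and per schedule, on top of the zone segmentation from Step 1. The following is an added example, not Cyberoam code and not how the appliance is implemented: it parses the MBAP header and function code of a Modbus/TCP request, names the function (and the Diagnostics sub-function, since several of the listed entries such as Force Listen Only Mode are sub-functions of function 8), and then applies a policy that lets read-type functions through from the corporate zone, confines writes and state-changing diagnostics to one engineering host inside a maintenance window, and never forwards Force Listen Only Mode. Function and sub-function numbers come from the Modbus application protocol specification; the zones, the engineering host address, the maintenance hours and the sample frames are constructed for the example.

```python
"""Layer 7 filtering of Modbus/TCP commands at the corporate/control boundary.

Added example (not Cyberoam code). Function and sub-function numbers are from the
Modbus Application Protocol Specification; zones, hosts, schedule and sample frames
are constructed for illustration.
"""
import struct

# Public Modbus function codes
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    7: "Read Exception Status", 8: "Diagnostics", 11: "Get Comm Event Counter",
    12: "Get Comm Event Log", 15: "Write Multiple Coils", 16: "Write Multiple Registers",
    17: "Report Slave ID", 20: "Read File Record", 21: "Write File Record",
    22: "Mask Write Register", 23: "Read/Write Multiple Registers",
    24: "Read FIFO Queue", 43: "Read Device Identification",
}
# Sub-functions of function 8 (Diagnostics)
DIAG_SUBFUNCTIONS = {
    0: "Return Query Data", 1: "Restart Communications Option",
    2: "Return Diagnostic Register", 3: "Change ASCII Input Delimiter",
    4: "Force Listen Only Mode", 10: "Clear Counters and Diagnostic Registers",
    11: "Return Bus Message Count", 12: "Return Bus Communication Error Count",
    13: "Return Bus Exception Error Count", 14: "Return Slave Message Count",
    15: "Return Slave No Response Count", 16: "Return Slave NAK Count",
    17: "Return Slave Busy Count", 18: "Return Bus Character Overrun Count",
    20: "Clear Overrun Counter and Flag",
}
READ_ONLY = {1, 2, 3, 4, 7, 11, 12, 17, 20, 24, 43}      # do not alter device state
STATE_CHANGING_DIAG = {1, 3, 4, 10, 20}                  # diagnostics that do

# Constructed policy inputs (assumptions, not from the slides)
ENGINEERING_WORKSTATION = "10.1.5.20"   # only host allowed to write
MAINTENANCE_HOURS = range(22, 24)       # writes allowed 22:00-23:59 only
ALLOWED_ZONES = {"corporate", "dmz"}    # zones that may reach the control network


def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse MBAP header + function code; raise ValueError on malformed input."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError("protocol id %d is not Modbus" % pid)
    if length != len(frame) - 6:        # MBAP length covers unit id + PDU
        raise ValueError("MBAP length %d does not match frame size" % length)
    function = frame[7]
    info = {"transaction": tid, "unit": unit, "function": function, "subfunction": None,
            "name": FUNCTION_NAMES.get(function, "Unknown/vendor function %d" % function)}
    if function == 8:
        if len(frame) < 10:
            raise ValueError("Diagnostics request without sub-function")
        sub = struct.unpack(">H", frame[8:10])[0]
        info["subfunction"] = sub
        info["name"] = "Diagnostics / " + DIAG_SUBFUNCTIONS.get(sub, "sub-function %d" % sub)
    return info


def evaluate(frame: bytes, src_ip: str, src_zone: str, hour: int) -> tuple:
    """Return (verdict, reason) for one request heading into the control network."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as exc:
        return ("deny", "malformed: %s" % exc)
    fn, sub = req["function"], req["subfunction"]
    if src_zone not in ALLOWED_ZONES:
        return ("deny", "zone %s may not reach the control network" % src_zone)
    if fn in READ_ONLY or (fn == 8 and sub not in STATE_CHANGING_DIAG):
        return ("allow", req["name"])
    if fn == 8 and sub == 4:
        return ("deny", "Force Listen Only Mode is never forwarded")
    # Everything else changes device state: writes and intrusive diagnostics
    if src_ip != ENGINEERING_WORKSTATION:
        return ("deny", "%s from non-engineering host %s" % (req["name"], src_ip))
    if hour not in MAINTENANCE_HOURS:
        return ("deny", "%s outside maintenance window" % req["name"])
    return ("allow", req["name"] + " in maintenance window")


def mbap(function: int, pdu_body: bytes, tid: int = 1, unit: int = 1) -> bytes:
    """Build a Modbus/TCP request frame (used here to construct test input)."""
    pdu = bytes([function]) + pdu_body
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


if __name__ == "__main__":
    read_hr = mbap(3, struct.pack(">HH", 0, 10))         # Read Holding Registers 0..9
    write_coil = mbap(5, struct.pack(">HH", 7, 0xFF00))  # Write Single Coil 7 = ON
    listen_only = mbap(8, struct.pack(">HH", 4, 0))      # Diagnostics: Force Listen Only
    for frame, ip in ((read_hr, "10.1.5.99"), (write_coil, "10.1.5.99"),
                      (write_coil, ENGINEERING_WORKSTATION), (listen_only, ENGINEERING_WORKSTATION)):
        for hour in (10, 22):
            print("%02d:00 %-10s %s" % (hour, ip, evaluate(frame, ip, "corporate", hour)))
```

The length check against the MBAP header matters: a filter that keys only on the byte at offset 7 can be fed a frame whose declared length disagrees with the TCP payload, so the decision is made on a different byte than the PLC eventually parses. Denying anything that does not parse cleanly is the safer default at a control-network boundary.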
Step 4. Get visibility into devices accessing control network and limit access to authorized users

Visibility into devices accessing Control network
- From which devices are these commands sent?
- Is a non-approved machine sending any commands?

Challenge: Lack of user authentication over ICS protocols
- Lack of protection from an unauthorized user
  - Attempting to access an authorized machine
  - Spoofing the IP of an authorized machine
  - Accessing ICS/SCADA systems at unscheduled times
[Diagram: IP-based access to the SCADA system; an unauthorized user beside a user authorized to access the ICS, and access at an unscheduled time]

Cyberoam Solution: Adding user authentication for ICS/SCADA systems with Cyberoam's Layer 8 Technology
- Set user- or role-based access. Only authorized users access the ICS.
- Protection from an unauthorized user attempting to access an authorized machine or spoof its IP
- Schedule-based access to ICS
[Diagram: Enterprise/Outside World | Corporate Network | DMZ | Control Network; users Alex and John authenticate with username and password at the firewall, and one is denied]
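Step 4 asks the firewall to tie a control-network request to an authenticated user, the device that user logged in from, and a schedule, and to log every denial for the reports shown later in the deck. The block below is an added example, not Cyberoam code and not a description of its Layer 8 implementation: a small identity-aware gateway that binds a username to the IP and MAC it authenticated from, rejects the same IP when it reappears from a different MAC (the spoofing case on the slide), enforces per-user hours, and keeps an audit trail that can be summarised per user. The user names, addresses and schedules are constructed; the MAC 01-23-45-67-89-AB is the one used in the slide's diagram.

```python
"""Identity- and device-bound access to the control network (added example,
not Cyberoam code). Users, IPs, schedules and all MACs except the one taken
from the slide diagram are constructed."""
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    ip: str
    mac: str


@dataclass
class AccessRule:
    allowed_macs: frozenset   # devices this user may log in from
    hours: range              # local hours during which access is allowed


# Constructed directory of who may reach the control network, from what, and when
RULES = {
    "alex": AccessRule(frozenset({"01-23-45-67-89-ab"}), range(8, 18)),
    "john": AccessRule(frozenset({"0a-1b-2c-3d-4e-5f"}), range(0, 24)),
}


class IdentityFirewall:
    def __init__(self, rules):
        self.rules = rules
        self.sessions = {}    # ip -> Session, created at login
        self.audit = []       # one record per decision, for reporting

    def login(self, user, ip, mac, password_ok: bool) -> bool:
        """Bind user to (ip, mac) if credentials and device are acceptable."""
        mac = mac.lower()
        rule = self.rules.get(user)
        if rule is None or not password_ok:
            self._log("deny", user, ip, mac, "unknown user or bad credentials")
            return False
        if mac not in rule.allowed_macs:
            self._log("deny", user, ip, mac, "user not permitted from this device")
            return False
        self.sessions[ip] = Session(user, ip, mac)
        self._log("allow", user, ip, mac, "login")
        return True

    def check(self, ip, mac, hour) -> tuple:
        """Decide one request towards the control network: (verdict, detail)."""
        mac = mac.lower()
        sess = self.sessions.get(ip)
        if sess is None:
            self._log("deny", "-", ip, mac, "no authenticated user on this IP")
            return ("deny", "unauthenticated")
        if sess.mac != mac:
            # Authorized IP seen from a different NIC: treat as spoofing and drop the session
            del self.sessions[ip]
            self._log("deny", sess.user, ip, mac, "IP %s reused from a different MAC" % ip)
            return ("deny", "ip-spoof")
        if hour not in self.rules[sess.user].hours:
            self._log("deny", sess.user, ip, mac, "outside schedule")
            return ("deny", "unscheduled")
        self._log("allow", sess.user, ip, mac, "control network access")
        return ("allow", sess.user)

    def _log(self, verdict, user, ip, mac, reason):
        self.audit.append({"verdict": verdict, "user": user, "ip": ip,
                           "mac": mac, "reason": reason})

    def report(self) -> dict:
        """Denied attempts per user, the kind of summary an on-appliance report shows."""
        out = {}
        for rec in self.audit:
            if rec["verdict"] == "deny":
                out[rec["user"]] = out.get(rec["user"], 0) + 1
        return out


def demo():
    """Walk through the cases on the slide; returns (decisions, denial report)."""
    fw = IdentityFirewall(RULES)
    fw.login("alex", "10.1.5.20", "01-23-45-67-89-AB", password_ok=True)
    decisions = [
        fw.check("10.1.5.20", "01-23-45-67-89-AB", hour=10),  # authorized user, in hours
        fw.check("10.1.5.20", "01-23-45-67-89-AB", hour=23),  # unscheduled time
        fw.check("10.1.5.21", "0a-1b-2c-3d-4e-5f", hour=10),  # nobody logged in on that IP
        fw.check("10.1.5.20", "de-ad-be-ef-00-01", hour=10),  # alex's IP from another device
        fw.check("10.1.5.20", "01-23-45-67-89-AB", hour=10),  # session dropped after spoof
    ]
    return decisions, fw.report()


if __name__ == "__main__":
    for decision in demo()[0]:
        print(decision)
    print(demo()[1])
```

A MAC is only a weak device identifier and is invisible once traffic is routed, so the binding here stands in for whatever device evidence the gateway actually sees (in a routed deployment that would come from the authentication client or a certificate); the point of the example is the policy shape: user plus device plus time, with each failure producing a log record that the reporting step can aggregate.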
Cyberoam Solution: Adding user authentication for ICS/SCADA systems with Cyberoam's Layer 8 Technology (continued)
- Allow access to ICS based on a combination of users and devices
[Diagram: user Alex logging in from the device with MAC 01-23-45-67-89-AB is allowed into the Control Network; the same username from a device with a different MAC is denied]

Situational awareness with logs and reports giving real-time visibility
- Know who is accessing the ICS with logs/reports
- Visibility into commands given to ICS networks or actions, with time
- Visibility into unauthorized attempts, policy violations, VPN activities
- IPS alerts for any ongoing attacks on the ICS network
- On-appliance logging & reporting gives reports on: Users, Unauthorized attempts, SCADA commands, IPS alerts and more
[Diagram: plant engineer, vendor and corporate network/employees reaching the SCADA network through the appliance]

Over half a million ICS devices or related software products connected to the Internet can be attacked
- Project 'SHINE'
- Databases of SCADA/ICS systems connected to the Internet are available on the Internet. Hackers can readily use this information to plan an attack

Step 5. Protect ICS from Cyber attacks like malware and hackers
Challenge: Cyber attack through malware implantation in network when browsing online
- Malware over email to employees
- Lure employees to visit an infected website or app
- Waterhole attacks
  - Bad guys poison a website frequented by employees and/or the company
  - The hacker maliciously modifies the website code, or some desired object on the website is poisoned
[Diagram: SCADA layout with malware reaching it through employees' email and web browsing]

Cyberoam Solution: Prevent malware implantation in network when browsing online
- Blocks known malware
- Blocks malicious websites and apps
- Blocks infected and spam emails
- Gateway Anti-Virus: blocks infected emails and known malware served over websites from infecting the network
- Website filtering: blocks malicious and infected websites
- App filtering: blocks risky apps
- Anti-Spam: blocks spam emails
[Diagram: Corporate Network (workstation, printer, application server) | DMZ (data historian, data server) | Control Network, with the appliance between them]

Challenge: Cyber attack by exploiting vulnerabilities to breach the network defense
- Unpatched ICS systems
- Exploitation of ICS component vulnerabilities, e.g. exploitation of an RTU vulnerability
- Service-level exploits, e.g. web attacks, FTP attacks, Telnet or SSH attacks (exploitation of a service vulnerability)
[Diagram: SCADA layout with an RTU vulnerability and a service vulnerability marked as entry points]

Cyberoam Solution: Protection from hacking and vulnerability exploits
- IPS:
  - SCADA-aware IPS with a pre-defined category for ICS & SCADA signatures
  - Blocks hackers and unauthorized attempts from exploiting ICS component vulnerabilities
- Web Application Firewall:
  - Blocks web attacks like exploitation of HMI web-app vulnerabilities
- IPS + WAF: protection from service-level exploits; SCADA signatures in IPS & App filter
[Diagram: Enterprise/Outside World | Corporate Network | DMZ | Control Network, with IPS + WAF at the firewall]

IPS signatures for Industrial Control System

Ensure continuity of critical processes and operations
- High Availability: Active-Active & Active-Passive
- For both Route and Mixed deployments
[Diagram: two appliances in High Availability between the Corporate Network (workstation, printer, application server) and the Control Network (HMI, supervisory control system, data server, Remote Terminal Units)]

Cyberoam offers integrated security for Industrial Control Systems/SCADA over a single appliance
- DPI Firewall
- VPN
- Layer-8 Identity-based security
- Web Application Firewall
- Application Visibility & Control
- Anti-Virus
- IPS
- Web & Content Filtering
- UTM/NGFW appliances

Centralized Mgt & Visibility of ICS/SCADA and Corporate network
[Diagram: Main Control Center (HMI, supervisory control, app server, data server), Regional Control Center (HMI, supervisory control), Remote Station (HMI, RTU) and Corporate network (Admin, Finance, Support, Vendor) managed from one console]

Thank you
Contact: sales@cyberoam.com
www.cyberoam.com