Firewall Deployment for SCADA-PCN

Network Security
Questions a firewall deployment has to answer:
- How closed does your network need to be?
- How open can you afford your network to be?
- Where is the vulnerability coming from?
- How can the vulnerability be mitigated?
- How do you detect that someone unauthorized is trying to jeopardize network services?
- How can business continuity be maintained in the long run with the steps taken?
- How do you anticipate future requirements?
Types of Attacks
1. Denial of Service
2. Unauthorized Access: attempts to reach a command shell
3. Illicit Command Execution:
   - Cracking the administrator's password
   - Changing an IP address
   - Planting a start-up script
4. Confidentiality Breach
5. Destructive Attacks:
   - Data diddling (unauthorized alteration of data)
   - Data destruction
Network Security
Balancing act between:
- Keeping equipment and processes protected.
- Allowing them to reach larger computing realms via Ethernet protocols and the Internet to gain new connections and capabilities.
Solution:
- A multiple-zone network with sub-zones.
Figure: Generic IT security goals versus ICS security goals
Figure: Assessment process flow chart
Figure: OSI Model – 7 Layers
Network Security Tools
- Intelligent network switches and routers
- Firewalls
- Hardware and software devices for managing network connections
- User authentication
- Data encryption
- DMZ
Firewall
A firewall is a mechanism used to control and monitor traffic to and from a network for the purpose of protecting the devices on that network.
- Compares traffic passing through it against predefined security criteria
- Can be a dedicated hardware appliance (Cisco PIX or Symantec Security Gateway)
- Can be a hardware/software unit with OS-based firewall capabilities ("iptables" running on a Linux server)
- Can be a host-based software solution installed directly on the workstation (Norton Personal Firewall or Sygate Personal Firewall)
Figure: Internet-facing firewall protecting PC & PLC

Content of Network Traffic
Network traffic is sent in discrete groups of bits called packets. Each packet includes:
- The sender's identity (source address)
- The recipient's identity (destination address)
- The service to which the packet pertains (port number)
- Network operation and status flags
- The actual payload of data to be delivered to the service
A firewall analyzes these characteristics and decides what to do with the packet based on a series of rules, known as Access Control Lists (ACLs).
Classes of Firewall: Host-Based Firewalls
- Available on Windows- or Unix-based platforms
- The host's primary function is workstation or server tasks such as database access or web services; filtering is secondary
- Can do little to regulate traffic destined for embedded control devices
Classes of Firewall: Packet Filter Firewall
- Simplest class of firewall, following a set of static rules
- Only the IP addresses and port numbers of the packet are examined
- No intelligence to identify spoofed packets (forged source IP address)
Classes of Firewall: Application Proxy Firewalls
- Open packets at the application layer
- Process them according to application-specific rules
- Reassemble and forward them to the target devices
- No direct connection between the client and the external server
- Internal clients can be configured to redirect traffic through the proxy without the sender's knowledge
- Access control lists can be applied against the application protocol itself
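The difference between the packet filter and the application proxy is easiest to see on one packet. The simulation below is an added example, not code from the slides: a stateless ACL that matches only addresses and ports (so a packet arriving on the enterprise side with a forged PCN source address is accepted until an anti-spoofing rule is placed first), beside a proxy that opens the payload and decides on the application-level operation. Only the PI server address and port (10.0.120.202, TCP 5450) come from the deck; the PCN range, the PLC and workstation addresses, the rules and the use of Modbus/TCP (MBAP header plus function code) as the application protocol are assumptions chosen for illustration.

```python
"""Packet-filter vs. application-proxy behaviour, simulated in plain Python.

Added example; not code from the original slides. Only the PI server
address/port (10.0.120.202, TCP 5450) comes from the deck. The PCN range,
the PLC/workstation addresses, the ACLs and the choice of Modbus/TCP as the
application protocol are assumptions made for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Packet:
    iface: str            # interface the packet arrived on: "ent" (enterprise) or "pcn"
    src: str
    dst: str
    dport: int
    payload: bytes = b""

@dataclass
class Rule:
    action: str                    # "allow" or "deny"
    iface: Optional[str] = None    # None = any interface
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None    # None = any port

    def matches(self, p: Packet) -> bool:
        return ((self.iface is None or self.iface == p.iface)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))

def packet_filter(rules: list, p: Packet) -> str:
    """Stateless ACL: first matching rule wins; unmatched traffic is denied."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"

PCN = "10.0.120.0/24"                              # assumed control-network range
PLC, EWS, PI = "10.0.120.10", "10.0.120.50", "10.0.120.202"   # PLC and workstation assumed

# Naive ACL: looks only at addresses and ports, exactly as a packet filter does.
NAIVE_ACL = [
    Rule("allow", src=EWS + "/32", dst=PLC + "/32", dport=502),
    Rule("allow", dst=PI + "/32", dport=5450),
]
# Hardened ACL: the anti-spoofing rule comes first, so a packet that arrives on the
# enterprise interface claiming a PCN source address is dropped before any allow rule.
HARDENED_ACL = [Rule("deny", iface="ent", src=PCN)] + NAIVE_ACL

# Application proxy: open the payload and decide on the Modbus function code.
MODBUS_READ_FC = {1, 2, 3, 4}          # read coils / discrete inputs / holding / input registers

def modbus_function_code(payload: bytes) -> Optional[int]:
    """Parse an MBAP header (7 bytes) + PDU; return the function code, or None if not Modbus/TCP."""
    if len(payload) < 8:
        return None
    length = int.from_bytes(payload[4:6], "big")   # bytes following the length field
    if payload[2:4] != b"\x00\x00" or length != len(payload) - 6:
        return None
    return payload[7]

def application_proxy(p: Packet) -> str:
    """Allow Modbus/TCP reads only; block writes and anything that does not parse."""
    if p.dport != 502:
        return "deny"
    fc = modbus_function_code(p.payload)
    return "allow" if fc in MODBUS_READ_FC else "deny"

# Constructed sample frames: read holding register (FC 3) and write single register (FC 6).
READ_HOLDING = bytes.fromhex("000100000006" "01" "03" "00000001")
WRITE_SINGLE = bytes.fromhex("000200000006" "01" "06" "00010001")

def demo() -> dict:
    legit = Packet("pcn", EWS, PLC, 502, READ_HOLDING)
    spoofed = Packet("ent", EWS, PLC, 502, WRITE_SINGLE)      # forged PCN source, from outside
    pi_client = Packet("ent", "10.10.5.7", PI, 5450)            # enterprise PI client (assumed)
    return {
        "legit/naive": packet_filter(NAIVE_ACL, legit),
        "spoofed/naive": packet_filter(NAIVE_ACL, spoofed),     # allowed: only addresses are checked
        "spoofed/hardened": packet_filter(HARDENED_ACL, spoofed),
        "pi/hardened": packet_filter(HARDENED_ACL, pi_client),
        "read/proxy": application_proxy(legit),
        "write/proxy": application_proxy(Packet("pcn", EWS, PLC, 502, WRITE_SINGLE)),
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18} {verdict}")
```

The spoofed packet passes the naive ACL because the filter has nothing but the header fields to go on; the fix is an interface-aware rule, not a smarter address match. The proxy, by contrast, can refuse a write to the PLC even from a legitimately addressed workstation, which is the ACL "against the application protocol" the slide refers to.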
Other Firewall Services
- Acting as an intrusion detection system: logging denied packets, recognizing packets specifically crafted to cause problems, reporting unusual traffic patterns
- Blocking infected traffic by deploying front-line anti-virus software on the firewall
- Authentication services through passwords or public-key encryption
- Virtual Private Network (VPN) gateway services, by setting up an encrypted tunnel between the firewall and remote host devices
- Network Address Translation (NAT), where a set of IP addresses used on one side of the firewall is mapped to a different set on the other side
Overall Security Goals of PCN/SCADA Firewalls
- No direct connection from the Internet to the PCN/SCADA network, and vice versa
- Restricted access from the enterprise network to the control network
- Unrestricted (but authorized) access from the enterprise network to shared PCN/enterprise servers
- Secured methods for authorized remote support of the control system
- Secure connectivity for wireless devices
- Well-defined rules outlining the type of traffic permitted
- Monitoring of traffic attempting to enter the PCN
- Secure connectivity for management of the firewall
Firewall Selection Criteria
Security: the likely effectiveness of the architecture in preventing possible attacks.
Manageability: the ability of the architecture to be managed easily, both locally and remotely.
Scalability: the ability of the architecture to be deployed effectively in both large and small systems, or in large numbers.
Common SCADA/PCN Segregation Architectures (figures)
- Dual-homed computers
- Dual-homed server with personal firewall software
- Packet-filtering router / Layer-3 switch between PCN & EN
- Two-port firewall between PCN & EN
- Router/firewall combination between PCN & EN
DMZ
The DMZ is a critical part of a firewall deployment.
- Neither part of the untrusted network nor part of the trusted network
- Adds an additional layer of security to the DDCMIS LAN
- A physical or logical sub-network that provides services to users outside the LAN
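The security goals listed earlier and the firewall-with-DMZ architecture come together as a zone policy: which zone may open connections to which other zone, on which ports. The following is an added example, not the original site's configuration, that expresses such a policy and audits it against two of the stated goals (no direct Internet-PCN flow in either direction; enterprise-to-PCN access restricted rather than open). Zone ranges, the DMZ host roles and every allowed flow are assumptions for illustration; only the PI server address and port (10.0.120.202, TCP 5450) come from the deck.

```python
"""Zone policy for a firewall-with-DMZ segregation between the enterprise
network (EN) and the PCN, with a self-audit against the deck's stated goals.

Added example, not the slides' configuration. Zone ranges, DMZ host roles and
allowed flows are assumptions; only the PI server (10.0.120.202, TCP 5450)
comes from the deck.
"""
from ipaddress import ip_address, ip_network

# Assumed addressing. Anything outside the named zones is treated as Internet.
ZONES = {
    "enterprise": ["10.10.0.0/16"],
    "dmz":        ["10.0.120.0/24"],                 # PI server, gateway PC
    "pcn":        ["10.0.1.0/24", "10.0.2.0/24"],    # plant networks
}

def zone_of(ip: str) -> str:
    addr = ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in ip_network(n) for n in nets):
            return name
    return "internet"

# Allowed inter-zone flows: (source zone, destination zone) -> allowed TCP ports,
# or "any". Pairs that are absent are denied. Unrestricted access is reserved
# for the shared DMZ servers; the PCN is reached only from the DMZ, plus a
# narrowly restricted support path from the enterprise side.
POLICY = {
    ("enterprise", "dmz"): "any",    # PI clients -> PI server (5450) and other shared servers
    ("dmz", "pcn"):        {135},    # gateway PC (PI OPC interface) -> OPC server, DCOM endpoint mapper (assumed)
    ("enterprise", "pcn"): {3389},   # authorized remote support, RDP only (assumed)
}

def check(src_ip: str, dst_ip: str, dport: int, policy: dict = POLICY) -> str:
    """Decide an inter-zone connection attempt; intra-zone traffic is not firewalled."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return "allow"
    allowed = policy.get((src, dst))
    if allowed is None:
        return "deny"
    return "allow" if allowed == "any" or dport in allowed else "deny"

def audit(policy: dict) -> list:
    """Return the stated goals that a policy violates (empty list = clean)."""
    problems = []
    for (src, dst), ports in policy.items():
        if {src, dst} == {"internet", "pcn"}:
            problems.append(f"{src}->{dst}: no direct Internet<->PCN connection is permitted")
        if (src, dst) == ("enterprise", "pcn") and ports == "any":
            problems.append("enterprise->pcn: access must be restricted, not 'any'")
    return problems

if __name__ == "__main__":
    for flow in [("10.10.5.7", "10.0.120.202", 5450),   # PI client -> PI server
                 ("10.10.5.7", "10.0.1.20", 502),        # EN host -> PLC: blocked
                 ("203.0.113.9", "10.0.1.20", 502),      # Internet -> PLC: blocked
                 ("10.0.1.20", "203.0.113.9", 443)]:     # PLC -> Internet: blocked
        print(flow, check(*flow))
    print("audit:", audit(POLICY) or "clean")
```

Keeping the audit next to the policy matters more than it looks: a later "temporary" rule that opens the enterprise-to-PCN pair to any port is exactly the kind of change that turns a DMZ design back into a two-port firewall, and the check catches it before the rule is pushed.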
Common SCADA/PCN Segregation Architectures (figures, continued)
- Firewall with DMZ between PCN & EN
- Paired firewalls with DMZ between PCN & EN
- Firewall with DMZ and SCADA/PCN VLAN
- Comparison chart for PCN/SCADA segregation architectures
DDCMIS NETWORK SECURITY MEASURES
TAKEN AT NTPC/TALCHER-KANIHA
Figure: Network Topology
Office Network with the PI Server (10.0.120.202, port 5450); firewalls between the Office Network and the plant networks; Gateway PCs running the PI OPC Interface in front of the plant OPC servers (Honeywell OPC Server for the Stage II Plant Network, Units 3 and 6 on Honeywell Experion Systems; Keltron OPC Servers for Units 1 and 2 on the Stage I Plant Network); ABT Network with ABT OPC Server + PI OPC Interface behind its own firewall.
Figure: Network Topology (detail)
Office Network (NTPC LAN) with PI Client and PI Server (10.0.120.202, port 5450); Firewall-1 and Firewall-2 in front of the Gateway PC and the Honeywell WAN Server; L-3 switches to the Stage II Plant Network (Main and Standby OPC Servers; Units 3 and 6 on Honeywell Experion Systems); Unit 1 and Unit 2 DDCMS; Firewall-3 in front of the ABT Network (redundant ABT OPC Server + PI OPC Interface).
Figure: Typical Station LAN of Talcher-II before PI connectivity
Station LAN switch and station LAN server; unit HMI LAN and unit HMI servers for Units 3, 4, 5 and 6 (control system); BPOS system for U#3,4,5&6; U#3 switch, PR switch, PT plant switch and service building switch; plant PLCs (CHP-1, CHP-2, DM plant, PT plant, cooling tower 1 and 2, ash handling, AC, CPU, fire-proof, ESP PCs #3,4,5,6); OWS/LVS in CCR, OWS in PR & CER, MOR PC, SWAS PC; Gateway PC; a single firewall toward the IT LAN (PC1 … PCn, server) used by the heads of O&M, operations and boiler/turbine maintenance, the head of project, the C&I shift in-charge and the C&I maintenance engineers.
Figure: Station LAN of Talcher-II after PI connectivity, and PI system connectivity at Talcher-II
Same station LAN as above, with a DMZ added behind the firewall that holds the PI Interface alongside the Gateway PC; the PI Server serves the PI clients on the NTPC Office LAN, so no office host connects to the unit HMI LAN or the PLCs directly.
Network Testing Methodology
Steps:
1. Review the existing LAN of NTPC/Talcher Kaniha
2. Perform a bandwidth assessment test
3. Perform a vulnerability test
4. Conduct a penetration test
5. Conduct a security audit
6. Conduct a CCTV demo between Talcher Kaniha & EOC-NOIDA
7. Recommendations and suggested upgrades
Vulnerability Test on Servers
Finding vulnerabilities in the operating system and the servers. Tools:
- NMAP: to map open ports
- NESSUS: to identify the applications running on the target servers and their known vulnerabilities
- MBSA: to find missing patches on the operating system and applications
Port scanning and network mapping: used Traceroute, Hping2, Xprobe2 and Nmap.
Fingerprinting and vulnerability mapping: server operating system (Gateway PC) fingerprinting; security patch review using Microsoft Baseline Security Analyzer (MBSA).
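A port map is only useful against a baseline of what each host is supposed to expose. The script below is an added example, not the slides' own tooling: it parses Nmap's grepable output (-oG) for the DMZ hosts and reports open ports that are not in the per-host baseline, plus baseline ports that were not seen open. The scan text is constructed (only the PI server 10.0.120.202 / TCP 5450 comes from the deck; the gateway PC address, the third host and the baseline are assumptions).

```python
"""Compare an Nmap grepable-output (-oG) scan against a per-host baseline of
expected open ports, to find services that should be turned off.

Added example, not the slides' tooling. The scan text is constructed; only
the PI server 10.0.120.202 / TCP 5450 comes from the deck. The baseline and
the other hosts are assumptions.
"""
from typing import Dict, List, Set, Tuple

# Constructed sample of `nmap -sS -oG -` output. "Host:" lines carry tab-separated
# fields; each "Ports:" entry is port/state/proto/owner/service/rpc/version/.
SAMPLE_SCAN = (
    "# Nmap 7.94 scan initiated as: nmap -sS -oG - 10.0.120.0/24\n"
    "Host: 10.0.120.202 ()\tStatus: Up\n"
    "Host: 10.0.120.202 ()\tPorts: 135/open/tcp//msrpc///, 445/open/tcp//microsoft-ds///, "
    "5450/open/tcp//unknown///\tIgnored State: closed (997)\n"
    "Host: 10.0.120.50 ()\tPorts: 21/open/tcp//ftp///, 135/open/tcp//msrpc///, "
    "3389/open/tcp//ms-wbt-server///\tIgnored State: filtered (997)\n"
    "Host: 10.0.120.77 ()\tPorts: 80/open/tcp//http///, 23/filtered/tcp//telnet///"
    "\tIgnored State: closed (998)\n"
    "# Nmap done -- 256 IP addresses (3 hosts up) scanned\n"
)

# Assumed baseline: the only TCP ports each host is supposed to expose.
BASELINE: Dict[str, Set[int]] = {
    "10.0.120.202": {5450, 135},   # PI server: PI protocol plus DCOM endpoint mapper
    "10.0.120.50":  {135, 3389},   # gateway PC: DCOM plus RDP for remote support
}

def parse_gnmap(text: str) -> Dict[str, Set[Tuple[int, str, str]]]:
    """Map each host to its (port, proto, service) entries that are in state 'open'."""
    hosts: Dict[str, Set[Tuple[int, str, str]]] = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue
        fields = line.split("\t")
        ip = fields[0].split()[1]
        hosts.setdefault(ip, set())
        for field in fields[1:]:
            if not field.startswith("Ports: "):
                continue
            for entry in field[len("Ports: "):].split(", "):
                parts = entry.split("/")
                port, state, proto, service = int(parts[0]), parts[1], parts[2], parts[4]
                if state == "open":
                    hosts[ip].add((port, proto, service))
    return hosts

def find_unexpected(scan: Dict[str, Set[Tuple[int, str, str]]],
                    baseline: Dict[str, Set[int]]) -> Dict[str, List[Tuple[int, str]]]:
    """Open ports absent from the host's baseline; a host with no baseline is fully flagged."""
    findings = {}
    for ip, entries in scan.items():
        expected = baseline.get(ip, set())
        extra = sorted((port, service) for port, _, service in entries if port not in expected)
        if extra:
            findings[ip] = extra
    return findings

def missing_expected(scan: Dict[str, Set[Tuple[int, str, str]]],
                     baseline: Dict[str, Set[int]]) -> Dict[str, List[int]]:
    """Baseline ports not seen open: a service is down, or the baseline is stale."""
    result = {}
    for ip, expected in baseline.items():
        seen = {port for port, _, _ in scan.get(ip, set())}
        if expected - seen:
            result[ip] = sorted(expected - seen)
    return result

if __name__ == "__main__":
    scan = parse_gnmap(SAMPLE_SCAN)
    for ip, extra in find_unexpected(scan, BASELINE).items():
        print(f"{ip}: unexpected open ports {extra}")
    for ip, gone in missing_expected(scan, BASELINE).items():
        print(f"{ip}: expected but not open {gone}")
```

Run against a real scan file with `parse_gnmap(open("pcn.gnmap").read())`. A host that turns up with no baseline entry at all (10.0.120.77 in the sample) is reported in full, since an unknown device on the DMZ or PCN segment is a finding in its own right.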
LAN Capacity Testing
Bandwidth testing:
- To find out the used bandwidth of the network
- To identify potential bottlenecks
Tool used: PRTG
Methodology: port mirroring. All Tx/Rx traffic of the WAN Server, MOR Server and Gateway PC is mirrored to the grapher.
Penetration Test
Testing of the network and its components for security weaknesses.
Flowchart: NMAP -> Nessus -> Ethereal -> Hping2/Firewalk -> password-cracking tool / web-server scanner / OS fingerprinting / SNMP tests

Penetration Tools
- Ethereal: sniffs network traffic to find cleartext usernames and passwords
- Hping2: command-line TCP/IP packet assembler/analyzer, used for firewall testing, advanced port scanning and remote OS fingerprinting
- Firewalk: used to enumerate the firewall's rules and ACLs
- Cain & Abel, John the Ripper, L0phtCrack: password auditing tools
- Brutus: password cracker
Network Security To-Do List
- Turn on virus protection software and be vigilant about installing patches
- Use complex passwords that include numbers and mixed characters
- Install firewalls, and monitor them to check who is accessing them and what software they are using
- Turn off unnecessary ports and devices
- Turn down and lock down PCs as much as possible
- Train staff to follow security policies
Information Security Team Structure
- Chairman (HOD-C&I)
- Information Security Manager
- Information Security Coordinator
- System Administrator, Network Administrator, Database Administrator