
Cyber Security in Critical Infrastructure Control Systems

Cyber Security in Critical Infrastructure Control Systems. Presented by: Motty Anavi VP Business Development. A practical approach Entelec Spring 2013. Growing Awareness for ICS Cyber-Security. VIRUS INFECTION AT AN ELECTRIC UTILITY (Source: ICS CERT Jan. 2013)


Presentation Transcript


  1. Cyber Security in Critical Infrastructure Control Systems – A practical approach
     Presented by: Motty Anavi, VP Business Development
     Entelec Spring 2013

  2. Growing Awareness for ICS Cyber-Security
     VIRUS INFECTION AT AN ELECTRIC UTILITY (Source: ICS-CERT, Jan. 2013)
     In early October 2012, a power company contacted ICS-CERT to report a virus infection in a turbine control system which impacted approximately ten computers on its control system network. Discussion and analysis of the incident revealed that a third-party technician used a USB-drive to upload software updates during a scheduled outage for equipment upgrades. Unknown to the technician, the USB-drive was infected with a variant of the Mariposa virus. The infection resulted in downtime for the impacted systems and delayed the plant restart by approximately 3 weeks.

  3. Advanced Persistent Threats
     • Escalation: “bragging rights” -> organized crime -> nation states
     • Opportunistic versus targeted
     • Recent examples:
       • Stuxnet – industrial sabotage -> Iranian uranium enrichment program
       • Ghostnet – stole diplomatic communications -> embassies, Dalai Lama
       • Aurora – stole source code and other intellectual property -> Google
       • Night Dragon – industrial and commercial intelligence -> large oil companies

  4. Stuxnet – Targeted Attack on ICS

  5. “Most Sophisticated Worm Ever”
     • Exploited multiple Windows zero-day vulnerabilities
     • Targets Siemens PLCs to sabotage the physical process
     • Spreads via multiple media:
       • USB/removable media
       • 3 network techniques
       • PLC project files
       • Windows database connections
     • Drivers digitally signed with legitimate (stolen) certificates
     • Installs cleanly on all Windows variants
     • Conventional OS rootkit; detects and avoids major anti-virus products
     • Advanced reverse-engineering protections

  6. How Stuxnet Infects a System
     Infected removable media:
     • Exploits vulnerability in Windows Shell handling of .lnk files (0-day)
     • Used older vulnerability in autorun.inf to propagate
     Local area network communications:
     • Copies itself to accessible network shares, including administrative shares
     • Copies itself to print servers
     • Uses “Conficker” vulnerability in RPC
     Infected Siemens project files:
     • Installs in SQL Server database via known and legitimate (stolen) credentials
     • Copies into project files
     Source: Byres Security

  7. “Secure” Private Industrial Network – The Smart Grid
     • MV/LV transformers on poles now enhanced with Smart-Grid equipment
     • Distributed automation in secondary sub-stations
     • Inter-connected by regional Ethernet networks with overlaying application communication using simple automation control protocols (IEC 60870, DNP3)
       ⇒ An attacker gaining access to one site can manipulate the operation of the devices in other sites
     • Vulnerability: distributed large-scale open internal networks
     “smart grid cyber-security guidelines did not address an important element… risk of attacks that use both cyber and physical means”
     – Electricity Grid Modernization; Report to Congressional Requesters, US GAO, January 2011

  8. The Great Wall of China Defense
     • Firewalls are designed to keep intruders out
     • Some provide impervious walls
     • BUT: once you break the physical constraint you can reach every point in the internal network
     • Antivirus software is designed to identify known signatures and flag or block “suspicious activity”
     • Antivirus software does not “know” what each application does
     • These defenses restrict access, but once overcome they are ineffective
     • The great wall is only as effective as its weakest link

  9. Vulnerability in Many Current Designs
     [Diagram: Remote Substation and Secure Network; “You’re part of the Secure Network – Pass” versus “Thou Shall Not Pass”]
     • Solution: Defense-in-Depth security architecture
     “An aggregated security posture help defend against cyber-security threats and vulnerabilities that affect an industrial control system”
     – Strategy for Securing Control Systems, US DHS, October 2009

  10. Origin of Defense-in-Depth – in IT
      “A military strategy sometimes called elastic defense. Defense in depth seeks to delay rather than prevent the advance of an attacker, buying time and causing additional casualties by yielding space.”
      http://en.wikipedia.org/wiki/Defense_in_depth
      “…the practice of layering defenses to provide added protection. Defense in depth increases security by raising the cost of an attack. This system places multiple barriers between an attacker and your business critical information resources: the deeper an attacker tries to go, the harder it gets.”
      – Brooke Paul, Jul 01, Security Workshop at Network Computing

  11. Defense-in-Depth Strategy (IAS Thomas E. Anderson briefing slides)
      • Information Assurance Strategy
        • Ensuring confidentiality, integrity, and availability of data
      • People
        • Hire talented people, train and reward them
      • Technology
        • Evaluate, implement, test and assess
      • Operations
        • Maintain vigilance, respond to intrusions, and be prepared to restore critical services

  12. Defense-in-Depth Security Model

  13. Distributed Firewall Deployment
      • Secure end-devices
        • Integrated: space, power
        • Operational stability
        • Install-base
      • Mini-firewall per site
        • Available technology
        • Stand-alone: space, power
        • Network complexity
      • Network-based firewalls
        • Integrated: space, power
        • Network simplicity
        • Technology emerging
      Integrated firewalls as part of the network design

  14. Utilities Cyber Security Threats & Counter-measures
      Attack vector            Security measure
      Control-Center malware   Service-aware firewall
      Field-site breach        Distributed firewalls
      Man-in-the-Middle        Encryption
      Remote maintenance       Secure remote access

  15. Defense-in-Depth Tool-set
      • Advanced security measures integrated in the switch, using a dedicated service engine
      • Enables easy deployment of an extensive defense-in-depth solution
      Function              Required feature
      App-aware firewall    Service validation
      Remote access         SSH gateway
      Inter-site VPN        IPsec tunnels
      Access control        L2-L4 filters

  16. Inter-site Connectivity
      • GRE tunnels used for transparent connectivity of private Ethernet networks across the Internet
      • IPsec used to encrypt the GRE tunnels
      [Diagram: Private ETH Network – Internet – Private ETH Network]

  17. Secure Remote Access
      • Integrated remote access gateway using an encrypted SSH tunnel
      • Optionally use reverse-SSH initiated from the secure site
      • Access rights per user (locally or from a RADIUS server)
      • SSH tunnel used as a secure transport for any user IP-based session
      • User session re-routed to a local host which sends the data via the SSH tunnel
      • Gateway acts as a session proxy, hiding the local network
      • On-line app-aware session security checks are performed
      [Diagram: Ethernet / Internet / RS-485 / RS-232]

  18. Distributed Service-aware Firewall Deployment
      • Service-aware inspection of traffic in every end-point
        • Rule-based validation of SCADA flows
        • Blocking an “insider” attack
      • Firewall integrated in multi-service network switches
        • Efficient IPS deployment for distributed small sites
        • Protection for serial & ETH devices
      • Central service management tool
        • End-to-end provisioning of security rules
        • Reporting network-wide security events
      Defense-in-depth is the answer to securing distributed utility networks

  19. Firewall IPS inspection flow

  20. Security – Modbus Application-Aware Firewall Example
      • Modbus Function Codes

  21. Application-aware Firewall
      • Using a network management tool the user plans his network and maps the service groups in it
      • For each pair of devices, specific firewall rules on the application level can be applied (function codes, address ranges, etc.)
      • The user can select multiple device pairs to apply the same firewall profile

  22. Auto-Learning Capabilities
      • Any deviation from the firewall rules is logged in the switch and reported to the central management tool
      • Security events are shown on the map and in a dedicated events log
      • Simulate mode can be used to learn the network traffic flows
        • The “illegal” traffic is reported but not blocked
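The application-aware firewall of slides 20-22 (per-device-pair rules on Modbus function codes and address ranges, enforce versus simulate mode, and learning rules from observed flows) can be sketched in code. The example below is added here and is not code from the presentation or from the vendor it describes. The Modbus/TCP framing follows the public Modbus application protocol; the device addresses, the `Rule`/`Policy` shape, the `ModbusFirewall` class and the `learn_policy` helper are constructed for illustration.

```python
# Added example (not from the presentation): service-aware Modbus/TCP rule
# check with enforce/simulate modes and a learning step, as on slides 20-22.
# IPs, rules and sample frames are constructed for illustration.
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Function code names from the public Modbus application protocol spec
FC_NAMES = {1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
            4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
            8: "Diagnostics", 15: "Write Multiple Coils", 16: "Write Multiple Registers"}
ADDR_QTY_FCS = {1, 2, 3, 4, 15, 16}   # PDU carries start address + quantity
ADDR_VALUE_FCS = {5, 6}               # PDU carries start address + single value


@dataclass(frozen=True)
class ModbusRequest:
    unit_id: int
    function: int
    start_addr: Optional[int]  # None for functions without an address field
    count: int                 # coils/registers touched (1 for single writes)


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Decode the MBAP header and the address fields of a Modbus/TCP request."""
    if len(frame) < 8:
        raise ValueError("short frame")
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id is not Modbus")
    if length != len(frame) - 6:          # MBAP length counts unit id + PDU
        raise ValueError("length field does not match frame size")
    fc = frame[7]
    if fc in ADDR_QTY_FCS and len(frame) >= 12:
        start, qty = struct.unpack(">HH", frame[8:12])
        return ModbusRequest(unit, fc, start, qty)
    if fc in ADDR_VALUE_FCS and len(frame) >= 10:
        (start,) = struct.unpack(">H", frame[8:10])
        return ModbusRequest(unit, fc, start, 1)
    return ModbusRequest(unit, fc, None, 0)


def build_request(tid: int, unit: int, fc: int, start: int, word: int, data: bytes = b"") -> bytes:
    """Build a sample request; `word` is the quantity (reads, multi-writes) or the value (single writes)."""
    body = struct.pack(">BBHH", unit, fc, start, word) + data
    return struct.pack(">HHH", tid, 0, len(body)) + body


@dataclass
class Rule:
    functions: Set[int]
    addr_range: Tuple[int, int]  # inclusive first and last permitted address


Policy = Dict[Tuple[str, str], List[Rule]]  # keyed by (source IP, destination IP)


def rule_permits(rule: Rule, req: ModbusRequest) -> bool:
    if req.function not in rule.functions:
        return False
    if req.start_addr is None:                # nothing further to check
        return True
    lo, hi = rule.addr_range
    last = req.start_addr + max(req.count, 1) - 1
    return lo <= req.start_addr and last <= hi


class ModbusFirewall:
    def __init__(self, policy: Policy, simulate: bool = False):
        self.policy = policy
        self.simulate = simulate      # simulate mode: report violations, do not block
        self.events: List[dict] = []  # what the switch would report to the management tool

    def check(self, src: str, dst: str, frame: bytes) -> str:
        """Return 'allow', 'block' (enforce mode) or 'report' (simulate mode)."""
        try:
            req = parse_modbus_tcp(frame)
        except ValueError as err:
            return self._violation(src, dst, None, f"malformed frame: {err}")
        rules = self.policy.get((src, dst))
        if rules is None:
            return self._violation(src, dst, req, "no rule for this device pair")
        if any(rule_permits(r, req) for r in rules):
            return "allow"
        return self._violation(src, dst, req, "function code or address range not permitted")

    def _violation(self, src, dst, req, reason) -> str:
        fc = req.function if req is not None else None
        self.events.append({"src": src, "dst": dst, "function": fc,
                            "name": FC_NAMES.get(fc, "unknown"), "reason": reason})
        return "report" if self.simulate else "block"


def learn_policy(observed: List[Tuple[str, str, bytes]]) -> Policy:
    """Propose one rule per device pair covering every flow seen in simulate mode
    (a starting point for operator review, not a finished policy)."""
    policy: Policy = {}
    for src, dst, frame in observed:
        req = parse_modbus_tcp(frame)
        rule = policy.setdefault((src, dst), [Rule(set(), (0xFFFF, 0))])[0]
        rule.functions.add(req.function)
        if req.start_addr is not None:
            lo, hi = rule.addr_range
            last = req.start_addr + max(req.count, 1) - 1
            rule.addr_range = (min(lo, req.start_addr), max(hi, last))
    return policy
```

A read that starts inside the permitted range but runs past its end is rejected on the whole request, and an unknown device pair or malformed frame is reported with a reason, so the events list mirrors the per-switch log the slides describe.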

  23. Connecting the Sub-station LANs – Current Status
      Network limitations:
      • SCADA direct access to S.S. IEDs
      • Field technician access to:
        • Other sub-stations
        • Central storage
        • Facility RTU
      • Remote technician access to RTUs and IEDs in all S.Ss
      • Data-sharing between S.Ss
      [Diagram: Control Center (SCADA, Storage) – Internet / SONET/Packet Network – Sub-Station (Facility RTU, Sub-station RTU, Sub-station IEDs); Remote Technician; Field Technician]
      Need a unified sub-station LAN with secure inter-site connectivity

  24. Connecting the Sub-station LANs – Future Evolution
      Use a secure switch connecting the LAN devices to the backbone:
      • Network segmentation using VLANs/subnets
      • App-aware firewall per device
      • Secure remote access
      • Serial-to-ETH protocol gateway
      [Diagram: Control Center (SCADA, Storage) – Internet / SDH/Packet Network – Sub-Station (Facility RTU, S.S. RTU, Sub-station IEDs); Remote Technician; Field Technician]

  25. Summary
      • When modern critical infrastructure deployments use Ethernet
        • Intra-network security is mandatory
      • To meet evolving security standards and threats, service-aware Industrial Ethernet solutions must have:
        • Unique distributed service-aware firewall
        • Integrated defense-in-depth
        • Reliable network capabilities
        • Easy management and configuration
        • Optimized to minimize integration cost

  26. Cyber Security Sub Committee
      • Goal:
        • Enhance understanding of cyber security issues as they relate to ICS and SCADA
        • Advocate for the industry with the most effective ways to tackle ICS security
      • In the process of defining priorities
        • Survey in process
      • Looking for more participation
        • Please contact me via board or directly at: motty@radusa.com, 201-378-0213 if interested

  27. For more information:
      Motty Anavi, VP Business Development
      motty@radusa.com
      (201) 378-0213
