Trend Micro Cybersecurity Reference Architecture for Operational Technology

Transcription

1 Trend Micro Cybersecurity Reference Architecture for Operational Technology Richard Ku - Senior VP Commercial IoT Business & Market Development William Kam - Technical Marketing Manager - IoT 2017 November 1

2 This page intentionally left blank 2

3 Contents Section 1: Executive Summary... 4 Section 2: Real-world cyber attacks... 5 Section 3: Reference Architecture... 6 Section 3.1: OT Security Reference Architecture... 6 Section 3.2: OT Security Domains... 8 Section 3.3: OT Cybersecurity Controls... 9 Section 4: Solutions... 9 Section 4.1: Trend Micro IoT Security Section 4.2: Trend Micro SafeLock Section 4.3: Trend Micro Portable Security Section 4.4: Trend Micro TippingPoint Section 4.5: Trend Micro Deep Discovery Inspector Section 4.6: Trend Micro Deep Security Section 5: Summary Figure 1: Cybersecurity Fence... 4 Figure 2: ICS Security Reference Architecture... 7 Figure 3: Trend Micro OT Cybersecurity Reference Architecure

4 Section 1: Executive Summary There are two sides to the cybersecurity fence when addressing threats and other concerns. The first side is what we're most familiar with in corporate IT or Information Technology (IT): Internet access, servers, Intranet content resources such as database applications, web content, FTP, Remote Access, etc., and most importantly, endpoints. Corporate IT security is usually facilitated by a layered protection that starts at the cloud, external to the enterprise, then moves into the corporate network starting at the gateway, proceeding further within protecting middleware resources. Deep within the corporate network are the users and their endpoint devices such as desktop PC, laptops, and mobile devices. Figure 1: Cybersecurity Fence The other side of the cybersecurity fence is the Operational Technology (OT). Typically, these are the industrial plants, auxiliary buildings, and remote installation units. Within these facilities are the industrial control systems (ICS) which are made up of supervisor control and data acquisition (SCADA) systems, distributed control systems (DCS) and other control system configurations such as programmable logic controllers (PLC) and remote terminal units (RTU) found in the industrial control sectors. ICS are typically found in industries such as retail, manufacturing, utilities (electric, hydroelectric, and nuclear). SCADA systems are generally used to control assets distributed throughout a facility using centralized data acquisition and supervisory control. DCS are generally used to control production systems within a specifically localized area within the facility using supervisory and regulatory control. PLCs and RTUs are generally used to control specific applications or discrete functions within the facility and generally provide regulatory control. Typically, these ICS s had no connectivity, and the human machine interfaces (HMI), programmable logic controllers, remote terminal unit (RTU) were all connected by either serial, parallel or specialized interfaces. Note: Industrial control system (ICS) is a general term that refers to several types of control systems, including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other control system configurations such as programmable logic controllers (PLC) and remote terminal units (RTU) most often found in the industrial sectors and their critical infrastructures. An ICS consists of combinations of control components (e.g., electrical, mechanical, hydraulic, pneumatic) that act together to achieve an industrial objective (e.g., manufacturing, transportation of matter or generation of electricity). Initially, ICS environments within OT had little resemblance to the IT systems; ICS were isolated systems running proprietary control protocols using specialized hardware and software. Many ICS components were in physically secured areas and the components were not connected to IT networks or systems. 4

5 However, the need to lower cost, have better performance and efficiency along with widely available, low-cost network devices, hardware, and software applications have replaced these proprietary ICS solutions. The Information Technology side of the cybersecurity fence was getting connected as network devices became more readily available and were less expensive and faster to implement. The OT side eventually decided that their facilities could further increase operational efficiencies by leveraging the same resources used by IT. These include solutions to promote corporate systems connectivity, such as remote access, along with using industry-standard computers, operating systems and network protocols. As ICS adopts solutions used within IT, OT environments are starting to resemble their IT counterparts. This adoption supports new capabilities, but provides significantly less isolation from the outside world than predecessor ICS configurations, creating a greater need to secure these systems. While security solutions have been designed and proven to deal with security issues in typical IT environments, special precautions must be taken when introducing these same solutions to ICS environments. In some cases, new security solutions are needed that are tailored to the ICS environment. ICS environments control the attributes in the physical world and an IT environment manages data. ICS have many characteristics that differ from traditional IT systems, including different risks and priorities. Some of these include significant risk to the health and safety of human lives, serious damage to the environment, and financial issues such as production losses and negative impact to a nation s economy. Security protections must be implemented in a way that maintains system integrity during normal operations as well as during times of a cyber-attack. Revolutionary changes to ICS environments have increased the possibility of cybersecurity vulnerabilities and incidents that were once of little concern. After the first IBM PC compatible virus, the Brain boot sector virus, was released in January 1986, cybersecurity became a mandatory discipline within the IT. However, it wasn't a mandatory discipline in the OT environments, and OT relied on IT for their cybersecurity concerns. Now, however, cyber-attacks on OT are commonplace, and increasing every year An effective cybersecurity program for an ICS is a strategy known as layered protection, or defense-indepth, layering security control mechanisms such that the impact of a failure in any one layer is minimized throughout the ICS environment. Section 2: Real-world cyber attacks Cyber attackers have sent phishing s to a number of industrial organizations in the Middle East, gained unauthorized access to a dam in upstate New York, leveraged BlackEnergy malware to cause a power outage and attack an airport in Ukraine, inflicted massive damage at a German steel mill by manipulating some of its ICS systems, and caused some disruption at an unnamed nuclear power plant. And in 2010, Stuxnet attacked the Iranian ICS network for controlling centrifuges. All OT industrial organizations must now confront the possible threat of a digital initiated cyberattack. To help defend against these bad actors, many enterprises have taken upon themselves to protect their OT domains with less reliance on their IT domain counterparts. 5

6 No longer can security in the OT domain rely on security from the IT domain for its protection and isolation. It has already been shown that compromising the IT domain eventually leaks over to the OT domain. The first known successful cyberattack on a power grid occurred on December 23, Hackers compromised the Ukraine power grid and were able to successfully compromise information systems of three energy distribution companies and temporarily disrupt electricity supply to customers. Thirty substations were switched off and about 230,000 people were left without electricity for a period from 1 to 6 hours. At the same time consumers of two other energy distribution companies were also affected by a cyberattack, but at a smaller scale. The cyberattack was complex, beginning with a prior compromise of IT corporate networks using phishing s with BlackEnergy malware. Lateral movement within the IT network found a system dedicated to accessing the OT domain. Failure to use 2-factor authentication allowed the hackers access to ICS network system. They seized SCADA controls, remotely switched substations off, and disabled or destroyed IT infrastructure components (uninterruptible power supplies, modems, RTUs, commutators). The hackers also used the KillDisk malware to destroy files stored on servers and workstations and launched denial-of-service attacks on a call-center to deny consumers upto-date information on the blackout. In total, up to 73 MWh of electricity was not supplied, or 0.015% of daily electricity consumption in Ukraine. Section 3: Reference Architecture Section 1 discussed that the OT realm is looking more and more like its IT counterpart using the same hardware, operating system, software and applications. Therefore, OT realm will be subject to similar if not the same cybersecurity threats and incidents. While security solutions have been designed to deal with the cybersecurity incidents in the IT networks, precautions must be taken when introducing some of these same solutions into the OT networks. In some incidents, alternative security solutions must be applied to the OT networks. It is beyond the scope of this document to discuss all of the Cybersecurity recommendations and cybersecurity control mechanisms. There are published guidelines from Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), Department of Homeland Security (DHS), National Institute of Standards and Technology (NIST), and SANS.org that provides details and recommendations. An effective cybersecurity strategy for an ICS environment should apply a layered protection/defense-indepth, a technique of layering cybersecurity controls mechanisms so that the impact of a compromise within a security domain is localized and minimized. The remainder of the document will focus on the ICS security architecture, security domains, and cybersecurity controls from the above mentioned organizations and its general recommend application. Section 3.1: OT Security Reference Architecture DHS, ICS-CERT, NIST, and SANS all have the same recommendation when designing and implementing a network architecture for an OT deployment, that it is highly recommended to separate the OT network from the corporate IT network. The nature of network traffic on these two networks is different. Internet access, FTP, , web, and remote access will typically be permitted on the corporate IT 6

7 network but should not be allowed on the OT network. Rigorous change control procedures for network equipment, configuration, and software changes that may not be in place on the corporate IT network, however, are typical for OT networks. By having separate networks, security and performance problems on the corporate IT network should not be able to affect the OT network and vice-versa. The aforementioned recognized institutions have all created an OT reference architecture specifically addressing the concerns for ICS networks, shown in Figure 2. This architecture indicates the general functional requirements typical for existing ICS networks (although actual implementations are highly variable). This example only attempts to identify notional topology concepts. Actual implementations of ICS segments may be hybrids that blur the lines between DCS, SCADA, PLC, and RTUs systems deployed. Figure 2: ICS Security Reference Architecture Practical considerations, such as cost-of-ownership and resources required to install and maintain an OT network within the corporate IT infrastructure, often mean that a connection is required between the OT and corporate IT networks. This connection is a significant security risk and should be protected by boundary protection devices. The recommended boundary protection devices are through a DMZ and firewall with additional cybersecurity control mechanisms, shown in Figure 2. Note: A DMZ is a separate network segment that isolates the OT and IT network connections directly through a firewall. Network isolation via segmentation and segregation addresses the requirements of further partitioning the ICS networks deployment into discrete security domains. Operational risk analysis should be performed to determine critical parts of each ICS environments and its operations. For example, a 7

8 separate security domain could be structured for the HMI, SCADA/DCS, and instrumentations systems deployed, as in Figure 2. The basic requirement for segmentation and segregation is to minimize access to systems and resources across security domains in the event of a cybersecurity attack or incident. Traditionally, network segmentation and segregation is implemented at the gateway between domains. Within the OT network, ICS environments often have multiple well-defined security domains, such as operational LANs, control LANs, and instrumentation LANs, for example. Gateways connect to non-ot and less trustworthy domains such as the Internet and the corporate LANs, shown in Figure 2. When implementing network segmentation and segregation correctly you are minimizing the method and level of access to sensitive information and system resources. This can be achieved by using a variety of technologies and security methods, the most common of which are listed below. This is only a subset of the full components available. See the documents from the aforementioned institutions for a more comprehensive list. Network traffic filtering, which can use a variety of technologies at various network layers to enforce security requirements and domains. Network layer filtering that restricts which systems are able to communicate with others on the network based on IP and routing information. State-based filtering that restricts which systems are able to communicate with others on the network based on their intended function or current state of operation. Port and/or protocol level filtering that restricts the number and type of services that each system can use to communicate with others on the network. Application filtering that commonly filters the content of communications between systems at the application layer. This includes application-level firewalls, proxies, and content-based filter. Boundary protection security controls should include gateways, routers, firewalls, network-based malicious code analysis (sandboxing), virtualization systems, intrusion detection/prevention systems, VPN encrypted tunnels, for example. Section 3.2: OT Security Domains From the security reference architecture the basic recommendations is for four security domains within the ICS environments. As mentioned, this is only a recommendation and actual implementation depends on the physical nation of the plant or facility. Adding additional security domains and segmentation or segregation of the ICS environments with firewalls and DMZ will complicate the network design and increase the cost and management of too complex of a network. The four domains: 1. Site Manufacturing Operations and Controls: General business operations in the support of facility operations. Traditional using the same security controls deployed within the Corporate IT network. 2. Area Controls: HMI, SCADA, DCS 3. Basic Controls: PLC, RTU 4. Instrumentation: Sensors, actuators, meters, etc. 8

9 Section 3.3: OT Cybersecurity Controls Section 3.1 discusses the hardware security control mechanisms. This section discusses the software and application security controls. Cybersecurity controls, including monitoring of sensors and logs, Intrusion Detections, antivirus, patch management, policy management software, and other cybersecurity control mechanisms, should be done on a real-time basis where feasible. It is interesting to note that the aforementioned institutions' recommendation is that an antivirus product chosen for ICS environment for protecting systems should not be the same as the antivirus product used for within the corporate IT network. As a result, the institutions suggest implementing whitelisting instead of blacklisting software (typically antivirus software uses blacklisting technology); that is, grant access to the known good applications and services, rather than denying access to execute known bad entities. Typically, the set or sets of applications that run within ICS environments is essentially static and few, making whitelisting more practical and feasible to maintain. This will also improve an organization s capacity to analyze log files and maintenance activities. For isolated or disconnected systems within the ICS environment, it is recommended to periodically run a real-time scan with external software. That is software not installed on the systems within the ICS environments but rather used by attaching an external device via USB, CD/DVD, etc. with up-to-date software for the scanning operations. The resulting operations can be analyzed at a later date if malware is not detected immediately. Section 4: Solutions Figure 3: Trend Micro OT Cybersecurity Reference Architecure 9

10 The following describes Trend Micro's IoT cybersecurity software. Section 4.1: Trend Micro IoT Security The evolution of the Internet of Things (IoT) has made life a lot more convenient and productive for both consumers and businesses alike over past few years. For example, with a smart camera, Consumers can check the status of their children using their mobile devices, while away from home and on business. But because security isn't always designed into these devices, the Internet of Things presents lots of security challenges for individuals, businesses, and security professionals alike. The Business environment, such as the automobile industry, faces an emerging challenge in the area of cybersecurity. For automobile original equipment manufacturers (OEMs), Tier 1 suppliers, car dealers, service providers, car owners and drivers, cyberattacks are now a reality that they have to grapple with. In the era of the Internet of Things (IoT), more and more key device functions rely on software rather than hardware. This is also true with vehicles. Unfortunately, as vehicles become increasingly automated and connected with the outside world, they tend to face growing security threats. Vulnerabilities arise particularly when just-in-time manufacturing and a faster speed to market leave less time for product safety testing. These vulnerabilities might not be uncovered until millions of vehicles have been released, in which case the necessary patching procedure is all but certain to prove even more costly not only to the affected carmaker s finances but also to its reputation. It s important, then, for security measures to be properly applied right from the outset of the car manufacturing process, starting in the design phase. That is why it is important for device manufacturer to integrate security into the device itself, to ensure consumers and businesses are protected from these challenges, the minute they install your IoT device. Because of these challenges, Trend Micro have developed a cybersecurity solution called Trend Micro Internet of Thing (IoT) Security consisting of File Integrity checking, Application Whitelisting, Hosted Intrusion Prevention Services (HIPS), Network Anomaly Scanning and Detection, System Vulnerability Scanning, and Virtual Patching. Trend Micro IoT Security (TMIS) is built-in IoT security software that monitors, detects and protects IoT devices from potential risks, including data theft and ransomware attacks. This ensures firmware integrity and reduces the attack surface, which not only prevents harm to your IoT devices, but also minimizes device maintenance costs and protects your reputation. Section 4.2: Trend Micro SafeLock System Lockdown Software for Fixed-Function Devices Trend Micro SafeLock for IoT TM Protect fixed-function devices such as industrial control systems and embedded devices, terminals in a closed system, and legacy OS terminals against malware infection and unauthorized use. Don t give up on security software because of the impact on performance and the need to update. Trend Micro SafeLock for IoT TM prevents the execution of malware with lockdown. 10

11 Lockdown is a technique that limits a system to running only day-to-day operations while controlling system resources and access. Where most anti-virus software uses blacklisting to forbid known malware from running, SafeLock uses whitelisting to allow only known and approved processes to run. The set of applications that run in fixed function devices is essentially static, making whitelisting practical and eliminating the need to regularly update a blacklist. SafeLock's approach has a limited impact on system performance and can improve an organization s capacity to analyze log files. Trend Micro SafeLock for IoT can protect terminals reserved for critical control systems, embedded devices, and legacy OS terminals. Also, its easy user interface and cooperation with Trend Micro Portable Security enables rapid deployment and a high degree of operability. Section 4.3: Trend Micro Portable Security 2 Malware Scanning and Cleanup Tool for Standalone PC & Closed Systems; No Internet connection does not mean safe and secure. The Internet is not the only way that malware can infect PC. A Trend Micro survey of companies in Japan found that 20% of stand-alone computers and PCs in closed networks were infected with malware. Devices brought in from outside the system by users, as well as the use of USB flash drives, can infect stand-alone PCs and those in close systems. Organizational restrictions on installing software on these PCs means that virus protection software either can t be installed at all or can t be updated to cover the latest generation of malware. Without access to the Internet, PCs that do have anti-virus software installed are difficult to scan with the latest malware pattern file. Trend Micro Portable Security for IoT solves the problem. The Portable Security for IoT hand-held tool plugs into a USB port to detect and eliminate malware, without the need to install software on the PC. The tool changes color to indicate whether or not it detects malware and whether it is eliminated or needs further intervention. For PCs on a network, Portable Security for IoT has a centralized management program that can manage malware pattern files and configurations. It can also compile the scan logs of the scanning tools in multiple locations in an integrated fashion. Moreover, the event log of the system lockdown security software Trend Micro SafeLock (separately charged) can be obtained with the Portable Security management program. Section 4.4: Trend Micro TippingPoint The threat landscape continues to evolve both in sophistication and in technology. This means a new security system that is both effective and flexible is needed due to the dynamic nature of the landscape one that allows you to tailor your security to meet the needs of your network. Selecting a network security platform is a critical decision because it serves as the foundation for advanced network security capabilities now and in the future. And, given the backdrop of the changing threat landscape, the importance of network security continues to increase, making it a difficult task. Trend Micro TippingPoint Threat Protection System (TPS) is a network security platform powered by XGen security, a technology that offers comprehensive threat protection shielding against 11

12 vulnerabilities, blocking exploits and defending against known and zero-day attacks with high accuracy. It provides industry-leading coverage from advanced threats, malware, and phishing, and other threat vectors with extreme flexibility and high performance. The TPS uses a combination of technologies, including deep packet inspection, threat reputation, and advanced malware analysis on a flow-by-flow basis to detect and prevent attacks on the network. The TPS enables enterprises to take a proactive approach to security to provide comprehensive contextual awareness and deeper analysis of network traffic. This complete contextual awareness, combined with the threat intelligence from Digital Vaccine Labs (DVLabs), provides the visibility and agility necessary to keep pace with today s dynamic, evolving enterprise networks. Section 4.5: Trend Micro Deep Discovery Inspector Hackers often customize targeted attacks and advanced threats to evade your conventional security defenses and to remain hidden while stealing your corporate data, intellectual property, and communications, and sometimes to encrypt critical data until ransom demands are met. To detect targeted attacks and advanced threats, analysts and security experts agree that organizations should utilize advanced detection technology as part of an expanded strategy. Deep Discovery Inspector is a physical or virtual network appliance that monitors 360 degrees of your network to create complete visibility into all aspects of targeted attacks, advanced threats, and ransomware. By using specialized detection engines and custom sandbox analysis, Deep Discovery Inspector identifies advanced and unknown malware, ransomware, zero-day exploits, command and control (C&C) communications and evasive attacker activities that are invisible to standard security defenses. Detection is enhanced by monitoring all physical, virtual, north-south, and east-west traffic. This capability has earned Trend Micro the rank of most effective recommended breach detection system for two years running by NSS Labs. Section 4.6: Trend Micro Deep Security Virtualization and hybrid cloud computing can help your organization achieve significant savings in data center hardware costs, operational expenditures, and energy demands while achieving improvements in quality of service and business agility. However, as data centers continue to transition from physical to virtual and now increasingly, cloud environments, traditional security can slow down provisioning, become difficult to manage, and cause performance lag. As you scale your virtual environment and adopt software-defined networking, evolving your approach to security can reduce time, effort, and impact on CPU, network, and storage. Trend Micro s modern data center security is optimized to help you safely reap the full benefits of your virtualized or hybrid cloud environment. Our virtualization-aware security offers many advantages including performance preservation, increased VM densities, and accelerated ROI. Trend Micro Deep Security offers a complete set of security capabilities with the features you need to benefit from the efficiencies of virtualized environments and help meet compliance. This integrated solution protects physical, virtual, cloud, and hybrid environments. 12

13 Section 5: Summary The purpose of this whitepaper is to present some of the challenges facing cybersecurity professionals managing and maintaining Operational Technology domains and the Industrial Control Systems and Networks within these networks. By adhering to a reference architecture based on the isa95 reference model, the cybersecurity professional can deploy time-proven and appropriate cybersecurity solutions that are easy to deploy, manage, and maintain, and that can easily reach a level of security for any Operational Technology and Industrial Control System where security matters. 13