Securing the Network: Understanding CIA, Segmentation, and Zero Trust. Jacek Szamrej VP of Cybersecurity SEDC

Transcription

1 Securing the Network: Understanding CIA, Segmentation, and Zero Trust Jacek Szamrej VP of Cybersecurity SEDC

2 Jacek Szamrej VP of Cybersecurity SEDC

3 C? A I

4 What are we protecting? Confidentiality DATA Availability Integrity

5 What are we protecting? Public Personal Secret Availability Confidentiality RTO RPO MTD DATA Cryptography Meta data Integrity

6 What are we protecting? Public Personal Secret Availability Confidentiality RTO RPO MTD DATA DATA DATA DATA Cryptography Meta data Integrity

7 Data Classification Example SCADA DATA AMI DATA DATA DATA PII & PCI Intranet, E&O

8 Defense in Depth Now we can support this defense with network segmentation We divided data into different categories for more effective protection

9 Data segmentation example Account Number Meter Number Usage Data , 0.5, 0.3, 1.2, MD5 HASH Account Number Meter Number Usage Data 2cb6128ecc85fa a626d876cfd MD5 HASH be799977f7b518b14 16daa371f Copy 0.2, 0.5, 0.3, 1.2,

10 No Segmentation labs.iro.umontreal.ca/~vaucher/history/ships_discovery/

11 Segmentation

12 Segmentation

13 Segmentation _of_the_worlds_largest_ever_container_ships

14 Segmentation reinstalled pcs and servers to recover from notpetya attack/

15 How do we apply CIA to our network? Office S1 S2 SCADA DMZ SCADA Substation

16 How do we apply CIA to our network? Office Untrusted S1 S2 Trusted Network SCADA DMZ DMZ SCADA Substation

17 Ukraine Power Grid Cyberattack 2015 Office S1 S2 SCADA DMZ SCADA Substation

18 Ukraine Power Grid Cyberattack with BlackEnergy malware Office S1 S2 SCADA DMZ SCADA Substation

19 Ukraine Power Grid Cyberattack 2015 Pivot to server and establish C&C Office S1 S2 SCADA DMZ SCADA Substation

20 Ukraine Power Grid Cyberattack 2015 Office S1 S2 They found pre shared key for VPN on SCADA firewall SCADA DMZ SCADA Substation

21 Ukraine Power Grid Cyberattack 2015 Office S1 S2 Firmware has been changed on SCADA devices SCADA DMZ SCADA Substation

22 Ukraine Power Grid Cyberattack 2015 Office S1 S2 They use SCADA HMI to open breakers SCADA DMZ SCADA Substation

23 Ukraine Power Grid Cyberattack 2015

24 Ukraine Power Grid Cyberattack 2015 Full document with all recommendations: ISAC_SANS_Ukraine_DUC_18Mar2016.pdf

25 Network Segmentation Definition: Network segmentation in computer networking is the act or profession of splitting a computer network into subnetworks, each being a network segment. Advantages of such splitting are primarily for boosting performance and improving security.

26 Common Reasons for Network Segmentation Performance Security Compliance

27 Network Segmentation Examples Levels of Trust VLAN/ACL ACL Virtual Firewall Firewall Data Diode Air Gap Source: Gartner (July 2016)

28 Zero Trust Model

29 Concepts of Zero Trust Model All resources are accessed in a secure manner regardless of location Access control is on a need to know and is strictly enforced Inspect and log all traffic

30 Zero Trust Network Diagram steps to a zero trust network from theory to practice

31 Zero Trust Network Diagram Next Generation Firewall: FW Firewall IPS Intrusion Prevention System CF Content Filtering AC Activity Monitoring Crypto Cryptography AM Access Control steps to a zero trust network from theory to practice

32 Zero Trust Network Diagram Management jumpbox in separate zone steps to a zero trust network from theory to practice

33 Zero Trust Network Diagram MCAP (Micro Core and Perimeter): Protected L2 switching zone MCAP members have similar functionality steps to a zero trust network from theory to practice

34 Zero Trust Network Diagram DAN (Data Acquisition Network): Zone dedicated to log analysis SIEM Network Analysis and Visibility (NAV) steps to a zero trust network from theory to practice

35 Software Defined Perimeter All network connections are authenticated (using MFA and/or PKI), the health of each endpoint is inspected Originated at the Defense Information Systems Agency (DISA), now maintained by Cloud Security Alliance BeyondCorp is Google version of this concept lerner/2017/03/21/microsegmentation/

36 Software Defined Perimeter defined perimeter/#_overview

37 Micro Segmentation Software defined segmentation Isolates applications in virtual environment Focus on east west communication Security defined at granular level lerner/2017/03/21/microsegmentation/

38 Micro Segmentation Models Native micro segmentation Vendors examples: Amazon, Cisco, Microsoft, VMware lerner/2017/03/21/microsegmentation/

39 Micro Segmentation Models Native micro segmentation Third party model Vendor examples: Cisco, Check Point, Fortinet, Juniper Networks, Palo Alto Networks, SonicWall, Sophos, Huawei lerner/2017/03/21/microsegmentation/

40 Micro Segmentation Models Native micro segmentation Third party model Overlay model Vendor examples: Cisco, CloudPassage, Drawbridge Networks, GuardiCore, Illumio, Juniper Networks, ShieldX, varmour, Unisys, Tempered Networks lerner/2017/03/21/microsegmentation/

41 Micro Segmentation Models Native micro segmentation Third party model Overlay model Hybrid model lerner/2017/03/21/microsegmentation/

42 Example of Native Micro Segmentation segmentation with nsx/

43 How Overlay Segmentation Works Agent W1 Agent W2 Firewall Agent S1 Agent S2 SW3 Internet P1 P2 SW1 S3 PBX1 SW2 PR1 P3 SW-D1 SW4 DMZ-S1 DMZ-S2 Controller Agent W3 Agent W4-CC Controller: analyzing traffic, allows communication, apply and adjust policies

44 How Overlay Segmentation Works Agent W1 Agent W2 Firewall Agent S1 Agent S2 SW3 Internet P1 P2 SW1 S3 PBX1 SW2 PR1 P3 SW-D1 SW4 DMZ-S1 DMZ-S2 Controller Agent W3 Agent W4-CC Controller: analyzing traffic, allows communication, apply and adjust policies

45 How Overlay Segmentation Works Agent W1 Agent W2 Firewall Agent S1 Agent S2 SW3 Internet P1 P2 SW1 S3 PBX1 SW2 PR1 P3 SW-D1 SW4 DMZ-S1 DMZ-S2 Controller Agent W3 Agent W4-CC Some vendors are offering deception features

46 came but the french were prepared.html Cyber Deception Example

47 Purdue Enterprise Reference Architecture Level 5 Level 4 Level 3 Level 2 Level 1 Level 0 Enterprise network IT Applications (CIS, GIS, OMS, AMI?) SCADA Historian FEP, SCADA Master Meter, RTU CT, PT, other sensors Source:

48 Phases of Network Segmentation Classification Analysis Design Implementation Monitoring Data Classification Analyze network traffic (types, volume) Network structure, monitoring methods Select vendor, install equipment Monitor traffic, apply changes Source:

49 Bison Valley Electric Cooperative Network Segmentation Project

50 Our Guests Gary Jeger Palmetto Electric Co op George Buckner Central Florida Electric Co op Jack Daniels Bison Valley Electric Co op

51 Gary Jeger Palmetto Electric Cooperative

52 George Buckner Central Florida Electric Cooperative

53 Jack Daniels Bison Valley Electric Cooperative

54 BVEC Network Before After cleanup before and after photos/pg004.html

55 BVEC Network Segmentation Project Objective Follow Zero Trust Model and recommendations from PCI DSS and US CERT TA16 250A. Solution BVEC is considering three different approaches to segment their network. Questions How these options follow concept of Zero Trust Model, PCI DSS, and TA16 250A recommendations?

56 BVEC Network Segmentation Project US CERT Alert (TA16 250A) The Increasing Threat to Network Infrastructure Devices and Recommended Mitigations Protecting the network infrastructure is critical to preserve the confidentiality, integrity, and availability of communication and services across an enterprise.

57 BVEC Network Segmentation Project TA16 250A Recommendations: 1. Segregate Networks and Functions 2. Limit Unnecessary Lateral Communications 3. Harden Network Devices 4. Secure Access to Infrastructure Devices 5. Perform Out of Band Management 6. Validate Integrity of Hardware and Software

58 BVEC Network MS MS MS FIN CFO CEO CIS AMI MDM GIS OMS AD & FS Exchange Intranet DB1 DB2 Office S1 S2 VM1 VM2 E&O E&O E&O E&O LG COO DMZ Server Room Fiber & Radio Dispatch & SCADA Office DMZ District Office SCADA AMI Substation PTZ C SCADA AMI Substation PTZ C

59 BVEC Network Option 1 Segmentation Gateway

60 BVEC Network Option 1 Segmentation Gateway Multiple NGFW vendors: (Palo Alto, Checkpoint, Fortinet, Juniper, etc) Shall we use the same vendor as edge firewall or different? We will need High Availability option which is more expensive.

61 BVEC Network Option 2 VMWare NSX MS MS MS FIN CFO CEO CIS AMI MDM GIS OMS AD & FS Exchange Intranet DB1 DB2 Office S1 S2 VM1 VM2 E&O E&O E&O E&O LG COO DMZ Server Room Fiber & Radio Dispatch & SCADA Office DMZ District Office SCADA AMI Substation PTZ C SCADA AMI Substation PTZ C

62 BVEC Network Option 2 VMWare NSX Physical vsphere Distributed Switch VDS DFW Distributed Firewalls CIS AMI MDM GIS OMS DB2 DB1 Intranet Exchange AD & FS VM1 VM2

63 BVEC Network Option 2 VMWare NSX Throughput not tied to hardware, easy to scale, can be extended to the cloud. vsphere Distributed Switch Consultant might be needed to determine optimal configuration. VDS Physical Uses proprietary VMWare NSX solution, bare metal servers are not included. DFW Distributed Firewalls CIS AMI MDM GIS OMS DB2 DB1 Intranet Exchange AD & FS VM1 VM2

64 BVEC Network Option 3 Identity Defined Network HIP Client HIP Client HIP Server HIP Server CIS AMI MDM GIS OMS AD FS Exchange Intranet Apps Office Conductor S1 S2 VM1 VM2 HIP Server DMZ Server Room Fiber & Radio HIP Server Dispatch & SCADA DMZ District Office SCADA AMI Substation CCV C SCADA AMI Substation CCV C

65 BVEC Network Option 3 Identity Defined Network Does not require major CIS hardware installation. HIP Server AMI MDM GIS HIP Server OMS It can be extended to the cloud in the future. Conductor S1 S2 VM1 AD FS Exchange Intranet Apps VM2 Based on HIP standard, but IDN is a proprietary solution. HIP Client HIP Client Can be tested locally before installed. Office HIP Server DMZ Server Room Fiber & Radio HIP Server Dispatch & SCADA DMZ District Office SCADA AMI Substation CCV C SCADA AMI Substation CCV C

66 BVEC Network Option 1 Segmentation Gateway

67 BVEC Network Option 2 VMWare NSX MS MS MS FIN CFO CEO CIS AMI MDM GIS OMS AD & FS Exchange Intranet DB1 DB2 Office S1 S2 VM1 VM2 E&O E&O E&O E&O LG COO DMZ Server Room Fiber & Radio Dispatch & SCADA Office DMZ District Office SCADA AMI Substation PTZ C SCADA AMI Substation PTZ C

68 BVEC Network Option 3 Identity Defined Network HIP Client HIP Client HIP Server HIP Server CIS AMI MDM GIS OMS AD FS Exchange Intranet Apps Office Conductor S1 S2 VM1 VM2 HIP Server DMZ Server Room Fiber & Radio HIP Server Dispatch & SCADA DMZ District Office SCADA AMI Substation CCV C SCADA AMI Substation CCV C

69 Summary Classify your data by using CIA triad Network segmentation can be designed in house Consider segmenting SCADA, PCI, and PII first

70 Thank you! Jacek Szamrej, SEDC