ICS Security. Trends, Issues, and New Standards. Speaker: David Mattes CTO, Asguard Networks

Transcription

1 ICS Security Trends, Issues, and New Standards Standards Certification Education & Training Publishing Conferences & Exhibits Speaker: David Mattes CTO, Asguard Networks 2013 ISA Water / Wastewater and Automatic Controls Symposium August 6-8, 2013 Orlando, Florida, USA

2 David Mattes - Bio Focused on creating products that address the challenge of managing connectivity and information security for Industrial Control Systems (ICS) Spent 13 years at Boeing, working on advanced networking for manufacturing Led implementation and deployment of novel ICS Security architecture Worked to publish this architecture as international standards Founded Asguard Networks to commercialize this technology 2

3 Presentation Outline Security issues and trends for WWA New standards for ICS Security Commercialization efforts Case study 3

4 Security and Connectivity Evolution Connectivity today Need this now Need this soon Secure comms over Internet Security Posture today Secure comms over intranets A control panel intranet connected Using some IP Network technologies Isolated proprietary solutions 4

5 2010 Reported Incidents by Industry (RISI) RISI = Repository for Industrial Security Incidents 5

6 2010 Reported Incident Types (RISI) External Virus / Trojan / Worm 60 Control / SCADA System Failure 38 Accidental Software Failure 20 External System Penetration Accidental Inappropriate Control Accidental Network Failure Internal Sabotage External Sabotage Accidental Incident 5 Internal Non Authorized Access 4 External Denial of Service (DoS) 3 Internal Incident 2 External Information Theft RISI = Repository for Industrial Security Incidents 6

7 ICS Vulnerability Research Increased focus on ICS components Target-rich environment Info Sec has been low on list for ICS Design vulnerabilities Vendors slow to react Disclosed ICS vulnerabilities skyrocketing

8 ICS Vulnerabilities Markets Yes, your system (integrity) is for sale! Asset surveys, databases, maps Shodan, SHINE: 500,000 ICS devices on Internet Vulnerabilities vendors Mostly undisclosed vulnerabilities The ones we know about are the gray guys ReVuln, Vupen Researchers turning to vulnerability vendors Many complex motives Financial gain 8

9 Defense in Depth Defense in Depth is best-practice approach Multiple forms of protection Delay attacks Responsive capability Balance risk to target Expensive to implement Must find ways to take small steps Look for architectures that reduce long-term cost It s a process Never ending Needs executive sponsorship 9

10 Network Segmentation Goals Foundational building block of defense in depth Confine connectivity to necessary systems Isolate systems on the right performance network Increase system robustness Challenges Gets down into the network weeds Crossing network segments (trust boundaries) Sharing network resources Wifi, DMZ, Infrastructure, 10

11 Traditional Approaches to Segmentation Direct Connection (Nothing) Jump PC (Front-End PC) Data Diode Local Firewall/NAT/VPN VLAN DMZ Parallel Infrastructure 11

12 Traditional Approaches Shared Network Direct Connection Very common, even on Internet SHODAN search tool for internet connected devices Challenges No protection Connectivity management Wireless connectivity 12

13 Traditional Approaches VLAN 123 Shared Network VLAN Defined across Shared Network Terminates at individual network ports High cost per managed port Challenges Security configuration embedded in core network Control Plane / Data Plane is better model (like SDN) All the eggs in one basket Change is very difficult Adding mobile devices is hard 13

14 Traditional Approaches Shared Network Firewall/NAT/VPN Many COTS IT/Industrial products available Locally restrict connectivity to automation equipment Challenges Significant IT issues SOX Compliance Passwords Network configuration PKI Certificates Remote access challenges 14

15 ICS Network Segmentation Standards International Society for Automation (ISA) ISA100 TR (ISO/IEC TBD): Backhaul Architecture Model ISA99 (ISO/IEC ): Industrial communication networks Network and system security Zones and Conduits Model Trusted Computing Group (TCG) Interface for Metadata Access Points (IF-MAP): Coordination service Metadata for ICS Security: Policy configuration specification Internet Engineering Task Force (IETF) HIP Workgroup: HIP VPLS Draft PKIX Workgroup: Public Key Infrastructure 15

16 Network Segmentation Architecture Goals Leverage shared network infrastructure to minimize costs Isolate industrial systems from the shared network Dynamic and flexible network segmentation Minimize attack surface by limiting connectivity to absolute minimum Allow automation engineers to manage their own devices Create a clear delineation of roles and responsibilities of Operations and IT Keep CapEx/OpEx costs low and reliability high Be an enabler of additional defensive measures 16

17 Network Segmentation Solution Segmented, Secure Connectivity as an Internal Service Shared Network A Secure Network Management (Web-based) Network Security Appliances (NSA) 17

18 Transparent Drop-in Security Solution A Shared Network Network Connectivity Any link type: Ethernet, Cell, WiFi, WiMax, SatCom, etc. Network authentication Protection Authentication Confidentiality Integrity Policy Enforcement IP over Network Transparency Existing ICS protocols Layer 2-3 VPN Ethernet 18

19 Florida Water Utility Case Study Public Safety Network Shared network resource VLAN for SCADA IT Services appearing on SCADA VLAN Goals Fine grained control over connectivity policies Integrity protection of data over PSN backhaul SCADA-focused visibility and alerting at network layer Flexible and secure remote access 19

20 Water / Wastewater Implementation 20

21 Water / Wastewater Implementation 21

22 Fine-grained Connectivity Policy Control Host policies: On/Off + Firewall 2. Peer policies: Cryptographic ID whitelist 22

23 Summary Threat level is rising Duty to protect Connectivity is increasing And it s not going away tablets and mobile Operations needs to be at the table Networking Security Policy Awareness Resilience Standards are maturing Standards alone are not enough Solutions are here today to bridge the gaps 23