Frank Ignazzitto Ultra Electronics, 3eTI

Transcription

1 Demystifying Government-Validated Solutions: A Standards Based Approach to Protecting Process Control Networks Standards Certification Education & Training Publishing Conferences & Exhibits Frank Ignazzitto Ultra Electronics, 3eTI 2015 ISA Water / Wastewater and Automatic Controls Symposium August 4-6, 2015 Orlando, Florida, USA

2 Presenter 30+ years experience Power systems integration and deployment with US Army Corps of Engineers, Homeland Security, FAA, Department of Energy Drove new technology adoption with US Special Operations Command and the Intelligence Community Diverse technology experience includes humanmachine interface devices, electro-optical nanotechnology and advanced fuel cell systems Frank Ignazzitto Vice President Sales & Marketing, Ultra Electronics, 3eTI 14 years experience in the Oil & Gas sector US Army Air Defense BS Engineering, United States Military Academy, West Point 2

3 Session Agenda What are we talking about? ICS security challenges Standards: the defender s approach Vulnerabilities: the attacker s approach Who to trust? Case Study: Naval District Washington (NDW) Owning your risk 3

4 The Real Security Challenge Connecting everything has given us great value, but also a lot of new risks Risk is individual and unique, so mitigations and solutions are too Technology and attackers often outpace the assumptions made in the risk assessment Stop adopting a protect against the last attack approach this just wastes resources If we accept that this is ICS not IT, don t just look at IT-centric solutions If the attack is new or paradigm shifting (e.g. Stuxnet, Target) it takes the industry a long time to even begin to address it But, you are not alone and risk management is possible. People have been doing it a long time! Cyber security is really risk management 4

5 REAL-LIFE DANGERS Staged cyber attack reveals vulnerability in power grid Russia's Sayano- Shushenskaya Hydroelectric disaster 5

6 Cyber Security Standards Enabling a business risk-driven security regime 6

7 ISO Information security management code of practice Organizing ISO category for IT operational security process standards Comprehensive catalogue of security practices for IT system managers ISO 27001: Standard for establishing and maintaining information security management systems ISO Domains Conclusion Business management function focused Process, not result, driven Weak on implementation 7

8 IEC / ISA99 Industrial & enterprise network integration Security for industrial automation and control systems (IACS) Prevention of penetration, interference and inappropriate access IEC Elements Terminology, concepts and models Master glossary of terms and abbreviations System security compliance metrics IACS security lifecycle and use-case Requirements for an IACS system Implementation guidance for an IACS system Patch management Installation and maintenance requirements Security technologies Zone and Conduit security levels System security requirements and security levels Product development requirements Technical security requirements for components Conclusion Risk-based rather than process-driven Industrial-focused rather than IT-focused Dependent on right choice of zone/conduit architecture 8

9 Typical IEC TypicalZone zone andconduit conduit Deployment deployment Industrial Process ZONES: Group of assets based on functionality, location, ZONES: responsible organization Should define and the the results maximum of the highlevel risk size of assessment. acceptable The impacts. grouping of these assets shall reflect common security requirements for each zone. Process Control Network PLC PLC PLC Infrastructure Automation Facility Monitoring Support Network Engineering Terminal Wireless HMI External Networks Mirrored Data Servers Application Server Data/Historian Server Report/Alarm Server SCADA Server Enterprise Networks Authentication Server Remote Access Level 1-Level 2 Conduit Level 2-Level 3 Conduit Level 3-Level 4 Conduit 9

10 DIACAP DoD information assurance certification process What it is Certifies and accredits information systems through an enterprise process Process parallels the system lifecycle achieve DoD IA through a defense-in-depth approach that integrates the capabilities of personnel, operations, and technology, and supports the evolution of network centric warfare DoD Risk Management Framework Conclusion Very thorough, backed up with STIGs IT focused Heavily dependent on quality of assessors and assessments 10

11 Military Independent Validations FIPS Ensure design & Common & development Criteriaare done right Cryptographic Module Validation Program Performs a suite of conformance tests against a defined cryptographic module o Physical security o Ports & interfaces o Key management (entropy, key generation, establishment, storage, zeroization) o Self test o Roles & services o Electromagnetic interference/compatibility (EMI/EMC) o Design Assurance Levels basic security implementation 2 includes tamper-evidence & CC approved OS 3 includes tamper detection/response, split-key operations, higher assurance OS 4 includes tamper reactivity, highest assurance Common Criteria Evaluation & Validation Ensures product satisfy a common set of security functional requirements & security assurance requirements against a defined Protection Profile Functional requirements: o Security audit (generation & storage) o Cryptographic support (key generation, establishment, destruction, operation) o Identification & authentication o Security management & protection o Access & trusted paths Assurance requirements: o Development o Lifecycle o Tests o Vulnerability Assessment 11

12 Independent Validation Assures security robustness Component Validation Test components using standards such as FIPS and Common Criteria. Use national technical authorities (e.g. NSA) to conduct deep dive component vulnerability assessments System Validation Take system through thorough risk and vulnerability assessment to ensure mitigations and configurations are implemented correctly Solution Validation Thoroughly penetration-test a reference system by expert SCADA/ICS security red teams (e.g. DHS/INL) Installed Validation Undertake on-site live red-team exercise to test cyber and physical security in operation 12

13 Vulnerabilities & Threats What are the attackers thinking? 13

14 Who Launches Cyber Attacks You don t need to be a hacker to hack A World Full of Hackers Nation states Criminals Activists Employees Children! A Mix of Motivations Money Political protest Environmental activism Industrial espionage Retaliation Job security Fun The Unforgiving Impact An attacker doesn t even have to know what they are doing to cause a huge impact 14

15 Bringing the Internet to You The latest cyber weapons 15

16 Everyone is a Potential Target 16

17 Approach & Mitigations What is the answer? 17

18 Holistic Cyber Security Attacks & mitigations Data manipulation Voice eavesdropping Physical manipulation Backdoor Intelligence gathering Hardware Trojans Man in the middle Network eavesdropping Spoofing 1. Insider attacks 2. Data exfiltration 3. Traffic rerouting 4. Worm 5. Trojan 6. Virus 7. Root-kits 8. Web hacking 9. Drive-by download 10. Key logger 11. Denial of service 12. Phishing 13. Hackers 14. Spear phishing Coordinated attack Advanced persistent treat Remote access tools Unpatched infrastructure Brute force cracking Proxied attack Vulnerability probing Credential impersonation Foreign agents 1. Federal Government 2. DoD/Military 3. Corporate/Financial 4. Telecomms 5. Healthcare 6. Utilities 7. Distribution 8. Building Automation 9. Industrial Facilities 10. Energy Management 18

19 Multi-dimensional Approach Right tool for the right job Firewalls Keeps unauthorized traffic out Intentional holes for authorized traffic Encryption Maintains confidentiality & integrity of data Works just as well on malware as legitimate traffic Key management as important as algorithms Anti-Virus Prevents known malware from running Doesn t handle new malware Doesn t run on embedded systems VLANs Segregates traffic on networks Not originally designed as a security control Port Authentication Limits network resource access Can be hijacked Robust & Resilient End-point, network, & perimeter defense End-to-end security Multi-vendor approach Mitigate vulnerabilities not previous attacks 19

20 Holistic Risk-Management Knowledge is security Incomplete risk assessment will result in unaddressed risks and unacceptable impacts The Risk Management Lifecycle Policy Risk management is not risk elimination Understand your risk appetite Selectively harden critical elements to reduce total risk Operate & Monitor Plan & Design Mitigate vulnerabilities not attack vectors Appropriate solutions for realistic threats Don t rely on COTS Security by Design Use only independent validations Leverage known approaches DIACAP NIST/FISMA ISO ISA99 CIP-005 Review & Approve Develop & Deploy 20

21 Today s Cyber Threat Landscape Traditional security is not enough Office Network Historian Workstation Support Network Engineering Terminal Wider Enterprise Network PC Anti-Virus SCADA Server HMI Process Control Network Remote Site 1 Remote Site 2 No USBs Firewalls Remote Site N Maintenance Laptop Where are the security gaps? Security focused on PCs Devices on the control network are not PCs Minimal physical security of the control network No cyber security within the control network No awareness if malware is already present and manipulating operations 21

22 Tomorrow s Cyber Threat Landscape Endpoint protection for embedded devices & systems Office Network Historian Workstation Support Network Engineering Terminal Wider Enterprise Network PC Anti-Virus SCADA Server HMI Process Control Network Remote Site 1 Remote Site 2 No USBs Firewalls Remote Site N Maintenance Laptop SIEM Server Future cyber defenses Individually identify each device Protect critical devices from network attacks Control who talk to critical devices Control what is being said Alert on anomalies or malicious behavior Build independent security into devices 22

23 US Navy, Naval District Washington Creating a secure Enterprise Industrial Control System (EICS) Objectives Compliance with DoD and Federal mandates Efficiency savings through automation Optimization of plant operations and processes Safe & reliable operations Share information between stakeholders Connect equipment over an IP network Utilize open & common protocols Concerns Unauthorized external access to networks and systems Loss of command & control or data integrity Loss or degradation of system availability Malware infection manipulating operations Cyber-attack causing physical impact Reputation loss due to publicized vulnerabilities or attacks Intentional misuse of systems or control causing physical impacts Cyber security attacks impacting normal operations 23

24 Today s Military Challenges Meeting mandates in the face of constrained budgets Shore Infrastructure Energy Management Reduce Shore Infrastructure Costs Facility and Critical Infrastructure Protection Reduce Energy Expenditures Network Connectivity to the last mile Situational Awareness During EMIO Secure Video Conferencing Communications The need for hardened solutions for bases & platforms AMI EICS SMART GRID VPMS Real-time, advanced monitoring and collection of building-by-building energy usage Real-time monitoring and control of enterprise industrial systems Integrated, adaptive, intelligent energy management on a building, base and region level Virtual perimeter monitoring with remote video and sensors Seamlessly integrate with existing networks Connect legacy environments to improve efficiency Cut costs and streamline operations Secure connectivity to a central monitoring facility for project analysis and management SECURE WLAN Secure wireless access to base networks and networks on the move WRBS VTC Wireless Reach Back system for video, data, and voice connectivity with boarding teams Secure video conference switch systems for automated secure/non-secure communications Comply with strict cyber Information Assurance (IA) and military certification and accreditation mandates Be robust, reliable and cost-effective Meet stringent environment requirements, as well as military standards for shock, vibration and electromagnetic interference 24

25 US Navy, Naval District Washington EICS architecture Installation Operations Center Management Consoles Surveillance, SCADA/DDC, Advanced Metering Wide Network Area Video Server EnergyGuard Meter Server Firewall & Encryption EtherGuard Remote Cameras Perimeter/ CIP Video Surveillance SCADA DDC Industrial Control Systems Facility/Base Operations Remote Meters Data Acquisition, Region ICS, and Region Video Servers Advanced Metering Management Consoles EtherGuard Enterprise Systems Easier decision making from realtime monitoring of sensors Improved facility operations and control of vital utilities and infrastructure Full remote monitoring and control of HVAC, lighting, building access, water, waste water, steam, and power systems Regional Operations center Enabled analysis of regional energy usage data for demand response 25

26 US Navy, Naval District Washington EICS solution benefits Requirement Functionality Improve Operations Use real-time dashboard for easy decision making Controls vital utilities and infrastructure Cost Effective Integrates systems into a local, regional, and national system DoD Secure Provides a secure enclave for ICS management while ensuring no access to legacy systems Guards against terrorism Protects against vandalism and unlawful entry Central Monitoring Remote monitoring and control of HVAC, water, waste water, steam, and power systems Real-time sensor support system Critical Infrastructure Protection VPMS System Data Analysis Consolidated regional performance data and dashboard control Real-time demand response Accredited Solution Approval to Operate (ATO) certification U.S. Navy Unified Capabilities Approved Products List for the DoD 26

27 Summary The cyber risks are real, but probably not what you imagine It s getting easier & cheaper all the time Computers don t look like computers anymore Don t inadvertently drive attackers to your unprotected side Perimeter protection is not enough The Internet will be brought to you, whether you like it or not! You can t cheat off the person next to you Risk is something you must own & understand Security done right Security is not about eliminating the threat, but frustrating the attacker Be aware of YOUR threats, vulnerabilities, & impacts Push security to the edge (device level) This is a business problem, not an IT or ICS problem Security is end-to-end Don t just specify security requirements demand validated security Security is NOT standard compliance There is no one size fits all or single bullet solution Trust must be earned, but even then also verify 27

28 Questions Frank Ignazzitto Ultra Electronics, 3eTI Direct: Mobile: Standards Certification Education & Training Publishing Conferences & Exhibits 2015 ISA Water / Wastewater and Automatic Controls Symposium August 4-6, 2015 Orlando, Florida, USA