Vulnerabilities in Process Control Networks: What Are We Protecting Against?

Transcription

1 Vulnerabilities in Process Control Networks: What Are We Protecting Against? Mark Benedict Ultra Electronics, 3eTI Standards Certification Education & Training Publishing Conferences & Exhibits 2014 ISA Water / Wastewater and Automatic Controls Symposium 1 August 5-7, 2014 Orlando, Florida, USA

2 Mark Benedict VICE PRESIDENT, BUSINESS DEVELOPMENT Nearly 20 years of experience in network, data systems, information security, military research, technology acquisition, and operations Expertise in the field of Information Assurance, cryptography, high availability data centers, and network security Prior to joining 3eTI directed Department of Defense engineering and technology organizations with Top Secret /TK/SI/SCI security clearance. Senior Colonel in the Information Assurance Directorate, National Security Agency (NSA), responsible for development of secure communications used for space based reconnaissance and communication satellite platforms Source selection for Army officers on NSA Red Team and managed the sustainment of the Electronic Key Management System Retired from active military service to lead 3eTI s Business Development efforts, including directing 3eTI s strategic Sales and Marketing activities 2

3 Session Overview What are we talking about? ICS Security Challenges Standards: the defender s approach Vulnerabilities: the attacker s approach Who to trust? Owning your risk Risk = Threat x Vulnerability x Impact

4 3eTI & Ultra Electronics At A Glance 3eTI Leading provider of military-grade secure communications that enable critical systems security, infrastructure security, and facility management for customers worldwide. 3eTI was founded in US employees Subsidiary of Ultra Electronics Accredited and proven products and solutions 80+ years of industry expertise, including two NATO expert advisors Flexible OEM models for easy integration Ultra Electronics An internationally successful Defense and Aerospace, Security & Cyber, Transport and Energy company with a long, consistent track record of development and growth. Founded in 1993 Group consists of 30 specialized subsidiaries employees Over 180 specialty capabilities areas $1,238.4m in revenue $183.2m in profit Revenue by capability

5 The Real Security Challenge Connecting everything has given us great value, but also a lot of new risks Risk is individual and unique, so mitigations and solutions are too Technology and attackers often outpace the assumptions made in the risk assessment Stop adopting a protect against the last attack approach this just wastes resources If we accept that this is ICS not IT, don t just look at IT-centric solutions If the attack is new or paradigm shifting (e.g. Stuxnet, Target) it takes the industry a long time to even begin to address it But, you are not alone and risk management is possible. People have been doing it a long time! The current way of operating is insecure and potentially unsafe!

6 REAL-LIFE DANGERS Staged cyber attack reveals vulnerability in power grid Russia's Sayano- Shushenskaya Hydroelectric disaster

7 Cyber Security Standards Enabling a business risk-driven security regime

8 ISO INFORMATION SECURITY MANAGEMENT CODE OF PRACTICE What it is Overarching standard for operational security process in the IT world Comprehensive catalog of security practices for IT system managers ISO How to establish and maintain an information security management system Conclusion Management focused making security and business management function Weak on implementation Process driven, not results driven

9 IEC 62443/ISA99 INDUSTRIAL & ENTERPRISE NETWORK INTEGRATION What it is Security for industrial automation and control systems (IACS) Prevention of illegal or unwanted penetration, intentional or unintentional interference with the proper and intended operation, or inappropriate access to confidential information in IACS Zone and Conduit Model A network segmentation countermeasure strategy Barrier devices shall block all non-essential communications in and out of the security zone Asset owner shall establish zones and conduits by grouping assets based on functionality Conclusion Risk-based rather than process driven Industrial focused rather than IT focused Dependent on right choice of zone/conduit architecture

10 IEC TYPICAL ZONE & CONDUIT DEPLOYMENT Zones Definition Assets with common security requirements and functionality Reality impact area (compromise of one is the compromise of all) The size of a zone should be equal to the size of the accepted impact Level 1 (Zone) Level 2 (Zone) Level 1 Level 2 (Conduit) Level 3 (Zone) Level 2 Level 3 (Conduit) Level 4 (Zone) Level 3 Level 4 (Conduit)

11 DIACAP DOD INFORMATION ASSURANCE CERTIFICATION PROCESS What it is Certifies and accredits information systems through an enterprise process Process parallels the system life-cycle Achieve DoD IA through a defense-indepth approach that integrates the capabilities of personnel, operations, and technology, and supports the evolution of network centric warfare Conclusion Very thorough, backed up with STIGs IT focused Heavily dependent on quality of assessors and assessments

12 Independent Validation ASSURES SECURITY ROBUSTNESS Component Validation Test components using standards such as FIPS 1402 and Common Criteria. Use national technical authorities (e.g. NSA) to conduct deep dive component vulnerability assessments System Validation Take system through thorough risk and vulnerability assessment to ensure mitigations and configurations are implemented correctly Solution Validation Thoroughly penetration-test a reference system by expert SCADA/ICS security red teams (e.g. DHS/INL) Installed Validation Undertake on-site live red-team exercise to test cyber and physical security in operation

13 Vulnerabilities & Threats What are the attackers thinking?

14 A Growing List of Uncovered Vulnerabilities

15 Bringing the Internet to You CYBER WEAPONS

16 Cyber Attackers WHO CAN LAUNCH A CYBER ATTACK You don t need to be a hacker to hack. To launch a sophisticated cyber attack you need: Motivation why would they attack me? Money 30 min. watching a YouTube video Political protest $100 equipment from Amazon Environmental activism Notoriety Industrial espionage Those with the capability: Nation states Retaliation Criminals Job security Activists Fun Employees Children! Cyber attacks are a great equalizer. An attacker need not know what he/she is doing to cause a large impact!

17 Everyone is a Potential Target

18 Approach & Mitigations What is the answer?

19 Holistic Cyber Security ATTACKS & MITIGATIONS Federal Gov t DoD /Military Corporate/Financial Telcomms Healthcare Utilities Distribution Building Automation Industrial Facilities Energy Mgt

20 Multi-dimensional Approach RIGHT TOOL FOR THE RIGHT JOB Firewalls Keeps unauthorized traffic out Intentional holes for authorized traffic Encryption Maintains confidentiality and integrity of data Works just as well on malware as legitimate traffic Key management as important as algorithms Anti-Virus Prevents known malware from running Doesn t handle new malware Doesn t run on embedded systems VLANs Segregates traffic on networks Not originally designed as a security control Port Authentication Limits network resource access Can be hijacked Robust & Resilient End-point, network, and perimeter defense End-to-end security Multi-vendor approach Mitigate vulnerabilities not previous attacks

21 A Holistic Risk-Based Approach INTEGRATING CYBERSECURITY Security is not a destination; it s a journey. The better and more informed your risk management is, the farther you will get Policy Risk management is not risk elimination Understand your risk appetite Mitigate vulnerabilities not attack vectors Appropriate solutions for realistic threats Operate & Monitor Plan & Design Don t rely on COTS security by design Leverage known security approaches ISO NIST/FISMA DIACAP ISA99 CIP-005 Implement security the correct way by using independent validation Risk Management Review & Approve Develop & Deploy Solution should be easy to deploy, manage and maintain and should not interfere with existing operation An incomplete risk assessment will result in unaddressed risks & unacceptable impacts

22 How Much Risk is Acceptable? Office Network Historian Workstation Wider Enterprise Network Facility Network Engineering Terminal SCADA Server HMI Control Network Remote Site 1 Remote Site 2 Remote Site N Maintenance Laptop 1 Risk from an external attack 2 Risk from the large control network 3 Risk from internal device connections 4 Risk from internal compromise 5 Risk from unpatched zero-day vulnerabilities What risk will you accept today? Tomorrow?

23 Case Study Highlights US NAVY NDW OBJECTIVE: To build an enterprise industrial control system (EICS) using a secure platform that would meet government energy mandates under the customer s Smart Grid Program REQUIREMENTS Efficiency savings through automation Optimization of plant operations and processes Safe and Reliable operations Share information among stakeholders Connect equipment over an IP network Utilize open and common protocols CONCERNS Unauthorized external access to networks and systems Loss of command and control or data integrity Loss or degradation of system availability Malware infection manipulating operations Cyber-attack causing physical impact Reputation loss due to publicized vulnerabilities or attacks Intentional misuse of systems causing physical impacts Cybersecurity attacks impacting normal operations

24 Summary The cyber risks are real, but probably not what you imagine It s getting easier and cheaper all the time Computers don t look like computers anymore Don t inadvertently drive attackers to your unprotected side Perimeter protection is not enough The Internet will be brought to you, whether you like it or not! You can t cheat off the person next to you - risk is something you must own and understand Be aware of YOUR threats, vulnerabilities, and impacts This is a business problem, not an IT or ICS problem Don t just specify security requirements demand validated security There is no one size fits all or single bullet solution Trust must be earned, but even then also verify (you get what you ask for!) Security done right Push security to the edge (device level not network level) Security is end-to-end: how do you know that what was received was what was sent? Security is NOT standard compliance there s a reason why they don t specify validation Security is not about eliminating the threat, but frustrating the attacker

25 Questions & Answers Mark Benedict Ultra Electronics, 3eTI Phone

26 About Ultra Electronics, 3eTI Leading provider of certified communications that enable critical systems security, infrastructure security, and secure facility management for customers worldwide. Founded in 1995 Subsidiary of Ultra Electronics a $1.1B electronics group employees - sells systems, products and services in more than 60 countries Accredited and proven products and solutions 80+ years of industry expertise, including two NATO expert advisors 17 technology patents OIL & GAS PORT & CNI Adaptable systems meet customized requirements for government and industrial markets COMMUNICATION S NAVAL/MARINE LAND

27 EtherGuard END-POINT PROTECTION FOR EMBEDDED DEVICES Core End-point Security Features Control who communicates with the embedded device Protects the integrity of those communications Monitors and validates the commands being communicated Validated Capabilities Layer 2 and Layer 3 encryption Firewall Port authenticator Deep Packet Inspection (DPI) 3rd Party Independent Validations Component validation - Accredited for IA, industrial operation and implementation System validation Risk and vulnerability assessments to ensure mitigations and configurations implemented correctly Solution validation - Penetration tested by SCADA/ICS security team experts Installed validation - On-site live team tested for cyber and physical security in operation Flexible Deployment Options Enables bolt-on retro-fit security for existing deployments Available as OEM module for built-in new solutions Applications ICS/SCADA system cybersecurity Embedded systems cybersecurity M2M cyber security Encryption/ authentication Intrusion detection/prevention Network systems security Remote device connectivity Network-within-network provision