SCADA Security - how to safely audit and protect Industrial Control Systems?

Transcription

1 SCADA Security - how to safely audit and protect Industrial Control Systems? Mariusz Stawowski, Ph.D. CISSP, CEH Technical Director, CLICO

2 CLICO Competence Center +35 security and networking experts Biggest Security VAD (IDG) Security audits, ATC, PS, etc. Operating in Central and Eastern Europe: POLAND: Kraków HQ ROMANIA: Bucharest BULGARIA: Sofia CROATIA: Zagreb SLOVENIA: Ljubljana SERBIA: Belgrade HUNGARY: Budapest

3 SCADA Security Laboratory SCADA Server with a set of tools for programming and monitoring industrial drivers (including the Historian database) PLC - a set of industrial network controllers (eg ProfiNet network controller, ProfiNet islands, logic input and output logic) Managed industrial switch with the ability to connect security devices for testing (firewalls, IPS, NBA) Security testing station (Rapid7 Nexpose, Metasploit)

4 OT - Operational Technology ICS - Industrial Control System = IACS - Industrial Automation and Control System Advanced analytics and data storage MES Manufacturing Execution System APC - Advanced Process Control Data Historian Visualization, supervision and control SCADA - Supervisory Control and Data Acquisition DCS - Distributive Control System HMI - Human Machine Interface Control devices PLC - Programmable Logic Controller PAC - Programmable Automation Controller RTU - Remote Terminal Unit Industrial machinery and equipment Databases Web SSH / Remote Access, etc. Windows, Linux, etc. Exploits SQL-I, XSS Misuse Malware

5 Why OT connects to evil" IT Example functions of SCADA: Visualization, Alarming, Data acquisition Centralization and distribution of information Complete reporting, etc. Example functions of MES: Process management, quality management Resource allocation, labor management Product tracking, performance analysis, etc. Benefits: improves planning, reduces costs, improves quality, etc. More information:

6 What we learn from the OT staff? 1. We do not use SCADA We are safe! 2. OT is not connected to Internet We are safe!

7 Advanced analytics and data storage (MES, APC, Historian, etc.) LAN Internet Visualization, supervision and control (SCADA, DCS, HMI, etc.) VPN WAN OT Maintenance Cameras, IP phones, many more Control devices (PLC, PAC, RTU, etc.) LAN How do you manage OT systems? What tools do you use? Can OT Maintenace staff connect remotly to OT systems? Can "some people" in HQ see how OT works?

8 How to safely audit Industrial Control Systems? Penetration tests are risky! Only test environment Industry standards and security recommendations issued by recognized organizations: o International Society of Automation (ISA) o US National Institute of Standards and Technology (NIST) o UK Centre for the Protection of National Infrastructure (CPNI) o US Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) o US Department of Homeland Security o SANS Institute o US Department of Energy o Others

9 ANSI/ISA ( )-2013, "Security for industrial automation and control systems", ISA 2013

10 Secure Architecture Design ICS-CERT Source: Architecture-Design

11 Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies - US Department of Homeland Security Source: cert.gov/sites/default/files/recommended_practices/nccic_ics- CERT_Defense_in_Depth_2016_S508C.pdf

12 Secure Architecture for Industrial Control Systems - SANS Institute Source:

13 Secure Data Transfer Guidance for Industrial Control and SCADA Systems - US Department of Energy Source: echnical_reports/pnnl pdf

14 How to protect SCADA/ICS? OT - Operational Technology ICS - Industrial Control System = IACS - Industrial Automation and Control System Advanced analytics and data storage MES Manufacturing Execution System APC - Advanced Process Control Data Historian Visualization, supervision and control SCADA - Supervisory Control and Data Acquisition DCS - Distributive Control System HMI - Human Machine Interface Control devices PLC - Programmable Logic Controller PAC - Programmable Automation Controller RTU - Remote Terminal Unit Industrial machinery and equipment Databases Web SSH / Remote Access, etc. Windows, Linux, etc. Exploits SQL-I, XSS Misuse Malware

15 Industrial/ Enterprise DMZ Advanced analytics and data storage (MES, APC, Historian, etc.) Visualization, supervision and control (SCADA, DCS, HMI, etc.) LAN FW, VPN & IPS Anti-Malware WAN (Sandbox) Incident Detection, etc. Internet VPN OT Maintenance Cameras, IP phones, many more LAN CLICO colaborates with: Control devices (PLC, PAC, RTU, etc.)

16 Industrial/ Enterprise DMZ Advanced analytics and data storage (MES, APC, Historian, etc.) Visualization, supervision and control (SCADA, DCS, HMI, etc.) Privileged Access Security WAN LAN Internet VPN OT Maintenance Cameras, IP phones, many more LAN CLICO colaborates with: Control devices (PLC, PAC, RTU, etc.)

17 Maintaining Web & Database security is difficult Many attack vectors (exploits, SQL-I, privilege misuse, etc.) Intruders Malware Web Application Firewall Sensitive Data Database Firewall Malicious admins and users Problems installing security patches in production systems

18 Industrial/ Enterprise DMZ Advanced analytics and data storage (MES, APC, Historian, etc.) Visualization, supervision and control (SCADA, DCS, HMI, etc.) WAN Web & Database Security Privileged Access Security LAN Internet VPN OT Maintenance Cameras, IP phones, many more LAN CLICO colaborates with: Control devices (PLC, PAC, RTU, etc.)

19 Imperva Web & Database Security SecureSphere Web Application Firewall SecureSphere Database Firewall SecureSphere Database Activity Monitoring User Rights Management for Databases Camouflage - Data Masking CounterBreach - User Behavior Analytics for incidents detection

20 Imperva Web & Database Security Full auditing and visibility into data usage Complete Audit Trail When? Who? Where? How? What?

21 Summary Myths" about SCADA/ICS security Safe auditing of SCADA/ICS security Real and (unfortunately) effective techniques of breaking into SCADA/ICS Standards and guidelines issued by recognized world organizations Security technologies to enhance the security of SCADA/ICS Defense in depth Industrial/ Enterprise DMZ FW, VPN & IPS Anti-Malware (Sandbox) Incident Detection, etc. Privileged Access Security Web Security Database Security Other Safeguards