Mission Critical Industrial Ethernet Network Design Seminar

Transcription

1 Mission Critical Industrial Ethernet 2010 Mission Critical Appliance Hirschmann Tofino Security Network Design Seminar Justin Nga Senior Application Engineering Manager 1

2 Agenda Belden and Hirschmann Security Perspectives Trends and Driving Factors Common Misconceptions Technologies Firewalls Applying the Tofino - Defence in Depth Hirschmann Tofino Live Demo Conclusion 2

3 Belden and Hirschmann 3

4 History of Belden, Hirschmann, and Lumberg Automation In 1902, Belden is founded by Joseph Belden in Chicago, Illinois. In 1993, Belden expands into Europe. In 2004, Belden and Cable Design Technologies merge to form Belden CDT Inc. In 2007, Belden CDT Inc. is renamed Belden Inc. In 1924, Hirschmann company is founded by Richard Hirschmann in Esslingen near Stuttgart, Southern Germany. In 2005, Hirschmann Automation and Control GmbH is formed. In 2007, Belden Inc. acquires Hirschmann Automation and Control. In 1933, Lumberg company is founded by Karl and Erich Lumberg in Schalksmühle near Düsseldorf, Germany. In 2002, Lumberg Automation Components GmbH is formed. In 2007, Belden Inc. acquires Lumberg Automation. End to End Signal Transmission Solutions 4

5 Hirschmann 88 Years Of Innovation Setting trends for new technologies in Industrial Connector Richard Hirschmann company founded Invention of the»one-two-plug«audio connectors Actuator»cube«connector Certification of entire laboratory connector range to IEC 1010 World smallest self-assemble sensor connector M8 MiniQuick Self assemble sensor connector VarioQuick M12 BusQuick Fieldbus connecting system for Profibus PA & Foundations Fieldbus Self assemble IEC 1010 laboratory connector range Installed the world s first optical ETHERNET network at University of Stuttgart Developed Redundant Ethernet Ring Co-development of the Actuator Sensor Interface Fieldbus system over fiber-optic - RS485 & Profibus repeater Industrial Ethernet Rail hub New FiberFieldbus-System FIP New Fiber Fieldbus-System GENIUS Fast redundancy in industrial Fast Ethernet switch 12 Mbit/s Profibus fiber-optic repeater Modularize gigabit Ethernet Backbone Switch - Mach 3000 Modular Industrial Fast Ethernet Switch - MICE IP67 Railway certified switch EEC enabled Industrial Ethernet Switch & RS2-16M, SPIDER / Eagle mguard Modular Industrial Gigabit Ethernet Switch - Power MICE OpenRail & MACH Fast Ethernet, Gigabit Ethernet Railway certified wireless switch Ruggedized switches for substations Wireless LAN IP67 for ATEX Zone 2 Zero milliseconds failover test (IEC HSR/PRP) for substation automation RSP switches with IEC PRP (HSR future release) Setting trends for new technologies in Industrial Networking

6 Security Perspectives 6

7 Differences between IT and ICS Networks IT security solutions are based on assumptions that are often not fully transferable into ICS and SCADA networks Differing Security Focus Differing Performance Requirements Differing Reliability Requirements Differing Operating Systems and Applications Differing Risk Management Goals Differing Security Architectures 7 7

8 Differing Security Focus I.T.: Privacy First - Protect the Data SCADA/ICS: Safety First - Protect the Process Priority IT SCADA/ICS #1 Confidentiality Availability #2 Integrity Integrity #3 Availability Confidentiality Byres Security Inc. 8 8

9 Security Perspectives Control Networks vs Corporate Networks 9

10 Trends 10

11 Critical Control and Automation Trends Control and Automation Systems and Applications are migrating from proprietary to open standards, to enable seamless connectivity From serial to ethernet Profibus to Profinet Modbus to Modbus TCP Ethernet/IP, etc Analog Signal Enhancements and Evolution: 4-20mA to Hart, Fieldbus technologies, FDT DTMs, etc Automation technology trends tend to lag off IT technology trends by approximately years before gaining wider acceptance and deployment, e.g. Unix to Windows operating systems Databases/Historians Oracle, SQL, Pi Middleware applications e.g. OPC MES applications Network convergence - Data, Voice, Video / Enterprise to Control layer Typically categorised under the banner of Industrial Ethernet / Networking 11

12 Communications Hierarchy Level 1: Corporate level Level 2: Management Level Level 3: Process Management and Control Level Level 4: Field Level ERP: SCADA: DCS: PLC: Enterprise Resource Planning Supervisory control and data acquisition Distributed Control Systems Programmable Logic Controller Process and manufacturing data is not just available at the field level, but is seamlessly integrated into higher-level data acquisition systems via Industrial Ethernet Business drivers - Sensor to Boardroom.. Real time decision making Efficiency Increased dependence on the network for Asset Management, OHS, Maintenance, etc. A Mission Critical Network must be robust, reliable with fault tolerance, manageable, maintainable and scalable. 12

13 Common Misconceptions 13

14 Famous Last Words Most public utilities rely on a highly customized SCADA system. No two are the same, so hacking them requires specific knowledge. Scott Berinato Debunking the Threat to Water Utilities CIO Magazine March 15,

15 Security Incidents in the Water Industry Salt River Project SCADA Hack Maroochydore Shire Waste Water Treatment Plant Software Flaw Makes MA Water Undrinkable Trojan/Keylogger on Ontario Water SCADA System Viruses Found on Auzzie SCADA Laptops Audit/Blaster Causes Water SCADA Crash DoS attack on water system via Korean telecom Penetration of California irrigation district wastewater treatment plant SCADA. SCADA system tagged with message, "I enter in your server like you in Iraq." 15

16 Security Incidents in the Oil Industry Electronic Sabotage of Venezuela Oil Operations CIA Trojan Causes Siberian Gas Pipeline Explosion Anti-Virus Software Prevents Boiler Safety Shutdown Slammer Infected Laptop Shuts Down DCS Virus Infection of Operator Training Simulator Electronic Sabotage of Gas Processing Plant Slammer Impacts Offshore Platforms SQL Slammer Impacts Drill Site Code Red Worm Defaces Automation Web Pages Penetration Test Locks-Up Gas SCADA System Contractor Laptop Infects Control System 16

17 Security Incidents in the Chemical Industry IP Address Change Shuts Down Chemical Plant Hacker Changes Chemical Plant Set Points via Modem Nachi Worm on Advanced Process Control Servers SCADA Attack on Plant of Chemical Company Contractor Accidentally Connects to Remote PLC Sasser Causes Loss of View in Chemical Plant Infected New HMI Infects Chemical Plant DCS Blaster Worm Infects Chemical Plant 17

18 Security Incidents in the Power Industry Slammer Infects Control Central LAN via VPN Slammer Causes Loss of Comms to Substations Slammer Infects Ohio Nuclear Plant SPDS Iranian Hackers Attempt to Disrupt Israel Power System Utility SCADA System Attacked Virus Attacks a European Utility Facility Cyber Attacks Reported by Asian Utility E-Tag Forgery Incident in Power PSE Power Plant Security Details Leaked on Internet Stuxnet 18

19 Where Do All These Come From? maintains the Repository for Industrial Security Incidents (RISI) which tracks network security incidents that directly impact industrial operations. World s largest collection of control system security incidents. Both malicious and accidental incidents are tracked. 19

20 Cyber Security Incident Types General Incident Type N/A 0% External Hacker Outsider 47% Insider 53% Intentional 20% Software or Device Flaw Disgruntled Employee Human Error Unintentional 80% Insider 14% N/A 48% Outsider 38% Malware Infection 2011 Security Incidents Organization 20

21 Where do Hackers start? Conferences e.g. Blackhat / Toorcon SHODANHQ the Google for Hackers Feb Security researcher Oscar Kouroo, working for the Dutch nuclear physics institute NIKHEF, found out that national infrastructural systems were listed on Shodan, (a database of cyber security vulnerabilities) and could be easily accessed remotely. Those systems, controlling pumping stations and sluices, are vital for the water management of a large part of the Netherlands. Other white papers on the Internet. ICS Cert Website 21

22 Technologies - Firewall 22

23 Firewalls A H/W or S/W mechanism used to control and monitor traffic to and from a network, based on predetermined security criterias, for the purpose of protecting devices on the network Firewall Classes: Packet Filter: Static rules (allow/deny) Low cost and low impact on network performance Lacks the ability to understand the relationships between a series of packets Stateful Inspection: Ability to intelligently track relationships of packets High security and good performance Expensive and complex Application Proxy: Opens packets at the application layer, process against rules, reassembles and forwards High security, potentially slower network performance Deep Packet Inspection: Application firewalling - offers filtering deeper into the application layer but at lesser load 23

24 Limitations A firewall offers limited or no protection against: Internal attacks Social engineering attacks Attacks over permitted connections Malware such as Trojans, Viruses, Spyware, Phishing, or damaging active components (ActiveX, Java Applets, JavaScript) Passive attacks (Sniffing the LAN, traffic analysis, etc.) Improper use of mobile computers Removable media 24

25 Applying the Tofino For Defence in Depth 25

26 Bastion Strategy vs Defence in Depth I. Hard-perimeter II. Defense-in-depth 26

27 Security Issues in Control Networks Soft Targets PCs run 24x7 without security updates or even antivirus Controllers are optimized for real-time I/O, not for robust networking connections Multiple Network Entry Points The majority of cyber security incidents originate from secondary points of entry to the network USB keys, maintenance connections, laptops, etc. Poor Network Segmentation Many control networks are wide-open with no isolation between different sub-systems As a result problems spread rapidly through the network 27

28 Typical Control Network Architecture 28

29 Typical Control Network Architecture 29

30 A Perimeter Defense is Not Enough We can t just install a firewall at the edge of the network and forget about security. The bad guys will eventually get in Many problems originate inside the plant network We must harden the plant floor. We re crunchy Defense in Depth. on the Outside - Soft in the Middle 30

31 Defense-in-Depth Strategy By defense-in-depth strategy, we mean the protection measures composed of more than one security control to protect the property. By the use of this kind of multi-layer measures, another layer will protect the property even if one layer is destroyed, so the property is protected more firmly. Yokogawa Security Standard of System TI 33Y01B30-01E Byres Security Inc. 31

32 ANSI/ISA-99: Dividing Up The Control System A core concept in the ANSI/ISA-99 security standard is Zones and Conduits Offers a level of segmentation and traffic control inside the control system. Control networks divided into layers or zones based on control function. Multiple separated zones help to provide defense in depth. 32

33 Security Zone Definition Security zone: grouping of logical or physical assets that share common security requirements. [ANSI/ISA ] A zone has a clearly defined border (either logical or physical), which is the boundary between included and excluded elements. HMI PLC 33

34 Conduits A conduit is a path for the flow of data between two zones. Any communications between zone must have a conduit. We need to identify all the conduits, not just the obvious ones. Conduit HMI PLC 34

35 Protecting the Network with Zones and Conduits A firewall in each conduit will allow only the MINIMUM network traffic necessary for correct plant operation Generate alarm messages when traffic is blocked Conduit HMI PLC 35

36 Zones and Conduits provide Defense in Depth 36

37 Zones and Conduits provide Defense in Depth 37

38 Zones and Conduits provide Defense in Depth 38

39 Defense in Depth via Distributed Security Appliances Add the missing layers of defense using external hardware security appliances that are specifically designed for the task Make sure the product is easy to install, configure, and manage in the plant environment Ultra-reliable hardware Install, configure, and manage with no plant down time Support the equipment and protocols commonly used on the plant floor Tools that are focused on the needs and capabilities of plant personnel Byres Security Inc. 39

40 Hirschmann Tofino 40

41 Hirschmann Tofino The Hirschmann Tofino Industrial Security Solution: Byres Security Tofino software Tofino Argon Applicance Hirschmann Hardware Eagle20 Tofino Hirschmann s Tofino Sept 2011 Hirschmann / Belden acquires Byres Security 41

42 EAGLE Tofino System What is the EAGLE20 Tofino? A network security system designed specifically for Industrial Automation No IT knowledge required for configuration or operation Predefined templates for: > 50 industrial communications protocols > 25 families of industrial controllers Provides Defence in Depth Secure zones inside a network 42

43 EAGLE Tofino Key Benefits No IT knowledge required Enhanced security and safety Extend Cyber Security down into the control network Simplified regulatory and standards compliance FERC / NERC CIP ANSI/ISA-99 IEC

44 EAGLE Tofino Architecture Corporate Network HIRSCHMANN Centralised Management HIRSCHMANN HIRSCHMANN Firewalls Cluster of DCS Controllers SCADA RTU PLC Controller 44

45 Key Tofino Components Tofino Central Management Platform (CMP) Centralized Security Management Tofino Security Appliance Zone Level Security for your control network Tofino Loadable Security Modules (LSM) Firmware modules that customize the security features on your Tofino Security Appliances 45

46 Tofino Central Management Platform (CMP): centralized security management Configure, manage and monitor all your Tofino Security Appliances from one workstation Built-in Network Editor to quickly model your control network Visual drag-and-drop editors for quick and easy configuration of security rules 46

47 CMP Close Up 47

48 Fort Sask Network Corporate Firewall Corporate Network DMZ HIRSCHMANN HIRSCHMANN HIRSCHMANN Fort Sask Control Network HIRSCHMANN HIRSCHMANN Sumas Pump Station Network Jasper Pipeline Network 48

49 Network Hierarchy View HIRSCHMANN HIRSCHMANN HIRSCHMANN HIRSCHMANN HIRSCHMANN 49

50 Controllers Pre-configured rules for more than 25 families of controllers Special rules to handle known vulnerabilities 50

51 Industrial Protocols Pre-defined templates for more than 50 industrial communications protocols Additional protocols can be added 51

52 Network Devices Support for Hirschmann network devices. 52

53 EAGLE20 Tofino Security Appliance Simple installation requires no networking knowledge and no pre-configuration Install and configure Tofino with no disruption to the control system Unique 'Test' mode allows testing with no risk to your plant 53

54 Tofino Loadable Security Modules LSMs are software plug-ins providing security services such as: Firewall Secure Asset Management Content Inspection (Deep Packet Inspection) VPN encryption Event Logger Each LSM is downloaded into the security appliance to allow it to offer customisable security functions, depending on the requirements of the control system. 54

55 Tofino Firewall LSM: Traffic Control for industrial networks Control engineer defines list of traffic rules Automatically blocks and reports any traffic that does not match your rules Simple rule definition using graphical drag-and-drop editor Drag the HMI on to the PLC. The correct rules are created automatically 55

56 Tofino Secure Asset Management LSM: Tracks and Protects Network Devices Passive Asset Discovery locates network devices without any process disruption Newly-discovered devices are reported to the Tofino Management Platform (CMP) as a security alert Keep current and detailed inventory lists for ANSI/ISA-99 and NERC standards compliance Assisted Rule Generation wizard guides users to create firewall rules from 'blocked traffic' reports 56

57 Tofino Modbus TCP Enforcer LSM: content inspector for Modbus Protocol 'Sanity Check' blocks any traffic not conforming to the Modbus standard Control engineer defines list of allowed Modbus commands, registers and coils Automatically blocks and reports any traffic that does not match your rules 57

58 OPC Classic OPC Classic is the world s leading technology for integrating different automation products. Formerly known as OLE for Process Control, (where OLE stood for Object Linking and Embedding) Includes all OPC standards that are based on Microsoft's DCOM Technology (i.e. all but OPC-UA) Unfortunately OPC is famous for its poor security 58

59 Typical TCP/IP Protocols Most protocols use Fixed Port Numbers to identify the application to handle an incoming packet Similar to an extension for accounts payable on a company phone system Example: Most Modbus TCP slaves use port 502 Modbus Command (Dst Port = 502) Modbus Reply (Src Port = 502) Modbus Master Operator Station Modbus Slave PLC 59

60 Typical TCP/IP Protocols Consistent TCP/UDP port numbers makes it easy to create firewall rules Example: To allow only Modbus traffic to get to a PLC and block all other messages: Allow Dst Port = 502 (Modbus), Deny All Else Modbus (Port 502) Modbus Master Operator Station Modbus Slave PLC 60

61 OPC Classic (aka OPC DCOM) OPC Classic dynamically assigns TCP ports to each executable process serving objects on a server Clients discover port associated with an object by connecting to the server and sending messages like: find COM object XXX for me and tell me what port it is on OPC Client OPC Connection Request (Port 135) OPC Server Server Response: Use Port OPC DA Connection (Port 12345) OPC DA Data (Port 12345) 61

62 Until Now - An Unfirewallable Protocol Because OPC is free to use any port between 1024 and it is IT firewall unfriendly You don t know in advance what port the server will use So you can t define the firewall rule You have to leave all ports open on your firewall Configuring your firewall to leave such a wide range of ports open creates a serious security hole 2222 Rockwell-CSP 2404 IEC Mitsibishi MELSCQNA 5450 PI Data Historian 9100 Omron FINS And 1000 s more! 62

63 It Gets Worse! OPC/DCOM in the Real World DCOM callbacks in OPC are not handled on the same connection that is used for client/server calls Some OPC servers reject the first few connection attempts after they tell the client to use a specific port, completely breaking most firewall state engines! All this has made the industry consider OPC Firewalls virtually impossible 63

64 Tofino OPC Enforcer LSM: content inspector for OPC Classic Automatically tracks TCP ports assigned by OPC servers for data connections Dynamically opens tracked ports in firewall only when they are needed Protocol 'Sanity Check' blocks any OPC requests not conforming to the DCE/RPC standard 64

65 Simple Configuration Deny by default including: Any attempted OPC traffic that is not between defined OPC client and server pairs will be blocked and reported Any attempted TCP connection that was not successfully negotiated between a valid OPC client and server will be blocked and reported User-settable options Sanity check enable/disable on OPC connection attempts Maximum time to wait for data connection to start 65

66 Tofino VPN: secure tunnels over untrusted networks Creates secure tunnels between Tofino Security Appliances; between Tofino and PCs; and between Tofino and supported third-party devices Simple set-up and management Inter-operates with other Tofino LSMs (eg Firewall, Modbus TCP Enforcer) to combine security features Corporate Network Internet 66

67 Layer 2 Bridging Pipeline Example Create an Ethernet bridge over the Internet using Rapid Spanning Tree Internet 67

68 Tofino Event Logger: Automonous Security Appliances Logs events locally on Tofino Security Appliance Logs events locally to a USB stick (persistent) Transmits event messages to a Syslog server Removes potential single point of failure (CMP) No CMP required in production network Events Syslog Server 68

69 Live Demo 69

70 Any Questions? 70