CONTROL SYSTEM SECURITY

Transcription

1 CONTROL SYSTEM SECURITY Presented by: Justin Johnson ebay Inc. A BRIEF HISTORY Egyptian Water Clock Romo-Woolridge 300 First digital computer based control system Ethernet and TCP/IP connectivity for PLCs Slammer and Blaster Worms Infect Millions Stuxnet discovered Introduction of PID Modicon 084 First Programmable Controller LONtalk standard accepted by ANSI Polish Teen Derails Commuter Trains s B.C. Early 1900s First Thermostat Falling Cost of Compute BACnet standard published by ASHRAE Zotob worm infects 13 US Automakers 2003 Target Breach First Professional Organization Industrial Instruments and Regulators Committee Modbus Protocol Introduced Maroochy Shire Sewage Plant Attacked Conficker Worm Infect US Power Generation 1

2 BY THE STATS DATA FROM A 2015 SANS.ORG SURVEY TYPES OF SYSTEM COMPROMISES Control System Compromised Loss of Production / Availability Damage to Equipment Impact to Life Safety Equipment Lost Time and Resources Corporate Network Compromised Loss of Sensitive or Business Critical Information Damage to Reputation Impact on Investors / Stock Value Disruption of Normal Business Activities 2

3 PROTOCOL LEVEL SECURITY Scratching the surface on some common protocols BACNET Most BACnet systems provide an illusion of security Credential Management and Authentication is provided at the operator workstation/server. Introduction of another operator workstation bypasses any implemented security. Physical access to the BACnet network provides nearly unrestricted control. Data is passed on the network without any encryption. Broadcast based discovery simplifies identification and manipulation of targets. Automatic routing presents multiple attack vectors Addendum G Accepted 2010 Provides message level security and encryption. Promising but not widely implemented. 3

4 MODBUS MODBUS has no provisions for device or message level security Credential Management and Authentication is provided at the operator workstation/server. Introduction of another operator workstation bypasses any implemented security. Physical access to the MODBUS network provides nearly unrestricted control. Data is passed on the network without any encryption. Obscurity provides the only *security* as documentation is required to contextualize registers, coils, etc. HELP FROM THE OSI MODEL Device level IP filtering can provide some level of security by whitelisting devices that should be communicating with a piece of equipment. 4

5 WHAT CAN WE DO? Securing the controls network PHYSICAL SECURITY 5

6 5/11/2016 WHERE ARE THE DEVICES INSTALLED? Servers Operator Workstations Installed in secure data center / IDFs. Installed in secure engineering rooms or command centers. HMIs Installed in secure locations where possible Controllers Installed in secure control panels. Appropriate NEMA rating for conditions Where possible installed in secure areas. CONTROL PANEL SECURITY Panel locking mechanisms are very often manufacturer specific not site specific. The same key that opens your IT cabinets may open your electrical gear and your control cabinets. Door contacts provide additional security at a relatively low price. 6

7 MANAGED VS UNMANAGED Managed Switches Port level security Link status monitoring Port Mirroring for network traffic monitoring Typically deployed in centralized and controlled locations More Expensive Unmanaged Switches Less Expensive WIRELESS SECURITY The use of wireless networks for control systems should be very limited. Wireless networks often extend beyond the bounds of any physical security. Wireless networks should be treated as hostile. As much so as the Internet. Who doesn t like chips? 7

8 PERIMETER SECURITY VPN Utilize VPN for any remote access to control systems or control system networks. Recommend 2 factor authentication. Recommend client policy enforcement. Do not allow direct HTTP/HTTPS connections to application servers. Do not allow direct RDP connections to application servers. 8

9 FIREWALLS Implement firewalls between controls networks and any other networks. Examples: Internet, Corporate Network, etc. Allow only required ports/applications to traverse. Review firewall rules on a regular basis. NETWORK AND OS SECURITY 9

10 NETWORK SECURITY Isolate systems with vlans. Disable unused ports. Implement intrusion prevention/detection systems. Implement change management for all changes. Do not allow unmanaged systems onto the network (NAC Policy). Limit or eliminate the use of wireless on control networks. OS SECURITY Use only current and supported operating systems Enable only required services. Implement a patch management strategy. Utilize policy based management. Implement and update anti-virus, anti-malware applications. 10

11 IDENTITY MANAGEMENT DIRECTORY SERVICES Use of local accounts for user access and/or service/application authentication should be avoided Utilize centralized directory services such as LDAP or Active Directory. Use domain accounts for application services. Implement password policies (complexity, expiration, etc.) 11

12 APPLICATION AUTHENTICATION Make sure all users have their own user account for application access. Restrict access to minimum required for job function. Enable any access logging provided within the application. Use directory integrated authentication whenever possible. If applications must maintain their own users, make sure credentials are stored securely. Audit security parameters on a regular basis DOCUMENTATION 12

13 DOCUMENTATION Network Diagrams Lists of computers, servers, and HMIs Firewall locations and policies User account lists and security group membership Services/protocols supported by each device. REVIEW Threats are out there and increasing Security needs to be implemented outside of the control system. Physical Security Perimeter Security Network and OS Security Identity Management Documentation and Policies 13

14 QUESTIONS? 14