Essentials of Cyber Security Intelligence for Protecting ICS

Transcription

1 November 3, 2016 Essentials of Cyber Security Intelligence for Protecting ICS Jeffery S. Bridgland Advisory Board Member N-Dimension Solutions

2 Lots of Ground to Cover ICS in General General Security Risks to ICS Detailed Risks in ICS How to Secure an ICS Attack Primer Case Studies - 2 -

3 A Simple Control System Sensor(s) + Actuator(s) + Controller(s) - 3 -

4 Breadth of ICS Supervisory Control And Data Acquisition (SCADA) Process Control Systems (PCS) Distributed Control Systems (DCS) Manufacturing Execution Systems (MES) - 4 -

5 Control Systems in a Power Grid SCADA HAN - 5 -

6 Historical ICS Proprietary Complete vertical solutions Custom Specialized communications Wired, fiber, microwave, dialup, serial, licensed spectrum, etc. 100s of different protocols Slow; e.g baud Long service lifetimes: years Not designed with security in mind - 6 -

7 Modern ICS Internet Enterprise Network Services Firewall Workplaces IP Enterprise Optimization Suite Enterprise Network Third Party Application Server Mobile Operator Network Connectivity Server Historian Server Application Server Engineering Workplace Control Network Serial, OPC or Fieldbus Device Network Redundant Third Party Controllers, Servers, etc

8 Security Risks to Modern ICS COTS + IP + Connectivity = Many Security Risks Poor separation from enterprise No security monitoring Poorly secured 3 rd party access Dialup modems Unpatched systems Limited use of anti-virus Limited use of host-based firewalls Improper use of ICS workstations Unauthorized applications Unnecessary applications Open FTP, Telnet, SNMP, HTML ports Fragile control devices Network scans by IT staff Legacy OSes and applications Inability to limit access Inability to revoke access quickly Unexamined system logs Accidental misconfiguration Improperly secured devices Lack of security features Improperly secured wireless Unencrypted links to remote sites Passwords sent in clear text Password management problems Default OS security configurations Unpatched routers / switches - 8 -

9 Consequences Loss of production Penalties Lawsuits Loss of public trust Loss of market value Physical damage Environmental damage Injury Loss of life Bellingham pipeline rupture, 1999 Queensland sewage release, 2000 Davis Besse nuclear plant infection, 2003 Northeast USA blackout, 2003 Browns Ferry nuclear plant scram, 2006 Stuxnet, 2010 Saudi Aramco, 2012 Ukrainian Energy Co s, BE3,

10 A Few More

11 A Few More

12 A Few More

13 Security Issues in a Control System

14 Availability, Integrity & Confidentiality Enterprise networks require C-I-A Confidentiality of intellectual property matters most ICS requires A-I-C Availability and integrity of control matters most control data has low entropy little need for confidentiality Many ICS vendors provide six 9 s of availability typical networking gear is five 9 s Ensuring availability is hard Cryptography does not help DDOS protection, resource management, QoS, redundancy, robust hardware with high MTBF

15 Poor Separation from Enterprise and poorly secured 3 rd party connections

16 Attack Vectors into Control Systems

17 Brittle ICS Devices Many IP stack implementations are fragile Some devices lockup on ping sweep or NMAP scan Numerous incidents of ICS shut down by uninformed IT staff running a well-intentioned vulnerability scan Modern ICS devices are much more complex PLCs include web server for config and status More lines of code leads to more bugs PLCs require patching just like servers

18 Unpatched Systems Many ICS systems are not patched to current Particularly Windows servers No patches available for older versions of windows OS and application patches can break ICS Uncertified patches can invalidate warranty Patching often requires server reboot Before installation of a patch: Vendor certification - typically a week Lab testing by operator Staged deployment on less critical systems first Avoid interrupting any critical process phases

19 No Anti-Virus AV operations can cause significant system disruption at inopportune times 2am is no better than any other time for a full disk scan on a system that operates 24x7 ICS vendors only beginning to support AV AV is only as good as the signature set Signatures may require testing just like patches

20 Poor Authentication & Authorization Machine-to-machine comms involve no user Many ICS have poor authentication mechanisms and very limited authorization mechanisms Many protocols use cleartext passwords Many ICS devices lack encryption support Device passwords are hard to manage appropriately Often one password is shared amongst all devices and users Passwords seldom if ever changed

21 Poor Audit and Logging Many ICS have poor or non-existent support for logging security-related actions Attempted or successful intrusions may go unnoticed When IDS logs are kept, they are often not reviewed Various regulatory requirements are driving some change in this area NERC North American Electric Reliability Corporation FERC Federal Energy Regulatory Commission

22 Unmanned Field Sites Many unmanned field sites Some with high-speed connectivity to control center Most with poor authentication and authorization Many with dialup or other telephony access Can be an easy backdoor to the control center

23 Legacy Equipment Usually impossible to update to add security features Difficult to protect legacy communications

24 Unauthorized Applications Unauthorized apps installed on ICS systems can interfere with ICS operation Many types of unauthorized apps have been found during security audits Instant messaging P2P file sharing DVD and MPEG video players Games, including Internet-based Web browsers

25 Inappropriate Use of ICS Systems Web browsing from HMI can infect ICS Browser vulnerabilities Downloads Cross-site scripting Spyware to/from control servers can infect ICS Sendmail and outlook vulnerabilities Disk storage exhaustion can crash OS Storage of music, videos

26 Requirement for 3rd Party Access Firmware updates and system programming are frequently done by vendor Many ICS have open maintenance ports Infected vendor laptops can bring down ICS

27 People Risks ICS network often managed by Operations Department, distinct from IT Department running enterprise network ICS personnel are not IT or networking experts IT personnel are not ICS experts Significant fraction of control systems workforce is older and nearing retirement Few young people entering this field Few academic programs

28 Limited Cyber Incident Data BCIT reports ~30 incidents per year vs. hundreds of thousands per year in CERT database Few ICS cyber attack incident details are public National Electric Sector Cybersecurity Organization (NESCO) runs a controlled sharing portal Executive orders - increased info sharing; creation of ISACs Difficult to estimate risk and show ROI for security But lots of data about significant financial losses in enterprise and e-commerce why would ICS be immune?

29 Other Challenges Extreme environments Unusual physical and geographical topologies Many special purpose, limited function devices Static network configurations Multicast Long service lifetimes Difficulties in scheduling downtime for maintenance

30 Adversaries Script kiddies Hackers Organized crime Disgruntled insiders Competitors Terrorists Hactivists Eco-terrorists Nation states Nations

31 How to Secure Control Systems?

32 Defense in Depth Perimeter Protection Firewall, IPS, VPN, AV Host IDS, Host AV DMZ Interior Security Firewall, VPN, AV Host IDS, Host AV Application Whitelisting NAC Monitoring Host & Network IDS Port & Vulner. Scanning Management IDS IPS DMZ VPN AV NAC Intrusion Detection System Intrusion Prevention System DeMilitarized Zone Virtual Private Network Anti-Virus (anti-malware) Network Access Control

33 A More Complete List Firewalls SPAM filters Pop-up Blockers Protocol Filters Virus Scanning (Is it dead? No!) Server, Desktop, Laptop, Tablets, other Intrusion Detection Systems Intrusion Prevention Systems Network Monitoring Data Encryption Remote Connection Gateway/Monitoring Updates/Patching/Service Packs/IOS Upgrades Training Cyber Insurance?

34 50,000 Foot View Internet IT Stuff Enterprise Network IDS FW VPN FW Proxy AV IPS Host IPS Host AV Control Network Host IDS Host AV Scan FW IPS Partner Site VPN IDS FW Field Site AV Field Site Scan Field Site

35 Cyber Security Assessments on ICS Various groups perform security assessments and penetration tests on ICS (generally under NDA) They always get in Not a question of if, but how long Types include white-box, grey-box and black-box penetration tests

36 Defending Utility Networks Separate control network from enterprise network Harden perimeter connection to enterprise network Protect all points of entry with strong authentication Make reconnaissance difficult from outside Harden interior of control network Make reconnaissance difficult from inside Limit single points of vulnerability Frustrate opportunities to expand a compromise Harden field sites and partner connections Monitor security events from perimeters and inside Monitor server and network behavior Periodically scan for changes in security posture

37 Control DMZ Architecture Enterprise Network has typical business systems , web, office apps, etc. Control DMZ provides business connectivity Contains only non-critical systems that provide connectivity between Control and Enterprise Networks Enforces separation between Enterprise and Control Networks May consist of multiple functional zones Separated by Firewall, IPS, Anti-Virus, etc. Control Network demarcates critical control systems May consist of multiple functional zones Internally protected by Firewall, IDS, Anti-Virus, etc

38 Control DMZ Design Principles Multiple functional security zones Traffic between zones undergoes firewall & IPS Only path in/out of Control Network Default deny for all firewall interfaces No/Minimal direct traffic across DMZ No common ports between outside & inside No control traffic to outside Highly limited outbound traffic No connections initiated from DMZ into Control Emergency disconnect at inside or outside No network management from outside

39 Field Site Protection Site-to-site VPN or SCADA VPN to field sites Firewall at both control center and field sites For IP-enabled sites with LANS IDS at field sites network access control at field sites port scanning server monitoring network monitoring

40 Anatomy of an Attack on an ICS - Confidential -

41 Threat Model Targeted and untargeted threats Targeted: human, specifically crafted worm/virus, botnet Untargeted: generic worm/virus, script kiddy Assume adversary has: Complete knowledge of network Beachhead in enterprise network Limited access to control network Limited physical access to field equipment

42 Anatomy of an Attack 1st Phase PLC PLC Engineering Workstation Management Console HMI Initiated by Phishing, Spear-phishing or BF attack RTU SCADA Control System Network Data Historian Server Web Server Communication Pool Vendor Web Server Enterprise Firewall Web Server Firewall Enterprise Network Internet Business Workstation Database Server Domain Name Server (DNS) Attacker

43 Anatomy of an Attack 2nd Phase PLC PLC Engineering Workstation Management Console HMI RTU SCADA Control System Network Data Historian Server Web Server Communication Pool Vendor Web Server Enterprise Firewall Web Server Firewall Enterprise Network Internet Business Workstation Database Server Domain Name Server (DNS) Attacker

44 Anatomy of an Attack 2nd Phase (Alt.) PLC PLC Engineering Workstation Management Console HMI Initiated by Flash Drive, Infected laptop, Internet D/L RTU SCADA Control System Network Data Historian Server Web Server Communication Pool Vendor Web Server Enterprise Firewall Web Server Firewall Enterprise Network Internet Business Workstation Database Server Domain Name Server (DNS) Attacker

45 Anatomy of an Attack 3rd Phase PLC PLC Engineering Workstation Management Console HMI RTU SCADA Control System Network Data Historian Server Web Server Communication Pool Vendor Web Server enterprise Firewall Web Server Firewall Enterprise Network Internet Business Workstation Database Server Domain Name Server (DNS) Attacker

46 Anatomy of an Attack 4th Phase PLC PLC Engineering Workstation Management Console HMI RTU SCADA Control System Network Data Historian Server Web Server Communication Pool Vendor Web Server enterprise Firewall Web Server Firewall Enterprise Network Internet Business Workstation Database Server Domain Name Server (DNS) Attacker

47 Anatomy of an Attack 5th Phase PLC PLC Engineering Workstation Management Console HMI RTU FEP Control System Network Data Historian Server Web Server Communication Pool Vendor Web Server enterprise Firewall Web Server Firewall Enterprise Network Internet Business Workstation Database Server Domain Name Server (DNS) Attacker

48 Anatomy of an Attack 5th Phase (Alt.) PLC PLC Engineering Workstation Management Console HMI Initiated by Flash Drive, Infected laptop, Internet D/L on Control Network RTU SCADA Control System Network Data Historian Server Web Server Communication Pool Vendor Web Server enterprise Firewall Web Server Firewall Enterprise Network Internet Business Workstation Database Server Domain Name Server (DNS) Attacker

49 Anatomy of an Attack 6th Phase PLC PLC RTU SCADA Engineering Workstation Control System Network Management Console HMI Data Historian Server Web Server Communication Pool Vendor Web Server enterprise Firewall Web Server Firewall Enterprise Network Internet Business Workstation Database Server Domain Name Server (DNS) Attacker

50 Anatomy of an Attack 7th Phase PLC PLC Engineering Workstation Management Console HMI RTU SCADA Control System Network Data Historian Server Web Server Communication Pool Vendor Web Server enterprise Firewall Web Server Firewall Enterprise Network Internet Business Workstation Database Server Domain Name Server (DNS) Attacker

51 Anatomy of an Attack 8th Phase PLC PLC Engineering Workstation Management Console HMI RTU SCADA Control System Network Data Historian Server Web Server Communication Pool Vendor Web Server enterprise Firewall Web Server Firewall Enterprise Network Internet Business Workstation Database Server Domain Name Server (DNS) Command and Control

52 Case Study #1-52 -

53 Case Study #2-53 -

54 Case Study #3-54 -

55 - 55 -