What I learned about Firewalls:

Transcription

1 What I learned about Firewalls: A Decade of ICS Firewall Management Standards Certification Education & Training Publishing Conferences & Exhibits Michael H. Firstenberg, GICSP, GCIH, CISSP Director of Industrial Security Waterfall Security Solutions 2016 ISA Water / Wastewater and Automatic Controls Symposium August 2-4, 2016 Orlando, Florida, USA

2 Michael H. Firstenberg Mike Firstenberg is the Director of Industrial Security for Waterfall Security. Mike brings almost two decades of experience in Industrial Control System Security, researching, designing, and implementing strategic security solutions. Mike has an established background working with government institutions, regulatory authorities, and industrial utilities. The former chair of the American Water SCADA Council, Mike studied Computer Science, Chemical Engineering, and Mathematics at the University of Pennsylvania. Mike participates actively in ISA SP99 WG1, and served on the committees that drafted the AWWA Cybersecurity Guidance and the Roadmap to Cybersecurity in the Water Sector. 2

3 Presentation Outline Challenges of Firewalls Technical issues of Firewalls The need for Compensating Controls Additional Costs Water Plant Case Study Lessons Learned 3

4 No One Wants a Firewall Finance and Accounting don t want to pay for it HR does not want to limit access IT does not want to support it Operations does not want any potential effect to reliability Leadership does not want roadblocks to productivity There will be organizational challenges to implementing a firewall. 4

5 Industrial Network Connectivity: Drivers and Risks Predictive maintenance: crew scheduling, HR integration, spare parts inventories and ordering Just-in-time manufacturing, real-time inventories, batch records, LIMS integration, production planning, SAP/ERP integration Centralized support: more effective use of skilled personnel, critical mass of current experts next decade s experts But industrial network connects to business network, which connects to Internet & other networks These connections let attackers target critical network with remote, online attacks 5

6 Technical Shortcomings Well short of secure initially The deny any any rule Order of your firewall ruleset Multiple administration services Multiple passwords A Tufin Technologies survey found that 86% of hackers believe that they can break through any firewall. 6

7 Technical Shortcomings Part 2 Software and hardware issues (e.g. code updates, loose power cables) can affect ops and business. May not be able to operate in harsher conditions of plants and need to be replaced more often Dependencies on corporate network, where SLA (Service Level Agreeements) are not as high New vulnerabilities are introduced with new software Firewalls have external dependencies which affect their capabilities. 7

8 Technical Shortcomings Part 3 All TCP connections through the firewall are bi-directional Outbound access = Inbound Command & Control? 8

9 Technical Shortcomings Part 3 All TCP connections through the firewall are bi-directional Outbound access = Inbound C&C 9

10 The Firewall is never stand-alone The firewall always requires compensating security measures In most cases, a network redesign will be necessary Need more switches Routers may be required Authentication systems bolster both the administration of the firewall and the user access through the firewall Log management infrastructure SIEM (Security Information/Event Mgmt) Firewalls require compensating controls in order to maintain appropriate security postures. 10

11 The Firewall is never stand-alone - Part 2 The firewall always requires compensating security measures Network Intrusion Detection Host-based IDS and Anti-Virus to protect the soft, chewy interior Application White-listing and other emerging technologies may be compensating measures Compensating Security Measures will require additional funding and potentially additional staff. 11

12 Expansion will be required Footprint growth (e.g. acquisitions) New facilities New strategies (e.g. not just fw between corp and ICS, also between HMI and PLC) With each new firewall comes new connections that may let attackers target critical network with remote, online attacks 12

13 Complete the Security Program Include assets in all CMMS Rigorous testing is required Be prepared for 24x7 No security technology is a silver bullet. Be prepared to implement stringent support and review processes. 13

14 Costs beyond implementation Not just the firewalls and their supporting infrastructure Refresh schedule (may include technology re-evaluation) Integration among departments (legal, HR, Engineering, Ops, IT, Audit) More staff (24x7) Possibly different staff Training and development Security Lifecycle Planning will help to minimize unexpected expenses associated with firewall deployment. Photo: Red Tiger Security 14

15 Required Attacker Skill Level Threat Spectrum: Skill vs Automation Hacktivists Anonymous Nation-State (Automated with insider support) Stuxnet Shamoon Nation-State Chinese APT (Manual) Gauss DuQu Flame Night Dragon Insiders Maroochy IT Errors and Omissions Organized Conflicker Crime Zeuss Degree of Automation 15

16 Evolution The Modern Threat Attack Type UGW Fwall 1) Phishing / drive-by-download victim pulls your attack through firewall 4 2 2) Social engineering steal a password / keystroke logger / shoulder surf 4 1 3) Compromise domain controller create ICS host or firewall account 4 2 4) Attack exposed servers SQL injection / DOS / buffer-overflows 4 2 5) Attack exposed clients compromised web svrs/ file svrs / buf-overflows 4 2 6) Session hijacking MIM / steal HTTP cookies / command injection 4 2 7) Piggy-back on VPN split tunneling / malware propagation 4 2 8) Firewall vulnerabilities bugs / zero-days / default passwd/ design vulns 4 2 9) Errors and omissions bad fwall rules/configs / IT reaches through fwalls ) Forge an IP address firewall rules are IP-based ) Bypass network perimeter cabling/ rogue wireless / dial-up ) Physical access to firewall local admin / no passwd / modify hardware ) Sneakernet removable media / untrusted laptops 1 1 Total Score: Attack Success Rate: Impossible Extremely Difficult Difficult Straight- Forward UGW Unidirectional Gateway Fwall - Firewall 16

17 Low Tech Targeted Attacks Breach Firewalls Spear phishing pulls attack through firewall Low-volume Remote Administration Tools (RATs) evade anti-virus Steal/create passwords: keystroke logger, pass-the-hash, compromise domain With passwords: explore networks, firewalls, systems at leisure IT teams have admitted they are unable to block targeted attacks at the corporate perimeter. Low-tech targeted attacks easily breach plant firewalls 17

18 Unidirectional Security Gateways Laser in TX, photocell in RX, fibre-optic cable you can send data out, but nothing can get back in to protected network TX uses 2-way protocols to gather data from protected network RX uses 2-way protocols to publish data to external network Absolute protection against online attacks from external networks Industrial Network Corporate Network Transmit Server Receive Server TX appliance RX appliance 18

19 Detroit Water Original Network Third-party-managed HA (High Availability) firewall pair for control network $10,000/month cost Control network originates connections, but traffic is bi-directional Many data sources/destinations spaghetti code data flows Firewall configuration is opaque no reviews, no alerts Internal audit flagged firewall security as unacceptable 19

20 Detroit Water Stronger Than Firewalls Deployed OSIsoft PI Server and replica: aggregate all information to be shared with business network All data is available in standard format Adding business applications or data visibility requirements is straightforward Unidirectional Gateway solution provides absolute protection from online attacks from external networks 20

21 Lessons Learned Need cross-trained staffing Flexibility is a must Communications must be open and honest Strategy cannot be unilateral Leadership buy-in is a must Regular configuration review Documentation, Documentation, Documentation It isn t just about what you do, it often depends on how you do it. 21

22 Potential Solutions Match defensive technologies to offensive capabilities Establish cross-functional teams BEFORE implementation Pick Security leadership from Engineering teams Understand that costs are not simple firewall purchases. Prepare everyone. Inventory security weakness and work to close them, using a phased approach if necessary Build in feature after feature Avoid culture shock Use all affected groups change management practices Document everything know where you are vulnerable 22