Alternatives to Patching for more Secure and Reliable Control Systems

Transcription

1

2 Alternatives to Patching for more Secure and Reliable Control Systems Eric Byres, P.Eng., ISA Fellow Chief Technology Officer Tofino Security, a Belden Brand

3 The New World of Security For the past 30 years, Industrial Control System (ICS) products were designed for: Safety Reliability Efficiency Ease-of-use Security was not a design consideration: Protocols are not secure User processes not secure Underlying subsystems not secure

4 US ICS-CERT Security Advisories Prior to Stuxnet: 5 security advisories 3 vendors involved 2011: 176 publicly disclosed vulnerabilities 39 vendors involved 2012: 238 vulnerabilities 2013: 176 vulnerabilities 40% of disclosed vulnerabilities included working attack code

5 IT Approach to Vulnerabilities In the IT world we can scan for vulnerabilities on the network. Or our vendor announces that a vulnerability has been discovered Then we patch

6 Let s Scan for Vulnerabilities! EU gas utility hired a security company to conduct penetration testing on their corporate IT network Consultant ventured into SCADA network Penetration tool locked up SCADA system Gas utility was not able to send gas through its pipelines for four hours.

7 Then Let s Go Patch! Vulnerabilities are addressed in commercial IT world with a constant patch cycle Example: Adobe Reader patches in under 4 years!

8 How Many Patches Does ICS Need? PCN in US refinery studied in Fall Computers on PCN (good data for only 78) 272 distinct processes 48 processes had entries in NVD 5,455 published vulnerabilities found 2,284 vulnerabilities after patching of O/Ss

9 How Many Patches Does ICS Need? What about ICS applications not in NVD? Est. 60,181 Kilo Lines of Code (KLOC) of non- NVD/non-OS code per PC Vulnerability/KLOC ratio (0.03%) used to estimate residual vulnerabilities for ICS applications not listed in the NVD Estimated average of 1806 undiscovered vulnerabilities per control system computer

10 Impact of Patches 14.8% -24.4% of fixes for OS post-release bugs are incorrect and have impacts to end users 1 43% of the incorrect fixes resultedin crashes, hangs, data corruption or security problems 1 ZuoningYin, et al, How Do Fixes Become Bugs? --A Comprehensive Characteristic Study on Incorrect Fixes in Commercial and Open Source Operating Systems; 19th ACM SIGSOFT, September 2011.

11 Impact of Patches Faulty patches may: Fail to properly resolve the vulnerabilities Break functionality that was present in previous versions Good patches may: Require shutdown and restart of process Remove functionality previously relied on Require staff with special skills to be present

12 Patching For Slammer Vulnerability Major oil company with numerous production platforms in Gulf of Mexico MS released July company started roll-out Issues with server restart required Windows expert to be present Experts not certified for platform access Slammer hits 6 months later few systems patched

13 How Fast Can You Really Patch? 1 cycle = 34 working days 1. Central Test Platforms Devices of low regulatory impact Allows time for change control and scheduling Relies on success of previous waves, not on testing Responses by exception 4 days 34 Days between 2. Critical & Control Group decision Critical to 4 days Sample patch clients & and infrastructure servers (0.5%) completion of patches Mainly devices of high regulatory or safety impact Otherwise as for waves 3 & 4 Rapid deployment Formal responses gathered 3. Early Adopters 6 days 4. Mainstream 10 days 5. Late Adopters Validated servers High risk devices 10 days Source: Joakim Moby, Astra-Zeneca, ISA Expo 2006

14 ICS Vendor #1 Patching Case History Internal testing revealed security vulnerabilities in mission critical SIS product Embedded OS supplied by 3 rd party OS vendor refused to address vulnerabilities No patches possible

15 Tofino Patch Release Case History Tofino version 1.6 was released on Sept 23, 2010 Addressed security and performance issues Upgrade was offered to all users No charge if downloadedin 30 days (installation optional) All were contacted via multiple s Repeated offer for 30 days due to low initial acceptance Only 30% downloaded the free upgrade

16 Bad News About Patches for ICS Continuous patching will not work for ICS Vendor: Product QA requirements delay release No reasonable patch possible Patch impact on other functions End User: Downtime concerns Possible patch impact on operations or safety Legacy product support Manpower limitations

17 Avoiding the Patch Treadmill

18 Mitigations/Compensating Controls Consider mitigations (aka compensating controls) in addition to (or instead of) patches Widely used in large telco/enterprise operations VxWorks PLC module example

19 Benefits of Compensating Controls Independent of product development Less impact on product functionality Less QA, faster release Lower customer resistance Allows support of legacy product

20 Possible Compensating Controls Product Reconfiguration e.g. Disable the HTTP port Suggested Firewall Rules e.g. Block all HTTP traffic Suggested IDS Rules/Signatures e.g. Default Password Detection Signatures White listing the network traffic with Deep Packet Inspection

21 Requirements for Success Low Impact on Reliability and Safety Any solution that impacts process reliability or safety will be rejected by the end user Any solution must be simple: "We have to make this [security] something a plant superintendent, engineer, or senior operator can do in their spare time, or it will flop. End Users to the ISA-99 Security Committee

22 Fixed Configuration Firewalls Have fixed rule sets to match product and vulnerability requirements Example: Allow FTP/Modbus/SNMP Traps Deny all other protocols Benefits Trivial for customer to install Can be installed in live system Simple QA cycle in factory Upgradeable to address new threats

23 Example: Honeywell Safety System Firewall Need to protect safety instrumented systems No user configuration Security Requirements: Allow data to be read from system but not written (Read-only Firewall) Must provide sanity check of SCADA application protocols Configuration locked to SIS rule set New factory tested rule configurations can be field loaded Honeywell Modbus Read-only Firewall for SIS

24 Firewall Product Templates Templates with predefined rules can be created for specific control products. PLC Protection Template Can be released independently of product release

25 Securing Pipeline Compressor Controls Compressor packages are high risk systems BUT monitoring of platforms is critical Risk of rogue insiders and unpatched vulnerabilities (even with VPN)

26 Read-only Controller Firewall DPI firewall inspects each EtherNet/IP message to ensure only data-read commands are allowed to the turbine controllers

27 Future: Dynamically Loaded Firewall Rule sets loaded to field based on real-time events

28 Final Thoughts Control systems are hard to patch Patching is important but must be managed Security fixes must be separate from product fixes Any security solution must be: Simple for the end-user to deploy Separate from ICS product QA cycle Provably safe to the customer Upgradable in the field Reversible if thing go wrong

29 Questions?

30 Kuwait Industrial Automation & Control Systems Cyber Security Conference May 2014 thank you