ATS 2017 June 8. Do you need security incidents to come to a good design of your industrial automation network?

Size: px

Start display at page:

Download "ATS 2017 June 8. Do you need security incidents to come to a good design of your industrial automation network?"

Sheena Charles
5 years ago
Views:

1 Management of Security Vulnerabilities in Industrial Networks Do you need security incidents to come to a good design of your industrial automation network? Ing. Tijl Deneut Project assistant Industrial Security Lecturer Howest

2 Management of Security Vulnerabilities in Industrial Networks Industrial Security Center 2

3 Lessons Learned Within our security project, we had a lot of ICS factories and companies asking our help. Lessons Learned From Troubleshooting REAL companies 3

4 FicTile We Fake Your Tiles!

5 Management of Security Vulnerabilities in Industrial Networks FicTile Tijl Deneut IT Manager

6 Management of Security Vulnerabilities in Industrial Networks Enable remote monitoring by connecting industrial equipment to the company network Operations Manager

7 Enable Remote Monitoring of Industrial Equipment Office / datacenter ( /16) Presses Furnace Dosing equipment / / /16

8 Encountered in Real Life, three major kinds of problems 1. Non-human, accidental issues And how FicTile solved it 2. Human on the job, accidental issues And how FicTile solved it 3. Human recreational, accidental issues And how FicTile solved it

9 Scenario 1 Please help: PLC of dosing equipment goes into stop mode every day at 4 AM Tijl Deneut IT Manager

10 PLC of the dosing equipment continuously goes in stop mode Office / datacenter ( /16) TCP-broadcasts Big TCP Window Presses Furnace Dosing equipment / / /16

11 Solution : Buy a new type of router that filters out these types of broadcasts Office / datacenter ( /16) TCP-broadcasts Big TCP Window Presses Furnace Dosing equipment / / /16

12 Scenario 2 Please help: Dosing equipment mysteriously goes into error and can not be restarted Tijl Deneut IT Manager

0.0 /16) PLC program downloaded to PLC in wrong hall

13 Dosing equipment mysteriously goes into error PRES-1 Office / datacenter ( /16) PLC program downloaded to PLC in wrong hall Presses Furnace Dosing equipment / / /16

14 Solution : Organizeatrainingtocreate awareness forplcprogrammers PRES-1 Office / datacenter ( /16) OT training to create awareness Presses Furnace Dosing equipment / / /16

15 Scenario 3 Please help: USB stick causes a complete shutdown of production Tijl Deneut IT Manager

0.0 /16) Presses Furnace Dosing equipment

16 Thumb drive causes a complete shutdown of production Office / datacenter ( /16) Presses Furnace Dosing equipment / / /16

17 Solution : Installanew andexpensive Antivirus programonthelaptop Antivirus installation Office / datacenter ( /16) Presses Furnace Dosing equipment / / /16

18 ATS 2017 June 8 Intermezzo: recentmalware calledwannacrypt(orwannacry)

19 The Real Problem? The so-called flat network o One broadcast domain o The differences in IP addresses are only on paper o Each equipment has a direct connection with any other equipment o No opportunity for segmentation in zones or areas o No control on network traffic An untrusted network! - Not safe: bad configurations or errors have an influence on the whole network - Not secure: illegitimate access is not manageable

20 The (starting) solution? Solution: network segmentation Ideal Solution: Use of VLANs (Physical subdivision on switch) - Configure traffic control on one location - Broadcast traffic is limited to VLAN - Switches have to support this (managed switches) - Needs to be thought through in advance, if necessary change subnetmask

21 Configuring VLANs Office / datacenter ( /16) Presses Furnace Dosing equipment / / /16

22 Configuring VLANs, example (maybe requires extra cables) Office / datacenter ( /24) TRUNK VLAN ID 1000 VLAN ID 2000 VLAN ID 3000 Presses Furnace Dosing equipment /24 (ID 1000) /24 (ID 2000) /24 (ID 3000)

23 The other upside: Real Life Statistics We assistedsomecompaniesto makethismigration,we havesomepreandpoststatistics Verycommonin *all*ofthesecompanies:redundanttraffic

24 And am I safe then? Safer, but not secure! Hacker damage... Tijl Deneut IT Manager

25 Hacking Industrial Networks So what can a hacker do on your network? Using traditional protocols in new ways Example demonstration: scanning and hacking using the Profinet Discovery Protocol (DCP) -> Solution: Network Segmentation

26 Let s get into the Hacker Mindset What does a hacker have at his disposal? The internet! shodan.io Shodan ICS Radar

27 HTTP or HTTPS? HyperText Transport Protocol is the uniform protocol used by almost every website However, HTTP is insecure All data transferred using HTTP is clearly readable by listeners A solution for this could be HTTPS, where the S stands for Secure A good tool to verify this is, Wireshark

28 A fairly known and commonly used protocol: RDP Technique for taking over a Windows PC remotely Client is present on every Windows version since XP (mstsc.exe) Supports a lot of features: Copy-Paste, File System & Audio Redirection, Printer & Port Redirection

29 Remote Desktop Protocol vulnerability Without getting to technical: Remote Desktop can be sniffed Example demonstration: Sniffing RDP Solution1: Enable NLA Solution2: Encryption

network Attacker at remote network WORK Internet

30 Remote access Theoretically and ideally Sensitive PC at work Manager at a hotel Attacker at local network Attacker at remote network WORK Internet VPN Connection HOTEL Sensitive PC at work Manager at a hotel

Some remote access guidelines Use a VPN solution, there are many options here, not all of them equally secure Use a Jump Station, don t allow third parties unlimited access to your

31 Some remote access guidelines Use a VPN solution, there are many options here, not all of them equally secure Use a Jump Station, don t allow third parties unlimited access to your network WORK Internet VPN Connection HOTEL NON-Sensitive PC at work (VM) Up-to-date AV - RDP client - refreshed each night Sensitive PC at work Manager at a hotel

Industrial Security The Siemens Solution Physical access protection to the plant and critical systems Security management and policies Security services for protection of a plant's entire lifecycle

32 Industrial Security The Siemens Solution Physical access protection to the plant and critical systems Security management and policies Security services for protection of a plant's entire lifecycle Secure remote access to the plant via the Internet or mobile networks Protection of the plant / machine network through segmentation Secured communication Protection of system integrity through integrated functions Access protection and rights management Restricted Siemens AG 2017 Seite 34 June 8, 2017

Industrial Security SIMATIC S7-1500 and the TIA Portal Security Highlights The SIMATIC S7-1500 and

Protection of intellectual property and effective investment Increased Copy Protection Protection

(Authentication) Extensive protection against unauthorized project changes Via Security CP1543-1

protection against unauthorized project changes Increased Protection against Manipulation

33 Industrial Security SIMATIC S and the TIA Portal Security Highlights The SIMATIC S and the TIA Portal provide several security features: Increased Know-How Protection in STEP 7 Protection of intellectual property and effective investment Increased Copy Protection Protection against unauthorized reproduction of executable programs Increased Access Protection (Authentication) Extensive protection against unauthorized project changes Via Security CP by means of integrated firewall and VPN communication Expanded Access Protection Extensive protection against unauthorized project changes Increased Protection against Manipulation Protection of communication against unauthorized manipulation for high plant availability Restricted Siemens AG 2017 Seite 35 June 8, 2017

34 Industrial Security VLAN - Portfolio Switch Graphic Areas of application XB-200 For setting up line, star and ring structures For PROFINET and EtherNet/IP applications Compact and small dimensions XC-200 XP-200 X-300 Extended temperature range from -40 C to +70 C Gigabit-capable, can be equipped with SFPs, PROFINET and EtherNet/IP Certifications for trackside railway applications, marine applications 1) Additional FW functionalities: Fiber monitoring, VLANs, HRP standby High degree of protection (IP65/67) for use outside of the control cabinet and in extreme ambient conditions from -40 C to +70 C PROFINET, EtherNet/IP applications with up to 1 Gbit/s and IEEE 802.3at Type 2 (max. 120 W) Certifications for railway, motor vehicles, marine applications For high-performance plant networks VLANs, Gigabit, Power-over-Ethernet (PoE) Flexibility with different media modules XM400 XR500 Restricted Siemens AG 2017 Seite 36 June 8, 2017 Layer 3 routing Combo ports Expandable up to 24 ports NFC Modular Up to 52 ports 10 Gbit

35 Industrial Security Cell Protection with Security Communication Processor Restricted Siemens AG 2017 Seite 37 June 8, 2017

36 Industrial Security Cell Protection with Communication Processor - Portfolio Cell segmentation S S7-300/S7-400 ET200 SP CPU PC CM CP 343-1/CP443-1 CP 1542SP-1 CP 1616/ 1612/ 1613/ 1623/ 1626 Cell Protection S S S7-300/S7-400 ET200 SP CPU PC CM CP CP 343-1/CP443-1 Advanced CP 1543SP-1 CP 1628 Restricted Siemens AG 2017 Seite 39 June 8, 2017

Industrial Security Cell Protection and remote access with SCALANCE S Task For risk minimization, a large automation network is to be segmented into several safety-technical areas.

Solution BILD Individual segments are secured with a SCALANCE S variant which controls access to the lower-level segment by means of a firewall.

37 Industrial Security Cell Protection and remote access with SCALANCE S Task For risk minimization, a large automation network is to be segmented into several safety-technical areas. The individual segments are subject to different requirements. Solution BILD Individual segments are secured with a SCALANCE S variant which controls access to the lower-level segment by means of a firewall. An S602 is placed upstream a segment and is also able to take on the identity of a lower-level device by means of the GHOST method, e.g. robot control. An S612 is placed upstream a segment and is also able to protect communication from and to this segment by means of VPN. An S615 is placed upstream a segment and is able to secure multiple further lower-level cells by means of VLAN. An S623 separates the automation network from the office network and facilitates data exchange between these networks via DMZ without requiring direct access. An S627-2M is placed upstream a lower-level ring (FO or Cu) and controls data communication. If required, a second S627-2M can be placed in standby mode in a redundant manner in order to increase availability in case of fault. Restricted Siemens AG 2017 Seite 40 June 8, 2017

Industrial Security Remote access with Sinema Remote Connect Task Remote access to special machines and sensitive areas Solution Central management of the machines and service technicians in SINEMA

38 Industrial Security Remote access with Sinema Remote Connect Task Remote access to special machines and sensitive areas Solution Central management of the machines and service technicians in SINEMA RC Assignment and management of user rights and access rights Logging access Benefits High transparency and security Avoidance of errors with unique assignment of the possessors of know-how to the relevant plant sections Transparent IP communication SINEMA RC example of a configuration: Remote service for special machine building Restricted Siemens AG 2017 Seite 43 June 8, 2017

39 Industrial Security First Vendor with Certification on Achilles Level 2 Certified CPUs LOGO! S7-300 PN/DP S7-400 PN/DP S PN/DP S S7-400 HF CPU V6.0 S H Certified CPs CP343-1 Advanced CP443-1 & Advanced CP CP CP1628 Certified DP ET 200 PN/DP CPUs ET 200SP PN CPUs Certified Firewalls SCALANCE S602, S612, S623, S627-2M + Protection against DoS attacks + Defined behavior in case of attack Improved Availability IP Protection International Standard Restricted Siemens AG 2017 Seite 45 June 8, 2017

40 Industrial Security Cyber Emergency Readiness Team Restricted Siemens AG 2017 Seite 46 June 8, 2017

41 Industrial Security Siemens Security Services The Siemens security concept Defense in Depth Siemens products and systems offer integrated security Know how and copy protection Authentication and user management Firewall and VPN (Virtual Private Network) System hardening Siemens Plant Security Services Assess Security Implement Security Manage Security Restricted Siemens AG 2017 Seite 48 June 8, 2017

42 Assess Security How do we figure out which assessment we need in each case? Would I like to have a quick ISO check against the Assessment best known security standard? Do I have a close to 100% SIMATIC PCS 7 SIMATIC PCS 7 & installation? Or do I WinCC have an heterogeneous Assessment environment? Would I like to have a quick check against the IEC best known security standard Assessment for Industrial Control Systems? Or do I rather get a deep, time intensive analysis of my industrial Assessment environment, including data collection? Risk & Vulnerability Which assessment do I need? Restricted Siemens AG 2017 Seite Page 49 June 8, 2017

IEC 62443 Assessment Identify security gaps and define measures to mitigate risks Assessment of compliance to IEC 62443 international standard (Industrial communication

measurement and control Network and system security Available for Siemens and third party systems 2 days on-site Coordinated by a security consultant and a security engineer

43 IEC Assessment Identify security gaps and define measures to mitigate risks Assessment of compliance to IEC international standard (Industrial communication networks Network and system security) Focus on parts 2-1 Establishing an industrial automation and control system security program and 3-3 Security for industrial process measurement and control Network and system security Available for Siemens and third party systems 2 days on-site Coordinated by a security consultant and a security engineer Questionnaire-based checklist to identify and classify risks Up to 30 pages report containing recommendations for risk mitigation measures Restricted Siemens AG 2017 Seite Page 52 June 8, 2017

ISO 27001 Assessment Identify security gaps and define measures to mitigate risks Quick assessment of plant security according to the ISO 27001 international standard (Information Security

questionnaire-based checklist: 1 day on-site Coordinated by a security consultant and a security engineer Typical attendants: Management and customer s responsible for production, IT security and

44 ISO Assessment Identify security gaps and define measures to mitigate risks Quick assessment of plant security according to the ISO international standard (Information Security Management) Onsite workshop incl. questionnaire-based checklist: 1 day on-site Coordinated by a security consultant and a security engineer Typical attendants: Management and customer s responsible for production, IT security and physical security, maintenance staff, engineering staff, Offline evaluation of the results: Analysis, risk identification and classification, definition of risk mitigation measures and prioritization of actions (based on cost/benefit scenario) Up to 30 pages report containing recommendations for risk mitigation measures Restricted Siemens AG 2017 Seite Page 53 June 8, 2017

SIMATIC PCS 7 & WinCC Assessment Identify security gaps and define measures to mitigate risks Quick assessment of the SIMATIC PCS 7 & WinCC installation Onsite workshop incl.

45 SIMATIC PCS 7 & WinCC Assessment Identify security gaps and define measures to mitigate risks Quick assessment of the SIMATIC PCS 7 & WinCC installation Onsite workshop incl. questionnaire-based checklist: 1 day on-site Coordinated by a SIMATIC PCS 7 & WinCC security consultant Typical attendants: Customer s responsible for production, IT security and physical security, maintenance staff, engineering staff, Offline analysis of the results: Risk identification and classification and definition of risk mitigation Up to 30 pages report containing recommendations for risk mitigation measures Restricted Siemens AG 2017 Seite Page 54 June 8, 2017

Risk & Vulnerability Assessment Identify, classify and evaluate risks for a risk-based security program People We evaluate security awareness, security-related skills and knowledge Technology We

46 Risk & Vulnerability Assessment Identify, classify and evaluate risks for a risk-based security program People We evaluate security awareness, security-related skills and knowledge Technology We collect installed base data and system architecture to perform a vulnerability assessment on Industrial Control Systems We evaluate the current security risk situation of the production networks and systems Processes We assess the maturity of organizational processes and work instructions as they apply to the security of Industrial Control Systems We perform a gap analysis based upon standards, best practices and existing policies We check if the current policies and work instructions are adequate to protect the plant against the latest and emerging threats Restricted Siemens AG 2017 Seite 55 June 8, 2017

Risk & Vulnerability Assessment Identify, classify and evaluate risks for a risk-based security program Report including: Project documentation: Scope description Current network topology Current

47 Risk & Vulnerability Assessment Identify, classify and evaluate risks for a risk-based security program Report including: Project documentation: Scope description Current network topology Current system architecture Risk analysis and scoring methodology Findings: Network topology analysis results Installed Base data analysis results System criticality results (likelihood and business impact) Risk level including risk scoring Training needs Risk mitigation measures for each finding Management presentation as a first step to establish a security roadmap Restricted Siemens AG 2017 Seite Page 56 June 8, 2017

48 Implement Security to mitigate risks Security Awareness Training Knowledge transfer to secure the "weakest link" SITRAIN training Web-based, one-hour training Generate security awareness for the staff: Introduce current threat landscape, describe how to handle risks and help identifying security incidents Security Policy Consulting Establish standard practice in industrial control system (ICS) security Establish new or review and enhance existing policies, processes, procedures and work instructions which influence security in the shop-floor Integration with enterprise cyber security practice Examples: Patch and backup strategy, handling of removable media, Network Security Consulting Support on secured network design and setup Cell segmentation in security cells support based on IEC standard and SIMATIC PCS 7 & WinCC security concept Design and planning of a perimeter protection network: DMZ network (Demilitarized) Perimeter firewall rule establishment / review and implementation Restricted Siemens AG 2017 Seite 57 June 8, 2017

49 Implement Security to mitigate risks Perimeter Firewall Installation First line of defense against highly developed threats Based on Automation Firewall Appliance Installation, configuration, commissioning and test of firewall system and traffic rules Configuration backup Consideration of customer-specific applications (e.g. fine-tuning of intrusion detection / prevention system (IDS/IPS)) Clean Slate Validation Validate clean-slate status of environment Identification of security gaps thanks to virus scanning with two different scan engines Use of McAfee Command Line Scanner and Kaspersky Rescue Disk No installations required: Use of USB stick and Command Lines Anti Virus Installation Restricted Siemens AG 2017 Seite 58 June 8, 2017 Virus protection solution for malware detection and prevention Installation and configuration of virus protection software (McAfee Virusscan Enterprise Agents) Installation of the McAfee epo* central management console recommended when more than 10 anti-virus agents installed Compatibility consideration for SIMATIC PCS 7 Systems * epolicy Orchestrator

50 Implement Security to mitigate risks Whitelisting Installation Application control solution for malware detection and prevention Installation of whitelisting software (McAfee Application Control) Installation of the McAfee epo* central management console recommended when more than 10 whitelisting agents installed Compatibility consideration for SIMATIC PCS 7 Systems * epolicy Orchestrator System Backup Industrial control system backup Performance of one-time backup of systems in plant environment Symantec System Recovery software procured and owned by customer Windows Patch Installation Installation of Microsoft OS Patches Installation of automation vendor validated and customer approved Microsoft OS patches via customer-owned WSUS server Consideration of compatibility: Patches recommended by the supplier of automation technology AND authorized by the customer Restricted Siemens AG 2017 Seite 59 June 8, 2017

51 Industrial Security If you want to work secure Work with Restricted Siemens AG 2017 Seite 60 June 8, 2017

Industrial Security - Protecting productivity. Industrial Security in Pharmaanlagen

Industrial Security - Protecting productivity. Industrial Security in Pharmaanlagen - Protecting productivity Industrial Security in Pharmaanlagen siemens.com/industrialsecurity Security Trends Globally we are seeing more network connections than ever before Trends Impacting Security