Industrial Control Systems Providing Advanced Threat Detection

Transcription

1 Industrial Control Systems Providing Advanced Threat Detection Gene Stevens, Co-Founder & CTO, ProtectWise Richard Welch, Senior Software Engineer, ProtectWise November 2016

2 2 AGENDA Introduction Intro to Industrial Control Systems ICS Security Example Attacks Opportunities for Suricata Community Opportunities

3 3 INTRODUCTION ProtectWise provides unlimited visibility and detection of complex threats that develop over time by creating a memory for the network. Gene Stevens, Co-founder and CTO

4 4 SECURITY CHALLENGES Advanced Attacks Point Product Chaos Complex threats execute over long periods of time. Point products and alarm fatigue overwhelm the human ability to process. Average enterprise breach detection window is nearly 150 days On average 75+ point products in the modern security architecture Resource Shortage Not enough humans to manage a response, let alone hunt for threats. Less than 10% of an analyst s time is spent in proactive analysis

5 5

6 6 An Introduction to Industrial Control Systems THE NEW ATTACK SURFACE

7 7 Industrial Control Systems Terminology ICS - Industrial Control Systems SCADA - Supervisory Control and Data Acquisition PLC - Programmable Logic Controller RTU - Remote Telemetry or Terminal Unit SCADA comprised of sensors, PLCs and/or RTUs, communication infrastructure, etc

8 8 Industrial Control Systems Protocol Overview

9 9 Example Industrial Control System Protocols Modbus First developed in 1979! EtherNet/IP ( ENIP ) Yokogawa Many others!

10 10 Modbus Protocol Relatively simple, transactional protocol Command -> Response Originally developed for serial communication, later TCP And others! Every request is composed of a header ( MBAP ), followed by a payload ( PDU ) Variations on the protocol unofficially adopted to accommodate pipelining

11 11 Modbus Protocol MBAP Header Field Name Length (B) Description Transaction ID 2 Transaction ID of the current transaction Protocol ID 2 Always 0; other values are not allowed Length 2 Number of remaining bytes, including the Unit ID Unit ID 1 A way to address specific device on remote machine

12 12 Modbus Protocol PDU Present on both query and response Ex: Query: Read reg + params, Response: Read reg + value But if there was an exception in the response, different format (exception response) PDU format varies with function code, function sub code (if present) For historical reasons maximum length is 253 bytes

13 13 Modbus Protocol Attack Vectors Buffer overflows MBAP header length > 253 bytes Or doesn t agree with actual PDU PDUs containing invalid/corrupt/malicious data DOS ing, spoofing responses...

14 14 Industrial Control Systems Example Network Topologies

15 15 SCADA Network Topologies Point-to-point: Control Center Field Site Series: Control Center Field Site Field Site

16 16 SCADA Network Topologies Field Site Series-star: Control Center Field Site Field Site

17 17 SCADA Network Topologies Multi-drop: Control Center Field Site Field Site Field Site

18 18 SCADA Network Topologies Each topology has different strengths and weaknesses Cost, complexity, bandwidth are competing priorities These simple 4 topologies can be combined with redundant components (including backup control centers) And higher levels of hierarchy can be achieved with regional and primary control centers, etc

19 19 SCADA Network Topologies These networks may not look like those you are used to May not have a SPAN or TAP

20 20 ICS Security CHALLENGES AND OPPORTUNITIES

21 21 Traditional ICS Security

22 22 Traditional ICS Security The Role of the Firewall

23 23 Challenges with ICS Systems Not tooled for being on the Internet Life cycle of decades! Remote or inaccessible locations Centralized industrial environments Remote power substation Deployed with limited maintenance budgets Limited or no updates!

24 24 Challenges with ICS Systems No strong IT infrastructure Changing deployment environment, minimal support Default passwords? Low bandwidth Dial up, wireless, power line based, etc Infiltrated systems might beacon once every few months Ancient hardware Reliability mandate Often unable to remediate due to critical role

25 25 Urgency for ICS Security Critical infrastructure Power systems (transmission, distribution and generation) Water treatment facilities Dams Refineries...many other things

26 26 Urgency for ICS Security Deep vulnerability Impacts aren t trivial Could be very, very costly - in dollars and lives IT security is not well versed in OT security Both have historically different approaches Need to find common ground to succeed Newly exposed, newly weaponized

27 27 Example Attacks BE PREPARED

28 28 Example Attacks BLACK ENERGY

29 29 Opportunities for Suricata STAY AHEAD OF THE GAME

30 30 Opportunities for Suricata Today ICS Signatures Protocol awareness Centralized mgmt OT team relationship Unify enterprise + ICS

31 31 Opportunities for Suricata in the Future Signatures++ Edge analytics Distribution Learning Comprehensive time Pluggable Embeddable

32 32 Community Opportunities STAY AHEAD OF THE GAME

33 33 Community Opportunities Intel management, sharing Working groups Cooperatives, EnergySec, etc.

34 Thank You Gene Stevens Richard Welch