Indegy. Industrial Cyber Security. The Anatomy of an Industrial Cyber Attack

Transcription

1 Indegy Industrial Cyber Security The Anatomy of an Industrial Cyber Attack

2 Today s Presenter Eliminating Security Blindspots in SCADA and Control Networks Presented By: Dana Tamir, VP Marketing, Indegy Previously: Trusteer (IBM), Imperva, Symantec

3 What are we going to talk about today? How cyber attacks cause disruption to Industrial Control Systems Discovering malicious activity in ICS networks

4 - Confidential - The ICS/SCADA Network Day to day operations Operator reads data from sensors PLC/RTU HMI FurTemp = CurrentTemp Sensor data SCADA Operator changes process parameter Industrial Furnace HMI Request set change FurTemp to Val PLC/RTU Set FurTemp to Val SCADA Industrial Furnace FurTemp = Furnace Temperature

5 5 Cyber Attack By Changing Control Parameters Is it possible? Likely?

6 The Role of Industrial Controllers in ICS Networks HMI Request set change FurTemp to Val PLC/RTU Set FurTemp to Val Industrial Furnace SCADA FurTemp = Furnace Temperature Control Logic: If val < MAX_FurTemp set FurTemp = val Else ignore send error message Industrial Controllers are not simple proxies between HMI/SCADA and I/Os: The controller is responsible for continuous operations The controller determines if and how operational changes should be processed

7 The Role of Control-Logic in ICS Networks HMI Request set change FurTemp to 1000* MAX_FurTemp PLC/RTU SCADA Error Message! FurTemp = Furnace Temperature Control Logic: If val < MAX_FurTemp set FurTemp = Val Else ignore send error message Industrial Furnace In a properly designed system the control-logic safety thresholds will prevent the execution of unsafe operational instructions sent via HMI or SCADA applications!

8 8 Cyber Attack Targets the Controller Easy and Effective

9 The Anatomy of an Industrial Cyber Attack? Unauthorized Logic Change HMI Request set change FurTemp to Val PLC/RTU Set FurTemp to 1000*MAX_FurTemp Industrial Furnace SCADA FurTemp = Furnace Temperature Control Logic: If val < MAX_FurTemp set FurTemp = Val set FurTemp = 1000*MAX_FurTemp Else ignore Send Error Message Unauthorized changes to the control-logic can cause significant damage!

10 Understanding The Technology A PLC logical architecture Process Parameters Logic Configuration Firmware Ladder Logic 10

11 The logical architecture of the PLC Data Plane vs. Control Plane Data Plane Control Plane (includes the Management Plane) Process Parameters Logic Configuration Firmware

12 What is the Industrial Control Plane? HMI Data-Plane PLC/RTU SCADA Engineering Process Parameters: Temperatures, Pressure, RPM, etc. Control-Plane Logic Configuration Firmware Engineering Activities: Logic and Code updates, Configuration Changes, Firmware Download/Upload

13 The Industrial Control Plane The control-plane consists of engineering activities related to the management and maintenance of industrial controllers: HMI Data-Plane PLC/RTU Read/change controller state Read/change control-logic SCADA Read/change configuration settings Firmware uploads/downloads Control-Plane Logic Configuration Firmware Engineering In IT networks these activities would require special privileges! However, most ICS networks don t have authentication or encryption controls Therefore anyone with network access can execute these activities

14 - Confidential - The Control-Plane: An operational blindspot! ICS data-plane and control-plane communications use different protocols: Standard HMI and SCADA protocols are fully documented -> monitored Proprietary engineering protocols are typically undocumented -> overlooked! Reminder: In ICS networks there are No Access Controls, No Authentication, No Encryption Anyone with network access can execute these activities!

15 - Confidential - Disrupting Operations Another example Change Controller Logic??? Set valve open HMI/SCADA application PLC/RTU Valve pressure = Fake-pressure Control Logic: If pressure = MAX_P set valve = close Set valve = open Report pressure = Fake-pressure

16 Complexity Level 2nd year Industrial Engineering 16

17 Recap Controllers are the most critical part of an ICS network Unfortunately they are also its weakest link When controllers are compromised, you can no longer trust the readings and error messages Monitoring data-plane activity is not enough Control-Plane aware deep packet inspection needed 17

18 - Confidential - What s missing in SCADA and Control networks? Visibility! To assets and to control-layer changes Ask yourself: Would I Know about a change?

19 - Confidential - Indegy Industrial Cyber Security Securing Against Operational Disruptions caused by Cyber Threats, Malicious Insiders and Human Error, by providing Visibility and Control to industrial networks.

20 Visibility and Control for Industrial Networks EngWS SCADA HMI Your business is dependent on automated industrial processes. PLC/RTU Any threat to these controllers puts your business at risk. Turbines Generators Valves Pumps

21 - Confidential - The Indegy Industrial Cyber Security Platform Visibility and Control for ICS Networks Software solution, delivered as a turn-key appliance Agentless, Non intrusive Monitors ICS Network Activity Data-Plane: Process Parameters Control-Plane: Engineering Activities Captures all changes to industrial controllers Over the network or local on the physical device Authorized or unauthorized

22 Taking the first steps towards ICS security Do you know what needs to be protected? 1 Know what needs to be protected Complete ICS device inventory Detailed controller information Document current state Assess Risk to PLCs/RTUs 2 Monitor on-going activities 3 Apply policies, Get real-time alerts No reliable inventory

23 Taking the first steps towards ICS security What is happening within the OT Network? 1 Know what needs to be protected 2 Monitor on-going activities Process Variables (aka Tags) Who is active? Is anyone changing the PLC logic? Is anyone downloading Firmware? 3 Apply policies, Get real-time alerts Control operations are executed via proprietary vendor - specific implementations of the IEC standard for PLCs

24 Taking the first steps towards ICS security Can you effectively manage and respond to events? 1 Know what needs to be protected 2 Monitor on-going activities 3 Apply policies, Get real-time alerts Apply rule-based policies Get meaningful alerts Can t be accomplished without step #1 and step #2

25 The Indegy Platform Built-In Applications Dashboard Policy Enforcement Asset Management Configuration Control Real-Time Activity Monitoring Risk Analysis 3rd Party Applications and Integrations RESTful API Control Network Inspection (CNI) Agentless Controller Verifications (ACV) Indegy Core Technologies The Indegy Platform

26 Not Just Security, But Also Operational Value : Valuable tools and views for all aspects of ICS network lifecycle Industrial Cyber Security Real Time Activity Monitoring: Comprehensive audit trail Real-Time Security Alerts Risk Analysis: Discover assets at risk Identify exploit attempts Operational Value Asset Management: Discovery Inventory On-going monitoring Configuration Control: Baseline State validation Backup and recovery Support Forensic Investigations: Detailed logs help quickly pinpoint cause and effect Change Management: Event notifications Compliance

27 Why Indegy? Improving operational continuity, safety and reliability by providing real-time situational awareness and security for industrial control networks Patent pending ICS monitoring technology inspects critical control-layer activities Unique combination of cyber security and operational benefits Low-Touch network deployment doesn t disrupt operations About Team Decades of hands on experience with cyber security of industrial control systems. Indegy Labs research team drawn from Israeli Defense Forces' elite cyber security agencies. Infrastructure Advanced ICS laboratory and test bed including a wide variety of PLCs, RTUs and IEDs. Board Members Shlomo Kramer Security industry visionary, member ofthe InfoSec Hall of Fame, Founder of Check Point (CHKP) & Imperva (IMPV). Yahal Zilka Co-Founder and Managing partner, Magma Venture Partners. Advisory Board Gen (ret.) Amos Yadlin, Former Head Of Intelligence, IDF Amichai Shulman, Founder & CTO, Imperva Mark Kraynak, CPO, Imperva Indegy

28 Indegy Industrial Cyber Security Thank you! Want to know more? Contact us: Indegy provides situational awareness and real-time security for industrial control networks to ensure operational continuity and reliability.