Industrial Control System Security white paper

Similar documents
Network Security Policy

Modern IP Communication bears risks

Information System Security. Nguyen Ho Minh Duc, M.Sc

Basic rules for protecting remote maintenance accesses

NETGEAR-FVX Relation. Fabrizio Celli;Fabio Papacchini;Andrea Gozzi

ON-LINE EXPERT SUPPORT THROUGH VPN ACCESS

IC32E - Pre-Instructional Survey

School of Computer Sciences Universiti Sains Malaysia Pulau Pinang

Hacker Academy Ltd COURSES CATALOGUE. Hacker Academy Ltd. LONDON UK

Log Data: A Source of Value. Nagios Enterprises LLC Nagios Enterprises 2017 Logs: A Source of Value // 1

SIMATIC NET. Industrial Ethernet Security SCALANCE S615 Getting Started. Preface. Connecting SCALANCE S615 to the WAN 1

Wireless LAN Security (RM12/2002)

MRD-310 MRD G Cellular Modem / Router Web configuration reference guide. Web configuration reference guide

1.4 VPN Processing Principle and Communication Method

CtrlS Datacenters Placement Questions And Answers

IP806GA/GB Wireless ADSL Router

GWN7000 Firmware Release Note IMPORTANT UPGRADING NOTE

CTS2134 Introduction to Networking. Module 08: Network Security

Securing Access to Network Devices

Network Security and Cryptography. December Sample Exam Marking Scheme

Version No. Build Date No./ Release Date. Supported OS Apply to Models New Features/Enhancements. Bugs Fixed/Changes

Broadband Router DC-202. User's Guide

Firewalls Network Security: Firewalls and Virtual Private Networks CS 239 Computer Software March 3, 2003

Virtual private networks

Distributed Systems. Lecture 14: Security. Distributed Systems 1

CHAPTER 7 ADVANCED ADMINISTRATION PC

Distributed Systems. Lecture 14: Security. 5 March,

ECDL / ICDL IT Security. Syllabus Version 2.0

Setting up a secure VPN Connection between SCALANCE S and SSC Using a static IP Address. SCALANCE S, SOFTNET Security Client

When the Lights go out. Hacking Cisco EnergyWise. Version: 1.0. Date: 7/1/14. Classification: Ayhan Koca, Matthias Luft

Course overview. CompTIA Security+ Certification (Exam SY0-501) Study Guide (G635eng v107)

CITADEL Series - Security and VPN Appliances

A (sample) computerized system for publishing the daily currency exchange rates

Gigabit SSL VPN Security Router

Weak Spots Enterprise Mobility Management. Dr. Johannes Hoffmann

HikCentral V.1.1.x for Windows Hardening Guide

LevelOne WBR User s Manual. 11g Wireless ADSL VPN Router. Ver

Cloud Security Standards Supplier Survey. Version 1

Connectivity 101 for Remote Monitoring Systems

Setting up a secure VPN connection between two SCALANCE S Modules Using a static IP Address

Smart Machine Smart Decision. R700_User Guide_V1.05 1

The StrideLinx Remote Access Solution comprises the StrideLinx router, web-based platform, and VPN client.

UNECE WP29/TFCS Regulation standards on threats analysis (cybersecurity) and OTA (software update)

SIMATIC NET. Industrial Remote Communication - Remote Networks SINEMA Remote Connect. Preface. Connecting the SINEMA RC Server to the WAN 1

Series 1000 / G Cellular Modem / Router. Firmware Release Notes

NTC-6908T Firmware Release Notes

Security with Passion. Endian UTM Virtual Appliance

WHITE PAPER. Secure communication. - Security functions of i-pro system s

Setting up a secure VPN Connection between a Tablet (ios), SCALANCE S615 and SINEMA Remote Connect Server. SINEMA Remote Connect, SCALANCE S615


The following chart provides the breakdown of exam as to the weight of each section of the exam.

SECURE USE OF IT Syllabus Version 2.0

Industrial Security - Protecting productivity. Industrial Security in Pharmaanlagen

FRONT RUNNER DIPLOMA PROGRAM Version 8.0 INFORMATION SECURITY Detailed Course Curriculum Course Duration: 6 months

Security+ Practice Questions Exam Cram 2 (Exam SYO-101) Copyright 2004 by Que Publishing. International Standard Book Number:

EC-Council Certified Network Defender (CND) Duration: 5 Days Method: Instructor-Led

A Division of Cisco Systems, Inc. EtherFast Cable/DSL VPN Router. with 4-Port 10/100 Switch. User Guide WIRED. BEFVP41 v2. Model No.

Ensuring Desktop Central Compliance to Payment Card Industry (PCI) Data Security Standard

Custom Connect. All Area Networks. customer s guide to how it works version 1.0

A practical guide to IT security

Standalone DVR User s Manual. Figure 4-81

SIMATIC. PCS 7 Process Control System Support and Remote Dialup. Security information 1. Preface 2. Support and Remote Dialup 3.

Security+ SY0-501 Study Guide Table of Contents

A Division of Cisco Systems, Inc. 10/100/ Port. VPN Router. User Guide WIRED RV0041. Model No.

Setting up a secure VPN Connection between CP x43-1 Adv. and SOFTNET Security Client Using a static IP Address

Chapter 16: Advanced Security

User Guide IP Connect GPRS Wireless Maingate

Training UNIFIED SECURITY. Signature based packet analysis

Series 1000 / G Cellular Modem / Router. Firmware Release Notes

Just How Vulnerable is Your Safety System?

Security Principles for Stratos. Part no. 667/UE/31701/004

Substation. Communications. Power Utilities. Application Brochure. Typical users: Transmission & distribution power utilities

HikCentral V1.3 for Windows Hardening Guide

The Learner can: 1.1 Describe the common types of security breach that can affect the organisation, such as:

Education Network Security

TECHNOLOGY Introduction The Difference Protection at the End Points Security made Simple

USR-G808 User Manual

Series 5000 ADSL Modem / Router. Firmware Release Notes

SteelGate Overview. Manage perimeter security and network traffic to ensure operational efficiency, and optimal Quality of Service (QoS)

NBG-416N. Wireless N-lite Home Router. Default Login Details. IMPORTANT! READ CAREFULLY BEFORE USE.

LevelOne. User's Guide. Broadband Router FBR-1402TX FBR-1403TX

Chapter 24 Wireless Network Security

Information Security Awareness

Using a VPN with Niagara Systems. v0.3 6, July 2013

NEN The Education Network

10/100 4-Port. User Guide. VPN Router RV042. A Division of Cisco Systems, Inc. Model No. Downloaded from manuals search engine

LevelOne Broadband Routers

Grandstream Networks, Inc. GWN7000 OpenVPN Site-to-Site VPN Guide

Most Common Security Threats (cont.)

IndigoVision. Control Center. Security Hardening Guide

... Lecture 10. Network Security I. Information & Communication Security. Prof. Dr. Kai Rannenberg

FDS manual File Delivery Services SFTP and FTP file transfer

NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT?

Quick Installation Guide

Cyber Essentials. Requirements for IT Infrastructure. QG Adaption Publication 25 th July 17

KNX Secure. KNX Position Paper on Data Security and Privacy

FDS manual File Delivery Services SFTP and FTP file transfer

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

Setting up a secure VPN Connection between SCALANCE S and CP x43-1 Adv. Using a static IP Address. SCALANCE S, CP Advanced, CP Advanced

Multi-Layered Security Framework for Metro-Scale Wi-Fi Networks

Transcription:

Industrial Control System Security white paper The top 10 threats to automation and process control systems and their countermeasures with INSYS routers Introduction With the advent of M2M (machine to machine) connectivity and the Internet of things, businesses are presented with the opportunity to remotely monitor, maintain and manage their remote devices (sometimes referred to as assets); this strategy can drastically increase operational efficiency and reduce running costs. Automation and process control system networks are an ideal example of how the advances in technology can be realised. With the use of WAN technology, such as cellular and broadband, businesses can keep in constant contact with their control networks, ensuring that system uptime and system availability are kept at a maximum. Connecting a control system network to a WAN (or public network) does present some security concerns that must be understood. This white paper discusses some of the cyber security threats to businesses that adopt WAN connectivity for their devices.

Top 10 threat overview according to the BSI (1) In the table below we can see the top 10 cyber threats to automation and process control system networks. NO. THREAT DESCRIPTION 1 Unauthorised use of remote maintenance accesses 2 Online attacks via office / enterprise networks 3 Attacks on used standard components in the ICS network Maintenance accesses are intentionally created openings of the ICS network to the outside but are often not protected sufficiently. Office IT is usually connected to the Internet on many paths. Usually, there are network connections from the office into the ICS network, so that offenders can invade this way. IT standard components (commercial off-the-shelf, COTS) like operating systems, application servers or databases usually contain faults and weak points that are exploited by offenders. If these standard components are also used in the ICS network, this will increase the risk of a successful attack on the ICS systems. 4 DoS (D) attacks Network connections and necessary resources can be compromised and systems can be caused to crash by (distributed) denial of service attacks, for example to disturb the functionality of an ICS. 5 Human misbehaviour and sabotage 6 Introduction of malicious code via removable media and external hardware 7 Reading and writing messages in the ICS network 8 Unauthorised access to resources 9 Attacks to network components 10 Technical misbehaviour and force majeure 1) Source: BSI-A-CS 004 version 1.00 dated April 12, 2012 Deliberate acts regardless whether by internal or external offenders are a massive threat for all protection objectives. Besides this, negligence and human failure are a major threat especially regarding the protection objectives of confidentiality and availability. The use of removable media and mobile IT components by external employees is always a great risk regarding malware infections. This aspect was important for Stuxnet for example. Since most control components communicate via plain text protocols and thus non-protected at the moment, eavesdropping and introducing of control commands is often possible without much effort. In particular internal offenders or subsequent attacks from outside have a walk-over if services and components in the process network implement insecure methods for authentication and authorisation. Network components can be manipulated by offenders, to make man-in-the-middle attacks or easy sniffing for example. Failures due to extreme environmental conditions or technical failures are always possible risk and damage potential can only be minimised here.

Preventative measures using the INSYS security features The table below corresponds to the top 10 cyber threats to industrial automation and control system networks; it provides guidance on the most appropriate methods available, when using INSYS routers, to prevent these threats from damaging your remote assets. NO. THREAT PREVENTATIVE MEASURES 1 Unauthorised use of remote maintenance accesses 2 Online attacks via office / enterprise networks 3 Attacks on used standard components in the ICS network Firewall Authentication Blacklisting / Whitelisting Key switch functions Firewall Authentication Remote firmware update Waiving standard office IT standards Linux components individually selected for INSYS 4 (D)DoS attacks Redundant connections 5 Human misbehaviour and sabotage 6 Introduction of malicious code via removable media and external hardware 7 Reading and writing messages in the ICS network 8 Unauthorised access to resources 9 Attacks to network components 10 Technical misbehaviour and force majeure Disable web interface Blacklisting / Whitelisting Key switch functions Policies and procedures Services are only enabled if absolutely necessary Port based security Firewall Authentication Key switch functions Port based security Blacklisting / Whitelisting Monitoring log files Message dispatch Redundant connections Redundant devices Configuration backup

Glossary Authentication The authentication during connection establishment ensures that the communication partner is definitely the one he claims to be, Example: The VPN client authenticates to the VPN server and this authenticates its communication partner. Pre-shared keys (PSK) or better certificates are used as an authentication method. Blacklisting / Whitelisting Users, IP or MAC addresses that are to be blocked from accessing services or locations are entered into negative lists (black lists). Principle: Everything is allowed which is not forbidden! This is the opposite principle of whitelisting. The web interface is the central user interface for configuring all INSYS devices. Its structure is consistently identical for intuitive, quick and trouble-free use. Configuration backup Operation must be resumed quickly on hardware failures. It must be possible to restore a backup of the complete configuration on the replacement device. Backup of the complete configuration including all keys and certificates into an encrypted BIN file. Devices of INSYS will recognise when restoring that this is a file with a configuration, regardless of the file name. Disable web interface This can be used for protecting the device configuration settings against accidental change, sabotage and spying by participants from the LAN and/or WAN. Disabled for LAN participants. Disabled for WAN participants (remote). Disabled for LAN and WAN participants (can only be cancelled by resetting to default settings). Firewall An active firewall blocks all data packets generally, to allow communication, permitted data packets must be explicitly specified using rules. Principle: block everything, allow only the necessary. Firewalls are mostly situated at the coupling point between private and public network as well as at the coupling point of network segments (LANs) in case of network segmentation. The main tasks are: protecting a secure network from attacks from an insecure network. preventing unauthorised access to private networks (LANs). enabling authorised access to public networks (WANs). limiting the use of services or protocols.

protecting network segments mutually (cell protection). The firewall of the INSYS icom routers allows you to create rules as per various aspects: Data direction. Protocol. IP version. Sender IP. Destination IP. Destination port. Dial-In user name. Key switch functions This achieves a physical access protection; only authorised persons can operate the switch with their key. This controls a signal at a digital input of the INSYS routers for connection establishment and closure. Dial-Out connection. OpenVPN-Tunnel. PPTP tunnel. IPsec tunnel. Serial Ethernet connection. Without key switch OFF, the connection will be terminated again either by the remote terminal or after expiry of the configured time (idle time, maximum connection time, time). Linux components individually selected for INSYS Linux distributions contain various services and libraries. INSYS selects each used component individually and checks it carefully; this is how the hardened Linux operating system of INSYS evolves. Only necessary services are being installed. The availability of the sources is ensured Transparency and verifiability by using free software. Message dispatch Status or fault messages are generated and dispatched based on events. Such messages are a type of condition monitor and inform responsible persons or automated control centres about normal processes or faults. Monitoring of numerous events like system start, VPN tunnel established, digital input closed or pulsed, Dial-Out or Dial-In connection established, SIM card switched or IP address obtained via DHCP.

Dispatch as SMS, e-mail or SNMP trap with individual message text The content of a status page of the web interface and/or a log file can be attached to an e-mail. Monitoring log files Instead of a delayed evaluation of log files, INSYS icom routers will monitor significant events (abnormal connections or unauthorised connection attempts) and send a message immediately. Immediate message dispatch (SMS, e-mail, SNMP trap) on: o Ethernet link (connection established) o Ethernet link lost (link lost) o Incorrect web interface login Network segmentation Manufacturers and external service providers sometimes have external accesses for maintenance and programming. Secure authentication methods and a firewall provide security. If access for remote maintenance is permitted, further systems or networks may be accessible via a maintenance access. If unintended or unauthorised access to a further system is possible, this presents a security problem. Therefore, an acceptable granular segmentation of the networks is necessary in order to minimise the "range" of remote maintenance access. Policies and procedures Only the interaction of technical, physical and organisational measures as well as their regular check and update will provide maximum security. This is based on clear guidelines and processes for internal and external personnel, for handling data carriers, e-mail, social networks, passwords, firewall rules, back doors, software installations up to mandatory advanced training programs and security checks. Port based security Even if remote accesses are routed via a firewall that allows and monitors the access to the target system, unused Ethernet ports must be disabled. Used Ethernet ports must be monitored so that it is possible to detect if a network cable is disconnected or connected without authority. Managed switch, configurable local and remote via web-interface. Monitoring of active Ethernet ports and message dispatch (SMS, e-mail, SNMP trap) upon Ethernet link (established, lost). Disabling unused Ethernet ports via web interface.

Redundant connections DoS(D) attacks rarely affect different infrastructures (fixed line network and cellular connections) at the same time. A cellular connection will be provided in parallel to a fixed line connection as a solution. This allows you to maintain a backup connection in case the fixed line connection is attacked - the inverse solution is also possible. Redundant devices using several devices that operate in parallel, one device operates as active and the other operates in stand-by, it will take on the tasks of the defective device in case of a failure. Devices and services of INSYS routers help you with backing up the configuration for a quick restoration of the original configuration on a replacement device including all certificates. Remote firmware update A manual update at the site is often complex and expensive for remote stations. Offenders could also exploit the weak points of outdated systems. Remote updates via secure connections eliminate these defects. INSYS routers can look for the following updates independently on a secure server in the LAN or WAN, download them via HTTP or FTP and install them. Firmware. Configuration (ASCII and binary). INSYS sandbox (image). Extension applications (image). Services are only enabled if absolutely necessary Services that are not installed or not started cannot be attacked and present no security risk. Only selected and necessary services are installed on devices of INSYS. Services are only started on INSYS devices if they need to be used. VPN VPN stands for Virtual Private Network. VPNs are encrypted connections via data networks. The objective is to tamper-proof communication between VPN partners from different local networks (LANs) via insecure or public networks (Internet). They use encryption and authentication for connection establishment and transmit encrypted data (cryptography). The assignment of permissions causes closed user groups. Well-known examples are IPsec and OpenVPN. The INSYS router products support OpenVPN, IPsec and PPTP. Waiving standard office IT standards Increased standard information technology is being used in automation and control networks like Windows PCs, databases and software-based PLCs. This makes these networks viable for attack scenarios known from the Internet, since potential offenders have know-how and attack tools freely available on the Internet.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback