Management of Security Vulnerabilities in Industrial Networks
Do you need security incidents to come to a good design of your industrial automation network?
Ing. Tijl Deneut, Project assistant Industrial Security, Lecturer Howest

Industrial Security Center

Lessons Learned
Within our security project, we had a lot of ICS factories and companies asking for our help.
Lessons learned from troubleshooting REAL companies.
FicTile We Fake Your Tiles!
FicTile: Tijl Deneut, IT Manager

Operations Manager: "Enable remote monitoring by connecting industrial equipment to the company network."

Enable Remote Monitoring of Industrial Equipment
[Network diagram] Office / datacenter: 172.20.0.0 /16; Presses: 172.20.1.0 /16; Furnace: 172.20.2.0 /16; Dosing equipment: 172.20.3.0 /16

Encountered in real life: three major kinds of problems
1. Non-human, accidental issues, and how FicTile solved it
2. Human on the job, accidental issues, and how FicTile solved it
3. Human recreational, accidental issues, and how FicTile solved it
Scenario 1
Please help: the PLC of the dosing equipment goes into stop mode every day at 4 AM. (Tijl Deneut, IT Manager)

PLC of the dosing equipment continuously goes into stop mode
[Network diagram] Office / datacenter: 172.20.0.0 /16; Presses: 172.20.1.0 /16; Furnace: 172.20.2.0 /16; Dosing equipment: 172.20.3.0 /16. Diagram labels: TCP-broadcasts, Big TCP Window.

Solution: buy a new type of router that filters out these types of broadcasts.
[Same network diagram, with the TCP-broadcasts / Big TCP Window labels]
Scenario 2
Please help: the dosing equipment mysteriously goes into error and cannot be restarted. (Tijl Deneut, IT Manager)

Dosing equipment mysteriously goes into error
[Network diagram] Office / datacenter: 172.20.0.0 /16; Presses: 172.20.1.0 /16; Furnace: 172.20.2.0 /16; Dosing equipment: 172.20.3.0 /16. Diagram labels: PRES-1; PLC program downloaded to the PLC in the wrong hall.

Solution: organize a training to create awareness for PLC programmers.
[Same network diagram, labelled: OT training to create awareness]
Scenario 3
Please help: a USB stick causes a complete shutdown of production. (Tijl Deneut, IT Manager)

Thumb drive causes a complete shutdown of production
[Network diagram] Office / datacenter: 172.20.0.0 /16; Presses: 172.20.1.0 /16; Furnace: 172.20.2.0 /16; Dosing equipment: 172.20.3.0 /16

Solution: install a new and expensive antivirus program on the laptop.
[Same network diagram, labelled: Antivirus installation]

ATS 2017, June 8. Intermezzo: recent malware called WannaCrypt (or WannaCry).
The Real Problem? The so-called flat network
o One broadcast domain
o The differences in IP addresses are only on paper
o Each piece of equipment has a direct connection with any other piece of equipment
o No opportunity for segmentation in zones or areas
o No control on network traffic
An untrusted network!
- Not safe: bad configurations or errors have an influence on the whole network
- Not secure: illegitimate access is not manageable

The (starting) solution? Network segmentation
Ideal solution: use of VLANs (physical subdivision on the switch)
- Configure traffic control in one location
- Broadcast traffic is limited to the VLAN
- Switches have to support this (managed switches)
- Needs to be thought through in advance; if necessary, change the subnet mask

Configuring VLANs
[Network diagram] Office / datacenter: 172.20.0.0 /16; Presses: 172.20.1.0 /16; Furnace: 172.20.2.0 /16; Dosing equipment: 172.20.3.0 /16

Configuring VLANs, example (may require extra cables)
[Network diagram] Office / datacenter: 172.20.0.0 /24, connected over a TRUNK carrying VLAN IDs 1000, 2000 and 3000; Presses: 172.20.1.0 /24 (VLAN ID 1000); Furnace: 172.20.2.0 /24 (VLAN ID 2000); Dosing equipment: 172.20.3.0 /24 (VLAN ID 3000)
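As an added illustration (not part of the presentation) of why the /16 masks leave one broadcast domain and why the subnet mask has to change together with the VLANs: a small Python check that groups the slides' halls by the network their mask actually produces. The hall networks are the ones on the slides; the host names and host addresses (.10 for each hall's PLC, .20 for a programmer's laptop) are assumed.

```python
from collections import defaultdict
from ipaddress import ip_interface

# Constructed inventory for the FicTile network on the slides. The halls and
# hall networks come from the slides; the individual host addresses are assumed.
FLAT_PLAN = {                     # every hall still uses /16: "only on paper"
    "office-pc":   "172.20.0.10/16",
    "press-plc":   "172.20.1.10/16",
    "furnace-plc": "172.20.2.10/16",
    "dosing-plc":  "172.20.3.10/16",
    "eng-laptop":  "172.20.1.20/16",   # PLC programmer plugged in at the presses
}
VLAN_PLAN = {                     # after the migration: /24 per hall, one VLAN each
    "office-pc":   "172.20.0.10/24",
    "press-plc":   "172.20.1.10/24",
    "furnace-plc": "172.20.2.10/24",
    "dosing-plc":  "172.20.3.10/24",
    "eng-laptop":  "172.20.1.20/24",
}


def broadcast_domains(plan):
    """Group hosts by the network their own mask places them in.

    A broadcast (or a PLC download sent to the wrong hall) reaches every host
    in the same group without passing a router or a firewall.
    """
    domains = defaultdict(list)
    for host, addr in plan.items():
        domains[str(ip_interface(addr).network)].append(host)
    return {net: sorted(hosts) for net, hosts in domains.items()}


def same_segment(plan, a, b):
    """True if a and b share a layer-2 segment under this addressing plan."""
    return ip_interface(plan[a]).network == ip_interface(plan[b]).network


def reachable_without_router(plan, src):
    """Hosts that src can talk to directly, i.e. without any traffic control."""
    return sorted(h for h in plan if h != src and same_segment(plan, src, h))


if __name__ == "__main__":
    for label, plan in (("flat /16", FLAT_PLAN), ("VLAN /24", VLAN_PLAN)):
        print(label, broadcast_domains(plan))
        print("  laptop at presses reaches:", reachable_without_router(plan, "eng-laptop"))
```

With the flat plan every host, including the dosing PLC, sits in 172.20.0.0/16 with the programmer's laptop; with /24 per VLAN the laptop only reaches the press PLC directly.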
The other upside: real-life statistics
We assisted some companies with this migration, and we have some pre- and post-migration statistics.
Very common in *all* of these companies: redundant traffic.

And am I safe then? Safer, but not secure! Hacker damage... (Tijl Deneut, IT Manager)

Hacking Industrial Networks
So what can a hacker do on your network? Using traditional protocols in new ways.
Example demonstration: scanning and hacking using the Profinet Discovery Protocol (DCP) -> Solution: network segmentation

Let's get into the hacker mindset. What does a hacker have at his disposal? The internet! shodan.io, Shodan ICS Radar
HTTP or HTTPS?
HyperText Transport Protocol is the uniform protocol used by almost every website. However, HTTP is insecure: all data transferred using HTTP is clearly readable by listeners. A solution for this could be HTTPS, where the S stands for Secure. A good tool to verify this is Wireshark.

A fairly well-known and commonly used protocol: RDP
Technique for taking over a Windows PC remotely. The client is present on every Windows version since XP (mstsc.exe). Supports a lot of features: copy-paste, file system & audio redirection, printer & port redirection.

Remote Desktop Protocol vulnerability
Without getting too technical: Remote Desktop can be sniffed. Example demonstration: sniffing RDP.
Solution 1: enable NLA. Solution 2: encryption.

Remote access, theoretically and ideally
[Diagram] A manager at a HOTEL connects over the Internet through a VPN connection to a sensitive PC at WORK; an attacker may be present on the local network or on a remote network.

Some remote access guidelines
- Use a VPN solution; there are many options here, not all of them equally secure
- Use a jump station; don't allow third parties unlimited access to your network
[Diagram] Manager at a HOTEL -> Internet -> VPN connection -> WORK: NON-sensitive PC (VM) with up-to-date AV and an RDP client, refreshed each night -> sensitive PC at work
Industrial Security: The Siemens Solution
- Physical access protection to the plant and critical systems
- Security management and policies
- Security services for protection of a plant's entire lifecycle
- Secure remote access to the plant via the Internet or mobile networks
- Protection of the plant / machine network through segmentation
- Secured communication
- Protection of system integrity through integrated functions
- Access protection and rights management
Restricted Siemens AG 2017 Seite 34 June 8, 2017

Industrial Security: SIMATIC S7-1500 and the TIA Portal, security highlights
The SIMATIC S7-1500 and the TIA Portal provide several security features:
- Increased Know-How Protection in STEP 7: protection of intellectual property and effective investment
- Increased Copy Protection: protection against unauthorized reproduction of executable programs
- Increased Access Protection (Authentication): extensive protection against unauthorized project changes
- Via Security CP 1543-1, by means of integrated firewall and VPN communication
- Expanded Access Protection: extensive protection against unauthorized project changes
- Increased Protection against Manipulation: protection of communication against unauthorized manipulation for high plant availability

Industrial Security: VLAN portfolio (switch, graphic, areas of application)
- XB-200: for setting up line, star and ring structures; for PROFINET and EtherNet/IP applications; compact and small dimensions
- XC-200: extended temperature range from -40 C to +70 C; Gigabit-capable, can be equipped with SFPs, PROFINET and EtherNet/IP; certifications for trackside railway applications, marine applications (1); additional FW functionalities: fiber monitoring, VLANs, HRP standby
- XP-200: high degree of protection (IP65/67) for use outside of the control cabinet and in extreme ambient conditions from -40 C to +70 C; PROFINET, EtherNet/IP applications with up to 1 Gbit/s and IEEE 802.3at Type 2 (max. 120 W); certifications for railway, motor vehicles, marine applications
- X-300: for high-performance plant networks; VLANs, Gigabit, Power-over-Ethernet (PoE); flexibility with different media modules
- XM400: Layer 3 routing, combo ports, expandable up to 24 ports, NFC
- XR500: modular, up to 52 ports, 10 Gbit
Industrial Security: Cell Protection with Security Communication Processor

Industrial Security: Cell Protection with Communication Processor, portfolio
Cell segmentation:
- S7-1500: CM 1542-1
- S7-300/S7-400: CP 343-1 / CP 443-1
- ET200 SP CPU: CP 1542SP-1
- PC: CP 1616 / 1612 / 1613 / 1623 / 1626
Cell protection:
- S7-1500: CM 1543-1
- S7-1200: CP 1243-1
- S7-300/S7-400: CP 343-1 / CP 443-1 Advanced
- ET200 SP CPU: CP 1543SP-1
- PC: CP 1628

Industrial Security: Cell Protection and remote access with SCALANCE S
Task: for risk minimization, a large automation network is to be segmented into several safety-technical areas. The individual segments are subject to different requirements.
Solution: individual segments are secured with a SCALANCE S variant which controls access to the lower-level segment by means of a firewall.
- An S602 is placed upstream of a segment and is also able to take on the identity of a lower-level device by means of the GHOST method, e.g. a robot control.
- An S612 is placed upstream of a segment and is also able to protect communication from and to this segment by means of VPN.
- An S615 is placed upstream of a segment and is able to secure multiple further lower-level cells by means of VLAN.
- An S623 separates the automation network from the office network and facilitates data exchange between these networks via a DMZ without requiring direct access.
- An S627-2M is placed upstream of a lower-level ring (FO or Cu) and controls data communication. If required, a second S627-2M can be placed in standby mode in a redundant manner in order to increase availability in case of a fault.
Industrial Security: Remote access with SINEMA Remote Connect
Task: remote access to special machines and sensitive areas.
Solution:
- Central management of the machines and service technicians in SINEMA RC
- Assignment and management of user rights and access rights
- Logging access
Benefits:
- High transparency and security
- Avoidance of errors with unique assignment of the possessors of know-how to the relevant plant sections
- Transparent IP communication
SINEMA RC example of a configuration: remote service for special machine building

Industrial Security: First vendor with certification on Achilles Level 2
- Certified CPUs: LOGO!, S7-300 PN/DP, S7-400 PN/DP, S7-1500 PN/DP, S7-1200, S7-400 HF CPU V6.0, S7-410-5H
- Certified CPs: CP343-1 Advanced, CP443-1 & Advanced, CP1243-1, CP1543-1, CP1628
- Certified DP: ET 200 PN/DP CPUs, ET 200SP PN CPUs
- Certified firewalls: SCALANCE S602, S612, S623, S627-2M
+ Protection against DoS attacks
+ Defined behavior in case of attack
Improved availability, IP protection, international standard

Industrial Security: CERT@Siemens, Cyber Emergency Readiness Team, www.siemens.com/industrialsecurity

Industrial Security: Siemens Security Services
The Siemens security concept: Defense in Depth. Siemens products and systems offer integrated security:
- Know-how and copy protection
- Authentication and user management
- Firewall and VPN (Virtual Private Network)
- System hardening
Siemens Plant Security Services: Assess Security, Implement Security, Manage Security
Assess Security: which assessment do I need?
How do we figure out which assessment we need in each case?
- Would I like to have a quick check against the best known security standard? -> ISO 27001 Assessment
- Do I have a close to 100% SIMATIC PCS 7 installation? Or do I have a heterogeneous environment? -> SIMATIC PCS 7 & WinCC Assessment
- Would I like to have a quick check against the best known security standard for Industrial Control Systems? -> IEC 62443 Assessment
- Or do I rather get a deep, time-intensive analysis of my industrial environment, including data collection? -> Risk & Vulnerability Assessment

IEC 62443 Assessment: identify security gaps and define measures to mitigate risks
- Assessment of compliance to the IEC 62443 international standard (Industrial communication networks: Network and system security)
- Focus on parts 2-1 (Establishing an industrial automation and control system security program) and 3-3 (Security for industrial process measurement and control: Network and system security)
- Available for Siemens and third-party systems
- 2 days on-site, coordinated by a security consultant and a security engineer
- Questionnaire-based checklist to identify and classify risks
- Up to 30 pages of report containing recommendations for risk mitigation measures

ISO 27001 Assessment: identify security gaps and define measures to mitigate risks
- Quick assessment of plant security according to the ISO 27001 international standard (Information Security Management)
- Onsite workshop incl. questionnaire-based checklist: 1 day on-site, coordinated by a security consultant and a security engineer
- Typical attendants: management and the customer's responsibles for production, IT security and physical security, maintenance staff, engineering staff, ...
- Offline evaluation of the results: analysis, risk identification and classification, definition of risk mitigation measures and prioritization of actions (based on a cost/benefit scenario)
- Up to 30 pages of report containing recommendations for risk mitigation measures

SIMATIC PCS 7 & WinCC Assessment: identify security gaps and define measures to mitigate risks
- Quick assessment of the SIMATIC PCS 7 & WinCC installation
- Onsite workshop incl. questionnaire-based checklist: 1 day on-site, coordinated by a SIMATIC PCS 7 & WinCC security consultant
- Typical attendants: the customer's responsibles for production, IT security and physical security, maintenance staff, engineering staff, ...
- Offline analysis of the results: risk identification and classification and definition of risk mitigation
- Up to 30 pages of report containing recommendations for risk mitigation measures

Risk & Vulnerability Assessment: identify, classify and evaluate risks for a risk-based security program
People:
- We evaluate security awareness, security-related skills and knowledge
Technology:
- We collect installed base data and system architecture to perform a vulnerability assessment on Industrial Control Systems
- We evaluate the current security risk situation of the production networks and systems
Processes:
- We assess the maturity of organizational processes and work instructions as they apply to the security of Industrial Control Systems
- We perform a gap analysis based upon standards, best practices and existing policies
- We check if the current policies and work instructions are adequate to protect the plant against the latest and emerging threats

Risk & Vulnerability Assessment: identify, classify and evaluate risks for a risk-based security program
Report including:
- Project documentation: scope description, current network topology, current system architecture, risk analysis and scoring methodology
- Findings: network topology analysis results, installed base data analysis results, system criticality results (likelihood and business impact), risk level including risk scoring, training needs, risk mitigation measures for each finding
- Management presentation as a first step to establish a security roadmap
Implement Security to mitigate risks
Security Awareness Training: knowledge transfer to secure the "weakest link"
- SITRAIN training: web-based, one-hour training
- Generate security awareness for the staff: introduce the current threat landscape, describe how to handle risks and help identifying security incidents
Security Policy Consulting: establish standard practice in industrial control system (ICS) security
- Establish new or review and enhance existing policies, processes, procedures and work instructions which influence security on the shop floor
- Integration with enterprise cyber security practice
- Examples: patch and backup strategy, handling of removable media, ...
Network Security Consulting: support on secured network design and setup
- Cell segmentation in security cells, support based on the IEC 62443 standard and the SIMATIC PCS 7 & WinCC security concept
- Design and planning of a perimeter protection network: DMZ (demilitarized) network
- Perimeter firewall rule establishment / review and implementation

Implement Security to mitigate risks
Perimeter Firewall Installation: first line of defense against highly developed threats
- Based on Automation Firewall Appliance
- Installation, configuration, commissioning and test of the firewall system and traffic rules
- Configuration backup
- Consideration of customer-specific applications (e.g. fine-tuning of the intrusion detection / prevention system (IDS/IPS))
Clean Slate Validation: validate the clean-slate status of the environment
- Identification of security gaps thanks to virus scanning with two different scan engines
- Use of McAfee Command Line Scanner and Kaspersky Rescue Disk
- No installations required: use of a USB stick and command lines
Anti Virus Installation: virus protection solution for malware detection and prevention
- Installation and configuration of virus protection software (McAfee VirusScan Enterprise agents)
- Installation of the McAfee ePO* central management console recommended when more than 10 anti-virus agents are installed
- Compatibility consideration for SIMATIC PCS 7 systems
* ePolicy Orchestrator

Implement Security to mitigate risks
Whitelisting Installation: application control solution for malware detection and prevention
- Installation of whitelisting software (McAfee Application Control)
- Installation of the McAfee ePO* central management console recommended when more than 10 whitelisting agents are installed
- Compatibility consideration for SIMATIC PCS 7 systems
* ePolicy Orchestrator
System Backup: industrial control system backup
- Performance of a one-time backup of systems in the plant environment
- Symantec System Recovery software procured and owned by the customer
Windows Patch Installation: installation of Microsoft OS patches
- Installation of automation-vendor-validated and customer-approved Microsoft OS patches via the customer-owned WSUS server
- Consideration of compatibility: patches recommended by the supplier of automation technology AND authorized by the customer

Industrial Security: if you want to work secure, work with Siemens