No Compromises for Secure SCADA Communications, Even over 3rd-Party Networks
The Gamble of Using ISP Private Networks: How to Stack the Odds in Your Favor
Speaker: David Mattes, CTO & Co-Founder of Tempered Networks
2015 ISA Water / Wastewater and Automatic Controls Symposium, August 4-6, 2015, Orlando, Florida, USA
(ISA: Standards, Certification, Education & Training, Publishing, Conferences & Exhibits)
Presenter
- Co-Founder and CTO, Tempered Networks. Co-founded Tempered Networks in 2012 to create standards-based products that address the challenge of managing connectivity and information security for industrial control systems (ICS).
- Prior to Tempered Networks, Mattes spent 13 years in Boeing's R&D organization working on advanced networking for manufacturing. Co-created and led deployment and implementation of an ICS security architecture, and worked to publish this architecture as international standards.
- Mattes has patents pending in distributed network configuration and orchestration.
- M.S. degree in electrical engineering from the University of Washington and a B.S. degree in electrical engineering from the University of New Mexico.
Agenda
- Current Infrastructure
- Issues & Challenges for Water/Wastewater
- Looking to the Future
- Standards & Sharing
- Deployment & Implementation
- How to Secure Your Network
Industry Status (slide layout: "Need this soon" / "Need this now" columns)
- Connectivity today: secure comms over the Internet; secure comms over intranets
- Security posture today: a control panel intranet connected; using some IP network technologies; isolated proprietary solutions
The Evolving Threat Landscape for ICS
- Two-year study on devices exposed on the Internet via the SHODAN search engine
- Sampled ~2.2 million exposed devices; >25% (587,000) were ICS, SCADA and HVAC systems
- SHODAN reveals a device's IP address, geo coordinates, owner, service port header, firmware details, and more
- Source: Infracritical's Project SHINE Findings Report, October 2014
Attacks Focusing on ICS Systems
- Havex malware: discovered June 2014; targets OPC on Windows; vendor download sites compromised
- German steel mill: a cyberattack has caused confirmed physical damage for the second time ever
Limitations of Current Technology
Firewalls
- Firewalls inspect data; they do not protect data
- IP and MAC addresses are spoofable
- Management is costly
- Prone to misconfiguration: your firewall is only as secure as its configuration
- Perimeter security is no longer adequate
- Requires highly skilled staff to deploy
- Management is time consuming and costly
VPNs
- Geared towards connecting networks to networks or people to networks
- Do not scale well
- Once authenticated, there is broad access to a flat trusted network
- All your eggs in one basket: a flat trusted network
VLANs
- High cost per managed port
- Change management is time consuming and expensive
- Granting & revoking remote access is challenging
- Security is embedded in the core of the underlying network
State of ICS Networks
ICS Networks: Ideal
Standards-Based Future
- In the 80s the TCP and IP specs were finished, with no security designed into the protocols at all
- From a small trusted networked community to ubiquitous Internet usage with many untrusted users
- IP address used both to identify and to locate a host
- International Society for Automation (ISA): ISA100 TR100.15.01 Overlay Network Architecture Model; ISA99 Zones and Conduits
- Trusted Computing Group (TCG): IF-MAP Metadata for ICS Security
- Internet Engineering Task Force (IETF): RFC 5201 Host Identity Protocol
ISA 100.15.01 Architecture Goals (slide diagram: Process, Technology and People around Success)
- Leverage shared network infrastructure to minimize costs
- Isolate SCADA and control networks from the shared network
- Dynamic and flexible network segmentation
- Minimize attack surface: limit connectivity
- Allow automation engineers to manage their own devices
- Create a clear delineation of roles & responsibilities of engineers and IT
- Keep CapEx/OpEx costs LOW; reliability HIGH
- Enabler of additive defensive measures
ISA 100.15.01 Functional Architecture: The Story Behind the Solution
- Industry-standard overlay network architecture
- Encrypt host identities with the industry-standard HIP protocol and create a secure, peer-to-peer trust mechanism
- Create many private overlay networks, each with only trusted peers
- Orchestrate and automate, at scale, all overlays, devices and users with the industry-standard IF-MAP protocol
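The two slides above make one contrast: a firewall rule keyed on a spoofable IP address versus an overlay whose membership is a set of cryptographic host identities. The model below is an added illustration written for this page, not Tempered Networks code and not an implementation of RFC 5201; the host identity tag is a simplified stand-in (plain truncated SHA-256, whereas HIP uses the ORCHID construction), and all keys, addresses and overlay names are constructed sample values.

```python
import hashlib

def host_identity_tag(public_key: bytes) -> str:
    """Stand-in for a HIP Host Identity Tag (HIT): a truncated hash of the
    host's public key. Assumption: real HIP derives HITs with the ORCHID
    construction referenced by RFC 5201; plain SHA-256 truncation is used here."""
    return hashlib.sha256(public_key).hexdigest()[:32]

class OverlayPolicy:
    """Many private overlays, each a set of trusted host identities (HITs)."""

    def __init__(self):
        self.overlays = {}  # overlay name -> set of enrolled HITs

    def grant(self, overlay: str, hit: str) -> None:
        self.overlays.setdefault(overlay, set()).add(hit)

    def revoke(self, overlay: str, hit: str) -> None:
        self.overlays.get(overlay, set()).discard(hit)

    def allowed(self, src_hit: str, dst_hit: str) -> bool:
        # Peers may talk only if they share an overlay. The decision never
        # consults IP or MAC addresses, so a borrowed address buys nothing.
        return any(src_hit in m and dst_hit in m for m in self.overlays.values())

def ip_firewall_allows(rules: set, src_ip: str, dst_ip: str) -> bool:
    """Address-based rule lookup, as a conventional firewall would do it."""
    return (src_ip, dst_ip) in rules

def demo() -> dict:
    # Constructed sample identities and addresses; not real keys or hosts.
    hmi = host_identity_tag(b"constructed-key-HMI-01")
    plc = host_identity_tag(b"constructed-key-PLC-07")
    rogue = host_identity_tag(b"constructed-key-unmanaged-laptop")
    policy = OverlayPolicy()
    policy.grant("scada-overlay", hmi)
    policy.grant("scada-overlay", plc)
    fw_rules = {("10.0.0.5", "10.0.0.9")}  # HMI address -> PLC address
    results = {
        # The firewall sees only the address; any host presenting 10.0.0.5 passes.
        "fw_any_host_with_hmi_ip": ip_firewall_allows(fw_rules, "10.0.0.5", "10.0.0.9"),
        # The overlay sees identities: the enrolled HMI passes, the rogue does not.
        "overlay_hmi": policy.allowed(hmi, plc),
        "overlay_rogue": policy.allowed(rogue, plc),
    }
    policy.revoke("scada-overlay", hmi)  # revoking remote access is one change
    results["overlay_hmi_after_revoke"] = policy.allowed(hmi, plc)
    return results
```

The revoke step is the counterpart to the VLAN slide's "granting & revoking remote access is challenging": in the identity model it is a single membership change, with no switch or firewall reconfiguration.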
Securing Remote Access
1. Risks and challenges of ISP lock-in: the ISP as a network utility, and switching costs
2. Benefits of an independent layer of security: network component patch and obsolescence issues
3. Appropriate levels of visibility, auditing, governance, and change control: implementing a governance model appropriate for the organization
4. Standards-based solutions that are open and vetted: standards, open forums
Implementation & Deployment: Florida Water Utility Case
- Public Safety Network (PSN): shared network resource; VLAN for SCADA; IT services appearing on the SCADA VLAN
Goals
- Fine-grained control over connectivity policies
- Integrity protection of data over the PSN backhaul
- SCADA-focused visibility and alerting at the network layer
- Flexible and secure remote access
Implementation & Deployment
Fine-grained Connectivity Policy Control
Summary
- Threat level is rising: duty to protect
- Connectivity is increasing, and it's not going away (tablets and mobile)
- Operations needs to be at the table: networking, security, policy, awareness, resilience
- Standards are maturing, but standards alone are not enough
- Solutions are here today to bridge the gaps