Firewalls (IDS and IPS) MIS 5214 Week 6


Agenda
- Defense in Depth
- Evolution of IT risk in automated control systems
- Security Domains
- Where to put firewalls in an N-Tier Architecture?
- In-class exercise Part 1: Build an IT Architecture
- In-class exercise Part 2: Add security architecture
- Next week: Midterm Exam

What is implied by this model of security?

What is implied with this architectural model?

Early computer architecture of automated control systems separated Corporate and Control Domains
- Critical infrastructure systems supporting major industries (Manufacturing, Transportation, Energy, Water/Wastewater) are dependent on information systems for command and control
- Highly dependent on disparate legacy proprietary control systems, which until recently were isolated from corporate information systems
- Control system security used to mean locating and identifying problems in a closed-loop system

Diagram legend:
- LAN 1 connected via layer 2 switch, PBX
- LAN 2 connected via layer 2 switch, PBX
- HMI = Human Machine Interface
- CS = Control System
- PBX = Private Branch Exchange: telephone system that switches between users on local lines while allowing users to share a fixed number of external phone lines
- RTU = Remote Terminal Unit: a computer-controlled device that connects physical machines to distributed control systems
- PLC = Programmable Logic Controller
- IED = Intelligent End device

Security based on Isolation from the Internet
- Air Gap between the control system LAN and the corporate LAN
- Security by Obscurity: few, if any, understood the architecture or operation of the resources on the control system's Local Area Network (LAN)
- Works well for environments that have no external connections
- Allows the organization to focus on physical security

Total isolation from the untrusted external network resulted in a reduced need for communications security
- The only threats to operations were physical access to a facility or plant floor
- Most data communication in the isolated information infrastructure required limited authorization and security oversight
- Operational commands, instructions and data acquisition occurred in a closed environment where all communications were trusted
- If a command or instruction was sent via the network it was expected to arrive and perform the authorized function, as only authorized operators had access to the system
Source: Control Systems Cyber Security: Defense in Depth Strategies, prepared by Idaho National Laboratory's Control Systems Security Center for the U.S. Department of Homeland Security, External Report INL/EXT-06-11478, May 2006

Year ~2000: isolated control system networks began being interconnected to corporate networks with simple routers and switches
- A router is a networking device that forwards data packets between computer networks
- Routers perform the traffic-directing functions on the Internet
- A data packet is typically forwarded from one router to another through the networks that constitute the internetwork until it reaches its destination node

Many previously isolated control system networks have been interconnected as part of an IT modernization process of "web-ification"
Introducing IT components into the control system domain continues to result in security problems:
- No business case for cyber security in control system environments
- Increased dependency on automation of control systems
- Use of technologies with known vulnerabilities
- Considerable amount of open source information available on control system configurations and operations
- Control system communication protocols lack security functionality
- Control system technologies have limited security, and where vendor-supplied security capabilities do exist they are often enabled only if the administrator is aware of the capability

Over the past 2 decades IT architectures that separated corporate and control domains began evolving
- Legacy control systems are being replaced with modern open architecture standards and common communication protocols
- Positive impacts: efficient communications, robust data storage and exchange, increased interoperability and control of infrastructure systems, quicker time to market, predictive analytics
- Negative impacts: the same technologies are exploited and compromised in the Internet and IT networks

Example threat surface for vulnerability to database compromise from SQL Injection

Risk of Multilayer protocols
- Distributed Network Protocol 3 (DNP3): communications protocol for SCADA systems used by water and power utilities
- Not all protocols fit nicely within OSI model layers, especially in the case of devices on networks that were never intended to interoperate with the Internet
- Such devices likely lack robust security features for protecting the CIA of the data they communicate
- Previously isolated devices and networks are increasingly connected to unanticipated threats
- December 2015: attackers cut power through utilities' supervisory control and data acquisition (SCADA) systems, creating the first known cyberattack-caused blackout, impacting 80,000 homes in Ukraine
- DNP3 was created before networking was a consideration; instead of OSI's 7-layer model, its developers used the Enhanced Performance Architecture (EPA), which approximated OSI layers 7 (application), 4 (transport) and 2 (data link), with no encryption or authentication
- No Intrusion Protection Systems and no Intrusion Detection Systems were able to understand connections between DNP3 and IP networks and identify DNP3 attacks!

Defense in Depth through Network Segmentation to create Security Domains
- IT network infrastructure domains are sets of logical (and physical) resources available to a subject
- A subject can be a user, a process, an application
- Security domains build on this concept and add the following requirement: resources within each domain work under the same security policy and are managed by the same group
- Different domains are separated by logical boundaries created by components that enforce the security policy for each domain, such as firewalls with ACLs, directory services making access decisions, and objects with their own ACLs indicating which individuals and groups can access and run operations/processes on them

- Zone 1: External connectivity to the Internet, peer locations, and backup facilities
- Zone 2: External connectivity for corporate communications
- Zone 3: Control systems communications from external services
- Zone 4: Control systems operations, process-based or SCADA

Attack scenarios are studied and suggest that an intrusion begins at some point outside the control zone, and the attacker pries deeper and deeper into the architecture
- Securing each core zone creates a defensive strategy with depth
- Offers administrators more opportunities for information and control of resources
- Introduces cascading countermeasures that will not necessarily impede business functionality
Source: Control Systems Cyber Security: Defense in Depth Strategies, prepared by Idaho National Laboratory's Control Systems Security Center for the U.S. Department of Homeland Security, External Report INL/EXT-06-11478, May 2006

Firewalls: DMZ deployments
Source: Control Systems Cyber Security: Defense in Depth Strategies, prepared by Idaho National Laboratory's Control Systems Security Center for the U.S. Department of Homeland Security, External Report INL/EXT-06-11478, May 2006

Where to put firewalls in N-Tier systems
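The zone model on the preceding slides (Zones 1 through 4, each boundary enforced by a firewall with its own ACL) and the N-tier question above can both be expressed as a default-deny policy in which traffic may cross only one boundary at a time. The Python block below is an added example, not from the lecture or the INL report: the zone names, the rule set and the ports (443 for HTTPS, 20000 as the conventional DNP3/TCP port) are constructed for illustration. Tracing a flow hop by hop shows the cascading countermeasures the slides describe: a connection from the Internet straight to the control-operations zone has to be allowed at every boundary and is stopped at the first one with no rule for it. The block also lints a rule set, rejecting any rule that would bridge non-adjacent zones, which is the check to run before a firewall change is pushed.

```python
"""Zone-based segmentation policy: default deny, adjacent zones only.

Added example, not from the lecture.  ZONES is ordered from least to most
trusted, mirroring the slides' Zone 1..4; the same model fits an N-tier web
architecture (internet, web/DMZ, application, database) by renaming the zones.
"""
from dataclasses import dataclass

ZONES = ["internet", "corporate", "control_services", "control_ops"]


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    port: int


# Constructed rule set (ports assumed for illustration): corporate staff reach a
# historian replica in Zone 3 over HTTPS; Zone 3 servers poll outstations in
# Zone 4 over DNP3/TCP; nothing else crosses a boundary.
RULES = [
    Rule("internet", "corporate", "tcp", 443),
    Rule("corporate", "control_services", "tcp", 443),
    Rule("control_services", "control_ops", "tcp", 20000),
]


def adjacent(a: str, b: str) -> bool:
    """True when zones a and b share exactly one boundary."""
    return abs(ZONES.index(a) - ZONES.index(b)) == 1


def evaluate(src: str, dst: str, proto: str, port: int, rules=RULES) -> str:
    """Firewall decision for a single boundary crossing."""
    if src == dst:
        return "allow (intra-zone)"
    if not adjacent(src, dst):
        return "deny (no direct path between non-adjacent zones)"
    for r in rules:
        if (r.src_zone, r.dst_zone, r.proto, r.port) == (src, dst, proto, port):
            return "allow"
    return "deny (no matching rule)"


def trace(src: str, dst: str, proto: str, port: int, rules=RULES) -> list:
    """Decision at every boundary between src and dst, one hop at a time."""
    i, j = ZONES.index(src), ZONES.index(dst)
    step = 1 if j > i else -1
    hops = []
    while i != j:
        a, b = ZONES[i], ZONES[i + step]
        hops.append((a, b, evaluate(a, b, proto, port, rules)))
        i += step
    return hops


def reachable(src: str, dst: str, proto: str, port: int, rules=RULES) -> bool:
    """A flow gets through only if every boundary on the way allows it."""
    return all(v.startswith("allow") for _, _, v in trace(src, dst, proto, port, rules))


def lint_rules(rules) -> list:
    """Reject rules that name unknown zones or would bridge non-adjacent zones."""
    problems = []
    for r in rules:
        if r.src_zone not in ZONES or r.dst_zone not in ZONES:
            problems.append(f"{r}: unknown zone")
        elif not adjacent(r.src_zone, r.dst_zone):
            problems.append(f"{r}: spans non-adjacent zones")
    return problems


if __name__ == "__main__":
    for hop in trace("internet", "control_ops", "tcp", 20000):
        print(hop)
    # a proposed rule that would punch straight from Zone 1 to Zone 4
    print(lint_rules(RULES + [Rule("internet", "control_ops", "tcp", 20000)]))
```

In practice the hops use different ports because each tier terminates the connection (a web proxy in the DMZ, a historian in Zone 3) and opens a new one inward; that is what makes a single compromised tier insufficient to reach the control zone, and why the lint rejects any rule that lets one connection span two boundaries.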

In-class exercise part 2
Break your team into smaller groups of 2 or 3. Using CSET's Diagram Tool, draw a logical network diagram that identifies the technical infrastructure needed by a 30-person consulting firm to provide services developing and maintaining mission-based and service delivery information systems for a government agency (see NIST Special Publication 800-60 Volume 1, Guide for Mapping Types of Information Systems to Security Categories).
Using appropriate network symbols and annotation in your architectural diagram, include:
- Information system servers, e.g. web, application, database, file
- Groups of desktop/laptop computers, illustrating how they are organized within LANs of organizational units
- Security domain areas (based in part on security categorizations; see NIST Special Publication 800-60 Volume 2, Guide for Mapping Types of Information Systems to Security Categories: Appendices)
- Appropriately placed switches, routers, firewalls, Intrusion Detection System(s) and/or Intrusion Protection Systems; label the firewalls and IDSs to indicate the type of firewall technology and the type of IDS technology you placed in each location of your diagram
- Where the interconnection(s) to the Internet are, and to your clients, sub-contractors and remote staff accessing your organization's various IT system resources via the Internet
The level of detail in your diagram should be one at which you would feel comfortable explaining it to a group of high-level executives.
There is no single right answer: the purpose of this exercise is to get you thinking about security architecture and to get you comfortable with documenting your ideas with diagrams.

Preparation for Midterm
- Emphasis on terminology and concepts
- Study lecture slides and notes
- Readings: textbook assigned chapters (look at the practice questions in the textbook); other readings (e.g. NIST and FIPS documents) as covered/discussed in class lectures
- Practice quizzes
- See additional material: MIS5214_StudyMaterials_Firewalls-IDS-IPS.pdf in the Wrap Up of this lecture
Subjects covered:
1. Threat environment
2. Planning and policy
3. Cryptography
4. Secure Networks (and Module A: Networking Concepts)
5. Firewalls