Post on 07-Jul-2020
transcript
© Copyright Fortinet Inc. All rights reserved.
Building an Industrial Security Fabric
An innovative approach to protecting the industrial environment
Agenda
▪ ICS versus IoT
▪ Industrial Control System and IoT Attacks are on the rise
▪ Fortinet Security Fabric for IoT and Industrial Security
▪ Fortinet Fabric Alliance Partner Nozomi
▪ ICS and IoT Use Cases
▪ Q&A
ICS versus IoT: an overview of ICS and IoT fundamentals and their evolution
SCADA = Basis of Industrial Automation
Operational Technology (OT) is hardware and
software that detects or causes a change through the
direct monitoring and/or control of physical devices,
processes and events in the industrial environment.
Industrial Control Systems (ICS) play a major role in OT and include Supervisory Control and Data Acquisition (SCADA) systems and Distributed Control Systems (DCS).
Supervisory Control and Data Acquisition
(SCADA) refers to a system that collects data from
various sensors at a factory, plant or in other remote
locations and then sends this data to a central
computer which then manages and controls the data.
Key SCADA Components
Human-Machine Interface (HMI): is the
component in charge of displaying process
data to a human operator. The
operator monitors and controls the process
through the HMI.
SCADA Master: the component in charge of collecting all data from the different devices and controlling the entire process.
Remote Terminal Units (RTU): connect to
sensors and convert their signals to digital
data and send it to the supervisory system.
Programmable Logic Controller (PLC):
used as field devices because they are
more economical, versatile, flexible, and
configurable than special-purpose RTUs.
[Diagram: valve, fan, pump, operator]
Standard SCADA Architecture
DMZ: Systems that need to interact with IT systems (e.g. Remote Management Server, Historian, Antivirus, DNS, Patch Management).
Process Network: Systems that need to interact with IT systems (e.g. HMI, SCADA Master, MTU, Supervisory Controller).
Control Network: Systems that collect and transmit data between field devices (actuators and sensors) and supervisors (e.g. RTU, PLC).
Field Network: Actuators and sensors directly connected to RTUs and PLCs by local network connections (e.g. serial cable, fiber ring, proprietary protocols).
[Diagram: valve, fan, pump]
Typical SCADA components such as RTUs and PLCs are vulnerable
▪ Programmable Logic Controllers (PLC) or Remote Terminal Units (RTU) are computers with limited computational power, built to control physical components such as valves, pumps, motors, etc.
▪ They communicate with dedicated
protocols that are prone to attacks
» No identity
» Lack authentication
» Lack encryption
» Backdoors
» Buffer overflow
SCADA Protocols
Different communication protocols are used in a SCADA system, encapsulating their data in standard TCP/IP network packets. Usually these protocols were designed for serial communications, so they lack basic security mechanisms such as identity, authentication, encryption and integrity checks.

Layer          Protocol
Application    SCADA protocols (e.g. Modbus, DNP3, Profinet, IEC 101/104)
Presentation   -
Session        -
Transport      TCP / UDP
Network        Internet Protocol
Data Link      Ethernet data link layer
Physical       Ethernet physical layer
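To make the "no identity, no authentication, no integrity" point concrete, here is an added example (not from the slides, and not any vendor's code) that parses Modbus/TCP frames and shows what a network-side control has to work with: the 7-byte MBAP header plus function code carries nothing that names or authenticates the sender, so the only place to enforce "who may write to a controller" is on the network path between them. The frames, IP addresses and the allowlist of engineering workstations are constructed for the example.

```python
# Added example (not from the slides): parse Modbus/TCP and flag state-changing
# requests from hosts that are not approved engineering workstations.
# All frames, addresses and the allowlist below are constructed for this example.
import struct
from dataclasses import dataclass

# Function codes that change controller state versus those that only read it.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes           # PDU payload after the function code


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header and the PDU of one Modbus/TCP request.

    MBAP = transaction id (2) | protocol id (2, always 0) | length (2) | unit id (1).
    Note what is absent: no sender identity, no credential and no integrity
    field. Any host that can reach TCP/502 can issue any function code.
    """
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"unexpected protocol id {pid}")
    # The length field counts the unit id plus the PDU, i.e. everything after byte 6.
    if length != len(frame) - 6:
        raise ValueError(f"MBAP length {length} does not match frame size {len(frame)}")
    return ModbusRequest(tid, uid, frame[7], frame[8:])


def describe(req: ModbusRequest) -> str:
    """Human-readable summary; the common function codes all start with two 16-bit fields."""
    name = WRITE_FUNCTIONS.get(req.function_code) or READ_FUNCTIONS.get(req.function_code)
    if name is None or len(req.data) < 4:
        return f"function {req.function_code} (not decoded)"
    addr, second = struct.unpack(">HH", req.data[:4])
    field = "value" if req.function_code in (5, 6) else "count"
    return f"{name} addr={addr} {field}={second}"


def audit(flows, allowed_writers):
    """flows: iterable of (src_ip, dst_ip, raw_frame).

    Returns one alert per write request whose source is not an approved writer,
    plus one per frame that does not parse (malformed traffic aimed at a PLC is
    itself worth a look).
    """
    alerts = []
    for src, dst, raw in flows:
        try:
            req = parse_modbus_tcp(raw)
        except ValueError as exc:
            alerts.append(f"{src}->{dst}: malformed Modbus frame ({exc})")
            continue
        if req.function_code in WRITE_FUNCTIONS and src not in allowed_writers:
            alerts.append(f"{src}->{dst} unit {req.unit_id}: unauthorized {describe(req)}")
    return alerts


# Constructed frames: Read Holding Registers 0..9, Write Single Register 16 := 0x1234,
# Write Multiple Registers 0..1 := [1, 2], and a frame whose length field is wrong.
READ_HOLDING = bytes.fromhex("00010000000601030000000A")
WRITE_SINGLE = bytes.fromhex("000200000006010600101234")
WRITE_MULTI = bytes.fromhex("00030000000b0110000000020400010002")
MALFORMED = bytes.fromhex("0004000000090103")

ALLOWED_WRITERS = {"10.10.1.10"}          # the engineering workstation (constructed)
SAMPLE_FLOWS = [
    ("10.10.1.20", "10.10.2.5", READ_HOLDING),  # HMI polling: reads are expected
    ("10.10.1.10", "10.10.2.5", WRITE_SINGLE),  # approved writer: allowed
    ("10.10.1.77", "10.10.2.5", WRITE_MULTI),   # unknown host writing registers: alert
    ("10.10.1.77", "10.10.2.5", MALFORMED),     # length mismatch: alert
]

if __name__ == "__main__":
    for line in audit(SAMPLE_FLOWS, ALLOWED_WRITERS):
        print(line)
```

The allowlist is a stand-in for whatever the network control uses to identify approved writers (a firewall policy, a switch port, a VPN identity); the protocol itself offers nothing to key on, which is why the later slides put a firewall with Modbus application control between the process and control networks.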
What is a Headless IoT Device?
▪ Hardware based
▪ Has an IP address and a MAC address
▪ No UI on the device itself (relies on a smartphone app or website)
▪ No user login attached to it
▪ A device that doesn't have an authentication mechanism
▪ Capable of accessing a network resource
▪ Cannot install security software (or anything else) on it
▪ Some will probably never be patched
IoT Examples – the daily stuff
▪ Ralph Lauren shirt
▪ Mimo monitor
▪ Smart thermostats
▪ Apple Watch
▪ Smart fridge
▪ Google Glass
▪ Smart TV
▪ Smartphones

IoT Examples – the serious stuff
▪ Smart metering
▪ Windmills
▪ Power plants
▪ SCADA systems
IoT Security challenges
IoT is all around us. We see it in home environments (smart home devices, smart TVs), corporate environments (printers, coffee machines, etc.) and industrial environments (tracking, metering, SCADA).
The big questions:
» What do we have to be afraid of?
» What do we need to secure?
» How do we secure it?
IoT Security challenges
▪ Very fast "time to market": no time for proper security
▪ Embedded developers: no knowledge about IT security
▪ Lots of low-cost devices: no money for security
We are seeing the same security bugs of the last 20 years again.
IoT Security problems
▪ Device memory: cleartext keys and credentials
▪ Device physical interfaces: unprotected local CLI
▪ Device web interface: SQL injection, buffer overrun, cross-site scripting, TLS bugs, etc.
▪ Device firmware: hard-coded credentials and crypto keys
▪ Device network services: unencrypted communication, bad/weak encryption, UPnP, buffer overflow
▪ Admin interface: default credentials, weak passwords, SQL injection (again), etc.
IoT Security problems
Summary: most IoT security has to be done on the devices themselves.
Result: as you don't have any influence on that, you should treat IoT devices in your network as HOSTILE and keep them in separate zones, as much as possible.
Industrial Control System and IoT Attacks are on the Rise
Cyber threats to industrial networks are a real and fast-growing challenge.
Industrial Cybersecurity News Goes Mainstream

August 27th, 2014 – Major cyber attack hits Norwegian oil industry
More than 50 Norwegian oil and energy companies have been hacked by unknown attackers, according to government security authorities. State-owned Statoil, Norway's largest petro company, appears to be the main target of what's described as the country's biggest ever hack attack.
http://www.theregister.co.uk/2014/08/27/nowegian_oil_hack_campaign/

December 23rd, 2015 – Iranian Hackers Claim Cyber Attack on New York Dam
An Iranian hacktivist group has claimed responsibility for a cyber attack that gave it access to the control system for a dam in the suburbs of New York, an intrusion that one official said may be "just the tip of the iceberg".
http://www.nbcnews.com/news/us-news/iranian-hackers-claim-cyber-attack-new-york-dam-n484611

January 1st, 2015 – A Cyberattack Has Caused Confirmed Physical Damage
Hackers had struck an unnamed steel mill in Germany. They did so by manipulating and disrupting control systems to such a degree that a blast furnace could not be properly shut down, resulting in "massive", though unspecified, damage.
http://www.wired.com/2015/01/german-steel-mill-hack-destruction/

September 23rd, 2010 – Stuxnet worm 'targeted high-value Iranian assets'
Stuxnet was first detected in June by a security firm based in Belarus, but may have been circulating since 2009. Unlike most viruses, the worm targets systems that are traditionally not connected to the internet for security reasons. Instead it infects Windows machines via USB keys - commonly used to move files around - infected with malware.
http://www.bbc.com/news/technology-11388018
IoT Security gone bad .. hundreds of examples…
▪ Mirai botnet (2016): attacked cameras, DVRs, etc., which were then used for DDoS. Attack: default passwords
▪ Jeep hack (2015): the firmware update was not protected, so the hacker could inject their own code and then "drive by wire" ;-)
▪ Vulnerable medical devices (2014): pacemakers and defibrillators. Attack: weak protection of data transmission between device and "mobile app"
More examples: https://github.com/nebgnahz/awesome-iot-hacks

IoT Security challenges
Don't trust ANY of these IoT devices
2009 Sayano–Shushenskaya Hydroelectric Power Station Accident
Number of units: 10
Rated power: 650 MW each
Rated discharge per unit: 358.5 m3/s
Nominal speed: 142.86 rpm
Turbine type: Francis (16 blades)
Operation date: 1978
Runner diameter: 6.77 m
Before the Incident…
[Photos: power units, generator floor, air-oil tanks]
Sequence of Events
1. Turbine 2's operating band was changed to a specific load forbidden by the manufacturer.
2. The forbidden band created extra vibration, registered also by a seismograph.
3. The turbine cover shot up and the 920-ton rotor then shot out of its seat.
4. Water immediately flooded the engine and turbine rooms and caused a transformer explosion.
5. On 21 August 2009, a rebel group in Chechnya claimed that they were responsible for the blast.
After the Incident…
[Photos: air-oil tanks, sump tank floor, crosshead of unit 2, unit 2, collector ring of unit 1]
The Total Impact
Casualties: 75
Damages of property and equipment: 310 million Euros
Power station reconstruction cost: 1.3 billion Euros
Power station reconstruction time: ~2 years
How are ICS Networks Vulnerable?
STEP 1 – Access the Network: get access to the network through standard techniques such as
▪ IT bridgeways
▪ Social engineering/phishing
▪ USB keys
▪ ICS maintenance contractors
STEP 2 – Run Standard Attacks: once the network is accessible, standard attacks can be performed using well-known toolkits.
STEP 3 – Specific ICS Attacks: run tailored attacks in order to gain control of system components, gather sensitive and critical data, and/or disrupt operations.
RESULT: attackers can create changes in the physical process such as electrical, chemical, mechanical, etc.

Recent ICS surveys tell the story as well.

Fortinet Security Fabric for Industrial Security: Providing End-to-End Segmentation for IT/OT security
Fortinet Security Fabric from IoT to Cloud
[Diagram: secure LAN access, secure WLAN access, secure cloud, secure devices, sandboxing, policy security, web security, network and security operations, threat intelligence, partner integration, automated operations, infrastructure]
▪ Inner Core Network Security
▪ Outer Core Security
» Access, Cloud & Endpoints
▪ Extended Security
» ATP, Email, Web & Policy
▪ Threat Intelligence
▪ Security Operations
▪ Partner Integration
From IoT to Cloud
[Diagram: Fortinet platform tiers across Device, Access, Network and Cloud – distributed enterprise, edge segmentation, branch, data center north-south, carrier class, SDN/NFV private cloud, IaaS/SaaS, WLAN/LAN; form factors from rugged and embedded system-on-chip devices (>1G) through appliances (>5G, >30G, >300G) and chassis (>Terabit) to virtual machines (SDN/NFV, on demand) and clients (endpoint/IoT); packet and content processor ASIC, hardware dependent; security functions IPS, AV, AppFW, VPN with security updates; delivered as appliance, virtual or cloud]
Purpose-Built Rugged Devices for Industrial Solutions
FortiGate Rugged 30D/35D/60D/90D
• Fully enclosed, fanless design, DC/AC
• Operates in extreme (-40 to 75 C) temperatures
• IEC 61850-3, IP67, IEEE 1613, Division 1 Class 2 compliant
• Integrates wireless, 3G/4G expansions, bypass modules
FortiSwitch Rugged 112D-POE/124D
• Built to IP30 standards, no fans or moving parts
• Operates in extreme (-40 to 60 C) temperatures
• FortiGate Switch Controller compatible
FortiAP 222C
• IEEE 802.11a/b/g/n/ac standards-based, operates on both 2.4 GHz and 5 GHz spectrums
• Operates in extreme (-40 to 60 C) temperatures
• Managed by FortiGate wireless controller
Industrial Standard and Compliance ready
IEC-61850 describes a unified communications system design for use in electrical sub-stations. IEC-61850-3 provides guidance on the hardware requirements of equipment deployed in this demanding environment.
EMI: unprotected devices can fail or be destroyed when exposed to high levels of electromagnetic interference.
✓ A strong electromagnetic compatibility (EMC) design is required
Thermal: a wide (-20 to +75 C) operating temperature range can be expected in a harsh environment.
✓ Requires an efficient heat dissipation system and self-warming
Vibration:
✓ Devices must survive being dropped from a cabinet rack mount
✓ A 50G anti-shock & 5-500 MHz anti-vibration requirement is present
✓ Protective components are used to cushion the device
IPS/Application Control for Industrial Systems
Supported Protocols
✓ BACnet
✓ DNP3
✓ Modbus
✓ EtherNet/IP
✓ IEC 60870-6 (TASE 2) / ICCP
✓ EtherCAT
✓ IEC 60870-5-104
✓ IEC 61850
✓ OPC
✓ Elcom
Supported Applications and Vendors
✓ 7T Technologies / Schneider Electric
✓ ABB
✓ ADvantech
✓ Avahi
✓ Broadwin
✓ CoDeSys
✓ Cogent
✓ Control Automation
✓ Datac
✓ GE
✓ Iconics
✓ InduSoft
✓ Intellicom
✓ Measuresoft
✓ Microsys
✓ MOXA
✓ PcVue
✓ Progea
✓ Promotic
✓ RealFlex
✓ Rockwell Automation
✓ RSLogix
✓ Siemens
✓ Sunway
✓ TeeChart
✓ TwinCAT
✓ WellinTech
✓ xArrow
Evolution of Industrial Control Systems
▪ Industry 4.0: Operational Efficiencies = Cyber Exposure
▪ Moving from proprietary to standards. IP communications.
▪ Convergence of ICS and IT infrastructure
▪ Commercial off-the-shelf products (COTS), IoT and Cloud
▪ B2B communications, vendor/partner access
Generations (operational efficiencies and cyber exposure both increasing with each step):
1. Isolated and proprietary
2. Serial/IP connectivity, protocol standards
3. Networked, process control network
4. IT and ICS convergence, COTS/Cloud (4th generation)
Typical ICS and IT Network Architecture
▪ HMI and RTU
▪ Air gap
▪ IT and ICS networks
▪ Industry 4.0 – convergence
[Diagram: partners/vendors and corporate LAN (domain controller, business systems); supervisory control system and associated databases; Human Machine Interface (HMI); remote terminal units; sensors for pressure, pump/fan speed, noise level, oil levels and maintenance alarms, radioactivity levels, water levels, temperature, flow rate]
Breach points everywhere
▪ Outside threat: Black Hat
▪ Inside threat: Hard Hat
▪ Air gap breached
▪ RTU or HMI exploits
▪ DoS attack on protocols
▪ USB droppers
[Diagram: the same architecture as the previous slide (corporate LAN with domain controller and business systems; supervisory control system and associated databases; HMI; remote terminal units; sensors), annotated "Air gap breached in multiple locations allowing threats to propagate" and "RTU security compromised and SCADA system vulnerable to DoS and malicious control"]
Fortinet Security Fabric for IT/OT Convergence
[Diagram repeated on each of the following slides: corporate LAN (domain controller, business systems); supervisory control system and associated databases; Human Machine Interface (HMI); remote terminal units; sensors for pressure, pump/fan speed, noise level, oil levels and maintenance alarms, radioactivity levels, water levels, temperature, flow rate]
▪ Prevent threats from entering with NGFW (FortiGate), Secure Email Gateway (FortiMail) and Sandbox (FortiSandbox)
▪ Segregate networks, prevent malware (FortiGate) and control access (FortiAuthenticator)
▪ Secure SCADA communications with hardware-accelerated VPN back to the management HMI network (FortiGate)
▪ Prevent malware propagation and non-authorized communication channels (FortiGate)
▪ Fortinet Security Fabric Strategy: protect web-based HMI from exploitation with Web Application Firewalling (FortiWeb)
▪ Vulnerability assessment, patch management and auditing of all organizational assets (FortiClient)
▪ Implement FSF (Fortinet Security Fabric) for end-to-end awareness and control across both IT and OT environments
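The IoT summary earlier ("treat IoT devices as HOSTILE and keep them in separate zones") and the "segregate networks" and "prevent non-authorized communication channels" items above describe one control: a zone plan with an explicit allowlist of inter-zone flows and a default deny. The following is an added example (not from the slides, and not FortiGate configuration) that evaluates observed flow records against such a plan, so that anything crossing a zone boundary without a policy entry, and anything from address space outside the plan, is reported. The zone ranges, the policy entries and the flow records are constructed for the example.

```python
# Added example (not from the slides): evaluate observed flows against a zone
# segmentation plan in which IoT and control networks are isolated and a DMZ
# brokers IT <-> OT traffic. Zone ranges, the policy and the flow records are
# constructed for this example; they are not anyone's production addressing.
import ipaddress
from dataclasses import dataclass

ZONES = {
    "corporate": ipaddress.ip_network("10.1.0.0/16"),
    "dmz":       ipaddress.ip_network("10.2.0.0/24"),
    "process":   ipaddress.ip_network("10.3.0.0/24"),   # HMI, SCADA master
    "control":   ipaddress.ip_network("10.4.0.0/24"),   # RTU, PLC
    "iot":       ipaddress.ip_network("10.9.0.0/24"),   # cameras, sensors, printers
}

# Allowed inter-zone flows as (src_zone, dst_zone, proto, dst_port).
# Everything not listed is denied, which is the "treat IoT as hostile" posture.
POLICY = {
    ("corporate", "dmz", "tcp", 443),     # users read the historian in the DMZ
    ("dmz", "process", "tcp", 502),       # historian polls the SCADA master (Modbus/TCP)
    ("process", "control", "tcp", 502),   # SCADA master talks to RTU/PLC
    ("iot", "dmz", "tcp", 8883),          # IoT devices publish to an MQTT broker in the DMZ only
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dst_port: int


def zone_of(ip: str) -> str:
    """Map an address to its zone; unplanned address space is 'unknown' (hostile)."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def evaluate(flow: Flow) -> tuple:
    """Return ("allow" | "deny", reason). Intra-zone traffic is allowed: the zone
    boundary is the enforcement point, which is why zones should stay small."""
    s, d = zone_of(flow.src), zone_of(flow.dst)
    if s == "unknown" or d == "unknown":
        return "deny", f"{flow.src}->{flow.dst}: address outside the zone plan"
    if s == d:
        return "allow", f"intra-zone {s}"
    if (s, d, flow.proto, flow.dst_port) in POLICY:
        return "allow", f"{s}->{d} {flow.proto}/{flow.dst_port} permitted"
    return "deny", f"{s}->{d} {flow.proto}/{flow.dst_port} not in policy"


def violations(flows):
    """Flows the segmentation policy would block; these are what to alert on."""
    out = []
    for f in flows:
        verdict, reason = evaluate(f)
        if verdict == "deny":
            out.append((f, reason))
    return out


SAMPLE_FLOWS = [                                          # constructed flow records
    Flow("10.1.5.20", "10.2.0.10", "tcp", 443),    # allow: user -> historian
    Flow("10.3.0.5", "10.4.0.12", "tcp", 502),     # allow: master -> PLC
    Flow("10.9.0.33", "10.9.0.34", "tcp", 80),     # allow: inside the IoT zone
    Flow("10.9.0.33", "10.1.5.20", "tcp", 445),    # deny: IoT camera reaching corporate SMB
    Flow("10.1.5.20", "10.4.0.12", "tcp", 502),    # deny: corporate host bypassing the DMZ to a PLC
    Flow("192.168.77.9", "10.4.0.12", "tcp", 502), # deny: unplanned address talking to a PLC
]

if __name__ == "__main__":
    for flow, reason in violations(SAMPLE_FLOWS):
        print(f"DENY {flow.src} -> {flow.dst} {flow.proto}/{flow.dst_port}: {reason}")
```

Run against real flow logs (NetFlow, firewall accept logs) the same check doubles as a detection: a denied verdict on traffic that was actually observed means either the firewall rulebase has drifted from the zone plan or something is on a path the plan never intended.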
SCADA Partner Integration
[Diagram: Fortinet Security Fabric ecosystem alliance partners – SIEM, SDN, endpoint, cloud, virtual, management, ICS/SCADA]

Fortinet and Nozomi Integration: A Proactive Approach to SCADA Security
IT/OT Convergence Creates New Security Challenges
[Diagram: Information Technology (IT) = business process automation; Operational Technology (OT) = industrial process automation; IT/OT convergence brings enhanced performance, cost reduction, scalability and flexibility]
Since OT has started to progressively adopt IT-like technologies (e.g. Windows OS or the TCP/IP protocol stack) and is more exposed to business networks, the attack surface has increased and 'security through obscurity' has become an outdated approach.
… our Answer is an Active Integration between SCADAguardian and FortiGate
▪ Behavioral Analysis: automatically learns ICS behavior and detects suspicious activities
▪ Deep SCADA Understanding: deep understanding of all key SCADA protocols, open and proprietary
▪ Unintrusive Passive Monitoring: real-time passive monitoring guarantees no performance impact and permits visibility at different layers of the Control and Process Networks
▪ Security Policy Enforcement: flexibility to enforce security policies with different degrees of granularity
▪ Active Traffic Control: proactive filtering of malicious and unauthorized network traffic
▪ In-line Protection: in-line separation between IT and OT environments
The result: turn-key internal and perimeter visibility; fine tuning, control and monitoring of the firewall ruleset; proactive SCADA security.
Fortinet/Nozomi Networks Security Architecture
Full protection, visibility and monitoring thanks to Nozomi Networks and Fortinet.
The Nozomi Networks solution passively monitors the network, thus not affecting the performance of the control system. The appliance is connected to the system via a SPAN or mirror port on a switch.
[Diagram: valve, fan, pump]
Responding to Threats in Real Time
1. Monitor: a threat is detected by SCADAguardian and an alert is generated.
2. Detect: user-defined policies are examined and the appropriate corresponding action is triggered.
3. Protect: FortiGate responds according to the user-configured action (Node Blocking, Link Blocking, or Kill Session) in order to mitigate the issue.
[Diagram: valve, fan, pump; the step 3 enforcement point is marked at several places in the network]
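The three steps above are, in effect, a policy engine: an alert comes in, the first matching user-defined rule selects a response, and the enforcement point applies it. The following added example (not from the slides, and not the SCADAguardian or FortiGate API) implements that loop in a self-contained form so the ordering rules and the resulting firewall state can be inspected. The alert fields, the rule format, the sample alerts and the simulated firewall state are all constructed; the only names taken from the slide are the three response actions.

```python
# Added example (not from the slides): the monitor -> detect -> protect loop as a
# small policy engine. The alert fields, the rule format and the firewall state
# are constructed for this example; the only names taken from the slide are the
# three response actions (Node Blocking, Link Blocking, Kill Session). This is
# not the SCADAguardian or FortiGate API.
from dataclasses import dataclass, field

NODE_BLOCK, LINK_BLOCK, KILL_SESSION, LOG_ONLY = (
    "node_block", "link_block", "kill_session", "log_only")


@dataclass
class Alert:
    """What the monitoring sensor reports (step 1, Monitor)."""
    kind: str        # e.g. "unauthorized_write", "new_node", "port_scan"
    severity: int    # 1 (informational) .. 10 (critical)
    src: str
    dst: str
    session_id: str


@dataclass
class Rule:
    """A user-defined policy line (step 2, Detect). First matching rule wins,
    so specific kinds must be listed before the "*" catch-alls."""
    kind: str            # alert kind, or "*" for any kind
    min_severity: int
    action: str


POLICY = [
    Rule("unauthorized_write", 1, LINK_BLOCK),  # any write from an unapproved host: cut that src->dst link
    Rule("new_node", 5, NODE_BLOCK),            # a confidently-flagged unknown node: quarantine it
    Rule("*", 8, KILL_SESSION),                 # anything else critical: drop the session
    Rule("*", 1, LOG_ONLY),                     # everything else: record, do not act
]


@dataclass
class FirewallState:
    """Simulated enforcement point (step 3, Protect)."""
    blocked_nodes: set = field(default_factory=set)
    blocked_links: set = field(default_factory=set)
    killed_sessions: set = field(default_factory=set)
    audit_log: list = field(default_factory=list)


def detect(alert: Alert, policy) -> str:
    """Select the action of the first rule whose kind and severity threshold match."""
    for rule in policy:
        if rule.kind in ("*", alert.kind) and alert.severity >= rule.min_severity:
            return rule.action
    return LOG_ONLY


def protect(alert: Alert, action: str, fw: FirewallState) -> str:
    """Apply the chosen action to the enforcement point and record the decision."""
    if action == NODE_BLOCK:
        fw.blocked_nodes.add(alert.src)
    elif action == LINK_BLOCK:
        fw.blocked_links.add((alert.src, alert.dst))
    elif action == KILL_SESSION:
        fw.killed_sessions.add(alert.session_id)
    # Every decision is logged, including log_only: the audit trail is what
    # lets an operator tune the policy afterwards.
    fw.audit_log.append((alert.kind, alert.src, alert.dst, action))
    return action


def respond(alerts, policy, fw: FirewallState):
    """Run the full loop over a batch of alerts and return the actions taken."""
    return [protect(a, detect(a, policy), fw) for a in alerts]


SAMPLE_ALERTS = [   # constructed alerts
    Alert("unauthorized_write", 7, "10.10.1.77", "10.10.2.5", "s1"),
    Alert("new_node", 3, "10.10.1.90", "10.10.2.5", "s2"),
    Alert("port_scan", 9, "10.10.1.91", "10.10.2.6", "s3"),
    Alert("new_node", 6, "10.10.1.92", "10.10.2.5", "s4"),
]

if __name__ == "__main__":
    state = FirewallState()
    for alert, action in zip(SAMPLE_ALERTS, respond(SAMPLE_ALERTS, POLICY, state)):
        print(f"{alert.kind:18} sev={alert.severity:2} -> {action}")
```

Two design points carry over to any real deployment: rule order decides which action fires, so a catch-all placed first would silently mask the specific rules, and the lowest-severity "new node" alert deliberately lands on log-only rather than a block, because in a process network an automatic block on a mis-identified device is itself a safety event.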
Fortinet Nozomi Use Case
[Screenshots: FW policy; Modbus attack; Nozomi web UI; Fortinet Security Fabric Nozomi integration; Fortinet config change log; FW policy change; Nozomi log]
IoT Use Case: Expanded intelligence for Fortinet Security Fabric
▪ Device Asset Tagging & Profiling
▪ Device Auto Detection
▪ New Device Types Added
» More headless IoT device types added
▪ Server
» Identify ‘Rogue servers’ in LAN segments
» Further differentiation: Web, Mail & FTP
▪ Enhanced Visibility & Control
» IoT Device Visibility in Fabric
» FortiSIEM Auto Discovery
IoT Device Asset Tagging in FortiView
▪ IoT device identified and tagged
▪ Custom groups to associate IoT devices
Headless Device Auto Detection
▪ Intelligent detection of devices based on signature database
▪ 21 device categories in the database, new devices continually added
IoT Device Visibility in Security Fabric
IoT device visible in Fabric Topology:
▪ View connectivity to security elements in the network
▪ Device configuration information
▪ Take action to allow or block communications
▪ Proactive approach to remediation
Summary
By incorporating the particularities
of ICS and IoT in our solutions,
Fortinet can provide the same level
of actionable security in an
Industrial network as it does in an
Enterprise network.