Post on 09-Feb-2016
FIREWALL DEPLOYMENT FOR SCADA/PCN
Network Security
How closed does your network need to be?
How open can you afford your network to be?
Where is the vulnerability coming from?
How can the vulnerability be mitigated?
How can you detect that someone unauthorized is trying to jeopardize the network services?
How can Business Continuity be maintained in the long run with the steps taken?
How can future requirements be envisaged?
Types of Attacks
1. Denial of Service
2. Unauthorized Access: attempt to access a command shell
3. Illicit command execution: hacking the Administrator's password, changing the IP address, putting in a start-up script
4. Confidentiality Breach
5. Destructive Attacks: data diddling, data destruction
Network Security
Balancing act between:
Keeping equipment and processes protected.
Allowing them to touch larger computing realms via Ethernet protocols and the internet to gain new connections and capabilities.
Solution: Multiple Zone Network with Subzones.
Generic IT security goals versus ICS security goals
Assessment process flow chart
OSI Model – 7 Layers
Network Security
Network Security Tools
Intelligent network switches and routers
Firewalls
Hardware and software devices for managing network connections
User authentication
Encrypting data
DMZ
FIREWALL
Firewall
A firewall is a mechanism used to control and monitor traffic to and from a network for the purpose of protecting the devices on that network.
Compares traffic passing through it to pre-defined security criteria
Can be a hardware device (Cisco PIX or Symantec Security Gateway)
Can be a hardware/software unit with OS-based firewall capabilities ("iptables" running on a Linux server)
Host-based software solution installed on the workstation directly (Norton Personal Firewall or Sygate Personal Firewall)
Internet facing firewall protecting PC & PLC
Content of Network Traffic
Network Traffic
Network traffic is sent in discrete groups of bits, called packets, each of which includes:
Sender's identity (source address)
Recipient's identity (destination address)
Service to which the packet pertains (port number)
Network operation and status flags
Actual payload of data to be delivered to the service
A firewall analyzes these characteristics and decides what to do with the packet based on a series of rules, known as Access Control Lists (ACL).
Classes of Firewall
Host Based Firewalls
Available on Windows or Unix based platforms
Primary function is workstation or server tasks like database access or web services
Can do little to regulate traffic destined for embedded control devices
Classes of Firewall
Packet Filter Firewall
Simplest class of firewall, following a set of static rules
Only the IP addresses and the port number of the packet are examined
No intelligence to identify spoofed (forged source IP address) packets
Packet Filter Firewall
Classes of Firewall
Application Proxy Firewalls
Open packets at the application layer
Process them based on specific application rules
Reassemble and forward to target devices
No direct connection to the external server
Possible to configure internal clients to redirect traffic without the knowledge of the sender
Possible to apply access control lists against the application protocol
Other Firewall Services
Acting as an Intrusion Detection System: logging denied packets, recognizing network packets specifically designed to cause problems, reporting unusual traffic patterns
Blocking infected traffic by deploying Front-line Anti-Virus Software on firewall
Authentication services through passwords or Public Key Encryption
Virtual Private Network (VPN) gateway services by setting up an encrypted tunnel between firewall and remote Host devices
Network Address Translation (NAT) where a set of IP addresses used on one side of a firewall are mapped to a different set on the other side.
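The intrusion-detection role listed above (logging denied packets and reporting unusual traffic patterns), as an added example that is not part of the original presentation: it parses constructed iptables-style deny log lines and flags any source whose denied packets touched many distinct targets, which is what a port or host sweep against the control network looks like from the firewall. The log format, field names and addresses are assumptions, not the plant's.

```python
import re
from collections import defaultdict

# Constructed firewall log lines in iptables-style key=value form; not from the plant's firewall.
SAMPLE_LOG = """\
Feb  9 10:00:01 fw kernel: DENY IN=eth1 SRC=10.30.5.5 DST=10.10.1.1 PROTO=TCP DPT=502
Feb  9 10:00:01 fw kernel: DENY IN=eth1 SRC=10.30.5.5 DST=10.10.1.1 PROTO=TCP DPT=102
Feb  9 10:00:02 fw kernel: DENY IN=eth1 SRC=10.30.5.5 DST=10.10.1.1 PROTO=TCP DPT=135
Feb  9 10:00:02 fw kernel: DENY IN=eth1 SRC=10.30.5.5 DST=10.10.1.1 PROTO=TCP DPT=445
Feb  9 10:00:03 fw kernel: DENY IN=eth1 SRC=10.30.5.5 DST=10.10.1.2 PROTO=TCP DPT=502
Feb  9 10:00:05 fw kernel: ALLOW IN=eth1 SRC=10.30.7.7 DST=10.20.0.10 PROTO=TCP DPT=5450
Feb  9 10:00:09 fw kernel: DENY IN=eth1 SRC=10.30.7.7 DST=10.10.1.1 PROTO=TCP DPT=5450
"""

LINE_RE = re.compile(
    r"(?P<action>ALLOW|DENY) IN=(?P<iface>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) DPT=(?P<dport>\d+)"
)

def parse(text):
    """Return one dict per parseable line; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            records.append(rec)
    return records

def find_sweeps(records, threshold=4):
    """Flag sources whose denied packets touched at least `threshold` distinct
    (destination, port) pairs: a single denied hit is noise, many is a sweep."""
    touched = defaultdict(set)
    for rec in records:
        if rec["action"] == "DENY":
            touched[rec["src"]].add((rec["dst"], rec["dport"]))
    return {src: sorted(pairs) for src, pairs in touched.items() if len(pairs) >= threshold}

def report(text, threshold=4):
    """One summary line per flagged source, suitable for the firewall's reporting function."""
    return [f"{src}: {len(pairs)} denied targets, e.g. {pairs[0][0]}:{pairs[0][1]}"
            for src, pairs in sorted(find_sweeps(parse(text), threshold).items())]
```

The threshold is the tuning knob: a PCN gateway that legitimately serves one server on one port should see almost no denied variety from a well-behaved client.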
Overall Security Goals of PCN/SCADA Firewalls
No direct connection from the Internet to the PCN/SCADA Network and vice versa
Restricted access from the enterprise network to the control network
Unrestricted (but only authorized) access from the enterprise network to shared PCN/Enterprise servers
Secured methods for authorized remote support of control system
Secure connectivity for wireless devices
Well-defined rules outlining the type of traffic permitted
Monitoring the traffic attempting to enter the PCN
Secure connectivity for management of the firewall
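An added example (not from the presentation) that encodes the goals above as the kind of static, address-and-port rule set the packet-filter class uses, and demonstrates the blind spot noted under Packet Filter Firewall: a packet carrying a forged DMZ source address passes the plain filter, so a second function adds the ingress-interface check that closes it. Zone ranges, the 10.x addresses and port 135 for the OPC/DCOM hop are assumptions; port 5450 for PI comes from the page's diagrams.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Zone address ranges are constructed for this example, not the plant's real addressing.
ZONES = {
    "PCN": ip_network("10.10.0.0/16"),   # control network
    "DMZ": ip_network("10.20.0.0/24"),   # shared PCN/Enterprise servers (PI, OPC gateway)
    "EN": ip_network("10.30.0.0/16"),    # enterprise/office network
}

def zone_of(ip):
    """Map an address to its zone; anything outside the known ranges is untrusted."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "INTERNET"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

# Static packet-filter rules, first match wins, default deny. Each entry is
# (source zone, destination zone, permitted destination ports). Port 5450 (PI) is
# taken from the page's diagrams; port 135 for the OPC/DCOM hop is an assumption.
RULES = [
    ("INTERNET", "PCN", set()),      # no direct Internet -> PCN
    ("PCN", "INTERNET", set()),      # ... and vice versa
    ("EN", "DMZ", {5450}),           # authorized PI clients reach the shared PI server
    ("DMZ", "PCN", {135}),           # only the DMZ interface host talks to PCN OPC servers
    ("EN", "PCN", set()),            # nothing direct from enterprise to control
]

def decide(pkt):
    """Plain packet filter: looks only at addresses and port, exactly as the page describes."""
    pair = (zone_of(pkt.src), zone_of(pkt.dst))
    for src_zone, dst_zone, ports in RULES:
        if pair == (src_zone, dst_zone):
            return "ALLOW" if pkt.dport in ports else "DENY"
    return "DENY"

def decide_on_interface(pkt, ingress_zone):
    """Same rules plus an ingress check: a packet claiming a DMZ source address but
    arriving on the enterprise interface is forged and is dropped before rule lookup."""
    if zone_of(pkt.src) != ingress_zone:
        return "DENY"
    return decide(pkt)
```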
Firewall Selection Criteria
Security: the likely effectiveness of the architecture to prevent possible attacks.
Manageability: the ability of the architecture to be easily managed (both locally and from remote).
Scalability: the ability of the architecture to be effectively deployed in both large and small systems or in large numbers.
Common SCADA/PCN Segregation Architecture
Dual-Homed Computers
Common SCADA/PCN Segregation Architecture
Dual Homed Server with Personal Firewall Software
Common SCADA/PCN Segregation Architecture
Packet Filtering Router/Layer-3 Switch between PCN & EN
Common SCADA/PCN Segregation Architecture
Two Port Firewall between PCN & EN
Common SCADA/PCN Segregation Architecture
Router/Firewall combination between PCN & EN
DMZ
A DMZ is a critical part of a firewall.
Neither part of the un-trusted network nor part of the trusted network
Puts an additional layer of security in front of the DDCMIS LAN
Physical or logical sub-network that provides services to users outside the LAN
Common SCADA/PCN Segregation Architecture
Firewall with DMZ between PCN & EN
Common SCADA/PCN Segregation Architecture
Paired Firewalls with DMZ between PCN & EN
Common SCADA/PCN Segregation Architecture
Firewall with DMZ and SCADA/PCN VLAN
Comparison Chart for PCN/SCADA segregation Architecture
DDCMIS NETWORK SECURITY MEASURES TAKEN AT NTPC/TALCHER-KANIHA
Network Topology (diagram): the Stage I plant network (Unit 1 and Unit 2 Keltron OPC servers) and the Stage II plant network (Unit 3 and Unit 6 Honeywell Experion systems with a Honeywell OPC server) each connect through a firewall and a Gateway PC running the PI OPC Interface to the PI Server (port 5450) on the office network; the ABT network reaches the PI Server through its own ABT OPC Server with PI OPC Interface and a third firewall.
Network Topology (diagram): Firewall-1 sits between the Stage II plant network (Unit 3 and Unit 6 Honeywell Experion systems, Honeywell WAN server, Gateway PC) and the office network (NTPC LAN) holding the PI Server (port 5450) and PI client; Firewall-2 fronts the redundant ABT OPC Server with PI OPC Interface on the ABT network; Firewall-3 fronts the main and standby OPC servers of the Unit 1 and Unit 2 DDCMS, which hang off L-3 switches.
Station LAN of Talcher-II before PI connectivity (diagram): per-unit HMI LANs for Units 3 to 6 (each with control system, unit HMI servers, OWS/LVS in CCR and OWS in PR and CER, Unit 1 and Unit 2 shown alongside) join the station LAN switch, station LAN server, MOR PC and Gateway PC; the PT plant switch and service building switch carry the PLC PCs (CHP-1, CHP-2, DM plant, PT plant, cooling towers 1 and 2, ash handling, fire-proof AC, ESP PCs for Units 3 to 6, BPOS system for Units 3 to 6) and the engineer and shift in-charge PCs; a typical firewall separates the IT LAN (PC1 to PCn).
Station LAN of Talcher-II after PI connectivity (diagram): the same layout with a DMZ added; a PI-Server replaces the server on the PR switch, and PI-Interface nodes link the DMZ to the NTPC Office LAN (PI system connectivity at Talcher-II).
Network Testing Methodology
Steps:
1. Review the existing LAN of NTPC/Talcher Kaniha
2. Perform a Bandwidth Assessment Test
3. Perform a Vulnerability Test
4. Conduct a Penetration Test
5. Conduct a Security Audit
6. Conduct a CCTV Demo between Talcher Kaniha & EOC-NOIDA
7. Recommendation and Suggested Up-Gradation
Vulnerability Test on Servers
Finding vulnerabilities in the operating system
Vulnerabilities of servers
Tools:
NMAP: to map open ports
NESSUS: to find the applications running on target servers
MBSA: to find the missing patches on the operating system and applications
Port scanning and network mapping: used Traceroute, Hping2, Xprobe2 and Nmap tools
Fingerprinting and vulnerability mapping: server operating system (Gateway PC) fingerprinting
Security patch review using Microsoft Baseline Security Analyzer (MBSA)
LAN Capacity Testing
Bandwidth Testing:
To find out the used bandwidth of the network
Identifying potential bottlenecks
Tool used: PRTG
Methodology: port mirroring. All Tx/Rx traffic of the WAN Server, MOR Server and Gateway PC is mirrored into the grapher.
Penetration Test
Testing of Network and Components for security weaknesses.
Flowchart: NMAP -> Nessus -> Ethereal -> Hping2/Firewalk -> Password Cracking Tool / Web Server Scanner / OS Fingerprinting / SNMP Tests
Penetration Tools
Ethereal: Sniffs Network Traffic to find clear-text username and passwords
Hping2: Command line oriented TCP/IP Packet assembler/analyzer. Used for Firewall Testing/Advanced Port Scanning, Remote OS Fingerprinting
Firewalk: Used to enumerate the rules of the firewall and ACLs
Cain & Abel, John the Ripper, L0phtcrack: password auditing tools
Brutus: Password Cracker
Network Security
Network Security To Do List:
Turn ON virus protection software and be vigilant about installing patches
Use complex passwords that include numbers and mixed characters
Install firewalls. Monitor them to check who is accessing them and what software they are using.
Turn off unnecessary ports and devices
Turn down and lock down PCs as much as possible
Train staff to follow security policies.
Information Security Team Structure
Chairman(HOD-C&I)
Information Security Coordinator
Database Administrator
Information Security Manager
System Administrator
Network Administrator
Thank You