Post on 01-Aug-2020
transcript
Rockwell Automation TechED 2016 @ROKTechED #ROKTechED
PUBLIC
T44 – Owl Computing Technologies: Data Diodes Implement DHS Strategies for Industrial Control System Cybersecurity
Dennis Lanahan, Director of Worldwide Channel Partnerships & International Sales, November 2016
Operations Technology (OT) – ICS and IIoT: Industrial Control Systems (ICS), Industrial Internet of Things (IIoT)
[Diagram: an OT network of industrial "controls" and "things" acting as information creators, emitting readings such as 3 cm deep, 42 volts, 3 gallons per minute, 12 microns, 57 units failed, 3 PSI, Unit 12 offline, 25 lbs and 875 °F; end users on the IT network are the information consumers; a security boundary separates the OT network from the IT network.]
Remote Access of Data – Is it Secure?
[Diagram: the same OT readings reach end users through remote monitoring with remote access, crossing the security boundary into the OT network of industrial "controls" and "things"; caption: "But is it secure?"]
DHS, FBI, NSA Risk Assessment for ICS
[Pie chart: Cyber Threats Against Industrial Controls. Categories: Execution of Malware, Unpatched Systems, Open Connections, Perimeter Breaches, Compromised Credentials, Exploit Backdoors, Miscellaneous exploits. Shares shown: 38%, 29%, 17%, 9%, 4%, 2%, 1%.]
Source: US Department of Homeland Security's research, published December 2015, https://ics-cert.us-cert.gov/Seven-Steps-Effectively-Defend-Industrial-Control-Systems
DHS Seven Strategies for Protecting Critical Infrastructure
1. Application Whitelisting
2. Configuration/Patch Management
3. Reduce Attack Surface
4. Defendable Environment
5. Manage Authentication
6. Implement Secure Remote Access
7. Monitor & Respond
These strategies could have prevented 98% of attacks in 2014 and 2015.
Highlights from DHS Seven Strategies Whitepaper
• Application Whitelisting: only allow pre-designated applications to run
• Configuration and Patch Management: safe import of trusted patches
• Reduce Attack Surface Area: isolate industrial control system (ICS) networks; lock down unused services and ports; use a data diode to provide network segmentation
– if bidirectional communication is needed, use a single port over a restricted path
• Build a Defendable Environment: use optical separation ("data diode") to segment networks, restrict host-to-host paths, and prevent and contain the spread of infection
• Implement Secure Remote Access: remove backdoors and modem access; implement monitoring only, with access enforced by data diodes; do not rely on "read only" software configurations; don't allow persistent remote connections
Bottom Line – Reduce Open Access
1. Eliminate connections that aren't necessary
• Turn off unused services
• Lock down unused ports
• Eliminate modem connections
• Consolidate access points
Bottom Line – Reduce Open Access
2. Convert data paths to:
• One-way in
• One-way out
Analogy: physical airport security paths
Bottom Line – Reduce Open Access
3. Any remaining two-way connections for external command and control require a risk assessment
• DHS recommendation:
– "if bidirectional communication is needed use a single port over a restricted path"
– Transient connections (NERC-CIP terminology)
– Short term, single purpose connection – only connected while in use
– VPN, physical Ethernet switch, restricted firewalls, etc.
– Owl data diode Bi-Lateral solution (more about this later)
Implementing DHS Guidance
#1 One-Way Communications Path out of the Plant
• Build a Defendable Environment: segment networks and restrict host-to-host paths to prevent and contain the spread of infection
• Reduce Attack Surface Area: use a data diode to provide network segmentation
• Implement Secure Remote Access: implement a monitoring-only solution with access enforced by data diodes
#2 One-Way Communications Path into the Plant
• Configuration/Patch Management: provide a secure configuration/patch management program centered on safe importation of trusted patch updates
Managing the Remaining Need for Remote Command and Control
Two-Way Communications Path with the Plant
• Reduce Attack Surface Area: if bidirectional communication is needed, use a single port over a restricted path
• Bi-Lateral data diode solution
By-pass alternative
• Permanent infrastructure used for temporary connections
• Ethernet on/off switch, dedicated patch cable
Change the Paradigm – Monitoring without Access
[Diagram: the OT readings (3 cm deep, 42 volts, 3 gallons per minute, 25 lbs, 12 microns, 57 units failed, 3 PSI, Unit 12 offline, 875 °F) from industrial "things" on the OT network reach end users in two ways: remote monitoring with remote access (caption "But is it secure?") versus remote monitoring without remote access, with a security boundary enforced between the OT network and the end users.]
Effectiveness of Cybersecurity Technologies
Firewall Network Security
• EXCELLENT BUSINESS CONTINUITY
• LIMITED CYBERSECURITY
[Diagram: convergence of OT and IT. An OT network (file server, historian, OPC server, end users) is joined to the IT/corporate network (file server, historian, OPC server, end users) through a firewall and a DMZ.]
Air Gap Network Segmentation
• EXCELLENT CYBERSECURITY
• LIMITED OR NO BUSINESS CONTINUITY
[Diagram: OT network (Data System 1, 2, 3) separated from the IT/corporate network and its end users by an air gap.]
Data Diode Network Security
• EXCELLENT CYBERSECURITY
• ENABLES BUSINESS CONTINUITY
[Diagram: OT network (Data System 1, 2, 3) connected to the IT/corporate network and its end users through a data diode at the security boundary.]
What is a Data Diode?
• Hardware-based cybersecurity designed to be one-way
• Impervious to software changes or attacks (hardware cannot change)
• Defends the perimeter of the source network (prevents all external attacks)
• Transfers data across network security boundaries (without creating an attack vector)
[Diagram: data (historian, files, Syslog, SNMP) is securely transferred out of the source network (OT network) through the data diode to the destination network (IT network); bad actors are prevented from accessing the source network.]
How One-Way Works in a Two-Way World
[Diagram: an existing two-way IP connection between the OT network and the IT network is replaced by a secure one-way transfer: an IP proxy on the OT side (Send Only) and an IP proxy on the IT side (Rcv Only), with the one-way transfer established between them.]
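As an added illustration, not code from the deck or from Owl's products, the Python below models the proxy pair in the diagram: a send-only proxy on the OT side terminates the session and emits self-describing frames, and a receive-only proxy on the IT side verifies each frame and re-originates the records, detecting loss it can never ask to have retransmitted. The syslog lines, the frame format and the simulated diode are constructed for the example.

```python
import hashlib
import json

# Constructed sample: syslog lines an OT-side device would emit.
OT_SYSLOG = [
    "<13>Nov 10 09:00:01 plc-01 pump: 3 gallons per minute",
    "<13>Nov 10 09:00:02 plc-01 temp: 875 F",
    "<11>Nov 10 09:00:03 plc-12 status: Unit 12 offline",
]

def send_only_proxy(records, start_seq=0):
    """OT-side proxy: the two-way session ends here. Each record becomes a
    frame carrying a sequence number and a SHA-256 digest, because the
    sender will never hear an acknowledgement from the other side."""
    frames = []
    for seq, rec in enumerate(records, start=start_seq):
        body = rec.encode()
        frames.append({"seq": seq, "sha256": hashlib.sha256(body).hexdigest(),
                       "payload": body.hex()})
    return frames

def one_way_link(frames, drop=frozenset()):
    """Simulated diode (constructed): frames travel OT -> IT only, and any
    frame whose seq is in `drop` is lost on the way."""
    return [f for f in frames if f["seq"] not in drop]

def receive_only_proxy(frames, expected_seq=0):
    """IT-side proxy: verifies digests, re-originates good records for IT
    consumers and records gaps. With no return channel it cannot request a
    resend, so loss is reported to the operator rather than repaired."""
    delivered, gaps, corrupt = [], [], []
    for fr in frames:
        if fr["seq"] < expected_seq:
            continue                                   # stale duplicate
        gaps.extend(range(expected_seq, fr["seq"]))    # seqs never seen
        expected_seq = fr["seq"] + 1
        body = bytes.fromhex(fr["payload"])
        if hashlib.sha256(body).hexdigest() != fr["sha256"]:
            corrupt.append(fr["seq"])                  # damaged: never forward
            continue
        delivered.append(body.decode())
    return {"delivered": delivered, "gaps": gaps, "corrupt": corrupt}

if __name__ == "__main__":
    report = receive_only_proxy(one_way_link(send_only_proxy(OT_SYSLOG), drop={1}))
    print(json.dumps(report, indent=2))
```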
One-Way out & One-Way in
#1 DHS Recommendation: One-way Out
[Diagram: OT network → IP proxy (Send Only) → secure one-way transfer → IP proxy (Rcv Only) → IT network.]
#2 DHS Recommendation: One-way In
[Diagram: IT network → IP proxy (Send Only) → secure one-way transfer → IP proxy (Rcv Only) → OT network, with the inbound data passing through a data content filter with antivirus, data content inspection with hash code validation, and whitelisting of file types and file names.]
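The inbound content inspection on path #2 (and the SHA hash code validation of the secure software update demo later in the deck) can be shown as a policy check, added here as an example rather than Owl's own filter: each file arriving on the one-way-in path must carry a whitelisted name and type and must match a SHA-256 value from a trusted manifest before it is released to the OT side. The name pattern, the allowed types, the manifest and the sample files are assumptions constructed for the example; the antivirus scan of the real pipeline is outside the snippet.

```python
import hashlib
import re
from pathlib import PurePosixPath

# Assumed policy for the example: allowed file types on the inbound path.
ALLOWED_SUFFIXES = {".msp", ".msu", ".zip", ".txt"}
# Assumed naming whitelist: vendor_product_version.ext with a single
# extension, so names such as "update.txt.exe" never pass.
NAME_PATTERN = re.compile(r"^[A-Za-z0-9]+_[A-Za-z0-9]+_[0-9]+(\.[0-9]+)*\.[a-z0-9]{2,4}$")

def inspect_file(name, data, manifest):
    """Return (accepted, reason). Every check must pass before the file is
    released to the OT side; the first failing check is reported.
    `manifest` maps whitelisted names to SHA-256 hex digests and is assumed
    to arrive over a separately trusted channel."""
    if PurePosixPath(name).name != name:
        return False, "path component in file name"
    if not NAME_PATTERN.match(name):
        return False, "file name not on whitelist pattern"
    if PurePosixPath(name).suffix.lower() not in ALLOWED_SUFFIXES:
        return False, "file type not whitelisted"
    expected = manifest.get(name)
    if expected is None:
        return False, "no hash in trusted manifest"
    if hashlib.sha256(data).hexdigest() != expected:
        return False, "hash mismatch"
    return True, "ok"

def filter_inbound(files, manifest):
    """Inspect every inbound file; returns {name: (accepted, reason)}."""
    return {name: inspect_file(name, data, manifest) for name, data in files.items()}

# Constructed sample inbound batch and manifest for the example.
PATCH = b"constructed patch payload"
INBOUND = {
    "rockwell_fthistorian_5.1.msp": PATCH,                 # genuine
    "rockwell_fthistorian_5.2.msp": b"altered in transit",  # digest differs
    "../etc_passwd_1.txt": b"x",                            # path escape
    "notes_readme_1.txt.exe": b"x",                         # double extension
    "unknown_tool_9.zip": b"x",                             # not in manifest
}
MANIFEST = {
    "rockwell_fthistorian_5.1.msp": hashlib.sha256(PATCH).hexdigest(),
    "rockwell_fthistorian_5.2.msp": hashlib.sha256(b"original bytes").hexdigest(),
}

if __name__ == "__main__":
    for name, (ok, why) in filter_inbound(INBOUND, MANIFEST).items():
        print("ACCEPT" if ok else "REJECT", name, why)
```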
Bi-Lateral for Remote Command and Control
[Diagram: the OT network and the IT network each host two IP proxies; one Send Only / Rcv Only pair carries traffic in each direction.]
Owl Bilateral Communication System (OBCS):
• Single port with restricted path
• Supports TCP/IP applications that cannot be one way
• Pair of secure one-way transfers within a 1U enclosure
• Non-routable ATM protocol breaks
• TCP/IP proxies that break and join a single whitelisted session
DHS Strategy #3: Reduce Your Attack Surface Area – "If bidirectional communication is necessary, then use a single open port over a restricted network path."
Small Enterprise Architecture
Supports simple and easy security and established data replication flows.
[Diagram: OT network and IT/corporate network separated by a data diode at the segmentation security boundary; historian, Syslog and other data are replicated from the OT network to IT end users by file transfer, historian transfer and email transfer.]
Medium Enterprise Architecture
Meets the security and data needs of any midsize company.
[Diagram: several OT networks replicate historian, Syslog and other data (HMI replication, OPC server replication, Syslog data) across data diodes to the IT/corporate network and its end users; a WAN network links the sites.]
Large Enterprise Architecture
Supports the largest enterprise needs with failover, redundancy and load balancing.
[Diagram: multiple OT networks (Mitsubishi monitor, Yokogawa OPC, historian replication) replicate historian, Syslog and other data across data diodes to the IT/corporate network and its end users.]
Examples of One-Way In, One-Way Out and Bi-Lateral
Industry Use Cases
• Power Generation, Substations, Transmission and Distribution (T&D)
– Gas turbine, nuclear, fossil, hydro plant performance data
– Historian replication
– Secure remote monitoring – syslog, alarms, events
– Compliance reporting
• Manufacturing and Mining
– Secure monitoring of system alarms, events, syslog messages
– Transfer of files, email, security video
• Oil and Gas
– Transfer of historian data, alarms, events
– Interfaces: Modbus, OPC
• Water, Wastewater
– Windows HMI replication
– Historian data
• Financial and Banking
– Data transfer between secure and less secure locations
– Financial transactions
Underlying Interface Technology
• Network Hardware Interfaces
– Ethernet, serial, USB, dialup modem
• Standard Vendor Software Interfaces
– Rockwell FactoryTalk Historian, Rockwell AssetCenter, Rockwell RSLinx
– OSIsoft PI Historian
• Network application interfaces:
– Syslog, SNMP, FTP, SFTP
– Email (SMTP)
– UDP, multicast, broadcast, unicast (video)
– TCP/IP
• Standards Bodies interfaces:
– OPC Foundation interfaces: DA, A&E, UA
– Modbus
OPDS Data Diode Product Line
• OPDS-5D, OPDS-100D
– Compact, single box solutions
– Vertical DIN rail mount
– Operate in environmental extremes
– Market entry and high end solutions
• OPDS-100, OPDS-1000
– 1U, 19" rack mount
– IT environments
– Variable bandwidth licenses
– Scale from 10 Mbps to 1 Gbps
Demonstrations here at Automation Fair
1. OPDS-100D: replication of data out of the plant
– Rockwell FT Historian ME to SE replication
– RSLinx and RSView OPC server replication
– HMI screen replication (UDP connection)
– File transfer (TCP/IP connection)
2. OPDS-100: secure software update service
– Secure file transfer into the plant
– With secure SHA hash code validation
Summary
1. Threats to the Connected Enterprise demand improved cybersecurity measures
2. US Dept. of Homeland Security provides strategies for protecting ICS:
• Reduce the overall number of connections into the OT network
• Convert two-way connections to one-way data diode connections
• For remaining external command and control requirements: use protected, single purpose, transient connections
3. Existing Owl use cases illustrate successful implementation of these DHS recommendations for protecting ICS