13-06-2013

Cyber Security

Presenter: Jakob Drescher, Industry, Schneider Electric

Schneider Electric 2- Division - Name – Date

Cyber Security?

● Measures used to protect assets against computer threats.

● Covers both intentional and unintentional attacks.

● Malware or network traffic overloads can affect a control system.

● Accidental misconfiguration or well-intentioned but unauthorized control system changes.

● Directed attacks by internal or external threats.

● Increasing the security of the assets also increases the integrity of the production system.


Why Now?

● The rapidly changing world of technology makes computer systems more vulnerable to a cyber attack.

● The increase in attacks on general IT systems and directed attacks on companies results in an increase in threats to control systems.

● Open systems have proven to be desirable and effective, but they expose a control system to greater risks.

● Governments and companies are responding with cyber security standards for control systems.

● Awareness that control systems contain valuable data, can affect the business and are vulnerable has increased the focus.

● Dedicated attacks on industrial companies are increasing.

● Researcher focus on control systems is increasing awareness and providing tools.


Security

● Security implementation is a solution and not a product
  ● People, Policies, Architectures, Products

● Security requires a multilayer or Defense in Depth (DiD) approach
  ● Security Plan, Network Separation, Perimeter Protection, Network Segmentation, Device Hardening, Monitoring & Update

● Vendor's responsibilities
  ● Design products & solutions with security features
  ● Ensure they enable customers to comply with security standards
  ● Provide recommendations and methodologies to guide implementation

● End user's responsibilities
  ● Define security procedures (organizational security)
  ● Mandate responsible people (personnel security)
  ● Ensure compliance with security standards


How to “Secure” a System

● Protect the perimeter
  ● Routers, firewalls, VPN

● Segment the network
  ● DMZ between trusted zones
  ● Segments within trusted zones

● Protect the computers
  ● Anti-virus, whitelisting, access control

● Harden the controllers / devices
  ● Device security, external protection

● Monitor and react
  ● Logs, traffic monitoring, alarms
  ● Act on unauthorized events

Policies and Procedures, Staff Training, Secure Architecture


Security is a risk evaluation

● Customers and vendors should both handle security based on risk.
  ● Evaluate the risks, then act on the risks above a defined level.
  ● Both systems and products can be evaluated for risk, and should be.
  ● A risk in a product can be mitigated by another component of the system.

● Risk = Threat x Vulnerability x Consequence
  ● Threat: a person or event with the potential to cause a loss.
  ● Vulnerability: a weakness that can be exploited by an adversary or an accident.
  ● Consequence: the amount of loss or damage that can be expected from a successful attack.

● Mitigation: something that is done to reduce the risk, normally by reducing the vulnerability or raising the skills needed to exploit it.


Address the highest risks first

● The highest cyber security risk lies in the most exposed systems:
  ● IT systems
  ● Remote access systems
  ● PC systems
  ● SCADA systems

● The seven largest cyber security issues, according to Industrial Defender (number 1 company in industrial cyber security):
  ● Inadequate security staffing / training
  ● Insecure perimeter firewalls
  ● Insufficient patching of PCs and software
  ● Inadequate separation of corporate and plant networks
  ● Weak passwords
  ● Unnecessary third-party products
  ● Inadequate documentation
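A worked version of the risk ranking described on the two slides above, added here as an example and not part of the original deck. It scores a constructed register of the exposed systems listed above with Risk = Threat x Vulnerability x Consequence on assumed 1-5 scales, applies mitigations that lower the vulnerability term, and keeps only the assets still above a defined level. The assets, scores and mitigation effects are assumptions for illustration, including the "mitigated by another component" case: an application firewall in front of an unpatched controller lowers the controller's vulnerability without touching the controller itself.

```python
"""Risk ranking with Risk = Threat x Vulnerability x Consequence.

Added example, not part of the Schneider Electric deck. The assets, the
1-5 ordinal scales and the mitigation effects below are constructed for
illustration; a real register would use the plant's own assessment data.
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Asset:
    name: str
    zone: str           # where the asset sits (constructed zone names)
    threat: int         # 1-5: likelihood an adversary or event targets it
    vulnerability: int  # 1-5: how easily it can be exploited
    consequence: int    # 1-5: loss or damage if the attack succeeds


@dataclass(frozen=True)
class Mitigation:
    name: str
    zone: str       # the component or zone the control protects
    reduction: int  # points of vulnerability it removes (assumed model)


def residual_vulnerability(asset: Asset, mitigations: Iterable[Mitigation]) -> int:
    """Vulnerability after every mitigation covering the asset's zone is applied.

    A control placed on another component (a zone firewall in front of an
    unpatchable PLC, for instance) lowers the PLC's vulnerability even though
    the PLC itself is unchanged: the deck's 'mitigated by another component'.
    """
    v = asset.vulnerability
    for m in mitigations:
        if m.zone == asset.zone:
            v -= m.reduction
    return max(1, v)  # a mitigation reduces the weakness, it never removes it


def risk(asset: Asset, mitigations: Iterable[Mitigation] = ()) -> int:
    return asset.threat * residual_vulnerability(asset, mitigations) * asset.consequence


def prioritize(assets: Iterable[Asset], mitigations: Iterable[Mitigation], threshold: int) -> List[Asset]:
    """Assets whose risk is above the defined level, highest risk first."""
    mitigations = list(mitigations)
    above = [a for a in assets if risk(a, mitigations) > threshold]
    return sorted(above, key=lambda a: risk(a, mitigations), reverse=True)


# Constructed register following the deck's exposure ordering: remote access,
# PC systems, SCADA systems, then the controllers behind them.
REGISTER = [
    Asset("remote access server", "dmz", threat=5, vulnerability=4, consequence=4),
    Asset("engineering PC", "ot-hosts", threat=4, vulnerability=4, consequence=3),
    Asset("SCADA server", "ot-hosts", threat=3, vulnerability=3, consequence=5),
    Asset("PLC", "control", threat=2, vulnerability=5, consequence=5),
]

# Constructed mitigations; the last one protects the PLC from another component.
MITIGATIONS = [
    Mitigation("VPN with strong authentication, terminated in the DMZ", "dmz", reduction=2),
    Mitigation("patching, anti-virus and application whitelisting", "ot-hosts", reduction=2),
    Mitigation("application firewall in front of the controller", "control", reduction=2),
]

if __name__ == "__main__":
    for a in REGISTER:
        print(f"{a.name:22s} inherent={risk(a):3d} residual={risk(a, MITIGATIONS):3d}")
    print("still above level 20:", [a.name for a in prioritize(REGISTER, MITIGATIONS, 20)])
```

Run as-is, the register shows the remote access server as the top inherent risk (80) and, after the mitigations, the PLC moving to second place because its high consequence keeps it above the level even though it is rarely targeted; the SCADA server drops below the level and would not be worked on in this round.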


How to “Manage” a Secure System

● Keep the computers protected
  ● A/V protection
  ● Application whitelisting
  ● Administer access control

● Monitor device hardening
  ● Device settings
  ● External devices

● Monitor traffic, log users, log events, and trap alarms

● Act when unauthorized events occur

● Patch! Patch! Patch!

(Slide diagram: IT, DMZ and OT network zones)


Schneider Electric's Recommendation: The "Defence in Depth" Approach (DiD)

6 key steps:

1. Security Plan
2. Network Separation
3. Perimeter Protection
4. Network Segmentation
5. Device Hardening
6. Monitoring & Update


Defense-in-Depth Step #1: Security Plan

● Define:
  ● Roles and responsibilities.
  ● Allowed activities, actions and processes.
  ● Consequences of non-compliance.

● Full network assessment:
  ● Communication paths.
  ● Audit of all devices.
  ● Security settings.
  ● Network drawings.

● Vulnerability assessment:
  ● Potential threats.
  ● Consequences.
  ● Risk assessment and mitigation.

Offers shown: Assessment and Design Service, ConneXium Network Manager, Product Alerts


"Defence in Depth" Step #2: Network Separation

● Separate the Industrial Automation & Control System (IACS) from the outside world
  ● Create a 'buffer' network (DMZ) between the IACS network and the rest of the world, using routers and firewalls
  ● Block inbound traffic to the IACS except through the DMZ firewall
  ● Limit outbound traffic to essential and authorized traffic only

● DMZ hosts for servers
  ● Vijeo Historian mirror
  ● Web servers
  ● Authentication server
  ● Remote access server
  ● Anti-virus server

Products shown: ConneXium Eagle 20, ETG routers, Hirschmann routers (Mach, Mice)


"Defence in Depth" Step #3: Perimeter Protection

● Protect the Industrial Automation & Control System perimeter using a firewall
  ● Validate packets and protocols
  ● Manage authorization of certain data packets
  ● Restrict IP address or user access via authorization and authentication

● Protect critical parts of the process with additional firewalls within the IACS

● Secure remote access
  ● Use the VPN technology of routers and firewalls
  ● Use the latest authentication and authorization technologies. They're evolving fast.

Products shown: ConneXium Eagle, ConneXium Tofino, ETG gateways
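An added example (not Schneider Electric code or configuration) modelling the separation and perimeter rules of Steps #2 and #3 as a first-match zone policy with a default deny: inbound traffic reaches the IACS only from the DMZ remote access server, outbound traffic from the IACS is limited to historian replication and anti-virus updates, and there is deliberately no IT-to-IACS rule. The zone subnets, host addresses and ports are constructed; the replication and update ports in particular are assumptions. The evaluator also checks that a packet's source address belongs to the zone whose interface it arrived on, which is the IP address spoofing case the deck raises later as a reason for defense in depth.

```python
"""Zone policy check for an IT / DMZ / IACS layout.

Added example, not from the Schneider Electric deck or any Schneider product.
Subnets, host addresses and ports are constructed; the historian replication
and anti-virus update ports are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network

# Constructed addressing: one firewall interface faces each zone.
ZONES = {
    "IT": ipaddress.ip_network("10.0.0.0/16"),
    "DMZ": ipaddress.ip_network("10.10.0.0/24"),
    "IACS": ipaddress.ip_network("192.168.100.0/24"),
}
ANY = ipaddress.ip_network("0.0.0.0/0")


def host(addr: str) -> IPv4Net:
    return ipaddress.ip_network(addr + "/32")


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    proto: str
    port: Optional[int]  # None matches any destination port
    src: IPv4Net = ANY
    dst: IPv4Net = ANY


@dataclass(frozen=True)
class Flow:
    ingress: str  # zone of the interface the packet arrived on
    src: str
    dst: str
    proto: str
    port: int


# Everything not listed is denied, so there is deliberately no IT -> IACS rule:
# inbound traffic reaches the IACS only via a host in the DMZ.
RULES: List[Rule] = [
    Rule("IT users to DMZ web server", "IT", "DMZ", "tcp", 443, dst=host("10.10.0.10")),
    Rule("IT users to DMZ remote access server", "IT", "DMZ", "tcp", 443, dst=host("10.10.0.20")),
    Rule("remote access server to engineering workstations", "DMZ", "IACS", "tcp", 3389,
         src=host("10.10.0.20"), dst=ipaddress.ip_network("192.168.100.16/28")),
    Rule("historian replication to DMZ mirror (port assumed)", "IACS", "DMZ", "tcp", 1433,
         src=host("192.168.100.50"), dst=host("10.10.0.30")),
    Rule("IACS hosts fetch AV updates from DMZ server (port assumed)", "IACS", "DMZ", "tcp", 80,
         dst=host("10.10.0.40")),
]


def zone_of(addr: str) -> Optional[str]:
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None


def evaluate(flow: Flow, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """First-match evaluation with a default deny and an anti-spoofing check."""
    # A packet claiming a DMZ or IACS source but arriving on the IT interface is
    # spoofed; without this check an IT host could borrow the remote access
    # server's address to pass the DMZ -> IACS rule.
    if zone_of(flow.src) != flow.ingress:
        return "deny", "source address does not belong to ingress zone"
    dst_zone = zone_of(flow.dst)
    if dst_zone is None:
        return "deny", "destination outside known zones"  # no IACS traffic to the Internet
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for r in rules:
        if (r.src_zone == flow.ingress and r.dst_zone == dst_zone and r.proto == flow.proto
                and (r.port is None or r.port == flow.port) and src in r.src and dst in r.dst):
            return "allow", r.name
    return "deny", "default deny"


if __name__ == "__main__":
    for f in (Flow("IT", "10.0.5.7", "10.10.0.10", "tcp", 443),
              Flow("IT", "10.0.5.7", "192.168.100.20", "tcp", 502),
              Flow("IT", "10.10.0.20", "192.168.100.20", "tcp", 3389)):
        print(f, "->", evaluate(f))
```

The third sample flow is the spoofing case: the remote access server's address arriving on the IT interface is refused before any rule is consulted. The deck's later point stands, though: a genuinely compromised DMZ host passes this check, so the IACS-side firewalls and monitoring of Steps #4 to #6 are still needed.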


"Defence in Depth" Step #4: Network Segmentation and Zones

● Create security zones
  ● Limit and monitor access between zones.
  ● Limits the effect of a security issue, alerts when an issue occurs.

● Use managed switches
  ● Limit access to network packets.
  ● Precisely segment the network using VLANs.
  ● Limit rates of 'multicast' and 'broadcast' messages to protect from DoS-type attacks.
  ● Limit physical connections using port security.

Products shown: ConneXium switches, ConneXium Tofino firewall


"Defence in Depth" Step #5: Device Hardening

● On all devices
  ● Replace default passwords with 'strong' passwords
  ● Shut off unused ports, communication services and hardware interfaces
  ● Set up broadcast limiter functions
  ● Use multicast message filtering
  ● Avoid generating requests faster than the system can handle

● On PCs and HMI terminals
  ● Forbid or strictly control the use of any external memory

● On Unity Pro and Vijeo Citect
  ● Set up all security features: passwords, user profiles, operator action logging

● On ConneXium switches
  ● Restrict access on ports to assigned addresses only

● On remote I/Os
  ● Restrict access to authorized PACs only

Devices covered: Vijeo Citect PCs, Vijeo Historian PCs, Unity Pro PACs, Magelis HMI terminals, ConneXium switches, Modicon STB I/O islands, Altivar speed drives, any I/O or instrument on a fieldbus
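An added example, not Schneider Electric or Tofino code, of two hardening rules for remote I/O and controllers: restrict access to authorized PACs only (above), and read-only or fixed-variable access through deep packet inspection (as the deck's Secure Products slide describes for its application firewalls). It is a Modbus/TCP request filter that parses the MBAP header, rejects malformed frames, allows only authorized client addresses, restricts non-PAC clients to read function codes and confines the PAC's writes to a fixed register window. The client addresses, the register window and the frames are constructed. A source-address allowlist alone is defeated by spoofing or by a compromised PAC, which is why the function-code and address checks sit behind it and why the monitoring of Step #6 still applies.

```python
"""Read-only / authorized-client filter for Modbus/TCP requests.

Added example, not Schneider Electric or Tofino code. It models two device
hardening ideas for a protocol-aware firewall in front of a controller or
remote I/O: only authorized PACs may talk to the device at all, and
everything else may at most read. Client addresses, the register window and
the frames are constructed.
"""
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Modbus public function codes (Modbus Application Protocol specification)
READ_FUNCS = {1, 2, 3, 4}             # read coils, discrete inputs, holding registers, input registers
WRITE_FUNCS = {5, 6, 15, 16, 22, 23}  # write single/multiple coils and registers, mask write, read/write multiple
# The request PDU of these functions starts with a 2-byte address after the function code.
ADDRESSED = {1, 2, 3, 4, 5, 6, 15, 16, 22}


@dataclass(frozen=True)
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    address: Optional[int]  # starting/target address where the PDU layout makes it unambiguous


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse MBAP header + function code; reject frames that do not look like Modbus."""
    if len(frame) < 8:
        raise ValueError("shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol identifier must be 0")
    if length != len(frame) - 6:  # the length field covers unit id + PDU
        raise ValueError("MBAP length field disagrees with frame size")
    function = frame[7]
    address = None
    if function in ADDRESSED and len(frame) >= 10:
        address = struct.unpack(">H", frame[8:10])[0]
    return ModbusRequest(tid, unit, function, address)


@dataclass(frozen=True)
class ClientPolicy:
    functions: frozenset                              # function codes this client may send
    write_window: Optional[Tuple[int, int]] = None    # inclusive register range writes may touch


# Constructed policy: the PAC may write, but only inside a fixed register window;
# the HMI is read-only; any other address is not an authorized client.
POLICY: Dict[str, ClientPolicy] = {
    "192.168.100.10": ClientPolicy(frozenset(READ_FUNCS | WRITE_FUNCS), write_window=(0x0000, 0x00FF)),
    "192.168.100.20": ClientPolicy(frozenset(READ_FUNCS)),
}


def inspect(src_ip: str, frame: bytes) -> Tuple[str, str]:
    """Decide allow/deny for one request; every failure path denies (fail closed)."""
    policy = POLICY.get(src_ip)
    if policy is None:
        return "deny", "source is not an authorized client"
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as exc:
        return "deny", f"malformed request: {exc}"
    if req.function not in policy.functions:
        return "deny", f"function {req.function} not permitted for {src_ip}"
    if req.function in WRITE_FUNCS:
        if policy.write_window is None or req.address is None:
            return "deny", f"write function {req.function} with no permitted or determinable target"
        lo, hi = policy.write_window
        if not lo <= req.address <= hi:
            return "deny", f"write to address 0x{req.address:04X} outside window 0x{lo:04X}-0x{hi:04X}"
    return "allow", f"function {req.function}"


# Constructed frames: MBAP (transaction id, protocol 0, length, unit id) then the PDU.
READ_HOLDING = bytes.fromhex("0001 0000 0006 01 03 0000 000a")             # FC3: 10 registers from 0
WRITE_SINGLE = bytes.fromhex("0002 0000 0006 01 06 0010 1234")             # FC6: register 0x0010
WRITE_MULTI_HIGH = bytes.fromhex("0003 0000 000b 01 10 0200 0002 04 0001 0002")  # FC16 at 0x0200

if __name__ == "__main__":
    for client, frame in (("192.168.100.20", READ_HOLDING), ("192.168.100.20", WRITE_SINGLE),
                          ("192.168.100.10", WRITE_SINGLE), ("192.168.100.10", WRITE_MULTI_HIGH),
                          ("192.168.100.99", READ_HOLDING)):
        print(client, frame.hex(), "->", inspect(client, frame))
```

The HMI's read request passes, its write is refused on function code, the PAC's write to register 0x0010 passes while its write to 0x0200 is refused for leaving the window, and an unknown client is refused before its frame is even parsed.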


"Defence in Depth" Step #6: Monitor and Update

● Monitor, Manage and Protect service
  ● 24/7 remote security monitoring
  ● Configuration monitoring
  ● Reporting for audit compliance
  ● Network and host intrusion detection systems

● Monitor
  ● Authentication traps.
  ● Unauthorized login attempts.
  ● Unusual activity.
  ● Windows Event Viewer.
  ● Network load.
  ● Device log files.

Sources shown: Monitor, Manage, Protect Service; Citect log files; Unity Pro log files; PLC event viewers; PLC diagnostics and access lists
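An added example, not from the deck, of the monitoring the step above calls for, run over constructed log lines that mimic Windows logon events as they would be read from the Event Viewer (4625 failed logon, 4624 successful logon). It raises three kinds of alert: a logon attempt against an IACS host from a source other than the DMZ remote access server (unauthorized), repeated failures within a sliding window (password guessing), and a success that follows such a run. The hosts, accounts, addresses and the authorized-source list are assumptions.

```python
"""Login-event monitoring over Windows-style authentication logs.

Added example, not from the Schneider Electric deck. The log format below is a
constructed text rendering of Windows logon events (4625 = failed logon,
4624 = successful logon); the hosts, accounts and addresses are invented.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\d+) user=(?P<user>\S+) src=(?P<src>\S+) host=(?P<host>\S+)$"
)
FAILED, SUCCESS = 4625, 4624

# Constructed: the only address allowed to open sessions on IACS hosts is the
# DMZ remote access server.
AUTHORIZED_SOURCES = {"10.10.0.20"}

# Constructed sample: five quick failures from an IT address, then a success.
SAMPLE_LOG = """\
2013-06-13T08:00:01 4625 user=operator src=10.0.5.7 host=SCADA01
2013-06-13T08:00:09 4625 user=operator src=10.0.5.7 host=SCADA01
2013-06-13T08:00:17 4625 user=operator src=10.0.5.7 host=SCADA01
2013-06-13T08:00:24 4625 user=operator src=10.0.5.7 host=SCADA01
2013-06-13T08:00:31 4625 user=operator src=10.0.5.7 host=SCADA01
2013-06-13T08:00:40 4624 user=operator src=10.0.5.7 host=SCADA01
2013-06-13T08:05:00 4624 user=engineer src=10.10.0.20 host=ENG01
2013-06-13T08:30:00 4625 user=admin src=10.10.0.20 host=SCADA01
"""

Alert = Tuple[str, str, str, str, str]  # (timestamp, kind, src, user, host)


def parse_line(line: str) -> dict:
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["event"] = int(rec["event"])
    return rec


def detect(log_text: str, threshold: int = 5, window: timedelta = timedelta(minutes=2)) -> List[Alert]:
    """Three detections: logons from unauthorized sources, repeated failures
    inside a sliding window (password guessing), and a success that follows
    such a run (guessing that worked)."""
    failures: Dict[tuple, Deque[datetime]] = defaultdict(deque)
    flagged_sources = set()
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        ts = rec["ts"]
        stamp = ts.isoformat()
        key = (rec["src"], rec["user"], rec["host"])
        # Any logon activity from a non-authorized source is reported once per (src, host).
        if rec["src"] not in AUTHORIZED_SOURCES and (rec["src"], rec["host"]) not in flagged_sources:
            flagged_sources.add((rec["src"], rec["host"]))
            alerts.append((stamp, "unauthorized_source", rec["src"], rec["user"], rec["host"]))
        q = failures[key]
        while q and ts - q[0] > window:  # forget failures older than the window
            q.popleft()
        if rec["event"] == FAILED:
            q.append(ts)
            if len(q) == threshold:       # fire once, when the threshold is crossed
                alerts.append((stamp, "brute_force", rec["src"], rec["user"], rec["host"]))
        elif rec["event"] == SUCCESS:
            if len(q) >= threshold:
                alerts.append((stamp, "success_after_failures", rec["src"], rec["user"], rec["host"]))
            q.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

On the sample the IT address 10.0.5.7 produces all three alerts and the two events from the remote access server produce none: a single failed `admin` logon from an authorized source is ordinary operator error, not an incident, and a threshold keeps the alarm list short enough that someone will actually act on it.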


Defense in Depth – Why?

● Every mitigation mentioned has a weakness, a method to break through it
  ● e.g. IP address spoofing

● An attack can be launched from behind the devices
  ● Internal attacker
  ● Capture of a device already in the system

6 key steps: 1. Security Plan, 2. Network Separation, 3. Perimeter Protection, 4. Network Segmentation, 5. Device Hardening, 6. Monitoring & Update


Schneider Electric’s Security Solution

● Information for customers
  ● Web portal for guidance, vulnerabilities and information

● Secure products
  ● New products developed to industrial security standards.
  ● Legacy products protected using pre-configured security appliances.
  ● Secure network infrastructure.
  ● Security certification lab.

● Secure reference architectures
  ● Secure PlantStruxure architectures validated by leading security experts.

● Assessment and Design Services
  ● Assessment Service: allowing security to be applied where it is needed most.
  ● Design Service: customizing the secure PlantStruxure architecture, creating a unique solution for each customer.

● Monitoring Services
  ● Tools and services to continually monitor a plant's configuration and operation to ensure security and production are maintained.


Cyber Security Web Presence

http://www2.schneider-electric.com/sites/corporate/en/support/cybersecurity/cybersecurity.page

●White Papers

●Product Vulnerability data

● Vulnerability list for all products

● Mitigation recommendations

● Patches and Firmware updates

●Secure Vulnerability reporting

●Cyber Security news stories

● Product releases and updates

● Industry News

●RSS feed for vulnerability and news


Secure Products

● New products developed to industry security standards
  ● Achilles certified for robustness, ISASecure certified for complete security.

● Legacy products
  ● Protected using industry-leading ConneXium Tofino application firewalls.
  ● Low cost, industrially rated.
  ● Deep packet inspection for read-only access or fixed variable access.

● Secure network infrastructure
  ● ConneXium range of secure network infrastructure products.
  ● Includes Schneider ConneXium Eagle and Tofino firewalls.

● Security certification center


Secure Reference Architectures

● How can I … Reduce Vulnerability to Cyber Attacks.

● Guidelines on Industrial Control System Security.
  ● Risk assessment, security planning, recommended architectures, methods of attack.

● Secure PlantStruxure architectures incorporating key security features
  ● Network separation and server locations
  ● Perimeter protection products and settings
  ● Network segmentation and security zone recommendations with data flows identified.
  ● Device hardening and monitoring recommendations for PlantStruxure devices.


Design and Assessment Service

● Identify vulnerabilities in a customer's system

● Quantify the risks to the system based on threats and identified vulnerabilities

● Make recommendations on
  ● Architecture
  ● Product hardening
  ● Training
  ● Processes

● Partnership with Wurldtech and SiS
  ● Leaders in security assessments
  ● Strong players in security standards


Monitor, Manage, Protect

● Monitoring and management of the control system
  ● Devices, protocols, communications, user accounts, product/firmware versions, device settings.
  ● Host intrusion detection
  ● Network intrusion detection

● Protection of the control system
  ● Boundary and security zone firewalls
  ● Application whitelisting

● Compliance audit and change management

● Partnership with Industrial Defender
  ● Number 1 in Smart Grid security (Pike Research)
  ● Hardware and service offer


Summary

● Cyber security is becoming critical for control systems.

● IT-based lessons, methods, and tools apply, with adaptation.

● A Defense-in-Depth approach is the best approach:
  ● Mitigates risk.
  ● Improves system reliability.

● Schneider Electric offers
  ● Information
  ● Assessment and Design Services
  ● Secure Products
  ● Recommended Architectures
  ● Monitor, Manage and Protect Services

Schneider Electric – PlantStruxure NOW!