
A modern approach to safeguarding your ICS and SCADA systems

Date post: 15-Apr-2017
Page 1: A modern approach to safeguarding your ICS and SCADA systems

A Modern Approach to Safeguarding Your Industrial Control Systems and Assets

INSTANTLY CONNECT, CLOAK, SEGMENT, PROTECT AND REVOKE ANY IP RESOURCE

Marc Kaplan

VP Solution Architecture

Page 2: A modern approach to safeguarding your ICS and SCADA systems

Cisco mid-year review takeaway, working it backwards

Complexity Makes Us All Less Secure

This landscape of increasing regulatory complexity is challenging for commercial enterprises to navigate. Ultimately, complexity makes us all less secure, and attackers can and will exploit division.

“Many organizations have reached a tipping point with their Internet infrastructure.... This is their moment to harden security, and enable visibility, throughout their network—and help to reduce the unconstrained time to operate that adversaries currently enjoy.”

Page 3: A modern approach to safeguarding your ICS and SCADA systems
Page 4: A modern approach to safeguarding your ICS and SCADA systems

Cisco Annual Alerts

A FALSE SENSE OF SECURITY ABOUT SECURE CONNECTIONS

Secure connections, such as those created by HTTPS connections and SSL certificates, are supposed to give users a sense of security about their online activities. However, a recent increase in vulnerability alerts involving encryption and authentication raises concerns that adversaries can more easily compromise secure connections. The result: connections of questionable security.

As shown in the Common Weakness Enumeration (CWE) chart below (Figure 2), authentication issues and cryptographic issues have been on the rise since 2014 and 2015.

Page 5: A modern approach to safeguarding your ICS and SCADA systems

Years that Cisco equipment is Vulnerable

Page 6: A modern approach to safeguarding your ICS and SCADA systems

Percentage of Devices Running Known Vulnerabilities by Age

Page 7: A modern approach to safeguarding your ICS and SCADA systems

How dangerous are the tools?

Most recently came the online dump of tools and files of the Equation Group (aka the National Security Agency) by a group calling itself the ShadowBrokers. Experts say the auction of the files by ShadowBrokers is a fake, but the files and tools are real, including tools from the NSA that hacked Cisco, Fortinet, and Juniper firewalls. Security experts say it’s no coincidence the data dump came in the wake of the attacks on the DNC, DCCC, and others by Russia.

HOW BAD COULD IT BE

Page 8: A modern approach to safeguarding your ICS and SCADA systems

A plethora of API-enabled attack tools

Router implants, from any vendor in the enterprise space, have long been believed to be in use. Recent vendor advisories indicate that these have been seen in the wild. Mandiant can confirm the existence of at least 14 such router implants spread across four different countries: Ukraine, Philippines, Mexico, and India.

Page 9: A modern approach to safeguarding your ICS and SCADA systems

Easy to find, easy to hack

Cisco IOS Software Reverse SSH Denial of Service Vulnerability: an unauthenticated, remote attacker could exploit this vulnerability by attempting a reverse SSH login with a crafted username. Successful exploitation could allow the attacker to create a DoS condition by causing the device to reload; repeated exploitation could create a sustained DoS condition.

OR… no security

Page 10: A modern approach to safeguarding your ICS and SCADA systems

ICS.. Really easy to find…did we mention the API

Page 11: A modern approach to safeguarding your ICS and SCADA systems

BEFORE TEMPERED (Week 1 through Week 7)

• Ticket submitted to Network IT for new resource addition to the corporate network.
• Design for routing, firewall, VPN, and switching policies.
• Design submitted to InfoSec for review and approval.
• Approval of design by InfoSec.
• Implementation of design by Network Ops.
• Implementation review and sign-off by InfoSec.
• GO LIVE!

AFTER TEMPERED (Day 1)

• Ticket submitted to Network team for new resource.
• Resource added with explicit trust relationships, segmentation and encryption. Verified by InfoSec.
• GO LIVE!

Secure networking time reduced by 97%. Reduce customers’ time to provision.

Page 12: A modern approach to safeguarding your ICS and SCADA systems

IDN Value proposition

Simple. Fast. Effective. Secure.

• Improve time to mitigation, revocation, and quarantine up to: 25%
• Reduce attack surface up to: 90%
• Decrease failover and disaster recovery times to as little as: 1 sec

Page 13: A modern approach to safeguarding your ICS and SCADA systems

Flawed identity, only complexity. Unsustainable.

*Inspired by “An Attack Surface Metric,” Pratyusa K. Manadhata and Jeannette M. Wing, IEEE Transactions on Software Engineering, 2010.

Overhead incurred per networked “thing”:

• Complex firewall and networking rule sets
• Routing policies, VLANs and ACLs
• VPN access controls for each network
• DNS and routing updates for failover

100% of network and security policies USE IP ADDRESSES AS IDENTITY. Using IP addresses as the identity for policy is the root cause of complexity, network security vulnerabilities, poor segmentation, and lack of mobility.

(clients × resources) × (network & security policies) × updates = complexity, or in shorthand (c × r) × p × updates.

Page 14: A modern approach to safeguarding your ICS and SCADA systems

What you get with Tempered Networks Identity-Defined Networking: a unified platform for secure networking

• RAPIDLY CONNECT, DISCONNECT & REVOKE
• MOVE ANY GLOBAL IP RESOURCE WITHOUT DISRUPTION
• SEGMENT EFFORTLESSLY (MICRO, MACRO, AND CROSS-BOUNDARY)
• CLOAKED AND ENCRYPTED FABRIC MAKING RESOURCES AND DATA INVISIBLE
• INSTANT AND VERIFIABLE FAILOVER

Page 15: A modern approach to safeguarding your ICS and SCADA systems

IDN Fabric – The cure to IT complexity

• Automated orchestration reduces errors
• Rapid: 3-click network design
• Centralized governance; delegated control
• GlobalIPAnywhere™ – Move any IP address to any network

Page 16: A modern approach to safeguarding your ICS and SCADA systems

IDENTITY – Legacy and HIP-enabled IDN

Legacy Identifier & Locator

• Identifier = who the client is: MAC address (00:1C:B3:09:85:15)
• Locator = where the client is attached to the network: IP address (192.168.16.1)

Host Identity Protocol (HIP) is an identity exchange mechanism that enables secure communications with tunneling protocols such as ESP. HIP provides a method of separating the end-point identifier and locator roles of IP addresses. It introduces a new Host Identity (HI) namespace, based on public keys, from which end-point identifiers are taken. HIP uses existing IP addressing and forwarding for locators and packet delivery.

HIP Identifier & Locator

• Identifier = the Host Identity, a public key (modulus, signature, …), e.g. c6d90a4e31a12b297b00162e7ce87d4eac71f53e032a7088……...bb7af53ff1a61b2186c468e1680d46084af340ee252cb4ce..........., represented on the wire by a 128-bit Host Identity Tag (HIT) such as 2001:15:e156:8a78:3226:dbaa:f2ff:ed06
• Locator = where the client is attached to the network: IP address (192.168.16.1)
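As an added example, not Tempered Networks code and not the HIP stack the deck describes, the following Python shows the identifier/locator split concretely: it derives a Host Identity Tag from a host identity the way RFC 7343 (ORCHIDv2) and RFC 7401 (HIPv2) lay it out, performs the check a HIP peer must make that a claimed HIT really belongs to the public key presented in R1 or I2, and keeps an allow-list keyed by HIT rather than by address, so moving an endpoint from 192.168.16.1 to 10.0.9.2 (addresses used elsewhere in this deck) changes no policy, which is the point page 13 makes about IP-as-identity. PLC_HI and HMI_HI are constructed byte strings standing in for serialized 2048-bit public keys; a real stack hashes the HOST_ID parameter’s wire encoding, which is assumed away here, and TrustPolicy is illustrative, not the Conductor’s API.

```python
"""HIT derivation, HIT/HI binding check and an identity-keyed allow-list.

Added illustration, not Tempered Networks code.  HIT layout follows
RFC 7343 (ORCHIDv2) as profiled for HIPv2 in RFC 7401:
  2001:20::/28 prefix | 4-bit OGA ID (HIT Suite) | middle 96 bits of
  Hash(Context ID | host identity)
ASSUMPTION: the host identity is an opaque byte string; a real stack
hashes the HOST_ID parameter's wire encoding, which is not reproduced.
"""
import hashlib
import ipaddress

HIP_CONTEXT_ID = bytes.fromhex("F0EFF02FBFF43D0FE7930C3C6E6174EA")  # RFC 7401 App. E
ORCHID_PREFIX = 0x2001002                             # the 28-bit prefix 2001:20::/28
HIT_SUITES = {1: "sha256", 2: "sha384", 3: "sha1"}    # HIT Suite ID -> hash (RFC 7401)

# Constructed stand-ins for serialized 2048-bit RSA public keys (not real keys).
PLC_HI = b"constructed-rsa-2048-public-key-of-PLC-01"
HMI_HI = b"constructed-rsa-2048-public-key-of-HMI-01"


def encode_96(digest: bytes) -> bytes:
    """RFC 7343 Encode_96: the middle 96 bits (12 bytes) of the digest."""
    start = (len(digest) - 12) // 2
    return digest[start:start + 12]


def hit_from_hi(host_identity: bytes, suite: int = 1) -> ipaddress.IPv6Address:
    """Derive the 128-bit Host Identity Tag for a host identity."""
    digest = hashlib.new(HIT_SUITES[suite], HIP_CONTEXT_ID + host_identity).digest()
    head = ((ORCHID_PREFIX << 4) | suite).to_bytes(4, "big")  # prefix + OGA ID
    return ipaddress.IPv6Address(head + encode_96(digest))


def hit_matches_hi(hit: ipaddress.IPv6Address, host_identity: bytes) -> bool:
    """The check a HIP peer makes on the HOST_ID it receives (R1 or I2):
    the claimed HIT must be the ORCHID of the presented public key, or the
    signature over the exchange proves nothing about the claimed identity."""
    packed = hit.packed
    if int.from_bytes(packed[:4], "big") >> 4 != ORCHID_PREFIX:
        return False                       # not in the ORCHID prefix: not a HIT
    suite = packed[3] & 0x0F
    if suite not in HIT_SUITES:
        return False                       # unknown HIT Suite
    return hit_from_hi(host_identity, suite) == hit


class TrustPolicy:
    """Allow-list keyed by HIT.  Locators (IP addresses) are tracked
    separately, so a move never changes who may talk to whom."""

    def __init__(self):
        self._peers = {}      # HIT -> set of HITs it is explicitly trusted with
        self._locator = {}    # HIT -> current IP locator

    def trust(self, a, b):
        """Explicit, bidirectional trust between two identities."""
        self._peers.setdefault(a, set()).add(b)
        self._peers.setdefault(b, set()).add(a)

    def attach(self, hit, ip):
        """Record where an identity currently sits on the network."""
        self._locator[hit] = ipaddress.ip_address(ip)

    def locator(self, hit):
        return self._locator.get(hit)

    def may_talk(self, a, b):
        """No trust, no connectivity: unknown identities get nothing."""
        return b in self._peers.get(a, set())

    def revoke(self, hit):
        """One operation removes the identity from every relationship."""
        self._peers.pop(hit, None)
        for peers in self._peers.values():
            peers.discard(hit)
        self._locator.pop(hit, None)


def demo():
    """Walk a PLC through attach, move, a stranger's attempt, and revoke."""
    plc, hmi = hit_from_hi(PLC_HI), hit_from_hi(HMI_HI)
    policy = TrustPolicy()
    policy.trust(plc, hmi)
    policy.attach(plc, "192.168.16.1")
    before = policy.may_talk(hmi, plc)
    policy.attach(plc, "10.0.9.2")           # PLC moves networks; HIT unchanged
    after_move = policy.may_talk(hmi, plc)
    stranger = hit_from_hi(b"constructed-key-of-a-host-nobody-trusts")
    stranger_ok = policy.may_talk(stranger, hmi)
    policy.revoke(plc)
    return {"before": before, "after_move": after_move,
            "stranger": stranger_ok, "after_revoke": policy.may_talk(hmi, plc)}


if __name__ == "__main__":
    print("PLC HIT:", hit_from_hi(PLC_HI))
    print(demo())
```

The HIT a practitioner sees in logs starts with 2001:21: for the default RSA/SHA-256 suite, and the binding check is what stops a host from presenting any HIT it likes: the tag is a hash of the key, so claiming someone else’s HIT requires their private key to sign the exchange. The locator dictionary is the only thing a move or failover touches.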

Page 17: A modern approach to safeguarding your ICS and SCADA systems

Identity-Defined Networking (IDN) – the way forward. Securely network and orchestrate any thing, anywhere, anytime, instantly.

Control based on a unique crypto-identity for every networked thing. Seamless deployment, simple policy orchestration and enforcement based on identity. Securely connect, cloak, segment, move, fail over and revoke instantly within the IDN’s encrypted fabric.

[Diagram: Tempered Networks’ IDN Conductor orchestrates HIPservers, HIPswitches, HIPclients and HIPchips. The Public / Corporate Network (No Identity. Untrusted. Unmanageable.) is contrasted with the IDN Fabric (Trusted. Cloaked. Segmented. Encrypted.). Resources shown inside the fabric: applications, databases, PoS / ATMs, IP cameras, medical devices, cloud workloads, containers.]

Page 18: A modern approach to safeguarding your ICS and SCADA systems

Unique Identity-Defined Overlays (IDO) and Virtual Trust Segments (VTS): macro- and micro-segmentation is based on unique host identity, and every IDO is cloaked and hardened. Allowed VTS connectivity and communication is explicit, non-traversal, encrypted and verifiable.

[Diagram: example overlays and segments spanning the Corporate Network, an Unmanaged Network and Public Cloud regions (US, KR, DE): Application-Database ID Overlay (Applications, Databases, DBA Admin VTS for the DBAs); Vendor / 3rd Party ID Overlay (Building Automation System, Building Automation Vendor VTS); Employee ID Overlay and Remote Employee ID Overlay (Managed Devices, Managed Device VTS); Cloud ID Overlay (Web Services VTS, Telemetry/Analytics VTS, U.S. DevOps VTS, EU DevOps VTS, Korea DevOps VTS); IoT ID Overlay (IoT Virtual Trust Segments, IoT Admins VTS).]

Page 19: A modern approach to safeguarding your ICS and SCADA systems

Trusted Identity-Defined Network Fabric Goes Anywhere

Flexible, resilient, connectivity options with automated fail-over

Page 20: A modern approach to safeguarding your ICS and SCADA systems

Trusted identity-based hardware

Serial-over-IP
• Secure management of routers and switches
• No need to expose SSH / Telnet over the internet
• Enable IP on serial-based devices such as SCADA or ATM equipment

Cellular
• Remove the constraints of Ethernet connectivity
• Fallback functionality: flip from Ethernet to cellular automatically

Wireless
• Move seamlessly between Ethernet and Wi-Fi without reduction of security
• HIP over Wi-Fi: access is authenticated by the host’s public-key identity rather than a shared passphrase, so there is no Wi-Fi password to brute-force

Secure by Default
• No local management
• Symmetric policy validation engine
• Hardened
• Secure, highly available central management

Management
• Software defined: RESTful API
• Identity-based HIP networks
• Global IP namespace
• Flexible IP transformation

Page 21: A modern approach to safeguarding your ICS and SCADA systems

The Singular Root Defect that affects all IP security and networking

IP Addresses are used as Network and Device Identity
• Hacker reconnaissance & fingerprinting via the TCP/IP stack
• Listening TCP/UDP service ports
• All networking and security products use IP addresses for policy

Large Attack Surface
• IP, TCP/UDP attacks: every connected thing is an entry point
• East / West lateral movement
• ACLs and VLANs ≆ segmentation

Lack of Mobility and Instant Failover
• Policies tied to IP create inflexible mobility
• IP conflicts
• DNS TTL and routing convergence delays

Networking and Security Costs
• Many distributed, complex VLAN, ACL, VPN and firewall policies
• Controlling network routing
• IPsec VPN certificate management, connection limitations, failover issues
• Expense of “next-gen” firewalls deployed on the interior WAN / LAN

[Diagram: a Remote Unmanaged Network, a Remote Site Managed Network and the Corporate Network & Resources, each identified only by addresses: Devices 10–12 at 192.168.10.10–12 behind gateway 192.168.10.1, Devices 20–21 at 192.168.20.20–21 behind 192.168.20.1, Devices 30–32 at 192.168.30.30–32 behind 192.168.30.1, plus Field Technicians and Remote Employees.]

Page 22: A modern approach to safeguarding your ICS and SCADA systems

How we do what we do

• IDENTITY-DEFINED OVERLAYS
• HOST-BASED CRYPTOGRAPHIC IDENTITIES
• SIMPLE POLICY-BASED ORCHESTRATION ENGINE
• HOST IDENTITY NAMESPACE
• SOFTWARE-DEFINED SEGMENTATION
• FAST, FLEXIBLE DEPLOYMENT OF IDN ENDPOINTS (HIP SERVICES) EVERYWHERE
• VIRTUAL TRUST SEGMENTS

Page 23: A modern approach to safeguarding your ICS and SCADA systems

A New Identity Networking Paradigm Made Simple

[Diagram: the same networks as on the previous slide (Devices 10–12 at 192.168.10.10–12 behind 192.168.10.1, Devices 20–21 at 192.168.20.20–21 behind 192.168.20.1, Devices 30–32 at 192.168.30.30–32 behind 192.168.30.1) now reached across the WAN / LAN through HIPswitches at 192.168.10.100 and 192.168.30.100, a HIPclient at 10.0.9.2 for Field Technicians and Remote Employees, and the Conductor. Remote Site Networks & Resources are labelled CLOAKED, SEGMENTED & MOBILE; the Corporate Network & Resources are labelled PROTECTED, SEGMENTED, ENCRYPTED, & MOBILE.]

Unique Host Identity Approach
• Host Identity Protocol (HIP): IETF ratified April 2015 (RFC 7401)
• True SDN overlay: little to no changes to network, security, or applications
• Unshackles IP from serving as identity; frees IT from complexity
• In production since 2006

Rapid Provisioning, Revocation, IP Mobility and Failover
• Effortless segmentation & cloaking
• One-click orchestration to connect, disconnect, move or fail over any “thing”
• Less than 1 second failover between any IDN endpoints
• Build ID overlays (IDOs) on demand based on the situation

Significantly Reduced Attack Surface
• No trust? No connectivity. No communication. No data.
• VLAN “segmentation” traversal is now impossible.
• Based on explicit device trust; all systems are invisible
• 2048-bit identity-based connectivity, AES-256 encryption by default

Lower Costs, Simpler Environment
• CapEx and OpEx decrease
• Eliminate or reduce interior “next-gen” firewalls, VPNs, complex policies, ACLs, VLAN complexity, certificate management

Page 24: A modern approach to safeguarding your ICS and SCADA systems

Conductor’s “Visual Trust Map” – Instant Verification

Visualize trust relationships between HIP Services and whitelisted endpoints.

Page 25: A modern approach to safeguarding your ICS and SCADA systems

Availability, Status, Configurations, Versioning – Know the State

HIP Services:
• Activity
• Models
• Versions
• Static or dynamic config
• Current IP address
• Gateway
• DNS server
• Custom routes
• Link status
• Port configuration [if available]

Users can check which HIP associations (secure tunnels) exist on a HIPswitch and how much bandwidth is available to them, for availability monitoring and capacity sizing.

Page 26: A modern approach to safeguarding your ICS and SCADA systems

Reduce the Attack Surface

Up to: 90%

BEFORE TEMPERED / AFTER TEMPERED

Because of cloaking, identity-based segmentation, non-traversal, automatic encryption, and instant revocation.

Attack surface reduction allows greater security focus and depth on the other areas Tempered Networks doesn’t address, like endpoint or code-level security.

Page 27: A modern approach to safeguarding your ICS and SCADA systems

Improve Time to Mitigate, Revoke, and Quarantine

By: 50%

Time to mitigation, revocation, and quarantine is improved with greater confidence.

• Revocation of any resource within the IDN fabric is one click or an automated API call from a security analytics system. It can happen instantly, is verifiable, and is permanent until you say otherwise.
• Even if a user’s credentials were stolen and are still valid, if they’re not on an authorized device there is no access.
• The alternative? Complexity. Check all VPNs, firewall rules, ACLs, and directory services, and analyze other policies to ensure that the system is in fact quarantined or revoked.

Page 28: A modern approach to safeguarding your ICS and SCADA systems

Decrease Failover and Disaster Recovery Time

To as little as: 1 second

Failover and disaster recovery times reduced to as little as one second.

• Every IDN endpoint or HIP Service is identified by a unique host identity, not by an IP address or hostname, so failover is not bound to an address and the identity is ‘mobile.’
• Failover can be applied from an entire datacenter (represented as a unique host identity) down to a container (represented as a unique host identity).
• If one goes down in the IDN fabric, a simple automated API call or one-click manual update to the fabric reconnects instantly to the designated IDN failover endpoint.

Page 29: A modern approach to safeguarding your ICS and SCADA systems

Visit us at booth #310 for a demo

THANK YOU

