Cybersecurity in critical public utility infrastructures
Umberto Cattaneo PMP, Security+, ISA99/IEC62443 Specialist
Page 2Confidential Property of Schneider Electric |
About me:
• Dr. Physics Cybernetic, PMP, Security+, ISA99/IEC62443 Certified Specialist
• 30+ years of experience in system integration, Oil & Gas SCADA, encryption solutions, implementation of nationwide secure network solutions, command and control systems, GMDSS, ITS, GIS
• Previous experiences: ENI, AGUSTA-Leonardo Helicopter, Sirti, Qnective (CH)
• Member of ANIE, ISA, Clusit, PMI©
Umberto Cattaneo, SE Cybersecurity TSC
Mobile: +39 335 5821626
• OT-IACS basic concepts
• Differences between IT and OT
• Security principles
• Attacks on IACS: types and case studies
• How to protect IACS
• Architecture examples
• NIS regulation
Operational Technology: systems and networks are used to run production processes in plants. Operational continuity and the safety of people and the environment are the priorities.
Information Technology: systems and networks are used to run business processes and to circulate information. Data confidentiality, data integrity and operational continuity are the priorities.
Sample of IACS model
[Figure: reference IACS architecture with an External Zone (Internet, remote business partners and vendors, remote operations and facilities, external VPN access), a Corporate Zone (corporate LAN, corporate workstations and servers, web servers, corporate VPN, wireless access points, corporate firewall), a Corp DMZ and a CS DMZ (applications, database and support servers, external business comms server, CS web server, secondary historian), a Data Zone and a Control Zone (control system LAN and CS LAN firewall, configuration server, control workstations, data acquisition server, database server, primary historian, control room workstations), and a field level behind a field/device firewall with dedicated comm paths, RTU/PLC, field locations, HMI, sensors and actuators.]
Source: Recommended Practices: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies, Department of Homeland Security.
Differences between IT and OT
Priorities
[Figure: ranking of Availability, Integrity and Confidentiality for IT, OT and LAB environments]
Differences between IT and OT
Performance
IT | OT
Response should be reliable | Response is time critical
High throughput | Modest throughput
High delay and jitter tolerated | High delays are a serious concern
IT protocols | IT and industrial protocols
Differences between IT and OT
Availability
IT | OT
Scheduled operations | Continuous operation
Occasional failures tolerated | Outages intolerable
Rebooting tolerated | Rebooting may not be acceptable
Beta test in the field acceptable | Testing expected in a non-production environment
Modification possible with little paperwork | Formal certification may be requested after any change
Differences between IT and OT
Operating environment
IT | OT
Typical "office" applications | Special applications
Standard OS | Standard and embedded OS
Technology refresh after 3-5 years | Legacy systems (15-25 years)
Upgrades are straightforward | Upgrades are challenging and may impact HW, logic and graphics
Abundant resources (memory, bandwidth) | Resources constrained
Data center, server rooms or office environment | Industrial environment
Differences between IT and OT
Risk management
IT | OT
Data confidentiality and integrity | HSE and production are paramount (integrity & availability)
Risk impact is loss of data, delay of business operation | Risk impact is loss of life, equipment, product, environment
Recovery by reboot | Fault tolerance is essential
Hazard escalation in critical plants
[Figure: independent protection layers]
What can be the consequences?
Cybersecurity scope
[Figure: Confidentiality, Integrity and Availability of the physical assets to be protected against cyber attacks]
Social engineering attack: because there is no patch for human stupidity
• People
• Process
• Technologies
• Design
• Identify
• Block
• React
Cybersecurity attack vectors (some of them...)
• Social engineering attack: because there is no patch for human stupidity
• Rainbow tables
• War driving
• Virus
• Polymorphic virus
• Worm
• DDoS
• Botnet
• Man in the middle
• Ransomware
• Phishing / Vishing / Whaling
• Trojan
• Spyware
• Eavesdropping
• Brute force
• Zero day
Cyber Risk
Risk = Threat x Vulnerability x Consequences = Likelihood x Consequences
Risk response:
• Design the risk out
• Reduce the risk
• Accept the risk
• Transfer the risk
• Eliminate/redesign redundant or ineffective controls
Risk tolerance: it is management's responsibility to determine the level of risk the organization is willing to tolerate.
Attacks based on principles of asymmetric warfare
• Widespread, costly and sophisticated protection
• Space and time dilated
• Unbalanced means
• Serious damage in view of the means available
• Unprotected infrastructures can be subject to terrific attacks
• Causing power outages
• Paralyzing transport systems
• Triggering ecological catastrophes
• Water and waste water
Cyber threats in Industrial Control Systems are growing exponentially, impacting equipment availability and safety
2010 to 2014:
• Stuxnet, Iran nuclear plant: 45,000 machines infected in Iran, Germany, France, India, Indonesia
• ZeuS: "Zeus" malware, available for about $1200, was able to steal over $12 million from five banks in the US and UK
• Shamoon, Saudi Aramco attack: 30,000 Windows-based machines infected
• HaveX: malware embedded into vendor software; gathered OPC tag data for a later attack
• German steel mill: breakdowns of individual control components led to the uncontrolled shutdown of a blast furnace
2015:
• Ukraine: 200K+ without power; remote control of SCADA; destruction of device firmware
2016 to 2019:
• Shamoon 2: civil aviation and KSA government agencies, thousands of machines wiped
• Triton: first attack targeted at Safety Instrumented Systems (SIS), in the Middle East
• NotPetya: Danish shipping company MAERSK port terminal attacked by ransomware, shut down for 2 days, 300 million USD loss
• Shamoon 3, SAIPEM: Saipem targeted with a modified version of the Shamoon virus, taking down hundreds of computers in the UAE, Saudi Arabia, Scotland and India
2019:
• Venezuela power grid: out of service for 2 days due to a suspected cyber attack
• Norway aluminium plant: LockerGoga ransomware blocked plants in over 40 countries
Sample of IACS model
Reference model IEC 62443 / Purdue model
• Level 4: Enterprise systems (business, planning and logistics): business logistics systems, ERP, shift
• DMZ
• Level 3: Operations management: batch management, manufacturing management, MES/MOMS, laboratory, maintenance
• Level 2: Supervisory control: real-time control software, DCS, SCADA, HMI
• Level 1: Safety and protection, basic control: intelligent devices, analysers, instrumentation
• Level 0: Process / field devices: physical process
Cybersecurity: what does it mean?
Maintain plant control and availability by:
• Protecting the system against hacking (intentional)
• Protecting the system against errors (non-intentional)
• Improving operation and maintenance processes
• Improving process organisation
Cybersecurity is a continuous process:
• The organisation is changing
• New vulnerabilities are always being discovered
• Products evolve
• Threats change
Cybersecurity driving concepts
[Figure: Technology, Process and People, covering the service offer, internal processes, and products and systems]
• Security logs
• Segregation and conduits
• Hardening
• User authentication
• Access protection
• Risk assessment
• Incident response
• Securing devices & test
• Patch management
• Secure operations
• Endpoint protection
• Security awareness
• Security training
• Audit capability
• Secure configuration
Network security basics / why we have to address security in IACS
• TCP/IP was not designed to be secure (example: flood attack)
• PLCs were designed to replace relays, not to be secure
How to improve system security:
• Network architectures: switches/routers, firewalls, data diodes
• Cryptography: VPN, hashes, secure protocols
• Intrusion Detection Systems: NIDS, HIDS
A systematic approach to cybersecurity (adapted from IEC 62443-1-1)
[Figure: three-step cycle applied across Oil and Gas, WWW (water and waste water), MMM (metals, minerals, mining), F&B, Energy, Utility and Pharma]
1. Assess: perform risk and threat assessment and gap analysis; determine appropriate security level settings; establish zones and conduits
2. Implement: design zones and conduits to meet target SLs; validate and test; determine the achieved SL
3. Maintain: conduct periodic vulnerability assessments; test and deploy patches; implement additional security measures
Assess the risks and threats
Before protecting the ICS we must know what we are dealing with.
Risk analysis:
1. Define the risk methodology
2. Identify major items
3. Identify and evaluate threats, impact and likelihood
Risk reduction (develop a plan to address unacceptable risk):
4. Reduce risks by designing adequate countermeasures
5. Document results in the risk register
Cyber security risk assessment: each assessment must be site specific.
Develop and implement: defence in depth
[Figure: concentric layers of protection]
• Policy and procedures
• Physical security
• Network security: IDS, NG firewalls
• Secure architecture design: zones and conduits, least privilege
• Host security: patch/upgrade, operating system protection, antivirus software, host-based firewalls, application white & black listing, sandboxing, post-deployment security
• Application security: secure software design, validation of user input, user authentication, function-level access control, use of strong cryptography, patch/upgrade, post-deployment security
• Device
Detection in depth
There should be alarms, logs, and detection methods to identify:
• Unusual data transfer patterns
• Unexpected protocols being used
• Out-of-time data traffic
• Communication to unknown or unexpected MAC or IP addresses
• Firewalls and IDS should be configured to identify any traffic that is not part of the expected traffic across zones
• Patch management & anti-malware should report devices that are out of date
• IDS detection of unknown devices
• Detection of missing devices
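As an added illustration (not part of the presentation), the following Python script applies the detection rules above to a few constructed flow records: the zone map, conduit allow-list, asset inventory of expected MAC addresses, time window for cross-zone traffic, transfer-size threshold and record format are all assumed values.

```python
# Detection-in-depth checks over flow records. Added example, not from the presentation:
# the zone map, conduit allow-list, asset inventory, time window and size threshold are
# constructed assumptions, as is the record format "ts src_ip src_mac dst_ip dst_mac proto bytes".
from collections import namedtuple
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Zones by network, and the only (source zone, destination zone, protocol) flows
# permitted across conduits; anything else is "not part of the expected traffic".
ZONES = {"control": ip_network("10.10.0.0/24"), "dmz": ip_network("10.20.0.0/24"),
         "corporate": ip_network("10.30.0.0/24")}
CONDUITS = {("control", "control", "dnp3/20000"), ("control", "control", "modbus/502"),
            ("control", "dmz", "dnp3/20000"), ("dmz", "corporate", "https/443")}
# Asset inventory: IP -> expected MAC. A device that never shows up is reported as missing.
INVENTORY = {"10.10.0.5": "00:11:22:33:44:55", "10.10.0.7": "00:11:22:33:44:66",
             "10.10.0.8": "00:11:22:33:44:99", "10.20.0.9": "00:11:22:33:44:77",
             "10.30.0.12": "00:11:22:33:44:88"}
WINDOW = (time(6, 0), time(22, 0))   # cross-zone traffic is expected only in this window
MAX_BYTES = 5_000_000                # per-flow size above which a transfer is unusual

Flow = namedtuple("Flow", "ts src_ip src_mac dst_ip dst_mac proto nbytes")

def parse(line):
    """Parse one flow record into a Flow."""
    ts, sip, smac, dip, dmac, proto, nbytes = line.split()
    return Flow(datetime.fromisoformat(ts), sip, smac, dip, dmac, proto, int(nbytes))

def zone_of(ip):
    """Name of the zone whose network contains ip, or 'unknown'."""
    addr = ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), "unknown")

def check_flow(f):
    """Alerts raised by one flow; an empty list means the flow matched the baseline."""
    alerts = []
    for ip, mac in ((f.src_ip, f.src_mac), (f.dst_ip, f.dst_mac)):
        if ip not in INVENTORY:
            alerts.append(f"unknown device {ip} ({mac})")
        elif INVENTORY[ip] != mac:
            alerts.append(f"MAC mismatch for {ip}: seen {mac}, expected {INVENTORY[ip]}")
    src_zone, dst_zone = zone_of(f.src_ip), zone_of(f.dst_ip)
    if (src_zone, dst_zone, f.proto) not in CONDUITS:
        alerts.append(f"unexpected flow {src_zone}->{dst_zone} over {f.proto}")
    if src_zone != dst_zone and not WINDOW[0] <= f.ts.time() <= WINDOW[1]:
        alerts.append(f"out-of-time cross-zone traffic at {f.ts.time()}")
    if f.nbytes > MAX_BYTES:
        alerts.append(f"unusual transfer of {f.nbytes} bytes")
    return alerts

def analyse(lines):
    """Return ({timestamp: alerts} for flows that raised any, missing inventory devices)."""
    findings, seen = {}, set()
    for line in lines:
        f = parse(line)
        seen.update((f.src_ip, f.dst_ip))
        alerts = check_flow(f)
        if alerts:
            findings[line.split()[0]] = alerts
    return findings, sorted(set(INVENTORY) - seen)

# Constructed records: a normal poll, a spoofed MAC, a corporate host reaching the
# control zone over SSH at night, and an oversized export from the DMZ.
SAMPLE = [
    "2024-03-01T10:00:00 10.10.0.5 00:11:22:33:44:55 10.10.0.7 00:11:22:33:44:66 dnp3/20000 1200",
    "2024-03-01T10:05:00 10.10.0.5 aa:bb:cc:dd:ee:ff 10.10.0.7 00:11:22:33:44:66 dnp3/20000 900",
    "2024-03-01T02:30:00 10.30.0.12 00:11:22:33:44:88 10.10.0.7 00:11:22:33:44:66 ssh/22 400",
    "2024-03-01T11:00:00 10.20.0.9 00:11:22:33:44:77 10.30.0.12 00:11:22:33:44:88 https/443 9000000",
]

if __name__ == "__main__":
    found, missing = analyse(SAMPLE)
    for ts, alerts in found.items():
        print(ts, *alerts, sep="\n  ")
    print("missing devices:", missing)
```

The missing-device report only works against a maintained inventory, which is why asset inventory appears in the assess phase before any monitoring is designed.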
Certification
Certification underpins cybersecurity technology: use certified products, developed in certified development centres, by certified authorities.
• Follow the Secure Development Lifecycle
• All policies, practices & procedures reviewed / updated every quarter
• For Process Automation we use exida and TÜV for Safety
• Any embedded product with an interface and IP stack now undergoes Embedded Device Security Assurance (EDSA) certification
• For long development cycles, devices will undergo Achilles certification in the interim; workstations will also be Achilles certified
Use certified products: Achilles Level 2 certification
Use certified products: Achilles Level 1 certification
[Figures: certified product ranges]
Cybersecure Smart Grid solutions: compliance with IEC 62351 and IEEE P1686
• Advanced Distribution Management System (ADMS)
• Easergy T300: remote terminal unit for feeder automation
Use the certifying bodies' websites over vendor material:
http://isasecure.org/en-US/End-Users/ISASecure-Certified-Development-Organizations
https://www.ge.com/digital/services/certifications/achilles-communications-certified-products/schneider-electric-certified-products
Enabling technologies for the water service
Giovanni Piazzalunga
DNP3 protocol
The DNP3 (Distributed Network Protocol) communication protocol was developed for secure and flexible communications.
Data handled in DNP3 are timestamped and can be stored in the RTU when communication is lost, allowing backfilling to the SCADA system.
Each data point carries metadata such as its quality and is classified into different priority groups or classes, allowing different value-acquisition logics and optimisation of the communication.
Security
The DNP3 protocol is inherently secure: data encryption (AES, Advanced Encryption Standard) and data authentication (AGA12), preventing unauthorised access and modifications unless the RCR (request-challenge-response) sequence has been completed.
Exchange between Master and RTU:
• Non-critical message: the Master sends the request, the RTU performs the operation and returns a standard protocol response.
• Critical message: the Master sends the request, the RTU returns an authentication challenge, the Master returns the authentication response, the RTU authenticates and performs the operation, then returns a standard protocol response.
With the SCADAPack RTU, remote configuration and programming are therefore possible.
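The exchange above, as an added Python model that is not from the presentation and not the IEEE 1815 Secure Authentication wire format: non-critical requests are answered directly, critical requests are challenged and executed only when the master's HMAC over the challenge verifies under the shared session key. The session key, the set of critical function codes and the message layout are constructed assumptions.

```python
# Simplified model of the DNP3 request-challenge-response pattern.
# Added example: not from the presentation and not the IEEE 1815 wire format.
# The session key, the critical function codes and the message layout are assumptions.
import hashlib
import hmac
import secrets

# Constructed set of "critical" function codes: anything that changes state.
CRITICAL = {"WRITE", "OPERATE", "DIRECT_OPERATE", "COLD_RESTART"}

def mac(key, *parts):
    """HMAC-SHA256 over the concatenation of the given byte strings."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()

def encode(request):
    """Canonical bytes of a (function code, payload) request, bound into the MAC."""
    return f"{request[0]}|{request[1]}".encode()

class Outstation:
    """RTU side: challenges critical requests, verifies the response, then operates."""
    def __init__(self, session_key):
        self.key = session_key
        self.seq = 0            # challenge sequence number (CSQ)
        self.pending = None     # (challenge, request) awaiting the master's response
        self.executed = []      # operations actually performed

    def receive(self, request):
        if request[0] not in CRITICAL:
            self.executed.append(request)
            return ("RESPONSE", request)          # standard protocol response
        self.seq += 1
        challenge = self.seq.to_bytes(4, "big") + secrets.token_bytes(4)
        self.pending = (challenge, request)
        return ("CHALLENGE", challenge)           # authentication challenge

    def verify(self, response_mac):
        if self.pending is None:
            return ("ERROR", "no outstanding challenge")
        challenge, request = self.pending
        self.pending = None                       # each challenge is usable once
        expected = mac(self.key, challenge, encode(request))
        if not hmac.compare_digest(expected, response_mac):
            return ("ERROR", "authentication failed")
        self.executed.append(request)             # authenticate & perform operation
        return ("RESPONSE", request)

class Master:
    """SCADA master side: answers a challenge by keying the challenge plus its own request."""
    def __init__(self, session_key):
        self.key = session_key

    def send(self, outstation, request):
        reply = outstation.receive(request)
        if reply[0] != "CHALLENGE":
            return reply
        return outstation.verify(mac(self.key, reply[1], encode(request)))

def demo():
    """Run a legitimate master and a rogue master (wrong key) against one RTU."""
    key = secrets.token_bytes(16)                 # constructed shared session key
    rtu = Outstation(key)
    good, rogue = Master(key), Master(secrets.token_bytes(16))
    results = (
        good.send(rtu, ("READ", "class 1 events"))[0],
        good.send(rtu, ("OPERATE", "pump 1 ON"))[0],
        rogue.send(rtu, ("OPERATE", "pump 1 OFF"))[0],
        rogue.send(rtu, ("READ", "class 0 data"))[0],
    )
    return results, [payload for _, payload in rtu.executed]

if __name__ == "__main__":
    print(demo())
```

The last case in demo() is the caveat a practitioner should keep in mind: the rogue master's control command is rejected, but its non-critical read is still served, so challenge-response protects operations, not the confidentiality of every message.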
Geographic SCADA
For the visualisation and management of remote assets:
• Regions for operational boundaries and responsibility
• Alarm rules for automated notification
• Location-based queries, filters, and distance calculation
Maps, GIS, weather, assets, staff GPS tracking
ClearSCADA Security
• Server configuration
• Encrypted connections between CS Server and CS Client
• Advanced configuration options for username and password
• Definition of the IPs allowed to access the server (whitelisting)
• ClearSCADA server IPs hidden from unauthorised users
• Use of secure protocols (DNP3)
• Each user can log in with a built-in account (guest) or with a custom one
• ClearSCADA can be configured so that all accesses are validated by a trusted domain or by the users configured in the database
[Figure: maps showing the locations of assets (and users) with an overlay of real-time weather data]
Integrated Control and Safety Systems (ICSS): zones and conduits
[Figure: Enterprise Information System, DMZ, Supervisory Control and Data Acquisition, Unit Control Panels, PCS and SIS, each in its own zone and linked by conduits]
Zones and conduits, example: water treatment
Zones applied as a result of risk and threat assessment: Filtration, Filtration, Chemical addition / mixing, Storage, Disinfection, within the Water treatment plant zone
Zones and conduits, example: refinery
Zones applied as a result of risk and threat assessment
Zones and conduits, example: metals, minerals, mining
Zones applied as a result of risk and threat assessment: Extraction, Stockyard, Crushing and screening, Loading, Shipping
Zones and conduits, example: pharmaceutical (image courtesy of Roche)
Zones applied as a result of risk and threat assessment: Culture, Fermentation, Purification, Conjugation, Formulation, filling and packaging, within the Manufacturing facility zone
Security control design & implementation: securing DCS, SIS, PLC, SCADA
• Triple A access control: authentication, authorization, auditing
• Advanced endpoint protection with integrity and hardware control
• Network segmentation and protection with secure access
• Centralized and offsite backup and disaster recovery
• SIEM: Security Information and Event Management
• Network performance monitoring
• Centralized patch management
• IDS/IPS: Intrusion Detection / Prevention Systems
Cybersecurity solutions: securing the operational lifecycle
Phases Assess, Design, Implement, Monitor and Maintain, across People, Technology and Process:
• Assess: policy & procedure, asset inventory, gap analysis, risk & threat, compliance
• Design: defense in depth, secure architecture, asset management, policy & procedure, security assurance level
• Implement: policy & procedure, hardware & software, system hardening, solution integration, knowledge transfer
• Monitor: firewall security device management, unified threat management, NIPS device security management, SIEM security device management
• Maintain: system upgrades, security patches, awareness & training, incident response, penetration testing
• Train: security awareness, security engineer, security administrator, advanced expert
IAA: Identification, Authorization, Accounting
• Identification: Who are you?
• Authentication: Prove it
• Authorisation: What set of privileges do you have?
Microsoft Active Directory (IAA)
• A central and vital component of an Active Directory environment is the Domain Controller (DC), which can be single or redundant (PDC/SDC)
• Makes it possible to manage computer and user accounts centrally
• Allows the creation of computer or user group policies, which are also centrally managed
• Provides authentication services with central logging
• Can work with many third-party software products designed for an Active Directory environment
• During the I/A Series software installation of a Domain Controller, the domain is created automatically. The I/A Series installation also creates the OUs, group policies, and security groups as necessary.
User authentication and authorization
• Three-factor authentication:
  • Something you know
  • Something you have
  • Something you are
• Mandatory access control
• Discretionary access control (rule based)
• Role based access control
Endpoint protection: McAfee ePolicy Orchestrator (McAfee ePO)
McAfee ePO is a globally recognized security package that complements the security features built into our products. These packages add security features and make each of them easier to manage. ePO provides centralized management of the products below through the agent deployed on each client:
• Host-based Antivirus (AV)
• Host Intrusion Prevention (HIPS)
• Application control (Solid Core) (whitelisting)
• Data Loss Prevention (DLP)
• Device Control (USB, CD/DVD, floppy, etc.)
Qualified patches (.dat files) for Foxboro systems
• License J0202AS: the McAfee Security Product license provides entitlement to VirusScan Enterprise (VSE), MOVE, ePolicy Orchestrator (ePO), McAfee Agent (MA), Host Intrusion Prevention (HIP), Data Loss Prevention (DLP), Rogue System Detection (RSD), and Integrity
Centralized patch management: Windows Server Update Services (WSUS server)
Operating systems must be up to date with the latest Microsoft Critical and Important security patches. Windows Server Update Services (WSUS) is our solution.
• By using WSUS, administrators can fully manage the distribution of updates centrally, without the hassle of going to each system.
• The administrator can even control which patch is approved for installation for which group of computers.
• i.e. qualified patches for Foxboro systems
SIEM: Security Information and Event Management
SolarWinds LEM (Log & Event Manager)
• Collects, consolidates, and analyzes logs and events from firewalls, IDS/IPS devices and applications, switches, routers, servers, operating system logs, and other applications
• Real-time correlation to identify attacks
• Detects breaches with threat intelligence
• Supports root cause analysis with built-in intelligence that applies to networks, applications, and security management
Drawing on our ecosystem of partners
Architecture examples
Industrial Control System with cyber security solutions: IEC 62443-3-3 Security Level (SL)
Which security model applies? Single layer vs defense in depth
[Figures: example architectures at SL 0, SL 1, SL 2 and SL 3]
Cybersecurity is a national security task
Directive EU 2016/1148 of 6/7/2016 for the creation of a high level of security of network and information systems (NIS) in the EU.
In Italy: Decreto legge n. 65 of 18 May 2018
NIS Directive:
• Creation of a Cyber Security Incident Response Team (CSIRT)
• Identifies rules for national and supranational collaboration on cybersecurity (CSIRT network)
• Identifies two areas of national interest for cybersecurity: "operators of essential services" (operatori di servizi essenziali) and "digital service providers" (fornitori di servizi digitali)
Obligations for Essential Services Operators (ESO)
Risk management: "The operators of essential services must adopt appropriate technical and organizational measures, proportionate to the risks, to manage the risks posed to the security of networks and information systems."
Impact mitigation: "Operators of essential services must take appropriate measures to prevent and minimize the impact of incidents on the security of network and information systems ... in order to ensure continuity of services."
Notification: "The operators of essential services must notify the CSIRT and the competent authority of incidents without delay."
Essential services operators
• Energy: electricity, oil, gas (supply, distribution and production)
• Transportation: airports, railways, waterways, roads (utilities / authorities)
• Health care & water: hospitals, clinics, suppliers, distributors
• Bank and finance: credits, traders
Fines: from 12,000 up to 150,000 euro. A confidential nominal list has been defined.
Reference standards:
• IEC 62443, IEC 62443-3-3
• ISO 27001, ISO 27002, ISO 27019:2017
• ETSI TR 102 893 V1.1.1
We know how to protect Critical Infrastructures
And ... we look forward to seeing you at our desk to show you how Augmented Reality makes managing the water service easier.
THANK YOU FOR YOUR ATTENTION
And ... we look forward to seeing you at SPS in Parma from 28 to 30 May