
Date post: 11-Aug-2020
Cybersecurity in Critical Public Utility Infrastructure

Umberto Cattaneo, PMP, Security+, ISA99/IEC62443 Specialist

Confidential Property of Schneider Electric

About me:

• Dr. Physics Cybernetic, PMP, Security+, ISA99/IEC62443 Certified Specialist

• 30+ years of experience in system integration, Oil & Gas SCADA, encryption solutions, implementation of nationwide secure network solutions, command and control systems, GMDSS, ITS, GIS

• Previous experiences:
  • ENI
  • AGUSTA-Leonardo Helicopter
  • Sirti
  • Qnective (CH)

• Member of ANIE, ISA, Clusit, PMI©

Umberto Cattaneo, SE Cybersecurity TSC

MOBILE

+39 335 5821626



• OT-IACS basic concepts

• Differences between IT and OT

• Security principles

• Attacks on IACS: types and case studies

• How to protect IACS

• Example architectures

• NIS regulation

Operational Technology: Systems and networks are used to run productive processes in plants. Operational continuity and safety of humans and environment are the priorities.

Information Technology: Systems and networks are used to run business processes and to circulate information. Data confidentiality, data integrity and operational continuity are the priorities.

Sample of IACS model

[Figure: network diagram of an IACS split into External Zone, Corporate Zone, Data Zone and Control Zone, showing the Corporate LAN, Corp DMZ, CS DMZ and Control System LAN separated by firewalls, down to RTU/PLC, HMI, sensors and actuators at field locations.]

Source: Recommended Practices: Improving Industrial Control System Cyber security with Defense in Depth Strategies from Department of Homeland Security

Differences between IT and OT

Priorities

[Figure: relative priority of Confidentiality, Integrity and Availability in IT, OT and LAB environments.]

Differences between IT and OT

Performance

• IT: Response should be reliable / OT: Response is time critical
• IT: High throughput / OT: Modest throughput
• IT: High delay and jitter tolerated / OT: High delays are serious concern
• IT: IT protocols / OT: IT and industrial protocols

Differences between IT and OT

Availability

• IT: Scheduled operations / OT: Continuous operation
• IT: Occasional failures tolerated / OT: Outages intolerable
• IT: Rebooting tolerated / OT: Rebooting may not be acceptable
• IT: Beta test in the field acceptable / OT: Testing expected in non-production environment
• IT: Modification possible with little paperwork / OT: Formal certification may be requested after any change

Differences between IT and OT

Operating environment

• IT: Typical “Office” applications / OT: Special applications
• IT: Standard OS / OT: Standard and embedded OS
• IT: Technology refresh after 3-5 years / OT: Legacy systems (15-25 years)
• IT: Upgrades are straightforward / OT: Upgrades are challenging and may impact HW, logic and graphics
• IT: Abundant resources (memory, bandwidth) / OT: Resources constrained
• IT: Data center or server rooms or office environment / OT: Industrial environment

Differences between IT and OT

Risk management

• IT: Data confidentiality and integrity / OT: HSE and production are paramount (integrity & availability)
• IT: Risk impact is loss of data, delay of business operation / OT: Risk impact is loss of life, equipment, product, environment
• IT: Recovery by reboot / OT: Fault tolerance is essential

Hazard escalation in critical plants

Independent layer


What can be the consequences?


Cybersecurity scope

• Confidentiality, Integrity, Availability
• Cyber attacks
• Physical assets to be protected
• Social engineering attack: "Because there is no patch to human stupidity"

• People
• Process
• Technologies
• Design

• Identify
• Block
• React

Cybersecurity Vector Attacks (some of them...)

• Social engineering attack: "Because there is no patch to human stupidity"
• Rainbow tables
• War driving
• Virus
• Polymorphic virus
• Worm
• DDoS
• Botnet
• Man in the Middle
• Ransomware
• Phishing/Vishing/Whaling
• Trojan
• Spyware
• Eavesdropping
• Brute force
• Zero day

Cyber Risk

Risk = Threat × Vulnerability × Consequences = Likelihood × Consequences

Risk Response
• Design the risk out
• Reduce the risk
• Accept the risk
• Transfer the risk
• Eliminate/redesign redundant or ineffective controls

Risk Tolerance
It’s management's responsibility to determine the level of risk the organization is willing to tolerate

Attacks based on principles of asymmetric warfare

• Widespread, costly and sophisticated protection
• Space and time dilated
• Unbalanced means
• Serious damage in view of the means available

Unprotected Infrastructures can be subject to terrific attacks


Causing power outages


Paralyzing transport systems


Triggering ecological catastrophes


Water and Waste Water


Cyber Threats in Industrial Control Systems are Growing Exponentially, Impacting Equipment Availability and Safety

• 2010, Stuxnet (Iran nuclear plant): 45,000 machines infected in Iran, Germany, France, India, Indonesia
• 2011, ZeuS: “Zeus” malware, available for about $1200, was able to steal over $12 million from five banks in the US and UK.
• 2012, Shamoon (Saudi Aramco attack): 30,000 Windows-based machines infected
• 2013, HaveX: Malware embedded into vendor software. Gathered OPC tag data for later attack.
• 2014, German steel mill: Breakdowns of individual control components led to the uncontrolled shutdown of a blast furnace
• 2015, Ukraine: 200K+ without power. Remote control of SCADA. Destruction of device firmware.
• 2016, Shamoon 2: Civil Aviation, KSA government agencies. Thousands of machines wiped
• 2017, Triton: First attack targeted to Safety Instrumented Systems (SIS) in Middle East.
• 2017, NotPetya: Danish shipping MAERSK port terminal attacked by ransomware: shut down for 2 days, 300 Mil USD loss
• 2018, Shamoon 3 (SAIPEM): Saipem targeted with a modified version of the Shamoon virus, taking down hundred computers in the UAE, Saudi Arabia, Scotland, and India
• 2019, Venezuela power grid: Venezuelan power grid was out of service for 2 days due to suspicious cyber attack
• 2019, Norway aluminium plant: Ransomware LockerGoga blocked plants in over 40 countries

Sample of IACS model


Reference model IEC62443-Purdue model

• Level 4, Enterprise Systems (Business, Planning & Logistics): Business logistic systems, ERP, Shift
• Level 3, Operations Manager: Batch management, Manufacturing management, MES/MOMS, Laboratory, Maintenance
• Level 2, Supervisory Control: Real time control SW, DCS, SCADA, HMI
• Level 1, Safety and protection, Basic control: Intelligent devices, analyser, instrumentation
• Level 0, Process (field devices): Physical process
• DMZ

Cybersecurity: what does it mean?

Maintain the plant control and availability by:
• Protecting the system against hacking (intentional)
• Protecting the system against errors (non intentional)
• Improving operation and maintenance processes
• Improving process organisation

Cybersecurity is a continuous process:
• Organisation is changing
• New vulnerabilities are always discovered
• Products evolve
• Threats change

Cybersecurity driving concepts

Technology, Process, People

• Security logs
• Segregation and conduit
• Hardening
• User authentication
• Access protection
• Risk assessment
• Incident response
• Securing devices & test
• Patch management
• Secure operations
• End point protection
• Security awareness
• Security training
• Audit capability
• Secure configuration

Service offer, internal process, products and systems

Network security basic/Why we have to address security in IACS

• TCP/IP was not designed to be secure (example: flood attack)
• PLCs were designed to replace relays, not to be secure

How to improve system security:
• Network architectures
  • Switches/Routers
  • Firewalls
  • Data diodes
• Cryptography
  • VPN
  • Hashes
  • Secure protocols
• Intrusion Detection Systems
  • NIDS
  • HIDS

A systematic approach to cybersecurity (adapted from IEC62443-1-1)

Sectors: Oil and Gas, WWW, MMM, F&B, Energy, Utility, Pharma

1. Assess
• Perform risk and threat assessment and gap analysis
• Determine appropriate security level settings
• Establish zones and conduits

2. Implement
• Design zones and conduits to meet target SLs
• Validate and test
• Determine the achieved SL

3. Maintain
• Conduct periodic vulnerability assessments
• Test and deploy patches
• Implement additional security measures

Assess

The risks and threats

Cyber Security Risk Assessment

Before protecting the ICS we must know what we are dealing with

Risk Analysis
1. Define the risk methodology
2. Identify major items
3. Identify and evaluate threats, impact and likelihood

Risk Reduction
4. Reduce risks by designing adequate countermeasures
5. Document results in risk register

Develop a plan to address unacceptable risk

Each assessment must be site specific

Develop and Implement

Defence in depth


Defense in depth

Layers: Physical security, Policy and procedures, Network security, Host security, Application security, Device

Controls shown in the diagram:

• Secure architecture design
• Zone and conduit
• Least privilege
• IDS
• NG firewalls
• Patch/upgrade

• Operating system protection
• Antivirus software
• Host-based firewalls
• White & black listing of applications
• Sandboxing
• Post deployment security

• Secure software design
• Validation of user input
• User authentication
• Function level access control
• Use of strong cryptography
• Patch/upgrade
• Post deployment security

Detection in depth

There should be alarms, logs, and detection methods to identify:
• Unusual data transfer patterns
• Unexpected protocols being used
• Out-of-time data traffic
• Communication to unknown or unexpected MAC or IP addresses

• Firewalls and IDS should be configured to identify any traffic that is not part of the expected traffic across zones
• Patch management & antimalware should report devices out of date
• IDS detection of unknown devices
• Detection of missing devices
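One way to turn the detection list above into checks over flow records, added here as an example and not taken from the slides or from any Schneider Electric product. The inventory, zone names, conduit policy, thresholds and sample flows are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time

# Constructed asset inventory (assumption): IP -> (MAC, zone).
INVENTORY = {
    "10.10.1.10": ("00:80:f4:00:00:10", "control"),  # PLC
    "10.10.1.20": ("00:80:f4:00:00:20", "control"),  # RTU
    "10.20.1.5": ("00:1b:21:00:00:05", "data"),      # historian
    "10.20.1.6": ("00:1b:21:00:00:06", "data"),      # engineering workstation
}

@dataclass(frozen=True)
class Conduit:
    src_zone: str
    dst_zone: str
    protocol: str
    dst_port: int
    start: time      # traffic is expected only between start and end
    end: time
    max_bytes: int   # per-flow ceiling taken from a traffic baseline

# Constructed conduit policy (assumption): anything not listed is unexpected.
ALL_DAY = (time(0, 0), time(23, 59, 59))
CONDUITS = [
    Conduit("data", "control", "modbus", 502, *ALL_DAY, 50_000),
    Conduit("data", "control", "dnp3", 20000, *ALL_DAY, 200_000),
    Conduit("data", "control", "ssh", 22, time(8, 0), time(18, 0), 5_000_000),
]

@dataclass(frozen=True)
class Flow:
    ts: datetime
    src_ip: str
    src_mac: str
    dst_ip: str
    protocol: str
    dst_port: int
    nbytes: int

def check_flow(flow):
    """Return the alerts raised by one flow record, in a fixed order."""
    alerts = []
    src = INVENTORY.get(flow.src_ip)
    dst = INVENTORY.get(flow.dst_ip)
    if src is None:
        alerts.append("unknown-source")
    elif src[0] != flow.src_mac.lower():
        alerts.append("mac-mismatch")        # known IP seen with an unexpected MAC
    if dst is None:
        alerts.append("unknown-destination")
    if src is None or dst is None or src[1] == dst[1]:
        return alerts                        # no cross-zone conduit to evaluate
    match = [c for c in CONDUITS
             if (c.src_zone, c.dst_zone, c.protocol, c.dst_port)
             == (src[1], dst[1], flow.protocol, flow.dst_port)]
    if not match:
        alerts.append("unexpected-protocol")
        return alerts
    conduit = match[0]
    if not (conduit.start <= flow.ts.time() <= conduit.end):
        alerts.append("out-of-time")
    if flow.nbytes > conduit.max_bytes:
        alerts.append("unusual-volume")
    return alerts

def missing_devices(flows):
    """Inventory devices that never appear in the observation window."""
    seen = {f.src_ip for f in flows} | {f.dst_ip for f in flows}
    return sorted(set(INVENTORY) - seen)

def _at(hour, minute):
    return datetime(2020, 8, 11, hour, minute)

HIST, EWS, PLC = "10.20.1.5", "10.20.1.6", "10.10.1.10"
# Constructed flow records for illustration.
SAMPLE_FLOWS = [
    Flow(_at(10, 0), HIST, "00:1b:21:00:00:05", PLC, "modbus", 502, 1_200),
    Flow(_at(2, 30), EWS, "00:1b:21:00:00:06", PLC, "ssh", 22, 4_000),
    Flow(_at(10, 5), HIST, "00:1b:21:00:00:05", PLC, "modbus", 502, 900_000),
    Flow(_at(10, 6), EWS, "00:1b:21:00:00:06", PLC, "http", 80, 800),
    Flow(_at(10, 7), "10.20.1.99", "de:ad:be:ef:00:99", PLC, "modbus", 502, 300),
    Flow(_at(10, 8), HIST, "de:ad:be:ef:00:01", PLC, "modbus", 502, 300),
]

def evaluate(flows):
    """Run every check and return (flow index, alert) pairs plus missing devices."""
    alerts = [(i, a) for i, f in enumerate(flows) for a in check_flow(f)]
    return {"alerts": alerts, "missing": missing_devices(flows)}

if __name__ == "__main__":
    report = evaluate(SAMPLE_FLOWS)
    for index, alert in report["alerts"]:
        print(f"flow {index}: {alert}")
    print("missing devices:", report["missing"])
```

The RTU at 10.10.1.20 never appears in the sample window, so it is reported as a missing device.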


Certification

Certification underpins cybersecurity technology

Use certified products, developed in certified development centres, by certified authorities

• Follow the Secure Development Lifecycle

• All Policies, Practices & Procedures reviewed / updated every quarter.

• For Process Automation we use exida and TÜV for Safety

• Any embedded product with an interface and IP stack now undergoes Embedded Device Security Assurance (EDSA) certification.

• For long development cycles, devices will undergo Achilles certification in the interim. Workstations will also be Achilles certified

Used Certified Products: Achilles Level 2 Certification

Used Certified Products: Achilles Level 1 Certification

Cybersecure Smart Grid Solutions: Compliance with IEC 62351 and IEEE P1686

• Advanced Distribution Management System (ADMS)
• Easergy T300: Remote Terminal Unit for feeder automation

Use the certifying bodies' websites over vendor material

http://isasecure.org/en-US/End-Users/ISASecure-Certified-Development-Organizations
https://www.ge.com/digital/services/certifications/achilles-communications-certified-products/schneider-electric-certified-products

Enabling technologies for the water service

Giovanni Piazzalunga


DNP3 protocol

The DNP3 (“Distributed Network Protocol”) communication protocol is a protocol developed for secure and flexible communications.

Data handled in DNP3 is timestamped and can be stored in the RTU when communication is lost, which allows backfilling to the SCADA system.

Each data point carries metadata such as its quality and is classified into different priority groups or classes, allowing different acquisition logics for the value and optimization of the communication.

Security

The DNP3 protocol is intrinsically secure: encryption of the data (AES, Advanced Encryption Standard) and authentication of the data (AGA12), with guaranteed prevention of unauthorized access and of modifications unless preceded by an RCR (request-challenge-response) sequence.

[Figure: message sequence between Master and RTU.
Non-critical message: non-critical message, perform operation, standard protocol response.
Critical message: critical message, authentication challenge, authentication response, authenticate & perform operation, standard protocol response.]

With the SCADAPack RTU, remote configuration and programming is therefore possible.
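A simplified model of the request-challenge-response sequence shown above for critical messages, added here as an example and not taken from the slides or from any DNP3 implementation. It uses HMAC-SHA256 over a pre-shared key as a stand-in for the protocol's authentication and does not reproduce the DNP3 wire format; the class names, message tuples and the set of critical functions are assumptions.

```python
import hashlib
import hmac
import secrets

# Assumption: which functions count as critical is a site policy decision.
CRITICAL = {"OPERATE", "WRITE", "COLD_RESTART"}

def compute_mac(key, seq, nonce, request):
    """MAC over the challenge data and the request it authorizes."""
    msg = seq.to_bytes(4, "big") + nonce + request.encode()
    return hmac.new(key, msg, hashlib.sha256).digest()

class Rtu:
    def __init__(self, key):
        self._key = key
        self._seq = 0
        self._pending = None      # (seq, nonce, request) awaiting authentication
        self.performed = []       # operations actually carried out

    def receive(self, request):
        if request not in CRITICAL:
            self.performed.append(request)        # non-critical: perform directly
            return ("RESPONSE", request)
        self._seq += 1
        nonce = secrets.token_bytes(16)           # fresh per challenge
        self._pending = (self._seq, nonce, request)
        return ("CHALLENGE", self._seq, nonce)

    def authenticate(self, seq, mac):
        if self._pending is None:
            return ("ERROR", "no challenge outstanding")
        want_seq, nonce, request = self._pending
        self._pending = None                      # one attempt per challenge
        expected = compute_mac(self._key, want_seq, nonce, request)
        if seq != want_seq or not hmac.compare_digest(mac, expected):
            return ("ERROR", "authentication failed")
        self.performed.append(request)            # authenticate, then perform
        return ("RESPONSE", request)

class Master:
    def __init__(self, key):
        self._key = key

    def send(self, rtu, request):
        reply = rtu.receive(request)
        if reply[0] != "CHALLENGE":
            return reply
        _, seq, nonce = reply
        return rtu.authenticate(seq, compute_mac(self._key, seq, nonce, request))

def demo():
    key = secrets.token_bytes(32)                 # constructed pre-shared key
    rtu = Rtu(key)
    results = {
        "non_critical": Master(key).send(rtu, "READ"),
        "critical_ok": Master(key).send(rtu, "OPERATE"),
        "wrong_key": Master(secrets.token_bytes(32)).send(rtu, "OPERATE"),
    }
    # Replay: a MAC accepted for one challenge is presented against the next one.
    _, seq1, nonce1 = rtu.receive("OPERATE")
    old_mac = compute_mac(key, seq1, nonce1, "OPERATE")
    rtu.authenticate(seq1, old_mac)               # legitimate completion
    rtu.receive("OPERATE")                        # RTU issues a new challenge
    results["replay"] = rtu.authenticate(seq1, old_mac)
    # Tampering: the RTU received COLD_RESTART but the MAC covers OPERATE.
    _, seq2, nonce2 = rtu.receive("COLD_RESTART")
    results["tampered"] = rtu.authenticate(
        seq2, compute_mac(key, seq2, nonce2, "OPERATE"))
    results["performed"] = list(rtu.performed)
    return results

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```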


Geographic SCADA

For visualization and management of remote assets

REGIONS FOR OPERATIONAL BOUNDARIES AND RESPONSIBILITY

ALARM RULES FOR AUTOMATED NOTIFICATION

LOCATION-BASED QUERIES, FILTERS, AND DISTANCE CALCULATION

Maps, GIS, Weather, Assets, Staff GPS Tracking

ClearSCADA Security

• Server configuration

• Encrypted CS Server / CS Client connections

• Advanced username and password configuration options

• Definition of the IP addresses allowed to access the server (whitelisting)

• ClearSCADA server IPs hidden (unauthorized users)

• Use of secure protocols (DNP3)

• Each user can log in with a built-in (guest) account or with a custom one

• ClearSCADA can be configured so that all logins are validated by a trusted domain or against the users configured in the database

Show maps with locations of assets (and users) plus overlay of real-time weather data

Integrated Control and Safety Systems (ICSS)

Zones and Conduits

[Figure: zones (Enterprise Information System, DMZ, Supervisory Control and Data Acquisition, SIS, PCS, Unit Control Panels) connected by conduits.]

Zones and Conduits - Example: Water treatment

Zones applied as result of risk and threat assessment

• Zone: Filtration
• Zone: Filtration
• Zone: Chemical Addition / Mixing
• Zone: Storage
• Zone: Disinfect
• Zone: Water treatment plant

Zones and Conduits - Example: Refinery

Zones applied as result of risk and threat assessment

Zones and Conduits - Example: Metals, Minerals, Mining

Zones applied as result of risk and threat assessment

• Zone: Extraction
• Zone: Stockyard
• Zone: Crushing, Screening
• Zone: Loading
• Zone: Shipping

Zones and Conduits - Example: Pharmaceutical

Zones applied as result of risk and threat assessment

Image courtesy of Roche

• Zone: Culture
• Zone: Fermentation
• Zone: Purification
• Zone: Conjugation
• Zone: Formulation, filling and packaging
• Zone: Manufacturing facility

Security Control Design & Implement: Securing DCS, SIS, PLC, SCADA

• Triple A access control: authentication, authorization, auditing

• Advanced endpoint protection with integrity and hardware control

• Network segmentation and protection with secure access

• Centralized and offsite backup and disaster recovery

• SIEM: Security information and event management

• Network performance monitoring

• Centralized patch management

• IDS/IPS: Intrusion Detection / Prevention systems

Cybersecurity solutions: Securing the operational lifecycle

People, Process, Technology

• Assess: Policy & Procedure, Asset Inventory, Gap Analysis, Risk & Threat, Compliance
• Design: Defense in Depth, Secure Architecture, Asset Management, Policy & Procedure, Security Assurance Level
• Implement: Policy & Procedure, Hardware & Software, System Hardening, Solution Integration, Knowledge Transfer
• Monitor: Firewall Security Device Mgmt., Unified Threat Mgmt., NIPS Device Security Mgmt., SIEM Security Device Mgmt.
• Maintain: System Upgrades, Security Patches, Awareness & Training, Incident Response, Penetration Testing
• Train: Security Awareness, Security Engineer, Security Administrator, Advanced Expert

IAA: Identification, Authorization, Accounting

Identification: Who are you?

Authentication: Prove it

Authorisation: What set of privileges do you have?

Microsoft Active Directory (IAA)

• A central and vital component of an Active Directory environment is the Domain Controller (DC), which can be single or redundant (PDC/SDC)

• Makes it possible to manage computer and user accounts centrally

• Allows the creation of computer or user group policies, which are also centrally managed

• Provides authentication services with central logging

• Can work with many third-party software products designed for an Active Directory environment

• During the I/A Series software installation of a Domain Controller, it will automatically create the domain. The I/A Series installation also creates the OUs, group policies, and security groups as necessary.


User authentication and authorization

• Three-factor authentication:
  • Something you know
  • Something you have
  • Something you are

• Mandatory access control

• Discretionary access control (rule based)

• Role based access control

Endpoint Protection: McAfee ePolicy Orchestrator (McAfee ePO)

McAfee ePO's globally recognized security package to complement the security features built into its products. These packages provide additional security features with the ability to facilitate the management of each. It provides centralized management for the products below through the agent deployed on each client.

• Host-based Antivirus (AV)

• Host Intrusion Prevention (HIPS)

• Application control (Solid Core) (Whitelisting)

• Data Loss Prevention (DLP)

• Device Control (USB, CD/DVD, Floppy, etc.)

Qualified patches (.dat files) for Foxboro Systems

• License J0202AS - McAfee Security Product license provides entitlement to VirusScan Enterprise (VSE), MOVE, ePolicy Orchestrator (ePO), McAfee Agent (MA), Host Intrusion Prevention (HIP), Data Loss Prevention (DLP), Rogue System Detection (RSD), and Integrity

Operating systems must be up to date with the latest Microsoft Critical and Important security patches. Windows Server Update Services (WSUS) is our solution.

• By using WSUS, administrators can manage the distribution of updates centrally, without the hassle of going to each system.

• Administrators can also control which patches are approved for installation on which group of computers.

• i.e. Qualified patches for Foxboro Systems

Centralized patch management

Windows Server Update Services "WSUS server"
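An added example (not from the slides or from Schneider Electric) of the per-group approval described above: it approves unapproved Critical and Security updates for one WSUS computer group only when their KB number appears on a qualified-patch list. The group name, the CSV path and its `KB` column are assumptions.

```powershell
# Added example: gate WSUS approvals for a control-system group on a qualified-patch list.
# Assumed (not from the slides): group name, CSV path, and a CSV column named 'KB'.
Import-Module UpdateServices

$TargetGroup   = 'ICS-Workstations'              # hypothetical WSUS computer group
$QualifiedList = 'C:\Patching\qualified-kb.csv'  # hypothetical vendor-qualified list

# Normalise entries to bare article numbers ("KB1234567" -> "1234567").
$qualified = @(Import-Csv -Path $QualifiedList |
    ForEach-Object { ($_.KB -replace '^\s*KB', '').Trim() } |
    Where-Object { $_ })
if ($qualified.Count -eq 0) { throw 'Qualified list is empty; refusing to approve anything.' }

$wsus = Get-WsusServer   # WSUS role on the local server

# Fail closed if the target group is missing rather than approving for the wrong scope.
if (-not ($wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $TargetGroup })) {
    throw "WSUS computer group '$TargetGroup' not found."
}

foreach ($class in 'Critical', 'Security') {
    $pending = Get-WsusUpdate -UpdateServer $wsus -Classification $class -Approval Unapproved
    foreach ($u in $pending) {
        $kbs = @($u.Update.KnowledgebaseArticles)
        if ($kbs | Where-Object { $qualified -contains $_ }) {
            # Remove -WhatIf after reviewing the dry-run output.
            Approve-WsusUpdate -Update $u -Action Install -TargetGroupName $TargetGroup -WhatIf
        } else {
            Write-Output "Not qualified, left unapproved: $($u.Update.Title)"
        }
    }
}
```

Updates that are not on the list stay unapproved for the group, so an unqualified patch never reaches the control-system hosts by default.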


Solarwinds LEM (Log & Event Manager)

• Collects, consolidates, and analyzes logs and events from firewalls, IDS/IPS devices and applications, switches, routers, servers, operating system logs, and other applications

• Real-time correlation to identify attacks

• Detect breaches with threat intelligence

• Supports root cause analysis with built-in intelligence that applies to networks, applications, and security management

SIEM

Security Information and Event Management


Drawing on our ecosystem of partners


Architecture Examples


Industrial Control System with cyber security solutions


IEC 62443.3.3 Security Level (SL)


Which security model applies?

Single Layer vs. Defense in Depth


SL 0


SL 1


SL 2


SL 3


Cybersecurity is a National Security task

Directive (EU) 2016/1148 of 6/7/2016 for the creation of a high level of security of network and information systems (NIS) in the EU

In Italy

Decree-Law no. 65 of 18 May 2018


NIS Directive:

Creation of a Cyber Security Incident Response Team (CSIRT)

Identify rules for national and supranational collaboration on cybersecurity (CSIRT network)

Identified two areas of national interest for cybersecurity:

- "Operators of essential services"

- "Digital service providers"


Obligations for Essential Services Operators (ESO)

Risk management:

«The operators of essential services must adopt appropriate technical and organizational measures in proportion to the management of the risks posed to the security of networks and information systems.»

Impact mitigation:

«Operators of essential services must take appropriate measures to prevent and minimize the impact of incidents on network security and information systems ... in order to ensure continuity of services»

Notification:

«The operators of essential services must notify incidents without delay to the CSIRT and, for information, to the competent authority»


Essential services Operators

• Energy: Electricity – Oil – Gas (Supply, Distribution and production)

• Transportation: Airport – Railways – Waterways – Roads (Utilities / Authorities)

• Health care & Water: Hospitals – Clinics (Suppliers - Distributors)

• Bank and Finance: Credits - Traders

Fines: from 12.000 up to 150.000 euro

Defined a Confidential Nominal list


Reference Standards:

IEC 62443

IEC 62443.3.3

ISO 27001

ISO 27002

ISO 27019, 2017

ETSI TR 102 893 V1.1.1


Cybersecurity solutions

Securing the operational lifecycle

[Diagram: lifecycle phases Assess, Design, Implement, Monitor, Maintain, across People, Technology and Process]

• Policy & Procedure, Asset Inventory

• Gap Analysis, Risk & Threat, Compliance

• Defense in Depth, Secure Architecture, Asset Management, Policy & Procedure

• Security Assurance Level

• Policy & Procedure, Hardware & Software

• System Hardening, Solution Integration, Knowledge Transfer

• System Upgrades, Security Patches

• Awareness & Training, Incident Response

• Penetration Testing

• Train: Security Awareness, Security Engineer, Security Administrator, Advanced Expert

• Firewall Security Device Mgmt.

• Unified Threat Mgmt.

• NIPS Device Security Mgmt.

• SIEM Security Device Mgmt.


• Basic OT-IACS concepts

• Differences between IT and OT

• Security principles

• Attacks on IACS: types and case studies

• How to protect IACS

• Architecture examples

• NIS regulation


We know how to protect Critical Infrastructures


And... we look forward to seeing you at our desk to show you...

How Augmented Reality makes managing the WATER Service easier


THANK YOU FOR YOUR ATTENTION

And... we look forward to seeing you at SPS in Parma from 28 to 30 May

