Practical Security Solutions for Industrial Control Systems (ICS)

Date post: 13-May-2015
Upload: rockwell-automation
Description:
Explore how to reduce risk and enhance protection of your ICS infrastructure by utilizing non-Integrated Architecture components such as switch ACLs, firewall configurations, and Windows Operating System hardening techniques. A prior understanding of general Ethernet concepts, or attendance of NW01, is recommended.
Transcript
Page 1: Practical Security Solutions for Industrial Control Systems (ICS)

Copyright © 2014 Rockwell Automation, Inc. All Rights Reserved.

PUBLIC INFORMATION

Practical Security Solutions for Industrial Control Systems (ICS)

Jason J. Dely, CISSP, CISM

Principal Security Consultant, Network & Security Services

[email protected]

Page 2: Practical Security Solutions for Industrial Control Systems (ICS)

Course Description

Explore how to reduce risk and enhance protection of your ICS infrastructure by utilizing non-Integrated Architecture components such as switch ACLs, firewall configurations, and Windows Operating System hardening techniques.

A prior understanding of general Ethernet concepts, or attendance of the Fundamentals of EtherNet/IP session, is recommended.

Page 3: Practical Security Solutions for Industrial Control Systems (ICS)

Agenda

Operating System Security

Firewall

Switch Access Control Lists (ACLs)

Defense In Depth

Page 4: Practical Security Solutions for Industrial Control Systems (ICS)

Defense In Depth

Layered Security Model: shield potential targets behind multiple levels of protection to reduce security risks

Defense in Depth: use multiple security countermeasures to protect the integrity of components or systems

Openness: consideration for participation of a variety of vendors in our security solutions

Flexibility: able to accommodate a customer’s needs, including policies & procedures

Consistency: solutions that align with Government directives and Standards Bodies

A secure application depends on multiple layers of protection. Industrial security must be implemented as a system.

Diagram: protection at Perimeter Enforcement, Device Security and Security Services, applied across the Application, Computer, Device, Physical and Network layers.

Don’t miss the “Depth”: layers within the layers.

Page 5: Practical Security Solutions for Industrial Control Systems (ICS)

Security Objective - Decompose the Elements, Then Secure!

Diagram (zones and levels, top to bottom):

Enterprise Security Zone: Level 5 Enterprise Network; Level 4 Site Business Planning and Logistics Network (E-Mail, Intranet, etc.); Web and E-Mail traffic

Firewall

DMZ: Terminal Services Gateway, Patch Management, AV Server, Application Mirror, Web Services Operations, Application Server

Firewall

Industrial Security Zone: Level 3 Site Operations and Control (FactoryTalk Application Server, FactoryTalk Directory, Engineering Workstation, Remote Access Server); CIP traffic

Cell/Area Zone: Level 2 Area Supervisory Control (FactoryTalk Client, Operator Interface, Engineering Workstation); Level 1 Basic Control (Batch Control, Discrete Control, Drive Control, Continuous Process Control, Safety Control); Level 0 Process (Sensors, Drives, Actuators, Robots)

Page 6: Practical Security Solutions for Industrial Control Systems (ICS)

End Node & Infrastructure Security

Diagram: the Infrastructure box holds Switches, Routers and Firewall. Outside the Infrastructure box is an end node: Legacy PLCs, Process Automation Controller (PAC), I/O Subsystems, Servers.

Page 7: Practical Security Solutions for Industrial Control Systems (ICS)

Infrastructure Decomposition

Diagram (top to bottom): Enterprise Security Zone with the Enterprise Network and Site Business Network (Email, Intranet, shared drives, etc., plus web and Email traffic); Router and Firewall; DMZ with Remote Desktop Gateway and Domain Controller; Manufacturing Security Zone with Production Control, Optimizing Control, Workstation and Operator Interface. TCP/IP dataflows between the zones are controlled by Firewall Rules and Access Control Lists (ACLs).

• The only way to secure the infrastructure is to determine the dataflow
• Dataflow diagrams require knowledge of source, destination and protocols
• Knowledge of source, destination and protocols enables creation of firewall rules and ACLs

Page 8: Practical Security Solutions for Industrial Control Systems (ICS)

End Node Security

Diagram: same end node / infrastructure decomposition as Page 6 (Switches, Routers and Firewall inside the Infrastructure box; Legacy PLCs, PAC, I/O Subsystems and Servers outside it as end nodes).

Page 9: Practical Security Solutions for Industrial Control Systems (ICS)

Legacy PLC System Architecture Components

Diagram: the PLC comprises a Code Execution Engine, Data, and Communication (I/O and Non-I/O). A Proprietary I/O Protocol links it to Remote Inputs / Outputs.

Page 10: Practical Security Solutions for Industrial Control Systems (ICS)

Legacy PLC System Architecture Components Prior to Ethernet Adoption

Diagram: Proprietary I/O Protocol to the remote I/O; a Protocol Converter bridges to a Proprietary Data Bus Protocol used for PLC Data and Programming access. THREATS are marked at the data and programming entry points.

Page 11: Practical Security Solutions for Industrial Control Systems (ICS)

Legacy PLC System Architecture Components w/ Limited Ethernet Adoption

Diagram: Proprietary I/O Protocol to the remote I/O; PLC Data and Programming access now also reach the PLC over Ethernet, alongside Historians, Remote Access and Trending. THREATS are marked at each of these Ethernet entry points.

Page 12: Practical Security Solutions for Industrial Control Systems (ICS)

Where are the holes in the Castle Walls? (Assessments / Vulnerabilities)

Diagram: the PLC (Code Execution Engine, Data, Communication: I/O and Non-I/O) with a Proprietary I/O Protocol on one side and Ethernet on the other; the Ethernet side is the entry for external threats.

Typical PLC Communication Entry Tools:
• Programming Software
• Human Machine Interface (HMI) / SCADA Software Packages
• Firmware Flash Tools
• Data “Getters & Setters” Tools (OPC -> PCCC / CIP / Modbus etc.)

Page 13: Practical Security Solutions for Industrial Control Systems (ICS)

Expanded Threat Model On Newer Process Automation Control Systems

Diagram: the PLC (Code Execution Engine, Data, Communication: I/O and Non-I/O) now has Ethernet I/O as well as an Ethernet uplink; both are entries for external threats.

Typical PLC Communication Entry Tools:
• Programming Software
• Human Machine Interface (HMI) / SCADA Software Packages
• Firmware Flash Tools
• Data “Getters & Setters” Tools (OPC -> PCCC / CIP / Modbus etc.) supporting Historians and Reporting functions
• *** NEW *** Asset & Inventory Mapping Tools (NMAP, etc.)
• *** NEW *** Vulnerability scanners
• *** NEW *** Penetration Testing (Metasploit)

Page 14: Practical Security Solutions for Industrial Control Systems (ICS)

Computers = Applications + Operating Systems

Automation application security is mostly provided by the vendor(s) and often leverages O.S. authentication.

Operating systems are NOT provided by automation vendors, and they are the biggest target of malware, viruses, etc.

COTS productivity software (Adobe, Word, Excel, etc.) presents a large target too.

Page 15: Practical Security Solutions for Industrial Control Systems (ICS)

Rockwell Automation Product Security Solution Boundaries

Provide Automation Software Security; often leverages O.S. Authentication

Provide switching and routing infrastructure security (Stratix Switches)

Provide “In Rack” secured communications capabilities (Secured Communications Module)

Page 16: Practical Security Solutions for Industrial Control Systems (ICS)

Operating System Security Boundaries

An Operating System is a collection of software that manages computer hardware resources.

Provides security permissions for objects, files and folders.

Foundation for application security.

Often not managed for security within the Manufacturing Zones.

(Diagram labels: Switch, Secured Communications Module)

Page 17: Practical Security Solutions for Industrial Control Systems (ICS)

Agenda

Operating System Security

Firewall

Switch Access Control Lists (ACLs)

Defense In Depth

Page 18: Practical Security Solutions for Industrial Control Systems (ICS)

ACL Flow Diagram

Page 19: Practical Security Solutions for Industrial Control Systems (ICS)

Anatomy of a Standard ACL

Let’s use the following ACL as an example. Permit traffic with a source address that resides on the 172.24.101.x network.

    Access-list 10 permit 172.24.101.0 0.0.0.255

The first part of the ACL begins with a numbered access-list command (Access-list 10). Standard ACLs must be numbered 1-99. Subsequent rules that are added using the same number (Access-list 10) are appended to the bottom of the list.

As the switch or router checks the traffic against the list of rules, the first rule that matches is used. Always remember that at the end of every ACL there is an implicit deny all rule.

Page 20: Practical Security Solutions for Industrial Control Systems (ICS)

Anatomy of a Standard ACL cont.

The next part of an ACL rule states whether the traffic will be permitted or denied if there is a match.

    Access-list 10 permit 172.24.101.0 0.0.0.255

In this example any traffic that matches this rule is permitted to continue through the interface. The two options for this command are Permit or Deny.

Page 21: Practical Security Solutions for Industrial Control Systems (ICS)

Anatomy of a Standard ACL cont.

This part of the ACL rule specifies the source network or host of the traffic that the rule is applied against.

    Access-list 10 permit 172.24.101.0 0.0.0.255

This command may specify a specific host, a range of addresses, or all addresses.

To specify a specific host, use the host option. For example:

    access-list 10 permit host 172.24.101.12

To specify all addresses, use the any option. For example:

    access-list 10 permit any

Page 22: Practical Security Solutions for Industrial Control Systems (ICS)

Anatomy of a Standard ACL cont. (Source Address)

To specify a range of addresses, an IP address and a wildcard mask must be used. The wildcard mask is the inverse of a subnet mask.

To match traffic from the 172.24.101.x network, the wildcard mask 0.0.0.255 must be used.

To match traffic from the 172.24.x.x network, the wildcard mask 0.0.255.255 must be used.
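The standard-ACL semantics laid out on the preceding slides (numbered 1-99, host / any / wildcard-mask sources, first match wins, implicit deny at the end), as an added Python example that is not code from the original deck; the access-list lines and addresses below are constructed from the slides' 172.24.101.x example, and the wildcard-from-prefix helper shows the "inverse of the subnet mask" relationship.

```python
"""Evaluate a Cisco-style standard ACL as the slides describe it:
rules are checked in order, the first match wins, and an implicit
'deny any' sits at the end of every list (added example, not deck code)."""
import ipaddress
from dataclasses import dataclass

ALL_ONES = 0xFFFFFFFF


@dataclass(frozen=True)
class Rule:
    number: int    # list number; standard ACLs use 1-99
    action: str    # "permit" or "deny"
    address: int   # source address as a 32-bit integer
    wildcard: int  # wildcard mask: 0 bits must match, 1 bits are ignored


def wildcard_from_prefix(prefix_len: int) -> str:
    """Wildcard mask = inverse of the subnet mask, e.g. /24 -> 0.0.0.255."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").hostmask)


def parse_rule(line: str) -> Rule:
    """Parse one 'access-list <n> permit|deny <source>' line."""
    parts = line.split()
    if len(parts) < 4 or parts[0].lower() != "access-list":
        raise ValueError(f"not an access-list entry: {line!r}")
    number = int(parts[1])
    if not 1 <= number <= 99:
        raise ValueError(f"standard ACLs must be numbered 1-99, got {number}")
    action = parts[2].lower()
    if action not in ("permit", "deny"):
        raise ValueError(f"action must be permit or deny, got {parts[2]!r}")
    source = parts[3].lower()
    if source == "any":                    # all addresses: every bit is a wildcard
        return Rule(number, action, 0, ALL_ONES)
    if source == "host":                   # single host: no wildcard bits at all
        if len(parts) < 5:
            raise ValueError(f"host keyword needs an address: {line!r}")
        return Rule(number, action, int(ipaddress.IPv4Address(parts[4])), 0)
    address = int(ipaddress.IPv4Address(parts[3]))
    # Address followed by an explicit wildcard mask; a bare address means a host.
    wildcard = int(ipaddress.IPv4Address(parts[4])) if len(parts) > 4 else 0
    return Rule(number, action, address, wildcard)


def matches(rule: Rule, source: str) -> bool:
    """Bits set in the wildcard are ignored; every other bit must equal the rule's address."""
    must_match = ~rule.wildcard & ALL_ONES
    return (int(ipaddress.IPv4Address(source)) & must_match) == (rule.address & must_match)


def evaluate(acl: list[str], source: str) -> str:
    """Return 'permit' or 'deny' for traffic from `source`: first match wins."""
    for rule in (parse_rule(line) for line in acl):
        if matches(rule, source):
            return rule.action
    return "deny"  # the implicit deny-all at the end of every ACL


# Constructed example list: block one host, permit the rest of 172.24.101.x.
ACL_10 = [
    "access-list 10 deny host 172.24.101.12",
    "access-list 10 permit 172.24.101.0 0.0.0.255",
]

if __name__ == "__main__":
    for src in ("172.24.101.12", "172.24.101.50", "172.24.102.7"):
        print(f"{src} -> {evaluate(ACL_10, src)}")
```

Because the first match wins, the deny for 172.24.101.12 must sit above the network permit; swapped, the host rule would never be reached.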

Page 23: Practical Security Solutions for Industrial Control Systems (ICS)

Applying an ACL to an Interface

Commands to add an access list to inbound traffic on an interface:

    Router(config)#int fa1/1
    Router(config-if)#ip access-group 110 in

Commands to add an access list to outbound traffic on an interface:

    Router(config)#int fa1/1
    Router(config-if)#ip access-group 110 out

*Stratix switches do not give the option to apply an ACL to outbound traffic*

Page 24: Practical Security Solutions for Industrial Control Systems (ICS)

Agenda

Operating System Security

Firewall

Switch Access Control Lists (ACLs)

Defense In Depth

Page 25: Practical Security Solutions for Industrial Control Systems (ICS)

Network Security Framework Unified Threat Management (UTM)

Diagram (plant-wide / site-wide operation systems): Enterprise Zone, Levels 4 & 5 (Data Center, enterprise-wide business systems); Level 3.5 IDMZ; Industrial Zone, Level 3 Site Operations with physical or virtualized servers (FactoryTalk Application Servers & Services Platform; Network Services, e.g. DNS, AD, DHCP, AAA; Remote Access Server (RAS); Call Manager; Storage Array); Levels 0-2 Cell/Area Zones, including Local Cell/Area Zone #1, Local OEM Skid / Machine #1 and Remote Site #1 reached over a Site-to-Site Connection. A UTM and switches mark the candidate enforcement points.

Who owns the key to this protection?

Are further controls needed for your SLA?

Is this level of protection enough?

Page 26: Practical Security Solutions for Industrial Control Systems (ICS)

Network Security Framework Unified Threat Management (UTM)

Modern Firewalls (UTMs) provide a range of security services:

Firewall with Application Layer Security: multi-layer packet and traffic analysis; advanced application and protocol inspection services; network application controls

Access Control and Authentication: flexible user and network based access control services; stateful packet inspection; integration with popular authentication sources including Microsoft Active Directory, LDAP, Kerberos, and RSA SecurID

IPS and Anti-X Defenses: real-time protection from application and OS level attacks; network-based worm and virus mitigation; spyware, adware, malware detection and control; on-box event correlation and proactive response

Intelligent Networking Services: low latency; diverse topologies; multicast support; services virtualization; network segmentation & partitioning; routing, resiliency, load-balancing

SSL and IPSec Connectivity: threat protected SSL and IPSec VPN services; zero-touch, automatically updateable IPSec remote access; flexible clientless and full tunneling client SSL VPN services; QoS/routing-enabled site-to-site VPN

Page 27: Practical Security Solutions for Industrial Control Systems (ICS)

Network Security Framework Unified Threat Management (UTM) – Stratix 5900

The Stratix 5900 UTM security appliance is a ruggedized all-inclusive UTM with features such as firewall, secure routing, VPN (virtual private network), intrusion prevention, NAT (network address translation) and content filtering.

Site-to-Site Connection: tunnels the Industrial Zone trusted network to a remote site over an untrusted network using a site-to-site VPN connection.

Cell/Area Zone Firewall: protects a Cell/Area Zone from the greater Industrial Zone.

Physical features: RJ-45 Gigabit WAN; 4 – 10/100Base-Tx LAN ports; Shock / Vibration & Extended Temperature; DIN rail mount

Network features: ACL / Firewall; DHCP; QoS; VLAN; NAT

Stratix 5900™ Security Appliance

Page 28: Practical Security Solutions for Industrial Control Systems (ICS)

Network Security Framework Unified Threat Management (UTM)

Diagram: the same plant-wide / site-wide architecture as Page 25, with Stratix 5900 UTMs placed at 1) the Site-to-Site Connection to Remote Site #1, 2) the Cell/Area Zone Firewall in front of Local Cell/Area Zone #1, and 3) OEM Integration in front of Local OEM Skid / Machine #1.

Page 29: Practical Security Solutions for Industrial Control Systems (ICS)

Network Security Framework Stratix 5900 (Distributed System)

Allows the system to be securely distributed between a Central Site and smaller sites.

Applications: Water / Waste Water, Pipelines, Oil and Gas

Diagram: the Central Site (Enterprise, DMZ and Industrial Zone separated by ASA 5515-X / ASA 5500-X firewalls in Failover, with Catalyst 3750-X, Stratix 5700 and Catalyst 2960 switches, a Central Site Controller, HMI Server and Engineering Workstation) connects over an untrusted WAN to Distributed Sites #1, #2 and #3, each behind its own Stratix 5900.

Page 30: Practical Security Solutions for Industrial Control Systems (ICS)

Network Security Framework Stratix 5900 (Cell Firewall)

The Stratix 5900 firewall restricts / filters traffic to and from the Cell/Area Zones.

Supports: NAT, Transparent Firewalls, Routing, Netflow, Syslog

Diagram: a Line Controller, HMI Server, Catalyst 3750-X, Stratix 5700 and Catalyst 2960 on the line network; Machine #1 and Machine #2 each sit behind their own Stratix 5900.

Page 31: Practical Security Solutions for Industrial Control Systems (ICS)

Agenda

Operating System Security

Firewall

Switch Access Control Lists (ACLs)

Defense In Depth

Page 32: Practical Security Solutions for Industrial Control Systems (ICS)

Rockwell Automation Knowledgebase

• Knowledgebase ID 30498 - Windows Firewall Configuration Utility for Windows XP Service Pack 2 (TechConnect Level)
• Knowledgebase ID 45891 – How to use the Windows Firewall Configuration Utility to configure the Public network on Windows 7

Page 33: Practical Security Solutions for Industrial Control Systems (ICS)

Rockwell Software Windows Firewall Configuration Utility

Page 34: Practical Security Solutions for Industrial Control Systems (ICS)

Windows Firewall

Page 35: Practical Security Solutions for Industrial Control Systems (ICS)

Order of Windows Firewall Security Rule Evaluation

Page 36: Practical Security Solutions for Industrial Control Systems (ICS)

Demonstration

Blocking Ping (ICMP)

Blocking other traffic (like Remote Desktop, Ping, etc.) from IP address ranges

Page 37: Practical Security Solutions for Industrial Control Systems (ICS)

Software Restriction Policies (SRP)

Software Restriction Policies (SRP) is a Group Policy-based feature that identifies software programs running on computers in a domain, and controls the ability of those programs to run. Software restriction policies are part of the Microsoft security and management strategy to assist enterprises in increasing the reliability, integrity, and manageability of their computers.

You can also use software restriction policies to create a highly restricted configuration for computers, in which you allow only specifically identified applications to run.

Software restriction policies are integrated with Microsoft Active Directory and Group Policy. You can define these policies through the Software Restriction Policies extension of the Local Group Policy Editor or the Local Security Policies snap-in to the Microsoft Management Console (MMC).

Page 38: Practical Security Solutions for Industrial Control Systems (ICS)

MMC.EXE – Used to set permissions per user

Page 39: Practical Security Solutions for Industrial Control Systems (ICS)

GPEDIT.MSC – used to globally edit SRPs

Page 40: Practical Security Solutions for Industrial Control Systems (ICS)

Registry Setting to Disable USB

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor

Start Value = 4 to disable

Page 41: Practical Security Solutions for Industrial Control Systems (ICS)

Demonstration - SRP

Disable USB - Grossly

Disable USB – Per User

Disable software running in unwanted locations

Page 42: Practical Security Solutions for Industrial Control Systems (ICS)

We care what you think!

On the mobile app:

1. Locate the session using Schedule or Agenda Builder
2. Click on the thumbs up icon in the lower right corner of the session detail
3. Complete the survey
4. Click the Submit Form button

Please take a couple of minutes to complete a quick session survey to tell us how we’re doing.

Thank you!!

Page 43: Practical Security Solutions for Industrial Control Systems (ICS)

www.rsteched.com

Follow RSTechED on Facebook & Twitter. Connect with us on LinkedIn.

Questions?

