Safety of Technological Control Systems
Petr Chmelař
TrustPort
Annotation
Security of Operational Technology (OT), such as Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems, has become a focus of security experts after a series of attacks on critical infrastructure and production.
Unlike conventional attacks aimed at entertainment or at strategic and military targets, the Internet has become a regular battleground on which everyday life goes on.
I will introduce the basic technological and, in part, procedural measures that aim to protect IP-based control systems, and the ways in which Operational Technology safety differs from conventional IT measures.
18 February 2015
Outline
Case Studies
Background
Industries
Security Technology
Call for …
Summary
Case Studies
2000 Raw sewage dumped 46 times in Australia
Supertanker delayed for 8 hours in Venezuela
2003+ Northeast Blackouts
Blaster caused the closure of the VUT canteen (Menza)
Pharmaceutical Chemical Company
2007-10 Stuxnet and mates
2014 German Steel Mill
City burnt down by intelligent coffee machines
2003 Northeast Blackouts
A bug in the GE energy management system resulted in an alarm system failure at FirstEnergy's control room
China's People's Liberation Army may have cracked the computers controlling the U.S. power grid, but the involvement is unconfirmed
The Blaster worm contributed to the blackout by disrupting all the secondary systems that help to keep the grid up and running
Evgeniy Kaspersky is pretty sure that a virus triggered it... at least 11 people died and the cost is estimated at $6 billion.
The Windows operating systems that run the critical infrastructure are not reliable enough. Neither is the Internet.
Pharmaceutical Chemical Company
Stuxnet publicly demonstrated physical interruption of automated hardware, but... who cares about nuclear washing machines?
Some of you may care about a Steel Mill (spear phishing, email spoofing → ICS)
We care about the medicine we get... a Win95 machine accessible to boiler room maintenance
It actually did blow up.
Background
The Battlefield
Diverse Risks
Vulnerabilities
Requirements and Differences
Legislation
The Battlefield
On Friday, Obama was participating in a summit on cybersecurity and consumer protection
Cyberwarfare = espionage and sabotage
Diverse Risks
DoS attacks
Misuse (default passwords)
IP and MAC spoofing
Man-in-the-middle
Viruses, trojans and malware on employees' USB sticks: amateurs can use ready-made malware
Spying and data/operation corruption: zero-day exploits for considerable sums
Advanced Persistent Threats by professionals
Cyberwarfare by armies and terrorists
Can kill. And does.
Vulnerabilities
Source: DigitalBond
It's the computer you never thought about that turns out to be critical, and critically vulnerable
NIST NVD – Common Vulnerabilities and Exposures (CVEs)
Vulnerability matrix (columns: FW, PL, Backdoor, Fuzzing, Web, Config, DoS, Undoc):
System | Findings
Schweitzer SEL-2032 | ? ? ? ? ?
General Electric D20 | ? ! ! ! ! ! !
Schneider Modicon | ! ? ! ! ! ? !
Rockwell A-B | ? ? ? ! ? ? !
Koyo / DirectLOGIC | ? ! ? ! ? ?
IT and OT Systems Differences
Requirements | IT | OT
Performance | Non-real-time; high throughput and jitter | Critical real-time responses; low throughput and jitter
Availability | Deficiencies such as rebooting or virus blocking are often acceptable | Outages must be scheduled; availability by redundancy
Risk Management | Data confidentiality and integrity | Human safety and protection of the process
Security Focus | IT assets and the information | Protect edge clients (field devices, ...)
Consequences | Typical requirements | Security tools must be tested for ICS operation
Time-Critical Interaction | Less critical emergency interaction | Response to emergency interaction is critical
System Operation | Regular system updates and upgrades | Proprietary FW systems, no security
Resource Constraints | Plenty of resources for security purposes | Industrial process only
Communication | Standard communications | Many proprietary protocols and media
Change Management | Every second Tuesday :) | Must be planned and tested; unsupported...
Managed Support | Multiple options | Support is usually via a vendor
Component Lifetime | 3-5 years | Lifetime (15 – 30 years)
Physical Access | Local or easy to access | Isolated, remote and require effort to access
Physical Requirements | Office/server room | EMP, shock, water ... proof
Legislation
ISO 17799 => ISO 27000 family
Act on Cyber Security 181/2014 Coll. (Zákon o kybernetické bezpečnosti) and its implementing decree
ISA-99 => ISA/IEC 62443
NERC CIP 002-009
NIST Guide to ICS Security
Industries
Siemens
Emerson
Lockheed Martin
ABB & Others
Siemens
Security for Network Components
Siemens
Industrial Security for PCs, Controllers and HMIs
Simatic S5 PLC on DOS to WinXP
SIMATIC S7-1500 controllers
Virus scanner, IDS?
Deactivation of services and interfaces
Whitelisting, robust communication
VPN client software
User administration and access control
Emerson
Lockheed Martin
Recently acquired Industrial Defender, targeting cybersecurity, change management and compliance
ABB & Others
Pushed by the US government...
Looking for a serious solution
Trying to make IT & OT people
… talk to each other
Security Technology
Endpoint
Network Perimeters
Intrusion Detection
Analysis & Correlation
Deep Inside: Protocols, Manual approach, HoneyPots, Analysis
=> Summary
Proactive: from "Protect" to "Detect and Respond"
Endpoint
Antivirus | Antimalware just for Windows
Disable all unnecessary services (USB lockdown)
Field devices seldom have the capability to protect themselves
Nessus audit files exist for:
NERC CIP-007 R8
ABB 800xA PPA
AREVA e-terra
Control Sys. Int. UCOS
Emerson Ovation
Matrikon Security Gateway
OSIsoft PI Enterprise Server
Siemens Spectrum Power TG 8.2
SISCO AX-S4 ICCP
SNC GENe
Telvent OASyS DNA 7.5
Network Perimeters
Air-gap is impossible (=> BYOD :)
→ Firewall and VPN in "paranoia" mode
↔ allowing only trusted|whitelisted access
↔ segmenting the network into security zones
Attack vectors look normal and are encrypted
→ a "Man in the Middle" HTTPS Proxy is essential
See next presentation
Intrusion Detection
Analyzes network traffic and its content, or may monitor endpoints
Reactive IPS is not suitable :( (real-time availability)
There are some SCADA rules out there (462)
Ask your IDS vendor
Try out an open-source IDS (Snort or Suricata)
Don't forget the IT in the OT network
DATES Project
www.digitalbond.com
Analysis & Correlation
SIEMs detect 0–21% of attacks, but... 0% of Advanced Persistent Threats*
However, SIEM is highly configurable, and... some can even parse network traffic
Some vendors can analyze SCADA logs
Ask your SIEM vendor
Try out an open-source SIEM (OSSIM)
There is a need for transparency!
* Independent Validation and Verification (IV&V) of Security Information and Event Management (SIEM) Systems, Final Report, SPAWAR for DARPA/I2O, January 2011
Deep Inside
Traffic retention (capture) for future forensics
Protocol jungle
Modbus/TCP
MMS
CS31
SPA
Fieldbus/EtherCAT
SIMATIC S5/S7 PROFINET
Profibus (HART)
ROC
IEC 101/104
DNP3
IEC 61850
ICCP
EtherNet/IP
OPC-DA
RPC/DCOM
SMB/CIFS
+ some proprietary
Manual Analysis
SCADA HoneyPot
A HoneyPot is a highly monitored machine with a single purpose: being attacked
There are not really any vendors, but... you may set up an "unsecured" Windows computer,
HMI, PLC or RTU if you have some spare parts :)
You may copy the PLC's web interface (wget -r)
Multiple SCADA simulators are available
Conpot, HoneyD or Sebek may be tuned to simulate a PLC, sewage pump, supertanker, power grid, steel mill, ...
Since there is no legitimate activity on a HoneyPot, just wait to be "attacked" :)
Automated Analysis
Detection methods
  Blacklisting and signature-based detection (what's forbidden)
  Whitelisting and fingerprinting (what's allowed)
Approaches
  Based on NetFlow (who communicated with whom, how often)
  Based on content (what commands, parameters, values)
Artificial Intelligence
  Clustering & outlier analysis (anomalies)
  Classification & characterization (what it normally looks like)
  Behavior (pattern) analysis (e.g. what transactions)
Immature – only research or startups
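As an added example (not from the slides or from TrustPort), the Python inspector below applies the NetFlow-based and content-based whitelisting described under Automated Analysis, and the SCADA-rule idea from the Intrusion Detection slide, to Modbus/TCP requests: it parses the MBAP header, flags malformed frames, conversations outside the whitelist, and write function codes from hosts that should only read. The addresses, the whitelist and the sample frames are constructed for this example.

```python
import struct

# Modbus/TCP MBAP header: transaction id, protocol id (always 0), length, unit id; PDU follows
MBAP = struct.Struct(">HHHB")

# Assumed whitelist (constructed): which client->server pairs may talk and which function
# codes each may use. 0x03/0x04 read registers, 0x06/0x10 write them.
ALLOWED = {
    ("10.0.1.5", "10.0.2.20"): {0x03, 0x04},        # HMI: read-only
    ("10.0.1.6", "10.0.2.20"): {0x03, 0x06, 0x10},  # engineering station: may write
}

def build_frame(tid, unit, fc, data):
    """Assemble a Modbus/TCP request; the length field counts unit id + PDU."""
    pdu = bytes([fc]) + data
    return MBAP.pack(tid, 0, len(pdu) + 1, unit) + pdu

def parse_modbus(frame):
    """Return (transaction id, unit id, function code, data); raise ValueError if malformed."""
    if len(frame) < MBAP.size + 1:
        raise ValueError("short frame")
    tid, proto, length, unit = MBAP.unpack_from(frame)
    if proto != 0:
        raise ValueError("protocol id is not 0")
    if length != len(frame) - 6:
        raise ValueError("length field mismatch")
    return tid, unit, frame[MBAP.size], frame[MBAP.size + 1:]

def inspect(packets):
    """Flow whitelist (who talks to whom) plus content whitelist (which commands); returns alerts."""
    alerts = []
    for src, dst, frame in packets:
        try:
            _, _, fc, _ = parse_modbus(frame)
        except ValueError as exc:
            alerts.append(f"{src}->{dst}: malformed Modbus frame ({exc})")
            continue
        allowed = ALLOWED.get((src, dst))
        if allowed is None:
            alerts.append(f"{src}->{dst}: unknown conversation (flow whitelist)")
        elif fc not in allowed:
            alerts.append(f"{src}->{dst}: function code 0x{fc:02x} not allowed (content whitelist)")
    return alerts

# Constructed sample traffic: two legitimate requests, then three that should raise alerts
SAMPLE_PACKETS = [
    ("10.0.1.5", "10.0.2.20", build_frame(1, 1, 0x03, b"\x00\x00\x00\x0a")),  # HMI reads 10 regs
    ("10.0.1.6", "10.0.2.20", build_frame(2, 1, 0x06, b"\x00\x01\x12\x34")),  # engineer writes
    ("10.0.1.5", "10.0.2.20", build_frame(3, 1, 0x06, b"\x00\x01\x00\x00")),  # HMI tries to write
    ("10.0.9.9", "10.0.2.20", build_frame(4, 1, 0x03, b"\x00\x00\x00\x01")),  # unknown client
    ("10.0.1.5", "10.0.2.20", b"\x00\x05\x00\x00\x00\x06\x01"),                # truncated frame
]
```

Running `inspect(SAMPLE_PACKETS)` yields three alerts (the HMI write, the unknown client, the truncated frame) and stays silent on the two legitimate requests.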
Call for …
Collaboration
Security vendors
ICS vendors
Industrial customers
RISI Online Incident Database
FIRST (Forum of Incident Response and Security Teams) – association of CSIRTs
CERT (Computer Emergency Response Team)
Summary
Standards compliance (proof & testing)
Identify, Protect, Detect, Respond, Recover, Prevent
Physical security & access control: n-factor, Pass...
Support & vendors: Updates, ...
Corporate IT network: Antimalware, ...
Network perimeters: Firewalls, VPN, Proxy
Intrusion and Anomaly Detection System (IDS)
Analysis & Correlation: SIEM
Data retention for future forensics
+ A little more
Conclusions
Things are already better than they were
Automation vendors are looking for solutions
ISO 27000 and the Cyber Security Act summarized
We have developed IDS and NBA for OT
Working on content-based analysis
Looking for collaboration