© Copyright Fortinet Inc. All rights reserved.
Security without Compromise
Securing ICS and IT networks
Peter Kocik, Systems Engineer
Sayano–Shushenskaya hydroelectric power station
Number of Units: 10
Turbine Type: Francis (16 blades)
Rated Power: 650 MW each
Rated Discharge per Unit: 358,5 m3/s
Nominal Speed: 142,86 rpm
Operation Date: 1978
Runner Diameter: 6,77 m
View of the Russian dam
Inside …
Power Units
Generator floor
Air-Oil Tanks
What happened on 17 August 2009
The operating band of Turbine 2 was changed to a specific load forbidden by the manufacturer.
The forbidden band created extra vibration, which was also registered by a seismograph.
The turbine cover shot up and the 920-ton rotor then shot out of its seat.
Water immediately flooded the engine and turbine rooms and caused a transformer explosion.
On 21 August 2009, a rebel group in Chechnya claimed that they were responsible for the blast.
After the Accident…
Consequences
75 people died.
The physical damage was estimated at 310 million.
According to the Russian Energy Minister, almost 2 years and 1.3 billion Euros were spent to reconstruct the power building.
The production of more than 500,000 tons of aluminum will be lost.
ICS Cyber issue: Intentional vs Unintentional

Threat Source                 % of Industrial Network Incidents   Incident Type
Hackers and Terrorists         9.4%                               Intentional
Insiders                      10.6%                               Intentional
Human Error                   11.2%                               Unintentional
Malware                       30.4%                               Unintentional
Device and Software Failure   38.4%                               Unintentional

[Pie chart: 20% intentional targeted attacks, 30% unintentional consequences, 50% unintentional internal security consequences]

According to 2011 RISI data, most cybersecurity threats and incidents are unintentional and occur inside industrial networks.
Intentional targeted attacks (unauthorized access, DoS, email attacks)
Unintentional consequences (collateral damage from viruses or control system failures)
Unintentional internal security consequences (Device or Software Failure, Human Error)
Intentional/Unintentional: Cyberthreats in ICS environments
[Bar chart: Top threat vectors in ICS (SANS ICS Survey 2014), 0% to 30% of respondents]
External Threats (hacktivism, nation states)
Malware
Insider Exploits
Email phishing attacks
Attacks coming from within the internal
Cybersecurity policy violations
Industrial espionage
Other

[Bar chart: ICS-CERT incident sectors, FY2015 vs FY2014, number of incidents 0 to 100. Data source: ICS-CERT (US)]
Critical Manufacturing, Energy, Unknown, Water, Transportation, Government facilities, Healthcare, Communications, Nuclear, IT, Dams, Chemical, Commercial Facilities, Finance, Food & Agriculture, Defense

External Threats is the top concern
Malware, Exploits, Email, Segmentation being the main touchpoints
Could be ICS or IT based attacks - now bridged
Manufacturing and Energy highest targets
1st Militarized ICS malware: Stuxnet
» Cyber-physical consequences
ICS Components
Sensors, Action devices, PLC, HMI, SCADA, Supervisor, Data historian
ICS Defense Strategy #1: Exploit Vectors - Defense in Depth
Defense-in-Depth Strategy
A Defense-in-depth strategy deploys application security at both the host (RTU) and the network level.
Deploy security systems that offer tightly integrated multiple detection mechanisms.
[Diagram: concentric layers Physical Security, Perimeter, Intranet, Host, Application and Data around the Critical Assets, with Border Firewall, Campus Network, Network Security Management, Firewall and Intrusion Prevention placed at the corresponding layers]
Fortinet Defense In Depth Strategy
[Diagram: Corporate LAN (Domain Controller, Business Systems); Supervisory Control System and associated databases; Human Machine Interface (HMI); Remote Terminal Units (FGR-100C); Sensors for pump/fan speed, pressure, flow rate, temperature, noise level, oil levels and maintenance alarms, radioactivity levels and water levels. FortiGate secures and restricts communication with the SCADA network.]
Prevent threats entering the organization with stringent boundary controls including Web Filtering, Anti-Virus, Intrusion Prevention and Application Control (FortiGate) and Anti-SPAM (FortiMail).
Segregate networks and prevent malware propagation with inter-zone Anti-Virus, Intrusion Prevention and Application Control (FortiGate).
Provide secure remote access (FortiGate SSL and IPsec VPN) together with secure remote authentication methods (FortiAuthenticator).
Secure wireless communication with rogue access point detection and by segregating engineers' traffic on dedicated SSIDs (FortiGate & FortiAP).
Secure SCADA communications with hardware accelerated VPN back to the Management HMI network (FortiGate).
Prevent malware propagation and non-authorised communication channels with on-the-wire Anti-Virus, Intrusion Prevention and Application Control (FortiGate).
Secure, audit and monitor the HMI database (FortiDB).
Vulnerability assessment, patch management and auditing of all organizational assets (FortiScan).
Protect web based HMI from exploitation with Web Application Firewalling (FortiWeb).
ICS Defense Strategy #2: Segmentation Vectors - Security Segmentation
ICS Defense Strategy #2: Segmentation Vectors - ISFW, Internal Segmentation Architecture
1. Inspect and log all segment traffic
2. Verification/Auth of segment traffic
3. Network is designed within security segments
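The ISFW points above amount to a zone model: every asset sits in a designed segment, traffic between segments is denied unless an explicit rule allows it, rules that cross from IT into OT require an authenticated identity, and every inter-segment decision is logged. The Python below is an added example written for this page to make that model concrete; it is not Fortinet code and not FortiGate configuration. The segment names and address ranges, the Modbus/TCP port 502 polling flow and the "ics-engineers" group are constructed assumptions chosen for illustration.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed segments: names and address ranges are assumptions for this example.
SEGMENTS: Dict[str, ipaddress.IPv4Network] = {
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
    "scada_hmi": ipaddress.ip_network("10.20.0.0/24"),
    "field_rtu": ipaddress.ip_network("10.30.0.0/24"),
}


@dataclass(frozen=True)
class Rule:
    """One explicit inter-segment allow; anything not matched is denied."""
    src_segment: str
    dst_segment: str
    dst_port: int
    protocol: str = "tcp"
    # Identity group the source must have authenticated with (None = no auth required).
    required_group: Optional[str] = None


# Explicit allow-list between segments; flows and the group name are assumptions.
RULES: List[Rule] = [
    # HMI servers poll the RTUs (Modbus/TCP 502 assumed as the SCADA protocol).
    Rule("scada_hmi", "field_rtu", 502),
    # Corporate engineers reach the HMI segment only with a verified identity.
    Rule("corporate", "scada_hmi", 443, required_group="ics-engineers"),
]


@dataclass
class Flow:
    src: str
    dst: str
    dst_port: int
    protocol: str = "tcp"
    auth_groups: List[str] = field(default_factory=list)


@dataclass
class Decision:
    action: str  # "allow" or "deny"
    reason: str
    src_segment: Optional[str]
    dst_segment: Optional[str]


def segment_of(ip: str) -> Optional[str]:
    """Return the segment an address belongs to, or None if it is unassigned."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def evaluate(flow: Flow) -> Decision:
    """Apply the segmentation policy to one flow: default deny across segments."""
    src_seg, dst_seg = segment_of(flow.src), segment_of(flow.dst)
    if src_seg is None or dst_seg is None:
        # Network designed within segments: an address outside every segment is never trusted.
        return Decision("deny", "address outside any defined segment", src_seg, dst_seg)
    if src_seg == dst_seg:
        return Decision("allow", "intra-segment traffic", src_seg, dst_seg)
    for rule in RULES:
        if (rule.src_segment, rule.dst_segment, rule.dst_port, rule.protocol) != \
           (src_seg, dst_seg, flow.dst_port, flow.protocol):
            continue
        # Verification/auth of segment traffic: the rule may demand an authenticated group.
        if rule.required_group and rule.required_group not in flow.auth_groups:
            return Decision("deny", f"rule requires group {rule.required_group}", src_seg, dst_seg)
        return Decision("allow", f"matched rule {src_seg}->{dst_seg}:{rule.dst_port}", src_seg, dst_seg)
    return Decision("deny", "no inter-segment rule matched (default deny)", src_seg, dst_seg)


def audit(flows: List[Flow]) -> List[str]:
    """Inspect and log: one log line per decision, for allows and denies alike."""
    lines = []
    for f in flows:
        d = evaluate(f)
        lines.append(f"{d.action.upper():5} {f.src}->{f.dst}:{f.dst_port}/{f.protocol} "
                     f"[{d.src_segment}->{d.dst_segment}] {d.reason}")
    return lines


if __name__ == "__main__":
    sample = [
        Flow("10.20.0.5", "10.30.0.17", 502),                               # HMI polling an RTU
        Flow("10.10.4.9", "10.30.0.17", 502),                               # corporate host straight to an RTU
        Flow("10.10.4.9", "10.20.0.5", 443, auth_groups=["ics-engineers"]),  # authenticated engineer
        Flow("10.10.4.9", "10.20.0.5", 443),                                # same path, unauthenticated
        Flow("192.168.99.1", "10.30.0.17", 502),                            # address in no segment
    ]
    print("\n".join(audit(sample)))
```

The instructive cases are the two denies that a flat network would have allowed: the corporate host talking directly to an RTU, and the unauthenticated connection on a port that is otherwise permitted. Both are logged with the segment pair and the reason, which is the data a SOC needs to tell a misconfiguration from a breach attempt.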
Fortinet Internal Segmentation Strategy
ICS Defense Strategy #3: Advanced Threat Vectors - APT Framework, Sandbox technology
ICS Defense Strategy #3: Advanced/0-day Threat Vectors - APT Framework, Sandbox technology
Code continuum (left to right): Known Good, Probably Good, Might be Good, Completely Unknown, Somewhat Suspicious, Very Suspicious, Known Bad
Security technologies (aligned left to right along the continuum): Whitelists; Reputation (File, IP, App, Email); App Signatures; Digitally signed files; Sandboxing; Heuristics; Reputation (File, IP, App, Email); Generic Signatures; Blacklists; Signatures
70-90% of malware samples are unique to an organization
Fortinet APT Framework
Fortinet's ICS Layered Defense Model
APT Framework: Advanced Malware, Automation, Interaction
Defense-in-Depth: Multiple Layers, Exploit Vectors, Data Protection
Internal Segmentation: Untrust Model, Breach Containment, Security Corridors
… our answer is an active integration between SCADAguardian and FortiGate
Turn-key Internal and Perimeter Visibility
Fine Tuning, Control and Monitoring of the Firewall Ruleset
Proactive SCADA Security
Behavioral Analysis: automatically learns ICS behavior and detects suspicious activities.
Security Policy Enforcement: flexibility to enforce security policies with different degrees of granularity.
Deep SCADA Understanding: deep understanding of all SCADA protocols, open and proprietary.
Active Traffic Control: proactive filtering of malicious and unauthorized network traffic.
Unintrusive passive monitoring: real time passive monitoring guarantees no impact and permits visibility at different layers of the Control and Process Networks.
In-line Protection: in-line separation between IT and OT environments.
Going Live
The Matrix Movie …
~ nmap -sT -sV -vvvvv -P0 -p25,80,443,993 wagon.eriqe.sk
Starting Nmap 6.47 ( http://nmap.org ) at 2015-10-05 23:15 CEST
NSE: Loaded 29 scripts for scanning.
Initiating Parallel DNS resolution of 1 host. at 23:15
Completed Parallel DNS resolution of 1 host. at 23:15, 0.06s elapsed
DNS resolution of 1 IPs took 0.06s. Mode: Async [#: 2, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 23:15
Scanning wagon.eriqe.sk (93.184.66.157) [4 ports]
Discovered open port 25/tcp on 93.184.66.157
Discovered open port 80/tcp on 93.184.66.157
Discovered open port 993/tcp on 93.184.66.157
Discovered open port 443/tcp on 93.184.66.157
Completed Connect Scan at 23:15, 0.15s elapsed (4 total ports)
Initiating Service scan at 23:15
Scanning 4 services on wagon.eriqe.sk (93.184.66.157)
Completed Service scan at 23:15, 26.24s elapsed (4 services on 1 host)
NSE: Script scanning 93.184.66.157.
NSE: Starting runlevel 1 (of 1) scan.
Nmap scan report for wagon.eriqe.sk (93.184.66.157)
Host is up (0.15s latency).
rDNS record for 93.184.66.157: 93.184.66.157.host.vnet.sk
Scanned at 2015-10-05 23:15:25 CEST for 26s
PORT STATE SERVICE VERSION
25/tcp open smtp Postfix smtpd
80/tcp open http Apache httpd 2.2.22
443/tcp open ssl/http Apache httpd 2.2.22
993/tcp open ssl/imap Courier Imapd (released 2011)
~ openssl s_client -connect mail.eriqe.sk:993
---
* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE
THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT
QUOTA IDLE AUTH=PLAIN ACL ACL2=UNION] Courier-IMAP ready.
Copyright 1998-2011 Double Precision, Inc. See COPYING for
distribution information.
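The two sessions above show how much an outsider learns from service banners alone: product names, exact versions and a release year. As an added example that is not part of the presentation, the Python below parses the `nmap -sV` service table and the IMAP greeting copied from the slide into a small exposure review, the kind a defender runs against their own Internet-facing hosts before anyone else does. The three disclosure levels (none, product, version) are this example's own classification, not an nmap feature.

```python
import re
from typing import Dict, List

# Service table printed by `nmap -sV`, copied from the scan shown on the slide.
NMAP_REPORT = """\
PORT STATE SERVICE VERSION
25/tcp open smtp Postfix smtpd
80/tcp open http Apache httpd 2.2.22
443/tcp open ssl/http Apache httpd 2.2.22
993/tcp open ssl/imap Courier Imapd (released 2011)
"""

# IMAP greeting received over TLS on port 993, copied from the openssl s_client session above.
IMAP_GREETING = ("* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE "
                 "THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT "
                 "QUOTA IDLE AUTH=PLAIN ACL ACL2=UNION] Courier-IMAP ready.")

# <port>/<proto> <state> <service> [<version string>]; tolerates collapsed column spacing.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
CAPABILITY = re.compile(r"\[CAPABILITY ([^\]]+)\]")


def parse_nmap_table(report: str) -> List[Dict[str, str]]:
    """Turn the nmap service table into records; header and non-matching lines are skipped."""
    records = []
    for line in report.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            port, proto, state, service, version = m.groups()
            records.append({"port": port, "proto": proto, "state": state,
                            "service": service, "version": version.strip()})
    return records


def disclosure_level(version_field: str) -> str:
    """Classify what a banner gives away: nothing, the product name, or a concrete version/date."""
    if not version_field:
        return "none"
    if re.search(r"\d", version_field):
        return "version"   # e.g. "Apache httpd 2.2.22" or "Courier Imapd (released 2011)"
    return "product"       # e.g. "Postfix smtpd"


def versioned_services(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Open services whose banner reveals an exact version or release date."""
    return [r for r in records
            if r["state"] == "open" and disclosure_level(r["version"]) == "version"]


def parse_imap_capabilities(greeting: str) -> List[str]:
    """Extract the advertised CAPABILITY list from an IMAP server greeting."""
    m = CAPABILITY.search(greeting)
    return m.group(1).split() if m else []


def exposure_summary(report: str, greeting: str) -> Dict[str, object]:
    """Collect the review findings for one host into a single dictionary."""
    records = parse_nmap_table(report)
    caps = parse_imap_capabilities(greeting)
    server_text = greeting.split("]", 1)[1].strip() if "]" in greeting else ""
    return {
        "open_ports": [r["port"] for r in records if r["state"] == "open"],
        "version_disclosing_ports": [r["port"] for r in versioned_services(records)],
        "imap_auth_mechanisms": [c for c in caps if c.startswith("AUTH=")],
        "imap_server_text": server_text,   # product name volunteered in the greeting
    }


if __name__ == "__main__":
    for key, value in exposure_summary(NMAP_REPORT, IMAP_GREETING).items():
        print(f"{key}: {value}")
```

Run against the slide's output, three of the four open ports disclose an exact version or release year, and the IMAP greeting names the product outright. Each such item is a banner-hardening or patch-tracking ticket; the parser accepts any `nmap -sV` normal-output table, so the same review can be repeated after each change.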
Shodan - the bad search engine
SHODAN interrogates ports and grabs the resulting banners, then
indexes the banners (rather than the web content) for searching
Basic Filters
country: filters results by two-letter country code
city: filters results by city name
hostname: filters results by specified text in the hostname or domain
geo: filters results by coordinates
net: filters results by a specific IP range or subnet
os: filters results by operating system
port: narrows the search to specific services
timeframe: finds results within a timeframe