
Vincent Fu 傅國書, Taiwan Regional Technical Director · affecting a variety of PLC models of the top SCADA...

Date post: 25-May-2020
Vincent Fu 傅國書 | Taiwan Regional Technical Director
Transcript
Page 1:

Vincent Fu 傅國書 | Taiwan Regional Technical Director

Page 2:

©2018 Check Point Software Technologies Ltd.

Vincent Fu 傅國書 | SE Manager, Taiwan

Automation Security and IIoT Security Protection

IIOT/ICS SECURITY BEST PRACTICE

Page 3:

IoT has already changed the way modern people live

Extended IoT applications will reach into everything we need in daily life…

Connected Cars Connected Home

Smart Cities

Healthcare Smart Buildings

Industrial IoT

Page 4:

Faxploit: Breaking into the corporate internal network through an office multifunction printer

Page 5:

Home Hack: Is someone spying on your home?

Page 6:

PROTECTING THE IOT DEVICES


Page 7:

Connected Medical Devices

Regulation

High Risk

Lack of Control

Outdated OS / SW

Up Time

Weakest Link

IoMT

Page 8:

The micro Gateway

Protects Medical Devices

1X1 VPN & FW Security

Centrally Managed

Easily Deployed

Page 9:

One Common OS

Anti Malware

VPN

Firewall

URL Filtering

Anti Bot

Anti Ransomware

Forensics

App Control

Page 10:

Introducing GEN VI - NANO-SECURITY

NANO AGENTS

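AI ADAPTIVE SECURITY CONTROLS

(Open source) software plug-ins controlling the security attributes of all devices

CENTRAL INTELLIGENCE AND CONTROL

Automated security management policy based on shareable threat intelligence analysis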

OS

MobileOS

Cloud services

IoT devices

Web Services

Micro services

Page 11:

Transportation

Manufacturing

Smart cities

Smart buildings

Banking

Utilities

Healthcare

Telecom

Automotive

Energy

Smart homes

cloud

AI intelligence engine: adaptive security controls

Page 12:

AUTOMOTIVE: Internet of Vehicles

Internet

Cloud Security

Mobile Threat Defense

Nano security

Page 13:

Sensor Hub Sensor Hub

Private

NGFW 1200R

Sensor Hub

VPN + Clean Pipe

R80 Management

Internet

Internet Public

Internet

• Device Control as App Control feature

Future Solution Protecting the public cloud with vSEC

Cloud Platform

VPN Client and Clean Pipe Connection

Smart City Applications

Page 14:

PROTECTING THE ENTERPRISE ENVIRONMENT

Page 15:

The Enterprise Environment

While Some See Things… We See a Trojan Horse

Building Office

Page 16:

The Security Challenges

• Devices Lack of Security: Most of the devices do not have security mechanisms built in

• Protocol Vulnerabilities: Protocol vulnerabilities may allow infected devices to attack from within

• Non Upgradable / Not Updated: Devices are not updated with the latest version due to capability / knowledge

• East - West: One device attacking the other / IT resources

Page 17:

The Corporate Building (BMS)

Energy Management

HVAC

Lighting

Elevators

Access & Security

Water

And more…

Perimeter Segmentation

Functional Zone Segmentation

DPI of BMS Protocols

SCADA/IoT

MQTT, BACNET

Page 18:

ICS & IoT Convergence (BMS Environment)

Control Network

PLC PLC

Security Gateway

SCADA Server

MQTT

BACNET

R80

Elevator AC Water

ICS Visibility

Building

NAC

MQTT Over Ethernet

WLAN / LAN

Office April 2018

Page 19:

Remote Maintenance for Elevator or HVAC (and more)

PLC

Security Gateway

Elevators (or AC)

Building

VPN Connection

Company’s service center

• Secured connectivity (VPN)

• Protocol Visibility

• Command provisioning

• Access Control

• Remote Access VPN Client

Protocol ?

Page 20:

PROTECTING ICS AND CRITICAL INFRASTRUCTURE

Page 21:

Industrial Control Systems (ICS)/SCADA are All Around Us

… and we rely on them every day for our basic functions and needs.

Industrial Automation Oil & Gas Critical manufacturing

Water & Sewage Electricity Transportation

Building Management

Page 22:

ICS Threat Landscape – Attackers and Attacks

The Onslow Water and Sewer Authority in Jacksonville was hit by the Ryuk ransomware that shut down its computer operations.

Oct. 2018

“ClearEnergy” ransomware is capable of affecting a variety of PLC models of the top SCADA and ICS manufacturers.

April 2017

Attack Sources

State Actors: Government-sponsored groups with the resources and power to develop state-of-the-art tools, political motives to leverage them, and time to plan the attack.

ICS Vulnerabilities: Flaws found in ICS network components, such as the PLC or SIS, that could allow privilege escalation.

Insiders: Employees with access to the operational system and a financial or vindictive motive to cause damage.

Alternatively, employees compromised through a spear-phishing campaign so that their network access can be leveraged.

APT attack: the “Triton” malware was spotted targeting Schneider Electric’s Triconex controllers in Saudi Arabia and caused a shutdown.

Dec. 2017

A Monero cryptominer was found in the network of a water utility provider in Europe, after infecting the HMI.

Feb. 2018

Page 23:

US ICS-CERT report: (Jan-18) FY 2017 Most Prevalent Weaknesses

Transportation Systems 5%

Government Facilities 6%

Water 6%

Energy 20%

Communication 21%

Critical Manufacturing 22%

Most Attacked Sectors 2016

3rd year in a row

Page 24:

Best Practices for Securing OT

Secure Both OT and IT Environments

Protect IT with Advanced Threat Prevention Technologies

Clear Segmentation between OT and IT/Internet

Deploy Specialized ICS/SCADA Security Technologies

Page 25:

Visibility

Real Time SCADA/ICS Network monitoring

Field Devices

Controllers (PLC/RTU)

Sensor Data Pressure Flow Temp. Voltage State

Analyze the ICS Network Traffic

Control Network

Control Center

Network

Traffic

IT/OT Segmentation

Level 0

Level 3

Level 1

Level 2

Purdue Reference Model

SCADA/HMI/DCS

Page 26:

SCADA/ICS-Specific Protocol Support

Over 1300 SCADA and IoT commands in Check Point Application Control

MMS

DNP3

Siemens Step7

IEC 60870-5-104

IEC 61850

ICCP

OPC DA & UA

Profinet

CIP IoT

MQTT MODBUS

And many more…..

BACNET

Updated list: appwiki.checkpoint.com

Page 27:

Virtual patching: over 300 dedicated IDS/IPS signatures

PROTECTED by Check Point IPS

NSS Labs Highest Rating

Stops exploits of known vulnerabilities and detects anomalous traffic

SCADA-specific IDS/IPS signatures

Page 28:

Check Point 1200R New Purpose-Built Ruggedized Security Gateway Appliance

• Fully featured Check Point security gateway

• Compliant to the most rigid regulations: IEC 61850-3 and IEEE 1613

• 6x1GbE ports and firewall throughput of 2Gbps

• Compact fan-less design with no moving parts; temperature range from -40°C to 75°C

• Can be used in In-line or Tap (Mirror) modes

• Routing and networking (e.g. BGP, OSPF, IPsec, etc.)

Page 29:

OT Security Blueprint Management Facility

Shop Floor – Line A Shop Floor – Line B

PLC1 PLC2 PLC3 PLCx

Main Control Center

SmartEvent

HMI

AAD

Check Point GW

SCADA

Adding Asset Management & Anomaly Detection

SCADA

Traffic

1200R 1200R

Adding Visibility and Micro Segmentation

Page 30:

Full IT-OT Convergence Blueprint

IT Network

ERP

Domain Server

LAN

ICS Network

IT/OT Segmentation

Page 31:

Central Site Substation

SCADA Server

Data Center

RTU

LAN MPLS

IED

RTU – Substation Controller

IEC-104/DNP3

Backup Site

Smart Event

• Typical power utility security deployment in substations

• Single or cluster solution for combined OT and IT traffic

• SCADA security

Power Utilities — Substation Security

SCADA Server

Data Center

Smart Event

Page 32:

Customized Visibility

Unified Policy

Everywhere Monitoring

Integrated security management of the IT environment and OT production lines FOR BEST ROI AND OPTIMAL PROTECTION

Management integration with leading SIEM systems: QRadar, ArcSight, Splunk, and more, such as Predix and others

Page 33:

REPORTED by Check Point COMPLIANCE BLADE

Real-time assessment of compliance with major regulations

Regulatory compliance and security management monitoring features

SCADA SPECIFIC COMPLIANCE CHECKS

Page 34:

End to End Security suite for Critical Infrastructure IT and OT networks

Most extensive security support of ICS/SCADA protocols

Asset Management and Anomaly Detection

Full OT to IT security segmentation

Large Scale Management – Market “Gold Standard” (Gartner)

Check Point offers a complete security suite, from mobile and endpoint to the cloud, including private cloud for separation of IT from OT

Page 35:

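Infinity Total Protection Gen V Security Architecture

Shared real-time threat intelligence

Consolidated security management

Mobile devices

Endpoint devices

Hybrid cloud

Perimeter network and data center

Cloud services Cloud services Mobile devices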

Page 36:

THANK YOU

