© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1
IoT Security Update: Understanding IT vs. OT Concerns
Robert Albach
Security Product Line Manager
Cisco IoT Business Unit
• This session discusses the security options available today in the Cisco portfolio for some sample industrial needs, as well as coming products.
• We will discuss a step-by-step approach to building out a secured OT infrastructure for your customers.
• Primarily IT oriented audience with some industrial networking awareness.
• NetAcad students and Instructors
• A moderate to good grounding in security and network design concepts.
• Why the need for a change in OT Security?
• Some Quick IT vs. OT Differences
• Where to Start with Security
• Phased Approach
• Learning – Your own Progress to Success
• Operations Technology
“Industrial” networking and compute
Working with electronic endpoints (IEDs), where the endpoint generally has no people involved
Autonomous but highly limited
More than SCADA
…and what is that SCADA (Supervisory Control and Data Acquisition) thing?
Or is that ICS (Industrial Control Systems)?
Same / Different
Depends on your POV
Why Must OT Security Change?
• Trends in discovery and correlation with external events.
[Chart: per-year counts for 2001 through 2014 of three series, Vulns, Stux News (Stuxnet coverage) and Black Hat, plotted against two axes (0 to 14 and 0 to 400).]
Source: osvdb.org; Black Hat; Google News search
• How Networks were built
• Network / Device Attributes
• Network traffic differences
• Manufacturing
Ad hoc: “This piece of the network was built by our paint system provider.”
Multiple sources: “This section came from the conveyor system.”
Assembled: “The integrator put these pieces together.”
• Utilities
Top down: “We (our engineering consultants) built this sub-station.”
Integrated: “We interface with the LCRA here (grid interconnects).”
Telecom groups (if the utility is large enough)
• Transport
Bus / Train / Plane / Boarding systems / ticket systems / physical security
Each from a different source / different “network”
• Oil and Gas / Mining
Upstream – exploration / drilling / production / pipeline
Downstream – refinery / pipeline / retail
Security Policies: IT Network vs. IoT Network
Focus
IT: Protecting intellectual property and company assets
IoT: 24/7 operations, high OEE, safety, and ease of use
Priorities
IT: 1. Confidentiality, 2. Integrity, 3. Availability
IoT: 1. Availability, 2. Integrity, 3. Confidentiality
Types of Data Traffic
IT: Converged network of data, voice and video (hierarchical)
IoT: Converged network of data, control protocols, information, safety and motion (P2P and hierarchical)
Access Control
IT: Strict network authentication and access policies
IoT: Strict physical access; simple network device access
Implications of a Device Failure
IT: Continues to operate
IoT: Could stop processes, impact markets, cause physical harm
Threat Protection
IT: Shut down access to the detected threat and remediate
IoT: Potentially keep operating with a detected threat
Upgrades and Patch Management
IT: ASAP, during uptime
IoT: Scheduled, during downtime
Most commonly heard concerns: availability, safety, and ease of use
Biggest pain point is the management of who, what, where, when, and how (people, data, devices, and processes)
Asset: Description. Examples and Notes.
IEDs: Intelligent Electronic Device. Commonly used within a control system, and equipped with a small microprocessor to communicate digitally. Examples: sensor, actuator, motor, transformer, circuit breaker, pump.
RTUs: Remote Terminal Unit. Typically used in a substation or remote location; it monitors field parameters and transmits data back to a central station. Notes: overlaps with the PLC in capability and functionality.
PLCs: Programmable Logic Controller. A specialized computer used to automate control functions within an industrial network. Notes: most PLCs do not use a commercial OS, and use “ladder logic” for control functions.
HMIs: Human Machine Interface. The operator’s dashboard or control panel to monitor and control PLCs, RTUs, and IEDs. Notes: HMIs are typically modern control software running on modern operating systems (e.g. Windows).
Supervisory Workstations: Collect information from industrial assets and present it for supervisory purposes. Notes: unlike an HMI, a supervisory workstation is primarily read-only.
Data Historians: Software system that collects point values and other information from industrial devices and stores them in a specialized database. Notes: typically built with high availability and replicated across the industrial network.
Other Assets: Many other devices may be connected to an industrial network. For example, printers can be connected directly to a control loop.
[Figure: the asset classes above placed on two scales, less to more complexity and fewer to more threat vectors, beside a pie chart with slices of 2%, 40%, 40%, 8% and 10% (slice labels not recoverable from the slide).]
Every Network has its Challenges
IT Networks
Lots of Different Applications
Dynamic
Interoperability rarely constrained
Large market of knowledgeable workers
OT Networks
Fixed / Limited Applications
Stagnant / Stable
Limited interoperability
IT Networks – Data Flows
End points are smart, independently driven.
If data leaves, it goes far…
Web: data center / internet
File / print shares
Nearby devices largely unrelated
When the end points talk:
Short conversations
Lots of connections
Short TCP sessions (SYN, SYN/ACK, ACK), a few seconds max
Largely egalitarian: anybody talks to anybody
OT Networks – Data Flows
End points are not smart; traffic is repetitive.
If data leaves, it goes to the same places
…or not far at all
Interaction is largely local
Movement not very visible
If it does leave, it streams out
Not a conversation
When the end points talk:
Long conversations
Lots of connections
Long TCP sessions with lots of keepalives, lasting hours or days
• An attribute of discrete / segmented modularly built networks <like manufacturing systems>
• Generally references network span
• Small subnets
• Zone segmentation much more than VLANs
*Rockwell Automation
• NTP – Network Time Protocol
Precision: coarse
Driven by the CPU or motherboard oscillator
• PTP – Precision Time Protocol (IEEE 1588)
Precision: around 100 ns
Needs specialized hardware (PHY-level timestamping)
Smart Grid
Industrial Solutions
• Weak access controls to HMIs and other equipment
− No separation of duties between operator, administrator and audit roles
− Little or no password management
• Physical segmentation of the SCADA network
− Dual-homed servers or PLCs act as the “firewall”
− The segmented network relies on physical security alone
• Unauthenticated command execution
• Communication is unencrypted
• Outdated operating systems left unpatched
• Rogue wireless access points without encryption
• Insufficient controls on contractors (e.g. access policy, laptops, etc.)
By Count most of the “things” in IoT: Won’t have an IP Address
• The obvious: industrial conditions are more strenuous
• Next obvious: meeting those needs is not an “add-on” activity
• Not so obvious: never confuse “operating” levels with “non-operating” levels
Believability / Liability
Operating environment: -40C to 60C in a fully enclosed cabinet (no airflow)
Storage environment: -40C to +85C
• Driven by the IT vs. OT differences discussed
Frequently - Latency trumps Throughput
Frequently - Application control trumps Threat control
Frequently – Simplicity trumps Sophistication
This equipment *might* get swapped out in a decade.
…Availability trumps Security
• Hardware / Software must change to respond
• Introduce Ethernet
• ISA-99 compliance (ISA-99 has since become ISA/IEC 62443)
Separate / segregate into zones
Connect via conduits
Zones and conduits are defined by functions, protocols and applications
• Design your networks
Physical / Logical Organization
Mostly Physical
• Remember the OT NW Traffic Profile?
Intra-”cell” traffic is dominant
Little cell to cell communication
Lends itself to the zone / conduit model
Controlled Communications
Think ACLs
Downloadable ACLs (dACLs)?
Or perhaps Security Group Tags (SGTs)?
Think VLANs
Secured Communications
Think VPNs
Phase 1: What they have today –
Network design
Switches and Routers
Phase 2: With dedicated security offerings
Firewalls (ASA)
NG IPS (SourceFire)
Phase 3: Beyond Zones and Conduits
• A bad network design is as big a threat to security success as the lack of security.
• Better to know what you are missing than to think you are safe.
[Figure: a machine-level network as found in the field: enterprise Ethernet above a proprietary Ethernet, with I/O fieldbus, motion net and safety net beneath and links “to next machine”; the topologies mix star, trunk/drop, fiber ring and daisy chain.]
This does not mean that there was no architecture; it is likely that the architecture eroded over time.
• Switches / Routers / Wireless
• Management
• Advantages:
Simple – easily achieved, limited knowledge needed
Checkbox security
• Disadvantages:
Static – less flexible
Usually results in wider access than desired
VLAN propagation
• Get them networked!
• Design the network with Zones / Conduits in mind.
• Build the network with the future in mind – dedicated security appliances / features
• What to deploy:
Industrial Switches / Routers / Wireless (combinations)
NW Expertise
• Who:
Local Buying Center
OT Centric
Some Possible IT Department Involvement
Basic NW knowledge at play (but still possibly new)
• Dedicated Security Appliances
• Network Security Monitoring – Level 1
• Who:
Local Buying Center
OT Centric
Some Possible IT Department Involvement
Introducing Security unique knowledge
Assume there are no CC** involved in the implementation
Don’t assume they are dumb – they debug with oscilloscopes
• Where: at major demarcation points
IT >> OT boundary (Purdue Level 3.5, the industrial DMZ)
Physical / functional network boundaries:
Plant level / generation level
Floor level / distribution level
Cell level / sub-station level
• What: firewall / IPS
Multi-context for traffic-specific needs
VPNs
Application control: protocols / applications / individual commands
Threats: generic / OS-specific / application-specific
Don’t just throw an IT solution with a few new signatures into a 3rd-party shell!
[Figure: front-panel callouts of a ruggedized industrial security appliance: RJ console, mini USB console with hazloc screw, front serial label, reset, dual USB-A with hazloc screws, power inputs A and B (5.0 mm centers), alarm connector (3.81 mm centers), chassis ground connection, RJ management port, two pairs of dual Ethernet ports and an SD card slot.]
…and this device should run for DECADES
• Identifiers
Threats
Protocols
Applications / Commands / Devices
• Configurations
OT Rules Configurations
OT Function Prioritizations
IT Rules / Function De-Prioritizations
• Threat protection grows as threats grow
• Updates are like AV updates: automated, with no impact on the base code
Example Snort PROTOCOL-SCADA rules, listed as (GID:SID) and message:
(1:29202) PROTOCOL-SCADA Modbus read coil status response - too many coils
(1:29203) PROTOCOL-SCADA Modbus read fifo response invalid byte count
(1:29204) PROTOCOL-SCADA Modbus read holding register response - invalid byte count
(1:29205) PROTOCOL-SCADA Modbus read input registers response invalid byte count
(1:29206) PROTOCOL-SCADA Modbus read write register response - invalid byte count
(1:29317) PROTOCOL-SCADA Modbus invalid exception message
(1:29318) PROTOCOL-SCADA Modbus invalid encapsulated interface response
(1:29319) PROTOCOL-SCADA Modbus invalid encapsulated interface request
(1:29505) PROTOCOL-SCADA IGSS dc.exe file execution directory traversal attempt
(1:29515) PROTOCOL-SCADA ScadaTec Procyon Core server password overflow attempt
(1:29534) PROTOCOL-SCADA CODESYS Gateway-Server invalid memory access attempt
(1:29954) PROTOCOL-SCADA CODESYS Gateway-Server heap buffer overflow attempt
(1:29959) PROTOCOL-SCADA Siemens SIMATIC WinCC flexible runtime stack buffer overflow attempt
(1:29960) PROTOCOL-SCADA Siemens SIMATIC WinCC flexible runtime DoS attempt
(1:29964) PROTOCOL-SCADA Siemens SIMATIC WinCC flexible runtime directory traversal attempt
(1:15071) PROTOCOL-SCADA Modbus exception returned
(1:15074) PROTOCOL-SCADA Modbus user-defined function code - 65 to 72
(1:15075) PROTOCOL-SCADA Modbus user-defined function code - 100 to 110
(1:15389) PROTOCOL-SCADA OMRON-FINS memory area write attempt
(1:15390) PROTOCOL-SCADA OMRON-FINS memory area fill attempt
(1:15391) PROTOCOL-SCADA OMRON-FINS memory area transfer attempt
(1:15713) PROTOCOL-SCADA DNP3 device trouble
(1:15714) PROTOCOL-SCADA DNP3 corrupt configuration
(1:15715) PROTOCOL-SCADA DNP3 event buffer overflow error
(1:15716) PROTOCOL-SCADA DNP3 parameter error
(1:15717) PROTOCOL-SCADA DNP3 unknown object error
(1:15718) PROTOCOL-SCADA DNP3 unsupported function code error
(1:15719) PROTOCOL-SCADA DNP3 link service not supported
(1:17782) PROTOCOL-SCADA Modbus write multiple registers from external source
(1:17783) PROTOCOL-SCADA Modbus write single register from external source
(1:17784) PROTOCOL-SCADA Modbus write single coil from external source
(1:17785) PROTOCOL-SCADA Modbus write multiple coils from external source
(1:17786) PROTOCOL-SCADA Modbus write file record from external source
(1:17787) PROTOCOL-SCADA Modbus read discrete inputs from external source
(1:17788) PROTOCOL-SCADA Modbus read coils from external source
(1:17789) PROTOCOL-SCADA Modbus read input register from external source
(1:17790) PROTOCOL-SCADA Modbus read holding registers from external source
(1:17791) PROTOCOL-SCADA Modbus read/write multiple registers from external source
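The “from external source” Modbus signatures above and the application-control point on the Phase 2 slide (protocols / applications / individual commands) come down to the same check: which zone may send which Modbus function code to which PLC, and whether the frame is well-formed. The following Python is an added example written for this page; it is not Cisco code and not how Snort or Sourcefire implements these rules. The zone addresses, the conduit table, the short-session threshold and the frames are all constructed for illustration.

```python
"""Modbus/TCP conduit policy check (added example, not from the original deck).

Parses a Modbus/TCP ADU (MBAP header + PDU), decides whether the source zone
may send that function code to the destination zone (default deny between
zones), and performs the byte-count sanity check that the "invalid byte count"
response signatures look for. Zones, addresses and frames are constructed.
"""
import ipaddress
import struct

# Hypothetical zones (assumption: RFC 1918 addressing chosen for this example).
ZONES = {
    "cell1_plc": ipaddress.ip_network("10.1.1.0/24"),
    "cell1_hmi": ipaddress.ip_network("10.1.2.0/24"),
    "plant_historian": ipaddress.ip_network("10.10.0.0/24"),
}

READ_FCS = {1, 2, 3, 4}             # read coils / discrete inputs / holding regs / input regs
WRITE_FCS = {5, 6, 15, 16, 21, 23}  # single/multiple coil and register writes, file record, read/write

# Conduits: (source zone, destination zone) -> permitted function codes.
# Any pair not listed (including "external" sources) gets an empty set, i.e. deny.
CONDUITS = {
    ("cell1_hmi", "cell1_plc"): READ_FCS | WRITE_FCS,
    ("plant_historian", "cell1_plc"): READ_FCS,   # historian may poll, never write
}


def zone_of(addr):
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "external"


def parse_modbus_tcp(frame):
    """Return (transaction_id, unit_id, function_code, data) or raise ValueError."""
    if len(frame) < 8:
        raise ValueError("short frame")
    tid, proto, length, unit = struct.unpack("!HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id %d is not Modbus" % proto)
    if length != len(frame) - 6:          # MBAP length counts unit id + PDU
        raise ValueError("MBAP length %d does not match frame" % length)
    return tid, unit, frame[7], frame[8:]


def check_request(src, dst, frame):
    """Return 'allow' or a 'deny: ...' reason for a request from src to dst."""
    try:
        _, _, fc, _ = parse_modbus_tcp(frame)
    except ValueError as e:
        return "deny: malformed (%s)" % e
    permitted = CONDUITS.get((zone_of(src), zone_of(dst)), set())
    if fc in permitted:
        return "allow"
    kind = "write" if fc in WRITE_FCS else "read" if fc in READ_FCS else "fc %d" % fc
    return "deny: %s from %s to %s not in conduit" % (kind, zone_of(src), zone_of(dst))


def check_read_response(frame):
    """Sanity-check a read holding/input registers response (FC 3/4): the byte
    count must equal the trailing data length and be even (2 bytes per register)."""
    _, _, fc, data = parse_modbus_tcp(frame)
    if fc & 0x80:
        return "exception code %d" % data[0]
    if fc not in (3, 4):
        return "not a register read response"
    byte_count = data[0]
    if byte_count != len(data) - 1 or byte_count % 2:
        return "invalid byte count"
    return "ok"


def mbap(tid, unit, pdu):
    """Build an ADU: MBAP header (tid, protocol 0, length, unit) followed by the PDU."""
    return struct.pack("!HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed frames.
WRITE_REQ = mbap(1, 1, bytes([16, 0, 0, 0, 1, 2, 0x12, 0x34]))  # FC16: 1 register at 0 = 0x1234
READ_REQ = mbap(2, 1, bytes([3, 0, 0, 0, 2]))                    # FC3: 2 registers from 0
GOOD_RESP = mbap(2, 1, bytes([3, 4, 0, 1, 0, 2]))                # FC3 response, 4 bytes, 4 carried
BAD_RESP = mbap(2, 1, bytes([3, 6, 0, 1, 0, 2]))                 # claims 6 bytes, carries 4

if __name__ == "__main__":
    print(check_request("10.1.2.10", "10.1.1.5", WRITE_REQ))   # allow
    print(check_request("10.10.0.7", "10.1.1.5", WRITE_REQ))   # deny: write ... not in conduit
    print(check_request("10.10.0.7", "10.1.1.5", READ_REQ))    # allow
    print(check_request("192.0.2.9", "10.1.1.5", READ_REQ))    # deny: read from external ...
    print(check_read_response(GOOD_RESP))                       # ok
    print(check_read_response(BAD_RESP))                        # invalid byte count
```

The conduit table is the policy artifact an OT owner can actually review: it names zones and function codes, not IP addresses and signatures, which is the level at which “application control down to individual commands” has to be agreed with the people who run the cell.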
• NSM, or Network as Security Sensor / Enforcer
• Acknowledges that products alone are not enough.
• Answers the questions:
What am I looking for?
What do I do when I find it?
BUT: who knows what they are looking for?
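One answer to “what am I looking for?” follows directly from the OT data-flow slide: inside a cell the same few peers talk over the same ports in sessions that last hours or days, so a baseline of that profile makes a new talker, a new service on a known peer, or an IT-style short session stand out. The following Python is an added example written for this page, not Cisco code or any product’s logic. The flow records, the field layout (a NetFlow-style tuple plus duration) and the 60-second threshold are constructed assumptions.

```python
"""Cell-level flow baseline for network security monitoring (added example,
not from the original deck). Learns, per destination, which (source, port)
pairs talk to it during a baseline window, then classifies live flows that
break that profile. Flow records are constructed: (src, dst, dport, seconds).
"""
from collections import defaultdict

BASELINE_FLOWS = [
    ("10.1.2.10", "10.1.1.5", 502, 86400),    # HMI -> PLC, day-long Modbus session
    ("10.1.2.10", "10.1.1.6", 502, 86400),
    ("10.10.0.7", "10.1.1.5", 502, 43200),    # historian polling
    ("10.10.0.7", "10.1.1.6", 502, 43200),
    ("10.1.1.5", "10.1.2.10", 44818, 86400),  # PLC -> HMI over EtherNet/IP
]

LIVE_FLOWS = [
    ("10.1.2.10", "10.1.1.5", 502, 85000),    # known peer, long session: fine
    ("10.1.2.99", "10.1.1.5", 502, 2),        # never-seen source: new talker
    ("10.10.0.7", "10.1.1.5", 22, 3),         # known peer, new service: SSH to a PLC?
    ("10.1.2.10", "10.1.1.5", 502, 1),        # known tuple but an IT-style short session
]

# Assumption: a control conversation in this cell never lasts under a minute.
SHORT_SESSION_S = 60


def learn_baseline(flows):
    """Map each destination to the set of (src, dport) pairs seen talking to it."""
    peers = defaultdict(set)
    for src, dst, dport, _ in flows:
        peers[dst].add((src, dport))
    return peers


def classify(flow, baseline, short=SHORT_SESSION_S):
    """Return 'ok' or a one-line description of how the flow departs from the profile."""
    src, dst, dport, duration = flow
    known = baseline.get(dst, set())
    if (src, dport) not in known:
        if any(s == src for s, _ in known):
            return "new service: %s -> %s:%d" % (src, dst, dport)
        return "new talker: %s -> %s:%d" % (src, dst, dport)
    if duration < short:
        return "short session on known conduit: %s -> %s:%d (%ds)" % (src, dst, dport, duration)
    return "ok"


def alerts(live, baseline):
    """Everything in the live window that is not 'ok', in arrival order."""
    return [c for c in (classify(f, baseline) for f in live) if c != "ok"]


if __name__ == "__main__":
    base = learn_baseline(BASELINE_FLOWS)
    for line in alerts(LIVE_FLOWS, base):
        print(line)
```

Two practical caveats belong with this. The baseline window has to be long enough to include scheduled but infrequent activity (vendor maintenance, a nightly historian job), or the first such event after go-live becomes a false “new talker”. And the short-session test depends on how the collector exports flows: an inactive timeout that splits one long Modbus session into several records will not make it look short, but a very small active timeout will, so the threshold should be set with the exporter’s timers in hand.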
• General MSSP Services
Your Services
Cisco Remote Managed Services
Your Favorite Partner
IT Department’s Favorite Partner
• OT Knowledgeable
Your Services
Cisco Secure Ops
Your Favorite Partner
Probably not IT Department’s Favorite Partner
• Beyond Zones and Conduits
• Where the IT and OT NW and Security Converge
• Who:
More Central IT Buying Center
IT NW and IT Security Involved
Dedicated Security teams
IT
OT (hopefully)
• Security Overlays
Enhanced Access Control Policy Management
SIEMs
Network Behavior Analysis
• Enhanced Protections
Heuristics
Malware ID
Sandboxing
• Content
Web
• ISE*
• Partner SIEMs*
• Cisco Cyber Threat Defense*
• IOC*
• AMP*
• ThreatGRID*
• ESA
• WSA
• Networking
• Security Basics
ASA (Firewall)
SourceFire (NG IPS)
• Trustsec / ISE
• Cisco Connected X / Industry Solutions
Cisco Architectures with Security
Robert Albach