Thanks for joining!
We will begin in just a few minutes as more people come on line.
IoT Security Talks – Industrial Protocols and Security Implications
2016 May 12
Robert Albach – Product Line Manager IoT Security
Sunil Maryala – Technical Marketing Engineer IoT Security
Agenda
:00 – Welcome to Tech Talks
:03 – Industrial Protocols
@ :45 – Question and Answer
Topics:
• Mechanics of Tech Talks
• Protocol Diversity
• Security state of OT Protocols
• Where the protocols are found in the network
• Security for OT Protocols
Tech Talk Mechanics
How these events will operate
• With many people on-line we will mute all but the presenters
• We will try to answer questions at the end
• Please use the “Question and Answer” feature for questions
• If we don’t get to your question, we will try to answer them off-line
• The presentation and recording will be placed on the Community support site:
https://supportforums.cisco.com/
Who This Presentation is For:
• Cisco customers, partners, employees
• Assumption:
• Your background is primarily in classic IT environments
• OR
• You are an OT practitioner with security responsibility
• You have some amount of security background / responsibility
• You are likely to have some responsibility in OT in the future or do so already.
What is the OT Thing?
• Operations Technology
• “Industrial” NW and Compute
• Working with electronic endpoints (IEDs) where the end point generally has no people involved
• Autonomous but highly limited
• More than SCADA
• …and what is that SCADA (Supervisory Control and Data Acquisition) thing?
• Or is that ICS (Industrial Control Systems)?
• Literally Different / Frequently used Interchangeably
• Depends on your POV
Some Quick IT vs. OT Differences
• How Networks were built
• Network / Device Attributes
• Network traffic differences
IT Networks – Data Flows
• End points are smart – independently driven.
• If data leaves – it goes far…
  Web – data center / internet
  File / Print shares
• Nearby devices largely unrelated
• When the end points talk:
  Short conversations
  Lots of connections
  Short TCP sessions – SYN SYN/ACK ACK – a few secs max
  Largely egalitarian – anybody talk to anybody
OT Networks – Data Flows
• End points are not smart – repetitive.
• If data leaves – it goes to same places …or not far at all
• Interaction is largely local
• Movement not very visible
  if it does leave – streams out
  Not a conversation usually
• When the end points talk:
  Long conversations
  Few connections
  Long TCP sessions – lots of keep alives – hours / days!
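The IT vs. OT traffic profile above is something a defender can actually measure. The following is an added example (not from the talk): it profiles each source host by distinct peers, connection count and mean session length over constructed flow records, labels the host "it" or "ot" using the talk's characterisation, and flags an inventoried OT endpoint whose behaviour has drifted to an IT-style pattern. The thresholds, addresses and flow records are all assumptions for illustration.

```python
"""Profile hosts by connection behaviour (short/many/egalitarian vs.
long/few/local) and flag an OT endpoint that stops behaving like one.
Added example; the flow records below are constructed, not captured data."""
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    duration_s: float   # how long the TCP session stayed open


# Constructed flows: 10.1.0.0/24 is a cell/area zone with a PLC (10.1.0.10)
# and an HMI (10.1.0.20); 192.168.5.x are office workstations.
FLOWS = [
    # HMI polling the PLC over Modbus/TCP: one long session kept alive for hours
    Flow("10.1.0.20", "10.1.0.10", 502, 6.0 * 3600),
    Flow("10.1.0.20", "10.1.0.10", 502, 4.0 * 3600),
    # office workstation: many short sessions to many destinations
    Flow("192.168.5.7", "93.184.216.34", 443, 2.0),
    Flow("192.168.5.7", "192.168.5.250", 445, 5.0),
    Flow("192.168.5.7", "10.20.0.5", 443, 1.5),
    Flow("192.168.5.7", "10.20.0.9", 80, 0.8),
    Flow("192.168.5.7", "93.184.216.35", 443, 3.0),
    # the PLC itself opening short sessions to many hosts: not its profile
    Flow("10.1.0.10", "10.1.0.11", 502, 0.2),
    Flow("10.1.0.10", "10.1.0.12", 502, 0.2),
    Flow("10.1.0.10", "10.1.0.13", 502, 0.2),
    Flow("10.1.0.10", "10.1.0.14", 502, 0.2),
    Flow("10.1.0.10", "192.168.5.250", 445, 0.3),
]

# Thresholds are assumptions for the example; tune per site from a baseline.
MAX_OT_PEERS = 3          # an OT endpoint talks to a handful of fixed peers
MIN_OT_SESSION_S = 600.0  # ...and keeps its sessions open for a long time


def profile(flows, src):
    """Return (distinct_peers, connections, mean_duration_s) for one source host."""
    mine = [f for f in flows if f.src == src]
    if not mine:
        return (0, 0, 0.0)
    peers = {f.dst for f in mine}
    return (len(peers), len(mine), mean(f.duration_s for f in mine))


def classify(flows, src):
    """'ot' if the host looks like a repetitive, local, long-session endpoint,
    'it' if it looks like a chatty workstation, 'unknown' if it sent nothing."""
    peers, _, avg = profile(flows, src)
    if peers == 0:
        return "unknown"
    return "ot" if peers <= MAX_OT_PEERS and avg >= MIN_OT_SESSION_S else "it"


def find_profile_drift(flows, expected):
    """expected maps host -> profile the asset inventory says it should have.
    Returns the hosts whose observed behaviour no longer matches it."""
    return sorted(h for h, want in expected.items() if classify(flows, h) != want)


if __name__ == "__main__":
    inventory = {"10.1.0.10": "ot", "10.1.0.20": "ot", "192.168.5.7": "it"}
    for host in inventory:
        print(host, profile(FLOWS, host), classify(FLOWS, host))
    print("drift:", find_profile_drift(FLOWS, inventory))
```

The point of the check is not the thresholds but the baseline: because OT endpoints talk to the same few peers for hours or days, a PLC that suddenly opens many short sessions stands out far more clearly than the same behaviour would on an IT segment.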
Most of the “things” in IoT:
Won’t have an IP Address
How to Wire a PLC
Sample Assets to Protect
Asset | Description | Examples and Notes
IEDs | Intelligent Electronic Device – Commonly used within a control system, and is equipped with a small microprocessor to communicate digitally. | Sensor, actuator, motor, transformer, circuit breaker, pump
RTUs | Remote Terminal Unit – Typically used in a substation or remote location. It monitors field parameters and transmits data back to a central station. | Overlap with PLC in terms of capability and functionality
PLCs | Programmable Logic Controller – A specialized computer used to automate control functions within an industrial network. | Most PLCs do not use a commercial OS, and use “ladder logic” for control functions
HMIs | Human Machine Interfaces – Operator’s dashboard or control panel to monitor and control PLCs, RTUs, and IEDs. | HMIs are typically modern control software running on modern operating systems (e.g. Windows).
Supervisory Workstations | Collect information from industrial assets and present the information for supervisory purposes. | Unlike an HMI, a supervisory workstation is primarily read-only.
Data Historians | Software system that collects point values and other information from industrial devices and stores them in a specialized database. | Typically with built-in high availability and replicated across the industrial network.
Other Assets | Many other devices may be connected to an industrial network. | For example, printers can be connected directly to a control loop.
[Figure: asset chart with axes “Less ← Complexity → More” and “Less ← Threat Vectors → More”; data labels 2%, 40%, 40%, 8%, 10%]
Modbus
• Created by Modicon (now Schneider) – first PLC Vendor – 1970s
• Control Body – Modbus Organization - modbus.org
• Technology and Organization Variants:
• Modbus RTU / Modbus ASCII / Modbus TCP / Modbus Plus / others
• Modbus PEMEX / Enron Modbus
• Transport varies – some serial, some IT network types
• Some variants require special hardware for PC communications
Profibus / Profinet
• Created by German Consortia (Siemens Primary Adopter) – 1989
• Control Body – PROFIBUS & PROFINET International – profibus.com
• Technology Variants:
• PROFIBUS / PROFINET / PROFIsafe / PROFIdrive / PROFIenergy
• RT / IRT
• Fieldbus and modern networking transport
• Special chips for protocol acceleration (optional)
CIP – Common Industrial Protocol
• Predecessor Allen-Bradley (Rockwell) (Bosch CAN chip base) – 1994
• Control Body – Open DeviceNet Vendor Association – odva.com
• Technology Variants:
• DeviceNet / EtherNet/IP / ControlNet / CompoNet
• CIP Safety / CIP Energy / CIP Synch / CIP Motion / CIP Security
• Fieldbus and modern networking transport
DNP – Distributed Network Protocol
• Created by Weston – GE-Harris Canada – 1993
• Control Body – Distributed Network Protocol User Group dnp.org
• Technology Variants:
• DNP / DNP3 / opendnp3
Other Manufacturing* Protocols
• HART – Highway Addressable Remote Transducer <Fieldbus>
• OPC - Open Platform Communication – was OLE for Process Control
• CAN / CANBUS – Controller Area Network – serial bus system
• PTP – Precision Timing Protocol (highly precise / requires special HW)
IEC 60870-5-104
• International standard for telecommunications in utilities – 2000
• Focus on communication between control and substations
• Runs over TCP / IP
ICCP - Inter-Control Center Communications Protocol
• ICCP or IEC 60870-6/TASE.2 - 1992
• Focus on communication between control and substations / utilities
ICS Specific Protocols
Company | Protocols
ABB | ABB Time Sync Multicast; MI – Multisystem Integration Protocol; RNRP – Redundant Network Routing Protocol; RemSys – Show Remote System Protocol
Honeywell | Honeywell CDA; Honeywell FTE; Honeywell Safety Manager; PLANTSCAPE
Allen-Bradley | Ethernet/IP – CIP; Rockwell CSP (TCP & UDP)
Schneider | Modbus/TCP; Modbus/UDP
HIMA | HIMA HiMAX-HIMatrix-(X)OPC; HIMA HiMatrix RIO; HIMA HiQuad-OPC-DA; HIMA ELOP II; HIMA X-OPC Computer
Siemens | PROFINet Context Manager; PROFINet Multicast; PROFINet Unicast; S7Com
Emerson | DeltaV
Wago | Wago CoDeSys
Generic Industrial | ICCP; DNP3; FF Fieldbus Message Specification; FF System Management; GOOSE – IEC 61850 Interface; IEC MMS; IEC 60870-5-104; IEEE 1588 Precision Time Protocol; ISO Network Layer Protocol; MRP – Media Redundancy Protocol; OPC – Classic TCP
Yokogawa | Yokogawa Stardom; Vnet/IP
Belden | HiPER Ring Protocol; Hirschmann Redundant Ring Coupling; Tofino CMP
GE | GE QuickPanel Configuration Protocol; GE SRTP; MOST/PAC8000 API
Participating in 58 industrial standards efforts
IEEE / IEC / ISA / ISO / IETF / AVnu / HART / ETSI / Heathrow / OPC / ProfiNET / OMG – DDS / OIC / IIC / FDT / ODVA / OASIS / AllSeen / OneM2M / Wi-Sun / LORa / SiGFOX / ETSI / SAE / ITU / UCA / CIGRE(T) / COW / HomePlug / G3 / AIOTI
Cisco Industrial Standards Participation
IEC 61850 – Utility, Industrial, Transportation (Data)
IEC 62351 – Utility, Industrial, Smart City (Security)
IEC 62357 – Utility, Smart Cities (Architecture)
IEC 62443 – Energy et al., Industrial (PCS Security)
IEC 61508 – Industrial, Utility, other energy (Safety)
Industrial Protocols - General Security Concerns
• Early developments of many protocols made few provisions for security
• Focus was on interoperability and continuity
• Master / Slave relationships within serial communications
• No encryption (but there are reasons not to in some cases)
• Authentication in particular is commonly lacking
• Some protocols utilize broadcasting for communications
• Legacy devices built on assumption of limited communication complexity
Modbus Legacy Security Issues
• Endpoint authentication not a default operation
  Nothing more needed than address and function call
• Modbus message content is not validated by application
  Dependent on network stack
  No real integrity checking
• DOS easily initiated
  More a function of the end-points’ inability to handle processing
Profibus / Profinet Legacy Security Issues
• Endpoint authentication lacking in older Profibus
  Assumption of master to slave exclusivity – slave has a single master
  Some revs could allow for slave to slave comms or slave to master
• Modbus message content is not validated by application
  Dependent on network stack
  No real integrity checking
• DOS easily initiated
  More a function of the end-points’ inability to handle processing
DNP / DNP3 Legacy Security Issues
• Abuse of unsolicited messaging
  Feeding masters with spoofed status
  Suppressing of potential alarms by suppressing unsolicited messaging
• Ready acceptance of unauthorized commands
• DOS easily initiated
  More a function of the end-points’ inability to handle processing
ICCP Legacy Security Issues
• Lack of encryption
  ICCP’s use in WANs makes this a greater area of concern
• MITM / Spoofing / Masquerade
  WAN use introduces more potential physical points of intercept
• DOS easily initiated
  More a function of the end-points’ inability to handle processing
Where are these Protocols Found? Manufacturing Protocols
[Diagram: manufacturing protocol placement – FieldBus, TCP/IP]
Where are these Protocols Found? Utility Protocols
[Diagram: utility protocol placement – DNP, ICCP]
IT Boxes for OT OR OT Boxes for OT
The right box for the right place.
Location in the NW Determines Traffic Visibility
Simple Solution (In a Perfect World)
• Update to the Most Recent Version
  Modern equivalents are more secure
  Vulnerabilities are patched
• Encrypt Communications Everywhere
  BUT…
  How much of the legacy system will support it?
  What kind of latency might encryption introduce?
• Remember – Industrial Equipment is Expected to Last for Decades
Real World Solution
1. Proper network design
2. Secure End-Points
  Not really a protocol solution
3. Encrypt at higher Levels of Network / WANs
4. Protocol Control and Inspection
Evolve to Security: Phased Security Architecture
[Diagram: zone / level reference model with the security phases overlaid]
Zones and levels shown:
  Level 5 / Level 4 – Enterprise Zone: Enterprise Network; Site Business Planning & Logistics Network (E-Mail, Intranet, etc.)
  DMZ: Terminal Server, RDP Server, App Server, Patch Mgmt.
  Level 3 – Manufacturing Zone: Site Manufacturing Operations and Control (FactoryTalk App Server, FactoryTalk Directory, Engineering Workstation, Domain Controller)
  Level 2 – Cell/Area Zone: Area Supervisory Control (FactoryTalk Client, HMI, Magelis HMI, Engineering Workstation, Operator Interface)
  Level 1 – Basic Control: Batch Control, Discrete Control, Drive Control, Continuous Process Control, Safety Control
  Level 0 – Process: Sensors, Drives, Actuators, Robots
Phases shown:
  First Level – Secured Connectivity: Zone Segmentation, Controlled Conduits
  Second Level – Secured Visibility & Control: Application Control, Threat Control
  Third Level – Converged Security & Depth: Policy Driven Response, Deeper Vision / Control
Zone Design to Mitigate: Potential Broadcast / AuthZ
• Design your networks
  • Physical / Logical Organization
  • Mostly Physical
• Remember the OT NW Traffic Profile?
  • Intra-”cell” traffic is dominant
  • Little cell to cell communication
  • Lends itself to the zone / conduit model
Conduit Design to Mitigate: Broadcast / AuthZ
• Controlled Communications
  • Think ACLs
    • DACLs?
    • Or perhaps Security Group Tags (SGTs)?
  • Think VLANs
• Secured Communications
  • Think VPNs
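The zone / conduit model in the two slides above, as an added example that is not part of the talk: a default-deny policy check in Python where traffic inside a cell is allowed, traffic crossing a zone boundary must match an explicit conduit, and nothing else passes. The same conduit table is also rendered as IOS-style extended ACL lines to make the "Think ACLs" step concrete. The zone names, prefixes, ports and conduits are assumptions for illustration, not a real site design.

```python
"""Zone / conduit model: intra-zone traffic allowed, cross-zone traffic only
through an explicit conduit, everything else denied. Added example with
constructed zones and conduits (assumptions, not a real site)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Conduit:
    src_zone: str
    dst_zone: str
    proto: str     # "tcp" or "udp"
    dport: int


# Constructed zones: cell zones hold PLCs/IEDs, the supervisory zone holds
# HMIs and historians, the DMZ brokers access from the enterprise network.
ZONES = {
    "cell-a":      ipaddress.ip_network("10.1.0.0/24"),
    "cell-b":      ipaddress.ip_network("10.1.1.0/24"),
    "supervisory": ipaddress.ip_network("10.2.0.0/24"),
    "dmz":         ipaddress.ip_network("10.9.0.0/24"),
    "enterprise":  ipaddress.ip_network("192.168.0.0/16"),
}

# Each conduit is one controlled path. Note what is absent: no cell-to-cell
# conduit, and no conduit from the enterprise zone into any cell.
CONDUITS = [
    Conduit("supervisory", "cell-a", "tcp", 502),    # HMI -> PLC, Modbus/TCP
    Conduit("supervisory", "cell-b", "tcp", 44818),  # HMI -> PLC, EtherNet/IP
    Conduit("supervisory", "cell-b", "udp", 2222),   # EtherNet/IP implicit I/O
    Conduit("dmz", "supervisory", "tcp", 3389),      # jump host into supervisory
    Conduit("enterprise", "dmz", "tcp", 3389),       # enterprise reaches only the DMZ
]


def zone_of(ip):
    """Name of the zone containing ip, or None if it belongs to no zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def permitted(src_ip, dst_ip, proto, dport):
    """Default-deny decision for a single flow."""
    s, d = zone_of(src_ip), zone_of(dst_ip)
    if s is None or d is None:
        return False           # unknown address: not part of any zone
    if s == d:
        return True            # intra-cell traffic dominates in OT; allowed
    return Conduit(s, d, proto, dport) in CONDUITS


def as_extended_acl(name="OT-CONDUITS"):
    """Render the conduits as IOS-style extended ACL lines (wildcard masks),
    ending with an explicit deny so the default-deny intent is visible."""
    lines = [f"ip access-list extended {name}"]
    for c in CONDUITS:
        s, d = ZONES[c.src_zone], ZONES[c.dst_zone]
        lines.append(f" permit {c.proto} {s.network_address} {s.hostmask} "
                     f"{d.network_address} {d.hostmask} eq {c.dport}")
    lines.append(" deny ip any any")
    return lines


if __name__ == "__main__":
    print("\n".join(as_extended_acl()))
    print(permitted("10.2.0.5", "10.1.0.10", "tcp", 502))    # HMI -> PLC: True
    print(permitted("192.168.5.7", "10.1.0.10", "tcp", 502)) # enterprise -> PLC: False
```

The rendered ACL only describes the request direction; on a stateful firewall at the conduit the return traffic is handled by the connection table, whereas on a plain router ACL you would also need the reverse entries. Either way the conduit list, not the device, is the thing to review when a new protocol path is requested.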
Viewing Industrial Protocols – Proximity
[Diagram: the same zone / level reference model as in “Evolve to Security: Phased Security Architecture” above, showing where in the network each protocol is visible]
ISA 3000 – SW Architecture
Industrial Security Appliance
ASA Firewall: Access Control – Device / User; VPN; Quality of Service; Packet Storms
FirePower Services: Application FW; Threat Control; Device ID; Behaviour Control
ASDM – On-Box Management
• IPS based Rules
  • Industrial Protocol specific parsers
    • 200+
    • Growing rapidly – 100+ in last 12 months
  • Threats
• Application Control
  • Can control parameter ranges
  • Customizable
  • Automation vendor created rules
• Application Identification
  • OpenApp ID
  • App ID
    • Coarse ID + Control
    • Capable of much more
Industrial Protocol Specific Coverage
ISO MMS, IEC 60870-5-104, GOOSE, GSE, COSEM, BACnet, OPC-UA, Honeywell Control / Experion, Emission Control Protocol
Industrial Protocol Identification
RA = Rockwell Automation
ODVA – CIP / EIP
Protocol Parser – Modbus
[Screenshot: parsed Modbus fields – Function, Unit, Parameter, Value (Data)]
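The Modbus legacy issues slide (address plus function code is all a request needs, no integrity checking beyond the network stack) and the protocol-control slides just above (parsers, application control, parameter ranges) describe the two halves of one picture. As an added example, not the appliance's own rules or code: a Modbus/TCP parser that pulls out exactly the fields the screenshot shows (unit, function, parameter, value), and an inspection policy that allows only listed function codes per source and unit and bounds the register address and value on a write. The policy table, hosts and sample frames are constructed assumptions.

```python
"""Modbus/TCP frame parsing plus an inspection policy at the conduit.
Every frame is MBAP header + function code + data, with no authentication
or integrity field of its own, so the control point has to decide from the
addressing, function code and parameter values alone. Added example;
the policy table and sample frames are constructed."""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Modbus function codes used below (public Modbus application protocol spec)
READ_HOLDING_REGISTERS = 0x03
WRITE_SINGLE_COIL = 0x05
WRITE_SINGLE_REGISTER = 0x06


@dataclass(frozen=True)
class ModbusFrame:
    transaction_id: int
    protocol_id: int
    length: int
    unit_id: int
    function: int
    data: bytes


def parse_mbap(frame: bytes) -> ModbusFrame:
    """Parse one Modbus/TCP ADU. Raises ValueError on malformed input; the
    length field is the only consistency check the format itself offers."""
    if len(frame) < 8:
        raise ValueError("short frame")
    tid, pid, length, unit, func = struct.unpack(">HHHBB", frame[:8])
    if pid != 0:
        raise ValueError(f"unexpected protocol id {pid}")
    if length != len(frame) - 6:      # length covers unit id + function + data
        raise ValueError(f"length field {length} disagrees with frame size")
    return ModbusFrame(tid, pid, length, unit, func, frame[8:])


@dataclass(frozen=True)
class Rule:
    src: str                 # source host allowed to issue the request
    unit_id: int
    functions: frozenset     # function codes permitted for that pair
    # (min_addr, max_addr, min_val, max_val) for write-single-register
    register_bounds: Optional[Tuple[int, int, int, int]] = None


# Constructed policy: the HMI may read holding registers and write the
# setpoint registers 0x0010..0x0013 with a value 0..1500; nothing else passes.
POLICY = [
    Rule("10.2.0.5", 1, frozenset({READ_HOLDING_REGISTERS, WRITE_SINGLE_REGISTER}),
         register_bounds=(0x0010, 0x0013, 0, 1500)),
]


def inspect(src_ip: str, frame: bytes) -> str:
    """Return 'allow' or 'deny: <reason>' for one request frame."""
    try:
        f = parse_mbap(frame)
    except ValueError as e:
        return f"deny: malformed ({e})"
    rule = next((r for r in POLICY if r.src == src_ip and r.unit_id == f.unit_id), None)
    if rule is None:
        return f"deny: no rule for {src_ip} -> unit {f.unit_id}"
    if f.function not in rule.functions:
        return f"deny: function 0x{f.function:02x} not permitted"
    if f.function == WRITE_SINGLE_REGISTER:
        if len(f.data) != 4 or rule.register_bounds is None:
            return "deny: malformed or unbounded write"
        addr, value = struct.unpack(">HH", f.data)
        lo_a, hi_a, lo_v, hi_v = rule.register_bounds
        if not lo_a <= addr <= hi_a:
            return f"deny: register 0x{addr:04x} outside permitted range"
        if not lo_v <= value <= hi_v:
            return f"deny: value {value} outside permitted range"
    return "allow"


def sample_request(tid: int, unit: int, function: int, data: bytes) -> bytes:
    """Assemble a well-formed Modbus/TCP ADU for the constructed samples."""
    return struct.pack(">HHHBB", tid, 0, 2 + len(data), unit, function) + data


if __name__ == "__main__":
    hmi = "10.2.0.5"
    print(inspect(hmi, sample_request(1, 1, READ_HOLDING_REGISTERS, struct.pack(">HH", 0, 10))))
    print(inspect(hmi, sample_request(2, 1, WRITE_SINGLE_REGISTER, struct.pack(">HH", 0x0011, 900))))
    print(inspect(hmi, sample_request(3, 1, WRITE_SINGLE_REGISTER, struct.pack(">HH", 0x0011, 5000))))
    print(inspect("10.1.0.11", sample_request(4, 1, READ_HOLDING_REGISTERS, struct.pack(">HH", 0, 1))))
```

Note what the policy cannot do: the source address is the only identity the frame carries, so this inspection adds nothing unless it sits on a conduit where zone segmentation already constrains who can reach the PLC. That is why "protocol control and inspection" is step 4 of the real-world solution, after network design.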
Summary
• Multiple Non-Interoperable protocols in same location doing the same thing
• Many legacy devices working well, but requiring older insecure protocols
• IF viable move to more modern and secure protocol equivalents
• Look to put the right security equipment in the right place, equipment that truly understands the protocol
• <Look for the follow up session on how to phase in industrial security>
Before the Q&A Session
• Thanks for attending.
• Let us know:
• Was this session worth while to you?
• What future topics would you like to see?
• How might we improve these events?
• Send an email to:
• Robert Albach
Q&A
Please use the Question and Answer section of WebEx
THANKS!