Rani Kehat of Elbit discusses Application Whitelisting and Deep Packet Inspection (DPI) used to protect ICS.
©2014 by Elbit Systems | Elbit Systems Proprietary
Cyber security for ICS
[Slide graphic: Level 1, Level 2, Level 3]
Rani Kehat, CISSP
Director Marketing, Intelligence & Cyber Solutions, Elbit
[email protected]
Sitting by my computer screen
White turns to Black, Black turns to White
All just Shades of Grey
ICS Protection – Application and DPI White Listing
AIG – New Cyber Policy
Will cover:
Physical damage
Property
Harm to people
Not only “data breach”
SecurityWeek, April 2014: “request especially from SCADA industrial power plants, but as they review applicants, they refused most of them… that protection were inadequate”
Is AIG setting high demands?
Or is the protection inadequate?
Or both?
Application White Listing
What is What?
What is AWL
Node-level protection against malware and unauthorized executables.
Scans the disk for executables and stamps each with a hash (MD5, SHA1, SHA256…).
A security policy is attached to each hash.
One policy for all nodes, or differentiated according to operational function.
Policy examples: file creation, trusted path, file integrity, execution control.
[Slide diagram: an executable file is hashed; the hash maps to a policy rule (Rule A, Rule B) whose outcome is Run, Pending or Deny]
In two words… or more
Whitelisting – only allows the trusted good to run
Anti-virus – only stops the known bad from running
What about the rest?
[Slide diagram: an executable starts a run process and is classified Trusted, Pending or Bad; Bad is not allowed to run]
AWL Protection – Benefits
We get protection against unsigned malware.
We get an audit log of system instances, allowing greater visibility into data integrity and user accountability.
Endpoint security at driver level – USB, I/O, execute-only…
File rights management – access control and rights to folders and files
Snapshot – gold image (baseline) configuration, inventory of files
Proactive – only needed when software changes are made (can cut down patching, but does not mean you can stop altogether)
Change management – certificate, temporary policy for updates, trusted location, manual approval
Turning Grey to White
Trusted user
Trusted directory
Updater – an application with uplifted privilege, e.g. SCCM (System Center Configuration Manager)
Installer – using a hash DB
Publisher – using digitally signed applications
Binary – precompiled binary, registered by hash; interpreters
End-user notification
Grey app – run in restrictive mode: limited access to corporate data, no network access.
Administrating a whitelisting system is a key function that must be understood and planned.
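As an added example (not code from the slides or from Elbit), here is a minimal AWL decision engine in Python that ties the "What is AWL" slide and this one together: executables are stamped with SHA-256, each hash carries a run/deny policy, an unknown binary is either held as pending or allowed only in a restricted "grey" mode, and a trusted directory or a trusted publisher can turn a grey binary white, pinning its hash so later lookups are hash-based. Every path, publisher name and hash is constructed; the publisher name is passed in as a stand-in for real code-signature verification, and the audit lines are the kind of JSON a SIEM integration would consume.

```python
"""
Constructed example: a minimal application-whitelisting (AWL) decision engine.
Executables are stamped with SHA-256, every hash carries a policy, and an
unknown ("grey") binary can be turned white by a trusted directory, a trusted
publisher or a hash-DB entry. Paths, publishers and hashes are made up.
"""
import hashlib
import json
import os
import tempfile
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set


class Decision(Enum):
    RUN = "run"          # hash present with an execute policy
    DENY = "deny"        # hash present with a deny policy
    PENDING = "pending"  # unknown hash, held for manual approval
    GREY = "grey"        # unknown hash allowed only in restricted mode


def sha256_file(path: str) -> str:
    """Stamp an executable with its SHA-256 digest (the slides also allow MD5/SHA1)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _inside(path: str, directory: str) -> bool:
    """True if path lives under directory, resolving '..' so it cannot escape."""
    p, d = os.path.realpath(path), os.path.realpath(directory)
    return os.path.commonpath([p, d]) == d


@dataclass
class Whitelist:
    policy: Dict[str, str] = field(default_factory=dict)       # sha256 -> "run" | "deny"
    trusted_dirs: List[str] = field(default_factory=list)      # e.g. the SCCM/installer drop folder
    trusted_publishers: Set[str] = field(default_factory=set)  # signer names accepted as white
    unknown_mode: Decision = Decision.PENDING                  # PENDING or GREY for unlisted hashes
    audit: List[str] = field(default_factory=list)             # JSON lines for the SIEM

    def decide(self, path: str, publisher: Optional[str] = None) -> Decision:
        """Hash the file, consult the hash DB first, then the grey-to-white sources."""
        digest = sha256_file(path)
        if digest in self.policy:
            source = "hash-db"
            verdict = Decision.DENY if self.policy[digest] == "deny" else Decision.RUN
        elif publisher in self.trusted_publishers:   # stand-in for signature verification
            source, verdict = "publisher", Decision.RUN
        elif any(_inside(path, d) for d in self.trusted_dirs):
            source, verdict = "trusted-dir", Decision.RUN
        else:
            source, verdict = "unknown", self.unknown_mode
        if verdict is Decision.RUN and source != "hash-db":
            self.policy[digest] = "run"   # grey turned white: pin the hash for next time
        self.audit.append(json.dumps({"file": os.path.basename(path), "sha256": digest,
                                      "source": source, "verdict": verdict.value}))
        return verdict


def _write(path: str, data: bytes) -> str:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)
    return path


def demo() -> dict:
    """Exercise every decision path on constructed files; returns the verdicts."""
    root = tempfile.mkdtemp()
    drop = os.path.join(root, "sccm_drop")
    hmi = _write(os.path.join(root, "hmi.exe"), b"MZ constructed hmi")
    dropper = _write(os.path.join(root, "dropper.exe"), b"MZ constructed bad")
    patch = _write(os.path.join(drop, "patch.exe"), b"MZ constructed patch")
    signed = _write(os.path.join(root, "vendor_tool.exe"), b"MZ constructed signed")
    stranger = _write(os.path.join(root, "stranger.exe"), b"MZ constructed unknown")

    wl = Whitelist(trusted_dirs=[drop], trusted_publishers={"Example Vendor Ltd"})
    wl.policy[sha256_file(hmi)] = "run"
    wl.policy[sha256_file(dropper)] = "deny"
    grey = Whitelist(unknown_mode=Decision.GREY)   # a node that runs unknowns restricted

    return {
        "hmi": wl.decide(hmi).value,
        "dropper": wl.decide(dropper).value,
        "patch": wl.decide(patch).value,
        "signed": wl.decide(signed, publisher="Example Vendor Ltd").value,
        "stranger": wl.decide(stranger).value,
        "stranger_grey": grey.decide(stranger).value,
        "patch_pinned": sha256_file(patch) in wl.policy,
        "events": len(wl.audit),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The order of checks is the point: the hash DB always wins, so a binary that was once denied stays denied even if it later lands in a trusted directory, and every promotion is written to the audit trail with the source that justified it.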
Turning Grey to White – Trusted Change
Check as part of your IT operational best practice: TNO (Trust No One)
3rd-party digital certificates (CRL)
IT department digital certificates
Periodically check your trusted sources
Integration with SIEM / security dashboard
New AWL policies during plant operation
Tools for rolling out policy changes to the entire system
Check performance issues on host and network
Golden Image – for relatively static environments
Hardware from a secure supply chain
If possible, secure code review of executables with access to source.
Harden not only the application but also hardware and drivers according to the chosen best practice.
Run in a staging environment (“sandbox mode”), i.e. using non-intrusive anomaly-visibility tools for host and network, trying to simulate the real-time environment: users, applications, services, protocols, topology; boot up the machines.
Run observe mode at the staging site (lab) and perform policy discovery
Pull your whitelist and check reputation
Then the gold image is hashed
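Added example (not from the slides or from Elbit): the staging-to-gold-image procedure above, in Python. Observe mode discovers executables under a staging tree, the result is sealed into a manifest whose own hash is recorded (the gold image is hashed), and a later integrity pass compares a production host against the baseline and reports files added, removed or modified. The executable suffix list, paths and file contents are constructed, and sealing with a bare SHA-256 stands in for signing the manifest.

```python
"""
Constructed example: build a golden-image baseline in staging, seal it, then
check a running host for drift. Paths, suffixes and file contents are made up.
"""
import hashlib
import json
import os
import shutil
import tempfile
from typing import Dict

# What counts as executable content for the baseline (constructed list; a real
# deployment follows the AWL product's own definition of an executable).
EXEC_SUFFIXES = (".exe", ".dll", ".sys", ".ocx", ".bat", ".ps1")


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def discover(root: str) -> Dict[str, str]:
    """Policy discovery: map each executable (relative, '/'-separated path) to its hash."""
    found = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(EXEC_SUFFIXES):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                found[rel] = sha256_file(full)
    return found


def _canonical(files: Dict[str, str]) -> bytes:
    return json.dumps(files, sort_keys=True, separators=(",", ":")).encode()


def seal(files: Dict[str, str]) -> dict:
    """Hash the whole manifest so edits to the manifest itself are detectable.
    (A production rollout would sign it; the bare hash is a stand-in.)"""
    return {"files": files, "manifest_sha256": sha256_bytes(_canonical(files))}


def seal_ok(gold: dict) -> bool:
    return sha256_bytes(_canonical(gold["files"])) == gold["manifest_sha256"]


def drift(baseline: Dict[str, str], live: Dict[str, str]) -> Dict[str, list]:
    """File-integrity comparison of a running host against the sealed baseline."""
    return {
        "added": sorted(set(live) - set(baseline)),
        "removed": sorted(set(baseline) - set(live)),
        "modified": sorted(p for p in baseline if p in live and baseline[p] != live[p]),
    }


def _write(root: str, rel: str, data: bytes) -> None:
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo() -> dict:
    """Stage a constructed image, seal it, then simulate a drifted production host."""
    staging = tempfile.mkdtemp()
    _write(staging, "bin/hmi.exe", b"MZ constructed hmi")
    _write(staging, "drivers/plc.sys", b"MZ constructed driver")
    _write(staging, "docs/manual.txt", b"text, not executable")
    gold = seal(discover(staging))

    prod = os.path.join(tempfile.mkdtemp(), "host")
    shutil.copytree(staging, prod)
    _write(prod, "drivers/plc.sys", b"MZ constructed driver v2")  # patched out of band
    _write(prod, "bin/dropper.exe", b"MZ constructed unknown")    # appeared after imaging
    os.remove(os.path.join(prod, "bin", "hmi.exe"))               # removed from the host

    # Someone edits the manifest to whitelist the new file without re-sealing it.
    tampered = {"files": dict(gold["files"]), "manifest_sha256": gold["manifest_sha256"]}
    tampered["files"]["bin/dropper.exe"] = sha256_bytes(b"MZ constructed unknown")

    return {
        "baseline_files": sorted(gold["files"]),
        "seal_ok": seal_ok(gold),
        "drift": drift(gold["files"], discover(prod)),
        "tamper_detected": not seal_ok(tampered),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest hash is what makes "pull your whitelist and check reputation" meaningful: a whitelist that can be edited silently after it was pulled is only as trustworthy as the last person who had write access to it.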
AWL – What it does NOT do
Memory-based attacks – DLL injection, IAT (import address table) hooking
Interpreted code (JavaScript / JAR, Perl / PL, Python / PY) – Conficker, Duqu
Text instructions can be stored anywhere: web pages, databases, project files, “tmp” files
Web interfaces in control systems are written in scripting languages (PHP, Perl…), very susceptible to injection attacks.
DDoS – bandwidth or application attacks
Does NOT prevent white application hijacking:
Corruption / theft of data
Rogue commands to SCADA services
Denial of service at the application and network level
Field-to-center threats – not at all
Field-to-field threats – not at all
Shellshock – Bash Bug – Sep 2014
Allows remote attackers to execute arbitrary code under certain conditions, by passing strings of code following environment variable assignments
White application hijacking
Field-to-center threats
Field-to-field threats
Does not address authenticity, but anomaly.
An open database solution allows correlation with process data, alarm data and traditional IT products like a SIEM solution
Static and well-defined environment
AWL – DPI
DNP3 – 2013
Send a request or command, or change the protocol stack, to drive the master station crazy
It makes no difference if it's IP or native serial.
DPI whitelisting is relevant to the ICS environment
Encryption is a bump in the wire; you may be encrypting the bad stuff.
ICS – Multi-vendor environment
Modbus TCP/RTU/+
IEC 60870-5-101/104
MDLC / MDLC over IP
DNP3 / DNPi
Siemens Profinet/Profibus
Siemens Teleperm XP
Siemens TIM
GE UDH
Rockwell Automation DF1
C37.118 (Smart Grid Synchrophasor)
IEC 60870-6-503 (TASE.2)
IEC 61850 (GOOSE)
ICCP
And more…
Very few logs on our SCADA data
Catch the crafted commands coming into your trusted application.
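Added example (not from the slides or from any product): a DPI whitelist for Modbus/TCP, one of the protocols listed above, written in Python. It parses the MBAP header and the PDU, rejects frames whose length field or byte counts do not match what is on the wire (the "change the protocol stack" case), and then checks source host, unit ID, function code and register range against a per-host allowlist, which is how a crafted command bound for a trusted application gets caught even though the application itself is white. Hosts, unit IDs, register ranges and the request frames are constructed.

```python
"""
Constructed example: a deep-packet-inspection whitelist for Modbus/TCP requests.
Policy entries, hosts and frames are made up; the frame layout follows the
public Modbus/TCP specification (MBAP header followed by the PDU).
"""
import struct
from typing import List, Tuple

READ_FCS = {3, 4}        # read holding / input registers
WRITE_SINGLE = 6         # write single register
WRITE_MULTIPLE = 16      # write multiple registers

# Constructed policy: who may send which function codes to which registers
# (address ranges are inclusive). Anything not matched is denied.
POLICY = [
    {"src": "10.0.0.5", "unit": 1, "fcs": {3, 4}, "range": (0, 99)},    # HMI reads process values
    {"src": "10.0.0.5", "unit": 1, "fcs": {6, 16}, "range": (16, 31)},  # HMI writes setpoints only
    {"src": "10.0.0.9", "unit": 1, "fcs": {3, 4}, "range": (0, 99)},    # historian: read only
]


def parse(frame: bytes) -> dict:
    """Parse MBAP header + PDU; raise ValueError on anything inconsistent."""
    if len(frame) < 8:
        raise ValueError("short frame")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id %d is not Modbus" % proto)
    if length != len(frame) - 6:
        raise ValueError("length field %d != %d bytes on the wire" % (length, len(frame) - 6))
    fc, pdu = frame[7], frame[8:]
    if fc in READ_FCS or fc == WRITE_MULTIPLE:
        if len(pdu) < 4:
            raise ValueError("truncated PDU")
        start, qty = struct.unpack(">HH", pdu[:4])
        if qty == 0:
            raise ValueError("zero quantity")
        if fc == WRITE_MULTIPLE and (len(pdu) != 5 + 2 * qty or pdu[4] != 2 * qty):
            raise ValueError("write-multiple byte count does not match quantity")
        return {"tid": tid, "unit": unit, "fc": fc, "first": start, "last": start + qty - 1}
    if fc == WRITE_SINGLE:
        if len(pdu) != 4:
            raise ValueError("write-single PDU must be 4 bytes")
        addr = struct.unpack(">H", pdu[:2])[0]
        return {"tid": tid, "unit": unit, "fc": fc, "first": addr, "last": addr}
    # Other function codes are parsed far enough to be matched against policy.
    return {"tid": tid, "unit": unit, "fc": fc, "first": None, "last": None}


def inspect_frame(src: str, frame: bytes) -> Tuple[str, str]:
    """Return ("allow" | "deny", reason) for one request frame from src."""
    try:
        req = parse(frame)
    except ValueError as err:
        return "deny", "malformed: %s" % err
    for rule in POLICY:
        if rule["src"] != src or rule["unit"] != req["unit"] or req["fc"] not in rule["fcs"]:
            continue
        lo, hi = rule["range"]
        if req["first"] is not None and (req["first"] < lo or req["last"] > hi):
            continue
        return "allow", "rule src=%s unit=%d fc=%d" % (src, req["unit"], req["fc"])
    return "deny", "no rule for src=%s unit=%d fc=%d" % (src, req["unit"], req["fc"])


# Constructed request frames: MBAP (tid, proto=0, length, unit) then the PDU.
FRAMES: List[Tuple[str, bytes]] = [
    ("10.0.0.5", bytes.fromhex("0001 0000 0006 01 03 0000 000a")),                # read 10 regs from 0
    ("10.0.0.5", bytes.fromhex("0002 0000 0006 01 06 0010 0001")),                # write setpoint reg 16
    ("10.0.0.5", bytes.fromhex("0003 0000 000b 01 10 0010 0002 04 0001 0002")),  # write regs 16-17
    ("10.0.0.5", bytes.fromhex("0004 0000 0006 01 06 0040 0001")),                # write reg 64: out of range
    ("10.0.0.9", bytes.fromhex("0005 0000 0006 01 06 0010 0001")),                # historian tries to write
    ("10.0.0.9", bytes.fromhex("0006 0000 0006 01 08 0000 1234")),                # diagnostics: not whitelisted
    ("10.0.0.5", bytes.fromhex("0007 0000 0006 01 03 0000")),                     # length says 6, 4 on the wire
]


def demo() -> List[str]:
    """Verdict for each constructed frame, in order."""
    return [inspect_frame(src, frame)[0] for src, frame in FRAMES]


if __name__ == "__main__":
    for (src, frame), verdict in zip(FRAMES, (inspect_frame(s, f) for s, f in FRAMES)):
        print(src, frame.hex(), verdict)
```

Every deny carries a reason string, which is the log line the slide says is missing from most SCADA data: a write from a read-only host, a setpoint outside its range, or a frame that does not parse is each visible to the SIEM as a distinct event rather than as silence.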
www.c4-security.com
AWL - DPI
To Summarize – Defense in Layers
[Slide diagram: layers labelled System, Network and Host, each protected by AWL, with one layer marked AWL + DPI]
Thank You
ありがとう (Thank you)
Rani Kehat, CISSP
Director Marketing, Intelligence & Cyber Solutions, Elbit
[email protected]