
Mission Critical Security in a Post-Stuxnet World Part 2


DESCRIPTION

This two-part presentation, "Mission Critical Security in a Post-Stuxnet World," contains slides from the Hirschmann 2011 Mission Critical Network Design Seminar. It summarizes what was known about the Stuxnet malware and discusses what it means for the future of SCADA and ICS security. The presentation is intended for anyone needing a crash course on Stuxnet, or as a tool for informing management about its implications.


Page 1: Mission Critical Security in a Post-Stuxnet World Part 2

Addressing the Son-of-Stuxnet: Cyber Security Solutions for Mission Critical Systems

Eric Byres, P.Eng., CTO, Byres Security Inc.

Page 2: The Stuxnet Worm

• July 2010: the Stuxnet worm was discovered attacking Siemens PCS7, S7 PLC and WinCC systems around the world
• Infected 100,000 computers
• Infected at least 22 manufacturing sites
• Appears to have impacted its possible target, Iran's nuclear enrichment program

Page 3: Stuxnet Had Many Paths to its Victim PLCs

Page 4: The "Air Gap" Is Dead

• A modern ICS or SCADA system is highly complex and interconnected
• Multiple potential pathways exist from the outside world to the process controllers
• Assuming an air gap between ICS and corporate networks is unrealistic
• Focusing security efforts on a few obvious pathways (such as USB storage drives or the Enterprise/ICS firewall) is a flawed defense

Page 5: SCADA and ICS in the Bull's Eye

• ICS platforms are becoming an obvious target for attacks
• "Security researchers" are focusing on SCADA/ICS because it is easy money/fame (little malicious intent)
• Actors with intent have access to the weapons:
  • Download exploits for free (Italian list)
  • Purchase tool kits (Gleg)
  • Directed where to look for more vulnerabilities

Page 6: Stuxnet's Legacy

• Model for simple, destructive SCADA worms
• Exploits inherent PLC design issues
• Applicable to almost all industrial controllers
• There are no possible "patches" to the PLC

Page 7: Protecting Against the "Son of Stuxnet"

• Understanding and Managing the Pathways
• Protecting the Critical Pieces First
• ISA-99 and IEC 62443 Security Standards
• Making Security Simple and Focused

Page 8: Understanding the Pathways

Page 9: Look At All Possible Pathways

• Don't focus on a single pathway such as USB keys
• Consider all possible infection pathways:
  • Removable Media (CDs, DVDs, USB Drives)
  • File Transfer (Databases, PDFs, PLC Project Files)
  • Portable Equipment (Laptops, Storage Units, Configuration Tools)
  • Internal Network Connections (Business, Lab, QA, Support)
  • External Connections (Support, Contractor, Customer)
  • Wireless (802.11, 802.15, Licensed-band, Cellular, WirelessHART, ISA100.11a, Bluetooth, USB tethering)
  • Other Interfaces (Serial, Data Highways)
• Have strategies for discovering/mitigating ALL pathways

Page 10: Protecting the Critical Pieces First

• The Attack/Consequence Funnel

Page 11: Practical Solutions for ICS Professionals

• You are NOT going to be able to:
  • Restructure your IT department's focus and practices
  • Get suppliers to provide vulnerability-free products
  • Patch every ICS system immediately
  • Cut off all pathways into and out of your ICS

Page 12: Practical Solutions for ICS Professionals

• You should be able to:
  • Restrict and manage the data flows into your systems
  • Restrict and manage the data flows out of your systems
  • Detect unusual behaviors in your systems
  • Patch most ICS products within a patch management strategy
  • Progressively reduce the probability of attacker success the deeper into the ICS/SCADA system they go

Page 13: The Attack/Consequence Funnel

[Diagram: a funnel whose layers, from the outside in, are External Corporate, Internal Enterprise Assets, Process DMZ, HMI/Supervisory Systems, Primary Control Systems, Safety Systems and Process; the axes drawn alongside it are labelled Available Pathways, Exploit Opportunities, Attack Quantity and Consequences.]

Page 14: Keeping All the Rubbish Out

[Diagram: the same funnel (External Corporate, Internal Enterprise Assets, Process DMZ, HMI/Supervisory Systems, Primary Control Systems, Safety Systems, Process), annotated:]
• Process DMZ is a critical choke point
• Limited pathways
• Limited protocols
• Managed egress
• Disjoint protocols

Page 15: Reducing the Vulnerable Systems in the Middle

[Diagram: the same funnel, annotated at its middle layers:]
• Windows-based applications offer a major attack opportunity
• Patch applications, not just the O/S
• A/V deployment
• White listing (?)
• Separation of HMI & control

Page 16: Securing Last-line-of-Defense Critical Systems

[Diagram: the same funnel, annotated at its inner layers:]
• High consequence
• Focus on monitoring and securing the SIS boundary
• Limited pathways
• Anomaly detection

Page 17: ISA-99 and IEC 62443 Security Standards

• Using Zones and Conduits to Focus your Efforts

Page 18: ANSI/ISA-99: Dividing Up The Control System

• A core concept in the ANSI/ISA-99 (now IEC 62443.02.01) security standard is "Zones and Conduits"
• Offers a level of segmentation and traffic control inside the control system
• Control networks are divided into layers or zones based on control function
• Multiple separated zones make up the "defense in depth" strategy

Page 19: ANSI/ISA-99: Connecting the Zones

• Connections between the zones are called conduits, and these must have security controls to:
  • Control access to zones
  • Resist Denial of Service (DoS) attacks or the transfer of malware
  • Shield other network systems
  • Protect the integrity and confidentiality of network traffic
• It is important to understand and manage all your conduits between zones, not just the obvious ones.

Page 20: Security Zone Definition

• "Security zone: grouping of logical or physical assets that share common security requirements." [ANSI/ISA-99.02.01-2007, 3.2.116]
• A zone has a clearly defined border (either logical or physical), which is the boundary between included and excluded elements.

[Diagram: an HMI Zone and a PLC Zone]

Page 21: Conduits

• A conduit is a path for the flow of data between two zones.
  • It can provide the security functions that allow different zones to communicate securely.
• Any communication between zones must have a conduit.

[Diagram: an HMI Zone and a PLC Zone joined by a Conduit]

Page 22: Protecting the Network with Zones and Conduits

• A firewall in each conduit will allow only the MINIMUM network traffic necessary for correct plant operation

[Diagram: an HMI Zone and a PLC Zone joined by a conduit containing a Firewall]

Page 23: Using Zones: An Example Oil Refinery

Page 24: Specifying the Zones

Page 25: Defining the Conduits

Page 26: Protecting the Conduits with Firewalls

[Diagram: the refinery conduits, protected by a Corporate Firewall and a Hirschmann Firewall]
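Pages 23 to 26 walk through one procedure: specify the zones, define the conduits between them, then put a firewall in each conduit that passes only the minimum traffic. The Python below is an added example, not code from the deck or from any Hirschmann or Byres Security product. It models that procedure as a default-deny policy and then audits a set of observed flow records against it, which is the practical form of page 19's advice to manage all your conduits and not just the obvious ones. The zone names, address ranges, conduit rules and flow records are constructed for illustration and are assumptions, not a real site.

```python
"""Zones-and-conduits policy check for an ICS network (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One connection attempt, as a firewall log or flow collector would summarise it."""
    src_ip: str
    dst_ip: str
    proto: str   # "tcp" or "udp"
    dport: int


class ConduitPolicy:
    """Zones group addresses; a conduit is the only legal path between two zones."""

    def __init__(self, zones, conduits):
        # zones: {zone_name: [cidr, ...]}
        # conduits: {(initiating_zone, receiving_zone): {(proto, dport), ...}}
        self.zones = {name: [ipaddress.ip_network(c) for c in cidrs]
                      for name, cidrs in zones.items()}
        self.conduits = conduits

    def zone_of(self, ip):
        """Name of the zone an address belongs to, or None if it is in no defined zone."""
        addr = ipaddress.ip_address(ip)
        for name, nets in self.zones.items():
            if any(addr in net for net in nets):
                return name
        return None

    def decide(self, flow):
        """Return ("allow" | "deny", reason). Anything no conduit explicitly carries is denied."""
        src, dst = self.zone_of(flow.src_ip), self.zone_of(flow.dst_ip)
        if src is None or dst is None:
            return "deny", "endpoint outside every defined zone"
        if src == dst:
            return "allow", f"intra-zone traffic inside {src}"
        permitted = self.conduits.get((src, dst))
        if permitted is None:
            return "deny", f"no conduit {src} -> {dst}"
        if (flow.proto, flow.dport) not in permitted:
            return "deny", f"{flow.proto}/{flow.dport} not permitted on conduit {src} -> {dst}"
        return "allow", f"conduit {src} -> {dst}"

    def audit(self, flows):
        """Flows from a capture that the conduit design does not account for."""
        findings = []
        for flow in flows:
            verdict, reason = self.decide(flow)
            if verdict == "deny":
                findings.append((flow, reason))
        return findings


# Constructed zone layout loosely following the refinery example (assumption, not a real site)
ZONES = {
    "enterprise": ["10.1.0.0/16"],
    "process_dmz": ["10.0.1.0/24"],
    "hmi": ["10.0.2.0/24"],
    "plc": ["10.0.3.0/24"],
}

# Conduits are directional: (zone that opens the connection, zone that receives it)
CONDUITS = {
    ("enterprise", "process_dmz"): {("tcp", 443)},   # business users read historian reports
    ("hmi", "process_dmz"): {("tcp", 1433)},         # HMI zone pushes data out to the DMZ historian
    ("hmi", "plc"): {("tcp", 502)},                  # supervisory polling over Modbus/TCP only
}

POLICY = ConduitPolicy(ZONES, CONDUITS)

# Constructed flow records for the audit
OBSERVED_FLOWS = [
    Flow("10.0.2.10", "10.0.3.5", "tcp", 502),    # HMI polls a PLC: allowed
    Flow("10.0.2.10", "10.0.3.5", "tcp", 102),    # HMI on the S7/ISO-TSAP port: not in the conduit
    Flow("10.1.7.20", "10.0.3.5", "tcp", 502),    # enterprise host talking to a PLC: no conduit
    Flow("10.0.1.4", "10.0.2.10", "tcp", 1433),   # DMZ opening a connection into HMI: wrong direction
    Flow("10.0.3.5", "10.0.3.6", "tcp", 502),     # PLC to PLC inside one zone: not a conduit matter
]

if __name__ == "__main__":
    for flow, reason in POLICY.audit(OBSERVED_FLOWS):
        print(f"{flow.src_ip} -> {flow.dst_ip} {flow.proto}/{flow.dport}: {reason}")
```

The conduit table records which zone may open a connection to which, on which protocol and port; replies on an established connection are the stateful firewall's job, which is why the DMZ-to-HMI flow is flagged even though an HMI-to-DMZ conduit exists. Each flow the audit reports is either an undocumented conduit that belongs in the design or a pathway to close.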

Page 27: Making Security Simple

Page 28: An Industrial Firewall Installation Gone Bad...

• An automotive company wanted layered protection for key PLCs and robots
• Decided to install over 100 personal firewalls in front of identified critical devices
• All firewalls had to be removed within a few months...
• Why?

Page 29: BCIT SCADA Firewall Research Project

• In 2003 the research centre at the British Columbia Institute of Technology (BCIT) was commissioned to investigate issues and best practices in firewall deployment in SCADA systems
• Results:
  • "CPNI Good Practice Guide on SCADA Firewall Deployment"
  • "The Special Needs of SCADA/PCN Firewalls: Architectures and Test Results"
  • Several restricted-access documents...

Page 30: What We Found...

"While the results indicate that commercial firewalls can be successfully used, the study also shows important differences between the configuration of firewalls in industrial and IT settings."

The Special Needs of SCADA/PCN Firewalls: Architectures and Test Results
Byres, Hoffman, et al.

Page 31: Misapplication of IT Security Assumptions

• There are important differences between information technology (IT) networks and industrial automation and control systems (IACS) networks.
• Problems occur because assumptions that are valid in the IT world may not be valid on the plant floor
• Some examples:
  • Valid types of outbound traffic
  • Importance of web "customers"
  • Assumed protection from DoS attacks via routers
  • "Critical" protocols
  • Desired state on failure

Page 32: An Example Assumption and Its Impact on a Chemical Plant

• IT Assumption: Outbound traffic is safe, inbound traffic is unsafe
• Result:

"By default, all ports are blocked on the outside interface, and all ports are open on the inside interface of the security appliance."

Cisco ASA 5500 Adaptive Security Appliances, Document ID: 91970

Page 33: An Example Assumption and Its Impact on a Chemical Plant

• Plant Floor Reality: a Cisco ASA firewall is installed between the DCS and the PLCs, with the DCS as SCADA master (thus inbound traffic to the PLCs must be allowed)
• Event: Firewall installed with default rule sets
• Impact: All traffic to the PLCs is blocked, plant down for three hours

Page 34: Conclusion

• Security technology may be excellent, but the default assumptions determine its usability in an environment.

Page 35: SCADA/ICS-Appropriate Technologies

• Select security solutions that are easy for engineers and technicians to deploy
• Use ICS-appropriate detection technologies that can raise an alarm when equipment is compromised or at risk of compromise
• Deploy ICS-appropriate security technologies
• Look beyond traditional network-layer firewalls, towards firewalls that are capable of Deep Packet Inspection of key SCADA and ICS protocols

Page 36: Example: SCADA-Focused Monitoring

• Stuxnet had to connect to and reprogram the victim PLCs to be successful
• WinCC servers were likely the reprogramming point
• Question: Should an HMI server be reprogramming a PLC?
• Traffic analysis beyond the basic IP address / TCP port would detect this...

Page 37: Example: Fixed-Configuration Safety Firewall

• Firewalls designed specifically for a single purpose
  • Cannot be disabled or mis-configured by staff
  • Can be tuned for specific control systems
• Aware of SCADA protocols and capable of deep packet inspection
  • Sanity checking of protocols like Modbus
  • Can provide fine-grained control of allowed commands
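Pages 36 and 37 make one point from two angles: an HMI has no business reprogramming a PLC, and a single-purpose firewall that understands the protocol can enforce that by sanity-checking each frame and limiting each source to the commands it legitimately needs. The Python below is an added example, not code from the deck or from any Hirschmann or Byres Security product. It parses Modbus/TCP requests (MBAP header plus PDU, as the public Modbus/TCP specification lays them out) and applies a per-role command allow-list; the roles, the setpoint register range and the sample frames are constructed assumptions. Modbus is used because its framing is simple and open; the same two-stage structure applies to S7 or OPC traffic once a parser for that protocol exists.

```python
"""Modbus/TCP deep packet inspection with per-role command allow-lists (added example)."""
import struct

MAX_ADU = 260                 # largest legal Modbus/TCP ADU (MBAP header + PDU)
READ_FUNCS = {1, 2, 3, 4}     # read coils / discrete inputs / holding regs / input regs
WRITE_FUNCS = {6, 16}         # write single / multiple holding registers

# Constructed policy: which function codes each source role may send and, for writes,
# which holding-register addresses it may touch. Registers 0-99 are assumed setpoints.
POLICY = {
    "historian":   {"funcs": READ_FUNCS,               "write_range": range(0)},
    "hmi":         {"funcs": READ_FUNCS | {6},         "write_range": range(0, 100)},
    "engineering": {"funcs": READ_FUNCS | WRITE_FUNCS, "write_range": range(0, 65536)},
}


def parse_request(frame):
    """Sanity-check an MBAP header and PDU; return decoded fields or raise ValueError."""
    if not 8 <= len(frame) <= MAX_ADU:
        raise ValueError("ADU length out of range")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol identifier must be 0")
    if length != len(frame) - 6:          # MBAP length counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    func = frame[7]
    if func >= 0x80:
        raise ValueError("exception function code in a request")
    data = frame[8:]
    req = {"tid": tid, "unit": unit, "func": func}
    if func in (1, 2, 3, 4):
        if len(data) != 4:
            raise ValueError("bad read request length")
        start, qty = struct.unpack(">HH", data)
        limit = 2000 if func in (1, 2) else 125   # spec maxima per request
        if not 1 <= qty <= limit:
            raise ValueError("read quantity out of range")
        req.update(start=start, quantity=qty)
    elif func == 6:
        if len(data) != 4:
            raise ValueError("bad write-single request length")
        start, _value = struct.unpack(">HH", data)
        req.update(start=start, quantity=1)
    elif func == 16:
        if len(data) < 5:
            raise ValueError("bad write-multiple request length")
        start, qty, bytecount = struct.unpack(">HHB", data[:5])
        if not 1 <= qty <= 123 or bytecount != 2 * qty or len(data) != 5 + bytecount:
            raise ValueError("write-multiple field lengths inconsistent")
        req.update(start=start, quantity=qty)
    else:
        raise ValueError(f"function code {func} is not inspected by this firewall")
    return req


def inspect(frame, role):
    """Return ("allow", fields) or ("deny", reason) for a request arriving from role."""
    try:
        req = parse_request(frame)
    except ValueError as exc:
        return "deny", f"malformed: {exc}"
    rules = POLICY.get(role)
    if rules is None:
        return "deny", f"unknown source role {role!r}"
    if req["func"] not in rules["funcs"]:
        return "deny", f"function {req['func']} not allowed for {role}"
    if req["func"] in WRITE_FUNCS:
        last = req["start"] + req["quantity"] - 1
        if req["start"] not in rules["write_range"] or last not in rules["write_range"]:
            return "deny", f"write to registers {req['start']}-{last} outside range for {role}"
    return "allow", req


# Constructed sample frames, each a complete MBAP header plus PDU
SAMPLES = {
    "read_hr":     bytes.fromhex("00010000000601030000000a"),            # FC3, 10 regs at 0
    "write_setpt": bytes.fromhex("000200000006010600050064"),            # FC6, reg 5 = 100
    "write_block": bytes.fromhex("00030000000b011003e800020400010002"),  # FC16, 2 regs at 1000
    "bad_length":  bytes.fromhex("00010000000601030000000aff"),          # extra byte, length lies
    "vendor_func": bytes.fromhex("000500000003015a00"),                  # FC 90, not inspected
    "oversize_rd": bytes.fromhex("0006000000060103000000c8"),            # FC3, quantity 200
}


def run_samples():
    """Verdict for each (sample, role) pair; a firewall log would record the same tuples."""
    cases = [("read_hr", "historian"), ("write_setpt", "hmi"), ("write_setpt", "historian"),
             ("write_block", "hmi"), ("write_block", "engineering"),
             ("bad_length", "engineering"), ("vendor_func", "engineering"),
             ("oversize_rd", "hmi")]
    return {(name, role): inspect(SAMPLES[name], role)[0] for name, role in cases}


if __name__ == "__main__":
    for (name, role), verdict in run_samples().items():
        print(f"{name:12s} from {role:12s}: {verdict}")
```

The two stages are deliberately separate. The parser rejects anything it cannot fully account for (a length field inconsistent with the frame, a quantity outside the specification, a function code the device was not built to inspect), which is the "cannot be misconfigured" property of a single-purpose firewall. The policy then decides by source role, so a read-only historian sending a write, or an HMI writing outside the setpoint block, is denied even though the frame is well formed and arrived on the permitted IP address and port.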

Page 38: Example: Deep Packet Inspection for OPC

• Stuxnet made extensive use of the RPC protocol, which is the basis of OPC
• IT firewalls can't manage RPC or OPC traffic (OPC Classic rides on DCOM, which negotiates its TCP ports dynamically, so a port-based rule has to open a wide range)
• The firewall needs to be able to "understand" SCADA protocols like OPC
• Requires "Deep Packet Inspection" technology for automation systems
• Example: Hirschmann OPC Enforcer automatically inspects and manages OPC traffic

Page 39: Some Final Thoughts

Page 40: Making Security Work in the SCADA World

• "Certainly controls engineers and operators need to be security aware, but they should not all need to be security experts."
• "We have to make this [security] something a plant superintendent, engineer, or senior operator can do in their spare time, or it will flop."

ISA-99 Discussion Forum

Page 41: Some Final Thoughts

• IT and SCADA systems are different
• This translates to differing requirements for safe and reliable deployments of security systems in SCADA
• We can't stop all infections
• We can prevent attackers from reaching their goals
• Security AND safety can be significantly improved with good policy and appropriate technology
