This 2-part presentation, "Mission Critical Security in a Post-Stuxnet World," contains slides from the Hirschmann 2011 Mission Critical Network Design Seminar. It summarizes a lot of information about the Stuxnet malware and discusses what it means for the future of SCADA and ICS security. The presentation is ideal for anyone needing a crash course on Stuxnet, or as a tool for informing management about the implications of it.
Addressing the Son-of-Stuxnet: Cyber Security Solutions for Mission Critical Systems
Eric Byres, P.Eng., CTO, Byres Security Inc.
The Stuxnet Worm
• July, 2010: Stuxnet worm was discovered attacking Siemens PCS7, S7 PLC and WIN-CC systems around the world
• Infected 100,000 computers
• Infected at least 22 manufacturing sites
• Appears to have impacted its possible target, Iran’s nuclear enrichment program
Stuxnet Had Many Paths to its Victim PLCs
The “Air Gap” Is Dead
• A modern ICS or SCADA system is highly complex and interconnected
• Multiple potential pathways exist from the outside world to the process controllers
• Assuming an air-gap between ICS and corporate networks is unrealistic
• Focusing security efforts on a few obvious pathways (such as USB storage drives or the Enterprise/ICS firewall) is a flawed defense
SCADA and ICS in the Bull’s Eye
• ICS platforms are becoming an obvious target for attacks
• “Security Researchers” focusing on SCADA/ICS because it is easy money/fame (little malicious intent)
• Actors with intent have access to the weapons:
  • Download exploits for free (Italian list)
  • Purchase tool kits (Gleg)
  • Directed where to look for more vulnerabilities
Stuxnet’s Legacy
• Model for simple, destructive SCADA worms
• Exploits inherent PLC design issues
• Applicable to almost all industrial controllers
• There are no possible “patches” to the PLC
Protecting Against the “Son of Stuxnet”
• Understanding and Managing the Pathways
• Protecting the Critical Pieces First
• ISA-99 and IEC 62443 Security Standards
• Making Security Simple and Focused
Understanding the Pathways
Look At All Possible Pathways
• Don’t focus on a single pathway such as USB keys
• Consider all possible infection pathways:
  • Removable Media (CDs, DVDs, USB Drives)
  • File Transfer (Database, PDFs, PLC Project Files)
  • Portable Equipment (Laptops, Storage Units, Config Tools)
  • Internal Network Connections (Business, Lab, QA, Support)
  • External Connections (Support, Contractor, Customer)
  • Wireless (802.11, 802.15, Licensed-band, Cellular, Wireless HART, ISA-100a, Bluetooth, USB tethering)
  • Other Interfaces (Serial, Data Highways)
• Have strategies for discovering/mitigating ALL pathways
Protecting the Critical Pieces First
• The Attack/Consequence Funnel
Practical Solutions for ICS Professionals
• You are NOT going to be able to:
  • Restructure your IT department’s focus and practices
  • Get suppliers to provide vulnerability-free products
  • Patch every ICS system immediately
  • Cut off all pathways in to and out of your ICS
Practical Solutions for ICS Professionals
• You should be able to:
  • Restrict and manage the data flows into your systems
  • Restrict and manage the data flows out of your systems
  • Detect unusual behaviors in your systems
  • Patch most ICS products within a patch management strategy
  • Progressively reduce the probability of attacker success the deeper into the ICS/SCADA system they go
The Attack/Consequence Funnel
[Diagram: a funnel of layers from the outside in: External Corporate, Internal Enterprise Assets, Process DMZ, HMI/Supervisory Systems, Primary Control Systems, Safety Systems, Process. Moving inward, Available Pathways, Exploit Opportunities and Attack Quantity decrease while Consequences increase.]
Keeping All the Rubbish Out
[Diagram: the same funnel of layers (External Corporate, Internal Enterprise Assets, Process DMZ, HMI/Supervisory Systems, Primary Control Systems, Safety Systems, Process). Annotations: the Process DMZ is a critical Choke Point; Limited Pathways; Limited Protocols; Managed Egress; Disjoint Protocols.]
Reducing the Vulnerable Systems in the Middle
[Diagram: the same funnel of layers. Annotations on the HMI/Supervisory and Primary Control layers: Windows-based applications offer a major attack opportunity; Patch applications, not just the O/S; A/V Deployment; White Listing (?); Separation of HMI & Control.]
Securing Last-line-of-Defense Critical Systems
[Diagram: the same funnel of layers. Annotations on the Safety Systems and Process layers: High Consequence; Focus on monitoring and securing the SIS Boundary; Limited Pathways; Anomaly Detection.]
ISA-99 and IEC 62443 Security Standards
• Using Zones and Conduits to Focus your Efforts
ANSI/ISA-99: Dividing Up The Control System
• A core concept in the ANSI/ISA-99 (now IEC 62443.02.01) security standard is “Zones and Conduits”
• Offers a level of segmentation and traffic control inside the control system.
• Control networks divided into layers or zones based on control function.
• Multiple separated zones manage that “defense in depth” strategy
ANSI/ISA-99: Connecting the Zones
• Connections between the zones are called conduits, and these must have security controls to:
  • Control access to zones
  • Resist Denial of Service (DoS) attacks or the transfer of malware
  • Shield other network systems
  • Protect the integrity and confidentiality of network traffic
• It is important to understand and manage all your conduits between zones, not just the obvious ones.
Security Zone Definition
• “Security zone: grouping of logical or physical assets that share common security requirements.” [ANSI/ISA-99.02.01-2007, 3.2.116]
• A zone has a clearly defined border (either logical or physical), which is the boundary between included and excluded elements.
[Diagram: an HMI Zone and a PLC Zone, each drawn with its own border.]
Conduits
• A conduit is a path for the flow of data between two zones.
  • Can provide the security functions that allow different zones to communicate securely.
• Any communications between zones must have a conduit.
[Diagram: an HMI Zone and a PLC Zone joined by a Conduit.]
Protecting the Network with Zones and Conduits
• A firewall in each conduit will allow only the MINIMUM network traffic necessary for correct plant operation
[Diagram: an HMI Zone and a PLC Zone joined by a conduit containing a Firewall.]
Using Zones: An Example Oil Refinery
• Specifying the Zones
• Defining the Conduits
• Protecting the Conduits with Firewalls
[Diagram: refinery network with zones and conduits; conduits are protected by a Corporate Firewall and Hirschmann Firewalls.]
Making Security Simple
An Industrial Firewall Installation Gone Bad…
• An automotive company wanted layered protection for key PLCs and robots
• Decided to install over 100 personal firewalls in front of identified critical devices
• All firewalls had to be removed within a few months…
• Why?
BCIT SCADA Firewall Research Project
• In 2003 the research centre at the British Columbia Institute of Technology (BCIT) was commissioned to investigate issues and best practices in firewall deployment in SCADA systems
• Results:
  • “CPNI Good Practice Guide on SCADA Firewall Deployment”
  • “The Special Needs of SCADA/PCN Firewalls: Architectures and Test Results”
  • Several restricted-access documents…
What We Found…
“While the results indicate that commercial firewalls can be successfully used, the study also shows important differences between the configuration of firewalls in industrial and IT settings.”
The Special Needs of SCADA/PCN Firewalls: Architectures and Test Results, Byres, Hoffman, et al.
Misapplication of IT Security Assumptions
• There are important differences between information technology (IT) networks and industrial automation and control systems (IACS) networks.
• Problems occur because assumptions that are valid in the IT world may not be on the plant floor
• Some examples:
  • Valid types of outbound traffic
  • Importance of web “customers”
  • Assumed protection from DoS attacks via routers
  • “Critical” protocols
  • Desired state on failure
An Example Assumption and Its Impact on a Chemical Plant
• IT Assumption: Outbound traffic is safe, inbound traffic is unsafe
• Result:
  “By default, all ports are blocked on the outside interface, and all ports are open on the inside interface of the security appliance.”
  Cisco ASA 5500 Adaptive Security Appliances, Document ID: 91970
An Example Assumption and Its Impact on a Chemical Plant
• Plant Floor Reality: Cisco ASA firewall is installed between DCS and PLCs with DCS as SCADA master (thus inbound traffic to PLC must be allowed)
• Event: Firewall installed with default rule sets
• Impact: All traffic to PLCs is blocked, plant down for three hours
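The two ideas in the conduit slides and in this chemical plant example can be put side by side in code: a conduit firewall that allows only the minimum traffic the plant needs, versus an IT-style default that trusts everything leaving the protected interface and drops everything arriving at it. The following Python is an added example, not code from the presentation or from any Cisco or Hirschmann product. The zone names, address ranges, the Modbus/TCP port 502 flow and the rule lists are constructed assumptions; the PLCs are placed on the appliance's protected ("inside") interface so that the DCS master's polls count as inbound, which is the situation the slide describes.

```python
"""Conduit allow-list evaluator (added example; not code from the presentation).

Models an ISA-99 style conduit between a DCS/SCADA-master zone and a PLC zone
and evaluates constructed flows against two rule sets:
  * IT_DEFAULT: the appliance default quoted in the slides, with the PLCs on
    the protected "inside" interface (inside -> out open, in -> inside blocked)
  * CONDUIT_MINIMUM: only the flows the plant actually needs
Zone names, address ranges and flows are all constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Zone:
    name: str
    network: IPv4Network


@dataclass(frozen=True)
class Flow:
    src: str      # initiating host
    dst: str      # responding host
    proto: str    # "tcp" or "udp"
    dport: int    # destination port


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src_zone: str          # zone name or "*" for any
    dst_zone: str
    proto: str             # protocol or "*"
    dport: Optional[int]   # None = any port


# Constructed zones. The PLCs sit on the firewall's protected ("inside")
# interface; the DCS that polls them is on the other side.
ZONES = [
    Zone("dcs", ip_network("10.1.0.0/24")),
    Zone("plc", ip_network("10.2.0.0/24")),
    Zone("enterprise", ip_network("192.168.0.0/16")),
]

# IT assumption from the slides: everything leaving the inside interface is
# fine, everything arriving at it is not. With the PLCs inside, the DCS
# master's polls are "inbound" and get dropped.
IT_DEFAULT = [
    Rule("allow", "plc", "*", "*", None),
    Rule("deny", "*", "plc", "*", None),
]

# Conduit rule set: the MINIMUM traffic for correct plant operation. Here that
# is Modbus/TCP (port 502) from the DCS master to the PLCs; nothing else
# crosses the conduit in either direction, so egress is managed as well.
CONDUIT_MINIMUM = [
    Rule("allow", "dcs", "plc", "tcp", 502),
]


def zone_of(addr: str) -> str:
    """Map an address to its zone name, or 'unknown' if it is in no zone."""
    ip = ip_address(addr)
    for zone in ZONES:
        if ip in zone.network:
            return zone.name
    return "unknown"


def evaluate(flow: Flow, rules: List[Rule], default: str = "deny") -> str:
    """First-match evaluation, as a firewall ACL does; `default` applies
    when no rule matches (the implicit deny at the end of the list)."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    for rule in rules:
        if rule.src_zone not in ("*", src_zone):
            continue
        if rule.dst_zone not in ("*", dst_zone):
            continue
        if rule.proto not in ("*", flow.proto):
            continue
        if rule.dport is not None and rule.dport != flow.dport:
            continue
        return rule.action
    return default


def compare(flow: Flow) -> Tuple[str, str]:
    """Return (IT-default verdict, conduit verdict) for one flow."""
    return evaluate(flow, IT_DEFAULT), evaluate(flow, CONDUIT_MINIMUM)


if __name__ == "__main__":
    samples = {
        "DCS master polls PLC (Modbus/TCP)": Flow("10.1.0.10", "10.2.0.5", "tcp", 502),
        "Enterprise host reaches PLC":       Flow("192.168.1.20", "10.2.0.5", "tcp", 502),
        "PLC opens HTTP to enterprise":      Flow("10.2.0.5", "192.168.1.20", "tcp", 80),
    }
    for label, flow in samples.items():
        it, conduit = compare(flow)
        print(f"{label:36s} IT default: {it:5s} conduit: {conduit}")
```

Running the block shows the two failure modes the slides warn about: the IT default denies the DCS master's poll (the plant-down case) while happily letting a PLC open an HTTP connection outward, whereas the conduit rule set allows exactly the one needed flow and nothing else, which is also what "Managed Egress" in the funnel diagram means in practice.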
Conclusion
• Security technology may be excellent, but the default assumptions determine its usability in an environment.
SCADA/ICS-Appropriate Technologies
• Select security solutions that are easy for engineers and technicians to deploy
• Use ICS-appropriate detection technologies that can raise an alarm when equipment is compromised or at risk of compromise
• Deploy ICS-appropriate security technologies
• Look beyond traditional network layer firewalls, towards firewalls that are capable of Deep Packet Inspection of key SCADA and ICS protocols
Example: SCADA-Focused Monitoring
• Stuxnet had to connect to and reprogram the victim PLCs to be successful
• Win-CC Servers likely the reprogramming point
• Question: Should an HMI server be reprogramming a PLC?
• Traffic analysis beyond the basic IP Address / TCP port would detect this…
Example: Fixed Configuration Safety Firewall
• Firewalls designed specifically for a single purpose
• Cannot be disabled or mis-configured by staff
• Can be tuned for specific control systems
  • Aware of SCADA protocols and capable of deep packet inspection
  • Sanity checking of protocols like Modbus
  • Can provide fine grained controls of allowed commands
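The SCADA-focused monitoring slide and this fixed-configuration firewall slide describe the same inspection, from two angles: look past the IP address and TCP port, sanity-check the industrial protocol, and decide per source which commands are allowed, so that an HMI server issuing a state-changing command to a PLC is caught. The Python below is an added example that does this for Modbus/TCP; it is not code from the presentation, from Hirschmann, or from any firewall product, and Modbus/TCP stands in for the Siemens protocols of the Stuxnet case because the slide names it as the protocol to sanity-check. The frames, addresses and the per-source command policy are constructed; the MBAP header layout, function codes and read-quantity limits are those of the public Modbus specification.

```python
"""Modbus/TCP deep packet inspection for a conduit firewall or monitor.

Added example, not code from the presentation or from any vendor product.
Checks the two things the slides ask for: is the frame well formed, and is
this source allowed to send a write (state-changing) command to a PLC?
All frames, addresses and the per-source policy are constructed.
"""
import struct
from dataclasses import dataclass
from typing import Dict, FrozenSet

# Public Modbus function codes. Reads only observe; writes change the PLC.
READ_FC = {1: "Read Coils", 2: "Read Discrete Inputs",
           3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_FC = {5: "Write Single Coil", 6: "Write Single Register",
            15: "Write Multiple Coils", 16: "Write Multiple Registers"}
# Maximum item count per read request (coils vs. 16-bit registers).
READ_LIMIT = {1: 2000, 2: 2000, 3: 125, 4: 125}


class ModbusError(ValueError):
    """Frame fails a protocol sanity check."""


@dataclass(frozen=True)
class Request:
    transaction_id: int
    unit_id: int
    function_code: int
    start: int
    quantity: int


def parse_modbus_tcp(frame: bytes) -> Request:
    """Parse the MBAP header and PDU, rejecting frames that violate the spec."""
    if len(frame) < 8:
        raise ModbusError("shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ModbusError(f"protocol id {proto} is not Modbus (expected 0)")
    # The length field counts every byte after itself: unit id + PDU.
    if length != len(frame) - 6:
        raise ModbusError(f"length field {length} != {len(frame) - 6} bytes on the wire")
    fc, pdu = frame[7], frame[8:]
    if fc in READ_FC:
        if len(pdu) != 4:
            raise ModbusError("read request must carry exactly address and quantity")
        start, qty = struct.unpack(">HH", pdu)
        if not 1 <= qty <= READ_LIMIT[fc]:
            raise ModbusError(f"quantity {qty} outside 1..{READ_LIMIT[fc]} for fc {fc}")
    elif fc in (5, 6):
        if len(pdu) != 4:
            raise ModbusError("single write must carry exactly address and value")
        start, qty = struct.unpack(">H", pdu[:2])[0], 1
    elif fc in (15, 16):
        if len(pdu) < 5:
            raise ModbusError("multiple write truncated before byte count")
        start, qty, nbytes = struct.unpack(">HHB", pdu[:5])
        expected = (qty + 7) // 8 if fc == 15 else 2 * qty
        if qty < 1 or nbytes != expected or len(pdu) != 5 + nbytes:
            raise ModbusError("multiple write byte count does not match quantity")
    else:
        raise ModbusError(f"function code {fc} is not allowed through this conduit")
    return Request(tid, unit, fc, start, qty)


@dataclass(frozen=True)
class Verdict:
    action: str   # "allow" or "deny"
    reason: str


# Constructed policy: function codes each master may send into the PLC zone.
# The HMI server only polls; writes belong to the engineering workstation.
POLICY: Dict[str, FrozenSet[int]] = {
    "10.1.0.10": frozenset(READ_FC),                        # HMI server
    "10.1.0.20": frozenset(READ_FC) | frozenset(WRITE_FC),  # engineering workstation
}


def inspect(src: str, frame: bytes) -> Verdict:
    """Decide whether a Modbus/TCP request from `src` may cross the conduit."""
    try:
        req = parse_modbus_tcp(frame)
    except ModbusError as exc:
        return Verdict("deny", f"malformed: {exc}")
    allowed = POLICY.get(src)
    if allowed is None:
        return Verdict("deny", f"{src} is not an authorised Modbus master")
    name = READ_FC.get(req.function_code) or WRITE_FC[req.function_code]
    if req.function_code not in allowed:
        return Verdict("deny", f"{src} sent {name} (fc {req.function_code}) to unit "
                               f"{req.unit_id}, outside its allowed command set")
    return Verdict("allow", f"{name}: {req.quantity} item(s) from {req.start}")


# Constructed sample frames (hex, MBAP header first).
HMI_READ  = bytes.fromhex("00 01 00 00 00 06 01 03 00 00 00 0A")  # read 10 holding regs
HMI_WRITE = bytes.fromhex("00 02 00 00 00 06 01 06 00 10 00 FF")  # write single register
ENG_WRITE = bytes.fromhex("00 03 00 00 00 0B 01 10 00 10 00 02 04 00 01 00 02")
TRUNCATED = bytes.fromhex("00 04 00 00 00 06 01 03 00 00")        # length field lies
BAD_PROTO = bytes.fromhex("00 05 00 01 00 06 01 03 00 00 00 0A")  # protocol id 1
OVERSIZED = bytes.fromhex("00 06 00 00 00 06 01 03 00 00 00 7E")  # 126 registers

if __name__ == "__main__":
    for src, frame in [("10.1.0.10", HMI_READ), ("10.1.0.10", HMI_WRITE),
                       ("10.1.0.20", ENG_WRITE), ("10.1.0.10", TRUNCATED),
                       ("10.1.0.10", BAD_PROTO), ("10.1.0.10", OVERSIZED),
                       ("192.168.1.50", HMI_READ)]:
        verdict = inspect(src, frame)
        print(f"{src:13s} {verdict.action:5s} {verdict.reason}")
```

Every sample reaches the PLC on the same address and port, so a port-level rule would pass all of them; only the protocol-aware check separates the HMI's legitimate poll from its write, and only the sanity checks catch the length, protocol-id and quantity violations that a plain packet filter never looks at. A fixed-configuration device would ship the equivalent of `parse_modbus_tcp` burned in and expose only the `POLICY` table for tuning.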
Example: Deep Packet Inspection for OPC
• Stuxnet made extensive use of RPC protocol, which is the basis of OPC
• IT firewalls can’t manage RPC or OPC traffic
• Firewall needs to be able to “understand” SCADA protocols like OPC
• Requires “Deep Packet Inspection” technology for automation systems
• Example: Hirschmann OPC Enforcer automatically inspects and manages OPC traffic
Some Final Thoughts
Making Security Work in the SCADA World
• "Certainly controls engineers and operators need to be security aware, but they should not all need to be security experts."
• "We have to make this [security] something a plant superintendent, engineer, or senior operator can do in their spare time, or it will flop."
ISA-99 Discussion Forum
Some Final Thoughts
• IT and SCADA systems are different
• Translates to differing requirements for safe and reliable deployments of security systems in SCADA
• We can’t stop all infections
• We can prevent attackers from reaching their goals
• Security AND safety can be significantly improved with good policy and appropriate technology