Session description: Explore how to reduce risk and enhance protection of your ICS infrastructure by utilizing non-Integrated Architecture components such as switch ACLs, firewall configurations, and Windows operating system hardening techniques. A prior understanding of general Ethernet concepts, or attendance of NW01, is recommended.
Copyright © 2014 Rockwell Automation, Inc. All Rights Reserved.
PUBLIC INFORMATION
Practical Security Solutions for Industrial Control Systems (ICS)
Jason J. Dely, CISSP, CISM
Principal Security Consultant, Network & Security Services
Course Description
Explore how to reduce risk and enhance protection of your ICS infrastructure by utilizing non-Integrated Architecture components such as switch ACLs, firewall configurations, and Windows Operating System hardening techniques.
A prior understanding of general Ethernet concepts, or attendance of the Fundamentals of EtherNet/IP session, is recommended.
Agenda
Operating System Security
Firewall
Switch Access Control Lists (ACLs)
Defense In Depth
Defense In Depth
Layered Security Model: shield potential targets behind multiple levels of protection to reduce security risks.
Defense in Depth: use multiple security countermeasures to protect the integrity of components or systems.
Openness: consideration for participation of a variety of vendors in our security solutions.
Flexibility: able to accommodate a customer’s needs, including policies and procedures.
Consistency: solutions that align with government directives and standards bodies.
A secure application depends on multiple layers of protection. Industrial security must be implemented as a system.
[Figure: layers of protection (Application, Computer, Device, Physical, Network) covered by Perimeter Enforcement, Device Security and Security Services. Don’t miss the “Depth”: there are layers within the layers.]
Security Objective - Decompose the Elements, Then Secure!
[Figure: reference architecture decomposed by level and security zone]
Level 5, Enterprise Network (Enterprise Security Zone): web, e-mail.
Level 4, Site Business Planning and Logistics Network (Enterprise Security Zone): e-mail, intranet, etc.
Firewall
DMZ: Terminal Services Gateway, Patch Management, AV Server, Application Mirror, Web Services Operations, Application Server.
Firewall
Level 3, Site Operations and Control (Industrial Security Zone): FactoryTalk Application Server, FactoryTalk Directory, Engineering Workstation, Remote Access Server.
Level 2, Area Supervisory Control (Cell/Area Zone): FactoryTalk Client, Operator Interface, Engineering Workstation.
Level 1, Basic Control (Cell/Area Zone): Batch Control, Discrete Control, Drive Control, Continuous Process Control, Safety Control.
Level 0, Process (Cell/Area Zone): sensors, drives, actuators, robots.
The Cell/Area Zone communicates over CIP.
End Node & Infrastructure Security
[Figure: end nodes (legacy PLCs, process automation controllers (PACs), I/O subsystems, servers) surround an infrastructure box containing the switches, routers and firewall. Anything outside the infrastructure box is an end node.]
Infrastructure Decomposition
[Figure: Enterprise Security Zone (Enterprise Network and Site Business Network: e-mail, intranet, shared drives, web) – router/firewall – DMZ (Remote Desktop Gateway, Domain Controller) – firewall – Manufacturing Security Zone (Production Control, Optimizing Control, Workstation, Operator Interface). Traffic between zones is TCP/IP and is governed by firewall rules and Access Control Lists (ACLs).]
• The only way to secure the infrastructure is to determine the dataflow.
• Dataflow diagrams require knowledge of source, destination and protocols.
• Knowledge of source, destination and protocols enables creation of firewall rules and ACLs.
End Node Security
[Figure: the same end node / infrastructure diagram as above; everything outside the infrastructure box (switches, routers, firewall) is an end node: legacy PLCs, process automation controllers (PACs), I/O subsystems, servers.]
Legacy PLC System Architecture Components
[Figure: a PLC consists of a code execution engine, data, and communication. Communication splits into I/O (a proprietary I/O protocol to remote inputs/outputs) and non-I/O.]
Legacy PLC System Architecture Components Prior to Ethernet Adoption
[Figure: remote I/O over a proprietary I/O protocol; PLC data and programming over a proprietary data bus protocol, reached through a protocol converter. Threats enter only through the programming/data-bus connection.]
Legacy PLC System Architecture Components w/ Limited Ethernet Adoption
[Figure: remote I/O still over the proprietary I/O protocol; PLC data and programming are now also reachable over Ethernet, which carries historians, trending and remote access. Threats now enter from both the programming side and the Ethernet side.]
Where are the holes in the castle walls? (Assessments / Vulnerabilities)
[Figure: the PLC (code execution engine, data, communication with I/O and non-I/O paths) with the proprietary I/O protocol on one side and Ethernet on the other. Ethernet is the entry point for external threats.]
Typical PLC communication entry tools:
• Programming software
• Human Machine Interface (HMI) / SCADA software packages
• Firmware flash tools
• Data “getters & setters” tools (OPC -> PCCC / CIP / Modbus, etc.)
Expanded Threat Model on Newer Process Automation Control Systems
[Figure: as above, but the I/O is now Ethernet I/O as well, so both the I/O and the non-I/O communication paths are reachable over Ethernet, the entry point for external threats.]
Typical PLC communication entry tools:
• Programming software
• Human Machine Interface (HMI) / SCADA software packages
• Firmware flash tools
• Data “getters & setters” tools (OPC -> PCCC / CIP / Modbus, etc.) supporting historians and reporting functions
• NEW: asset and inventory mapping tools (Nmap, etc.)
• NEW: vulnerability scanners
• NEW: penetration testing (Metasploit)
Computers = Applications + Operating Systems
Automation application security is mostly provided by the vendor(s) and often leverages OS authentication.
Operating systems are not provided by automation vendors, and they are the biggest target of malware, viruses, etc.
COTS productivity software (Adobe, Word, Excel, etc.) presents a large target too.
Rockwell Automation Product Security Solution Boundaries
Provide automation software security (often leverages OS authentication).
Provide switching and routing infrastructure security (Stratix switches).
Provide “in rack” secured communications capabilities (Secured Communications Module).
Operating System Security Boundaries
An operating system is a collection of software that manages computer hardware resources.
It provides security permissions for objects, files and folders.
It is the foundation for application security.
It is often not managed for security within the Manufacturing Zones.
Switch Access Control Lists (ACLs)
ACL Flow Diagram
Anatomy of a Standard ACL
Let’s use the following ACL as an example. Permit traffic with a source address that resides on the 172.24.101.x network.
access-list 10 permit 172.24.101.0 0.0.0.255
The first part of the ACL begins with a numbered access-list command.
access-list 10 permit 172.24.101.0 0.0.0.255
Standard ACLs must be numbered 1-99 (IOS also accepts the expanded range 1300-1999). A standard ACL matches on source address only; extended ACLs (100-199 and 2000-2699) can also match destination address, protocol and port.
Subsequent rules that are added using the same number (access-list 10) are appended to the bottom of the list.
As the switch or router checks the traffic against the list of rules, the first rule that matches is used, so order matters: a broad permit placed above a more specific deny makes that deny unreachable.
Always remember that at the end of every ACL there is an implicit deny all rule: anything not explicitly permitted is dropped, and a list containing only deny statements blocks all traffic.
Anatomy of a Standard ACL cont.
The next part of an ACL rule states whether the traffic will be permitted or denied if there is a match.
access-list 10 permit 172.24.101.0 0.0.0.255
In this example any traffic that matches this rule is permitted to continue through the interface.
The two options for this field are permit or deny.
Anatomy of a Standard ACL cont.
This part of the ACL rule specifies the source network or host that the rule is applied against.
access-list 10 permit 172.24.101.0 0.0.0.255
This field may specify a single host, a range of addresses, or all addresses.
To specify a single host, use the host keyword. For example: access-list 10 permit host 172.24.101.12
To specify all addresses, use the any keyword. For example: access-list 10 permit any
Anatomy of a Standard ACL cont. (Source Address)
To specify a range of addresses, an IP address and a wildcard mask must be used. A wildcard mask is the inverse of a subnet mask: a 0 bit must match the address exactly, a 1 bit is ignored (“don’t care”).
To match traffic from the 172.24.101.x network, the wildcard mask 0.0.0.255 must be used (the inverse of subnet mask 255.255.255.0).
To match traffic from the 172.24.x.x network, the wildcard mask 0.0.255.255 must be used (the inverse of 255.255.0.0).
Note that 0.0.0.255 matches every address from 172.24.101.0 through 172.24.101.255, not only the hosts you have actually assigned; use the host form when a single device is meant.
Applying an ACL to an Interface
An ACL does nothing until it is applied to an interface with ip access-group. (List number 110 in these examples is in the extended range 100-199; a standard list such as access-list 10 is applied the same way.)
Commands to add an access list to inbound traffic on an interface.
Router(config)#interface fa1/1
Router(config-if)#ip access-group 110 in
Commands to add an access list to outbound traffic on an interface.
Router(config)#interface fa1/1
Router(config-if)#ip access-group 110 out
*Stratix switches do not give the option to apply an ACL to outbound traffic: port ACLs on Layer 2 switch ports are inbound only, so filter at the port where the traffic enters the switch.*
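The evaluation rules described in the ACL slides (first match wins, entries appended in order, implicit deny at the end, wildcard bits as “don’t care” bits) can be checked offline before a list is applied with ip access-group. The following PowerShell is an added example, not code from the deck or from Rockwell Automation; the function names, the sample list and the test addresses are assumptions made for the example.

```powershell
# Added example (not from the original deck): model how IOS evaluates a numbered
# standard ACL so a list can be tested against real source addresses before it is
# applied inbound on a port.

function ConvertTo-AddressInt {
    # Dotted-quad IPv4 string -> 32-bit value held in a 64-bit integer (avoids sign issues)
    param([Parameter(Mandatory)][string]$Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    return ([long]$b[0] * 16777216) + ([long]$b[1] * 65536) + ([long]$b[2] * 256) + [long]$b[3]
}

function ConvertFrom-AclLine {
    # Parse one "access-list <n> permit|deny <source>" line into a rule object.
    param([Parameter(Mandatory)][string]$Line)
    if ($Line -notmatch '^\s*access-list\s+(\d+)\s+(permit|deny)\s+(.+?)\s*$') {
        throw "Not a standard ACL entry: $Line"
    }
    $number = [int]$Matches[1]
    $action = $Matches[2].ToLower()
    $tokens = $Matches[3] -split '\s+'
    switch ($tokens[0].ToLower()) {
        'any'   { $base = [long]0; $wild = [long]4294967295 }                 # every bit is "don't care"
        'host'  { $base = ConvertTo-AddressInt $tokens[1]; $wild = [long]0 }  # every bit must match
        default {
            # "A.B.C.D W.X.Y.Z" = address + wildcard mask; a bare address is treated as a host
            $base = ConvertTo-AddressInt $tokens[0]
            $wild = if ($tokens.Count -ge 2) { ConvertTo-AddressInt $tokens[1] } else { [long]0 }
        }
    }
    [pscustomobject]@{ Number = $number; Action = $action; Base = $base; Wildcard = $wild; Text = $Line.Trim() }
}

function Test-StandardAcl {
    # Return the action IOS would take for $SourceAddress against ACL $Number.
    param(
        [Parameter(Mandatory)][string[]]$AclLines,
        [Parameter(Mandatory)][int]$Number,
        [Parameter(Mandatory)][string]$SourceAddress
    )
    if (-not (($Number -ge 1 -and $Number -le 99) -or ($Number -ge 1300 -and $Number -le 1999))) {
        Write-Warning "ACL $Number is not in the standard range (1-99, 1300-1999)"
    }
    $src = ConvertTo-AddressInt $SourceAddress
    # Entries carrying the same number are evaluated in the order they were entered
    $rules = $AclLines | ForEach-Object { ConvertFrom-AclLine $_ } | Where-Object Number -eq $Number
    foreach ($r in $rules) {
        # Match when every bit that differs from Base is a "don't care" (1) bit in the wildcard
        if ((($src -bxor $r.Base) -band (-bnot $r.Wildcard)) -eq 0) {
            return [pscustomobject]@{ Source = $SourceAddress; Action = $r.Action; MatchedRule = $r.Text }
        }
    }
    # No entry matched: the implicit "deny any" at the end of every ACL applies
    [pscustomobject]@{ Source = $SourceAddress; Action = 'deny'; MatchedRule = '(implicit deny)' }
}

# Constructed sample list: block one workstation, then allow the rest of 172.24.101.x.
# Swapping the two lines would make the deny unreachable (first match wins).
$acl10 = @(
    'access-list 10 deny   host 172.24.101.12'
    'access-list 10 permit 172.24.101.0 0.0.0.255'
)
'172.24.101.12', '172.24.101.200', '172.24.102.7' |
    ForEach-Object { Test-StandardAcl -AclLines $acl10 -Number 10 -SourceAddress $_ } |
    Format-Table -AutoSize
```

With the sample list, 172.24.101.12 reports deny (explicit host entry), 172.24.101.200 reports permit (wildcard entry) and 172.24.102.7 reports deny (implicit deny). Paste a production list in place of the sample and feed it the addresses of the HMIs, engineering workstations and controllers that must keep talking; the implicit deny is where most outages from new ACLs come from.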
Firewall
Network Security Framework: Unified Threat Management (UTM)
[Figure: Enterprise Zone, Levels 4 and 5 (enterprise-wide business systems, data center); Level 3.5 IDMZ; Industrial Zone, Level 3 site operations on physical or virtualized servers (FactoryTalk application servers and services platform; network services such as DNS, AD, DHCP, AAA; remote access server (RAS); call manager; storage array; plant-wide/site-wide operation systems); Levels 0-2 Cell/Area Zones: Remote Site #1 behind a UTM over a site-to-site connection, Local Cell/Area Zone #1 and Local OEM Skid/Machine #1 each behind a switch.]
Questions the diagram raises: Who owns the key to this protection? Are further controls needed for your SLA on the site-to-site connection? Is this level of protection enough?
Network Security Framework: Unified Threat Management (UTM)
Modern firewalls (UTMs) provide a range of security services:
Firewall with application layer security: multi-layer packet and traffic analysis; advanced application and protocol inspection services; network application controls.
Access control and authentication: flexible user- and network-based access control services; stateful packet inspection; integration with popular authentication sources including Microsoft Active Directory, LDAP, Kerberos, and RSA SecurID.
IPS and Anti-X defenses: real-time protection from application and OS level attacks; network-based worm and virus mitigation; spyware, adware, malware detection and control; on-box event correlation and proactive response.
Intelligent networking services: low latency; diverse topologies; multicast support; services virtualization; network segmentation and partitioning; routing, resiliency, load balancing.
SSL and IPsec connectivity: threat-protected SSL and IPsec VPN services; zero-touch, automatically updatable IPsec remote access; flexible clientless and full-tunneling client SSL VPN services; QoS/routing-enabled site-to-site VPN.
Network Security Framework: Unified Threat Management (UTM) – Stratix 5900™ Security Appliance
The Stratix 5900 UTM security appliance is a ruggedized all-inclusive UTM with features such as firewall, secure routing, VPN (virtual private network), intrusion prevention, NAT (network address translation) and content filtering.
Site-to-site connection: tunnels the Industrial Zone trusted network to a remote site over an untrusted network using a site-to-site VPN connection.
Cell/Area Zone firewall: protects a Cell/Area Zone from the greater Industrial Zone.
Physical features: RJ-45 Gigabit WAN; 4 x 10/100Base-TX LAN ports; shock/vibration and extended temperature rating; DIN rail mount.
Network features: ACL/firewall, DHCP, QoS, VLAN, NAT.
Network Security Framework: Unified Threat Management (UTM)
[Figure: the same zone diagram as above with Stratix 5900 UTMs placed at 1) the site-to-site connection to Remote Site #1, 2) the Cell/Area Zone firewall in front of Local Cell/Area Zone #1, and 3) OEM integration in front of Local OEM Skid/Machine #1.]
Network Security Framework: Stratix 5900 (Distributed System)
Allows the system to be securely distributed between a central site and smaller sites.
Applications: water/wastewater, pipelines, oil and gas.
[Figure: Central Site with Enterprise, DMZ (ASA 5515-X failover pair) and Industrial Zone (ASA 5500-X, Catalyst 3750-X, Stratix 5700, Catalyst 2960, central site controller, HMI server, engineering workstation, Stratix 5900); Distributed Sites #1, #2 and #3, each with its own Stratix 5900, reached across an untrusted network / industrial WAN.]
Network Security Framework: Stratix 5900 (Cell Firewall)
The Stratix 5900 firewall restricts and filters traffic to and from the Cell/Area Zones.
Supports: NAT, transparent firewalls, routing, NetFlow, syslog.
[Figure: Industrial Zone (Catalyst 3750-X, Stratix 5700, HMI server) with a Stratix 5900 in front of each of Machine #1 and Machine #2; each machine has its own Catalyst 2960 and line controller.]
Operating System Security
Rockwell Automation Knowledgebase
• Knowledgebase ID 30498 – Windows Firewall Configuration Utility for Windows XP Service Pack 2 (TechConnect level)
• Knowledgebase ID 45891 – How to use the Windows Firewall Configuration Utility to configure the Public network on Windows 7
Rockwell Software Windows Firewall Configuration Utility
Windows Firewall
Order of Windows Firewall Security Rule Evaluation
Windows Firewall with Advanced Security evaluates, in order: Windows Service Hardening rules, connection security rules, authenticated bypass rules, block rules, allow rules, and finally the profile’s default action. An explicit block rule therefore always beats an allow rule for the same traffic, whatever order they were created in, and traffic matched by no rule gets the profile default (block for inbound, allow for outbound, unless changed).
Demonstration
Blocking ping (ICMP echo request)
Blocking other traffic (such as Remote Desktop, ping, etc.) from IP address ranges
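The two demonstration items above, scripted as an added example that is not part of the deck or of the Rockwell Software utility. It uses the NetSecurity cmdlets (Windows 8 / Server 2012 and later; Windows 7 hosts need the equivalent netsh advfirewall firewall add rule commands), must run from an elevated prompt, and the rule names and address ranges are assumptions made for the example.

```powershell
# Added example (not from the original deck): block ping, block Remote Desktop from an
# address range, and allow Remote Desktop only from the engineering subnet.
# Address ranges are assumptions for this example.
$engineeringSubnet = '172.24.101.0/24'                 # workstations allowed to use Remote Desktop
$blockedRange      = '172.24.200.1-172.24.200.254'     # addresses that must never reach RDP

# 1. Block ping: inbound ICMPv4 echo request (type 8) from any address.
New-NetFirewallRule -DisplayName 'ICS - Block inbound ping' -Direction Inbound `
    -Protocol ICMPv4 -IcmpType 8 -Action Block -Profile Any | Out-Null

# 2. Block Remote Desktop (TCP 3389) from a specific address range.
#    Block rules are evaluated before allow rules, so this wins even if a broader
#    allow rule for RDP exists on the host.
New-NetFirewallRule -DisplayName 'ICS - Block RDP from range' -Direction Inbound `
    -Protocol TCP -LocalPort 3389 -RemoteAddress $blockedRange -Action Block -Profile Any | Out-Null

# 3. Allow Remote Desktop only from the engineering subnet. Any other source falls
#    through to the profile default, which must be Block for this to mean anything.
New-NetFirewallRule -DisplayName 'ICS - Allow RDP from engineering' -Direction Inbound `
    -Protocol TCP -LocalPort 3389 -RemoteAddress $engineeringSubnet -Action Allow -Profile Any | Out-Null

# 4. Enforce a default-deny inbound posture on every profile and confirm it.
Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction

# 5. Review what was created, including the address filter each rule carries.
Get-NetFirewallRule -DisplayName 'ICS - *' | ForEach-Object {
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{ Rule = $_.DisplayName; Action = $_.Action; Direction = $_.Direction; Remote = $addr.RemoteAddress }
} | Format-Table -AutoSize
```

Step 4 is the part the demonstration slides leave implicit: a block rule for one range is only a fence post unless the profile’s default inbound action is Block, so the allow rule for the engineering subnet becomes the only way in. Test from a host in each range before rolling the rules out with Group Policy.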
Software Restriction Policies (SRP)
Software Restriction Policies (SRP) is a Group Policy-based feature that identifies software programs running on computers in a domain and controls the ability of those programs to run. Software restriction policies are part of the Microsoft security and management strategy to assist enterprises in increasing the reliability, integrity, and manageability of their computers.
You can also use software restriction policies to create a highly restricted configuration for computers, in which you allow only specifically identified applications to run (the default security level is set to Disallowed and each permitted application or path gets an Unrestricted rule).
Software restriction policies are integrated with Microsoft Active Directory and Group Policy.
You can define these policies through the Software Restriction Policies extension of the Local Group Policy Editor or the Local Security Policy snap-in to the Microsoft Management Console (MMC).
MMC.EXE – Used to set permissions per user
GPEDIT.MSC – used to globally edit SRPs
Registry Setting to Disable USB Mass Storage
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor
Start value = 4 (SERVICE_DISABLED) stops the USB storage driver from loading; the default is 3 (SERVICE_DEMAND_START). This affects mass-storage devices only; keyboards, mice and other USB classes use different drivers.
Demonstration - SRP
Disable USB globally
Disable USB per user
Disable software running in unwanted locations
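The three demonstration items above, scripted as an added example that is not part of the deck. It reads “disable USB per user” as the permissions-based method (denying one account access to the USBSTOR setup files), writes the same registry values that the Local Group Policy Editor writes for SRP path rules, and must run elevated. The account name, blocked paths, executable-type list and log path are assumptions made for the example; try it on a test host first, as the changes are host-wide.

```powershell
# Added example (not from the original deck): disable USB mass storage globally and
# per user, then add SRP path rules that stop executables from user-writable locations.

# 1. Disable USB mass storage for everyone: stop the USBSTOR driver from loading.
#    Start = 4 is SERVICE_DISABLED; the default 3 (SERVICE_DEMAND_START) re-enables it.
$usbStor = 'HKLM:\SYSTEM\CurrentControlSet\Services\UsbStor'
Set-ItemProperty -Path $usbStor -Name Start -Value 4 -Type DWord
(Get-ItemProperty -Path $usbStor -Name Start).Start    # 4 once applied

# 2. Disable USB mass storage for one account: deny that user read/execute on the
#    driver setup files so Plug and Play cannot install a storage device in that
#    user's session (the permissions method from Microsoft KB 823732).
$user = 'CONTRACTOR\jdoe'   # assumed account name
foreach ($f in "$env:SystemRoot\Inf\usbstor.inf", "$env:SystemRoot\Inf\usbstor.pnf") {
    icacls $f /deny "${user}:(RX)"
}

# 3. Software Restriction Policies: disallow executables launched from user-writable
#    locations. These are the values the Local Group Policy Editor writes under
#    Software Restriction Policies > Additional Rules; gpedit.msc shows the result.
$safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
if (-not (Test-Path $safer)) { New-Item -Path $safer -Force | Out-Null }
# DefaultLevel 0x40000 = Unrestricted (deny-list mode). For an allow-list set it to 0
# (Disallowed) and first add Unrestricted rules under 262144\Paths for %SystemRoot%
# and %ProgramFiles%, or the OS itself stops launching programs.
Set-ItemProperty -Path $safer -Name DefaultLevel       -Value 0x40000 -Type DWord
Set-ItemProperty -Path $safer -Name TransparentEnabled -Value 1 -Type DWord   # enforce for all software files except libraries
Set-ItemProperty -Path $safer -Name PolicyScope        -Value 0 -Type DWord   # 0 = all users, including administrators
# Subset of the default "designated file types" list (assumed for this example)
Set-ItemProperty -Path $safer -Name ExecutableTypes -Type MultiString `
    -Value @('BAT','CMD','COM','CPL','EXE','HTA','LNK','MSI','MSP','PIF','REG','SCR','VB','WSC')
# Advanced logging: every SRP evaluation is appended to this file (assumed path)
Set-ItemProperty -Path $safer -Name LogFileName -Value 'C:\Windows\Temp\srp.log' -Type String

$blockedPaths = @('%USERPROFILE%\AppData\Local\Temp', '%USERPROFILE%\Downloads', 'E:\')   # assumed locations
foreach ($p in $blockedPaths) {
    # Level 0 = Disallowed; each path rule lives in its own GUID-named key
    $rule = Join-Path $safer ('0\Paths\{' + [guid]::NewGuid().ToString() + '}')
    New-Item -Path $rule -Force | Out-Null
    Set-ItemProperty -Path $rule -Name ItemData   -Value $p -Type ExpandString
    Set-ItemProperty -Path $rule -Name SaferFlags -Value 0  -Type DWord
}
# The policy is read when a process starts; run "gpupdate /force" or log off and on,
# then list the Disallowed path rules that are now in force.
Get-ChildItem (Join-Path $safer '0\Paths') | ForEach-Object { (Get-ItemProperty $_.PSPath).ItemData }
```

On a domain member, put the same SRP settings in a GPO rather than in local policy so they survive a rebuild and can be audited centrally; the registry values are identical, only the delivery differs. The log file is the quickest way to find out which legitimate automation tools launch from a path you are about to block.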
Thank you!!
Questions?