Comparing Remote Connectivity Solutions
Benefits, Disadvantages, Architectures for allowing 3rd Party Access
Michael Coden, CISSP, Vice President, NextNine Inc.
Gary Williams, MSc ITSEC, Sr. Director, Schneider Electric


Page 1: Schneider-Electric & NextNine – Comparing Remote Connectivity Solutions

Comparing Remote Connectivity Solutions
Benefits, Disadvantages, Architectures for allowing 3rd Party Access

Michael Coden, CISSP, Vice President, NextNine Inc.
Gary Williams, MSc ITSEC, Sr. Director, Schneider Electric

Page 2: Schneider-Electric & NextNine – Comparing Remote Connectivity Solutions

Presenters

Michael Coden, CISSP
Vice President, NextNine Inc.
Editor, ISA/IEC-62443
Associate Director, MIT-(IC)3

[email protected]

Gary Williams, MSc ITSEC
Sr. Director Technology, CyberSecurity & Communications, Schneider Electric
Lead Auditor ISO/IEC
[email protected]

Page 3: Schneider-Electric & NextNine – Comparing Remote Connectivity Solutions

Introduction

The challenge of keeping Control, Safety & SCADA systems current once delivered, and continuously operating, is huge.

Vendors have to be dynamic in evaluating each new threat against components, devices & systems, often resulting in a plethora of patches, configuration and supporting documentation.

Each solution has to be delivered to our Clients in a secure manner ensuring the integrity from dispatch to delivery.

Page 4: Schneider-Electric & NextNine – Comparing Remote Connectivity Solutions

The Challenge

We all want to have our systems patched to mitigate against new threats.

Vendors want Clients to update ICS, Safety & SCADA systems to mitigate the latest vulnerabilities.

We all want the latest signature files to ensure our Anti-Virus is up to date.

Ideally Clients want Vendors to monitor their systems in near real-time and provide feedback to ensure optimised running and productivity.

To enable this and other support, ICS systems need external connectivity.

The days of air-gapped systems are gone!

Page 5: Schneider-Electric & NextNine – Comparing Remote Connectivity Solutions

Methodologies

There are a number of methodologies used today to enable connectivity to third parties and between outlying plants, e.g.:

• VPN
• Cryptographic devices
• Data Diodes
• Secure Web Interfaces
• Bespoke configured Firewalls
• One time connectivity approach
• NextNine

All of these have value, however, the general requirement is:

‘A resilient, sustainable methodology to provide Secure Communications between Sites & off-site engineers, including 3rd Parties, ensuring the integrity of any data, whether operational or administrative and provision of OS & AV patches’.

Page 6: Schneider-Electric & NextNine – Comparing Remote Connectivity Solutions

VPN

A secure wide area network (WAN) comprised of 2 or more endpoints, at least one of which is the Server.

Pros:
• Cheap technology
• Flexible in growth

Cons:
• Uses several protocols to perform tunneling: PPTP; L2TP; IPSec & SSL
• The design and security implementation is complex
• Uses a number of ports: 47, 50, 443, 500, 1701, 1723, 4500, both outbound and inbound, dependent on protocol

Page 7: Schneider-Electric & NextNine – Comparing Remote Connectivity Solutions

Hardware Security Modules (HSM)

Provides crypto protected links, via physical or data key

Pros:
• Good for point to point
• Good for James Bond

Cons:
• Expensive
• Requires third party hardware for key infrastructure and support
• Configuration of Services on either end can be very complex
• Restricted number of links/channels
• Point to MultiPoint feasible but very expensive

Page 8: Schneider-Electric & NextNine – Comparing Remote Connectivity Solutions

Data Diodes

Provides unidirectional network via a bespoke appliance

Pros:
• Excellent choice for classified data, governments and nuclear plants
• They allow traffic to travel in one direction only
• Good confidentiality

Cons:
• They allow traffic to travel in one direction only
• Restricted number of services can be achieved due to unidirectional traffic flow
• Typically only allow connection to one single device or system
• Expensive to maintain, often a spare is required on the shelf
• Not suitable for services like Remote Desktop

Page 9: Schneider-Electric & NextNine – Comparing Remote Connectivity Solutions

Secure Web Interface

Secure Web based communications often based on certificates or SSL

Pros:
• Enables Remote Users to provide data input
• Used by banking, qBittorrent and commercial ventures such as car hire
• Cross platform
• Transport Layer Security

Cons:
• Certificate management can be difficult
• Not suitable for sustained long term connectivity
• Subject to multiple threats as it is browser based

Page 10: Schneider-Electric & NextNine – Comparing Remote Connectivity Solutions

Bespoke configured Firewalls

Use of Firewalls specifically configured for known IP to known IP

Pro:
• Security by obscurity

Cons:
• Security by obscurity
• Not very secure
• Not very reliable
• Difficult to configure and maintain
• Not suitable for long term services requiring constant connection

Page 11: Schneider-Electric & NextNine – Comparing Remote Connectivity Solutions

Schneider Electric’s approach

Schneider Electric’s Process Automation Systems resolved this conundrum 10 years ago, by partnering with NextNine. Why?

At the time, we were looking for ways of transmitting field device & system data back to Foxboro for monitoring, to enable predictive maintenance and provide an early warning to Clients of anomalous activity, equipment failure etc.

Clients then and now, wanted to control such connectivity to ensure the integrity of both the data and access. At the time, there were few solutions that would enable a Client to control connectivity to multiple parties, whether internal or external, especially one that was sustainable.

Over the last 10 years, the solution has evolved to meet the increasing demand of ICS Security. Today we provide OS, AV and System patches on a regular basis to address the increasing threats. But we also use the system for attack mitigation and Remote Maintenance, enabling our experts to work remotely together with engineers onsite.

Page 12: Schneider-Electric & NextNine – Comparing Remote Connectivity Solutions

Figure: Remote Site A, Remote Site B and Remote Site C each connect to the Secure Center; every endpoint authenticates with a Certificate, "Something I know" and a Trusted Platform Module.

VSE = Virtual Security Engine; TPM = Trusted Platform Module

Connectivity is outbound only through a single port, to a specific IP address.

-- No possibility of VPN bleed or spoofed connections
-- Only one single Firewall Rule to manage for all remote functionality

- Outbound only
- Single Port (443)
- Specific IP Address
- FIPS 140-2 Compliant
- 1024-bit TLS Encrypted

Secure Multi-purpose Tunnel with Mutual Strong M2M Authentication

Page 13: Schneider-Electric & NextNine – Comparing Remote Connectivity Solutions

Figure: Remote Site A, Remote Site B and Remote Site C connect to the Secure Center; the end-customer approves remote access through the Remote Site VSE Interface.

Secure Remote Desktop Sharing with Site Control
– With Remote Access, Cyber Security and 3rd Party experts can immediately connect to your system
– Remote Site controls granting of access
– Remote Site can Supervise remote access


Page 15: Schneider-Electric & NextNine – Comparing Remote Connectivity Solutions

Centralize/Automate Patch, S/W, AV Delivery – Minimize Vulnerability

Figure: Remote Sites (Devices, Systems, Applications and Network & Security Devices, each behind a VSE) connect over the Internet to a DMZ-hosted Security Center (Application Server, CommServer, Database Server). The DMZ also holds the Windows WSUS Server, McAfee ePO Server, Symantec SEPM Server and Product Patch Server, each fed by vendors; External Users (Partner / SI / OEM, Field Service) and Internal Users reach the system through a Full Web UI.

Page 16: Schneider-Electric & NextNine – Comparing Remote Connectivity Solutions

Collect Logs for SIEM Analysis – Scan Ports & Services vs. Whitelist

Figure: Remote sites in Houston, Nigeria and Qatar (Devices, Systems, Applications, Network & Security Devices and Local Personnel, each with a Virtual Security Engine™) connect over the Internet to a DMZ-hosted Central Security Center (Application Server, CommServer, Database Server). External Users (Partner / SI / OEM, Field Service), Internal Users and Cybersecurity Experts work through a Full Web UI; collected logs feed Cyber Security SIEM and Analysis Tools, e.g. ArcSight, Q-Radar, Nitro, …, for detecting rogue devices, ports and services.

VSE continuously scans Ports and Services, comparing against Whitelist & Blacklist.

VSE continuously collects logs, converts them to CEF (Common Event Format) and sends the logs for analysis and detection of malicious activities.
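How the scan-versus-whitelist check and the CEF conversion described on this slide fit together, as an added example (not NextNine's VSE code): the scan results, whitelist, blacklist, vendor/product names and host address are all constructed.

```python
"""Added example (not NextNine's or Schneider Electric's code): check a scanned port/service
list against a site's whitelist and blacklist and emit each finding as a CEF event for a SIEM."""

# Constructed sample scan of one site host: (port, protocol, service name).
SCANNED_SERVICES = [
    (22, "tcp", "ssh"),
    (102, "tcp", "iso-tsap"),  # approved for this host
    (502, "tcp", "modbus"),    # approved for this host
    (23, "tcp", "telnet"),     # explicitly forbidden
    (4444, "tcp", "unknown"),  # on neither list: treat as rogue
]
# Constructed policy for that host; a real deployment would load it per asset.
WHITELIST = {(22, "tcp"), (102, "tcp"), (502, "tcp")}
BLACKLIST = {(23, "tcp"), (21, "tcp")}

def classify(scanned, whitelist, blacklist):
    """Return (port, proto, service, verdict) for every service that is not whitelisted."""
    findings = []
    for port, proto, name in scanned:
        if (port, proto) in blacklist:
            findings.append((port, proto, name, "blacklisted"))
        elif (port, proto) not in whitelist:
            findings.append((port, proto, name, "unlisted"))
    return findings

def _esc_header(s):
    """CEF header fields escape backslash and the '|' delimiter."""
    return s.replace("\\", "\\\\").replace("|", "\\|")

def _esc_ext(s):
    """CEF extension values escape backslash, '=' and newlines."""
    return s.replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n")

def to_cef(host, finding, vendor="ExampleVendor", product="ExampleVSE", version="1.0"):
    """Build 'CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|Extension'."""
    port, proto, name, verdict = finding
    blacklisted = verdict == "blacklisted"
    sig = "ROGUE_SERVICE_BLACKLISTED" if blacklisted else "ROGUE_SERVICE_UNLISTED"
    severity = "9" if blacklisted else "6"  # CEF severity runs 0-10
    header = "|".join(_esc_header(f) for f in
                      ("CEF:0", vendor, product, version, sig, f"Rogue service {name}", severity))
    ext = " ".join(f"{k}={_esc_ext(v)}" for k, v in
                   (("dst", host), ("dpt", str(port)), ("proto", proto),
                    ("app", name), ("msg", f"verdict={verdict}")))
    return f"{header}|{ext}"

def scan_to_cef(host, scanned=SCANNED_SERVICES, whitelist=WHITELIST, blacklist=BLACKLIST):
    """One CEF line per finding, ready to forward to the SIEM."""
    return [to_cef(host, f) for f in classify(scanned, whitelist, blacklist)]
```

Whitelisted services produce no event; an unlisted port is reported at lower severity than a blacklisted one, and the `msg` value shows the `=` escaping that a CEF parser expects.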

Page 17: Schneider-Electric & NextNine – Comparing Remote Connectivity Solutions

Secure Offsite Backups – Automated Verification – Restore/Recovery

Figure: Remote sites in Houston, Nigeria, California, Amsterdam and Qatar (Devices, Systems, Applications, Network & Security Devices and Local Personnel, each with a Virtual Security Engine™) connect over the Internet to a DMZ-hosted Central Security Center (Application Server, CommServer, Database Server). External Users (Partner / SI / OEM, Field Service) and Internal Users work through a Full Web UI. Backups go to Backup Location #1 and Backup Location #2, each with Auto-Verify of Backups.

Page 18: Schneider-Electric & NextNine – Comparing Remote Connectivity Solutions

Automated Asset Discovery – Daily Inventory – Change Management

Figure: Remote Site/s (Devices – Systems – Applications, Network & Security Devices and Local IT, with a VSE) connect over the Internet to a DMZ-hosted Security Center (Application Server, CommServer, Real-Time Database Server). External Users (Partner / SI / OEM) and Internal Users work through a Full Web UI; WSUS, ePO, SEPM, SIEM and Patches feed the Security Center.

Protocols shown on the slide: WMI, SNMP, OPC, SSH, HTTP, Telnet (CLI), SFTP, FTP, Proprietary, Others.

Solution supports all versions of: Windows (NT, XP, Vista, Win7, 2000, 2003, 2008, 2012); Unix (HP-UX, AIX, Solaris, ….); Linux (Red Hat, Ubuntu, ….); any other product that can be accessed via the protocols listed above.

Page 19: Schneider-Electric & NextNine – Comparing Remote Connectivity Solutions

Rapid Development & Instant Application Deployment Remotely

Figure: Remote Site/s (Devices – Systems – Applications, Network & Security Devices and Local IT, with a VSE) connect over the Internet to a DMZ-hosted Security Center (Application Server, CommServer, Real-Time Database Server). External Users (Partner / SI / OEM) and Internal Users work through a Full Web UI; WSUS, ePO, SEPM, SIEM and Patches feed the Security Center.

Heartbleed scanner was delivered in 48 hours!

ShellShock scanner was delivered in one week!

• GUI based App Development Environment
• Develop new Apps in a few hours
• Distribute Apps to all VSE’s
• No recompile or reboot of VSE is required
• App is used immediately

Page 20: Schneider-Electric & NextNine – Comparing Remote Connectivity Solutions

Most Functions of ISA / IEC – 62443 Scale Cost Effectively Remotely

Page 21: Schneider-Electric & NextNine – Comparing Remote Connectivity Solutions

All Major Functions of Cybersecurity Framework Scale Remotely

ISA99 / IEC-62443

Automated Asset Discovery and Inventory

Automated Patch-AV Delivery and Compliance/Enforcement Reports

Event and Incident Log Collection, Conditioning, and Transfer for SIEM Input

Secure Remote Access and Device-to-Device Connection

Multi-Site File Transfer for Secure Software & File Transfers, & Multi-Site Backup / Restore

Page 22: Schneider-Electric & NextNine – Comparing Remote Connectivity Solutions

The authors would like to acknowledge the important contributions and gracious support of the following organizations in providing the data, research, and resources to produce this analysis and report:

– NextNine Inc.
• http://www.nextnine.com

– Schneider Electric
• http://www.schneider-electric.com

– Massachusetts Institute of Technology (IC)3

• MIT Interdisciplinary Consortium for Improving Critical Infrastructure Cybersecurity

• To Join, Visit: http://ic3.mit.edu
