(1)

Modernizing Network Security in SCADA and Industrial Control Systems

1 | ©2013, Palo Alto Networks. .

Geoff Shukin, Solutions Architect

(2)

Agenda

§ Challenges in Securing SCADA/ICS Networks
§ Four Strategies for Modernizing Control Network Cybersecurity
§ Practical Solutions for Implementation

(3)

Challenges in Securing SCADA/ICS Networks

Typical challenges faced in SCADA/ICS network security (slide diagram, summarised):

§ Reporting for regulatory/customer audits and forensics (CFATS, CIP standards)
§ Escalated threat landscape: exploits, malware and APTs
§ Protecting legacy systems
§ Managing network integration with corporate, 3rd-party and partner networks
§ Lack of granular visibility and control over control-network usage and traffic (Enterprise Zone, Control Network Zones 1-4)
§ Increasing use of web-based applications / SaaS (http://)

(4)

What Keeps SCADA Security Supervisors Up at Night?

[Bar chart from the SANS 2014 Survey on Industrial Control Systems: "What are the top three threat vectors you are most concerned with?" Percent of respondents (first, second and third choice) per category, on a 0-30% axis. Categories shown: extortion or other financially motivated crimes; other; industrial espionage; cybersecurity policy violations; attacks coming from within the internal network; email phishing attacks; insider exploits; malware; external threats (hacktivism, nation states).]

(5)

Advanced Targeted Attacks

Stuxnet
§  Social engineering: removable media
§  Exploits zero-day vulnerabilities (Windows, Siemens)
§  Propagation/recon via general IT apps and file types
§  Goal: disrupt uranium enrichment program

Energetic Bear
§  Social engineering: spearphishing, watering hole, Trojan in ICS software
§  Enumerates OPC assets (an ICS protocol!)
§  Goal: IP theft and an ICS attack proof of concept?

Norway Oil & Gas Attacks
§  Social engineering: spearphishing, watering hole
§  Goal: IP theft and ???

(6)

Malicious Insider Attack

§  Sewage treatment facility in Maroochy Shire, Queensland, Australia
§  A disgruntled employee of the ICS vendor sought revenge on the customer (the shire council) and the employer
§  Used intimate knowledge of the asset owner's ICS to gain access and wreak havoc
§  Impact
  §  Spillage of 800,000 liters of raw sewage into local parks, rivers and hotel grounds
  §  Loss of marine life, damage to the environment, health hazard

Source: Applied Control Solutions

(7)

Unintentional Cyber Incidents

SQL Slammer on an offshore rig
§  Platform shared by the operator and a royalty partner
§  Slammer infection reached the rig via the partner network
§  Workstations and SCADA servers crashed; systems would not restart after reboot
§  8 hours to restore the SCADA and restart production
§  Consequences
  §  Immediate loss of monitoring of down-hole wells
  §  Loss of production for all 4 major wells
  §  Total losses > $1.2M before production was finally restored
Source: Red Tiger Security

Application Visibility and Risk Report conducted at an energy company in Eastern Europe
§  The plant manager insisted the system was "not internet-facing"
§  A rogue broadband link and risky web applications were found on the SCADA system: Wuala (storage), eMule (P2P), DAV (collaboration)
§  Concerns over loss of IP, network availability and malware introduction
Source: Palo Alto Networks

(8)

Requirements for Next-generation Control Network Security

§ Least privilege control: fine-grained control, not just "on or off"; not based on port, protocol or IP address
§ Situational awareness: applications (IT, SCADA, ICS), users, assets, groups, content, URLs, domains, countries
§ Threat prevention: known and unknown threats, malware and control-system vulnerabilities, natively supported
§ Forensics and incident response: consolidated visibility and faster time to remediation

(9)

4 Strategies for Modernizing Control Network Cybersecurity

1. Apply segmentation and advanced traffic classification (L7) to improve situational awareness
2. Enforce a least privilege network access model based on users, applications, assets, URLs
3. Apply a life-cycle approach to threat prevention that controls attack vectors before having to block known and unknown threats
4. Deploy centralized management and log collection to accelerate forensics, incident response and reporting

(10)

Revisiting the Trust Model in ICS

[Diagram: PCN (PCN servers, HMI, PLCs / RTUs, local HMI), DEV, and remote station / plant floor (PLCs / RTUs, local HMI), with paths in from vendor/partner, mobility, the enterprise network, the internet, the WAN and internal actors.]

(11)

Observations

§ Broken trust model
  §  Micro-segmentation is critical
§ Granular visibility of traffic is an essential capability
  §  Applications, users, content
  §  Shared context
§ End-to-end security is required
  §  Threats originate at endpoints and via networks
§ Real and potentially high risks with ICS cyber incidents
  §  Must focus on prevention, not just detection
§ Advanced attacks will be "zero-day"
  §  The capability to detect and stop unknown threats quickly is needed
  §  Automated threat analysis and information sharing would be helpful

(12)

The Challenges with Legacy Solutions

[Diagram: Internet behind a legacy firewall followed by a chain of "firewall helpers" (IM, DLP, IPS, AV, URL, proxy), or a UTM box.]

§ Splintered security: legacy stateful-inspection firewalls + "firewall helpers"
  §  Founded on port-based policy in the legacy firewall, not application-based
  §  Multiple, non-shared contexts make it difficult to really understand what is happening
  §  Difficult or impossible to implement the desired control
  §  Higher chance of misconfiguration and of leaving security holes
  §  Tedious and slow forensics and remediation
§ Performance drops off dramatically with each stage

(13)

Implement the Strategies with the Palo Alto Networks Next-generation Security Platform

[Diagram: classification engine (L7) made up of App-ID, User-ID and Content-ID, fed by application signatures and additional intelligence (threat/vulnerability signatures, URL database, user/user-group mapping). Natively supported services: application visibility and control, threat prevention (AV, AS, exploits), URL filtering, unknown threat prevention, mobile security.]

Next-generation security ≠ legacy firewall + IPS + URL + ...
Next-generation security ≠ Unified Threat Management (UTM)

(14)

Palo Alto Networks "SP3" Architecture: Single-pass, Parallel Processing

§ Redesigned from the ground up with next-generation security requirements in mind
§ Single-pass processing
  §  Performs app, user and content scanning once per packet
  §  One policy that integrates apps, users and content
§ Parallel processing hardware
  §  Function-specific parallel processing hardware engines
  §  Separate data plane and control plane

Our firewalls are powered by our single-pass, parallel processing architecture, which delivers high performance and promotes high availability.

(15)

User-ID: Many Ways to Identify User / User-group

§ Policy enforcement based on users and groups

(16)

Traffic Shaping for Critical and Real-time Traffic

§ In addition to creating policies based on apps, users and content, you can also apply QoS profiles to specific apps, users, interfaces and more
§ Possible use cases
  §  Ensure all PLC / IED / RTU traffic and alarms get the highest priority
  §  Allocate just the right amount of bandwidth for surveillance video at the PCN
  §  Prioritize Fault Location, Isolation and Service Restoration (FLISR) data in the Smart Grid
§ Traffic shaping overview
  §  Guaranteed, maximum and priority bandwidth can be applied across eight traffic queues
  §  Policies can be applied to physical interfaces, IPSec VPN tunnels, applications, users, source, destination and more
  §  DiffServ marking is supported, enabling application traffic to be controlled by a downstream or upstream networking device

(17)

4 Strategies for Modernizing Control Network Cybersecurity (recap; strategy 1 follows: apply segmentation and advanced traffic classification (L7) to improve situational awareness)

(18)

Security Zones and Conduits

[Diagram: corporate / remote access network, control center and remote station / plant floor, divided into an Enterprise / Remote Zone, SCADA / HMI Zone, Server Zone, Workstation Zone, HMI Zone, Field Device Zone 1, Field Device Zone 2 and SIS Zone. Security Zone #1 and Security Zone #2 are joined by a conduit.]

Create zones for external access into the OT infrastructure as well as for sub-zones within the OT.

(19)

The Need for Better Segmentation in SCADA / ICS

§  Perimeter
  §  Exposure to enterprise (IT-OT integration) and 3rd-party / service provider networks
§  Intra-OT
  §  Risk levels and security requirements vary among assets and tend to increase as you go deeper into the SCADA system
  §  Intra-OT traffic visibility: the internet is not the only source of malware (removable media, mobile computing)
§  Must create security zones with conduits that monitor/control inter-zone traffic

[Diagram: enterprise network and 3rd-party support / service provider connecting to the control center (OPC, SCADA, historian, HMI / SCADA client workstation) and the substation / remote station (PLC / RTU / IED, SIS).]

(20)

Network Segmentation with Palo Alto Networks

§  Define security zones and security policies that match the unique zone-to-zone security requirements
§  Support for different types of segmentation schemes: Layer 3, Layer 2, Layer 1, VLAN, VPN

[Diagram: Enterprise Zone (enterprise network), Remote / Support Zone, Server Zone (OPC, SCADA, historian) and User Zone (HMI / SCADA client workstation) in the control center, and Process Zone (PLC / RTU / IED, SIS) at the substation / remote station.]

(21)

Over 1950 application signatures, including a growing list of SCADA/ICS-specific signatures

Protocol / Application
§  Modbus base
§  Modbus function control
§  DNP3
§  IEC 60870-5-104 base
§  IEC 60870-5-104 function control
§  ICCP (IEC 60870-6 / TASE.2)
§  Cygnet
§  Elcom 90
§  FactoryLink
§  MQTT
§  CIP EtherNet/IP
§  Synchrophasor (IEEE C37.118)
§  Foundation Fieldbus
§  Profinet IO
§  OPC
§  OSIsoft PI Systems

(22)

App-ID Function Control Example: Modbus

Function control variants (15 total): modbus-base, modbus-read-coils, modbus-read-discrete-inputs, modbus-read-holding-registers, modbus-read-input-registers, modbus-write-single-coil, modbus-write-single-register, modbus-write-multiple-coils, modbus-write-multiple-registers, modbus-read-file-record, modbus-write-file-record, modbus-mask-write-registers, modbus-read-write-register, modbus-read-fifo-queue, modbus-encapsulated-transport

[Applipedia entry for the Modbus-base App-ID]

(23)

App-ID Function Control Example: IEC 60870-5-104

[Available variants for the IEC 60870-5-104 App-ID; Applipedia entry for the IEC 60870-5-104 base App-ID]

(24)

4 Strategies for Modernizing Control Network Cybersecurity (recap; strategy 2 follows: enforce a least privilege network access model based on users, applications, assets, URLs)

(25)

Data Center Security

§ Control application/web usage
  §  Approved apps, users and content only
  §  SCADA/ICS: OPC, PI, Cygnet, etc.
  §  General IT apps
  §  Apply QoS for specific applications
  §  URL filtering for the HTTP service
§ Control administration
  §  Approved administrators only
  §  SSH, Telnet, SNMP, FTP, etc.
§ Block malware and exploits, known and unknown
§ Monitor for botnets / C&C

[Diagram: data center hosting OPC, PI, SCADA / ICS / DCS / EMS servers, IT apps and HTTP, with separate user and admin access paths.]

(26)

Remote Station / Plant Floor Security

§ Limit traffic to control network protocols
  §  Modbus, DNP3, EtherNet/IP, FactoryLink, etc.
  §  Limit access to write commands to control devices (PLCs, IEDs, RTUs)
§ Safely enable IT apps and web access
  §  SSH, FTP, Telnet, SMTP, SNMP, etc.
  §  Control with User-ID and URL filtering
§ Block malware and exploits
  §  Malware: antivirus, antispyware
  §  Exploits: vendor and protocol
  §  Known and unknown threats
§ Monitor for botnets / C&C

[Diagram: substation (PLC / RTU, HMI) or plant floor, protected either by a standard appliance or by a 3rd-party ruggedized server running the VM-Series.]
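The function-level control described on the Modbus App-ID slide (slide 22) and the "limit access to write commands" requirement above, as an added example that is not part of the original deck and not Palo Alto Networks code: a small Modbus/TCP classifier that parses the MBAP header and function code, names the request with the variant names listed on the slide, and enforces a per-conduit policy in which the HMI zone may write to a field-device zone while the server zone (historian) may only read. The zone names, the policy and the sample frames are assumptions constructed for this example; a frame whose MBAP length does not match the bytes on the wire is treated as malformed and denied rather than classified as "unknown".

```python
import struct
from dataclasses import dataclass
from typing import Tuple

# Modbus function code -> App-ID-style variant name, using the 15 variant
# names listed on the Modbus App-ID slide (unknown codes fall back to modbus-base).
FUNCTION_VARIANTS = {
    1: "modbus-read-coils",
    2: "modbus-read-discrete-inputs",
    3: "modbus-read-holding-registers",
    4: "modbus-read-input-registers",
    5: "modbus-write-single-coil",
    6: "modbus-write-single-register",
    15: "modbus-write-multiple-coils",
    16: "modbus-write-multiple-registers",
    20: "modbus-read-file-record",
    21: "modbus-write-file-record",
    22: "modbus-mask-write-registers",
    23: "modbus-read-write-register",
    24: "modbus-read-fifo-queue",
    43: "modbus-encapsulated-transport",
}
# Anything that can change device state counts as a write (mask-write and read/write included).
WRITE_VARIANTS = frozenset(v for v in FUNCTION_VARIANTS.values() if "write" in v)
READ_VARIANTS = frozenset(FUNCTION_VARIANTS.values()) - WRITE_VARIANTS


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    variant: str
    exception: bool  # high bit of the function code set: an exception response


def classify(frame: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP frame (MBAP header + PDU) and name its function-control variant.

    Malformed frames raise ValueError so the caller can deny them instead of
    letting a write slip through as 'unknown'.
    """
    if len(frame) < 8:
        raise ValueError("short frame: need MBAP header plus function code")
    tid, proto, length, unit, fc = struct.unpack("!HHHBB", frame[:8])
    if proto != 0:
        raise ValueError("MBAP protocol id must be 0 for Modbus")
    if length != len(frame) - 6:  # the length field counts unit id + PDU
        raise ValueError("MBAP length does not match frame size")
    code = fc & 0x7F
    return ModbusRequest(tid, unit, code, FUNCTION_VARIANTS.get(code, "modbus-base"), bool(fc & 0x80))


# Conduit policy: (source zone, destination zone) -> permitted variants.
# Zone names follow the deck's zone model; the rules themselves are assumed for this example.
CONDUIT_POLICY = {
    # Operator HMIs may issue any Modbus function to field devices.
    ("hmi-zone", "field-device-zone-1"): READ_VARIANTS | WRITE_VARIANTS | {"modbus-base"},
    # Servers (e.g. the historian) may only read from field devices.
    ("server-zone", "field-device-zone-1"): READ_VARIANTS | {"modbus-base"},
    # Any other zone pair has no entry and is denied by default.
}


def decide(src_zone: str, dst_zone: str, frame: bytes) -> Tuple[str, str]:
    """Return ('allow' | 'deny', reason) for a frame crossing the given conduit."""
    try:
        req = classify(frame)
    except ValueError as err:
        return ("deny", f"malformed: {err}")
    permitted = CONDUIT_POLICY.get((src_zone, dst_zone), frozenset())
    return ("allow" if req.variant in permitted else "deny", req.variant)


# Constructed sample frames: transaction id, protocol 0, length, unit 1, function code, data.
READ_HOLDING = bytes.fromhex("000100000006010300000010")       # FC 3: read 16 holding registers from 0
WRITE_SINGLE = bytes.fromhex("0002000000060106001000ff")       # FC 6: write 0x00ff to register 0x0010
WRITE_COILS = bytes.fromhex("000300000008010f0000000801ff")    # FC 15: write 8 coils from 0
TRUNCATED_WRITE = bytes.fromhex("00040000000601100000")        # FC 16, MBAP length 6 but only 4 PDU bytes

if __name__ == "__main__":
    for zones, frame in [(("server-zone", "field-device-zone-1"), READ_HOLDING),
                         (("server-zone", "field-device-zone-1"), WRITE_SINGLE),
                         (("hmi-zone", "field-device-zone-1"), WRITE_COILS),
                         (("enterprise-zone", "field-device-zone-1"), READ_HOLDING),
                         (("hmi-zone", "field-device-zone-1"), TRUNCATED_WRITE)]:
        print(zones, decide(*zones, frame))
```

The point of keying the policy on the parsed function code rather than on TCP port 502 is the one the slide makes: a port-based rule cannot tell a historian poll from a write to a coil, while the variant name can, so the historian conduit stays read-only even if the historian host is compromised.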

(27)

Applications and Users in SCADA/ICS Networks

§ A limited/specialized set of applications, meant to be used by a limited/specialized set of users in the OT
  §  An even smaller set of people should have access from outside the OT
§ Similarly, access to external networks from the OT should be strictly controlled
  §  Enabling applications should not open unnecessary security risks, for example web-based apps and other apps that open up a lot of ports
§ A least privilege model based on applications and users simultaneously manages risk and enables the business

Protocol/application category: examples
§  PLC / IED / RTU protocols: Modbus, DNP3, IEC 60870-5-104, ...
§  Client/server software: OPC, historian, SCADA/HMI, ...
§  Industry-specific applications: Oil & Gas, Power EMS, ...

(28)

Securing VPN/Remote Access

§ Monitor and control VPN access by user and application
  §  Enterprise
  §  Vendor support
  §  Business partner
§ Gain user-level visibility of terminal server users
§ Enforce time-of-day policies for 3rd-party support users

[Diagram: IT / 3rd-party access through a VPN to a terminal server and on to the control network LAN.]

(29)

User-ID Example: RDP into Terminal Server

§  Motivation: SCADA/ICS systems sometimes require support for 3rd-party access, with RDP as the mechanism for remote access
§  Challenge: devices downstream of the Windows Terminal Server (WTS) do not have visibility into which user initiated which application, because all sessions come from the same IP address
  §  This makes it difficult to monitor and control application usage by users accessing the network

[Diagram: Smith, John (3rd party) and Taylor, Richard (internal employee) connect over SSL/RDP through the VPN router/firewall to the terminal server; downstream, toward the SCADA / control network, the firewall sees "Application: SharePoint, User: Unknown" and "Application: OSIsoft PI, User: Unknown", all from a single IP address.]

(30)

User-ID Example: RDP into Terminal Server (with Terminal Services Agent)

§  Terminal Services Agent
  §  Allocates a source port range to each user and reports those allocations to the appliance
  §  Users sharing the terminal server's IP address can now be identified
§  Benefits
  §  User and group visibility for each RDP session
  §  Enables the administrator to implement application-user and application-group policies

[Diagram: the same topology with the Terminal Services Agent on the terminal server. The Palo Alto Networks appliance now sees "Application: SharePoint, User: Taylor, Richard, port range 1025-2048" and "Application: OSIsoft PI, User: Smith, John, port range 2049-3073" toward the SCADA / control network, still from a single IP address.]
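The port-range attribution on this slide, combined with the time-of-day rule for 3rd-party support users from the remote access slide (slide 28), as an added example that is not from the deck and not Palo Alto Networks code: it takes the allocations a Terminal Services Agent would report (user and group per source-port range on the shared terminal server address), resolves each flow record back to a user, and applies application-by-group rules, including a business-hours window for the third-party group. The agent report layout, usernames, flow-log format and rules are all assumptions constructed for this example; the deck does not show the real agent or log formats.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List, Optional, Tuple

# Allocations as a Terminal Services Agent would report them for the shared
# terminal server address: (first port, last port, user, group).
# Constructed for this example; the real agent's report format is not shown on the slide.
TS_ALLOCATIONS: Dict[str, List[Tuple[int, int, str, str]]] = {
    "10.10.1.5": [
        (1025, 2048, "taylor.richard", "internal-employees"),
        (2049, 3073, "smith.john", "third-party-support"),
    ],
}


def resolve_user(src_ip: str, src_port: int) -> Tuple[str, str]:
    """Map a flow's source IP and port to (user, group) via the agent's port ranges."""
    for first, last, user, group in TS_ALLOCATIONS.get(src_ip, []):
        if first <= src_port <= last:
            return user, group
    return "unknown", "unknown"  # no allocation: unidentified, so no rule below matches


@dataclass(frozen=True)
class Rule:
    group: str
    apps: frozenset
    start: Optional[time] = None  # time-of-day window; None means any time
    end: Optional[time] = None


# Application-by-group policy (assumed for the example): employees may use both apps
# at any time; third-party support may reach OSIsoft PI only during business hours.
RULES = [
    Rule("internal-employees", frozenset({"sharepoint", "osisoft-pi"})),
    Rule("third-party-support", frozenset({"osisoft-pi"}), time(8, 0), time(18, 0)),
]


def evaluate(ts: datetime, src_ip: str, src_port: int, app: str) -> dict:
    """Attribute one flow to a user and return the policy decision for it."""
    user, group = resolve_user(src_ip, src_port)
    for rule in RULES:
        if rule.group != group or app not in rule.apps:
            continue
        if rule.start is not None and not (rule.start <= ts.time() < rule.end):
            return {"user": user, "group": group, "app": app, "action": "deny", "reason": "outside time window"}
        return {"user": user, "group": group, "app": app, "action": "allow", "reason": "rule match"}
    return {"user": user, "group": group, "app": app, "action": "deny", "reason": "no matching rule"}


# Constructed flow records: timestamp,src_ip,src_port,dst_zone,app (not a real PAN-OS log format).
SAMPLE_FLOWS = """\
2014-06-03T10:15:00,10.10.1.5,1100,server-zone,sharepoint
2014-06-03T10:16:00,10.10.1.5,2500,server-zone,osisoft-pi
2014-06-03T22:05:00,10.10.1.5,2600,server-zone,osisoft-pi
2014-06-03T10:17:00,10.10.1.5,2700,server-zone,sharepoint
2014-06-03T10:18:00,10.10.1.5,4000,server-zone,osisoft-pi
"""


def process_flows(text: str) -> List[dict]:
    """Evaluate every flow record in the constructed log and return the decisions in order."""
    decisions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src_ip, src_port, _dst_zone, app = line.split(",")
        decisions.append(evaluate(datetime.fromisoformat(ts), src_ip, int(src_port), app))
    return decisions


if __name__ == "__main__":
    for decision in process_flows(SAMPLE_FLOWS):
        print(decision)
```

The fourth record shows why the attribution matters: without the port-range mapping both SharePoint sessions come from the same address and look identical, whereas with it the third-party user's SharePoint attempt is denied while the employee's is allowed. A source port outside any reported range resolves to "unknown" and is denied, which is the safe default when the agent's report is stale.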

(31)

Web-based Applications / SaaS

Actual applications found running on servers and a PLC in the PCN of an energy company during a proof of concept (PoC) evaluation:
§  Peer-to-peer file sharing
§  Cloud storage
§  Web-based distributed authoring and versioning
Slide annotations: known vulnerabilities; may carry DLLs that could be used for exploits.

Are there valid business uses for these apps in a PCN? What if you could safely enable these applications?

(32)

4 Strategies for Modernizing Control Network Cybersecurity (recap; strategy 3 follows: apply a life-cycle approach to threat prevention that controls attack vectors before actually blocking known and unknown threats)

(33)

Threat Signature Database: Vulnerabilities, Spyware, Viruses

§  Database of the vulnerabilities/exploits, viruses and spyware that can be detected and prevented
§  Every entry contains a description, a severity ranking and links to more information
§  Backed by the Palo Alto Networks threat research team
§  Includes signatures for the Digital Bond Quickdraw ICS vulnerabilities
§  Any vulnerabilities not yet covered, whether reported by Digital Bond or by another source (customer, SW/HW vendor), can be researched by the threat research team

(34)

SCADA/ICS Vulnerabilities & Exploits

Example CVE numbers for different types of SCADA/ICS system components:
§  Historian server: CVE-2012-2516
§  OPC server: CVE-2011-1914
§  SCADA master / HMI: CVE-2012-0233
§  PLC / RTU / IED: CVE-2010-2772

§  Many systems with known vulnerabilities are left unpatched for a variety of reasons: "don't fix it if it ain't broken", patching only the most recent OS version, don't know / don't care
§  Multiple exploitation vectors exist, and they include more than just the internet: internet / support network, removable media, portable computing
§  Yet-to-be-discovered zero-day malware is of highest concern

(35)

Protocol-specific Exploits

[Slide shows Modbus-specific exploit examples; only the label "Modbus" survived extraction.]

(36)

Protecting Unpatched/Unpatchable Systems

[Diagram: PLC / RTU / IED, HMI / workstation and database server, each tagged with a CVE, sitting behind the firewall.]

§  Native threat prevention protects critical assets from viruses and spyware
§  Apply exploit signatures to virtually patch SCADA/ICS and general IT exploits

(37)

What is Required? A Platform Approach Focused on Prevention

Next-generation network security
§  Inspects all traffic
§  Blocks known threats
§  Sends unknowns to the cloud
§  Extensible to mobile and virtual networks

Advanced endpoint protection
§  Inspects all processes and files
§  Prevents both known and unknown exploits
§  Integrates with the cloud to prevent known and unknown malware

Threat intelligence cloud
§  Gathers potential threats from network and endpoints
§  Analyzes and correlates threat intelligence
§  Disseminates threat intelligence to network and endpoints

(38)

Endpoint Security: The Failures of Traditional Approaches

[Diagram: legacy endpoint protection checks an EXE or PDF for a known signature (no), known strings (no) and previously seen behavior (no), so targeted, evasive, advanced malware gets through, either by direct execution of the malware or by exploiting a vulnerability to run arbitrary code.]

(39)

Unknown Threat Prevention with WildFire

•  10 Gbps threat prevention and file scanning
•  All traffic, all ports: web, email, FTP and SMB
•  Running in the cloud lets the malware do things that you wouldn't allow in your network
•  Updates to sandbox logic without impacting the customer
•  Stream-based malware engine to perform true inline enforcement

(40)

4 Strategies for Modernizing Control Network Cybersecurity (recap; strategy 4 follows: deploy central management and reporting to accelerate forensics, incident response and reporting)

(41)

Centralized Network Administration

[Diagram: central administrators (IT admin, OT admin) on the Panorama central management platform, with local admin access and central admin access to the managed firewalls.]

§  Panorama central management platform
  §  Enables you to centrally manage the process of configuring devices and deploying security policies
§  Role-based management
  §  Enables different members of your team, both local and remote, to access only the features and functions that their job requires
  §  By implementing role-based administration you establish the appropriate levels of rights and access for the responsibilities of a given administrator

(42)

Centralized Logging and Reporting

§ Aggregate local firewall logs and reports into Panorama and generate powerful, centralized reports
  §  A holistic view of network application usage and threats facilitates forensics and helps you make more informed decisions
§ Simplify the process and save time when generating reports for the regulatory/customer audit process (e.g. CIP)

[Diagram: local device logs/reports from the enterprise and the control center aggregated into Panorama reports for the central administrators (IT admin, OT admin).]

(43)

Security Information & Event Management (SIEM)

§ Technology partnerships with leading suppliers of SIEM solutions

(44)

Flexible Deployment Options

Visibility
•  Application, user and content visibility without inline deployment

Transparent in-line
•  IPS with app visibility and control
•  Consolidation of IPS and URL filtering

Firewall replacement
•  Firewall replacement with app visibility and control
•  Firewall + IPS
•  Firewall + IPS + URL filtering

(45)
