
Cyber Security in Critical Infrastructure Control Systems: A practical approach. Presented by Motty Anavi, VP Business Development, at Entelec Spring 2013.

Presentation transcript:

Slide 1 (Entelec Spring 2013): Cyber Security in Critical Infrastructure Control Systems. A practical approach. Presented by: Motty Anavi, VP Business Development

Slide 2: Growing Awareness for ICS Cyber-Security
Virus infection at an electric utility (Source: ICS-CERT, Jan. 2013): "In early October 2012, a power company contacted ICS-CERT to report a virus infection in a turbine control system which impacted approximately ten computers on its control system network. Discussion and analysis of the incident revealed that a third-party technician used a USB drive to upload software updates during a scheduled outage for equipment upgrades. Unknown to the technician, the USB drive was infected with a variant of the Mariposa virus. The infection resulted in downtime for the impacted systems and delayed the plant restart by approximately 3 weeks."

Slide 3: Advanced Persistent Threats
- Escalation: "bragging rights" -> organized crime -> nation states
- Opportunistic versus targeted
- Recent examples:
  - Stuxnet: industrial sabotage -> Iranian uranium enrichment program
  - GhostNet: stole diplomatic communications -> embassies, the Dalai Lama
  - Aurora: stole source code and other intellectual property -> Google
  - Night Dragon: industrial and commercial intelligence -> large oil companies

Slide 4: Stuxnet – Targeted Attack on ICS

Slide 5: "Most Sophisticated Worm Ever"
- Exploited multiple Windows zero-day vulnerabilities
- Targets Siemens PLCs to sabotage the physical process
- Spreads via multiple media:
  - USB/removable media
  - 3 network techniques
  - PLC project files
  - Windows database connections
- Drivers digitally signed with legitimate (stolen) certificates
- Installs cleanly on all Windows variants
- Conventional OS rootkit; detects and avoids major anti-virus products
- Advanced reverse-engineering protections

Slide 6: How Stuxnet Infects a System (Source: Byres Security)
Infected removable media:
1. Exploits a vulnerability in Windows Shell handling of .lnk files (0-day)
2. Used an older vulnerability in autorun.inf to propagate
Local area network communications:
3. Copies itself to accessible network shares, including administrative shares
4. Copies itself to print servers, via the Windows Print Spooler vulnerability (0-day)
5. Uses the "Conficker" vulnerability in RPC
Infected Siemens project files:
6. Installs in the WinCC SQL Server database using the known, hard-coded (legitimate) credentials
7. Copies into project files

Slide 7: "Secure" Private Industrial Network – The Smart Grid
- MV/LV transformers on poles are now enhanced with smart-grid equipment -> distributed automation in secondary sub-stations
- Inter-connected by regional Ethernet networks with overlaying application communication using simple automation control protocols (IEC 60870-5-104, DNP3), which in their basic form carry no authentication -> an attacker gaining access to one site can manipulate the operation of the devices in other sites
- Vulnerability: distributed, large-scale, open internal networks
"smart grid cyber-security guidelines did not address an important element... risk of attacks that use both cyber and physical means" (Electricity Grid Modernization, Report to Congressional Requesters, US GAO, January 2011)

Slide 8: The Great Wall of China Defense
- Firewalls are designed to keep intruders out. Some provide impervious walls. BUT: once you break the physical constraint you can reach every point in the internal network.
- Antivirus software is designed to identify known signatures and flag or block "suspicious activity". Antivirus software does not "know" what each application does.
- These defenses restrict access, but once overcome they are ineffective.
- The great wall is only as effective as its weakest link.

Slide 9: Vulnerability in Many Current Designs
[Diagram: the perimeter firewall of the "Secure Network" tells an outside host "Thou shall not pass", while a remote substation is told "You're part of the secure network - pass"]
Solution: Defense-in-depth security architecture
"An aggregated security posture help defend against cyber-security threats and vulnerabilities that affect an industrial control system" (Strategy for securing control systems, US DHS, October 2009)

Slide 10: Origin of Defense-in-Depth – in IT
"A military strategy sometimes called elastic defense. Defense in depth seeks to delay rather than prevent the advance of an attacker, buying time and causing additional casualties by yielding space." (http://en.wikipedia.org/wiki/Defense_in_depth)
"...the practice of layering defenses to provide added protection. Defense in depth increases security by raising the cost of an attack. This system places multiple barriers between an attacker and your business critical information resources: the deeper an attacker tries to go, the harder it gets." (Brooke Paul, Jul 01, Security Workshop at Network Computing)

Slide 11: Defense-in-Depth Strategy
[Diagram: Information Assurance Strategy (IAS) triangle of People, Technology and Operations; source: Thomas E. Anderson briefing slides]
Information Assurance Strategy: ensuring confidentiality, integrity, and availability of data
- People: hire talented people, train and reward them
- Technology: evaluate, implement, test and assess
- Operations: maintain vigilance, respond to intrusions, and be prepared to restore critical services

Slide 12: Defense-in-Depth Security Model
[Diagram only]

Slide 13: Distributed Firewall Deployment
Secure end-devices
- Pros: integrated -> space, power
- Cons: operational stability; install-base
Integrated firewalls as part of the network design:
Mini-firewall per site
- Pros: available technology
- Cons: stand-alone -> space, power; network complexity
Network-based firewalls
- Pros: integrated -> space, power; network simplicity
- Cons: technology emerging

Slide 14: Utilities Cyber Security Threats & Counter-measures
Attack vector -> Security measure
- Control-center malware -> Service-aware firewall
- Field-site breach -> Distributed firewalls
- Man-in-the-middle -> Encryption
- Remote maintenance -> Secure remote access

Slide 15: Defense-in-Depth Tool-set
Function -> Required feature
- Access control -> L2-L4 filters
- Inter-site VPN -> IPsec tunnels
- Remote access -> SSH gateway
- Service validation -> App-aware firewall
Advanced security measures integrated in the switch using a dedicated service-engine enable easy deployment of an extensive defense-in-depth solution.

Slide 16: Inter-site Connectivity
- GRE tunnels used for transparent connectivity of private Ethernet networks across the Internet
- IPsec used to encrypt the GRE tunnels (GRE on its own provides neither confidentiality nor authentication of the encapsulated frames)
[Diagram: private Ethernet networks joined across the Internet]

Slide 17: Secure Remote Access
- Integrated remote access gateway using an encrypted SSH tunnel
- Optionally use reverse SSH initiated from the secure site, so no inbound connection has to be accepted at the site
- Access rights per user (locally or from a RADIUS server)
- SSH tunnel used as a secure transport for any user IP-based session
- User session re-routed to a local host which sends the data via the SSH tunnel
- Gateway acts as session proxy, hiding the local network
- On-line app-aware session security checks are performed
[Diagram: remote technician over the Internet -> gateway -> RS-232, RS-485 and Ethernet devices]

Slide 18: Distributed Service-Aware Firewall Deployment
- Service-aware inspection of traffic at every end-point
  - Rule-based validation of SCADA flows
  - Blocking an "insider" attack
- Firewall integrated in multi-service network switches
  - Efficient IPS deployment for distributed small sites
  - Protection for serial & Ethernet devices
- Central service management tool
  - End-to-end provisioning of security rules
  - Reporting network-wide security events
Defense-in-depth is the answer to securing distributed utility networks

Slide 19: Firewall IPS Inspection Flow
1. IP: packet originated from and destined to a service member (source/destination IP)
2. Port: packet holds a TCP/UDP port number permissible for the service (examples: IEC 104 TCP 2404; Modbus TCP 502; SNMP UDP 161)
3. Address: validation according to protocol-specific device addresses (originator address, link address, ASDU, IO objects)
4. Payload: in-depth packet payload inspection to comply with the "firewall rules" file; firewall rules are configured uniquely between each pair of service members
5. Logging: visual alerts and logging of firewall violations

Slide 20: Security – Modbus Application-Aware Firewall Example
[Table: Modbus function codes]

Slide 21: Application-Aware Firewall
- Using a network management tool the user plans the network and maps the service groups in it
- For each pair of devices, specific firewall rules at the application level can be applied (function codes, address ranges, etc.)
  - The user can select multiple device pairs to apply the same firewall profile

Slide 22: Auto-Learning Capabilities
- Any deviation from the firewall rules is logged in the switch and reported to the central management tool
  - Security events are shown on the map and in a dedicated events log
- Simulate mode can be used to learn the network traffic flows
  - The "illegal" traffic is reported but not blocked; flows observed during learning should be reviewed before they are accepted as the baseline, otherwise traffic from an already-compromised host is whitelisted along with the legitimate polls
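The inspection flow of slide 19 and the per-device-pair Modbus rules and simulate mode of slides 20 to 22, as an added worked example. This is not RAD's code nor anything from the presentation: it is a small Python filter written for this page. The hosts (10.0.0.10, 10.0.0.50, 10.0.0.99), unit IDs, register ranges and the sample frames are all constructed for the example, and only Modbus/TCP is parsed (the IEC 104 and DNP3 address fields named on slide 19 would need their own parsers).

```python
"""Added example: a minimal application-aware Modbus/TCP filter following the
inspection flow IP -> port -> address -> payload -> logging, with rules per
device pair and a simulate (learn) mode. Not code from the presentation."""
import struct
from dataclasses import dataclass, field

MODBUS_TCP_PORT = 502
FC_RANGE = {1, 2, 3, 4, 15, 16}   # PDUs carrying (start address, quantity)
FC_SINGLE = {5, 6}                # write single coil / single register


@dataclass(frozen=True)
class Rule:
    """Policy for one service-member pair (master -> outstation); values invented."""
    src: str
    dst: str
    unit_ids: frozenset
    function_codes: frozenset
    address_range: tuple  # inclusive (low, high) of permitted coil/register addresses


@dataclass
class ModbusFirewall:
    rules: list
    simulate: bool = False            # learn mode: report violations, do not block
    events: list = field(default_factory=list)

    def inspect(self, src, dst, dport, frame):
        """Return (forwarded, reason). Violations are logged; simulate mode forwards them."""
        ok, reason = self._check(src, dst, dport, frame)
        if not ok:
            action = "reported" if self.simulate else "blocked"
            self.events.append(f"{src}->{dst}:{dport} {reason} ({action})")
            return self.simulate, reason
        return True, reason

    def _check(self, src, dst, dport, frame):
        # 1. IP: both ends must belong to a provisioned service pair
        rule = next((r for r in self.rules if (r.src, r.dst) == (src, dst)), None)
        if rule is None:
            return False, "no rule for this device pair"
        # 2. Port: only the permissible service port
        if dport != MODBUS_TCP_PORT:
            return False, f"port {dport} not permitted for Modbus service"
        # 3./4. Address and payload: parse the MBAP header and the PDU
        try:
            unit, fc, addrs = parse_modbus_tcp(frame)
        except ValueError as exc:
            return False, f"malformed Modbus/TCP frame: {exc}"
        if unit not in rule.unit_ids:
            return False, f"unit id {unit} not permitted"
        if fc not in rule.function_codes:
            return False, f"function code {fc} not permitted"
        if addrs is not None and not (rule.address_range[0] <= addrs[0]
                                      and addrs[1] <= rule.address_range[1]):
            return False, f"address range {addrs} outside {rule.address_range}"
        return True, "permitted"


def parse_modbus_tcp(frame):
    """Return (unit id, function code, (first, last) address or None); ValueError if malformed."""
    if len(frame) < 8:
        raise ValueError("shorter than MBAP header plus function code")
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    fc, data = frame[7], frame[8:]
    if fc in FC_RANGE or fc in FC_SINGLE:
        if len(data) < 4:
            raise ValueError("truncated address field")
        start, second = struct.unpack(">HH", data[:4])
        if fc in FC_SINGLE:
            return unit, fc, (start, start)
        if second == 0:
            raise ValueError("zero quantity")
        return unit, fc, (start, start + second - 1)
    return unit, fc, None  # e.g. FC 8 diagnostics: no register address to check


def modbus_request(unit, fc, address, qty_or_value, tid=1):
    """Build a constructed Modbus/TCP request frame for the sample traffic."""
    pdu = struct.pack(">BHH", fc, address, qty_or_value)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed policy: master 10.0.0.10 may only read (FC 3/4) registers 100-199 of unit 1 on RTU 10.0.0.50
POLICY = [Rule("10.0.0.10", "10.0.0.50", frozenset({1}), frozenset({3, 4}), (100, 199))]


def demo(simulate=False):
    """Run constructed traffic through the filter; return ([(forwarded, reason)], events)."""
    fw = ModbusFirewall(POLICY, simulate=simulate)
    traffic = [
        ("10.0.0.10", "10.0.0.50", 502, modbus_request(1, 3, 100, 10)),      # normal poll
        ("10.0.0.10", "10.0.0.50", 502, modbus_request(1, 6, 100, 0xFFFF)),  # write from an "insider"
        ("10.0.0.10", "10.0.0.50", 502, modbus_request(1, 3, 100, 200)),     # over-read past 199
        ("10.0.0.10", "10.0.0.50", 502, modbus_request(1, 8, 0, 0)),         # FC 8 diagnostics
        ("10.0.0.99", "10.0.0.50", 502, modbus_request(1, 3, 100, 10)),      # unprovisioned host
        ("10.0.0.10", "10.0.0.50", 502, b"\x00\x01\x00\x00\x00\x03\x01\x03\x00"),  # truncated PDU
    ]
    return [fw.inspect(*pkt) for pkt in traffic], fw.events
```

Calling demo() forwards only the first frame and logs five violations; demo(simulate=True) forwards all six but logs the same five events, which is the learn-mode behaviour of slide 22. The function-code check runs before the address check, so a write to a permitted register range is still rejected when the pair is provisioned read-only.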

Slide 23: Connecting the Sub-station LANs – Current Status
Network limitations:
- SCADA direct access to sub-station IEDs
- Field technician access to: other sub-stations, central storage, facility RTU
- Remote technician access to RTUs and IEDs in all sub-stations
- Data-sharing between sub-stations
[Diagram: SCADA control center, SONET/packet network, sub-station RTU, facility RTU, sub-station IEDs, field technician, Internet, remote technician, storage]
Need a unified sub-station LAN with secure inter-site connectivity

Slide 24: Connecting the Sub-station LANs – Future Evolution
- Use a secure switch connecting the LAN devices to the backbone
- Network segmentation using VLANs/subnets
- App-aware firewall per device
- Secure remote access
- Serial-to-Ethernet protocol gateway
[Diagram: SCADA control center, SDH/packet network, sub-station RTU, facility RTU, sub-station IEDs, field technician, Internet, remote technician, storage]

Slide 25: Summary
- When modern critical infrastructure deployments use Ethernet, intra-network security is mandatory
- To meet evolving security standards and threats, service-aware industrial Ethernet solutions must have:
  - Unique distributed service-aware firewall
  - Integrated defense-in-depth
  - Reliable network capabilities
  - Easy management and configuration
  - Optimization to minimize integration cost

Slide 26: Cyber Security Sub-Committee
Goal:
- Enhance understanding of cyber security issues as they relate to ICS and SCADA
- Advocate for the industry with the most effective ways to tackle ICS security
Status:
- In the process of defining priorities
- Survey in process
- Looking for more participation
Please contact me via the board or directly at motty@radusa.com, 201-378-0213 if interested

Slide 27: Thank You For Your Attention
For more information: Motty Anavi, VP Business Development, motty@radusa.com, (201) 378-0213, www.rad.com

