TRANSCRIPT (talk dated 2017-03-01)
Create a Dynamic and Empowered
Industrial IoT Security System in
the Intelligent Age
Li Zhuanqin
Venustech Group
March 2017
Translated by ECV
Discussion
Outline
I. Security Situations in Smart Times
II. New Security System for Dynamically-enabling IIOT
III. Originality Spirit in New System
What is IIOT?
[Figure: IIOT architecture. IIOT applications: network-based cooperation, development simulation, big-data processing, industrial cloud platform. External networks of the factory (the Internet/mobile network and special network) connect upstream and downstream enterprises, intelligent products and the intelligent factory. Inside the factory: factory cloud platform (and management software), factory control system, intelligent machines and goods-in-process. Outcomes: intelligent production, service-oriented transformation, personalized customization.]
Industrial Development in Smart Times
[Figure: the path from the digitalized factory to the intelligent factory, with company examples LG CNS, BOSCH, Haier, Sany Heavy Industry and Midea shown alongside the Industrial 4.0 and Made in China 2025 programmes, all converging on IIOT.]
Smart Times and Industrial Control System
[Figure: intelligent manufacturing, industrial big-data, industrial cloud, IIOT and the Internet of Things (IoT) surrounding the industrial control system.]
Security Threat on Industrial Control in Smart Times

Industrial cloud security:
1. Authentication issues
2. Account hijacking
3. Virtual machine escape
4. System vulnerabilities
5. Malicious internal attacks
6. Abuse of cloud services
7. Denial of service attacks
8. ...

IIOT security: the application of IIOT realizes the seamless connection between the industrial control system and the Internet, and also brings new security issues:
1. When industrial control systems are exposed to the Internet, some "men of intention" may search for industrial control systems;
2. Different types of unknown attacks from the Internet may do harm to the industrial control systems at any time.

Industrial data security:
1. Data storage security
2. Data transmission security
3. Data use security
4. Security of industrial big-data platforms
5. Security of relevant business secret data

Security vulnerabilities and viruses of industrial control systems:
1. Malicious use of known vulnerabilities
2. Constant emergence of 0-day vulnerabilities
3. Explosion of different types of new vulnerabilities
4. New Trojans and viruses
Security Situations of Industrial Control — Two Reports of Gartner

2015: Market Trends: Industrial Control System Security
• Threats could be highly visualized to learn the development of driver OT security.
• Highly professional products are required in the market to settle the problems of the special protocols of special systems.
• Though ICS security could be realized at different technical levels, security devices at the network level are most important.

2016: Market Guide for Operational Technology Security
• OT security problems need to be settled jointly by IT and OT departments.
• OT security products have been evolving from the flexibility and protection security demands proposed by IT security and OT liability.
• Existing IT security products could not settle OT security scenarios, particularly the requirements on safety.
• OT integrating both informatization and industrialization will face higher risks, with energy and public service enterprises being the first to be affected.
• By 2020, the investment in OT security will be doubled due to attacks and adjustments to corresponding strategies.
• 4G or wireless network access technologies as well as IPv6 applications will allow more devices to access the network.
• Fast-growing market segments are forming and many IT security products are being transformed into OT security products.
New Features of IIOT
1. Blurred network boundary
2. Gradually blurring between "Security" and "Safety"
3. Increasingly uncertain threats
4. Not a simple confrontation between offense and defense

1. Security protection shifting from optional to prerequisite
2. Flexibility
3. Dynamics
4. Sustainability
Dynamically-enabling
• Dynamically-enabling is a fundamental philosophy that needs to be implemented when designing the full life cycle of a cyberspace information system.
• "Dynamically" reflects the collaboration, correlation and flexibility in protection. Dynamic ≠ Automation.
• "Enabling" reflects the value of security in business. When security capacity is enabled for any object, the corresponding capacity will increase.
New Security System for Dynamically-enabling Industrial Control
[Figure: the IIOT architecture of the earlier slide (IIOT applications, external networks of the factory, upstream and downstream corporates, intelligent products, factory cloud platform, factory control system and intelligent machines, intelligent production, personalized customization, service-oriented transformation, intelligent factory) overlaid with security capabilities. External perception: dynamical perception platform of industrial network security; knowledge base of security vulnerabilities and attack models. Internal perception: IT/OT unified management of information security. Protection-enabling components: industrial control abnormality check, security configuration check, database audit, IT/OT O&M audit, sensor, IT/OT/cloud firewall, IT/OT vulnerability check, cloud/IT intrusion check, IT/OT gatekeeper (data exchange platform), IT/OT intrusion prevention, anti-virus, load balance, terminal/operation station, wireless security protection, data security protection, Internet behavior management.]
Equipment Type -> Terminal-side Security
SOC/FPGA/MCU architecture: provide regulated interfaces, with complete security logic built in before delivery (hardware programming).
Operating system with restricted resources: provide a lightweight agent that realizes authentication and encryption.
Operating system with abundant resources (regulated system, easy for adaptation): provide powerful clients to realize terminal security and authentication.
The above three device types, in addition to software support, may also integrate reliable chips into the system to realize high-level authentication security.
E.g., Protection devices enabling business security
Visibility: enable the administrator to easily master the information on industrial control network flow; display industrial assets, industrial control protocols, protection rules and intrusion events on one page.
Flexibility: a multi-dimensional flexibility engine settles the fragmented and long-period industrial control network problems; one entrance for four aspects, i.e., protocol rules, intelligence rules, intrusion characteristics and preset scenarios.
Intelligence: it is not required to learn the business flow manually, since intelligent customization of industrial protection rules can be realized: in-depth flow self-learning -> automatic parameter aggregation -> one-button generation of intelligent protection rules.
Collaboration: full integration into business security, and bidirectional interaction between the industrial firewall and the application system, collaboratively removing threats to industrial control security; interface between the industrial firewall supply and the centralized management system + SOC platform + user business platform.
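The "Intelligence" pipeline described above (in-depth flow self-learning -> automatic parameter aggregation -> one-button generation of protection rules) can be illustrated with a small allowlisting engine. The following Python is an added example written for this transcript, not code from Venustech or from the talk; the flow records, their field layout (source, destination, protocol, function code, start address, register count) and the Modbus function codes in the sample are constructed for illustration.

```python
"""Added example (not from the talk): flow self-learning -> parameter aggregation ->
rule generation for an industrial firewall, over constructed Modbus/TCP-style flows.
Field layout and sample values are assumptions."""
from dataclasses import dataclass

# Constructed sample of flows observed during a learning window:
# (src, dst, protocol, function code, first register address, register count)
LEARNED_FLOWS = [
    ("10.1.1.10", "10.1.2.5", "modbus", 3, 100, 10),   # HMI reads holding registers
    ("10.1.1.10", "10.1.2.5", "modbus", 3, 110, 10),   # ... a second block of them
    ("10.1.1.10", "10.1.2.5", "modbus", 16, 200, 4),   # HMI writes setpoints
    ("10.1.1.11", "10.1.2.5", "modbus", 3, 100, 20),   # engineer station reads only
    ("10.1.1.12", "10.1.2.6", "s7comm", 4, 0, 0),      # constructed S7 read, no registers
]


@dataclass
class Rule:
    """One generated allow rule: a learned conversation plus its aggregated address range."""
    src: str
    dst: str
    proto: str
    func: int
    addr_min: int
    addr_max: int


def learn_rules(flows):
    """Stages 1 and 2: self-learn flows and aggregate the register range seen
    per (src, dst, protocol, function code) into one rule each."""
    ranges = {}
    for src, dst, proto, func, addr, count in flows:
        key = (src, dst, proto, func)
        lo, hi = addr, addr + max(count, 1) - 1       # inclusive address span of this flow
        if key in ranges:
            cur_lo, cur_hi = ranges[key]
            ranges[key] = (min(cur_lo, lo), max(cur_hi, hi))
        else:
            ranges[key] = (lo, hi)
    # Stage 3: emit the rule set in a stable order ("one-button generation").
    return [Rule(*key, lo, hi) for key, (lo, hi) in sorted(ranges.items())]


def classify(rules, flow):
    """Enforce generated rules on a new flow; return (verdict, reason).
    Anything outside the learned baseline is alerted, not silently dropped,
    so that a too-short learning window shows up in the logs."""
    src, dst, proto, func, addr, count = flow
    hi = addr + max(count, 1) - 1
    for r in rules:
        if (r.src, r.dst, r.proto, r.func) == (src, dst, proto, func):
            if r.addr_min <= addr and hi <= r.addr_max:
                return "allow", "matches learned rule"
            return "alert", (f"address {addr}-{hi} outside learned range "
                             f"{r.addr_min}-{r.addr_max}")
    return "alert", "no learned rule for this src/dst/protocol/function"


if __name__ == "__main__":
    rules = learn_rules(LEARNED_FLOWS)
    for r in rules:
        print(r)
    # An engineer station that only ever read now issues a write: alerted.
    print(classify(rules, ("10.1.1.11", "10.1.2.5", "modbus", 16, 200, 1)))
```

The learning window has to cover rare flows (the "long-period" problem the slide mentions, such as monthly maintenance traffic); otherwise those legitimate flows are alerted on first sight, which is why the example alerts rather than blocks and records the reason.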
Three Stages Corresponding to the Two Steps of the Intelligent Manufacturing Plan
By 2020, the development foundation and supporting capacity of intelligent manufacturing will be strengthened significantly, and digitalized manufacturing will be basically realized in the key fields of traditional manufacturing.
By 2025, the supporting system of intelligent manufacturing will be basically established, and intelligent transformation will be preliminarily realized for key industries.
Stage I: based on current situations, solving the existing security problems of industrial networks.
Stage II: opening for collaboration, jointly establishing a platform for timely sharing of threat information.
Stage III: integrating data, connecting the bottom and the cloud of IIOT and establishing a new security guarantee system.
Four Core Originality Spirits Supporting the New System
1. Constant study on vulnerability attack and defense: vulnerabilities of intelligent devices, e.g., sensors; PLC and DCS system vulnerabilities; security of source code and the mobile Internet; APT attack and defense, honeypots; vulnerabilities of host and server virtualization systems.
2. Fully-refined technical protection framework: boundary protection, terminal protection, monitoring and scanning technologies, log collection.
3. Consummation of large-scale industrial applications: electrical SCADA and DCS, rail traffic, petroleum refining, ...
4. Open collaborative platform.
Originality 1 - Detecting the Vulnerabilities of Industrial Control Systems
Security vulnerabilities of industrial control software: industrial control software such as Siemens WinCC, WellinTech KingView, GE iFix and ICONICS GENESIS32 has vulnerabilities such as buffer overflow, denial of service, and permission and access control flaws. CNVD collects vulnerabilities such as remote denial of service and password leakage in well-known PLCs like the Siemens S7-1200 and Schneider Quantum PLCs.
Case Study on the Security of IoT
An intelligent camera has information leakage and login bypass vulnerabilities: detection and verification.
Verification of information leakage vulnerabilities: Android APP.
Nmap scanning results: port 23 (telnet) of the cameras is open.
Login bypass vulnerability verification: three modes available.
Use telnet for login; check default accounts and passwords; confirmed as root after login.
Originality 2 - Fully Refined Technical Protection Framework
[Figure: framework made up of field audit, protection, intra-domain abnormality monitoring, boundary isolation protection and unified security management.]
Originality 3 - Consummation of Large-scale Industrial Applications
Weaknesses observed in deployed industrial control networks:
Operation stations, engineer stations and servers adopt Windows systems, basically without patch updating;
The communication between the DCS controller and the operation and engineer stations basically does not use information security measures such as identity authentication, rule checking, encrypted transmission and integrity checking;
The MES server at the production execution level and the OPC server at the supervision and control level lack dynamic identification of the OPC port. The OPC server may allow any OPC client to connect and obtain any data;
The engineer station has high authority and, once connected to the production network, may perform operation and maintenance on the control system;
Superfluous network ports are not closed, and the industrial control network lacks security boundary control during inter-connection;
There are no audit supervision measures for external operation and maintenance.
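A security configuration check that turns the weaknesses listed above, together with the telnet-exposure and default-password findings from the camera case study, into an automated audit of an asset inventory. This Python is an added example for this transcript, not Venustech's product code; the inventory, its field names, the per-role port baseline and the 90-day patch threshold are all assumptions chosen for illustration.

```python
"""Added example (not from the talk): security configuration check over a constructed
asset inventory, flagging the weakness classes the slide lists. Inventory fields,
role baselines and thresholds are assumptions."""

# Assumed baseline of listening ports each asset role legitimately needs.
ROLE_PORT_BASELINE = {
    "operation_station": {3389},      # remote desktop for plant administrators
    "engineer_station": {3389},
    "opc_server": {135, 49152},       # DCOM endpoint mapper plus one pinned dynamic port
    "mes_server": {443, 1433},
    "ip_camera": {554},               # RTSP video only
    "plc": {502},                     # Modbus/TCP
}
# Clear-text management services that should never be reachable on the control network.
INSECURE_MGMT_PORTS = {23: "telnet", 21: "ftp", 80: "http management"}
MAX_PATCH_AGE_DAYS = 90

# Constructed inventory (all values invented for the example).
INVENTORY = [
    {"host": "OPS-01", "role": "operation_station", "os": "windows",
     "patch_age_days": 400, "ports": {3389, 445}, "default_creds": False},
    {"host": "ENG-01", "role": "engineer_station", "os": "windows",
     "patch_age_days": 20, "ports": {3389}, "default_creds": False,
     "boundary_firewall": False},
    {"host": "OPC-01", "role": "opc_server", "os": "windows",
     "patch_age_days": 200, "ports": {135, 49152, 49153}, "default_creds": False,
     "opc_allowed_clients": []},
    {"host": "CAM-07", "role": "ip_camera", "os": "linux",
     "patch_age_days": 10, "ports": {554, 23}, "default_creds": True},
    {"host": "PLC-03", "role": "plc", "os": "rtos",
     "patch_age_days": 0, "ports": {502}, "default_creds": False,
     "om_audit": False},
]


def audit_asset(asset):
    """Return a list of (severity, finding) tuples for one inventory record."""
    findings = []
    ports = asset["ports"]
    baseline = ROLE_PORT_BASELINE.get(asset["role"], set())

    # Windows stations "basically without patch updating".
    if asset["os"] == "windows" and asset["patch_age_days"] > MAX_PATCH_AGE_DAYS:
        findings.append(("high", f"Windows host unpatched for {asset['patch_age_days']} days"))

    # Clear-text management services exposed (the camera case: telnet on port 23).
    for port, name in INSECURE_MGMT_PORTS.items():
        if port in ports:
            findings.append(("high", f"{name} (tcp/{port}) exposed"))

    # "Superfluous network ports are not closed": anything beyond the role baseline.
    superfluous = ports - baseline - set(INSECURE_MGMT_PORTS)
    if superfluous:
        findings.append(("medium", f"superfluous ports open: {sorted(superfluous)}"))

    # Default accounts still active (the camera case).
    if asset["default_creds"]:
        findings.append(("critical", "default account/password still active"))

    # "OPC server may allow any OPC client connection": no client allowlist configured.
    if asset["role"] == "opc_server" and not asset.get("opc_allowed_clients"):
        findings.append(("high", "OPC server accepts any client connection"))

    # Engineer station reaching the production network with no boundary control.
    if asset["role"] == "engineer_station" and not asset.get("boundary_firewall", True):
        findings.append(("high", "engineer station reaches production network without boundary control"))

    # "No audit supervision measures for external operation and maintenance".
    if asset.get("om_audit", True) is False:
        findings.append(("medium", "no audit of external operation and maintenance"))

    return findings


def audit_inventory(inventory):
    """Audit every asset; returns {host: [(severity, finding), ...]}."""
    return {asset["host"]: audit_asset(asset) for asset in inventory}


if __name__ == "__main__":
    for host, findings in audit_inventory(INVENTORY).items():
        for severity, text in findings:
            print(f"{host:8} {severity:9} {text}")
```

The per-role baseline is the part a real deployment must own: it encodes which ports and clients a station is supposed to need, and everything else (open ports, unlisted OPC clients, clear-text management services) becomes a finding rather than a silent default.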
Originality 4 - Open and Collaborative Platform
[Figure: a threat information monitoring platform shared by automation integration manufacturers, supervision authorities and information security providers; platform capabilities: opinion monitoring, sandbox technology, vulnerability scanning, configuration verification, virtual execution.]
Venustech Group Ecological Chain (Stock Code 002439)
[Figure: ecological chain built by acquiring and holding companies, spanning cloud security and physical security.]