Cyber Security Best Practices for the IIoT

Richard Wood, Product Marketing Manager, Industrial Ethernet Infrastructure

Uploaded by creekside-marketing-group-llc, posted on 16-Apr-2017


Page 1: CyberSecurity Best Practices for the IIoT

Richard Wood

Cyber Security Best Practices for the Industrial IoT

Product Marketing Manager, Industrial Ethernet Infrastructure

Page 2: CyberSecurity Best Practices for the IIoT

Agenda

Cyber Security Landscape in the IoT Era

Unique Challenges for Industrial Automation

Cyber Security Standards

Industrial Best Practices

Case Studies

Page 3: CyberSecurity Best Practices for the IIoT

Confidential

Megatrend – Internet of Things (IoT)

“The IoT refers to devices, systems, and services communicating with each other via the Internet to enable smarter operations and new applications.”

Page 4: CyberSecurity Best Practices for the IIoT


Industrial Systems are in the Crosshairs

Source: Honeywell Cyber Security Lab

Systems in the crosshairs:
• PLC
• Safety systems
• Plant management system
• Asset management system
• SCADA
• DCS

No vendor or user is immune from a potential cyber security incident

Security Landscape

Page 5: CyberSecurity Best Practices for the IIoT


Factory is Vulnerable to Cyber Attacks

Source: ICS-CERT 2013 Report, Region: the U.S.

Cyber attacks may come from both outside AND inside the factory

Security Landscape

Page 6: CyberSecurity Best Practices for the IIoT


The Landscape Today: Easy to Find a Target

Project SHINE: 1,000,000 Internet-connected SCADA and ICS systems and counting

Industrial device search engines (example: SHODAN)
• The SHODAN search engine works by searching for commonly used TCP/UDP port numbers
• Web, Telnet, SNMP and FTP are some of the more common ones
• Logs of the responses on these ports are saved in a searchable database
• Try searching “OpenSSL”, “GNU”, or “NTPD” or industrial vendors’ names

Security Landscape

Page 7: CyberSecurity Best Practices for the IIoT

Executive Order for Improving Cyber Security

Executive Order 13636: “Improving Critical Infrastructure Cybersecurity”

• Information sharing
• Privacy
• Adoption of cyber security practices

Security Landscape

Page 8: CyberSecurity Best Practices for the IIoT


Continuous Reporting of ICS Vulnerabilities

Industrial control system devices are not always updated with the latest vulnerability patch

Security Landscape

Page 9: CyberSecurity Best Practices for the IIoT


NIST Published Final ICS Cybersecurity Guidelines

http://csrc.nist.gov/publications/nistpubs/800-82/SP800-82-final.pdf

Security Landscape

Page 10: CyberSecurity Best Practices for the IIoT

Unique Challenges: Industrial Control Systems

Page 11: CyberSecurity Best Practices for the IIoT

Types of Incidents ICS May Face

• Blocked or delayed flow of information through ICS networks, which could disrupt ICS operation
• Unauthorized changes to instructions, commands, or alarm thresholds, which could damage, disable, or shut down equipment, create environmental impacts, and/or endanger human life
• Inaccurate information sent to system operators, either to disguise unauthorized changes, or to cause the operators to initiate inappropriate actions, which could have various negative effects
• ICS software or configuration settings modified, or ICS software infected with malware, which could have various negative effects
• Interference with the operation of safety systems, which could endanger human life

Industrial Challenges

Page 12: CyberSecurity Best Practices for the IIoT

Harsh Industrial Environments

Field sites:
• Extended operating temperature
• Severe vibration / shock
• Electromagnetic interference
• High humidity / pollution

Control center:
• Controlled temperature
• Controlled humidity
• Controlled air quality

Industrial Challenges

Page 13: CyberSecurity Best Practices for the IIoT

Industrial Protocols are Difficult to Secure

Deep Packet Inspection of Modbus TCP


Industrial Challenges

Page 14: CyberSecurity Best Practices for the IIoT


Industrial Firewall vs. Enterprise Firewall

Target devices
  Industrial-grade: RTU, PLC & DCS, critical industrial devices; SCADA system, control network
  Enterprise-grade: computers, data servers; prevent viruses from affecting PCs

Operating environment
  Industrial-grade: high EMC/EMI/surge environment; fanless operation at high temperature; dust-proof/shock-proof; works with industrial 24 VDC power supply
  Enterprise-grade: common IT environment with air conditioning

Content to filter
  Industrial-grade: IP filtering/port filtering; industrial automation protocols, e.g. Modbus/TCP, PROFINET, EtherNet/IP, Foundation Fieldbus, LonWorks
  Enterprise-grade: IP filtering/port filtering; HTTP, email, POP, SMTP; MSN, Skype, Facebook, games...

Industrial Challenges

Page 15: CyberSecurity Best Practices for the IIoT


Industrial Security Concerns

Network areas: PLC/IO network, control network, field site / factory, control room

Threats: attack from public network, unauthorized connection, malfunctioning PLC, broadcast storm

SECURED REMOTE ACCESS (VPN tunnel)
• VPN function for data encryption
• VPN server for dynamic remote access
• Standard protocols: IPsec, L2TP, PPTP

CRITICAL DEVICE PROTECTION (firewall)
• Protect critical devices (PLC, RTU, DCS) from unauthorized connections
• Isolate broadcast packets from a malfunctioning device so they do not reach the entire network

Industrial Challenges

Page 16: CyberSecurity Best Practices for the IIoT

Standards: Industrial Control Systems

Page 17: CyberSecurity Best Practices for the IIoT


TSA Published Pipeline Security Guidelines (2011)

https://www.tsa.gov/sites/default/files/assets/pdf/Intermodal/tsa_pipeline_sec_guideline_april2011.pdf

Standards

Page 18: CyberSecurity Best Practices for the IIoT


Standards for Industrial Automation

• Industrial control systems: ISA / IEC 62443
• Power industry: NERC CIP v5

Standards

Page 19: CyberSecurity Best Practices for the IIoT


What’s ISA/IEC 62443?

For network systems:
• Secure zones and conduits

For network equipment:
• Technical security requirements

Standards

Page 20: CyberSecurity Best Practices for the IIoT

Best Practices: Industrial Control Systems

Page 21: CyberSecurity Best Practices for the IIoT


Defense-In-Depth Strategy

Principle #1: Defense on multiple fronts
- At the network perimeter
- At the edge device

Principle #2: Layered defense
- 1: Detection
- 2: Remediation
- 3: Prevention

Best Practices

Page 22: CyberSecurity Best Practices for the IIoT


Cyber Security Implementation in Automation Network

Employ a security life cycle process
• Assessment of threats
• Implementation of countermeasures and verification
• Monitoring and maintenance

Network segmentation
• Breaking down the network into physical or logical zones with similar security requirements

Define the zone-to-zone interaction
• Device requirements
• Identification of allowed traffic over conduits
• Requirements of safe communication

Best Practices

Page 23: CyberSecurity Best Practices for the IIoT


Cyber Security Implementation at Edge Devices

Authentication
• Use centralized user management
• RADIUS and TACACS+ authentication

Authorization
• Only authorized devices can be connected
• Disable any unused ports
• 802.1X
• MAC address control at the port

Data Integrity and Encryption
• Use HTTPS, disable HTTP
• Use SSH, disable Telnet
• Use SNMPv3, disable SNMPv1/v2
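The edge-device checklist above is the kind of thing that is worth checking mechanically across a plant's switches rather than by eye. The following is an added example, not code from the deck or from Moxa: it parses a hypothetical line-oriented switch configuration (the `service`/`snmp`/`aaa`/`interface` syntax is invented for the example, as is the sample config), reports every deviation from the Page 23 checklist, and produces a hardened copy in which each weak setting is replaced by the recommended one. The assumption that a RADIUS server is available for `harden()` is marked in the code.

```python
import copy
from dataclasses import dataclass, field
from typing import Dict, List

# Management services the checklist says to turn off, and their encrypted replacement.
INSECURE_SERVICES = {"http": "https", "telnet": "ssh"}


@dataclass
class Port:
    number: int
    admin_up: bool   # port administratively enabled
    in_use: bool     # a known device is connected
    dot1x: bool      # 802.1X port authentication on
    mac_lock: bool   # MAC address control on the port


@dataclass
class SwitchConfig:
    services: Dict[str, bool] = field(default_factory=dict)
    snmp_version: str = ""
    auth_servers: List[str] = field(default_factory=list)   # empty = local accounts only
    ports: List[Port] = field(default_factory=list)


def parse_config(text: str) -> SwitchConfig:
    """Parse the hypothetical line-oriented config syntax used in SAMPLE_CONFIG below."""
    cfg = SwitchConfig()
    for raw in text.strip().splitlines():
        tok = raw.split()
        if not tok or tok[0].startswith("#"):
            continue
        if tok[0] == "service":            # service <name> enable|disable
            cfg.services[tok[1]] = tok[2] == "enable"
        elif tok[0] == "snmp":             # snmp version 1|2c|3
            cfg.snmp_version = tok[2]
        elif tok[0] == "aaa":              # aaa authentication [radius] [tacacs+] [local]
            cfg.auth_servers = [t for t in tok[2:] if t != "local"]
        elif tok[0] == "interface":        # interface <n> admin up|down status connected|unused dot1x on|off mac-lock on|off
            kv = dict(zip(tok[2::2], tok[3::2]))
            cfg.ports.append(Port(int(tok[1]), kv.get("admin") == "up",
                                  kv.get("status") == "connected",
                                  kv.get("dot1x") == "on", kv.get("mac-lock") == "on"))
    return cfg


def audit(cfg: SwitchConfig) -> List[str]:
    """Return one finding per deviation from the Page 23 checklist (empty list = compliant)."""
    findings = []
    for insecure, secure in INSECURE_SERVICES.items():
        if cfg.services.get(insecure, False):
            findings.append(f"{insecure} enabled: disable it and manage over {secure}")
        if not cfg.services.get(secure, False):
            findings.append(f"{secure} disabled: enable it as the management channel")
    if cfg.snmp_version in ("1", "2c"):
        findings.append(f"SNMPv{cfg.snmp_version} in use: community strings travel in clear text, move to SNMPv3")
    if not cfg.auth_servers:
        findings.append("local-only authentication: point logins at RADIUS or TACACS+")
    for p in cfg.ports:
        if p.admin_up and not p.in_use:
            findings.append(f"port {p.number}: unused but enabled, disable it")
        elif p.admin_up and not (p.dot1x or p.mac_lock):
            findings.append(f"port {p.number}: no 802.1X or MAC control, any device can connect")
    return findings


def harden(cfg: SwitchConfig) -> SwitchConfig:
    """Return a copy with every audit finding corrected. Assumes a RADIUS server exists."""
    new = copy.deepcopy(cfg)
    for insecure, secure in INSECURE_SERVICES.items():
        new.services[insecure] = False
        new.services[secure] = True
    if new.snmp_version in ("1", "2c"):
        new.snmp_version = "3"
    if not new.auth_servers:
        new.auth_servers = ["radius"]      # assumption: a RADIUS server is reachable
    for p in new.ports:
        if not p.in_use:
            p.admin_up = False             # shut unused ports
        elif not (p.dot1x or p.mac_lock):
            p.dot1x = True                 # require 802.1X on in-use ports
    return new


# Constructed sample: a switch as it might ship, not a real device's configuration.
SAMPLE_CONFIG = """
service http enable
service https disable
service telnet enable
service ssh enable
snmp version 2c
aaa authentication local
interface 1 admin up status connected dot1x on mac-lock off
interface 2 admin up status unused dot1x off mac-lock off
interface 3 admin up status connected dot1x off mac-lock off
"""

if __name__ == "__main__":
    before = parse_config(SAMPLE_CONFIG)
    for finding in audit(before):
        print("FINDING:", finding)
    print("findings after hardening:", audit(harden(before)))
```

On the sample, `audit()` reports seven findings (HTTP on, HTTPS off, Telnet on, SNMPv2c, local-only login, port 2 unused but up, port 3 without 802.1X or MAC control) and reports none on the output of `harden()`.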

Best Practices

Page 24: CyberSecurity Best Practices for the IIoT


How to Secure Zones and Conduits (example) (IEC 62443-3-2)

Firewall and VPN ensure the industrial control system meets the security requirements for zones and conduits
• Firewall: control traffic flow between zones
• VPN: encrypt sensitive control data in conduits

Diagram labels: Define Zones, Define Conduits; Traffic Control, Data Encryption
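The zone and conduit model from Pages 22 and 24 (zones with similar security requirements, conduits that name the allowed traffic between them, a firewall enforcing the conduit and a VPN encrypting sensitive conduits) can be expressed as data and checked before any rule is pushed to a device. The following is an added example and not Moxa's or the deck's code; the zone names, address blocks and conduits are constructed, and the firewall rule text format is an assumption.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Zone:
    name: str
    networks: Tuple[str, ...]            # CIDR blocks that belong to the zone


@dataclass(frozen=True)
class Conduit:
    src_zone: str                        # zone that initiates the connection
    dst_zone: str
    allowed: FrozenSet[Tuple[str, int]]  # (protocol, destination port) pairs permitted
    requires_vpn: bool = False           # sensitive control data must be encrypted in transit


class ZoneModel:
    def __init__(self, zones: List[Zone], conduits: List[Conduit]):
        self.zones = {z.name: z for z in zones}
        self.nets = {z.name: [ipaddress.ip_network(n) for n in z.networks] for z in zones}
        self.conduits = {(c.src_zone, c.dst_zone): c for c in conduits}

    def zone_of(self, ip: str) -> Optional[str]:
        """Map an address to its zone; None means the address is outside every zone."""
        addr = ipaddress.ip_address(ip)
        for name, nets in self.nets.items():
            if any(addr in n for n in nets):
                return name
        return None

    def check_flow(self, src_ip: str, dst_ip: str, proto: str, dport: int) -> Tuple[str, str]:
        """Decide one connection attempt the way a conduit firewall would: default deny."""
        src, dst = self.zone_of(src_ip), self.zone_of(dst_ip)
        if src is None or dst is None:
            return "DENY", "address outside every defined zone"
        if src == dst:
            return "ALLOW", f"intra-zone traffic in {src}"
        conduit = self.conduits.get((src, dst))
        if conduit is None:
            return "DENY", f"no conduit defined {src} -> {dst}"
        if (proto, dport) not in conduit.allowed:
            return "DENY", f"{proto}/{dport} not permitted on conduit {src} -> {dst}"
        transport = "VPN tunnel" if conduit.requires_vpn else "plain conduit"
        return "ALLOW", f"{proto}/{dport} on conduit {src} -> {dst} via {transport}"

    def firewall_rules(self) -> List[str]:
        """Expand the conduits into an ordered permit list that ends in a default deny."""
        rules = []
        for (src, dst), c in self.conduits.items():
            for s_net in self.zones[src].networks:
                for d_net in self.zones[dst].networks:
                    for proto, port in sorted(c.allowed):
                        rules.append(f"permit {proto} {s_net} -> {d_net} port {port}"
                                     + (" [encrypt]" if c.requires_vpn else ""))
        rules.append("deny any any")
        return rules


# Constructed plant model: zone names, addresses and conduits are assumptions, not from the deck.
PLANT = ZoneModel(
    zones=[
        Zone("enterprise", ("10.1.0.0/16",)),
        Zone("control", ("10.2.0.0/24",)),
        Zone("field", ("10.3.0.0/24",)),
    ],
    conduits=[
        # Enterprise may reach the control zone's HTTPS historian only through the VPN.
        Conduit("enterprise", "control", frozenset({("tcp", 443)}), requires_vpn=True),
        # Only the control zone may poll field devices, and only over Modbus TCP.
        Conduit("control", "field", frozenset({("tcp", 502)})),
    ],
)

if __name__ == "__main__":
    for flow in [("10.1.5.5", "10.2.0.10", "tcp", 443), ("10.1.5.5", "10.3.0.7", "tcp", 502),
                 ("10.2.0.10", "10.3.0.7", "tcp", 502), ("10.3.0.7", "10.2.0.10", "tcp", 502)]:
        print(flow, PLANT.check_flow(*flow))
    print("\n".join(PLANT.firewall_rules()))
```

Conduits are directional: the field zone may answer the control zone's Modbus polls but may not open connections back, and there is no enterprise-to-field conduit at all, so a workstation that tries to reach a PLC directly is denied even though both addresses are known. Everything not named in a conduit falls through to the closing deny.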

Best Practices

Page 25: CyberSecurity Best Practices for the IIoT


Industrial Firewall and VPN Solution in Plant Network

• Firewall between different function zones: 25000 FPS throughput
• VPN tunnels between function zones: 70 Mbps throughput
• Firewall between devices to isolate unnecessary traffic: 10000 FPS throughput
• VPN tunnel between end device and supervisory controller: 17 Mbps throughput
• Firewall between enterprise network and plant network: 40000 FPS throughput
• VPN gateway connecting the uplink back to the enterprise control center: 150 Mbps throughput

Diagram legend: Firewall, VPN, Enterprise security system

Best Practices

Page 26: CyberSecurity Best Practices for the IIoT


Transparent Firewall Makes ICS Cybersecurity Easy

• No network change required
• Add into a live network without disruption
• Aimed at industrial protocols
• 5-step visualized setting wizard

Diagram: Site / Zone / Cell / In-Cell network protection, with example devices 10.0.0.1, 10.0.0.2, 10.0.0.3, 10.0.0.4

Best Practices

Page 27: CyberSecurity Best Practices for the IIoT


Real-Time Intrusion Detection

Event outputs: SNMP trap, syslog, local DB, 3rd-party SIEM

Detection -> Remediation -> Prevention

Best Practices

Page 28: CyberSecurity Best Practices for the IIoT


Modbus TCP Filtering (Deep Packet Inspection)

Filtering the Modbus protocol by:
1. Function code
2. Access address range
3. Device ID
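Page 13 notes that industrial protocols are hard to secure because Modbus TCP carries no authentication at all, and Page 28 lists the three fields a deep-packet-inspection firewall keys on: function code, address range and device (unit) ID. The following added example, which is not Moxa's code, shows what that inspection actually does: it decodes the MBAP header and the address-bearing part of the PDU, rejects malformed frames, applies an allow-list on the three criteria, and emits a syslog-style event line of the kind Page 27 feeds to a SIEM. The sample frames and policy are constructed, and the log line format is an assumption.

```python
import struct
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Public function codes whose PDU begins with a 16-bit address.
READ_CODES = {1, 2, 3, 4}     # read coils / discrete inputs / holding / input registers
WRITE_SINGLE = {5, 6}         # write single coil / register: address + value
WRITE_MULTI = {15, 16}        # write multiple coils / registers: address + quantity + data


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int                   # "device ID" in the slide's terms
    function_code: int
    start_address: Optional[int]   # None for codes that carry no address field
    quantity: int                  # number of coils/registers touched (1 for single writes)


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Decode MBAP header + the address part of the PDU; raise ValueError on malformed input."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto_id, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto_id != 0:
        raise ValueError(f"protocol identifier {proto_id} is not Modbus")
    if length != len(frame) - 6:            # length counts unit id + PDU bytes that follow
        raise ValueError("MBAP length field does not match frame size")
    fc = frame[7]
    pdu = frame[8:]
    start, qty = None, 0
    if fc in READ_CODES or fc in WRITE_MULTI:
        if len(pdu) < 4:
            raise ValueError(f"function {fc} needs address and quantity")
        start, qty = struct.unpack(">HH", pdu[:4])
    elif fc in WRITE_SINGLE:
        if len(pdu) < 4:
            raise ValueError(f"function {fc} needs address and value")
        start, qty = struct.unpack(">H", pdu[:2])[0], 1
    return ModbusRequest(tid, unit, fc, start, qty)


@dataclass(frozen=True)
class ModbusRule:
    unit_ids: FrozenSet[int]
    function_codes: FrozenSet[int]
    address_lo: int
    address_hi: int   # inclusive


def decide(req: ModbusRequest, rules: List[ModbusRule]) -> Tuple[str, str]:
    """Allow-list check: a request must match one rule on unit id, function code and range."""
    for r in rules:
        if req.unit_id not in r.unit_ids or req.function_code not in r.function_codes:
            continue
        if req.start_address is not None:
            last = req.start_address + req.quantity - 1    # whole span must fit the rule
            if req.start_address < r.address_lo or last > r.address_hi:
                continue
        return "ALLOW", f"rule units={sorted(r.unit_ids)} fc={sorted(r.function_codes)} addr={r.address_lo}-{r.address_hi}"
    return "DENY", "no allow rule matched unit id, function code and address range"


def filter_frame(frame: bytes, rules: List[ModbusRule], src_ip: str) -> Tuple[str, str]:
    """Return (verdict, syslog-style event line); the event format is an assumption."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as err:
        return "DENY", f'modbus-dpi: action=DENY src={src_ip} reason=malformed detail="{err}"'
    verdict, why = decide(req, rules)
    return verdict, (f"modbus-dpi: action={verdict} src={src_ip} unit={req.unit_id} "
                     f'fc={req.function_code} addr={req.start_address} qty={req.quantity} reason="{why}"')


# Policy: the SCADA master may only read holding/input registers 0-99 of unit 1 (constructed).
POLICY = [ModbusRule(frozenset({1}), frozenset({3, 4}), 0, 99)]

# Constructed frames: MBAP (transaction id, protocol id 0, length, unit id) then PDU.
READ_OK = bytes.fromhex("0001 0000 0006 01 03 0000 000a".replace(" ", ""))            # read 10 regs at 0
WRITE_SINGLE_REG = bytes.fromhex("0002 0000 0006 01 06 0005 1234".replace(" ", ""))   # write reg 5
READ_OUT_OF_RANGE = bytes.fromhex("0003 0000 0006 01 03 0050 0040".replace(" ", ""))  # regs 80-143
READ_WRONG_UNIT = bytes.fromhex("0004 0000 0006 02 03 0000 000a".replace(" ", ""))    # unit 2
TRUNCATED = bytes.fromhex("0005 0000 0006 01 03 00".replace(" ", ""))                 # length lies

if __name__ == "__main__":
    for name, frame in [("read_ok", READ_OK), ("write", WRITE_SINGLE_REG),
                        ("out_of_range", READ_OUT_OF_RANGE), ("wrong_unit", READ_WRONG_UNIT),
                        ("truncated", TRUNCATED)]:
        print(name, "->", filter_frame(frame, POLICY, "10.2.0.10")[1])
```

The range check uses the full span of the request, not just its start address, so a read that begins inside the permitted window but runs past it is still denied. Every denied frame produces a log line that carries the parsed fields, which is what makes the SNMP-trap/syslog/SIEM path on Page 27 useful for spotting a master that suddenly starts issuing writes.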

Best Practices

Page 29: CyberSecurity Best Practices for the IIoT

Case Studies: Industrial Control Systems

Page 30: CyberSecurity Best Practices for the IIoT


Manufacturing >> Country: U.S.

Network traffic isolation for semiconductor clean room equipment

Background & Requirements
• Isolate broadcast traffic from the external network to critical laser equipment
• Required a firewall with the ability to connect to multiple WANs
• Need easy management of the secure router configuration for over 100 stations

Why Moxa?
• EDR-810 provided support for 7 ports at the WAN interface for connecting to different systems
• Easy integration into equipment due to industrial design of power and DIN-rail installation
• Reliable and stable for mission-critical manufacturing

Page 31: CyberSecurity Best Practices for the IIoT


Oil and Gas >> Country: U.S.

Secured remote monitoring of gas transmission stations along a pipeline

Background & Requirements
• Gas stations are built along the pipeline over thousands of miles and require an efficient and easy way of monitoring
• The system uses public networks (satellites and 3G/4G) for remote gas analyzer data acquisition and requires a secured tunnel between gas station and control center
• Need easy management of the secure router configuration for over 100 stations

Why Moxa?
• EDR-G903 provides high-performance VPN up to 150 Mbps for large amounts of data acquisition
• EDR-G903 provides up to 350 NAT rules for all 100 stations with a single configuration file for easy management
• Built-in Modbus TCP deep packet inspection to protect unsecured Modbus communication

Page 32: CyberSecurity Best Practices for the IIoT

Thank You

© 2013 Moxa Inc. All rights reserved.