Presented by Daniel Ehrenreich, SCCE, [email protected]
SCCE, ISCADA Ireland Chapter, 11-11-2016

Cyber Defense for Industrial Control and Utility SCADA Systems
Daniel Ehrenreich, SCCE, Israel
Introduction
• 1976 - 1990 Tadiran Inc.
• 1991 - 2011 Motorola Ltd.
• 2011 - 2013 Siemens Ltd.
• 2014 - 2014 Waterfall Security Ltd.
• 2014 - SCCE Consulting
• 2014 - SCCE Training
Daniel Ehrenreich
SCCE - Secure Communication and Control Experts
Tel: +972-54-9151594
40 years of industrial activity
Cyber Risks Everywhere....
Organizations which know that they have already been under cyber attack
Organizations which do not know that they are under attack. The virus is already there!
Organizations which will be under cyber attack as soon as tomorrow!
IT Security Topics
• Viruses
• Spyware
• Trojans
• Botnets
• Phishing & Spam
• Identity Theft
• Cyber Harassment
• ..... more
(Figure: the CIA triad - Confidentiality, Integrity, Availability)
SCADA Security Topics
• People “create” technical vulnerabilities
– Incorrect architecture, added signals, zone crossing
– Software bugs, unsecured network wiring, etc.
– Software patches, upgrades and “minor” modifications
– Software updates without proper testing
• People “create” procedural vulnerabilities
– Allowing connection of backdoors for maintenance
– Using the same default password for all devices
– Authorized people might perform wrong actions
– Not paying attention to physical perimeter security
SCADA Assures “Safety & Reliability”
• Prevent people causing damage to assets
• Prevent equipment from hurting people
• Reliable operation and high productivity
(Figure: IT security challenges are Confidentiality, Integrity and Availability; SCADA security challenges are Safety, Reliability and Productivity)
SCADA Vulnerabilities 1/2
• Outdated hardware
– Cannot be replaced as it works 24/7
– Any replacement may cause an unexpected risk!
• Outdated operating system
– Cannot be replaced as it works 24/7
– A new OS may not be compatible
– An upgrade may cause unexpected behaviour
• Application program risks
– Cannot be replaced as it works 24/7
– A change may cause unexpected behaviour
SCADA Vulnerabilities 2/2
• Computers and software contain vulnerabilities
– Attackers are more creative than defenders (1:000)
– For every “better” defense there will be a new offense
– For every offense one may deploy a stronger defense
• SCADA systems are never perfectly safe
– Internally and externally generated “harms”
– Unauthorized people might access the system
– Authorized people might perform wrong actions
• Expect the unexpected
– Strange system behavior may look like an attack
– “Back doors” might bypass all defenses
Internal and External Attacks
• Internally generated cyber attacks
– Start with breaching the physical perimeter
– The attacker can be an employee or a hacker
– Start with connecting a USB stick to a computer
– Smart attacks can spread without remote control
• Externally generated cyber attacks
– Start with social engineering
– May last a long time before they are detected
– Require compromising the safety barriers
An internally generated attack is easier!
Examples: Stuxnet (2010), Ukraine (2015)
Internal Attack on SCADA Systems
(Diagram: public Internet, firewall, corporate network, and a control network holding the SCADA system, software test lab, vendor expert center, engineering station and view consoles)
Remote Attacking on SCADA
(Diagram with attack steps numbered 1 to 12: an attacker on the Internet, an enterprise firewall, and on the corporate (IT) network an email server, domain name server (DNS), business workstation, database server, web server, modem pool and vendor web server; across the IT-OT firewall, the SCADA (OT) network with an engineering workstation, data historian, RTU and PLC)
Advanced Persistent Threats (APT)
• Advanced
– The attacker can develop or buy zero-day exploits
• Persistent
– The attacker will continue until they succeed
• Threats
– A significant entity is behind the attack
Our goal is to mitigate such risks by boosting the “cost” of the attack
Know the “Zero-Day” Terminology
• Zero-day vulnerability
– A “recently published” vulnerability
– There is no defense measure available!
• Zero-day exploit
– An exploit was developed for that vulnerability
– No one except the attacker has that exploit
• Zero-day attack
– Using the exploit for that specific vulnerability
– More attackers can use it after publication
“Back Door” Vulnerability = High Risk!
• Employees’ & vendors’ modems
– Activity of “very helpful” employees!
– Negligent connections without a firewall
• Negligent, unsecured connections
– Hackers might identify these connections
• Direct connection to a partner’s network!
– Remember Target USA: 40 M credit cards
• The system owner might not know!!
– Temporary connections turn permanent
– Periodic assessment by external people helps
(Figure: security assessment actions)
Infection Spreading in SCADA Systems
(Figure: the levels across which an infection spreads)
– Info level
– Control/Automation level
– Operational level
– Field level (sensors, actuators)
Lockheed Martin Cyber Kill Chain
How Secure are IoT and IIoT Devices?
• Industrial
– Industrial sensors
– Security CCTV
– Alarm systems
– More .......
• Commercial
– Washing machines
– Refrigerators
– Air conditioning
– Home cameras
– More ........
Remember the IoT DDoS in the USA, 10-2016
SCADA Deserves Strong Defense
• Coordinated use of multiple security measures
– The goal: protecting the industrial assets
– Remember: zoning, zoning, zoning, wherever possible
• A multi-layered structure is more difficult to defeat
– Physical security
– Electronic security
– Cyber security
– Active SOC
Without adequate physical security you cannot deploy effective cyber security. Remember the Stuxnet attack.
Security Intrusion & Detection
• Industrial Intrusion Detection System (IIDS)
– Monitors and analyzes SCADA system events
– Detects anomalous behavior in the process and in communication
– Real-time warning of unauthorized access attempts
• Intrusion Prevention System (IPS)
– Same as above, but also prevents the attack
– Rarely allowed for SCADA-ICS
Definition: “Security intrusion is a combination of multiple events/actions that constitutes a security incident in which an intruder gains unauthorized access to a critical asset/resource”
Industrial Cyber Security Challenges
There is no single cyber defense measure (no silver bullet) which can absolutely protect any industrial operation from a cyber attack
(Figure: defense layers and the assets they cover)
• Perimeter security: Firewall & Network Access Control (NAC)
• End point security: Antivirus, OT operation
• Network security: OT network communication
• Control device security: RTUs, PLCs, IEDs, sensors, actuators
Network Isolation - Zoning
• Segregated segments
– Internal from external
– Different hierarchy levels
– Highly critical SCADA sections
– ..... Wherever possible, do it!
• Achieve enhanced defense
– Helps collecting forensic data
– Slows the worm’s spreading
– Blocks the hacker’s “instructions” to the malware
– Analyze the direction of the application data
(Figure: zones from the unsecured Internet through the corporate intranet and the DMZ to the application, HMI-ENG and automation levels)
DMZ Basic Principles
• Preventing an In/Out path to SCADA
– Limited inbound traffic to the control zone
– Controlled outbound traffic from SCADA
– No direct connection between In and Out
– Emergency disconnect; inside or outside
– No network management from outside
• More cyber security benefits
– Allows collecting forensic data
(Figure: DMZ - Demilitarized Zone - placed between the lower security section and the higher security section)
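As an added example (not part of the presentation), the DMZ principles above expressed as a default-deny zone policy; the zone names, service names and the rule table are constructed assumptions, not a real firewall configuration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src_zone: str   # one of: internet, corporate, dmz, control (assumed zone names)
    dst_zone: str
    service: str    # constructed service names, e.g. "historian-push"

class DmzPolicy:
    """Default-deny policy around the control zone, following the DMZ principles."""

    # Only these zone pairs/services may cross a DMZ boundary (constructed table)
    RULES = {
        ("corporate", "dmz"): {"historian-query"},           # corporate reads the replica
        ("dmz", "control"): {"historian-replicate"},         # limited inbound to control
        ("control", "dmz"): {"historian-push", "av-update"}, # controlled outbound
    }
    MANAGEMENT = {"ssh", "rdp", "snmp"}   # never managed from outside the zone

    def __init__(self):
        self.emergency_disconnect = False  # can be pulled from inside or outside

    def decide(self, f):
        touches_control = "control" in (f.src_zone, f.dst_zone)
        if f.src_zone == f.dst_zone:
            return "ALLOW: intra-zone"
        if touches_control and self.emergency_disconnect:
            return "DENY: emergency disconnect active"
        # No direct In/Out path: anything reaching control must pass the DMZ
        if touches_control and "dmz" not in (f.src_zone, f.dst_zone):
            return "DENY: no direct In/Out path to SCADA"
        if f.dst_zone == "control" and f.service in self.MANAGEMENT:
            return "DENY: no network management from outside"
        if f.service in self.RULES.get((f.src_zone, f.dst_zone), set()):
            return "ALLOW: whitelisted"
        return "DENY: default"
```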
Security Information and Event Management (SIEM)
• Collection of information from multiple sites
– More reliable and faster detection of cyber attacks
(Figure: SIEM processing takes input from antivirus, event tracking, Active Directory/RADIUS, computer event logs, firewall event logs and DHCP/DNS, and produces reports/alerts)
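An added example, not from the presentation, of the kind of multi-source correlation a SIEM performs: constructed log lines from Active Directory, DHCP and the firewall are joined by source host, and an alert is raised when several failed logons and then a success are followed by a permitted flow into the control zone. The log format, hosts and thresholds are made up.

```python
import re
from datetime import datetime, timedelta

# Constructed log lines from three feeds (not real logs): "<iso-time> <feed> <event> k=v ..."
LOGS = [
    "2016-11-11T08:00:01 dhcp lease ip=10.1.5.77 mac=aa:bb:cc:dd:ee:01",
    "2016-11-11T08:01:10 ad logon_failed user=operator src=10.1.5.77",
    "2016-11-11T08:01:14 ad logon_failed user=operator src=10.1.5.77",
    "2016-11-11T08:01:19 ad logon_failed user=operator src=10.1.5.77",
    "2016-11-11T08:01:25 ad logon_ok user=operator src=10.1.5.77",
    "2016-11-11T08:02:03 fw permit src=10.1.5.77 dst=10.2.0.15 dport=502",
    "2016-11-11T08:30:00 ad logon_ok user=admin src=10.1.5.20",
]
LINE = re.compile(r"^(\S+) (\w+) (\w+)(.*)$")

def parse(line):
    """Normalize one line from any feed into a dict: ts, feed, event and the k=v fields."""
    m = LINE.match(line)
    fields = dict(p.split("=", 1) for p in m.group(4).split())
    return {"ts": datetime.fromisoformat(m.group(1)), "feed": m.group(2),
            "event": m.group(3), **fields}

def correlate(lines, min_failures=3, window=timedelta(minutes=5)):
    """Alert (host, destination, failures) when a host with >= min_failures failed
    logons followed by a success is permitted by the firewall within the window."""
    events = sorted((parse(l) for l in lines), key=lambda e: e["ts"])
    alerts = []
    for e in events:
        if e["feed"] != "fw" or e["event"] != "permit":
            continue
        host = e["src"]
        # Earlier events from the same host inside the correlation window
        earlier = [x for x in events
                   if x.get("src") == host and e["ts"] - window <= x["ts"] < e["ts"]]
        fails = sum(1 for x in earlier if x["event"] == "logon_failed")
        if fails >= min_failures and any(x["event"] == "logon_ok" for x in earlier):
            alerts.append((host, e["dst"], fails))
    return alerts
```

Seen on its own, each feed looks benign; only the join across feeds turns the sequence into an alert.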
Data Sanitizing Kiosk
• Data sanitization: inspection of files to detect malware in documents and software
– Provides an extra level of insurance against zero-day attacks without reducing the value of the files
• Transfer of sanitized files to the network
– Manually, on transferable media
– Through a direct connection to the network
• Special challenges
– The sanitizing kiosk is periodically updated with new signatures supplied by the AV vendor
(Figure: Data -> Scanning -> Certified Data)
IDS-IIDS Performs Cyber Defense
• IIDS - Industrial Intrusion Detection System
– Collecting data at critical points in the system
• Anomaly detection - big data analysis
– Analysis done on the process and on communication
• The “normal” is dynamically changing
– Must deploy an effective self-learning mechanism
• Secure data collection
– Using a “replica server” for analyzing the data
If you do not assume that you are targeted and do not start searching for the attack code, you will never find it
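An added example covering both IIDS slides (the detection slide earlier and this one); it is not the author's code. It learns a per-conversation baseline from constructed polling records, flags conversations never seen in the baseline as well as process values outside the learned band, and lets the baseline drift on normal readings so that a changing “normal” is followed. The record format, tags and values are assumptions.

```python
import statistics
from collections import defaultdict

# Constructed baseline of "normal" SCADA polling traffic (not a real capture):
# (seconds, source, destination, function, tag, value)
BASELINE = (
    [(t, "hmi", "plc1", "READ", "tank_level", 50.0 + (t % 5)) for t in range(60)]
    + [(t, "hmi", "plc1", "READ", "pump_rpm", 1450.0 + (t % 3) * 10) for t in range(60)]
)

class IIDS:
    """Learns what is normal per conversation (src, dst, function, tag) and
    flags both unknown conversations and out-of-range process values."""

    def __init__(self, k=3.0, alpha=0.1):
        self.k = k            # sigma multiplier for the process threshold
        self.alpha = alpha    # how fast the baseline follows new normal values
        self.stats = {}       # key -> (mean, std)

    def learn(self, records):
        groups = defaultdict(list)
        for _, src, dst, fn, tag, val in records:
            groups[(src, dst, fn, tag)].append(val)
        for key, vals in groups.items():
            std = statistics.pstdev(vals) if len(vals) > 1 else 0.0
            self.stats[key] = (statistics.mean(vals), max(std, 1e-6))

    def check(self, record):
        _, src, dst, fn, tag, val = record
        key = (src, dst, fn, tag)
        if key not in self.stats:
            return "COMM_ANOMALY"      # conversation never seen in the baseline
        mean, std = self.stats[key]
        if abs(val - mean) > self.k * std:
            return "PROCESS_ANOMALY"   # value outside the learned band
        # Normal reading: let the baseline drift slowly (self-learning)
        self.stats[key] = ((1 - self.alpha) * mean + self.alpha * val, std)
        return "OK"

    def scan(self, records):
        """Return (time, verdict, record) for every record that is not OK."""
        out = []
        for r in records:
            verdict = self.check(r)
            if verdict != "OK":
                out.append((r[0], verdict, r))
        return out
```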
SCADA Cyber Defense Solutions 1/3: Authenticated Proxy Access (APA)
• Accurate access control definition downloaded to the remote site to specify:
– Who can access the site
– Which devices can be accessed
– What actions can be performed
– Time slot for service execution
• Benefits of the APA
– Eliminates the need for an instant process
– Precise white list definitions
• Audit trail
– All actions are recorded
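Added example, not part of the presentation: a remote-site proxy that enforces a downloaded APA whitelist (who, which devices, what actions, which time slot) and records every decision in an audit trail. The rule format, user and device names and the maintenance window are constructed.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class AccessRule:
    """One whitelist entry downloaded to the remote site (constructed format)."""
    user: str
    devices: frozenset   # which devices may be accessed
    actions: frozenset   # what may be done, e.g. READ / CONFIG
    start: datetime      # service time slot start
    end: datetime        # service time slot end

class RemoteSiteProxy:
    """Holds the downloaded whitelist and records every decision in an audit trail."""

    def __init__(self, rules):
        self.rules = {r.user: r for r in rules}
        self.audit = []  # (time, user, device, action, ALLOW/DENY, reason)

    def authorize(self, user, device, action, when_iso):
        when = datetime.fromisoformat(when_iso)
        rule = self.rules.get(user)
        if rule is None:
            reason = "unknown user"
        elif device not in rule.devices:
            reason = "device not whitelisted"
        elif action not in rule.actions:
            reason = "action not whitelisted"
        elif not rule.start <= when <= rule.end:
            reason = "outside service time slot"
        else:
            reason = "granted"
        allowed = reason == "granted"
        # Every attempt, allowed or denied, is recorded
        self.audit.append((when_iso, user, device, action,
                           "ALLOW" if allowed else "DENY", reason))
        return allowed

# Constructed whitelist: one vendor technician, one maintenance window on plc-03
POLICY = [
    AccessRule("vendor_tech", frozenset({"plc-03"}), frozenset({"READ", "CONFIG"}),
               datetime.fromisoformat("2016-11-11T09:00"),
               datetime.fromisoformat("2016-11-11T12:00")),
]
```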
SCADA Cyber Defense Solutions 2/3
• Network visualization and modeling
• Cyber events detection within the SCADA network
• Secure remote access during maintenance
• Integration with SIEM & HMI for cyber events
SCADA Cyber Defense Solutions 3/3
• Used between zones - single direction data flow
– Generates a replica server for external access
• Primarily a SCADA defense against external access
– Impossible to connect to the SCADA, only to the replica server
• No defense against internally generated attacks
– An internal IDS linked to the SCADA may report on the event
(Figure: SCADA-based historian servers on the industrial network feed a replica historian server on the corporate network over a unidirectional link)
Creating a Robust SCADA System
• Preventing unauthorized Control Center configuration
• Using frequently changing strong HMI passwords
• Preventing printer sharing in the control room
• Blocking all unused hardware and software ports
• Blocking services which are not linked to the process
• Installing software patches supplied by the vendor
• PLC/RTU passwords must be unique and different
• Physical security!!!
• http://energy.gov/oe/downloads/21-steps-improve-cyber-security-scada-networks
Towards Better Secured SCADA Systems
• Conduct periodic cyber drills and exercises
• You must train your technical staff and users
• Become experts and analyze cyber events
• Establish a security policy for all operation levels
• Remember to be prepared for new challenges