Secure Connectivity for
Critical Infrastructure
Shodan Project SHINE
Shodan Intelligence Extraction = SHINE
• Study using Shodan on ICS Devices exposed on the Internet
• Focused on Industrial Control Systems
Project RUGGEDTRAX:
• Publicly sourced an ICS device
• Deployed it as an actual cyber asset controlling critical infrastructure
• Exposed it to the Internet
Result:
• First Attack within 2 hours
• Shodan Found it in 2 Days
• After 70 days:
• 140,430 Access Attempts
• 651 different IP Addresses
• 90% from China
SHINE Findings Report: http://01m.us/l/ltjify8p2a1r
RUGGEDTRAX Preliminary Report: http://01m.us/l/gltlhotyw69j
Targets: Critical Infrastructure
Consider what’s at risk.
Critical infrastructure is compromised daily…
Sectors shown: Nuclear, Water, Oil processing, Gas, Electric
The not so really bad guys?
http://www.telegraph.co.uk/news/worldnews/1575293/Schoolboy-hacks-into-citys-tram-system.html
• Twelve people were injured in one derailment,
and the boy is suspected of having been
involved in several similar incidents.
• He treated it like any other schoolboy might a
giant train set, but it was lucky nobody was
killed. Four trams were derailed, and others
had to make emergency stops that left
passengers hurt. He clearly did not think
about the consequences of his actions.
• The 14-year-old, described by his teachers as
a model pupil and an electronics "genius",
adapted a television remote control so it could
change track points in the city of Lodz.
How bad can it get?
http://securityaffairs.co/wordpress/36536/cyber-warfare-2/iran-accused-blackout-turkey.html
Recent major attacks
Target
Anthem
Premera Blue Cross
Home Depot
Staples
Sony
JP Morgan Chase
Community Health Systems
Michael’s
Source: “9 Recent Cyber Attacks Against Big Business,” NY Times, 2/2015
Existing Security Solutions are Fighting a Losing Battle
What do they all have in common?
They had lots of dedicated security engineers helping to manage routing, switching, firewalls and VPNs…
DHS Guidelines are outdated:
Improving Industrial Control Systems Cybersecurity with Defense-In-Depth Strategies
ISOLATING AND PROTECTING ASSETS:
DEFENSE-IN-DEPTH STRATEGIES
3.1.1 Architectural Zones
Best practices to leverage can include:
1. Firewalls (single, multi-homed, dual, cascading)
2. Routers with Access Control Lists (ACLs)
3. Configured switches
4. Static routes and routing tables
5. Dedicated communications media.
Follow documented guidelines: DHS, NIST, AWWA, WaterISAC, NERC-CIP…
https://ics-cert.us-cert.gov/Field-ControllerRTUPLCIED-Documentation
Firewalls: Complexity, the enemy of security
“The key to effective firewall protection is a simple Rule Base. One of the greatest dangers to the security of your organization is
misconfiguration… To keep your Rule Base simple, ensure that it is concise and therefore easy to understand and maintain. The more rules you have, the more likely
you are to make a mistake.
Basic Rules.
Rule Order
Rule order is a critical aspect of an effective Rule Base. Having the same rules, but
putting them in a different order, can radically alter the effectiveness of your
firewall. It is best to place more specific rules first and more general rules last. This order
prevents a general rule from being applied before a more specific rule and protects your
firewall from misconfigurations.”
Best Regards,
Firewall Vendor
passwd g00fba11
enable password gen1u$
hostname Buster
asdm image disk0:/asdm.bin
boot system disk0:/image.bin
interface gigabitethernet 0/0
nameif outside
security-level 0
ip address 209.165.201.3 255.255.255.224
no shutdown
interface gigabitethernet 0/1
nameif dept2
security-level 100
ip address 10.1.2.1 255.255.255.0
mac-address 000C.F142.4CDE standby 000C.F142.4CDF
no shutdown
rip authentication mode md5
rip authentication key scorpius key_id 1
interface gigabitethernet 0/2
nameif dept1
security-level 100
ip address 10.1.1.1 255.255.255.0
no shutdown
interface gigabitethernet 0/3
nameif dmz
security-level 50
ip address 192.168.2.1 255.255.255.0
no shutdown
same-security-traffic permit inter-interface
route outside 0 0 209.165.201.1 1
nat (dept1) 1 10.1.1.0 255.255.255.0
nat (dept2) 1 10.1.2.0 255.255.255.0
! The dept1 and dept2 networks use PAT when accessing the outside
global (outside) 1 209.165.201.9 netmask 255.255.255.255
! Because we perform dynamic NAT on these addresses for outside access, we need to perform
! NAT on them for all other interface access. This identity static statement just
! translates the local address to the same address.
static (dept1,dept2) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
static (dept2,dept1) 10.1.2.0 10.1.2.0 netmask 255.255.255.0
! The syslog server uses a static translation so the outside management host can access
! the server
static (dmz,outside) 209.165.201.5 192.168.2.2 netmask 255.255.255.255
access-list MANAGE remark Allows the management host to access the syslog server
access-list MANAGE extended permit tcp host 209.165.200.225 host 209.165.201.5 eq ssh
access-group MANAGE in interface outside
! Advertises the adaptive security appliance IP address as the default gateway for the downstream
! router. The adaptive security appliance does not advertise a default route to the upstream
! router. Listens for RIP updates from the downstream router. The adaptive security appliance does
! not listen for RIP updates from the upstream router because a default route to the
! upstream router is all that is required.
router rip
network 10.0.0.0
default-information originate
version 2
ssh 209.165.200.225 255.255.255.255 outside
logging trap 5
! System messages are sent to the syslog server on the DMZ network
logging host dmz 192.168.2.2
logging enable
! Enable basic threat detection:
threat-detection basic-threat
threat-detection rate dos-drop rate-interval 600 average-rate 60 burst-rate 100
! Enables scanning threat detection and automatically shun attackers,
! except for hosts on the 10.1.1.0 network:
threat-detection scanning-threat shun except ip-address 10.1.1.0 255.255.255.0
threat-detection rate scanning-threat rate-interval 1200 average-rate 10 burst-rate 20
threat-detection rate scanning-threat rate-interval 2400 average-rate 10 burst-rate 20
! Enable statistics for access-lists:
threat-detection statistics access-list
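The rule-order principle quoted above and the MANAGE access list in the ASA configuration are worth seeing together. The following is an added example, not code from the original deck or from any vendor: a small first-match evaluator for ASA-style extended ACL lines that also flags rules shadowed by an earlier, more general rule. The general "deny ip any" rule and the port table are constructed for the example; the permit rule is the page's own.

```python
import ipaddress
from collections import namedtuple
PORTS = {"ssh": 22, "http": 80, "https": 443, "syslog": 514}
Rule = namedtuple("Rule", "action proto src dst dport")  # proto "ip" / dport None = any

def _addr(t):
    """'host A' -> A/32, 'any' -> 0.0.0.0/0, 'A MASK' -> A/MASK; returns (net, tokens used)."""
    if t[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), 1
    spec = t[1] if t[0] == "host" else f"{t[0]}/{t[1]}"
    return ipaddress.ip_network(spec, strict=False), 2

def parse_acl(text):
    """Parse ASA-style 'access-list NAME extended ...' lines in order; remarks are skipped."""
    rules = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[2] != "extended":
            continue
        src, n = _addr(t[5:])
        dst, m = _addr(t[5 + n:])
        rest = t[5 + n + m:]
        dport = (PORTS.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
        rules.append(Rule(t[3], t[4], src, dst, dport))
    return rules

def _covers(e, proto, src, dst, dport):
    """True if rule e applies to everything described by (proto, src, dst, dport)."""
    return ((e.proto == "ip" or e.proto == proto)
            and src.subnet_of(e.src) and dst.subnet_of(e.dst)
            and (e.dport is None or e.dport == dport))

def evaluate(rules, proto, src, dst, dport=None):
    """First matching rule wins; every ACL ends with an implicit deny."""
    s, d = ipaddress.ip_network(src), ipaddress.ip_network(dst)
    for r in rules:
        if _covers(r, proto, s, d, dport):
            return r.action
    return "deny"

def shadowed(rules):
    """Indices of rules that can never fire because an earlier rule already covers them."""
    return [i for i, r in enumerate(rules)
            if any(_covers(e, r.proto, r.src, r.dst, r.dport) for e in rules[:i])]

# Constructed samples: the page's MANAGE rule plus a general deny for the syslog server,
# in the recommended order (specific first) and in the wrong order (general first).
SPECIFIC_FIRST = ("access-list MANAGE extended permit tcp host 209.165.200.225 host 209.165.201.5 eq ssh\n"
                  "access-list MANAGE extended deny ip any host 209.165.201.5\n")
GENERAL_FIRST = ("access-list MANAGE extended deny ip any host 209.165.201.5\n"
                 "access-list MANAGE extended permit tcp host 209.165.200.225 host 209.165.201.5 eq ssh\n")
```

With the general deny placed first, the management host's SSH session is denied and `shadowed()` reports the permit rule as unreachable; in the specific-first order the same two rules behave as intended.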
Simple router Firewall Rules
Router>enable
Router#configure terminal
Router(config)#hostname CORP
CORP(config)#interface serial 0/0/0
CORP(config-if)#description link to ISP
CORP(config-if)#ip address 192.31.7.6 255.255.255.252
CORP(config-if)#no shutdown
CORP(config)#interface fastethernet 0/1
CORP(config-if)#description link to 3560 Switch
CORP(config-if)#ip address 172.31.1.5 255.255.255.252
CORP(config-if)#no shutdown
CORP(config-if)#exit
CORP(config)#interface fastethernet 0/0
CORP(config-if)#duplex full
CORP(config-if)#no shutdown
CORP(config-if)#interface fastethernet 0/0.1
CORP(config-subif)#description Management VLAN 1 – Native VLAN
CORP(config-subif)#encapsulation dot1q 1 native
CORP(config-subif)#ip address 192.168.1.1 255.255.255.0
CORP(config-subif)#interface fastethernet 0/0.10
CORP(config-subif)#description Sales VLAN 10
CORP(config-subif)#encapsulation dot1q 10
CORP(config-subif)#ip address 192.168.10.1 255.255.255.0
CORP(config-subif)#interface fastethernet 0/0.20
CORP(config-subif)#description Engineering VLAN 20
CORP(config-subif)#encapsulation dot1q 20
CORP(config-subif)#ip address 192.168.20.1 255.255.255.0
CORP(config-subif)#interface fastethernet 0/0.30
CORP(config-subif)#description Marketing VLAN 30
CORP(config-subif)#encapsulation dot1q 30
CORP(config-subif)#ip address 192.168.30.1 255.255.255.0
CORP(config-subif)#exit
CORP(config-if)#exit
CORP(config)#router eigrp 10
CORP(config-router)#network 192.168.1.0
CORP(config-router)#network 192.168.10.0
CORP(config-router)#network 192.168.20.0
CORP(config-router)#network 192.168.30.0
CORP(config-router)#network 172.31.0.0
Configuring VLANs
How does this work with my firewall rules???
Water Treatment Facility: Misconfigured Equipment
During a recent network infrastructure upgrade, a water utility implemented a misconfigured switch configuration, which flooded the
network with traffic. This error led to massive resource consumption on control system endpoints. To the entity, it looked as though
the systems had been infected with malware.
The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) analyzed the router and switch configurations and found
an error in how the spanning-tree protocol, which prevents network traffic re-broadcasting loops, was configured. The misconfiguration
caused too much network traffic to be sent to endpoint devices, which overloaded the system processors.
Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)
Complexity, not just the enemy of security!
https://ics-cert.us-cert.gov/advisories
Diagram: SCADA Network, Enterprise Network, Cellular Network
80/20 Rule: Reduce the attack vectors with Micro-segmentation
Summary
• Prioritize Security
• Be Realistic
– Manage Risk, Reward, Cost, Manageability
– Defense in Depth (Layers)
• Goals:
– Understand your High Value (High Target) Assets
– Identify Soft Spots (Network, Access Points, Devices, Encryption …)
– Always work to Improve Your Security Posture
– Lower Operational Costs