Security in IoT
Maik G. Seewald, CISSP
Cluj-Napoca
Source: Cisco Consulting Services
What is IoT?
50B devices connected by 2020
© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 3
Use cases for IoT Connections
• Substations: 3M sites
• Cell towers: 15M sites
• Wells: 1M sites
• Transportation: 1M cabinets
• Healthcare: 50K sites
• Defense: 20K sites
• Further verticals: energy efficiency, street lighting, waste management, parking, traffic management, safety & security, manufacturing, utilities
Industrialization of Hacking
There is a multi-billion dollar global industry targeting your prized assets: $450 billion to $1 trillion.
Going rates in the underground economy (figure reconstructed as a list):
• Social Security: $1
• Mobile malware: $150
• Bank account info: >$1000, depending on account type and balance
• Facebook accounts: $1 for an account with 15 friends
• Credit card data: $0.25–$60
• Malware development: $2500 (commercial malware)
• DDoS as a service: ~$7/hour
• Spam: $50 per 500K emails
• Medical records: >$50
• Exploits: $1000–$300K
Data Computing Tiers – Fog Nodes for Better Performance
[Diagram: a 2-tiered system connects edge devices directly to the data center and applications; a 3-or-more-tiered system (IoT data system) places fog nodes between the edge devices and the data center and applications.]
IOx: Enabling Cisco IoT Gear for Fog Computing
[Diagram: the IOx / Fog Platform stack. Hosts: networking devices, compute devices, gateway devices, cameras. The fog platform host runs a virtual machine with fog services (app services, storage, ML, ESP) and container management (Docker and LXC) for Java, Lua, Python, … apps; a CAF agent exposes the platform through a REST API.]
What is REST?
• Using HTTP/HTTPS to communicate between two software components written in any language, over any environment (HTTPS, since the call and its parameters are otherwise clear text on the wire)
• Using HTTP GET/POST/PUT/DELETE to make a remote function call
• Using JSON to pass the parameters to the function call
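A JSON-over-HTTP remote function call of the kind the slide describes, as an added example (not the IOx CAF REST API or any Cisco code): a local server maps two invented paths to functions, the client calls them with GET and POST passing JSON parameters, and the server rejects requests that lack the (invented) bearer token, use the wrong method, send a non-JSON or oversized body, or pass a parameter that fails validation. Paths, token and function names are assumptions; it binds only to 127.0.0.1.

```python
"""JSON-over-HTTP 'remote function call' as the slide describes it: a server
maps URL paths to functions, the client passes parameters as JSON, and the
server validates everything before dispatching. Runs entirely on localhost."""
import hmac
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

API_TOKEN = "example-token-not-a-real-secret"  # assumption: static bearer token
MAX_BODY = 64 * 1024                            # refuse oversized parameter bodies


# The remotely callable functions (invented for the example)
def get_status(params):
    return {"state": "running", "apps": ["sensor-agent"]}


def start_app(params):
    name = params.get("name")
    if not isinstance(name, str) or not name.isidentifier():
        raise ValueError("name must be a plain identifier")
    return {"started": name}


FUNCTIONS = {"/status": ("GET", get_status), "/apps/start": ("POST", start_app)}


class RpcHandler(BaseHTTPRequestHandler):
    def _reply(self, code, obj):
        data = json.dumps(obj).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def _dispatch(self, method):
        auth = self.headers.get("Authorization", "")
        if not hmac.compare_digest(auth.encode(), f"Bearer {API_TOKEN}".encode()):
            return self._reply(401, {"error": "unauthorized"})
        entry = FUNCTIONS.get(self.path)
        if entry is None:
            return self._reply(404, {"error": "no such function"})
        allowed, func = entry
        if method != allowed:
            return self._reply(405, {"error": f"use {allowed}"})
        params = {}
        if method == "POST":
            try:
                length = int(self.headers.get("Content-Length") or 0)
            except ValueError:
                return self._reply(400, {"error": "bad Content-Length"})
            if length > MAX_BODY:
                return self._reply(413, {"error": "body too large"})
            if self.headers.get("Content-Type", "").split(";")[0].strip() != "application/json":
                return self._reply(415, {"error": "send application/json"})
            try:
                params = json.loads(self.rfile.read(length))
            except ValueError:
                return self._reply(400, {"error": "invalid JSON"})
            if not isinstance(params, dict):
                return self._reply(400, {"error": "JSON object expected"})
        try:
            return self._reply(200, func(params))
        except ValueError as exc:
            return self._reply(400, {"error": str(exc)})

    def do_GET(self):
        self._dispatch("GET")

    def do_POST(self):
        self._dispatch("POST")

    def log_message(self, *args):  # keep the demo quiet
        pass


def call(base, path, method="GET", params=None, token=API_TOKEN):
    """Client side: JSON in, JSON out. Returns (HTTP status, decoded body)."""
    body = json.dumps(params).encode() if params is not None else None
    req = urllib.request.Request(base + path, data=body, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    if body is not None:
        req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read())


def demo():
    """Serve on a free loopback port, make four calls, shut down."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), RpcHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_address[1]}"
    try:
        return [
            call(base, "/status"),
            call(base, "/apps/start", "POST", {"name": "sensor_agent"}),
            call(base, "/apps/start", "POST", {"name": "../etc/passwd"}),
            call(base, "/status", token="guess"),
        ]
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for status, body in demo():
        print(status, body)
```

The four calls in `demo()` return 200, 200, 400 and 401 in that order. On a real fog node the same server would sit behind TLS; the token comparison uses `hmac.compare_digest` so a wrong token is not rejected faster than a right one.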
Fog Computing – some use-cases
• Cisco IR829/IR809 router as:
  • Edge/real-time analytics
  • RTU software
  • Assembly line analytics (factories)
  • Metering concentrator software
  • Preventive maintenance data provider
  • Data virtualization (healthcare)
Cyber Security Lessons learned
• Security is a never-ending process (and an attitude)
• New vulnerabilities are discovered daily
• Threats continue to evolve
• Personnel become lax, or find workarounds to security measures
• The weakest points in the system are the most likely targets
• Assume that the attacker is at least as intelligent and motivated as the defenders
• All trust is limited!
• There are external AND internal threats!
• Internal access control needs continuous configuration monitoring
Your normal IoT Network to Secure
[Diagram: the reference IoT/OT network used on the following slides. Branch / manufacturing hall / special station with field devices, HMI, protection and control ENG/SYS, and remote access for engineering and maintenance; a 3rd-party branch; a utility private WAN (MPLS, SDH/PDH); the control center with SCADA/EMS apps and clients; the office network; and the data center with enterprise apps. Security controls overlaid on it: LAN access, WAN access, IP transport, firewalls, a VPN server, and intrusion detection at every tier. Security visibility everywhere.]
LAN Access (for machines) – security and normalization
[Diagram: IR829 architecture. Hardware with network interfaces, USB and serial ports; a hypervisor hosting two guests side by side: IOS (forwarding engine with virtual Ethernet interfaces) and a Linux guest operating system (kernel space with the TCP/IP stack, user space with the applications, virtual serial and virtual Ethernet interfaces). Southbound network toward the machines, northbound network toward the WAN. Resources: CPU 1 GHz total; memory for guest OS 200 MB; memory for IOS <800 MB.]
LAN Access (for humans) – policy with ISE
[Diagram: Cisco ISE unified access management, with identity profiling fed by DHCP, RADIUS, SNMP, NetFlow, HTTP, DNS and NMAP data via the wireless LAN controller.]
1. IEEE 802.1X EAP user authentication
2. Profiling to identify the device
3. Posture of the device (personal asset vs. company asset)
4. Policy decision
5. Enforce policy in the network
6. Full or partial access granted (corporate resources vs. Internet only)
Private WAN – MPLS Recommendation
[Diagram: the reference IoT/OT network again, with the utility private WAN (MPLS, SDH/PDH) shown as an MPLS private network connecting branch, 3rd-party branch, control center, office network and data center.]
iWAN – Best Practice for using Multiple Providers: Transport Independent Design
[Diagram: a branch reaches private cloud, virtual private cloud and public cloud over Internet, 3G/4G-LTE and MPLS transports, with AVC, WAAS and PfR on the path.]
Application Optimization
• Application visibility with performance monitoring
• Application acceleration and bandwidth optimization
Secure Connectivity
• Certified strong encryption
• Comprehensive threat defense
• Cloud Web Security for secure direct Internet access
Intelligent Path Control
• Dynamic application best path based on policy
• Load balancing for full utilization of bandwidth
• Improved network availability
Transport Independent
• Consistent operational model
• Simple provider migrations
• Scalable and modular design
• IPsec routing overlay design
Remote VPN
[Diagram: the reference IoT/OT network again. Remote access for engineering and maintenance terminates on an ASA VPN server, with identity policy supplied by the Identity Services Engine.]
Next Generation Firewall - AMP
Intrusion Prevention
• For people – pretty obvious need – Cisco Sourcefire
• For things – do we need to?
• SCADA is implemented through different protocols depending on the IoT vertical, all of them clear text (even where the protocol is proprietary)
• What do you do?
SCADA Strangelove
• “Group of security researchers focused on ICS/SCADA security to save Humanity from industrial disaster and to keep Purity Of Essence”
• SCADA scanner readily available: a simple Python script that returns device name, IP and software version
SCADA Protocol Fuzzing
• “Sergey Bratus, ISTS/Dartmouth, Fortune 500 utility company”, Black Hat 2008
• Created a SCADA protocol fuzzer that crashes most SCADA systems by applying machine learning and repeating certain strings (normal or mutating)
• Result? Crashed SCADA systems
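The two preceding slides (the SCADA scanner and the protocol fuzzer) share one added example, which is not SCADA Strangelove's scanner, Bratus's fuzzer or any Cisco code. It uses Modbus/TCP as one representative clear-text SCADA protocol: the Read Device Identification request a scanner sends to learn vendor, product and firmware revision (the device-name / software-version fields the slide mentions; the IP is simply whichever host answered), a strict parser for the reply, and a plain mutation fuzzer that replays malformed replies against that parser and counts anything other than a clean rejection as a crash. The device reply and its vendor strings are constructed, the mutation offsets assume that sample's layout, and nothing is sent on the network.

```python
"""Modbus/TCP Read Device Identification (function 0x2B, MEI type 0x0E): the
request a SCADA scanner sends to learn vendor, product and firmware revision,
a strict parser for the reply, and a mutation fuzzer that replays malformed
replies against that parser. All frames are constructed; nothing is sent."""
import random
import struct

# Object ids defined for Read Device Identification (basic category)
OBJECT_NAMES = {0x00: "VendorName", 0x01: "ProductCode", 0x02: "MajorMinorRevision"}


class ModbusError(ValueError):
    """Frame rejected by the parser; the fuzzer counts these as handled."""


def build_read_device_id(transaction_id: int, unit_id: int = 1) -> bytes:
    """MBAP header + PDU [0x2B, MEI 0x0E, ReadDevId code 0x01 (basic), object 0x00]."""
    pdu = bytes([0x2B, 0x0E, 0x01, 0x00])
    # MBAP length field counts the unit id plus the PDU
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def build_response(transaction_id: int, unit_id: int, objects: dict) -> bytes:
    """Build the reply a device would send; objects maps object id -> ASCII bytes."""
    body = b"".join(bytes([oid, len(val)]) + val for oid, val in objects.items())
    # PDU header: function, MEI type, ReadDevId code, conformity level 0x01,
    # MoreFollows 0x00, NextObjectId 0x00, NumberOfObjects
    pdu = bytes([0x2B, 0x0E, 0x01, 0x01, 0x00, 0x00, len(objects)]) + body
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


# Constructed sample reply; vendor, product and revision strings are invented
SAMPLE_REPLY = build_response(1, 1, {0x00: b"ExampleVendor", 0x01: b"PLC-1000", 0x02: b"2.3.1"})


def parse_read_device_id(frame: bytes) -> dict:
    """Parse a reply; every length is checked against the buffer before use so a
    bad frame raises ModbusError rather than IndexError or struct.error."""
    if len(frame) < 7:
        raise ModbusError("short MBAP header")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ModbusError("bad protocol id or MBAP length")
    pdu = frame[7:]
    if len(pdu) >= 2 and pdu[0] == 0xAB:          # 0x2B with the exception bit set
        raise ModbusError(f"exception response, code {pdu[1]:#x}")
    if len(pdu) < 7 or pdu[0] != 0x2B or pdu[1] != 0x0E:
        raise ModbusError("not a Read Device Identification response")
    result, pos = {"transaction_id": tid, "unit_id": unit}, 7
    for _ in range(pdu[6]):                        # NumberOfObjects
        if pos + 2 > len(pdu):
            raise ModbusError("truncated object header")
        obj_id, obj_len = pdu[pos], pdu[pos + 1]
        pos += 2
        if pos + obj_len > len(pdu):
            raise ModbusError("object length runs past end of frame")
        value = pdu[pos:pos + obj_len].decode("ascii", errors="replace")
        result[OBJECT_NAMES.get(obj_id, f"object_{obj_id:#04x}")] = value
        pos += obj_len
    if pos != len(pdu):
        raise ModbusError("trailing bytes after last object")
    return result


def mutate(frame: bytes, rng: random.Random) -> bytes:
    """One random mutation: bit flip, magic byte, truncation, or a lying length."""
    buf = bytearray(frame)
    kind = rng.randrange(4)
    if kind == 0:
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif kind == 1:
        buf[rng.randrange(len(buf))] = rng.choice([0x00, 0x7F, 0x80, 0xFF])
    elif kind == 2:
        del buf[rng.randrange(1, len(buf)):]
    else:
        # MBAP length (offsets 4-5), NumberOfObjects (13) and the first object
        # length (15) in SAMPLE_REPLY's layout: the fields a naive parser trusts
        buf[rng.choice([4, 5, 13, 15])] = 0xFF
    return bytes(buf)


def fuzz(seed_frame: bytes, iterations: int = 2000, seed: int = 1) -> dict:
    """Replay mutated frames against the parser. 'crash' counts any exception
    other than ModbusError; for a robust parser it stays at zero."""
    rng = random.Random(seed)
    stats = {"ok": 0, "rejected": 0, "crash": 0, "crash_samples": []}
    for _ in range(iterations):
        case = mutate(seed_frame, rng)
        try:
            parse_read_device_id(case)
            stats["ok"] += 1
        except ModbusError:
            stats["rejected"] += 1
        except Exception as exc:       # on a real device this is the reboot
            stats["crash"] += 1
            stats["crash_samples"].append((case.hex(), repr(exc)))
    return stats


if __name__ == "__main__":
    print(build_read_device_id(1).hex())
    print(parse_read_device_id(SAMPLE_REPLY))
    print(fuzz(SAMPLE_REPLY))
```

Pointing `fuzz()` at a parser that indexes by the frame's own length fields without the bounds checks is what turns `rejected` into `crash`; the slide's point is that many SCADA stacks are that parser.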
MiTM Attack
• Intercept communication between two or more devices
• Modify and inject packets
• Many tools available: Ettercap, Cain & Abel, dsniff
• Scope of attack: modify the cause of transmission (CoT) field
• Intercept and set an invalid CoT value
• Detection with Snort (ISA3000)
• Source: http://www.slideshare.net/pgmaynard/man-inthemiddletalk
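The CoT field belongs to the IEC 60870-5-104 ASDU header, and the added example here (not the source talk's code, not the Snort rule on the following slide, and not Cisco code) shows both halves of the slide on one constructed I-frame: the byte edit a man in the middle performs to set an invalid cause of transmission while leaving the sequence numbers intact so both ends still accept the frame, and the check a Snort-style sensor would express to flag it. The valid CoT ranges are those of IEC 60870-5-101/104; the sample APDU is constructed, not captured.

```python
"""IEC 60870-5-104 I-frame: the in-flight edit a MITM makes to the Cause of
Transmission (CoT) byte, and the check a Snort-style sensor runs to flag it.
The APDU is constructed, not a capture."""
import struct

# Cause-of-transmission values defined by IEC 60870-5-101/104 (low 6 bits of
# the CoT byte): 1-13 and 20-41 are regular causes, 44-47 are the "unknown
# type / cause / address" negative replies; 0, 14-19, 42-43 and 48-63 are
# reserved or private and never expected on a standard link.
VALID_COT = set(range(1, 14)) | set(range(20, 42)) | set(range(44, 48))
COT_UNKNOWN_CAUSE = 45            # what a device answers to an invalid CoT
TCP_PORT = 2404                   # IEC 104 registered port

# Constructed sample: type 1 (M_SP_NA_1, single-point information), one
# object, CoT 3 = spontaneous, common address 1, IOA 1, value ON.
SAMPLE_APDU = bytes([
    0x68, 0x0E,              # start byte, APDU length (14 bytes follow)
    0x00, 0x00, 0x00, 0x00,  # I-frame control fields: send seq 0, recv seq 0
    0x01,                    # type identification: M_SP_NA_1
    0x01,                    # VSQ: one information object
    0x03, 0x00,              # CoT = 3 (spontaneous), originator address 0
    0x01, 0x00,              # common address of ASDU = 1 (little endian)
    0x01, 0x00, 0x00,        # information object address = 1 (3 bytes, LE)
    0x01,                    # SIQ: single point ON
])


def parse_apdu(apdu: bytes) -> dict:
    """Dissect an I-frame APDU; raises ValueError for anything malformed."""
    if len(apdu) < 2 or apdu[0] != 0x68:
        raise ValueError("missing 0x68 start byte")
    if apdu[1] != len(apdu) - 2:
        raise ValueError("APDU length field does not match frame")
    if apdu[2] & 0x01:
        raise ValueError("not an I-frame (S or U format)")
    if len(apdu) < 12:
        raise ValueError("I-frame without a complete ASDU header")
    cot_byte = apdu[8]
    return {
        "send_seq": struct.unpack_from("<H", apdu, 2)[0] >> 1,
        "recv_seq": struct.unpack_from("<H", apdu, 4)[0] >> 1,
        "type_id": apdu[6],
        "num_objects": apdu[7] & 0x7F,
        "cot": cot_byte & 0x3F,
        "negative": bool(cot_byte & 0x40),   # P/N bit
        "test": bool(cot_byte & 0x80),       # T bit
        "originator": apdu[9],
        "common_addr": struct.unpack_from("<H", apdu, 10)[0],
    }


def rewrite_cot(apdu: bytes, new_cot: int) -> bytes:
    """The MITM's edit: keep control fields and sequence numbers untouched so
    both peers accept the frame, overwrite only the 6-bit cause. (The relaying
    TCP stack recomputes checksums; that part is not shown here.)"""
    parse_apdu(apdu)                      # refuse to touch anything but an I-frame
    buf = bytearray(apdu)
    buf[8] = (buf[8] & 0xC0) | (new_cot & 0x3F)   # preserve P/N and T bits
    return bytes(buf)


def inspect_apdu(apdu: bytes) -> list:
    """Detection logic: alert strings for one frame, empty list if it is clean."""
    try:
        f = parse_apdu(apdu)
    except ValueError as exc:
        return [f"IEC104 malformed APDU: {exc}"]
    alerts = []
    if f["cot"] not in VALID_COT:
        alerts.append(f"IEC104 invalid/reserved CoT {f['cot']} in type {f['type_id']} ASDU")
    if f["cot"] == COT_UNKNOWN_CAUSE:
        alerts.append("IEC104 peer reports unknown CoT (45): it received an invalid CoT")
    return alerts


if __name__ == "__main__":
    print(parse_apdu(SAMPLE_APDU))
    tampered = rewrite_cot(SAMPLE_APDU, 0)
    print(tampered.hex(), inspect_apdu(tampered))
```

`inspect_apdu()` is the per-frame check; a sensor on the ISA3000 would apply it to every APDU on TCP port 2404, and a CoT 45 reply from an RTU is worth alerting on even on its own, because it means some peer already sent that RTU a cause it did not recognise.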
Capture and modify (Wireshark, Fiddler)
[Screenshot]
Snort alert
[Screenshot]
Intrusion Detection (for Things)
[Diagram: the reference IoT/OT network again, with intrusion detection placed at two points on the OT side of the network.]
ISA3000 Summary
• Industrial, energy, marine and railway applications; additional certifications post-FCS
• Services include firewall, VPN and IPS, DHCP, and NAT
• Two SKUs – ISA 3000 Copper: 4x10/100/1000BaseT; ISA 3000 Fiber: 2x1GbE (SFP) and 2x10/100/1000BaseT
• LED scheme is OT ready; follows the industry-leading Industrial Ethernet (IE) look/feel
• DIN rail mounting with optional rack mounting
• Connectors: management interface (RJ45 and USB); power supports 24-12 AWG; factory reset
• Thermals: -40C to 60C with no airflow; -40C to 70C with 40 LFM; -34C to 74C with 200 LFM
• Hazloc with nA protection
• IEEE 1613, IEC 61850-3
• EFT in Summer ‘15 and launch in Fall ‘15
ISA3000 Hardware Bypass?
• Normal operation: traffic passes through inspection
• On hardware/software failure, powered off, power outage or reload: bypass is triggered and the circuit is closed, so the ISA3000 acts as a wire and traffic flows uninspected (availability of the process wins over inspection; a state worth alerting on)
Centralized management – FireSIGHT Ver 5.4.1
• Can be managed as other ASA with FirePOWER Services
• Management for multiple devices
• FireSIGHT Management offers: superior reporting and visibility; comprehensive visibility and control over network activity; optimal remediation through infection scoping and root cause determination
Concluding
• Full IoT end-to-end stack protection
• A proven intrusion prevention system
• Design guide for integrating the OT with IT
• Proven solutions for Fog Computing use-cases
• Middleware/SDK for developing IoT Solutions: http://developer.cisco.com
• Use-cases for multiple verticals – come ask us :)