tss-02 wsp 2014 r2 whitelisting cyber security recommendations

Upload: cesar-daviid

Post on 05-Mar-2016


Wonderware security tips

  • Wonderware Conference. Schneider Electric confidential.

  • TSS-02 WSP 2014 R2 Whitelisting & Cyber Security Recommendations. Alicia Rantos, Principal Technical Support Engineer


    Introduction: Alicia Rantos, Principal Technical Support Engineer, Global Customer Support (GCS) at Schneider Electric Software. Project lead for GCS Training, GCS vCloud and GCS Cyber Security Lead, which includes liaison for R&D and other Schneider Electric entities.

    Following training with the Department of Homeland Security via CSSP in 2014, Alicia obtained GICSP certification in 2015, and attends regular meetings with Cyber Security R&D as well as industry trainings and conferences. Also holds a B.S. in Computer Information Systems with a minor in Organizational Leadership from Chapman University and a Master of Business Administration (MBA) from the University of California, Irvine.

    With the company for over 15 years supporting InTouch, Application Server, Wonderware Information Server, Tablets and Panels and various other products, in addition to supporting level 2 customers on primary Wonderware products, and a regular content contributor to the Wonderware GCS website.


    Summary

    Recommended configuration details for whitelisting our WSP 2014 R2 products with Intel Security's ePO products, plus important industrial controls cyber security recommendations.


    Agenda

    - Whitelisting as a cyber security solution
    - McAfee ePO and Application Control for whitelisting
    - Compatibility and Installation
    - Central Administration
    - Whitelisting specifics for WSP 2014 R2 and related components
    - Installing updates, hot fixes, patches and upgrades
    - Additional defense-in-depth cyber security recommendations


    Whitelisting

    Application Whitelisting is a proactive security technique where only a limited set of approved programs are allowed to run, while all other programs (including most malware) are blocked from running by default.

    Application Whitelisting is not a replacement for traditional security software, such as antivirus and host firewalls. It should be used as one layer in a defense-in-depth strategy.


    McAfee Application Control

    McAfee Application Control software provides an effective way to block unauthorized applications and code on servers, workstations and fixed-function devices.

    McAfee Application Control can be used to block the start of unauthorized or unknown applications on servers and workstations. After the installation and activation of McAfee Application Control, all executable applications and files are protected against modification. Updates of authorized applications in the list can be integrated via:

    - Trustworthy users (user)
    - Trustworthy manufacturers (certificate)
    - A trustworthy directory
    - A binary file
    - Updaters (updating programs, e.g. Windows Update or virus scanners)


    McAfee Application Control

    McAfee Application Control offers functions that monitor the main memory, provide protection against buffer overflow, and protect files that are running in the main memory.

    McAfee Application Control is a component of McAfee Integrity Control. McAfee Integrity Control includes the components McAfee Application Control and McAfee Change Control.

    In the WSP environment, only the functionality of the whitelisting (McAfee Application Control) has been tested.


    McAfee Application Control

    Video


    Compatibility and Installation

    Currently WSP 2014 R2 (or higher) is compatible with McAfee ePO version 5.1 and Application Control version 6.1.3.

    Administration

    The administration of McAfee Application Control can be done in two different ways:

    - Locally on a computer system (standalone)
    - Centrally via the administration software McAfee ePolicy Orchestrator (ePO)

    We recommend central administration using ePO, which is what we've tested our WSP products with and what we're.


    Compatibility and Installation

    General Procedure

    1. Installation of McAfee Application Control on a PC.
    2. Execution of the "Solidify" on the PC.
    3. Activation of McAfee Application Control.
    4. Computer restart.


    Central Administration

    The central administration of the whitelisting (installation, configuration, and monitoring of the clients) takes place via the McAfee ePO application. All local McAfee Application Control commands and options are also remotely available via the ePO. The McAfee ePO administration software must be installed on its own computer with up-to-date hardware and a respectively compatible, McAfee supported Windows Server operating system: Windows 2008 R2 or Windows 2012 R2.

    Note: McAfee ePO must not be installed on a WSP computer or an Active Directory domain controller. We highly recommend using Active Directory for Access Control.


    Central Administration


    Whitelisting WSP 2014 R2 Installation Preparations

    1. Setup of the system based on the recommendations of the WSP documentation. Reference the WSP Readme.
    2. Installation and configuration of the operating system.
    3. Installation of the required programs and components.
    4. Installation of all available security updates for the operating system, program and program related components.
    5. Installation of a virus scanner including security updates and the newest available virus signature files.


    Whitelisting WSP 2014 R2 Installation Preparations

    6. If possible, isolation of the connection to external / third-party networks (e.g. on front firewall).
    7. Execution of a complete virus scan of the computer.
    8. Installation of McAfee Application Control via ePO.
    9. Execution of the "Solidify" process for all local hard drives and partitions.
    10. Activation of McAfee Application Control.
    11. Computer restart.


    Whitelisting WSP 2014 R2 Installation Preparations

    Installation and Configuration; Central administration via ePO

    Installation of the ePO server:

    1. Install McAfee ePolicy Orchestrator (ePO).
    2. Install Solidcore Extension Package.
    3. Apply license for Solidcore or McAfee Application Control.

    The standard settings recommended by McAfee for the installations of these products can be used.


    Whitelisting WSP 2014 R2 Installation Preparations

    Installation of McAfee Solidcore clients:

    1. Add the Solidcore Agent Deployment Package to the ePO repository.
    2. Add the client systems in the ePO console.
    3. Install the Solidcore Agent on the clients.
    4. Activation of the Solidcore Agent on the clients.
    5. Solidification via Client Task from ePO.
    6. Activation of client.

    Additional client tasks


    Whitelisting WSP 2014 R2

    Video


    Whitelisting Specifics for Application Server, InTouch, Historian

    Add Solidcore rules to implement the policy:

    Publishers: Digital certificates which certify the ownership of a cryptographic public key by the named subject. A public key is a value provided by a designated authority as an encryption key that, combined with a private key derived from the public key, can be used to effectively encrypt messages and digital signatures.

    Updaters: Installers, executables, Checksums (SHA1)

    Installers: Executables; .exe, .msi, .msm


    Whitelisting Specifics for Application Server, InTouch, Historian

    Publishers:

    - Updater Label: Any name (we used "Invensys Certificate" in our example)
    - Issued To: Invensys System
    - Issued By: VeriSign Class 3 Code Signing 2010 CA
    - Extracted From: WSP 2014 R2 (or later) Setup.exe


    Whitelisting Specifics for WSP 2014 R2

    Updaters:

    - Updater By Name: Framework\Bin\aaDCOMTransport.exe
    - Updater Checksum (for aaDCOMTransport.exe): 64695e7b00763efb0ea975950f566078e0445c39
    - Updater By Name: c:\program files (x86)\archestra\framework\filerepository\t_object.msi


    Whitelisting Specifics for WSP 2014 R2 Updaters


    Whitelisting Specifics for WSP 2014 R2

    Installers:

    - aaGR.exe
    - aaEngine.exe
    - aaDCOMTransport.exe
    - aaPim.exe
    - ******_Temp.msi (****** = Platform node name; an entry for each node)
    - T_Object.msi
    - AAMXCore.msm
    - MxAccess.msm
    - LmxProxy.msm


    Whitelisting Specifics for WSP 2014 R2

    Installers:

    - SmartCardAL.msm
    - RTCommon_IDEGR_Runtime.msm
    - Security_IDEGR_Runtime.msm
    - SysObject_IDEGR_Common_Deploy.msm
    - SysObject_GR_Common_Deploy.msm
    - ObjectIcons_Common.msm
    - PFServer_GR_Runtime.msm
    - LegacyIGDSupport.msm
    - DASClientRedist.msm
    - DCOMConfig.msm
    - DASRedist.msm


    Whitelisting Specifics for WSP 2014 R2 Installers


    Whitelisting Specifics for WSP 2014 R2

    To enable installers, set the following in Solidcore 6.1.3: Application Control Options (Windows) on the Features tab for your policy in the System Tree of the ePO: Package Control # Bypass Package Control


    Whitelisting Specifics for WSP 2014 R2

    An alternative to manually creating the Rules noted above is to import the data outlined here from an export of a previously configured system. The Solidcore Rules Import / Export feature creates an XML file that can be imported back into the ePO system or into another system. This file can also serve as a backup reference once your specific Rules are configured or modified.


    Whitelisting Specifics for FS Gateway

    FS Gateway is included in the WSP installation which is digitally signed. Once the WSP setup.exe is added as a Publisher, FS Gateway is allowed to run and update the system.

    Nothing additional is needed for FS Gateway in the Whitelisting process.


    Whitelisting Specifics for DAS ABCIP

    Updaters:

    - Updater Checksum (for Setup.exe DASABCIP): 36c05f9fad9971aee17a631cce7d117bb09e8774
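    As an added check that is not part of the presentation or of any McAfee or Schneider Electric tooling, the PowerShell below verifies, before the aaDCOMTransport.exe and DAS ABCIP Setup.exe checksums above and the Invensys publisher certificate from the Publishers slide are entered as Solidcore rules, that the files on disk still match those values. The file paths and the PowerShell 4.0 requirement (for Get-FileHash) are assumptions.

```powershell
# Added example, not from the presentation or from McAfee/Schneider Electric.
# Confirms that a file about to be whitelisted as a Solidcore updater matches the
# SHA1 checksum and the code-signing publisher listed on the slides.
# Assumes PowerShell 4.0 or later (Get-FileHash); both paths are assumed locations.

$Expected = @(
    @{ Path = 'C:\Program Files (x86)\ArchestrA\Framework\Bin\aaDCOMTransport.exe'
       Sha1 = '64695e7b00763efb0ea975950f566078e0445c39' },
    @{ Path = 'D:\Install\DASABCIP\Setup.exe'   # assumed path to the DAS ABCIP installer
       Sha1 = '36c05f9fad9971aee17a631cce7d117bb09e8774' }
)
$ExpectedSubject = 'Invensys System'                        # "Issued To" on the Publishers slide
$ExpectedIssuer  = 'VeriSign Class 3 Code Signing 2010 CA'  # "Issued By" on the Publishers slide

function Test-UpdaterCandidate {
    param([string]$Path, [string]$Sha1)
    $r = [ordered]@{ Path = $Path; Result = ''; Detail = '' }
    if (-not (Test-Path -LiteralPath $Path)) {
        $r.Result = 'MISSING'; return [pscustomobject]$r
    }
    # Checksum first: a mismatch means this is not the binary the updater rule was written for.
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA1).Hash.ToLower()
    if ($actual -ne $Sha1.ToLower()) {
        $r.Result = 'HASH MISMATCH'; $r.Detail = $actual; return [pscustomobject]$r
    }
    # Then the Authenticode signature: it must be valid and carry the expected publisher.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        $r.Result = 'BAD SIGNATURE'; $r.Detail = $sig.Status; return [pscustomobject]$r
    }
    $subject = $sig.SignerCertificate.Subject
    $issuer  = $sig.SignerCertificate.Issuer
    if ($subject -notlike "*$ExpectedSubject*" -or $issuer -notlike "*$ExpectedIssuer*") {
        $r.Result = 'UNEXPECTED PUBLISHER'; $r.Detail = "$subject / $issuer"; return [pscustomobject]$r
    }
    $r.Result = 'OK'; $r.Detail = $actual
    [pscustomobject]$r
}

$Expected |
    ForEach-Object { Test-UpdaterCandidate -Path $_.Path -Sha1 $_.Sha1 } |
    Format-Table -AutoSize
```

    A HASH MISMATCH on a file that a WSP service pack or hotfix has just replaced is expected, and means the corresponding Updater Checksum rule must be refreshed before update mode is terminated.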


    Installing Updates, Hot Fixes, Patches and Upgrades

    Service packs, updates, hotfixes and patches from WSP can only be installed after runtime has been completely shut down and with the update mode of McAfee Application Control activated.

    1. Power down and close all WSP applications.
    2. Computer restart. Note that if Autologin and Autostart have been configured for WSP systems, they must be deactivated prior to the restart.
    3. Switch on update mode of Application Control via "sadmin bu". Depending on the system, centrally via the ePO through a task (recommended).


    Installing Updates, Hot Fixes, Patches and Upgrades

    4. Install the WSP update.
    5. Computer restart.
    6. Start the complete, updated WSP application.
    7. Activate Autologin and Autostart if those were deactivated previously.
    8. Terminate update mode of Application Control via "sadmin eu". Depending on the system, centrally via the ePO through a task (or locally on the respective PC).


    Defense-In-Depth Security Recommendations

    Cyber Security Framework: ISA-62443


    Defense-In-Depth Security Recommendations

    People, Policies and Procedures, Technologies

    - People: Training
    - Policies: SOPs and Tools
    - Technology


    Defense-In-Depth Security Recommendations

    Common Attack Vectors

    - External/Removable Media: Attack executed from removable media (e.g., flash drive, CD) or a peripheral device.
    - Attrition: Attack that employs brute force methods to compromise, degrade, or destroy systems, networks, or services.
    - Web: Attack executed from a website or web-based application.
    - Email: An attack executed via an email message or attachment.
    - Improper Usage: Any incident resulting from violation of an organization's acceptable usage policies by an authorized user.
    - Loss or Theft of Equipment: The loss or theft of a computing device or media used by the organization, such as a laptop or smartphone.


    Defense-In-Depth Security Recommendations

    Incident Response - Prepare Capability

    - Create an incident response policy and plan
    - Develop procedures for performing incident handling and reporting
    - Set guidelines for communicating with outside parties
    - Select a team structure and staffing model
    - Establish relationships and lines of communication between the incident response team and other groups
    - Determine what services the incident response team should provide
    - Staff and train the incident response team


    Defense-In-Depth Security Resources

    McAfee Application Control Software http://www.mcafee.com/us/products/application-control.aspx

    ICS CERT Targeted Cyber Intrusion Detection and Mitigation Strategies Update B https://ics-cert.us-cert.gov/tips/ICS-TIP-12-146-01B

    National Security Agency Central Security Service www.nsa.gov

  • 2015 Schneider Electric. All Rights Reserved. All trademarks are owned by Schneider Electric Industries SAS or its affiliated companies or their respective owners.

    Thank you!
