How Security can be stronger than a Firewall: 13 different ways breaking through firewalls

by Andrew Ginter

VP Industrial Security - Waterfall Security Solutions

mail: andrew.ginter@waterfall-security.com

Transcript

  • 1. UNIDIRECTIONAL SECURITY GATEWAYS™ – 1st Ibero-American Industrial Cybersecurity Congress
    How Security Can Be Stronger Than a Firewall: 13 Different Ways Breaking Through Firewalls
    Andrew Ginter, VP Industrial Security, Waterfall Security Solutions
    Proprietary Information – Copyright © 2013 by Waterfall Security Solutions Ltd.
  • 2. Industrial Security Priorities
  • 3. Safety, Reliability, Confidentiality
    Attribute           | Enterprise / IT                                       | Control System
    Scale               | Huge – 100,000’s of devices                           | 100-500 devices per DCS
    Priority            | Confidentiality                                       | Safety and reliability
    Target              | Data theft                                            | Sabotage
    Exposure            | Constant exposure to Internet content                 | Exposed to business network, not Internet
    Equipment lifecycle | 3-5 years                                             | 10-20 years
    Security discipline | Speed / aggressive change – stay ahead of the threats | Security is an aspect of safety – Engineering Change Control (ECC)
    Most IT controls are not appropriate. You manage IT and ICS networks differently.
  • 4. Elephants in the Room
    ● Plain-text communication protocols – at least for local / DCS communications
    ● Anti-virus / constant change is hard – many sites limit use of AV
    ● Security updates / constant change is worse
    ● Vulnerable designs / components: 100,000 vulnerabilities
    ● Old equipment – will anyone sell you anti-virus signatures for Windows 2000?
    ● Timing, network traffic and other sensitivities
    Industrial sites deploy compensating measures such as physical security and cyber-perimeter security.
  • 5. 13 Ways Through a Firewall
    1) Phishing / drive-by download – victim pulls the attack in
    2) Social engineering / steal a password / keylogger
    3) Compromise domain controller – create a firewall account
    4) Attack exposed servers – SQL injection / DoS / etc.
    5) Attack exposed clients – compromise web servers
    6) Session hijacking – man-in-the-middle / steal HTTP cookies
    7) Piggy-back on VPN – split tunnelling / viruses
    8) Firewall vulnerabilities – zero-days / design vulnerabilities
    9) Errors and omissions – bad rules / IT errors
    10) Forge an IP address – rules are IP-based
    11) Bypass network perimeter – e.g. rogue wireless
    12) Physical access to firewall – reset to factory defaults
    13) Sneakernet – removable media / laptops
    Photo: Red Tiger Security
    Keeping a firewall secure takes people and processes…
  • 6. #1 Phishing / Spam / Drive-By Download
    ● Single most common way through (enterprise) firewalls
    ● Client on business network pulls malware from the Internet, or activates malware in an email attachment
    ● “Spear-phishing” – carefully crafted email to fool even security experts into opening the attachment
  • 7. #2 Social Engineering – Steal a Password
    ● VPN password on a sticky note on the monitor, or under the keyboard
    ● Call up the administrator, weave a convincing tale of woe, and ask for the password
    ● Ask the administrator to give you a VPN account
    ● Shoulder-surf while the administrator enters the firewall password
    ● Guess
    ● Install a keystroke logger
  • 8. #3 Compromise Domain Controller – Create Account
    ● More generally – abuse the trust of an external system
    ● Create an account / change the password of an exposed ICS server, or of the firewall itself
    ● Other external trust abuse – compromise external HMI, ERP, DCS vendor with remote access, WSUS server, DNS server, etc.
  • 9. #4 Attack Exposed Servers
    ● Every exposed port is vulnerable:
      ● SQL injection
      ● buffer overflow
      ● default passwords
      ● hard-coded password
      ● denial of service / SYN flood
    Figure: Night Dragon Attack
  • 10. 13 Ways Through a Firewall (the list from slide 5, repeated)
  • 11. Unidirectional Security Gateways
    ● Laser in TX, photocell in RX, fibre-optic cable – you can send data out, but nothing can get back in to the protected network
    ● TX uses 2-way protocols to gather data from the protected network
    ● RX uses 2-way protocols to publish data to the external network
    ● Absolute protection against online attacks from external networks
    Diagram labels: Industrial Network – Waterfall TX Server – Waterfall TX appliance – Waterfall RX appliance – Waterfall RX Server – Corporate Network
  • 12. Secure Historian Replication
    ● Hardware-enforced unidirectional historian replication
    ● Replica historian contains all data and functionality of the original
    ● Corporate workstations communicate only with the replica historian
    ● Industrial network and critical assets are physically inaccessible from the corporate network and 100% secure from any online attack
    Diagram labels: Industrial Network (PLCs, RTUs, Historian, Waterfall TX agent) – Unidirectional TX appliance – Unidirectional RX appliance – Corporate Network (Waterfall RX agent, Replica Historian, Workstations); Unidirectional Historian replication
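To make concrete what slides 11 and 12 describe, here is an added toy model, written for this page and not Waterfall's own code: a link object that only the TX side can write to, a framing format (sequence number plus CRC32, both assumptions), and an RX replica that must detect lost or damaged records on its own, because no acknowledgement or retransmit request can ever cross back over the link.

```python
# Added toy model (not Waterfall code) of one-way historian replication: TX pushes
# framed records; RX rebuilds a replica and, with no ACK path back, detects gaps itself.
import json, struct, zlib
class OneWayLink:
    """The fibre: TX appends frames, RX drains them. No method lets RX write."""
    def __init__(self):
        self._frames = []
    def tx_send(self, frame: bytes) -> None:
        self._frames.append(frame)
    def rx_drain(self) -> list:
        frames, self._frames = self._frames, []
        return frames

def tx_frame(seq: int, record: dict) -> bytes:
    """Frame = seq (u32) | crc32 (u32) | JSON record; the CRC lets RX reject damage."""
    payload = json.dumps(record, sort_keys=True).encode()
    return struct.pack("!II", seq, zlib.crc32(payload)) + payload

class ReplicaHistorian:
    def __init__(self):
        self.records = {}     # seq -> record: what corporate users actually query
        self.missing = set()  # seqs never replicated: logged, can never be re-requested
        self.corrupted = 0    # frames discarded on CRC mismatch
        self._next = 0        # next sequence number expected
    def rx_ingest(self, frame: bytes) -> None:
        seq, crc = struct.unpack("!II", frame[:8])
        payload = frame[8:]
        if zlib.crc32(payload) != crc:  # damaged in transit: drop, count, move on
            self.corrupted += 1
            return
        self.missing.update(range(self._next, seq))  # anything skipped before seq
        self.missing.discard(seq)
        self._next = max(self._next, seq + 1)
        self.records[seq] = json.loads(payload)

def replicate(plant_records, drop=(), corrupt=()):
    """One TX->RX pass; drop/corrupt are constructed fault injections on the link."""
    link = OneWayLink()
    for seq, rec in enumerate(plant_records):
        if seq in drop:  # frame never reaches the fibre
            continue
        frame = tx_frame(seq, rec)
        if seq in corrupt:  # flip the payload's last byte
            frame = frame[:-1] + bytes([frame[-1] ^ 0xFF])
        link.tx_send(frame)
    replica = ReplicaHistorian()
    for frame in link.rx_drain():
        replica.rx_ingest(frame)
    return replica
SAMPLE = [{"tag": "PUMP1.FLOW", "t": 1000 + i, "value": 12.5 + i} for i in range(6)]  # constructed
```

Running `replicate(SAMPLE, drop={2}, corrupt={4})` leaves records 2 and 4 in `missing`; the replica can alert on the gap, but only the TX side can close it by resending.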
  • 13. Waterfall Unidirectional Gateway Connectors
    Leading Industrial Applications / Historians
      ● OSIsoft PI, PI AF, GE iHistorian, GE iFIX
      ● Scientech R*Time, Instep eDNA, GE OSM
      ● Siemens: WinCC, SINAUT/Spectrum
      ● Emerson Ovation, Wonderware Historian
      ● SQL Server, Oracle, MySQL, SAP
      ● AspenTech, Matrikon Alert Manager
    Leading Industrial Protocols
      ● OPC: DA, HDA, A&E, UA
      ● DNP3, ICCP, Modbus
    Remote Access
      ● Remote Screen View™
      ● Secure Manual Uplink
    Leading IT Monitoring Applications
      ● Log Transfer, SNMP, SYSLOG
      ● CA Unicenter, CA SIM, HP OpenView, IBM Tivoli
      ● HP ArcSight SIEM, McAfee ESM SIEM
    Other connectors
      ● UDP, TCP/IP
      ● NTP, Multicast Ethernet
      ● Video/Audio stream transfer
      ● Mail server / mailbox replication
      ● IBM MQ Series, Microsoft MSMQ
    File/Folder Mirroring
      ● Antivirus updater, patch (WSUS) updater
      ● Folder, tree mirroring, remote folders (CIFS)
      ● FTP/TFTP/SFTP/FTPS/RCP
      ● Remote print server
  • 14. Use Case: Iberdrola Cofrentes Nuclear Plant
    ● Replicates the plant historian to the corporate network
    ● Unidirectional gateways are deployed at the majority of American nuclear generators
    ● Protect safety networks, control networks and plant networks
    ● Routinely replicate OPC, historians, Syslog, Modbus and SNMP
    ● Specified in NRC 5.71 and NEI 08-09 regulatory guides
    Figure: NRC Regulatory Guide 5.71
  • 15. Use Case: New Brunswick Power – Power Generation
    ● Inter-Control Center Communications Protocol (ICCP) replication to the regional electric system control center
    ● OSIsoft PI Server replication at all generating plants
    ● Deployed fleet-wide: 3000 MW
    ● Absolute protection from external network attacks
  • 16. Use Case: Detroit Water – Waterfall Solution
    ● Replaced a firewall a service provider was managing: $10,000/mo
    ● Deployed OSIsoft PI Server and replica: aggregates all information to be shared with the business network
    ● Hydraulic optimization reduces $50M/year power costs by 3-7%
    ● Cell-phone loop-check improves field technician productivity
    ● Real-time sewage utilization data to client utilities reduces their costs and increases customer satisfaction
  • 17. Trends in Standards and Guidance
    ● Increasingly, regulations, standards and best-practice guidance recognize hardware-enforced unidirectional communications
    ● Most recent: ISA SP-99-3-3 / IEC 62443-3-3 and NERC CIP V5
  • 18. Waterfall Security Solutions
    ● Headquarters in Israel, sales and operations office in the USA
    ● Hundreds of sites deployed in all critical infrastructure sectors
    ● Strategic partnership agreements / cooperation with: OSIsoft, GE, Siemens, and many other major industrial vendors
    Quoted recognition on the slide:
      “Best Practice Award 2012, Industrial Network Security”
      “2013 Oil & Gas Customer Value Enhancement Award”
      “IT and OT security architects should consider Waterfall for their operations networks”
      “Waterfall is a key player in the cyber security market – 2010, 2011 & 2012”
  • 19. Unidirectional Gateways: Secure IT/OT Integration
    ● Firewalls are porous
    ● Security: absolute protection of the safety and reliability of control system assets from network attacks originating on external networks
    ● Compliance: best-practice guidance, standards and regulations are evolving to recognize strong security
    ● Costs: reduces security operating costs – improves security and saves money
    andrew.ginter@waterfall-security.com
    www.waterfall-security.com