How Security can be stronger than a Firewall: 13 different ways breaking through firewalls
by Andrew Ginter

VP Industrial Security - Waterfall Security Solutions

mail: andrew.ginter@waterfall-security.com
Presentation Transcript

  • Slide 1: UNIDIRECTIONAL SECURITY GATEWAYS™ – 1st Ibero-American Industrial Cybersecurity Congress
    How Security Can Be Stronger Than a Firewall: 13 Different Ways Breaking Through Firewalls
    Andrew Ginter, VP Industrial Security, Waterfall Security Solutions
    Proprietary Information – Copyright © 2013 by Waterfall Security Solutions Ltd.
  • Slide 2: Industrial Security Priorities
  • Slide 3: Safety, Reliability, Confidentiality
    Attribute           | Enterprise / IT                                       | Control System
    Scale               | Huge – 100,000s of devices                            | 100-500 devices per DCS
    Priority            | Confidentiality                                       | Safety and reliability
    Target              | Data theft                                            | Sabotage
    Exposure            | Constant exposure to Internet content                 | Exposed to business network, not Internet
    Equipment lifecycle | 3-5 years                                             | 10-20 years
    Security discipline | Speed / aggressive change – stay ahead of the threats | Security is an aspect of safety – Engineering Change Control (ECC)
    Most IT controls are not appropriate: you manage IT and ICS networks differently.
  • Slide 4: Elephants in the Room
    ● Plain-text communication protocols – at least for local / DCS communications
    ● Anti-virus / constant change is hard – many sites limit use of AV
    ● Security updates / constant change is worse
    ● Vulnerable designs / components: 100,000 vulnerabilities
    ● Old equipment – will anyone sell you anti-virus signatures for Windows 2000?
    ● Timing, network traffic and other sensitivities
    Industrial sites deploy compensating measures such as physical security and cyber-perimeter security.
  • Slide 5: 13 Ways Through a Firewall
    1) Phishing / drive-by download – the victim pulls the attack in
    2) Social engineering / steal a password / keylogger
    3) Compromise domain controller – create a firewall account
    4) Attack exposed servers – SQL injection / DoS / etc.
    5) Attack exposed clients – compromise web servers
    6) Session hijacking – man-in-the-middle / steal HTTP cookies
    7) Piggy-back on VPN – split tunnelling / viruses
    8) Firewall vulnerabilities – zero-days / design vulnerabilities
    9) Errors and omissions – bad rules / IT errors
    10) Forge an IP address – rules are IP-based
    11) Bypass network perimeter – e.g. rogue wireless
    12) Physical access to firewall – reset to factory defaults
    13) Sneakernet – removable media / laptops
    (Photo: Red Tiger Security)
    Keeping a firewall secure takes people and processes…
  • Slide 6: #1 Phishing / Spam / Drive-By Download
    ● Single most common way through (enterprise) firewalls
    ● Client on the business network pulls malware from the Internet, or activates malware in an email attachment
    ● “Spear-phishing” – carefully crafted email to fool even security experts into opening the attachment
  • Slide 7: #2 Social Engineering – Steal a Password
    ● VPN password on a sticky note on the monitor, or under the keyboard
    ● Call up the administrator, weave a convincing tale of woe, and ask for the password
    ● Ask the administrator to give you a VPN account
    ● Shoulder-surf while the administrator enters the firewall password
    ● Guess
    ● Install a keystroke logger
  • Slide 8: #3 Compromise Domain Controller – Create Account
    ● More generally – abuse the trust of an external system
    ● Create an account / change the password of an exposed ICS server, or of the firewall itself
    ● Other external trust abuse – compromise external HMI, ERP, DCS vendor with remote access, WSUS server, DNS server, etc.
  • Slide 9: #4 Attack Exposed Servers
    Every exposed port is vulnerable:
    ● SQL injection
    ● buffer overflow
    ● default passwords
    ● hard-coded passwords
    ● denial of service / SYN flood
    (Illustration: Night Dragon attack)
  • Slide 11: Unidirectional Security Gateways
    ● Laser in TX, photocell in RX, fibre-optic cable – you can send data out, but nothing can get back in to the protected network
    ● TX uses 2-way protocols to gather data from the protected network
    ● RX uses 2-way protocols to publish data to the external network
    ● Absolute protection against online attacks from external networks
    (Diagram: Industrial Network – Waterfall TX Server – Waterfall TX appliance → Waterfall RX appliance – Waterfall RX Server – Corporate Network)
  • Slide 12: Secure Historian Replication
    ● Hardware-enforced unidirectional historian replication
    ● Replica historian contains all data and functionality of the original
    ● Corporate workstations communicate only with the replica historian
    ● Industrial network and critical assets are physically inaccessible from the corporate network & 100% secure from any online attack
    (Diagram: PLCs / RTUs – Historian – Waterfall TX agent – Unidirectional TX appliance → Unidirectional RX appliance – Waterfall RX agent – Replica Historian – Workstations)
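The TX/RX architecture of slides 11 and 12, simulated in Python as an added example that is not part of the deck or of Waterfall's product code: a link object with no reverse method stands in for the laser/photocell fibre, a TX agent polls a constructed plant historian and pushes each point with a sequence number, and an RX agent rebuilds the replica and flags sequence gaps, because with no return path a lost frame can only be alerted on, never retransmitted on request. Class names, tag names and the fault-injection set are assumptions.

```python
from typing import Dict, Set

class OneWayLink:
    """Models the laser/photocell fibre: frames flow TX -> RX only; there is
    no ACK/NAK path, so the RX side can never request a retransmission."""
    def __init__(self, drop: Set[int] = frozenset()):
        self._frames: list = []  # each frame is (seq, tag, timestamp, value)
        self._drop = set(drop)   # constructed fault injection: seq numbers lost in transit
    def emit(self, frame: tuple) -> None:
        if frame[0] not in self._drop:
            self._frames.append(frame)
    def drain(self) -> list:
        frames, self._frames = self._frames, []
        return frames
    # Intentionally no method carries anything from RX back to TX.

class TxAgent:
    """Protected side: polls the plant historian (a two-way protocol) and
    pushes each point through the diode with a monotonic sequence number."""
    def __init__(self, historian: Dict[str, list], link: OneWayLink):
        self.historian, self.link, self.seq = historian, link, 0
    def poll_and_send(self) -> int:
        for tag, series in self.historian.items():
            for ts, val in series:
                self.seq += 1
                self.link.emit((self.seq, tag, ts, val))
        return self.seq

class RxAgent:
    """External side: rebuilds the replica and records sequence gaps. With no
    reverse channel, a gap can only be alerted on, never recovered by NAK."""
    def __init__(self, link: OneWayLink):
        self.link, self.replica, self.expected, self.gaps = link, {}, 1, []
    def receive(self) -> None:
        for seq, tag, ts, val in self.link.drain():
            if seq != self.expected:  # lost frame(s): log for operations review
                self.gaps.extend(range(self.expected, seq))
            self.expected = seq + 1
            self.replica.setdefault(tag, []).append((ts, val))

def run_demo(drop: Set[int] = frozenset()):
    """Constructed plant data; returns (plant, replica, gaps) after one cycle."""
    plant = {"FIC101.PV": [(1.0, 42.0), (2.0, 42.5)], "TI200.PV": [(1.0, 310.2)]}
    link = OneWayLink(drop)
    tx, rx = TxAgent(plant, link), RxAgent(link)
    tx.poll_and_send()
    rx.receive()
    rx.replica.setdefault("FIC101.SP", []).append((3.0, 99.0))  # corporate-side write
    return plant, rx.replica, rx.gaps
```

A write on the corporate side lands only in the replica; the plant dictionary is never touched, and dropping frame 2 shows up as a recorded gap rather than a retransmission.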
  • Slide 13: Waterfall Unidirectional Gateway Connectors
    Leading Industrial Applications / Historians
    ● OSIsoft PI, PI AF, GE iHistorian, GE iFIX
    ● Scientech R*Time, Instep eDNA, GE OSM
    ● Siemens: WinCC, SINAUT/Spectrum
    ● Emerson Ovation, Wonderware Historian
    ● SQL Server, Oracle, MySQL, SAP
    ● AspenTech, Matrikon Alert Manager
    Leading Industrial Protocols
    ● OPC: DA, HDA, A&E, UA
    ● DNP3, ICCP, Modbus
    Remote Access
    ● Remote Screen View™
    ● Secure Manual Uplink
    Leading IT Monitoring Applications
    ● Log transfer, SNMP, syslog
    ● CA Unicenter, CA SIM, HP OpenView, IBM Tivoli
    ● HP ArcSight SIEM, McAfee ESM SIEM
    Other connectors
    ● UDP, TCP/IP
    ● NTP, multicast Ethernet
    ● Video / audio stream transfer
    ● Mail server / mailbox replication
    ● IBM MQ Series, Microsoft MSMQ
    File / Folder Mirroring
    ● Antivirus updater, patch (WSUS) updater
    ● Folder and tree mirroring, remote folders (CIFS)
    ● FTP / TFTP / SFTP / FTPS / RCP
    ● Remote print server
  • Slide 14: Use Case: Iberdrola Cofrentes Nuclear Plant
    ● Replicates the plant historian to the corporate network
    ● Unidirectional gateways are deployed at the majority of American nuclear generators
    ● Protect safety networks, control networks and plant networks
    ● Routinely replicate OPC, historians, syslog, Modbus and SNMP
    ● Specified in NRC 5.71 and NEI 08-09 regulatory guides
    (Image: NRC Regulatory Guide 5.71)
  • Slide 15: Use Case: New Brunswick Power – Power Generation
    ● Inter-Control Center Communications Protocol (ICCP) replication to the regional electric system control center
    ● OSIsoft PI Server replication at all generating plants
    ● Deployed fleet-wide: 3000 MW
    ● Absolute protection from external network attacks
  • Slide 16: Use Case: Detroit Water – Waterfall Solution
    ● Replaced a firewall that a service provider was managing at $10,000/month
    ● Deployed OSIsoft PI Server and replica: aggregates all information to be shared with the business network
    ● Hydraulic optimization reduces $50M/year power costs by 3-7%
    ● Cell-phone loop-check improves field technician productivity
    ● Real-time sewage utilization data to client utilities reduces their costs and increases customer satisfaction
  • Slide 17: Trends in Standards and Guidance
    ● Increasingly, regulations, standards and best-practice guidance recognize hardware-enforced unidirectional communications
    ● Most recent: ISA SP-99-3-3 / IEC 62443-3-3 and NERC CIP v5
  • Slide 18: Waterfall Security Solutions
    ● Headquarters in Israel, sales and operations office in the USA
    ● Hundreds of sites deployed in all critical infrastructure sectors
    ● Best Practice Award 2012, Industrial Network Security; 2013 Oil & Gas Customer Value Enhancement Award
    ● IT and OT security architects should consider Waterfall for their operations networks
    ● Waterfall is a key player in the cyber security market – 2010, 2011 & 2012
    ● Strategic partnership agreements / cooperation with OSIsoft, GE, Siemens and many other major industrial vendors
  • Slide 19: Unidirectional Gateways: Secure IT/OT Integration
    ● Firewalls are porous
    ● Security: absolute protection of the safety and reliability of control system assets from network attacks originating on external networks
    ● Compliance: best-practice guidance, standards and regulations are evolving to recognize strong security
    ● Costs: reduces security operating costs – improves security and saves money
    andrew.ginter@waterfall-security.com
    www.waterfall-security.com