Practical Security Solutions for Industrial Control Systems (ICS)
Explore how to reduce risk and enhance protection of your ICS infrastructure by utilizing non-Integrated Architecture components such as switch ACLs, firewall configurations, and Windows Operating System hardening techniques. A prior understanding of general Ethernet concepts, or attendance of NW01, is recommended.

Published in: Technology, Business

Transcript

  • 1. Copyright © 2014 Rockwell Automation, Inc. All Rights Reserved. PUBLIC INFORMATION. Practical Security Solutions for Industrial Control Systems (ICS). Jason J. Dely, CISSP, CISM, Principal Security Consultant, Network & Security Services, jdely@ra.rockwell.com
  • 2. Course Description: Explore how to reduce risk and enhance protection of your ICS infrastructure by utilizing non-Integrated Architecture components such as switch ACLs, firewall configurations, and Windows Operating System hardening techniques. A prior understanding of general Ethernet concepts, or attendance of the Fundamentals of EtherNet/IP session, is recommended.
  • 3. Agenda: Operating System Security; Firewall; Switch Access Control Lists (ACLs); Defense In Depth.
  • 4. Defense In Depth. Layered Security Model: shield potential targets behind multiple levels of protection to reduce security risks. Defense in Depth: use multiple security countermeasures to protect the integrity of components or systems. Openness: consideration for participation of a variety of vendors in our security solutions. Flexibility: able to accommodate a customer's needs, including policies & procedures. Consistency: solutions that align with Government directives and Standards Bodies. A secure application depends on multiple layers of protection; industrial security must be implemented as a system. (Diagram: layers Physical, Network, Computer, Application and Device, with Perimeter Enforcement, Device Security and Security Services.) Don't miss the "Depth": layers within the layers.
  • 5. Security Objective - Decompose the Elements, Then Secure! (Diagram of the zone and level model.) Enterprise Security Zone: Level 5 Enterprise Network; Level 4 Site Business Planning and Logistics Network (E-Mail, Intranet, etc.). DMZ, with a Firewall on each side: Terminal Services Gateway, Patch Management, AV Server, Application Mirror, Web Services Operations, Application Server; Web, E-Mail and CIP traffic. Industrial Security Zone: Level 3 Site Operations and Control (FactoryTalk Application Server, FactoryTalk Directory, Engineering Workstation, Remote Access Server). Cell/Area Zone: Level 2 Area Supervisory Control (FactoryTalk Client, Operator Interface, Engineering Workstation); Level 1 Basic Control (Batch Control, Discrete Control, Drive Control, Continuous Process Control, Safety Control); Level 0 Process (Sensors, Drives, Actuators, Robots).
  • 6. End Node & Infrastructure Security. End nodes: Legacy PLCs, Process Automation Controller (PAC), I/O Subsystems, Servers. Infrastructure: Switches, Routers, Firewall. Outside the Infrastructure box is an end node.
  • 7. Infrastructure Decomposition. (Diagram: Manufacturing Security Zone with Production Control, Workstation, Operator Interface and Optimizing Control; DMZ with Remote Desktop Gateway, Domain Controller and Firewall; Site Business Network, Router, Enterprise Network and Enterprise Security Zone with Email, Intranet, shared drives, etc.; web, Email and TCP/IP traffic; Firewall Rules and Access Control Lists (ACLs).) • The only way to secure the infrastructure is to determine the dataflow. • Dataflow diagrams require knowledge of source, destination and protocols. • Knowledge of source, destination and protocols enables creation of Firewall rules and ACLs.
  • 8. End Node Security. End nodes: Legacy PLCs, Process Automation Controller (PAC), I/O Subsystems, Servers. Infrastructure: Switches, Routers, Firewall. Outside the Infrastructure box is an end node.
  • 9. Legacy PLC System Architecture Components. (Diagram: PLC with Code Execution Engine, Data Communication, I/O and Non-I/O; Proprietary I/O Protocol to Remote Inputs / Outputs.)
  • 10. Legacy PLC System Architecture Components Prior to Ethernet Adoption. (Diagram: Proprietary I/O Protocol; Protocol Converter; Proprietary Data Bus Protocol; PLC Data and Programming; THREATS.)
  • 11. Legacy PLC System Architecture Components w/ Limited Ethernet Adoption. (Diagram: Proprietary I/O Protocol; PLC Data and Programming; Ethernet to Historians, Remote Access and Trending; THREATS at both entry points.)
  • 12. Where are the holes in the Castle Walls? (Assessments / Vulnerabilities). (Diagram: Proprietary I/O Protocol, Ethernet, PLC Code Execution Engine, Data Communication, I/O, Non-I/O; Entry for External Threats.) Typical PLC Communication Entry Tools: • Programming Software • Human Machine Interface (HMI) / SCADA Software Packages • Firmware Flash Tools • Data "Getters & Setters" Tools (OPC -> PCCC / CIP / Modbus etc.)
  • 13. Expanded Threat Model On Newer Process Automation Control Systems. (Diagram: Ethernet I/O, Ethernet, PLC Code Execution Engine, Data Communication, I/O, Non-I/O; Entry for External Threats.) Typical PLC Communication Entry Tools: • Programming Software • Human Machine Interface (HMI) / SCADA Software Packages • Firmware Flash Tools • Data "Getters & Setters" Tools (OPC -> PCCC / CIP / Modbus etc.) supporting Historians and Reporting functions • *** NEW *** Asset & Inventory Mapping Tools (NMAP, etc.) • *** NEW *** Vulnerability scanners • *** NEW *** Penetration Testing (Metasploit)
  • 14. Computers = Applications + Operating Systems. • Automation Application Security is mostly provided by the vendor(s) and often leverages O.S. authentication. • Operating Systems are NOT provided by automation vendors and are the biggest target of malware, viruses, etc. • COTS productivity software (Adobe, Word, Excel, etc.) presents a large target too.
  • 15. Rockwell Automation Product Security Solution Boundaries. • Provide Automation Software Security, often leveraging O.S. authentication. • Provide switching and routing infrastructure security (Stratix Switches). • Provide "In Rack" secured communications capabilities (Secured Communications Module).
  • 16. Operating System Security Boundaries. • An Operating System is a collection of software that manages computer hardware resources. • Provides security permissions for objects, files and folders. • Foundation for application security. • Often not managed for security within the Manufacturing Zones. (Diagram: Switch, Secured Communications Module.)
  • 17. Agenda: Operating System Security; Firewall; Switch Access Control Lists (ACLs); Defense In Depth.
  • 18. ACL Flow Diagram. (Diagram only.)
  • 19. Anatomy of a Standard ACL. • Let's use the following ACL as an example: permit traffic with a source address that resides on the 172.24.101.x network. • Access-list 10 permit 172.24.101.0 0.0.0.255 • The first part of the ACL begins with a numbered access-list command (Access-list 10). • Standard ACLs must be numbered 1-99. • Subsequent rules that are added using the same number (Access-list 10) are appended to the bottom of the list. • As the switch or router checks the traffic against the list of rules, the first rule that matches is used. • Always remember that at the end of every ACL there is an implicit deny all rule.
  • 20. Anatomy of a Standard ACL cont. • The next part of an ACL rule states whether the traffic will be permitted or denied if there is a match: Access-list 10 permit 172.24.101.0 0.0.0.255 • In this example any traffic that matches this rule is permitted to continue through the interface. • The two options for this command are Permit or Deny.
  • 21. Anatomy of a Standard ACL cont. • This part of the ACL rule specifies the source network or host of the traffic against which the rule will be applied: Access-list 10 permit 172.24.101.0 0.0.0.255 • This command may specify a specific host, a range of addresses, or all addresses. • To specify a specific host, the host option may be used; for example, access-list 10 permit host 172.24.101.12 • To specify all addresses, the any option may be used; for example, access-list 10 permit any
  • 22. Anatomy of a Standard ACL cont. (Source Address). • To specify a range of addresses, an IP address and a wildcard mask must be used. This is the inverse of a subnet mask. • To match traffic from the 172.24.101.x network, the wildcard mask 0.0.0.255 must be used. • To match traffic from the 172.24.x.x network, the wildcard mask 0.0.255.255 must be used.
  • 23. Applying an ACL to an Interface. • Commands to add an access list to inbound traffic on an interface: Router(config)#int fa1/1 then Router(config-if)#ip access-group 110 in • Commands to add an access list to outbound traffic on an interface: Router(config)#int fa1/1 then Router(config-if)#ip access-group 110 out • *Stratix switches do not give the option to apply an ACL to outbound traffic*
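The standard-ACL behaviour described on slides 19 through 23 (numbered 1-99, first match wins, host/any/wildcard-mask sources, implicit deny at the end), as an added Python simulator; this is example code written for this page, not Rockwell or Cisco IOS code, and the ACL text and addresses it uses are constructed. It also shows why rule order matters: a deny for one host placed after the permit for its network never fires.

```python
"""Standard-ACL simulator for slides 19-23 (added example; not Rockwell/Cisco code).
Rules with one list number are checked top to bottom and the first match wins;
the source is compared to a base address under a wildcard mask (0 bit = must
match, 1 bit = don't care), the inverse of a subnet mask; 'host A' means
wildcard 0.0.0.0 and 'any' means 0.0.0.0 255.255.255.255; anything that matches
no rule hits the implicit deny. The ACL text and addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str     # "permit" or "deny"
    network: int    # base address as a 32-bit integer
    wildcard: int   # wildcard mask as a 32-bit integer (1 bits are "don't care")

    def matches(self, src: str) -> bool:
        care = ~self.wildcard & 0xFFFFFFFF          # bits that must be equal
        return (int(ipaddress.IPv4Address(src)) & care) == (self.network & care)

def parse_rule(line: str) -> Optional[Rule]:
    """Parse 'access-list N permit|deny <source>'; None for blank/other lines."""
    parts = line.split()
    if len(parts) < 4 or parts[0].lower() != "access-list":
        return None
    number = int(parts[1])
    if not 1 <= number <= 99:
        raise ValueError(f"standard ACLs must be numbered 1-99, got {number}")
    action = parts[2].lower()
    if action not in ("permit", "deny"):
        raise ValueError(f"action must be permit or deny: {line!r}")
    source = parts[3:]
    if source == ["any"]:
        base, wild = "0.0.0.0", "255.255.255.255"
    elif source[0].lower() == "host":
        base, wild = source[1], "0.0.0.0"
    else:
        base, wild = source[0], source[1]
    return Rule(action, int(ipaddress.IPv4Address(base)), int(ipaddress.IPv4Address(wild)))

def evaluate(acl_text: str, src: str) -> str:
    """Return 'permit' or 'deny' for a packet whose source address is src."""
    for line in acl_text.splitlines():
        rule = parse_rule(line.strip())
        if rule is not None and rule.matches(src):
            return rule.action          # first matching rule decides
    return "deny"                       # implicit deny all at the end of every ACL

def wildcard_for_prefix(prefix: str) -> str:
    """Wildcard mask for a CIDR prefix: the bitwise inverse of its subnet mask."""
    return str(ipaddress.IPv4Network(prefix, strict=False).hostmask)

# Constructed sample list: block one engineering host, allow the rest of its /24.
SAMPLE_ACL = """
access-list 10 deny host 172.24.101.12
access-list 10 permit 172.24.101.0 0.0.0.255
"""
# evaluate(SAMPLE_ACL, "172.24.101.12") -> "deny"; evaluate(SAMPLE_ACL, "172.24.101.50") -> "permit"
```

Swapping the two lines of SAMPLE_ACL makes the host permitted, because the network rule matches first and the deny is never reached.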
  • 24. Agenda: Operating System Security; Firewall; Switch Access Control Lists (ACLs); Defense In Depth.
  • 25. Network Security Framework: Unified Threat Management (UTM). (Diagram: Enterprise Zone, Levels 4 & 5 – Data Center, Enterprise-wide Business Systems; Level 3.5 – IDMZ; Industrial Zone, Level 3 – Site Operations, Physical or Virtualized Servers: • FactoryTalk Application Servers & Services Platform • Network Services, e.g. DNS, AD, DHCP, AAA • Remote Access Server (RAS) • Call Manager • Storage Array; Levels 0-2 Cell/Area Zones; Plant-wide / Site-wide Operation Systems; UTM; Switch; Site-to-Site Connection to Remote Site #1; Local Cell/Area Zone #1; Local OEM Skid / Machine #1.) Questions raised on the diagram: Who owns the key to this protection? Are further controls needed for your SLA? Is this level of protection enough?
  • 26. Network Security Framework: Unified Threat Management (UTM). Modern Firewalls (UTMs) provide a range of security services. Firewall with Application Layer Security: • Multi-layer packet and traffic analysis • Advanced application and protocol inspection services • Network application controls. Access Control and Authentication: • Flexible user and network based access control services • Stateful packet inspection • Integration with popular authentication sources including Microsoft Active Directory, LDAP, Kerberos, and RSA SecurID. IPS and Anti-X Defenses: • Real-time protection from application and OS level attacks • Network-based worm and virus mitigation • Spyware, adware, malware detection and control • On-box event correlation and proactive response. Intelligent Networking Services: • Low latency • Diverse topologies • Multicast support • Services virtualization • Network segmentation & partitioning • Routing, resiliency, load-balancing. SSL and IPSec Connectivity: • Threat protected SSL and IPSec VPN services • Zero-touch, automatically updateable IPSec remote access • Flexible clientless and full tunneling client SSL VPN services • QoS/routing-enabled site-to-site VPN.
  • 27. Network Security Framework: Unified Threat Management (UTM) – Stratix 5900. • The Stratix 5900 UTM security appliance is a ruggedized all-inclusive UTM with features such as firewall, secure routing, VPN (virtual private network), intrusion prevention, NAT (network address translation) and content filtering. • Site-to-Site Connection: tunnels the Industrial Zone trusted network to a remote site over an untrusted network using a site-to-site VPN connection. • Cell/Area Zone Firewall: protects a Cell/Area Zone from the greater Industrial Zone. • Physical features: RJ-45 Gigabit WAN; 4 – 10/100Base-Tx LAN ports; Shock / Vibration & Extended Temperature; DIN rail mount. • Network features: ACL / Firewall; DHCP; QoS; VLAN; NAT. Stratix 5900™ Security Appliance.
  • 28. Network Security Framework: Unified Threat Management (UTM). (Diagram: the same Enterprise Zone / IDMZ / Industrial Zone / Cell/Area Zone layout as slide 25, with a Stratix 5900 UTM placed at each of three points: 1) Site-to-Site Connection to Remote Site #1; 2) Cell/Area Zone Firewall in front of Local Cell/Area Zone #1; 3) OEM Integration in front of Local OEM Skid / Machine #1.)
  • 29. Network Security Framework: Stratix 5900 (Distributed System). • Allows the system to be securely distributed between a Central Site and smaller sites. • Applications: Water / Waste Water; Pipelines; Oil and Gas. (Diagram: Central Site with Central Site Controller, ASA 5500-X, Catalyst 3750-X, Stratix 5700, Catalyst 2960, HMI Server, Engineering Workstation and a Stratix 5900 pair with Failover; Enterprise DMZ with ASA 5515-X; Industrial Zone and Industrial WAN across an Untrusted Network to Distributed Site #1, #2 and #3, each behind a Stratix 5900.)
  • 30. Network Security Framework: Stratix 5900 (Cell Firewall). • The Stratix 5900 firewall restricts / filters traffic to and from the Cell/Area Zones. • Supports: NAT; Transparent Firewalls; Routing; Netflow; Syslog. (Diagram: Line Controller, Catalyst 3750-X, Stratix 5700, HMI Server, Catalyst 2960; Machine #1 and Machine #2 each behind a Stratix 5900.)
  • 31. Agenda: Operating System Security; Firewall; Switch Access Control Lists (ACLs); Defense In Depth.
  • 32. Rockwell Automation Knowledgebase. • Knowledgebase ID 30498 - Windows Firewall Configuration Utility for Windows XP Service Pack 2 (TechConnect Level). • Knowledgebase ID 45891 – How to use the Windows Firewall Configuration Utility to configure the Public network on Windows 7.
  • 33. Rockwell Software Windows Firewall Configuration Utility. (Screenshot only.)
  • 34. Windows Firewall. (Screenshot only.)
  • 35. Order of Windows Firewall Security Rule Evaluation. (Diagram only.)
  • 36. Demonstration. • Blocking Ping (ICMP). • Blocking other traffic (like Remote Desktop, Ping, etc.) from IP Address Ranges.
  • 37. Software Restriction Policies (SRP). • Software Restriction Policies (SRP) is a Group Policy-based feature that identifies software programs running on computers in a domain, and controls the ability of those programs to run. Software restriction policies are part of the Microsoft security and management strategy to assist enterprises in increasing the reliability, integrity, and manageability of their computers. • You can also use software restriction policies to create a highly restricted configuration for computers, in which you allow only specifically identified applications to run. • Software restriction policies are integrated with Microsoft Active Directory and Group Policy. • You can define these policies through the Software Restriction Policies extension of the Local Group Policy Editor or the Local Security Policies snap-in to the Microsoft Management Console (MMC).
  • 38. MMC.EXE – used to set permissions per user. (Screenshot only.)
  • 39. GPEDIT.MSC – used to globally edit SRPs. (Screenshot only.)
  • 40. Registry Setting to Disable USB: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor, Start value = 4 to disable.
  • 41. Demonstration - SRP. • Disable USB – globally (for the whole machine). • Disable USB – per user. • Disable software running in unwanted locations.
  • 42. We care what you think! Please take a couple of minutes to complete a quick session survey to tell us how we're doing. On the mobile app: 1. Locate the session using Schedule or Agenda Builder. 2. Click on the thumbs up icon in the lower right corner of the session detail. 3. Complete the survey. 4. Click the Submit Form button. Thank you!!
  • 43. www.rsteched.com – Follow RSTechED on Facebook & Twitter. Connect with us on LinkedIn. Questions?