Practical Security Solutions for Industrial Control Systems (ICS)

Explore how to reduce risk and enhance protection of your ICS infrastructure by utilizing non-Integrated Architecture components such as switch ACL's, firewall configurations, and Windows Operating System hardening techniques. A prior understanding of general Ethernet concepts, or attendance of NW01 is recommended.

  1. Practical Security Solutions for Industrial Control Systems (ICS)
     Copyright © 2014 Rockwell Automation, Inc. All Rights Reserved. PUBLIC INFORMATION
     Jason J. Dely, CISSP, CISM, Principal Security Consultant, Network & Security Services, jdely@ra.rockwell.com
  2. Course Description
     Explore how to reduce risk and enhance protection of your ICS infrastructure by utilizing non-Integrated Architecture components such as switch ACLs, firewall configurations, and Windows Operating System hardening techniques. A prior understanding of general Ethernet concepts, or attendance of the Fundamentals of EtherNet/IP session, is recommended.
  3. Agenda
     • Operating System Security
     • Firewall
     • Switch Access Control Lists (ACLs)
     • Defense In Depth
  4. Defense In Depth
     • Layered Security Model: shield potential targets behind multiple levels of protection to reduce security risks
     • Defense in Depth: use multiple security countermeasures to protect the integrity of components or systems
     • Openness: consideration for participation of a variety of vendors in our security solutions
     • Flexibility: able to accommodate a customer's needs, including policies & procedures
     • Consistency: solutions that align with Government directives and Standards Bodies
     A secure application depends on multiple layers of protection. Industrial security must be implemented as a system.
     Layers shown in the figure: Physical, Network, Computer, Device and Application, with Perimeter Enforcement, Device Security and Security Services spanning them. Don't miss the "Depth": layers within the layers.
  5. Security Objective: Decompose the Elements, Then Secure!
     Figure: the plant architecture by level and security zone.
     • Enterprise Security Zone, Levels 4 and 5: Enterprise Network; Site Business Planning and Logistics Network (E-Mail, Intranet, etc.)
     • DMZ, between two firewalls: Terminal Services Gateway, Patch Management, AV Server, Application Mirror, Web Services Operations, Application Server
     • Industrial Security Zone, Level 3 Site Operations and Control: FactoryTalk Application Server, FactoryTalk Directory, Engineering Workstation, Remote Access Server
     • Cell/Area Zone, Level 2 Area Supervisory Control: FactoryTalk Client, Operator Interface, Engineering Workstation
     • Cell/Area Zone, Level 1 Basic Control: Batch Control, Discrete Control, Drive Control, Continuous Process Control, Safety Control
     • Cell/Area Zone, Level 0 Process: Sensors, Drives, Actuators, Robots
     Protocol labels on the figure: Web, E-Mail, CIP.
  6. End Node & Infrastructure Security
     • Infrastructure: Switches, Routers, Firewall
     • End nodes (everything outside the Infrastructure box): Legacy PLCs, Process Automation Controller (PAC), I/O Subsystems, Servers
  7. Infrastructure Decomposition
     Figure: Enterprise Security Zone (Enterprise Network, Site Business Network; Email, Intranet, shared drives, etc.), Router, Firewall, DMZ (Remote Desktop Gateway, Domain Controller), Manufacturing Security Zone (Production Control Workstation, Operator Interface, Optimizing Control). The web and Email flows over TCP/IP are governed by Firewall Rules and Access Control Lists (ACLs).
     • The only way to secure the infrastructure is to determine the dataflow
     • Dataflow diagrams require knowledge of source, destination and protocols
     • Knowledge of source, destination and protocols enables creation of firewall rules and ACLs
  8. End Node Security
     • Infrastructure: Switches, Routers, Firewall
     • End nodes (everything outside the Infrastructure box): Legacy PLCs, Process Automation Controller (PAC), I/O Subsystems, Servers
  9. Legacy PLC System Architecture Components
     • Proprietary I/O Protocol to Remote Inputs / Outputs
     • PLC Code Execution Engine
     • Data Communication: I/O and Non-I/O
  10. Legacy PLC System Architecture Components Prior to Ethernet Adoption
     • Proprietary I/O Protocol
     • Protocol Converter and Proprietary Data Bus Protocol
     • PLC Data and Programming (marked THREATS on the figure)
  11. Legacy PLC System Architecture Components w/ Limited Ethernet Adoption
     • Proprietary I/O Protocol
     • PLC Data and Programming
     • Ethernet: Historians, Remote Access, Trending (marked THREATS on the figure)
  12. Where are the holes in the Castle Walls? (Assessments / Vulnerabilities)
     Figure: Proprietary I/O Protocol, Ethernet, PLC Code Execution Engine, Data Communication (I/O, Non-I/O); Ethernet is the entry for external threats.
     Typical PLC communication entry tools:
     • Programming Software
     • Human Machine Interface (HMI) / SCADA Software Packages
     • Firmware Flash Tools
     • Data "Getters & Setters" Tools (OPC -> PCCC / CIP / Modbus etc.)
  13. Expanded Threat Model On Newer Process Automation Control Systems
     Figure: Ethernet I/O replaces the proprietary I/O protocol; Ethernet, PLC Code Execution Engine, Data Communication (I/O, Non-I/O); Ethernet is the entry for external threats.
     Typical PLC communication entry tools:
     • Programming Software
     • Human Machine Interface (HMI) / SCADA Software Packages
     • Firmware Flash Tools
     • Data "Getters & Setters" Tools (OPC -> PCCC / CIP / Modbus etc.) supporting Historians and Reporting functions
     • *** NEW *** Asset & Inventory Mapping Tools (NMAP, etc.)
     • *** NEW *** Vulnerability scanners
     • *** NEW *** Penetration Testing (Metasploit)
  14. Computers = Applications + Operating Systems
     • Automation application security is mostly provided by the vendor(s) and often leverages O.S. authentication
     • Operating Systems are NOT provided by automation vendors and are the biggest target of malware, viruses, etc.
     • COTS productivity software (Adobe, Word, Excel, etc.) presents a large target too
  15. Rockwell Automation Product Security Solution Boundaries
     • Provide automation software security, often leveraging O.S. authentication
     • Provide switching and routing infrastructure security (Stratix Switches)
     • Provide "In Rack" secured communications capabilities (Secured Communications Module)
  16. Operating System Security Boundaries
     • An Operating System is a collection of software that manages computer hardware resources
     • Provides security permissions for objects, files and folders
     • Foundation for application security
     • Often not managed for security within the Manufacturing Zones
  17. Agenda
     • Operating System Security
     • Firewall
     • Switch Access Control Lists (ACLs)
     • Defense In Depth
  18. ACL Flow Diagram (figure only)
  19. Anatomy of a Standard ACL
     • Let's use the following ACL as an example. Permit traffic with a source address that resides on the 172.24.101.x network:
       access-list 10 permit 172.24.101.0 0.0.0.255
     • The first part of the ACL begins with a numbered access-list command: access-list 10
     • Standard ACLs must be numbered 1-99.
     • Subsequent rules that are added using the same number (access-list 10) are appended to the bottom of the list.
     • As the switch or router checks the traffic against the list of rules, the first rule that matches is used.
     • Always remember that at the end of every ACL there is an implicit deny all rule.
  20. Anatomy of a Standard ACL cont.
     • The next part of an ACL rule states whether the traffic will be permitted or denied if there is a match: access-list 10 permit
     • In this example any traffic that matches this rule is permitted to continue through the interface.
     • The two options for this field are permit or deny.
  21. Anatomy of a Standard ACL cont.
     • This part of the ACL rule specifies the source network or host that the rule is applied against: 172.24.101.0 0.0.0.255
     • It may specify a single host, a range of addresses, or all addresses.
     • To specify a single host, use the host option, for example: access-list 10 permit host 172.24.101.12
     • To specify all addresses, use the any option, for example: access-list 10 permit any
  22. Anatomy of a Standard ACL cont. (Source Address)
     • To specify a range of addresses, an IP address and a wildcard mask must be used. The wildcard mask is the inverse of a subnet mask.
     • To match traffic from the 172.24.101.x network, use the wildcard mask 0.0.0.255.
     • To match traffic from the 172.24.x.x network, use the wildcard mask 0.0.255.255.
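The following Python script is an added worked example for slides 19 to 22; it is not part of the Rockwell deck and not Cisco software. It parses standard ACL lines in the slide's syntax (network plus wildcard mask, host, any), rejects list numbers outside 1-99, evaluates a source address top-down with first-match semantics and the implicit deny at the end of the list, and derives a wildcard mask as the bitwise inverse of a subnet mask. The configuration lines in SAMPLE_CONFIG are constructed for the example, and the function names are my own.

```python
"""Standard ACL evaluation in the style of slides 19-22.

Added example for this page; not Rockwell or Cisco code. It models how a
switch or router applies a numbered standard ACL: rules with the same list
number are appended in the order entered, the first matching rule decides,
and an implicit 'deny any' closes every list.
"""
import ipaddress
import re
from dataclasses import dataclass

# Rule syntax accepted (mirrors the slide's lines):
#   access-list <1-99> permit|deny <network> <wildcard>
#   access-list <1-99> permit|deny host <address>
#   access-list <1-99> permit|deny any
_RULE_RE = re.compile(
    r"^\s*access-list\s+(\d+)\s+(permit|deny)\s+"
    r"(?:(any)|host\s+(\S+)|(\S+)\s+(\S+))\s*$",
    re.IGNORECASE,
)

ALL_ONES = 0xFFFFFFFF


@dataclass(frozen=True)
class Rule:
    list_id: int
    action: str    # "permit" or "deny"
    network: int   # source network or host address as a 32-bit integer
    wildcard: int  # wildcard mask; a 1 bit means "don't care" for that bit

    def matches(self, src: ipaddress.IPv4Address) -> bool:
        # Only the bits that are 0 in the wildcard mask have to be equal.
        care = ~self.wildcard & ALL_ONES
        return (int(src) & care) == (self.network & care)


def parse_rule(line: str) -> Rule:
    """Parse one access-list line; raises ValueError on bad syntax or number."""
    m = _RULE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised standard ACL line: {line!r}")
    num, action, any_kw, host, net, wc = m.groups()
    list_id = int(num)
    if not 1 <= list_id <= 99:
        raise ValueError(f"standard ACLs must be numbered 1-99, got {list_id}")
    if any_kw:
        network, wildcard = 0, ALL_ONES                          # match everything
    elif host:
        network, wildcard = int(ipaddress.IPv4Address(host)), 0  # exact host
    else:
        network = int(ipaddress.IPv4Address(net))
        wildcard = int(ipaddress.IPv4Address(wc))
    return Rule(list_id, action.lower(), network, wildcard)


def parse_acl(config_lines, list_id):
    """Collect the rules for one list number in the order they were entered:
    later lines with the same number are appended to the bottom."""
    return [r for r in map(parse_rule, config_lines) if r.list_id == list_id]


def evaluate(acl, src):
    """Return 'permit' or 'deny' for a packet whose source address is src."""
    src = ipaddress.IPv4Address(src)
    for rule in acl:           # top-down: the first matching rule decides
        if rule.matches(src):
            return rule.action
    return "deny"              # implicit deny all at the end of every ACL


def wildcard_from_prefix(prefix_len):
    """Wildcard mask = bitwise inverse of the subnet mask, e.g. /24 -> 0.0.0.255."""
    netmask = ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask
    return str(ipaddress.IPv4Address(int(netmask) ^ ALL_ONES))


# Constructed sample configuration (not from the slides): one host on the
# 172.24.101.x network is denied ahead of the network-wide permit. Because
# the first match wins, this only works if the deny line is entered first.
SAMPLE_CONFIG = [
    "access-list 10 deny   host 172.24.101.12",
    "access-list 10 permit 172.24.101.0 0.0.0.255",
    "access-list 20 permit any",
]

if __name__ == "__main__":
    acl10 = parse_acl(SAMPLE_CONFIG, 10)
    for src in ("172.24.101.12", "172.24.101.7", "172.24.102.7"):
        print(f"acl 10 {src}: {evaluate(acl10, src)}")
    print("/16 wildcard:", wildcard_from_prefix(16))
```

Swapping the two access-list 10 lines in SAMPLE_CONFIG shows the ordering point from slide 19: the network-wide permit would then match 172.24.101.12 first and the host deny would never be reached, which is the kind of mistake a review of the running configuration should catch before an ACL is applied to an interface.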
  23. Applying an ACL to an Interface
     • Commands to apply an access list to inbound traffic on an interface:
       Router(config)# int fa1/1
       Router(config-if)# ip access-group 110 in
     • Commands to apply an access list to outbound traffic on an interface:
       Router(config)# int fa1/1
       Router(config-if)# ip access-group 110 out
     • Stratix switches do not give the option to apply an ACL to outbound traffic.
  24. Agenda
     • Operating System Security
     • Firewall
     • Switch Access Control Lists (ACLs)
     • Defense In Depth
  25. Network Security Framework: Unified Threat Management (UTM)
     Figure: the plant-wide / site-wide architecture with UTM placement.
     • Enterprise Zone, Levels 4 & 5 (Data Center): Enterprise-wide Business Systems
     • Level 3.5: IDMZ
     • Industrial Zone, Level 3 (Site Operations), physical or virtualized servers: FactoryTalk Application Servers & Services Platform; Network Services, e.g. DNS, AD, DHCP, AAA; Remote Access Server (RAS); Call Manager; Storage Array
     • Levels 0-2, Cell/Area Zones: Local Cell/Area Zone #1, Local OEM Skid / Machine #1, and Remote Site #1 reached over a Site-to-Site Connection
     Questions raised on the figure: Who owns the key to this protection? Are further controls needed for your SLA? Is this level of protection enough?
  26. Network Security Framework: Unified Threat Management (UTM)
     Modern firewalls (UTMs) provide a range of security services:
     • Firewall with Application Layer Security: multi-layer packet and traffic analysis; advanced application and protocol inspection services; network application controls
     • Access Control and Authentication: flexible user and network based access control services; stateful packet inspection; integration with popular authentication sources including Microsoft Active Directory, LDAP, Kerberos, and RSA SecurID
     • IPS and Anti-X Defenses: real-time protection from application and OS level attacks; network-based worm and virus mitigation; spyware, adware, malware detection and control; on-box event correlation and proactive response
     • Intelligent Networking Services: low latency; diverse topologies; multicast support; services virtualization; network segmentation & partitioning; routing, resiliency, load-balancing
     • SSL and IPSec Connectivity: threat protected SSL and IPSec VPN services; zero-touch, automatically updateable IPSec remote access; flexible clientless and full tunneling client SSL VPN services; QoS/routing-enabled site-to-site VPN
  27. Network Security Framework: Unified Threat Management (UTM), Stratix 5900
     • The Stratix 5900 UTM security appliance is a ruggedized all-inclusive UTM with features such as firewall, secure routing, VPN (virtual private network), intrusion prevention, NAT (network address translation) and content filtering.
     • Site-to-Site Connection: tunnels the Industrial Zone trusted network to a remote site over an untrusted network using a site-to-site VPN connection.
     • Cell/Area Zone Firewall: protects a Cell/Area Zone from the greater Industrial Zone.
     • Physical features: RJ-45 Gigabit WAN; 4 x 10/100Base-Tx LAN ports; shock/vibration and extended temperature rating; DIN rail mount
     • Network features: ACL / Firewall; DHCP; QoS; VLAN; NAT
     (Stratix 5900™ Security Appliance)
  28. Network Security Framework: Unified Threat Management (UTM)
     Figure: the architecture of slide 25 with Stratix 5900 UTMs placed for 1) Site-to-Site Connection, 2) Cell/Area Zone Firewall and 3) OEM Integration.
  29. Network Security Framework: Stratix 5900 (Distributed System)
     • Allows the system to be securely distributed between a Central Site and smaller sites.
     • Applications: Water / Waste Water; Pipelines; Oil and Gas
     Figure elements: Central Site (Industrial Zone with Controller, HMI Server, Engineering Workstation, Catalyst 3750-X, Stratix 5700, Catalyst 2960, Stratix 5900; Enterprise DMZ with ASA 5500-X / ASA 5515-X and Failover; Industrial WAN); Untrusted Network; Distributed Sites #1, #2 and #3, each with a Stratix 5900.
  30. Network Security Framework: Stratix 5900 (Cell Firewall)
     • The Stratix 5900 firewall restricts/filters traffic to and from the Cell/Area Zones
     • Supports: NAT; Transparent Firewalls; Routing; NetFlow; Syslog
     Figure elements: Line Controller, HMI Server, Catalyst 3750-X, Stratix 5700, Catalyst 2960; Machine #1 and Machine #2, each behind a Stratix 5900.
  31. Agenda
     • Operating System Security
     • Firewall
     • Switch Access Control Lists (ACLs)
     • Defense In Depth
  32. Rockwell Automation Knowledgebase
     • Knowledgebase ID 30498: Windows Firewall Configuration Utility for Windows XP Service Pack 2 (TechConnect Level)
     • Knowledgebase ID 45891: How to use the Windows Firewall Configuration Utility to configure the Public network on Windows 7
  33. Rockwell Software Windows Firewall Configuration Utility (figure only)
  34. Windows Firewall (figure only)
  35. Order of Windows Firewall Security Rule Evaluation (figure only)
  36. Demonstration
     • Blocking Ping (ICMP)
     • Blocking other traffic (like Remote Desktop, Ping, etc.) from IP address ranges
  37. Software Restriction Policies (SRP)
     • Software Restriction Policies (SRP) is a Group Policy-based feature that identifies software programs running on computers in a domain and controls the ability of those programs to run. Software restriction policies are part of the Microsoft security and management strategy to assist enterprises in increasing the reliability, integrity, and manageability of their computers.
     • You can also use software restriction policies to create a highly restricted configuration for computers, in which you allow only specifically identified applications to run.
     • Software restriction policies are integrated with Microsoft Active Directory and Group Policy.
     • You can define these policies through the Software Restriction Policies extension of the Local Group Policy Editor or the Local Security Policies snap-in to the Microsoft Management Console (MMC).
  38. MMC.EXE: used to set permissions per user
  39. GPEDIT.MSC: used to globally edit SRPs
  40. Registry Setting to Disable USB
     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor
     Start value = 4 to disable
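As an added example for slide 40 (not part of the Rockwell deck or any Rockwell tool), the script below audits the UsbStor Start value from exported registry data rather than from a live machine. It parses the text format that regedit and the reg export command write (the "Windows Registry Editor Version 5.00" .reg format), looks up the key named on the slide, and reports whether USB mass storage is disabled (Start = 4). The export text in SAMPLE_REG_EXPORT is constructed for the example, and the function names are my own.

```python
"""Audit a registry export for the UsbStor 'Start' value from slide 40.

Added example for this page, not Rockwell software. It parses the .reg text
format ('Windows Registry Editor Version 5.00') and reports whether USB mass
storage is disabled (Start = 4), so exports collected from many workstations
can be checked offline.
"""
import re

USBSTOR_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor"
DISABLED = 4  # the slide's setting: Start value 4 disables the driver

# Windows service start types; 3 (manual) is the usual default for UsbStor.
START_TYPES = {0: "boot", 1: "system", 2: "automatic", 3: "manual", 4: "disabled"}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

# Constructed sample export (not from the slides) for a workstation that
# still has USB mass storage enabled.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor]
"Type"=dword:00000001
"Start"=dword:00000003
"ErrorControl"=dword:00000001
"DisplayName"="USB Mass Storage Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor\Enum]
"Count"=dword:00000000
"""


def parse_reg_export(text):
    """Return {key_path_lower: {value_name_lower: int}} for DWORD values.

    Only DWORDs are decoded because that is all this audit needs; string,
    binary and multi-line values are skipped. Key and value names are
    lower-cased because the registry treats them case-insensitively.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key = _KEY_RE.match(line)
        if key:
            current = key.group(1).lower()
            keys.setdefault(current, {})
            continue
        dword = _DWORD_RE.match(line)
        if dword and current is not None:
            keys[current][dword.group(1).lower()] = int(dword.group(2), 16)
    return keys


def usbstor_start(text):
    """The UsbStor Start value in the export, or None if it is absent."""
    return parse_reg_export(text).get(USBSTOR_KEY.lower(), {}).get("start")


def audit_usbstor(text):
    """One-line finding for the export: compliant, non-compliant or not found."""
    start = usbstor_start(text)
    if start is None:
        return "not found: UsbStor Start value is missing from the export"
    state = START_TYPES.get(start, "unknown")
    if start == DISABLED:
        return f"compliant: UsbStor Start={start} ({state})"
    return (f"non-compliant: UsbStor Start={start} ({state}); "
            f"expected {DISABLED} (disabled)")


if __name__ == "__main__":
    print(audit_usbstor(SAMPLE_REG_EXPORT))
```

Files written by regedit are UTF-16 with a byte-order mark, so read them with encoding="utf-16" before passing the text to audit_usbstor. The check is deliberately narrow: it only tells you whether the setting from the slide is in place, and the slide's own caveat applies, since Start = 4 disables USB mass storage for the whole machine rather than per user.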
  41. Demonstration - SRP
     • Disable USB, grossly
     • Disable USB, per user
     • Disable software running in unwanted locations
  42. We care what you think!
     Please take a couple of minutes to complete a quick session survey to tell us how we're doing. On the mobile app:
     1. Locate the session using Schedule or Agenda Builder
     2. Click on the thumbs up icon in the lower right corner of the session detail
     3. Complete the survey
     4. Click the Submit Form button
     Thank you!!
  43. Questions?
     www.rsteched.com
     Follow RSTechED on Facebook & Twitter. Connect with us on LinkedIn.
     PUBLIC INFORMATION