Presentation by Derek Manky, Real-Time Threat Protection in a ...


Speaker notes:
  • 1998 to 2009: a 10-year evolution of threats, from 1st-generation SCADA to 3rd-generation SCADA. Many incidents involve insider threats (authorization).
  • Consolidation in the network security space is being driven by three primary items. First is a dynamic threat landscape: through consolidation we will see how evolving threats are best protected against by a consolidated network security solution. The second driver is slowing growth of IT budgets: as we will see in a few minutes, consolidation offers a host of financial benefits. And finally, the third driver we see behind consolidation is a company's desire to reduce both the physical footprint of its IT infrastructure and its carbon footprint.
  • What is SCADA? SCADA stands for Supervisory Control And Data Acquisition. It generally refers to an industrial control system: a computer system monitoring and controlling a process. The process can be industrial, infrastructure or facility. The history of SCADA: SCADA systems became popular in the 1960s as the need to monitor and control remote equipment grew. Early SCADA systems used mainframe technology and required human operators to make action decisions and maintain the information systems. Because this increased the human labor cost, early SCADA systems were very expensive to maintain. Today, SCADA is generally much more automated, and consequently more cost-efficient. It started out as panels and meters, lights and strip chart recorders; the operator exercised supervisory control by manually operating various control knobs.
  • At the third generation of SCADA: wide-open deployment and integration, and with them security complexity.
  • WEP IV attack, WPA-PSK dictionary attacks with rainbow tables
  • There are hundreds of security appliance and software solutions in the market. Let us classify them by security tool and threat type. Firewall and VPN were introduced to address external threats. All external-threat software and appliances are now consolidating into the firewall. Authentication, Authorization and Access Control, so-called AAA, is used to exclude unauthorized users. AAA software includes user name & password, PKI, tokens, LDAP, X.500 and others. In addition to AAA, the server domain is protected by the domain firewall. Intrusion Detection Systems check for attacks by unauthorized users. Encryption hides data from unauthorized users. Recent statistics, including the CSI/FBI survey, show 78% of threats are from authorized users. Fortinet Database Security Software is developed to monitor suspicious behavior, policy violations and integrity problems arising from authorized user access to business information residing in a DBMS.
  • Emphasize HA; emphasize VDOM.
    1. Fortinet Confidential. Real-Time Threat Protection in a SCADA Environment. Derek Manky, Cyber Security & Threat Research, FortiGuard. Cyber Security for Energy and Communications, September 29th, 2009.
    2. Presentation Overview
       • FortiGuard services
         • Research
         • SCADA threats
       • Elements of SCADA
         • Compliances
       • Real-time threat protection
         • Mitigation solutions
         • Visibility & monitoring
         • Management
    3. FortiGuard Distribution Network System. Server locations: Vancouver 15 servers, Singapore 2 servers, Beijing 2 servers, Tokyo 4 servers, Ottawa 3 servers, San Francisco 4 servers, New Jersey 6 servers, London 2 servers, Frankfurt 5 servers. 40+ servers in 9 strategic locations balance traffic loads and provide the highest quality of service with redundancy.
       • Up-to-date scanning with signature database
         • Antivirus: hourly
         • IPS
         • True zero-day protection
         • Application control
         • Database
         • Vulnerability management
       • Real-time queries
         • AV query
         • Web filtering
         • Antispam
    4. FortiGuard Intelligence Systems
       • High-capacity intelligence systems
         • Automated signatures
         • Stays in stride with the arms race
         • Consolidated intelligence
       • Frequent daily updates to all devices
       • Immediate hot updates for breaking threats
    5. FortiGuard Research
       • Responsible disclosure
       • Worldwide team
       • 69 zero-days discovered since 2008
         • NVC: 588 critical (March 2008) / 178 exploited
       • Proactive detection
         • MS09-043 Office Web Components: 1 year advanced protection
       • Microsoft MAPP partner
       • Breaking updates
    6. History of SCADA Security Threats
       • 1998: Government penetration tests on US grid hack questioned
         • "Highly decentralized structure of the power plants" [1]
       • 2000: Unknown intruders hijacked an electric company's FTP servers
         • Access through the power company's servers by exploiting a vulnerability in the company's file storage service
         • "The intruders used the hacked FTP site to store and play interactive games that consumed 95 percent of the organization's Internet bandwidth… The compromised bandwidth threatened the (company's) ability to conduct bulk power transactions."
       • 2003: The Slammer worm penetrated a private computer network at Ohio's Davis-Besse nuclear power plant, disabling a safety monitoring system for nearly five hours
       [1] Wired:
    7. History of SCADA Security Threats
       • 2008: Hackers shut off power in multiple regions outside the USA, demand payments
         • CIA official: "All involved intrusions through the Internet" [1]
       • April 7, 2009: NERC releases public warning on Cyber Asset Identification
         • Reports surfaced of China/Russia infiltrating the US electrical grid, malware left behind [1]
       • 2009: DHS official on SCADA intrusions
         • "..They are growing", "There were a lot last year." [2]
       [1] Wired: [2] Wall Street Journal:
    8. Real-Time Threat Protection?
       • Unique solutions for each threat
         • Require multiple security point products
         • Limited to no product interoperability
       • Costly to own, costly to operate
         • High capital and operational expense
         • Disparate management consoles
         • No central threat dashboard
       • Not flexible
         • No deployment flexibility
         • Limited product offering
         • No support for DNPV3
       Need cost-effective, all-in-one security solutions. (Diagram: Users and Servers behind SSL VPN, IPS, Firewall, Antivirus, Antispam, URL Filters, IPSEC VPN, AntiSpyware.)
    9. Consolidated Intelligence: FortiGuard. (Diagram: separate public point solutions, Solution A AntiVirus, Solution B WCF, Solution C IPS, Solution D AntiSpam, compared with the consolidated FortiGuard solution as a fresh web 0-day exploit spreads through hosted variant #1, attached variant #2 and mass mail, stages 1 to 5.)
    10. Elements of a SCADA System
       • A Human-Machine Interface
         • The HMI is the apparatus which presents process data to a human operator; through it, the human operator monitors and controls the process
       • A supervisory system
         • A computer gathering/acquiring data on the process and sending commands (control) to the process
       • Remote Terminal Units
         • RTUs connect to sensors in the process, converting sensor signals to digital data and sending the digital data to the supervisory system
       • Communications infrastructure
         • Connects the supervisory system to the RTUs
    11. Elements of a SCADA System (diagram)
    12. SCADA Application & Function (table: application, function, security technology)
       • HMI: RTU control terminal. Security technology: AV/IPS to secure against threats to the terminal (no AV allowed on HMI terminals)
       • DNP V3: SCADA main to SCADA remote RTU. Security technology: application control for TCP/IP DNP protocol control; IPS for buffer, header and network attacks
       • ICCP: distributed control systems, control systems integration to EMS systems. Security technology: IPS protection from protocol anomalies and systems attacks
       • Wireless: 3G/WiFi connectivity to RTU stations. Security technology: secured AP technology that includes AV, IPS, and application control
       • Database systems: data storage for HMI and RTU systems. Security technology: database security control with schema, table auditing and control
    13. SCADA Compliance and Certifications (table: regulation, industry, compliance requirements, Fortinet solution)
       • HIPAA (healthcare). Requirements: baseline ISO 17799, 27001; FW, AV, IPS, DB controls, visibility, audit; encryption in transport. Fortinet solution: FortiGate (FW, VPN, AV, IPS); FortiManager, FortiAnalyzer, FortiDB, FortiClient
       • NERC CIP (electrical). Requirements: baseline ISO 17799, 27001; FW, AV, IPS; visibility, audit; security perimeter for all cyber assets; network segmentation, authentication. Fortinet solution: FortiGate (FW, VPN, AV, IPS, network segmentation, app. authentication); FortiManager, FortiAnalyzer, FortiDB
       • PCI (retail). Requirements: baseline ISO 17799, 27001; FW, AV, IPS, database controls, visibility, audit, network segmentation, authentication, encryption in transport. Fortinet solution: FortiGate (FW, VPN, AV, IPS, network segmentation, authentication); FortiManager, FortiAnalyzer, FortiDB, FortiClient
       • SOX, Multilateral Instruments 52-109, 52-111 (corporations). Requirements: baseline ISO 17799, 27001; FW, AV, IPS, IM controls, database controls, visibility, audit, network segmentation, authentication. Fortinet solution: FortiGate (FW, VPN, AV, IPS, IM controls, FortiMail, network segmentation, authentication); FortiManager, FortiAnalyzer, FortiDB, FortiClient
    14. Key NERC Requirements
       • Cyber-asset identification
         • Professional services to help identify
         • Built-in scanning tools (Fortinet)
       • Security management controls
         • Role/group based user management
         • FortiGate policy enforcement
       • Personnel & training
         • Professional services/training
         • FortiGuard advisories/analysis/reports & blog (RSS)
       • Electronic security perimeter(s)
         • FortiGate solution with AV/IPS and role based policy enforcement
       • Physical security of critical cyber assets
         • Segmentation of network with FortiGate
         • Role based security policies
       • Systems security management
         • Change management with the FortiManager
       • Incident reporting and response management
         • FortiAnalyzer will fill this role easily
    15. Where are the Threats Coming From?
       • External sources
         • SCADA systems are normally interconnected to other SCADA systems and their own RTUs/MGMT stations via public networks
         • Software as a Service (SaaS)
       • Internal sources
         • Viruses brought into the SCADA network via portable devices
         • Corporate espionage
         • Third party applications
           • File sharing, P2P and social networks
         • HMI terminals do not have, or are not allowed to install, an AV solution
       • Wireless sources
         • SCADA networks often employ WiFi or 3G based wireless connectivity to RTUs
         • Rogue AP set up as original equipment SSID
         • Host of encryption exploits
         • No host based security features on RTUs
    16. How You Can Protect Your SCADA Environment
       • Control application/communication into/out of the network
       • Control application/communication inside the network
         • Includes ICCP and DNPV3
       • Control what/who can interface with SCADA systems
       • Monitor the network for viruses/attacks and be able to react to those events quickly
    17. How Fortinet Can Help
       • External firewall security
         • IPS SCADA signatures available today
           • Modbus, DNP3, etc.
         • IPS anomaly/DDoS mitigation
         • Application control for DNPv3 and ICCP
         • Firewall rules, user access control, endpoint control
       • Internal firewall security
         • IPS, AV, application control
         • User access control, DLP
       • Wireless/3G
         • Rogue AP detection
         • Multiple security methods
           • MAC address, WEP, WPA, WPA2 Enterprise
         • Role based security rules at RTU access point
           • Restrict to RTU and MGMT IPs
         • IPSec VPN from AP to CTU/MGMT station
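    Slide 12 says DNP protocol control relies on IPS checks for buffer and header attacks, and slide 17 lists DNP3 IPS signatures and application control for DNPv3. The block below is an added example, not Fortinet or FortiGuard code, of what such a check does at the DNP3 link layer: it validates the start bytes, the length field against the bytes actually present, the header and data-block CRCs (DNP3 CRC-16, polynomial 0x3D65, result inverted, as specified in the DNP3 standard), the link-layer function code, and, when the transport header carries the first fragment, the application-layer function code against an allow-list. The frames, the allow-list and the `build_frame` helper are constructed for the example; the policy of permitting only READ (0x01) from a given master is a hypothetical one.

    ```python
    """Link-layer sanity checks for DNP3 frames (added example; not Fortinet code)."""
    from typing import Iterable, List, Optional

    DNP3_START = b"\x05\x64"
    MIN_LEN, MAX_LEN = 5, 255            # LENGTH counts ctrl+dest+src+user data, no CRCs
    PRIMARY_FCS = {0, 1, 2, 3, 4, 9}    # link function codes valid when PRM=1
    SECONDARY_FCS = {0, 1, 11, 15}      # link function codes valid when PRM=0


    def dnp3_crc(data: bytes) -> int:
        """DNP3 CRC-16: polynomial 0x3D65 (reflected 0xA6BC), init 0, result inverted."""
        crc = 0
        for b in data:
            crc ^= b
            for _ in range(8):
                crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
        return (~crc) & 0xFFFF


    def build_frame(ctrl: int, dest: int, src: int, user_data: bytes = b"") -> bytes:
        """Assemble a well-formed frame; used only to construct sample traffic here."""
        header = (DNP3_START + bytes([5 + len(user_data), ctrl])
                  + dest.to_bytes(2, "little") + src.to_bytes(2, "little"))
        frame = header + dnp3_crc(header).to_bytes(2, "little")
        for i in range(0, len(user_data), 16):        # 16-byte blocks, 2-byte CRC each
            block = user_data[i:i + 16]
            frame += block + dnp3_crc(block).to_bytes(2, "little")
        return frame


    def check_frame(frame: bytes, allowed_app_fcs: Optional[Iterable[int]] = None) -> List[str]:
        """Return the anomalies found in one frame; an empty list means it passed."""
        findings: List[str] = []
        if len(frame) < 10:
            return ["truncated header (%d bytes)" % len(frame)]
        if frame[:2] != DNP3_START:
            findings.append("bad start bytes %s" % frame[:2].hex())
        length, ctrl = frame[2], frame[3]
        if not MIN_LEN <= length <= MAX_LEN:
            findings.append("length field %d out of range" % length)
        if dnp3_crc(frame[:8]) != int.from_bytes(frame[8:10], "little"):
            findings.append("header CRC mismatch")
        # The length field fixes how many bytes must follow; a mismatch is the classic
        # buffer/header attack indicator and makes every later offset untrustworthy.
        data_len = max(length - 5, 0)
        blocks = (data_len + 15) // 16
        expected_total = 10 + data_len + 2 * blocks
        if len(frame) != expected_total:
            findings.append("frame size %d does not match length field (expected %d)"
                            % (len(frame), expected_total))
            return findings
        user_data, pos = b"", 10
        while pos < len(frame):
            block_len = min(16, data_len - len(user_data))
            block = frame[pos:pos + block_len]
            crc = int.from_bytes(frame[pos + block_len:pos + block_len + 2], "little")
            if dnp3_crc(block) != crc:
                findings.append("data block CRC mismatch at offset %d" % pos)
            user_data += block
            pos += block_len + 2
        prm, fc = bool(ctrl & 0x40), ctrl & 0x0F
        if fc not in (PRIMARY_FCS if prm else SECONDARY_FCS):
            findings.append("undefined link function code %d (PRM=%d)" % (fc, prm))
        # Application control: transport header byte 0 (FIR bit 0x40 = first fragment),
        # application control byte 1, application function code byte 2.
        if allowed_app_fcs is not None and len(user_data) >= 3 and user_data[0] & 0x40:
            app_fc = user_data[2]
            if app_fc not in set(allowed_app_fcs):
                findings.append("application function code 0x%02x not permitted by policy" % app_fc)
        return findings


    if __name__ == "__main__":
        # Constructed master-to-outstation READ request (app fc 0x01) and a DIRECT_OPERATE (0x05).
        read_req = build_frame(0xC4, 1, 1024, b"\xc0\xc0\x01\x3c\x02\x06")
        operate = build_frame(0xC4, 1, 1024, b"\xc0\xc1\x05")
        for f in (read_req, operate, read_req[:12]):
            print(f.hex(), check_frame(f, allowed_app_fcs={0x01}))
    ```

    A sensor in front of the RTU segment would run `check_frame` on each reassembled frame and raise an IPS event for any non-empty result; the allow-list is the application-control part, and would normally be keyed by source address so that only the SCADA master may issue control function codes.
    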
    18. Protection from the Outside (ingress)
       • Firewall. Inspects content in network packets to ensure no unauthorized traffic passes into or out of the intranet. With adequate performance, a firewall can be deployed in-line for real-time protection.
       • Intrusion Detection and Prevention. Stops attacks at the network perimeter by analyzing traffic for worms, viruses and exploits. Analysis techniques include behavior-based learning and heuristics in addition to signatures defining known hazards.
       • VPN. Enables secure communications tunnels across the public Internet between computing devices. With adequate performance, a VPN can authenticate users, encrypt data and manage sessions.
       • Antispam. Blocks entry to the intranet of junk email and file attachments, and web access to blacklisted websites, domains and key words.
    19. Protection from the Outside (ingress)
       • Web-based Content Filtering. Processes all Web content to block inappropriate material and malicious scripts (Java applets, cookies and ActiveX) from entering the intranet. Improves productivity by minimizing time wasted on non-business use of the network.
       • Vulnerability Scanning. This automated process checks network devices and applications to identify and rank the severity of known vulnerabilities caused by unpatched software, mis-configurations and other causes. Scan reports provide a blueprint for removing vulnerabilities and strengthening security.
       • All these security applications can and should be installed at every SCADA network endpoint. The biggest challenge is operational: how to deploy them and manage their use in a cost-effective manner.
    20. Protection from the Inside
       • Once an intruder is on the inside of a network, the SCADA system is vulnerable from several points: the HMI (Human-Machine Interface) and the RTUs (Remote Terminal Units). The HMI is a direct interface to the databases that the RTU sends commands to and receives commands from. For example, an HMI user working at a fuel tank farm can manage the flow of fuel from a pipeline into various storage tanks and then through a piping system into delivery trucks or another pipeline. The HMI sends commands to the RTU to open/close valves, turn on pumps, and record the amount of fuel, temperature and water content of a storage tank, all in real time. If the HMI interface were to be exploited, either by a bot, a worm, or a known exploit that gives command/control access to an external user, what could happen?
    21. Protection from the Inside
       • Secure (encrypted) communications to/from RTUs
       • Firewall policies that restrict users/IPs to only operational personnel
       • Antivirus/IPS profiles within the network
       • Secure database communications
       • FortiDB
       • DLP
       • Application control to prevent unwanted or potentially dangerous applications from being installed within the SCADA network
    22. Wireless Protection
       • WiFi
         • Use non-broadcast SSID
         • Use WPA-PSK 128 or better encryption
           • WPA2 Enterprise (RADIUS)
         • Lock wireless access to known MAC/IP addresses
         • VPN to CTU or DB
       • 3G based wireless
         • Static IP devices
         • MPLS to SCADA network
         • VPN into SCADA network
         • Restrict VPN to known IP addresses
    23. Enterprise Security Tools. (Diagram: an authorized user's path from External, through the Internal Network (PCs, printers), the Server Domain, HMI Applications and SCADA Databases, with the matching tools Firewalls/VPN, AAA/Anti Virus, AAA/IDS/Encryption, Application Security and Database Security, consolidated as UTM.)
    24. The Solution: A Defense-in-Depth Security Strategy
       • A defense-in-depth strategy deploys application security at both the host RTU and the network level
       • Deploy security systems that offer tightly integrated multiple detection mechanisms:
         • IPS
         • Antivirus
         • Antispam
         • Application control
         • Web filtering
         • DB
         • Stateful firewall
         • VPN
       • Automated processes to update AV and IPS signature databases
       • Known SCADA exploits already in AV/IPS databases
    25. Protection of the HMI Database
       • Vulnerability assessment
         • Centralize signature/policy management
         • Separation of duties
         • Create custom signatures/policies
         • Implement expert-level remediation advice
         • Analyze database security trends
         • Supports well known DB systems
       • Audit control (monitoring/audit)
         • Unauthorized access/change of data circumventing application controls
         • Segregation of duties: database security/audit should be external to the database
         • Control on rules for who, when and where makes a change in the database without authorization
         • Change control on schemas
         • User privilege changes
         • Failed logins and failed actions
         • Data integrity of critical data
    26. Vulnerability Assessment
       • Key features
       • Assesses and provides industry standard remediation advice that strengthens the integrity and security of databases. This helps with eliminating weaknesses in passwords, access, privileges, configuration settings, and more.
       • Automatically discover all databases
       • Accelerate security & compliance best practices (PCI, SOX, HIPAA)
       • Centralize signature/policy management
       • Separation of duties
       • Easily create custom signatures/policies
       • Brand reports for easy identification
       • Implement expert-level remediation advice
       • Analyze database security trends
       • Supports Oracle, SQL, DB2 UDB and Sybase
    27. Audit Control: Monitoring/Audit
       • Reduces the risk of information theft / leak / fraudulent update; automates compliance processes
       • Automation of IT internal controls (database specific)
       • Unauthorized access/change of data circumventing application controls
       • Segregation of duties: database security/audit should be external to the database
       • Power user activities
       • Control on rules for who, when and where makes a change in the database without authorization
       • Change control on schemas
       • User privilege changes
       • Failed logins and failed actions
       • Data integrity of critical data
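    Slides 25 and 27 list what database audit control must catch: data changes that circumvent application controls, schema change control, user privilege changes, and failed logins and actions, with the audit function kept external to the database. The block below is an added example, not FortiDB or any Fortinet code, of those four checks run over a constructed database audit log: the log format (timestamp, user, client host, event class, statement), the application account `hmi_app`, the operational tables, the 08:00 to 17:00 change window and the five-failures-in-60-seconds threshold are all assumptions made for the example.

    ```python
    """Audit-log checks for an HMI database (added example; not FortiDB code)."""
    import re
    from collections import defaultdict
    from datetime import datetime, time
    from typing import Dict, List, Optional, Tuple

    # Constructed sample audit records: timestamp user host class statement
    SAMPLE_AUDIT_LOG = """\
    2009-09-29T08:02:11 hmi_app 10.1.20.5 LOGIN ok
    2009-09-29T08:02:12 hmi_app 10.1.20.5 DML UPDATE tank_levels SET level=71.2 WHERE tank_id=3
    2009-09-29T09:15:40 jsmith 10.1.50.14 LOGIN failed
    2009-09-29T09:15:44 jsmith 10.1.50.14 LOGIN failed
    2009-09-29T09:15:49 jsmith 10.1.50.14 LOGIN failed
    2009-09-29T09:15:53 jsmith 10.1.50.14 LOGIN failed
    2009-09-29T09:15:58 jsmith 10.1.50.14 LOGIN failed
    2009-09-29T11:30:02 dba_ops 10.1.50.20 DCL GRANT DBA TO jsmith
    2009-09-29T23:41:17 dba_ops 10.1.50.20 DDL ALTER TABLE valve_commands ADD COLUMN note VARCHAR(200)
    2009-09-29T23:42:05 dba_ops 10.1.50.20 DML UPDATE valve_commands SET state='OPEN' WHERE valve_id=12
    """

    LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (LOGIN|DML|DDL|DCL) (.*)$")
    # Hypothetical policy values for the example.
    OPERATIONAL_TABLES = {"tank_levels", "valve_commands"}   # only the HMI application may write these
    APPLICATION_ACCOUNTS = {"hmi_app"}
    CHANGE_WINDOW = (time(8, 0), time(17, 0))                # approved window for schema changes
    FAILED_LOGIN_THRESHOLD, FAILED_LOGIN_WINDOW_S = 5, 60

    Finding = Tuple[datetime, str, str]                      # (when, rule, detail)


    def parse(log_text: str) -> List[Dict]:
        """Turn audit lines into event dicts; lines that do not match the format are skipped."""
        events = []
        for line in log_text.splitlines():
            m = LINE_RE.match(line)
            if not m:
                continue
            ts, user, host, kind, detail = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "user": user,
                           "host": host, "kind": kind, "detail": detail})
        return events


    def table_of(statement: str) -> Optional[str]:
        """Name of the table a DML/DDL statement touches, lower-cased."""
        m = re.search(r"\b(?:UPDATE|INSERT INTO|DELETE FROM|ALTER TABLE|DROP TABLE)\s+(\w+)",
                      statement, re.I)
        return m.group(1).lower() if m else None


    def audit(log_text: str) -> List[Finding]:
        """Apply the four audit-control rules and return findings in log order."""
        findings: List[Finding] = []
        failed: Dict[str, List[datetime]] = defaultdict(list)
        for ev in parse(log_text):
            ts, user, kind, detail = ev["ts"], ev["user"], ev["kind"], ev["detail"]
            if kind == "LOGIN" and detail == "failed":
                # Sliding window of recent failures per user; alert once when it fills.
                window = failed[user]
                window.append(ts)
                window[:] = [t for t in window if (ts - t).total_seconds() <= FAILED_LOGIN_WINDOW_S]
                if len(window) == FAILED_LOGIN_THRESHOLD:
                    findings.append((ts, "failed-login-burst", "%s from %s" % (user, ev["host"])))
            elif kind == "DCL":
                # Every GRANT/REVOKE is a privilege change worth a record.
                findings.append((ts, "privilege-change", "%s: %s" % (user, detail)))
            elif kind == "DDL":
                if not CHANGE_WINDOW[0] <= ts.time() <= CHANGE_WINDOW[1]:
                    findings.append((ts, "schema-change-outside-window", "%s: %s" % (user, detail)))
            elif kind == "DML":
                # A direct write to an operational table by a non-application account
                # bypasses the HMI's own authorization checks.
                tbl = table_of(detail)
                if tbl in OPERATIONAL_TABLES and user not in APPLICATION_ACCOUNTS:
                    findings.append((ts, "app-control-bypass", "%s wrote %s directly" % (user, tbl)))
        return findings


    if __name__ == "__main__":
        for when, rule, detail in audit(SAMPLE_AUDIT_LOG):
            print(when.isoformat(), rule, detail)
    ```

    The checks read the log from outside the database, which is the segregation-of-duties point the slide makes: a DBA who can alter the schema or grant privileges should not also be able to edit the record of having done so.
    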
    28. Reporting and Analysis of SCADA
       • More than 300 different report templates available
       • Report configuration wizard
       • Reports are completely customizable
       • Example reports
       • Events/attacks by:
         • Sensor
         • Source
         • Category
         • Threat
         • Protocol
       • Mail usage
       • ICCP, DNP usage
       • Bandwidth usage
       • Protocol usage
    29. Management in a SCADA Environment. (Diagram: backbone switching with out-of-band management providing centralized logging and reporting; RTU A, B, C, D and F; SCADA DB system; Internet access.)
    30. Multi-Threat Security with Fortinet
       • Fortinet advantages
       • Provides a comprehensive security approach
       • Minimizes down-time from individual threats (FortiGuard)
       • Reduces number of vendors and appliances
       • Simplifies security management
       • Coordinates security alerting, logging, and reporting
       • Improves detection capabilities
       (Diagram: HMI and Core DB behind IPS, Firewall, Antivirus, Antispam, URL Filters, VPN.)