DTS Solution - SCADA Security Solutions


Speaker notes:
  • HIPS Protectors support multiple platforms: Windows NT 4 SP6a, 2000, XP(e), Server 2003, Windows Server 2008 / Windows Vista, Windows 7; Solaris 7-10
  • UTMs provide: secure remote access; secure network segmentation, such as placing historians in a DMZ

    1. SCADA / Industrial Control Systems Security Solutions
       www.dts-solution.com
       shah@dts-solution.com
    2. Industrial Control Systems Security
       • Securing Industrial Control Systems (ICS) in an enterprise is not business critical but mission critical.
       • The overall impact can be catastrophic.
       • Securing a process is a different paradigm from securing a service.
       • The framework should be built around National Critical Infrastructure Protection.
    3. Industrial Control Systems Security
       • Industrial Control Systems Security should be an integrated core mission of any organization in the Utilities and Transportation sector:
         – Electricity and Power Plants
         – Water Authorities
         – Energy Producers – Oil / Gas
         – Aviation and Airports
    4. What is SCADA?
       • SCADA – Supervisory Control and Data Acquisition
       • SCADA systems are vital components of most nations' critical infrastructures
       • SCADA systems control:
         – Gas pipelines
         – Water and wastewater systems
         – Transportation systems
         – Electrical Utilities
         – Refineries and chemical plants
         – Manufacturing operations
    5. SCADA System
       "SCADA systems are intended to provide a human operator with updated real-time information about the current state of the remote process being monitored, as well as the ability to manipulate the process remotely." – William T. Shaw
    6. SCADA Systems
       • Used to monitor and remotely control critical industrial processes
       • Industrial control systems (ICS):
         – SCADA systems
         – Distributed Control Systems (DCS)
         – Programmable Logic Controllers (PLC)
       • SCADA Components:
         – Master Terminal Unit (architecture unique)
         – Human Machine Interface
         – Remote Terminal Unit
         – Communications
    7. SCADA Systems
       • Highly distributed
       • Geographically separated assets
       • Centralized data acquisition and control are critical:
         – Oil and gas pipelines
         – Electrical power grids
         – Railway transportation systems
       • Field devices control local operations
    8. Distributed Control System
       • Supervisory control of multiple integrated systems responsible for a local process
       • DCSs are used extensively in process-based industries
       • Examples:
         – Oil and gas refineries
         – Electrical power generation
         – Automotive production
       • Feedback loops maintain set points
       • Programmable logic controllers are used in the field
    9. Programmable Logic Controllers
       • Computer-based solid state devices
       • Control industrial equipment and processes
       • Regulate process flow
         – Automobile assembly line
    10. SCADA, DCS or PLC – Compare and Contrast
       • Location
         – SCADA – geographically dispersed
         – DCS and PLC – factory centered
       • Communications
         – SCADA – long distance, slow speed
         – DCS and PLC – LAN, high speed
       • Control
         – SCADA – supervisory level
         – DCS and PLC – closed feedback loops
    11. SCADA – Why the emphasis?
       • SCADA supports Critical Infrastructures
       • 80-90% of critical infrastructures (CI) are privately owned and operated
       • Critical to national survival and prosperity, yet dependent on industries driven by profit, not security
    12. SCADA – Why the emphasis?
       • Many challenges exist when securing SCADA:
         – Complex systems… patching, rebooting, authentication
         – Preponderance of legacy hardware, software and transmission protocols ($)
         – Multiple and diverse access points… by design… radio, wireless, phone
         – The need to connect to the business network
       • The Cyberwar Plan. Article by Shane Harris, Saturday, Nov. 14, 2009: President Obama confirmed that cyber-warriors have aimed at American networks. "We know that cyber-intruders have probed our electrical grid," he said at the White House in May, when he unveiled the next stage of the national cyber-security strategy. The president also confirmed, for the first time, that the weapons of cyberwar had claimed victims. "In other countries, cyberattacks have plunged entire cities into darkness."
    13. SCADA Evolution
       • 1960s–1980s – Central Architectures
         – Single powerful computer performing all functions
         – 2nd identical computer for redundancy
    14. SCADA Evolution
       • 1980s to present – Distributed Architectures
         – Multiple computers networked together, each performing a specific function
         – LAN improvements made this practical and possible
         – Functions:
           • Remote terminal polling
           • Complex applications processing
           • Historian – data archiving and trending
         – Graceful degradation
    15. SCADA Evolution
       • 1990s to present – Client/Server
         – Powerful PCs
         – TCP/IP networking
         – High speed Ethernet
         – Commercial real-time operating systems
       • Looking more like IT systems
         – Scalable and fault tolerant
         – Smart software makes redundancy easy
    16. SCADA Evolution
       • Human Machine Interface
         – Printouts
         – Map board
         – Mimic panel
         – Video projection technology
    17. SCADA Evolution – HMI Example
    18. SCADA Evolution
       • Remote Terminal Unit
         – Electronic devices located at key measurement and control points
         – Originally hardwired devices with limited capabilities and one proprietary communications protocol
         – Modern RTUs contain their own microprocessors and can support multiple sophisticated protocols
    19. SCADA Evolution
       • Communications
         – Initially used telephone systems and radio transmitters designed for voice
           • Slow
           • Some remote areas had to build their own communication systems
         – Latest systems are digital networks designed to transfer data
           • TCP/IP
           • Wireless, including cellular and satellite
    20. SCADA Evolution Summary
       • SCADA systems are based on computer technology, so they have evolved with computer technology
       • New technologies have also been introduced to SCADA systems
       • Huge decrease in proprietary nature
    21. SCADA Evolution Summary
       • The Good News
         – Cheaper
         – Interoperable between vendors
         – Larger pool of available workers
       • The Bad News
         – Susceptible to malware, hackers and cyber attacks
       • We can't go back. We must provide secure designs for now and the future
    22. Why is Cyber Security important?
       • Cost Savings
         – Reduced downtime and maintenance costs
         – Improved productivity
         – Enhanced business continuity
       • Simplified Regulatory and Standards Compliance
         – FERC / NERC CIP
         – ANSI/ISA-99
         – IEC 62443
       • Enhanced Security and Safety
         – Improved safety for the plant, employees and community
         – Improved defense against malicious attacks
    23. Pike Research – Smart Grid Cyber Security Ranking
    24. Mission Critical Security is Our Specialty
       When dealing with Mission Critical Systems, partner with someone who has done it before…
    25. Industrial Defender
       • Automation System Security Management
       • Exclusive focus on providing an integrated set of products and services for Automation Systems Security Management
       • Unifies two challenging domains:
         – Automation Systems
         – Cyber security
       • 350+ customers worldwide – 10,000 deployments
    26. Critical Infrastructure Operations – The Emerging Threat
    27. Some Incidents – SCADA
       • http://www.securityincidents.org/ – global repository of industrial control security incidents
       • Chart: Process Control Security, Performance and Compliance Incidents (Copyright © 2008 Industrial Defender, all rights reserved)
    28. Automation Systems Security Really Unique?
       Corporate IT                                                | Automation Systems IT
       ------------------------------------------------------------|--------------------------------------------------------------------
       Not life threatening                                        | Safety first
       Availability important                                      | Non-interruption is critical
       Transactional orientation                                   | Real-time focus
       IBM, SAP, Oracle, …                                         | ABB, Emerson, GE, Honeywell, Siemens, …
       People ~= Devices                                           | Few people; many, many devices
       PCs and Servers                                             | Sensors, Controllers, Servers
       Web services model is dominant                              | Polled automation control model
       MS Windows is dominant OS                                   | Vendor-embedded operating systems
       Many commercial software products installed on each PC      | Purpose-specific devices and applications
       Protocol is primarily HTTP/HTTPS over TCP/IP – widely known | Many industrial protocols, some over TCP/IP – vendor- and sector-specific
       Office environment, plus mobile                             | Harsh operating plant environments
       Cross-industry IT jargon                                    | Industry sector-specific jargon
       Cross-industry regulations (mostly)                         | Industry-specific regulations
    29. Customers
       • Oil & Gas Industry
       • Electric Power Industry
       • Chemical Industry
       • Water and Transportation Industry
       … many more
    30. Experience Across Many Automation Environments
       • Security/Performance monitoring for: ABB 800xA; ABB Symphony/Harmony; ABB Infi90; ABB Network Manager; Automsoft RAPID Historian; Emerson DeltaV; Emerson Ovation; Emerson/Westinghouse WDPF; GE XA/21; Foxboro I/A Series; Honeywell Experion; Itron OpenWay System; Rockwell RSView; Schneider Momentum; Schneider Quantum; Siemens PCS7; Yokogawa CENTUM CS 3000
       • Operating systems: HP-UX PA-RISC & Itanium; W2K, WinNT, W2003; Linux; DEC Tru64; Sun Solaris; IBM AIX
       • Industrial rules for: DNP3; Modbus; ICCP; IEC; Siemens S7 Protocol; TCP/IP
    31. Security Maturity Evolution in Industrial Control (chart: technology sophistication rising from 2003 to 2011)
       • Firewalls – Business connectivity; Locks on the Door
       • Intrusion Detection – Network Based; Host Based; Known Bad; Industrial Protocols; Alarm Sensors
       • Event Monitor – Central Logging; Monitor and respond; Alert on Events of interest; Log everything and apply forensics; Incident Management; Flight recorder
       • Intrusion Prevention – Network Based; Host Based; Deep packet inspection; Known Bad signatures; Known Good Signatures; Whitelisting; System hardening; System locked down
       • Security Management – Automates manual process; Enforces policy, process & procedures; Leverages "baselines"; Manages changes; Audit reporting; Continuous assessments; Attestation data; Doing it and Proving you are doing it
    32. ICS Security – Defense-in-Depth
    33. Industrial Control Systems Security
    34. SCADA Network… What is the problem?
    35. SCADA Network… Isolation and Zoning
    36. SCADA Network… Secured Zones
    37. Defense in Depth Strategy
    38. Stuxnet
    39. Automation System Management
    40. Industrial Defender's Defense-in-Depth Solution
       • Compliance Manager consolidates all events, logs and configuration settings for archiving and audit reporting – Collectors
       • Security Event Manager (SEM) aggregates security events from all monitored systems
       • UTM/firewalls provide intrusion prevention at the network perimeter – ESP (Electronic Security Perimeter) protection
       • HIPS provides Host Intrusion Prevention – Protectors
       • HIDS provides Host Intrusion Detection – Host Sensors
       • NIDS provides Network Intrusion Detection – Network Sensors
    41. Tofino – Byres Security
       • Founder of the BCIT Critical Infrastructure Security Centre, a leading academic facility for SCADA cyber-security research
       • Canadian representative for the IEC TC65/WG10 standards effort for the protection of industrial facilities from cyber attack
       • Chairs the ISA S-99 Security Technologies Working Group
       • Member of the DHS best practices approval board
       • 2006 SANS Institute Security Leadership Award
       • Six ISA and IEEE awards for security research
       • Testified to the US Congress on SCADA Security
    42. "Security" Issues in Control Networks
       • "Soft" Targets
         – PCs run 24x7 without security updates or even antivirus
         – Controllers are optimized for real-time I/O, not for robust networking connections
       • Multiple Network Entry Points
         – The majority of cyber security incidents originate from secondary points of entry to the network
         – USB keys, maintenance connections, laptops, etc.
       • Poor Network Segmentation
         – Many control networks are "wide-open" with no isolation between different sub-systems
         – As a result, problems spread rapidly through the network
    43. Pathways into the Plant Floor
       Diagram of the networks (Internet, External Network, Office LAN, Plant Network, Control LAN) with the entry points marked:
       • Infected Laptops
       • Infected Remote Support
       • Mis-Configured Firewalls
       • Unauthorized Connections
       • Modems
       • 3rd Party Issues
       • USB Drives
    44. A Perimeter Defense is Not Enough – Crunchy on the Outside, Soft in the Middle
       • We can't just install a control system firewall and forget about security.
         – The bad guys will eventually get in
         – Many problems originate inside the plant network
       • We must harden the plant floor.
       • We need Defense in Depth.
    45. The Solution in the IT World
       • Your desktop has flaws, so you add security software:
         – Patches
         – Personal Firewalls (like ZoneAlarm)
         – Anti-Virus Software
         – Encryption (VPN Client or PGP)
       • This is a good idea for PCs in the control system…
       • But you can't add software to your DCS, PLC or RTU
       • The Result? Your receptionist's PC is probably much better protected than the average PLC or RTU
    46. Distributed Security Appliances
       • Add hardware instead – a security appliance designed to be placed in front of control devices (such as PLC, DCS, RTU etc.)
       • User-configured firewall rules permit only the minimum network traffic required for correct plant operation
       • Complement security measures implemented by IT
       • Address the unique requirements of the plant network
    47. ANSI/ISA-99: Dividing Up The Control System
       • A core concept in the new ANSI/ISA-99 security standard is "Zones and Conduits"
       • Offers a level of segmentation and traffic control inside the control system
       • Control networks are divided into layers or zones based on control function
       • Multiple separated zones help to provide "defense in depth"
    48. Security Zone Definition
       • "Security zone: grouping of logical or physical assets that share common security requirements." [ANSI/ISA-99.01.01-2007, 3.2.116]
         – A zone has a clearly defined border (either logical or physical), which is the boundary between included and excluded elements.
       Diagram: HMI Zone | PLC Zone
    49. Conduits
       • A conduit is a path for the flow of data between two zones.
         – It can provide the security functions that allow different zones to communicate securely.
         – Any communication between zones must pass through a conduit.
       Diagram: HMI Zone – Conduit – PLC Zone
    50. Protecting the Network with Zones and Conduits
       • A firewall in each conduit will allow only the MINIMUM network traffic necessary for correct plant operation
       Diagram: HMI Zone – Firewall – PLC Zone
    51. Redefining Security Zones in ICS
    52. Specifying Controlled Zones
    53. Adding the Controlled Conduit Points
    54. The Tofino™ Industrial Security Solution – What is it?
       • It is a distributed security solution managed from a central location.
       • Flexible architecture allows you to create security zones throughout your control network to protect critical system components (ANSI/ISA-99 standards).
       • Monitoring and management are easy using one centralized software program.
    55. Industrial Control Systems Security
    56. The Tofino Security Appliance is the hardware component of the system
       • These are the devices that physically connect to the 802.3 Ethernet and provide Zone Level Security™ for other devices the IT firewall cannot protect
       Diagram: Tofino Security Appliance in front of a SECURE ZONE; authorized traffic passes, unauthorized traffic is stopped
    57. The Central Management Platform (CMP) is the centralized software program
       • Configure, manage and monitor all your Tofino Security Appliances from one workstation
    58. Fast Deployment using Tofino™ CMP
       • Map your network
       • Drag and drop talkers and protocols to create rules
       • Test
       • Deploy & manage
    59. Intuitive Rule Editor
       • Preconfigured to block known device flaws
       • Globally control specific types of communications
       • Create a list of devices that can "talk" to a protected device using allowed protocols
    60. Process-Friendly Test Mode
       • Tofino™ operates in three modes:
         – PASSIVE – all traffic allowed, logging off
         – TEST – all traffic allowed, logging on
         – OPERATIONAL – firewall rules applied
       • When operational, Tofino™ will drop any traffic for which there is no 'allow' rule.
       • Test mode allows all traffic, but reports traffic that would have been dropped if operational
         – Critical to ensuring that all required traffic has a corresponding rule to permit it
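The zones-and-conduits model of slides 47-50 and the three appliance modes of slide 60 reduce to a short, testable policy engine. The following Python is an added example written for this page; it is not code from the deck, from Tofino or from Byres Security. It evaluates flows crossing one HMI-to-PLC conduit against a default-deny allow list in PASSIVE, TEST and OPERATIONAL mode. The zone subnets, addresses, rule set and sample flows are all constructed for the example, and rules describe the initiating direction of a connection (the return traffic of a permitted flow is assumed to be handled statefully, as a real appliance would).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

PASSIVE, TEST, OPERATIONAL = "PASSIVE", "TEST", "OPERATIONAL"

# Constructed zones. The slides name an HMI zone and a PLC zone but give no
# addressing; these subnets are assumptions made for the example.
ZONES = {
    "HMI Zone": ip_network("10.10.1.0/24"),
    "PLC Zone": ip_network("10.10.2.0/24"),
}


@dataclass(frozen=True)
class Flow:
    """One connection attempt seen on the conduit (initiating direction)."""
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    """An 'allow' rule on the conduit; src/dst are hosts or CIDR networks."""
    src: str
    dst: str
    proto: str
    dport: int


def zone_of(host: str) -> Optional[str]:
    addr = ip_address(host)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def matches(rule: Rule, flow: Flow) -> bool:
    return (ip_address(flow.src) in ip_network(rule.src, strict=False)
            and ip_address(flow.dst) in ip_network(rule.dst, strict=False)
            and rule.proto == flow.proto
            and rule.dport == flow.dport)


def evaluate(flow: Flow, rules: List[Rule], mode: str) -> Tuple[str, Optional[str]]:
    """Decide one flow. Returns (action, log line or None).

    PASSIVE: forward everything, log nothing.
    TEST: forward everything, but log what OPERATIONAL would have dropped.
    OPERATIONAL: default deny; forward only flows matched by an allow rule.
    """
    if mode == PASSIVE:
        return "FORWARD", None
    if any(matches(r, flow) for r in rules):
        return "FORWARD", None
    desc = (f"{flow.proto}/{flow.dport} {flow.src} ({zone_of(flow.src)}) -> "
            f"{flow.dst} ({zone_of(flow.dst)})")
    if mode == TEST:
        return "FORWARD", f"TEST would-drop: {desc}"
    if mode == OPERATIONAL:
        return "DROP", f"DROP: {desc}"
    raise ValueError(f"unknown mode {mode!r}")


def run(flows: List[Flow], rules: List[Rule], mode: str):
    """Evaluate a batch of flows; returns (forwarded, dropped, log lines)."""
    forwarded = dropped = 0
    log = []
    for flow in flows:
        action, line = evaluate(flow, rules, mode)
        if action == "FORWARD":
            forwarded += 1
        else:
            dropped += 1
        if line:
            log.append(line)
    return forwarded, dropped, log


def overly_broad(rules: List[Rule]) -> List[str]:
    """Flag rules that are not 'minimum traffic': an any-host source or destination."""
    return [f"{r} matches any host"
            for r in rules
            if ip_network(r.src, strict=False).prefixlen == 0
            or ip_network(r.dst, strict=False).prefixlen == 0]


# The only traffic this conduit needs: the HMI polling the PLC over Modbus/TCP.
CONDUIT_RULES = [Rule("10.10.1.10", "10.10.2.20", "tcp", 502)]

# Constructed sample flows, as the appliance might see them during commissioning.
SAMPLE_FLOWS = [
    Flow("10.10.1.10", "10.10.2.20", "tcp", 502),   # HMI -> PLC Modbus: required
    Flow("10.10.1.10", "10.10.2.20", "tcp", 80),    # HMI -> PLC web page: no rule
    Flow("10.10.1.55", "10.10.2.20", "tcp", 502),   # unknown laptop -> PLC: no rule
    Flow("10.10.2.20", "10.10.1.10", "udp", 161),   # PLC -> HMI SNMP: no rule
]

if __name__ == "__main__":
    for mode in (PASSIVE, TEST, OPERATIONAL):
        fwd, drp, log = run(SAMPLE_FLOWS, CONDUIT_RULES, mode)
        print(f"{mode}: forwarded={fwd} dropped={drp}")
        for line in log:
            print("  " + line)
```

Two practitioner checks fall out of this. Test mode only reports the traffic that actually occurred while it ran, so it must run long enough to see infrequent but required flows (weekly backups, failover paths, engineering-station downloads) before switching to OPERATIONAL. And a rule that silences every would-drop line is not automatically a good rule: overly_broad() is the kind of review that catches an "any host" rule added in a hurry, which passes test mode but is not the minimum traffic slide 50 calls for.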
    61. Tofino™ Loadable Security Modules (LSMs)
       • LSMs are licensed to each Tofino Security Appliance based on the needs in that security zone
       • Downloaded into each Tofino Security Appliance (Tofino SA) via the CMP, the LSMs offer customizable security functions depending on the zone-by-zone requirements of the control system.
    62. Describing the Tofino™ Secure Asset Management LSM quickly
       • The SAM LSM is a sentry that identifies and reports the devices that communicate through the Tofino SA to the protected devices in the security zone. This builds a useful model of the network upon Tofino SA start-up.
       • After system commissioning, the SAM LSM continues to scan for new devices and reports these to the CMP as a potential security threat
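The learn-then-alert behaviour described on slide 62 is worth seeing as logic, because the interesting part is what counts as "new" after commissioning. The following Python is an added example for this page, not Tofino's SAM implementation: it builds a baseline of talkers (MAC, IP and the conversations each one opens into the zone) while in learning mode, then after commissioning reports three kinds of change: a device never seen before, a known device opening a conversation it never opened before, and a known IP address turning up with a different MAC, which is either an address conflict or spoofing. The MAC addresses, IP addresses and observations are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Observation:
    """One connection seen entering the protected zone through the appliance."""
    src_mac: str
    src_ip: str
    dst_ip: str
    proto: str
    dport: int


Talker = Tuple[str, str]              # (mac, ip)
Conversation = Tuple[str, str, int]   # (dst_ip, proto, dport)


class AssetModel:
    """Learn the zone's talkers during commissioning, then alert on anything new."""

    def __init__(self) -> None:
        self.learning = True
        self.talkers: Dict[Talker, Set[Conversation]] = {}
        self.mac_for_ip: Dict[str, str] = {}

    def commission_complete(self) -> None:
        """Freeze the baseline; from now on changes are reported, not absorbed."""
        self.learning = False

    def observe(self, obs: Observation) -> Optional[str]:
        """Update or check the model; return an alert string when something should be reported."""
        key: Talker = (obs.src_mac, obs.src_ip)
        conv: Conversation = (obs.dst_ip, obs.proto, obs.dport)
        known_mac = self.mac_for_ip.get(obs.src_ip)
        if known_mac is not None and known_mac != obs.src_mac and not self.learning:
            return (f"ALERT: {obs.src_ip} now seen from {obs.src_mac}, "
                    f"previously {known_mac} (address conflict or spoofing)")
        if key not in self.talkers:
            if not self.learning:
                return (f"ALERT: new device {obs.src_mac} ({obs.src_ip}) talking to "
                        f"{obs.dst_ip} {obs.proto}/{obs.dport}")
            self.talkers[key] = set()
            self.mac_for_ip.setdefault(obs.src_ip, obs.src_mac)
        if conv not in self.talkers[key]:
            if not self.learning:
                return (f"ALERT: known device {obs.src_ip} opened a new conversation to "
                        f"{obs.dst_ip} {obs.proto}/{obs.dport}")
            self.talkers[key].add(conv)
        return None


# Constructed traffic seen during commissioning: only the HMI and the historian poll the PLC.
COMMISSIONING = [
    Observation("00:1d:9c:aa:00:01", "10.10.1.10", "10.10.2.20", "tcp", 502),
    Observation("00:1d:9c:aa:00:02", "10.10.1.11", "10.10.2.20", "tcp", 502),
]

# Constructed traffic after commissioning.
AFTER_COMMISSIONING = [
    Observation("00:1d:9c:aa:00:01", "10.10.1.10", "10.10.2.20", "tcp", 502),  # normal polling
    Observation("00:50:56:bb:00:99", "10.10.1.55", "10.10.2.20", "tcp", 502),  # unknown laptop
    Observation("00:1d:9c:aa:00:01", "10.10.1.10", "10.10.2.20", "tcp", 80),   # HMI does something new
    Observation("00:50:56:bb:00:99", "10.10.1.11", "10.10.2.20", "tcp", 502),  # laptop using historian's IP
]


def commission_and_watch(commissioning: List[Observation],
                         after: List[Observation]) -> List[str]:
    """Build the baseline from the first list, then return the alerts raised by the second."""
    model = AssetModel()
    for obs in commissioning:
        model.observe(obs)
    model.commission_complete()
    return [alert for alert in (model.observe(o) for o in after) if alert]


if __name__ == "__main__":
    for alert in commission_and_watch(COMMISSIONING, AFTER_COMMISSIONING):
        print(alert)
```

The model deliberately does not add post-commissioning talkers to the baseline by itself; the point of the baseline is that a human decides whether the new laptop belongs, and a change is only absorbed by re-entering learning mode. In production this alert stream needs de-duplication (a chatty new device would otherwise alert on every connection), which is an easy addition once the three alert kinds are in place.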
    63. Describing the Tofino™ Firewall LSM quickly
       • When incoming communications arrive at the Tofino SA, the Tofino™ Firewall LSM "traffic cop" determines whether the traffic can pass into the security zone
       • This determination is based on a set of rules easily created by the control engineer in Tofino CMP
       Diagram: Tofino™ Firewall LSM in front of the Protected Controller; authorized traffic passes, unauthorized traffic is stopped
    64. Describing the Tofino™ Modbus TCP Enforcer LSM quickly
       • On a Modbus network, traffic that passes the Firewall can have its "luggage searched" by the border guard
       • The Tofino™ Modbus TCP Enforcer LSM analyzes each packet against a defined list of allowed Modbus commands, registers, coils and standards
       • Unlawful traffic is blocked and reported to the CMP
       Diagram: Modbus Master – Tofino™ Modbus TCP Enforcer – Modbus Slave
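What "searching the luggage" means for Modbus/TCP is concrete enough to show in code. The following Python is an added example for this page, not Tofino's Modbus TCP Enforcer: it parses a master-to-slave request (the 7-byte MBAP header followed by the PDU), rejects anything malformed (wrong protocol id, a length field that disagrees with the bytes present, a write-multiple byte count that disagrees with its quantity, an invalid coil value), and then checks the function code and the address range the request touches against a per-master allow list. The policy and the request frames are constructed for the example; a read-only HMI that may write only a small block of setpoint registers is the assumed scenario.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}


@dataclass(frozen=True)
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    start: int   # first coil/register address in the request
    count: int   # number of coils/registers the request touches


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse a master->slave Modbus/TCP request; raise ValueError on anything malformed."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if proto_id != 0:
        raise ValueError(f"MBAP protocol id {proto_id}, expected 0")
    if length != len(frame) - 6:
        raise ValueError(f"MBAP length {length} disagrees with {len(frame) - 6} bytes present")
    pdu = frame[7:]
    fc = pdu[0]
    if fc in (1, 2, 3, 4):                       # read: start address, quantity
        if len(pdu) != 5:
            raise ValueError("read PDU must be exactly 5 bytes")
        start, count = struct.unpack(">HH", pdu[1:5])
    elif fc in (5, 6):                           # write single: address, value
        if len(pdu) != 5:
            raise ValueError("write-single PDU must be exactly 5 bytes")
        start, value = struct.unpack(">HH", pdu[1:5])
        if fc == 5 and value not in (0x0000, 0xFF00):
            raise ValueError(f"invalid coil value 0x{value:04x}")
        count = 1
    elif fc in (15, 16):                         # write multiple: start, quantity, byte count, data
        if len(pdu) < 6:
            raise ValueError("write-multiple PDU truncated")
        start, count, byte_count = struct.unpack(">HHB", pdu[1:6])
        expected = (count + 7) // 8 if fc == 15 else 2 * count
        if byte_count != expected or len(pdu) != 6 + byte_count:
            raise ValueError("write-multiple byte count disagrees with quantity or payload")
    else:
        raise ValueError(f"function code {fc} is not handled by this enforcer")
    if count < 1:
        raise ValueError("quantity must be at least 1")
    return ModbusRequest(tid, unit_id, fc, start, count)


# Policy: function code -> inclusive (first, last) address ranges this master may touch.
# Coils and registers are separate address spaces, so ranges are kept per function code.
Policy = Dict[int, List[Tuple[int, int]]]


def enforce(frame: bytes, policy: Policy) -> Tuple[str, str]:
    """Return ("ALLOW" or "BLOCK", reason) for one request frame."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as err:
        return "BLOCK", f"unparseable or unsupported: {err}"
    name = FUNCTION_NAMES.get(req.function, f"function {req.function}")
    if req.function not in policy:
        return "BLOCK", f"{name} not permitted for this master"
    last = req.start + req.count - 1
    if not any(lo <= req.start and last <= hi for lo, hi in policy[req.function]):
        return "BLOCK", f"{name} on {req.start}-{last} outside permitted ranges"
    return "ALLOW", f"{name} on {req.start}-{last} (unit {req.unit_id})"


# Constructed policy: the HMI may read holding registers 0-99 and write only 100-109.
HMI_POLICY: Policy = {3: [(0, 99)], 6: [(100, 109)], 16: [(100, 109)]}

# Constructed request frames (MBAP header + PDU) as a master would send them.
READ_OK          = bytes.fromhex("0001 0000 0006 01 03 0000 000a")  # read 10 regs from 0
WRITE_OK         = bytes.fromhex("0002 0000 0006 01 06 0064 1234")  # write reg 100
WRITE_BAD_ADDR   = bytes.fromhex("0003 0000 0006 01 06 0000 0000")  # write reg 0: blocked
DIAGNOSTIC       = bytes.fromhex("0004 0000 0006 01 08 0000 0000")  # FC 8 not in policy
BAD_LENGTH       = bytes.fromhex("0005 0000 0009 01 03 0000 000a")  # MBAP length lies
WRITE_MULTI_OK   = bytes.fromhex("0006 0000 000b 01 10 0064 0002 04 0001 0002")  # regs 100-101
WRITE_MULTI_SPAN = bytes.fromhex("0007 0000 0017 01 10 0069 0008 10" + "00" * 16)  # 105-112

if __name__ == "__main__":
    samples = [("read ok", READ_OK), ("write ok", WRITE_OK), ("write bad addr", WRITE_BAD_ADDR),
               ("diagnostic", DIAGNOSTIC), ("bad length", BAD_LENGTH),
               ("write multi ok", WRITE_MULTI_OK), ("write multi span", WRITE_MULTI_SPAN)]
    for label, frame in samples:
        verdict, reason = enforce(frame, HMI_POLICY)
        print(f"{label:18} {verdict:5} {reason}")
```

Two design points carry over to any real deployment. The range check uses the whole span the request touches (start through start+count-1), so a write that begins inside the permitted block and runs past its end is blocked rather than partially honoured. And an unknown or malformed frame is blocked outright instead of being passed through "because the firewall already allowed port 502", which is precisely the gap a port-level rule leaves open.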
    65. Describing the Tofino™ OPC Enforcer LSM quickly
       • OPC servers (classic OPC over DCOM) cannot be protected by traditional firewalls because they create data connections using a wide range of TCP port numbers that cannot be determined in advance
       • OPC Enforcer is a 'gatekeeper' that tracks OPC data connections as they are created and opens only the minimum required ports in the firewall for authorized clients
    66. Describing the Tofino™ Event Logger LSM quickly
       • The Event Logger LSM records Tofino security alarm reports
         – Tofino SAs with this LSM can report alarms directly to a syslog server (no CMP required) AND buffer/resend them if the connection to the server is interrupted/restored
         – Alarms can also be stored on the Tofino SA, then later offloaded via USB memory stick or CMP
    67. Describing the Tofino™ VPN LSM quickly
       • This simple-to-set-up LSM creates secure tunnels between Tofino Security Appliances; between Tofino and PCs; and between Tofino and supported third-party devices
       • It is designed for the control network, not the home or office network, and works hand-in-hand with other LSMs
       Diagram: Remote Client – VPN Tunnel across the Internet (past eavesdroppers) – Main Facility
    68. DEMO