How Security can be stronger than a Firewall: 13 different ways breaking through firewalls

by Andrew Ginter

VP Industrial Security - Waterfall Security Solutions

mail: andrew.ginter@waterfall-security.com


  1. UNIDIRECTIONAL SECURITY GATEWAYS™ – 1st Ibero-American Industrial Cybersecurity Congress
     How Security Can Be Stronger Than a Firewall: 13 Different Ways Breaking Through Firewalls
     Andrew Ginter, VP Industrial Security, Waterfall Security Solutions
     Proprietary Information – Copyright © 2013 by Waterfall Security Solutions Ltd.
  2. Industrial Security Priorities
  3. Safety, Reliability, Confidentiality

     | Attribute | Enterprise / IT | Control System |
     |---|---|---|
     | Scale | Huge – 100,000s of devices | 100-500 devices per DCS |
     | Priority | Confidentiality | Safety and reliability |
     | Target | Data theft | Sabotage |
     | Exposure | Constant exposure to Internet content | Exposed to business network, not Internet |
     | Equipment lifecycle | 3-5 years | 10-20 years |
     | Security discipline | Speed / aggressive change – stay ahead of the threats | Security is an aspect of safety – Engineering Change Control (ECC) |

     Most IT controls are not appropriate: you manage IT and ICS networks differently.
  4. Elephants in the Room
     ● Plain-text communication protocols – at least for local / DCS communications
     ● Anti-virus / constant change is hard – many sites limit use of AV
     ● Security updates / constant change is worse
     ● Vulnerable designs / components: 100,000 vulnerabilities
     ● Old equipment – will anyone sell you anti-virus signatures for Windows 2000?
     ● Timing, network traffic and other sensitivities
     Industrial sites deploy compensating measures such as physical security and cyber-perimeter security.
  5. 13 Ways Through a Firewall
     1) Phishing / drive-by download – the victim pulls the attack in
     2) Social engineering / steal a password / keylogger
     3) Compromise the domain controller – create a firewall account
     4) Attack exposed servers – SQL injection / DoS / etc.
     5) Attack exposed clients – compromise web servers
     6) Session hijacking – man-in-the-middle / steal HTTP cookies
     7) Piggy-back on a VPN – split tunnelling / viruses
     8) Firewall vulnerabilities – zero-days / design vulnerabilities
     9) Errors and omissions – bad rules / IT errors
     10) Forge an IP address – rules are IP-based
     11) Bypass the network perimeter – e.g. rogue wireless
     12) Physical access to the firewall – reset to factory defaults
     13) Sneakernet – removable media / laptops
     (Photo: Red Tiger Security)
     Keeping a firewall secure takes people and processes…
  6. #1 Phishing / Spam / Drive-By Download
     ● Single most common way through (enterprise) firewalls
     ● A client on the business network pulls malware from the Internet, or activates malware in an email attachment
     ● “Spear-phishing” – a carefully crafted email that fools even security experts into opening the attachment
  7. #2 Social Engineering – Steal a Password
     ● VPN password on a sticky note on the monitor, or under the keyboard
     ● Call up the administrator, weave a convincing tale of woe, and ask for the password
     ● Ask the administrator to give you a VPN account
     ● Shoulder-surf while the administrator enters the firewall password
     ● Guess
     ● Install a keystroke logger
  8. #3 Compromise Domain Controller – Create Account
     ● More generally – abuse the trust placed in an external system
     ● Create an account on, or change the password of, an exposed ICS server, or the firewall itself
     ● Other external trust abuse – compromise an external HMI, ERP system, DCS vendor with remote access, WSUS server, DNS server, etc.
  9. #4 Attack Exposed Servers
     ● Every exposed port is vulnerable:
       ● SQL injection
       ● buffer overflow
       ● default passwords
       ● hard-coded passwords
       ● denial of service / SYN flood
     (Figure: Night Dragon attack)
  10. 13 Ways Through a Firewall (recap of the list on slide 5)
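Two of the thirteen routes, #9 (errors and omissions – bad rules) and #10 (forge an IP address – rules are IP-based), are findable by auditing the rule base before an attacker does. The script below is an added example written for this page, not Waterfall's code or part of the deck: it parses a constructed first-match-wins rule list (the field layout, zone names `business`/`ics` and the 10.20.0.0/16 control-network range are assumptions) and flags three defender-relevant conditions: an any/any permit, a rule shadowed by an earlier broader one (a typical "bad rule" that silently never matches), and a permit that accepts protected-network source addresses from an outside zone, which an IP-based rule cannot distinguish from a forged source unless the outside interface has ingress anti-spoofing.

```python
"""Firewall rule audit for the 'errors and omissions' (#9) and 'forge an IP
address' (#10) routes through a firewall. Added example; not Waterfall's code.
The rule line format, zone names and subnets are constructed for this example."""
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "rid action src_zone src dst_zone dst service")
ANY_NET = ipaddress.ip_network("0.0.0.0/0")

# Constructed sample rule base; first match wins, as on most firewalls.
# Fields: id,action,src_zone,src_net,dst_zone,dst_net,service
SAMPLE_RULES = [
    "10,permit,business,10.10.0.0/16,ics,10.20.5.0/24,any",
    "20,permit,business,10.10.7.0/24,ics,10.20.5.11/32,tcp/502",   # fully covered by rule 10
    "30,permit,business,10.20.0.0/16,ics,10.20.0.0/16,any",        # 'internal' source arriving from outside
    "40,permit,business,any,ics,any,any",                          # the classic any/any hole
    "50,deny,any,any,any,any,any",
]
PROTECTED_ZONE = "ics"                                  # assumed zone name of the control network
PROTECTED_NET = ipaddress.ip_network("10.20.0.0/16")    # assumed control-network address space


def parse_rule(line):
    rid, action, src_zone, src, dst_zone, dst, service = [f.strip() for f in line.split(",")]
    net = lambda s: ANY_NET if s == "any" else ipaddress.ip_network(s)
    return Rule(int(rid), action, src_zone, net(src), dst_zone, net(dst), service)


def _covers(outer, inner):
    """True when every packet matched by `inner` is already matched by `outer`."""
    zone_ok = (outer.src_zone in ("any", inner.src_zone)
               and outer.dst_zone in ("any", inner.dst_zone))
    svc_ok = outer.service in ("any", inner.service)
    return zone_ok and svc_ok and inner.src.subnet_of(outer.src) and inner.dst.subnet_of(outer.dst)


def audit(lines, protected_zone=PROTECTED_ZONE, protected_net=PROTECTED_NET):
    """Return (rule_id, finding_code, explanation) tuples for a rule base."""
    rules = [parse_rule(line) for line in lines]
    findings = []
    for i, rule in enumerate(rules):
        if (rule.action == "permit" and rule.src == ANY_NET
                and rule.dst == ANY_NET and rule.service == "any"):
            findings.append((rule.rid, "ANY_ANY",
                             "permits all traffic between the zones; the firewall adds nothing"))
        for earlier in rules[:i]:          # shadowing: an earlier rule already matches everything
            if _covers(earlier, rule):
                findings.append((rule.rid, "SHADOWED",
                                 f"never matches: rule {earlier.rid} matches first"))
                break
        if (rule.action == "permit" and rule.src_zone != protected_zone
                and rule.src.overlaps(protected_net)):
            findings.append((rule.rid, "SPOOFABLE",
                             "accepts protected-network source addresses from an outside zone; "
                             "an IP-based rule cannot tell a forged source from a real one, "
                             "so pair it with ingress anti-spoofing on the outside interface"))
    return findings


if __name__ == "__main__":
    for rid, code, why in audit(SAMPLE_RULES):
        print(f"rule {rid}: {code} - {why}")
```

Run against the constructed rule base the audit reports rule 20 as shadowed, rule 30 as spoofable and rule 40 as both any/any and spoofable; the deny-all at the end is left alone. Shadow detection is deliberately conservative (it only reports a rule entirely contained in one earlier rule), which keeps false positives low at the cost of missing rules covered by the union of several earlier ones.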
  11. Unidirectional Security Gateways
      ● Laser in TX, photocell in RX, fibre-optic cable – you can send data out, but nothing can get back in to the protected network
      ● TX uses two-way protocols to gather data from the protected network
      ● RX uses two-way protocols to publish data to the external network
      ● Absolute protection against online attacks from external networks
      (Diagram: Industrial Network → Waterfall TX Server → Waterfall TX appliance → Waterfall RX appliance → Waterfall RX Server → Corporate Network)
  12. Secure Historian Replication
      ● Hardware-enforced unidirectional historian replication
      ● The replica historian contains all data and functionality of the original
      ● Corporate workstations communicate only with the replica historian
      ● The industrial network and critical assets are physically inaccessible from the corporate network and 100% secure from any online attack
      (Diagram: Industrial Network – PLCs, RTUs, Historian, Waterfall TX agent, Unidirectional TX appliance → Unidirectional RX appliance, Waterfall RX agent, Replica Historian, Workstations – Corporate Network; labelled “Unidirectional Historian replication”)
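The pattern on slides 11 and 12, a TX agent that talks a normal two-way protocol on the protected side, a physically one-way hop, and an RX agent that talks two-way protocols on the external side, has a consequence the slides do not spell out: with no return path there can be no ACK, NACK or retransmit request, so the receiver can only detect loss (here via sequence-number gaps) and corruption (via a digest), never ask for data again. The model below is an added example written for this page, not Waterfall's code; the `Historian` API, the frame layout and the link's loss model are assumptions made for the example, and the sample tags and values are constructed.

```python
"""Toy model of the TX -> one-way link -> RX replication pattern described on
slides 11 and 12. Added example; not Waterfall's code. The historian API, the
frame format and the link's loss model are assumptions made for this example."""
import hashlib
import json


class Historian:
    """Stand-in for a plant (or replica) historian reached over an ordinary two-way protocol."""
    def __init__(self):
        self.records = []

    def append(self, tag, value):
        self.records.append({"tag": tag, "value": value})

    def read_since(self, index):          # request/response, only on the side that owns the historian
        return self.records[index:]


class OneWayLink:
    """The laser / photocell hop. TX only ever gets a send() callable and RX only a
    receive() callable; neither handle has anything that talks the other way."""
    def __init__(self, drop_seqs=()):
        self._fibre = []                  # frames in flight
        self._drop = set(drop_seqs)       # constructed fault model: sequence numbers lost on the fibre

    def sender(self):
        def send(frame):
            if frame["seq"] not in self._drop:
                self._fibre.append(frame)
        return send

    def receiver(self):
        def receive():
            return self._fibre.pop(0) if self._fibre else None
        return receive


class TxAgent:
    """Runs on the protected network: polls the historian (two-way) and pushes frames out."""
    def __init__(self, historian, send):
        self.historian, self.send = historian, send
        self.cursor = self.seq = 0

    def poll(self):
        for rec in self.historian.read_since(self.cursor):
            payload = json.dumps(rec, sort_keys=True)
            self.send({"seq": self.seq, "payload": payload,
                       "digest": hashlib.sha256(payload.encode()).hexdigest()})
            self.seq += 1
            self.cursor += 1


class RxAgent:
    """Runs on the external network: rebuilds the replica. With no return path there is no
    ACK or retransmit request, so loss can only be detected (sequence gaps) and logged."""
    def __init__(self, receive, replica):
        self.receive, self.replica = receive, replica
        self.expected, self.gaps, self.corrupt = 0, [], 0

    def drain(self):
        frame = self.receive()
        while frame is not None:
            if frame["seq"] != self.expected:
                self.gaps.append((self.expected, frame["seq"]))   # (first missing seq, first seq seen after the gap)
                self.expected = frame["seq"]
            if hashlib.sha256(frame["payload"].encode()).hexdigest() != frame["digest"]:
                self.corrupt += 1                                  # damaged frame: discard, cannot ask again
            else:
                rec = json.loads(frame["payload"])
                self.replica.append(rec["tag"], rec["value"])
            self.expected += 1
            frame = self.receive()


def replicate(samples, drop_seqs=()):
    """Replicate constructed (tag, value) samples; returns (replica records, detected gaps)."""
    plant, replica, link = Historian(), Historian(), OneWayLink(drop_seqs)
    tx, rx = TxAgent(plant, link.sender()), RxAgent(link.receiver(), replica)
    for tag, value in samples:
        plant.append(tag, value)
    tx.poll()
    rx.drain()
    return replica.records, rx.gaps


if __name__ == "__main__":
    samples = [("FT-101", 12.5), ("PT-202", 3.1), ("TT-303", 88.0), ("LT-404", 0.42)]
    print(replicate(samples))                   # all four records, no gaps
    print(replicate(samples, drop_seqs={2}))    # three records, gap (2, 3) recorded on the RX side
```

The design point is the shape of the handles: the protected side holds only `send`, the external side only `receive`, so nothing on the corporate network can address the plant network even in software, mirroring what the laser/photocell pair enforces in hardware. Because the RX side cannot request retransmission, real deployments add redundancy (sending each frame more than once, or periodic full resynchronisation) rather than relying on a back-channel; this toy keeps the gap log only so the loss is visible.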
  13. Waterfall Unidirectional Gateway Connectors
      Leading Industrial Applications / Historians
      ● OSIsoft PI, PI AF, GE iHistorian, GE iFIX
      ● Scientech R*Time, Instep eDNA, GE OSM
      ● Siemens: WinCC, SINAUT/Spectrum
      ● Emerson Ovation, Wonderware Historian
      ● SQL Server, Oracle, MySQL, SAP
      ● AspenTech, Matrikon Alert Manager
      Leading Industrial Protocols
      ● OPC: DA, HDA, A&E, UA
      ● DNP3, ICCP, Modbus
      Remote Access
      ● Remote Screen View™
      ● Secure Manual Uplink
      Leading IT Monitoring Applications
      ● Log transfer, SNMP, Syslog
      ● CA Unicenter, CA SIM, HP OpenView, IBM Tivoli
      ● HP ArcSight SIEM, McAfee ESM SIEM
      Other Connectors
      ● UDP, TCP/IP
      ● NTP, multicast Ethernet
      ● Video / audio stream transfer
      ● Mail server / mailbox replication
      ● IBM MQ Series, Microsoft MSMQ
      File / Folder Mirroring
      ● Antivirus updater, patch (WSUS) updater
      ● Folder / tree mirroring, remote folders (CIFS)
      ● FTP / TFTP / SFTP / FTPS / RCP
      ● Remote print server
  14. Use Case: Iberdrola Cofrentes Nuclear Plant
      ● Replicates the plant historian to the corporate network
      ● Unidirectional gateways are deployed at the majority of American nuclear generators
      ● Protect safety networks, control networks and plant networks
      ● Routinely replicate OPC, historians, Syslog, Modbus and SNMP
      ● Specified in the NRC 5.71 and NEI 08-09 regulatory guides
      (Figure: NRC Regulatory Guide 5.71)
  15. Use Case: New Brunswick Power – Power Generation
      ● Inter-Control Center Protocol (ICCP) replication to the regional electric system control center
      ● OSIsoft PI Server replication at all generating plants
      ● Deployed fleet-wide: 3000 MW
      ● Absolute protection from external network attacks
  16. Use Case: Detroit Water – Waterfall Solution
      ● Replaced a firewall that a service provider was managing for $10,000/month
      ● Deployed an OSIsoft PI Server and replica: aggregates all information to be shared with the business network
      ● Hydraulic optimization reduces $50M/year power costs by 3-7%
      ● Cell-phone loop-check improves field technician productivity
      ● Real-time sewage utilization data for client utilities reduces their costs and increases customer satisfaction
  17. Trends in Standards and Guidance
      ● Increasingly, regulations, standards and best-practice guidance recognize hardware-enforced unidirectional communications
      ● Most recent: ISA SP-99-3-3 / IEC 62443-3-3 and NERC CIP V5
  18. Waterfall Security Solutions
      ● Headquarters in Israel, sales and operations office in the USA
      ● Hundreds of sites deployed in all critical infrastructure sectors
      ● Strategic partnership agreements / cooperation with OSIsoft, GE, Siemens, and many other major industrial vendors
      Awards and analyst quotes shown on the slide: Best Practice Award 2012, Industrial Network Security; 2013 Oil & Gas Customer Value Enhancement Award; “IT and OT security architects should consider Waterfall for their operations networks”; “Waterfall is a key player in the cyber security market” – 2010, 2011 & 2012
  19. Unidirectional Gateways: Secure IT/OT Integration
      ● Firewalls are porous
      ● Security: absolute protection of the safety and reliability of control system assets from network attacks originating on external networks
      ● Compliance: best-practice guidance, standards and regulations are evolving to recognize strong security
      ● Costs: reduces security operating costs – improves security and saves money
      andrew.ginter@waterfall-security.com
      www.waterfall-security.com
