[CLASS 2014] Palestra Técnica - Delfin Rodillas

1. Defending ICS from Cyberthreats with Next-generation Platform Security Del Rodillas Sr. Manager, SCADA & ICS Initiative

2. Palo Alto Networks at a glance Corporate highlights Founded in 2005; first customer shipment in 2007 Supplier of Industry-leading Enterprise Security Platform Safely enables all applications through granular use control… Prevents known and unknown cyber threats… for all users on any device across any network. Experienced team of 1,650+ employees Q3FY14: $150.7M revenue; 17,000+ customers $13 Revenues $49 4.700 9.000 13,500 17.000 $400 $300 $200 $100 18.000 16.000 14.000 12.000 10.000 8.000 6.000 4.000 2.000 0 Jul-11 Jul-12 $255 $396 $420 $119 $0 FY09 FY10 FY11 FY12 FY13 FY14TD Enterprise customers $MM FYE July Jul-13 May-14 2 | ©2014, Palo Alto Networks

4. What Keeps SCADA Security Supervisors Up at Night? SANS 2014 Survey on Industrial Control Systems What are the top three threat vectors you are most concerned with? 0% 5% 10% 15% 20% 25% 30% External threats (hacktivism, nation states) Malware Insider exploits Email phishing attacks Attacks coming from within the internal network Cybersecurity policy violations Industrial espionage Other Extortion or other financially motivated crimes Percent Respondents First Second Third 4 | ©2014, Palo Alto Networks

5. Advanced Targeted Attacks Norway Oil & Gas Attacks Social Engineering: Removable media Exploits zero-day vulnerabilities (Windows, Siemens) Propagation/Recon via general IT apps and file-types Goal: Disrupt uranium enrichment program Social Engineering: Spearphishing, Watering hole, Trojan in ICS Software Enumerates OPC assets (ICS-protocol!) Goal: IP theft and ICS Attack PoC? Energetic Bear Social Engineering: Spearphishing, Watering hole Goal: IP Theft and ??? 5 | ©2014, Palo Alto Networks

6. Malicious Insider Attack Sewage treatment facility in Maroochy Shire, Queensland, Australia Disgruntled employee of ICS vendor sought revenge on customer (shire council) and employer Used intimate knowledge of asset owner’s ICS to gain access and wreak havoc Impact Spillage of 800,000 liters of raw sewage into local parks, rivers and hotel grounds Loss of marine life, damage to environment, health hazard Source: Applied Control Solutions 6 | ©2014, Palo Alto Networks

7. Unintentional Cyber Incidents Platform shared by operator and royalty partner Slammer infection on rig via partner network Workstations and SCADA servers crashed Systems would not restart after reboot 8 hours to restore the SCADA and restart production Consequences Immediate loss of monitoring down-hole wells Loss of production for all 4 major wells Total losses $1.2M before production finally restored Source: Red Tiger Security Application Visibility and Risk Report conducted at energy company in E. Europe Plant manager insisted “not internet-facing” Rogue broadband link and risky web applications found on SCADA system Wuala (storage), eMule (P2P), DAV (Collaboration) Concerns over loss of IP, network availability, malware introduction Source: Palo Alto Networks SQL Slammer 7 | ©2014, Palo Alto Networks

8. Revisiting the Trust Model in ICS PCN Internet WAN PCN Servers HMI PLCs / RTUs Local HMI Remote Station / Plant Floor DEV PLCs / RTUs Local HMI PLCs / RTUs Local HMI Vendor/Partner Enterprise Network Mobility Internal Actors 8 | ©2014, Palo Alto Networks

9. Observations Broken Trust Model Micro-segmentation is critical Granular visibility of traffic is an essential capability Applications, users, content Shared context End-to-end security is required Threats originate at endpoints and via networks Real and potentially high risks with ICS cyber incidents Must focus on prevention vs. just detection Advanced attacks will be “zero-day” The capability to detect and stop unknown threats quickly is needed Automated threat analysis and information sharing would be helpful 9 | ©2014, Palo Alto Networks

10. Legacy Security Architecture and Its Challenges Stateful inspection Firewall “helpers” IPS AV URL Sandbox IM Proxy Firewall Traditional Endpoint Security Characteristic Associated Challenges Stateful inspection firewall as a base o Visibility to port numbers and IP addresses o No content identification Limited visibility to ICS traffic risks Coarse access control; not role based Firewall “helpers” bolted on to try to fill the security gaps Uncorrelated Information silos; slow forensics Increased administrative effort Performance drop off / serial processing Limited to No zero-day threat detection /prevention capabilities Highly vulnerable to targeted attacks Disjointed endpoint network technologies 10 | ©2014, Palo Alto Networks

11. What is Required? Platform Approach Focused on Prevention Next-Generation Network Security Inspects all traffic Blocks known threats Sends unknown to cloud Extensible to mobile virtual networks Threat Intelligence Cloud Gathers potential threats from network and endpoints Analyzes and correlates threat intelligence Disseminates threat intelligence to network and endpoints Advanced Endpoint Protection Inspects all processes and files Prevents both known unknown exploits Integrates with cloud to prevent known unknown malware 11 | ©2014, Palo Alto Networks

12. Next-generation Network Security Application identifiers Application User Content Additional Intelligence User/User-group mapping Threat / Vulnerability signatures URL database Classification Engine (L7) Threat Prevention AV, AS, Exploits URL Filtering Unknown Threat Prevention Mobile Security Natively supported services Application Visibility and Control 12 | ©2014, Palo Alto Networks

13. Systematic Approach to Network Security Apply new protections to prevent future attacks Discover 2 3 unknown threats Prevent known threats Apply 1 positive controls Improve Situational Awareness w/ Granular Traffic Visibility 13 | ©2014, Palo Alto Networks

15. Protocol/Application Identifiers for SCADA ICS Protocol / Application Protocol / Application Protocol / Application Modbus base ICCP (IEC 60870-6 / TASE.2) CIP Ethernet/IP Modbus function control Cygnet Synchrophasor (IEEE C.37.118) DNP3 Elcom 90 Foundation Fieldbus IEC 60870-5-104 base FactoryLink Profinet IO IEC 60870-5-104 function control MQTT OPC OSIsoft PI Systems BACnet 15 | ©2014, Palo Alto Networks

16. Functional Application Identifiers Function Control Variants (15 total) Modbus-base Modbus-write-multiple-coils Modbus-write-file-record Modbus-read-write-register Modbus-write-single-coil Modbus-write-single-register Modbus-write-multiple-registers Modbus-read-input-registers Modbus-encapsulated-transport Modbus-read-coils Modbus-read-discrete-inputs Modbus-mask-write-registers Modbus-read-fifo-queue Modbus-read-file-record Modbus-read-holding-registers Applipedia entry for Modbus-base App-ID 16 | ©2014, Palo Alto Networks

17. ICS-ISAC SARA Testbed at the Enernex Smart Grid Lab Substation Server Rugged Server GE EnerVista PC Phasor Data Concentrator Line Distance Protection Transformer Protection Feeder Protection Rugged Ethernet Switch Line Distance Relay DNP3 IEC 61850 Modbus DNP3 IEC 61850 C37.118 Modbus C37.118 IEC 61850 Mirror/SPAN Port Palo Alto Networks Next-generation Firewall ics-isac.org/sara 17 | ©2014, Palo Alto Networks

18. Sample Traffic from SARA Testbed (SPAN Port Monitoring) Protocol/Protocol-function visibility

21. Segmentation with Application and User Identification Remote/S upport Zone Business User access to Historian Application, e.g. Pi Business Zone Server Zone User Zone Process Zone Process Zone Business Zone Remote/S upport Zone Server Zone User Zone Sr. Engineer access to Modbus Write, SSH Remote/ Support Zone Business Zone Process Zone Server Zone User Zone 3rd Party application use via Jump Server 21 | ©2014, Palo Alto Networks

24. IT-centric exploits, but also relevant to OT Browser-based HMIs and other applications in ICS Several ICS vendors issued HeartBleed advisories Vulnerabilities being discovered all the time XP Server are still widely used in ICS XP and older Server versions no longer supported 24 | ©2014, Palo Alto Networks

29. Platform Approach to Stopping Energetic Bear WildFire “Zero-day” Havex Variant Protections and Intelligence Allowed Allowed AV Apply application visibility and control for OPC and other allowed traffic. Apply User-ID for role based policy. Control content access to web. 1 Apply Threat Prevention for known Havex malware signatures, exploits, and command and control traffic associated with Havex 2 Exploits CNC CNC Isolate suspicious files which could be a zero-day variant of Havex. Automatically convert to known threat, receive protections and additional intelligence from the cloud 3 29 | ©2014, Palo Alto Networks

30. Endpoint Security: The failures of traditional approaches EXE Targeted Evasive Advanced Known signature? NO Known strings? NO Previously seen behavior? NO Legacy Endpoint Protection PDF Malware direct execution Exploit vulnerability to run any code 30 | ©2014, Palo Alto Networks

31. Block the core techniques – not the individual attacks Software Vulnerability Exploits Exploitation Techniques Thousands of new vulnerabilities and exploits a year Only 2-4 new exploit techniques a year Malware Malware Techniques Millions of new malware every year 10’s – 100’s of new malware sub-techniques every year 31 | ©2014, Palo Alto Networks

32. Introducing Traps The right way to deal with advanced cyber threats Prevent Exploits Including zero-day exploits Prevent Malware Including advanced unknown malware Collect Attempted-Attack Forensics For further analysis Scalable Lightweight Must be user-friendly and cover complete enterprise Integrate with Network and Cloud Security For data exchange and crossed-organization protection 32 | ©2014, Palo Alto Networks

33. Central Management and Reporting Central Admin Central Management Platform Local Device Logs Reports Aggregate reports PCN Admin PCN Remote Admin Remote Station Centralized deployment of universal rules while giving IT and OT admins ability to set local policies Role based administration for added security (tiered admin rights) Centralized reports which facilitate forensics and regulatory compliance 33 | ©2014, Palo Alto Networks

34. Summary – New Kind of Security Needed for ICS Platform-based… Network, Endpoint, Cloud Prevention-focused Stop advanced attacks vs. just telling you that you have a problem Network Delivers granular visibility and segmentation Protocol visibility, User-based controls Stop known and unknowns Endpoint Stop the fundamental techniques vs. signatures Threat intelligence cloud Automated analysis and correlation Interacts with Network and Endpoint Palo Alto Networks Next-generation Platform meets these requirements 34 | ©2014, Palo Alto Networks

35. Learn more about Next-generation Security 1 for SCADA/ICS Download our SCADA/ICS Solution Brief go.secure.paloaltonetworks.com/secureics Sign up for a Live Online Demo at: http://events.paloaltonetworks.com/?event_type=632 2 Learn how your control network is being used and what threats may exist Sign up for a free Application Visibility and Risk Report (AVR) at: http://connect.paloaltonetworks.com/AVR Control Network 35 | ©2014, Palo Alto Networks

[CLASS 2014] Palestra Técnica - Delfin Rodillas

Estás leyendo una previsualización.

Eche un vistazo a continuación

[CLASS 2014] Palestra Técnica - Delfin Rodillas

Más Contenido Relacionado

Presentaciones para usted (20)

Similares a [CLASS 2014] Palestra Técnica - Delfin Rodillas (20)

Más de TI Safe (20)

Más reciente (20)