[CLASS 2014] Technical Talk (Palestra Técnica) - Michael Firstenberg
1. UNIDIRECTIONAL SECURITY GATEWAYS™
Challenges of Cybersecurity Implementations for Process Control Systems
Michael Firstenberg, Director of Industrial Security
Waterfall Security Solutions
2014
Proprietary Information -- Copyright © 2014 by Waterfall Security Solutions
2. Security Landscape
● 1M ICS hosts on the Internet? 500K in NA? Really only 7,000
● Heartbleed – encryption in lots of products, websites & VPNs broken
● NSA supply chain revelations. Does anyone really believe it was only the NSA?
● Always more ICS vulnerabilities found, and patching a change-controlled network is slow
Heartbleed drives home the point: all software has bugs. Some bugs are security holes. So in practice, all software can be hacked.
3. Who Are We Worried About?
Threat                                 | Resources | Methods                         | Existing Protection | Examples
Nation-state, sleeper insiders         | High      | Highly targeted, autonomous     | none                | Stuxnet, NSA supply chain
Targeted Persistent Attacks            | Medium    | Targeted, manual remote control | NEI                 | Aurora, Night Dragon, Shady Rat, Ghostnet
Disgruntled insider with access to ICS | Low       | Targeted: social engineering    | ISA, API, NERC-CIP  | Maroochy
Insider with access to IT network      | Low       | Targeted: social engineering    | NIST                | IT examples
Organized crime                        | Medium    | High volume, automated          | ISA, API, NERC-CIP  | Zeus, Conficker
4. Targeted Persistent Attacks
● Use “spear phishing” or server attacks to punch through firewalls
● Use custom malware to evade anti-virus
● Operate malware by interactive remote control
● Steal administrator passwords / password hashes
● Create new administrator accounts on domain controller
● Use new accounts to log in – no need to “break in” any more – defeats software update programs
IT teams are unable to block these targeted attacks at the corporate perimeter.
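One of the steps listed above, creating a new administrator account on the domain controller, is something a defender can watch for on the log side. The following is an added example, not material from the original slides: a small correlation that flags an account that is created and then placed in a privileged group within a short window. The key=value log layout and every sample line are constructed; the event ids are modelled on Windows security events 4720 (user account created) and 4728/4732 (member added to a security-enabled global/local group), and the group names and window are assumptions.

```python
"""Correlate 'account created' with 'added to privileged group' events.
Added example: log format, sample lines, group names and window are constructed."""
import re
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
CREATE_EVENT = "4720"              # modelled on Windows 4720: user account created
GROUP_ADD_EVENTS = {"4728", "4732"}  # modelled on 4728/4732: member added to a group
WINDOW = timedelta(minutes=30)     # creation -> privileged membership this fast is suspicious

# Constructed sample: a routine HR account, then a late-night account that is
# made a Domain Admin about a minute after it is created.
SAMPLE_LOG = """\
2014-05-12T08:01:10 id=4720 actor=hr-admin target=jdoe
2014-05-12T08:05:42 id=4728 actor=hr-admin group="Sales Users" member=jdoe
2014-05-12T23:14:03 id=4720 actor=svc-backup target=itsupport2
2014-05-12T23:15:20 id=4728 actor=svc-backup group="Domain Admins" member=itsupport2
2014-05-13T09:00:00 id=4732 actor=ops-lead group="Administrators" member=bsmith
"""

# key=value pairs; values may be quoted when they contain spaces
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str) -> dict:
    """Split '<iso timestamp> k=v k="quoted v" ...' into a dict with a datetime 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(rest)}
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def find_fast_privilege_grants(log_text: str) -> list:
    """Return one alert per account that was created and then added to a
    privileged group within WINDOW, whoever performed either step."""
    created = {}   # account -> (creation time, creating actor)
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["id"] == CREATE_EVENT:
            created[ev["target"]] = (ev["ts"], ev["actor"])
        elif ev["id"] in GROUP_ADD_EVENTS and ev["group"] in PRIVILEGED_GROUPS:
            member = ev["member"]
            if member in created and ev["ts"] - created[member][0] <= WINDOW:
                delay = ev["ts"] - created[member][0]
                alerts.append({
                    "account": member,
                    "created_by": created[member][1],
                    "granted_by": ev["actor"],
                    "group": ev["group"],
                    "seconds_after_creation": int(delay.total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_fast_privilege_grants(SAMPLE_LOG):
        print(alert)
```

The rule deliberately keys on the sequence rather than on the actor: the slide's point is that the attacker logs in with valid credentials, so the creating and granting actors will look like legitimate administrators. The membership change for bsmith is not flagged here because no matching creation precedes it within the window; a separate review of all privileged-group changes would catch that.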
5. IT vs ICS - Safety, Reliability, Confidentiality
Attribute           | Enterprise / IT                                       | Control System
Scale               | Huge – 100,000’s of devices                           | 100-500 devices per DCS
Priority            | Confidentiality                                       | Safety and reliability
Target              | Data                                                  | Equipment
Exposure            | Constant exposure to Internet content / attacks       | Exposed to business network, not Internet
Equipment lifecycle | 3-5 years                                             | 10-20 years
Security discipline | Speed / aggressive change – stay ahead of the threats | Security is an aspect of safety - Engineering Change Control (ECC)
The difference between IT and ICS is control
6. Reliability + Safety Risks = Soft ICS Interior
● Cyber safety and reliability risks arise from ability to control physical equipment
● Testing security updates and AV updates for reliability and safety takes longer – sometimes much longer
● Tens of thousands of vulnerabilities are waiting to be discovered in ICS software
● Old, out-of-support hardware and software
● Encrypted/authenticated communications debate for critical devices may never be resolved
Strong perimeter protection will always be disproportionately important in ICS defense-in-depth programs.
7. Physical Security
● Strictly control access to critical ICS computers
● Reduce risks due to USB, CD-ROMS, cell phone connections and other removable media / networking
● Reduce risks due to rogue laptops & other equipment plugged into ICS / safety networks
● Entire ICS network must lie within physical security perimeter
● No silver bullet:
  ● Insider threat is still real
  ● Distant adversaries can compromise equipment over Internet / remote control
Photo: Idaho National Labs
8. Sneakernet
● Device control – low-impact software to control which users and ports can accept which kinds of USB / CD / DVD device
● Network Access Control – refuses access to unauthorized laptops
● Supply chain - offline scans of hard disks of new equipment, physical inspections
● The most cautious firms purchase USB peripherals from distant, random locations
● Training & Awareness
Be paranoid. Everything that crosses the physical or cyber perimeter is a threat.
9. Device Control & Whitelisting
● Whitelisting: strictly control what software is allowed to run where
  ● Currently used more for “devices” with complex embedded operating systems than for entire ICS systems
● Device control: forbid entirely the execution of software from removable media, control what kinds of USB devices (keyboards, mice) are allowed to be connected to which ports
  ● Less intrusive than whitelisting, applied more commonly to larger parts of ICS systems
● No silver bullet:
  ● Cannot prevent remote control of legitimate applications
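The device-control idea from the two slides above (which kinds of USB device may attach to which ports) in working form, as an added example that is not Waterfall code and not any product's real policy: a per-port policy on USB interface classes, a storage allowlist for the one port that may accept removable media, and enforcement on Linux through the sysfs `authorized` attribute (with `authorized_default` set to 0 on the root hubs so that a device stays inert until explicitly allowed). The port names, the policy table, the vendor/product ids and the sample devices are all constructed; the sysfs paths are the kernel's real USB authorization interface.

```python
"""Per-port USB device-control policy with sysfs enforcement.
Added example: ports, policy, vendor/product ids and devices are constructed."""
from dataclasses import dataclass
from pathlib import Path

# USB interface class codes (bInterfaceClass) as assigned by USB-IF
HID, MASS_STORAGE, HUB = 0x03, 0x08, 0x09

SYSFS_USB = Path("/sys/bus/usb/devices")   # Linux USB authorization lives here


@dataclass(frozen=True)
class UsbDevice:
    port: str           # sysfs bus path such as "1-1.3" (constructed)
    vid: int
    pid: int
    classes: frozenset  # every interface class the device presents


# Constructed policy keyed by root port: operator consoles take keyboards, mice
# and hubs only; one kiosk port takes storage, and only one approved model.
PORT_POLICY = {
    "1-1": frozenset({HID, HUB}),      # operator console, left
    "1-2": frozenset({HID, HUB}),      # operator console, right
    "2-1": frozenset({MASS_STORAGE}),  # offline scanning kiosk
}
STORAGE_ALLOWLIST = {(0x2222, 0x0002)}  # constructed vid:pid of the approved stick


def decide(dev: UsbDevice) -> tuple:
    """Return (allowed, reason).  A device is allowed only if its root port is in
    the policy and *every* interface it presents is permitted there, so a
    composite device that adds storage behind a keyboard fails on the storage
    interface; storage is then further limited to the allowlisted model."""
    root = dev.port.split(".")[0]   # "1-1.3" -> "1-1": devices behind a hub inherit the port policy
    permitted = PORT_POLICY.get(root)
    if permitted is None:
        return False, "port %s not in policy" % root
    extra = dev.classes - permitted
    if extra:
        return False, "interface class %s not permitted on %s" % (sorted(map(hex, extra)), root)
    if MASS_STORAGE in dev.classes and (dev.vid, dev.pid) not in STORAGE_ALLOWLIST:
        return False, "storage device %04x:%04x not on allowlist" % (dev.vid, dev.pid)
    return True, "ok"


def lock_root_hubs(dry_run: bool = True) -> list:
    """Set authorized_default=0 on every root hub so new devices start inert;
    returns the attribute paths written (or that would be written in dry-run)."""
    targets = [p / "authorized_default" for p in SYSFS_USB.glob("usb*")]
    if not dry_run:
        for target in targets:
            target.write_text("0")
    return targets


def apply(dev: UsbDevice, dry_run: bool = True) -> str:
    """Write 1 or 0 to <port>/authorized for one attached device and report it."""
    ok, why = decide(dev)
    if not dry_run:
        (SYSFS_USB / dev.port / "authorized").write_text("1" if ok else "0")
    return "%s %s %04x:%04x (%s)" % ("allow" if ok else "deny", dev.port, dev.vid, dev.pid, why)


# Constructed devices as they might attach during a shift.
SAMPLE_DEVICES = [
    UsbDevice("1-1.3", 0x1111, 0x0001, frozenset({HID})),                # keyboard behind console hub
    UsbDevice("2-1",   0x2222, 0x0002, frozenset({MASS_STORAGE})),       # approved stick on kiosk
    UsbDevice("1-1.4", 0x2222, 0x0002, frozenset({MASS_STORAGE})),       # same stick on a console port
    UsbDevice("2-1",   0x3333, 0x0003, frozenset({MASS_STORAGE})),       # unapproved reader on kiosk
    UsbDevice("1-2",   0x1111, 0x0001, frozenset({HID, MASS_STORAGE})),  # composite keyboard + storage
    UsbDevice("3-1",   0x1111, 0x0001, frozenset({HID})),                # keyboard on an unlisted port
]


def evaluate_all(devices=SAMPLE_DEVICES) -> list:
    """Allow/deny decision for each sample device, in order."""
    return [decide(d)[0] for d in devices]


if __name__ == "__main__":
    for d in SAMPLE_DEVICES:
        print(apply(d))
```

Run with `dry_run=False` only as root on the host being locked down; on other systems the dry run still shows every decision. The policy is evaluated on the root port rather than the full path so that a keyboard plugged into a console hub is treated like one plugged into the console port directly.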
10. Cyber Perimeter - How Secure are Firewalls Really?
[Table: Attack Type | UGW | Fwall. The UGW (Unidirectional Gateway) and Fwall (firewall) columns rate each attack's success as Impossible / Routine / Easy; the ratings are graphical on the original slide and are not recoverable from the text.]
1) Phishing / drive-by-download – victim pulls your attack through firewall
2) Social engineering – steal a password / keystroke logger / shoulder surf
3) Compromise domain controller – create ICS host or firewall account
4) Attack exposed servers – SQL injection / DOS / buffer-overflows
5) Attack exposed clients – compromised web svrs / file svrs / buf-overflows
6) Session hijacking – MIM / steal HTTP cookies / command injection
7) Piggy-back on VPN – split tunneling / malware propagation
8) Firewall vulnerabilities – bugs / zero-days / default passwd / design vulns
9) Errors and omissions – bad fwall rules/configs / IT reaches through fwalls
10) Forge an IP address – firewall rules are IP-based
Firewalls have been with us for 30 years now. The good guys and the bad guys both know how to defeat them.
Photo: Red Tiger Security
11. Technical Shortcomings of Firewalls
● Well short of secure initially
● The “deny any any” rule
● Order of your firewall ruleset
● Multiple administration services
● Multiple passwords
A Tufin Technologies survey found that
86% of hackers believe that they can
break through any firewall.
Photo: Idaho National Labs
12. Technical Shortcomings – Part 2
● Software and hardware issues (e.g. code updates, loose power cables) can affect ops and business.
● May not be able to operate in harsher conditions of plants and need to be replaced more often
● Dependencies on corporate network, where SLAs are not as high
● New vulnerabilities are introduced with new software
Firewalls have external dependencies which affect their capabilities.
13. Technical Shortcomings Part 3
All TCP connections through the firewall are bi-directional
Outbound access = Inbound C&C
15. Unidirectional Security Gateways: Server Replication
● Hardware-enforced unidirectional server replication
● Replica server contains all data and functionality of original
● External clients communicate only with replica historian
● 100% secure from online attacks from external networks
● Replicate historian servers, OPC servers, RDB servers, Modbus, etc.
[Diagram: Unidirectional Historian replication. Industrial Network (PLCs, RTUs, Historian, Waterfall TX agent, Waterfall TX appliance) -> Corporate Network (Waterfall RX appliance, Waterfall RX agent, Replica Historian, Workstations)]
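Slide 13's point ("outbound access = inbound C&C") and the replication model on this slide, side by side in a small model. This is an added example, not Waterfall's product code: a connection-tracking firewall with a single rule that allows new plant-to-business connections on TCP/443, contrasted with a one-way link that carries plant-to-business traffic only and has no return path. The two networks, the addresses, the rule and the packet exchange are all constructed.

```python
"""Why an 'outbound-only' firewall rule still admits inbound traffic, and why a
unidirectional gateway does not.  Added, simplified model; every address, rule
and packet below is constructed."""
import ipaddress
from dataclasses import dataclass, field

ICS_NET = ipaddress.ip_network("10.10.0.0/16")    # constructed plant network
CORP_NET = ipaddress.ip_network("10.20.0.0/16")   # constructed business network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False          # True for the TCP connection request
    payload: bytes = b""


def direction(pkt: Packet) -> str:
    """Classify a packet as 'outbound' (plant -> business), 'inbound', or 'other'."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if src in ICS_NET and dst in CORP_NET:
        return "outbound"
    if src in CORP_NET and dst in ICS_NET:
        return "inbound"
    return "other"


@dataclass
class StatefulFirewall:
    """Connection-tracking firewall with one rule: allow NEW connections from
    the plant to TCP/443 on the business network.  Once a flow exists, packets
    in both directions belong to it and pass; that is what connection tracking
    means, and it is what turns outbound access into an inbound channel."""
    allowed_outbound_ports: frozenset = frozenset({443})
    flows: set = field(default_factory=set)

    def permits(self, pkt: Packet) -> bool:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.flows or reverse in self.flows:
            return True                       # established flow: either direction passes
        if pkt.syn and direction(pkt) == "outbound" and pkt.dport in self.allowed_outbound_ports:
            self.flows.add(key)               # plant host opened the connection
            return True
        return False                          # everything else, including inbound SYN, is dropped


class UnidirectionalGateway:
    """Hardware-enforced one-way link: only plant -> business frames can exist on
    the link, so there is no established-flow return path to ride on."""

    def permits(self, pkt: Packet) -> bool:
        return direction(pkt) == "outbound"


def run_scenario(device) -> dict:
    """Replay the same constructed exchange through `device` and count the
    payload bytes that actually cross in each direction."""
    historian, corp_host, attacker = "10.10.1.5", "10.20.7.9", "10.20.99.1"
    exchange = [
        Packet(historian, 50000, corp_host, 443, syn=True),                   # plant opens connection
        Packet(historian, 50000, corp_host, 443, payload=b"tag=FIC101 value=42.0"),
        # reply on the same flow: if the corp host is compromised, this is the
        # interactive remote-control channel into the plant
        Packet(corp_host, 443, historian, 50000, payload=b"write setpoint FIC101 99.0"),
        # a direct inbound connection attempt, refused by both devices
        Packet(attacker, 40000, historian, 445, syn=True, payload=b"probe"),
    ]
    delivered = {"outbound": 0, "inbound": 0}
    for pkt in exchange:
        if device.permits(pkt):
            delivered[direction(pkt)] += len(pkt.payload)
    return delivered


if __name__ == "__main__":
    print("stateful firewall     :", run_scenario(StatefulFirewall()))
    print("unidirectional gateway:", run_scenario(UnidirectionalGateway()))
```

The firewall delivers the 26-byte inbound command because the plant host itself opened the flow; no rule was violated. The gateway delivers the same outbound historian data and zero inbound bytes, which is the replication model: the business side reads from the replica, and nothing it sends reaches the plant.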
16. Waterfall FLIP™ Defeats Interactive Remote Control
● Unidirectional Gateway whose direction can be reversed:
  ● Chemicals / refining / mining / pharmaceuticals: batch instructions
  ● Water systems: periodic security updates & anti-virus signatures
  ● Remote unstaffed sites: substations, pumping stations
● Trigger: button / key, schedule
● Stronger than firewalls, stronger than removable media
The FLIP is a Unidirectional Gateway that can “flip over”.
17. Deep Content Control
● Trend in firewalls for 30 years is towards increasingly deep understanding, inspection of, and control of communications protocols
● Deep content control inspects and controls individual fields, tags, values, flags & files passing between networks
● Supports open protocols, proprietary protocols, ICS protocols, fragmented protocols – anything that an endpoint can make sense of
● DCC is generally a client, pulling only desired data. Servers try to sort out anything a client/attacker sends them.
Deep Content Control protects both ICS networks from IT networks, and IT networks from ICS networks.
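The pull-and-validate behaviour described above in working form, as an added example that is not Waterfall's DCC implementation: the client asks the source for a fixed set of tags and then accepts each returned record field by field against a schema (allowed field set, known tag, numeric type, value range, quality code, fresh timestamp, size limit), refusing anything the schema does not name. The tag list, limits, record format and every record returned by the stand-in source are constructed.

```python
"""Deep Content Control as a pulling client with field-level validation.
Added example: schema, limits, record format and sample records are constructed."""
import json
from datetime import datetime, timedelta, timezone

# What may cross the boundary: tag -> (unit, min, max).  Unlisted tags never pass.
ALLOWED_TAGS = {
    "FIC101.PV": ("m3/h", 0.0, 500.0),
    "TIC205.PV": ("degC", -40.0, 250.0),
    "PUMP3.RUN": ("bool", 0, 1),
}
ALLOWED_FIELDS = frozenset({"tag", "ts", "value", "quality"})
ALLOWED_QUALITY = frozenset({"good", "uncertain", "bad"})
MAX_RECORD_BYTES = 256
MAX_CLOCK_SKEW = timedelta(minutes=5)
DEMO_NOW = datetime(2014, 6, 1, 12, 0, tzinfo=timezone.utc)   # fixed clock for the demo


def fetch_tags(tags, now):
    """Constructed stand-in for a historian read of exactly `tags`.  A faulty or
    compromised source can return anything, so the stand-in also hands back
    records that a careful client must refuse."""
    ts = now.isoformat()
    return [
        json.dumps({"tag": "FIC101.PV", "ts": ts, "value": 123.4, "quality": "good"}),
        json.dumps({"tag": "TIC205.PV", "ts": ts, "value": "87.0", "quality": "good"}),       # string, not number
        json.dumps({"tag": "PUMP3.RUN", "ts": ts, "value": 1, "quality": "good", "command": "stop"}),  # extra field
        json.dumps({"tag": "LIC999.SP", "ts": ts, "value": 5.0, "quality": "good"}),         # tag outside schema
        json.dumps({"tag": "FIC101.PV", "ts": ts, "value": 9e9, "quality": "good"}),         # impossible value
        json.dumps({"tag": "FIC101.PV", "ts": (now - timedelta(days=3)).isoformat(),
                    "value": 10.0, "quality": "good"}),                                      # stale
        '{"tag": "TIC205.PV", "ts": "' + ts + '", "value": ',                                # truncated
        json.dumps({"tag": "TIC205.PV", "ts": ts, "value": 20.0, "quality": "x" * 300}),    # oversized
    ]


def check_record(raw: str, now: datetime):
    """Return (record, 'ok') if every field is acceptable, else (None, reason).
    Every check is strict: a value of the wrong type is refused whatever it contains."""
    if len(raw.encode()) > MAX_RECORD_BYTES:
        return None, "oversize"
    try:
        rec = json.loads(raw)
    except ValueError:
        return None, "malformed json"
    if not isinstance(rec, dict) or set(rec) != ALLOWED_FIELDS:
        return None, "field set"
    spec = ALLOWED_TAGS.get(rec["tag"])
    if spec is None:
        return None, "unknown tag"
    unit, lo, hi = spec
    val = rec["value"]
    if isinstance(val, bool) or not isinstance(val, (int, float)):
        return None, "value type"
    if unit == "bool" and val not in (0, 1):
        return None, "value range"
    if not lo <= val <= hi:
        return None, "value range"
    if rec["quality"] not in ALLOWED_QUALITY:
        return None, "quality"
    try:
        ts = datetime.fromisoformat(rec["ts"])
    except (TypeError, ValueError):
        return None, "timestamp"
    if ts.tzinfo is None or abs(now - ts) > MAX_CLOCK_SKEW:
        return None, "timestamp"
    clean_val = int(val) if unit == "bool" else float(val)
    return {"tag": rec["tag"], "ts": ts, "value": clean_val, "unit": unit}, "ok"


def pull(now=DEMO_NOW):
    """Ask for the schema's tags only, validate every returned record, and count
    the rejection reasons (the counts are what you would send to monitoring)."""
    accepted, rejected = [], {}
    for raw in fetch_tags(sorted(ALLOWED_TAGS), now):
        rec, why = check_record(raw, now)
        if rec is None:
            rejected[why] = rejected.get(why, 0) + 1
        else:
            accepted.append(rec)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = pull()
    print("accepted:", ok)
    print("rejected:", bad)
```

The accepted record is rebuilt from the validated fields rather than forwarded as received, so nothing the source added (an unexpected key, a differently typed value) survives the crossing even when the checks pass.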
18. Evolving Best Practices – Unidirectional Gateways
● NERC CIP exempts unidirectionally-protected sites from over 35% of requirements
● DHS recommends unidirectional gateways in security assessments (ICS-CERT)
● NRC & NEI exempt unidirectionally-protected sites from 21 of 26 cyber-perimeter rules
● Unidirectional gateways limit the propagation of malicious code (ISA SP-99-3-3 / IEC 62443-3-3)
● ENISA - unidirectional gateways provide better protection than firewalls
● NIST - unidirectional gateways prevent any connectivity of traffic between domains (800-82)
19. Best Practices Continue to Evolve
Unidirectional gateways defeat targeted attacks, insider attacks & malware propagation.
20. Waterfall Security Solutions
● Headquarters in Israel, sales and operations office in the USA
● Hundreds of sites deployed in all critical infrastructure sectors
2012, 2013 & 2014 Best Practice awards for Industrial Network Security and Oil & Gas Security Practice
IT and OT security architects should consider Waterfall for their operations networks
Waterfall is a key player in the cyber security market – 2010, 2011, & 2012
● Strategic partnership agreements / cooperation with: OSIsoft, GE, Siemens, and many other major industrial vendors
21. ICS Relies Heavily on Perimeter Protection
● If IT protections cannot prevent modern attacks from breaching IT networks, why are they adequate for ICS networks?
● Unidirectional Gateways defeat modern interactive remote control attacks
● Everything crossing physical or cyber perimeters is a threat
● Deep Content Control supports open protocols as well as proprietary, industrial protocols
Hardware-enforced unidirectional protections are today’s best practices.