Copyright 2016 – AlphaGuardian Networks LLC. All rights reserved

The Intersection of The IIoT and Cybersecurity

Building Codes REQUIRE Networked Energy Management Systems

But EVERY communication protocol is vulnerable to hackers!

Electrical Systems

Metering

HVAC BMS/DCIM

SNMP

Modbus

BACnet

Modbus Communications are NOT Safe

Modbus is the standard communication protocol between the BMS and the Operating Technology (OT) and it has NO security.

Modbus attacks are easy to carry out:

The Modbus protocol has become the de facto industrial communications standard…The Modbus protocol lacks the ability to authenticate a user and hence middle man attacks can easily take place in Modbus.

- California Energy Commission Best Practices White Paper

SNMP Communications are NOT Safe

SNMP is easily compromised, leading to a takeover of any UPS or PDU

Copyright 2014 – AlphaGuardian Networks LLC

“SNMPv3 fails to provide its advertised security guarantees…These vulnerabilities are implementation agnostic and demonstrate a fundamental flaw in the current protocol…An adversary could use a single request to shutdown multiple UPS’s”

Dr. Patrick Traynor, Georgia Institute of Technology

BACnet Communications are NOT Safe

BACnet is classified by security experts as “Insecure by Design” or IbD

“Knowing the Object Identifier and having a BACnet client will usually allow you to issue commands to the BACnet device such as change setpoint, change schedule, or change program based on the capabilities of the BACnet device.”

Digital Bond Corporation Research Report

Modbus, SNMP & BACnet units Easily Found

These systems can be sniffed and found on most facilities’ networks.

Power Systems
• Power Meters
• Energy Storage Systems
• UPS and PDU systems

Mechanical Systems
• Pumps
• Chillers
• VFDs and PLCs

Lighting Systems
• Lighting control systems
• Lighting dimmers

Traditional Firewalls Do Not Stop Hackers

If you can gain access to a user’s VPN credentials, you’re in!

This is how the Target breach was carried out.

WiFi & Zigbee Actually Invite Hackers

Dozens of Free WiFi Crackers are available on the Internet including multiple Android Apps!

Zigbee crackers are also freely available

Wireless Hacking

Breach Level Report - Insiders now lead outsiders in successful cyber attacks

Malicious Insider, 52%
Malicious Outsider, 43%
Hacktivist, 4%
State Sponsored, 1%

Wi-Fi Cracker for Android phones allows anyone to anonymously enter networks

Traditional Firewalls Only Screen

Traditional Firewall systems use “White Lists” and “Black Lists”.

If you spoof a “White List” IP address, you get to enter the “secure zone” freely!

All Major Security Regulations Require Securing Electrical and Mechanical Systems

California Energy Commission Best Practices Require IIoT Security

Section 2.2 Demand Response Security Concerns.
2.2.2 DR Events Information
“DR strategies are pre-programmed in Energy Management Control System (EMCS) at the customers’ sites. The strategies are carried out when the DR events and pricing signal arrives.

However, if DR events information is manipulated by an attacker by controlling the electricity usage, such as turning on/off the air condition or heating units at end users, this could affect both the utility and participants in DR program financially.”

California Law Requires Securing Submetering for Title 24 Requirements

California Senate Bill 1476 - Section 2, Chapter 5
PRIVACY PROTECTIONS FOR ENERGY CONSUMPTION DATA
“An electrical corporation or gas corporation shall use reasonable security procedures and practices to protect a customer’s unencrypted electrical or gas consumption data from unauthorized access, destruction, use, modification, or disclosure.”

Public Utilities Commission Decision 08-12-009
RULES TO PROTECT THE PRIVACY AND SECURITY OF ELECTRICITY USAGE DATA
Section 9.1
“…those engaged in a primary purpose pursuant to a program approved by the Commission, whether a utility or a non-utility, have similar rights and responsibilities pertaining to the data needed to accomplish the primary purpose.”

PLCs & HVAC are Already Being Hacked

United States Industrial Control System Computer Emergency Response Team (ICS-CERT) Bulletin: January 26, 2016

Rockwell Automation, Micrologix PLC is vulnerable to cyber attack.

Lighting Systems are Being Hacked

United States Industrial Control System Computer Emergency Response Team (ICS-CERT) Bulletin: April 7, 2016

Eaton Lighting Systems are vulnerable to cyber attack.

Power Meters are Being Attacked

United States Industrial Control System Computer Emergency Response Team (ICS-CERT) Bulletin: September 12, 2016

Schneider Ion Power Meter is vulnerable to cyber attack.

OK Time to Take a Breath!

We see that all major IIoT communication protocols are insecure.

We know that an attack on an IIoT device can produce catastrophic results.

But there ARE options that you can employ to protect the devices in your design and implementation!!!!

Here Are 5 Guiding Principles to Make Your Projects Secure

1. There is an inverse relationship between convenience and security
2. Separate all IIoT systems from the Enterprise Network
3. Never place control of a system in a single device
4. Distribute control as close to the managed devices as possible
5. Match the proper security component to the proper task

The Inverse Relation Between Convenience and Security

System designs have tended to become easier to deploy by using newer technologies.

Example: wireless lighting and plug control systems.

This creates a classic tradeoff between ease of installation and implementation vs. security!!!

Separate all IIoT Systems from the Enterprise Network

Enterprise Networks are VERY complex and that complexity creates backdoors for entry into your systems.

Over 1/3rd of all data center Enterprise Networks were penetrated in 2015 according to Arbor Networks.

Enterprise Networks work on the assumption that MANY people need access to equipment. IIoT Networks should assume that a very, very small number of people need access to equipment.

Never Place Total Control in 1 Device

Most IIoT BMS systems operate with limited security.

ICS-CERT has issued over 50 warnings based on BMS/EMS/DCIM Systems.

These systems are easy to find on the Internet and easy to find in an office building.

With only HTTP security, they can be hacked easily by a low-skill person.

Distribute Control Near the Device

Move control into the system via:
• PLCs
• PID controllers
• Intelligent VFDs

Distributed controls eliminate a single point of attack sequence.

Distributed controls also eliminate a single point of failure.

You are much more secure than trying to put all your eggs into one basket

Match Security Component to the Task

There are 3 types of IIoT firewall devices.
1. Virtual Private Network Server
2. Traditional Filtering Firewall
3. Data Diode Firewall

In order to secure an IIoT network, you will likely need all 3 types

Virtual Private Network Unit

Purpose: A VPN creates a secure connection between your browser and anything connected directly behind the VPN unit.

Best Uses:
1. In front of BMS/EMS
2. In front of DCIM
3. In front of any other monitoring console

Traditional Filtering Firewall

Purpose: Allows 2-way communication between a known IP address on the outside and a protected object on the inside.

Best Uses:
1. IIoT systems that require control commands
2. IIoT devices that use non-standard protocols

Data Diode Firewall

Purpose: Gathers information from protected IIoT systems on its inside and pushes encrypted information to a matched diode receiver. The receiver then decrypts the data and makes it available in original native format.

Best Uses:
1. For any IIoT device that is only monitored
2. For remote monitoring critical systems

A Data Diode with Secure Cloud Integration for Distanceless, Secure Monitoring

If You Match Security to each of Your Devices You Will Be Successful!

The Team

Chet Sandberg: CTO
• Former Chief Scientist - Raychem Corporation
• Board Member - TrendPoint Systems and NetBrowser
• IEEE Fellow, MS from MIT, BS from Stanford

Bob Hunter: Founder and CEO
• Founder and CEO – TrendPoint Systems, the leader in high density energy monitoring for data centers
• Founder and CEO – NetBrowser Communications, first DCIM system, now Modius

Zack Hunter: Chief Data Architect
• Data Analytics Programmer – US Department of Energy
• BS – Computer Science, BA – Mathematics, Whitworth University

Thank You!

- Bob Hunter

Contact: bhunter@alphaguardian.net
(925) 421-0030