Defending ICS from Cyberthreats with Next-generation Platform Security Del Rodillas Sr. Manager, SCADA & ICS Initiative

[CLASS 2014] Palestra Técnica - Delfin Rodillas

Jun 25, 2015


Talk title: Defending industrial control systems against cyber threats with next-generation security
Transcript
Page 1: [CLASS 2014] Palestra Técnica - Delfin Rodillas

Defending ICS from Cyberthreats with Next-generation Platform Security

Del Rodillas

Sr. Manager, SCADA & ICS Initiative

Page 2: [CLASS 2014] Palestra Técnica - Delfin Rodillas

Palo Alto Networks at a glance

Corporate highlights

Founded in 2005; first customer shipment in 2007

Supplier of Industry-leading Enterprise Security Platform

Safely enables all applications through granular use control, and prevents known and unknown cyber threats, for all users on any device across any network.

Experienced team of 1,650+ employees

Q3FY14: $150.7M revenue; 17,000+ customers

[Charts: Enterprise customers at Jul-11 4,700; Jul-12 9,000; Jul-13 13,500; May-14 17,000. Revenues in $MM (FYE July): FY09 $13, FY10 $49, FY11 $119, FY12 $255, FY13 $396, FY14TD $420.]

2 | ©2014, Palo Alto Networks

Page 3: [CLASS 2014] Palestra Técnica - Delfin Rodillas

What is a Cyberthreat?

[Diagram: a cyber threat, malicious or unintentional, affects the availability, confidentiality and integrity of industrial control systems and information systems.]

Page 4: [CLASS 2014] Palestra Técnica - Delfin Rodillas

What Keeps SCADA Security Supervisors Up at Night?

[Bar chart: "What are the top three threat vectors you are most concerned with?", percent of respondents (0% to 30%) by first, second and third choice. Categories: Extortion or other financially motivated crimes; Other; Industrial espionage; Cybersecurity policy violations; Attacks coming from within the internal network; Email phishing attacks; Insider exploits; Malware; External threats (hacktivism, nation states).]

Source: SANS 2014 Survey on Industrial Control Systems

Page 5: [CLASS 2014] Palestra Técnica - Delfin Rodillas

Advanced Targeted Attacks

- Social Engineering: Removable media
- Exploits zero-day vulnerabilities (Windows, Siemens)
- Propagation/Recon via general IT apps and file-types
- Goal: Disrupt uranium enrichment program

Energetic Bear
- Social Engineering: Spearphishing, Watering hole, Trojan in ICS Software
- Enumerates OPC assets (ICS protocol!)
- Goal: IP theft and ICS Attack PoC?

Norway Oil & Gas Attacks
- Social Engineering: Spearphishing, Watering hole
- Goal: IP Theft and ???

Page 6: [CLASS 2014] Palestra Técnica - Delfin Rodillas

Malicious Insider Attack

- Sewage treatment facility in Maroochy Shire, Queensland, Australia
- Disgruntled employee of ICS vendor sought revenge on customer (shire council) and employer
- Used intimate knowledge of asset owner's ICS to gain access and wreak havoc
- Impact:
  - Spillage of 800,000 liters of raw sewage into local parks, rivers and hotel grounds
  - Loss of marine life, damage to environment, health hazard

Source: Applied Control Solutions

Page 7: [CLASS 2014] Palestra Técnica - Delfin Rodillas

Unintentional Cyber Incidents

SQL Slammer
- Platform shared by operator and royalty partner
- Slammer infection on rig via partner network
- Workstations and SCADA servers crashed; systems would not restart after reboot; 8 hours to restore the SCADA and restart production
- Consequences:
  - Immediate loss of monitoring of down-hole wells
  - Loss of production for all 4 major wells
  - Total losses > $1.2M before production finally restored

Source: Red Tiger Security

- Application Visibility and Risk Report conducted at energy company in E. Europe
- Plant manager insisted "not internet-facing"
- Rogue broadband link and risky web applications found on SCADA system: Wuala (storage), eMule (P2P), DAV (collaboration)
- Concerns over loss of IP, network availability, malware introduction

Source: Palo Alto Networks

Page 8: [CLASS 2014] Palestra Técnica - Delfin Rodillas

Revisiting the Trust Model in ICS

[Diagram: the process control network (PCN) with PCN servers, HMI, PLCs/RTUs and local HMIs; remote stations / plant floor with their own PLCs/RTUs and local HMIs; a DEV environment; and connections from vendors/partners, mobility, the enterprise network, the Internet/WAN and internal actors.]

Page 9: [CLASS 2014] Palestra Técnica - Delfin Rodillas

Observations

- Broken trust model: micro-segmentation is critical
- Granular visibility of traffic is an essential capability: applications, users, content, with shared context
- End-to-end security is required: threats originate at endpoints and via networks
- Real and potentially high risks with ICS cyber incidents: must focus on prevention vs. just detection
- Advanced attacks will be "zero-day": the capability to detect and stop unknown threats quickly is needed; automated threat analysis and information sharing would be helpful

Page 10: [CLASS 2014] Palestra Técnica - Delfin Rodillas

Legacy Security Architecture and Its Challenges

Characteristic: Stateful inspection firewall as a base (visibility to port numbers and IP addresses; no content identification)
Associated challenges:
- Limited visibility to ICS traffic & risks
- Coarse access control; not role based

Characteristic: Firewall "helpers" (URL, AV, IPS, Proxy, IM, Sandbox) bolted on to try to fill the security gaps
Associated challenges:
- Uncorrelated information silos; slow forensics
- Increased administrative effort
- Performance drop-off / serial processing
- Limited to no zero-day threat detection / prevention capabilities

Characteristic: Traditional endpoint security
Associated challenges:
- Highly vulnerable to targeted attacks
- Disjointed endpoint & network technologies

Page 11: [CLASS 2014] Palestra Técnica - Delfin Rodillas

What is Required? Platform Approach Focused on Prevention

Next-Generation Network Security
- Inspects all traffic
- Blocks known threats
- Sends unknown to cloud
- Extensible to mobile & virtual networks

Advanced Endpoint Protection
- Inspects all processes and files
- Prevents both known & unknown exploits
- Integrates with cloud to prevent known & unknown malware

Threat Intelligence Cloud
- Gathers potential threats from network and endpoints
- Analyzes and correlates threat intelligence
- Disseminates threat intelligence to network and endpoints

Page 12: [CLASS 2014] Palestra Técnica - Delfin Rodillas

Next-generation Network Security

[Diagram: a Layer 7 classification engine identifies application, user and content, fed by application identifiers plus additional intelligence (threat/vulnerability signatures, URL database, user/user-group mapping). Natively supported services: Application Visibility and Control; Threat Prevention (AV, AS, exploits); URL Filtering; Unknown Threat Prevention; Mobile Security.]

Page 13: [CLASS 2014] Palestra Técnica - Delfin Rodillas

Systematic Approach to Network Security

[Diagram, a cycle: 1. Improve situational awareness with granular traffic visibility; 2. Apply positive controls; 3. Prevent known threats; then discover unknown threats and apply new protections to prevent future attacks.]

Page 14: [CLASS 2014] Palestra Técnica - Delfin Rodillas

Systematic Approach to Network Security (diagram repeated from page 13)

Page 15: [CLASS 2014] Palestra Técnica - Delfin Rodillas

Protocol/Application Identifiers for SCADA & ICS

- Modbus base
- Modbus function control
- DNP3
- IEC 60870-5-104 base
- IEC 60870-5-104 function control
- OSIsoft PI Systems
- ICCP (IEC 60870-6 / TASE.2)
- Cygnet
- Elcom 90
- FactoryLink
- MQTT
- BACnet
- CIP Ethernet/IP
- Synchrophasor (IEEE C37.118)
- Foundation Fieldbus
- Profinet IO
- OPC

Page 16: [CLASS 2014] Palestra Técnica - Delfin Rodillas

Functional Application Identifiers

Function Control Variants (15 total)

Modbus-base

Modbus-write-multiple-coils

Modbus-write-file-record

Modbus-read-write-register

Modbus-write-single-coil

Modbus-write-single-register

Modbus-write-multiple-registers

Modbus-read-input-registers

Modbus-encapsulated-transport

Modbus-read-coils

Modbus-read-discrete-inputs

Modbus-mask-write-registers

Modbus-read-fifo-queue

Modbus-read-file-record

Modbus-read-holding-registers

Applipedia entry for Modbus-base App-ID


Page 17: [CLASS 2014] Palestra Técnica - Delfin Rodillas

ICS-ISAC SARA Testbed at the Enernex Smart Grid Lab

[Diagram: a rugged server, substation server, PC running GE EnerVista, phasor data concentrator, transformer protection, feeder protection, line distance protection and line distance relay connected through a rugged Ethernet switch, speaking DNP3, IEC 61850, C37.118 and Modbus; a Palo Alto Networks next-generation firewall monitors a mirror/SPAN port.]

ics-isac.org/sara

Page 18: [CLASS 2014] Palestra Técnica - Delfin Rodillas

Sample Traffic from SARA Testbed (SPAN Port Monitoring)

Protocol/Protocol-function visibility

Page 19: [CLASS 2014] Palestra Técnica - Delfin Rodillas

Systematic Approach to Network Security (diagram repeated from page 13)

Page 20: [CLASS 2014] Palestra Técnica - Delfin Rodillas

User Identification is a Key Enabler of Role-based Access

- Policy enforcement based on users and groups

Page 21: [CLASS 2014] Palestra Técnica - Delfin Rodillas

Segmentation with Application and User Identification

[Diagram: three scenarios across the Business, Server, User, Process and Remote/Support zones]
- Business user access to Historian application, e.g. PI
- Sr. Engineer access to Modbus Write, SSH
- 3rd-party application use via Jump Server

Page 22: [CLASS 2014] Palestra Técnica - Delfin Rodillas

Systematic Approach to Network Security (diagram repeated from page 13)

Page 23: [CLASS 2014] Palestra Técnica - Delfin Rodillas

ICS-Specific IPS Signatures

- Product-specific
- Risky protocol commands (DNP3, Modbus)
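The function-control identifiers on page 16, the role-based segmentation on page 21 and the "risky protocol commands" on this page all come down to the same mechanism: decode the ICS protocol far enough to know which function is being invoked, then decide per zone and user group whether that function is allowed. The following is an added example, not code from the slides or from Palo Alto Networks: a small Modbus/TCP classifier that maps the function code to an App-ID-style name and a positive-control rule set that allows writes only for a senior-engineer group. The zone names, user groups, rules and sample frames are constructed for illustration; the function-code table follows the Modbus application protocol specification.

```python
"""Added example (not from the slides or Palo Alto Networks): Modbus/TCP
function classification plus a zone- and role-aware positive-control policy.
Zones, user groups, rules and sample frames are constructed for illustration."""
import struct

# Function code -> App-ID-style name, using the variant names listed on page 16.
FUNCTION_NAMES = {
    0x01: "modbus-read-coils",
    0x02: "modbus-read-discrete-inputs",
    0x03: "modbus-read-holding-registers",
    0x04: "modbus-read-input-registers",
    0x05: "modbus-write-single-coil",
    0x06: "modbus-write-single-register",
    0x0F: "modbus-write-multiple-coils",
    0x10: "modbus-write-multiple-registers",
    0x14: "modbus-read-file-record",
    0x15: "modbus-write-file-record",
    0x16: "modbus-mask-write-registers",
    0x17: "modbus-read-write-register",
    0x18: "modbus-read-fifo-queue",
    0x2B: "modbus-encapsulated-transport",
}


def classify_modbus_tcp(frame: bytes) -> dict:
    """Parse the 7-byte MBAP header and the function code of a Modbus/TCP PDU.

    A frame whose MBAP length field disagrees with the bytes on the wire is
    rejected instead of being classified as harmless base traffic.
    """
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto_id, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto_id != 0:
        raise ValueError("MBAP protocol id must be 0 for Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame length")
    fc = frame[7]
    if fc & 0x80:
        app = "modbus-exception"  # exception response, not a request
    else:
        app = FUNCTION_NAMES.get(fc, "modbus-base")  # unlisted code: base only
    # Any function that changes coil/register state counts as a risky write.
    return {"tid": tid, "unit": unit, "fc": fc, "app": app, "writes": "write" in app}


# Constructed positive-control rules: first match wins, no match means deny.
# Mirrors page 21: a Sr. Engineer may issue Modbus writes from the User Zone,
# an operator may only read, and the Business Zone never speaks Modbus.
RULES = [
    {"zone": "user-zone", "group": "sr-engineers", "app_prefix": "modbus-", "allow_writes": True},
    {"zone": "user-zone", "group": "operators", "app_prefix": "modbus-", "allow_writes": False},
    {"zone": "business-zone", "group": "*", "app_prefix": "pi-", "allow_writes": False},
]


def decide(src_zone: str, user_group: str, app: str, writes: bool) -> str:
    """Return 'allow' or 'deny' for a (zone, user group, application) triple."""
    for rule in RULES:
        if rule["zone"] != src_zone or rule["group"] not in ("*", user_group):
            continue
        if not app.startswith(rule["app_prefix"]):
            continue
        return "deny" if writes and not rule["allow_writes"] else "allow"
    return "deny"


def evaluate_frame(src_zone: str, user_group: str, frame: bytes):
    """Classify one request and emit a single log record carrying zone, user
    group and application together (the shared context page 26 relies on)."""
    info = classify_modbus_tcp(frame)
    action = decide(src_zone, user_group, info["app"], info["writes"])
    record = (f"zone={src_zone} group={user_group} app={info['app']} "
              f"unit={info['unit']} risky_write={info['writes']} action={action}")
    return action, record


# Constructed sample requests (MBAP header + PDU), unit id 1.
READ_HOLDING = bytes.fromhex("0001 0000 0006 01 03 0000 000A")        # read 10 regs at 0
WRITE_SINGLE = bytes.fromhex("0002 0000 0006 01 06 0010 00FF")        # write reg 0x10
WRITE_COILS = bytes.fromhex("0003 0000 0008 01 0F 0000 0008 01 FF")   # write 8 coils
UNLISTED_FC = bytes.fromhex("0004 0000 0002 01 41")                   # user-defined code

if __name__ == "__main__":
    for zone, group, frame in [
        ("user-zone", "operators", READ_HOLDING),
        ("user-zone", "operators", WRITE_SINGLE),
        ("user-zone", "sr-engineers", WRITE_COILS),
        ("business-zone", "finance", READ_HOLDING),
    ]:
        print(evaluate_frame(zone, group, frame)[1])
```

The default-deny ordering is the point: a frame from an unexpected zone, an unknown user group, or an unlisted function code never falls through to "allow", and every decision is logged with the application, user group and zone in one record so an investigator does not have to join three separate logs afterwards.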

Page 24: [CLASS 2014] Palestra Técnica - Delfin Rodillas

IT-centric exploits, but also relevant to OT

- Several ICS vendors issued Heartbleed advisories
- Browser-based HMIs and other applications in ICS: vulnerabilities being discovered all the time
- XP & Server are still widely used in ICS: XP and older Server versions no longer supported

Page 25: [CLASS 2014] Palestra Técnica - Delfin Rodillas

Anti-Virus and Anti-Spyware


Page 26: [CLASS 2014] Palestra Técnica - Delfin Rodillas

Benefits of Shared Information

[Diagram: applications, threat profiles, security zones and user / user group share one context.]
1. Accelerated forensics
2. Simplified policy implementation & management

Page 27: [CLASS 2014] Palestra Técnica - Delfin Rodillas

Systematic Approach to Network Security (diagram repeated from page 13)

Page 28: [CLASS 2014] Palestra Técnica - Delfin Rodillas

Zero-day Malware Detection & Prevention


Page 29: [CLASS 2014] Palestra Técnica - Delfin Rodillas

Platform Approach to Stopping Energetic Bear

1. Apply application visibility and control for OPC and other allowed traffic. Apply User-ID for role-based policy. Control content & access to web. (Allowed traffic)
2. Apply Threat Prevention for known Havex malware signatures, exploits, and command-and-control traffic associated with Havex. (Exploits, AV, CNC)
3. Isolate suspicious files which could be a zero-day variant of Havex. Automatically convert to a known threat; receive protections and additional intelligence from the cloud. (WildFire: "zero-day" Havex variant, protections and intelligence)

Page 30: [CLASS 2014] Palestra Técnica - Delfin Rodillas

Endpoint Security: The failures of traditional approaches

[Diagram: legacy endpoint protection checks an EXE or PDF against known signatures (no), known strings (no) and previously seen behavior (no), so targeted, evasive, advanced attacks get through, whether as malware via direct execution or as an exploit of a vulnerability used to run any code.]

Page 31: [CLASS 2014] Palestra Técnica - Delfin Rodillas

Block the core techniques, not the individual attacks

Software vulnerability exploits: thousands of new vulnerabilities and exploits a year
Exploitation techniques: only 2-4 new exploit techniques a year
Malware: millions of new malware every year
Malware techniques: 10s to 100s of new malware sub-techniques every year

Page 32: [CLASS 2014] Palestra Técnica - Delfin Rodillas

Introducing Traps: the right way to deal with advanced cyber threats

- Prevent exploits, including zero-day exploits
- Prevent malware, including advanced & unknown malware
- Collect attempted-attack forensics for further analysis
- Scalable & lightweight: must be user-friendly and cover the complete enterprise
- Integrate with network and cloud security for data exchange and cross-organization protection

Page 33: [CLASS 2014] Palestra Técnica - Delfin Rodillas

Central Management and Reporting

[Diagram: a central management platform with a central admin and aggregate reports, above local devices (PCN and remote station) with their own logs, reports and PCN/remote admins.]

- Centralized deployment of universal rules while giving IT and OT admins the ability to set local policies
- Role-based administration for added security (tiered admin rights)
- Centralized reports which facilitate forensics and regulatory compliance

Page 34: [CLASS 2014] Palestra Técnica - Delfin Rodillas

Summary: New Kind of Security Needed for ICS

- Platform-based: network, endpoint, cloud
- Prevention-focused: stop advanced attacks vs. just telling you that you have a problem
- Network: delivers granular visibility and segmentation (protocol visibility, user-based controls); stops known and unknowns
- Endpoint: stop the fundamental techniques vs. signatures
- Threat intelligence cloud: automated analysis and correlation; interacts with network and endpoint
- Palo Alto Networks Next-generation Platform meets these requirements

Page 35: [CLASS 2014] Palestra Técnica - Delfin Rodillas

Learn more about Next-generation Security for SCADA/ICS

1. Download our SCADA/ICS Solution Brief: go.secure.paloaltonetworks.com/secureics
2. Learn how your control network is being used and what threats may exist: sign up for a free Application Visibility and Risk Report (AVR) at http://connect.paloaltonetworks.com/AVR

Sign up for a Live Online Demo at: http://events.paloaltonetworks.com/?event_type=632

Page 36: [CLASS 2014] Palestra Técnica - Delfin Rodillas