
[CLASS 2014] Technical Talk - Michael Firstenberg

Jun 25, 2015


Talk title: Innovating in industrial perimeter security: revolutionizing SCADA perimeter security with technologies that are stronger than firewalls
Transcript
Page 1: [CLASS 2014] Technical Talk - Michael Firstenberg

Proprietary Information -- Copyright © 2014 by Waterfall Security Solutions

UNIDIRECTIONAL SECURITY GATEWAYS™

2014

Challenges of Cybersecurity Implementations for Process Control Systems

Michael Firstenberg, Director of Industrial Security, Waterfall Security Solutions

Page 2: Security Landscape

● 1M ICS hosts on the Internet? 500K in North America? Really only 7,000

● Heartbleed – encryption in lots of products, websites & VPNs broken

● NSA supply chain revelations. Does anyone really believe it was only the NSA?

● Always more ICS vulnerabilities found, and patching a change-controlled network is slow

Heartbleed drives home the point: all software has bugs. Some bugs are security holes. So in practice, all software can be hacked.

Page 3: Who Are We Worried About?

Threat | Resources | Methods | Existing Protection | Examples
Nation-state, sleeper insiders | High | Highly targeted, autonomous | none | Stuxnet, NSA supply chain
Targeted Persistent Attacks | Medium | Targeted, manual remote control | NEI | Aurora, Night Dragon, Shady RAT, GhostNet, ...
Disgruntled insider with access to ICS | Low | Targeted: social engineering | ISA, API, NERC-CIP | Maroochy
Insider with access to IT network | Low | Targeted: social engineering | NIST | IT examples
Organized crime | Medium | High volume, automated | ISA, API, NERC-CIP | Zeus, Conficker

Page 4: Targeted Persistent Attacks

● Use “spear phishing” or server attacks to punch through firewalls

● Use custom malware to evade anti-virus

● Operate malware by interactive remote control

● Steal administrator passwords / password hashes

● Create new administrator accounts on the domain controller

● Use the new accounts to log in – no need to “break in” any more – defeats software update programs

IT teams are unable to block these targeted attacks at the corporate perimeter.

Page 5: IT vs ICS - Safety, Reliability, Confidentiality

Attribute | Enterprise / IT | Control System
Scale | Huge: 100,000s of devices | 100-500 devices per DCS
Priority | Confidentiality | Safety and reliability
Target | Data | Equipment
Exposure | Constant exposure to Internet content / attacks | Exposed to business network, not Internet
Equipment lifecycle | 3-5 years | 10-20 years
Security discipline | Speed / aggressive change: stay ahead of the threats | Security is an aspect of safety: Engineering Change Control (ECC)

The difference between IT and ICS is control

Page 6: Reliability + Safety Risks = Soft ICS Interior

● Cyber safety and reliability risks arise from the ability to control physical equipment

● Testing security updates and AV updates for reliability and safety takes longer – sometimes much longer

● Tens of thousands of vulnerabilities are waiting to be discovered in ICS software

● Old, out-of-support hardware and software

● The encrypted/authenticated communications debate for critical devices may never be resolved

Strong perimeter protection will always be disproportionately important in ICS defense-in-depth programs

Page 7: Physical Security

● Strictly control access to critical ICS computers

● Reduce risks due to USB, CD-ROMs, cell phone connections and other removable media / networking

● Reduce risks due to rogue laptops & other equipment plugged into ICS / safety networks

● Entire ICS network must lie within the physical security perimeter

● No silver bullet:

● Insider threat is still real

● Distant adversaries can compromise equipment over Internet / remote control

Photo: Idaho National Labs

Page 8: Sneakernet

● Device control – low-impact software to control which users and ports can accept which kinds of USB / CD / DVD device

● Network Access Control – refuses access to unauthorized laptops

● Supply chain – offline scans of hard disks of new equipment, physical inspections

● The most cautious firms purchase USB peripherals from distant, random locations

● Training & Awareness

Be paranoid. Everything that crosses the physical or cyber perimeter is a threat.

Page 9: Device Control & Whitelisting

● Whitelisting: strictly control what software is allowed to run where

● Currently used more for “devices” with complex embedded operating systems than for entire ICS systems

● Device control: forbid entirely the execution of software from removable media; control what kinds of USB devices (keyboards, mice) are allowed to be connected to which ports

● Less intrusive than whitelisting, applied more commonly to larger parts of ICS systems

● No silver bullet:

● Cannot prevent remote control of legitimate applications

Page 10: Cyber Perimeter - How Secure are Firewalls Really?

Firewalls have been with us for 30 years now. The good guys and the bad guys both know how to defeat them.

Photo: Red Tiger Security

Attack success rate against a Unidirectional Gateway (UGW) and against a firewall (Fwall), rated Impossible / Routine / Easy per attack type:

1) Phishing / drive-by-download – victim pulls your attack through the firewall

2) Social engineering – steal a password / keystroke logger / shoulder surf

3) Compromise domain controller – create ICS host or firewall account

4) Attack exposed servers – SQL injection / DoS / buffer overflows

5) Attack exposed clients – compromised web servers / file servers / buffer overflows

6) Session hijacking – MITM / steal HTTP cookies / command injection

7) Piggy-back on VPN – split tunneling / malware propagation

8) Firewall vulnerabilities – bugs / zero-days / default passwords / design vulnerabilities

9) Errors and omissions – bad firewall rules/configs / IT reaches through firewalls

10) Forge an IP address – firewall rules are IP-based

Page 11: Technical Shortcomings of Firewalls

● Well short of secure initially

● The “deny any any” rule

● Order of your firewall ruleset

● Multiple administration services

● Multiple passwords

A Tufin Technologies survey found that 86% of hackers believe that they can break through any firewall.

Photo: Idaho National Labs
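The two ruleset bullets above (the final “deny any any” rule and rule order) are where most of the “errors and omissions” on the previous slide come from. The following Python is an added example, not code from the deck or from Waterfall: a first-match ruleset model with a check for rules shadowed by a broader earlier rule, and a check for a missing trailing default deny. The rule names, addresses and port numbers are constructed for illustration.

```python
"""Ordered, first-match firewall ruleset checks: rules shadowed by a broader
earlier rule, and a missing trailing deny-any-any. Constructed example."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # CIDR, e.g. "10.10.0.0/16"
    dst: str               # CIDR
    dport: Optional[int]   # None means any destination port

    def matches(self, proto: str, src: str, dst: str, dport: int) -> bool:
        return (self.proto in ("any", proto)
                and ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == dport))


def covers(a: Rule, b: Rule) -> bool:
    """True when every packet b would match is already matched by a."""
    return ((a.proto == "any" or a.proto == b.proto)
            and ipaddress.ip_network(b.src).subnet_of(ipaddress.ip_network(a.src))
            and ipaddress.ip_network(b.dst).subnet_of(ipaddress.ip_network(a.dst))
            and (a.dport is None or a.dport == b.dport))


def first_match(rules: List[Rule], proto: str, src: str, dst: str, dport: int) -> Optional[Rule]:
    """What the firewall does: the first rule that matches decides."""
    for r in rules:
        if r.matches(proto, src, dst, dport):
            return r
    return None


def shadowed_rules(rules: List[Rule]) -> List[Tuple[str, str]]:
    """(shadowed rule, earlier rule that hides it): these rules can never fire."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                found.append((later.name, earlier.name))
                break
    return found


def has_final_deny_any(rules: List[Rule]) -> bool:
    """The ruleset should end with an explicit deny of everything."""
    last = rules[-1]
    return (last.action == "deny" and last.proto == "any" and last.dport is None
            and ipaddress.ip_network(last.src).prefixlen == 0
            and ipaddress.ip_network(last.dst).prefixlen == 0)


# Constructed IT-to-ICS rulesets; addresses and ports are illustrative.
IT_NET, ICS_NET = "10.10.0.0/16", "10.20.0.0/16"

BAD_RULES = [
    Rule("it-to-ics-any", "allow", "any", IT_NET, ICS_NET, None),          # "IT reaches through"
    Rule("historian-pull", "allow", "tcp", "10.10.5.0/24", "10.20.1.10/32", 5450),
    Rule("block-rdp", "deny", "tcp", IT_NET, ICS_NET, 3389),               # never reached
]

GOOD_RULES = [
    Rule("historian-pull", "allow", "tcp", "10.10.5.0/24", "10.20.1.10/32", 5450),
    Rule("deny-all", "deny", "any", "0.0.0.0/0", "0.0.0.0/0", None),
]

if __name__ == "__main__":
    print("shadowed:", shadowed_rules(BAD_RULES))
    print("RDP from IT hits:", first_match(BAD_RULES, "tcp", "10.10.9.9", "10.20.1.50", 3389).name)
    print("final deny present:", has_final_deny_any(BAD_RULES), has_final_deny_any(GOOD_RULES))
```

In the bad ruleset the broad allow placed first makes both the intended historian rule and the RDP block dead rules, so RDP from any IT host reaches the ICS network; the good ruleset keeps only the specific allow and ends with the explicit deny.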

Page 12: Technical Shortcomings – Part 2

● Software and hardware issues (e.g. code updates, loose power cables) can affect operations and business

● May not be able to operate in the harsher conditions of plants, and need to be replaced more often

● Dependencies on the corporate network, where SLAs are not as high

● New vulnerabilities are introduced with new software

Firewalls have external dependencies which affect their capabilities.

Page 13: Technical Shortcomings – Part 3

All TCP connections through the firewall are bidirectional

Outbound access = Inbound C&C
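A loopback simulation of the point above, added here and not part of the original deck: the inside host opens the only TCP connection, outward, and the remote end then pushes commands back through it, which is all a stateful “allow outbound” rule ever needed. The “commands” are harmless table lookups so the script is safe to run; the host names and replies are constructed.

```python
"""Localhost simulation of 'outbound access = inbound C&C': the inside host
opens the only TCP connection, outward, and the remote end then pushes
commands back through it. Commands here are harmless table lookups."""
import socket
import threading

# What the simulated implant answers; constructed values, no shell execution.
HANDLERS = {
    "hostname": lambda: "ics-hmi-01",
    "whoami": lambda: "operator",
}


def c2_server(ready: threading.Event, port_box: dict, commands, replies: list) -> None:
    """Attacker side: never connects in, only waits for the beacon and then drives it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))           # ephemeral port, loopback only
    srv.listen(1)
    port_box["port"] = srv.getsockname()[1]
    ready.set()
    conn, _ = srv.accept()
    with conn:
        rf = conn.makefile("r")
        for cmd in commands:
            conn.sendall(cmd.encode() + b"\n")      # inbound control over the outbound socket
            replies.append(rf.readline().strip())
        rf.close()
    srv.close()


def beacon(port: int, executed: list) -> None:
    """Inside host: the firewall sees only an outbound TCP connection from here."""
    with socket.create_connection(("127.0.0.1", port)) as s:
        rf = s.makefile("r")
        while True:
            line = rf.readline()
            if not line:                 # server hung up
                break
            cmd = line.strip()
            executed.append(cmd)
            result = HANDLERS.get(cmd, lambda: "unknown")()
            s.sendall(result.encode() + b"\n")
        rf.close()


def run_demo(commands=("hostname", "whoami", "noop")):
    """Returns (commands the inside host executed, replies the attacker received)."""
    ready, port_box, replies, executed = threading.Event(), {}, [], []
    t = threading.Thread(target=c2_server, args=(ready, port_box, commands, replies))
    t.start()
    ready.wait()
    beacon(port_box["port"], executed)
    t.join()
    return executed, replies


if __name__ == "__main__":
    ran, got = run_demo()
    print("inside host executed:", ran)
    print("attacker received:", got)
```

Nothing in the exchange ever arrives as a new inbound connection: every byte of control rides the return half of the connection the inside host opened, which is why a stateful firewall passes it and why removing the return path entirely is the only rule-independent fix.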


Page 15: Unidirectional Security Gateways: Server Replication

Diagram: Industrial Network (PLCs, RTUs, workstations, historians with Waterfall TX agents) → Waterfall TX appliance → Waterfall RX appliance → Corporate Network (replica historians with Waterfall RX agents); unidirectional historian replication.

● Hardware-enforced unidirectional server replication

● Replica server contains all data and functionality of the original

● External clients communicate only with the replica historian

● 100% secure from online attacks from external networks

● Replicate historian servers, OPC servers, RDB servers, Modbus, etc.
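An added model, not Waterfall's code, of what the TX/RX agent pair above does and of the constraint a one-way link imposes: the RX side has no way to acknowledge or request retransmission, so the TX agent numbers every record and the RX agent reports sequence gaps rather than losing data silently. The channel class, the tag names and the historian samples are constructed for the example.

```python
"""Model of unidirectional historian replication: a TX agent reads the
historian and pushes records into a one-way channel; an RX agent rebuilds a
replica that external clients read. Constructed example, not Waterfall's code."""
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Record:
    seq: int      # TX-assigned sequence number: the only loss detection a one-way link allows
    tag: str
    ts: int
    value: float


class OneWayChannel:
    """TX may only append; RX may only consume. Nothing here lets RX send anything back."""
    def __init__(self) -> None:
        self._q: deque = deque()

    def tx(self, frame: bytes) -> None:
        self._q.append(frame)

    def rx(self) -> Optional[bytes]:
        return self._q.popleft() if self._q else None

    def lose(self, index: int) -> None:
        """Test hook: drop the index-th queued frame, as a bit error on the fibre would."""
        del self._q[index]


def encode(r: Record) -> bytes:
    return f"{r.seq}|{r.tag}|{r.ts}|{r.value!r}".encode()


def decode(frame: bytes) -> Record:
    seq, tag, ts, value = frame.decode().split("|")
    return Record(int(seq), tag, int(ts), float(value))


class TxAgent:
    """Industrial side: polls the historian and emits every new sample, in order."""
    def __init__(self, channel: OneWayChannel) -> None:
        self.ch, self.next_seq, self.cursor = channel, 0, 0

    def poll(self, historian: List[Tuple[str, int, float]]) -> int:
        sent = 0
        while self.cursor < len(historian):
            tag, ts, value = historian[self.cursor]
            self.ch.tx(encode(Record(self.next_seq, tag, ts, value)))
            self.next_seq += 1
            self.cursor += 1
            sent += 1
        return sent


class RxAgent:
    """Corporate side: rebuilds the replica; cannot NAK, so it records gaps for the operator."""
    def __init__(self, channel: OneWayChannel) -> None:
        self.ch = channel
        self.replica: Dict[str, List[Tuple[int, float]]] = {}
        self.expected = 0
        self.gaps: List[Tuple[int, int]] = []

    def drain(self) -> None:
        while (frame := self.ch.rx()) is not None:
            r = decode(frame)
            if r.seq != self.expected:
                self.gaps.append((self.expected, r.seq - 1))   # lost sequence range
            self.expected = r.seq + 1
            self.replica.setdefault(r.tag, []).append((r.ts, r.value))


def demo():
    """One poll, one lost frame on the link, one drain."""
    ch = OneWayChannel()
    tx, rx = TxAgent(ch), RxAgent(ch)
    historian = [("FIC-101.PV", 1000, 12.5), ("FIC-101.PV", 1001, 12.7), ("TI-200.PV", 1001, 85.0)]
    tx.poll(historian)
    ch.lose(1)
    rx.drain()
    return rx.replica, rx.gaps


if __name__ == "__main__":
    replica, gaps = demo()
    print("replica:", replica)
    print("gaps (seq ranges never received):", gaps)
```

Corporate clients query only `rx.replica`; no object on the RX side holds a handle that can write toward the TX side, which is the software shape of the hardware property the slide describes. Because there is no return path, loss has to be handled by what TX sends (sequence numbers, periodic full resends) and by what RX reports, never by a request from RX.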

Page 16: Waterfall FLIP™ Defeats Interactive Remote Control

● Unidirectional Gateway whose direction can be reversed:

● Chemicals / refining / mining / pharmaceuticals: batch instructions

● Water systems: periodic security updates & anti-virus signatures

● Remote unstaffed sites: substations, pumping stations

● Trigger: button / key, schedule

● Stronger than firewalls, stronger than removable media

The FLIP is a Unidirectional Gateway that can “flip over”

Page 17: Deep Content Control

● The trend in firewalls for 30 years is towards increasingly deep understanding, inspection of, and control of communications protocols

● Deep content control inspects and controls individual fields, tags, values, flags & files passing between networks

● Supports open protocols, proprietary protocols, ICS protocols, fragmented protocols – anything that an endpoint can make sense of

● DCC is generally a client, pulling only desired data. Servers try to sort out anything a client/attacker sends them.

Deep Content Control protects both ICS networks from IT networks, and IT networks from ICS networks
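An added example, not from the deck or from Waterfall, of the field-level decision deep content control makes on one ICS protocol: a Modbus/TCP request is parsed down to its MBAP header, function code and register range, only read function codes against a configured register window per unit are allowed, and everything else (writes, other units, out-of-window reads, malformed frames) is dropped. The allow-list and the sample frames are constructed.

```python
"""Field-level content control on Modbus/TCP requests: parse down to function
code and register range, allow only reads inside a per-unit window, drop the
rest. Constructed example; the allow-list and frames are illustrative."""
import struct
from typing import Dict, Tuple

MBAP = struct.Struct(">HHHB")            # transaction id, protocol id, length, unit id
ALLOWED_READ_FC = {3, 4}                 # read holding registers, read input registers
ALLOWED_REGISTERS: Dict[int, range] = {  # unit id -> register window external clients may read
    1: range(0, 100),
}


def parse_request(frame: bytes) -> Tuple[int, int, int, bytes]:
    """Return (transaction id, unit id, function code, pdu) or raise ValueError."""
    if len(frame) < MBAP.size + 1:
        raise ValueError("short frame")
    tid, pid, length, unit = MBAP.unpack_from(frame, 0)
    if pid != 0:
        raise ValueError("protocol id must be 0")
    if length != len(frame) - 6:         # length counts unit id + fc + pdu
        raise ValueError("MBAP length disagrees with frame size")
    return tid, unit, frame[7], frame[8:]


def decide(frame: bytes) -> Tuple[str, str]:
    """('allow', why) or ('deny', why). Anything not positively understood is denied."""
    try:
        _tid, unit, fc, pdu = parse_request(frame)
    except ValueError as e:
        return "deny", str(e)
    if fc not in ALLOWED_READ_FC:
        return "deny", f"function code {fc} is not a whitelisted read"
    if len(pdu) != 4:
        return "deny", "read request PDU must be exactly 4 bytes"
    start, qty = struct.unpack(">HH", pdu)
    window = ALLOWED_REGISTERS.get(unit)
    if window is None:
        return "deny", f"unit {unit} is not exposed"
    if not 1 <= qty <= 125:              # protocol limit for register reads
        return "deny", f"quantity {qty} outside 1..125"
    last = start + qty - 1
    if start not in window or last not in window:
        return "deny", f"registers {start}..{last} outside allowed window"
    return "allow", f"read {qty} registers from {start} on unit {unit}"


def build_request(tid: int, unit: int, fc: int, pdu: bytes) -> bytes:
    """Assemble a Modbus/TCP request frame (used here to construct sample traffic)."""
    return MBAP.pack(tid, 0, len(pdu) + 2, unit) + bytes([fc]) + pdu


# Constructed sample traffic.
READ_OK = build_request(1, 1, 3, struct.pack(">HH", 0, 10))        # read regs 0..9 on unit 1
WRITE_SINGLE = build_request(2, 1, 6, struct.pack(">HH", 40, 1))   # write register 40
READ_OUTSIDE = build_request(3, 1, 3, struct.pack(">HH", 95, 10))  # regs 95..104, past the window
WRONG_UNIT = build_request(4, 2, 3, struct.pack(">HH", 0, 10))
TRUNCATED = READ_OK[:9]

if __name__ == "__main__":
    for name, frame in [("READ_OK", READ_OK), ("WRITE_SINGLE", WRITE_SINGLE),
                        ("READ_OUTSIDE", READ_OUTSIDE), ("WRONG_UNIT", WRONG_UNIT),
                        ("TRUNCATED", TRUNCATED)]:
        print(f"{name:13s} -> {decide(frame)}")
```

A deployed DCC is usually itself the Modbus client, polling only the permitted registers and serving the values onward, so an external party never gets to craft a frame at all; the filter above shows the per-field decision that such a client embodies, and the default of denying anything it cannot fully parse is what separates content control from port-based filtering.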

Page 18: Evolving Best Practices – Unidirectional Gateways

NERC CIP exempts unidirectionally-protected sites from over 35% of requirements

DHS recommends unidirectional gateways in security assessments (ICS-CERT)

NRC & NEI exempt unidirectionally-protected sites from 21 of 26 cyber-perimeter rules

Unidirectional gateways limit the propagation of malicious code (ISA SP-99-3-3 / IEC 62443-3-3)

ENISA – unidirectional gateways provide better protection than firewalls

NIST – unidirectional gateways prevent any connectivity of traffic between domains (SP 800-82)

Page 19: Best Practices Continue to Evolve

Unidirectional gateways defeat targeted attacks, insider attacks & malware propagation

Page 20: Waterfall Security Solutions

● Headquarters in Israel, sales and operations office in the USA

● Hundreds of sites deployed in all critical infrastructure sectors

● 2012, 2013 & 2014 Best Practice awards for Industrial Network Security and Oil & Gas Security Practice

● IT and OT security architects should consider Waterfall for their operations networks

● Waterfall is a key player in the cyber security market – 2010, 2011 & 2012

● Strategic partnership agreements / cooperation with: OSIsoft, GE, Siemens, and many other major industrial vendors

Page 21: ICS Relies Heavily on Perimeter Protection

● If IT protections cannot prevent modern attacks from breaching IT networks, why are they adequate for ICS networks?

● Unidirectional Gateways defeat modern interactive remote control attacks

● Everything crossing physical or cyber perimeters is a threat

● Deep Content Control supports open protocols as well as proprietary, industrial protocols

Hardware-enforced unidirectional protections are today’s best practices