Copyright 2016 – AlphaGuardian Networks LLC. All rights reserved
Jul 16, 2015
The Intersection of The IIoT and Cybersecurity
Building Codes REQUIRE Networked Energy Management Systems
But EVERY communication protocol is vulnerable to hackers!
Electrical Systems
Metering
HVAC BMS/DCIM
SNMP
Modbus
BACnet
Modbus Communications are NOT Safe
Modbus is the standard communication protocol between the BMS and the Operating Technology (OT) and it has NO security.
Modbus attacks are easy to carry out:
The Modbus protocol has become the de facto industrial communications standard…The Modbus protocol lacks the ability to authenticate a user and hence middle man attacks can easily take place in Modbus.
- California Energy Commission Best Practices White Paper
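The missing authentication is visible in the frame layout itself. The following added example (not part of the original slides) parses a Modbus/TCP request and flags write commands from sources outside an assumed allow-list; the sample frames, IP addresses and the `review` helper are constructed for illustration. Because the source address is also unauthenticated, the result is a monitoring signal, not access control.

```python
import struct

# Write function codes from the public Modbus application protocol specification.
WRITE_CODES = {5: "Write Single Coil", 6: "Write Single Register",
               15: "Write Multiple Coils", 16: "Write Multiple Registers"}

def parse_adu(frame: bytes) -> dict:
    """Parse a Modbus/TCP ADU: 7-byte MBAP header followed by the PDU."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol identifier is not 0 (not Modbus)")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    # These are all the fields there are: no user, password, token or MAC.
    return {"transaction_id": tid, "unit_id": unit,
            "function": frame[7], "data": frame[8:]}

def review(src_ip: str, frame: bytes, write_allowed: set) -> str:
    """Return 'ok', 'alert' or 'malformed' for one captured request."""
    try:
        adu = parse_adu(frame)
    except ValueError:
        return "malformed"
    # Nothing in the ADU identifies the sender, so the source address seen
    # by the monitor is the only basis available for a policy decision.
    if adu["function"] in WRITE_CODES and src_ip not in write_allowed:
        return "alert"
    return "ok"

# Constructed sample requests: MBAP header, unit id, function code, payload.
READ_REQ = bytes.fromhex("000100000006" "01" "03" "0000" "0002")
WRITE_REQ = bytes.fromhex("000200000006" "01" "06" "0010" "00ff")
BMS_HOSTS = {"10.0.0.5"}  # assumed address of the legitimate BMS

if __name__ == "__main__":
    for src, req in [("10.0.0.5", WRITE_REQ), ("10.0.0.77", WRITE_REQ),
                     ("10.0.0.77", READ_REQ)]:
        print(src, parse_adu(req)["function"], review(src, req, BMS_HOSTS))
```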
SNMP Communications are NOT Safe
SNMP is easily compromised, leading to a takeover of any UPS or PDU
Copyright 2014 – AlphaGuardian Networks LLC
“SNMPv3 fails to provide its advertised security guarantees…These vulnerabilities are implementation agnostic and demonstrate a fundamental flaw in the current protocol…An adversary could use a single request to shutdown multiple UPS’s”
Dr. Patrick Traynor, Georgia Institute of Technology
BACnet Communications are NOT Safe
BACnet is classified by security experts as “Insecure by Design” or IbD
“Knowing the Object Identifier and having a BACnet client will usually allow you to issue commands to the BACnet device such as change setpoint, change schedule, or change program based on the capabilities of the BACnet device.”
Digital Bond Corporation Research Report
Modbus, SNMP & BACnet units Easily Found
These systems can be sniffed and found on most facilities networks.
Power Systems
• Power Meters
• Energy Storage Systems
• UPS and PDU systems
Mechanical Systems
• Pumps
• Chillers
• VFDs and PLCs
Lighting Systems
• Lighting control systems
• Lighting dimmers
Traditional Firewalls Do Not Stop Hackers
If You can gain access to a user’s VPN Credentials, you’re in!
This is how the Target breach was carried out.
WiFi & Zigbee Actually Invite Hackers
Dozens of Free WiFi Crackers are available on the Internet including multiple Android Apps!
Zigbee crackers are also freely available
Wireless Hacking
Breach Level Report - Insiders now lead outsiders in successful cyber attacks
• Malicious Insider, 52%
• Malicious Outsider, 43%
• Hacktivist, 4%
• State Sponsored, 1%
Wi-Fi Cracker for Android phones allows anyone to anonymously enter networks
Traditional Firewalls Only Screen
Traditional Firewall systems use “White Lists” and “Black Lists”.
If you spoof a “White List” IP address, you get to enter the “secure zone” freely!
All Major Security Regulations Require Securing Electrical and Mechanical Systems
California Energy Commission Best Practices Require IIoT Security
Section 2.2 Demand Response Security Concerns.
2.2.2 DR Events Information
“DR strategies are pre‐programmed in Energy Management Control System (EMCS) at the customers’ sites. The strategies are carried out when the DR events and pricing signal arrives.
However, if DR events information is manipulated by an attacker by controlling the electricity usage, such as turning on/off the air condition or heating units at end users, this could affect both the utility and participants in DR program financially.”
California Law Requires Securing Submetering for Title 24 Requirements
California Senate Bill 1476 - Section 2, Chapter 5 PRIVACY PROTECTIONS FOR ENERGY CONSUMPTION DATA
“An electrical corporation or gas corporation shall use reasonable security procedures and practices to protect a customer’s unencrypted electrical or gas consumption data from unauthorized access, destruction, use, modification, or disclosure.”
Public Utilities Commission Decision 08-12-009 RULES TO PROTECT THE PRIVACY AND SECURITY OF ELECTRICITY USAGE DATA
Section 9.1
“…those engaged in a primary purpose pursuant to a program approved by the Commission, whether a utility or a non-utility, have similar rights and responsibilities pertaining to the data needed to accomplish the primary purpose.”
PLCs & HVAC are Already Being Hacked
United States Industrial Control System Computer Emergency Response Team (ICS-CERT) Bulletin: January 26, 2016
Rockwell Automation, Micrologix PLC is vulnerable to cyber attack.
Lighting Systems are Being Hacked
United States Industrial Control System Computer Emergency Response Team (ICS-CERT) Bulletin: April 7, 2016
Eaton Lighting Systems are vulnerable to cyber attack.
Power Meters are Being Attacked
United States Industrial Control System Computer Emergency Response Team (ICS-CERT) Bulletin: September 12, 2016
Schneider Ion Power Meter is vulnerable to cyber attack.
OK Time to Take a Breath!
We see that all major IIoT communication protocols are insecure.
We know that an attack on an IIoT device can produce catastrophic results.
But there ARE options that you can employ to protect the devices in your design and implementation!!!!
Here Are 5 Guiding Principles to Make Your Projects Secure
1. There is an inverse relationship between convenience and security
2. Separate all IIoT systems from the Enterprise Network
3. Never place control of a system in a single device
4. Distribute control as close to the managed devices as possible
5. Match the proper security component to the proper task
The Inverse Relation Between Convenience and Security
System designs have tended to become easier to deploy by using newer technologies.
Example: wireless lighting and plug control systems.
This creates a classic tradeoff between ease of installation and implementation vs. security!!!
Separate all IIoT Systems from The Enterprise Network
Enterprise Networks are VERY complex and that complexity creates backdoors for entry into your systems.
Over 1/3rd of all data center Enterprise Networks were penetrated in 2015 according to Arbor Networks.
Enterprise Networks work on the assumption that MANY people need access to equipment. IIoT Networks should assume that a very, very small number of people need access to equipment.
Never Place Total Control in 1 Device
Most IIoT BMS systems operate with limited security.
ICS-CERT has issued over 50 warnings based on BMS/EMS/DCIM Systems.
These systems are easy to find on the Internet and easy to find in an office building.
With only HTTP security, they can be hacked easily by a low-skill person.
Distribute Control Near the Device
Move control into the system via:
• PLCs
• PID controllers
• Intelligent VFDs
Distributed controls eliminate a single point of attack.
Distributed controls also eliminate a single point of failure.
You are much more secure than trying to put all your eggs into one basket
Match Security Component to the Task
There are 3 types of IIoT firewall devices.
1. Virtual Private Network Server
2. Traditional Filtering Firewall
3. Data Diode Firewall
In order to secure an IIoT network, you will likely need all 3 types
Virtual Private Network Unit
Purpose: A VPN creates a secure connection between your browser and anything connected directly behind the VPN unit.
Best Uses:
1. In front of BMS/EMS
2. In front of DCIM
3. In front of any other monitoring console
Traditional Filtering Firewall
Purpose: Allows 2 way communication between a known IP address on the outside and a protected object on the inside
Best Uses:
1. IIoT systems that require control commands
2. IIoT devices that use non-standard protocols
Data Diode Firewall
Purpose: Gathers information from protected IIoT systems on its inside and pushes encrypted information to a matched diode receiver. The receiver then decrypts the data and makes it available in original native format.
Best Uses:
1. For any IIoT device that is only monitored
2. For remote monitoring critical systems
A Data Diode with Secure Cloud Integration for Distanceless, Secure Monitoring
If You Match Security to each of Your Devices You Will Be Successful!
The Team
Chet Sandberg: CTO
• Former Chief Scientist - Raychem Corporation
• Board Member - TrendPoint Systems and NetBrowser
• IEEE Fellow, MS from MIT, BS from Stanford
Bob Hunter: Founder and CEO
• Founder and CEO – TrendPoint Systems, the leader in high density energy monitoring for data centers
• Founder and CEO – NetBrowser Communications, first DCIM system, now Modius
Zack Hunter: Chief Data Architect
• Data Analytics Programmer – US Department of Energy
• BS – Computer Science, BA – Mathematics, Whitworth University
Thank You!
- Bob Hunter
Contact: [email protected] (925) 421-0030