RackGuardian: Physical Network Security

Copyright 2016 – AlphaGuardian Networks LLC. All rights reserved

The Intersection of The IIoT and Cybersecurity

Copyright 2016 – AlphaGuardian Networks LLC

Building Codes REQUIRE Networked Energy Management Systems

But EVERY communication protocol is vulnerable to hackers!

ElectricalSystems

Metering

HVAC BMS/DCIM

SNMP

Modbus

BACnet

Modbus Communications are NOT Safe

Modbus is the standard communication protocol between the BMS and the Operating Technology (OT) and it has NO security.


Modbus attacks are easy to carry out:

The Modbus protocol has become the de facto industrial communications standard…The Modbus protocol lacks the ability to authenticate a user and hence middle man attacks can easily take place in Modbus.

- California Energy Commission Best Practices White Paper

SNMP Communications are NOT Safe

SNMP is easily compromised, leading to a takeover of any UPS or PDU


“SNMPv3 fails to provide its advertised security guarantees…These vulnerabilities are implementation agnostic and demonstrate a fundamental flaw in the current protocol…An adversary could use a single request to shutdown multiple UPS’s

Dr. Patrick Traynor, Georgia Institute of Technology

BACnet Communications are NOT Safe

BACnet is classified by security experts as “Insecure by Design” or IbD


“Knowing the Object Identifier and having a BACnet client will usually allow you to issue commands to the BACnet device such as change setpoint, change schedule, or change program based on the capabilities of the BACnet device.”

Digital Bond Corporation Research Report

Modbus, SNMP & BACnet units Easily Found

These systems can be sniffed and found on most facilities networks.


Power Systems• Power Meters• Energy Storage Systems• UPS and PDU systems

Mechanical Systems• Pumps• Chillers• VFD’s and PLC’s

Lighting Systems• Lighting control systems• Lighting dimmers

Traditional Firewalls Do Not Stop Hackers

If You can gain access to a user’s VPN Credentials, you’re in!

This is how the Target breach was carried out.


WiFi & Zigbee Actually Invite Hackers

Dozens of Free WiFi Crackers are available on the Internet including multiple Android Apps!

Zigbee crackers are also freely available


Wireless Hacking


Breach Level Report - Insiders now lead outsiders in successful cyber attacks

Malicious Insider, 52%

Malicious Outsider,

43%

Hacktivist, 4%

State Sponsored,

1%

Wi-Fi Cracker for Android phones allows anyone to anonymously enter networks

Traditional Firewalls Only Screen

Traditional Firewall systems use “White Lists” and “Black Lists”.

If you spoof a “White List” IP address, you get to enter the “secure zone” freely!


All Major Security Regulations Require Securing Electrical and Mechanical Systems


California Energy CommissionBest Practices Require IIoT Security


Section 2.2 Demand Response Security Concerns.2.2.2 DR Events Information“DR strategies are pre‐programmed in Energy Management Control System (EMCS) at the customers’ sites. The strategies are carried out when the DR events and pricing signal arrives.

However, if DR events information is manipulated by an attacker by controlling the electricity usage, such as turning on/off the air condition or heating units at end users, this could affect both the utility and participants in DR program financially.”

California Law Requires Securing Submetering for Title 24 Requirements


California Senate Bill 1476 - Section 2, Chapter 5 PRIVACY PROTECTIONS FOR ENERGY CONSUMPTION DATA“An electrical corporation or gas corporation shall use reasonable security procedures and practices to protect a customer’s unencrypted electrical or gas consumption data from unauthorized access, destruction, use, modification, or disclosure.”

Public Utilities Commission Decision 08-12-009 RULES TO PROTECT THE PRIVACY AND SECURITYOF ELECTRICITY USAGE DATASection 9.1“…those engaged in a primary purpose pursuant to a program approved by theCommission, whether a utility or a non-utility, have similar rights and responsibilities pertaining to the data needed to accomplish the primary purpose.”

PLCs & HVAC are Already Being Hacked


United States Industrial Control System Computer Emergency Response Team (ICS-CERT) Bulletin: January 26, 2016

Rockwell Automation, Micrologix PLC is vulnerable to cyber attack.

Lighting Systems are Being Hacked


United States Industrial Control System Computer Emergency Response Team (ICS-CERT) Bulletin: April 7, 2016

Eaton Lighting Systems are vulnerable to cyber attack.

Power Meters are Being Attacked


United States Industrial Control System Computer Emergency Response Team (ICS-CERT) Bulletin: September 12, 2016

Schneider Ion Power Meter is vulnerable to cyber attack.

OK Time to Take a Breath!

We see that all major IIoT communication protocols are insecure.

We know that an attack on an IIoT device can produce catastrophic results.

But there ARE options that you can employ to protect the devices in your design and implementation!!!!


Here Are 5 Guiding Principles to Make Your Projects Secure

1. There is an inverse relationship between convenience and security2. Separate all IIoT systems from the Enterprise Network3. Never place control of a system in a single device4. Distribute control as close to the managed devices as possible5. Match the proper security component to the proper task


The Inverse Relation Between Convenience and Security

System designs have tended to become easer to deploy by using newer technologies.

Example: wireless lighting and plug control systems.

This creates a classic tradeoff between ease of installation and implementation vs. security!!!


Separate all IIoT Systems fromThe Enterprise Network

Enterprise Networks are VERY complex and that complexity creates backdoors for entry into your systems.

Over 1/3rd of all data center Enterprise Networks were penetrated in 2015 according to Arbor Networks.

Enterprise Networks work on the assumption that MANY people need access to equipment. IIoT Networks should assume that a very, very small number of people need access to equipment.


Never Place Total Control in 1 Device

Most IIoT BMS systems operate with limited security.

ICS-CERT has issued over 50 warnings based on BMS/EMS/DCIM Systems.

These systems are easy to find on the Internet and easy to find in an office building.

With only HTTP security, they can be hacked by easily by a low skill person


Distribute Control Near the Device

Move control into the system via:• PLC’s• PID controllers• Intelligent VFD’s

Distributed controls eliminates a single point of attack sequence.

Distributed controls also eliminates a single point of failure.

You are much more secure than trying to put all your eggs into one basket


Match Security Component to the Task

There are 3 types of IIoT firewall devices.1. Virtual Private Network Server2. Traditional Filtering Firewall3. Data Diode Firewall

In order to secure an IIoT network, you will likely need all 3 types


Virtual Private Network Unit

Purpose:A VPN creates a secure connection between your browser and anything connected directly behind the VPN unit.

Best Uses:1. In front of BMS/EMS2. In front of DCIM3. In front of any other monitoring

console


Traditional Filtering Firewall

Purpose:Allows 2 way communication between a known IP address on the outside and a protected object on the inside

Best Uses:1. IIoT systems that require

control commands2. IIoT devices that use non-

standard protocols


Data Diode Firewall

Purpose:Gathers information from protected IIoT systems on its inside and pushes encrypted information to a matched diode receiver. The receiver then decrypts the data and makes it available in original native format.

Best Uses:1. For any IIoT device that is only

monitored2. For remote monitoring critical

systems


A Data Diode with Secure Cloud Integration for Distanceless, Secure Monitoring


If You Match Security to each of Your Devices You Will Be Successful!


Chet Sandberg: CTO Former Chief Scientist - Raychem Corporation Board Member - TrendPoint Systems and NetBrowser IEEE Fellow, MS from MIT, BS from Stanford

Bob Hunter: Founder and CEO Founder and CEO – TrendPoint Systems, the leader in high density energy monitoring for data centers Founder and CEO – NetBrowser Communications, first DCIM system, now Modius

Zack Hunter: Chief Data Architect Data Analytics Programmer – US Department of Energy BS – Computer Science, BA – Mathematics, Whitworth University

The Team


Copyright 2016 – AlphaGuardian Networks LLC. All rights reserved

Thank You!

- Bob Hunter

Contact: [email protected](925) 421-0030

mailto:[email protected]

RackGuardian: Physical Network Security

Data & Analytics

physical access

physical network layer

network systems

alphaguardian networks

physical environment

physical layer protection

vulnerable access

card access systems