Securing the Network: Understanding CIA, Segmentation, and Zero Trust
Jacek Szamrej, VP of Cybersecurity, SEDC
What are we protecting?
Diagram: DATA at the centre, surrounded by the CIA triad (Confidentiality, Integrity, Availability); the availability metrics RTO (Recovery Time Objective), RPO (Recovery Point Objective) and MTD (Maximum Tolerable Downtime); the classification levels Public, Personal and Secret; and the labels Cryptography and Metadata.
Defense in Depth
We divided data into different categories for more effective protection.
Now we can support this defense with network segmentation.
Data segmentation example
Original record:
Account Number | Meter Number | Usage Data
5489425345 | 43534504234 | 0.2, 0.5, 0.3, 1.2, …

Copy with the identifier columns replaced by their MD5 hash:
Account Number (MD5) | Meter Number (MD5) | Usage Data
2cb6128ecc85fa4916491a626d876cfd | be799977f7b518b1416daa371f890809 | 0.2, 0.5, 0.3, 1.2, …
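The hashed copy keeps the usage data joinable (the same account always maps to the same token) while removing the raw identifiers from the less protected segment. One caveat a practitioner would add: an unkeyed hash such as MD5 over a 10-digit account number is deterministic and has no secret, so anyone who can enumerate plausible account numbers can reverse it by hashing candidates. The Python below is an added example, not code from the original slides: it tokenises constructed sample records (not real customer data) both with plain MD5 and with a keyed HMAC, and runs a dictionary attack that recovers the account from the MD5 token but not from the HMAC token. The record values, the candidate range and the key are assumptions made for the demonstration.

```python
"""Pseudonymising identifier columns in a data copy: unkeyed MD5 versus keyed HMAC.

Added example; records, key and candidate list are constructed for illustration.
"""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Iterable, List, Optional

# Constructed sample records in the shape of the slide's table (not real customer data).
RECORDS: List[Dict] = [
    {"account": "5489425345", "meter": "43534504234", "usage": [0.2, 0.5, 0.3, 1.2]},
    {"account": "5489425346", "meter": "43534504235", "usage": [0.1, 0.4, 0.6, 0.9]},
    {"account": "5489425345", "meter": "43534504236", "usage": [0.3, 0.3, 0.2, 1.0]},
]

Tokenizer = Callable[[str], str]


def md5_token(value: str) -> str:
    """Unkeyed MD5, as in the slide: deterministic and secret-free."""
    return hashlib.md5(value.encode()).hexdigest()


def hmac_token(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256: the same value still gives the same token, but only with the key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def pseudonymise(records: Iterable[Dict], tokenize: Tokenizer) -> List[Dict]:
    """Return a copy of the records with identifier columns replaced by tokens.

    The usage column is copied unchanged, so analysts can still group and join by token.
    """
    return [
        {"account": tokenize(r["account"]), "meter": tokenize(r["meter"]), "usage": list(r["usage"])}
        for r in records
    ]


def reverse_by_dictionary(token: str, candidates: Iterable[str], tokenize: Tokenizer) -> Optional[str]:
    """Dictionary attack: re-tokenise each candidate identifier and compare with the token."""
    for candidate in candidates:
        if hmac.compare_digest(tokenize(candidate), token):
            return candidate
    return None


def demo() -> Dict[str, object]:
    key = secrets.token_bytes(32)  # stays with the data owner; never shipped with the copy
    md5_copy = pseudonymise(RECORDS, md5_token)
    hmac_copy = pseudonymise(RECORDS, lambda v: hmac_token(v, key))

    # An attacker holding the copy guesses account numbers from a plausible range
    # (constructed: the 100 numbers sharing the sample account's first eight digits).
    candidates = [f"54894253{n:02d}" for n in range(100)]

    return {
        # joinability: records 0 and 2 share an account, so they share a token in both copies
        "md5_joinable": md5_copy[0]["account"] == md5_copy[2]["account"],
        "hmac_joinable": hmac_copy[0]["account"] == hmac_copy[2]["account"],
        # without the key the attacker can only try unkeyed hashes against the HMAC copy
        "md5_recovered": reverse_by_dictionary(md5_copy[0]["account"], candidates, md5_token),
        "hmac_recovered": reverse_by_dictionary(hmac_copy[0]["account"], candidates, md5_token),
        "md5_copy": md5_copy,
        "hmac_copy": hmac_copy,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The HMAC key must live only in the segment that holds the original data; the copy and its tokens can then sit in a lower-classification segment without exposing account or meter numbers.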
Segmentation: the Maersk example
https://www.porttechnology.org/news/maersk_to_build_10_of_the_worlds_largest_ever_container_ships
https://www.bleepingcomputer.com/news/security/maersk-reinstalled-45-000-pcs-and-4-000-servers-to-recover-from-notpetya-attack/
Diagram: reference utility network with the zones Office (servers S1, S2), DMZ, SCADA and Substation SCADA, labelled as Trusted Network, Untrusted and DMZ.
How do we apply CIA to our network?
Ukraine Power Grid Cyberattack 2015, traced step by step on the same network diagram (Office, DMZ, SCADA, Substation SCADA):
1. Email with BlackEnergy malware
2. Pivot to a server and establish C&C
3. They found the pre-shared key for the VPN on the SCADA firewall
4. Firmware was changed on SCADA devices
5. They used the SCADA HMI to open breakers
Full document with all recommendations: http://www.nerc.com/pa/CI/ESISAC/Documents/E-ISAC_SANS_Ukraine_DUC_18Mar2016.pdf
Network Segmentation
Definition: Network segmentation in computer networking is the act or profession of splitting a computer network into subnetworks, each being a network segment. Advantages of such splitting are primarily for boosting performance and improving security. https://en.wikipedia.org/wiki/Network_segmentation
Network Segmentation Examples (source: Gartner, July 2016): VLAN/ACL, Virtual Firewall, Air Gap, Data Diode, Firewall, ACL
Levels of Trust
Concepts of Zero-Trust Model:
• All resources are accessed in a secure manner regardless of location
• Access control is on a "need-to-know" basis and is strictly enforced
• Inspect and log all traffic
Zero Trust Network Diagram
Source: https://www.slideshare.net/AlgoSec/5-steps-to-a-zero-trust-network-from-theory-to-practice
Next Generation Firewall: FW - Firewall; IPS - Intrusion Prevention System; CF - Content Filtering; AC - Access Control; AM - Activity Monitoring; Crypto - Cryptography
Management jumpbox in a separate zone
MCAP (Micro Core and Perimeter):
• Protected L2 switching zone
• MCAP members have similar functionality
DAN (Data Acquisition Network):
• Zone dedicated to log analysis
• SIEM
• Network Analysis and Visibility (NAV)
Software Defined Perimeter
All network connections are authenticated (using MFA and/or PKI) and the health of each endpoint is inspected.
Originated at the Defense Information Systems Agency (DISA); now maintained by the Cloud Security Alliance.
BeyondCorp is Google's version of this concept.
https://cloudsecurityalliance.org/group/software-defined-perimeter/#_overview
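The zero-trust concepts listed earlier (secure access regardless of location, strictly enforced need-to-know, log all traffic) and the SDP rule above (authenticate every connection with MFA and/or PKI, inspect endpoint health) come down to one decision function that never consults the source network. The Python below is an added example written for this page, not code from the slides, SDP or BeyondCorp: it models that decision for a few constructed users, resources and endpoint health attributes, and logs every outcome. The user names, group names, resource names and health attributes are assumptions.

```python
"""Zero-trust access decision: identity, second factor and endpoint health, never network location.

Added example; users, groups, resources and health attributes are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Request:
    user: str
    groups: Tuple[str, ...]
    mfa_verified: bool              # second factor completed for this session
    device_cert_ok: bool            # device certificate chains to the enterprise PKI
    device_health: Dict[str, bool]  # attributes reported by the endpoint agent
    location: str                   # "corporate_lan", "vpn" or "internet": recorded, never trusted
    resource: str


@dataclass(frozen=True)
class Rule:
    allowed_groups: Set[str]   # need-to-know
    required_health: Set[str]  # endpoint posture the resource demands


# Constructed per-resource policy; resource names follow the deck's utility network.
POLICY: Dict[str, Rule] = {
    "scada-hmi": Rule({"dispatch"}, {"disk_encrypted", "patched", "edr_running"}),
    "billing-cis": Rule({"billing", "finance"}, {"disk_encrypted", "patched"}),
    "intranet": Rule({"staff"}, {"patched"}),
}

AUDIT_LOG: List[str] = []


def _record(req: Request, allowed: bool, reason: str) -> Tuple[bool, str]:
    """Log every decision, permitted or denied ("inspect and log all traffic")."""
    AUDIT_LOG.append(
        f"user={req.user} location={req.location} resource={req.resource} "
        f"allow={allowed} reason={reason}"
    )
    return allowed, reason


def decide(req: Request) -> Tuple[bool, str]:
    """Evaluate one access request. req.location is logged but never consulted."""
    rule = POLICY.get(req.resource)
    if rule is None:
        return _record(req, False, "unknown resource, default deny")
    if not req.device_cert_ok:
        return _record(req, False, "device certificate not valid")
    if not req.mfa_verified:
        return _record(req, False, "second factor not verified")
    if not (rule.allowed_groups & set(req.groups)):
        return _record(req, False, "need-to-know: no authorised group")
    missing = sorted(h for h in rule.required_health if not req.device_health.get(h, False))
    if missing:
        return _record(req, False, "endpoint health failed: " + ", ".join(missing))
    return _record(req, True, "identity, second factor and endpoint health verified")


HEALTHY = {"disk_encrypted": True, "patched": True, "edr_running": True}


def demo() -> Dict[str, Tuple[bool, str]]:
    """Four constructed requests: being on the office LAN buys nothing without MFA and posture."""
    return {
        "lan_no_mfa": decide(Request("ann", ("dispatch", "staff"), False, True, HEALTHY, "corporate_lan", "scada-hmi")),
        "internet_full": decide(Request("ann", ("dispatch", "staff"), True, True, HEALTHY, "internet", "scada-hmi")),
        "wrong_group": decide(Request("bob", ("finance", "staff"), True, True, HEALTHY, "corporate_lan", "scada-hmi")),
        "stale_patch": decide(Request("ann", ("dispatch",), True, True, {**HEALTHY, "patched": False}, "vpn", "scada-hmi")),
    }


if __name__ == "__main__":
    demo()
    print("\n".join(AUDIT_LOG))
```

The order of the checks matters less than the fact that every branch returns through the same logging path and that an unknown resource is denied rather than passed through; a gateway that only inspects what it recognises is still a perimeter.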
Micro-Segmentation
Source: http://blogs.gartner.com/andrew-lerner/2017/03/21/microsegmentation/
• Software defined segmentation
• Isolates applications in a virtual environment
• Focus on east-west communication
• Security defined at a granular level
Micro-Segmentation Models (source: http://blogs.gartner.com/andrew-lerner/2017/03/21/microsegmentation/)
• Native micro-segmentation. Vendor examples: Amazon, Cisco, Microsoft, VMware
• Third-party model. Vendor examples: Cisco, Check Point, Fortinet, Juniper Networks, Palo Alto Networks, SonicWall, Sophos, Huawei
• Overlay model. Vendor examples: Cisco, CloudPassage, Drawbridge Networks, GuardiCore, Illumio, Juniper Networks, ShieldX, vArmour, Unisys, Tempered Networks
• Hybrid model
Example of Native Micro-Segmentation
https://vinfrastructure.it/2014/09/micro-segmentation-with-nsx/
How Overlay Segmentation Works
Diagram: a sample network (Internet, edge Firewall, DMZ hosts DMZ-S1 and DMZ-S2, servers S1, S2, S3 and PBX1, switches SW1 to SW4 and SW-D1, workstations W1 to W3 and W4-CC, printers PR1, P1, P2, P3) with an overlay Agent on each protected host reporting to a central Controller.
Controller: analyzes traffic, allows communication, applies and adjusts policies.
Some vendors are offering deception features.
Cyber Deception Example: https://www.nytimes.com/2017/05/09/world/europe/hackers-came-but-the-french-were-prepared.html
Purdue Enterprise Reference Architecture
Level 5: Enterprise network
Level 4: IT Applications (CIS, GIS, OMS, AMI?)
Level 3: SCADA Historian
Level 2: FEP, SCADA Master
Level 1: Meter, RTU
Level 0: CT, PT, other sensors
Source: https://www.slideshare.net/MarinaKrotofil/s4x16europekrotofil
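The micro-segmentation focus on east-west traffic, the overlay controller that analyzes traffic and applies policy, and the Purdue levels above all reduce to the same check: every observed flow is compared with an explicit list of approved conduits between zones, and anything else is a finding. The Python below is an added example for this page, not the code of any overlay product or of the Purdue reference itself. It carries a constructed asset inventory tagged with Purdue levels, a constructed conduit allow-list, and a handful of constructed flow records of the kind an overlay agent or NetFlow collector would report, including the enterprise-to-RTU path that the Ukraine case study makes interesting. Host names, zones, ports and the flows are all assumptions.

```python
"""Auditing observed flows against a conduit allow-list built on Purdue levels.

Added example; the asset inventory, conduits and flow records are constructed.
"""
from collections import Counter
from typing import Dict, List, NamedTuple, Set, Tuple

# Asset inventory: host -> (zone, Purdue level). Zone and host names follow the deck.
ASSETS: Dict[str, Tuple[str, int]] = {
    "erp-01":       ("enterprise", 5),
    "cis-01":       ("it-apps", 4),
    "historian-01": ("scada-dmz", 3),
    "scada-master": ("control", 2),
    "fep-01":       ("control", 2),
    "rtu-sub1":     ("substation", 1),
    "rtu-sub2":     ("substation", 1),
}

# Conduits: the only (source zone, destination zone, destination port) triples allowed.
# Anything else is a finding, including traffic between hosts in the same zone.
CONDUITS: Set[Tuple[str, str, int]] = {
    ("enterprise", "it-apps", 443),     # ERP talks to the IT applications
    ("it-apps", "scada-dmz", 443),      # CIS reads the historian over HTTPS
    ("control", "scada-dmz", 1433),     # SCADA master writes to the historian database
    ("control", "substation", 20000),   # FEP polls RTUs (DNP3)
}


class Flow(NamedTuple):
    src: str
    dst: str
    dport: int


def classify(flow: Flow) -> str:
    """'allowed' if the flow matches a conduit, otherwise the kind of finding it is."""
    src_zone, src_level = ASSETS[flow.src]
    dst_zone, dst_level = ASSETS[flow.dst]
    if (src_zone, dst_zone, flow.dport) in CONDUITS:
        return "allowed"
    if src_zone == dst_zone:
        return "east-west"     # lateral movement inside a zone: the micro-segmentation case
    if abs(src_level - dst_level) > 1:
        return "level-skip"    # jumps over a Purdue level, e.g. enterprise straight to an RTU
    return "unlisted"          # adjacent levels, but no conduit was ever approved


def audit(flows: List[Flow]) -> Tuple[Dict[Flow, str], Counter]:
    """Verdict per flow plus a count per verdict, the summary a controller would report."""
    verdicts = {f: classify(f) for f in flows}
    return verdicts, Counter(verdicts.values())


# Constructed flow records, as an overlay agent or NetFlow collector might report them.
SAMPLE_FLOWS: List[Flow] = [
    Flow("cis-01", "historian-01", 443),
    Flow("fep-01", "rtu-sub1", 20000),
    Flow("scada-master", "historian-01", 1433),
    Flow("rtu-sub1", "rtu-sub2", 22),           # RTU-to-RTU SSH: east-west
    Flow("erp-01", "rtu-sub1", 20000),          # enterprise host polling an RTU: level-skip
    Flow("historian-01", "scada-master", 445),  # DMZ host reaching into control: unlisted
]


if __name__ == "__main__":
    verdicts, summary = audit(SAMPLE_FLOWS)
    for flow, verdict in verdicts.items():
        print(f"{flow.src:>13} -> {flow.dst:<13} :{flow.dport:<6} {verdict}")
    print(dict(summary))
```

Running the same audit in monitor-only mode over real flow data is the "Analysis" phase: the conduit list grows from what the business actually needs, and the remaining findings are what the segmentation gateway or overlay agents later enforce.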
Phases of Network Segmentation (source: https://www.slideshare.net/MarinaKrotofil/s4x16europekrotofil)
1. Classification: data classification
2. Analysis: analyze network traffic (types, volume)
3. Design: network structure, monitoring methods
4. Implementation: select vendor, install equipment
5. Monitoring: monitor traffic, apply changes
Our Guests
• Gary Jeger - Palmetto Electric Co-op
• George Buckner - Central Florida Electric Co-op
• Jack Daniels - Bison Valley Electric Co-op
http://www.cablinginstall.com/articles/slideshow/2013/09/closet-cleanup-before-and-after-photos/pg004.html
BVEC Network: before and after (diagram)
BVEC - Network Segmentation Project
Objective: Follow the Zero-Trust Model and the recommendations from PCI DSS and US-CERT TA16-250A.
Solution: BVEC is considering three different approaches to segment their network.
Questions: How do these options follow the concepts of the Zero-Trust Model, PCI DSS, and the TA16-250A recommendations?
US-CERT Alert (TA16-250A): The Increasing Threat to Network Infrastructure Devices and Recommended Mitigations
"Protecting the network infrastructure is critical to preserve the confidentiality, integrity, and availability of communication and services across an enterprise."
BVEC - Network Segmentation Project
TA16-250A Recommendations:
1. Segregate Networks and Functions
2. Limit Unnecessary Lateral Communications
3. Harden Network Devices
4. Secure Access to Infrastructure Devices
5. Perform Out-of-Band Management
6. Validate Integrity of Hardware and Software
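Items 3, 4 and 6 of the list (harden network devices, secure access to them, validate integrity) are the ones that can be checked mechanically on every device, which matters in a case like the Ukraine attack where a VPN key was taken from a firewall and device firmware was replaced. The Python below is an added example for this page, not a tool from US-CERT or from the alert: it audits a constructed Cisco IOS-style configuration excerpt for weak management settings and compares its digest with that of an approved golden configuration. Both configuration texts, the check list and the IP addresses in them are assumptions; the check list is this example's own reading of the alert, not its text.

```python
"""Auditing a network device configuration for TA16-250A hardening items and config drift.

Added example; both configuration excerpts are constructed in Cisco IOS style, not taken
from any real device, and the check list is this example's own reading of the alert.
"""
import hashlib
import re
from typing import List, Tuple

# Constructed running configuration with several weak settings.
RUNNING_CONFIG = """\
hostname core-sw1
ip http server
snmp-server community public RO
line vty 0 4
 transport input telnet ssh
 password cisco
 login
line con 0
 logging synchronous
"""

# Constructed golden (approved) configuration for the same device.
GOLDEN_CONFIG = """\
hostname core-sw1
no ip http server
ip ssh version 2
service password-encryption
snmp-server community Xk9vq2 RO 10
logging host 10.10.50.5
line vty 0 4
 access-class 10 in
 transport input ssh
 login local
line con 0
 logging synchronous
"""

# Patterns whose presence is a finding (harden network devices).
FORBIDDEN: List[Tuple[str, re.Pattern]] = [
    ("HTTP management server enabled", re.compile(r"^ip http server$", re.M)),
    ("default SNMP community string", re.compile(r"^snmp-server community (public|private)\b", re.M)),
    ("telnet accepted on vty lines", re.compile(r"^\s+transport input .*\btelnet\b", re.M)),
    ("static line password instead of per-user login", re.compile(r"^\s+password \S+$", re.M)),
]

# Patterns whose absence is a finding (secure access to infrastructure devices).
REQUIRED: List[Tuple[str, re.Pattern]] = [
    ("SSH version 2 not enforced", re.compile(r"^ip ssh version 2$", re.M)),
    ("vty access not restricted with access-class", re.compile(r"^\s+access-class \S+ in$", re.M)),
    ("no remote syslog destination configured", re.compile(r"^logging host \S+$", re.M)),
]


def audit_config(config: str) -> List[str]:
    """Return one finding per weak setting present or required setting missing."""
    findings = [msg for msg, pat in FORBIDDEN if pat.search(config)]
    findings += [msg for msg, pat in REQUIRED if not pat.search(config)]
    return findings


def config_digest(config: str) -> str:
    """SHA-256 over the text; the digest of the approved config is kept out of band."""
    return hashlib.sha256(config.encode()).hexdigest()


def drifted(running: str, golden_digest: str) -> bool:
    """True when the running configuration no longer matches the approved one (validate integrity)."""
    return config_digest(running) != golden_digest


if __name__ == "__main__":
    for finding in audit_config(RUNNING_CONFIG):
        print("FINDING:", finding)
    print("drifted:", drifted(RUNNING_CONFIG, config_digest(GOLDEN_CONFIG)))
```

The digest comparison only tells you that something changed; the pattern checks tell you what. Both belong on the out-of-band management path (item 5), since a device reached only over the production network cannot be audited once that network is the thing under attack.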
BVEC Network
Diagram (current state): Office with servers S1, S2 and virtual machines VM1, VM2; a DMZ hosting CIS, AMI, MDM, GIS and OMS; a second DMZ; Fiber & Radio links to Dispatch & SCADA; District Office; Server Room with AD & FS, Exchange, Intranet, DB1, DB2 and office workstations (MS, FIN, CFO, CEO, E&O, LG, COO); two Substations, each with CAMI, PTZ and SCADA.
BVEC Network Option 1 - Segmentation Gateway
Diagram: the BVEC network above, segmented with a next-generation firewall acting as segmentation gateway.
Multiple NGFW vendors (Palo Alto, Checkpoint, Fortinet, Juniper, etc.).
Shall we use the same vendor as the edge firewall, or a different one?
We will need the High Availability option, which is more expensive.
BVEC Network Option 2 - VMware NSX
Diagram: the virtualised servers (CIS, AMI, MDM, GIS, OMS, VM1, VM2, AD & FS, Exchange, Intranet, DB1, DB2) attached to a vSphere Distributed Switch (VDS) with NSX Distributed Firewalls (DFW); physical hosts sit outside this layer.
Uses the proprietary VMware NSX solution; bare-metal servers are not included.
A consultant might be needed to determine the optimal configuration.
Throughput is not tied to hardware; easy to scale; can be extended to the cloud.
BVEC Network Option 3 - Identity Defined Network
Diagram: the BVEC network (DMZ with CIS, AMI, MDM, GIS, OMS; DMZ with ADFS, Exchange, Intranet, Apps; Fiber & Radio to Dispatch & SCADA; Office with S1, S2, VM1, VM2; District Office; Server Room; two Substations with CAMI, CCV, SCADA) with a HIP Server in front of each protected zone, HIP Clients on endpoints, and a central Conductor.
Based on the HIP (Host Identity Protocol) standard, but IDN is a proprietary solution.
Can be tested locally before being installed.
Does not require major hardware installation.
It can be extended to the cloud in the future.
Summary
• Classify your data by using the CIA triad
• Network segmentation can be designed in-house
• Consider segmenting SCADA, PCI, and PII first