© Copyright Fortinet Inc. All rights reserved. Security without Compromise: Securing ICS and IT networks. Peter Kocik, Systems Engineer

Security without Compromise Securing ICS and IT networks · Fortinet’s ICS Layered Defense Model APT Framework •Advanced Malware ... (4 services on 1 host) NSE: Script scanning

Apr 02, 2018

Transcript
Page 1: Security without Compromise: Securing ICS and IT networks

Peter Kocik, Systems Engineer

Page 2: Sayano–Shushenskaya hydroelectric power station

Number of Units: 10
Turbine Type: Francis (16 blades)
Rated Power: 650 MW each
Rated Discharge per Unit: 358.5 m³/s
Nominal Speed: 142.86 rpm
Operation Date: 1978
Runner Diameter: 6.77 m

Page 3: View of the Russian dam

Page 4: Inside …

Photo labels: Power Units, Generator floor, Air-Oil Tanks

Page 5: What happened on 17 August 2009

The operating band of Turbine 2 was changed to a specific load forbidden by the manufacturer. The forbidden band created extra vibration, which was also registered by a seismograph. The turbine cover shot up and the 920-ton rotor then shot out of its seat. Water immediately flooded the engine and turbine rooms and caused a transformer explosion. On 21 August 2009, a rebel group in Chechnya claimed that they were responsible for the blast.

Page 6: After the Accident…

Page 7: Consequences

75 people died.
The physical damage was estimated at 310 million.
According to the Russian Energy Minister, almost 2 years and 1.3 billion Euros were spent to reconstruct the power building.
The production of more than 500,000 tons of aluminum will be lost.

Page 8: ICS Cyber issue: Intentional vs Unintentional

Threat Source                 % of Industrial Network Incidents   Incident Type
Hackers and Terrorists        9.4%                                Intentional
Insiders                      10.6%                               Intentional
Human Error                   11.2%                               Unintentional
Malware                       30.4%                               Unintentional
Device and Software Failure   38.4%                               Unintentional

Pie chart: 20% intentional, 30% unintentional consequences, 50% unintentional internal.

According to 2011 RISI data, most cybersecurity threats and incidents are unintentional and occur inside industrial networks.

Intentional targeted attacks (unauthorized access, DoS, email attacks)
Unintentional consequences (collateral damage from viruses or control system failures)
Unintentional internal security consequences (Device or Software Failure, Human Error)

Page 9: Intentional/Unintentional: Cyberthreats in ICS environments

Top threat vectors in ICS (SANS ICS Survey 2014), bar chart with a 0-30% axis:
External Threats (hacktivism, nation states)
Malware
Insider Exploits
Email phishing attacks
Attacks coming from within the internal
Cybersecurity policy violations
Industrial espionage
Other

ICS-CERT: Incident sectors, FY2015 and FY2014, number of incidents (0-100 axis). Data source: ICS-CERT (US).
Sectors: Critical Manufacturing, Energy, Unknown, Water, Transportation, Government facilities, Healthcare, Communications, Nuclear, IT, Dams, Chemical, Commercial Facilities, Finance, Food & Agriculture, Defense

External Threats is the top concern, with Malware, Exploits, Email and Segmentation being the main touchpoints.
Could be ICS- or IT-based attacks – now bridged.
Manufacturing and Energy are the highest targets.
1st militarized ICS malware: Stuxnet
» Cyber-physical consequences

Page 10


ICS Components

Sensors, Action devices, PLC, HMI, SCADA, Supervisor, Data historian

Page 11: ICS Defense Strategy #1: Exploit Vectors / Defense in Depth

Page 12: Defense-in-Depth Strategy

A defense-in-depth strategy deploys application security at both the host (RTU) and the network level.

Deploy security systems that offer tightly integrated multiple detection mechanisms.

Diagram layers: Physical Security, Perimeter, Intranet, Host, Application, Data
Diagram components: Border Firewall, Firewall, Campus Network, Network Security MGT, Intrusion Prevention, Critical Assets

Page 13: Fortinet Defense In Depth Strategy

Diagram: Corporate LAN (Domain Controller, Business Systems); Supervisory Control System and associated databases; Human Machine Interface (HMI); Remote Terminal Unit (FGR-100C); Sensors (pump/fan speed, pressure, flow rate, temperature, noise level, oil levels and maintenance alarms, radioactivity levels, water levels). FortiGate (FGR-100C) secures and restricts communication with the SCADA network.

• Prevent threats entering the organization with stringent boundary controls including Web Filtering, Anti-Virus, Intrusion Prevention and Application Control (FortiGate) and Anti-SPAM (FortiMail).
• Segregate networks and prevent malware propagation with inter-zone Anti-Virus, Intrusion Prevention and Application Control (FortiGate).
• Provide secure remote access (FortiGate SSL and IPsec VPN) together with secure remote authentication methods (FortiAuthenticator).
• Secure wireless communication with rogue access point detection and by segregating engineers' traffic on dedicated SSIDs (FortiGate & FortiAP).
• Secure SCADA communications with hardware-accelerated VPN back to the Management HMI network (FortiGate).
• Prevent malware propagation and non-authorised communication channels with on-the-wire Anti-Virus, Intrusion Prevention and Application Control (FortiGate).
• Secure, audit and monitor the HMI database (FortiDB).
• Vulnerability assessment, patch management and auditing of all organizational assets (FortiScan).
• Protect web-based HMI from exploitation with Web Application Firewalling (FortiWeb).

Page 14: ICS Defense Strategy #2: Segmentation Vectors / Security Segmentation

Page 15: ICS Defense Strategy #2: Segmentation Vectors / ISFW - Internal Segmentation Architecture

Three elements (numbered 1 to 3 on the slide):
Inspect and log all segment traffic
Verification/Auth of segment traffic
Network is designed within security segments
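The three ISFW elements above (segments, verified cross-segment traffic, inspection and logging of every segment crossing) can be expressed as a default-deny corridor policy. The following is an added example, not Fortinet code and not the FortiGate policy language: the segment addressing, the corridor rules and the sample flows are all constructed for illustration. It shows why a corporate host cannot reach a PLC directly even though the HMI can, and why an engineering session without a verified identity is refused.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed segments (hypothetical addressing): corporate IT, an OT DMZ,
# the supervisory segment (SCADA server, HMI) and the control segment (PLC/RTU).
ZONES = {
    "10.10.0.0/16": "corporate",
    "10.20.0.0/24": "ot-dmz",
    "10.30.0.0/24": "supervisory",
    "10.40.0.0/24": "control",
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str          # "tcp" or "udp"
    dport: int
    require_auth: bool  # flow must carry a verified identity (VPN/802.1X)
    comment: str


# Explicit corridors between segments; any cross-segment flow not listed is denied.
RULES: List[Rule] = [
    Rule("supervisory", "control", "tcp", 502, False, "SCADA/HMI polls PLCs over Modbus/TCP"),
    Rule("control", "supervisory", "tcp", 20000, False, "DNP3 outstations report to the master"),
    Rule("supervisory", "ot-dmz", "tcp", 1433, False, "historian replicates into the OT DMZ"),
    Rule("corporate", "ot-dmz", "tcp", 443, True, "business users read the DMZ historian"),
    Rule("corporate", "supervisory", "tcp", 3389, True, "engineering remote access"),
]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    user: Optional[str] = None  # identity asserted by the access layer, None if anonymous


@dataclass(frozen=True)
class Decision:
    action: str  # "allow" or "deny"
    reason: str
    log: str     # one record per decision, so every segment crossing is logged


def zone_of(ip: str) -> Optional[str]:
    """Map an address to its security segment, or None if it is outside all of them."""
    addr = ipaddress.ip_address(ip)
    for cidr, name in ZONES.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    return None


def evaluate(flow: Flow) -> Decision:
    """Apply the default-deny segmentation policy to a single flow."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)

    def finish(action: str, reason: str) -> Decision:
        log = (f"seg-policy action={action} src={flow.src}({src_zone}) "
               f"dst={flow.dst}({dst_zone}) {flow.proto}/{flow.dport} "
               f"user={flow.user or '-'} reason=\"{reason}\"")
        return Decision(action, reason, log)

    if src_zone is None or dst_zone is None:
        return finish("deny", "address outside any defined segment")
    if src_zone == dst_zone:
        return finish("allow", "intra-segment traffic")
    for rule in RULES:
        if (rule.src_zone, rule.dst_zone, rule.proto, rule.dport) == (
                src_zone, dst_zone, flow.proto, flow.dport):
            if rule.require_auth and flow.user is None:
                return finish("deny", f"{rule.comment}: identity required but missing")
            return finish("allow", rule.comment)
    return finish("deny", "no corridor between these segments (default deny)")


if __name__ == "__main__":
    for f in (Flow("10.10.5.7", "10.40.0.12", "tcp", 502),
              Flow("10.30.0.5", "10.40.0.12", "tcp", 502),
              Flow("10.10.5.7", "10.30.0.20", "tcp", 3389),
              Flow("10.10.5.7", "10.30.0.20", "tcp", 3389, user="eng01")):
        print(evaluate(f).log)
```

The log line is emitted for allowed traffic as well as denied traffic: in a segmented network the allowed corridors are exactly the traffic worth baselining, and a corridor that is suddenly used far more than usual is itself a signal.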

Page 16: Fortinet Internet Segmentation Strategy

Page 17: ICS Defense Strategy #3: Advanced Threat Vectors / APT Framework – Sandbox technology

Page 18: ICS Defense Strategy #3: Advanced/0-day Threat Vectors / APT Framework – Sandbox technology

Code Continuum (left to right): Known Good → Probably Good → Might be Good → Completely Unknown → Somewhat Suspicious → Very Suspicious → Known Bad

Security Technologies (left to right along the continuum): Whitelists; Reputation (File, IP, App, Email); App Signatures, Digitally signed files; Sandboxing, Heuristics; Reputation (File, IP, App, Email); Generic Signatures; Blacklists, Signatures

70-90% of malware samples are unique to an organization.

Page 19: Fortinet APT Framework

Page 20: Fortinet’s ICS Layered Defense Model

APT Framework: • Advanced Malware • Automation • Interaction
Defense-in-Depth: • Multiple Layers • Exploit Vectors • Data Protection
Internal Segmentation: • Untrust Model • Breach Containment • Security Corridors

Diagram: Fortinet ICS Layered Defense Model (DinD, APT, IS)

Page 21: … our answer is an active integration between SCADAguardian and FortiGate

Turn-key Internal and Perimeter Visibility
Fine Tuning, Control and Monitoring of the Firewall Ruleset
Proactive SCADA Security

Behavioral Analysis: Automatically learns ICS behavior and detects suspicious activities.
Security Policy Enforcement: Flexibility to enforce security policies with different degrees of granularity.
Deep SCADA Understanding: Deep understanding of all SCADA protocols, open and proprietary.
Active Traffic Control: Proactive filtering of malicious and unauthorized network traffic.
Unintrusive passive monitoring: Real-time passive monitoring guarantees no impact and permits visibility at different layers of the Control and Process Networks.
In-line Protection: In-line separation between IT and OT environments.
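"Automatically learns ICS behavior and detects suspicious activities" describes a passive baseline: control-network conversations are highly repetitive, so a learned set of (source, destination, protocol, function) tuples separates normal polling from deviations. The following is an added example, not SCADAguardian code: the record format, the addresses and the two capture windows are constructed, and a real deployment would feed the records from a SPAN/TAP protocol parser rather than from inline lists.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Record:
    ts: int      # seconds since the start of the capture
    src: str
    dst: str
    proto: str   # e.g. "modbus", "dnp3", "s7comm"
    func: str    # protocol-level operation, e.g. "read_holding", "write_single"


Key = Tuple[str, str, str, str]


def learn_baseline(records: List[Record]) -> Dict[Key, int]:
    """Count every (src, dst, proto, func) conversation seen in the learning window."""
    return Counter((r.src, r.dst, r.proto, r.func) for r in records)


def detect(records: List[Record], baseline: Dict[Key, int],
           min_support: int = 2) -> List[Tuple[Record, str]]:
    """Flag records whose conversation was not established in the baseline and say why.
    min_support keeps a one-off seen during learning from becoming 'normal'."""
    known_srcs = {s for (s, _, _, _) in baseline}
    known_pairs = {(s, d) for (s, d, _, _) in baseline}
    alerts = []
    for r in records:
        if baseline.get((r.src, r.dst, r.proto, r.func), 0) >= min_support:
            continue
        if r.src not in known_srcs:
            why = "new source talking to the control network"
        elif (r.src, r.dst) not in known_pairs:
            why = "known host contacting a new peer"
        elif r.func.startswith("write"):
            why = "write operation never seen in baseline"
        else:
            why = "unseen protocol/function for this conversation"
        alerts.append((r, why))
    return alerts


def constructed_baseline() -> List[Record]:
    """Constructed learning window: the HMI polls two PLCs, an engineering station reads one."""
    recs = []
    for t in range(0, 60, 5):
        recs.append(Record(t, "10.30.0.5", "10.40.0.12", "modbus", "read_holding"))
        recs.append(Record(t + 1, "10.30.0.5", "10.40.0.13", "modbus", "read_holding"))
    recs.append(Record(30, "10.30.0.20", "10.40.0.12", "s7comm", "read_var"))
    recs.append(Record(45, "10.30.0.20", "10.40.0.12", "s7comm", "read_var"))
    return recs


def constructed_live() -> List[Record]:
    """Constructed live window: one normal poll plus four deviations of different kinds."""
    return [
        Record(100, "10.30.0.5", "10.40.0.12", "modbus", "read_holding"),
        Record(101, "10.30.0.5", "10.40.0.12", "modbus", "write_single"),
        Record(102, "10.10.5.7", "10.40.0.12", "modbus", "read_holding"),
        Record(103, "10.30.0.20", "10.40.0.13", "s7comm", "read_var"),
        Record(104, "10.30.0.5", "10.40.0.13", "dnp3", "read_class0"),
    ]


def run() -> List[str]:
    """Learn from the baseline window, then return the reason attached to each live alert."""
    baseline = learn_baseline(constructed_baseline())
    return [why for _, why in detect(constructed_live(), baseline)]


if __name__ == "__main__":
    for reason in run():
        print(reason)
```

The detector never touches the traffic it classifies, which is the "no impact" property the slide claims for passive monitoring; the cost is that a write from an HMI that did issue writes during the learning window will look normal, so the learning window has to be reviewed, not just recorded.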

Page 22: Going Live

Page 23: The Matrix Movie …

~ nmap -sT -sV -vvvvv -P0 -p25,80,443,993 wagon.eriqe.sk
Starting Nmap 6.47 ( http://nmap.org ) at 2015-10-05 23:15 CEST
NSE: Loaded 29 scripts for scanning.
Initiating Parallel DNS resolution of 1 host. at 23:15
Completed Parallel DNS resolution of 1 host. at 23:15, 0.06s elapsed
DNS resolution of 1 IPs took 0.06s. Mode: Async [#: 2, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 23:15
Scanning wagon.eriqe.sk (93.184.66.157) [4 ports]
Discovered open port 25/tcp on 93.184.66.157
Discovered open port 80/tcp on 93.184.66.157
Discovered open port 993/tcp on 93.184.66.157
Discovered open port 443/tcp on 93.184.66.157
Completed Connect Scan at 23:15, 0.15s elapsed (4 total ports)
Initiating Service scan at 23:15
Scanning 4 services on wagon.eriqe.sk (93.184.66.157)
Completed Service scan at 23:15, 26.24s elapsed (4 services on 1 host)
NSE: Script scanning 93.184.66.157.
NSE: Starting runlevel 1 (of 1) scan.
Nmap scan report for wagon.eriqe.sk (93.184.66.157)
Host is up (0.15s latency).
rDNS record for 93.184.66.157: 93.184.66.157.host.vnet.sk
Scanned at 2015-10-05 23:15:25 CEST for 26s
PORT    STATE SERVICE  VERSION
25/tcp  open  smtp     Postfix smtpd
80/tcp  open  http     Apache httpd 2.2.22
443/tcp open  ssl/http Apache httpd 2.2.22
993/tcp open  ssl/imap Courier Imapd (released 2011)


~ openssl s_client -connect mail.eriqe.sk:993
---
* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE AUTH=PLAIN ACL ACL2=UNION] Courier-IMAP ready. Copyright 1998-2011 Double Precision, Inc. See COPYING for distribution information.

Page 24: Shodan - the bad search engine

SHODAN interrogates ports and grabs the resulting banners, then indexes the banners (rather than the web content) for searching.
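The two preceding slides make one point from the defender's side: whatever a service scan or a banner grab reveals about your own hosts is exactly what a banner-indexing search engine will store and make searchable. A practical control is to turn your own scan output into an inventory and diff it against the exposure you have documented. The following is an added example, not part of the deck and not an nmap or Shodan tool: the scan text is constructed in the `nmap -sV` report format with a placeholder hostname and an RFC 5737 address (the service lines mirror the slide's output plus one extra port), and the expected-exposure table is invented for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed scan text in the format of `nmap -sV` output: placeholder host,
# documentation address, service lines modelled on the slide plus one extra port.
SCAN_OUTPUT = """\
Nmap scan report for mail.example.invalid (192.0.2.10)
Host is up (0.15s latency).
PORT     STATE SERVICE    VERSION
25/tcp   open  smtp       Postfix smtpd
80/tcp   open  http       Apache httpd 2.2.22
443/tcp  open  ssl/http   Apache httpd 2.2.22
993/tcp  open  ssl/imap   Courier Imapd (released 2011)
8080/tcp open  http-proxy
"""

# Constructed exposure baseline: the ports this host is documented to expose.
EXPECTED: Dict[str, Set[Tuple[int, str]]] = {
    "mail.example.invalid": {(25, "tcp"), (80, "tcp"), (443, "tcp"), (993, "tcp")},
}

HOST_LINE = re.compile(r"^Nmap scan report for (\S+)")
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


@dataclass(frozen=True)
class Service:
    port: int
    proto: str
    state: str
    name: str
    version: str  # empty when nmap could not fingerprint the service


def parse_nmap(text: str) -> Dict[str, List[Service]]:
    """Group the PORT/STATE/SERVICE/VERSION lines of a scan report by host."""
    inventory: Dict[str, List[Service]] = {}
    host = None
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if m:
            host = m.group(1)
            inventory[host] = []
            continue
        m = PORT_LINE.match(line)
        if m and host is not None:
            port, proto, state, name, version = m.groups()
            inventory[host].append(Service(int(port), proto, state, name, version.strip()))
    return inventory


def review(inventory: Dict[str, List[Service]],
           expected: Dict[str, Set[Tuple[int, str]]]) -> List[Tuple[str, int, str]]:
    """Report open ports outside the documented exposure, and banners that disclose
    a version string (the part of a banner a search engine indexes)."""
    findings = []
    for host, services in inventory.items():
        allowed = expected.get(host, set())
        for s in services:
            if s.state != "open":
                continue
            if (s.port, s.proto) not in allowed:
                findings.append((host, s.port, "open port not in documented exposure"))
            if any(ch.isdigit() for ch in s.version):
                findings.append((host, s.port, f"banner discloses version: {s.version}"))
    return findings


def run() -> List[Tuple[str, int, str]]:
    """Parse the constructed report and review it against the expected exposure."""
    return review(parse_nmap(SCAN_OUTPUT), EXPECTED)


if __name__ == "__main__":
    for host, port, note in run():
        print(f"{host}:{port} {note}")
```

The version check is deliberately crude (any digit in the banner), because the question for an exposure review is not whether the version is vulnerable but whether the service needs to announce it at all; banner disclosure is a configuration choice on most of the daemons shown on the slide.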

Page 25: Basic Filters

country: filters results by two-letter country code
city: filters results by city name
hostname: filters results by specified text in the hostname or domain
geo: filters results by coordinates
net: filters results by a specific IP range or subnet
os: searches for specific operating systems
port: narrows the search to specific services
timeframe: finds results within a timeframe