Richard Wood
Cyber Security Best Practices for the Industrial IoT
Product Marketing Manager
Industrial Ethernet Infrastructure
Agenda
Cyber Security Landscape in the IoT Era
Unique Challenges for Industrial Automation
Cyber Security Standards
Industrial Best Practices
Case Studies
Confidential
Megatrend – Internet of Things (IoT)
“The IoT refers to devices, systems, and services
communicating with each other via the Internet to
enable smarter operations and new applications.”
Industrial Systems are in the Crosshairs
Source: Honeywell Cyber Security Lab
(Figure: examples of targeted industrial systems: PLC, Safety Systems, Plant Management System, Asset Management System, SCADA, DCS)
No vendor or user is immune from a potential cyber security incident.
Security Landscape
Factory is Vulnerable to Cyber Attacks
Source: ICS-CERT 2013 Report, Region: the U.S.
Cyber attacks may come from both outside AND inside the factory.
The Landscape Today: Easy to Find a Target
• Project SHINE: 1,000,000 Internet-connected SCADA and ICS systems and counting
• Industrial device search engines (example: SHODAN)
  • The SHODAN search engine works by searching for commonly used TCP/UDP port numbers
  • Web, Telnet, SNMP and FTP are some of the more common ones
  • Logs of the responses on these ports are saved in a searchable database
  • Try searching “OpenSSL”, “GNU”, or “NTPD” or industrial vendors’ names
Executive Order for Improving Cyber Security
Executive Order 13636: “Improving Critical Infrastructure Cybersecurity”
• Information sharing
• Privacy
• Adoption of cyber security practices
Continuous Reporting of ICS Vulnerabilities
• Industrial control system devices are not always updated with the latest vulnerability patches
NIST Published Final ICS Cybersecurity Guidelines
http://csrc.nist.gov/publications/nistpubs/800-82/SP800-82-final.pdf
Unique Challenges
Industrial Control Systems
Types of Incidents ICS May Face
• Blocked or delayed flow of information through ICS networks, which could disrupt ICS operation
• Unauthorized changes to instructions, commands, or alarm thresholds, which could damage, disable, or shut down equipment, create environmental impacts, and/or endanger human life
• Inaccurate information sent to system operators, either to disguise unauthorized changes or to cause the operators to initiate inappropriate actions, which could have various negative effects
• ICS software or configuration settings modified, or ICS software infected with malware, which could have various negative effects
• Interference with the operation of safety systems, which could endanger human life
Harsh Industrial Environments
Industrial Challenges
Industrial Protocols are Difficult to Secure
• Deep Packet Inspection of Modbus TCP
Industrial Firewall vs. Enterprise Firewall
Target Devices
  Industrial-grade: RTU, PLC and DCS, critical industrial devices; SCADA system, control network
  Enterprise-grade: computers, data servers; preventing viruses from affecting PCs
Operating Environment
  Industrial-grade: high EMC/EMI/surge environment; fanless operation at high temperature; dust-proof and shock-proof; works with industrial 24 VDC power supply
  Enterprise-grade: common air-conditioned IT environment
Content Filtering
  Industrial-grade: IP filtering/port filtering; industrial automation protocols, e.g. Modbus/TCP, PROFINET, EtherNet/IP, Foundation Fieldbus, LonWorks
  Enterprise-grade: IP filtering/port filtering; HTTP, email, POP, SMTP; MSN, Skype, Facebook, games, ...
Industrial Security Concerns
(Diagram: Field Site / Factory with PLC/IO Network and Control Network connected to the Control Room; threats shown: attack from public network, unauthorized connection, malfunctioning PLC, broadcast storm)
VPN tunnel
• VPN function for data encryption
• VPN server for dynamic remote access
• Standard protocols: IPsec, L2TP, PPTP
Firewall
• Protect critical devices (PLC, RTU, DCS) from unauthorized connections
• Isolate broadcast packets from a malfunctioning device so they do not reach the entire network
Standards
Industrial Control Systems
TSA Published Pipeline Security Guidelines (2011)
https://www.tsa.gov/sites/default/files/assets/pdf/Intermodal/tsa_pipeline_sec_guideline_april2011.pdf
Standards for Industrial Automation
• Industrial Control System: ISA / IEC 62443
• Power Industry: NERC CIP V5
What’s ISA/IEC 62443?
For network systems:
• Secure zones and conduits
For network equipment:
• Technical security requirements
Best Practices
Industrial Control Systems
Defense-In-Depth Strategy
Principle #1: Defense on multiple fronts
- @Network Perimeter
- @Edge device
Principle #2: Layered Defense
- 1: Detection
- 2: Remediation
- 3: Prevention
Cyber Security Implementation in Automation Network
• Employ a security life cycle process
  • Assessment of threats
  • Implementation of countermeasures and verification
  • Monitoring and maintenance
• Network segmentation
  • Breaking down the network into physical or logical zones with similar security requirements
• Define zone-to-zone interaction
  • Device requirements
  • Identification of allowed traffic over conduits
  • Requirements for safe communication
Cyber Security Implementation at Edge Devices
• Authentication
  • Use centralized user management
  • RADIUS and TACACS+ authentication
• Authorization
  • Only authorized devices can be connected
  • Disable any unused ports
  • 802.1X
  • MAC address control at port
• Data Integrity and Encryption
  • Use HTTPS, disable HTTP
  • Use SSH, disable Telnet
  • Use SNMPv3, disable SNMPv1/v2
How to Secure Zones and Conduits (example)
(IEC 62443-3-2)
Firewall and VPN ensure that the Industrial Control System meets the security requirements for zones and conduits:
• Firewall: controls traffic flow between zones
• VPN: encrypts sensitive control data in conduits
(Diagram: Define Zones → Traffic Control; Define Conduits → Data Encryption)
Industrial Firewall and VPN Solution in Plant Network
(Diagram: firewall and VPN placements in a plant network, with the throughput stated for each)
• Firewall between enterprise network and plant network: 40000 FPS throughput
• VPN gateway connecting uplink back to enterprise control center: 150 Mbps throughput
• Firewall between different function zones: 25000 FPS throughput
• VPN tunnels between function zones: 70 Mbps throughput
• Firewall between devices to isolate unnecessary traffic: 10000 FPS throughput
• VPN tunnel between end device and supervisory controller: 17 Mbps throughput
Transparent Firewall Makes ICS Cybersecurity Easy
• No network change required
• Add into a live network without disruption
• Aimed at industrial protocols
• 5-step visualized setting wizard
In-Cell Network Protection
(Diagram: devices 10.0.0.1, 10.0.0.2, 10.0.0.3 and 10.0.0.4 protected within one cell)
Real-Time Intrusion Detection
(Diagram: events stored in a local DB or forwarded to a 3rd-party SIEM, feeding the Detection, Remediation, Prevention cycle)
Modbus TCP Filtering (Deep Packet Inspection)
Filtering the Modbus protocol by:
1. Function code
2. Access address range
3. Device ID
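As an added example (not code from the slides or from any Moxa product), a Python sketch of the Modbus TCP deep packet inspection policy just described: it parses the MBAP header and request PDU and allows a request only when a rule matches the device ID, the function code and the full address range the request touches. The policy and the sample frames are constructed for illustration.

```python
import struct
from dataclasses import dataclass

# Public Modbus function codes the filter understands
READ_COILS, READ_DISCRETE, READ_HOLDING, READ_INPUT = 1, 2, 3, 4
WRITE_COIL, WRITE_REG, WRITE_COILS, WRITE_REGS = 5, 6, 15, 16
# Requests whose PDU starts with a 16-bit starting address
ADDRESSED = {READ_COILS, READ_DISCRETE, READ_HOLDING, READ_INPUT,
             WRITE_COIL, WRITE_REG, WRITE_COILS, WRITE_REGS}
# Requests that carry a 16-bit quantity right after the starting address
RANGED = {READ_COILS, READ_DISCRETE, READ_HOLDING, READ_INPUT,
          WRITE_COILS, WRITE_REGS}


@dataclass(frozen=True)
class Rule:
    """One allow rule: device ID, permitted function codes, address range."""
    unit_id: int
    functions: frozenset
    addr_lo: int
    addr_hi: int


def parse_modbus_tcp(frame: bytes):
    """Split a Modbus/TCP ADU into its MBAP header fields and request PDU.

    Returns (info, None) on success or (None, reason) when the frame is
    malformed. info holds unit_id, function and, for addressed requests,
    the inclusive start/end of the touched register or coil range.
    """
    if len(frame) < 8:
        return None, "frame shorter than MBAP header plus function code"
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        return None, f"protocol identifier {proto} is not Modbus (0)"
    if length != len(frame) - 6:          # length counts unit id + PDU
        return None, f"MBAP length {length} does not match frame size"
    fc, pdu = frame[7], frame[8:]
    if fc & 0x80:
        return None, "exception response where a request was expected"
    info = {"transaction_id": tid, "unit_id": unit, "function": fc}
    if fc in ADDRESSED:
        if len(pdu) < 4:                  # address + (quantity | value)
            return None, "truncated request data"
        start = struct.unpack(">H", pdu[:2])[0]
        count = struct.unpack(">H", pdu[2:4])[0] if fc in RANGED else 1
        if count == 0:
            return None, "zero quantity"
        info["start"], info["end"] = start, start + count - 1
    return info, None


def filter_request(frame: bytes, rules) -> tuple:
    """Default-deny DPI: ALLOW only if some rule matches device ID, function
    code and (for addressed requests) the whole accessed address range."""
    info, err = parse_modbus_tcp(frame)
    if err:
        return "DENY", f"malformed: {err}"
    span = f"{info.get('start')}-{info.get('end')}"
    for r in rules:
        if r.unit_id != info["unit_id"] or info["function"] not in r.functions:
            continue
        if "start" in info and not (r.addr_lo <= info["start"]
                                    and info["end"] <= r.addr_hi):
            continue
        return "ALLOW", f"unit {r.unit_id} fc {info['function']} addr {span}"
    return "DENY", (f"no rule permits unit {info['unit_id']} "
                    f"fc {info['function']} addr {span}")


def build_request(tid: int, unit: int, fc: int, start: int, qty: int) -> bytes:
    """Encode a simple 5-byte-PDU request (used here to construct samples)."""
    pdu = struct.pack(">BHH", fc, start, qty)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed policy: the SCADA master may only read holding registers
# 0-99 and input registers 0-49 of device ID 1. Everything else is dropped.
POLICY = [
    Rule(1, frozenset({READ_HOLDING}), 0, 99),
    Rule(1, frozenset({READ_INPUT}), 0, 49),
]

# Constructed sample traffic, not captured from a real network.
SAMPLES = {
    "read_hr_ok":      build_request(1, 1, READ_HOLDING, 0, 10),
    "write_reg":       build_request(2, 1, WRITE_REG, 10, 0xFFFF),
    "wrong_unit":      build_request(3, 2, READ_HOLDING, 0, 10),
    "range_overrun":   build_request(4, 1, READ_HOLDING, 95, 10),
    "diagnostics":     build_request(5, 1, 8, 0, 0),
    "bad_protocol_id": b"\x00\x06\x00\x01\x00\x06\x01\x03\x00\x00\x00\x0a",
}


def run_policy(samples=SAMPLES, rules=POLICY) -> dict:
    """Return {sample name: verdict} for every constructed frame."""
    return {name: filter_request(frame, rules)[0] for name, frame in samples.items()}


if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(f"{name:16s} {' '.join(filter_request(frame, POLICY))}")
```

Only the first sample passes; the write, the wrong device ID, the read that runs past register 99, the diagnostics function and the frame with a non-zero protocol identifier are all denied by default.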
Case Studies
Industrial Control Systems
Manufacturing >> Country: U.S.
Network Traffic Isolation for Semiconductor Clean Room Equipment
Background & Requirements
• Isolate broadcast traffic from the external network to critical laser equipment
• Required a firewall with the ability to connect to multiple WANs
• Needed easy management of the secure router configuration for over 100 stations
Why Moxa?
• EDR-810 provided support for 7 ports on the WAN interface for connecting to different systems
• Easy integration into equipment due to the industrial design of the power input and DIN-rail installation
• Reliable and stable for mission-critical manufacturing
Oil and Gas >> Country: U.S.
Secured Remote Monitoring of Gas Transmission Stations along a Pipeline
Background & Requirements
• Gas stations are built along a pipeline over thousands of miles and require an efficient and easy way of monitoring
• The system utilizes public networks (satellite and 3G/4G) for remote gas analyzer data acquisition and requires a secured tunnel between each gas station and the control center
• Needed easy management of the secure router configuration for over 100 stations
Why Moxa?
• EDR-G903 provides high-performance VPN, up to 150 Mbps, for large amounts of data acquisition
• EDR-G903 provides up to 350 NAT rules for all 100 stations with a single configuration file for easy management
• Built-in Modbus TCP deep packet inspection provides protection for unsecured Modbus communication
Thank You
© 2013 Moxa Inc. All rights reserved.

 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKJago de Vreede
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024The Digital Insurer
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...apidays
 

Kürzlich hochgeladen (20)

Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdf
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 

CyberSecurity Best Practices for the IIoT

  • 1. Richard Wood Cyber Security Best Practices for the Industrial IoT Product Marketing Manager Industrial Ethernet Infrastructure
  • 2. Agenda Cyber Security Landscape in the IoT Era Unique Challenges for Industrial Automation Cyber Security Standards Industrial Best Practices Case Studies
  • 3. Confidential Megatrend – Internet of Things (IoT) “The IoT refers to devices, systems, and services communicating with each other via the Internet to enable smarter operations and new applications.”
  • 4. Confidential Industrial Systems are in the Crosshairs Source: Honeywell Cyber Security Lab PLC Safety Systems Plant Management System Asset Management System SCADA DCS No vendor or user is immune from a potential cyber security incident Security Landscape
  • 5. Confidential Factory is Vulnerable to Cyber Attacks Source: ICS-CERT 2013 Report, Region: the U.S. Cyber attacks may come from both outside AND inside the factory Security Landscape
  • 6. Confidential The Landscape Today: Easy to Find a Target  Project SHINE: 1,000,000 Internet-Connected SCADA and ICS Systems and Counting  Industrial Device search engines (Example: SHODAN) • The SHODAN search engine works by searching for commonly used TCP/UDP port numbers • Web, Telnet, SNMP and FTP are some of the more common ones • Logs of the responses on these ports are saved in a searchable database • Try searching “OpenSSL”, “GNU”, or “NTPD” or industrial vendors’ names Security Landscape
  • 7. Executive Order for Improving Cyber Security Executive Order 13636: “Improving Critical Infrastructure Cybersecurity”  Information Sharing  Privacy  Adoption of cyber security practices Security Landscape
  • 8. Confidential Continuous Reporting of ICS Vulnerability  Industrial control system devices are not always updated with the latest vulnerability patch Security Landscape
  • 9. Confidential NIST Published Final ICS Cybersecurity Guidelines http://csrc.nist.gov/publications/nistpubs/800-82/SP800-82-final.pdf Security Landscape
  • 10. Unique Challenges Industrial Control Systems Confidential
  • 11. Types of Incidents ICS May Face  Blocked or delayed flow of information through ICS networks which could disrupt ICS operation  Unauthorized changes to instructions, commands, or alarm thresholds, which could damage, disable, or shut down equipment, create environmental impacts, and/or endanger human life  Inaccurate information sent to system operators, either to disguise unauthorized changes, or to cause the operators to initiate inappropriate actions, which could have various negative effects  ICS software or configuration settings modified, or ICS software infected with malware, which could have various negative effects  Interference with the operation of safety systems, which could endanger human life. Confidential Industrial Challenges
  • 13. Industrial Protocols are Difficult to Secure  Deep Packet Inspection of Modbus TCP Confidential Industrial Challenges
  • 14. Confidential Industrial Firewall vs. Enterprise Firewall
    Target Devices: Industrial-grade: RTU, PLC & DCS, critical industrial devices; SCADA system, control network. Enterprise-grade: computers, data servers; preventing viruses from affecting PCs.
    Operating Environment: Industrial-grade: high EMC/EMI/surge environment; fanless, high temperature; dust-proof/shock-proof; works with industrial 24 VDC power supply. Enterprise-grade: common IT environment with air conditioning.
    Content filtering: Industrial-grade: IP filtering/port filtering; industrial automation protocols, e.g. Modbus/TCP, PROFINET, EtherNet/IP, Foundation Fieldbus, LonWorks. Enterprise-grade: IP filtering/port filtering; HTTP, email, POP, SMTP; MSN, Skype, Facebook, games...
    Industrial Challenges
  • 15. Confidential Industrial Security Concerns PLC/IO Network Control Network Field Site / Factory Control Room Attack from public network Unauthorized connection Malfunctioning PLC Broadcast Storm • VPN function for data encryption • VPN server for dynamic remote access • Standard protocols: IPSec, L2TP, PPTP • Protect critical devices (PLC, RTU, DCS) from unauthorized connections • Isolate broadcast packets from a malfunctioning device from the rest of the network VPN tunnel Firewall Industrial Challenges
  • 17. Confidential TSA Published Pipeline Security Guidelines (2011) https://www.tsa.gov/sites/default/files/assets/pdf/Intermodal/tsa_pipeline_sec_guideline_april2011.pdf Standards
  • 18. Confidential Standards for Industrial Automation Industrial Control System ISA / IEC 62443 Power Industry NERC CIP V5 Standards
  • 19. Confidential What’s ISA /IEC 62443? For Network System: • Secure Zones and Conduits For Network Equipment: • Technical security requirement Standards
  • 21. Confidential Defense-In-Depth Strategy Principle #1 Defense on multiple fronts - @Network Perimeter - @Edge device Principle #2 Layered Defense - 1: Detection - 2: Remediation - 3: Prevention Best Practices
  • 22. Confidential Cyber Security Implementation in Automation Network  Employ a security life cycle process • Assessment of threats • Implementation of countermeasures and verification • Monitoring and Maintenance  Network segmentation • Breaking down the network into physical or logical zones with similar security requirements  Define the zone to zone interaction • Device requirements • Identification of allowed traffic over conduits • Requirements of safe communication Best Practices
  • 23. Confidential Cyber Security Implementation at Edge Devices  Authentication • Use centralized user management • RADIUS and TACACS+ authentication  Authorization • Only authorized devices can be connected • Disable any unused ports • 802.1X • MAC address control at port  Data Integrity and Encryption • Use HTTPS, disable HTTP • Use SSH, disable Telnet • Use SNMPv3, disable SNMPv1/v2 Best Practices
  • 24. Confidential How to Secure Zones and Conduits (example) (IEC 62443-3-2) Firewall and VPN ensure the Industrial Control System meets the security requirements for zones and conduits • Firewall: control traffic flow between zones • VPN: encrypt sensitive control data in conduits Define Zones Define Conduits Traffic Control Data Encryption Best Practices
  • 25. Confidential Industrial Firewall and VPN Solution in Plant Network 25000 FPS Throughput Firewall between different function zones 70 Mbps Throughput VPN tunnels between function zones 10000 FPS Throughput Firewall between devices to isolate the unnecessary traffic 17 Mbps Throughput VPN tunnel between end device and supervisory controller 40000 FPS Throughput Firewall between enterprise network and plant network 150 Mbps Throughput VPN gateway connecting uplink back to enterprise control center Firewall VPN Enterprise security system Best Practices
  • 26. Confidential Transparent Firewall made ICS Cybersecurity Easy  No network change required  Add into live network without disruption  Aim at industrial protocols  5-Step visualized setting wizard In-Cell Network Protection 10.0.0.1 10.0.0.2 10.0.0.3 10.0.0.4 Best Practices
  • 27. Confidential Real-Time Intrusion Detection Local DB Detection Remediation Prevention 3rd Party SIEM Best Practices
  • 28. Confidential Modbus TCP Filtering (Deep packet inspection) Filtering Modbus Protocol: 1. Function code 2. Access address range 3. Device ID Best Practices
  • 30. Confidential Manufacturing >> Country: U.S. Network Traffic Isolation for Semiconductor Clean Room Equipment  EDR-810 provided support for 7 ports at the WAN interface for connecting to different systems  Easy integration into equipment due to industrial design of power and DIN-rail installation  Reliable & stable for mission-critical manufacturing Why Moxa?  Isolate broadcast traffic from the external network to critical laser equipment  Required a firewall with the ability to connect to multiple WANs  Need an easy way to manage the secure router configuration for over 100 stations Background & Requirements
  • 31. Confidential Oil and Gas >> Country: U.S. Secured Remote Monitoring of Gas Transmission Stations along a Pipeline  EDR-G903 provides high-performance VPN up to 150 Mbps for large amounts of data acquisition  EDR-G903 provides up to 350 NAT rules for all 100 stations with a single configuration file for easy management  Built-in Modbus TCP deep packet inspection to provide protection for unsecured Modbus communication Why Moxa?  Gas stations are built along a pipeline over thousands of miles and require an efficient and easy way of monitoring  This system utilizes public networks (satellites and 3G/4G) for remote gas analyzer data acquisition and requires a secured tunnel between gas station and control center  Need an easy way to manage the secure router configuration for over 100 stations Background & Requirements
  • 32. Thank You © 2013 Moxa Inc. All rights reserved.

Editor's Notes

  1. Thank you Marty. Here is the agenda for today’s webinar. We will begin by reviewing the cyber security landscape in today’s internet of things era, then we’ll jump into some unique challenges for industrial automation. From there we will begin to discuss some of the standards that have emerged around industrial cyber security and get into some best practices. Finally we will wrap up with a few case studies then get to the Q&A. As we go through today’s presentation, please use the Q&A box on the right sidebar to ask any questions you may have.
  2. The IoT or Internet of Things refers to devices, systems and services communicating with each other via the internet to enable smarter operations and new applications. The IoT spurred terms such as Intelligent Cities, Intelligent Highways and Intelligent or Smart Factories. But what does that all really mean? Let’s look at an example that many of you may relate to. For years now, many Department of Transportation Agencies have used traffic cameras and ground sensors to monitor traffic and road conditions on our major highways. These systems were typically private networks accessible only to agency personnel at regional control centers. Through the Internet of Things, many of these sensors, cameras and the data they create are now accessible via the internet. The accessibility of this data has spurred the development of applications and services to provide better information to municipalities and drivers alike. In the past, the video and road sensors on a highway could allow someone in a control center to detect an accident and dispatch emergency services. Now, those same video cameras, sensors and other data can be shared securely over the internet to allow local municipalities to more efficiently reroute traffic on surface streets near the accident and even alert drivers through their vehicle navigation systems or cell phones that there is an accident ahead and calculate a route around the trouble.
  3. Industrial engineers are becoming more aware of the importance of network security in today’s industrial systems. Attacks on industrial control systems are becoming more commonplace. The availability of industry specific search engines, which can reveal systems to anyone interested, has made it easier to target vulnerable systems. Years ago, networks that were not connected to a public network were considered “safe”. Today these networks are inter-connected and the challenge is how to make them secure. This has caused industrial engineers to go back and secure existing systems as well as re-think their network deployment strategy. This webinar will address some of these topics as well as provide best practices in securing industrial networks.
  4. Cybersecurity has long been a concern at the enterprise level, but we have seen a dramatic increase in the number and frequency of attacks on critical infrastructure and manufacturing. These attacks come not only from malicious external hackers but from internal sources as well.
  5. As I talk to executives, managers and engineers about industrial cyber security, one of the statements I continue to hear is "None of our SCADA or ICS equipment is accessible from the Internet." Many are surprised to find that they are more vulnerable than they thought. Project SHINE (SHINE meaning SHodan INtelligence Extraction) was developed to extract information about the existence of SCADA and ICS devices accessible from the Internet. The project uses an existing online search engine called SHODAN that scans the Internet looking for attached devices. Those devices can be computers, printers, switches, PLCs, SCADA RTUs, etc.: anything with an IP address. To date, Project SHINE has uncovered over 1 million connected SCADA & ICS devices and continues to find new ones at a rate of 2,000-8,000 per day. The point is that many more devices are connected than most people believe, and if a simple search engine can see them, so can the bad guys.
  6. In response to the growing number of attacks on critical infrastructure and the prevalence of tools like Shodan, the US government felt the need to weigh in on the subject. On February 12, 2013, President Obama signed Executive Order 13636, “Improving Critical Infrastructure Cybersecurity.” The Executive Order is designed to increase the level of core capabilities for our critical infrastructure to manage cyber risk. It does this by focusing on three key areas: (1) information sharing, (2) privacy, and (3) the adoption of cybersecurity practices.
  7. To address information sharing, the Department of Homeland Security has formed ICS-CERT or the “Industrial Control Systems Cyber Emergency Response Team”. ICS-CERT collaborates with international and private sector Computer Emergency Response Teams (CERTs) to share control systems-related security incidents and mitigation measures. ICS-CERT Alert is intended to provide timely notification to critical infrastructure owners and operators concerning threats or activity with the potential to impact critical infrastructure computing networks.
  8. To help in the adoption of cyber security best practices, the National Institute of Standards and Technology released their Guide to Industrial Control Systems Security paper in 2014. This document provides guidance for establishing secure industrial control systems (ICS). These ICS, which include supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other control system configurations such as skid-mounted Programmable Logic Controllers (PLC), are often found in the industrial control sectors.
  9. Initially, ICS had little resemblance to traditional information technology (IT) systems in that ICS were isolated systems running proprietary control protocols using specialized hardware and software. As these industrial networks converge and become connected to enterprise level systems and the internet, there are some unique challenges in providing security while maintaining critical functionality.
  10. It is important to realize that the types of threats and consequences of a breach can be very different than in traditional enterprise level security breaches. Simply delaying the flow of information in an ICS could disrupt the operation of an entire production process or line. Unauthorized changes to instructions, device configurations or operator information could result in damaged, disabled or shut down equipment. In addition to the cost to repair, lost profits and typical costs associated with a breach, there can also be environmental impacts and even the endangerment of human life.
  11. Additionally, the equipment used in industrial control systems has to be able to operate reliably in harsh industrial environments. Enterprise equipment is typically designed to operate in air conditioned server rooms where the environment is closely controlled to optimize the function and reliability of the IT equipment. Industrial equipment is often found out on the factory floor, where it is subject to extreme temperatures, shock and vibration, electromagnetic noise and even pollution.
  12. Furthermore, many of the industrial protocols were never designed with the idea that they would be connected to the outside world, and so they don’t have robust security built into the protocols. While enterprise-level security devices typically filter packets based on IP address or port, industrial devices need to be able to look deeper into the packets, to the commands embedded within the application layer, in order to filter potentially harmful data. They also need to be able to do this without introducing delays in transmission that could cause a malfunction. In the example shown here, an HMI has access to a Modbus TCP device for monitoring purposes. The intent is for the HMI to have read-only access to the device. Since the read/write function codes are embedded at the application layer in a Modbus TCP packet, a traditional firewall will see that the HMI has been granted access to the device but cannot tell if the packet is asking to read or to write data. The write command causes a system failure. With deep packet inspection, information at the application layer is inspected to allow only read access to the device. Any packets attempting to write are discarded.
  13. Just like in enterprise systems, firewalls are an important tool in industrial cybersecurity. Here is a side-by-side comparison of an industrial-grade vs. enterprise-grade firewall. As you can see, the two devices are designed to protect different types of devices. They are designed to operate in different environments and to filter different types of content. It is important to note that an enterprise firewall is likely not going to provide adequate protection for an ICS.
  14. From a practical standpoint, when looking at security for an industrial network, there are two main concerns. Secure remote access to the systems: as plant networks become more dispersed it becomes necessary to provide for remote control or monitoring of critical systems while protecting from unauthorized access. Industrial secure routers use encrypted VPN tunnels to provide easy secure access at a reasonable cost. Critical device protection: in a production environment, not only do you need to protect critical devices from unauthorized access, but you also need to protect the network from other devices on the network. For example, a malfunctioning PLC, if not properly isolated, could easily broadcast enough traffic to bring down the entire network. Industrial firewalls can provide the proper protection and isolation necessary. These firewalls are specifically designed to filter the types of traffic harmful to industrial networks. They are also designed to be installed without having to reconfigure the rest of your network.
  15. In our discussions with controls engineers, a question that comes up a lot is what standards exist governing cybersecurity for industrial control systems. Depending on what industry you are in, there are a couple.
  16. If you are in the oil & gas industry and you are securing pipeline systems, you should note that the TSA governs pipeline security guidelines since, technically, a pipeline is transporting oil or gas. Detailed information about those guidelines can be found at the TSA website.
  17. If you are in the power industry, the North American Electric Reliability Corporation standards, or NERC-CIP V5, will be the one you want to look at. For most of us, though, ISA or IEC 62443 will be the standard we look to for securing industrial control systems. I’ll go into this one a little deeper in the coming slides.
  18. The International Society of Automation (ISA) worked on defining security standards for several years resulting in ISA99: Security for Industrial Automation and Control Systems, the first parts of which have been approved by the American National Standards Institute (ANSI). In 2010, the standards were renumbered to be the ANSI/ISA-62443 series. This change was intended to align the ISA and ANSI document numbering with the corresponding International Electrotechnical Commission (IEC) standards. ISA/IEC-62443 is a series of standards, technical reports, and related information that define procedures for implementing electronically secure Industrial Automation and Control Systems (IACS). This is an overview of the 14 components of the standard. While this is rather complex, with a lot of moving parts, processes and policies, I’ve tried to boil it down to some practical first steps. Keep in mind that security is an ongoing process or a lifestyle if you will. The following slides will outline some initial areas to look at to do an initial assessment of your risks.
  19. So now that we have some understanding of the risks, unique challenges and standards around securing industrial control systems, let’s look at some best practices.
  20. When experts talk about cyber security best practices, they often refer to a defense-in-depth strategy. From an industrial standpoint, I’ve broken this down into two main principles. The first is to defend multiple fronts or access points. Start by looking at the existing data lines into the network and set up defenses to keep unwanted traffic from flowing through those connections. Also look at physical access points at edge devices. Are there unused network ports that someone could plug into and access the network? The second principle is a layered defense. The more check points someone has to go through to access critical infrastructure, the more opportunities you have to detect an intrusion, cut off their access and set up prevention measures to keep the intrusion from happening again.
  21. Think of cyber security as an ongoing continuous improvement cycle. To stay secure, you need to be constantly assessing threats, implementing countermeasures, monitoring and reassessing. At first, you will likely make big improvements in your level of security, but as you begin to uncover and fix the vulnerabilities in your network, the improvements will likely become less involved, often consisting of security patches for your devices. Another successful tactic is to segment your network into physical or logical zones with similar security requirements, then clearly defining the necessary interactions between those zones and restricting unnecessary traffic and access.
  22. Controlling physical access at edge devices is an often overlooked precaution. An open Ethernet may look inviting to someone looking for quick access to the internet, but could be devastating to your industrial control network. Utilize centralized user management to authenticate users and devices connecting to the network and only allow authorized devices to connect. Consider using Mac address control on edge ports and disable any unused ports. Finally, use data encryption to protect data in the event it is intercepted during transmission.
23. So let's bring some of this together into a simple example. Here we have three separate plants in a manufacturing complex. Each has been defined as a separate zone and the necessary network interactions have been defined between these zones. Industrial firewalls are then used to restrict the network traffic between these zones to only the traffic that has been deemed necessary, and the conduits between the zones are encrypted using VPN tunnels.
24. If we drill down into one of those plants we can see that it is further broken down into smaller zones with clearly defined points of interaction between them. Multiple levels of firewalls are used to contain network traffic within each zone while allowing defined interactions between zones.
25. In a typical layered approach, it is common to see firewalls at the site, zone and cell level. If you were to look at how typical firewalls require you to set up different subnets on either side of each firewall, you could easily find yourself with a very complex network that needed a lot of reconfiguration. Luckily another feature of industrial firewalls is the transparent firewall, or bridge mode, feature. This allows you to put a firewall between any two devices, cells, zones or sites without having to reconfigure your subnets.
26. As we mentioned earlier, detection is a critical part of a defense in depth strategy. It is the beginning point for your cybersecurity continuous improvement process. Many enterprise IT professionals rely on Security Information & Event Management (SIEM) software to collect and analyze detected attempts to breach their systems. In an industrial control system, this data can be fed directly into enterprise SIEM systems, but the industrial devices themselves should also have the capability for real-time intrusion detection and alerts so that action can be taken to protect critical infrastructure before an intrusion is successful.
27. Finally, a firewall is only effective if it can filter out the harmful traffic. In industrial control systems, firewalls must be able to look deeper into the application layer data within the packets in order to effectively protect your systems. This "Deep Packet Inspection" allows you to set up firewall rules at this level to ensure you are catching all of the potentially harmful traffic.
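As an added example (not part of the original presentation, and not any vendor's product), here is a small real-time detector in Python that runs over constructed firewall log lines of the kind a zone or cell firewall would emit. It flags a source that is denied on many distinct destination ports within a minute (a scan against the cell) and any blocked Modbus write, and renders each alert as a CEF line that an enterprise SIEM can ingest. The log format, host names, addresses, the "reason=" field and the thresholds are all assumptions made for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in a syslog-like format assumed for this example;
# real industrial firewalls each use their own log format.
SAMPLE_LOGS = """\
2014-06-10T10:00:01Z fw-cell3 DENY src=10.20.30.7 dst=192.168.3.10 proto=tcp dport=22
2014-06-10T10:00:02Z fw-cell3 DENY src=10.20.30.7 dst=192.168.3.10 proto=tcp dport=23
2014-06-10T10:00:02Z fw-cell3 DENY src=10.20.30.7 dst=192.168.3.10 proto=tcp dport=80
2014-06-10T10:00:03Z fw-cell3 DENY src=10.20.30.7 dst=192.168.3.10 proto=tcp dport=443
2014-06-10T10:00:04Z fw-cell3 DENY src=10.20.30.7 dst=192.168.3.10 proto=tcp dport=502
2014-06-10T10:00:05Z fw-cell3 ALLOW src=192.168.3.20 dst=192.168.3.10 proto=tcp dport=502
2014-06-10T10:05:00Z fw-cell3 DENY src=192.168.3.20 dst=192.168.3.10 proto=tcp dport=502 reason=modbus-write-blocked
2014-06-10T10:30:00Z fw-cell3 DENY src=10.20.30.9 dst=192.168.3.11 proto=udp dport=161
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<fw>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\S+) dport=(?P<dport>\d+)(?: reason=(?P<reason>\S+))?$"
)

SCAN_WINDOW = timedelta(seconds=60)  # sliding window per source (assumed threshold)
SCAN_PORTS = 5                       # distinct denied destination ports that count as a scan

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["dport"] = int(ev["dport"])
    return ev

def detect(lines):
    """Return a list of (alert_type, source, detail) for events that warrant immediate action."""
    alerts = []
    recent = defaultdict(deque)  # src -> deque of (timestamp, dport) for recent DENY events
    already_flagged = set()      # sources already reported as scanning, to avoid repeats
    for raw in lines:
        ev = parse_line(raw)
        if ev is None or ev["action"] != "DENY":
            continue
        # A blocked Modbus write from inside the zone is a single-event alert:
        # a device that should only read just tried to change process state.
        if ev.get("reason") == "modbus-write-blocked":
            alerts.append(("MODBUS_WRITE_BLOCKED", ev["src"], f"dst={ev['dst']}"))
        window = recent[ev["src"]]
        window.append((ev["ts"], ev["dport"]))
        while window and ev["ts"] - window[0][0] > SCAN_WINDOW:
            window.popleft()         # drop denies older than the sliding window
        ports = {port for _, port in window}
        if len(ports) >= SCAN_PORTS and ev["src"] not in already_flagged:
            already_flagged.add(ev["src"])
            alerts.append(("PORT_SCAN", ev["src"], f"cnt={len(ports)} window={SCAN_WINDOW.seconds}s"))
    return alerts

def to_cef(alert):
    """Render an alert as a Common Event Format (CEF) line for SIEM ingestion:
    CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension."""
    kind, src, detail = alert
    return f"CEF:0|Example|ICSDetector|1.0|{kind}|{kind}|8|src={src} {detail}"

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS.splitlines()):
        print(to_cef(alert))
```

Feeding the same lines to the SIEM and keeping this kind of logic on the plant side gives you both: the enterprise view for correlation and trend analysis, and a local alert that fires while the scan is still in progress.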
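To make the zone, conduit and deep packet inspection ideas from slides 23 through 27 concrete, here is an added Python example; it is not code from the presentation or from any firewall product. It maps addresses to zones, consults a default-deny conduit table, and for Modbus TCP conduits parses the MBAP header and function code so that a historian in the enterprise zone can read registers from a cell but cannot write to them, while the HMI in the supervisory zone can do both. Zone names, address ranges, the conduit table and the sample frames are assumptions made for the example; the Modbus function codes and header layout are from the public Modbus specification.

```python
import ipaddress
import struct

# Zones and address ranges are assumptions for this example, mirroring the
# plant-level zoning described above: business network, SCADA/HMI, one production cell.
ZONES = {
    "enterprise": ["10.0.0.0/8"],
    "supervisory": ["192.168.1.0/24"],
    "cell_a": ["192.168.10.0/24"],
}

# Modbus function codes from the public Modbus application protocol specification.
MODBUS_READ_FC = {1, 2, 3, 4}          # read coils, discrete inputs, holding and input registers
MODBUS_WRITE_FC = {5, 6, 15, 16, 23}   # write single/multiple coils and registers, read/write multiple

# Conduits: (src zone, dst zone, proto, dport, permitted Modbus function codes, or None for
# no application-layer check). Anything not listed here is denied (default deny).
CONDUITS = [
    ("supervisory", "cell_a", "tcp", 502, MODBUS_READ_FC | MODBUS_WRITE_FC),  # HMI may read and write
    ("enterprise", "cell_a", "tcp", 502, MODBUS_READ_FC),                    # historian may only read
]

def zone_of(ip):
    """Return the zone name containing ip, or None if it belongs to no defined zone."""
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in ipaddress.ip_network(net) for net in nets):
            return name
    return None

def parse_modbus_tcp(payload):
    """Parse the 7-byte MBAP header and the function code of a Modbus TCP request.
    Returns (unit_id, function_code), or None if the frame is malformed."""
    if len(payload) < 8:
        return None
    _tid, proto_id, length, unit_id = struct.unpack(">HHHB", payload[:7])
    if proto_id != 0:                 # protocol identifier is always 0 for Modbus
        return None
    if length != len(payload) - 6:    # length field covers unit id + PDU
        return None
    return unit_id, payload[7]

def decide(src_ip, dst_ip, proto, dport, payload=b""):
    """Firewall decision for one packet: returns ('ALLOW' | 'DENY', reason)."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone is None or dst_zone is None:
        return "DENY", "unknown-zone"
    if src_zone == dst_zone:
        return "ALLOW", "intra-zone"   # a bridge-mode firewall inside a cell would use finer zones
    for s, d, p, port, fcs in CONDUITS:
        if (s, d, p, port) != (src_zone, dst_zone, proto, dport):
            continue
        if fcs is None:
            return "ALLOW", "conduit"
        parsed = parse_modbus_tcp(payload)   # deep packet inspection of the Modbus PDU
        if parsed is None:
            return "DENY", "modbus-malformed"
        _unit, fc = parsed
        if fc in fcs:
            return "ALLOW", f"modbus-fc{fc}"
        return "DENY", f"modbus-fc{fc}-not-permitted"
    return "DENY", "no-conduit"

# Constructed Modbus TCP frames: read holding registers (FC 3) and write single register (FC 6).
READ_REQ = struct.pack(">HHHBBHH", 1, 0, 6, 1, 3, 0, 10)    # unit 1, start 0, 10 registers
WRITE_REQ = struct.pack(">HHHBBHH", 2, 0, 6, 1, 6, 1, 100)  # unit 1, register 1 := 100

if __name__ == "__main__":
    for args in [
        ("192.168.1.5", "192.168.10.20", "tcp", 502, WRITE_REQ),   # HMI write: allowed
        ("10.1.2.3", "192.168.10.20", "tcp", 502, READ_REQ),       # historian read: allowed
        ("10.1.2.3", "192.168.10.20", "tcp", 502, WRITE_REQ),      # historian write: denied by DPI
        ("10.1.2.3", "192.168.10.20", "tcp", 22, b""),             # SSH into the cell: no conduit
        ("10.1.2.3", "192.168.10.20", "tcp", 502, b"\x00\x01"),    # truncated frame: denied
    ]:
        print(args[:4], decide(*args))
```

The point of the last two cases is the difference between a port-level rule and deep packet inspection: a plain port-502 allow would have let the historian's write through, and a frame that does not parse as Modbus is dropped rather than forwarded on the assumption that it is harmless.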
28. So we've talked about some theory and general application, now let's wrap things up with a couple of real life examples to bring these concepts together.
29. In this case, a semiconductor manufacturer had well over 100 laser equipment stations that required real-time communication within the station as well as relying on communication with multiple wide area networks. It was critical that broadcast traffic from one station did not interfere with the others. Industrial firewalls were used to allow these secure connections to the wide area networks while isolating the broadcast traffic within each station. With so many firewalls in use, simple configuration was also a key feature. Overall, they were able to provide a reliable and stable network for their mission critical application.
30. In this gas pipeline application, stations were strung out over thousands of miles, yet needed to be connected back to a centralized control center. Due to the distances involved, dedicated network connections were not an option and so public networks needed to be used to connect the individual stations back to the control center and to each other. The Modbus TCP industrial protocol was in use at the stations. Industrial secure routers were used to provide firewall protection with deep packet inspection as well as secure VPN connections to encrypt data going over public network connections.
31. Hopefully I was able to give you a basic understanding of some industrial cybersecurity principles and best practices today. At this point it looks like we have some questions that have been sent in. If you have any questions please feel free to type them in the Q&A area and I'll answer as many of them as possible in the time allotted. Marty, what questions do we have?