Лучшие практики по защите IoT и ICS/SCADA
•
1 gefällt mir•259 views
Сегментация сети на уровне L2 используя Palo Alto Networks
Empfohlen
Weitere ähnliche Inhalte
Was ist angesagt?
Was ist angesagt? (20)
Ähnlich wie Лучшие практики по защите IoT и ICS/SCADA
Ähnlich wie Лучшие практики по защите IoT и ICS/SCADA (20)
Mehr von Denis Batrankov, CISSP
Mehr von Denis Batrankov, CISSP (8)
Лучшие практики по защите IoT и ICS/SCADA
- 1. Лучшие практики по защите IIoT Денис Батранков консультант по информационной безопасности Palo Alto Networks
- 2. Кофемашина заразилась криптолокером и заразила все системы мониторинга у химического завода • https://www.reddit.com/r/talesfromtechsupport/comment s/6ovy0h/how_the_coffeemachine_took_down_a_factori es/ Ignite 2017 2
- 3. Рассмотрим основные проблемы Shadow IT – недостаточно ясно какие устройства и приложения работают в сети Пользователи не будут никогда следовать правилам безопасности Контроль безопасности традиционными средствами не решается Ignite 2017 3
- 4. Результаты исследования Burwood Group IIoT Какие шаги предпринимает ваша организация для минимизации угроз устройств IIoT? Какие основные проблемы когда мы сталкиваемся с безопасностью IIoT? 4Ignite 2017
- 5. Шаги по безопасности IIoT 5Ignite 2017 Asset Inventory Network Monitoring Security Implementation
- 6. Ignite 2017 6 Top 20 Critical Security Controls for Cyber Security
- 7. Шаги по безопасности IIoT – Asset Inventory 7Ignite 2017 Address SANS Controls 1 & 2 Identify IT & OT devices to plan for physical separation of business and process devices Network scans to understand plant network topology • Layer 3, Layer 2, Layer 1
- 8. Asset Inventory Case Study • Разделить бизнес приложения и PCN • Больше сегментации в сетях • Установить мониторинг на свитчах • Нужны изменения в схеме VLAN Ignite 2017 8
- 9. Шаги по безопасности IIoT – Network Monitoring 9Ignite 2017 Network scans to understand plant network topology • Layer 3, Layer 2, Layer 1 Implement Palo Alto Networks firewalls for visibility only • Tap Mode • Layer 3 Install with “any-any” policy Monitor log data • Panorama • SIEM
- 10. Шаги по безопасности IIoT • Понимать о чем общаются между собой PLC, HMI и другие. – мало кто из обычных ИТ админов разбирается • Исследовать топологию • Создать диаграммы Ignite 2017 10
- 11. Corporate Workstations Data Center Enterprise Services Email Business Workstation Patch Web Jump HMI Historian Engineering Application File Server WD Network Isolation Разделите корпоративную сеть и DMZ Шаги по безопасности IIoT Ignite 2017
- 12. Corporate Workstations Data Center Enterprise Services Email Business Workstation Patch Web Jump HMI Historian Engineering Application File Server WD Network Isolation Разделите корпоративную сеть и DMZ Разделите DMZ и PCN Изолируйте системы внутри Шаги по безопасности IIoT Ignite 2017
- 13. VLAN Insertion Case Study Ignite 2017 13
- 14. VLAN Insertion: Method 1: Несколько интерфейсов Физически расположите NGFW между устройствами VLAN A VLAN B Host A 192.168.1.1/24 Host B 192.168.1.2/24 NGFW Выгода Не нужно менять IP адресацияю Идеально как реакция на инцидент уже который был VLAN A VLAN B Host A 192.168.1.1/24 Host B 192.168.1.2/24 Switch NGFW VLAN B VLAN A Минусы Портов не бесконечное число
- 15. Ignite 2017 15 VLAN Insertion Method 2: Один L2 интерфейс HMI PLC 192.168.1.1/24 192.168.1.2/24 VLAN 1VLAN 1 Switch Figure 1 Figure 1: Типичная плоская есть в среде ICS TRUN K VLAN A VLAN B Host A 192.168.1.1/24 PLC 192.168.1.2/24 Switch NGFW Figure 2 Рисунок 2: Диаграмма после реализации VLAN Insertion • Два хоста по прежнему в одной IP подсети • Хосты разделены в разные VLANы • Трафик маршутизируется на L2 уровне через NGFW и NGFW меняет 802.1q теги
- 16. To Zero-Trust Segmentation Делаем сегментацию zero trust?
- 17. Layer 3 switch Access Switch Access Switch Access Switch Access Switch Business Computer Historian HMI VLAN 1 PLC INTERNET VLAN Insertion: Method 2 продуктивна сеть • Плоская сеть 192.168.10.0/24 • Управляемые свитчи • Все что нужно предприятию в сети есть, но многие системы просят доступ в Интернет Формулировка проблемы: • Несмотря на усилия администраторов системы управления постоянно заражаются вирусами
- 18. Layer 3 switch Access Switch Access Switch Access Switch Access Switch Business Computer Historian HMI VLAN 1 PLC INTERNET VLAN Insertion: Method 2 Production Plant • Desired Segmentation • Customer wants Business machine isolated out from rest of the plant with access granted based on network id and just to the Historian • Customer also wants HMI, PLCs, and remote Field network devices separated so that controlled access can be enforced on a per device basis
- 19. 19 | © 2015, Palo Alto Networks. Confidential and Proprietary. To Zero-Trust Segmentation From zero segmentation
- 20. How it was done – Switch Fabric On the switches • Determine what VLANS are available. • Define VLANS on switches. • Assign Zones or Enclaves to each VLAN. • Configure TRUNK port to connect NGFW. • Configure switches to account for route loop prevention where needed.
- 21. How it was done - NGFW On the NGFW • Connect port from NGFW to assigned TRUNK port on switch • Configure the interface as either a Layer 2 or Vwire interface • Create sub-interfaces for each needed VLAN created on switch fabric • Create Zones for each VLAN and assign to sub-interfaces • Create a New VLAN under the VLANs section and assign sub- interfaces to it • Under policies define zone access criteria and commit
- 22. Layer 3 switch Access Switch Access Switch Access Switch Access Switch Business Computer Historian HMI TRUNKS PLC Zone: L3.5 Zone: PLC Zone: SCADA Zone: PLANT-HMI Figure 7: Logical Diagram: Post VLAN Insertion INTERNET VLAN 6 VLAN 7 VLAN 8 VLAN 9 VLAN 10 После внедрения VLAN Что мы добились • Не потребовалась смена адресного пространства • Минимальное время настройки • Включается визуализаций соединений внутри сети • Четкое разделение сегментов в компании • Каждую отдельную зону теперь накрывает: • Антивирус • Anti-Spyware • IPS • URL фильтр • Контроль передачи файлов по типам • DLP • DoS защита • QoS • Визуализация • User-ID • Инспекция всех уровней модели OSI ISO • Быстрее выявить и заблокировать угрозы внутри сети • Возможно управлять сегментами как единым целым или как разными по функционалу. NGFW
- 23. Шаги по безопасности IIoT – Security Implementation 23Ignite 2017 Implement Security Controls Implement Access Restrictions
- 24. Шаги по безопасности IIoT – Security Implementation Address Endpoint Security and Vulnerabilities After installing Palo Alto Networks firewalls, implement Threat Prevention and WildFire Continue monitoring logs. Slowly create access restrictions 24Ignite 2017
- 25. Шаги по безопасности IIoT – Security Implementation • This is a matter of tolerance • When deploying TreatPrevention, Wildfire and Traps in OT – Alerting vs. Blocking • Signature update process – Delay internal signature updates – Leverage ICS-specific threat signatures • TP, WF, and AF Ignite 2017 25
- 26. Steady State Quarterly Review: - Re-occurring Health-checks - New Feature implementations - Continuous Monitoring Convert to App-ID Project Work: - SSL Decryption - Review policies and logs - Convert to app-id - Create custom applicationsSecurity Cleanup and Management Review and Configure: - Firewall Policy Creation - Firewall documentation - Panorama logging - Panorama management Utilize Security Suite Configuration: - Content ID - Threat Prevention - WildFire - URL Filtering - User ID - Global Protect Security StatefulInspectionNext-Generation Security Visibility Install Visibility Project Work: - Discover Current State - Migrate/Install NGFW - Design Migration Plan - Migrate/Cutover - Test and Validate Burwood Group Lifecycle Ignite 2017
- 27. Лучшие методики защиты IIoT готовыми средствами Визуализация приложений – инспектируем Layer 7 Сегментация сети Zero-Trust– ISA 62443 Современные средства предотвращения zero-day атак Защитите мобильных сотрудников и среду виртуализации Объедините разные платформы ИБ в единую систему 29Ignite 2017
- 28. Palo Alto Networks Next-Generation Threat Cloud Palo Alto Networks Next-Generation EndpointPalo Alto Networks Next-Generation Firewall Next-Generation Firewall Инспекция трафика Контроль приложений и пользователей Защита от угроз 0-ого дня Блокировка угроз и вирусов на уровне сети Next-Generation Threat Cloud Анализ подозрительных файлов в облаке Распространение сигнатур безопасности на МЭ Next-Generation Endpoint Инспекция процессов и файлов Защиты от известных и неизвестных угроз Защиты стационарных, виртуальных и мобильных пользователей Интеграция с облачной защитой от угроз Palo Alto Networks представляет платформу защиты
Hinweis der Redaktion
- Primary Presenter: Lionel
- Primary Presenter: Justin Inability to apply security controls through traditional security measures: Endpoint and network
- Primary Presenter: Justin Discuss approach being taken (or already applied to secure IIoT devices) Burwood involvement in these projects First step on all accounts to focus on segmentation being easier than endpoint and analytics.
- Primary Presenter: Justin Big emphasis on the asset inventory. Discuss how the manufacturing networks are not well designed. Devices are connected based on need and not based on best practices. Occasionally took manual intervention to find devices and determine which network they should be on. This takes time but it is worth it
- Primary Presenter: Justin Process Control Network (PCN) Operational Technology (OT) refers to computing systems that are used to manage industrial operations Big emphasis on the asset inventory. Discuss how the manufacturing networks are not well designed. Devices are connected based on need and not based on best practices. Occasionally took manual intervention to find devices and determine which network they should be on. This takes time but it is worth it. Hand-off to Lionel
- Primary Presenter: Justin Process Control Network
- Primary Presenter: Justin Big emphasis on the asset inventory. Discuss how the manufacturing networks are not well designed. Devices are connected based on need and not based on best practices. Occasionally took manual intervention to find devices and determine which network they should be on. This takes time but it is worth it
- SCADA represents the entire central system which includes / communicates with the following components: Input/Output (IO) Devices Remote Terminal Units (RTU) Programmable Logic Controller (PLC) Communication network Supervisory System Human Machine Interface (HMI) Process Control Network (PCN)
- Primary Presenter: Justin Phased approach to the implementation after the monitoring phase. This slide represents the most simple way to insert a firewall between the business network and the ENTIRE plant network. Some cases this was sufficient and didn’t take much time. Policy is not granular. Minimal impact to production….keep in mind this once the inventory is known
- Primary Presenter: Justin Purdue model approach is the ultimate goal based on ease of accessing the PCN without security concerns Some cases we can implement this right away based on the size of the plant, downtime, etc. In most cases this is the next step to be taken after the simple segmentation is complete Hand off to Lionel Process Control Network (PCN)
- Primary Presenter: Lionel
- Primary Presenter: Lionel
- Primary Presenter: Lionel The largest subgroup of ICS is SCADA Industry Control System
- Primary Presenter: Lionel
- Primary Presenter: Lionel These machines are continually being configured to surf both the intra and internet by local users. These machines have a common shared password and user-id making it difficult to determine responsible party
- Primary Presenter: Lionel
- Primary Presenter: Lionel
- Primary Presenter: Lionel
- Primary Presenter: Lionel
- Primary Presenter: Lionel
- Primary Presenter: Justin Big emphasis on the asset inventory. Discuss how the manufacturing networks are not well designed. Devices are connected based on need and not based on best practices. Occasionally took manual intervention to find devices and determine which network they should be on. This takes time but it is worth it
- Primary Presenter: Justin Not perfect….but a step in the right direction for segmentation We must phase the security in. Something is better than nothing …Focus on making sure we can relate back to this slide in the challenges section Mention use of Splunk for security analytics Outcomes of these steps relate directly back to question one (key concerns): Ability to see traffic and identify active devices Introduce security through Security Profiles Utilize the scans and manual process to inventory devices Utilize the firewall to assist with asset management through logging and SIEM
- Primary Presenter: Justin
- Primary Presenter: Justin Reference 2016 and how this methodology has worked so well. Leave the audience feeling like securing the PCN for IIoT devices is feasible with the right approach
- Primary Presenter: Lionel
- Primary Presenter: Justin Discuss location of devices Cheap networking gear that provides 0 liability Example of digging into a location to find out there are 20-30 switches from Best Buy Discuss issues with vulnerabilities being medium that were blocked and false positives Issues with “PCN within the PCN” – bad terminology but gets the point across Still not entirely addressing the endpoint problem Tee up Lionel for Trustworthiness
- Primary Presenter: Justin
- And that’s what we have built here at Palo Alto Networks. We believe that our next generation platform delivers on this promise, and with this platform, we think and hope that prevention becomes the byword for the battle and it is technically possible and can be continuously improved over time. It is fundamentally built on three leading technologies: The industries leading next-generation firewall, which was just recognized again as a leader in the Gartner Magic Quadrant. Inspects all traffic Safely enables applications Sends unknown threats to cloud Blocks network based threats The most advanced next-generation threat cloud [WildFire, Threat Prevention, URL Filtering] Gathers potential threats from network and endpoints Analyses and correlates threat intelligence Disseminates threat intelligence to network and endpoints The market’s most compelling next-generation endpoint protection Inspects all processes and files Prevents both known and unknown exploits Protects fixed, virtual, and mobile endpoints Lightweight client and cloud based And the result of that is better security at a lower cost for the good guys and less effective attacks at ever increasing costs for the bad guys. Through this security platform we can deliver complete and integrated protection across the kill-chain…
- Primary Presenter: Justin