1. Best practices for protecting IIoT
Denis Batrankov
Information security consultant
Palo Alto Networks
2. A coffee machine got infected with a cryptolocker and infected all the monitoring systems at a chemical plant
• https://www.reddit.com/r/talesfromtechsupport/comments/6ovy0h/how_the_coffeemachine_took_down_a_factories/
Ignite 2017 2
3. Let's look at the main problems
Shadow IT: it is not clear enough which devices and applications are running on the network
Users will never follow security rules
Security control cannot be achieved with traditional means
4. Results of the Burwood Group IIoT survey
What steps is your organization taking to minimize the threats from IIoT devices?
What are the main problems we face with IIoT security?
5. IIoT security steps
• Asset Inventory
• Network Monitoring
• Security Implementation
7. IIoT security steps – Asset Inventory
Address SANS Controls 1 & 2
Identify IT & OT devices to plan for physical separation of business and process devices
Network scans to understand plant network topology
• Layer 3, Layer 2, Layer 1
8. Asset Inventory Case Study
• Separate business applications from the PCN
• More segmentation in the networks
• Set up monitoring on the switches
• Changes to the VLAN scheme are needed
9. IIoT security steps – Network Monitoring
Network scans to understand plant network topology
• Layer 3, Layer 2, Layer 1
Implement Palo Alto Networks firewalls for visibility only
• Tap Mode
• Layer 3 install with an "any-any" policy
Monitor log data
• Panorama
• SIEM
10. IIoT security steps
• Understand what the PLCs, HMIs and other devices are saying to each other.
– few ordinary IT admins understand this
• Investigate the topology
• Create diagrams
11. IIoT security steps: separate the corporate network and the DMZ
[Diagram labels: Corporate Workstations, Data Center, Enterprise Services, Email, Business Workstation, Patch, Web, Jump, HMI, Historian, Engineering, Application File Server, WD Network Isolation]
12. IIoT security steps
Separate the corporate network and the DMZ
Separate the DMZ and the PCN
Isolate the systems inside
[Diagram labels: Corporate Workstations, Data Center, Enterprise Services, Email, Business Workstation, Patch, Web, Jump, HMI, Historian, Engineering, Application File Server, WD Network Isolation]
14. VLAN Insertion, Method 1: several interfaces
Physically place the NGFW between the devices
[Diagram: Host A 192.168.1.1/24 in VLAN A, Host B 192.168.1.2/24 in VLAN B, Switch, NGFW]
Benefits
• No need to change the IP addressing
• Ideal as a response to an incident that has already happened
Drawbacks
• The number of ports is not infinite
15. VLAN Insertion, Method 2: one L2 interface
Figure 1: Typical flat network in an ICS environment [diagram: HMI 192.168.1.1/24 and PLC 192.168.1.2/24 on one switch, VLAN 1]
Figure 2: Diagram after implementing VLAN Insertion [diagram: Host A 192.168.1.1/24 in VLAN A, PLC 192.168.1.2/24 in VLAN B, Switch, trunk to NGFW]
• The two hosts are still in the same IP subnet
• The hosts are separated into different VLANs
• Traffic is forwarded at Layer 2 through the NGFW, and the NGFW rewrites the 802.1q tags
18. VLAN Insertion: Method 2, Production Plant
[Diagram: Layer 3 switch, Access Switches, Business Computer, Historian, HMI, PLC, VLAN 1, INTERNET]
• Desired Segmentation
• Customer wants the Business machine isolated from the rest of the plant, with access granted based on network id and only to the Historian
• Customer also wants HMI, PLCs, and remote Field network devices separated so that controlled access can be enforced on a per-device basis
20. How it was done – Switch Fabric
On the switches
• Determine what VLANs are available.
• Define VLANs on switches.
• Assign Zones or Enclaves to each VLAN.
• Configure TRUNK port to connect NGFW.
• Configure switches to account for route loop prevention where needed.
21. How it was done – NGFW
On the NGFW
• Connect port from NGFW to assigned TRUNK port on switch
• Configure the interface as either a Layer 2 or Vwire interface
• Create sub-interfaces for each needed VLAN created on the switch fabric
• Create Zones for each VLAN and assign to sub-interfaces
• Create a new VLAN under the VLANs section and assign sub-interfaces to it
• Under policies define zone access criteria and commit
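As an added example (not material from the deck, and not Palo Alto Networks code), a small Python model of Method 2 and the switch/NGFW steps above: one trunk, a sub-interface per VLAN bound to a zone, a zone policy, and re-tagging so both hosts stay in 192.168.1.0/24. The VLAN-to-zone binding, the host placement and the policy rows are assumed; only the zone names, VLAN numbers and subnet come from the slides.

```python
import socket
import struct
from typing import Optional

# Lab model of VLAN insertion (Method 2). Assumed/constructed: which VLAN tag
# maps to which NGFW sub-interface zone, where each host sits, and the policy.
SUBIF_ZONE = {6: "L3.5", 8: "SCADA", 9: "PLANT-HMI", 10: "PLC"}  # sub-interface tag -> zone
HOST_VLAN = {"192.168.1.50": 6, "192.168.1.20": 8,              # business PC, historian
             "192.168.1.1": 9, "192.168.1.3": 9, "192.168.1.2": 10}  # HMIs, PLC (same /24)
# Zone policy, evaluated top-down: (from_zone, to_zone, action).
POLICY = [("PLANT-HMI", "PLC", "allow"), ("L3.5", "SCADA", "allow")]

def build_frame(src_ip: str, dst_ip: str, vlan: Optional[int] = None) -> bytes:
    """Constructed Ethernet frame with a minimal IPv4 header; 802.1Q-tagged if vlan is set."""
    tag = struct.pack("!HH", 0x8100, vlan) if vlan is not None else b""
    ip = bytes([0x45, 0]) + struct.pack("!HHHBBH", 40, 0, 0, 64, 6, 0) \
        + socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + b"\x00" * 20
    return bytes.fromhex("020000000002") + bytes.fromhex("020000000001") + tag + b"\x08\x00" + ip

def vlan_of(frame: bytes) -> Optional[int]:
    """VLAN ID from the 802.1Q TCI, or None for an untagged frame."""
    if struct.unpack("!H", frame[12:14])[0] != 0x8100:
        return None
    return struct.unpack("!H", frame[14:16])[0] & 0x0FFF

def forward(frame: bytes):
    """NGFW trunk forwarding: returns (action, frame_out); allowed frames are re-tagged."""
    zone_in = SUBIF_ZONE.get(vlan_of(frame))
    if zone_in is None or frame[16:18] != b"\x08\x00":
        return "drop", None          # untagged, unmapped VLAN or non-IPv4: no sub-interface, no zone
    dst_ip = socket.inet_ntoa(frame[18 + 16:18 + 20])   # IPv4 header starts after the tag
    vlan_out = HOST_VLAN.get(dst_ip)
    zone_out = SUBIF_ZONE.get(vlan_out)
    if zone_out is None:
        return "drop", None          # destination not in the inventory: nowhere to re-tag it
    # Explicit rule first; otherwise PAN-OS style defaults: intrazone allow, interzone deny.
    default = "allow" if zone_in == zone_out else "deny"
    action = next((a for f, t, a in POLICY if (f, t) == (zone_in, zone_out)), default)
    if action != "allow":
        return action, None
    tci = struct.unpack("!H", frame[14:16])[0]
    new_tci = (tci & 0xF000) | vlan_out          # keep PCP/DEI, swap the VLAN ID
    return "allow", frame[:14] + struct.pack("!H", new_tci) + frame[16:]
```

The re-tagging is what lets the hosts keep their old addresses: the frame never leaves the /24, it only changes VLAN on its way back out of the trunk.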
22. After VLAN insertion
Figure 7: Logical Diagram: Post VLAN Insertion [diagram: Layer 3 switch, Access Switches, Business Computer, Historian, HMI, PLC, INTERNET, TRUNKS to the NGFW, VLAN 6 to VLAN 10, Zones: L3.5, PLC, SCADA, PLANT-HMI]
What we achieved
• No change of the address space was required
• Minimal configuration time
• Visibility into connections inside the network is enabled
• Clear separation of segments within the company
• Each separate zone is now covered by:
  • Antivirus
  • Anti-Spyware
  • IPS
  • URL filtering
  • Control of file transfers by file type
  • DLP
  • DoS protection
  • QoS
  • Visibility
  • User-ID
  • Inspection at all layers of the ISO OSI model
• Threats inside the network are detected and blocked faster
• Segments can be managed as a single whole or separately by function.
23. IIoT security steps – Security Implementation
• Implement Security Controls
• Implement Access Restrictions
24. IIoT security steps – Security Implementation
• Address Endpoint Security and Vulnerabilities
• After installing Palo Alto Networks firewalls, implement Threat Prevention and WildFire
• Continue monitoring logs
• Slowly create access restrictions
25. IIoT security steps – Security Implementation
• This is a matter of tolerance
• When deploying Threat Prevention, WildFire and Traps in OT
– Alerting vs. Blocking
• Signature update process
– Delay internal signature updates
– Leverage ICS-specific threat signatures
• TP, WF, and AF
26. Burwood Group Lifecycle (axes: Stateful Inspection to Next-Generation Security; Visibility to Security)
Install Visibility – Project Work:
- Discover Current State
- Migrate/Install NGFW
- Design Migration Plan
- Migrate/Cutover
- Test and Validate
Security Cleanup and Management – Review and Configure:
- Firewall Policy Creation
- Firewall documentation
- Panorama logging
- Panorama management
Utilize Security Suite – Configuration:
- Content ID
- Threat Prevention
- WildFire
- URL Filtering
- User ID
- Global Protect
Convert to App-ID – Project Work:
- SSL Decryption
- Review policies and logs
- Convert to App-ID
- Create custom applications
Steady State – Quarterly Review:
- Re-occurring Health-checks
- New Feature implementations
- Continuous Monitoring
27. Best practices for protecting IIoT with off-the-shelf tools
Application visibility – inspect Layer 7
Zero-Trust network segmentation – ISA 62443
Modern tools for preventing zero-day attacks
Protect mobile employees and the virtualization environment
Unify the different security platforms into a single system
28. Palo Alto Networks presents its security platform
Next-Generation Firewall
• Traffic inspection
• Control of applications and users
• Protection against zero-day threats
• Blocking threats and viruses at the network level
Next-Generation Threat Cloud
• Analysis of suspicious files in the cloud
• Distribution of security signatures to the firewalls
Next-Generation Endpoint
• Inspection of processes and files
• Protection against known and unknown threats
• Protection of fixed, virtual and mobile users
• Integration with cloud-based threat protection
Primary Presenter: Justin
Inability to apply security controls through traditional security measures: Endpoint and network
Primary Presenter: Justin
Discuss approach being taken (or already applied to secure IIoT devices)
Burwood involvement in these projects
First step on all accounts to focus on segmentation being easier than endpoint and analytics.
Primary Presenter: Justin
Big emphasis on the asset inventory.
Discuss how the manufacturing networks are not well designed.
Devices are connected based on need and not based on best practices.
Occasionally took manual intervention to find devices and determine which network they should be on.
This takes time but it is worth it
Primary Presenter: Justin
Process Control Network (PCN)
Operational Technology (OT) refers to computing systems that are used to manage industrial operations
Hand-off to Lionel
Primary Presenter: Justin
Process Control Network
SCADA represents the entire central system which includes / communicates with the following components:
Input/Output (IO) Devices
Remote Terminal Units (RTU)
Programmable Logic Controller (PLC)
Communication network
Supervisory System
Human Machine Interface (HMI)
Process Control Network (PCN)
Primary Presenter: Justin
Phased approach to the implementation after the monitoring phase.
This slide represents the most simple way to insert a firewall between the business network and the ENTIRE plant network.
Some cases this was sufficient and didn’t take much time.
Policy is not granular. Minimal impact to production. Keep in mind this is once the inventory is known.
Primary Presenter: Justin
Purdue model approach is the ultimate goal based on ease of accessing the PCN without security concerns
Some cases we can implement this right away based on the size of the plant, downtime, etc.
In most cases this is the next step to be taken after the simple segmentation is complete
Hand off to Lionel
Process Control Network (PCN)
Primary Presenter: Lionel
The largest subgroup of ICS is SCADA
Industry Control System
Primary Presenter: Lionel
These machines are continually being configured to surf both the intranet and the internet by local users. These machines have a common shared password and user ID, making it difficult to determine the responsible party.
Primary Presenter: Lionel
Primary Presenter: Justin
Not perfect, but a step in the right direction for segmentation
We must phase the security in. Something is better than nothing
Focus on making sure we can relate back to this slide in the challenges section
Mention use of Splunk for security analytics
Outcomes of these steps relate directly back to question one (key concerns):
Ability to see traffic and identify active devices
Introduce security through Security Profiles
Utilize the scans and manual process to inventory devices
Utilize the firewall to assist with asset management through logging and SIEM
Primary Presenter: Justin
Reference 2016 and how this methodology has worked so well.
Leave the audience feeling like securing the PCN for IIoT devices is feasible with the right approach
Primary Presenter: Lionel
Primary Presenter: Justin
Discuss location of devices
Cheap networking gear that provides 0 liability
Example of digging into a location to find out there are 20-30 switches from Best Buy
Discuss issues with vulnerabilities being medium that were blocked and false positives
Issues with “PCN within the PCN” – bad terminology but gets the point across
Still not entirely addressing the endpoint problem
Tee up Lionel for Trustworthiness
Primary Presenter: Justin
And that’s what we have built here at Palo Alto Networks. We believe that our next generation platform delivers on this promise, and with this platform, we think and hope that prevention becomes the byword for the battle and it is technically possible and can be continuously improved over time.
It is fundamentally built on three leading technologies:
The industry's leading next-generation firewall, which was just recognized again as a leader in the Gartner Magic Quadrant.
Inspects all traffic
Safely enables applications
Sends unknown threats to cloud
Blocks network based threats
The most advanced next-generation threat cloud [WildFire, Threat Prevention, URL Filtering]
Gathers potential threats from network and endpoints
Analyses and correlates threat intelligence
Disseminates threat intelligence to network and endpoints
The market’s most compelling next-generation endpoint protection
Inspects all processes and files
Prevents both known and unknown exploits
Protects fixed, virtual, and mobile endpoints
Lightweight client and cloud-based
And the result of that is better security at a lower cost for the good guys and less effective attacks at ever increasing costs for the bad guys. Through this security platform we can deliver complete and integrated protection across the kill-chain…