Cybersecurity on the Small and Medium-sized Manufacturer: Risk Management and Compliance
2
Compliant, but breached
3
The Essence of the problem
4
Compliant with Certifications -- but Breached
According to the SANS Institute: “The Payment Card Industry published the
Data Security Standard 11 years ago; however, criminals are still breaching
companies and getting access to cardholder data. The number of security
breaches in the past two years has increased considerably, even among the
companies which assessors deemed compliant.”
5
What are Compliance and Security?
6
Possible Combinations
• Possible combinations:
1. Neither compliant with any standards or secure
2. Secure in a limited way but not compliant with any standards
3. Compliant with standards but insecure
4. Secure and compliant
• The best option is to achieve security via compliance:
treat certifications of products and processes, and regulatory
compliance, as assets
7
Health Insurance Portability and Accountability Act (HIPAA)
8
Health Insurance Portability and Accountability Act (HIPAA)
9
Payment Card Industry – Data Security Standards (PCI DSS)
10
Payment Card Industry – Data Security Standards (PCI DSS)
11
Gramm-Leach-Bliley Act (GLBA)
12
Gramm-Leach-Bliley Act (GLBA)
13
Sarbanes-Oxley Act (SOX)
14
Sarbanes-Oxley Act (SOX)
15
Family Educational Rights and Privacy Act (FERPA)
16
Defense Federal Acquisition Regulation Supplement (DFARS)
17
Cyber Security and Industrial Control Systems
18
Importance of Securing Industrial Networks
19
Before – Air Gap Separation
20
Need to connect
21
Reality of the Air Gap
22
Red Tiger Research
23
Foundation to Securing ICS
24
General Terms
25
ICS Terms
26
Industrial Network vs. Critical Infrastructure
• Industrial Network
refers to any network operating some sort of automated control
system that communicates digitally over a network.
• Critical Infrastructure
refers to critical network infrastructure, including any network
used in the direct operation of any system upon which one of the
“critical infrastructures” depends.
27
Industrial Control Network
28
Critical Infrastructure examples
• Utilities
Utilities—water, gas, oil, electricity, and communications
Financial ??
• Nuclear Facilities
Nuclear facilities represent unique safety and security challenges
due to their inherent danger in the fueling and operation,
as well as the national security implications of the raw materials used.
29
Critical Infrastructure examples - continued
• Chemical Facilities
Chemical manufacture and distribution represent specific
challenges to securing an industrial manufacturing network.
30
Standards and Organizations
31
Standards and Organizations - continued
32
Standards and Organizations - continued
33
Standards and Organizations - continued
34
Standards and Organizations - continued
35
Network Segmentation - isolation
36
Network Segmentation - isolation
37
Network Segmentation - isolation
38
Defense in Depth – Provision of additional layers of protection
39
Defense in Depth – Protective Measures
40
Additional Measures
41
Routable and non-routable
• A routable network
typically means Ethernet and TCP/IP. “Routable” networks also include
routable variants of SCADA and ICS protocols that have been modified
to operate over TCP/IP, such as Modbus/TCP or ICCP over TCP/IP.
• A non-routable network
refers to the serial, bus, and point-to-point communication links
that utilize Modbus/RTU, point-to-point ICCP, fieldbus, and other
networks.
They are still networks: they interconnect devices and provide a
communication path between digital devices, and in many cases they
are designed for remote command and control.
42
Routable and non-routable
43
Assets in Industrial Control Systems
44
Assets (as defined by NERC CIP)
• A “cyber asset”
is any device connected via a routable protocol
• A “critical cyber asset”
is a cyber asset whose operation can impact the bulk energy
system
45
Example of Industrial Network Incidents
46
Example of Industrial Network Incidents - continued
47
Example of Industrial Network Incidents - continued
48
Example of Industrial Network Incidents - Stuxnet
49
Example of Industrial Network Incidents – Stuxnet (continued)
50
Example of Industrial Network Incidents – Night Dragon
51
Industrial Network Controls
52
Industrial Network Protocols
53
Industrial Network Protocols
54
Other Protocols
55
MODBUS
56
MODBUS - Continued
57
MODBUS - Continued
58
MODBUS - Variants
• Modbus RTU
• Modbus ASCII
• Modbus TCP
• Modbus Plus
59
Security Concerns
• Lack of authentication.
Modbus sessions only require a valid Modbus address and a valid
function code. The address can be easily guessed or spammed, and the
function code is easily obtainable information.
• Lack of encryption.
Commands and addresses are transmitted in clear text and can
therefore be easily captured and spoofed.
• Lack of message checksum (Modbus TCP only).
A spoofed command is even easier over some implementations of
Modbus TCP, as the checksum is generated at the transmission layer,
not the application layer.
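As an added illustration (not part of the original slides) of the routable vs. non-routable distinction above and of the checksum point in this slide, the following Python parses a Modbus/RTU frame, whose CRC-16 is part of the application frame, alongside a Modbus/TCP frame, whose MBAP header carries no application checksum, and triages constructed sample frames for write function codes from sources outside an assumed list of known masters. The frames, source labels and master list are constructed for this example.

```python
import struct

# Modbus function codes that change process state; with no authentication
# in the protocol, the issuing source is the main thing a defender can check.
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}

def crc16_modbus(data):
    """CRC-16 as used by Modbus/RTU (init 0xFFFF, reflected poly 0xA001)."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def parse_rtu(frame):
    """Non-routable serial frame: [unit][function][data...][crc lo][crc hi]."""
    if len(frame) < 4:
        raise ValueError("RTU frame too short")
    body, crc = frame[:-2], struct.unpack("<H", frame[-2:])[0]
    return {"unit": body[0], "function": body[1],
            "crc_ok": crc16_modbus(body) == crc, "write": body[1] in WRITE_FUNCTIONS}

def parse_tcp(frame):
    """Routable Modbus/TCP: 7-byte MBAP header, then the PDU. There is no
    application checksum; integrity rests entirely on the TCP layer below."""
    if len(frame) < 8:
        raise ValueError("Modbus/TCP frame too short")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    pdu = frame[7:]
    return {"transaction": tid, "protocol_ok": proto == 0, "unit": unit,
            "length_ok": length == len(pdu) + 1, "function": pdu[0], "write": pdu[0] in WRITE_FUNCTIONS}

def triage(events, allowed_masters):
    """events: (source, kind, frame), kind 'rtu' or 'tcp'. Returns findings."""
    findings = []
    for src, kind, frame in events:
        info = parse_rtu(frame) if kind == "rtu" else parse_tcp(frame)
        if kind == "rtu" and not info["crc_ok"]:
            findings.append(f"{src}: RTU CRC mismatch, frame altered or corrupted")
        if info["write"] and src not in allowed_masters:
            findings.append(f"{src}: write function {info['function']} from unexpected master")
    return findings

# Constructed sample traffic for this illustration, not a real capture.
SAMPLE_EVENTS = [
    ("COM1", "rtu", b"\x01\x03\x00\x00\x00\x01\x84\x0a"),  # read registers, CRC valid
    ("COM1", "rtu", b"\x01\x06\x00\x00\x00\x01\x84\x0a"),  # function byte flipped, stale CRC
    ("10.0.5.10", "tcp", b"\x00\x01\x00\x00\x00\x06\x01\x06\x00\x10\x00\xff"),  # known HMI write
    ("10.0.5.77", "tcp", b"\x00\x02\x00\x00\x00\x06\x01\x06\x00\x10\x00\x00"),  # unknown host write
]
```

Running `triage(SAMPLE_EVENTS, {"COM1", "10.0.5.10"})` reports the altered RTU frame (caught by its CRC) and the write from the unknown host; the same alteration in a Modbus/TCP frame would pass undetected by the protocol itself.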
60
Security Concerns - continued
61
Modbus TCP
62
Modbus – Security Recommendations
63
Ethernet Industrial Protocol – Ethernet/IP
64
Common Industrial Protocol (CIP)
65
Security Concerns
• Ethernet/IP is a real-time Ethernet protocol and is therefore
susceptible to any of the vulnerabilities of Ethernet.
• Ethernet/IP over UDP is transaction-less, so there is no
inherent network-layer mechanism for reliability, ordering, or
data integrity checks.
• The CIP also introduces some specific security concerns, due to
its well-defined object model.
66
Ethernet/IP Security Concerns
• The CIP does not define any explicit or implicit mechanisms for
security.
• The use of common “Required Objects” for device identification
can facilitate device identification and enumeration, facilitating an
attack.
• The use of common “Application Objects” for device information
exchange and control can enable broader industrial attacks, able to
manipulate a broad range of industrial devices.
• Ethernet/IP’s use of UDP and Multicast traffic—both of which lack
transmission control—for real-time transmissions facilitates the
injection of spoofed traffic or (in the case of multicast traffic) the
manipulation of the transmission path using injected IGMP
controls.
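The enumeration concern above rests on the EtherNet/IP encapsulation layer's ListIdentity command, which any host can send to have a device report its Identity Object. As an added example (not from the slides or from any vendor's code), the following Python decodes the 24-byte encapsulation header and flags sources that send ListIdentity to many distinct hosts, the pattern a monitoring tool would look for. The addresses and traffic are constructed for this illustration.

```python
import struct
from collections import defaultdict

# EtherNet/IP encapsulation header, little-endian:
# command, length, session handle, status, 8-byte sender context, options
ENIP_HEADER = struct.Struct("<HHII8sI")
LIST_IDENTITY = 0x0063     # asks a device to report its Identity Object
REGISTER_SESSION = 0x0065  # normal start of an explicit-messaging session

def parse_enip_header(data):
    """Decode the fixed 24-byte header that precedes every encapsulation message."""
    if len(data) < ENIP_HEADER.size:
        raise ValueError("short encapsulation header")
    cmd, length, session, status, ctx, options = ENIP_HEADER.unpack_from(data)
    return {"command": cmd, "length": length, "session": session,
            "status": status, "context": ctx, "options": options}

def find_enumeration(events, threshold=3):
    """events: (src_ip, dst_ip, raw_bytes). Returns sources that sent ListIdentity
    to at least `threshold` distinct hosts, i.e. a device sweep of the network."""
    targets = defaultdict(set)
    for src, dst, raw in events:
        if parse_enip_header(raw)["command"] == LIST_IDENTITY:
            targets[src].add(dst)
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}

def build_header(command, session=0):
    """Constructed header used only to build offline sample traffic."""
    return ENIP_HEADER.pack(command, 0, session, 0, b"\x00" * 8, 0)

# Constructed sample traffic: one engineering workstation talks to one PLC,
# while an unknown host sweeps the subnet with ListIdentity.
ENIP_EVENTS = [
    ("10.0.5.10", "10.0.5.50", build_header(REGISTER_SESSION)),
    ("10.0.5.10", "10.0.5.50", build_header(LIST_IDENTITY)),
] + [("10.0.5.99", f"10.0.5.{i}", build_header(LIST_IDENTITY)) for i in range(50, 56)]

if __name__ == "__main__":
    print(find_enumeration(ENIP_EVENTS))
```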
67
Security Recommendations
68
Final Recommendations
69
Final Recommendations - continued
• Failsafe
• May apply forensics if needed
• Implement security best practices
• Connect with others who are experts in the field
70