
Extending Fabric-Ready into ICS

Chet Namboodri

© Copyright Fortinet Inc. All rights reserved.


Convergence of IT and Traditional OT
What was air gapped and proprietary is now connected and general purpose

In the past, they were …  →  Now they are …

• Isolated from IT  →  Bridged into corporate networks
• Run on proprietary control protocols  →  Riding on common internet protocols
• Run on specialized hardware  →  Running on general purpose hardware with IT origins
• Run on proprietary embedded operating systems  →  Running mainstream IT operating systems
• Connected by copper and twisted pair  →  Increasingly connected to wireless technologies
Typical SCADA Components are Vulnerable

• Domain-specific technologies: Many technologies require specialized knowledge of industrial control systems technology & communications. Enterprise IT security technologies are not ICS-aware.

• Operational Technology deficiencies: PLCs and RTUs are low computational computers built for controlling physical components such as valves, pumps, motors, etc.
  • Lack of authentication
  • Lack of encryption
  • Backdoors
  • Buffer overflow
  • Tailored attacks on physical control components
Market Realities

ICS Cybersecurity: Making the Headlines

A Worm in the Centrifuge: Stuxnet (30 Sept. 2010)
An unusually sophisticated cyber-weapon is mysterious but important. A new software "worm" called Stuxnet …

A Cyberattack Has Caused Confirmed Physical Damage (30 Sept. 2015)
Massive damage by manipulating and disrupting control systems at German steel mill

U.S. Finds Proof: Cyberattack on Ukraine Power Grid (3 Feb. 2016)
Almost immediately, investigators found indications of a malware called BlackEnergy.

The Ukraine's Power Outage Was a Cyber Attack (18 Jan. 2017)
A power blackout in Ukraine's capital Kiev last month was caused by a cyber attack and investigators are trying to trace other potentially infected computers.

Industroyer: A Cyberweapon can disrupt Power Grids (12 June 2017)
Hackers allied with the Russian government have devised a cyberweapon that has the potential to be the most disruptive yet against electric systems that Americans depend on for daily life, according to U.S. researchers.

Hackers halt plant operations in watershed cyberattack (15 Dec. 2017)
Schneider confirmed that the incident had occurred and that it had issued a security alert to users of Triconex, which cyber experts said is widely used in the energy industry, including at nuclear facilities, and oil and gas plants.

Triton: hackers take out safety systems in 'watershed' attack on energy plant (15 Dec. 2017)
Sophisticated malware halts operations at power station in unprecedented attack which experts believe was state-sponsored
Top Threat Vectors for OT - 2017 SANS Survey

Survey question: "What are the top three threat vectors you are most concerned with? Rank the top three, with 'First' being the threat of highest concern."

[Bar chart: share of respondents ranking each vector First, Second or Third (0% to 40% scale). Vectors as listed on the slide, top to bottom:]
• Devices and "things" (that cannot protect…
• Internal threat (accidental)
• External threats (hacktivism, nation states)
• Extortion, ransomware or other financially…
• Phishing scams
• Malware families spreading indiscriminately
• Integration of IT into control system networks
• External threats (supply chain or partnerships)
• Internal threat (intentional)
• Industrial espionage
• Other

Source: SANS, The 2017 State of Industrial Control System Security, July 2017
2017 SANS Survey: Security Technologies In Use

Survey question: "What security technologies or solutions do you currently have in use? What new technologies or solutions would you most want to add for control system security in the next 18 months?"

[Bar chart: share of respondents reporting each technology as In Use or Planned (0% to 90% scale). Technologies as listed on the slide, top to bottom:]
• Industrial intrusion detection systems (IDS)
• Industrial intrusion prevention systems (IPS)
• Control system network security monitoring…
• Asset identification and management
• Security awareness training for staff,…
• Vulnerability scanning
• Monitoring and log analysis
• User and application access controls
• Assessment and audit
• Access controls
• Anti-malware/Antivirus

Source: SANS, The 2017 State of Industrial Control System Security, July 2017
Capabilities Required of an Integrated Solution

• Reduce Troubleshooting and Remediation Efforts
• Rapidly Detect Cybersecurity Vulnerabilities, Threats and Incidents
• Quickly Recognize and Remediate Operational Anomalies
• Track Industrial Assets and Corresponding Cybersecurity Risks
• Deploy at Enterprise Scale with Proven Performance
• Centrally Supervise and Monitor Distributed Networks
Fabric-Ready ICS Cybersecurity
The Fortinet / Nozomi Networks Integrated Solution

Nozomi Networks' Solution Architecture
[architecture diagram; no text content on the slide]
Comprehensive Security for ICS

Selected threats detected, grouped by the level of the reference architecture in which they appear on the slide (the diagram shows Site #1, Site #2 … Site #N, each with the same layers):

Level 4 - Corporate (SIEM, SOC, corporate firewall, Internet / corporate network, production DMZ, scheduling, remote access):
• Monitoring of remote access connection to networks
• Connection to Internet\corporate network
• MITM & scanning attacks (port, network)
• Unauthorized cross-level communication
• IP conflicts

Level 3 - Production Control (historian, firewall, DNS):
• Weak passwords (FTP / TFTP / RDP / DCERPC)
• Network topologies
• Used ports of assets
• Traffic activity summaries
• Unencrypted communications (Telnet)
• Bad configurations (NTP / DNS / DHCP / etc.)
• Insecure Internet connections

Level 2 - Plant Supervisory (local SCADA & HMI):
• Anomalous protocol behavior
• Online edits to PLC projects
• Communication changes
• Configuration downloads
• New assets in the network
• Non-responsive assets
• Corrupted OT packets
• Firmware downloads
• Logic changes

Level 1 - Direct Control (PLCs, RTUs):
• Authentication to PLCs
• PLC actions (Start, Stop, Monitor, Run, Reboot, Program, Test)

Level 0 - Field Level:
• Fieldbus I/O monitoring
SCADAguardian with FortiGate

SCADAguardian (Nozomi Networks):
• Non-intrusive Passive Monitoring: Real-time passive monitoring guarantees no performance impact and permits visibility at different layers of the Control and Process Networks
• Deep SCADA Understanding: Deep understanding of all key SCADA protocols, open and proprietary
• Behavioral Analysis: Automatically learns ICS behavior and detects suspicious activities

FortiGate (Fortinet):
• In-line Protection: In-line separation between IT and OT environments
• Active Traffic Control: Proactive filtering of malicious and unauthorized network traffic
• Security Policy Enforcement: Flexibility to enforce security policies with different degree of granularity

Combined outcome:
• Turn-key Internal and Perimeter Visibility
• Fine Tuning, Control and Monitoring of the Firewall Ruleset
• Proactive SCADA Security
Fortinet / Nozomi Networks Integrated Solution

Full Protection, Visibility and Monitoring Thanks to Nozomi Networks and Fortinet

• The Nozomi Networks solution passively monitors the network, thus not affecting the performance of the control system
• The appliance is connected to the system via a SPAN or mirror port on a switch

[Diagram: FortiGate in-line in front of a plant network with a valve, fan and pump; SCADAguardian attached to the switch's mirror port]
Responding to Threats in Real Time

1. Monitor: A threat is detected by SCADAguardian and an alert is generated
2. Detect: User-defined policies are examined and the appropriate corresponding action is triggered
3. Protect: FortiGate responds according to the user-configured action (Node Blocking, Link Blocking, or Kill Session) in order to mitigate the issue

[Diagram: the same valve / fan / pump plant network, with steps 1 to 3 marked between SCADAguardian and FortiGate]
Three Use Case Scenarios: Blocking Attack Vectors

1. Blocking Reconnaissance Activity
   • New unknown node joins trusted control network (or process network)
   • SCADAguardian detects it and triggers alert to FortiGate
   • FortiGate enforces policy and blocks node from all access

2. Blocking Unauthorized Activity
   • Node in trusted networks issues a command to reprogram a PLC
   • SCADAguardian detects anomaly and triggers alert to FortiGate
   • FortiGate enforces policy and blocks communication

3. Blocking Advanced Malware or Zero Day Attack
   • SCADA Master changes process in subtle way towards a critical state
   • SCADAguardian detects anomaly and triggers alert for FortiGate
   • FortiGate enforces policy and blocks SCADA Master from all access
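The three scenarios above, plus the "unauthorized cross-level communication" check from the Comprehensive Security for ICS slide, as an added illustration that is not Nozomi Networks or Fortinet code and not SCADAguardian's real detection logic: a toy passive baseline learned from constructed flow records, with each post-learning flow classified and mapped to the FortiGate action named on the previous slide (Node Blocking, Link Blocking, Kill Session). The IP addresses, Purdue-level assignments, tag name and engineering limit are all constructed for the example.

```python
from collections import namedtuple

# Constructed flow records, not captured traffic: (src, dst, protocol, function, tag, value)
Flow = namedtuple("Flow", "src dst proto func tag value")

# Hypothetical Purdue-level assignment for the monitored nodes
LEVEL = {"10.0.4.5": 4, "10.0.3.20": 3, "10.0.2.10": 2, "10.0.2.11": 2, "10.0.2.50": 1}
REPROGRAM_FUNCS = {"program_download", "logic_change", "firmware_download"}
CRITICAL_LIMIT = {"valve_sp": 80.0}   # constructed engineering limit for a hypothetical tag

BASELINE_FLOWS = [
    Flow("10.0.2.10", "10.0.2.50", "modbus", "read", None, None),         # HMI polls PLC
    Flow("10.0.2.11", "10.0.2.50", "modbus", "write", "valve_sp", 40.0),  # SCADA master setpoint
    Flow("10.0.2.50", "10.0.2.11", "modbus", "reply", None, None),
    Flow("10.0.4.5", "10.0.3.20", "https", "read", None, None),           # SIEM pulls historian
]

def learn_baseline(flows):
    """Passive learning phase: record known nodes, links and first-seen setpoints."""
    base = {"nodes": set(), "links": set(), "setpoints": {}}
    for f in flows:
        base["nodes"].update((f.src, f.dst))
        base["links"].add((f.src, f.dst, f.proto))
        if f.func == "write" and f.tag is not None:
            base["setpoints"].setdefault(f.tag, f.value)
    return base

def evaluate(f, base, drift_tolerance=0.25):
    """Classify one post-learning flow: (scenario, firewall action, target) or None."""
    if f.src not in base["nodes"]:                        # use case 1: unknown node
        return ("reconnaissance", "node_block", f.src)
    if f.func in REPROGRAM_FUNCS:                         # use case 2: PLC reprogramming
        return ("unauthorized_activity", "link_block", (f.src, f.dst))
    if f.src in LEVEL and f.dst in LEVEL and abs(LEVEL[f.src] - LEVEL[f.dst]) > 1:
        return ("cross_level_communication", "link_block", (f.src, f.dst))
    if f.func == "write" and f.tag in base["setpoints"]:  # use case 3: subtle drift
        origin = base["setpoints"][f.tag]
        limit = CRITICAL_LIMIT.get(f.tag, float("inf"))
        # each write may be small; compare against the learned setpoint, not the last write
        if abs(f.value - origin) > drift_tolerance * abs(limit - origin):
            return ("process_manipulation", "kill_session", (f.src, f.dst))
    return None

def scan(flows, base):
    """Run every flow through evaluate() and keep the alerts, in order."""
    return [a for a in (evaluate(f, base) for f in flows) if a]
```

A real deployment would learn far more state (protocol function codes, timing, node roles), but the ordering matters even in this toy: the unknown-node check runs first so a reconnaissance host never reaches the setpoint logic.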
Real-time Visibility - IT/OT Convergence

[Network diagram. Control side: HMIs, local SCADA, switches, firewalls, RTUs, PLCs, a historian, a jump box and a control room. Corporate side: a corporate firewall, a replicated historian, remote access, SIEM, DNS, web and patching servers. The Nozomi Central Management Console (CMC) sits above both, giving one view across the IT and OT sides.]
Real-time Visibility - Support Multi-tenant Deployments

[Network diagram: the same IT/OT layout repeated for Area 1 and Area 2 and for an Onshore control room, each with its own CMC (Central Management Console); the per-area CMCs report up to a central CMC.]
Nozomi Networks: Fortinet Fabric Ready for ICS

• Leverages Security Fabric APIs to deliver pre-integrated, end-to-end security offerings
• Integrated products improve threat awareness & intelligence, broaden & coordinate threat response and policy enforcement
• Faster time-to-deployment & reduced costs due to pre-validation of solutions

[Security Fabric diagram: Management-Analytics, Partner API, Multi-Cloud, IoT-Endpoint, Web Apps, Network, Unified Access, Email, Advanced Threat Protection]
Questions?

Nozomi Networks: Leading ICS Cybersecurity
• FOUNDED: Since Oct 2013, ~$24m invested
• CUSTOMERS: +200 Global Installations
• DEVICES: +200,000 Monitored
• SERVING VERTICALS: [industry icons on the slide; no text]