March 2, 2015
Start Time: 9am US Pacific / 12 noon US Eastern / 5pm London Time
Sponsored by:
#ISSAWebConf
Welcome
Conference Moderator
James McQuiggan
CISSP
Program Manager, NERC CIP, Siemens
Speaker Introduction
Del Rodillas - ICS & SCADA Solution Lead, Palo Alto Networks
Mario Chiock - CISSP, CISM & CISA, API Chair Security SubCommittee
Remember to type in your question in the Chat area of your screen. You may need to click on the double arrows to open this function.
Del Rodillas
ICS & SCADA Solution Lead
Palo Alto Networks
Webinar Goals
Shed light on prevailing ICS cybersecurity myths
Real-world examples to highlight the real risks
Present some good practices and technologies to better secure ICS
Basic block-and-tackle concepts
Next-generation technologies for better defense-in-depth
Myth #1
ICS cyber incidents haven't damaged critical infrastructure
~400 incidents world-wide
Most unintentional
Some malicious attacks
Impacts range from trivial to major outages to equipment damage to deaths
Most not identified as cyber
Social engineering techniques to access business network then pivot into the plant
Evidence of attackers' strong knowledge of IT security and industrial control systems
After the attack, individual components or even entire systems started to fail frequently
One of the plant's blast furnaces could not be shut down in a controlled manner, which resulted in massive damage to plant.
Blast Furnace
Myth #2
You can air-gap industrial control systems
Diagram: Industrial Control System connected to 3rd Party Support, Business Network, Partners, Other Plants/Facilities
Myth #3
External, malicious threats are the only concern
Malicious Insider Attacks
Unintended Cyber Incidents
Key Points
Visibility and segmentation are key
Both for external and internal traffic
Security Checklist
Create security zones vs. just having a single, flat network
Apply a zero-trust approach with all sources of traffic, external or internal
Assume a least-privilege approach to network access control
Audit all traffic to ensure proper use or to detect anomalous use
Use technologies that allow you to have the proper visibility and control
Myth #4
Firewalls are all you need to be secure
Diagram: ICS connected to 3rd Party Support, Business Network, Partners, Other Plants/Facilities
Myth #5
VPN/Encryption technology makes me secure
Diagram: ICS connected over VPN to 3rd Party Support, Business Network, Partners, Other Plants/Facilities
Security checklist
Employ appliances with must-have capabilities, e.g. Next-generation firewalls
Protocol and Application control
ICS-specific Intrusion Detection/Prevention
Anti-virus and Anti-spyware
User / User-group based controls
Ability to inspect and secure traffic within VPNs
Pick a platform that provides sufficient throughput/performance when security functions are turned on
Select a platform that also simplifies the administration of these capabilities and analysis of the information
Single-pane of glass management
Single-policy for all capabilities
Myth #6
Securing IT is the same as securing OT
Diagram: OT Security Admin (???)
Myth #7
We know what threats to ICS look like
Capability by threat:
Black Energy: Exploits multiple ICS vendor products
Energetic Bear: Trojan in ICS software; utilizes ICS protocols
Stuxnet: Exploits Siemens vulnerability
Advanced Threats
Threats are constantly evolving and it is difficult to predict what the next advanced threat will do as far as attack methodologies
It is important to have technologies to detect and stop zero-day threats at the network and endpoints (HMI, Server, Workstation)
Security Checklist
Deploy a defense-in-depth approach to protect unpatched systems
Apply Network IPS/AV to stop known exploits & malware
Apply network sandboxing to detect & stop network-borne, zero-day malware
Make sure solution supports local creation of protections (AV, URL/DNS signatures)
At the endpoints themselves, use a non-signature based approach to stop zero-day exploits & malware
Consider the more effective technique-based approach
Develop clear ICS usage policies and utilize granular traffic visibility to detect anomalies, if technologies do not detect threats
Other Myths
Myth #8 - Compliance to cyber regulations equals security
Myth #9 - Each industry requires a different approach
Myth #10 - If we keep our heads down, they won't find us
Diagram: Next-Generation Firewall platform (Natively Integrated, Endpoint, Network, Cloud, Automated, Extensible, High-performance, high-availability)
Learn More
Whitepapers
Defining the 21st Century ICS Cybersecurity Platform
https://www.paloaltonetworks.com/resources/whitepapers/21-century-cybersecurity-protection-platform-ics.html
Palo Alto Networks Security Platform for ICS
https://www.paloaltonetworks.com/resources/whitepapers/enterprise-security-platform-critical-infrastructure.html
Webinars
Network Segmentation for ICS
http://connect.paloaltonetworks.com/scada
Grid Security/NERC CIP
http://connect.paloaltonetworks.com/energy-sec-ondemand
Question and Answer
Del Rodillas
ICS & SCADA Solution Lead
Palo Alto Networks
To ask a question, type your question in the Chat area of your screen. You may need to click on the double arrows to open this function.
#ISSAWebConf
Thank you!
Del Rodillas
ICS & SCADA Solution Lead
Palo Alto Networks
Mario Chiock
CISSP, CISM & CISA
API Chair Security Sub-Committee
Webinar Goals
ICS & SCADA have no security by default
ICS & SCADA Challenges
Recommendations to reduce Risk
What is ICS?
Industrial Control Systems -> Automation for physical process
What is SCADA?
Supervisory Control and Data Acquisition
What is DCS?
Distributed Control System
SCADA systems
Modbus
Oldest ICS Protocol
Controls I/O Interfaces (MOSTLY!!!!)
No authentication or encryption! (Surprise!!!)
No broadcast suppression
Vulnerabilities are published
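Because Modbus carries no authentication, the controls in Del's checklist (security zones, least-privilege network access, auditing all traffic for anomalous use) have to come from the network around it. The following is an added example, not part of the webinar: it parses the Modbus/TCP MBAP header of constructed sample frames and flags write function codes sent from any source outside an assumed HMI zone. The zone addresses, the sample frames and the `audit` helper are assumptions for illustration.

```python
import struct
from ipaddress import ip_address, ip_network

# Assumed zone model for illustration (not from the slides): only the HMI
# subnet may issue Modbus writes towards the PLC/RTU zone.
ZONES = {"hmi": ip_network("10.10.1.0/24"),
         "business": ip_network("192.168.50.0/24")}
# Modbus function codes that change process state (coil/register writes).
WRITE_FUNCTION_CODES = {5, 6, 15, 16, 22, 23}

def parse_modbus_tcp(payload: bytes) -> dict:
    """Parse the 7-byte MBAP header plus function code. Note the header has
    no credential field: any host reaching TCP/502 can issue a write."""
    if len(payload) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError("protocol id %d is not Modbus" % proto)
    if length != len(payload) - 6:  # length counts unit id + PDU bytes
        raise ValueError("length field disagrees with frame size")
    return {"transaction_id": tid, "unit_id": unit,
            "function_code": payload[7], "data": payload[8:]}

def zone_of(ip: str) -> str:
    addr = ip_address(ip)
    return next((n for n, net in ZONES.items() if addr in net), "unknown")

def audit(flows):
    """flows: iterable of (src_ip, dst_ip, payload) -> list of alert tuples.
    Malformed frames are reported too, since silently dropping them would
    hide fuzzing or misbehaving equipment on the control network."""
    alerts = []
    for src, dst, payload in flows:
        try:
            pdu = parse_modbus_tcp(payload)
        except ValueError as exc:
            alerts.append((src, dst, "malformed: %s" % exc))
            continue
        fc = pdu["function_code"]
        if fc in WRITE_FUNCTION_CODES and zone_of(src) != "hmi":
            alerts.append((src, dst, "write fc=%d from %s zone" % (fc, zone_of(src))))
    return alerts

# Constructed sample traffic: HMI write single coil (allowed), business-network
# write single register (alert), business-network read holding registers (ok).
FLOWS = [
    ("10.10.1.5", "10.10.2.20", bytes.fromhex("0001000000060105000aff00")),
    ("192.168.50.9", "10.10.2.20", bytes.fromhex("0002000000060106000b1234")),
    ("192.168.50.9", "10.10.2.20", bytes.fromhex("00030000000601030000000a")),
]
```

Running `audit(FLOWS)` yields a single alert for the write from the business network; the read from the same host passes, which is the distinction a flat network cannot enforce.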
BACnet
Commonly used for Building Automation
No authentication
No encryption
No access rights
Tools
Shodan - http://www.shodanhq.com/
Redpoint - Digital Bond's ICS Enumeration Tools - https://github.com/digitalbond/Redpoint
Snort-Quickdraw - http://www.digitalbond.com/tools/quickdraw/download/
http://www.tenable.com/plugins/index.php?view=all&family=SCADA
http://www.digitalbond.com/tools/the-rack/nessus/
Wireshark -
Exposed to public networks
Unable to pen-test in production
No time for remediation
Standardization
Share accounts or no authentication
Connecting IT & OT
Vulnerability tracking
Unsupported OS
Access
Skills and Expertise
Know the process & facility
Sensors
Control
Processing
Data Diodes
Also known as a unidirectional network or unidirectional security gateway.
Data diodes ensure the safety of sensitive information within a network. By creating a physical barrier that only allows data transfers in one direction (hence the "uni" in unidirectional) we can enhance security in one of two ways:
Write only
Read only
Perform Drills
Update plan
Procurement Language
http://energy.gov/sites/prod/files/oeprod/DocumentsandMedia/SCADA_Procurement_Language.pdf
Summary
Cyber Threat - Essentials
Information Sharing: ICS-ISAC, ES-ISAC, ONG-ISAC, InfraGard (US); Engage with FBI and DHS
Incident Response: Invest in Preparedness; Prepare for the worst; Desktop exercise; Lessons learned
Network Segmentation & Application whitelisting are key
Everyone must be Responsible & Accountable for cyber-security
Build Cyber-Security Skill set: Training; Network with peers
Adopt the Safety Culture into Cyber-Security
Adopt Best Practices
IT & OT need to work together
https://scadahacker.com/library/
http://www.digitalbond.com/
Question and
Answer
Mario Chiock
CISSP, CISM & CISA
API Chair Security Sub-Committee
#ISSAWebConf
Thank you!
Mario Chiock
CISSP, CISM & CISA
API Chair Security Sub-Committee
Security Testing
the SCADA/ICS World
SCADA-ICS Security
The original sin
SCADA/ICS Security
For years SCADA/ICS systems relied on security through obscurity
Industrial systems, which have been designed and intended to be alone, became magically connected to the world
No perception of modern security threats and risks, from both SCADA vendors and end consumers
Scenario-driven attacks
Conclusions
ICS are critical, vulnerable, exposed
Identifying their weaknesses is paramount
Security testing can be done safely
Specific methodologies and expertise are needed
Thanks for your attention! Get in touch: @raistolo or s.zanero@securenetwork.it
Question and
Answer
Dr. Stefano Zanero, PhD
International Director, ISSA
Chairman, Secure Network
#ISSAWebConf
Thank you!
Mario Chiock
CISSP, CISM & CISA
API Chair Security Sub-Committee
#ISSAWebConf
Closing Remarks
I would like to thank Del, Mario and
Stefano for lending their time and
expertise to this ISSA Educational
Program.
Thank you to Palo Alto Networks for
sponsoring this webinar.
Thank you Citrix for donating the Webcast
service.
#ISSAWebConf
CPE Credit
Within 24 hours of the conclusion of this webcast,
you will receive a link via email to a post Web
Conference quiz.
After the successful completion of the quiz you will be
given an opportunity to PRINT a certificate of
attendance to use for the submission of CPE credits.