ATS 2017 June 8 - atsgroep.be
ATS 2017 – June 8
Management of Security Vulnerabilities in Industrial Networks
Do you need security incidents to come to a good design of your industrial automation network?
Ing. Tijl Deneut, Project assistant Industrial Security – Lecturer Howest
Industrial Security Center
Lessons Learned From Troubleshooting REAL Companies
Within our security project, we had a lot of ICS factories and companies asking for our help.
We Fake Your Tiles! FicTile
Tijl Deneut, IT Manager
“Enable remote monitoring by connecting industrial equipment to the company network” (Operations Manager)
Enable Remote Monitoring of Industrial Equipment
[Diagram: three production halls, each with its own PLCs and HMI: Presses (172.20.1.0 /16), Furnace (172.20.2.0 /16) and Dosing equipment (172.20.3.0 /16), all connected to the Office / datacenter network (172.20.0.0 /16)]
Encountered in Real Life, three major kinds of “problems”
1. Non-human, accidental issues
   • And how FicTile “solved” it
2. Human on the job, accidental issues
   • And how FicTile “solved” it
3. Human recreational, accidental issues
   • And how FicTile “solved” it
Scenario 1
Please help: “PLC of dosing equipment goes into stop mode every day at 4 AM” (Tijl Deneut, IT Manager)
PLC of the dosing equipment continuously goes into stop mode
[Diagram: the same flat network (Presses 172.20.1.0 /16, Furnace 172.20.2.0 /16, Dosing equipment 172.20.3.0 /16, Office / datacenter 172.20.0.0 /16); annotation: TCP broadcasts, big TCP window]
“Solution”: Buy a new type of router that filters out these types of broadcasts
[Diagram: the same network; annotation: TCP broadcasts, big TCP window]
Scenario 2
Please help: “Dosing equipment mysteriously goes into error and cannot be restarted” (Tijl Deneut, IT Manager)
Dosing equipment mysteriously goes into error
[Diagram: the same flat network; annotation: PLC program downloaded to PLC in wrong hall (PRES-1)]
“Solution”: Organize a training to create awareness for PLC programmers
[Diagram: the same network; annotation: OT training to create awareness (PRES-1)]
Scenario 3
Please help: “USB stick causes a complete shutdown of production” (Tijl Deneut, IT Manager)
Thumb drive causes a complete shutdown of production
[Diagram: the same flat network (Presses, Furnace, Dosing equipment, Office / datacenter)]
“Solution”: Install a new and expensive antivirus program on the laptop
[Diagram: the same network; annotation: antivirus installation in the Office / datacenter (172.20.0.0 /16)]
Intermezzo: recent malware called WannaCrypt (or WannaCry)
The Real Problem?
The so-called “flat” network
o One “broadcast” domain
o The differences in IP addresses are only on paper
o Each piece of equipment has a direct connection with any other piece of equipment
o No opportunity for segmentation in zones or areas
o No control on network traffic
An untrusted network!
- Not safe: bad configurations or errors have an influence on the whole network
- Not secure: illegitimate access is not manageable
The (starting) solution?
Solution: network segmentation
Ideal Solution: Use of VLANs (physical subdivision on the switch)
- Configure traffic control in one location
- Broadcast traffic is limited to the VLAN
- Switches have to support this (managed switches)
- Needs to be thought through in advance; if necessary, change the subnet mask
Configuring VLANs
[Diagram: starting point, the flat network: Presses (172.20.1.0 /16), Furnace (172.20.2.0 /16), Dosing equipment (172.20.3.0 /16) and Office / datacenter (172.20.0.0 /16)]
Configuring VLANs, example (maybe requires extra cables)
[Diagram: Office / datacenter 172.20.0.0 /24; Presses 172.20.1.0 /24 (VLAN ID 1000); Furnace 172.20.2.0 /24 (VLAN ID 2000); Dosing equipment 172.20.3.0 /24 (VLAN ID 3000); a TRUNK carrying VLAN IDs 1000, 2000 and 3000]
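The migration in the diagram does two things at once: one VLAN per hall on the switch, and one /24 subnet mask per hall. The script below is an added example (not the presenter's material and not the FicTile network): it uses Python's ipaddress module to show why the /16 addresses of the flat network differ "only on paper", and to check a migration plan for devices whose mask was never changed. The device names, the inventory and the hall-to-VLAN-to-subnet plan are constructed from the slide.

```python
"""Check an ICS VLAN migration plan with the standard-library ipaddress module.

Added example for this transcript; hosts, VLAN IDs and the plan are constructed
from the slide's diagram and are not real FicTile data.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    name: str
    hall: str
    address: str  # "ip/prefixlen" exactly as configured on the device


# Target plan from the slide: one VLAN and one /24 per production hall.
# (The slide gives no VLAN ID for the office network, hence None.)
VLAN_PLAN = {
    "Office": ("172.20.0.0/24", None),
    "Presses": ("172.20.1.0/24", 1000),
    "Furnace": ("172.20.2.0/24", 2000),
    "Dosing": ("172.20.3.0/24", 3000),
}

# Constructed inventory: the "before" state still uses the flat /16 masks.
BEFORE = [
    Device("OFFICE-PC", "Office", "172.20.0.50/16"),
    Device("PRES-1", "Presses", "172.20.1.10/16"),
    Device("FURN-PLC", "Furnace", "172.20.2.10/16"),
    Device("DOS-PLC", "Dosing", "172.20.3.10/16"),
]


def on_link(a: Device, b: Device) -> bool:
    """True if *a* believes *b* is in its own subnet, i.e. it would ARP for it
    directly instead of sending via a gateway (same broadcast domain, seen from a)."""
    net_a = ipaddress.ip_interface(a.address).network
    return ipaddress.ip_address(b.address.split("/")[0]) in net_a


def shared_broadcast_pairs(devices):
    """Cross-hall device pairs that still reach each other without any router."""
    pairs = []
    for i, a in enumerate(devices):
        for b in devices[i + 1:]:
            if a.hall != b.hall and on_link(a, b) and on_link(b, a):
                pairs.append((a.name, b.name))
    return pairs


def plan_violations(devices):
    """Devices whose configured subnet does not match the plan for their hall,
    e.g. a PLC left on /16 after its switch port was moved into a /24 VLAN."""
    problems = []
    for d in devices:
        subnet, vlan_id = VLAN_PLAN[d.hall]
        want = ipaddress.ip_network(subnet)
        have = ipaddress.ip_interface(d.address).network
        if have != want:
            tag = f"VLAN {vlan_id}" if vlan_id is not None else "office network"
            problems.append(f"{d.name}: configured {have}, {tag} expects {want}")
    return problems


def migrate(devices):
    """Re-mask every device according to the plan (the 'change subnet mask' step)."""
    out = []
    for d in devices:
        subnet, _ = VLAN_PLAN[d.hall]
        prefix = ipaddress.ip_network(subnet).prefixlen
        host = d.address.split("/")[0]
        out.append(Device(d.name, d.hall, f"{host}/{prefix}"))
    return out


if __name__ == "__main__":
    print("Flat network, cross-hall pairs in one broadcast domain:", shared_broadcast_pairs(BEFORE))
    after = migrate(BEFORE)
    print("After /24 + VLANs:", shared_broadcast_pairs(after))
    print("Plan violations before:", plan_violations(BEFORE))
    print("Plan violations after: ", plan_violations(after))
```

Running it on the constructed inventory lists all six cross-hall pairs for the flat /16 network and none after re-masking; leaving a single PLC on /16 after its port moved into a VLAN shows up as a plan violation, which is the case the slide's "if necessary change subnet mask" remark is about.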
The other upside: Real Life Statistics
We assisted some companies to make this migration, and we have some PRE and POST statistics. Very common in *all* of these companies: redundant traffic.
Hacker damage ... (Tijl Deneut, IT Manager)
Hacking Industrial Networks
And am I safe then? Safer, but not secure!
So what can a hacker do on your network?
Using traditional protocols in new ways
Example demonstration: scanning and hacking using the Profinet Discovery Protocol (DCP)
-> Solution: Network Segmentation
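The DCP demonstration itself is not reproduced here. Instead, as an added example from the defender's side (not the presenter's code), the Python below parses PROFINET DCP frames and raises an alert when an Identify-All request (the discovery sweep DCP is used for) or a Set request (DCP's configuration service, which a device accepts without authentication) comes from a MAC address that is not a known engineering station. The frame layout follows the public PROFINET DCP encoding; the MAC addresses, the allowlist and the sample frames are constructed.

```python
"""Passive detection of PROFINET DCP discovery and configuration requests.

Added example for this transcript (not the presenter's demo code). It parses raw
Ethernet frames carrying PROFINET DCP and flags Identify-All and Set requests
whose source MAC is not a known engineering station. All MAC addresses, the
allowlist and SAMPLE_FRAMES are constructed.
"""
import struct

ETHERTYPE_PROFINET = 0x8892
ETHERTYPE_VLAN = 0x8100
DCP_MULTICAST = "01:0e:cf:00:00:00"   # destination of DCP Identify requests

FRAME_ID_GET_SET = 0xFEFD
FRAME_ID_IDENTIFY_REQ = 0xFEFE
FRAME_ID_IDENTIFY_RSP = 0xFEFF
DCP_FRAME_IDS = {FRAME_ID_GET_SET, FRAME_ID_IDENTIFY_REQ, FRAME_ID_IDENTIFY_RSP}

SERVICE_GET, SERVICE_SET, SERVICE_IDENTIFY = 0x03, 0x04, 0x05
SERVICE_TYPE_REQUEST = 0x00
OPTION_ALL_SELECTOR = 0xFF            # Identify "all devices" filter block

# Constructed allowlist: the engineering PC that is allowed to browse/configure PLCs.
KNOWN_ENGINEERING_STATIONS = {"00:1b:1b:aa:bb:cc"}


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_dcp(frame: bytes):
    """Return a dict describing the DCP PDU in *frame*, or None if it is not DCP."""
    if len(frame) < 14:
        return None
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    off, vlan = 14, None
    if ethertype == ETHERTYPE_VLAN:              # 802.1Q tag present
        if len(frame) < 18:
            return None
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, off = tci & 0x0FFF, 18
    if ethertype != ETHERTYPE_PROFINET or len(frame) < off + 12:
        return None
    (frame_id,) = struct.unpack("!H", frame[off:off + 2])
    if frame_id not in DCP_FRAME_IDS:
        return None                               # RT data / alarms, not DCP
    service_id, service_type, xid, _delay, data_len = struct.unpack(
        "!BBIHH", frame[off + 2:off + 12])
    blocks, pos, end = [], off + 12, min(off + 12 + data_len, len(frame))
    while pos + 4 <= end:
        option, suboption, blen = struct.unpack("!BBH", frame[pos:pos + 4])
        blocks.append((option, suboption, frame[pos + 4:pos + 4 + blen]))
        pos += 4 + blen + (blen & 1)              # blocks are padded to even length
    return {"dst": _mac(dst), "src": _mac(src), "vlan": vlan, "frame_id": frame_id,
            "service_id": service_id, "service_type": service_type,
            "xid": xid, "blocks": blocks}


def classify(frame: bytes):
    """Return an alert string for a suspicious DCP request, or None."""
    dcp = parse_dcp(frame)
    if dcp is None or dcp["service_type"] != SERVICE_TYPE_REQUEST:
        return None                               # responses are not of interest here
    if dcp["src"] in KNOWN_ENGINEERING_STATIONS:
        return None
    if dcp["service_id"] == SERVICE_IDENTIFY and any(
            opt == OPTION_ALL_SELECTOR for opt, _, _ in dcp["blocks"]):
        return f"DCP Identify-All sweep from unknown station {dcp['src']}"
    if dcp["service_id"] == SERVICE_SET:
        return f"DCP Set request (device reconfiguration) from unknown station {dcp['src']} to {dcp['dst']}"
    return None


def build_dcp(src, dst, frame_id, service_id, service_type, blocks, xid=1, vlan=None):
    """Assemble a DCP frame; used only to construct the sample input below."""
    body = b"".join(struct.pack("!BBH", o, s, len(d)) + d + (b"\x00" * (len(d) & 1))
                    for o, s, d in blocks)
    pdu = struct.pack("!HBBIHH", frame_id, service_id, service_type, xid, 0, len(body)) + body
    tag = struct.pack("!HH", ETHERTYPE_VLAN, vlan) if vlan is not None else b""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    return hdr + tag + struct.pack("!H", ETHERTYPE_PROFINET) + pdu


ENGINEERING_PC, LAPTOP, PLC = "00:1b:1b:aa:bb:cc", "08:00:27:12:34:56", "00:1b:1b:01:02:03"
SAMPLE_FRAMES = [
    # legitimate Identify-All from the engineering PC
    build_dcp(ENGINEERING_PC, DCP_MULTICAST, FRAME_ID_IDENTIFY_REQ, SERVICE_IDENTIFY,
              SERVICE_TYPE_REQUEST, [(OPTION_ALL_SELECTOR, 0xFF, b"")]),
    # Identify-All from an unknown laptop, tagged into the Presses VLAN
    build_dcp(LAPTOP, DCP_MULTICAST, FRAME_ID_IDENTIFY_REQ, SERVICE_IDENTIFY,
              SERVICE_TYPE_REQUEST, [(OPTION_ALL_SELECTOR, 0xFF, b"")], vlan=1000),
    # Set NameOfStation (option 2 / suboption 2: 2-byte qualifier + name) from the laptop
    build_dcp(LAPTOP, PLC, FRAME_ID_GET_SET, SERVICE_SET, SERVICE_TYPE_REQUEST,
              [(0x02, 0x02, b"\x00\x01" + b"pres-1")]),
    # Identify response from the PLC: a response, not a request
    build_dcp(PLC, ENGINEERING_PC, FRAME_ID_IDENTIFY_RSP, SERVICE_IDENTIFY, 0x01,
              [(0x02, 0x02, b"\x00\x00" + b"pres-1")]),
    # plain IPv4 frame, not PROFINET at all
    bytes.fromhex("001b1b010203080027123456") + struct.pack("!H", 0x0800) + b"\x45" + b"\x00" * 19,
]


def scan(frames):
    """Run the classifier over a list of frames and return the alerts raised."""
    return [a for a in (classify(f) for f in frames) if a is not None]


if __name__ == "__main__":
    for alert in scan(SAMPLE_FRAMES):
        print("ALERT:", alert)
```

DCP Identify requests are sent to a link-local multicast address, so they never cross a router; that is why the slide's "solution" is segmentation, and why a sensor like this one needs a mirror port inside each cell to see them. The MAC allowlist is deliberately simple: in a production hall the set of stations that legitimately run TIA Portal or a comparable tool is small and known.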
Let’s get into the Hacker Mindset
What does a hacker have at his disposal? The internet!
shodan.io
Shodan ICS Radar
HTTP or HTTPS?
• HyperText Transfer Protocol is the uniform protocol used by almost every website
• However, HTTP is insecure
• All data transferred using HTTP is clearly readable by “listeners”
• A solution for this could be HTTPS, where the “S” stands for ‘Secure’
• A good tool to verify this is Wireshark
A fairly known and commonly used protocol: RDP
• Technique for taking over a Windows PC remotely
• Client is present on every Windows version since XP (mstsc.exe)
• Supports a lot of features: Copy-Paste, File System & Audio Redirection, Printer & Port Redirection
Remote Desktop Protocol vulnerability
Without getting too technical: Remote Desktop can be sniffed
Example demonstration: Sniffing RDP
Solution 1: Enable NLA
Solution 2: Encryption …
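Both solutions from the slide correspond to settings of the RDP-Tcp listener on the Windows host. The Python below is an added example (not the presenter's tooling) that grades a set of those registry values: UserAuthentication (NLA), SecurityLayer (TLS) and MinEncryptionLevel, with fDenyTSConnections telling whether RDP is enabled at all. On Windows it can read the live values through the winreg module; the WEAK and HARDENED dictionaries are constructed samples.

```python
"""Grade a Windows host's RDP listener settings against the two fixes from the
slide: NLA enabled (Solution 1) and TLS encryption enforced (Solution 2).

Added example for this transcript, not the presenter's tooling. The value
names are those of the RDP-Tcp WinStation key; WEAK and HARDENED are
constructed sample configurations.
"""
import sys

RDP_TCP_KEY = r"SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
TS_KEY = r"SYSTEM\CurrentControlSet\Control\Terminal Server"

SECURITY_LAYER = {0: "RDP Security Layer (legacy)", 1: "Negotiate", 2: "TLS (SSL) required"}
ENCRYPTION_LEVEL = {1: "Low", 2: "Client Compatible", 3: "High", 4: "FIPS"}


def assess_rdp(settings):
    """Return a list of findings for a dict of RDP registry values.

    Missing values are treated as the weakest setting so a finding is not missed.
    """
    findings = []
    if settings.get("fDenyTSConnections", 0) == 1:
        return ["RDP is disabled on this host (fDenyTSConnections=1); nothing to sniff."]
    # Solution 1 from the slide: Network Level Authentication. Without it the
    # server shows its logon screen to any unauthenticated client.
    if settings.get("UserAuthentication", 0) != 1:
        findings.append("NLA not required (UserAuthentication!=1): set it to 1.")
    # Solution 2 from the slide: encryption. 'Negotiate' lets a client that does
    # not offer TLS fall back to the legacy RDP security layer.
    layer = settings.get("SecurityLayer", 0)
    if layer != 2:
        findings.append(f"SecurityLayer={layer} ({SECURITY_LAYER.get(layer, 'unknown')}): "
                        "TLS is not enforced; set SecurityLayer=2.")
    level = settings.get("MinEncryptionLevel", 1)
    if level < 3:
        findings.append(f"MinEncryptionLevel={level} ({ENCRYPTION_LEVEL.get(level, 'unknown')}): "
                        "raise to 3 (High) or 4 (FIPS).")
    return findings


def read_local_settings():
    """Read the live values from the registry (Windows only; None elsewhere)."""
    if sys.platform != "win32":
        return None
    import winreg
    out = {}
    for key, names in ((TS_KEY, ["fDenyTSConnections"]),
                       (RDP_TCP_KEY, ["UserAuthentication", "SecurityLayer", "MinEncryptionLevel"])):
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as k:
            for name in names:
                try:
                    out[name], _ = winreg.QueryValueEx(k, name)
                except FileNotFoundError:
                    pass   # value not present: assess_rdp treats it as weakest
    return out


# Constructed sample configurations.
WEAK = {"fDenyTSConnections": 0, "UserAuthentication": 0, "SecurityLayer": 0, "MinEncryptionLevel": 1}
HARDENED = {"fDenyTSConnections": 0, "UserAuthentication": 1, "SecurityLayer": 2, "MinEncryptionLevel": 3}

if __name__ == "__main__":
    for label, cfg in (("weak sample", WEAK), ("hardened sample", HARDENED), ("this host", read_local_settings())):
        if cfg is not None:
            print(label, "->", assess_rdp(cfg) or ["OK"])
```

Setting SecurityLayer to 2 and UserAuthentication to 1 is what the "Require use of specific security layer" and "Require user authentication for remote connections by using NLA" group policies write to these values, so the same check can be run against a GPO export as well as a live host.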
Remote access
Theoretically and ideally
[Diagram: a manager at a hotel connects over the Internet to a sensitive PC at work]
[Diagram: HOTEL with an attacker on the local network, WORK with an attacker on the remote network; the manager's session to the sensitive PC at work runs through a VPN connection]
• Use a VPN solution; there are many options here, not all of them equally secure
• Use a “Jump Station”; don’t allow third parties ‘unlimited’ access to your network
Some remote access guidelines
[Diagram: manager at a hotel, Internet, VPN connection to WORK; the manager lands on a NON-sensitive PC at work (VM) with up-to-date AV and an RDP client, “refreshed” each night, and from there reaches the sensitive PC at work]
Restricted © Siemens AG 2017
June 8, 2017, page 34
Industrial Security
The Siemens Solution
• Physical access protection to the plant and critical systems
• Security management and policies
• Security services for protection of a plant's entire lifecycle
• Secure remote access to the plant via the Internet or mobile networks
• Protection of the plant / machine network through segmentation
• Secured communication
• Protection of system integrity through integrated functions
• Access protection and rights management
SIMATIC S7-1500 and the TIA Portal
Security Highlights
The SIMATIC S7-1500 and the TIA Portal provide several security features:
• Increased Know-How Protection in STEP 7
Protection of intellectual property and effective investment
• Increased Copy Protection
Protection against unauthorized reproduction of executable programs
• Increased Access Protection (Authentication)
Extensive protection against unauthorized project changes
• Via Security CP1543-1 by means of integrated firewall and VPN communication
• Expanded Access Protection
Extensive protection against unauthorized project changes
• Increased Protection against Manipulation
Protection of communication against unauthorized manipulation for high plant availability
VLAN - Portfolio
Switch and areas of application:
XB-200
• For setting up line, star and ring structures
• For PROFINET and EtherNet/IP applications
• Compact and small dimensions
XC-200
• Extended temperature range from -40 °C to +70 °C
• Gigabit-capable, can be equipped with SFPs, PROFINET and EtherNet/IP
• Certifications for trackside railway applications, marine applications 1)
• Additional FW functionalities: Fiber monitoring, VLANs, HRP standby
XP-200
• High degree of protection (IP65/67) for use outside of the control cabinet and in extreme ambient conditions from -40 °C to +70 °C
• PROFINET, EtherNet/IP applications with up to 1 Gbit/s and IEEE 802.3at Type 2 (max. 120 W)
• Certifications for railway, motor vehicles, marine applications
X-300
• For high-performance plant networks
• VLANs, Gigabit, Power-over-Ethernet (PoE)
• Flexibility with different media modules
XM400
• Layer 3 routing
• Combo ports
• Expandable up to 24 ports
• NFC
XR500
• Modular
• Up to 52 ports
• 10 Gbit
Cell Protection with Security Communication Processor
Cell Protection with Communication Processor - Portfolio
Cell segmentation:
• S7-1500: CM 1542-1
• S7-300/S7-400: CP 343-1/CP443-1
• ET200 SP CPU: CP 1542SP-1
• PC: CP 1616/1612/1613/1623/1626
Cell Protection:
• S7-1500: CM 1543-1
• S7-1200: CP 1243-1
• S7-300/S7-400: CP 343-1/CP443-1 Advanced
• ET200 SP CPU: CP 1543SP-1
• PC: CP 1628
Cell Protection and remote access with SCALANCE S
Task
For risk minimization, a large automation network is to be segmented into several safety-technical areas. The individual segments are subject to different requirements.
Solution
Individual segments are secured with a SCALANCE S variant which controls access to the lower-level segment by means of a firewall.
• An S602 is placed upstream of a segment and is also able to take on the identity of a lower-level device by means of the GHOST method, e.g. robot control.
• An S612 is placed upstream of a segment and is also able to protect communication from and to this segment by means of VPN.
• An S615 is placed upstream of a segment and is able to secure multiple further lower-level cells by means of VLAN.
• An S623 separates the automation network from the office network and facilitates data exchange between these networks via a DMZ without requiring direct access.
• An S627-2M is placed upstream of a lower-level ring (FO or Cu) and controls data communication. If required, a second S627-2M can be placed in standby mode in a redundant manner in order to increase availability in case of fault.
Remote access with Sinema Remote Connect
SINEMA RC example of a configuration
Task
Remote service for special machine building
Solution
• Central management of the machines and service technicians in SINEMA RC
• Assignment and management of user rights and access rights
• Logging access
Benefits
• Remote access to special machines and sensitive areas
• High transparency and security
• Avoidance of errors with unique assignment of the possessors of know-how to the relevant plant sections
• Transparent IP communication
First Vendor with Certification on Achilles Level 2
+ Protection against DoS attacks
+ Defined behavior in case of attack
• Improved Availability
• IP Protection
• International Standard
Certified CPUs: LOGO!, S7-300 PN/DP, S7-400 PN/DP, S7-1500 PN/DP, S7-1200, S7-400 HF CPU V6.0, S7-410-5H
Certified CPs: CP343-1 Advanced, CP443-1 & Advanced, CP1243-1, CP1543-1, CP1628
Certified DP: ET 200 PN/DP CPUs, ET 200SP PN CPUs
Certified Firewalls: SCALANCE S602, S612, S623, S627-2M
CERT@Siemens
www.siemens.com/industrialsecurity
Cyber Emergency Readiness Team
Siemens Security Services
Siemens Plant Security Services: Assess Security, Implement Security, Manage Security
Siemens products and systems offer integrated security:
• Know-how and copy protection
• Firewall and VPN (Virtual Private Network)
• Authentication and user management
• System “hardening”
The Siemens security concept: “Defense in Depth”
Assess Security
How do we figure out which assessment we need in each case?
Which assessment do I need?
• Do I have a close to 100% SIMATIC PCS 7 installation? Or do I have a heterogeneous environment? -> SIMATIC PCS 7 & WinCC Assessment
• Or would I rather get a deep, time-intensive analysis of my industrial environment, including data collection? -> Risk & Vulnerability Assessment
• Would I like to have a quick check against the best known security standard? -> ISO 27001 Assessment
• Would I like to have a quick check against the best known security standard for Industrial Control Systems? -> IEC 62443 Assessment
IEC 62443 Assessment
Identify security gaps and define measures to mitigate risks
Assessment of compliance to the IEC 62443 international standard (Industrial communication networks – Network and system security)
• Focus on parts 2-1 “Establishing an industrial automation and control system security program” and 3-3 “Security for industrial process measurement and control – Network and system security”
• Available for Siemens and third party systems
• 2 days on-site
• Coordinated by a security consultant and a security engineer
• Questionnaire-based checklist to identify and classify risks
• Up to 30 pages report containing recommendations for risk mitigation measures
ISO 27001 Assessment
Identify security gaps and define measures to mitigate risks
Quick assessment of plant security according to the ISO 27001 international standard (Information Security Management)
• Onsite workshop incl. questionnaire-based checklist:
  • 1 day on-site
  • Coordinated by a security consultant and a security engineer
  • Typical attendants: Management and the customer’s responsible persons for production, IT security and physical security, maintenance staff, engineering staff, …
• Offline evaluation of the results: Analysis, risk identification and classification, definition of risk mitigation measures and prioritization of actions (based on cost/benefit scenario)
• Up to 30 pages report containing recommendations for risk mitigation measures
SIMATIC PCS 7 & WinCC Assessment
Identify security gaps and define measures to mitigate risks
Quick assessment of the SIMATIC PCS 7 & WinCC installation
• Onsite workshop incl. questionnaire-based checklist:
  • 1 day on-site
  • Coordinated by a SIMATIC PCS 7 & WinCC security consultant
  • Typical attendants: The customer’s responsible persons for production, IT security and physical security, maintenance staff, engineering staff, …
• Offline analysis of the results: Risk identification and classification and definition of risk mitigation
• Up to 30 pages report containing recommendations for risk mitigation measures
Risk & Vulnerability Assessment
Identify, classify and evaluate risks for a risk-based security program
People
• We evaluate security awareness, security-related skills and knowledge
Processes
• We assess the maturity of organizational processes and work instructions as they apply to the security of Industrial Control Systems
• We perform a gap analysis based upon standards, best practices and existing policies
• We check if the current policies and work instructions are adequate to protect the plant against the latest and emerging threats
Technology
• We collect installed base data and system architecture to perform a vulnerability assessment on Industrial Control Systems
• We evaluate the current security risk situation of the production networks and systems
Risk & Vulnerability Assessment
Identify, classify and evaluate risks for a risk-based security program
• Report including:
  • Project documentation:
    • Scope description
    • Current network topology
    • Current system architecture
    • Risk analysis and scoring methodology
  • Findings:
    • Network topology analysis results
    • Installed Base data analysis results
    • System criticality results (likelihood and business impact)
    • Risk level including risk scoring
    • Training needs
    • Risk mitigation measures for each finding
• Management presentation as a first step to establish a security roadmap
Implement Security to mitigate risks
Security Awareness Training
Knowledge transfer to secure the "weakest link"
• SITRAIN training
• Web-based, one-hour training
• Generate security awareness for the staff: Introduce current threat landscape, describe how to handle risks and help identify security incidents
Security Policy Consulting
Establish standard practice in industrial control system (ICS) security
• Establish new or review and enhance existing policies, processes, procedures and work instructions which influence security on the shop floor
• Integration with enterprise cyber security practice
• Examples: Patch and backup strategy, handling of removable media, …
Network Security Consulting
Support on secured network design and setup
• Cell segmentation in security cells support based on IEC 62443 standard and SIMATIC PCS 7 & WinCC security concept
• Design and planning of a perimeter protection network: DMZ network (Demilitarized)
• Perimeter firewall rule establishment / review and implementation
Implement Security to mitigate risks
Perimeter Firewall Installation
First line of defense against highly developed threats
• Based on Automation Firewall Appliance
• Installation, configuration, commissioning and test of firewall system and traffic rules
• Configuration backup
• Consideration of customer-specific applications (e.g. fine-tuning of intrusion detection / prevention system (IDS/IPS))
Clean Slate Validation
Validate “clean-slate” status of environment
• Identification of security gaps thanks to virus scanning with two different scan engines
• Use of McAfee Command Line Scanner and Kaspersky Rescue Disk
• No installations required: Use of USB stick and Command Lines
Anti Virus Installation
Virus protection solution for malware detection and prevention
• Installation and configuration of virus protection software (McAfee Virusscan Enterprise Agents)
• Installation of the McAfee ePO* central management console recommended when more than 10 anti-virus agents installed
• Compatibility consideration for SIMATIC PCS 7 Systems
* ePolicy Orchestrator
Implement Security to mitigate risks
Whitelisting Installation
Application control solution for malware detection and prevention
• Installation of whitelisting software (McAfee Application Control)
• Installation of the McAfee ePO* central management console recommended when more than 10 whitelisting agents installed
• Compatibility consideration for SIMATIC PCS 7 Systems
System Backup
Industrial control system backup
• Performance of one-time backup of systems in plant environment
• Symantec System Recovery software procured and owned by customer
Windows Patch Installation
Installation of Microsoft OS Patches
• Installation of automation vendor validated and customer approved Microsoft® OS patches via customer-owned WSUS server
• Consideration of compatibility: Patches recommended by the supplier of automation technology AND authorized by the customer
* ePolicy Orchestrator
If you want to work securely
Work with