ATS 2017 June 8 - atsgroep.be

Page 1

ATS 2017 – June 8

Management of Security Vulnerabilities in Industrial Networks

Do you need security incidents to come to a good design of your industrial automation network?

Ing. Tijl Deneut, Project assistant Industrial Security – Lecturer Howest

Page 2

Industrial Security Center

Page 3

Lessons Learned

Within our security project, we had a lot of ICS factories and companies asking for our help.

Lessons Learned From Troubleshooting REAL companies

Page 4

We Fake Your Tiles!

FicTile

Page 5

FicTile

Tijl Deneut, IT Manager

Page 6

“Enable remote monitoring by connecting industrial equipment to the company network”

Operations Manager

Page 7

Enable Remote Monitoring of Industrial Equipment

[Diagram: the office / datacenter (172.20.0.0 /16) is connected to three production halls, Presses (172.20.1.0 /16), Furnace (172.20.2.0 /16) and Dosing equipment (172.20.3.0 /16), each containing PLCs and an HMI.]

Page 8

Encountered in Real Life, three major kinds of “problems”

1. Non-human, accidental issues
   • And how FicTile “solved” it

2. Human on the job, accidental issues
   • And how FicTile “solved” it

3. Human recreational, accidental issues
   • And how FicTile “solved” it

Page 9

Scenario 1

Please help: “PLC of dosing equipment goes into stop mode every day at 4 AM”

Tijl Deneut, IT Manager

Page 10

PLC of the dosing equipment keeps going into stop mode

[Diagram: the same flat topology (office / datacenter 172.20.0.0 /16; Presses, Furnace and Dosing equipment on 172.20.1.0 /16, 172.20.2.0 /16 and 172.20.3.0 /16), annotated “TCP broadcasts, big TCP window”.]

Page 11

“Solution”: Buy a new type of router that filters out these types of broadcasts

[Diagram: the same flat topology with the “TCP broadcasts, big TCP window” annotation.]

Page 12

Scenario 2

Please help: “Dosing equipment mysteriously goes into error and cannot be restarted”

Tijl Deneut, IT Manager

Page 13

Dosing equipment mysteriously goes into error

[Diagram: the same flat topology; annotation “PLC program downloaded to PLC in wrong hall”, with the PLC labelled PRES-1 marked.]

Page 14

“Solution”: Organize a training to create awareness for PLC programmers

[Diagram: the same flat topology, PLC PRES-1 marked; annotation “OT training to create awareness”.]

Page 15

Scenario 3

Please help: “USB stick causes a complete shutdown of production”

Tijl Deneut, IT Manager

Page 16

Thumb drive causes a complete shutdown of production

[Diagram: the same flat topology (office / datacenter 172.20.0.0 /16; Presses, Furnace and Dosing equipment on 172.20.1.0 /16, 172.20.2.0 /16 and 172.20.3.0 /16).]

Page 17

“Solution”: Install a new and expensive antivirus program on the laptop

[Diagram: the same flat topology; annotation “Antivirus installation” at the office / datacenter (172.20.0.0 /16).]

Page 18

Intermezzo: recent malware called Wannacrypt (or Wannacry)

Page 19

The Real Problem?

The so-called “flat” network

o One “broadcast” domain
o The differences in IP addresses are only on paper
o Each piece of equipment has a direct connection with every other piece of equipment
o No opportunity for segmentation in zones or areas
o No control on network traffic

An untrusted network!

- Not safe: bad configurations or errors have an influence on the whole network

- Not secure: illegitimate access is not manageable

Page 20

The (starting) solution?

Solution: network segmentation

Ideal Solution: Use of VLANs (physical subdivision on the switch)

- Configure traffic control in one location
- Broadcast traffic is limited to the VLAN
- Switches have to support this (managed switches)
- Needs to be thought through in advance; if necessary, change the subnet mask

Page 21

Configuring VLANs

[Diagram: the starting point, the same flat topology (office / datacenter 172.20.0.0 /16; Presses, Furnace and Dosing equipment on 172.20.1.0 /16, 172.20.2.0 /16 and 172.20.3.0 /16).]

Page 22

Configuring VLANs, example (maybe requires extra cables)

[Diagram: the office / datacenter on 172.20.0.0 /24; Presses on 172.20.1.0 /24 (VLAN ID 1000), Furnace on 172.20.2.0 /24 (VLAN ID 2000) and Dosing equipment on 172.20.3.0 /24 (VLAN ID 3000), each hall with its PLCs and HMI; a TRUNK carrying VLAN IDs 1000, 2000 and 3000 connects the halls to the office / datacenter.]
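The migration from the flat network on page 19 to the VLAN plan on pages 20 to 22 (one /16 broadcast domain split into per-hall /24 subnets with VLAN IDs 1000, 2000 and 3000) can be checked on paper before any switch is touched. The Python script below is an added example and not part of the original slides: the device names and addresses are constructed to match the diagram, and the VLAN plan is the one shown on this page. It computes the broadcast domains before and after the split, lists the devices whose address no longer fits the subnet planned for their hall (the "change the subnet mask" point on page 20), the VLAN IDs the trunk must carry, and the device pairs that lose their layer-2 adjacency and therefore need a route and an explicit firewall rule afterwards.

```python
"""Planning check for migrating a flat 172.20.0.0/16 plant network to per-hall VLANs.

Added example: device names and addresses are constructed to match the slide
diagram; the VLAN plan (one /24 per hall, VLAN IDs 1000/2000/3000) is the one on the slide.
"""
import ipaddress
from collections import defaultdict
from itertools import combinations

# Constructed inventory: (device name, IPv4 address, hall the device physically belongs to).
DEVICES = [
    ("OFFICE-SRV", "172.20.0.10", "office"),
    ("PRES-1",     "172.20.1.10", "presses"),
    ("PRES-HMI",   "172.20.1.20", "presses"),
    ("FURN-PLC",   "172.20.2.10", "furnace"),
    ("FURN-HMI",   "172.20.2.20", "furnace"),
    ("DOS-PLC-1",  "172.20.3.10", "dosing"),
    ("DOS-PLC-2",  "172.20.1.11", "dosing"),   # addressed like a press PLC: the /24 split will break it
    ("DOS-HMI",    "172.20.3.20", "dosing"),
]

FLAT_PREFIXLEN = 16   # today: every host carries a /16 mask, so the whole plant is one broadcast domain
VLAN_PREFIXLEN = 24   # target: one /24 per hall

# VLAN plan from the slide: hall -> (subnet, VLAN ID); the office side carries no hall VLAN ID.
VLAN_PLAN = {
    "office":  ("172.20.0.0/24", None),
    "presses": ("172.20.1.0/24", 1000),
    "furnace": ("172.20.2.0/24", 2000),
    "dosing":  ("172.20.3.0/24", 3000),
}


def broadcast_domains(devices, prefixlen):
    """Group device names by the subnet their address falls into at the given mask length.

    With /16 everything lands in 172.20.0.0/16: a single broadcast domain, which is why a
    broadcast storm or a download to the wrong PLC reaches every hall (scenarios 1 and 2).
    """
    domains = defaultdict(set)
    for name, ip, _hall in devices:
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        domains[str(net)].add(name)
    return dict(domains)


def misplaced_devices(devices, plan):
    """Devices whose current address lies outside the subnet planned for their hall.

    These must be re-addressed before the mask change, otherwise they end up in
    another hall's VLAN after the migration.
    """
    findings = []
    for name, ip, hall in devices:
        subnet, _vlan_id = plan[hall]
        if ipaddress.ip_address(ip) not in ipaddress.ip_network(subnet):
            findings.append((name, ip, hall, subnet))
    return findings


def trunk_vlan_ids(plan):
    """VLAN IDs that the trunk between the hall switches and the office must carry."""
    return sorted(vlan_id for _subnet, vlan_id in plan.values() if vlan_id is not None)


def separated_pairs(devices, old_prefixlen, new_prefixlen):
    """Device pairs that share a broadcast domain today but not after the split.

    Every such pair that still has to communicate (e.g. the office monitoring server
    and a hall PLC) now needs a routed path and an explicit firewall rule.
    """
    old = broadcast_domains(devices, old_prefixlen)
    new = broadcast_domains(devices, new_prefixlen)

    def domain_of(domains, name):
        return next(net for net, members in domains.items() if name in members)

    pairs = []
    for (a, _ia, _ha), (b, _ib, _hb) in combinations(devices, 2):
        if domain_of(old, a) == domain_of(old, b) and domain_of(new, a) != domain_of(new, b):
            pairs.append((a, b))
    return pairs


if __name__ == "__main__":
    print("before:", broadcast_domains(DEVICES, FLAT_PREFIXLEN))
    print("after: ", broadcast_domains(DEVICES, VLAN_PREFIXLEN))
    print("re-address before migrating:", misplaced_devices(DEVICES, VLAN_PLAN))
    print("trunk must carry VLAN IDs:", trunk_vlan_ids(VLAN_PLAN))
    print("pairs that now need a route / firewall rule:",
          len(separated_pairs(DEVICES, FLAT_PREFIXLEN, VLAN_PREFIXLEN)))
```

Run against the constructed inventory, the script reports a single /16 domain of eight devices before the split, flags DOS-PLC-2 (172.20.1.11, which would land in the Presses VLAN rather than the Dosing one), lists 1000, 2000 and 3000 for the trunk, and shows that 23 of the 28 device pairs lose their direct layer-2 path, which is exactly the traffic that page 20 says must now be controlled in one location.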

Page 23

The other upside: Real Life Statistics

We assisted some companies with this migration, so we have some PRE and POST statistics. Very common in *all* of these companies: redundant traffic.

Page 24

And am I safe then? Safer, but not secure!

Hacker damage ...

Tijl Deneut, IT Manager

Page 25

Hacking Industrial Networks

So what can a hacker do on your network?

Using traditional protocols in new ways

Example demonstration: scanning and hacking using the Profinet Discovery Protocol (DCP)

-> Solution: Network Segmentation

Page 26

Let’s get into the Hacker Mindset

What does a hacker have at his disposal? The internet!

shodan.io

Shodan ICS Radar

Page 27

HTTP or HTTPS?

• HyperText Transport Protocol is the uniform protocol used by almost every website

• However, HTTP is insecure

• All data transferred using HTTP is clearly readable by “listeners”

• A solution for this could be HTTPS, where the “S” stands for ‘Secure’

• A good tool to verify this is Wireshark

Page 28

A fairly known and commonly used protocol: RDP

• Technique for taking over a Windows PC remotely

• Client is present on every Windows version since XP (mstsc.exe)

• Supports a lot of features: Copy-Paste, File System & Audio Redirection, Printer & Port Redirection

Page 29

Remote Desktop Protocol vulnerability

Without getting too technical:

Remote Desktop can be sniffed

Example demonstration: Sniffing RDP

Solution 1: Enable NLA

Solution 2: Encryption …
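The two solutions on this page, NLA and encryption, correspond to three values of the RDP-Tcp listener in the Windows registry: UserAuthentication (1 = NLA required), SecurityLayer (2 = TLS mandatory instead of the legacy RDP Security Layer) and MinEncryptionLevel (3 = High). The Python script below is an added example, not part of the original slides. Its read_rdp_settings helper reads the live values on a Windows host through the standard winreg module; the assessment itself works on any settings dictionary, so it also runs on values exported from another machine, and it prints the PowerShell commands that put both mitigations in place. The two sample listeners embedded at the bottom are constructed.

```python
"""Check an RDP listener for the two solutions on the slide: NLA and (TLS) encryption.

Added example, not from the slides. The three values live under the RDP-Tcp listener key
in the Windows registry; the sample settings at the bottom are constructed.
"""
RDP_TCP_KEY = r"SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
VALUE_NAMES = ("UserAuthentication", "SecurityLayer", "MinEncryptionLevel")

# Documented meanings of the DWORD values.
SECURITY_LAYER = {0: "RDP Security Layer", 1: "Negotiate", 2: "TLS (SSL)"}
MIN_ENCRYPTION_LEVEL = {1: "Low", 2: "Client Compatible", 3: "High", 4: "FIPS Compliant"}

# Target state: NLA required, TLS mandatory, at least "High" (128-bit) encryption.
RECOMMENDED = {"UserAuthentication": 1, "SecurityLayer": 2, "MinEncryptionLevel": 3}


def read_rdp_settings():
    """Read the live values on a Windows host (winreg is part of the standard library there)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RDP_TCP_KEY) as key:
        return {name: winreg.QueryValueEx(key, name)[0] for name in VALUE_NAMES}


def compliant(name, value):
    """MinEncryptionLevel may exceed the target (4 = FIPS); the other two must match exactly."""
    if value is None:
        return False
    if name == "MinEncryptionLevel":
        return value >= RECOMMENDED[name]
    return value == RECOMMENDED[name]


def assess_rdp(settings):
    """Return one finding per non-compliant value; an empty list means both solutions are in place."""
    findings = []
    if not compliant("UserAuthentication", settings.get("UserAuthentication")):
        findings.append("NLA not required (UserAuthentication != 1): the logon screen is reachable "
                        "before the user has authenticated")
    layer = settings.get("SecurityLayer")
    if not compliant("SecurityLayer", layer):
        findings.append(f"SecurityLayer = {layer} ({SECURITY_LAYER.get(layer, 'unknown')}): "
                        "TLS is not mandatory, the legacy RDP Security Layer can still be used")
    level = settings.get("MinEncryptionLevel")
    if not compliant("MinEncryptionLevel", level):
        findings.append(f"MinEncryptionLevel = {level} ({MIN_ENCRYPTION_LEVEL.get(level, 'unknown')}): "
                        "below High (3), so weaker encryption can be negotiated")
    return findings


def remediation_commands(settings):
    """PowerShell lines that bring each non-compliant value to the recommended state."""
    path = "HKLM:\\" + RDP_TCP_KEY
    return [f"Set-ItemProperty -Path '{path}' -Name {name} -Value {RECOMMENDED[name]} -Type DWord"
            for name in VALUE_NAMES if not compliant(name, settings.get(name))]


# Constructed samples: a listener with neither solution in place, and a hardened one.
WEAK_LISTENER = {"UserAuthentication": 0, "SecurityLayer": 0, "MinEncryptionLevel": 1}
HARDENED_LISTENER = {"UserAuthentication": 1, "SecurityLayer": 2, "MinEncryptionLevel": 3}

if __name__ == "__main__":
    try:
        settings = read_rdp_settings()   # live values on a Windows host
    except ImportError:
        settings = WEAK_LISTENER         # not on Windows: evaluate the constructed sample instead
    for finding in assess_rdp(settings):
        print("FINDING:", finding)
    for cmd in remediation_commands(settings):
        print("FIX:", cmd)
```

Changing SecurityLayer and UserAuthentication takes effect for new connections; run the printed commands from an elevated PowerShell and re-run the check afterwards. Clients older than the NLA-capable ones will no longer connect, which is the intended trade-off on a jump station.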

Page 30

Remote access

[Diagram: “Theoretically and ideally”, a manager at a hotel reaches a sensitive PC at work over the Internet; an attacker on the local network (HOTEL) and an attacker on a remote network are shown against that path; the connection into WORK is a VPN connection.]

Page 31

Some remote access guidelines

• Use a VPN solution, there are many options here, not all of them equally secure

• Use a “Jump Station”, don’t allow third parties ‘unlimited’ access to your network

[Diagram: the manager at a hotel connects over the Internet through a VPN connection into WORK and lands on a NON-sensitive PC at work (a VM with up-to-date AV and an RDP client, “refreshed” each night), which in turn reaches the sensitive PC at work.]

Page 32

Restricted © Siemens AG 2017

June 8, 2017, page 34

Industrial Security

The Siemens Solution

• Physical access protection to the plant and critical systems

• Security management and policies

• Security services for protection of a plant's entire lifecycle

• Secure remote access to the plant via the Internet or mobile networks

• Protection of the plant / machine network through segmentation

• Secured communication

• Protection of system integrity through integrated functions

• Access protection and rights management

Page 33

SIMATIC S7-1500 and the TIA Portal: Security Highlights

The SIMATIC S7-1500 and the TIA Portal provide several security features:

• Increased Know-How Protection in STEP 7: protection of intellectual property and effective investment

• Increased Copy Protection: protection against unauthorized reproduction of executable programs

• Increased Access Protection (Authentication): extensive protection against unauthorized project changes

• Expanded Access Protection: via Security CP1543-1 by means of integrated firewall and VPN communication; extensive protection against unauthorized project changes

• Increased Protection against Manipulation: protection of communication against unauthorized manipulation for high plant availability

Page 34

VLAN - Portfolio

Switch / Areas of application

XB-200
• For setting up line, star and ring structures
• For PROFINET and EtherNet/IP applications
• Compact and small dimensions

XC-200
• Extended temperature range from -40 °C to +70 °C
• Gigabit-capable, can be equipped with SFPs, PROFINET and EtherNet/IP
• Certifications for trackside railway applications, marine applications 1)
• Additional FW functionalities: Fiber monitoring, VLANs, HRP standby

XP-200
• High degree of protection (IP65/67) for use outside of the control cabinet and in extreme ambient conditions from -40 °C to +70 °C
• PROFINET, EtherNet/IP applications with up to 1 Gbit/s and IEEE 802.3at Type 2 (max. 120 W)
• Certifications for railway, motor vehicles, marine applications

X-300
• For high-performance plant networks
• VLANs, Gigabit, Power-over-Ethernet (PoE)
• Flexibility with different media modules

XM400
• Layer 3 routing
• Combo ports
• Expandable up to 24 ports
• NFC

XR500
• Modular
• Up to 52 ports
• 10 Gbit

Page 35

Cell Protection with Security Communication Processor

Page 36

Cell Protection with Communication Processor - Portfolio

Cell segmentation:
- S7-1500: CM 1542-1
- S7-300/S7-400: CP 343-1/CP443-1
- ET200 SP CPU: CP 1542SP-1
- PC: CP 1616/ 1612/ 1613/ 1623/ 1626

Cell Protection:
- S7-1500: CM 1543-1
- S7-1200: CP 1243-1
- S7-300/S7-400: CP 343-1/CP443-1 Advanced
- ET200 SP CPU: CP 1543SP-1
- PC: CP 1628

Page 37

Cell Protection and remote access with SCALANCE S

Task

For risk minimization, a large automation network is to be segmented into several safety-technical areas. The individual segments are subject to different requirements.

Solution

Individual segments are secured with a SCALANCE S variant which controls access to the lower-level segment by means of a firewall.

• An S602 is placed upstream of a segment and is also able to take on the identity of a lower-level device by means of the GHOST method, e.g. robot control.

• An S612 is placed upstream of a segment and is also able to protect communication from and to this segment by means of VPN.

• An S615 is placed upstream of a segment and is able to secure multiple further lower-level cells by means of VLAN.

• An S623 separates the automation network from the office network and facilitates data exchange between these networks via a DMZ without requiring direct access.

• An S627-2M is placed upstream of a lower-level ring (FO or Cu) and controls data communication. If required, a second S627-2M can be placed in standby mode in a redundant manner in order to increase availability in case of fault.

Page 38

Remote access with Sinema Remote Connect

Task

SINEMA RC example of a configuration: remote service for special machine building

Solution

• Central management of the machines and service technicians in SINEMA RC
• Assignment and management of user rights and access rights
• Logging access
• Remote access to special machines and sensitive areas

Benefits

• High transparency and security
• Avoidance of errors with unique assignment of the possessors of know-how to the relevant plant sections
• Transparent IP communication

Page 39

First Vendor with Certification on Achilles Level 2

+ Protection against DoS attacks
+ Defined behavior in case of attack

• Improved Availability
• IP Protection
• International Standard

Certified CPUs: LOGO!, S7-300 PN/DP, S7-400 PN/DP, S7-1500 PN/DP, S7-1200, S7-400 HF CPU V6.0, S7-410-5H

Certified CPs: CP343-1 Advanced, CP443-1 & Advanced, CP1243-1, CP1543-1, CP1628

Certified DP: ET 200 PN/DP CPUs, ET 200SP PN CPUs

Certified Firewalls: SCALANCE S602, S612, S623, S627-2M

Page 40

CERT@Siemens

Cyber Emergency Readiness Team

www.siemens.com/industrialsecurity

Page 41

Siemens Security Services

Siemens Plant Security Services: Assess Security, Implement Security, Manage Security

Siemens products and systems offer integrated security:
• Know-how and copy protection
• Firewall and VPN (Virtual Private Network)
• Authentication and user management
• System “hardening”

The Siemens security concept – “Defense in Depth”

Page 42

Assess Security

How do we figure out which assessment we need in each case?

Which assessment do I need?

• Do I have a close to 100% SIMATIC PCS 7 installation? Or do I have a heterogeneous environment? -> SIMATIC PCS 7 & WinCC Assessment

• Or do I rather get a deep, time-intensive analysis of my industrial environment, including data collection? -> Risk & Vulnerability Assessment

• Would I like to have a quick check against the best known security standard? -> ISO 27001 Assessment

• Would I like to have a quick check against the best known security standard for Industrial Control Systems? -> IEC 62443 Assessment

Page 43

IEC 62443 Assessment

Identify security gaps and define measures to mitigate risks

Assessment of compliance to the IEC 62443 international standard (Industrial communication networks – Network and system security)

• Focus on parts 2-1 “Establishing an industrial automation and control system security program” and 3-3 “Security for industrial process measurement and control – Network and system security”

• Available for Siemens and third party systems

• 2 days on-site

• Coordinated by a security consultant and a security engineer

• Questionnaire-based checklist to identify and classify risks

• Up to 30 pages report containing recommendations for risk mitigation measures

Page 44

ISO 27001 Assessment

Identify security gaps and define measures to mitigate risks

Quick assessment of plant security according to the ISO 27001 international standard (Information Security Management)

• Onsite workshop incl. questionnaire-based checklist:
  • 1 day on-site
  • Coordinated by a security consultant and a security engineer
  • Typical attendants: management and the customer's people responsible for production, IT security and physical security, maintenance staff, engineering staff, …

• Offline evaluation of the results: analysis, risk identification and classification, definition of risk mitigation measures and prioritization of actions (based on a cost/benefit scenario)

• Up to 30 pages report containing recommendations for risk mitigation measures

Page 45

SIMATIC PCS 7 & WinCC Assessment

Identify security gaps and define measures to mitigate risks

Quick assessment of the SIMATIC PCS 7 & WinCC installation

• Onsite workshop incl. questionnaire-based checklist:
  • 1 day on-site
  • Coordinated by a SIMATIC PCS 7 & WinCC security consultant
  • Typical attendants: the customer's people responsible for production, IT security and physical security, maintenance staff, engineering staff, …

• Offline analysis of the results: risk identification and classification and definition of risk mitigation

• Up to 30 pages report containing recommendations for risk mitigation measures

Page 46

Risk & Vulnerability Assessment

Identify, classify and evaluate risks for a risk-based security program

People

We evaluate security awareness, security-related skills and knowledge

Processes

We assess the maturity of organizational processes and work instructions as they apply to the security of Industrial Control Systems

We perform a gap analysis based upon standards, best practices and existing policies

We check if the current policies and work instructions are adequate to protect the plant against the latest and emerging threats

Technology

We collect installed base data and system architecture to perform a vulnerability assessment on Industrial Control Systems

We evaluate the current security risk situation of the production networks and systems

Page 47

Risk & Vulnerability Assessment

Identify, classify and evaluate risks for a risk-based security program

• Report including:
  • Project documentation:
    • Scope description
    • Current network topology
    • Current system architecture
    • Risk analysis and scoring methodology
  • Findings:
    • Network topology analysis results
    • Installed Base data analysis results
    • System criticality results (likelihood and business impact)
    • Risk level including risk scoring
    • Training needs
    • Risk mitigation measures for each finding

• Management presentation as a first step to establish a security roadmap

Page 48

Implement Security to mitigate risks

Security Awareness Training

Knowledge transfer to secure the "weakest link"
• SITRAIN training
• Web-based, one-hour training
• Generate security awareness for the staff: introduce the current threat landscape, describe how to handle risks and help identify security incidents

Security Policy Consulting

Establish standard practice in industrial control system (ICS) security
• Establish new or review and enhance existing policies, processes, procedures and work instructions which influence security on the shop floor
• Integration with enterprise cyber security practice
• Examples: patch and backup strategy, handling of removable media, …

Network Security Consulting

Support on secured network design and setup
• Cell segmentation in security cells support based on the IEC 62443 standard and the SIMATIC PCS 7 & WinCC security concept
• Design and planning of a perimeter protection network: DMZ network (Demilitarized)
• Perimeter firewall rule establishment / review and implementation

Page 49

Implement Security to mitigate risks

Perimeter Firewall Installation

First line of defense against highly developed threats
• Based on Automation Firewall Appliance
• Installation, configuration, commissioning and test of firewall system and traffic rules
• Configuration backup
• Consideration of customer-specific applications (e.g. fine-tuning of intrusion detection / prevention system (IDS/IPS))

Clean Slate Validation

Validate “clean-slate” status of environment
• Identification of security gaps thanks to virus scanning with two different scan engines
• Use of McAfee Command Line Scanner and Kaspersky Rescue Disk
• No installations required: use of USB stick and command lines

Anti Virus Installation

Virus protection solution for malware detection and prevention
• Installation and configuration of virus protection software (McAfee VirusScan Enterprise Agents)
• Installation of the McAfee ePO* central management console recommended when more than 10 anti-virus agents are installed
• Compatibility consideration for SIMATIC PCS 7 Systems

* ePolicy Orchestrator

Page 50

Implement Security to mitigate risks

Whitelisting Installation

Application control solution for malware detection and prevention
• Installation of whitelisting software (McAfee Application Control)
• Installation of the McAfee ePO* central management console recommended when more than 10 whitelisting agents are installed
• Compatibility consideration for SIMATIC PCS 7 Systems

System Backup

Industrial control system backup
• Performance of a one-time backup of systems in the plant environment
• Symantec System Recovery software procured and owned by the customer

Windows Patch Installation

Installation of Microsoft OS Patches
• Installation of automation-vendor-validated and customer-approved Microsoft® OS patches via the customer-owned WSUS server
• Consideration of compatibility: patches recommended by the supplier of automation technology AND authorized by the customer

* ePolicy Orchestrator

Page 51

If you want to work secure

Work with