Transcript of Francisco (Paco) Bolaños - PANDUIT 2016 - Trac… · 2016-02-17
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1
Francisco (Paco) Bolaños, IoT Business Unit Consultant for Latin America
Paco has 22 years of professional experience in the telecom industry and is a 15-year veteran at Cisco. He worked for well-recognized companies such as Alcatel and Anritsu prior to joining Cisco in 2000 as part of the Service Provider engineering team in Mexico, supporting large accounts such as Nextel International, Telefonica and Alestra. In 2007 he joined the public sector team, focusing on the Education and Energy sectors and supporting the Education Ministry and the energy incumbents PEMEX (Oil & Gas) and CFE (utilities). In 2013 he joined the IoT BU as Consulting Systems Engineer for LATAM.
His areas of expertise include routing & switching, MPLS, service providers, oil & gas, energy, manufacturing and transportation.
He holds a BS in Electronics and Communications from the National Polytechnic Institute in Mexico, holds the following certifications: CCDA, CCNA, CMNA, CCIP, CCDP and CCNP, and is a former CIGRE member.
He has also participated as a speaker at the following forums: IEEE ROC Mexico, Cisco Live, Mexican Oil Institute, Rockwell's RSTech Ed, Tec de Monterrey, UANL and ITAM.
He has also written technical articles on IoT topics for the El Occidental newspaper and Infochannel magazine in Mexico.
Abstract
The hyperconnectivity associated with the evolution of communication architectures for the Internet of Things has generated intense activity around the development of standards and technologies that make it possible to ensure, from both the logical and the physical point of view, the integrity of information and of the systems themselves in industrial and critical-infrastructure networks.
To that end, the most complete standards for securing industrial architectures based on the ISA95 model are NERC and CIP, which are setting the benchmark worldwide.
This session reviews these standards in their version 5, presenting the recommendations made in each chapter and their application in the design of modern industrial networks.
Cybersecurity for Industrial Networks – NERC/CIP v5
Francisco Bolaños, IoT BU Consultant, México & LATAM, fbolañ[email protected]
February 2016
Effects of a Cyberattack
Common Areas of Vulnerability
• Fragile TCP/IP stacks – NMAP, ping sweep lockup
• Little or no device-level authentication
• Poor network design – daisy chains, hubs
• Windows-based IA servers – patching, legacy OS
• Unnecessary services running – FTP, HTTP
• Open environment, no port security, no physical security of switch, Ethernet ports
• Limited auditing and monitoring of access to IA devices
• Unauthorised use of HMI, IA systems for browsing, music/movie downloads
• Lack of IT expertise in IA networks, many blind spots
Industrial Security
Source of Industrial Security Incidents (Source: BCIT, 2009):
- 49% Via Corporate WAN and Business Network
- 17% Internet Directly
- 10% Trusted Third-Party Connection (includes infected laptops and is growing)
- 7% VPN Connection
- 7% Dial-up Modem
- 7% Telco Network
- 3% Wireless System
Average Cost of Manufacturing Downtime = $210,000 per Hour (Source: Infonetics, 2005)
Industrial Architecture According to the ISA99/ISA95/IEC62443 Model
- Enterprise Network
- Demilitarized Zone (DMZ): separation between Control & Enterprise Networks
- Manufacturing Zone: interconnection between Cell Zones, Server Farms, and DMZ
- Cell/Area Zone: network connection for Controllers, HMIs, I/Os, & Drives
Cybersecurity for ICS - for ISA95 Architecture
[Figure: the ISA95 level model with security controls overlaid. Levels, top to bottom: Level 5 Enterprise Network; Level 4 Site Business Planning and Logistics Network (E-Mail, Intranet, etc.); DMZ (Terminal Services, Patch Management, AV Server, Application Mirror, Web Services Operations); Level 3 (Application Server, Factory Directory, Engineering Workstation, Domain Controller); Level 2 Area Supervisory Control (Factory Client, Operator Interface, Engineering Workstation); Level 1 Basic Control (Batch Control, Discrete Control, Drive Control, Continuous Process Control, Safety Control); Level 0 Process (Sensors, Drives, Actuators, Robots). Security controls listed in the figure, top to bottom: Active IPS, firewall, app control, content security, malware protection, etc.; Active IPS, firewall, malware protection, etc.; Passive/Active Hybrid IDS, zone enforcement, app control, malware protection, etc.; Passive/Active Hybrid PLC/RTU config management.]
Phased Security Architecture for ISA95/IEC61850
[Figure: the same ISA95 level model (Enterprise Zone: Level 5 Enterprise Network, Level 4 Site Business Planning & Logistics Network, E-Mail, Intranet, etc.; DMZ: Terminal Server, RDP Server, App Server, Patch Mgmt.; Manufacturing Zone: Level 3 Site Manufacturing Operations and Control with FactoryTalk App Server, FactoryTalk Directory, Engineering Workstation, Domain Controller; Cell/Area Zone: Level 2 Area Supervisory Control with FactoryTalk Client, HMI, Magelis HMI, Engineering Workstation, Operator Interface; Level 1 Basic Control with Batch, Discrete, Drive, Continuous Process and Safety Control; Level 0 Process with Sensors, Drives, Actuators, Robots) overlaid with the three deployment stages and the SecOps + MPLS layer.]
- First Stage – Secured Connectivity: Zone Segmentation, Controlled Conduits
- Second Stage – Secured Visibility & Control: Application Control, Threat Control
- Third Stage – Converged Security & Depth: Policy Driven Response, Deeper Vision / Control
Changes from NERC/CIP v3
Risk Management and Scope of Applicable Systems
- Based on NIST Risk Management Framework
- "If rendered unavailable, degraded, or misused, would adversely impact the reliable operation of the BES within 15 minutes of the activation or exercise of the compromise."
From Assets to Systems
- Responsible Entity determines granularity
Defense-in-Depth and IDS/IPS/IFW
- "From the cyber security standpoint, redundancy does not mitigate cyber security vulnerabilities."
- ESPs require two distinct security measures including malicious traffic inspection
Steps to Compliance
1. Discover and Classify
2. Establish ESPs and PSPs
3. Enforce Controls
NERC CIP v5 (the original table maps each standard to its requirements R1–R5)
- CIP-002-5.1 BES Cyber System Categorization
- CIP-003-5 Security Management Controls
- CIP-004-5.1 Personnel and Training
- CIP-005-5 Electronic Security Perimeter(s)
- CIP-006-5 Physical Security
- CIP-007-5 System Security Management
- CIP-008-5 Incident Reporting and Response Planning
- CIP-009-5 Recovery Plans
- CIP-010-1 Config Change Mgmt and VA
- CIP-011-1 Information Protection
CIP-002-5.1: Cyber System Identification and Categorization
• Passive discovery
  - No impact to sensitive ICS devices
  - No introduced latency between real-time devices
  - Learn "normal" network and user behaviors
• Baseline
  - Whitelist approved protocols and applications
  - Detect anomalies as they occur
  - Focus on anomalous behaviors
• Context
  - Prioritize events based upon system value and relevance of events
Defense-in-depth
CIP-005-5: Electronic Security Perimeter
• Visibility
  - Consolidated view for NG-IPS, NGFW
  - Centralized response, reporting, administration
• Control
  - Zone enforcement
  - Policy-based
• Protection
  - Traffic and application control at all ingress and egress points
  - Isolation and enforcement of critical segments
  - Passive or active response per segment
CIP-006-5: Physical Security Perimeter
Requirement 1
- Multiple methods of physical access
- Technical and human monitoring methods
- Access logging/video recording
Requirement 2
- Access logging
Requirement 3
- PACS maintenance and testing program documentation
Electronic & Physical Security Perimeters • CIP-005 & 6
Station bus behind the Electronic Security Perimeter (ESP) for NERC/CIP compliance.
The multiservice Ethernet ring carries multiple traffic types by segmenting the network, including the physical security component network, and segregating the electrical control network traffic and the components behind the ESP.
[Figure: substation network with a process bus toward plant devices (PLCs, IEDs, distributed controller, RTU, HMI), an IEEE 802.3 multiservice Ethernet ring, NAN aggregation, a remote management station, physical security devices (biometric, card reader), wireless access, primary and backup WAN links over MPLS, and the ESP, PSP and wireless ESP/PSP boundaries.]
CIP-007-5: System Security Management
• Ports and Services
  - Discover open ports and services
  - Detect changes/anomalies in real-time
  - Enforce policies
• Malicious Code Prevention
  - Advanced malware protection
  - Continuous analysis
• Patch Management
  - Vulnerability research
  - Third-party vulnerability assessment integrations
  - Threat mitigation
• Security Event Monitoring
  - Internal reporting database
  - Third-party SIEM/logging integrations
• System Access Controls
  - Role-based anomaly detection
Malicious Code Prevention CIP-007-5 R3.x
Point-in-time detection (antivirus, sandboxing): Initial Disposition = Clean, analysis stops, Actual Disposition = Bad = Too Late!! Not 100%; blind to scope of compromise. Evasions listed: Sleep Techniques, Unknown Protocols, Encryption, Polymorphism.
Continuous, retrospective detection: Initial Disposition = Clean, analysis continues, Actual Disposition = Bad = Blocked. Turns back time. Visibility and Control are Key.
CIP-010-1: Configuration Change Management and Vulnerability Assessment
Baseline configuration elements:
- Security patches
- Custom apps
- Commercial/open source apps
- Network ports
- OS/firmware
Capabilities: Threat Research, Whitelisting, Anomaly Detection, ICS-Specific Content, Retrospective Security
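As an added example (not from the deck, the presenter or Cisco), a small Python check that encodes the CIP-010-1 baseline elements listed above, diffs an approved baseline against a discovered snapshot, and reports the deviations that have no documented change record; the asset name, ports, version strings and change-record id are constructed sample data.

```python
"""Baseline change detection for the CIP-010-1 baseline elements (example code
for this transcript, not the presenter's or Cisco's). All asset names, ports,
version strings and change-record ids are constructed sample data."""
from dataclasses import dataclass

SET_FIELDS = ("commercial_apps", "custom_apps", "network_ports", "security_patches")

@dataclass(frozen=True)
class Baseline:
    asset: str
    os_firmware: str
    commercial_apps: frozenset
    custom_apps: frozenset
    network_ports: frozenset   # logical network-accessible ports, e.g. "502/tcp"
    security_patches: frozenset

def diff_baseline(approved: Baseline, observed: Baseline) -> list:
    """One (element, removed, added) record per baseline element that deviates."""
    deviations = []
    if approved.os_firmware != observed.os_firmware:
        deviations.append(("os_firmware", [approved.os_firmware], [observed.os_firmware]))
    for name in SET_FIELDS:
        before, after = getattr(approved, name), getattr(observed, name)
        if before != after:
            deviations.append((name, sorted(before - after), sorted(after - before)))
    return deviations

def unauthorized_changes(deviations: list, change_records: dict) -> list:
    """Deviations with no documented change record (keyed by element name).
    Every deviation from the baseline is expected to be authorized and documented;
    anything returned here needs investigation or a rollback."""
    return [d for d in deviations if d[0] not in change_records]

# Constructed sample: an RTU whose approved baseline exposes only DNP3 and HTTPS.
APPROVED = Baseline("RTU-01", "fw 2.4.1", frozenset({"vendor-hmi 5.0"}),
                    frozenset({"poll-script v3"}), frozenset({"20000/tcp", "443/tcp"}),
                    frozenset({"VP-2015-11"}))
# Constructed discovered state: a patch was applied, but a telnet port also appeared.
OBSERVED = Baseline("RTU-01", "fw 2.4.1", frozenset({"vendor-hmi 5.0"}),
                    frozenset({"poll-script v3"}),
                    frozenset({"20000/tcp", "443/tcp", "23/tcp"}),
                    frozenset({"VP-2015-11", "VP-2016-01"}))
CHANGE_RECORDS = {"security_patches": "CR-0042 patch VP-2016-01"}  # constructed

if __name__ == "__main__":
    for dev in unauthorized_changes(diff_baseline(APPROVED, OBSERVED), CHANGE_RECORDS):
        print("UNAUTHORIZED deviation on", APPROVED.asset, dev)
```

Only the new 23/tcp port is flagged; the patch is covered by a change record and is accepted as a documented baseline update.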
In Conclusion
Security Recommendations
- Controls Security Policy
- Demilitarised Zone (DMZ)
- Defending the Control Edge (IPS/IFW, ISE)
- Protect the Interior (ACL/Port Security)
- Remote Access Policy
- Physical Security
- Endpoint Hardening
IOS Security Protocols
[Figure: plant network diagram spanning the enterprise (ERP, IT servers, core and distribution routers, Internet, wide area network, teleworkers/customers and partners), the plant IT network (manufacturing router, enterprise automation and control applications, wireless controller, location engine, security and network administration, terminal server, wireless/video/voice servers, managers and engineers), the plant floor (access switches, Ethernet bus IEC61850, automation and control devices, remote access, plant Wi-Fi network, sensor mesh network, Wi-Fi mesh and location receivers, Wi-Fi voice, industrial video, location chokepoint and tags, LWAPP) and a substation DMZ.]
• IP Unicast / Multicast / VRF routing
• Port Security to limit the number of MACs
• 802.1x Authenticator
• MAC Access Lists
• Infrastructure ACLs
• DHCP Spoofing
• Debug
• Port mirroring
• BPDU and Root Guard

• IGP Authentication
• Authorization: RADIUS based on Username, DHCP Option 82, vMAC in RADIUS Attr31
• MD5
• ACLs
• Debug
• DoS protection

• Firewall
• IPS
• Security Manager

• WPA2
• WIPS
Mapping Technologies to the Model
Attack Control Continuum, with Visibility and Context across all phases:
- BEFORE: Discover, Enforce, Harden
- DURING: Detect, Block, Defend
- AFTER: Scope, Contain, Remediate
Technologies placed on the continuum: Firewall, App Control, VPN, Access Control, Vuln Mgmt, NAC, IPS, Antivirus, Email/Web, IDS, FPC, Forensics, AMD, Log Mgmt, SIEM.
Phased Security Architecture for Substation Automation
[Figure: substation with an Electronic Security Perimeter (ESP) and a Physical Security Perimeter (PSP); a substation MPLS router to the utility WAN; FAN aggregation over private WiMax or LTE to the field area network; a multiservice bus; physical security; workforce enablement; IEC 61850 station bus and process bus with merging units (MU), breaker IEDs, PT/CT, protection relays, bay controllers, distributed controllers, HMIs, a legacy RTU with hardwired I/O and sensors, legacy teleprotection (serial, C37.94, E&M), teleprotection relays, comm processors, PMU/PDC; zones 1 to 3.]
1. First Stage – Secured Connectivity
2. Second Stage – Secured Visibility & Control
3. Third Stage – Converged Security & Depth
Integrated Architecture
[Figure: an IP/MPLS core with an MPLS transmission and access network (P and PE routers, ASBR), an industrial control plane, a network management and administration layer, and an applications and services layer (3G/4G, Internet, voice, video, DC, CRM, SCADA, AAA, DHCP, CA, HER, CGNMS, MDM, northbound). Cells with IEDs, HMIs and process, PLCs, energy metering, fleets and remote nodes are carried in separate VRFs (VRF A to I), VLANs 1 to 5 and wavelengths λ1 to λn, plus wireless access, safety and physical security; the Factory Control Center falls under NERC/CIP.]
Integrated Industrial Protection
- Network Firewall, Routing | Switching
- Application Visibility and Control (AVC)
- Next-Generation Intrusion Prevention (NGIPS) (Subscription)
- Advanced Malware Protection (AMP) (Subscription)
- URL Filtering (Subscription)
- VPN
- On-box or Centralized Management
(Labels shown in the figure: WWW, IFW, IIPS, AMP, VPN, APPs.)