Francisco (Paco) Bolaños - PANDUIT 2016 - Trac… · 2016-02-17

© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Francisco (Paco) Bolaños, Consultant, IoT Business Unit for Latin America

Paco has 22 years of professional experience in the telecom industry and is a 15-year veteran at Cisco. He worked for well-recognized companies such as Alcatel and Anritsu before joining Cisco in 2000 as part of the Service Provider engineering team in Mexico, supporting large accounts such as Nextel International, Telefonica and Alestra. In 2007 he joined the public sector team, focusing on the Education and Energy sectors and supporting the Education Ministry and the energy incumbents PEMEX (oil and gas) and CFE (utilities). In 2013 he joined the IoT BU as Consulting Systems Engineer for LATAM.

His areas of expertise include routing and switching, MPLS, service providers, oil and gas, energy, manufacturing and transportation.

He holds a BS in Electronics and Communications from the National Polytechnic Institute in Mexico and the following certifications: CCDA, CCNA, CMNA, CCIP, CCDP and CCNP. He is a former CIGRE member.

He has spoken at the following forums: IEEE ROC Mexico, Cisco Live, Mexican Oil Institute, Rockwell's RSTech Ed, Tec de Monterrey, UANL and ITAM.

He has also written technical articles on IoT topics for the El Occidental newspaper and Infochannel magazine in Mexico.

Abstract

The hyperconnectivity that comes with the evolution of communication architectures for the Internet of Things has generated intense activity around the development of standards and technologies that can assure, from both a logical and a physical point of view, the integrity of information and of the systems themselves in industrial and critical infrastructure networks.

To that end, the most complete set of rules for securing industrial architectures based on the ISA95 model is NERC CIP, which is setting the pace worldwide.

This session reviews these standards in their version 5, presenting the recommendations made in each chapter and their application to the design of modern industrial networks.

Cybersecurity for Industrial Networks: NERC/CIP v5

Francisco Bolaños, Consultant, IoT BU México & LATAM

February 2016

Effects of a Cyberattack

Common Areas of Vulnerability

• Fragile TCP/IP stacks: NMAP, ping sweep lockup
• Little or no device-level authentication
• Poor network design: daisy chains, hubs
• Windows-based IA servers: patching, legacy OS
• Unnecessary services running: FTP, HTTP
• Open environment, no port security, no physical security of switch Ethernet ports
• Limited auditing and monitoring of access to IA devices
• Unauthorised use of HMI and IA systems for browsing, music/movie downloads
• Lack of IT expertise in IA networks, many blind spots

Industrial Security

Source of industrial security incidents (Source: BCIT, 2009):
• 49% via corporate WAN and business network
• 17% Internet directly
• 10% trusted third-party connection (includes infected laptops and is growing)
• 7% VPN connection
• 7% dial-up modem
• 7% telco network
• 3% wireless system

Average cost of manufacturing downtime = $210,000 per hour (Source: Infonetics, 2005)

Industrial Architecture According to the ISA99/ISA95/IEC 62443 Model

• Enterprise Network
• Demilitarized Zone (DMZ): separation between control and enterprise networks
• Manufacturing Zone: interconnection between cell zones, server farms, and the DMZ
• Cell/Area Zone: network connection for controllers, HMIs, I/Os, and drives

Cybersecurity for ICS - for ISA95 Architecture

Level 5: Enterprise Network
Level 4: Site Business Planning and Logistics Network (E-Mail, Intranet, etc.)
DMZ (Web, E-Mail, CIP): Terminal Services, Patch Management, AV Server, Application Mirror, Web Services Operations, Application Server
Level 3: Application Server, Factory Directory, Engineering Workstation, Domain Controller
Level 2: Area Supervisory Control (Factory Client, Operator Interface, Engineering Workstation)
Level 1: Basic Control (Batch Control, Discrete Control, Drive Control, Continuous Process Control, Safety Control)
Level 0: Process (Sensors, Drives, Actuators, Robots)

Security controls shown alongside the levels, from the top down:
• Active IPS, firewall, app control, content security, malware protection, etc.
• Active IPS, firewall, malware protection, etc.
• Passive/active hybrid: IDS, zone enforcement, app control, malware protection, etc.
• Passive/active hybrid: PLC/RTU config management

Phased Security Architecture for ISA95/IEC61850

Enterprise Zone: Level 5 Enterprise Network; Level 4 Site Business Planning & Logistics Network (E-Mail, Intranet, etc.)
DMZ: Terminal Server, RDP Server, App Server, Patch Mgmt.
Manufacturing Zone: Level 3 Site Manufacturing Operations and Control (FactoryTalk App Server, FactoryTalk Directory, Engineering Workstation, Domain Controller)
Cell/Area Zone: Level 2 Area Supervisory Control (FactoryTalk Client, HMI, Magelis HMI, Engineering Workstation, Operator Interface); Level 1 Basic Control (Batch Control, Discrete Control, Drive Control, Continuous Process Control, Safety Control); Level 0 Process (Sensors, Drives, Actuators, Robots)
Transport: MPLS. Sec + Ops.

1. First Stage: Secured Connectivity (zone segmentation, controlled conduits)
2. Second Stage: Secured Visibility & Control (application control, threat control)
3. Third Stage: Converged Security & Depth (policy-driven response, deeper vision/control)

Changes from NERC/CIP v3

Risk Management and Scope of Applicable Systems
- Based on the NIST Risk Management Framework
- "If rendered unavailable, degraded, or misused, would adversely impact the reliable operation of the BES within 15 minutes of the activation or exercise of the compromise."

From Assets to Systems
- Responsible Entity determines granularity

Defense-in-Depth and IDS/IPS/IFW
- "From the cyber security standpoint, redundancy does not mitigate cyber security vulnerabilities."
- ESPs require two distinct security measures including malicious traffic inspection

Steps to Compliance

1. Discover and classify
2. Establish ESPs and PSPs
3. Enforce controls

NERC CIP v5 standards (the slide maps each to its requirements R1 to R5)

CIP-002-5.1 BES Cyber System Categorization
CIP-003-5 Security Management Controls
CIP-004-5.1 Personnel and Training
CIP-005-5 Electronic Security Perimeter(s)
CIP-006-5 Physical Security
CIP-007-5 System Security Management
CIP-008-5 Incident Reporting and Response Planning
CIP-009-5 Recovery Plans
CIP-010-1 Configuration Change Management and Vulnerability Assessments
CIP-011-1 Information Protection

CIP-002-5.1: Cyber System Identification and Categorization

Cyber System Identification and Categorization CIP-002-5.1

• Passive discovery: no impact to sensitive ICS devices; no introduced latency between real-time devices; learn "normal" network and user behaviors
• Baseline: whitelist approved protocols and applications; detect anomalies as they occur; focus on anomalous behaviors
• Context: prioritize events based upon system value and relevance of events

Defense-in-depth

CIP-005-5: Electronic Security Perimeter

Electronic Security Perimeter CIP-005-5

• Visibility: consolidated view for NG-IPS and NGFW; centralized response, reporting, administration
• Control: zone enforcement; policy-based
• Protection: traffic and application control at all ingress and egress points; isolation and enforcement of critical segments; passive or active response per segment
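The zone enforcement of this slide, the "whitelist approved protocols" baseline of the CIP-002 slide, and the zone segmentation / controlled conduits of the first stage all reduce to one check per observed flow: are both endpoints in defined zones, and is the (source zone, destination zone, protocol, port) tuple an approved conduit? The Python script below is an added example, not code from the presentation or from Cisco; the zone address plan, the conduit table, the zone names and the flow records are constructed assumptions (502 for Modbus/TCP, 44818 for EtherNet/IP and 3389 for RDP are the usual port numbers). In passive mode the output is an alert list; in active mode the same verdict drives a drop.

```python
"""Zone-and-conduit enforcement over observed flows (added example).

Zone prefixes, conduit table and flow records are constructed for
illustration; they are not taken from the presentation.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Zones map to the ISA-95 levels used on the slides (assumed address plan).
ZONES = {
    "enterprise": ip_network("10.0.0.0/16"),      # Levels 4-5
    "dmz":        ip_network("10.1.0.0/24"),      # industrial DMZ
    "site_ops":   ip_network("10.2.0.0/24"),      # Level 3
    "cell_a":     ip_network("192.168.10.0/24"),  # Cell/Area zone A, Levels 0-2
    "cell_b":     ip_network("192.168.20.0/24"),  # Cell/Area zone B, Levels 0-2
}

# Conduits: the only (src_zone, dst_zone, proto, dst_port) tuples that are
# approved. Anything else is a deviation: alerted on in passive mode,
# dropped in active mode.
CONDUITS = {
    ("enterprise", "dmz", "tcp", 443),      # users reach the application mirror
    ("dmz", "site_ops", "tcp", 3389),       # terminal server into Level 3 only
    ("site_ops", "cell_a", "tcp", 44818),   # EtherNet/IP from supervisory to cell A
    ("site_ops", "cell_b", "tcp", 502),     # Modbus/TCP from supervisory to cell B
    ("cell_a", "cell_a", "tcp", 44818),     # intra-cell controller traffic
    ("cell_b", "cell_b", "tcp", 502),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def zone_of(addr: str) -> str:
    """Name of the zone containing addr, or 'unknown' if it is in no zone."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"


def evaluate(flow: Flow) -> tuple:
    """Return ('allow'|'deny', reason) for one flow against the conduit table."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if "unknown" in (src_zone, dst_zone):
        return "deny", f"address outside every zone ({src_zone}->{dst_zone})"
    if (src_zone, dst_zone, flow.proto, flow.dport) in CONDUITS:
        return "allow", f"conduit {src_zone}->{dst_zone}/{flow.proto}/{flow.dport}"
    if src_zone == "enterprise" and dst_zone.startswith("cell"):
        # The case the perimeter exists to prevent: business network straight to a controller.
        return "deny", "enterprise-to-cell: perimeter crossed without the DMZ"
    return "deny", f"no conduit {src_zone}->{dst_zone}/{flow.proto}/{flow.dport}"


def violations(flows):
    """All flows the conduit table does not permit, each with its reason."""
    out = []
    for f in flows:
        verdict, reason = evaluate(f)
        if verdict == "deny":
            out.append((f, reason))
    return out


# Constructed flow records, as a span-port sensor or NetFlow export would yield.
SAMPLE_FLOWS = [
    Flow("10.0.5.20", "10.1.0.10", "tcp", 443),         # business user to DMZ mirror
    Flow("10.2.0.5", "192.168.10.50", "tcp", 44818),    # supervisory to PLC
    Flow("10.0.5.20", "192.168.10.50", "tcp", 44818),   # laptop talking straight to a PLC
    Flow("192.168.10.50", "192.168.20.7", "tcp", 502),  # cell A to cell B, no conduit
    Flow("10.2.0.5", "192.168.10.50", "tcp", 80),       # HTTP to a PLC, not baselined
    Flow("203.0.113.9", "192.168.20.7", "tcp", 502),    # source outside the address plan
]

if __name__ == "__main__":
    for flow, why in violations(SAMPLE_FLOWS):
        print(f"DENY {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}: {why}")
```

The conduit table is deliberately a set of exact tuples rather than "allow cell_a to talk to cell_b": the point of a conduit is that it names the protocol and port, so an HTTP session to a PLC from an otherwise trusted Level 3 host still shows up as a deviation from the baseline.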

CIP-006-5: Physical Security Perimeter

Physical Security Perimeter CIP-006-5

Requirement 1
- Multiple methods of physical access control
- Technical and human monitoring methods
- Access logging/video recording

Requirement 2
- Access logging

Requirement 3
- PACS maintenance and testing program documentation

Substation Network: Process Bus and Multiservice Ethernet Ring

The station bus sits behind the Electronic Security Perimeter (ESP) for NERC/CIP compliance.

The multiservice Ethernet ring carries several traffic types over one infrastructure by segmenting the network, including the physical security component network, while keeping electrical control network traffic and the components behind the ESP segregated from the rest.

Diagram elements: process bus (IEEE 802.3) toward plant devices; HMI; remote management station; NAN aggregation; PLCs and IEDs; RTU; distributed controller; physical security (biometric reader, card reader); wireless access; primary and backup WAN links over MPLS (Network 1, Network 2, Network 3); Wireless ESP/PSP; ESP; PSP.

Electronic & Physical Security Perimeters: CIP-005 & 6

CIP-007-5: System Security Management

System Security Management CIP-007-5

• Ports and Services: discover open ports and services; detect changes/anomalies in real time; enforce policies
• Malicious Code Prevention: advanced malware protection; continuous analysis
• Patch Management: vulnerability research; third-party vulnerability assessment integrations; threat mitigation
• Security Event Monitoring: internal reporting database; third-party SIEM/logging integrations
• System Access Controls: role-based anomaly detection
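For the Security Event Monitoring bullet: CIP-007-5 R4 requires, among other things, logging of failed access attempts and failed login attempts and review of the logged events, and the slide's "third-party SIEM/logging integrations" is where that detection normally runs. The Python script below is an added example of the detection side, not code from the presentation; it parses syslog lines and raises one alert per (source, target) pair when five or more failures fall inside a two-minute sliding window. The log lines, hostnames, the exact message wording, the threshold and the window are constructed assumptions.

```python
"""Failed-login burst detection over syslog lines (added example).

Log lines, hostnames, threshold and window are constructed for
illustration; the message formats are approximations, not vendor text.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# RFC 3164-style prefix: "<Mon dd HH:MM:SS> <host> <process>: <message>".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<proc>\S+?): (?P<msg>.*)$"
)
# Two failure message shapes: OpenSSH-style, and an IOS-style LOGIN_FAILED line.
FAIL_PATTERNS = [
    re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)"),
    re.compile(r"LOGIN_FAILED: Login failed \[user: (?P<user>[^\]]+)\] \[Source: (?P<src>[\d.]+)\]"),
]


def parse_failure(line, year=2016):
    """Return a dict for a failed-login line, or None for anything else.

    Syslog timestamps carry no year, so the caller supplies it (assumed 2016).
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    for pat in FAIL_PATTERNS:
        f = pat.search(m["msg"])
        if f:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
            return {"ts": ts, "target": m["host"], "src": f["src"], "user": f["user"]}
    return None


def detect_bursts(lines, threshold=5, window=timedelta(minutes=2)):
    """Alert once per (source, target) when >= threshold failures fall inside window.

    Lines are assumed to arrive in time order, as a syslog stream does.
    """
    recent = defaultdict(deque)   # (src, target) -> timestamps inside the window
    alerted = set()
    alerts = []
    for ev in filter(None, (parse_failure(line) for line in lines)):
        key = (ev["src"], ev["target"])
        q = recent[key]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"src": ev["src"], "target": ev["target"],
                           "count": len(q), "first": q[0], "last": ev["ts"]})
    return alerts


# Constructed sample: a password-guessing burst against an HMI from one
# business-network address, a successful login, one IOS-style failure on a
# switch, and a lone failure much later.
SAMPLE_LOG = [
    "Feb 15 10:12:01 hmi-01 sshd[2201]: Failed password for operator from 10.0.5.20 port 51122 ssh2",
    "Feb 15 10:12:04 hmi-01 sshd[2201]: Failed password for operator from 10.0.5.20 port 51123 ssh2",
    "Feb 15 10:12:09 hmi-01 sshd[2201]: Failed password for invalid user admin from 10.0.5.20 port 51124 ssh2",
    "Feb 15 10:12:15 hmi-01 sshd[2201]: Failed password for root from 10.0.5.20 port 51125 ssh2",
    "Feb 15 10:12:20 hmi-01 sshd[2201]: Accepted password for operator from 10.2.0.5 port 40001 ssh2",
    "Feb 15 10:12:31 hmi-01 sshd[2201]: Failed password for operator from 10.0.5.20 port 51126 ssh2",
    "Feb 15 10:12:40 hmi-01 sshd[2201]: Failed password for operator from 10.0.5.20 port 51127 ssh2",
    "Feb 15 10:20:00 ies-3000 login: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.5.20] [localport: 22] [Reason: Login Authentication Failed]",
    "Feb 15 10:45:00 hmi-01 sshd[2201]: Failed password for operator from 10.2.0.5 port 40002 ssh2",
]

if __name__ == "__main__":
    for a in detect_bursts(SAMPLE_LOG):
        print(f"ALERT {a['src']} -> {a['target']}: {a['count']} failures "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
```

Keying on the pair rather than on the source alone keeps a slow spray across many devices from hiding inside one counter; a second detector keyed on source only, with a longer window, is the usual companion and is left out here.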

Malicious Code Prevention CIP-007-5 R3.x

Point-in-time detection (antivirus, sandboxing):
- Initial disposition = clean; analysis stops
- Evaded by sleep techniques, unknown protocols, encryption, polymorphism; not 100%
- Actual disposition = bad = too late!!
- Blind to scope of compromise

Continuous (retrospective detection, analysis continues):
- Initial disposition = clean; analysis continues
- Actual disposition = bad = blocked
- Turns back time

Visibility and control are key.
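The difference between the two columns of this slide is a data-retention question: a scanner that discards the sighting once it has said "clean" cannot answer "who else already ran this file?" when the sandbox later says "bad". The Python script below is an added example, not code from the presentation or from any product; it keeps every sighting and, when a hash's verdict flips to malicious, projects that verdict back onto the hosts that were exposed while it was still considered clean. The hashes, hosts, timestamps and the "slept 90 minutes" scenario are constructed and are not real indicators.

```python
"""Retrospective scoping when a file's disposition flips from clean to bad
(added example). Hashes, hosts and timestamps are constructed."""
from collections import defaultdict
from datetime import datetime


class RetrospectiveTracker:
    def __init__(self):
        self.disposition = {}               # sha256 -> "clean" | "malicious"
        self.sightings = defaultdict(list)  # sha256 -> [(ts, host, action)]

    def sighting(self, ts, host, sha256, action):
        """Point-in-time decision: block only what is already known bad,
        but remember the sighting either way (that is the retrospective part)."""
        self.sightings[sha256].append((ts, host, action))
        return "blocked" if self.disposition.get(sha256) == "malicious" else "allowed"

    def update(self, ts, sha256, verdict):
        """Record a new verdict (sandbox, threat intel, analyst). When it flips
        to malicious, return the scope of hosts already exposed; otherwise None."""
        previous = self.disposition.get(sha256, "unknown")
        self.disposition[sha256] = verdict
        if verdict == "malicious" and previous != "malicious":
            return self.scope(sha256, before=ts)
        return None

    def scope(self, sha256, before=None):
        """Hosts and timeline of every sighting of sha256 up to `before`."""
        hits = [(t, h, a) for t, h, a in self.sightings[sha256]
                if before is None or t <= before]
        return {
            "sha256": sha256,
            "hosts": sorted({h for _, h, _ in hits}),
            "first_seen": min((t for t, _, _ in hits), default=None),
            "sightings": len(hits),
        }


# Constructed timeline. H1 is an unknown file that an engineering workstation
# and an HMI both handle before the sandbox reaches a verdict; H2 stays clean.
H1 = "a" * 64
H2 = "b" * 64
TIMELINE = [
    ("sighting", datetime(2016, 2, 15, 9, 0),  "eng-ws-01", H1, "execute"),
    ("verdict",  datetime(2016, 2, 15, 9, 1),  H1, "clean"),      # AV: nothing known
    ("sighting", datetime(2016, 2, 15, 9, 30), "hmi-02", H1, "copy"),
    ("sighting", datetime(2016, 2, 15, 9, 45), "hmi-02", H2, "execute"),
    ("verdict",  datetime(2016, 2, 15, 11, 0), H1, "malicious"),  # sandbox: slept 90 min, then beaconed
    ("sighting", datetime(2016, 2, 15, 11, 5), "eng-ws-03", H1, "execute"),
]


def replay(timeline):
    """Feed the timeline through one tracker; return (decisions, scopes)."""
    tracker = RetrospectiveTracker()
    decisions, scopes = [], []
    for event in timeline:
        if event[0] == "sighting":
            _, ts, host, sha, action = event
            decisions.append((host, tracker.sighting(ts, host, sha, action)))
        else:
            _, ts, sha, verdict = event
            exposed = tracker.update(ts, sha, verdict)
            if exposed:
                scopes.append(exposed)
    return decisions, scopes


if __name__ == "__main__":
    decisions, scopes = replay(TIMELINE)
    for host, verdict in decisions:
        print(f"{host}: {verdict}")
    for s in scopes:
        print(f"scope for {s['sha256'][:8]}...: {s['hosts']} since {s['first_seen']}")
```

The two "allowed" decisions for H1 are exactly the point-in-time failure the slide describes; the scope returned at 11:00 is what "turns back time" means in practice, and it is only possible because the sightings were kept.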

CIP-010-1: Configuration Change Management and Vulnerability Assessment

Configuration Change Management and Vulnerability Assessment CIP-010-1

Baseline configuration elements:
• OS/firmware
• Commercial/open source apps
• Custom apps
• Security patches
• Network ports

Supporting capabilities: threat research, whitelisting, anomaly detection, ICS-specific content, retrospective security.
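CIP-010-1 R1 Part 1.1 requires a documented baseline made of exactly the five elements on this slide, Part 1.3 requires the baseline to be updated within 30 calendar days of an authorized change, and R2 requires monitoring for deviations (at least once every 35 calendar days for high impact BES Cyber Systems). The Python script below is an added example, not code from the presentation: it diffs a stored baseline against a fresh inventory and reports every deviation, so each line of the report is either an authorized change still waiting for its baseline update or an unauthorized one. Device names, versions, ports and patch identifiers are constructed for illustration.

```python
"""Baseline configuration comparison in the CIP-010-1 R1/R2 sense
(added example). Device names, versions, ports and patch IDs are constructed."""

SET_ELEMENTS = ("commercial_apps", "custom_apps", "ports", "patches")

# Baseline as approved and documented (constructed).
BASELINE = {
    "rtu-substation-07": {
        "os_firmware": "VendorOS 4.2.1",
        "commercial_apps": {"OpenSSH 6.6", "ntpd 4.2.8"},
        "custom_apps": {"telemetry-agent 1.3"},
        "ports": {("tcp", 22), ("tcp", 20000), ("udp", 123)},
        "patches": {"VENDOR-2015-011"},
    },
    "hmi-02": {
        "os_firmware": "Windows 7 SP1",
        "commercial_apps": {"FactoryTalk View 8.0"},
        "custom_apps": set(),
        "ports": {("tcp", 3389)},
        "patches": {"KB3000061"},
    },
}

# Fresh inventory pulled at the R2 monitoring interval (constructed).
CURRENT = {
    "rtu-substation-07": {
        "os_firmware": "VendorOS 4.3.0",                                     # firmware changed
        "commercial_apps": {"OpenSSH 6.6", "ntpd 4.2.8"},
        "custom_apps": {"telemetry-agent 1.3"},
        "ports": {("tcp", 22), ("tcp", 20000), ("udp", 123), ("tcp", 80)},  # new listener
        "patches": {"VENDOR-2015-011", "VENDOR-2016-002"},                  # patch applied
    },
    "hmi-02": {
        "os_firmware": "Windows 7 SP1",
        "commercial_apps": {"FactoryTalk View 8.0", "VLC 2.2"},  # a media player appeared
        "custom_apps": set(),
        "ports": {("tcp", 3389)},
        "patches": {"KB3000061"},
    },
    "hmi-09": {                                                   # not in the baseline at all
        "os_firmware": "Windows 10",
        "commercial_apps": set(), "custom_apps": set(), "ports": set(), "patches": set(),
    },
}


def diff_device(base, cur):
    """(element, change, value) deviations between one device's baseline and its current state."""
    changes = []
    if base["os_firmware"] != cur["os_firmware"]:
        changes.append(("os_firmware", "changed", (base["os_firmware"], cur["os_firmware"])))
    for elem in SET_ELEMENTS:
        for value in sorted(cur[elem] - base[elem]):
            changes.append((elem, "added", value))
        for value in sorted(base[elem] - cur[elem]):
            changes.append((elem, "removed", value))
    return changes


def compare(baseline, current):
    """Per-device deviations; devices with no deviation are omitted."""
    report = {}
    for dev in sorted(set(baseline) | set(current)):
        if dev not in baseline:
            report[dev] = [("device", "unbaselined", dev)]
        elif dev not in current:
            report[dev] = [("device", "missing", dev)]
        else:
            changes = diff_device(baseline[dev], current[dev])
            if changes:
                report[dev] = changes
    return report


def new_listeners(report):
    """Ports that appeared since the baseline: each is a CIP-010 deviation and,
    at the same time, a CIP-007 R1 ports-and-services question."""
    return [(dev, value) for dev, changes in report.items()
            for elem, change, value in changes
            if elem == "ports" and change == "added"]


if __name__ == "__main__":
    for dev, changes in compare(BASELINE, CURRENT).items():
        for elem, change, value in changes:
            print(f"{dev}: {elem} {change} {value}")
```

Keeping ports as (protocol, number) tuples rather than bare numbers matters: a baseline that records "123" cannot tell a new udp/123 listener from a new tcp/123 one, and the two have different owners and different risk.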

In Conclusion

Security Recommendations

• Controls security policy
• Demilitarised Zone (DMZ)
• Defending the control edge (IPS/IFW, ISE)
• Protect the interior (ACL/port security)
• Remote access policy
• Physical security
• Endpoint hardening

Plant network reference diagram: Enterprise (ERP, etc.); Plant IT Network (IT servers, core routers, distribution routers, manufacturing router); Plant Floor (enterprise automation and control applications, automation and control devices, access switches, Ethernet bus, IEC 61850); Plant Wi-Fi Network (wireless controller, location engine, Wi-Fi mesh and location receivers, location chokepoint and location tags, Wi-Fi voice, industrial video, LWAPP); Sensor Mesh Network (wireless sensor network, remote); Substation DMZ; Security and Network Administration (terminal server; wireless, video and voice servers; managers and engineers); Internet and Wide Area Network (teleworkers, customers and partners).

IOS Security Protocols

Switches:
• IP unicast/multicast/VRF routing
• Port security to limit the number of MAC addresses
• 802.1X authenticator
• MAC access lists
• Infrastructure ACLs
• DHCP snooping (against DHCP spoofing)
• Debug
• Port mirroring
• BPDU Guard and Root Guard

Routers:
• IGP authentication
• Authorization: RADIUS based on username, DHCP Option 82, vMAC in RADIUS attribute 31
• MD5
• ACLs
• Debug
• DoS protection

Firewall/IPS:
• Firewall
• IPS
• Security Manager

Wireless:
• WPA2
• WIPS

Mapping Technologies to the Model: the Attack Control Continuum

Visibility and context underpin all three phases.

BEFORE: Discover, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate

Technologies placed along the continuum (left to right on the slide): Firewall, App Control, VPN, Access Control, Vuln Mgmt, NAC, IPS, Antivirus, Email/Web, IDS, FPC, Forensics, AMD, Log Mgmt, SIEM.

Phased Security Architecture for Substation Automation

Diagram elements: FAN aggregation (private WiMAX or LTE to the field area network); multiservice bus; physical security; workforce enablement; legacy interfaces (serial, C37.94, E&M); substation MPLS router; utility WAN; Electronic Security Perimeter (ESP) and Physical Security Perimeter (PSP); Zone-1, Zone-2, Zone-3; IEC 61850 station bus and IEC 61850 process bus; PT/CT, breakers, breaker IEDs and merging units (MU); distributed controllers and HMIs; legacy RTU with hardwired I/O and sensors; legacy teleprotection; bay controllers, RTUs, protection relays, comm processors, PMU/PDC and teleprotection relays.

1. First Stage: Secured Connectivity
2. Second Stage: Secured Visibility & Control
3. Third Stage: Converged Security & Depth

Integrated Architecture

Layers: industrial control plane; network management and administration layer; applications and services layer; IP/MPLS core; MPLS transmission and access network (PE, P and ASBR routers); WAN MPLS PE.

Segmentation: VRF A through VRF I on the MPLS network, VLAN 1 through VLAN 5 at the edge, and wavelengths λ1 through λn on the optical transport. Cells (Process, IED, HMI), PLCs, energy metering, fleets, remote nodes and the Plant 2 network are carried in separate VRFs/VLANs alongside 3G/4G, Internet, voice, video, DC and CRM traffic.

Services: Safety, SCADA, AAA, Northbound, DHCP, CA, HER, CGNMS, MDM, SDT, SDD, SDG, SDC, wireless, Factory Control Center (NERC/CIP), physical security (Physec).

Integrated Industrial Protection

• Network firewall, routing | switching (IFW)
• Next-Generation Intrusion Prevention (NGIPS) (subscription) (IIPS)
• Advanced Malware Protection (AMP) (subscription)
• Application Visibility and Control (AVC) (APPs)
• URL filtering (subscription) (WWW)
• VPN
• On-box or centralized management

Thank You