Presentation by Derek Manky, Real-Time Threat Protection in a ...


Transcript of Presentation by Derek Manky, Real-Time Threat Protection in a ...

Page 1

Fortinet Confidential

Real-Time Threat Protection in a SCADA Environment

Derek Manky, Cyber Security & Threat Research, FortiGuard

Cyber Security for Energy and Communications, September 29th, 2009

Page 2

Presentation Overview

• FortiGuard services
• Research
• SCADA threats
• Elements of SCADA
• Compliances
• Real-time threat protection
• Mitigation solutions
• Visibility & monitoring
• Management

Page 3

FortiGuard Distribution Network System

Vancouver: 15 servers
Singapore: 2 servers
Beijing: 2 servers
Tokyo: 4 servers
Ottawa: 3 servers
San Francisco: 4 servers
New Jersey: 6 servers
London: 2 servers
Frankfurt: 5 servers

40+ servers in 9 strategic locations balance traffic loads and provide the highest quality of service with redundancy.

• Up-to-date scanning with signature database: Antivirus (hourly), IPS (true zero-day protection), Application control, Database, Vulnerability management
• Real-time queries: AV Query, Web filtering, Antispam

Page 4

FortiGuard Intelligence Systems

• High-capacity intelligence systems
• Automated signatures
• Stays in stride with the arms race
• Consolidated intelligence
• Frequent daily updates to all devices
• Immediate hot updates for breaking threats

Page 5

FortiGuard Research

• Responsible disclosure
• Worldwide team
• 69 zero-days discovered since 2008
• NVC: 588 critical (March 2008) / 178 exploited
• Proactive detection
• MS09-043 Office Web Components: 1 year advanced protection
• Microsoft MAPP partner
• Breaking updates

Page 6

History of SCADA Security Threats

• 1998: Government penetration tests on US grid hack questioned
  • “Highly decentralized structure of the power plants” [1]
• 2000: Unknown intruders hijacked an electric company's FTP servers
  • Access through power company's servers by exploiting a vulnerability in the company's file storage service
  • "The intruders used the hacked FTP site to store and play interactive games that consumed 95 percent of the organization's Internet bandwidth…" "The compromised bandwidth threatened the (company's) ability to conduct bulk power transactions."
• 2003: The Slammer worm penetrated a private computer network at Ohio's Davis-Besse nuclear power plant, disabling a safety monitoring system for nearly five hours

[1] Wired: http://www.wired.com/science/discoveries/news/1998/06/12746

Page 7

History of SCADA Security Threats

• 2008: Hackers shut off power in multiple regions outside USA, demand payments
  • CIA official: “All involved intrusions through the Internet” [1]
• April 7, 2009: NERC releases public warning on Cyber Asset Identification
  • Reports surfaced of China/Russia infiltrating US electrical grid, malware left behind [1]
• 2009: DHS official on SCADA intrusions
  • “..They are growing”, “There were a lot last year.” [2]

[1] Wired: http://www.wired.com/dangerroom/2008/01/hackers-take-do/
[2] Wall Street Journal: http://online.wsj.com/article/SB123914805204099085.html

Page 8

Real-Time Threat Protection?

• Unique solutions for each threat
  • Require multiple security point products
  • Limited to no product interoperability
• Costly to own – costly to operate
  • High capital and operational expense
  • Disparate management consoles
  • No central threat dashboard
• Not flexible
  • No deployment flexibility
  • Limited product offering
  • No support for DNPV3

Need cost-effective, all-in-one security solutions

Diagram labels: Users, Servers, SSL VPN, IPS, Firewall, Antivirus, Antispam, URL Filters, IPSEC VPN, AntiSpyware

Page 9

Consolidated Intelligence: FortiGuard

Diagram labels: Solution A (AntiVirus), Solution B (WCF), Solution C (IPS), Solution D (AntiSpam), Public, FortiGuard Solution, Fresh Web, 0-Day Exploit, Variant #1 Attached, Variant #2 Hosted, Mass Mail; numbered steps 1–5

Page 10

Elements of a SCADA System

• A Human-Machine Interface
  • The HMI is the apparatus which presents process data to a human operator, and through it the human operator monitors and controls the process
• A supervisory system
  • A computer gathering/acquiring data on the process and sending commands (control) to the process
• Remote Terminal Units
  • RTUs connect to sensors in the process, converting sensor signals to digital data and sending the digital data to the supervisory system
• Communications infrastructure
  • Connects the supervisory system to the RTUs

Page 11

Elements of a SCADA System

Page 12

SCADA Application & Function

Application | Function | Security Technology
HMI | RTU control terminal | AV/IPS to secure against threats to the terminal (no AV allowed on HMI terminals)
DNP V3 | SCADA main to SCADA remote RTU | Application control for TCP/IP DNP protocol control; IPS for buffer, header and network attacks
ICCP | Distributed control systems; control systems integration to EMS systems | IPS protection from protocol anomalies and systems attacks
Wireless 3G/WiFi connectivity to RTU stations | | Secured AP technology that includes AV, IPS, and application control
Database Systems | Data storage for HMI and RTU systems | Database security control with schema and table auditing and control

Page 13

SCADA Compliance and Certifications

Compliance | Requirements | Fortinet Solution
HIPAA (Healthcare) | Baseline ISO 17799, 27001; FW, AV, IPS, DB controls, visibility, audit, encryption in transport | FortiGate (FW, VPN, AV, IPS); FortiManager, FortiAnalyzer, FortiDB, FortiClient
NERC CIP (Electrical) | Baseline ISO 17799, 27001; FW, AV, IPS, visibility, audit; security perimeter for all cyber assets; network segmentation, authentication | FortiGate (FW, VPN, AV, IPS, network segmentation, app. authentication); FortiManager, FortiAnalyzer, FortiDB
PCI (Retail) | Baseline ISO 17799, 27001; FW, AV, IPS, database controls, visibility, audit, network segmentation, authentication, encryption in transport | FortiGate (FW, VPN, AV, IPS); network segmentation, authentication; FortiManager, FortiAnalyzer, FortiDB, FortiClient
SOX, Multilateral Instruments 52-109, 52-111 (Corporations) | Baseline ISO 17799, 27001; FW, AV, IPS, IM controls, database controls, visibility, audit, network segmentation, authentication | FortiGate (FW, VPN, AV, IPS); IM controls, FortiMail, network segmentation, authentication; FortiManager, FortiAnalyzer, FortiDB, FortiClient

Page 14

Key NERC Requirements

• Cyber-asset identification
  • Professional services to help identify
  • Built-in scanning tools (Fortinet)
• Security management controls
  • Role/group-based user management
  • FortiGate policy enforcement
• Personnel & training
  • Professional services/training
  • FortiGuard advisories/analysis/reports & blog (RSS)
• Electronic security perimeter(s)
  • FortiGate solution with AV/IPS and role-based policy enforcement
• Physical security of critical cyber assets
  • Segmentation of network with FortiGate
  • Role-based security policies
• Systems security management
  • Change management with the FortiManager
• Incident reporting and response management
  • FortiAnalyzer will fill this role easily

Page 15

Where are the Threats Coming From?

• External sources
  • SCADA systems are normally interconnected to other SCADA systems and their own RTUs/MGMT stations via public networks
  • Software as a Service (SaaS)
• Internal sources
  • Viruses brought into the SCADA network via portable devices
  • Corporate espionage
  • Third-party applications
  • File sharing, P2P and social networks
  • HMI terminals do not have, or are not allowed to install, an AV solution
• Wireless sources
  • SCADA networks often employ WiFi or 3G based wireless connectivity to RTUs
  • Rogue AP set up with the original equipment's SSID
  • Host of encryption exploits
  • No host-based security features on RTUs

Page 16

How You Can Protect Your SCADA Environment

• Control application/communication into/out of the network
• Control application/communication inside the network
  • Includes ICCP and DNPV3
• Control what/who can interface with SCADA systems
• Monitor the network for viruses/attacks and be able to react to those events quickly

Page 17

How Fortinet Can Help

• External firewall security
  • IPS SCADA signatures available today (Modbus, DNP3, etc.)
  • IPS anomaly/DDoS mitigation
  • Application control for DNPv3 and ICCP
  • Firewall rules, user access control, endpoint control
• Internal firewall security
  • IPS, AV, application control
  • User access control, DLP
• Wireless/3G
  • Rogue AP detection
  • Multiple security methods: MAC address, WEP, WPA, WPA2 Enterprise
  • Role-based security rules at the RTU access point
  • Restrict to RTU and MGMT IPs
  • IPSec VPN from AP to CTU/MGMT station
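The DNP3 controls named on Page 12 (application control of the DNP protocol, IPS for header attacks) and here on Page 17 (DNP3 signatures, restricting traffic to RTU and MGMT addresses) in working form, as an added example that is not Fortinet's code and not from the original deck: it validates the DNP3 link-layer header (start bytes, LEN, control octet, addresses, CRC-16/DNP) and then enforces a master/outstation address allowlist. The link addresses and the allowlist are constructed assumptions; the frame layout and CRC follow the DNP3 link-layer specification.

```python
import struct
from collections import namedtuple

DNP3_START = b"\x05\x64"  # every DNP3 link-layer frame begins with these two bytes
# length: LEN field (control + two addresses = 5, plus user data; CRCs excluded)
# from_master: DIR bit of the control octet; function: low nibble of control
LinkHeader = namedtuple("LinkHeader", "length from_master function destination source")

def dnp3_crc(data: bytes) -> int:
    """CRC-16/DNP: polynomial 0x3D65 (0xA6BC reflected), init 0, result inverted."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF

def parse_link_header(frame: bytes) -> LinkHeader:
    """Validate the 10-byte link header and raise ValueError on any anomaly."""
    if len(frame) < 10:
        raise ValueError("frame shorter than link header")
    if frame[:2] != DNP3_START:
        raise ValueError("bad start bytes")
    length, control, dest, src = struct.unpack("<BBHH", frame[2:8])
    if length < 5:
        raise ValueError("illegal length field")
    if dnp3_crc(frame[:8]) != struct.unpack("<H", frame[8:10])[0]:
        raise ValueError("header CRC mismatch")
    return LinkHeader(length, bool(control & 0x80), control & 0x0F, dest, src)

def build_frame(control: int, dest: int, src: int, user_data: bytes = b"") -> bytes:
    """Assemble a well-formed frame; used here only to construct sample traffic."""
    header = DNP3_START + struct.pack("<BBHH", 5 + len(user_data), control, dest, src)
    frame = header + struct.pack("<H", dnp3_crc(header))
    for i in range(0, len(user_data), 16):  # user data travels in 16-byte blocks, each with its own CRC
        block = user_data[i:i + 16]
        frame += block + struct.pack("<H", dnp3_crc(block))
    return frame

# Constructed allowlist (hypothetical link addresses): which master may address which outstation.
ALLOWED_PAIRS = {(1, 4), (1, 5)}

def check_frame(frame: bytes, allowed=ALLOWED_PAIRS) -> str:
    """Allow/drop verdict: header anomalies are rejected first, then the address allowlist applies."""
    try:
        hdr = parse_link_header(frame)
    except ValueError as exc:
        return f"drop: {exc}"
    # normalise to (master, outstation) regardless of which side sent the frame
    pair = (hdr.source, hdr.destination) if hdr.from_master else (hdr.destination, hdr.source)
    if pair not in allowed:
        return f"drop: address pair {pair} not allowed"
    return f"allow: src={hdr.source} dst={hdr.destination} fc={hdr.function}"
```

Control octet 0xC4 below means DIR=1 (from master), PRM=1, function code 4 (unconfirmed user data); a reply from the outstation carries DIR=0.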

Page 18

Protection from the Outside (ingress)

• Firewall. Inspects content in network packets to ensure no unauthorized traffic passes into or out of the intranet. With adequate performance, a firewall can be deployed in-line for real-time protection.

• Intrusion Detection and Prevention. Stops attacks at the network perimeter by analyzing traffic for worms, viruses and exploits. Analysis techniques include behavior-based learning and heuristics in addition to signatures defining known hazards.

• VPN. Enables secure communications tunnels across the public Internet between computing devices. With adequate performance, a VPN can authenticate users, encrypt data and manage sessions.

• Antispam. Blocks junk email and its file attachments from entering the intranet, and blocks web access to blacklisted websites, domains and keywords.

Page 19

Protection from the Outside (ingress)

• Web-based Content Filtering. Processes all Web content to block inappropriate material and malicious scripts from Java applets, cookies and ActiveX entering the intranet. Assures improved productivity by minimizing time wasted on non-business use of the network.

• Vulnerability Scanning. This automated process checks network devices and applications to identify and rank the severity level of known vulnerabilities caused by unpatched software, misconfigurations and other causes. Scan reports provide a blueprint to remove vulnerabilities for stronger security.

• All these security applications can and should be installed at every SCADA network endpoint. The biggest challenge is operational – how to deploy them and manage their use in a cost-effective manner.

Page 20

Protection from the Inside

• Once an intruder is on the inside of a network, the SCADA system is vulnerable from several points: the HMI (Human-Machine Interface) and the RTUs (Remote Terminal Units). The HMI is a direct interface to the databases that the RTU sends and receives commands from. For example, an HMI user working at a fuel tank farm can manage the flow of fuel from a pipeline into various storage tanks and then into a piping system into delivery trucks or another pipeline. The HMI sends commands to the RTU to open/close valves, turn on pumps, and record the amount of fuel/temp/water content of a storage tank, all in real time. If the HMI interface were to be exploited, either by a bot, worm, or a known exploit that gives command/control access to an external user, what could happen?

Page 21

Protection from the Inside

• Secure (encrypted) communications to/from RTUs
• Firewall policies that restrict users/IPs to only operational personnel
• Antivirus/IPS profiles within the network
• Secure database communications
  • FortiDB
• DLP
• Application control to limit unwanted or potentially dangerous applications from being installed within the SCADA network

Page 22

Wireless Protection

• WiFi
  • Use non-broadcast SSID
  • Use WPA-PSK 128 or better encryption
  • WPA2 Enterprise (RADIUS)
  • Lock wireless access to known MAC/IP addresses
  • VPN to CTU or DB
• 3G-based wireless
  • Static IP devices
  • MPLS to SCADA network
  • VPN into SCADA network
  • Restrict VPN to known IP addresses

Page 23

Enterprise Security Tools

Diagram: zones from External through Internal Network (PC, Printers), Server Domain, HMI Applications and SCADA Databases to the Authorized User, with the tools shown per zone: Firewalls, VPN; AAA, Anti Virus; AAA, IDS, Encryption; Application Security; Database Security; UTM

Page 24

The Solution: A Defense-in-Depth Security Strategy

• A defense-in-depth strategy deploys application security at both the host RTU and the network level
• Deploy security systems that offer tightly integrated multiple detection mechanisms:
  • IPS
  • Antivirus
  • Antispam
  • Application control
  • Web filtering
  • DB
  • Stateful firewall
  • VPN
• Automated processes to update AV and IPS signature databases
• Known SCADA exploits already in AV/IPS databases

Page 25

Protection of the HMI Database

• Vulnerability assessment
  • Centralize signature/policy management
  • Separation of duties
  • Create custom signatures/policies
  • Implement expert-level remediation advice
  • Analyze database security trends
  • Supports well-known DB systems
• Audit control – monitoring/audit
  • Unauthorized access/change of data circumventing application controls
  • Segregation of duties: database security/audit should be external to the database
  • Control on rules for who, when, where makes a change in the database without authorization
  • Change control on schemas
  • User privilege changes
  • Failed logins and failed actions
  • Data integrity of critical data

Page 26

Vulnerability Assessment

Key features
• Assesses and provides industry-standard remediation advice that strengthens the integrity and security of databases. This helps with eliminating weaknesses in passwords, access, privileges, configuration settings, and more.
• Automatically discover all databases
• Accelerate security & compliance best practices (PCI, SOX, HIPAA)
• Centralize signature/policy management
• Separation of duties
• Easily create custom signatures/policies
• Brand reports for easy identification
• Implement expert-level remediation advice
• Analyze database security trends
• Supports Oracle, SQL, DB2 UDB and Sybase

Page 27

Audit Control – Monitoring/Audit

• Reduces the risk of information theft/leak/fraudulent update; automates compliance processes
• Automation of IT internal controls (database-specific)
• Unauthorized access/change of data circumventing application controls
• Segregation of duties: database security/audit should be external to the database
• Power user activities
• Control on rules on who, when, where makes a change in the database without authorization
• Change control on schemas
• User privilege changes
• Failed logins and failed actions
• Data integrity of critical data
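The audit rules listed on Page 25 and Page 27 (failed logins, schema changes, privilege changes, data changes that circumvent application controls) run over a constructed database audit trail, as an added example rather than FortiDB's own logic or anything from the original deck. The account names, client hosts, allowed-host mapping and failed-login threshold are hypothetical; the point is that audit/monitoring stays external to the database and evaluates every statement against policy.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit trail (not from the slides): "timestamp account client status statement"
SAMPLE_AUDIT = """\
2009-09-29T02:10:01 scada_app 10.10.5.21 OK INSERT INTO tank_levels VALUES (7, 812.4)
2009-09-29T02:10:05 scada_app 10.10.5.21 OK UPDATE valves SET state='OPEN' WHERE id=3
2009-09-29T02:11:40 jdoe 10.10.9.14 FAIL LOGIN
2009-09-29T02:11:43 jdoe 10.10.9.14 FAIL LOGIN
2009-09-29T02:11:47 jdoe 10.10.9.14 FAIL LOGIN
2009-09-29T02:12:30 jdoe 10.10.9.14 OK ALTER TABLE valves ADD COLUMN override INT
2009-09-29T02:12:45 jdoe 10.10.9.14 OK GRANT DBA TO jdoe
2009-09-29T02:13:00 scada_app 10.10.9.14 OK DELETE FROM tank_levels WHERE id=7
2009-09-29T02:14:10 dba_ops 10.10.1.2 OK CREATE INDEX ix_levels ON tank_levels (id)
"""

# Hypothetical policy: who may change schemas, and which hosts each application account may use
SCHEMA_OWNERS = {"dba_ops"}
APP_ACCOUNT_HOSTS = {"scada_app": {"10.10.5.21"}}
FAILED_LOGIN_LIMIT, FAILED_LOGIN_WINDOW = 3, timedelta(minutes=5)

LINE_RE = re.compile(r"(\S+) (\S+) (\S+) (OK|FAIL) (.*)")
DDL_RE = re.compile(r"^(CREATE|ALTER|DROP)\b", re.I)
PRIV_RE = re.compile(r"^(GRANT|REVOKE)\b", re.I)

def audit_alerts(log_text: str) -> list:
    """Apply the monitoring rules to an audit trail; return (rule, detail) pairs in log order."""
    alerts, failures = [], defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, account, client, status, stmt = m.groups()
        when = datetime.fromisoformat(ts)
        if status == "FAIL" and stmt == "LOGIN":
            # failed logins: keep only attempts inside the sliding window, alert when the limit is reached
            failures[account] = [t for t in failures[account] if when - t < FAILED_LOGIN_WINDOW]
            failures[account].append(when)
            if len(failures[account]) == FAILED_LOGIN_LIMIT:
                alerts.append(("failed-logins", f"{account} from {client}: {FAILED_LOGIN_LIMIT} failures"))
            continue
        if DDL_RE.match(stmt) and account not in SCHEMA_OWNERS:
            alerts.append(("schema-change", f"{account}: {stmt}"))
        if PRIV_RE.match(stmt):
            alerts.append(("privilege-change", f"{account}: {stmt}"))
        if account in APP_ACCOUNT_HOSTS and client not in APP_ACCOUNT_HOSTS[account]:
            # the application account used from a foreign host: a data change that bypasses application controls
            alerts.append(("bypass-application", f"{account} from {client}: {stmt}"))
    return alerts
```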

Page 28

Reporting and Analysis of SCADA

• More than 300 different report templates available
• Report configuration wizard
• Reports are completely customizable
• Example reports
  • Events/attacks by: sensor, source, category, threat, protocol
  • Mail usage
  • ICCP, DNP usage
  • Bandwidth usage
  • Protocol usage

Page 29

Management in a SCADA Environment

Diagram labels: Internet, Internet Access, Back Bone Switching, Out of Band Management w/ Centralized Logging and Reporting, RTU A, RTU B, RTU C, RTU D, RTU F, SCADA DB System

Page 30

Multi-Threat Security with Fortinet

• Fortinet advantages
  • Provides comprehensive security approach
  • Minimizes down-time from individual threats (FortiGuard)
  • Reduces number of vendors and appliances
  • Simplifies security management
  • Coordinates security alerting, logging, and reporting
  • Improves detection capabilities

Diagram labels: IPS, HMI, Firewall, Core DB, Antivirus, Antispam, URL Filters, VPN

Page 31