Securing Industrial Control Systems in the Age of IoT
© 2016 Belden Inc. | belden.com | @BeldenInc | info.beldon.com/iiot
October 2016
Jeff Lund
Securing Industrial Control Systems in the Age of IoT
Control System Security Is Gaining Public Recognition
Reported Vulnerabilities & Incidents are Increasing
Source: FireEye iSight Intelligence 2016 ICS Vulnerability Trend Report
But ICS Cybersecurity Is Much More than Hackers
• <10% of issues are related to hackers
• Most “attacks” are device or human errors
ICS cybersecurity is about
• Improving system reliability
• Reducing downtime
• Increasing productivity
• Decreasing operating costs
• Ensuring safety
And protecting from hackers
Industrial Systems Bring Unique Security Challenges
• Most of the devices are preexisting, don’t speak IP, use inherently insecure protocols, and live in the field for decades
• Configuration, testing and maintenance must be done without shutting down the network
• Patching is usually not practical
• Active scans can damage systems
• Systems must keep running even if under attack or impaired
Real World Example: The Problem
• Regional wastewater treatment plant
  − Mid-sized city in the Eastern U.S.
  − 24 buildings / 500 pieces of equipment
  − 15 treatment processes
  − 13 million gallons of wastewater daily
  − Runs 24 hours a day every day
• Little protection or separation of the SCADA network from the city’s IT network
  − Even the city’s high school students could gain access if they tried
The Requirements
• Protect critical plant infrastructure from malware, traffic storms, errors and attacks
• Without giving up the ability to share data interdepartmentally or remote support and maintenance capabilities
• While increasing system reliability by following ISA/IEC 62443 cybersecurity standards
  − Partition into zones; secure through conduits
  − Security embedded throughout the system, not just at the perimeter
The Approach
• Engaged ICS security consultant to analyze system and partition into zones per ISA/IEC 62443 cybersecurity standard
• Each zone protected by a specialized industrial security appliance
  − “Field-level firewall”
  − Transparent to the network (no IP address)
    − Easy to install, hard to attack
    − No changes required to network or subnet addressing
  − Deep Packet Inspection for industrial protocol communications
    − Protects against all malformed packet attacks – even ones that have yet to be discovered
    − Enforces use-case driven security policy
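Added example, not from the original slides and not Belden or Tofino code: a minimal sketch of what deep packet inspection with a use-case driven policy means for one industrial protocol. It assumes Modbus/TCP (the slides name no protocol), a hypothetical read-only policy for one conduit, and that each frame has already been reassembled from the TCP stream.

```python
import struct

# Hypothetical conduit policy (assumption): the HMI zone may only read
# holding/input registers 0-99 from unit 1 in the PLC zone.
POLICY = {"units": {1}, "functions": {0x03, 0x04}, "addr_range": (0, 99)}

MBAP_LEN = 7          # transaction id, protocol id, length, unit id
MAX_ADU = 260         # Modbus/TCP limit: 7-byte MBAP + 253-byte PDU
MAX_READ_QTY = 125    # protocol limit on registers per read request

def inspect(frame, policy=POLICY):
    """Return (allow, reason) for one Modbus/TCP request frame."""
    # Structural checks first: malformed frames are dropped whatever the policy.
    if len(frame) < MBAP_LEN + 1 or len(frame) > MAX_ADU:
        return False, "bad frame size"
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if proto != 0:
        return False, "protocol id is not Modbus"
    if length != len(frame) - 6:   # length field counts unit id + PDU
        return False, "length field mismatch"
    func, body = frame[MBAP_LEN], frame[MBAP_LEN + 1:]

    # Policy checks: default deny, allow only what the use case needs.
    if unit not in policy["units"]:
        return False, "unit not allowed"
    if func not in policy["functions"]:
        return False, f"function 0x{func:02x} not allowed"
    if len(body) != 4:             # read request = start address + quantity
        return False, "bad read request size"
    start, qty = struct.unpack(">HH", body)
    lo, hi = policy["addr_range"]
    if not 1 <= qty <= MAX_READ_QTY or start < lo or start + qty - 1 > hi:
        return False, "register range not allowed"
    return True, "ok"

def build(unit, func, body, length=None):
    """Constructed sample frame for this example, not captured traffic."""
    pdu = bytes([func]) + body
    length = len(pdu) + 1 if length is None else length
    return struct.pack(">HHHB", 1, 0, length, unit) + pdu

if __name__ == "__main__":
    read = struct.pack(">HH", 0, 10)   # start address 0, quantity 10
    for name, frame in [("read", build(1, 0x03, read)),
                        ("write", build(1, 0x06, read)),
                        ("bad length", build(1, 0x03, read, length=200))]:
        print(name, inspect(frame))
```

The structural checks reject a malformed frame without needing a signature for it, and the default-deny policy checks are what turn a generic firewall into one that enforces a specific use case.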
The Solution: Final Application
The Results
• Tofino Security Appliances were easily wired into the network
• No disruption to the active network during configuration
• New system uses custom rules to manage network traffic
• Tofino Security Appliances block unneeded/unwanted traffic
  − Protects and strengthens system
  − Allows access to all needed business and maintenance information
• Network is on the forefront of industrial cybersecurity
Key Points to Take With You
• Most IIoT systems are “brown field” with existing devices using insecure protocols
• Safety and reliability are job #1 in industrial IoT systems
• Cyber security has a major role to play in ensuring these goals
• Security is not just perimeter protection or air gaps; security needs to be woven throughout the network fabric