Wonderware Conference. Schneider Electric...

Wonderware Conference. Schneider Electric confidential.

Transcript of Wonderware Conference. Schneider Electric...

Page 1: Wonderware Conference. Schneider Electric confidential.global.wonderware.com/EN/SoftwareGCC15PPTs/TSS-02 WSP 2014 R2... · Manufacturers (certificate) Directory ... Wonderware Conference.


Page 2:

TSS-02 WSP 2014 R2 Whitelisting & Cyber Security Recommendations

Alicia Rantos, Principal Technical Support Engineer, Global Customer Support

Page 3:

Introduction: Alicia Rantos

● Principal Technical Support Engineer, Global Customer Support (GCS) for WSP.

● Project lead for GCS Training and GCS vCloud; GCS Cyber Security Lead and Liaison for R&D and other Schneider Electric entities.

● B.S. in Computer Information Systems from Chapman University and MBA from University of California, Irvine.

● Trained with the Department of Homeland Security via CSSP and SANS in 2014.

● GIAC Global Industrial Cyber Security Professional (GICSP) certified 2015.

Page 4:

Summary

This session covers whitelisting as an industrial control system cyber security solution and the recommended configuration details for whitelisting the Wonderware System Platform (WSP) 2014 R2 products with Intel Security's McAfee ePolicy Orchestrator (ePO) products. It also covers other important industrial security recommendations.

Page 5:

Agenda

● Whitelisting as a cyber security solution

● McAfee ePO and Application Control for whitelisting

● Compatibility, installation and administration

● Whitelisting specifics for WSP 2014 R2 and related components

● Installing system updates

● Additional defense-in-depth cyber security recommendations

Page 6:

Whitelisting Solution Overview

● Application whitelisting is a proactive security technique in which only a limited set of approved programs is allowed to run; every other program is blocked from running by default.

●Application Whitelisting is not a replacement for traditional security software, such as antivirus and host firewalls. It should be used as one layer in a defense-in-depth strategy.

Page 7:

Whitelisting Solution Overview

●Many control systems are isolated.

●Most control systems cannot be rebooted or can be rebooted only at specific times in very tight maintenance windows.

●Control systems generally have limited memory and hardware resources.

●Many control systems today are running on older operating systems.

● The trend is that BMS and microgrid installations are adopting whitelisting solutions.

Page 8:

Whitelisting Solution Overview

NERC's Critical Infrastructure Protection Standards (CIP Standards) address cyber attacks specifically, including the ability of a cyber attack to create multiple, simultaneous failures in the grid. Utilities that fail to comply with applicable CIP Standards do so at considerable cost: a penalty of up to $1,000,000 per violation per day. Requirements R3 and R4 of CIP-007 relate directly to securing the critical process control systems at the core of the electric infrastructure: Energy Management Systems (EMS), Distributed Control Systems (DCS), and Plant Control Systems (PCS). Whitelisting is an effective malicious software prevention tool that can be used to help satisfy the requirements of CIP-007 R3 and R4, provided the whitelist policy and its change records are documented as evidence.

Page 9:

Whitelisting Solution Overview

● Stuxnet: the worm that ravaged Iran's Natanz nuclear facility.

● Known for reportedly destroying roughly a fifth of Iran's nuclear centrifuges by causing them to spin out of control.

● The complicated malware included a replacement .dll file carrying additional code that was loaded to perform the attack.

● Whitelisting would have detected the modified .dll and stopped it from loading, provided the policy trusts files by hash rather than by signature alone: Stuxnet's kernel drivers were signed with certificates stolen from legitimate hardware vendors, so a blanket publisher rule would not have caught them.

Page 10:

McAfee Application Control

● McAfee Application Control software provides an effective way to block unauthorized applications and code on servers, workstations and fixed-function devices.

● After McAfee Application Control is installed and activated, all executable applications and files are protected against modification. Additions to the list of authorized applications can be made through trusted:
● Users (user)
● Publishers (certificate)
● Directories
● Binary files (checksum)
● Updaters (updating programs, e.g. Windows Update or virus scanners)

Page 11:

McAfee Application Control

● Offers memory-protection functions: it monitors main memory, provides protection against buffer overflows, and protects files that are loaded in memory.

● Is a component of McAfee Integrity Control. McAfee Integrity Control includes the components McAfee Application Control and McAfee Change Control.

● In the WSP environment, only the whitelisting functionality (McAfee Application Control) has been tested.

Page 12:

Compatibility, Installation, Administration

● Currently WSP 2014 R2 (or higher) is compatible with McAfee ePO version 5.1 and Application Control version 6.1.3.

● Administration
● The administration of McAfee Application Control can be done in two different ways:
● Locally on a computer system (standalone)
● Centrally via the administration software McAfee ePolicy Orchestrator (ePO)
● We recommend central administration using ePO, which is what we have tested our WSP products with.

Page 13:

Central Administration

● Central administration of the whitelisting takes place via the McAfee ePO.

● All local McAfee Application Control commands and options are centrally managed via the ePO.

● The McAfee ePO administration software must be installed on its own computer with up-to-date hardware and a compatible, McAfee-supported Windows Server operating system: Windows Server 2008 R2 or Windows Server 2012 R2.

● Notes:
● McAfee ePO must not be installed on a WSP computer or on an Active Directory domain controller.
● We highly recommend using Active Directory for access control.

Page 14:

Central Administration

Page 15:

Whitelisting WSP 2014 R2 Installation Preparations

Installation and configuration; central administration via ePO

● Installation of the ePO server
● Install McAfee ePolicy Orchestrator (ePO).
● Install the Solidcore Extension Package.
● Apply the license for Solidcore or McAfee Application Control.

The standard settings recommended by McAfee for the installation of these products can be used.

Page 16:

Whitelisting WSP 2014 R2 Installation Preparations

1. Set up the system based on the recommendations of the WSP documentation. Reference the WSP Readme.

2. Install and configure the operating system, including available security updates.

3. Install the required programs and components, including WSP.

4. Install all available security updates for the program and program-related components.

5. Install a virus scanner, including security updates and the newest available virus signature files.

Page 17:

Whitelisting WSP 2014 R2 Installation Preparations

6. If possible, isolate the connection to external / third-party networks.

7. Execute a complete virus scan of the computer.

8. Install McAfee Application Control via ePO.

9. Run and test the systems in Observe Mode (Observe Mode records what would have been blocked without enforcing, so exercise every WSP function, including deploys, during this period).

10. Execute the "Solidify" process for all local hard drives and partitions.

11. Activate McAfee Application Control.

12. Restart the computer.

Page 18:

Whitelisting Specifics for Application Server, InTouch, Historian

● Publishers:
● Updater Label: any name (we used "Invensys Certificate" in our example)
● Issued To: Invensys System; Issued By: VeriSign Class 3 Code Signing 2010 CA
● Extracted From: WSP 2014 R2 (or later) Setup.exe

Page 19:

Whitelisting Specifics for WSP 2014 R2

● Updaters:
● Updater By Name: Framework\Bin\aaDCOMTransport.exe
● Updater Checksum (for aaDCOMTransport.exe): 64695e7b00763efb0ea975950f566078e0445c39
● Updater By Name: c:\program files (x86)\archestra\framework\filerepository\t_object.msi

Page 20:

Whitelisting Specifics for WSP 2014 R2 ● Updaters

Page 21:

Whitelisting Specifics for WSP 2014 R2

● Installers:
● aaDCOMTransport.exe
● aaPim.exe
● ******_Temp.msi (****** = Platform node name; an entry for each node)
● T_Object.msi
● AAMXCore.msm
● MxAccess.msm
● LmxProxy.msm
● SmartCardAL.msm
● RTCommon_IDEGR_Runtime.msm

Page 22:

Whitelisting Specifics for WSP 2014 R2

● Installers:
● Security_IDEGR_Runtime.msm
● SysObject_IDEGR_Common_Deploy.msm
● SysObject_GR_Common_Deploy.msm
● ObjectIcons_Common.msm
● PFServer_GR_Runtime.msm
● LegacyIGDSupport.msm
● DASClientRedist.msm
● DCOMConfig.msm
● DASRedist.msm

Page 23:

Whitelisting Specifics for WSP 2014 R2 ● Installers

Page 24:

Whitelisting Specifics for WSP 2014 R2

● To enable the installers, set the following in Solidcore 6.1.3: Application Control Options (Windows), on the Features tab of your policy in the ePO System Tree:
● Package Control
● Bypass Package Control

Page 25:

Whitelisting Specifics for FS Gateway

● FS Gateway is included in the WSP installation, which is digitally signed. Once the certificate extracted from the WSP Setup.exe is added as a Publisher, FS Gateway is allowed to run and update the system.

●Nothing additional is needed for FS Gateway in the Whitelisting process.

Page 26:

Whitelisting Specifics for DAS ABCIP

● Updaters:
● Updater Checksum (for DASABCIP Setup.exe): 36c05f9fad9971aee17a631cce7d117bb09e8774
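Before entering a binary as an Updater, or its certificate as a Publisher, in ePO it is worth confirming on the node itself that the file carries the hash and the signer the slides list, so that a replaced or re-signed binary is not whitelisted by mistake. The script below is an added example, not part of this deck and not McAfee tooling; it checks the aaDCOMTransport.exe checksum from the WSP 2014 R2 slide and the DAS ABCIP Setup.exe checksum above, and inspects the Authenticode signer against the Publisher slide. The install path, the DASABCIP media path, and the exact certificate subject text (the deck gives only "Invensys System") are assumptions, so subject and issuer are matched as substrings.

```powershell
# Added example (not from the deck or McAfee): check candidate Updater binaries against
# the SHA-1 checksums and publisher certificate listed in the slides before adding them
# to the ePO policy. Requires Get-FileHash (PowerShell 4.0+); run elevated on the WSP node.

# Expected values from the slides. Paths are assumptions for a default 64-bit install;
# the DASABCIP media location is an assumption as well.
$ExpectedUpdaters = @{
    'C:\Program Files (x86)\ArchestrA\Framework\Bin\aaDCOMTransport.exe' = '64695e7b00763efb0ea975950f566078e0445c39'
    'D:\DASABCIP\Setup.exe'                                               = '36c05f9fad9971aee17a631cce7d117bb09e8774'
}
$ExpectedSubject = 'Invensys System'                         # "Issued To" on the Publisher slide
$ExpectedIssuer  = 'VeriSign Class 3 Code Signing 2010 CA'   # "Issued By" on the Publisher slide

function Test-UpdaterBinary {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSha1
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Result = 'Missing'; Sha1 = $null; Signer = $null; Issuer = $null }
    }

    # Checksum rule: the Updater Checksum in ePO is the SHA-1 of the file and must match exactly.
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA1).Hash.ToLowerInvariant()

    # Publisher rule: the Authenticode signer must be the vendor certificate the deck names,
    # and the signature must still verify (a tampered file fails here even before the hash check).
    $sig    = Get-AuthenticodeSignature -LiteralPath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    $issuer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Issuer  } else { $null }

    $result =
        if ($actual -ne $ExpectedSha1.ToLowerInvariant())            { 'HashMismatch' }
        elseif ($sig.Status -ne 'Valid')                              { "Signature:$($sig.Status)" }
        elseif ($signer -notlike "*$ExpectedSubject*" -or
                $issuer -notlike "*$ExpectedIssuer*")                 { 'UnexpectedPublisher' }
        else                                                          { 'OK' }

    [pscustomobject]@{ Path = $Path; Result = $result; Sha1 = $actual; Signer = $signer; Issuer = $issuer }
}

$report = foreach ($entry in $ExpectedUpdaters.GetEnumerator()) {
    Test-UpdaterBinary -Path $entry.Key -ExpectedSha1 $entry.Value
}
$report | Format-Table -AutoSize

if ($report.Result -contains 'HashMismatch') {
    Write-Warning 'A listed binary does not match the vendor checksum: confirm the product build with support before adding it as an Updater.'
}
```

A hash mismatch does not by itself mean tampering; the values on the slides belong to one specific build, so a different service-pack level of aaDCOMTransport.exe or a later DASABCIP release will legitimately differ and the checksum rule in ePO must then be taken from the build actually installed. Note also that Get-FileHash is only present on Windows Server 2008 R2 once Windows Management Framework 4.0 is installed.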

Page 27:

Whitelisting WSP 2014 R2

Video

Page 28:

Installing Updates

Service packs, updates, hotfixes and patches for WSP can be installed only after the runtime has been completely shut down and the Update Mode of McAfee Application Control has been activated.

1. Shut down and close all WSP applications.

2. Restart the computer. If Autologin and Autostart have been configured for the WSP systems, they must be deactivated prior to the restart.

3. Switch on Update Mode of Application Control via a Client Task in the ePO.

4. Install the WSP and / or other product update.

Page 29:

Installing Updates

5. Restart the computer.

6. Start the completely updated WSP application.

7. Re-activate Autologin and Autostart if they were deactivated previously.

8. Terminate Update Mode of Application Control via a Client Task in the ePO.

While Update Mode is on, every change made to the node is accepted into the whitelist, so keep the window to the update itself and end it as soon as the application is confirmed working.
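As an added example that is not part of the deck, the following pre-flight check covers the first two steps of this procedure: it confirms that no WSP runtime process is still executing and that Windows autologon is switched off before the node is restarted and Update Mode is turned on from ePO. The process names are assumptions about a typical Application Server / InTouch node; the Winlogon registry values are the standard Windows ones.

```powershell
# Added example (not from the deck): pre-flight for the WSP update procedure.
# Verifies the node is quiescent before the reboot that precedes Update Mode.

# Process names are assumptions; list the WSP components installed on this node.
$WspProcessNames = @('aaBootstrap', 'aaEngine', 'aaGR', 'view', 'wm')

# Standard Windows autologon location. AutoAdminLogon = '1' plus DefaultPassword means
# the node logs on unattended, with the password stored in the registry in clear text.
$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-UpdatePreflight {
    $running = @(Get-Process -Name $WspProcessNames -ErrorAction SilentlyContinue |
                 Select-Object -ExpandProperty Name -Unique)
    $wl = Get-ItemProperty -Path $Winlogon
    $autologon    = ($wl.AutoAdminLogon -eq '1')
    $clearTextPwd = $null -ne $wl.PSObject.Properties['DefaultPassword']

    [pscustomobject]@{
        WspProcessesRunning      = $running
        AutoAdminLogon           = $autologon
        ClearTextPasswordPresent = $clearTextPwd
        ReadyForUpdateMode       = ($running.Count -eq 0) -and (-not $autologon)
    }
}

function Disable-WspAutoLogon {
    # Deactivate autologon before the restart, as the procedure requires. The clear-text
    # DefaultPassword is removed as well; it has to be re-entered when autologon is
    # re-enabled after the update.
    Set-ItemProperty -Path $Winlogon -Name AutoAdminLogon -Value '0'
    Remove-ItemProperty -Path $Winlogon -Name DefaultPassword -ErrorAction SilentlyContinue
}

$pre = Get-UpdatePreflight
$pre | Format-List
if ($pre.WspProcessesRunning.Count -gt 0) {
    Write-Warning ("Still running: {0}. Close all WSP applications before continuing." -f ($pre.WspProcessesRunning -join ', '))
}
if ($pre.AutoAdminLogon) {
    Write-Warning 'Autologon is enabled; run Disable-WspAutoLogon before restarting.'
}
```

Where an operator node genuinely has to log on unattended, the Sysinternals Autologon utility stores the password as an LSA secret instead of the clear-text DefaultPassword value, which is the form to prefer when autologon is switched back on after the update.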

Page 30:

Whitelisting Summary and Important Notes

● There is no out-of-the-box whitelisting configuration.

● Each configuration must be tailored to the software and hardware of the system.

● Multicore processors reduce the latency that the SHA-1 hash comparison can introduce on single-processor systems.

● Whitelisting is not a silver-bullet solution.

● A defense-in-depth, multi-layered approach is required.

Page 31:

Questions

Page 32:

Defense-In-Depth Security Recommendations

Page 33:

Defense-In-Depth Security Recommendations ●Cyber Security Framework: IEC-62443

Page 34:

Defense-In-Depth Security Recommendations

● People, Policies and Procedures, Technologies

(Figure: the three pillars. People: Training; Policies: SOP's and Tools; Technology.)

Page 35:

People, Policies and Procedures, Technologies

All three security pillars can be used to protect a simple control system.

• The technology pillar includes the firewall protecting the system and the login accounts for the control system. In a secure environment the login accounts for the control system are separate from the general corporate accounts.

• Policies and procedures provide the second pillar by specifying who can be granted login accounts and what training is required before access is granted.

• The people pillar is the training employees must complete before they are granted system access, including the reasons for the secure environment, any known risks, and the consequences of failing to protect that environment.

Page 36:

From the NIST Cyber Security Framework

Page 37:

Defense-In-Depth Security Recommendations

Common Attack Vectors (the incident attack-vector categories used in NIST SP 800-61):

● External/Removable Media: attack executed from removable media, such as a USB drive, CD or a peripheral device.

● Attrition: attack that employs brute-force methods to compromise, degrade or destroy systems, networks or services.

● Web: attack executed from a website or web-based application.

● Email: attack executed via an email message or attachment.

● Improper Usage: any incident resulting from violation of an organization's acceptable-use policies by an authorized user.

● Loss or Theft of Equipment: loss or theft of a computing device or media used by the organization, such as a laptop or smartphone.

Page 38:

Defense-In-Depth Security Recommendations

• A security incident is an event that breaches a baseline.

• This implies that you know what the baseline is, and that you know when the baseline has been breached.

Average time from when an organization is breached to when it finds out about the breach: 250 days.
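Knowing the baseline, in practice, means holding a recorded inventory of what is supposed to be on the node and having a way to diff the live system against it. As an added example (not from the deck), the functions below snapshot a directory tree into a SHA-1 manifest and later report files that were added, removed or modified; the directory is an assumption (the ArchestrA Framework\Bin folder of a default install) and the manifest path is arbitrary. It is the same file-hash comparison the whitelist enforces at execution time, applied here as a detection check so that a breach of the baseline is noticed rather than assumed absent.

```powershell
# Added example (not from the deck): record a file-hash baseline of a directory and
# report deviations from it. Paths are assumptions; Get-FileHash needs PowerShell 4.0+.
$BaselineRoot = 'C:\Program Files (x86)\ArchestrA\Framework\Bin'
$BaselinePath = 'C:\Baselines\Framework-Bin.sha1.csv'

function New-FileBaseline {
    param([string] $Root = $BaselineRoot, [string] $OutFile = $BaselinePath)
    # SHA-1 is used to stay consistent with the checksums Application Control itself works with.
    $rows = Get-ChildItem -LiteralPath $Root -Recurse -File |
        ForEach-Object {
            [pscustomobject]@{
                RelativePath = $_.FullName.Substring($Root.Length).TrimStart('\')
                Sha1         = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA1).Hash
                Length       = $_.Length
            }
        }
    New-Item -ItemType Directory -Path (Split-Path $OutFile) -Force | Out-Null
    $rows | Export-Csv -LiteralPath $OutFile -NoTypeInformation
    $rows
}

function Compare-FileBaseline {
    param([string] $Root = $BaselineRoot, [string] $BaselineFile = $BaselinePath)
    # Load the recorded manifest, then walk the live tree and classify each file.
    $old = @{}
    Import-Csv -LiteralPath $BaselineFile | ForEach-Object { $old[$_.RelativePath] = $_.Sha1 }

    $seen = @{}
    $findings = foreach ($f in Get-ChildItem -LiteralPath $Root -Recurse -File) {
        $rel  = $f.FullName.Substring($Root.Length).TrimStart('\')
        $hash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA1).Hash
        $seen[$rel] = $true
        if (-not $old.ContainsKey($rel)) {
            [pscustomobject]@{ Change = 'Added';    RelativePath = $rel; Sha1 = $hash }
        } elseif ($old[$rel] -ne $hash) {
            [pscustomobject]@{ Change = 'Modified'; RelativePath = $rel; Sha1 = $hash }
        }
    }
    $removed = foreach ($rel in $old.Keys) {
        if (-not $seen.ContainsKey($rel)) {
            [pscustomobject]@{ Change = 'Removed'; RelativePath = $rel; Sha1 = $old[$rel] }
        }
    }
    @($findings) + @($removed)
}

# Usage: take the baseline right after Application Control has been activated at the end of
# the installation procedure, then run the comparison on a schedule and after every
# maintenance window. An empty result means the baseline holds.
# New-FileBaseline | Out-Null
# Compare-FileBaseline | Format-Table -AutoSize
```

Store the manifest off the node (or on a write-protected share), since a baseline that the attacker can rewrite is no baseline; after a legitimate update, regenerate it only once the Compare output has been reviewed and matches the change record for that maintenance window.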

Page 39:

Defense-In-Depth Security Recommendations

● Incident Response - Prepare Capability
● Create an incident response policy and plan
● Develop procedures for performing incident handling and reporting
● Set guidelines for communicating with outside parties
● Select a team structure and staffing model
● Establish relationships and lines of communication between the incident response team and other groups
● Determine what services the incident response team should provide
● Staff and train the incident response team

Page 40:

Industrial Controls Cyber Security Resources

● The Schneider Electric security team offers a comprehensive portfolio of cyber security solutions to help address any internal, industry or regulatory requirement needs.

● Schneider Electric's Global Cyber Security Services
● Bernie Pella (706)504-7753
● [email protected]

• Product Selection/Specification
• Compliance
• Program Definition
• Assessment
• Remediation
• Program Deployment
• Audit Preparation
• Audit Support

Page 43:

Communication Channels

Cyber Security Blogs

• Thought Leadership from Doug Clifton
• http://blog.schneider-electric.com/author/dclifton/

Page 44:

Training • DHS: https://ics-cert.us-cert.gov/Training-Available-Through-ICS-CERT

• SANS: http://www.sans.org/critical-security-controls/

• InfoSec: http://www.infosecinstitute.com/

• ISA: http://www.isasecure.org/en-US/

• McAfee/Intel: http://www.mcafee.com/us/services/mcafee-education-services.aspx

Page 45:

Industrial Control Cyber Security Resources

McAfee Application Control Software http://www.mcafee.com/us/products/application-control.aspx

ICS CERT Targeted Cyber Intrusion Detection and Mitigation Strategies – Update B https://ics-cert.us-cert.gov/tips/ICS-TIP-12-146-01B

National Security Agency – Central Security Service

www.nsa.gov

Page 46:

©2015 Schneider Electric. All Rights Reserved. All trademarks are owned by Schneider Electric Industries SAS or its affiliated companies or their respective owners.

Thank you!
