Practical Applications for Automation Systems Management
Walter Sikora, Vice President, Security Solutions, Industrial Defender
Mike Dugent, Security Consultant, Industrial Defender
2012 SANS North America SCADA & Process Control Summit
1/29/2012 3 © 2010 Industrial Defender
Understanding the differences

| Enterprise IT Systems Management | Automation Systems Management |
| --- | --- |
| Not life threatening | Safety first |
| Availability important | Non-interruption critical |
| Transactional orientation | Real-time focus |
| IBM, SAP, Oracle, etc. | ABB, Siemens, GE, Honeywell, Emerson, etc. |
| People ~= Devices | Few people; many, many devices |
| PCs and Servers | Sensors, Controllers, Servers |
| Web services model is dominant | Polled process control model |
| MS Windows is dominant OS | Vendor embedded operating systems |
| Many commercial software products installed on each PC | Purpose-specific devices |
| Protocol is primarily HTTP/HTTPS over TCP/IP - widely known | Many industrial protocols, some over TCP/IP - vendor and sector-specific |
| Office environment, plus mobile | Harsh operating plant environments |
| Cross-industry IT jargon | Industry sector-specific jargon |
| Cross-industry regulations (mostly) | Industry-specific regulations |
The Challenges in Automation Systems Management
• Automation Systems becoming more complex:
  o Mix of legacy and next generation architectures
  o Heterogeneous systems
  o Exponential increase in intelligent devices
  o Unclear responsibility/ownership
• Need for increased security
  o Threat landscape is only getting worse
• Increasing compliance requirements
  o Both internal (audit) & external (regulatory)
• Downward budgetary pressure
• Fewer resources / increasing skill set gaps

Managing diverse requirements of automation systems environments: the convergence of operational requirements with security, compliance and change management requirements, all of which must be balanced.
Key Requirements for Addressing Challenges in Automation Systems Management
• Solutions that will automate and manage tedious manual tasks, resulting in:
  – Reduced labor cost
  – Reduced complexity
  – Improved operations efficiency
• Unified approach to security, compliance, and change management activities
• Purpose built tools engineered with deep domain expertise
  – OT is different from IT
• Eliminate need to deploy and manage multiple point solutions

Lowers Total Cost of Ownership
System is PWNED

The attack chain on this slide, in step order, with the policy that was in place at each step:

1. Attacker disguises as security expert at conference and hands out CD
2. Victim takes CD to office and opens PDF files on business computer – no viruses found
   Policy: Automatic AVS scan on all removable media and downloaded files
3. Backdoor created and attacker is “called” via standard service ports
   Policy: HTTP TCP/80 only open for outbound traffic originating inside
4. Attacker works on victim computer at night with access to credentials, files, remote desktop
   Policy: Computers to remain ON at night for backup and patching
5. Attacker finds VPN connection to trusted control system network
   Policy: No connections below ICS-DMZ shall be allowed except through VPN tunnels
6. Attacker compromises engineering workstation with previous pwd hash
   Policy: Single sign-on shall be used across entire enterprise
7. Firewall ruleset modified to allow outbound connections
8. Backdoor created and attacker is “called” via new service port
9. System is PWNED

“Think like a hacker ... to secure industrial control systems”
What we’ve learned from recent hacks…
• Anti-virus would not have prevented hacks like Stuxnet, Duqu or Night Dragon
• Perimeter and data diodes would not have prevented them
• Air gapping would not have prevented them
• Being compliant with NERC CIP would not have stopped them
• Logging would not have stopped them, but would have detected them
• Managing changes would have detected them
• Host Intrusion prevention “Whitelisting” would have prevented some of them
Automation control systems are vulnerable and are being targeted. Adversaries are thinking and working on how to attack your system.
SANS Top 20 Critical Security Controls - Version 3.1
• Critical Control 1: Inventory of Authorized and Unauthorized Devices
• Critical Control 2: Inventory of Authorized and Unauthorized Software
• Critical Control 3: Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
• Critical Control 4: Continuous Vulnerability Assessment and Remediation
• Critical Control 5: Malware Defenses
• Critical Control 6: Application Software Security
• Critical Control 7: Wireless Device Control
• Critical Control 8: Data Recovery Capability
• Critical Control 9: Security Skills Assessment and Appropriate Training to Fill Gaps
• Critical Control 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
SANS Top 20 Critical Security Controls (continued)
• Critical Control 11: Limitation and Control of Network Ports, Protocols, and Services
• Critical Control 12: Controlled Use of Administrative Privileges
• Critical Control 13: Boundary Defense
• Critical Control 14: Maintenance, Monitoring, and Analysis of Security Audit Logs
• Critical Control 15: Controlled Access Based on the Need to Know
• Critical Control 16: Account Monitoring and Control
• Critical Control 17: Data Loss Prevention
• Critical Control 18: Incident Response Capability
• Critical Control 19: Secure Network Engineering
• Critical Control 20: Penetration Tests and Red Team Exercises
Critical Control 14: Maintenance, Monitoring, and Analysis of Security Audit Logs
• Log monitoring is key but…
  – It’s difficult to configure, manage and keep systems up to date
• Log monitoring is difficult
  – It’s boring
  – It’s hard to develop and maintain skills
  – Many devices do not provide logs
  – It’s a 24x7 job
• Consider outsourcing to MSSP
No Silver bullets
• Many open source & home grown security solutions
  – Swatch
  – Snare
  – Syslog NG
  – Splunk
  – Shell scripts
  – Kiwi
  – LogView4Net
  – Flow tools
• Countless commercial solutions
People who have built their own solutions now face the maintenance burden
What to log?
• Collect all CCA (Critical Cyber Asset) logs and events to a central event collector
• Monitor:
  – Servers, Workstations, HMIs
  – Applications, Databases
  – PLCs, RTUs, IEDs
  – Gateways, Routers, Switches
  – Firewall, Access control, VPN
• Analyze logs for events of interest like:
  – Unauthorized access
  – Failed logins
  – System changes
  – Root users
What events are interesting?
• Just logging is not enough
• You either must manually review logs or automate
• Having a baseline of your system is helpful
• Look for anything that is not normal or not expected on the system
• Document your actions and activity
• Top five from SANS
  – Attempts to gain access through existing accounts
  – Failed file or resource access attempts
  – Unauthorized changes to users, groups, and services
  – Suspicious or unauthorized network traffic patterns
  – Systems most vulnerable to attack
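The two slides above (what to log, and which events are interesting) describe an analysis that is easy to automate once logs sit in one collector. The following is an added example written for this page, not code from the slides or from Industrial Defender. It assumes a normalised "timestamp host message" line format, constructs a handful of sample events (including a night-time login after repeated failures, an account added to an administrators group, and an outbound connection on a port the firewall policy does not allow), and flags the categories the slides name: failed logins, access through an existing account, changes to users and groups, and unexpected network traffic.

```python
"""Added example (not from the slides): scan centrally collected log lines for
the events of interest the slides list. The line format, host names, thresholds
and working hours are assumptions; every log line below is constructed."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample events; assumption: the collector normalises every source
# to "<ISO timestamp> <host> <message>".
SAMPLE_LOGS = """\
2012-01-29T02:14:05 hmi-01 sshd: Failed password for operator from 10.1.5.20 port 51022
2012-01-29T02:14:09 hmi-01 sshd: Failed password for operator from 10.1.5.20 port 51023
2012-01-29T02:14:12 hmi-01 sshd: Failed password for operator from 10.1.5.20 port 51024
2012-01-29T02:14:15 hmi-01 sshd: Failed password for operator from 10.1.5.20 port 51025
2012-01-29T02:15:01 hmi-01 sshd: Accepted password for operator from 10.1.5.20 port 51027
2012-01-29T02:16:40 eng-ws-02 useradd: new user: name=svc_backup, UID=1007
2012-01-29T02:17:02 eng-ws-02 usermod: add 'svc_backup' to group 'Administrators'
2012-01-29T02:18:30 fw-dmz-01 kernel: ACCEPT OUT src=10.1.5.20 dst=198.51.100.7 proto=TCP dpt=4444
2012-01-29T09:05:00 hmi-01 sshd: Accepted password for operator from 10.1.5.20 port 52000
2012-01-29T09:30:12 fw-dmz-01 kernel: ACCEPT OUT src=10.1.5.21 dst=198.51.100.9 proto=TCP dpt=80
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\S+)")
ACCEPTED_RE = re.compile(r"Accepted password for (?P<user>\S+) from (?P<src>\S+)")
ACCOUNT_RE = re.compile(r"^(useradd|usermod|userdel|groupadd|groupmod):")
OUTBOUND_RE = re.compile(r"ACCEPT OUT .*dst=(?P<dst>\S+) proto=(?P<proto>\S+) dpt=(?P<dpt>\d+)")


def parse_lines(text):
    """Yield (timestamp, host, message) for every well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["host"], m["msg"]


def find_events_of_interest(text, failed_threshold=3,
                            allowed_outbound_ports=frozenset({80}),
                            work_hours=(6, 18)):
    """Return a list of (category, host, detail) findings.

    Categories follow the slides: repeated failed logins, access through an
    existing account after failures or outside working hours, changes to users
    and groups, and outbound traffic that the firewall policy should not allow.
    """
    findings = []
    failures = defaultdict(int)          # (host, user, src) -> failed count
    for ts, host, msg in parse_lines(text):
        if m := FAILED_RE.search(msg):
            key = (host, m["user"], m["src"])
            failures[key] += 1
            if failures[key] == failed_threshold:      # report once per burst
                findings.append(("failed-logins", host,
                                 f"{failed_threshold} failed logins for {m['user']} from {m['src']}"))
        elif m := ACCEPTED_RE.search(msg):
            key = (host, m["user"], m["src"])
            # a success that follows a burst of failures is the interesting one
            if failures.pop(key, 0) >= failed_threshold:
                findings.append(("access-after-failures", host,
                                 f"{m['user']} logged in from {m['src']} after repeated failures"))
            if not work_hours[0] <= ts.hour < work_hours[1]:
                findings.append(("off-hours-access", host,
                                 f"{m['user']} logged in at {ts.time()} from {m['src']}"))
        elif ACCOUNT_RE.match(msg):
            findings.append(("account-change", host, msg))
        elif m := OUTBOUND_RE.search(msg):
            if int(m["dpt"]) not in allowed_outbound_ports:
                findings.append(("unexpected-outbound", host,
                                 f"{m['proto']} to {m['dst']}:{m['dpt']} not in allowed set"))
    return findings


def summarize(findings):
    """Count findings per category, the view an analyst triages from."""
    return Counter(category for category, _, _ in findings)


if __name__ == "__main__":
    for category, host, detail in find_events_of_interest(SAMPLE_LOGS):
        print(f"{category:24} {host:10} {detail}")
    print(dict(summarize(find_events_of_interest(SAMPLE_LOGS))))
```

On the constructed input the scan returns six findings: one burst of failed logins, the login that followed it, the same login flagged as off-hours, two account changes on the engineering workstation, and one outbound connection on TCP/4444. The 09:05 login and the TCP/80 connection produce nothing, which is the point of having a baseline of allowed ports and working hours: the analyst reviews what deviates, not every line.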
Example of setting up IDS alert priority for EMS (Snort classification.config syntax is config classification: <shortname>,<description>,<priority>, where priority 1 is the highest):

config classification: attempted-dos,Attempted Denial of Service,1

Attempted denial-of-service activity should never be seen on a control system network, so any such alert should be investigated at a high priority.
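The classification line above raises one priority on the sensor; the central console usually needs the same policy too, because sensors deployed with the stock IT priorities keep emitting those. The following is an added example for this page, not code from the slides or from Industrial Defender. The EMS override table, the alert lines and the sensor names are assumptions; the four stock classifications and their default priorities are taken from Snort's shipped classification.config as best known to this example, and the alert format is Snort's alert_fast output.

```python
"""Added example (not from the slides): render Snort classification lines with
EMS priorities applied, and re-map the priority of alerts from sensors that
still run the stock config. Override table and alert lines are assumptions."""
import re

# A few of Snort's stock classifications: shortname -> (description, default priority).
# Values as in the shipped classification.config, as best known to this example.
SNORT_DEFAULTS = {
    "attempted-dos": ("Attempted Denial of Service", 2),
    "attempted-admin": ("Attempted Administrator Privilege Gain", 1),
    "network-scan": ("Detection of a Network Scan", 3),
    "icmp-event": ("Generic ICMP event", 3),
}

# Assumed EMS policy: activity that should never appear on a control network
# is investigated at the highest priority (1), whatever the IT default is.
EMS_OVERRIDES = {"attempted-dos": 1, "network-scan": 1}


def classification_config(defaults=SNORT_DEFAULTS, overrides=EMS_OVERRIDES):
    """Render classification.config lines with the EMS priorities applied."""
    return [
        f"config classification: {short},{desc},{overrides.get(short, prio)}"
        for short, (desc, prio) in defaults.items()
    ]


# alert_fast lines carry the description, not the shortname, so map it back
FAST_ALERT_RE = re.compile(
    r"\[Classification: (?P<desc>[^\]]+)\] \[Priority: (?P<prio>\d+)\]"
)


def ems_priority(alert_line, defaults=SNORT_DEFAULTS, overrides=EMS_OVERRIDES):
    """Return the priority an EMS analyst should treat this alert at, or None
    if the line is not a parseable fast-format alert."""
    m = FAST_ALERT_RE.search(alert_line)
    if not m:
        return None
    by_desc = {desc: short for short, (desc, _) in defaults.items()}
    short = by_desc.get(m["desc"])
    return overrides.get(short, int(m["prio"]))


# Constructed alert_fast lines as a sensor with the stock config would emit them
SAMPLE_ALERTS = [
    "01/29-02:18:31.000000 [**] [1:1000001:1] ICS DoS attempt [**] "
    "[Classification: Attempted Denial of Service] [Priority: 2] "
    "{TCP} 10.1.5.20:51030 -> 10.2.0.15:502",
    "01/29-02:20:02.000000 [**] [1:1000002:1] Port sweep [**] "
    "[Classification: Detection of a Network Scan] [Priority: 3] "
    "{TCP} 10.1.5.20:51031 -> 10.2.0.16:502",
    "01/29-09:00:00.000000 [**] [1:1000003:1] Ping [**] "
    "[Classification: Generic ICMP event] [Priority: 3] "
    "{ICMP} 10.2.0.1 -> 10.2.0.15",
]

if __name__ == "__main__":
    print("\n".join(classification_config()))
    for line in SAMPLE_ALERTS:
        print(ems_priority(line), line.split("[**]")[1].strip())
```

The rendered config contains the attempted-dos line from the slide with priority 1, and the two control-network alerts in the sample are re-mapped to 1 while the ICMP event keeps its default of 3.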
Change management
• Critical Control 1: Inventory of Authorized and Unauthorized Devices
• Critical Control 2: Inventory of Authorized and Unauthorized Software
• Critical Control 3: Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
Baselines are an easy way to spot the differences
• Inventory all system devices
• Collect device configuration
  – Software
  – Patches
  – Configuration
  – Ports & services
  – User accounts
  – Firewall rules
• Compare one device to another
• Establish “gold” standard baseline and compare
• Check periodically
• File integrity checks
• Registry monitoring
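The baseline comparison the slide describes is, at its core, a set difference over the collected attributes. The following is an added example written for this page, not code from the slides or from Industrial Defender. It constructs a "gold" baseline for an engineering workstation class and one device snapshot taken after the attack chain shown earlier in the deck (a new listening port, an extra outbound firewall rule, a new account and a changed binary), and reports every deviation; the attribute names follow the slide's collection list, and all values are made up.

```python
"""Added example (not from the slides): compare a device's collected
configuration against a "gold" baseline. Baseline and snapshot contents are
constructed; attribute names follow the slide's collection list."""
import hashlib


def sha256_hex(data: bytes) -> str:
    """File integrity check: the digest recorded at baseline time."""
    return hashlib.sha256(data).hexdigest()


# Constructed gold baseline for an engineering workstation class
GOLD_BASELINE = {
    "software": {"HMI Runtime": "7.2", "VNC Server": "4.1"},
    "patches": {"KB2000001", "KB2000002"},
    "ports": {("tcp", 80), ("tcp", 5900)},
    "services": {"hmi-runtime", "vnc"},
    "users": {"operator", "engineer"},
    "firewall_rules": [("out", "tcp", 80, "allow")],
    "files": {r"C:\HMI\runtime.exe": sha256_hex(b"runtime build 7.2")},
}

# Constructed snapshot from one device after the scenario in the slides
DEVICE_SNAPSHOT = {
    "software": {"HMI Runtime": "7.2", "VNC Server": "4.1", "Unknown Tool": "1.0"},
    "patches": {"KB2000001"},                       # one patch missing
    "ports": {("tcp", 80), ("tcp", 5900), ("tcp", 4444)},  # new service port
    "services": {"hmi-runtime", "vnc", "svchelper"},
    "users": {"operator", "engineer", "svc_backup"},
    "firewall_rules": [("out", "tcp", 80, "allow"), ("out", "tcp", 4444, "allow")],
    "files": {r"C:\HMI\runtime.exe": sha256_hex(b"runtime build 7.2 with extra bytes")},
}


def diff_against_baseline(baseline, snapshot):
    """Return sorted (attribute, change, detail) tuples for every deviation.

    Works equally for device-to-device comparison: pass another device's
    snapshot as the baseline."""
    findings = []
    for attr in ("patches", "ports", "services", "users"):
        findings += [(attr, "added", str(i)) for i in snapshot[attr] - baseline[attr]]
        findings += [(attr, "missing", str(i)) for i in baseline[attr] - snapshot[attr]]
    # rules are ordered lists, so compare membership rather than sets
    findings += [("firewall_rules", "added", str(r))
                 for r in snapshot["firewall_rules"] if r not in baseline["firewall_rules"]]
    findings += [("firewall_rules", "missing", str(r))
                 for r in baseline["firewall_rules"] if r not in snapshot["firewall_rules"]]
    for name, ver in snapshot["software"].items():
        base_ver = baseline["software"].get(name)
        if base_ver is None:
            findings.append(("software", "added", f"{name} {ver}"))
        elif base_ver != ver:
            findings.append(("software", "changed", f"{name} {base_ver} -> {ver}"))
    findings += [("software", "missing", n)
                 for n in baseline["software"].keys() - snapshot["software"].keys()]
    for path, digest in baseline["files"].items():
        seen = snapshot["files"].get(path)
        if seen is None:
            findings.append(("files", "missing", path))
        elif seen != digest:
            findings.append(("files", "changed", path))
    return sorted(findings)


if __name__ == "__main__":
    for attr, change, detail in diff_against_baseline(GOLD_BASELINE, DEVICE_SNAPSHOT):
        print(f"{attr:15} {change:8} {detail}")
```

Run periodically, as the slide suggests, the report is short enough to read: seven deviations here, among them the TCP/4444 listener and the matching outbound rule that correspond to steps 7 and 8 of the attack chain. Comparing the gold baseline with itself returns nothing, which is the check that the collection itself is stable.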
Protecting your A$$ets
• Critical Control 5: Malware Defenses
• Critical Control 6: Application Software Security
• Critical Control 13: Boundary Defense

• Defense-in-depth
• Physical security
• Strong passwords
• Firewalls
• Network intrusion detection / prevention
• Host intrusion detection / prevention
• Anti-virus
• Application whitelisting

Application whitelisting is a security technology that maintains a list of executable files and denies the execution of a file that is not on the list, depending on policy settings.
Application Whitelisting
• It’s not a silver bullet
• It cannot stop all attacks
• Works better than AV
  – Zero day attacks
  – No signature DAT updates
• Good for
  – Software inventory
  – Change management
• Requires knowledge of applications
  – Validation testing
  – Complex legacy apps
  – Corner cases can be bad
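To make the definition of application whitelisting and its corner cases concrete, here is an added example written for this page, not code from the slides, from Industrial Defender or from any whitelisting product. It models the list as approved SHA-256 digests per path with an enforce and an audit policy mode, and walks through the three cases the slides raise: a known-good binary, an executable that was never approved, and the change-management corner case where a legitimate vendor patch changes the hash and is blocked until the new version is approved under a change record. All paths, byte strings and ticket numbers are constructed.

```python
"""Added example (not from the slides or any vendor product): a minimal
application whitelisting decision engine with enforce/audit modes and the
change-management corner case of a patched binary. All data is constructed."""
import hashlib
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Whitelist:
    """Approved executables: path -> set of approved SHA-256 digests."""
    approved: dict = field(default_factory=dict)
    mode: str = "enforce"            # "enforce" blocks, "audit" only records
    audit_log: list = field(default_factory=list)

    def approve(self, path, content: bytes, change_ticket: str):
        """Add a digest under a change record; every new version needs one."""
        self.approved.setdefault(path, set()).add(sha256_hex(content))
        self.audit_log.append(("approved", path, change_ticket))

    def decide(self, path, content: bytes) -> str:
        """Return 'allow', 'block' (enforce mode) or 'allow-audit' (audit mode)."""
        if sha256_hex(content) in self.approved.get(path, set()):
            return "allow"
        # not on the list: an unknown file, or a known path whose bytes changed
        reason = "modified" if path in self.approved else "unknown"
        if self.mode == "enforce":
            self.audit_log.append(("blocked", path, reason))
            return "block"
        self.audit_log.append(("would-block", path, reason))
        return "allow-audit"


# Constructed executables; the byte strings stand in for real binaries
HMI_V1 = b"hmi runtime build 7.2"
HMI_V2 = b"hmi runtime build 7.3 (vendor patch)"
DROPPED = b"executable written to a public folder at 02:16"


def build_workstation_whitelist(mode="enforce") -> Whitelist:
    """The gold-image list: only the shipped HMI runtime is approved."""
    wl = Whitelist(mode=mode)
    wl.approve(r"C:\HMI\runtime.exe", HMI_V1, "CHG-0001 initial gold image")
    return wl


def scenario(mode="enforce"):
    """Run the cases the slides discuss and return the decisions by name."""
    wl = build_workstation_whitelist(mode)
    results = {
        "known-good": wl.decide(r"C:\HMI\runtime.exe", HMI_V1),
        "unapproved-executable": wl.decide(r"C:\Users\Public\update.exe", DROPPED),
        # corner case: the vendor patch changes the hash, so the legitimate
        # runtime is blocked until change management approves the new version
        "patched-before-approval": wl.decide(r"C:\HMI\runtime.exe", HMI_V2),
    }
    wl.approve(r"C:\HMI\runtime.exe", HMI_V2, "CHG-0002 vendor patch 7.3")
    results["patched-after-approval"] = wl.decide(r"C:\HMI\runtime.exe", HMI_V2)
    return results


if __name__ == "__main__":
    print("enforce:", scenario("enforce"))
    print("audit:  ", scenario("audit"))
```

In enforce mode the unapproved executable and the not-yet-approved patch are both blocked, which is why the slides say validation testing is needed before enforcement: run the same list in audit mode first, read the "would-block" entries, and approve the legitimate ones through change management before switching modes.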
Use Case Demonstrations
• Monitoring for intrusions
  – Use case 1 – typical event logging (agentless)
  – Use case 2 – agent based host intrusion detection (file integrity, registry, ports, services…)
• Change management and compliance
  – Use case 3 – show how change management can detect an attack
  – Use case 4 – demonstrate baseline concept to detect differences
• Host protection using whitelisting technology
  – Use case 5 – show how whitelisting blocks malware / executables
• Wrap-up discussions