1

Process Control Networks Secure Architecture Design

2

Instructor

Chee Ban Ngai Industrial IT Solutions, Leader Asia Pacific

Chee Ban leads Honeywell’s Industrial IT Solutions in Asia Pacific. For over 18 years, he has provided consulting expertise in the oil & gas, and corporate IT sectors focusing on cyber security, remote services and information risk management. He graduated from Nanyang Technological University in mechanical engineering and also received his master in software engineering from the National University of Singapore. A mechanical engineer by training, he was with a risk management consultancy in Singapore and headed IT security offices in Malayan Banking and PETRONAS before joining Honeywell.

Chee Ban holds Certified Information Systems Security Professional (CISSP) and Certified Information Systems Auditor (CISA) certifications, and is based out from Kuala Lumpur.

ISACA

3

Agenda

• Defining Secure Network Architecture

– Why a secure network architecture

– Who needs a secure network architecture

• What is a Secure Network Architecture

– Defense in depth

– Layers of security

– ISA-95 4-Levels

• IEC 62443 (ISA 99) on Secure Process Control Network Architecture

– Zone and Conduit Models

– Security levels

• Questions & Answers

4

Stuxnet: The attack that changed the ICS’s perspective about cyber

security

“Stuxnet is really a paradigm shift, as Stuxnet is a new class and dimension of malware. Not only for its complexity and sophistication, e.g. by the combination of exploiting four different vulnerabilities in Windows, and by using two stolen certificates, and from there attacking complex Siemens SCADA systems. The attackers have invested a substantial amount of time and money to build such a complex attack tool. The fact that perpetrators activated such an attack tool, can be considered as the "first strike", i.e. one of the first organized, well prepared attack against major industrial resources. This has tremendous effect on how to protect national (CIIP) in the future. After Stuxnet, the currently prevailing philosophies on CIIP will have to be reconsidered. They should be developed to withstand these new types of sophisticated attack methods. Now, that Stuxnet and its implemented principles have become public, we may see more of these kinds of attacks. All security actors will thus have to be working more closely together and develop better and more coordinated strategies.” Dr Helmbrecht concludes.

The Executive Director of ENISA, Dr Udo Helmbrecht, comments:

5

Why A Secure Network Architecture

• “Open” Systems

• Targeted Attacks

• Skill-Resource

Limitations

• Compliance and

Regulation

6

Who Needs A secure Network Architecture

• Critical Infrastructure

• Regulated Industries

• Manufacturing

• Businesses that depend

on Process Systems

7

How do you know if your Network Architecture is

secure?

Industry Control Systems (ICS/SCADA) saw more than

six fold increase in vulnerabilities from 2010 to 2012 NSS Labs, Inc. 2013 VULNERABILITY THREAT TRENDS

8

Layered Approach to Process Network Security

Physical Access Control

Secure Network Architecture

Monitoring & Interceptions

Application Layer Security

Redundancy

Secure Network Architecture Design

9

Defense in depth approach provides layers of

security to protect critical assets.

Defense in depth

Multiple protection

mechanisms

Layers of protection

Resilient to attack

10

Typical PCS Network Topology

Router

ESC ESF EST ACE Experion

Server

ESVT Safety Manager

Terminal

Server

Qualified Cisco Switches

Optional HSRP

Router

Domain

Controller ESF EAS

PHD

Server Experion

Server

Firewall

3RD Party App Subsystem

Interface

Enterprise Switch

Level 3

Level 3.5 DMZ

Level 4

Terminal

Server Patch

Mgmt

Server

Anti

Virus

Server

eServer PHD

Shadow

Server

Level 2

Domain

Controller

Level 1

L1 to L1

Lim

ite

d L

2 t

o

L1

L2 to L2

L3 to L3

Lim

ite

d L

2 t

o

L3

Limited L3.5 to L3.5

Very

L

imit

ed

L

3

to L

3.5

Very

L

imit

ed

L2

to L

3.5

Comm flow

L4 to L4

Very

L

imit

ed

L

3.5

to

L4

N

o D

irec

t c

om

mu

nic

ati

on

s b

etw

ee

n L

4 &

L3

o

r L

2

No

co

mm

un

ica

tio

ns

be

twe

en

L1

&

L3

o

r L

4

11

ISA-95: 4-Levels Security

– Level 1 - Controllers and real time control

– Level 2 – Servers, Operator Stations and supervisory control.

– Level 3 - Historians and Advanced Control and other Level 2 areas or units.

– Level 3.5 - DMZ accessed from the Business Network and the PCN.

– Level 4 - Is the business network with clients for Historians or Advanced Control applications.

– Level 3 and 3.5 utilizes standard open systems Ethernet technology and Level 4 utilizes standard open systems LAN technology.

12

Level 4 - Business Network

Router

ESC ESF EST ACE Experion

Server

ESVT Safety Manager

Terminal

Server

Qualified Cisco Switches

Optional HSRP

Router

Domain

Controller ESF EAS

PHD

Server Experion

Server

Firewall

3RD Party App Subsystem

Interface

Enterprise Switch

Level 3

Level 3.5 DMZ

Level 4

Terminal

Server Patch Mgmt

Server

Anti

Virus

Server

eServer PHD

Shadow

Server

Level 2

Domain

Controller

Level 1

L1 to L1

Lim

ite

d L

2 t

o

L1

L2 to L2

L3 to L3

Lim

ite

d L

2 t

o

L3

Limited L3.5 to L3.5

Very

L

imit

ed

L

3

to L

3.5

Very

L

imit

ed

L2

to L

3.5

Comm flow

L4 to L4

Very

L

imit

ed

L

3.5

to

L4

N

o D

irec

t c

om

mu

nic

ati

on

s b

etw

ee

n L

4 &

L3

o

r L

2

No

co

mm

un

ica

tio

ns

be

twe

en

L1

&

L3

o

r L

4

– Is the business network with clients for Historians or Advanced Control applications.

– Untrusted Network

– Separated by a firewall

– No direct connection to Level 3 or below

– Managed by Business IT department

– Level 4 utilizes standard open systems LAN technology.

13

Level 3.5 – Demilitarized Zone (DMZ)

Router

ESC ESF EST ACE Experion

Server

ESVT Safety Manager

Terminal

Server

Qualified Cisco Switches

Optional HSRP

Router

Domain

Controller ESF EAS

PHD

Server Experion

Server

Firewall

3RD Party App Subsystem

Interface

Enterprise Switch

Level 3

Level 3.5 DMZ

Level 4

Terminal

Server Patch

Mgmt

Server

Anti

Virus

Server

eServer PHD

Shadow

Server

Level 2

Domain

Controller

Level 1

L1 to L1

Lim

ite

d L

2 t

o

L1

L2 to L2

L3 to L3

Lim

ite

d L

2 t

o

L3

Limited L3.5 to L3.5

Very

L

imit

ed

L

3

to L

3.5

Very

L

imit

ed

L2

to L

3.5

Comm flow

L4 to L4

Very

L

imit

ed

L

3.5

to

L4

N

o D

irec

t c

om

mu

nic

ati

on

s b

etw

ee

n L

4 &

L3

o

r L

2

No

co

mm

un

ica

tio

ns

be

twe

en

L1

&

L3

o

r L

4

– Is commonly called the DMZ

– Typical nodes WSUS, Anti-Virus Server, Terminal

Server, etc.

– Provides connectivity for devices that are to be accessed from the Business Network and the PCN.

– Security zone between the PCN and outside networks

– Can be redundant, but not FTE capable

14

Level 3 – Advanced Control

Router

ESC ESF EST ACE Experion

Server

ESVT Safety Manager

Terminal

Server

Qualified Cisco Switches

Optional HSRP

Router

Domain

Controller ESF EAS

PHD

Server Experion

Server

Firewall

3RD Party App Subsystem

Interface

Enterprise Switch

Level 3

Level 3.5 DMZ

Level 4

Terminal

Server Patch

Mgmt

Server

Anti

Virus

Server

eServer PHD

Shadow

Server

Level 2

Domain

Controller

Level 1

L1 to L1

Lim

ite

d L

2 t

o

L1

L2 to L2

L3 to L3

Lim

ite

d L

2 t

o

L3

Limited L3.5 to L3.5

Very

L

imit

ed

L

3

to L

3.5

Very

L

imit

ed

L2

to L

3.5

Comm flow

L4 to L4

Very

L

imit

ed

L

3.5

to

L4

N

o D

irec

t c

om

mu

nic

ati

on

s b

etw

ee

n L

4 &

L3

o

r L

2

No

co

mm

un

ica

tio

ns

be

twe

en

L1

&

L3

o

r L

4

– Connections for Historians and Advanced Control

– Routing

– Access List control

– Connect other Level 2 areas or units

– Can be redundant, but not FTE capable

– HSRP

15

Level 2 – Supervisory Control

Router

ESC ESF EST ACE Experion

Server

ESVT Safety Manager

Terminal

Server

Qualified Cisco Switches

Optional HSRP

Router

Domain

Controller ESF EAS

PHD

Server Experion

Server

Firewall

3RD Party App Subsystem

Interface

Enterprise Switch

Level 3

Level 3.5 DMZ

Level 4

Terminal

Server Patch

Mgmt

Server

Anti

Virus

Server

eServer PHD

Shadow

Server

Level 2

Domain

Controller

Level 1

L1 to L1

Lim

ite

d L

2 t

o

L1

L2 to L2

L3 to L3

Lim

ite

d L

2 t

o

L3

Limited L3.5 to L3.5

Very

L

imit

ed

L

3

to L

3.5

Very

L

imit

ed

L2

to L

3.5

Comm flow

L4 to L4

Very

L

imit

ed

L

3.5

to

L4

N

o D

irec

t c

om

mu

nic

ati

on

s b

etw

ee

n L

4 &

L3

o

r L

2

No

co

mm

un

ica

tio

ns

be

twe

en

L1

&

L3

o

r L

4

– Connections for Servers and Operator Stations

– Supervisory control

– Connection to Level 1

– Protection for Level 1 with access lists

– FTE capable

16

Level 1 – Process Control

Router

ESC ESF EST ACE Experion

Server

ESVT Safety Manager

Terminal

Server

Qualified Cisco Switches

Optional HSRP

Router

Domain

Controller ESF EAS

PHD

Server Experion

Server

Firewall

3RD Party App Subsystem

Interface

Enterprise Switch

Level 3

Level 3.5 DMZ

Level 4

Terminal

Server Patch

Mgmt

Server

Anti

Virus

Server

eServer PHD

Shadow

Server

Level 2

Domain

Controller

Level 1

L1 to L1

Lim

ite

d L

2 t

o

L1

L2 to L2

L3 to L3

Lim

ite

d L

2 t

o

L3

Limited L3.5 to L3.5

Very

L

imit

ed

L

3

to L

3.5

Very

L

imit

ed

L2

to L

3.5

Comm flow

L4 to L4

Very

L

imit

ed

L

3.5

to

L4

N

o D

irec

t c

om

mu

nic

ati

on

s b

etw

ee

n L

4 &

L3

o

r L

2

No

co

mm

un

ica

tio

ns

be

twe

en

L1

&

L3

o

r L

4

– Controllers and real time control

– Controllers and Console Stations.

– FTE Bridge (FTEB) or C300

– Protected by all other levels

17

IEC 62443 / ISA 99 – Key References

Key references:

• IEC 62443-3-2 SL, zones & conduits

• IEC 62443-3-3 Security Requirements

• IEC 62443-2-2 Non-technical controls

18

Security Levels (SL)

• SL 1 – PROTECTION AGAINST CASUAL OR COINCIDENTAL VIOLATION (I.e.

changing a setpoint to a value outside engineering defined conditions,

interception of a password send over the network in clear text.)

• SL 2 – PROTECTION AGAINST INTENTIONAL VIOLATION USING SIMPLE

MEANS (I.e. virus infection, exploiting commonly known vulnerabilities of DMZ

hosts)

• SL 3 – PROTECTION AGAINST INTENTIONAL VIOLATION USING

SOPHISTICATED MEANS (I.e. exploits in operating systems, protocols.

Attacker requires advanced security knowledge, advanced domain knowledge,

advanced knowledge of the target system. I.e. password cracking.)

• SL 4 – PROTECTION AGAINST INTENTIONAL VIOLATION USING

SOPHISTICATED MEANS WITH EXTENDED RESOURCES (Similar to SAL 3 but

attacker now has extended resources to their disposal. I.e. StuxNet attack)

Online Shopping Portal – Unauthorized Pricing Alteration

Application compromised.

Immediate impact of financial loss.

Shopping portal reputation at stake.

SL 3 – PROTECTION AGAINST INTENTIONAL VIOLATION USING

SOPHISTICATED MEANS – Case Example

With a legitimate online

account login, the tester

purported to buy this

In a Penetration

Test , this Online

Shopping Portal

was found with a

“form-field

manipulation”

security weakness.

SL 3 – PROTECTION AGAINST INTENTIONAL VIOLATION USING

SOPHISTICATED MEANS – Case Example

Unit price

was

$449.00

SL 3 – PROTECTION AGAINST INTENTIONAL VIOLATION USING

SOPHISTICATED MEANS – Case Example

Tester

proceeded to

“buy” 5 units

of this and

placed in

online

shopping cart

for $2,245.

SL 3 – PROTECTION AGAINST INTENTIONAL VIOLATION USING

SOPHISTICATED MEANS – Case Example

The tester exploited

on the found

vulnerability, by

altering the unit price

from $449 to $1.00

SL 3 – PROTECTION AGAINST INTENTIONAL VIOLATION USING

SOPHISTICATED MEANS – Case Example

The tester

successfully

changed the total

payable amount

from $2,245 to

$1.00.

The Online

shopping portal

was successfully

hacked.

SL 3 – PROTECTION AGAINST INTENTIONAL VIOLATION USING

SOPHISTICATED MEANS – Case Example

25

Using Zones: An Example Oil Refinery

Courtesy: Tofino

26

Specifying the Zones

Courtesy: Tofino

27

Defining the Conduits

Courtesy: Tofino

28

Defining the Data Flow Between Zones

Courtesy: Tofino

29

Security Levels (SL): Mapping of SRs & REs

SL 1 – PROTECTION AGAINST CASUAL OR COINCIDENTAL VIOLATION (I.e.

changing a setpoint to a value outside engineering defined conditions,

interception of a password send over the network in clear text.)

SL 2 – PROTECTION AGAINST INTENTIONAL VIOLATION USING SIMPLE MEANS

(I.e. virus infection, exploiting commonly known vulnerabilities of DMZ hosts)

SL 3 – PROTECTION AGAINST INTENTIONAL VIOLATION USING

SOPHISTICATED MEANS (I.e. exploits in operating systems, protocols.

Attacker requires advanced security knowledge, advanced domain knowledge,

advanced knowledge of the target system. I.e. password cracking.)

SL 4 – PROTECTION AGAINST INTENTIONAL VIOLATION USING

SOPHISTICATED MEANS WITH EXTENDED RESOURCES (Similar to SAL 3 but

attacker now has extended resources to their disposal. I.e. StuxNet attack)

30

SLs as a Vector : Using Foundational Requirements (FR)

• Instead of compressing SL down to a single number

• Concept of SL-Target, SL-Capabilities, SL-Achieved

• Use of vector approach based on 7 Foundational Requirements (FRs)

• As defined by ISA-62443-1-1 (99.01.01)

1. IAC – Identification & Authentication Control

2. UC – Use Control

3. SI – System Integrity

4. DC – Data Confidentiality

5. RDF – Restricted Data Flow

6. TRE – Timely Response to Events

7. RA – Resource Availability

Example: SL-T (Zone A) = { 2 2 0 1 3 1 3 }

IAC UC SI DC RDF TRE RA

31

SLs as a Vector : Using FRs, translated into SRs & REs

For eg.

The requirements for the four SL levels that relate to RDF are:

SL-C(RDF, control system) 1: SR 5.1, SR 5.2 , SR 5.3 , SR 5.4

SL-C(RDF, control system) 2: SR 5.1, SR 5.2 , SR 5.3 , SR 5.4

SL-C(RDF, control system) 3: SR 5.1, SR 5.2 , SR 5.3 , SR 5.4

SL-C(RDF, control system) 4: SR 5.1, SR 5.2 , SR 5.3 , SR 5.4

+ RE(1) + RE(1)

+ RE(1)

+ RE(2)

+ RE(3)

+ RE(1)

+ RE(2)

+ RE(1)

+ RE(1)

+ RE(2)

+ RE(3)

+ RE(1)

+ RE(2)

+ RE(3)

+ RE(1)

Example: SL-T (Zone A) = { 2 2 0 1 3 1 3 }

RDF IAC UC SI DC TRE RA or SL-T (RDF, Zone A) = 3

SR = Security Requirement

RE = Requirement Enhancement

32

SLs as a Vector : Using FRs, translated into SRs & REs

33

SLs as a Vector : Capabilities vs. Target, & Achieved

Example:

SL-T (Zone A) = { 2 2 0 1 3 1 3 }

vs.

SL-C (Zone A) = { 1 1 0 1 2 3 4 }

Ok

Ok

Ok

Shortfall – needs enhancement

(component level security improvements)

Ok

Final outcome after enhancements implementation:-

SL-A (Zone A) = { 2 2 0 1 2 3 4 }

34

Questions

Contacts

2012 35 Honeywell Proprietary

Follow us: Blog: http://insecurity.honeywellprocess.com

Website: http://www.honeywellprocess.com

Website: http://www.becybersecure.com

Chee Ban Ngai Industrial IT Solutions, Leader, Asia Pacific

phone: +603 7958 4988

cell: +6012 233 0915

cheeban.ngai@honeywell.com

Mike Spear Global Operation Manager, Industrial IT Solutions

phone: +1 (770) 689-1132

cell: +1 (678) 447-6422

mike.spear@honeywell.com