Application Whitelisting and DPI in ICS (English)

description

Rani Kehat of Elbit discusses Application Whitelisting and Deep Packet Inspection (DPI) used to protect ICS.

Transcript of Application Whitelisting and DPI in ICS (English)

Page 1: Application Whitelisting and DPI in ICS (English)

©2014 by Elbit Systems | Elbit Systems Proprietary

Cyber security for ICS

Lev-1 / Lev-2 / Lev-3

Rani Kehat CISSP

Director Marketing, Intelligence & Cyber Solutions, Elbit Systems, [email protected]

Page 2: Application Whitelisting and DPI in ICS (English)

Sitting by my computer screen
White turns to Black, Black turns to White
All just Shades of Grey

Page 3: Application Whitelisting and DPI in ICS (English)

ICS Protection: Application and DPI Whitelisting

Page 4: Application Whitelisting and DPI in ICS (English)

AIG – New Cyber Policy

Will cover:

Physical damage

Property

Harm to people

Not only “data breach”

SecurityWeek, April 2014: “request especially from SCADA industrial power plants, but as they review applicants, they refused most of them… that protection were inadequate”

Is AIG setting high demands?

Or is the protection inadequate?

Or both?

Page 5: Application Whitelisting and DPI in ICS (English)

Application Whitelisting

Page 6: Application Whitelisting and DPI in ICS (English)

What is What?

Page 7: Application Whitelisting and DPI in ICS (English)

What is AWL

Node-level protection against malware and unauthorized executables.

Scans the disk for executables and stamps each with a hash (MD5, SHA-1, SHA-256…). MD5 and SHA-1 are collision-prone, so a whitelist keyed on them can be matched by a crafted binary; prefer SHA-256.

To each hash a security policy is attached.

One policy for all nodes, or differentiated according to operational function.

Policy examples: file creation, trusted path, file integrity, execution control.

Diagram: executable file → hash → rule (Rule A, Rule B) → verdict: Run, Pending, or Deny.

Page 8: Application Whitelisting and DPI in ICS (English)

In two words ... Or More

Whitelisting – only allows the trusted good to run

Anti-virus – only stops the known bad from running

What about the rest?

Diagram: an executable is classified as Trusted (run process), Pending, or Bad (not allowed).

Page 9: Application Whitelisting and DPI in ICS (English)

AWL Protection – Benefits

We get protection against unsigned malware.

We get an audit log of system instances, allowing greater visibility into data integrity and user accountability.

End-point security at driver level – USB, I/O, execute-only…

File rights management – access control and rights to folders and files.

Snapshot – gold image (baseline) configuration, inventory of files.

Proactive – only needed when software changes are made (can cut down patching, but does not mean you can stop patching altogether).

Change management – certificate, temporary policy for updates, trusted location, manual approval.

Page 10: Application Whitelisting and DPI in ICS (English)

Turning Grey to White

Trusted user

Trusted directory

Updater – an application with uplifted privileges, e.g. SCCM (System Center Configuration Manager)

Installer – using a hash DB

Publisher – using digitally signed applications

Binary – precompiled binary, registered by hash; interpreters

End-user notification

Grey app – run in restrictive mode: limited access to corporate data, no network access.

Administrating a whitelisting system is a key function that must be understood and planned .
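The hash-to-policy rule engine of page 7 and the "grey to white" paths of page 10, as one added example. This is not Elbit's or any vendor's product code; the trusted directory, the trusted updater name (sccm-agent.exe), the interpreter list, the file paths and the byte strings standing in for executables are all assumptions constructed for the example.

```python
"""Added example (not Elbit's or any vendor's product code): a minimal
application-whitelisting decision engine of the kind the slides describe.
Each executable is identified by its SHA-256 hash, each hash maps to a rule,
and the rule yields one of three verdicts: RUN, PENDING (grey: run restricted,
user notified) or DENY. The "turning grey to white" paths (trusted directory,
trusted updater, manual approval) and all paths, names and byte strings below
are assumptions constructed for the example."""
import hashlib
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    RUN = "run"
    PENDING = "pending"  # grey: restricted mode, no network, user notified
    DENY = "deny"


@dataclass
class Policy:
    allowed: dict = field(default_factory=dict)   # sha256 -> label
    denied: set = field(default_factory=set)      # sha256 of known-bad files
    trusted_dirs: tuple = ("C:/Program Files/SCADA/",)           # assumption
    trusted_updaters: frozenset = frozenset({"sccm-agent.exe"})  # assumption
    interpreters: frozenset = frozenset({"python.exe", "cscript.exe", "bash"})
    log: list = field(default_factory=list)       # audit trail for the SIEM


def sha256(data: bytes) -> str:
    # SHA-256 rather than MD5/SHA-1: a collision must not let an attacker
    # forge a binary that matches an approved hash.
    return hashlib.sha256(data).hexdigest()


def approve(policy: Policy, content: bytes, label: str) -> str:
    """Manual approval: add a file's hash to the whitelist (grey -> white)."""
    h = sha256(content)
    policy.allowed[h] = label
    return h


def evaluate(policy: Policy, path: str, content: bytes,
             parent: str = "explorer.exe"):
    """Decide whether `content` launched from `path` by process `parent` may run."""
    h = sha256(content)
    name = path.rsplit("/", 1)[-1].lower()
    if h in policy.denied:
        verdict, why = Verdict.DENY, "hash on deny list"
    elif h in policy.allowed:
        verdict, why = Verdict.RUN, "hash whitelisted"
    elif parent in policy.trusted_updaters and path.startswith(policy.trusted_dirs):
        # Trusted change: a trusted updater wrote into a trusted directory,
        # so the new hash is learned automatically.
        policy.allowed[h] = name
        verdict, why = Verdict.RUN, "trusted updater into trusted directory"
    else:
        verdict, why = Verdict.PENDING, "unknown hash: restricted mode, user notified"
    if verdict is Verdict.RUN and name in policy.interpreters:
        # The interpreter is white, but the script it is handed is never hashed:
        # this is the gap the "what AWL does NOT do" slide lists.
        why += "; interpreter: script content not covered"
    policy.log.append((path, h[:12], verdict.value, why))
    return verdict, why


# Constructed stand-ins for PE files (a real AWL agent hashes the bytes on disk).
HMI_EXE = b"MZ...hmi-client-v3"
HMI_PATCHED = b"MZ...hmi-client-v3.1"
DROPPER = b"MZ...unknown-dropper"


def demo_awl() -> list:
    """Run five launches through one policy and return the verdicts."""
    p = Policy()
    approve(p, HMI_EXE, "hmi-client")
    p.denied.add(sha256(DROPPER))
    scada = "C:/Program Files/SCADA/hmi.exe"
    cases = [
        (scada, HMI_EXE, "explorer.exe"),                               # known good -> run
        ("C:/Users/op/Downloads/x.exe", DROPPER, "explorer.exe"),       # known bad -> deny
        ("C:/Users/op/Downloads/tool.exe", b"MZ...new", "explorer.exe"),  # grey -> pending
        (scada, HMI_PATCHED, "sccm-agent.exe"),                         # trusted update -> run, learned
        (scada, HMI_PATCHED, "explorer.exe"),                           # now whitelisted -> run
    ]
    return [evaluate(p, path, data, parent)[0].value for path, data, parent in cases]


if __name__ == "__main__":
    print(demo_awl())
```

The fourth case is the important one operationally: the patched HMI binary is unknown, but because it arrives through the trusted updater into the trusted directory it is run and its hash learned, so the fifth launch by an ordinary user is already white. Everything else unknown lands in PENDING, which is where the grey-app restrictions and the end-user notification apply.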

Page 11: Application Whitelisting and DPI in ICS (English)

Turning Grey to White – Trusted Change

Check as part of your IT operational best practice: TNO (Trust No One)

Third-party digital certificates (check revocation via CRL)

IT department digital certificates

Periodically check your trusted sources

Integration with SIEM / security dashboard

New AWL policies during plant operation

Tools for rolling out policy changes to the entire system

Check performance impact on host and network

Page 12: Application Whitelisting and DPI in ICS (English)

Golden Image – For relatively static environments

Hardware from a secure supply chain

If possible, secure code review of executables where the source is available.

Harden not only applications but also hardware and drivers, according to the chosen best practice.

Run in a staging environment (“sandbox mode”), i.e. using non-intrusive anomaly-visibility tools for host and network, trying to simulate the real-time environment: users, applications, services, protocols, topology; boot up the machines.

Run Observe Mode at the staging site (lab) and perform policy discovery.

Pull your whitelist and check reputation.

Then the gold image is hashed.
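The snapshot of page 9 and the hashed gold image this procedure ends with, as an added example (not the slides' or any product's code): build a manifest of every file under a staged directory, then compare a later inventory of the deployed node against it to report added, removed and modified files. The directory tree, file names and contents are constructed in a temporary folder so the example runs offline.

```python
"""Added example (not from the slides, not any vendor's agent): a gold-image
manifest (relative path -> SHA-256) built from a staged directory, and a
drift check that compares a later inventory against it. The files written
below are constructed sample data."""
import hashlib
import os
import tempfile


def build_manifest(root: str) -> dict:
    """Inventory every file under `root`, keyed by a portable relative path."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def diff_manifest(baseline: dict, current: dict) -> dict:
    """Report what changed relative to the gold image."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def _write(root: str, rel: str, data: bytes) -> None:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def run_drift_demo() -> dict:
    """Stage a constructed image, hash it, simulate drift, and return the diff."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/hmi.exe", b"MZ hmi v3")
        _write(root, "bin/driver.sys", b"driver v1")
        _write(root, "cfg/plant.ini", b"[plant]\nmode=auto\n")
        gold = build_manifest(root)                 # the hashed gold image

        # Simulated drift after deployment: one binary replaced, one unknown
        # file dropped in, one configuration file deleted.
        _write(root, "bin/driver.sys", b"driver v1 (tampered)")
        _write(root, "tmp/update.exe", b"MZ unknown")
        os.remove(os.path.join(root, "cfg", "plant.ini"))

        return diff_manifest(gold, build_manifest(root))


if __name__ == "__main__":
    print(run_drift_demo())
```

Every entry in `added` and `modified` is a candidate for the Pending state on the previous slides; `removed` entries matter just as much for an ICS node, since a missing driver or configuration file can stop the process as surely as a rogue one.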

Page 13: Application Whitelisting and DPI in ICS (English)

AWL - What it does NOT Do

Memory-based attacks – DLL injection, IAT (import address table) hooking

Interpreted code (JavaScript, JAR, Perl .pl, Python .py) – e.g. Conficker, Duqu

Text instructions can be stored anywhere: web pages, databases, project files, “tmp” files

Web interfaces in control systems are written in scripting languages (PHP, Perl…) and are very susceptible to injection attacks.

DDoS – bandwidth or application attacks

Does NOT prevent white-application hijacking:

Corruption / theft of data

Rogue commands to SCADA services

Denial of service at the application and network level

Field-to-center threats – not at all

Field-to-field threats – not at all

Page 14: Application Whitelisting and DPI in ICS (English)

Shellshock – Bash bug – September 2014

Allows remote attackers to execute arbitrary code under certain conditions, by passing strings of code after a function definition in an environment variable's value. Bash itself is a trusted, whitelisted binary, so AWL does not stop this: the approved interpreter runs the injected commands.

Page 15: Application Whitelisting and DPI in ICS (English)

White-application hijacking

Field-to-center threats

Field-to-field threats

Does not address authenticity, but anomaly.

An open database solution allows correlation with process data, alarm data and traditional IT products like SIEM solutions.

Static and well-defined environment

AWL + DPI

Page 16: Application Whitelisting and DPI in ICS (English)

DNP3 – 2013

Send a request or command, or change the protocol stack, to drive the master station crazy.

It makes no difference whether it is IP or native serial.

DPI whitelisting is relevant to the ICS environment.

Encryption is a bump in the wire; you may be encrypting the bad stuff.

Page 17: Application Whitelisting and DPI in ICS (English)

ICS - Multi Vendor environment

Modbus TCP / RTU / Plus
IEC 60870-5-101 / 104
MDLC / MDLC over IP
DNP3 / DNPi
Siemens Profinet / Profibus
Siemens Teleperm XP
Siemens TIM
GE UDH
Rockwell Automation DF1
C37.118 (Smart Grid synchrophasor)
IEC 60870-6-503 (TASE.2)
IEC 61850 (GOOSE)
ICCP
And more…

Very few logs on our SCADA data.

Catch the crafted commands coming into your trusted application.
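What "catching the crafted commands" looks like for one of the protocols in the list, as an added example (not the slides' or any vendor's DPI engine): a Modbus/TCP inspector that parses the MBAP header and PDU and applies a per-source whitelist of function codes, unit IDs and writable register ranges, dropping anything malformed or unlisted. The station addresses, the register range, the rule set and the frames are constructed assumptions for the example.

```python
"""Added example (not from the slides, not any vendor's DPI engine): a small
Modbus/TCP deep-packet-inspection whitelist. It parses the MBAP header and
the PDU, then checks the request against a per-source rule set: which
function codes a station may send, to which unit IDs, and which holding
registers it may write. Source addresses, register ranges and frames below
are constructed assumptions for the example."""
import struct

READ_HOLDING, WRITE_SINGLE, DIAGNOSTICS, WRITE_MULTIPLE = 0x03, 0x06, 0x08, 0x10


def build_frame(tid: int, unit: int, fc: int, payload: bytes) -> bytes:
    """MBAP header (transaction id, protocol id 0, length, unit id) + PDU."""
    pdu = bytes([fc]) + payload
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse one request; raise ValueError on anything malformed (fail closed)."""
    if len(frame) < 8:
        raise ValueError("short frame")
    tid, pid, length, unit, fc = struct.unpack(">HHHBB", frame[:8])
    if pid != 0 or length != len(frame) - 6:
        raise ValueError("MBAP length/protocol mismatch")
    data = frame[8:]
    req = {"tid": tid, "unit": unit, "fc": fc, "regs": None}
    if fc in (READ_HOLDING, WRITE_SINGLE):
        if len(data) != 4:
            raise ValueError("bad PDU length")
        a, b = struct.unpack(">HH", data)          # start,qty  or  addr,value
        req["regs"] = (a, a + b - 1) if fc == READ_HOLDING else (a, a)
    elif fc == WRITE_MULTIPLE:
        if len(data) < 5:
            raise ValueError("bad PDU length")
        start, qty, nbytes = struct.unpack(">HHB", data[:5])
        if nbytes != 2 * qty or len(data) != 5 + nbytes:
            raise ValueError("write-multiple byte count mismatch")
        req["regs"] = (start, start + qty - 1)
    elif fc == DIAGNOSTICS:
        if len(data) < 2:
            raise ValueError("bad PDU length")
        req["subfn"] = struct.unpack(">H", data[:2])[0]   # 0x04 = force listen-only
    return req


# Constructed whitelist: anything not listed is dropped (default deny).
RULES = {
    "10.0.1.10": {"fcs": {READ_HOLDING, WRITE_SINGLE, WRITE_MULTIPLE},   # HMI
                  "units": {1}, "write_regs": (100, 119)},              # setpoint block only
    "10.0.1.20": {"fcs": {READ_HOLDING}, "units": {1, 2}, "write_regs": None},  # historian
}


def inspect(src_ip: str, frame: bytes) -> tuple:
    """Return ("ALLOW" | "DROP", reason) for one request from src_ip."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as exc:
        return "DROP", f"malformed: {exc}"
    rule = RULES.get(src_ip)
    if rule is None:
        return "DROP", f"unknown source {src_ip}"
    if req["fc"] not in rule["fcs"]:
        return "DROP", f"function 0x{req['fc']:02x} not whitelisted for {src_ip}"
    if req["unit"] not in rule["units"]:
        return "DROP", f"unit {req['unit']} not whitelisted for {src_ip}"
    if req["fc"] in (WRITE_SINGLE, WRITE_MULTIPLE):
        if rule["write_regs"] is None:
            return "DROP", f"{src_ip} has no writable registers"
        lo, hi = rule["write_regs"]
        if req["regs"][0] < lo or req["regs"][1] > hi:
            return "DROP", f"write to {req['regs']} outside {lo}-{hi}"
    return "ALLOW", f"fc 0x{req['fc']:02x} unit {req['unit']} regs {req['regs']}"


def demo_dpi() -> list:
    """Constructed traffic: a benign HMI session plus crafted requests."""
    cases = [
        ("10.0.1.10", build_frame(1, 1, READ_HOLDING, bytes([0, 0, 0, 10]))),      # read regs 0-9
        ("10.0.1.10", build_frame(2, 1, WRITE_SINGLE, bytes([0, 105, 1, 244]))),   # reg 105 = 500
        ("10.0.1.10", build_frame(3, 1, WRITE_MULTIPLE, bytes([0, 100, 0, 2, 4, 0, 1, 0, 2]))),
        ("10.0.1.10", build_frame(4, 1, WRITE_SINGLE, bytes([1, 44, 0, 1]))),      # reg 300: out of range
        ("10.0.1.20", build_frame(5, 1, WRITE_SINGLE, bytes([0, 105, 0, 1]))),     # historian writing
        ("10.0.1.10", build_frame(6, 1, DIAGNOSTICS, bytes([0, 4, 0, 0]))),        # force listen-only
        ("10.0.9.9", build_frame(7, 1, READ_HOLDING, bytes([0, 0, 0, 1]))),        # unknown station
        ("10.0.1.10", b"\x00\x08\x00\x00\x00\x99\x01\x03\x00\x00\x00\x01"),        # bogus MBAP length
    ]
    return [inspect(src, frame)[0] for src, frame in cases]


if __name__ == "__main__":
    print(demo_dpi())
```

Note what is and is not checked: the inspector never looks at who the HMI operator is (authenticity), only at whether this request, from this address, matches the expected shape of traffic (anomaly), which is exactly the distinction the previous slide draws. The last three cases are the "crafted commands" the slide is about: a diagnostics sub-function that would silence an outstation, a request from a station nobody configured, and a frame whose length field does not match its bytes.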

Page 18: Application Whitelisting and DPI in ICS (English)

www.c4-security.com

AWL - DPI


Page 19: Application Whitelisting and DPI in ICS (English)

To Summarize – Defense in Layers

Diagram: AWL and DPI whitelisting applied across three layers – Host, Network, System.

Page 20: Application Whitelisting and DPI in ICS (English)

Thank You

ありがとう (Thank you)

Rani Kehat CISSP

Director Marketing, Intelligence & Cyber Solutions, Elbit Systems, [email protected]