Federico Tandeter - CLKmedia.arpel2011.clk.com.uy/ciber/12.pdf · attack. Cyber attackers are...
Name: Federico Tandeter
Position: Senior Security Manager
Phone: +54 9 11 3397 0364
Email: [email protected]
Name: Yeffry El Jammal
Position: Senior Consulting Manager
Phone: +54 9 11 5585 7098
Email: [email protected]
Name: Pablo A. Vaquero
Position: Security Manager
Phone: +54 9 11 4022 9978
Email: [email protected]
Copyright © 2016 Accenture. All rights reserved.
The risks of new smart operational technologies: Industrial Internet of Things (IIoT)
Introduction to Industrial Internet of Things (IIoT)
The IIoT is the 4th industrial revolution
(Diagram, "The drivers for change in the 4th Industrial Revolution": technology progress in connectivity, data centers and IT standards, CPU performance, chip miniaturization, software push and the Internet backbone, together with the evolution of production systems, produce connected, always-on, intelligent, software- and data-powered autonomous devices (smart devices). The result is cyber-physical systems, the 4th industrial revolution, with profound changes across the entire industrial ecosystem.)
Digital Industry 4.0 … it's complicated!
Where does IIoT fit in the broader technology landscape?
Key insights
• Business pressure to increase revenue and decrease costs has led to increased automation and remote management through Internet connectivity, but also exposes systems to the potential of cyber attack. Cyber attackers are becoming more sophisticated and attacks are increasing at an incredible pace, 30% year over year compounded.
• The complex and often conflicting operational and security requirements of the IT and OT domains mean that a new type of thinking is required. There are many challenges to address before the economic benefits of IT and OT convergence can be achieved.
• The long life of a typical ICS (20 years or more) means that many were designed before the need for Internet connectivity became a compelling business driver, so securing "brownfield" deployments against cyber attack can throw up many challenges.
• Many organizations are only now beginning to understand the importance of security as an enabler for successful operations, but are struggling with the complexities of IT/OT convergence, the increasing need for regulatory compliance, and the safe operation of IP-connected OT.
Internet of Things (IoT)
High-level concept of a global network of "smart" physical objects of various kinds (wearables, cars, smartphones, home appliances, etc.), equipped with connectivity, usually wireless, to networks such as the Internet for the purpose of monitoring, data gathering and reporting, remote control, etc.
Industrial Internet of Things (IIoT)
Subset of IoT specific to industry (as opposed to, for example, the consumer market), where networked devices range from advanced field sensors, GPS asset location, drones and traffic lights to all varieties of "smart" hardware deployed in transportation, manufacturing, etc.
Industrial Control Systems (ICS)
Segment of the market focused on automation, computerized monitoring and control of physical industrial processes such as oil refining, offshore drilling and production, pipeline management, power grid operations, mining, chemicals production, robotized manufacturing, water treatment and more.
Critical Infrastructure (CI)
Critical infrastructure refers to processes, facilities, technologies, networks and systems (including IIoT and ICS) that control and manage essential services like utilities and transportation, and specific industries like Resources and Chemicals. Disruptions of critical infrastructure could result in catastrophic loss of life, adverse economic effects and significant harm to public confidence.
What does it consist of?
A combination of Information Technology (IT) and Operational Technology (OT) hardware and software assets, systems and networks used to operate and supply power, gas, water, sewerage, transportation and communication networks.
Information Technology
• IT systems are in place that allow machines to exchange information directly with systems such as Enterprise Resource Planning (ERP), Customer Relationship Management (CRM), office-based productivity tools and mobile computing devices
• Industrial organizations have experienced an exponential increase in the quantity and quality of IT systems
Operational Technology
• OT consists of integrated hardware and software components commonly used to operate machinery and physical processes
• Information is used primarily to identify a change of state in physical infrastructure
• If an engine is running too hot, OT regulates the temperature to return it to a moderate state
• If a gas pipeline experiences pressure beyond its operating parameters, OT can bring it back within tolerance levels by opening or closing a valve
ICS and SCADA
Supervisory Control and Data Acquisition (SCADA) generally refers to control systems that span a large geographic area, such as a gas pipeline, power transmission system or water distribution system.
Industrial control systems (ICS) are a subset of the operational technology sector. They comprise the systems used to monitor and control industrial processes (e.g. oil refinery cracking towers, power consumption on electricity grids, etc.).
The terms SCADA and ICS are often used interchangeably, but the correct term to use is ICS when referring to industrial automation of all types.
IT Domain vs OT Domain
OT Domain
• Limited data capacity and computing power
• Safety of operations is critical
• High availability and integrity are vital, with less stringent confidentiality requirements
• Critical operations and systems at the edge of the network, with human operators at the centre
• Essential equipment and operations remotely deployed at the edge of the network
• Slow response to threats: rapid patching might be impossible because of the outages it would require
• Long life, resulting in legacy, unsupported infrastructure
IT Domain
• High data capacity and computing power
• Few safety-critical operations
• Confidentiality and integrity are vital, while availability is important
• Critical operations and systems at the centre of the network; human users at the edge
• Essential equipment and operations concentrated at the centre of the network
• Rapid response to threats; patching and reboots are acceptable
• Continuous equipment upgrades with short life cycles
The IT and OT domains have many conflicting operational requirements that need to be understood to ensure effective and seamless security across both domains.
Connections are only going to increase…
Connected Worker, Connected Network, Connected Plant, Assets & Equipment
Sample of key questions:
• How do you enable access to real-time data from enterprise IT systems to OT/ICS?
• What is the impact of intelligent devices at the edge?
• What is the impact when your backend systems are in the cloud?
• How do you manage wireless connectivity that is pervasive?
IIoT Evolution
IIoT Security Challenges
Traditionally, data is stored in silos managed and owned by different parts of the organization, with no insights available across virtual organization walls. Very often the department has no direct access to this data.
(Diagram, "Data Silos": the data consumers (Operations, Maintenance, Supply Chain Management, Research & Development, Finance & Controlling, Projects & Engineering, Health & Safety) on one side; the data sources on the other: process data historian, data warehouse, relational database, content/document management and unstructured data, fed by ERP, MES/DCS, sensors, LIMS, business applications, office documents, drawings/P&ID, logs, video feeds and images.)
Industrial Internet of Things (IIoT) bridges the different levels of information systems in the plant, across the organization and along the value chain…
ISA 95 Levels and Related Manufacturing Systems
• Level 4, Planning (Business & Logistics Planning; system view: business application, e.g. ERP): establish the basic plant schedule (production, material usage, goods receiving and product shipping) and determine inventory levels. Time frame: months, weeks, days.
• Level 3, Operation (Manufacturing Operations Management, MOM; system view: MOM application, e.g. MES/APS): work flow / recipe control to produce the desired end products; maintaining records and optimizing the production process. Time frame: days, shifts, hours, minutes, seconds.
• Level 2, Control (batch control, discrete control, continuous control; system view: industrial automation, e.g. PCS): monitoring, supervisory control and automated control of the production process. Time frame: hours, minutes, seconds, sub-seconds.
• Level 1, Plant: sensing the production process (sensors) and manipulating the production process (actuators).
Organizational view: Enterprise > Site > Area > Unit > Work Cell.
Dimensions along which the IIoT connects these systems: vertical (Level 4 ERP, Level 3 MES, Level 2 plant control, Level 1 field devices), horizontal (across plants and along the value chain), and between devices (M2M).
…allowing analytics to be performed in real time, and also opening up the possibility of analytics-based process control.
But as data flows through many configurations end to end, many security questions will have to be answered:
• Who has physical access?
• How are vulnerabilities patched?
• Has the data been manipulated?
• Is sensor data being missed?
• Can configuration and update mechanisms be used to do harm?
• What happens when systems fail safe?
• Who has access to process data?
• Are the reports showing the right data / analytics results?
• Are our office / ERP systems being used to infiltrate?
• How can I trust a system that is essentially available from anywhere?
• Is my channel back into my production being intercepted?
Attacks on critical infrastructure have already begun. How has the attack surface evolved?
Prior to 2000, attackers largely needed physical access to systems to cause damage. However, the introduction of new technology (e.g. remote management via the Internet) has eroded traditional defenses for critical infrastructure.
Incidents (timeline):
• MAROOCHY SHIRE (sewage plant): exploited by a contractor who used an external entity to access SCADA systems, resulting in the uncontrolled release of raw sewage into waterways
• BLASTER worm shuts down Washington rail traffic for 1.5 days. SLAMMER worm causes failure of the safety monitoring system at the Davis-Besse nuclear power station in Ohio
• AURORA experiment by the U.S. Department of Homeland Security destroys an electrical power generator by exploiting vulnerabilities
• DRAGONFLY malware delivered onto ICS through a targeted spear-phishing campaign allowed attackers to monitor, disrupt/sabotage and steal (energy and pharmaceutical industries)
• TRAM CRASH caused by a teen hacker who modified a TV remote control to hack the tram system
• SHAMOON malware infects 30,000 – 55,000 Windows machines at Saudi Aramco, causing severe disruption to its oil distribution process by shutting down its internal network for over a week
• STUXNET worm destroys approximately 1000 uranium enrichment centrifuges in Natanz (Iran)
• BLACK ENERGY malware causes wide-spread disruption of the Ukrainian electricity grid
Evolution of attack techniques (figure labels, most recent first): malicious apps; custom virus droppers; sophisticated social engineering; Trojans, worms / self-replicating / self-distributing malware; malicious web sites / virus droppers; first denial-of-service attacks (Blaster, Slammer); cryptographic extortion; spyware (pre-attack information gathering); crude social engineering (SPAM).
ICS Systems are Exposed to the Internet
US industrial control systems attacked 295 times in 12 months. The manufacturing sector led all others in 2015, followed by energy.
In 2016 the Critical Manufacturing sector reported the largest number of incidents, mainly because of a wide-spread spear-phishing campaign targeting that industry. However, network scanning attacks and exploitation of weak authentication remain top attack vectors.
Industries that ICS-CERT was called on to help (chart): Critical Manufacturing 33%, Energy 16%, Unknown 9%, Transportation Systems 8%, Water 8%.
Data source: https://ics-cert.us-cert.gov/sites/default/files/Monitors/ICS-CERT%20Monitor_Nov-Dec2015_S508C.pdf
Manipulation of View (MoV)
The operational view of the equipment being controlled is not correct, resulting in operators issuing incorrect and dangerous commands.
Denial of View (DoV)
Temporary loss of view of remote equipment by the centralized control room, caused by an attack on the supervisory components in the ICS or by denial-of-service attacks reducing the ability of operational data and controls to flow through the system.
Loss of View (LoV)
A situation where the operator is receiving no operational updates from the remote processes and equipment being controlled, e.g. attacks on the operating system running on the DCU in the control rooms causing the HMI to fail, resulting in system components going into a fail-safe state.
Denial of Control (DoC)
A temporary inability to control ICS hardware or operational processes (e.g. a DoC attack on PLCs could be implemented by intercepting control messages and replaying expected responses, while at the same time causing the PLC to execute damaging operations).
Loss of Control (LoC)
A sustained inability to control or correct operational behavior, potentially resulting in loss of service caused by equipment failing or entering fail-safe states. Attacks can occur in clear sight of operators, with the HMI indicating that an attack is taking place but the operators unable to take preventive action. LoC may persist after an attack has completed, requiring technicians to physically reset or replace the equipment.
Manipulation of Control (MoC)
When control logic is interfered with to override or ignore legitimate operator commands. MoC could also be caused by MITM attacks and used by the attacker to interfere with or control operational processes or equipment.
Origins of the Security Problem
Unpatched Systems: security updates are difficult to install on OT infrastructure. In many cases, it takes considerable planning and coordination to bring down a system for patching. Further, automatic security updates are not an option, as they would cause the systems to restart or shut down.
Lack of Authentication Functionality: a lot of control processes are designed to accept and trust all control commands as genuine, so authentication of users and automated processes is often not required.
Expanded Attack Surface: OT systems are becoming increasingly less isolated from the IT network. Connecting OT systems to the IT network exposes them to exploits within the enterprise and to the conflicting security and operational demands within the IT network.
Unsecured Protocols: there is no authentication or encryption inherent in many industrial protocols. Known vulnerabilities are publicly documented by ICS-CERT. Digital Bond has published dozens of vulnerabilities against industrial protocols such as DNP3.
Off-the-Shelf OT: more and more companies have adopted commercial off-the-shelf (COTS) products for standardization and to lower costs. The rapid development of these COTS products often leads to inherent security weaknesses that were not factored into the design.
Lack of Wireless Security: poorly configured and supported wireless sensor connections and access points can result in attackers remotely accessing and connecting to the ICS network to gain control of the systems.
Limited Compute Power: OT systems typically run on small processors with limited computing and storage capabilities, which prevents most OT systems from installing security updates and from performing other security functions such as authentication and encryption to protect network communications.
Legacy Systems: in many OT environments, systems and devices with life spans of more than 15 years are no longer supported by the vendors. Since most OT systems were not designed and built with security in mind, their inherent vulnerabilities continue to be a risk in the existing systems.
Remote Connectivity: the operational need for vendors and support staff to remotely connect to the OT network has resulted in process control systems and networks being exposed to the Internet (SHODAN), and in unauthorized access to the network when user accounts are not kept up to date.
IT and OT Integration: increasing pressure to improve efficiency and reduce operating overhead is forcing companies to merge their IT and OT domains, leading to an increased possibility of attackers gaining access to the OT domain by exploiting weaknesses in the IT network.
Case Study Example: Ukraine Power Grid Hack
Ivano-Frankivsk region of western Ukraine
The Ukraine blackout is the first confirmed hack to take down a power grid.
Analysis has shown that it was a brilliant multi-stage attack combining sophisticated logistics and planning with the ability to craft devastating malware to cripple the different devices used by each power company.
The control systems used in Ukraine had what were thought to be well-segmented networks policed by robust firewalls, but they were undermined by the lack of two-factor authentication to confirm the identities of workers connecting remotely, and the lack of deep packet inspection for messages crossing the IT/OT boundary.
Power supplies were eventually restored by manual operation, and disruption to electricity supplies was limited to between 1 and 6 hours.
However, it took more than two months for the operations and control centers to become fully operational again.
Case Study Example: Ukraine Power Grid Hack, stage 1: spear-phishing
Cyber attackers targeted key IT personnel via spear-phishing social engineering attacks. Targeted employees opened an email attachment containing BlackEnergy3 malware, allowing it to install itself into the IT network.
Control: all employees should attend security awareness training.
(Diagram: attackers reach employees inside the enterprise network.)
Case Study Example: Ukraine Power Grid Hack, stage 2: remote access without MFA
Attackers exploited the lack of multifactor authentication to impersonate remote access by employees over VPN and access IT systems remotely. The BlackEnergy malware enabled backdoor access to IT systems, where attackers were able to identify connected assets and steal employee credentials.
Control: VPN connections to critical systems must be secured using MFA to confirm employee and device identity.
(Diagram: attackers, employees and the enterprise network on the IT side; the OT side not yet reached.)
Case Study Example: Ukraine Power Grid Hack, stage 3: undetected configuration changes
Critical asset configuration information was modified by attackers without detection:
• Attackers stole VPN credentials to reach the devices in the electrical distribution network
• Attackers remotely accessed the UPS mechanisms for the control centers and disabled them, so that when power was cut the control centers would also be without power
• KillDisk malware was installed on operator consoles, resulting in them being "bricked" after a reboot
Control: configuration changes to critical systems should require additional authentication, and be logged in the SIEM.
(Diagram labels: KillDisk installed; UPS outage schedule.)
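Added example, not from the original deck: the two controls the case study calls out (MFA for VPN access to critical systems, and step-up authentication plus SIEM logging for configuration changes to critical assets) expressed as detection logic over constructed log lines in a constructed key=value format. The asset inventory, usernames, hosts and the 30-minute correlation window are assumptions.

```python
"""SIEM-style correlation for two of the case-study controls (added example).

Constructed log lines in a constructed key=value format: VPN logins to a
critical-systems VPN gateway and configuration changes on assets. Three rules:
VPN login without MFA, configuration change on a critical asset without
step-up authentication and a change ticket, and the chained case where a
critical configuration change follows a weak VPN login by the same user.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List

CRITICAL_ASSETS = {"UPS-CC1", "RTU-SUB7"}   # constructed inventory of critical assets
CHAIN_WINDOW = timedelta(minutes=30)        # assumption: how long a weak login taints a user

# Constructed sample events (not real logs)
SAMPLE_LOG = """\
2016-01-15T15:02:11Z vpn-gw1 vpn: user=oper.ivanov src=203.0.113.45 result=SUCCESS mfa=none
2016-01-15T15:03:40Z vpn-gw1 vpn: user=eng.petrov src=198.51.100.7 result=SUCCESS mfa=totp
2016-01-15T15:10:05Z ups-ctl1 config: user=oper.ivanov asset=UPS-CC1 change=outage_schedule stepup=no
2016-01-15T15:12:30Z ups-ctl1 config: user=eng.petrov asset=UPS-CC1 change=outage_schedule stepup=yes ticket=CHG-1042
2016-01-15T15:15:00Z ews-01 config: user=eng.petrov asset=PRINTER-3 change=driver stepup=no
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kind>\w+): (?P<kv>.*)$")


def parse_event(line: str) -> Dict[str, str]:
    """Split one line into a dict; malformed lines raise so they are not silently dropped."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    event = {"ts": m["ts"], "host": m["host"], "kind": m["kind"]}
    for token in m["kv"].split():
        key, _, value = token.partition("=")
        event[key] = value
    return event


def event_time(event: Dict[str, str]) -> datetime:
    return datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")


def correlate(log_text: str) -> List[Dict[str, str]]:
    """Run the three rules over the log and return alerts in log order."""
    alerts: List[Dict[str, str]] = []
    weak_vpn_login: Dict[str, datetime] = {}   # user -> time of last MFA-less VPN login
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        user = ev.get("user", "?")
        if ev["kind"] == "vpn" and ev.get("result") == "SUCCESS":
            # Rule 1: successful VPN login that did not present a second factor
            if ev.get("mfa", "none") == "none":
                weak_vpn_login[user] = event_time(ev)
                alerts.append({"sev": "medium", "rule": "vpn-no-mfa", "user": user, "ts": ev["ts"]})
        elif ev["kind"] == "config" and ev.get("asset") in CRITICAL_ASSETS:
            # Rule 2: critical-asset change without step-up auth or an approved change ticket
            if ev.get("stepup") != "yes" or "ticket" not in ev:
                alerts.append({"sev": "high", "rule": "critical-config-no-stepup",
                               "user": user, "asset": ev["asset"], "ts": ev["ts"]})
            # Rule 3: the chain the case study describes, weak VPN login then critical change
            tainted_at = weak_vpn_login.get(user)
            if tainted_at is not None and event_time(ev) - tainted_at <= CHAIN_WINDOW:
                alerts.append({"sev": "critical", "rule": "critical-config-after-weak-vpn",
                               "user": user, "asset": ev["asset"], "ts": ev["ts"]})
    return alerts
```

On the sample log this yields three alerts: the MFA-less VPN login, the unticketed UPS schedule change, and the correlated chain between the two.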
Case Study Example: Ukraine Power Grid Hack, stage 4: final phase
Cyber attackers implemented the final phase of the attack:
• Attackers used remote access tools to take control of operator HMIs and pull circuit breakers at substations. Malicious firmware was installed into serial-to-Ethernet converters at substations to sever communications to operator consoles.
• A telephone denial-of-service attack was launched against call centers to prevent customers from reporting the power outage and the scale of the attack.
Control: protect communication across IT and OT domains with firewalls (preferably through a buffer network/DMZ) with rigorous whitelisted rules relating to message originators, content and destination.
Security Call to Action
Security needs to be integrated within the entire lifecycle of components and services across critical infrastructure
Devices/Sensors
• Industrial-standards-compliant devices to ensure interoperability and ease of maintenance
• Device-specific digital identities and validation in ICS
Network/Communications
• Adoption of industrial communication standards for wireless sensor networks (WiHART or ISA100.11a) to enable encryption of communications
• Use self-healing / self-organizing wireless mesh technology to ensure high network availability
• Establish segmented subnets and a DMZ to limit access to critical components
• Establish strong firewalls between IT and OT networks and subnets
Management
• High availability and resiliency designed into the system
• Automated fail-safe operation and multiple redundancy
• Intrusion detection and monitoring
Control Systems
• Design redundancy into the process control system so that each controlling component in critical operations will operate autonomously, and revert to a fail-safe state under alarm conditions if communication to the control room is lost
• Protect all communications to DCUs and PLCs using suitably strong encryption
• Detect unauthorized access to ICS components (physical or logical)
• Detect unauthorized traffic on the network by monitoring firewall ports and traffic
Critical Challenges Addressed
• Operational security
• Operational availability
• Software patching
• Secure communications
• Access control
• Digital identities
• Data security & integrity
Apply traditional security methods and lessons learned for each technology layer of the IIoT ecosystem
Traditional methods of securing the industrial control systems (ICS) environment, the cloud, enterprise IT and mobile devices are still relevant for IIoT.
Applying these known security measures together with a new set of security controls specific to IIoT will augment the overall security posture across the IIoT ecosystem.
New advances in security technologies and practices specific to IIoT will have to be explored, specifically on the topics of:
• Identity and Access Management
• Network Connectivity
• Security Analytics & Response
• Endpoint Security
(Diagram: IIoT Security at the centre, surrounded by Mobile Security, Operational Monitoring, ICS Security, Cloud Security and Enterprise IT Security.)
IT and OT domain convergence – Best Practice
The IIoT cannot operate effectively if cyber attackers are able to cause disruption or outages in its IT or OT domains. The Ukraine blackout of 2015 showed that it is possible for cyber attackers to exploit weaknesses in the defenses of one domain to penetrate the other and cause outages. There are many steps that can be taken to make the IT and OT domains more robust against cyber attack, and to limit the extent of any breaches.
(Diagram: the IT domain (enterprise IT systems, cloud) and the OT domain (smart grid OT, control center, Layer 2 DCS, Layer 1 PLCs) are separated by a DMZ buffer network, with strict access control, whitelisted firewalls and rigorously policed communications limited to only what is absolutely required.)
Best Practice
• Use a SIEM to log network traffic and events, to allow forensic analysis of any attacks or faults detected
• Use rigorous anti-virus and intrusion detection mechanisms to detect suspicious activities
• Ensure software is upgraded with the latest security patches
• Employ MDM, MCM or MAM policies for all approved mobile devices
• Enforce strict policies to eliminate easy-to-guess, well-known and hardcoded passwords
• Use access control lists to restrict employee access rights to the minimum required to perform their roles
• Enforce separate and rigorous authentication for access to IIoT systems, and keep authorized employees to the minimum required
• Train employees to recognise and report attacks (e.g. social engineering)
• Implement intrusion detection and incident response strategies to detect and respond to cyber attacks in a timely manner
• Implement a DMZ (buffer network) between IT and IIoT domains to restrict and authenticate all communication to expected and authorized traffic
• Prevent outside Internet access for devices in the OT domain
• Prevent BYOD devices from connecting to or accessing information in the OT domain
• Ensure regular audits of all devices connected in the IIoT domain, and deny access to any unknown or unexpected connected devices
• Use self-healing technologies in the IIoT domain to eliminate single points of failure in communication and power distribution
Point Solutions Examples: Uni-directional gatewaysUnidirectional Gateways can replace firewalls in industrial and critical network environments with one-way communications. Unidirectional Gateway solutions come in pairs: the TX appliance contains a laser, and the RX appliance contains an optical receiver. The Gateway pair can transmit information out of an operations network, but is incapable of propagating any virus, DOS attack, human error or any information at all back into the protected network.
Operational values are collected from the OT domain by a dedicated server which uses the unidirectional gateway to send the values to a Replicating server in the IT domain where the data values are reconstituted The server-replication process is transparent to external users, and has no effect on the original operations servers. External users access and use the replica servers in the same way they would access and use the original operations servers, without changing working procedures
Point Solutions Examples: Bidirectional OT Security Gateways
The Binary Armor device is installed inline between PLCs, remote terminal units, intelligent electronic devices or controllers and the WAN/LAN; and provides bi-directional security across all communication layers.
Features
Network Security
• Segregates critical control networks from WAN/LAN
• Blocks all ports and network traffic except those explicit to ICS
• Firewall – IP Tables
• Network Syslog notifications
Advanced Message Engine
• Accounts for every byte in every message
• White-listing of messages based on operational system logic
• Dynamic “state based” rule sets
• Broad range of industry standard and proprietary protocols supported
High Availability
• Carrier Grade Linux
• Hardware watchdog failsafe circuit
How a Bidirectional OT Security Gateway Would Have Helped on the Ukraine Power Grid Hack
How Deployment of a Bidirectional OT Security Gateway Across the Ukrainian Power Grid Would Have Prevented this Attack from Causing Power Outages
• The gateway is installed at every substation between remote PLCs, RTUs and serial converters and the WAN/LAN networks
• Rule sets are configured to match operational logic, which prevents breakers from being tripped under normal operation
• The gateway is monitoring every message and maintaining system state in real-time
• The gateway blocks messages from the compromised HMI to open breakers because they do not comply with operational logic
• Although the HMI would still be compromised, damage to critical assets and a power outage is prevented
[Diagram: the gateway sits between the Corporate LAN or WAN and the substation IEDs, relays, and digital and analog I/O]
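The bullets above describe state-based whitelisting: the gateway learns process state from the traffic it sees and forwards a control write only when that state makes the write operationally plausible. The code below is an added example of that decision logic, not Binary Armor's implementation or code from this presentation. It assumes simplified message dicts in place of real protocol frames, and constructed values for the fault-current threshold, the function allow-list and the sample traffic.

```python
"""Stateful OT gateway filter: allow-list of functions plus state-based rules."""
from dataclasses import dataclass, field

# Constructed site parameters. A feeder carrying at least this current is in a
# fault condition, and protection is expected to open its breaker.
FAULT_CURRENT_AMPS = 1200.0

# Only the functions this ICS actually uses are allowed through (constructed).
ALLOWED_FUNCTIONS = {"read_telemetry", "read_status", "write_breaker"}


@dataclass
class GatewayState:
    """State the gateway maintains from the traffic it sees."""
    current_amps: dict = field(default_factory=dict)  # feeder -> last reading
    maintenance: set = field(default_factory=set)     # feeders cleared for work
    syslog: list = field(default_factory=list)        # notifications emitted


def observe_telemetry(state: GatewayState, msg: dict) -> None:
    """Learn feeder state from telemetry flowing from the OT side outward."""
    state.current_amps[msg["feeder"]] = float(msg["current_amps"])


def filter_command(state: GatewayState, msg: dict) -> bool:
    """Decide whether an inbound (LAN -> OT) message is forwarded."""
    func = msg.get("function")
    if func not in ALLOWED_FUNCTIONS:
        state.syslog.append(f"BLOCK function={func!r}: not in allow-list")
        return False
    if func == "write_breaker" and msg.get("value") == "open":
        feeder = msg["feeder"]
        amps = state.current_amps.get(feeder)
        if feeder in state.maintenance:
            return True  # locally authorised work: opening is expected
        if amps is not None and amps >= FAULT_CURRENT_AMPS:
            return True  # fault in progress: opening is expected
        state.syslog.append(
            f"BLOCK open {feeder}: current={amps} A, no fault, no maintenance")
        return False
    return True


def run(messages: list) -> tuple:
    """Feed a message sequence through the gateway.

    Returns (messages forwarded, syslog notifications).
    """
    state = GatewayState()
    forwarded = []
    for msg in messages:
        if msg["direction"] == "ot_to_lan":
            observe_telemetry(state, msg)
            forwarded.append(msg)
        elif msg["direction"] == "local_auth":
            # Maintenance clearance comes from a local, out-of-band action at
            # the substation, never from a message arriving over the LAN.
            state.maintenance.add(msg["feeder"])
        elif filter_command(state, msg):
            forwarded.append(msg)
    return forwarded, state.syslog


# Constructed traffic: two feeders reporting, then a series of HMI commands.
SAMPLE = [
    {"direction": "ot_to_lan", "feeder": "F1", "current_amps": 310.0},
    {"direction": "ot_to_lan", "feeder": "F2", "current_amps": 1450.0},
    {"direction": "lan_to_ot", "function": "read_status", "feeder": "F1"},
    {"direction": "lan_to_ot", "function": "write_breaker", "feeder": "F1", "value": "open"},
    {"direction": "lan_to_ot", "function": "write_breaker", "feeder": "F2", "value": "open"},
    {"direction": "lan_to_ot", "function": "firmware_update", "feeder": "F1"},
    {"direction": "local_auth", "feeder": "F1"},
    {"direction": "lan_to_ot", "function": "write_breaker", "feeder": "F1", "value": "open"},
]

if __name__ == "__main__":
    forwarded, syslog = run(SAMPLE)
    print(len(forwarded), "messages forwarded")
    print("\n".join(syslog))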
Future Developments Examples
The rapid expansion of the IoT and the increasingly sophisticated automation that it enables means that Identity management must be extended to machines – but traditional mechanisms are built around human identity.
The concept of identity must evolve from human-based attributes to include machine based elements that can be authenticated by other machines,
especially in automated environments or closed-loop systems.
Without this ability, the IoT cannot scale quantitatively or qualitatively because attackers could duplicate, emulate or ’impersonate’ device identities to
compromise or disrupt the increasingly sophisticated automated systems that we are increasingly reliant upon.
Human identity authentication has always been based on at least one of the following:
• Something you are: for millions of years this has been the use of basic biometric information – the ability to recognize somebody’s face or voice to establish their identity. Signatures were the first evolution of biometric authentication, which now includes fingerprint and iris recognition.
• Something you have: to be able to authenticate the identity of strangers, passports, driving licenses, ID cards, letters of introduction, and smart cards have been used.
• Something you know: passwords, pass phrases, PIN codes, swipe patterns.
These identity attributes are key to human identity authentication – but they are not suitable for machines: a machine can be made up of multiple replaceable components, and can only ‘know’ or validate something with certainty on the basis of predefined logic or shared information.
Can we use conventional attributes to identify machines?
Traditional identifiers can be used for communication between connected devices, but are not immutable, and therefore susceptible to being manipulated, cloned or impersonated.
None of these attributes is secure against cyber attackers copying them to emulate or impersonate trusted hardware devices.
A new approach is required to ensure that M2M communication can be established in an automated, secure fashion.
IP Address: A logical address assigned to devices on a network that communicate using the Internet Protocol. Connected machines can share or have multiple IP addresses, which are typically dynamically assigned. Numerous legacy and new IoT devices utilize domain-specific protocols, and are not always IP compatible.
MAC Address: A Media Access Control address is a unique identifier assigned to the network interface of a device. Each communication interface has an associated MAC address. Machines may share communication interfaces, and so a MAC address cannot uniquely identify a connected machine. MAC addresses can also be spoofed or emulated.
UUID: A Universally Unique Identifier is a 128-bit number used to identify entities, relying on a combination of components for uniqueness. UUIDs are guaranteed to be ‘practically unique’ as opposed to unique, but are susceptible to being spoofed or copied.
Device Serial Number: A manufacturer-allocated number to identify a device. This number does not identify the smart components contained within the device and may not be unique amongst manufacturers. Device serial numbers can be copied and reproduced by cyber attackers.
New technologies to ensure immutable machine identity
Chip and platform manufacturers are now embedding the necessary components to allow powerful and secure computations to be performed securely by supporting hardware.
Advanced chip architectures from ARM and Intel now support secure boot, secure code execution and encrypted memory – unlocking the capability to perform the computations required for secure computation, key exchange and storage.
By combining the emerging capability to prove immutable chip level identity with centralized, scalable identity management, Accenture is able to address the Identity Management Requirements for the IoT of today and the future.
PKI, EPID and Blockchain are mathematically complex operations and require sufficient compute power and memory to enable the required computations to be performed in a timely manner. Chip manufacturers are now beginning to embrace the need for this by implementing hardware architectures which support hardware encryption, secure execution and embedded chip identifiers:
• Secure Code Execution
• Secure Boot
• Secure Data Storage
• Automated Hardware Encryption
• Encrypted Stored Credentials
• Chip Level Identifier
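The two preceding slides make one argument: an allow-list of MAC addresses, serial numbers or UUIDs (the device audit the best-practice list recommends) accepts anything that copies those values, whereas a key held in hardware can prove identity without ever being read out. The code below is an added example of that contrast, not Accenture's identity-management product or code from this presentation. To run on the standard library alone it uses a keyed HMAC challenge-response as a stand-in for the asymmetric per-chip key that PKI or EPID would provide; with an asymmetric scheme the registry would hold only public material, whereas here it must hold the provisioning key too. Device names, attributes and keys are constructed.

```python
"""Clonable device attributes versus a challenge-response on a hardware-held key."""
import hashlib
import hmac
import secrets


class Device:
    """Conventional attributes. All of these travel over the wire and can be copied."""

    def __init__(self, mac: str, serial: str, uuid: str) -> None:
        self.attrs = (mac, serial, uuid)


class HardwareIdentity:
    """Stand-in for a chip-level identity: the key never leaves this object."""

    def __init__(self, device_id: str, key: bytes) -> None:
        self.device_id = device_id
        self._key = key  # conceptually sealed in the secure element

    def respond(self, challenge: bytes) -> bytes:
        msg = self.device_id.encode() + challenge
        return hmac.new(self._key, msg, hashlib.sha256).digest()


class Registry:
    """Centralised identity store (simplified)."""

    def __init__(self) -> None:
        self.attrs = {}  # device_id -> (mac, serial, uuid)
        self.keys = {}   # device_id -> provisioning key (public key under PKI/EPID)

    def enroll(self, device_id: str, device: Device, key: bytes) -> None:
        self.attrs[device_id] = device.attrs
        self.keys[device_id] = key

    def check_by_attributes(self, device_id: str, device: Device) -> bool:
        """The audit-list approach: compare what the device claims to be."""
        return self.attrs.get(device_id) == device.attrs

    def check_by_challenge(self, device_id: str, identity) -> bool:
        """Require proof of possession of the provisioned key; fresh challenge each time."""
        key = self.keys.get(device_id)
        if key is None:
            return False  # unknown device: deny
        challenge = secrets.token_bytes(32)
        expected = hmac.new(key, device_id.encode() + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, identity.respond(challenge))


def demo() -> dict:
    """Enroll a genuine device, then present a clone of its visible attributes."""
    registry = Registry()
    key = secrets.token_bytes(32)  # generated at manufacture; constructed here
    genuine = Device("00:11:22:33:44:55", "SN-0001",
                     "123e4567-e89b-12d3-a456-426614174000")
    genuine_id = HardwareIdentity("plc-17", key)
    registry.enroll("plc-17", genuine, key)

    # The clone copied every visible attribute but has no access to the key.
    clone = Device(*genuine.attrs)
    clone_id = HardwareIdentity("plc-17", secrets.token_bytes(32))

    return {
        "genuine_attrs": registry.check_by_attributes("plc-17", genuine),
        "genuine_challenge": registry.check_by_challenge("plc-17", genuine_id),
        "clone_attrs": registry.check_by_attributes("plc-17", clone),
        "clone_challenge": registry.check_by_challenge("plc-17", clone_id),
        "unknown_challenge": registry.check_by_challenge("plc-99", genuine_id),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'denied'}")
```

The fresh random challenge is what stops a recorded response from being replayed; binding the device identifier into the MAC input stops a response produced for one identity from being presented under another.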
Improved visibility across multiple domains to detect suspicious activity with cross-domain IT and OT analytics
[Diagram: Security Analytics pipeline (Standardize, Filter, Aggregate, Correlation, Anomaly Detection) with result output to SIEM/Dashboard, giving full visibility across the converged IT/OT fabric. Inputs from the IT Infrastructure (Enterprise Network): Enterprise Events/Alerts, IDS/IPS Alerts, Network events. Inputs from the OT Infrastructure (Supervisory System, Mobile Operator, Historian server, Application server, Sensors/Actuators): Supervisory Events/Alerts, Control Layer Events/Alerts, Sensor & Device Events/Alerts, IDS/IPS Alerts.]
ECHO (Event Correlation across Heterogeneous Operations) is a cross-domain event analysis engine developed by Accenture Tech Labs to detect complex threat vectors against the IIoT networks and effectively correlate security incidents in both IT and OT networks, processing events and alerts generated by various security components to provide a clear view for analysis.
Integrated Event Detection & Correlation
• Monitor and detect complex events occurring across IT and OT domains
• Combine heterogeneous sensor data to provide an expanded view of cross domain activity
• Conduct enhanced root cause analysis of complex events
Increased Accuracy
• Provide seamless processing from sensor data to complex events in multi-site industrial internet infrastructure
• Provide agile gathering, processing and archiving of OT data
• Develop improved event detection models using a larger spectrum of IT and OT data
Context Driven Mitigation Strategies
• Leverage contextual data from multiple and diverse sources in industrial internet to enable fine grained security controls
• Easier to manage attack surface with improved visibility into the attack path
• Improved root cause analysis of complex multi-step attacks
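To make the pipeline stages concrete (standardize, filter, correlate, output), here is an added example that is not ECHO's code or any code from this presentation. It takes two constructed logs in different formats, one IT-side syslog-style and one OT-side CSV, normalises them into a single event schema, and raises a complex event when a control write on an OT asset is preceded, within a time window, by a remote session on the issuing HMI from a user whose VPN login came from outside the constructed "home" regions, unless the asset is in a scheduled maintenance window. Hostnames, users, regions, timestamps and the window length are all constructed.

```python
"""Cross-domain IT/OT event correlation over constructed sample logs."""
import re
from datetime import datetime, timedelta

# Constructed IT-side log (syslog style): timestamp host event key=value ...
IT_LOG = """\
2016-03-01T15:02:11Z vpn-gw vpn_login user=op7 src_geo=XX result=success
2016-03-01T15:05:40Z hmi-03 remote_session_start user=op7 src=10.9.8.7
2016-03-01T15:06:02Z fileserver login user=alice result=success
2016-03-01T15:38:10Z vpn-gw vpn_login user=maria src_geo=AR result=success
"""

# Constructed OT-side log (CSV): timestamp,host,event,asset,value
OT_LOG = """\
2016-03-01T15:07:30Z,hmi-03,control_write,sub-12/breaker-4,open
2016-03-01T15:39:00Z,scheduler,maintenance_window,sub-07/breaker-2,start
2016-03-01T15:40:00Z,hmi-01,control_write,sub-07/breaker-2,open
2016-03-01T15:41:00Z,hmi-03,status_poll,sub-12/breaker-4,ok
"""

HOME_GEOS = {"AR", "UY"}        # constructed: where operators normally connect from
WINDOW = timedelta(minutes=30)  # how far back a control action looks for precursors
INTERESTING = {"vpn_login", "remote_session_start", "control_write", "maintenance_window"}
IT_RE = re.compile(r"^(\S+) (\S+) (\S+)(?: (.*))?$")


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def standardize(it_log: str, ot_log: str) -> list:
    """Turn both raw formats into one event schema, ordered by time."""
    events = []
    for line in it_log.splitlines():
        ts, host, etype, rest = IT_RE.match(line).groups()
        kv = dict(p.split("=", 1) for p in (rest or "").split())
        events.append({"ts": _ts(ts), "domain": "IT", "host": host, "type": etype, **kv})
    for line in ot_log.splitlines():
        ts, host, etype, asset, value = line.split(",")
        events.append({"ts": _ts(ts), "domain": "OT", "host": host, "type": etype,
                       "asset": asset, "value": value})
    return sorted(events, key=lambda e: e["ts"])


def filter_events(events: list) -> list:
    """Drop informational noise before correlation."""
    return [e for e in events if e["type"] in INTERESTING]


def correlate(events: list) -> list:
    """Raise a complex event when an OT control action has a risky IT precursor."""
    alerts = []
    for ev in events:
        if ev["type"] != "control_write":
            continue
        recent = [p for p in events if ev["ts"] - WINDOW <= p["ts"] < ev["ts"]]
        in_maintenance = any(p["type"] == "maintenance_window" and p["asset"] == ev["asset"]
                             for p in recent)
        risky_users = {p["user"] for p in recent
                       if p["type"] == "vpn_login" and p.get("src_geo") not in HOME_GEOS}
        sessions = [p for p in recent
                    if p["type"] == "remote_session_start" and p["host"] == ev["host"]
                    and p["user"] in risky_users]
        if sessions and not in_maintenance:
            alerts.append({"ts": ev["ts"], "host": ev["host"], "asset": ev["asset"],
                           "precursors": [f"{s['type']} user={s['user']}" for s in sessions]})
    return alerts


def analyze(it_log: str = IT_LOG, ot_log: str = OT_LOG) -> list:
    """Standardize -> filter -> correlate; the result is what goes to the SIEM/dashboard."""
    return correlate(filter_events(standardize(it_log, ot_log)))


if __name__ == "__main__":
    for alert in analyze():
        print(alert)
```

Neither log on its own is alarming: an operator's remote session is routine on the IT side, and a breaker command from an HMI is routine on the OT side. The alert only exists because the two domains are joined on host and time, which is the cross-domain visibility the slide is arguing for; the maintenance-window check is the "contextual data" that keeps the same rule from firing on scheduled work.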
Wrap Up
Main Takeaways - Challenges
Internet connected systems are vulnerable to attack 24/7 from anywhere in the world
The economic disruption caused by a successful attack on critical infrastructure and industrial environments means that controlling systems are the main target for attackers
Industrial control systems used to operate critical infrastructure are costly and complex and have extremely long lifespans, meaning that security mechanisms might not have been included or accounted for
The components used in critical infrastructure systems are often focused on a specific task or process and could have proprietary components that make integration with other components troublesome
Main Takeaways – Recommendations
The Industrial Internet of Things has great promise, but the security challenges surrounding its implementation must be addressed before these systems become widely embraced.
Integrate measures to protect the availability and integrity of Industrial Control Systems right from the start of an IT-OT Integration project
Don’t rely on IT experts to understand the complexity of your OT world, and vice versa – Get yourself an expert partner that understands both worlds
Align to government regulations for critical infrastructure availability and security. Use secure industrial standard communication protocols
Security needs to be designed into the end-to-end solution – incorporating both IT and OT operations.
The long life of OT means that obsolescence and replacement of components must be factored into the design of the solution
Questions & Answers