Introduction to SCADA Security


Page 1: Introduction to SCADA Security

Copyright 2013, Cimation. All Rights Reserved.

Introduction to SCADA Security

12/20/2013 Clint Bodungen

Class 5: Mitigation Strategies

Page 2: Introduction to SCADA Security


Now let’s take everything we’ve learned about Threats, Vulnerabilities, Exploits, and Attack Methodology, and apply it towards building mitigation strategies.

FACT: A study by DHS reported that by the time an intrusion is discovered, an average of at least 90 days has passed since the initial exposure.

FACT: That same study reported that, relating to ICS/SCADA networks, it takes an average of about a year from the time a vulnerability is discovered within an application or firmware until the vulnerability is patched within the operator’s systems.

(Idaho National Laboratories, “Empirical Estimates of Zero-Day Vulnerabilities in Control Systems”, 2009)

Mitigation STRATEGY


Page 3: Introduction to SCADA Security


Mitigation Strategy

Security 101: What are we protecting?

Enterprise priorities, in order: Confidentiality, Integrity, Availability

VS.

Industrial priorities, in order: Availability, Integrity, Confidentiality


Page 4: Introduction to SCADA Security


Mitigation Strategy

Security 101: Strategy Overview

• Risk can never be fully mitigated
• Risk is either mitigated, reduced or accepted/managed
• Remember our Threats, Vulnerabilities, and Exploits? Now think of these like a fire triangle (ingredients required for a fire to burn):

Take any one leg out, and the fire will be mitigated. This same principle applies with all 3 aspects of security.

[Diagram: the fire triangle beside the attack triangle, whose three legs are Vulnerability, Exploit and Threat]


Page 5: Introduction to SCADA Security


Mitigation Strategy

• Eliminating Exploits
– While you can’t eliminate exploits, understanding them will help you maximize your mitigation strategy later by knowing exactly what controls to implement and how to deploy them most effectively

• Eliminating Threats
– Like exploits, it is nearly impossible to eliminate the actual threats aside from terminating employees (not Arnold Schwarzenegger style)
– But understanding their methods allows you to anticipate how and when they will strike, thereby maximizing your mitigation deployments

• Eliminating Vulnerability
– Eliminating or blocking access to vulnerabilities is the only real direct control you have in the attack triangle scenario
– Primary methods of eliminating vulnerabilities:
• Restrict access to the system
• System Hardening (eliminate the vulnerability, remove/block the ability to exploit it)

Security 101: Strategy Overview


Page 6: Introduction to SCADA Security


Mitigation Strategy

• Network Segmentation
– The concept of filtering by protocol/services and by source and destination address to isolate network traffic and services from private or sensitive parts of the network; e.g., traffic restricted to an extranet
– Design the network architecture to separate “untrusted” traffic from “private” and “trusted” network segments/sub-domains
– Accomplished by:
• Filtering by protocol/services
• Filtering by source and destination address
• Network design
– ISA99/IEC 62443, NERC CIP, API 1164 and many other process control security standards require it

• Technologies
– Firewalls
• Implement stateful inspection
• White list IP address access when possible
• Explicit port ingress and egress when possible
• Should block malformed packets
• Detect and mitigate against DDoS or DoS storms
• Bridged “bump in the wire” firewall for field devices and SCADA network segmentation
– DMZ Implementation
• Denies endpoints access to networks when endpoints do not meet security requirements
• Allows thin client access instead of direct network access

Security 101: Restricting Network Access

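The firewall requirements listed on this page (stateful inspection, IP white list, explicit ingress/egress ports, dropping malformed packets, a DMZ for the historian) can be read as a single default-deny policy. The model below is an added example written for this transcript, not code from the Cimation deck or from any firewall product; the zones, addresses, hosts, rules and the historian port 8443 are constructed for illustration.

```python
"""Default-deny zone firewall model for an ICS network.

Added example for this transcript, not code from the Cimation deck. Zones,
hosts, ports and rules below are constructed for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address plan; zone names follow the network levels on the slides.
ZONES = {
    "control":     ip_network("10.1.0.0/24"),   # PLCs / RTUs
    "supervisory": ip_network("10.2.0.0/24"),   # HMI and SCADA servers
    "dmz":         ip_network("10.3.0.0/24"),   # data historian
    "enterprise":  ip_network("10.10.0.0/16"),  # business network
}


@dataclass(frozen=True)
class Rule:
    src_hosts: frozenset | None  # explicit IP white list, or None for any host in src_zone
    src_zone: str
    dst_zone: str
    proto: str
    dport: int


# Explicit ingress/egress: every permitted flow is named; anything else is dropped.
RULES = [
    # Only the HMI host may poll PLCs over Modbus/TCP.
    Rule(frozenset({"10.2.0.10"}), "supervisory", "control", "tcp", 502),
    # The SCADA server pushes data into the DMZ historian (constructed port 8443).
    Rule(frozenset({"10.2.0.20"}), "supervisory", "dmz", "tcp", 8443),
    # Enterprise users read the historian over HTTPS; no rule reaches the control zone.
    Rule(None, "enterprise", "dmz", "tcp", 443),
]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    syn: bool = True  # True: opens a new connection; False: part of an existing one


def zone_of(ip: str):
    """Return the zone an address belongs to, or None if it is in no known zone."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def is_malformed(p: Packet) -> bool:
    """Sanity checks standing in for the 'block malformed packets' requirement."""
    try:
        ip_address(p.src)
        ip_address(p.dst)
    except ValueError:
        return True
    ports_ok = 1 <= p.sport <= 65535 and 1 <= p.dport <= 65535
    return p.proto not in ("tcp", "udp") or not ports_ok


class StatefulFirewall:
    """Stateful inspection: replies are admitted only for a connection a rule opened."""

    def __init__(self):
        self.established = set()  # (client, sport, server, dport, proto)

    def decide(self, p: Packet):
        if is_malformed(p):
            return ("DENY", "malformed packet")
        if (p.dst, p.dport, p.src, p.sport, p.proto) in self.established:
            return ("ALLOW", "reply on established connection")
        if not p.syn:
            return ("DENY", "no connection state for mid-stream packet")
        src_zone, dst_zone = zone_of(p.src), zone_of(p.dst)
        if src_zone is None or dst_zone is None:
            return ("DENY", "address outside any known zone")
        for r in RULES:
            zone_match = (r.src_zone, r.dst_zone, r.proto, r.dport) == (src_zone, dst_zone, p.proto, p.dport)
            host_match = r.src_hosts is None or p.src in r.src_hosts
            if zone_match and host_match:
                self.established.add((p.src, p.sport, p.dst, p.dport, p.proto))
                return ("ALLOW", f"rule {src_zone}->{dst_zone} {r.proto}/{r.dport}")
        return ("DENY", "default deny")


def demo():
    """Run constructed flows through the policy; returns {label: (verdict, reason)}."""
    fw = StatefulFirewall()
    flows = {
        "hmi polls plc":            Packet("10.2.0.10", "10.1.0.5", "tcp", 40000, 502),
        "plc replies to hmi":       Packet("10.1.0.5", "10.2.0.10", "tcp", 502, 40000, syn=False),
        "plc opens session to hmi": Packet("10.1.0.5", "10.2.0.10", "tcp", 1025, 40000),
        "eng workstation to plc":   Packet("10.2.0.99", "10.1.0.5", "tcp", 40001, 502),
        "enterprise to plc":        Packet("10.10.4.7", "10.1.0.5", "tcp", 40002, 502),
        "enterprise to historian":  Packet("10.10.4.7", "10.3.0.10", "tcp", 40003, 443),
        "bad port":                 Packet("10.2.0.10", "10.1.0.5", "tcp", 40004, 70000),
    }
    return {label: fw.decide(pkt) for label, pkt in flows.items()}


if __name__ == "__main__":
    for label, (verdict, reason) in demo().items():
        print(f"{label:28s} {verdict:5s} {reason}")
```

Two details carry the slide's points: the PLC's reply is admitted by connection state rather than by a rule, so the control zone never needs an outbound "allow" of its own, and an engineering workstation in the right zone but outside the white list is still denied, which is what per-host white listing adds over zone-level filtering.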

Page 7: Introduction to SCADA Security


Mitigation Strategy

• Network Segmentation

Security 101: Restricting Network Access

[Diagram: segmented network levels, numbered 0 through 4 from the process upward: 1. Process, 2. HSE/Control, 3. Supervisory Control, 4. Operations Management, 5. Enterprise]


Page 8: Introduction to SCADA Security


Mitigation Strategy

• Technologies
– Firewalls and DMZ Implementation (as listed on page 6)
– Switch Port Security
• MAC address filtering helps prevent unauthorized port access to switches
• It’s not foolproof, as MAC addresses can be spoofed
• “Sticky MACs” tie specific MAC addresses to specific switch ports and add extra layers of security

Security 101: Restricting Network Access


Page 9: Introduction to SCADA Security


Mitigation Strategy

• Never use WiFi (802.x) on your SCADA Network!
• But if you feel you must:
– Do NOT use WEP
– Enable WPA/WPA2
– Use enterprise TKIP
– Change SSID default values from the vendor’s configuration
– Disable SSID broadcast
– Implement another layer of authentication (IPSec)
– Logically place the AP in a DMZ with a firewall between the AP and the internal network
– Physically place the AP in the center of the building if possible
• Beware of windows and other rogue APs

Security 101: Restricting Network Access


Page 10: Introduction to SCADA Security


Mitigation Strategy

• Password Security
– Poor, weak passwords have the following characteristics:
• Contain fewer than eight characters
• Are a word found in a dictionary (English or foreign)
• Are a common usage word such as
• Birthdays and other personal information, such as addresses and phone numbers
• Word or number patterns like
• Common words spelled backwards
• Any of the above preceded or followed by a digit (e.g., secret1, 1secret)

– Strong passwords have the following characteristics:
• Contain both upper and lower case characters
• Contain special characters
• Are at least eight alphanumeric characters long (15 characters to defeat rainbow tables)
• Are not a word in any language, slang, dialect, jargon, etc.
• Are not based on personal information, names of family, etc.
• Are never written down or stored online

Security 101: Restricting Host Access

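The weak and strong characteristics on this page translate directly into a password policy check. The checker below is an added example written for this transcript, not code from the Cimation deck; its word list, pattern list and personal-information samples are small constructed stand-ins for the wordlists a real checker would load. It goes slightly beyond the slide in one place: the "preceded or followed by a digit" rule is applied to leading and trailing punctuation as well, so `Welcome1!` is still recognised as a dressed-up dictionary word.

```python
"""Password quality check following the weak/strong criteria on page 10.

Added example for this transcript, not code from the Cimation deck. DICTIONARY,
PATTERNS and the personal-information samples are constructed stand-ins.
"""
import string

DICTIONARY = {"secret", "password", "welcome", "summer", "dragon", "operator", "scada"}
PATTERNS = {"12345678", "87654321", "qwertyui", "asdfghjk", "abcdefgh"}


def password_weaknesses(pw, personal_info=()):
    """Return the list of weak-password characteristics that apply to pw."""
    weak = []
    low = pw.lower()
    # 'secret1', '1secret', 'Welcome1!' -> 'secret', 'secret', 'welcome'
    core = low.strip(string.digits + string.punctuation)
    dressed = core != low  # digits/symbols were wrapped around a base word
    if len(pw) < 8:
        weak.append("shorter than eight characters")
    if core in DICTIONARY:
        weak.append("dictionary word with digits or symbols added" if dressed else "dictionary word")
    if core[::-1] in DICTIONARY:
        weak.append("reversed dictionary word with digits or symbols added" if dressed
                    else "dictionary word spelled backwards")
    if low in PATTERNS or len(set(low)) <= 2:
        weak.append("keyboard, sequence or repeated-character pattern")
    for item in personal_info:
        if item and item.lower() in low:
            weak.append(f"contains personal information ({item})")
    return weak


def is_strong(pw, personal_info=()):
    """True only if pw has none of the weaknesses above and meets the strong criteria."""
    if password_weaknesses(pw, personal_info):
        return False
    has_upper = any(c.isupper() for c in pw)
    has_lower = any(c.islower() for c in pw)
    has_special = any(c in string.punctuation for c in pw)
    return has_upper and has_lower and has_special and len(pw) >= 8


def rainbow_table_resistant(pw):
    """The slide's 15-character threshold for defeating precomputed hash tables."""
    return len(pw) >= 15


if __name__ == "__main__":
    # Constructed samples; 'bodungen' and '1984' stand in for the user's personal data.
    for candidate in ["secret1", "terces", "Welcome1!", "Bodungen1984", "Tr0ub4dor&3Dr!ft"]:
        print(candidate, password_weaknesses(candidate, ("bodungen", "1984")),
              "strong" if is_strong(candidate, ("bodungen", "1984")) else "weak")
```

A password that passes `is_strong` but not `rainbow_table_resistant` meets the eight-character floor yet stays short of the 15 characters the slide recommends against precomputed tables, so a policy would normally require both.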

Page 11: Introduction to SCADA Security


Mitigation Strategy

• Strong Authentication For Remote Access
– Something you know (e.g., a password)
– Something you have (e.g., a token or smart card)

NOTE - 2-Factor Authentication should be used for physical access as well:
– Proximity cards alone are simply RFID
– Proximity card + PIN or biometric reader should be used
– Proximity card access alone can be easily defeated
– Most organizations don’t use two-factor authentication with proximity card security

Security 101: Restricting Host Access


Page 12: Introduction to SCADA Security


Mitigation Strategy

• Use VPN when possible
• Secure Shell (SSH) instead of telnet
• SSL (HTTPS) instead of standard HTTP

Security 101: Communications Security


Page 13: Introduction to SCADA Security


Mitigation Strategy

• Security Patching & Anti-Virus Software
– Should be done in accordance with vendor recommendations
– Should be tested in a test and development environment before deploying
– Typical Anti-Virus drawbacks:
• Requires regular updates
• Signature based
• Only as good as the signatures and updates
• Does not protect against Zero-Day
• Use heuristics-based (can be difficult to “tune” and might cause problems in SCADA networks)

• Application White Listing (AWL)
– Provides an alternative when other malware prevention isn’t an option
– Only allows authorized processes to run, instead of being signature based
– Protects against most Zero-Day
– Small footprint
– Does not require updates
– “Learning modes” provide safe installation without interruption

Security 101: Blocking Exploitation/System Hardening

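The difference between signature-based anti-virus and application white listing is easiest to see in code: an AWL enforcer needs no knowledge of the malware at all, only a baseline of what is allowed to run. The model below is an added example written for this transcript, not code from the Cimation deck or from any AWL product. The "executables" are constructed byte strings standing in for binaries on a golden image, and the paths are constructed too.

```python
"""Hash-based application white list with a learning mode (page 13).

Added example for this transcript, not code from the Cimation deck or any AWL
product. GOLDEN_IMAGE holds constructed byte strings standing in for binaries.
"""
import hashlib


def fingerprint(content: bytes) -> str:
    """Identity of an executable is its content hash, not its path or name."""
    return hashlib.sha256(content).hexdigest()


class AppWhitelist:
    def __init__(self):
        self.approved = {}   # sha256 -> path the hash was first seen at
        self.learning = False
        self.log = []        # (path, short hash, verdict, reason)

    def learn(self, image):
        """Learning mode: baseline every executable on a known-good image, then lock."""
        self.learning = True
        for path, content in image.items():
            self.decide(path, content)
        self.learning = False

    def decide(self, path, content):
        """Enforcement decision for an execution request."""
        h = fingerprint(content)
        if h in self.approved:
            verdict = ("ALLOW", "approved hash")
        elif self.learning:
            self.approved[h] = path
            verdict = ("ALLOW", "added during learning mode")
        else:
            # Zero-day or not, an unknown binary is blocked; no signature is needed.
            verdict = ("BLOCK", "hash not on white list")
        self.log.append((path, h[:12], *verdict))
        return verdict


# Constructed golden image of an HMI host.
GOLDEN_IMAGE = {
    r"C:\SCADA\hmi.exe": b"MZ...hmi build 4.2 (constructed)",
    r"C:\SCADA\historian_agent.exe": b"MZ...historian agent 1.9 (constructed)",
}


def demo():
    """Baseline the image, then test execution requests; returns {label: verdict}."""
    awl = AppWhitelist()
    awl.learn(GOLDEN_IMAGE)
    return {
        "unchanged hmi": awl.decide(r"C:\SCADA\hmi.exe", GOLDEN_IMAGE[r"C:\SCADA\hmi.exe"]),
        "tampered hmi (same path)": awl.decide(
            r"C:\SCADA\hmi.exe", b"MZ...hmi build 4.2 (constructed) + patched bytes"),
        "approved binary under a new name": awl.decide(
            r"D:\tmp\x.exe", GOLDEN_IMAGE[r"C:\SCADA\historian_agent.exe"]),
        "unknown dropper": awl.decide(
            r"C:\Users\op\Downloads\update.exe", b"MZ...never seen before (constructed)"),
    }


if __name__ == "__main__":
    for label, (verdict, reason) in demo().items():
        print(f"{label:34s} {verdict:5s} {reason}")
```

The third case is the caveat a practitioner should keep in mind: because the list is keyed on content, an approved binary copied elsewhere still runs, so AWL controls what code executes, not how an operator uses it. The learning-mode baseline must therefore be taken from a clean image, which is why the slide pairs AWL with tested patching rather than treating it as a replacement.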

Page 14: Introduction to SCADA Security


Mitigation Strategy

• ICS/SCADA System Specific Security
– SCADA, DCS or HMI Software
• Should be run under a user account with least privileges.
• The software’s security model should be used for individual (not group) login accounts, for accountability.
• All user actions should be logged.
• SCADA, DCS or HMI software should be on a patch cycle based on the frequency of change from the vendor. BHP should not allow its software to get more than (3) revisions old if an upgrade or patch can be safely made without affecting the operations of the facility.
• Set key executables, services and DLLs to auto-restart upon failure.
– Data Historian or Archival Applications
• Should be installed in a neutral DMZ network, not in SCADA or IT environments.
• Do not install multiple network cards in the historian server and directly connect it to all networks that it needs to communicate with.
• Specific firewall rules should govern the flow of data from SCADA to the data historian servers.

Security 101: Blocking Exploitation/System Hardening


Page 15: Introduction to SCADA Security


Mitigation Strategy

• Intrusion Detection System (IDS)
– Requires expertise
– Limited application

• Security Information and Event Management (SIEM)
– Combines IDS, management console, log management, vulnerability assessment integration, etc.
– Adds threat intelligence
– Vendors:
• AlienVault
• OSSIM (free AlienVault)
• McAfee SIEM (Nitro)
• ArcSight
• QRadar
• Cisco MARS

Security 101: Monitoring


Page 16: Introduction to SCADA Security


Mitigation Strategy

• Standards and best practices recommend a layered defense model (a.k.a. Defense in Depth)
• Multiple layers of security controls provide enhanced deterrence against all but the most determined attackers, in addition to alternative defense where direct controls are not an option
– For example: anti-virus software may not be an option for some DCS environments, so an alternative, layered defense would be appropriate

Layered “Defense in Depth” Strategy


Page 17: Introduction to SCADA Security


Mitigation Strategy

• But this can be taxing on resources
• How can we maximize the cost/benefit ratio?

Layered “Defense in Depth” Strategy


Page 18: Introduction to SCADA Security


Mitigation Strategy

• The Topological Vulnerability Analysis (TVA) strategy is much more efficient in terms of resource utilization

• When combined with a proper risk analysis, TVA provides a strategy that still effectively mitigates security threats while meeting budget requirements

• TVA provides a comprehensive view of your organization’s risk profile by overlaying system vulnerability details and potential attack paths onto a network diagram.

Topological Vulnerability Analysis Strategy (TVA)


Page 19: Introduction to SCADA Security


Mitigation Strategy

• Inventory systems, diagram networks and communication paths

• Determine system criticalities

• Assess and rate threats and vulnerabilities

• Estimate attack methodologies and likelihood according to communication paths

• Prioritize mitigation by most critical systems with the highest level of vulnerabilities and the most communication pathways

Topological Vulnerability Analysis Strategy (TVA)

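The five TVA steps on this page (inventory and diagram, rate criticality, rate vulnerabilities, estimate attack paths along communication paths, prioritize) can be carried out on a small constructed network to see how the ranking falls out. The script below is an added example written for this transcript, not code from the Cimation deck or from any TVA tool; the hosts, their criticality and vulnerability ratings (on a 1 to 5 scale), and the permitted communication paths are all constructed, and the scoring formula (criticality times vulnerability times number of reachable attack paths) is one simple reading of the slide's last bullet, not a published method.

```python
"""Topological Vulnerability Analysis on a constructed network diagram (pages 18-19).

Added example for this transcript, not code from the Cimation deck or any TVA tool.
NODES, EDGES and the 1-5 ratings are constructed; the score is a simple reading of
'most critical, most vulnerable, most communication pathways'.
"""

# Step 1-3: inventory with criticality and vulnerability ratings.
NODES = {
    "internet":      {"criticality": 0, "vuln": 0},  # untrusted entry point
    "corp-ws":       {"criticality": 1, "vuln": 3},
    "historian-dmz": {"criticality": 2, "vuln": 2},
    "scada-server":  {"criticality": 4, "vuln": 3},
    "hmi":           {"criticality": 4, "vuln": 4},
    "plc-boiler":    {"criticality": 5, "vuln": 5},
    "plc-pump":      {"criticality": 3, "vuln": 5},
}

# Directed communication paths the network currently permits (the network diagram).
EDGES = [
    ("internet", "corp-ws"),
    ("corp-ws", "historian-dmz"),
    ("corp-ws", "scada-server"),       # direct path that bypasses the DMZ
    ("historian-dmz", "scada-server"),
    ("scada-server", "hmi"),
    ("scada-server", "plc-boiler"),
    ("hmi", "plc-boiler"),
    ("hmi", "plc-pump"),
]


def attack_paths(edges, src, dst):
    """Step 4: enumerate simple paths from src to dst along permitted communications."""
    adj = {}
    for a, b in edges:
        adj.setdefault(a, []).append(b)
    paths = []

    def walk(node, path):
        if node == dst:
            paths.append(list(path))
            return
        for nxt in adj.get(node, []):
            if nxt not in path:          # simple paths only: no revisits
                path.append(nxt)
                walk(nxt, path)
                path.pop()

    walk(src, [src])
    return paths


def prioritize(nodes, edges, entry="internet"):
    """Step 5: rank systems by criticality x vulnerability x reachable attack paths."""
    ranking = []
    for name, attrs in nodes.items():
        if name == entry:
            continue
        n_paths = len(attack_paths(edges, entry, name))
        score = attrs["criticality"] * attrs["vuln"] * n_paths
        ranking.append((name, score, n_paths))
    return sorted(ranking, key=lambda t: t[1], reverse=True)


def without(edges, edge):
    """The diagram after one communication path has been removed (a mitigation)."""
    return [e for e in edges if e != edge]


if __name__ == "__main__":
    print("before:", prioritize(NODES, EDGES))
    hardened = without(EDGES, ("corp-ws", "scada-server"))
    print("after: ", prioritize(NODES, hardened))
```

On this constructed diagram the boiler PLC ranks first with four attack paths, even though two hosts share its vulnerability rating, because every path from the enterprise side converges on it. Removing the single corp-ws to scada-server path halves its reachable paths and its score; that is the resource argument of page 18, since one firewall rule change lowers the exposure of the most critical system more than patching the least critical one would.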

Page 20: Introduction to SCADA Security


Questions?

Clint Bodungen, Senior ICS/SCADA Security Researcher, Cimation



If you liked this week’s cyber security training lectures on ICS/SCADA security, check out Cimation University! Coming January 2014:

• Introduction to ICS/SCADA Security
• ICS/SCADA Security Vulnerability Assessment (SVA)
• ICS/SCADA Security Risk Analysis and Mitigation
• Hacking SCADA: Advanced ICS/SCADA Vulnerability Assessment & Penetration Testing

www.cimation.com/CimationUniversity