IoT Security Update: Understanding IT vs. OT Concerns


© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1


Robert Albach

Security Product Line Manager

Cisco IoT Business Unit

[email protected]


• This session will discuss the security options available today in the Cisco portfolio for some sample industrial needs, as well as coming products.

• We will discuss a step-by-step approach to building out a secured OT infrastructure for your customers.


• Primarily an IT-oriented audience with some industrial networking awareness.

• NetAcad students and Instructors

• A moderate to good grounding in security and network design concepts.


• Why the need for a change in OT Security?

• Some Quick IT vs. OT Differences

• Where to Start with Security

• Phased Approach

• Learning – Your own Progress to Success


• Operations Technology

“Industrial” NW and Compute

Working with electronic endpoints (IEDs) where the end point generally has no people involved

Autonomous but highly limited

More than SCADA

…and what is that SCADA (Supervisory Control and Data Acquisition) thing?

Or is that ICS (Industrial Control Systems)?

Same / Different

Depends on your POV


Why Must OT Security Change?

• Trends in discovery and correlation with external events.

[Chart: Vulns, Stux News and Black Hat talks per year, 2001 to 2014, plotted on two y-axes (0 to 14 and 0 to 400). Source: osvdb.org; Black Hat; Google News search]


• How Networks were built

• Network / Device Attributes

• Network traffic differences


• Manufacturing

Ad Hoc – This piece of the NW was built by our paint system provider.

Multiple sources – This section came from the conveyor system.

Assembled - The integrator put these pieces together.

• Utilities

Top Down – “We (our engineering consultants) built this sub-station.”

Integrated – “We interface with the LCRA here (grid interconnects).”

TelComm groups - <if the utility is large enough>


• Transport

Bus / Train / Plane / Boarding systems / ticket systems / physical security

Each from a different source / different “network”

• Oil and Gas / Mining

Upstream – exploration / drilling / production / pipeline

Downstream – refinery / pipeline / retail


| Security Policies | IT Network | IoT Network |
|---|---|---|
| Focus | Protecting Intellectual Property and Company Assets | 24/7 Operations, High OEE, Safety, and Ease of Use |
| Priorities | 1. Confidentiality, 2. Integrity, 3. Availability | 1. Availability, 2. Integrity, 3. Confidentiality |
| Types of Data Traffic | Converged Network of Data, Voice and Video (Hierarchical) | Converged Network of Data, Control Protocols, Information, Safety and Motion (P2P & Hierarchical) |
| Access Control | Strict Network Authentication and Access Policies | Strict Physical Access; Simple Network Device Access |
| Implications of a Device Failure | Continues to Operate | Could Stop Processes, Impact Markets, Physical Harm |
| Threat Protection | Shut Down Access to Detected Threat and Remediate | Potentially Keep Operating with a Detected Threat |
| Upgrades and Patch Mgmt | ASAP During Uptime | Scheduled During Downtime |

Most commonly heard concerns: availability, safety, and ease-of-use.

Biggest pain point is the management of who, what, where, when, and how (people, data, devices, and processes).


| Asset | Description | Examples and Notes |
|---|---|---|
| IEDs | Intelligent Electronic Device – Commonly used within a control system, and equipped with a small microprocessor to communicate digitally. | Sensor, actuator, motor, transformer, circuit breaker, pump |
| RTUs | Remote Terminal Unit – Typically used in a substation or remote location. It monitors field parameters and transmits data back to the central station. | Overlap with PLC in terms of capability and functionality |
| PLCs | Programmable Logic Controller – A specialized computer used to automate control functions within an industrial network. | Most PLCs do not use a commercial OS, and use “ladder logic” for control functions |
| HMIs | Human Machine Interface – Operator’s dashboard or control panel to monitor and control PLCs, RTUs, and IEDs. | HMIs are typically modern control software running on modern operating systems (e.g. Windows). |
| Supervisory Workstations | Collect information from industrial assets and present the information for supervisory purposes. | Unlike an HMI, a supervisory workstation is primarily read-only. |
| Data Historians | Software system that collects point values and other information from industrial devices and stores them in a specialized database. | Typically with built-in high availability and replicated across the industrial network. |
| Other Assets | Many other devices may be connected to an industrial network. | For example, printers can be connected directly to a control loop. |

[Figure: assets arranged along two axes, Complexity (less to more) and Threat Vectors (less to more), with unlabeled percentage shares]


Every Network has its Challenges

IT Networks

Lots of Different Applications

Dynamic

Interoperability rarely constrained

Large market of knowledgeable workers

OT Networks

Fixed / Limited Applications

Stagnant / Stable

Limited interoperability


IT Networks – Data Flows

End points are smart – independently driven.

If data leaves – it goes far…

Web – data center / internet

Email

File / Print shares

Nearby devices largely unrelated

When the end points talk:

Short conversations

Lots of connections

Short TCP sessions – SYN, SYN/ACK, ACK – a few secs max

Largely egalitarian – anybody talk to anybody


OT Networks – Data Flows

End points are not smart – repetitive.

If data leaves – it goes to same places

…or not far at all

Interaction is largely local

Movement not very visible

if it does leave – streams out

Not a conversation

When the end points talk:

Long conversations

Lots of connections

Long TCP sessions – lots of keep-alives – hours / days
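The two traffic profiles just described can be turned into a baseline: an OT endpoint talks to the same few peers in long sessions, so a new peer or a burst of short sessions is worth an alert. This is an added example on constructed flow records, not material from the original deck; the addresses, ports and thresholds are assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed flow records: (src, dst, dst_port, duration_seconds).
# 10.10.1.0/24 is an assumed cell network; 10.20.0.0/16 an assumed office network.
BASELINE = [
    ("10.10.1.5", "10.10.1.20", 502, 7200.0),     # PLC <-> HMI, Modbus/TCP, hours
    ("10.10.1.5", "10.10.1.20", 502, 86400.0),
    ("10.10.1.5", "10.10.1.30", 20000, 43200.0),  # PLC <-> historian, DNP3
    ("10.20.3.9", "203.0.113.5", 443, 1.2),       # office PC, web
    ("10.20.3.9", "203.0.113.8", 443, 0.8),
    ("10.20.3.9", "10.20.0.25", 445, 30.0),       # file share
    ("10.20.3.9", "10.20.0.26", 25, 2.5),         # mail
]

def profile(flows):
    """Per source address: distinct (peer, port) pairs and median session length."""
    peers, durations = defaultdict(set), defaultdict(list)
    for src, dst, port, dur in flows:
        peers[src].add((dst, port))
        durations[src].append(dur)
    return {s: {"peers": peers[s], "median_s": median(durations[s])} for s in peers}

def label(stats, long_session_s=600.0, few_peers=3):
    """OT-like: few, fixed peers and long sessions; anything else looks IT-like."""
    if stats["median_s"] >= long_session_s and len(stats["peers"]) <= few_peers:
        return "OT-like"
    return "IT-like"

def deviations(baseline_flows, new_flows, long_session_s=600.0):
    """Return (src, dst, port, reason) for OT-like sources that either talk to a peer
    absent from their baseline or open a short-lived session; both break the
    repetitive profile. IT-like sources are too variable to judge this way."""
    base = profile(baseline_flows)
    findings = []
    for src, dst, port, dur in new_flows:
        if src not in base or label(base[src]) != "OT-like":
            continue
        if (dst, port) not in base[src]["peers"]:
            findings.append((src, dst, port, "new peer for OT endpoint"))
        elif dur < long_session_s:
            findings.append((src, dst, port, "short-lived session from OT endpoint"))
    return findings

if __name__ == "__main__":
    for src, stats in profile(BASELINE).items():
        print(src, label(stats), len(stats["peers"]), "peers, median", stats["median_s"], "s")
    new = [("10.10.1.5", "10.10.1.20", 502, 3600.0),
           ("10.10.1.5", "198.51.100.7", 502, 2.0),
           ("10.10.1.5", "10.10.1.20", 502, 0.5),
           ("10.20.3.9", "203.0.113.9", 443, 1.0)]
    for f in deviations(BASELINE, new):
        print("ALERT", f)
```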


• An attribute of discrete / segmented modularly built networks <like manufacturing systems>

• Generally references network span

• Small subnets

• Zone segmentation much more than VLANs

*Rockwell Automation


• NTP – Network Time Protocol

Precision levels - coarse

CPU or mother board oscillator

• PTP – Precision Time Protocol

Precision levels 100 ns

Specialized HW <Phy level>

Smart Grid

Industrial Solutions


• Weak Access controls to HMI and other equipment

− Separation of duty for operator, administrator, audit

− Little or no Password management

• Physical segmentation of the SCADA network

− Dual-homed servers or PLCs act as Firewall

− Segmented network has only physical security

• Unauthenticated command execution

• Communication is un-encrypted

• Outdated operating systems left unpatched

• Rogue wireless access points without encryption

• Insufficient controls on contractors (e.g. access policy, laptops)


By count, most of the “things” in IoT won’t have an IP address.


• The obvious – Industrial conditions are more strenuous

• Next obvious – meeting those needs is not an “add on” activity

• Not so obvious – never confuse “operating” levels with “non-operating” levels

Believability / Liability

Operating Environment: -40C to 60C in a fully enclosed cabinet (no airflow)

Storage Environment: Temperature -40 to +85 degrees C


• Driven by the IT vs. OT differences discussed

Frequently - Latency trumps Throughput

Frequently - Application control trumps Threat control

Frequently – Simplicity trumps Sophistication

This equipment *might* get swapped out in a decade.

…Availability trumps Security

• Hardware / Software must change to respond


• Introduce Ethernet

• ISA-99 Compliance

Separate / Segregate into Zones

Connect via Conduits

Functions / Protocols / Applications


• Design your networks

Physical / Logical Organization

Mostly Physical

• Remember the OT NW Traffic Profile?

Intra-”cell” traffic is dominant

Little cell to cell communication

Lends itself to the zone / conduit model


Controlled Communications

Think ACLs

DACLs?

Or perhaps Security Group Tags (SGTs)?

Think VLANs

Secured Communications

Think VPNs


Phase 1: What they have today –

Network design

Switches and Routers

Phase 2: With dedicated security offerings

Firewalls (ASA)

NG IPS (SourceFire)

Phase 3: Beyond Zones and Conduits


• A bad network design is as big a threat to security success as the lack of security.

• Better to know what you are missing than to think you are safe.

[Diagram: a plant network grown from Enterprise Ethernet, Proprietary Ethernet, I/O Fieldbus, Motion Net and Safety Net segments, linked “to next machine” in STAR, TRUNK/DROP, FIBER RING and DAISY CHAIN topologies]

This does not mean that there was no architecture; it is likely that the architecture eroded over time.


• Switches / Routers / Wireless

• Management

• Advantages:

Simple – easily achieved, limited knowledge needed

Checkbox security

• Disadvantage:

Static – less flexible

Usually results in wider access than desired

VLAN propagation


• Get them networked!

• Design the network with Zones / Conduits in mind.

• Build the network with the future in mind – dedicated security appliances / features

• What to deploy:

Industrial Switches / Routers / Wireless (combinations)

NW Expertise

• Who:

Local Buying Center

OT Centric

Some Possible IT Department Involvement

Basic NW knowledge at play (but still possibly new)


• Dedicated Security Appliances

• Network Security Monitoring – Level 1

• Who:

Local Buying Center

OT Centric

Some Possible IT Department Involvement

Introducing Security unique knowledge

Assume there are no CC** involved in the implementation

Don’t assume they are dumb – they debug with oscilloscopes


• Where - At major demarcation points

IT >> OT (Layer 3.5)

Physical / Functional NW

Plant level / Generation level

Floor level / Distribution level

Cell level / Sub-station level

• What - Firewall / IPS

Multi-context for traffic specific needs

VPNs

Application Control

Protocols / Applications / Individual Commands

Threats

Generic / OS Specific / Application Specific

Don’t just throw an IT solution with a few new signatures into a 3rd party shell!


[Product photo callouts: RJ console; power inputs A and B (5.0 mm centers); reset; front serial; label; mini USB console with Hazloc screw; dual USB-A with Hazloc screws; alarm connector (3.81 mm centers); chassis ground connection; RJ management port; dual Ethernet ports; SD card slot]

…and this device should run for DECADES


• Identifiers

Threats

Protocols

Applications / Commands / Devices

• Configurations

OT Rules Configurations

OT Function Prioritizations

IT Rules / Function De-Prioritizations


• Threat protection grows as threats grow

• Updates are like AV updates – automated and no impact on base code

(1:29202) PROTOCOL-SCADA Modbus read coil status response - too many coils

(1:29203) PROTOCOL-SCADA Modbus read fifo response invalid byte count

(1:29204) PROTOCOL-SCADA Modbus read holding register response - invalid byte count

(1:29205) PROTOCOL-SCADA Modbus read input registers response invalid byte count

(1:29206) PROTOCOL-SCADA Modbus read write register response - invalid byte count

(1:29317) PROTOCOL-SCADA Modbus invalid exception message

(1:29318) PROTOCOL-SCADA Modbus invalid encapsulated interface response

(1:29319) PROTOCOL-SCADA Modbus invalid encapsulated interface request

(1:29505) PROTOCOL-SCADA IGSS dc.exe file execution directory traversal attempt

(1:29515) PROTOCOL-SCADA ScadaTec Procyon Core server password overflow attempt

(1:29534) PROTOCOL-SCADA CODESYS Gateway-Server invalid memory access attempt

(1:29954) PROTOCOL-SCADA CODESYS Gateway-Server heap buffer overflow attempt

(1:29959) PROTOCOL-SCADA Siemens SIMATIC WinCC flexible runtime stack buffer overflow attempt

(1:29960) PROTOCOL-SCADA Siemens SIMATIC WinCC flexible runtime DoS attempt

(1:29964) PROTOCOL-SCADA Siemens SIMATIC WinCC flexible runtime directory traversal attempt

(1:15071) PROTOCOL-SCADA Modbus exception returned

(1:15074) PROTOCOL-SCADA Modbus user-defined function code - 65 to 72

(1:15075) PROTOCOL-SCADA Modbus user-defined function code - 100 to 110

(1:15389) PROTOCOL-SCADA OMRON-FINS memory area write attempt

(1:15390) PROTOCOL-SCADA OMRON-FINS memory area fill attempt

(1:15391) PROTOCOL-SCADA OMRON-FINS memory area transfer attempt

(1:15713) PROTOCOL-SCADA DNP3 device trouble

(1:15714) PROTOCOL-SCADA DNP3 corrupt configuration

(1:15715) PROTOCOL-SCADA DNP3 event buffer overflow error

(1:15716) PROTOCOL-SCADA DNP3 parameter error

(1:15717) PROTOCOL-SCADA DNP3 unknown object error

(1:15718) PROTOCOL-SCADA DNP3 unsupported function code error

(1:15719) PROTOCOL-SCADA DNP3 link service not supported

(1:17782) PROTOCOL-SCADA Modbus write multiple registers from external source

(1:17783) PROTOCOL-SCADA Modbus write single register from external source

(1:17784) PROTOCOL-SCADA Modbus write single coil from external source

(1:17785) PROTOCOL-SCADA Modbus write multiple coils from external source

(1:17786) PROTOCOL-SCADA Modbus write file record from external source

(1:17787) PROTOCOL-SCADA Modbus read discrete inputs from external source

(1:17788) PROTOCOL-SCADA Modbus read coils from external source

(1:17789) PROTOCOL-SCADA Modbus read input register from external source

(1:17790) PROTOCOL-SCADA Modbus read holding registers from external source

(1:17791) PROTOCOL-SCADA Modbus read/write multiple registers from external source
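Several of the rules above reduce to checks a conduit monitor can make on a Modbus/TCP frame: a byte count that disagrees with the MBAP length field, an exception response, a user-defined function code (65 to 72, 100 to 110), or a read or write issued from outside the cell. The following is an added example on constructed frames, not Cisco or Sourcefire rule content; the zone peer list and addresses are assumptions.

```python
import struct

# Public function codes from the Modbus application protocol specification.
READ_FCS = {1: "read coils", 2: "read discrete inputs",
            3: "read holding registers", 4: "read input registers"}
WRITE_FCS = {5: "write single coil", 6: "write single register",
             15: "write multiple coils", 16: "write multiple registers",
             21: "write file record", 23: "read/write multiple registers"}
PUBLIC_FCS = {**READ_FCS, **WRITE_FCS}
USER_DEFINED_FCS = set(range(65, 73)) | set(range(100, 111))

# Assumed zone policy: the cell's own HMI and historian are the only expected peers.
ZONE_PEERS = {"192.0.2.10", "192.0.2.11"}   # constructed addresses (RFC 5737)

def parse_mbap(frame: bytes):
    """Split a Modbus/TCP frame into MBAP fields and PDU; None if malformed.
    The MBAP length field counts the unit identifier plus the PDU bytes."""
    if len(frame) < 8:
        return None
    tid, proto, length, unit = struct.unpack("!HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        return None
    return {"tid": tid, "unit": unit, "fc": frame[7], "data": frame[8:]}

def classify(src_ip: str, frame: bytes):
    """Return alert strings for one frame observed on a conduit into the cell."""
    msg = parse_mbap(frame)
    if msg is None:
        return ["malformed Modbus/TCP frame (bad protocol id or byte count)"]
    fc, data = msg["fc"], msg["data"]
    if fc & 0x80:                                # exception response: high bit set
        code = data[0] if data else None
        return [f"Modbus exception returned (fc {fc & 0x7F}, code {code})"]
    if fc in USER_DEFINED_FCS:
        return [f"Modbus user-defined function code {fc}"]
    if fc in PUBLIC_FCS and src_ip not in ZONE_PEERS:
        kind = "write" if fc in WRITE_FCS else "read"
        return [f"Modbus {PUBLIC_FCS[fc]} ({kind}) from external source {src_ip}"]
    return []

def mb_frame(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Build a constructed Modbus/TCP frame with a consistent MBAP length field."""
    pdu = bytes([fc]) + data
    return struct.pack("!HHHB", tid, 0, len(pdu) + 1, unit) + pdu

if __name__ == "__main__":
    write16 = struct.pack("!HHB", 0, 2, 4) + b"\x00\x01\x00\x02"   # 2 registers
    samples = [("192.0.2.10", mb_frame(1, 1, 16, write16)),       # HMI write: expected
               ("198.51.100.7", mb_frame(2, 1, 16, write16)),     # outsider write
               ("198.51.100.7", mb_frame(3, 1, 66, b"\x00")),     # user-defined fc
               ("192.0.2.11", mb_frame(4, 1, 0x83, b"\x02"))]     # exception reply
    for ip, fr in samples:
        print(ip, classify(ip, fr) or ["ok"])
```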


• NSM or Network as Security Sensor / Enforcer

• Acknowledges that product(s) alone are not enough.

• Answers the question:

What am I looking for?

What do I do when I find it?

BUT – who knows what they are looking for?


• General MSSP Services

Your Services

Cisco Remote Managed Services

Your Favorite Partner

IT Department’s Favorite Partner

• OT Knowledgeable

Your Services

Cisco Secure Ops

Your Favorite Partner

Probably not IT Department’s Favorite Partner


• Beyond Zones and Conduits

• Where the IT and OT NW and Security Converge

• Who:

More Central IT Buying Center

IT NW and IT Security Involved

Dedicated Security teams

IT

OT (hopefully)


• Security Overlays

Enhanced Access Control Policy Management

SIEMs

Network Behavior Analysis

• Enhanced Protections

Heuristics

Malware ID

Sandboxing

• Content

Email

Web

• ISE*

• Partner SIEMs*

• Cisco Cyber Threat Defense*

• IOC*

• AMP*

• ThreatGRID*

• ESA

• WSA


• Networking

• Security Basics

ASA (Firewall)

SourceFire (NG IPS)

• Trustsec / ISE

• Cisco Connected X / Industry Solutions

Cisco Architectures with Security


Robert Albach

[email protected]