
Practical Applications for Automation Systems Management

Walter Sikora, Vice President, Security Solutions, Industrial Defender
Mike Dugent, Security Consultant, Industrial Defender

2012 SANS North America SCADA & Process Control Summit

1/29/2012 3© 2010 Industrial Defender

Understanding the differences

| Enterprise IT Systems Management | Automation Systems Management |
|---|---|
| Not life threatening | Safety first |
| Availability important | Non-interruption critical |
| Transactional orientation | Real-time focus |
| IBM, SAP, Oracle, etc. | ABB, Siemens, GE, Honeywell, Emerson, etc. |
| People ~= Devices | Few people; many, many devices |
| PCs and Servers | Sensors, Controllers, Servers |
| Web services model is dominant | Polled process control model |
| MS Windows is dominant OS | Vendor embedded operating systems |
| Many commercial software products installed on each PC | Purpose-specific devices |
| Protocol is primarily HTTP/HTTPS over TCP/IP - widely known | Many industrial protocols, some over TCP/IP - vendor and sector-specific |
| Office environment, plus mobile | Harsh operating plant environments |
| Cross-industry IT jargon | Industry sector-specific jargon |
| Cross-industry regulations (mostly) | Industry-specific regulations |


The Challenges in Automation Systems Management

• Automation Systems becoming more complex:
  o Mix of legacy and next generation architectures
  o Heterogeneous systems
  o Exponential increase in intelligent devices
  o Unclear responsibility/ownership

• Need for increased security
  o Threat landscape is only getting worse

• Increasing compliance requirements
  o Both internal (audit) and external (regulatory)

• Downward budgetary pressure

• Fewer resources / increasing skill set gaps

Managing Diverse Requirements of Automation Systems Environments

The convergence of:

Balancing Operational Requirements with Security, Compliance, Change Management requirements


Key Requirements for Addressing Challenges in Automation Systems Management

• Solutions that will automate and manage tedious manual tasks, resulting in:
  – Reduced labor cost
  – Reduced complexity
  – Improved operations efficiency

• Unified approach to security, compliance, and change management activities

• Purpose built tools engineered with deep domain expertise
  – OT is different from IT

• Eliminate need to deploy and manage multiple point solutions

Lowers Total Cost of Ownership


System is PWNED

The steps below are numbered in the order shown in the slide's attack diagram. Each "Policy" line is the site policy that was in force at that step; the attacker worked with, not against, those policies.

1. Attacker disguises as security expert at conference and hands out CD.
2. Victim takes CD to office and opens PDF files on business computer – no viruses found.
   Policy: Automatic AV scan on all removable media and downloaded files.
3. Backdoor created and attacker is "called" via standard service ports.
   Policy: HTTP TCP/80 only open for outbound traffic originating inside.
4. Attacker works on victim computer at night with access to credentials, files, remote desktop.
   Policy: Computers to remain ON at night for backup and patching.
5. Attacker finds VPN connection to trusted control system network.
   Policy: No connections below ICS-DMZ shall be allowed except through VPN tunnels.
6. Attacker compromises engineering workstation with previously captured password hash.
   Policy: Single sign-on shall be used across entire enterprise.
7. Firewall ruleset modified to allow outbound connections.
8. Backdoor created and attacker is "called" via new service port.
9. System is PWNED.

“Think like a hacker ... to secure industrial control systems”


What we’ve learned from recent hacks…

• Anti-virus would not have prevented hacks like Stuxnet, Duqu or Night Dragon

• Perimeter and data diodes would not have prevented them

• Air gapping would not have prevented them

• Being compliant with NERC CIP would not have stopped them

• Logging would not have stopped them, but would have detected them

• Managing changes would have detected them

• Host Intrusion prevention “Whitelisting” would have prevented some of them

Automation control systems are vulnerable and are being targeted. Adversaries are thinking and working on how to attack your system.


SANS Top 20 Critical Security Controls - Version 3.1

Critical Control 1: Inventory of Authorized and Unauthorized Devices
Critical Control 2: Inventory of Authorized and Unauthorized Software
Critical Control 3: Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
Critical Control 4: Continuous Vulnerability Assessment and Remediation
Critical Control 5: Malware Defenses
Critical Control 6: Application Software Security
Critical Control 7: Wireless Device Control
Critical Control 8: Data Recovery Capability
Critical Control 9: Security Skills Assessment and Appropriate Training to Fill Gaps
Critical Control 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches


SANS Top 20 Critical Security Controls…

Critical Control 11: Limitation and Control of Network Ports, Protocols, and Services
Critical Control 12: Controlled Use of Administrative Privileges
Critical Control 13: Boundary Defense
Critical Control 14: Maintenance, Monitoring, and Analysis of Security Audit Logs
Critical Control 15: Controlled Access Based on the Need to Know
Critical Control 16: Account Monitoring and Control
Critical Control 17: Data Loss Prevention
Critical Control 18: Incident Response Capability
Critical Control 19: Secure Network Engineering
Critical Control 20: Penetration Tests and Red Team Exercises


Critical Control 14: Maintenance, Monitoring, and Analysis of Security Audit Logs

• Log monitoring is key but…
  – It’s difficult to configure, manage and keep systems up to date

• Log monitoring is difficult
  – It’s boring
  – It’s hard to develop and maintain skills
  – Many devices do not provide logs
  – It’s a 24x7 job

• Consider outsourcing to an MSSP


No Silver bullets

• Many open source and home grown security solutions
  • Swatch
  • Snare
  • syslog-ng
  • Splunk
  • Shell scripts
  • Kiwi
  • LogView4Net
  • Flow tools
  • Countless commercial solutions

People who have built their own solutions now face the maintenance burden


What to log?

• Collect all CCA (Critical Cyber Asset) logs and events to a central event collector

• Monitor:
  – Servers, Workstations, HMIs
  – Applications, Databases
  – PLCs, RTUs, IEDs
  – Gateways, Routers, Switches
  – Firewalls, Access control, VPN

• Analyze logs for events of interest like:
  – Unauthorized access
  – Failed logins
  – System changes
  – Root users


Finding that event of interest is hard – if done manually


What events are interesting?

• Just logging is not enough
• You either must manually review logs or automate
• Having a baseline of your system is helpful
• Look for anything that is not normal or not expected on the system
• Document your actions and activity

• Top Five from SANS
  – Attempts to gain access through existing accounts
  – Failed file or resource access attempts
  – Unauthorized changes to users, groups, and services
  – Suspicious or unauthorized network traffic patterns
  – Systems most vulnerable to attack
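The following is an added example, not code from the slides or from Industrial Defender: it runs the "events of interest" logic the two slides above describe (failed logins, access through existing accounts, root escalation, new users, firewall and service changes) over a constructed batch of syslog-style lines. The line format, host names, user names, the failed-login threshold, the business-hours window and the expected-service list are all assumptions made for the demo.

```python
"""Added example (not from the slides): scan a constructed batch of
syslog-style lines for the 'events of interest' the deck lists: access
through existing accounts, failed access attempts, unauthorized changes to
users and services, and suspicious network/firewall changes.

Everything below is constructed for the demo: the line format, host names,
user names, the thresholds and the expected-service list are assumptions,
not values from the original page."""
import re
from collections import Counter, defaultdict

# Constructed sample log lines (syslog-like; one event per line).
SAMPLE_LOGS = """\
Jan 29 02:01:05 hmi-01 sshd[812]: Failed password for operator from 10.10.5.23 port 51022 ssh2
Jan 29 02:01:09 hmi-01 sshd[812]: Failed password for operator from 10.10.5.23 port 51023 ssh2
Jan 29 02:01:14 hmi-01 sshd[812]: Failed password for operator from 10.10.5.23 port 51024 ssh2
Jan 29 02:01:20 hmi-01 sshd[812]: Accepted password for operator from 10.10.5.23 port 51025 ssh2
Jan 29 02:03:41 hmi-01 sudo: operator : TTY=pts/0 ; PWD=/home/operator ; USER=root ; COMMAND=/bin/bash
Jan 29 02:05:02 eng-ws-02 useradd[1044]: new user: name=svc_backup, UID=1003, GID=1003
Jan 29 02:06:17 fw-dmz-01 fwmgr: rule added: pass out from 192.168.10.0/24 to any port 4444
Jan 29 02:07:30 eng-ws-02 systemd[1]: Started Remote Desktop Service.
Jan 29 08:00:00 hist-01 backup[233]: nightly backup completed OK
"""

# Assumed tuning knobs (a site baseline, not values from the page).
FAILED_LOGIN_THRESHOLD = 3        # failures from one source before alerting
BUSINESS_HOURS = range(6, 20)     # 06:00-19:59; logins outside this are unusual
EXPECTED_SERVICES = {"ControlStudio Runtime", "Historian Collector"}

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<proc>[^\[:\s]+)(?:\[\d+\])?: (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\S+)")
ACCEPT_RE = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")
SUDO_ROOT_RE = re.compile(r"^(?P<who>\S+) : .*USER=root ; COMMAND=(?P<cmd>.*)$")
USERADD_RE = re.compile(r"new user: name=(?P<name>[^,]+)")
FW_RULE_RE = re.compile(r"rule added: (?P<rule>.*)")
SERVICE_RE = re.compile(r"Started (?P<svc>[^.]+)")


def parse(line):
    """Split one syslog-style line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def events_of_interest(log_text):
    """Return a list of (severity, host, description) alerts in log order."""
    alerts = []
    failures = defaultdict(int)   # (host, user, source) -> failed logins seen so far
    for raw in log_text.splitlines():
        ev = parse(raw)
        if ev is None:
            continue              # unparseable line; in production count these as well
        host, msg, hour = ev["host"], ev["msg"], int(ev["time"][:2])
        if m := FAILED_RE.search(msg):
            key = (host, m["user"], m["src"])
            failures[key] += 1
            if failures[key] == FAILED_LOGIN_THRESHOLD:   # fire once per burst
                alerts.append(("high", host, f"{failures[key]} failed logins for {m['user']} from {m['src']}"))
        elif m := ACCEPT_RE.search(msg):
            key = (host, m["user"], m["src"])
            if failures[key] >= FAILED_LOGIN_THRESHOLD:   # existing account, guessed in
                alerts.append(("critical", host, f"successful login for {m['user']} from {m['src']} after {failures[key]} failures"))
            elif hour not in BUSINESS_HOURS:
                alerts.append(("medium", host, f"off-hours login for {m['user']} from {m['src']} at {ev['time']}"))
        elif m := SUDO_ROOT_RE.search(msg):
            alerts.append(("high", host, f"{m['who']} obtained root via sudo: {m['cmd']}"))
        elif m := USERADD_RE.search(msg):
            alerts.append(("high", host, f"new user account created: {m['name']}"))
        elif m := FW_RULE_RE.search(msg):
            alerts.append(("critical", host, f"firewall rule change: {m['rule']}"))
        elif (m := SERVICE_RE.search(msg)) and m["svc"] not in EXPECTED_SERVICES:
            alerts.append(("medium", host, f"unexpected service started: {m['svc']}"))
    return alerts


def summarize(alerts):
    """Count alerts by severity, e.g. {'critical': 2, 'high': 3, 'medium': 1}."""
    return dict(Counter(sev for sev, _, _ in alerts))


if __name__ == "__main__":
    for sev, host, desc in events_of_interest(SAMPLE_LOGS):
        print(f"{sev:8s} {host:10s} {desc}")
    print(summarize(events_of_interest(SAMPLE_LOGS)))
```

The point of the sample batch is that no single line is damning on its own: the successful login only becomes critical because of the three failures before it, and the firewall rule and new service are only suspicious against the baseline of what the site expects. Each alert carries the host so the analyst can pivot to the device inventory.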


Example of setting up IDS alert priority for EMS

config classification: attempted-dos,Attempted Denial of Service activity which should never be seen on a control system network; any alert should be investigated at high priority,1

The Snort classification line takes three comma-separated fields: class name, description, and priority (1 is the highest). Raising the priority of classes that have no legitimate reason to appear on a control network is how the same IDS ruleset gets re-tuned for an EMS.


Conceptual model of central logging


Change management

Critical Control 1: Inventory of Authorized and Unauthorized Devices
Critical Control 2: Inventory of Authorized and Unauthorized Software
Critical Control 3: Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers


Baselines are an easy way to spot the differences

• Inventory all system devices
• Collect device configuration
  – Software
  – Patches
  – Configuration
  – Ports & Services
  – User accounts
  – Firewall rules
• Compare one device to another
• Establish a “gold” standard baseline and compare against it
• Check periodically
• File integrity checks
• Registry monitoring
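An added example of the baseline comparison the slide describes; it is not code from the slides or from any vendor's product. It diffs a device's current snapshot (software, patches, listening ports, services, users, firewall rules, file hashes) against a "gold" baseline and lists every change. Both snapshots, the host's paths, version strings and hotfix names are constructed for the demo; in practice a collector would populate them.

```python
"""Added example (not from the slides): compare a device's current
configuration snapshot against a 'gold' baseline and list every difference
in software, patches, listening ports, services, users, firewall rules and
file hashes. All snapshot contents, paths, version strings and hotfix names
are constructed for the demo; a real collector would populate them."""
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed image of a critical binary at baseline time, and as found now.
GOLD_EXE = b"cstudio.exe build 1187"
CURRENT_EXE = b"cstudio.exe build 1187 + unexpected modification"

# Constructed "gold" baseline for an engineering workstation.
GOLD = {
    "software": {"ControlStudio": "5.2", "HistorianClient": "3.1", "7-Zip": "9.20"},
    "patches": {"vendor-hotfix-17", "vendor-hotfix-18"},
    "ports": {"tcp/135", "tcp/445", "tcp/3389"},
    "services": {"ControlStudioSvc": "running", "RemoteRegistry": "stopped"},
    "users": {"Administrator", "engineer"},
    "firewall_rules": {"allow in tcp/3389 from 10.10.5.0/24", "allow out tcp/80 to any"},
    "file_hashes": {"C:/Program Files/ControlStudio/cstudio.exe": sha256(GOLD_EXE)},
}

# Constructed snapshot of the same workstation after an intrusion like the one
# in the "System is PWNED" walk-through: new tool, new user, new outbound rule.
CURRENT = {
    "software": {"ControlStudio": "5.2", "HistorianClient": "3.1", "7-Zip": "9.20", "RemoteAdminTool": "1.0"},
    "patches": {"vendor-hotfix-17"},
    "ports": {"tcp/135", "tcp/445", "tcp/3389", "tcp/4444"},
    "services": {"ControlStudioSvc": "running", "RemoteRegistry": "running"},
    "users": {"Administrator", "engineer", "svc_backup"},
    "firewall_rules": {"allow in tcp/3389 from 10.10.5.0/24", "allow out tcp/80 to any", "allow out tcp/4444 to any"},
    "file_hashes": {"C:/Program Files/ControlStudio/cstudio.exe": sha256(CURRENT_EXE)},
}


def diff_section(name, gold, current):
    """Differences for one section: dict sections compare values, set sections membership."""
    findings = []
    if isinstance(gold, dict):
        for k in sorted(current.keys() - gold.keys()):
            findings.append((name, "added", f"{k}={current[k]}"))
        for k in sorted(gold.keys() - current.keys()):
            findings.append((name, "removed", f"{k}={gold[k]}"))
        for k in sorted(gold.keys() & current.keys()):
            if gold[k] != current[k]:
                findings.append((name, "changed", f"{k}: {gold[k]} -> {current[k]}"))
    else:
        for v in sorted(current - gold):
            findings.append((name, "added", v))
        for v in sorted(gold - current):
            findings.append((name, "removed", v))
    return findings


def compare_to_baseline(gold, current):
    """Return (section, change, detail) tuples; an empty list means no drift."""
    findings = []
    for name, gold_section in gold.items():
        current_section = current.get(name, type(gold_section)())
        findings.extend(diff_section(name, gold_section, current_section))
    return findings


if __name__ == "__main__":
    for section, change, detail in compare_to_baseline(GOLD, CURRENT):
        print(f"{section:15s} {change:8s} {detail}")
```

The same function serves the slide's "compare one device to another" case: pass one device's snapshot as the baseline and a peer's as the current state. Run periodically, any non-empty result is a change that either has a change-control ticket or is an incident.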


Protecting your A$$ets

Critical Control 5: Malware Defenses
Critical Control 6: Application Software Security
Critical Control 13: Boundary Defense

• Defense-in-depth
• Physical security
• Strong passwords
• Firewalls
• Network intrusion detection / prevention
• Host intrusion detection / prevention
• Anti-virus
• Application whitelisting

Application whitelisting is a security technology that maintains a list of executable files, and denies the execution of a file that is not on the list, depending on policy settings


Application Whitelisting

• It’s not a silver bullet
• It cannot stop all attacks
• Works better than AV
  – Zero day attacks
  – No signature DAT updates

• Good for
  – Software inventory
  – Change management

• Requires knowledge of applications
  – Validation testing
  – Complex legacy apps
  – Corner cases can be bad
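An added example of how the whitelisting described on the two slides above works; it is not code from the slides and not any vendor's product. It builds a hash-based whitelist from a baseline inventory, checks execution requests against it in "audit" and "enforce" modes, and shows the corner case the slide warns about: a whitelisted interpreter used to run an unlisted script. The paths, file contents and policy settings are constructed for the demo.

```python
"""Added example (not from the slides and not any vendor's product): a
hash-based application whitelist with 'audit' and 'enforce' policy modes,
including the corner case where a whitelisted interpreter is used to run an
unlisted script. Paths, file contents and the policy are constructed."""
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed contents of the executables and scripts present at baseline time.
BASELINE_FILES = {
    "C:/HMI/hmi.exe": b"hmi runtime v4.1",
    "C:/HMI/scripts/maint.py": b"print('nightly maintenance')",
    "C:/Windows/System32/cmd.exe": b"cmd",
    "C:/Python27/python.exe": b"python 2.7",
}

# Constructed state of the same disk later: a dropped binary, a dropped script,
# and the HMI runtime patched outside change control.
DISK_NOW = dict(BASELINE_FILES)
DISK_NOW["C:/Temp/dropper.exe"] = b"not on any inventory"
DISK_NOW["C:/Temp/dropper.py"] = b"import socket  # reverse shell"
DISK_NOW["C:/HMI/hmi.exe"] = b"hmi runtime v4.1 + implant"


def build_whitelist(files):
    """Inventory step: record the hash of every executable/script present at baseline."""
    return {path: sha256(content) for path, content in files.items()}


class Policy:
    """mode='enforce' blocks violations; mode='audit' allows them but reports.
    interpreters: whitelisted binaries whose script arguments must also be listed."""

    def __init__(self, mode="enforce", interpreters=()):
        if mode not in ("enforce", "audit"):
            raise ValueError(f"unknown mode {mode!r}")
        self.mode = mode
        self.interpreters = set(interpreters)

    def decide(self, reason):
        if self.mode == "enforce":
            return False, reason
        return True, "audit only: " + reason


def check_exec(whitelist, policy, disk, path, args=()):
    """Return (allowed, reason) for an attempt to run `path` with `args`."""
    content = disk.get(path)
    if content is None:
        return policy.decide(f"{path}: not present on disk")
    expected = whitelist.get(path)
    if expected is None:
        return policy.decide(f"{path}: not on whitelist")
    if expected != sha256(content):
        return policy.decide(f"{path}: hash mismatch, binary changed since baseline")
    if path in policy.interpreters:
        # Corner case: python.exe itself is listed, but the script it runs may not be.
        for script in args:
            if whitelist.get(script) != sha256(disk.get(script, b"")):
                return policy.decide(f"{path}: whitelisted interpreter launched unlisted script {script}")
    return True, "allowed"


if __name__ == "__main__":
    wl = build_whitelist(BASELINE_FILES)
    enforce = Policy("enforce", interpreters={"C:/Python27/python.exe"})
    for path, args in [
        ("C:/Windows/System32/cmd.exe", ()),
        ("C:/Temp/dropper.exe", ()),
        ("C:/HMI/hmi.exe", ()),
        ("C:/Python27/python.exe", ("C:/HMI/scripts/maint.py",)),
        ("C:/Python27/python.exe", ("C:/Temp/dropper.py",)),
    ]:
        print(check_exec(wl, enforce, DISK_NOW, path, args))
```

Two things in this model match the slide's caveats. Hashing rather than trusting paths is what catches the replaced hmi.exe, which is also why every legitimate patch needs the whitelist rebuilt (the "validation testing" burden). And the interpreter check is the kind of corner case that is easy to get wrong: without it, python.exe being whitelisted would let any script run, and with it, any maintenance script not in the baseline breaks in enforce mode.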


Use Case Demonstrations

• Monitoring for intrusions
  – Use case 1 – typical event logging (agentless)
  – Use case 2 – agent based host intrusion detection
    • File integrity, Registry, Ports, Services…

• Change management and compliance
  – Use case 3 – show how change management can detect an attack
  – Use case 4 – demonstrate baseline concept to detect differences

• Host protection using whitelisting technology
  – Use case 5 – show how whitelisting blocks malware / executables

• Wrap-up discussions


Corporate Overview

Web: www.industrialdefender.com

Blog: blog.industrialdefender.com

Twitter: @i_defender