© Copyright Fortinet Inc. All rights reserved.
Taipei, 15th November 2018

Protecting Operational Technology (OT)
Stuart Phillips, Global Enablement Engineer
Fortinet Operational Technology, Critical Infrastructure Team
What is Operational Technology (OT)?
Manipulation of physical things
» Opening a valve, measuring flow, recording temperature etc.
AKA SCADA or Industrial Control Systems (ICS)
Much older than IT
» 1980’s automobile manufacturing
Traditionally physically segmented or air gapped
Long term deployment – 10-30 years or older
Critical Infrastructure Sectors
• Chemical Sector
• Commercial Facilities Sector
• Communications Sector
• Critical Manufacturing Sector
• Dams Sector
• Defense Industrial Base Sector
• Emergency Services Sector
• Energy Sector
• Financial Services Sector
• Food and Agriculture Sector
• Government Facilities Sector
• Healthcare and Public Health Sector
• Information Technology Sector
• Nuclear Reactors, Materials, & Waste Sector
• Transportation Systems Sector
• Water and Wastewater Systems Sector
OT and IT: Different Roots, Different Priorities
IT: manipulate information; standardization
OT: manipulate physical things; specialization
CIA (IT) Triangle
• Confidentiality
• Integrity
• Availability
OT Triangle
• Safety
• Availability
• Confidentiality
Main Elements of an OT/ICS Environment
[Diagram: the IT network sits behind a firewall "to keep out IT"; below it the OT DMZ network, process network, control network and field network lead down to the plant floor (valve, fan, pump). Components shown include the Historian, the ICS server and the HMI.]
» ICS vendors: Yokogawa, ABB, Siemens, Rockwell, Emerson, Schneider Electric, Mitsubishi, Honeywell, etc.
» ICS protocols: Modbus, Profinet, S7, BACnet, DNP3, ELCOM, OPC, etc.
» Operating systems: Windows, Linux, Windows servers; the ICS protocols are carried over TCP/IP
» ICS sensor vendors: Nozomi, Claroty, Dragos, SecurityMatters, Indegy, etc.
THIS ENVIRONMENT IS CHANGING, WHETHER THE OPERATORS WANT IT TO OR NOT
Real Threats To Manufacturing
Taken from Verizon 2017 Data Breach Investigations Report
» ICS customers are primary targets for industrial cyber espionage
» Attacks are often sponsored by competitors with state connections
» Attackers seek to replicate the target's products for sale in local markets and in effect steal the entire company's IP and brand
» Data stolen includes formulas, purchase orders, the equipment used in production, device settings etc.
Critical Manufacturing Insider Threat
Unintentional: Malware coming into the network through traditional means and infecting the more vulnerable outdated systems in OT/ICS networks, particularly older Windows systems.
» “Maersk Shipping Reports $300M Loss Stemming from NotPetya Attack”
https://threatpost.com/maersk-shipping-reports-300m-loss-stemming-from-notpetya-attack/127477/
Intentional: Spear-phishing attacks against employees and supply partners to gain information and access. Often escalated to bribery of a targeted employee.
» “American Superconductor Destroyed For A Tiny Bribe”
https://www.forbes.com/sites/joanlappin/2011/09/21/american-superconductor-destroyed-for-a-tiny-bribe/#3f08fe856958
IPS & Application Control for Industrial Systems
Some of the supported protocols: BACnet, DNP3, Elcom, EtherCAT, EtherNet/IP, HART, IEC 60870-6 (TASE 2)/ICCP, IEC 60870-5-104, IEC 61850, LONTalk, MMS, Modbus, OPC, Profinet, S7, SafetyNET, Synchrophasor
Supported applications and vendors: 7 Technologies/Schneider Electric, ABB, Advantech, Broadwin, CitectSCADA, CoDeSys, Cogent, DATAC, Eaton, GE, Iconics, InduSoft, IntelliCom, Measuresoft, Microsys, MOXA, PcVue, Progea, QNX, RealFlex, Rockwell Automation, RSLogix, Siemens, Sunway, TeeChart, VxWorks, WellinTech, Yokogawa
Deep Packet Inspection (DPI) Application Control
» Context signatures for Modbus, IEC 60870-6 (ICCP) and IEC 60870-5-104
» Context logging to FortiAnalyzer, FortiSIEM, and Syslog
IPS/Application Control for Industrial Systems
244 granular application controls (DNP3 example):
DNP3
DNP3_Assign.Class
DNP3_Cold.Restart
DNP3_Confirm
DNP3_Delay.Measurement
DNP3_Direct.Operate
DNP3_Direct.Operate.Without.Ack
DNP3_Disable.Spontaneous.Messages
DNP3_Enable.Spontaneous.Messages
DNP3_Freeze.And.Clear
DNP3_Freeze.And.Clear.Without.Ack
DNP3_Freeze.With.Time
DNP3_Freeze.With.Time.Without.Ack
DNP3_Immediate.Freeze
DNP3_Immediate.Freeze.Without.Ack
DNP3_Initialize.Application
DNP3_Initialize.Data
DNP3_Operate
DNP3_Read
DNP3_Response
DNP3_Save.Configuration
DNP3_Select
DNP3_Start.Application
DNP3_Stop.Application
DNP3_Unsolicited.Message
DNP3_Warm.Restart
DNP3_Write
FortiGuard Industrial Security
Target Market/Segment
» Securing Critical Infrastructure (Industrial Control and SCADA)
» Needs a special type of application signatures – not generally used in an Enterprise environment
» Over 1,400 industrial app signatures
Purdue Model & Fortinet Fabric
ISA-99, IEC-62443, RMF
» Effective layered security model
» Aligns to Fortinet Fabric
» Logical level approach
» Focused on business requirements
Stronger Together! Enhances the model by introducing our Fortinet Fabric:
» Greater visibility and control
» Policy enforcement with multiple security technologies
» Real-time protection that communicates security information to other fabric members
» Threat feed integration within the entire solution
[Fabric diagram labels: Network, Multi-Cloud, Partner API, Email, Unified Access, IoT-Endpoint, Web Apps, Advanced Threat Protection, Management-Analytics]
Critical Manufacturing Plant Floor (Purdue, ISA-99, IEC-62443)
Fortinet Operational Technology Fabric Solution applied to a remote-edge manufacturing plant:
» Level 0 – Physical plant floor: instrumentation bus network
» Level 1 – Process control: local area network
» Level 2 – Supervisory control network: industrial control system, physically segmented production line
Devices shown on the plant floor: PLC or RTU, operator PC, serial-to-IP converter, engineering workstation
Fabric components shown:
» FortiGate firewall: internal segmentation, physical internal segmentation of production lines, Industrial FortiGuard application control and IPS
» FortiGate edge firewall: enterprise protection; wide area network over MPLS, SD-WAN, 3G/4G extension, APN, VPN, ADSL, cable; authentication and two-factor access control
» FortiSwitch with FortiLink: private VLANs, layer-two micro segmentation
» Fortinet Secure Unified Access Solution: FortiSwitch, FortiAPs, FortiCAM
» Physical security: physical relays, stack lights, presence analytics
Applying Fortinet’s Reference Architecture to Purdue (Purdue, ISA-99, IEC-62443)
Levels shown:
» Level 3 – Operational DC, manufacturing zone
» Level 3.5 – Operational DC DMZ, management zone
» Level 4 – External enterprise LAN, corporate environment
» Level 5 – Internet DMZ, enterprise corporate environment
» Level External – Internet, with remote user and remote vendor access over the wide area network (MPLS, SD-WAN, 3G, 4G, APN, VPN, ADSL, cable)
Segmentation concepts: zones of control, zones and conduits, micro segmentation, physical and virtual segmentation; FortiGate, FortiLink, FortiSwitch and private VLANs at each level
Server and workstation zones: engineering server zone, historian server zone, application server zone, engineering workstation zone, operator workstation zone
Fortinet and management components: domain controller, FortiClient EMS server, FortiAuthenticator, FortiManager, FortiAnalyzer, FSSO, FortiSandbox, FortiSIEM, FortiMail, FortiWeb
Enterprise components: web servers, enterprise desktops, business servers, FSSO authentication services & domain controllers
Threat intelligence: FortiGuard Threat Intelligence Service, FortiGuard Global Intelligence
The Operational Technology (OT) authentication boundary separates the OT levels from the enterprise levels.
Best Practice - OT Cyber Security Approach
ISA 99 / IEC 62443
» Separation of networks – air gapped, network based or software based
Visibility
» Examine all traffic for known and unknown threats
» Use even in air gapped networks
Context
» Understand network traffic
» Build understanding of device relationships
Control
» Isolate infected devices/systems
» Remove botnets and other malware
» Prevent new infections
Addressing the Insider Threat - Visibility
[Diagram: IT network and Internet behind a FortiGate secure gateway; DMZ network with PI Historians; ICS Network 1 and ICS Network 2, each with its own process network, control network and plant floor (FortiSwitch, HMIs, RTU, PLC)]
Segmentation of different ICS networks; granular segmentation within the ICS network
» Implement ISA-99, IEC-62443
» Segment and examine the traffic as much as possible
» Use Next Generation Firewalls to define North-South traffic – create multiple DMZs internally
» Enable microsegmentation on switch ports to limit East-West traffic
Addressing the Insider Threat - Context
[Diagram: same layout as the previous slide, with FortiSandbox and FortiAnalyzer attached to the FortiGate secure gateway; IT network, Internet, DMZ network with PI Historians; ICS Network 1 and ICS Network 2, each with a process network, control network and plant floor (FortiSwitch, HMIs, RTU, PLC)]
Examine all traffic
» Examine all traffic – even in air gapped networks
» Use FortiAnalyzer to examine and filter known threats
» Use FortiSandbox to detonate unknown threats safely
» Use FortiGuard Labs to get constant threat intelligence and artificial intelligence based threat analysis
Addressing the Insider Threat - Control
[Diagram: same layout, with FortiNAC, FortiSIEM and FortiADC (proxy server) added at the IT/DMZ boundary; IT network, Internet, DMZ network with PI Historians; ICS Network 1 and ICS Network 2, each with a process network, control network and plant floor (FortiSwitch, HMIs, RTU, PLC)]
» Identify all devices as much as possible using FortiNAC network access control
» Proxy traffic using the FortiADC Web Application Firewall for all updates
» Limit or block unwanted applications on the ICS network – provide separate Wi-Fi for operators
» Use FortiSIEM for all reporting and compliance
Demonstration …
Key SCADA Components
Human-Machine Interface (HMI): the component in charge of displaying process data to a human operator. The operator monitors and controls the process through the HMI.
SCADA Master (TRIDIUM JACE): the component in charge of collecting all data from the different devices and controlling the entire process.
SCADA Slave (TRIDIUM SEDONA): connects to sensors, converts their signals to digital data and sends it to the supervisory system.
SCADA Protocol (Modbus): Modbus is a "Master/Slave" protocol. Some versions of Modbus can also be sent over Ethernet or TCP/IP.
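As an added example (not from the deck and not Fortinet code), the per-function granular application control the DNP3 slide lists, applied to the Modbus/TCP master/slave traffic described here: parse the MBAP header and function code of a request, then allow or deny it according to the source zone. The zone names, the allowlist and the sample frames are constructed assumptions.

```python
import struct

# Modbus public function codes (from the Modbus Application Protocol spec).
FUNCTION_NAMES = {
    0x01: "Read Coils", 0x02: "Read Discrete Inputs",
    0x03: "Read Holding Registers", 0x04: "Read Input Registers",
    0x05: "Write Single Coil", 0x06: "Write Single Register",
    0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers",
    0x17: "Read/Write Multiple Registers",
}

# Constructed policy (assumption): which Modbus functions each source zone may issue to PLCs.
ZONE_POLICY = {
    "historian": {0x01, 0x02, 0x03, 0x04},                 # read-only collection
    "hmi": {0x01, 0x02, 0x03, 0x04, 0x05, 0x06},           # monitor + single-point writes
    "engineering": set(FUNCTION_NAMES),                     # full programming access
}

def parse_mbap(frame: bytes) -> dict:
    """Parse the 7-byte MBAP header and function code of a Modbus/TCP ADU."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus (expected 0)")
    # The length field counts unit id + PDU, so it must equal len(frame) - 6.
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} disagrees with frame size")
    return {"transaction": tid, "unit": unit, "function": frame[7], "data": frame[8:]}

def evaluate(frame: bytes, src_zone: str) -> tuple:
    """Return ("allow" | "deny", reason) for a request originating in src_zone."""
    try:
        req = parse_mbap(frame)
    except ValueError as exc:
        return "deny", f"malformed frame: {exc}"
    fc = req["function"]
    name = FUNCTION_NAMES.get(fc, f"unknown function 0x{fc:02x}")
    if fc not in ZONE_POLICY.get(src_zone, set()):      # unknown zones get nothing
        return "deny", f"{src_zone} may not issue {name}"
    return "allow", f"{src_zone} -> unit {req['unit']}: {name}"

# Constructed sample requests: read 10 holding registers; write 2 registers.
READ_HOLDING = bytes.fromhex("000100000006" "0103" "0000000a")
WRITE_MULTI = bytes.fromhex("00020000000b" "0110" "00000002" "04" "00010002")

if __name__ == "__main__":
    for zone in ZONE_POLICY:
        print(zone, evaluate(READ_HOLDING, zone), evaluate(WRITE_MULTI, zone))
```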