Vincent Fu 傅國書 | Technical Director, Taiwan
©2018 Check Point Software Technologies Ltd.
Vincent Fu 傅國書 | SE Manager, Taiwan
Automation Security and IIoT Security Protection
IIOT/ICS SECURITY BEST PRACTICE
IoT already shapes how modern people live
Extended IoT applications will reach into everything we need in daily life…
Connected Cars, Connected Home, Smart Cities, Healthcare, Smart Buildings, Industrial IoT
Faxploit: breaking into the corporate internal network through a fax machine
Home Hack: is someone spying on your home?
PROTECTING THE IOT DEVICES
Connected Medical Devices (IoMT): Regulation, High Risk, Lack of Control, Outdated OS / SW, Up Time, Weakest Link
The micro Gateway
Protects Medical Devices
1X1 VPN & FW Security
Centrally Managed
Easily Deployed
One Common OS: Firewall, VPN, URL Filtering, App Control, Anti Malware, Anti Bot, Anti Ransomware, Forensics
Introducing GEN VI - NANO-SECURITY
NANO AGENTS
AI ADAPTIVE
SECURITY CONTROLS
(Open source) software plug-ins that control the security attributes of every device
CENTRAL INTELLIGENCE AND CONTROL
Security management policy automated on the basis of shareable threat intelligence analysis
OS
MobileOS
Cloud services
IoT devices
Web Services
Micro services
Transportation, Manufacturing, Smart cities, Smart buildings, Banking, Utilities, Healthcare, Telecom, Automotive, Energy, Smart homes, Cloud
AI engine with adaptive security controls
AUTOMOTIVE: Connected Vehicles
Internet
Cloud Security
Mobile Threat Defense
Nano security
Smart City Applications
Diagram: Sensor Hubs connect over VPN + Clean Pipe connections to a private NGFW 1200R and, across the public Internet, to the Cloud Platform, all under R80 Management.
• Device Control as an App Control feature
• VPN Client and Clean Pipe Connection
• Future solution: protecting the public cloud with vSEC
PROTECTING THE ENTERPRISE ENVIRONMENT
The Enterprise Environment
While Some See Things… We See a Trojan Horse
Building Office
The Security Challenges
• Devices Lack of Security: most of the devices do not have security mechanisms built in
• Protocol Vulnerabilities: protocol vulnerabilities may allow infected devices to attack from within
• Non Upgradable / Not Updated: devices are not updated with the latest version due to capability / knowledge
• East - West: one device attacking the other / IT resources
The Corporate Building (BMS): Energy Management, HVAC, Lighting, Elevators, Access & Security, Water, and more…
Perimeter Segmentation
Functional Zone Segmentation
DPI of BMS Protocols (SCADA/IoT: MQTT, BACnet)
ICS & IoT Convergence (BMS Environment)
Diagram (April 2018): a Control Network with PLCs and a SCADA Server carrying MQTT and BACnet traffic, behind a Security Gateway providing ICS Visibility and NAC and managed by R80; Building systems (Elevator, AC, Water) on MQTT over Ethernet; Office WLAN / LAN.
Remote Maintenance for Elevator or HVAC (and more)
Diagram: the Elevators (or AC) PLC in the Building sits behind a Security Gateway and is reached over a VPN Connection from the company’s service center.
• Secured connectivity (VPN)
• Protocol Visibility
• Command provisioning
• Access Control
• Remote Access VPN Client
Protocol ?
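The command provisioning and access control points above amount to inspecting the ICS protocol at the function-code level rather than just the TCP port. The following added example, not Check Point code and not the gateway's own rule format, parses Modbus/TCP requests and applies a hypothetical per-source policy in which the service-center VPN client may write to the PLC while the building HMI may only read; addresses, policy and frames are constructed.

```python
import struct

# Public Modbus function codes grouped by whether they change controller state.
# Constructed for this example; no vendor command catalogue is reproduced here.
READ_CODES = {1: "Read Coils", 2: "Read Discrete Inputs",
              3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_CODES = {5: "Write Single Coil", 6: "Write Single Register",
               15: "Write Multiple Coils", 16: "Write Multiple Registers"}

def parse_modbus_tcp(frame: bytes) -> dict:
    """Split a Modbus/TCP request into MBAP header fields and the PDU function code."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError("protocol id %d is not Modbus" % pid)
    # The MBAP length field counts unit id + PDU, i.e. everything after byte 6.
    if length != len(frame) - 6:
        raise ValueError("MBAP length %d does not match frame size" % length)
    return {"tid": tid, "unit": unit, "fc": frame[7], "data": frame[8:]}

# Hypothetical per-source command policy (documentation-range addresses, constructed):
# the maintenance VPN client may write, the office HMI may only read.
POLICY = {
    "192.0.2.10": {"read": True, "write": True},
    "192.0.2.20": {"read": True, "write": False},
}

def check_request(src_ip: str, frame: bytes) -> tuple:
    """Return (verdict, reason) for one request, as a command-aware rule would."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as err:
        return ("block", "malformed: %s" % err)
    rule = POLICY.get(src_ip)
    if rule is None:
        return ("block", "source %s not provisioned" % src_ip)
    fc = req["fc"]
    if fc in READ_CODES:
        name, permitted = READ_CODES[fc], rule["read"]
    elif fc in WRITE_CODES:
        name, permitted = WRITE_CODES[fc], rule["write"]
    else:  # diagnostics and vendor-specific codes are not in the provisioned set
        return ("block", "function code %d not in provisioned command set" % fc)
    return ("allow" if permitted else "block", "%s to unit %d" % (name, req["unit"]))

# Constructed sample requests: Read Holding Registers 0-9, and Write Single Register 0x10 := 0xFF.
READ_REQ = bytes.fromhex("00010000000601030000000a")
WRITE_REQ = bytes.fromhex("0002000000060106001000ff")
```

Running `check_request("192.0.2.20", WRITE_REQ)` blocks the HMI's write while the same frame from 192.0.2.10 is allowed, which is the distinction port-based filtering alone cannot make.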
PROTECTING ICS AND CRITICAL INFRASTRUCTURE
Industrial Control Systems (ICS)/SCADA are All Around Us
… and we rely on them every day for our basic functions and needs.
Industrial Automation, Oil & Gas, Critical Manufacturing, Water & Sewage, Electricity, Transportation, Building Management
ICS Threat Landscape – Attackers and Attacks
Oct. 2018: The Onslow Water and Sewer Authority in Jacksonville was hit by the Ryuk ransomware, which shut down its computer operations.
April 2017: “ClearEnergy” ransomware is capable of affecting a variety of PLC models of the top SCADA and ICS manufacturers.
Attack Sources
• State Actors: government-sponsored groups with the resources and power to develop state-of-the-art tools, the political motives to use them, and the time to plan the attack.
• ICS Vulnerabilities: flaws found in ICS network components, such as the PLC or SIS, that could allow privilege escalation.
• Insiders: employees with access to the operational system and a financial or vindictive motive to cause damage; alternatively, employees infected by a spear-phishing campaign so that their network access can be leveraged.
Dec. 2017: APT attack: “Triton” malware has been spotted targeting Schneider Electric’s Triconex controllers in Saudi Arabia and caused a shutdown.
Feb. 2018: A Monero cryptominer was found in the network of a water utility provider in Europe, after infecting the HMI.
US ICS-CERT report (Jan-18): FY 2017 Most Prevalent Weaknesses
Most Attacked Sectors 2016: Critical Manufacturing 22%, Communication 21%, Energy 20%, Water 6%, Government Facilities 6%, Transportation Systems 5%
3rd year in a row
Best Practices for Securing OT
• Secure both OT and IT environments
• Protect IT with advanced threat prevention technologies
• Clear segmentation between OT and IT/Internet
• Deploy specialized ICS/SCADA security technologies
Visibility
Real Time SCADA/ICS Network monitoring: analyze the ICS network traffic in the Control Network and the Control Center Network, with IT/OT Segmentation along Levels 0 to 3 of the Purdue Reference Model (Field Devices, Controllers (PLC/RTU), SCADA/HMI/DCS, Control Center); sensor data such as Pressure, Flow, Temp., Voltage, State.
SCADA/ICS-specific protocol support
Over 1300 SCADA and IoT commands in Check Point Application Control: MMS, DNP3, Siemens Step7, IEC 60870-5-104, IEC 61850, ICCP, OPC DA & UA, Profinet, CIP, MQTT, MODBUS, BACnet, and many more…
Updated list: appwiki.checkpoint.com
Virtual patching: over 300 dedicated IDS/IPS signatures
SCADA-specific IDS/IPS signatures
PROTECTED by Check Point IPS (NSS Labs Highest Rating): stops exploits of known vulnerabilities and detects anomalous traffic
Check Point 1200R: New Purpose-Built Ruggedized Security Gateway Appliance
• Fully featured Check Point security gateway
• Compliant with the most rigid regulations: IEC 61850-3 and IEEE 1613
• 6x1GbE ports and firewall throughput of 2Gbps
• Compact fan-less design with no moving parts; temperature range from -40°C to 75°C
• Can be used in In-line or Tap (Mirror) modes
• Routing and networking (e.g. BGP, OSPF, IPsec, etc.)
OT Security Blueprint
Diagram: Management Facility and Main Control Center (SmartEvent, HMI, AAD, Check Point GW, SCADA); Shop Floor – Line A and Shop Floor – Line B (PLC1, PLC2, PLC3, PLCx), each behind a 1200R. Adding Asset Management & Anomaly Detection on the SCADA traffic; adding Visibility and Micro Segmentation on the shop floor.
Full IT-OT Convergence Blueprint
Diagram: IT Network (ERP, Domain Server, LAN) and ICS Network, with IT/OT Segmentation between them.
Power Utilities — Substation Security
Diagram: Central Site (SCADA Server, Data Center, Smart Event, LAN) and Backup Site, connected over MPLS to the Substation (RTU – Substation Controller, IED) using IEC-104 / DNP3.
• Typical power utility security deployment in substations
• Single or cluster solution for combined OT and IT traffic
• SCADA security
Customized Visibility
Unified Policy
Everywhere Monitoring
Integrated security management for the IT environment and OT production lines FOR BEST ROI AND OPTIMAL PROTECTION
Management integration with leading SIEM systems: QRadar, ArcSight, Splunk and more, such as Predix and others
REPORTED by Check Point COMPLIANCE BLADE: real-time assessment of compliance with major regulations
Regulatory compliance and security management monitoring
SCADA SPECIFIC COMPLIANCE CHECKS
End to End Security suite for Critical Infrastructure IT and OT networks
Most extensive security support of ICS/SCADA protocols
Asset Management and Anomaly Detection
Full OT to IT security segmentation
Large Scale Management – Market “Gold Standard” (Gartner)
Check Point offers a complete security suite from Mobile and Endpoint to the Cloud, including Private cloud for separation of IT from OT
Infinity Total Protection: Gen V security architecture
Shared real-time threat intelligence
Integrated security management
Mobile devices
Endpoint devices
Hybrid cloud
Edge network and data center
Cloud services, Mobile devices
THANK YOU