Richard Wood
Cyber Security Best Practices for the Industrial IoT
Product Marketing Manager, Industrial Ethernet Infrastructure
Agenda
Cyber Security Landscape in the IoT Era
Unique Challenges for Industrial Automation
Cyber Security Standards
Industrial Best Practices
Case Studies
Confidential
Megatrend – Internet of Things (IoT)
“The IoT refers to devices, systems, and services communicating with each other via the Internet to enable smarter operations and new applications.”
Industrial Systems are in the Crosshairs
Source: Honeywell Cyber Security Lab
PLC, Safety Systems
Plant Management System
Asset Management System
SCADA
DCS
No vendor or user is immune from a potential cyber security incident
Security Landscape
Factory is Vulnerable to Cyber Attacks
Source: ICS-CERT 2013 Report, Region: the U.S.
Cyber attacks may come from both outside AND inside the factory
The Landscape Today: Easy to Find a Target
Project SHINE: 1,000,000 Internet-Connected SCADA and ICS Systems and Counting
Industrial device search engines (example: SHODAN)
• The SHODAN search engine works by searching for commonly used TCP/UDP port numbers
• Web, Telnet, SNMP and FTP are some of the more common ones
• Logs of the responses on these ports are saved in a searchable database
• Try searching “OpenSSL”, “GNU”, or “NTPD”, or industrial vendors’ names
Executive Order for Improving Cyber Security
Executive Order 13636: “Improving Critical Infrastructure Cybersecurity”
• Information Sharing
• Privacy
• Adoption of cyber security practices
Continuous Reporting of ICS Vulnerabilities
Industrial control system devices are not always updated with the latest vulnerability patch
NIST Published Final ICS Cybersecurity Guidelines
http://csrc.nist.gov/publications/nistpubs/800-82/SP800-82-final.pdf
Unique Challenges
Industrial Control Systems
Types of Incidents ICS May Face
• Blocked or delayed flow of information through ICS networks, which could disrupt ICS operation
• Unauthorized changes to instructions, commands, or alarm thresholds, which could damage, disable, or shut down equipment, create environmental impacts, and/or endanger human life
• Inaccurate information sent to system operators, either to disguise unauthorized changes or to cause the operators to initiate inappropriate actions, which could have various negative effects
• ICS software or configuration settings modified, or ICS software infected with malware, which could have various negative effects
• Interference with the operation of safety systems, which could endanger human life
Industrial Challenges
Harsh Industrial Environments
Field Sites
Extended Operating Temperature
Severe Vibration / Shock
Electromagnetic Interference
High Humidity / Pollution
CONTROLLED TEMPERATURE
CONTROLLED HUMIDITY
CONTROLLED AIR QUALITY
Control Center
Industrial Protocols are Difficult to Secure
Deep Packet Inspection of Modbus TCP
Industrial Firewall vs. Enterprise Firewall
Target Devices
• Industrial-grade: RTU, PLC & DCS, critical industrial devices; SCADA system, control network
• Enterprise-grade: computers, data servers; prevent viruses from affecting PCs
Operating Environment
• Industrial-grade: high EMC/EMI/surge environment; fanless, high-temperature operation; dust-proof/shock-proof; works with industrial 24 VDC power supply
• Enterprise-grade: common IT environment with air conditioning
Content to Filter
• Industrial-grade: IP filtering/port filtering; industrial automation protocols, e.g. Modbus/TCP, PROFINET, EtherNet/IP, Foundation Fieldbus, LonWorks
• Enterprise-grade: IP filtering/port filtering; HTTP, email, POP, SMTP; MSN, Skype, Facebook, games...
Industrial Security Concerns
PLC/IO Network
Control Network
Field Site / Factory
Control Room
Threats shown: attack from public network, unauthorized connection, malfunctioning PLC, broadcast storm
SECURED REMOTE ACCESS (VPN tunnel)
• VPN function for data encryption
• VPN server for dynamic remote access
• Standard protocols: IPsec, L2TP, PPTP
CRITICAL DEVICE PROTECTION (Firewall)
• Protect critical devices (PLC, RTU, DCS) against unauthorized connections
• Isolate broadcast packets from a malfunctioning device so they do not reach the entire network
Standards
Industrial Control Systems
TSA Published Pipeline Security Guidelines (2011)
https://www.tsa.gov/sites/default/files/assets/pdf/Intermodal/tsa_pipeline_sec_guideline_april2011.pdf
Standards
Standards for Industrial Automation
Industrial Control System
ISA / IEC 62443
Power Industry
NERC CIP V5
What’s ISA/IEC 62443?
For Network Systems:
• Secure Zones and Conduits
For Network Equipment:
• Technical security requirements
Best Practices
Industrial Control Systems
Defense-In-Depth Strategy
Principle #1: Defense on multiple fronts
- @Network Perimeter
- @Edge device
Principle #2: Layered Defense
- 1: Detection
- 2: Remediation
- 3: Prevention
Best Practices
Cyber Security Implementation in Automation Network
Employ a security life cycle process
• Assessment of threats
• Implementation of countermeasures and verification
• Monitoring and maintenance
Network segmentation
• Breaking down the network into physical or logical zones with similar security requirements
Define the zone-to-zone interaction
• Device requirements
• Identification of allowed traffic over conduits
• Requirements for safe communication
Cyber Security Implementation at Edge Devices
Authentication
• Use centralized user management
• RADIUS and TACACS+ authentication
Authorization
• Only authorized devices can be connected
• Disable any unused ports
• 802.1X
• MAC address control at port
Data Integrity and Encryption
• Use HTTPS, disable HTTP
• Use SSH, disable Telnet
• Use SNMPv3, disable SNMPv1/v2
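The edge-device checklist above (central authentication, port authorization, encrypted management protocols) is easiest to enforce when it is audited mechanically against a device's exported configuration. The script below is an added example written for this page, not Moxa software and not a Moxa configuration format: it parses a constructed, vendor-neutral key/value dump and reports one finding per violated bullet (plaintext HTTP/Telnet left on, SNMP below v3, no RADIUS/TACACS+ server, ports that are enabled but unused, and enabled ports with neither 802.1X nor a MAC address limit). The key names and the sample values are assumptions made for the example.

```python
"""Added example: audit an edge switch/router configuration against the
hardening bullets on the slide.  Constructed key/value format, not a Moxa file."""
from __future__ import annotations

# Constructed sample export: one "key = value" per line, '#' starts a comment.
SAMPLE_CONFIG = """
# management services
service.http = enabled
service.https = enabled
service.telnet = enabled
service.ssh = enabled
snmp.version = v2c
# authentication backend
auth.method = local
radius.server =
tacacs.server =
# access ports: admin state, 802.1X, MAC limit, link state
port.1.admin = enabled
port.1.dot1x = enabled
port.1.mac_limit = 1
port.1.link = up
port.2.admin = enabled
port.2.dot1x = disabled
port.2.mac_limit = 0
port.2.link = up
port.3.admin = enabled
port.3.dot1x = disabled
port.3.mac_limit = 0
port.3.link = down
"""


def parse_config(text: str) -> dict:
    """Turn the key/value dump into a dict; blank lines and comments are skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def port_ids(cfg: dict) -> list:
    """All port numbers mentioned in the config, in numeric order."""
    return sorted({k.split(".")[1] for k in cfg if k.startswith("port.")}, key=int)


def audit(cfg: dict) -> list:
    """Return one finding string per violated hardening rule (empty list = clean)."""
    findings = []
    # Data integrity and encryption: plaintext service off, encrypted one on.
    for plain, secure in (("http", "https"), ("telnet", "ssh")):
        if cfg.get(f"service.{plain}") == "enabled":
            findings.append(f"{plain.upper()} enabled: disable it and use {secure.upper()}")
        if cfg.get(f"service.{secure}") != "enabled":
            findings.append(f"{secure.upper()} disabled: enable it before turning off {plain.upper()}")
    if cfg.get("snmp.version") != "v3":
        findings.append(f"SNMP {cfg.get('snmp.version', 'unset')} in use: move to SNMPv3 and disable v1/v2c")
    # Authentication: centralized user management via RADIUS or TACACS+.
    if cfg.get("auth.method") == "local" or not (cfg.get("radius.server") or cfg.get("tacacs.server")):
        findings.append("no RADIUS/TACACS+ server configured: local-only accounts")
    # Authorization: unused ports disabled; live ports need 802.1X or a MAC limit.
    for p in port_ids(cfg):
        admin_on = cfg.get(f"port.{p}.admin") == "enabled"
        link_up = cfg.get(f"port.{p}.link") == "up"
        if admin_on and not link_up:
            findings.append(f"port {p}: unused (link down) but administratively enabled")
        elif admin_on and cfg.get(f"port.{p}.dot1x") != "enabled" \
                and cfg.get(f"port.{p}.mac_limit", "0") == "0":
            findings.append(f"port {p}: no 802.1X and no MAC address limit")
    return findings


def audit_text(text: str) -> list:
    """Convenience wrapper: parse and audit in one call."""
    return audit(parse_config(text))


if __name__ == "__main__":
    for finding in audit_text(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against the constructed sample it reports six findings (HTTP and Telnet enabled, SNMP v2c, local-only authentication, port 2 without 802.1X or a MAC limit, port 3 enabled but unused); once those values are corrected the audit returns an empty list, which is the state the slide asks for.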
How to Secure Zones and Conduits (example) (IEC 62443-3-2)
Firewall and VPN ensure the Industrial Control System meets the security requirements for zones and conduits
• Firewall: control traffic flow between zones
• VPN: encrypt sensitive control data in conduits
Define Zones: Traffic Control (firewall)
Define Conduits: Data Encryption (VPN)
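The two slides above (define the zone-to-zone interaction, then secure each conduit with a firewall and, where the data is sensitive, a VPN) amount to a policy that can be written down and checked before any rule is pushed to a device. The model below is an added example written for this page, not Moxa software and not an implementation of IEC 62443 itself: zones carry a security level, each conduit lists the protocols it permits and whether encryption is required, and any flow without a matching conduit is denied by default. The zone names, conduits and sample flows are constructed for the example.

```python
"""Added example: a small zone-and-conduit policy model (IEC 62443 style) that
decides whether a proposed flow is covered by a defined conduit.  Constructed
zones, conduits and flows; not Moxa code and not the full standard."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Zone:
    name: str
    security_level: int      # target level; higher means more critical


@dataclass(frozen=True)
class Conduit:
    """Allowed communication from src zone to dst zone and the control on it."""
    src: str
    dst: str
    protocols: frozenset     # e.g. {"modbus/tcp"} or {"https"}
    requires_vpn: bool       # sensitive control data must be encrypted
    dpi: bool = False        # firewall applies application-layer inspection


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    protocol: str
    encrypted: bool


class ZoneModel:
    def __init__(self, zones, conduits):
        self.zones = {z.name: z for z in zones}
        self.conduits = {(c.src, c.dst): c for c in conduits}

    def check(self, flow: Flow) -> tuple:
        """Return (allowed, reason).  No conduit means deny."""
        if flow.src not in self.zones or flow.dst not in self.zones:
            return False, "unknown zone"
        if flow.src == flow.dst:
            return True, "intra-zone traffic"
        conduit = self.conduits.get((flow.src, flow.dst))
        path = f"{flow.src} -> {flow.dst}"
        if conduit is None:
            return False, f"no conduit {path}: default deny"
        if flow.protocol not in conduit.protocols:
            return False, f"{flow.protocol} not allowed on conduit {path}"
        if conduit.requires_vpn and not flow.encrypted:
            return False, f"conduit {path} requires VPN, flow is plaintext"
        note = " (DPI applied)" if conduit.dpi else ""
        return True, f"permitted by conduit {path}{note}"

    def inbound_from_lower(self) -> list:
        """Conduits where a lower-security zone initiates into a higher one;
        these are the ones that most need tight firewall rules."""
        return [c for c in self.conduits.values()
                if self.zones[c.src].security_level < self.zones[c.dst].security_level]


# Constructed plant: enterprise -> plant supervisory over VPN (HTTPS only),
# supervisory -> each cell over Modbus/TCP with DPI, cells isolated from each other.
PLANT = ZoneModel(
    zones=[Zone("enterprise", 1), Zone("plant_supervisory", 2),
           Zone("cell_a", 3), Zone("cell_b", 3)],
    conduits=[
        Conduit("enterprise", "plant_supervisory", frozenset({"https"}), requires_vpn=True),
        Conduit("plant_supervisory", "cell_a", frozenset({"modbus/tcp"}), requires_vpn=False, dpi=True),
        Conduit("plant_supervisory", "cell_b", frozenset({"modbus/tcp"}), requires_vpn=False, dpi=True),
    ],
)

# Constructed flows with the expected decision in the comment.
SAMPLE_FLOWS = [
    Flow("plant_supervisory", "cell_a", "modbus/tcp", encrypted=False),  # allowed, DPI
    Flow("enterprise", "plant_supervisory", "https", encrypted=True),    # allowed over VPN
    Flow("enterprise", "plant_supervisory", "https", encrypted=False),   # denied: no VPN
    Flow("enterprise", "cell_a", "modbus/tcp", encrypted=False),         # denied: no conduit
    Flow("cell_a", "cell_b", "modbus/tcp", encrypted=False),             # denied: cells isolated
]


def evaluate(model: ZoneModel, flows) -> list:
    """Decisions for a list of flows, in order."""
    return [model.check(f)[0] for f in flows]


if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(PLANT.check(f), f)
```

The point of `inbound_from_lower()` is the review step the slides imply: every conduit that lets a lower-security zone (the enterprise network, a remote site) talk into a higher one is where the firewall rules and the VPN requirement should be scrutinised first.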
Industrial Firewall and VPN Solution in Plant Network
• Firewall between different function zones: 25000 FPS throughput
• VPN tunnels between function zones: 70 Mbps throughput
• Firewall between devices to isolate unnecessary traffic: 10000 FPS throughput
• VPN tunnel between end device and supervisory controller: 17 Mbps throughput
• Firewall between enterprise network and plant network: 40000 FPS throughput
• VPN gateway connecting uplink back to enterprise control center: 150 Mbps throughput
[Diagram legend: Firewall, VPN, Enterprise security system]
Transparent Firewall Makes ICS Cybersecurity Easy
• No network change required
• Add into live network without disruption
• Aimed at industrial protocols
• 5-step visualized setting wizard
[Diagram: Site / Zone / Cell / In-Cell network protection, example devices 10.0.0.1 to 10.0.0.4]
Real-Time Intrusion Detection
Detection, Remediation, Prevention
• SNMP Trap
• Syslog
• Local DB
• 3rd-party SIEM
Modbus TCP Filtering (Deep Packet Inspection)
Filtering the Modbus protocol by:
1. Function code
2. Access address range
3. Device ID
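The "Deep Packet Inspection of Modbus TCP" slide under Industrial Challenges and the three filter criteria listed here describe the same mechanism: a firewall that reads past the TCP port into the Modbus PDU. The code below is an added example written for this page, not Moxa firmware or any vendor product; it parses the Modbus/TCP MBAP header and the start of the PDU, then applies a default-deny policy made of rules on unit (device) ID, function code and inclusive address range, so that a read that runs past its permitted block, or a write function the client was never granted, is dropped. The policy and the sample frames are constructed for the example.

```python
"""Added example: minimal Modbus/TCP deep-packet-inspection filter applying the
three rule types on the slide (function code, address range, device/unit ID).
Illustrative code for this page; constructed policy and frames, not Moxa code."""
from __future__ import annotations

import struct
from dataclasses import dataclass, field
from typing import Optional

MBAP = struct.Struct(">HHHB")   # transaction id, protocol id (0), length, unit id
READ_CODES = {1, 2, 3, 4}       # read coils / discrete inputs / holding / input regs
SINGLE_WRITE = {5, 6}           # write single coil / single register
MULTI_WRITE = {15, 16}          # write multiple coils / registers


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    start_address: Optional[int]   # None when the function code has no address field
    quantity: int


def parse_modbus_tcp(payload: bytes) -> ModbusRequest:
    """Parse the MBAP header and the address/quantity at the start of the PDU."""
    if len(payload) < MBAP.size + 1:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = MBAP.unpack_from(payload, 0)
    if proto != 0:
        raise ValueError(f"not Modbus/TCP (protocol id {proto})")
    if length != len(payload) - 6:
        raise ValueError("MBAP length field does not match frame length")
    fc, pdu = payload[7], payload[8:]
    start, qty = None, 0
    if fc in READ_CODES or fc in MULTI_WRITE:
        if len(pdu) < 4:
            raise ValueError("truncated PDU")
        start, qty = struct.unpack(">HH", pdu[:4])        # start address, quantity
    elif fc in SINGLE_WRITE:
        if len(pdu) < 4:
            raise ValueError("truncated PDU")
        start, qty = struct.unpack(">H", pdu[:2])[0], 1   # address; value follows
    return ModbusRequest(tid, unit, fc, start, qty)


@dataclass
class Rule:
    """One allow rule: unit ids, function codes and inclusive (low, high) address range."""
    unit_ids: set
    function_codes: set
    address_range: tuple


@dataclass
class Policy:
    rules: list = field(default_factory=list)

    def decide(self, req: ModbusRequest) -> tuple:
        """Return ('ALLOW' | 'DROP', reason).  Anything unmatched is dropped."""
        for r in self.rules:
            if req.unit_id not in r.unit_ids or req.function_code not in r.function_codes:
                continue
            if req.start_address is None:
                return "ALLOW", "function code without address field matched a rule"
            lo, hi = r.address_range
            last = req.start_address + max(req.quantity, 1) - 1   # last address touched
            if lo <= req.start_address and last <= hi:
                return "ALLOW", f"fc {req.function_code} addr {req.start_address}-{last} within {lo}-{hi}"
        return "DROP", f"no rule permits unit {req.unit_id} fc {req.function_code} addr {req.start_address}"


def build_frame(tid: int, unit: int, fc: int, start: int, qty_or_value: int) -> bytes:
    """Construct a Modbus/TCP request frame (used only to make sample input)."""
    pdu = struct.pack(">BHH", fc, start, qty_or_value)
    return MBAP.pack(tid, 0, len(pdu) + 1, unit) + pdu


# Constructed policy: the HMI may read holding registers 0-99 on unit 1 and
# write single registers only inside the setpoint block 100-109.
HMI_POLICY = Policy([
    Rule(unit_ids={1}, function_codes={3}, address_range=(0, 99)),
    Rule(unit_ids={1}, function_codes={6}, address_range=(100, 109)),
])

# Constructed sample traffic with the expected decision in the comment.
SAMPLE_FRAMES = [
    build_frame(1, 1, 3, 0, 10),      # read 10 holding regs from 0 -> ALLOW
    build_frame(2, 1, 3, 95, 10),     # read 95..104 runs past 99 -> DROP
    build_frame(3, 1, 6, 105, 1234),  # write setpoint 105 -> ALLOW
    build_frame(4, 1, 16, 100, 2),    # write multiple regs, never granted -> DROP
    build_frame(5, 2, 3, 0, 10),      # unit 2 is not in the policy -> DROP
]


def filter_frames(policy: Policy, frames) -> list:
    """Apply the policy to raw frames and return the decisions in order."""
    return [policy.decide(parse_modbus_tcp(f))[0] for f in frames]


if __name__ == "__main__":
    for frame in SAMPLE_FRAMES:
        req = parse_modbus_tcp(frame)
        print(HMI_POLICY.decide(req), req)
```

Two details matter in practice: the range check uses the last address the request would touch, not only the start address, so a read that begins inside the permitted block but runs past its end is still dropped; and a frame whose MBAP length field disagrees with the bytes on the wire is rejected before any rule is consulted, since a filter that guesses at malformed frames is easy to bypass.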
Case Studies
Industrial Control Systems
Manufacturing >> Country: U.S.
Network Traffic Isolation for Semiconductor Clean Room Equipment
Background & Requirements
• Isolate broadcast traffic from the external network to critical laser equipment
• Required a firewall with the ability to connect to multiple WANs
• Need easy management of the secure router configuration for over 100 stations
Why Moxa?
• EDR-810 provided support for 7 ports at the WAN interface for connecting to different systems
• Easy integration into equipment due to the industrial design of the power input and DIN-rail installation
• Reliable and stable for mission-critical manufacturing
Oil and Gas >> Country: U.S.
Secured Remote Monitoring of Gas Transmission Stations along a Pipeline
Background & Requirements
• Gas stations are built along a pipeline over thousands of miles and require an efficient and easy way of monitoring
• The system utilizes public networks (satellite and 3G/4G) for remote gas analyzer data acquisition and requires a secured tunnel between each gas station and the control center
• Need easy management of the secure router configuration for over 100 stations
Why Moxa?
• EDR-G903 provides high-performance VPN up to 150 Mbps for large amounts of data acquisition
• EDR-G903 provides up to 350 NAT rules for all 100 stations with a single configuration file for easy management
• Built-in Modbus TCP deep packet inspection to provide protection for unsecured Modbus communication
Thank You
© 2013 Moxa Inc. All rights reserved.