Cybersecurity on IoT

Bruno Mariath Zeidan, CCIE#6646

IoT Solutions Executive, Latin America

16 June 2016

IoT Regional Forum / São Paulo

Cisco Confidential

Page 2

Cisco Confidential 2 © 2013-2014 Cisco and/or its affiliates. All rights reserved.

• Introduction

• Current Security Challenges in the Industrial Environment

• Effective Strategies for Managing Security in Industrial Networks

• Demonstration: Cisco Threat Management Platform for Industrial Environments

Page 3

Quiz: What is the best strategy for protecting an industrial network?

Page 4

Quiz: What is the best strategy for protecting an industrial network?

a) An "air gap"? (physical separation between the networks)

b) Putting it in a concrete bunker at least 2 m thick, 15 meters underground, surrounded by Israeli military forces, and operated by Tibetan monks following German instructions?

c) None of the above.

Page 5

The reality of industrial networks today…

Remote access to automation networks (PCN) is a reality, whether for operational efficiency or business need (e.g. BI)

Direct or indirect connectivity to the Internet

Shift from proprietary solutions to off-the-shelf products

Adoption of IT technologies

Windows/Intel

TCP/IP and Web

Wireless connectivity

Vulnerable control devices and protocols

Limited security knowledge

Focus on availability and reliability at the expense of security

Page 7

Breaking News!

Yet another malware targeting industrial systems

Published on 2 June 2016

Sources:

http://thehackernews.com/2016/06/irongate-stuxnet-malware.html

http://securityintelligence.com/news/new-ics-malware-irongate-channels-stuxnet-to-scam-scada-systems/

Page 8

Security Incidents in Process Control Systems

Represents a global data-set from critical infrastructure asset owners

103 total cyber incidents reported from industrial companies

20% of incidents intentional attacks – 50% from outside

80% unintended disruptions – 50% from device failures

Vast majority of reported cyber incidents accidental in nature

Primary threat was non-intentional malware through USB media

October 2012 – May 2013

Information specific to US critical infrastructure sectors

~2019 total cyber incidents reported to DHS for response

111 (53%) of incidents from energy asset owners (O&G, Power)

2010, 41 incidents reported (18 from Energy sector)

Clear upward trend in cyber incidents in Energy sector

Source: DHS Security Cyber Incident Report 2013

Unintentional, 80%

Intentional 20%

Source: Repository of industrial security incidents 2011

Page 9

Challenges

The cost of compliance and security for operations is too high

Large-scale standardization is needed, but the resources and manpower to implement it are scarce

Visibility and control are low; security teams are “flying on instruments” without any information about the environments

Security controls and solutions are difficult to implement and maintain

Risk of recurring and costly problems without adequate forensic analysis tools

Automation vendors require access to the systems through third-party/proprietary tools

Page 10

Defense Strategies

Page 11

Cisco's Vision

OLD PARADIGM: Integration of IT security solutions

Ineffective in addressing the ICS specific challenges, not cost-effective

NEW PARADIGM: Creation of platforms specific to the industrial environment (ICS)

• Leverage characteristics of ICS networks for effective security and operational benefits

• Integrate security as part of the operations

• Dramatically enhance visibility into ICS networks

OLD PARADIGM: Perimeter security

Perimeter is too porous, no real detection capabilities within the perimeter

NEW PARADIGM: Pervasive security (Post-Perimeter Era)

• Introduce a new security paradigm for ICS

• Improve availability and security by truly understanding native ICS networks

NATIVE SECURITY FABRIC

Page 12

Security Strategy for Industrial Automation Systems

Addresses the most significant attack vectors within Industrial Automation Systems by establishing required controls associated with best of breed security practices

[Diagram labels: Organize, Harden, Detect, Respond, Defend; Before, During, After; PLAN, BUILD, RUN, MONITOR, MANAGE]

Controls shown: System Patches; Network Segmentation; Anti-virus; Incident Response; Proactive Monitoring; Security Monitoring; IPS / Signatures; Threat Defense; Disaster Recovery; Backup and Restore; Continuous Improvement; White & Blacklisting; Security Log Collection and Management; Anomaly Detection; Malware Detection; Intrusion Detection; Security Policy; Virtualization; Encryption; KPI’s and Analytics; Location Awareness; Process; Inventory; Assessments; Change Management; Education & Awareness; Dashboards & Reporting; PCN Access & Control; Physical Security; Industrial Wireless; Portable Media Security; Secure Storage; Asset Inventory & Management

Page 13

Secure Ops

The definitive solution for managing security and compliance in the industrial environment

Next generation Cyber Security, Risk Management and Compliance Solution for critical infrastructure

Designed to support Implementation & Maintenance of Security Controls

Forms a foundational technology platform; provides a “building block” approach to implementing desired security controls

Allows central leadership to understand risks and make informed investment decisions

Supported and embraced by ICS Engineering Partners


Page 15

Cisco Secure Ops Solution: end-to-end security for OT environments

Increased System Availability via SLOs

E2E OT Cyber Security

System-wide compliance visibility & enforcement

Orderable Now

Defense, Energy-Utility, City, Manufacturing, Oil and Gas, Mining, Transportation

Delivers people, process and technology to solve OT security

Passive asset discovery (both open and proprietary OT protocols) at Levels 1-3.5 (Purdue Model) – all OS types

Centralized information repository for visualization, reporting and evidence collection

Single pane of glass for cyber security, risk management, and compliance across all sites and assets

Risk Management

Secure access to ICS/SCADA networks and devices

Contextually aware anomaly detection of IP and Non-IP protocols using deep packet inspection (including fieldbus)

Page 16

Secure Ops: Modular Offering and Operating Model

Baseline: Security Assessment Services

• Snap shot in time asset discovery and inventory

• Identify Risks & Vulnerabilities

• Quantify Risk ($)

• Make recommendations

• Residual Risk ($)

Foundation: Secure Ops Platform (Foundation) + Asset Discovery & Inventory

• Provide ongoing (continuous) visibility of environment via asset discovery & inventory

• Support desk, People and Process integration

• SLO/SLA measurement, tracking and reporting

Building Blocks

• Implement and maintain requisite risk/security controls, depending on risks and vulnerabilities within the environment

• Secure Access (Secure, Remote Access from Contractors/Employees)

• Security Intelligence & Response (Monitoring/DPI, contextual awareness)

• Compliance Monitoring & Reporting (Compliance to Internal Security Policies)

• Secure Distribution (AV, Patching, etc.)

Adjacent Services: Assessments, Security Optimization

Flexible Commercial Models: Asset Ownership, Hosting, Consumption models

Page 18

IT/OT Converged Security Model

[Architecture diagram. Labelled areas include: Enterprise; Internet; 3rd Party; Remote Worker; Managed Services Operations Centre (NOC Dashboard); Secure Ops : SecureCenter (Data or Operations Centre); Secure Ops : SecureSite; I-DMZ; Secure Ops : Satellite Site; Control Center(s) / Room(s); DCS & Operational Business Systems; Control Room Operational Aggregation; Facility Operational Networks Aggregation; Wired Process Control; Wired Safety Critical; Power Management; Wired Multiservice (CCTV/Video, Access Control, Voice, Data)]

(Some services may reside outside of the I-DMZ depending on deployment choice)

Page 19

IT/OT Converged Security Model

[Diagram: network layout by Purdue level: Device (Level 0), Control & Safety (Level 1), Supervisory (Level 2), Control Center (Level 3), DMZ (Level 3.5), Enterprise (Levels 4-5) and Internet, spanning Process Control & Safety Networks and Multiservice Networks, with SIEM labels throughout. Systems labelled include SCADA System Head-end, Operator & Engineer Workstations, Process Automation System Server, Process Historian / Distributed Historian, Application Servers, Operational Business Systems, Manufacturing Execution System (MES), Distributed Control System (DCS), PCN Domain Controller, DMZ Domain Controller, Site Identity Services, Centralized Log Collection, Remote Engineering via Secure TPA, Vendor Qualified Anti-Virus, Vendor Qualified Patching, Terminal Services and Asset Inventory]

Page 20

Asset Discovery and Inventory

[Diagram: Purdue-model network layout (Device Level 0 through Enterprise Levels 4-5, DMZ at Level 3.5) covering Process Control & Safety Networks, with SIEM labels throughout]

Passive discovery

Solution passively reads traffic off a SPAN/mirror port and sensors on the fieldbus; covers both IP and serial networks

Passive asset discovery on all assets at Levels 1-3 (Purdue Model) – all OS types

Covers both open and proprietary ICS specific protocols: DNP3, Ethernet/IP, CIP, OPC-UA, Modbus, IEC 61850, BACNET, ProfiBus, TCP/IP, SNMP, SSH, HTTP, telnet, ftp, SMB/CIFS, and others

Attributes discovered in passive mode: MAC/physical address, IP (or equivalent ID for serial), name, OS, protocols, vendor, type of equipment

Active query

Uses WMI and SNMP queries

Any attribute that could be queried could be discovered, e.g. services running, software installed, patches installed, AV versions, etc. (list is customizable)
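A minimal sketch of the passive discovery step described on this slide, added here as an example and not taken from Cisco Secure Ops: it parses mirrored Ethernet/IPv4/TCP frames, builds an inventory of MAC, IP and protocol roles, and raises "new asset" and "IP conflict" findings like the events named in the demo screens. The frames, MAC addresses, baseline and event names are constructed; it assumes a flat Layer 2 segment so that a source MAC identifies the sending device.

```python
import socket
import struct

# TCP ports of ICS protocols named on the slide (44818 is the deck's "Known Port").
ICS_PORTS = {502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP"}


def parse_frame(frame: bytes):
    """Return (src_mac, src_ip, src_port, dst_port) for an untagged
    Ethernet II / IPv4 / TCP frame, or None for anything else."""
    if len(frame) < 14 + 20 or frame[12:14] != b"\x08\x00":
        return None                                   # truncated, or not IPv4
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                          # IPv4 header length in bytes
    if ip[0] >> 4 != 4 or ihl < 20 or ip[9] != 6 or len(ip) < ihl + 4:
        return None                                   # malformed, or not TCP
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    mac = ":".join(f"{b:02x}" for b in frame[6:12])
    return mac, socket.inet_ntoa(ip[12:16]), sport, dport


class Inventory:
    """Passive inventory: learns assets only from source addresses it observes."""

    def __init__(self, baseline_macs):
        self.baseline = set(baseline_macs)            # MACs already approved
        self.assets = {}                              # mac -> {"ips", "protocols"}
        self.ip_owner = {}                            # ip -> first MAC seen using it
        self.events = []                              # findings, each reported once

    def observe(self, frame: bytes):
        parsed = parse_frame(frame)
        if parsed is None:
            return
        mac, ip, sport, dport = parsed
        asset = self.assets.setdefault(mac, {"ips": set(), "protocols": set()})
        asset["ips"].add(ip)
        findings = []
        if mac not in self.baseline:
            findings.append(("NEW_ASSET", mac, ip))
        owner = self.ip_owner.setdefault(ip, mac)
        if owner != mac:                              # two MACs claim one IP
            findings.append(("IP_CONFLICT", ip, owner, mac))
        self.events += [f for f in findings if f not in self.events]
        if sport in ICS_PORTS:
            asset["protocols"].add(ICS_PORTS[sport] + " server")
        if dport in ICS_PORTS:
            asset["protocols"].add(ICS_PORTS[dport] + " client")


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport):
    """Construct a minimal Ethernet/IPv4/TCP SYN frame (checksums left at zero)."""
    eth = bytes.fromhex((dst_mac + src_mac).replace(":", "")) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return eth + ip + tcp


def run_demo():
    """Replay constructed frames, as if captured on a SPAN/mirror port."""
    hmi, plc = "02:00:00:00:00:01", "02:00:00:00:00:02"       # approved baseline
    laptop, rogue = "02:00:00:00:00:03", "02:00:00:00:00:04"  # not in baseline
    frames = [
        build_frame(hmi, plc, "10.10.3.161", "10.10.3.177", 49152, 44818),
        build_frame(plc, hmi, "10.10.3.177", "10.10.3.161", 44818, 49152),
        build_frame(laptop, plc, "10.10.3.50", "10.10.3.177", 49200, 502),
        build_frame(rogue, hmi, "10.10.3.177", "10.10.3.161", 49300, 44818),
        b"\xff" * 12 + b"\x08\x06" + b"\x00" * 28,            # ARP frame: ignored
    ]
    inv = Inventory(baseline_macs={hmi, plc})
    for frame in frames:
        inv.observe(frame)
    return inv


if __name__ == "__main__":
    print(*run_demo().events, sep="\n")
```

Because the collector only reads mirrored traffic, it sends nothing to the controllers; attributes such as OS or installed patches need the active WMI/SNMP queries the slide lists.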

Page 21

The Solution

OT VISIBILITY & INSIGHT

PROCESS INTEGRITY

CYBER SECURITY

OPERATIONAL EXCELLENCE

EFFICIENCY

Page 22

There’s Sight. And There’s Insight.

Network Visibility: Known Port: 44818; IP: 10.10.3.177; IP: 10.10.3.161

ICS visibility: PLC, Serial No. 00987DBF, Model No. 1756-ENBT/A; Command: Read Current, Frequency; WinCC 13.0; FieldBus; IED

Contextual Awareness: Operations & Security: Logic Change; E/IP values; Spoofing; Anomalous Behavior; WinCC 13.0 Vulnerable - CVE-2015-2823

ICS Insights & Threat Intelligence: Switch Misconfiguration; Slow Connection; Call Home Attempt

Page 23

Demonstration

Page 24

Main Dashboard

Page 25

Asset Drilldown

Page 26

Asset Management, Sorted by IP

Page 27

Abnormal Traffic Event

Page 28

IP Conflict Event

Page 29

New Asset Detected Event

Page 30

PLC Update Event

Page 31

Malicious Port Scanning Event

Page 32

Man-In-The-Middle Attack Event

Page 33

Remote Access – User View

Page 34

Remote Access – User Requesting Access

Page 35

Remote Access – Remote User Session

Page 36

Remote Access – Session Recording

Page 37

Compliance Monitoring & Reporting Overview

Page 38

Compliance – Individual Endpoint Patch Status

Page 39

Compliance – Endpoint Patch Status Report

Page 40

Conclusion

Security challenges are growing and will continue to demand resources

A new, holistic approach to security in the industrial environment is needed

Deep experience in the 3 disciplines is essential: OT (automation) engineering + Networking/IT + Security

Flexible consumption models transfer risk away from automation operators

Proven experience in the standardized implementation of security controls, cybersecurity, and compliance on a cost-efficient and “future proof” platform

Page 41

Questions?

Page 42

Thank you!