The document summarizes a workshop on whether antivirus is an efficient tool for industrial network protection. The workshop was presented by Marcelo Branquinho and Jan Seidl of TI Safe in Hannover, Germany in March 2013. The workshop agenda covered topics like malware in automation networks, the limitations of signature-based antivirus detection, and the need for a defense-in-depth approach using tools like intrusion detection systems and whitelisting rather than solely relying on antivirus. Test results were presented that showed many antivirus solutions were unable to detect hacking tools and custom malware.
Is antivirus enough to protect industrial networks
1. Workshop: Is antivirus an efficient tool for industrial network protection?
Marcelo Branquinho & Jan Seidl
CEBIT, March 2013
Hannover, Germany
www.tisafe.com TI Safe Segurança da Informação LTDA, 2007-2008. All rights reserved.
2. Presenters
Marcelo Branquinho (marcelo.branquinho@tisafe.com)
• CEO at TI Safe.
• Senior member of ISA and committee member of ANSI/ISA-99.
• Researcher in security technologies to protect critical infrastructure.
Jan Seidl (jan.seidl@tisafe.com)
• Technical Coordinator at TI Safe.
• Expert in risk analysis in automation systems.
• Researcher in the field of malware engineering.
3. Follow us!
• Twitter: @tisafe
• SlideShare: www.slideshare.net/tisafe
• Facebook: www.facebook.com/tisafe
• Flickr: http://www.flickr.com/photos/tisafe
4. You don’t have to copy...
http://www.slideshare.net/tisafe
5. Workshop Agenda
• Malware in automation networks
• There is no silver-bullet/turnkey solution
• Signature-based detection is almost useless
• Bonus: Free tools can also bypass AV
• IDPS and Whitelisting
• Defense in depth and segmentation
• Training and awareness: Educating users
• Finding “Patient Zero” and regaining control through “Divide and Conquer”
• Closing comments
• Audience Q&A
6. Malware in SCADA networks
7. Vectors of infection
• Exploits
• Removable media (Pen Drives, External HD)
• Shared Networks
• External networks (connections with other companies' networks)
• 3G networks
• Virtual Private Networks (VPNs)
• Disgruntled employees
• Lack of user expertise (clicking on links and attachments ...)
8. The “Happy clicker” user
I should click here!
9. Vectors of spreading
• Exploits
• Removable media (Pen Drives, External HD)
• Shared Network Drives
• External networks (connections with other companies' networks)
• 3G networks
• VPNs
10. Possible infection impacts
• Unavailability of engineering and supervisory workstations.
• Unavailability of control servers.
• Unavailability of controllers (PLCs, IEDs, RTUs).
• Disruption of control network.
• Loss of data.
• Intellectual property theft.
• Physical damage.
• Loss of human lives.
• Environmental damage.
11. Impact
12. Documented Incidents in Brazil
Incidents       # Cases
Malware         5
Human error     14
Device failure  7
Others          4
Picture: Documented industrial incidents in Brazil until December of 2012. Source: TI Safe Knowledge Base.
In most cases of contamination observed at our customers, there was an antivirus solution installed on the infected hosts... that wasn't able to detect and prevent the spread of infection throughout the network.
13. There is no silver-bullet / turn-key solution :(
and there will 'never' be.
14. Why?
Security is a concept not a monolithic solution.
Many solutions working together build up security.
Don't trust “all-in-one” solutions (UTMs, applications that work in multiple areas, etc.)
15. Why?
You need the best solution for each area. Each vendor has expertise
in its own area and probably won't master all of them at the same time.
Security is not only for your hosts but also networks and personnel.
16. Signature-based detection is almost useless
17. Why?
Signatures are based on known patterns in files.
What about unknown threats?
Polymorphism isn't something new.
A wide variety of malware has its source code available. Anybody can change it, recompile it and... VOILÁ!
18. Why?
Remember: Hackers don't follow patterns!
19. Why?
We tested some free hacking tools against antivirus software from popular vendors...
20. Why?
… and got some interesting and alarming results.
21. Antivirus solutions tested
• McAfee Antivirus Plus 2012
• Kaspersky Antivirus 2012
• Panda Antivirus Pro 2012
• Trend Titanium Maximum Security 2012
• Norton Antivirus 2012
• F-Secure Antivirus 2012
• avast! Pro Antivirus 6
• AVG Anti-Virus FREE 2012
• Sophos Anti-Virus 7
• Microsoft Security Essentials
• E-SET NOD32 Antivirus 5
All antivirus software tested (except for the free ones) was obtained from the websites of their manufacturers in the 32-bit evaluation version (English).
All antivirus solutions were installed with the 'Recommended' setting.
23. Test Results
AVs can't stop targeted attacks and custom malware.
Java-based malware is even tougher to detect.
24. Test Results
Most of the antivirus solutions were unable to detect the threat in memory.
Remember: antivirus products were developed for home and corporate use, not for automation plants.
25. Test results: Infections and detections by malware type
26. Test results: Detection and Infection rates
27. Test results: our final ranking
#  Score  Antivirus
1  13     F-Secure 2012, Sophos 7, McAfee Plus 2012, Kaspersky 2012, Avast! Pro 6, Microsoft Security Essentials (tied)
2  12     E-SET NOD32 5
3  11     Panda Pro 2012, Norton 2012 (tied)
4  9      AVG FREE 2012
5  8      Trend Titanium Maximum Security
28. Detect behaviours, not patterns
Use up-to-date network-based and host-based IDPS.
Yes, they also use pattern-based signatures, but most of them also have behavior detection schemes.
Some antivirus products are shipped with a host IDPS that works together with them.
29. Whitelisting is better than Blacklisting
Photo credit: Codinghorror
30. Whitelisting is better than Blacklisting
Because you can't list ALL malicious URLs and/or keywords.
Stop your internal dialog!
You CAN'T! Get over it :)
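The contrast drawn on slides 17, 28 and 30 (a blacklist of known patterns versus an allowlist of approved software) can be shown in a few lines of code. The following is an added example written for this transcript, not code from the workshop or from TI Safe. The "executables" are constructed byte strings, the signatures are written for one of them, and the allowlist holds the hash of the one binary the plant's change control is assumed to have approved; nothing here is real malware or a real product's signature format.

```python
import hashlib
import re

# Constructed sample "executables": byte strings standing in for files found on an
# engineering workstation. None of these are real malware or real tools.
SAMPLES = {
    "hmi_client.exe":      b"MZ\x90\x00 HMI client v4.2 vendor-signed build",
    "known_tool.exe":      b"MZ\x90\x00 EVILTOOL connect-back loader",
    "rebuilt_variant.exe": b"MZ\x90\x00 Ev1lT00l connect-back loader",  # same family, rebuilt
    "new_dropper.exe":     b"MZ\x90\x00 never-seen-before payload",
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Blacklist: what a signature-based scanner ships. One hash signature and one
# byte-pattern signature, both derived from the single sample that was analysed.
HASH_BLACKLIST = {sha256(SAMPLES["known_tool.exe"])}
PATTERN_BLACKLIST = [re.compile(rb"EVILTOOL")]

# Allowlist: hashes of the binaries the plant's change-control process approved
# (assumed: only the vendor HMI client is approved on this host).
ALLOWLIST = {sha256(SAMPLES["hmi_client.exe"])}


def blacklist_verdict(data: bytes) -> str:
    """Signature-based decision: block only what matches a known bad pattern."""
    if sha256(data) in HASH_BLACKLIST:
        return "blocked:hash"
    if any(p.search(data) for p in PATTERN_BLACKLIST):
        return "blocked:pattern"
    return "allowed"  # unknown == allowed: the blacklist's default is trust


def allowlist_verdict(data: bytes) -> str:
    """Whitelisting decision: allow only what change control approved."""
    return "allowed" if sha256(data) in ALLOWLIST else "blocked:unknown"


def compare(samples=SAMPLES) -> dict:
    """Return {name: (blacklist verdict, allowlist verdict)} for every sample."""
    return {name: (blacklist_verdict(d), allowlist_verdict(d)) for name, d in samples.items()}


if __name__ == "__main__":
    for name, (bl, wl) in compare().items():
        print(f"{name:20} blacklist={bl:16} allowlist={wl}")
```

Running it shows the point of the slides: the blacklist catches only the exact sample it was written for, passes the rebuilt variant and the never-seen dropper, while the allowlist rejects all three because they were never approved. The flip side (slide 31) is that the allowlist is only as good as its upkeep: an approved-but-abusable binary passes, and every legitimate software update must go through change control before it runs.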
31. Whitelisting is also not bulletproof
“No Tools? No Problem! Building a PowerShell Botnet”
Christopher “@obscuresec” Campbell at Shmoocon Firetalks 2013
http://bit.ly/150V4fM
32. The defense in depth
33. The defense in depth
Controls at each layer of the defense-in-depth model (diagram not reproduced in the transcript):
• Locks, cameras etc.
• Firewalls, IDPS, data diodes
• Segmentation, VLANs, port-mirrored IDS
• Whitelisting software, HIDPS, central logging
• WAFs, strong architecture
• Encryption and access control
Photo credit: Sentrillion
34. Network Segmentation
The zones and conduits model as proposed by ANSI ISA-99
35. Educating Users
Promote workshops and “security days” to raise awareness.
Your users don't really know the impact of using a 3G modem to check their personal email or Facebook wall.
Even less do they know that they can ruin the plant's processes by clicking on a link sent by that hot girl they've been chatting with for weeks.
36. Never forget what your users mean to your security
39. Finding patient zero
You'd better have monitoring!
Find hosts that are communicating with ports and hosts they shouldn't, generating unusual network noise.
Perform forensic analysis on suspected hosts to confirm the infection date.
Find the first infection point (Mark Zero). Try to determine how it happened. Close the hole.
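Slide 39's first step, spotting hosts that talk to ports and hosts they shouldn't, is easiest when the zones and conduits model from slide 34 is written down as a policy that flow records can be checked against. The example below is added for this transcript and is not code from the workshop or from TI Safe: the zone address ranges, the approved conduit list, the flow-log format ("timestamp src dst dport") and the log lines themselves are all constructed. It flags every flow that uses no approved conduit and orders the originating hosts by the time of their first violation, which gives the order in which to start the forensic confirmation the slide calls for.

```python
import ipaddress

# Assumed zone addressing for a small site (constructed for this example).
ZONES = {
    "enterprise":  ipaddress.ip_network("10.0.0.0/16"),
    "dmz":         ipaddress.ip_network("10.1.0.0/24"),
    "supervisory": ipaddress.ip_network("192.168.10.0/24"),
    "control":     ipaddress.ip_network("192.168.20.0/24"),
}

# Approved conduits between zones: (source zone, destination zone, destination port).
# Anything not listed here is a policy violation under the zones-and-conduits model.
CONDUITS = {
    ("enterprise",  "dmz",         443),   # users reach the historian web front-end
    ("dmz",         "supervisory", 1433),  # historian pulls from the SCADA database
    ("supervisory", "control",     502),   # HMI/engineering polls PLCs (Modbus/TCP)
    ("supervisory", "supervisory", 502),
    ("control",     "control",     502),
}

# Constructed flow records, one per line: "timestamp src dst dport". Not real traffic.
FLOW_LOG = """\
2012-11-03T08:00:12 192.168.10.5 192.168.20.11 502
2012-11-03T08:01:40 10.0.4.22 10.1.0.3 443
2012-11-03T08:03:05 192.168.10.7 192.168.20.11 502
2012-11-03T08:05:19 192.168.10.7 10.0.4.22 445
2012-11-03T08:05:51 192.168.10.7 192.168.10.5 445
2012-11-03T08:09:02 192.168.10.5 192.168.10.9 445
2012-11-03T08:09:30 192.168.10.5 192.168.20.12 4444
2012-11-03T08:12:00 192.168.20.12 198.51.100.7 8080
"""


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside every zone is 'external'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def violations(log: str = FLOW_LOG) -> list:
    """Flows that use no approved conduit, as (timestamp, src, dst, dport, reason)."""
    out = []
    for line in log.splitlines():
        ts, src, dst, port = line.split()
        key = (zone_of(src), zone_of(dst), int(port))
        if key not in CONDUITS:
            out.append((ts, src, dst, int(port), f"{key[0]}->{key[1]}:{key[2]} is not a conduit"))
    return out


def suspect_order(log: str = FLOW_LOG) -> list:
    """Hosts that originated violating flows, ordered by their first violation.

    The head of the list is the first candidate to examine forensically. Network
    time is evidence, not proof: a host can be infected long before it makes noise.
    """
    first_seen = {}
    for ts, src, *_ in violations(log):
        first_seen.setdefault(src, ts)  # ISO timestamps sort correctly as strings
    return sorted(first_seen, key=lambda h: first_seen[h])


if __name__ == "__main__":
    for v in violations():
        print(*v)
    print("examine in this order:", suspect_order())
```

The only policy knowledge the script needs is the conduit table, which is the same artefact a firewall rule review (slide 44) should be checking against; keeping it in one place lets monitoring and the rule set drift apart less easily.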
40. Cleaning by dividing & conquering
41. Cleaning by dividing & conquering
Isolate clean networks from infected ones.
Create a clean copy of the infected network structure.
Reinstall infected hosts from known-good backups and place them in the clean network copy to avoid reinfection.
Destroy and set fire to infected network.
(fire actually not needed).
43. Closing Comments
Sophisticated malware or unknown vulnerabilities (zero-day) easily overcome the protection provided by most antivirus solutions.
We can assure that no anti-virus solution on the market is able to provide complete protection for automation networks. These solutions lead companies to have a "false sense of security".
It's absolutely necessary to use complementary controls.
44. Closing Comments
We recommend the following security practices:
Segment your network according to the zones and conduits model as specified by the ANSI/ISA-99 standard.
Perform periodic reviews of the firewall and IPS rules that protect automation networks, driven by best practices.
Configure your protection software with customized SCADA signature packages (IT rules are almost useless in automation networks).
45. Closing Comments
We recommend the following security practices:
Enforce control over any device that is connected to the SCADA network (third-party laptops, removable media, modems, etc.).
Performing deep inspection of new software before it is installed can increase the security level and prevent infections.
Do not allow the use of e-mail and web access from inside the automation network by any means and, where possible, apply critical computer security patches according to the vendor's recommendation.
46. Closing Comments
Our experience shows that the disinfection of a contaminated SCADA network is costly in time and resources, complex, and depends on the cooperation of manufacturers for success, which makes the process slow.
We encourage the international community to create a best-practices guide for automation network disinfection that will serve as a baseline for companies experiencing this problem, so that they can regain control over their control networks in a planned and fast way.
47. Closing Comments
Companies should be prepared for the worst and have a contingency plan.
It's essential to have automated backup tools installed on servers as well as a redundant critical automation network.
48. Audience Q&A
???
49. We can help you!
Marcelo.branquinho@tisafe.com
Jan.seidl@tisafe.com
Rio de Janeiro: +55 (21) 2173-1159
São Paulo: +55 (11) 3040-8656
Twitter: @tisafe
Skype: ti-safe
Opening our first office in Europe next Q2/2013