[CLASS 2014] Technical Talk - Delfin Rodillas
- 1. Defending ICS from Cyberthreats with Next-generation Platform Security
Del Rodillas, Sr. Manager, SCADA & ICS Initiative, Palo Alto Networks
- 2. Palo Alto Networks at a glance
Corporate highlights
Founded in 2005; first customer shipment in 2007
Supplier of an industry-leading Enterprise Security Platform that safely enables all applications through granular use control and prevents known and unknown cyber threats, for all users on any device across any network
Experienced team of 1,650+ employees
Q3FY14: $150.7M revenue; 17,000+ customers
[Chart, as far as its labels survive: revenue in $MM (FYE July) FY09 $13, FY10 $49, FY11 $119, FY12 $255, FY13 $396, FY14TD $420; enterprise customers Jul-11 4,700, Jul-12 9,000, Jul-13 13,500, May-14 17,000]
2 | ©2014, Palo Alto Networks
- 3. What is a Cyberthreat?
[Diagram: a cyber threat is anything, malicious or unintentional, that endangers the availability, confidentiality or integrity of information systems or industrial control systems]
- 4. What Keeps SCADA Security Supervisors Up at Night?
SANS 2014 Survey on Industrial Control Systems: "What are the top three threat vectors you are most concerned with?" (percent of respondents ranking each first, second or third; the bars are not reproduced here)
External threats (hacktivism, nation states)
Malware
Insider exploits
Email phishing attacks
Attacks coming from within the internal network
Cybersecurity policy violations
Industrial espionage
Other
Extortion or other financially motivated crimes
- 5. Advanced Targeted Attacks
Stuxnet
Social engineering: removable media
Exploits zero-day vulnerabilities (Windows, Siemens)
Propagation/recon via general IT apps and file types
Goal: disrupt uranium enrichment program
Energetic Bear
Social engineering: spearphishing, watering hole, Trojan in ICS software
Enumerates OPC assets (an ICS protocol!)
Goal: IP theft and ICS attack PoC?
Norway Oil & Gas Attacks
Social engineering: spearphishing, watering hole
Goal: IP theft and ???
- 6. Malicious Insider Attack
Sewage treatment facility in Maroochy Shire, Queensland, Australia
Disgruntled employee of the ICS vendor sought revenge on the customer (shire council) and his employer
Used intimate knowledge of the asset owner's ICS to gain access and wreak havoc
Impact: spillage of 800,000 liters of raw sewage into local parks, rivers and hotel grounds; loss of marine life, damage to the environment, health hazard
Source: Applied Control Solutions
- 7. Unintentional Cyber Incidents
SQL Slammer on an offshore platform
Platform shared by operator and royalty partner
Slammer infection reached the rig via the partner network
Workstations and SCADA servers crashed; systems would not restart after reboot
8 hours to restore the SCADA and restart production
Consequences: immediate loss of monitoring of down-hole wells; loss of production for all 4 major wells; total losses of $1.2M before production was finally restored
Source: Red Tiger Security
Application Visibility and Risk Report conducted at an energy company in Eastern Europe
Plant manager insisted the system was "not internet-facing"
Rogue broadband link and risky web applications found on the SCADA system: Wuala (storage), eMule (P2P), DAV (collaboration)
Concerns over loss of IP, network availability, malware introduction
Source: Palo Alto Networks
- 8. Revisiting the Trust Model in ICS
[Diagram: the process control network (PCN), with its PCN servers, HMI and PLCs/RTUs, is connected to the Internet/WAN, to remote stations and the plant floor (each with a local HMI and its own PLCs/RTUs), to a DEV environment, to vendor/partner networks, to the enterprise network, to mobile devices and to internal actors; each of these links is an implicit trust relationship]
- 9. Observations
Broken trust model: micro-segmentation is critical
Granular visibility of traffic (applications, users, content) is an essential capability, and that context should be shared across controls
End-to-end security is required: threats originate at endpoints and via networks
Real and potentially high risks with ICS cyber incidents: must focus on prevention, not just detection
Advanced attacks will be "zero-day": the capability to detect and stop unknown threats quickly is needed, and automated threat analysis and information sharing would help
- 10. Legacy Security Architecture and Its Challenges
[Diagram: a stateful inspection firewall with bolted-on "helpers" (IPS, AV, URL filtering, sandbox, IM proxy), plus traditional endpoint security]
Characteristic: stateful inspection firewall as a base
Associated challenges: visibility only to port numbers and IP addresses, no content identification; limited visibility into ICS traffic risks; coarse access control, not role based
Characteristic: firewall "helpers" bolted on to try to fill the security gaps
Associated challenges: uncorrelated information silos and slow forensics; increased administrative effort; performance drop-off from serial processing; limited to no zero-day threat detection/prevention capabilities
Characteristic: traditional endpoint security
Associated challenges: highly vulnerable to targeted attacks; disjointed endpoint and network technologies
- 11. What is Required? Platform Approach Focused on Prevention
Next-Generation Network Security: inspects all traffic; blocks known threats; sends unknowns to the cloud; extensible to mobile and virtual networks
Threat Intelligence Cloud: gathers potential threats from network and endpoints; analyzes and correlates threat intelligence; disseminates threat intelligence to network and endpoints
Advanced Endpoint Protection: inspects all processes and files; prevents both known and unknown exploits; integrates with the cloud to prevent known and unknown malware
- 12. Next-generation Network Security
[Diagram: a Layer-7 classification engine identifies application, user and content, fed by application identifiers and additional intelligence (user/user-group mapping, threat/vulnerability signatures, URL database); the natively supported services built on it are application visibility and control, threat prevention (AV, AS, exploits), URL filtering, unknown threat prevention and mobile security]
- 13. Systematic Approach to Network Security
[Diagram: three steps built on a foundation of improved situational awareness with granular traffic visibility]
1. Apply positive controls
2. Prevent known threats
3. Discover unknown threats, then apply new protections to prevent future attacks
- 14. Systematic Approach to Network Security (the slide 13 diagram repeated as a section divider)
- 15. Protocol/Application Identifiers for SCADA ICS
Modbus base
Modbus function control
DNP3
IEC 60870-5-104 base
IEC 60870-5-104 function control
ICCP (IEC 60870-6 / TASE.2)
Cygnet
Elcom 90
FactoryLink
MQTT
OSIsoft PI Systems
CIP Ethernet/IP
Synchrophasor (IEEE C37.118)
Foundation Fieldbus
Profinet IO
OPC
BACnet
- 16. Functional Application Identifiers
Function Control Variants (15 total)
Modbus-base
Modbus-write-multiple-coils
Modbus-write-file-record
Modbus-read-write-register
Modbus-write-single-coil
Modbus-write-single-register
Modbus-write-multiple-registers
Modbus-read-input-registers
Modbus-encapsulated-transport
Modbus-read-coils
Modbus-read-discrete-inputs
Modbus-mask-write-registers
Modbus-read-fifo-queue
Modbus-read-file-record
Modbus-read-holding-registers
[Screenshot: Applipedia entry for the Modbus-base App-ID]
- 17. ICS-ISAC SARA Testbed at the Enernex Smart Grid Lab
[Diagram: a substation server (rugged server running GE EnerVista) and a PC communicate over a rugged Ethernet switch with a phasor data concentrator, line distance protection, transformer protection and feeder protection devices and a line distance relay, using DNP3, IEC 61850, Modbus and C37.118; a Palo Alto Networks next-generation firewall observes the traffic through a mirror/SPAN port on the switch]
ics-isac.org/sara
- 18. Sample Traffic from SARA Testbed (SPAN Port Monitoring)
[Screenshot: protocol and protocol-function visibility of the testbed traffic]
- 19. Systematic Approach to Network Security (the slide 13 diagram repeated as a section divider)
- 20. User Identification is a Key Enabler of Role-based Access
Policy enforcement based on users and groups
- 21. Segmentation with Application and User Identification
[Three diagrams, each showing Remote/Support, Business, Server, User and Process zones with one policy drawn between them]
Business user access to the historian application, e.g. PI
Sr. Engineer access to Modbus write functions and SSH
3rd-party application use via a jump server
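As an added example (not code from the slides or from Palo Alto Networks), the Python below shows what the functional Modbus identifiers on slide 16 and the role-based zone policy on slide 21 amount to at the packet level: it parses the Modbus/TCP MBAP header, maps the function code to one of the functional identifier names, flags the codes that can change controller state, and checks the request against a zone/user-group rule table that denies by default. The frame bytes, zone names, user groups and rule table are constructed for the example.

```python
"""Modbus/TCP function-code classification plus zone/user policy evaluation.

Added example for this page; not Palo Alto Networks code. The frame bytes,
zone names, user groups and rule table are constructed.
"""
import struct
from dataclasses import dataclass

# Public Modbus function codes mapped to the functional identifier names used on
# slide 16. Codes not listed here are reported under the base identifier.
FUNCTION_APP_IDS = {
    1: "Modbus-read-coils",
    2: "Modbus-read-discrete-inputs",
    3: "Modbus-read-holding-registers",
    4: "Modbus-read-input-registers",
    5: "Modbus-write-single-coil",
    6: "Modbus-write-single-register",
    15: "Modbus-write-multiple-coils",
    16: "Modbus-write-multiple-registers",
    20: "Modbus-read-file-record",
    21: "Modbus-write-file-record",
    22: "Modbus-mask-write-registers",
    23: "Modbus-read-write-register",
    24: "Modbus-read-fifo-queue",
    43: "Modbus-encapsulated-transport",
}
# Function codes that can change controller state; a role-based policy should
# reserve these for a small group (the "Sr. Engineer" case on slide 21).
WRITE_CODES = frozenset({5, 6, 15, 16, 21, 22, 23})
READ_ONLY_APP_IDS = frozenset(n for c, n in FUNCTION_APP_IDS.items() if c not in WRITE_CODES)
ALL_APP_IDS = frozenset(FUNCTION_APP_IDS.values()) | {"Modbus-base"}


@dataclass(frozen=True)
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    app_id: str
    is_write: bool


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header and the function code of a Modbus/TCP request."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol identifier {proto} is not Modbus (expected 0)")
    # The MBAP length field counts everything after itself (unit id + PDU).
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")
    fc = frame[7]
    if fc & 0x80:
        raise ValueError(f"exception response for function {fc & 0x7F}, not a request")
    app_id = FUNCTION_APP_IDS.get(fc, "Modbus-base")
    return ModbusRequest(tid, unit, fc, app_id, fc in WRITE_CODES)


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    user_group: str       # "any" matches every group
    app_ids: frozenset    # functional identifiers this rule permits


# Constructed rule table: first match wins, anything unmatched is denied.
RULES = [
    Rule("User Zone", "Process Zone", "sr-engineers", ALL_APP_IDS),
    Rule("User Zone", "Process Zone", "operators", READ_ONLY_APP_IDS),
    Rule("Server Zone", "Process Zone", "any", READ_ONLY_APP_IDS),
]


def evaluate(src_zone: str, dst_zone: str, user_group: str, frame: bytes) -> tuple:
    """Return (verdict, app_id) for one request given its zones and the sending user's group."""
    req = parse_modbus_tcp(frame)
    for rule in RULES:
        if (rule.src_zone, rule.dst_zone) != (src_zone, dst_zone):
            continue
        if rule.user_group not in ("any", user_group):
            continue
        return ("allow" if req.app_id in rule.app_ids else "deny"), req.app_id
    return "deny", req.app_id


# Constructed request frames: MBAP header (tid, proto=0, length, unit) + PDU.
READ_HOLDING = bytes.fromhex("0001 0000 0006 01 03 0000 000a")            # FC3: 10 regs from 0
WRITE_SINGLE_REG = bytes.fromhex("0002 0000 0006 01 06 0010 1234")        # FC6: reg 16 := 0x1234
WRITE_MULTI_COILS = bytes.fromhex("0003 0000 0008 01 0f 0000 0008 01 ff")  # FC15: 8 coils from 0

if __name__ == "__main__":
    events = [
        ("User Zone", "Process Zone", "operators", READ_HOLDING),
        ("User Zone", "Process Zone", "operators", WRITE_SINGLE_REG),
        ("User Zone", "Process Zone", "sr-engineers", WRITE_MULTI_COILS),
        ("Business Zone", "Process Zone", "sr-engineers", READ_HOLDING),
    ]
    for src, dst, group, frame in events:
        verdict, app_id = evaluate(src, dst, group, frame)
        print(f"{src:>13} -> {dst}  {group:<12} {app_id:<32} {verdict}")
```

The rule table gives only the senior-engineer group the write functions and the operator group reads only, which is the "Sr. Engineer access to Modbus Write" policy of slide 21 expressed as function-code level rules; the Business Zone has no rule toward the Process Zone, so a senior engineer reading registers from there is still denied. Classification at this granularity needs the request seen in order and intact; on a SPAN port (slide 18) the verdict is visibility only, and actual blocking requires the firewall inline between the zones.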
- 22. Systematic Approach to Network Security (the slide 13 diagram repeated as a section divider)
- 24. IT-centric exploits, but also relevant to OT
Browser-based HMIs and other applications in ICS
Several ICS vendors issued Heartbleed advisories
Vulnerabilities are being discovered all the time
Windows XP and older Windows Server versions are still widely used in ICS, and are no longer supported
- 26. Benefits of Shared Information
[Diagram: one shared context of applications, threat profiles, security zones and user/user group]
1. Accelerated forensics
2. Simplified policy implementation and management
- 27. Systematic Approach to Network Security (the slide 13 diagram repeated as a section divider)
- 29. Platform Approach to Stopping Energetic Bear
[Diagram: allowed OPC traffic passes application control; known Havex malware, exploits and command-and-control (CNC) traffic are blocked by AV and threat prevention; a "zero-day" Havex variant is sent to WildFire, which returns protections and intelligence]
1. Apply application visibility and control for OPC and other allowed traffic. Apply User-ID for role-based policy. Control content access to the web.
2. Apply Threat Prevention for known Havex malware signatures, exploits, and command-and-control traffic associated with Havex.
3. Isolate suspicious files which could be a zero-day variant of Havex. Automatically convert them to a known threat, and receive protections and additional intelligence from the cloud.
- 30. Endpoint Security: The failures of traditional approaches
[Diagram: targeted, evasive, advanced attacks arrive either as malware for direct execution (EXE) or as a document (PDF) that exploits a vulnerability to run any code; legacy endpoint protection asks "Known signature? Known strings? Previously seen behavior?" and answers NO to each, so the attack runs]
- 31. Block the core techniques – not the individual attacks
Software vulnerability exploits: thousands of new vulnerabilities and exploits a year. Exploitation techniques: only 2-4 new exploit techniques a year.
Malware: millions of new malware samples every year. Malware techniques: 10s to 100s of new malware sub-techniques every year.
- 32. Introducing Traps
The right way to deal with advanced cyber threats
Prevent exploits, including zero-day exploits
Prevent malware, including advanced unknown malware
Collect attempted-attack forensics for further analysis
Scalable and lightweight: must be user-friendly and cover the complete enterprise
Integrate with network and cloud security for data exchange and cross-organization protection
- 33. Central Management and Reporting
[Diagram: a central admin uses the central management platform to push rules to PCN, PCN remote and remote station devices; local device logs feed aggregate reports]
Centralized deployment of universal rules while giving IT and OT admins the ability to set local policies
Role-based administration for added security (tiered admin rights)
Centralized reports which facilitate forensics and regulatory compliance
- 34. Summary – New Kind of Security Needed for ICS
Platform-based: network, endpoint, cloud
Prevention-focused: stop advanced attacks vs. just telling you that you have a problem
Network: delivers granular visibility and segmentation (protocol visibility, user-based controls); stops known and unknown threats
Endpoint: stops the fundamental techniques vs. signatures
Threat intelligence cloud: automated analysis and correlation; interacts with network and endpoint
Palo Alto Networks Next-generation Platform meets these requirements
- 35. Learn more
1. Learn more about Next-generation Security for SCADA/ICS: download our SCADA/ICS Solution Brief at go.secure.paloaltonetworks.com/secureics, or sign up for a live online demo at http://events.paloaltonetworks.com/?event_type=632
2. Learn how your control network is being used and what threats may exist: sign up for a free Application Visibility and Risk Report (AVR) for your control network at http://connect.paloaltonetworks.com/AVR