[CLASS 2014] Palestra Técnica - Delfin Rodillas

Defending ICS from Cyberthreats with
Next-generation Platform Security
Del Rodillas
Sr. Manager, SCADA & ICS Initiative

Palo Alto Networks at a glance
Corporate highlights
Founded in 2005; first customer shipment in 2007
Supplier of Industry-leading Enterprise Security Platform
Safely enables all applications through granular use control…
Prevents known and unknown cyber threats…
for all users on any device across any network.
Experienced team of 1,650+ employees
Q3FY14: $150.7M revenue; 17,000+ customers
$13
Revenues
$49
4.700
9.000
13,500
17.000
$400
$300
$200
$100
18.000
16.000
14.000
12.000
10.000
8.000
6.000
4.000
2.000
0
Jul-11 Jul-12
$255
$396
$420
$119
$0
FY09 FY10 FY11 FY12 FY13 FY14TD
Enterprise customers
$MM
FYE July
Jul-13 May-14
2 | ©2014, Palo Alto
Networks

What is a
Cyberthreat?
Cyber Threat
Availability, Confidentiality, Industrial Control Systems, Integrity
Information Systems
Malicious Unintentional
Networks

What Keeps SCADA Security Supervisors Up at Night?
SANS 2014 Survey on Industrial Control Systems
What are the top three threat vectors you are most concerned with?
0% 5% 10% 15% 20% 25% 30%
External threats (hacktivism, nation states)
Malware
Insider exploits
Email phishing attacks
Attacks coming from within the internal network
Cybersecurity policy violations
Industrial espionage
Other
Extortion or other financially motivated crimes
Percent Respondents
First Second Third
Networks

Advanced Targeted Attacks
Norway Oil & Gas Attacks
Social Engineering: Removable media
Exploits zero-day vulnerabilities (Windows, Siemens)
Propagation/Recon via general IT apps and file-types
Goal: Disrupt uranium enrichment program
Social Engineering: Spearphishing, Watering hole,
Trojan in ICS Software
Enumerates OPC assets (ICS-protocol!)
Goal: IP theft and ICS Attack PoC?
Energetic Bear
Social Engineering: Spearphishing, Watering hole
Goal: IP Theft and ???
Networks

Malicious Insider Attack
Sewage treatment facility in Maroochy Shire,
Queensland, Australia
Disgruntled employee of ICS vendor sought
revenge on customer (shire council) and employer
Used intimate knowledge of asset owner’s ICS to
gain access and wreak havoc
Impact
Spillage of 800,000 liters of raw sewage into
local parks, rivers and hotel grounds
Loss of marine life, damage to environment,
health hazard
Source: Applied Control Solutions
Networks

Unintentional Cyber Incidents
Platform shared by operator and royalty partner
Slammer infection on rig via partner network
Workstations and SCADA servers crashed
Systems would not restart after reboot
8 hours to restore the SCADA and restart production
Consequences
Immediate loss of monitoring down-hole wells
Loss of production for all 4 major wells
Total losses $1.2M before production finally restored
Source: Red Tiger Security
Application Visibility and Risk Report
conducted at energy company in E. Europe
Plant manager insisted “not internet-facing”
Rogue broadband link and risky web
applications found on SCADA system
Wuala (storage), eMule (P2P), DAV (Collaboration)
Concerns over loss of IP, network availability,
malware introduction
Source: Palo Alto Networks
SQL
Slammer
Networks

Revisiting the Trust Model in ICS
PCN
Internet WAN
PCN Servers
HMI
PLCs / RTUs
Local
HMI
Remote Station / Plant Floor
DEV
PLCs / RTUs
Local
HMI
PLCs / RTUs
Local
HMI
Vendor/Partner
Enterprise Network
Mobility
Internal Actors
Networks

Observations
Broken Trust Model
Micro-segmentation is critical
Granular visibility of traffic is an essential capability
Applications, users, content
Shared context
End-to-end security is required
Threats originate at endpoints and via networks
Real and potentially high risks with ICS cyber incidents
Must focus on prevention vs. just detection
Advanced attacks will be “zero-day”
The capability to detect and stop unknown threats quickly is needed
Automated threat analysis and information sharing would be helpful
Networks

Legacy Security Architecture and Its Challenges
Stateful inspection
Firewall
“helpers”
IPS AV URL Sandbox IM Proxy
Firewall
Traditional
Endpoint
Security
Characteristic Associated Challenges
Stateful inspection firewall as a base
o Visibility to port numbers and IP addresses
o No content identification
Limited visibility to ICS traffic risks
Coarse access control; not role based
Firewall “helpers” bolted on to try to fill
the security gaps
Uncorrelated Information silos; slow forensics
Increased administrative effort
Performance drop off / serial processing
Limited to No zero-day threat detection
/prevention capabilities
Highly vulnerable to targeted attacks
Disjointed endpoint network technologies
10 | ©2014, Palo Alto Networks

What is Required? Platform Approach Focused on Prevention
Next-Generation Network Security
Inspects all traffic
Blocks known threats
Sends unknown to cloud
Extensible to mobile virtual networks
Threat Intelligence Cloud
Gathers potential threats from
network and endpoints
Analyzes and correlates threat
intelligence
Disseminates threat intelligence to
network and endpoints
Advanced Endpoint Protection
Inspects all processes and files
Prevents both known unknown exploits
Integrates with cloud to prevent known
unknown malware

Next-generation Network Security
Application identifiers
Application User Content
Additional Intelligence
User/User-group mapping
Threat / Vulnerability signatures
URL database
Classification Engine (L7)
Threat
Prevention
AV, AS,
Exploits
URL
Filtering
Unknown
Threat
Prevention
Mobile
Security
Natively supported services
Application
Visibility and
Control

Systematic Approach to Network Security
Apply new protections to
prevent future attacks
Discover
2 3
unknown threats
Prevent
known threats
Apply
1
positive controls
Improve Situational Awareness w/ Granular Traffic Visibility

Discover
2 3
unknown threats
Prevent
known threats
Apply
1
positive controls

Protocol/Application Identifiers for SCADA ICS
Protocol / Application Protocol / Application Protocol / Application
Modbus base ICCP (IEC 60870-6 / TASE.2) CIP Ethernet/IP
Modbus function control Cygnet Synchrophasor (IEEE C.37.118)
DNP3 Elcom 90 Foundation Fieldbus
IEC 60870-5-104 base FactoryLink Profinet IO
IEC 60870-5-104 function control MQTT OPC
OSIsoft PI Systems BACnet

Functional Application Identifiers
Function Control Variants (15 total)
Modbus-base
Modbus-write-multiple-coils
Modbus-write-file-record
Modbus-read-write-register
Modbus-write-single-coil
Modbus-write-single-register
Modbus-write-multiple-registers
Modbus-read-input-registers
Modbus-encapsulated-transport
Modbus-read-coils
Modbus-read-discrete-inputs
Modbus-mask-write-registers
Modbus-read-fifo-queue
Modbus-read-file-record
Modbus-read-holding-registers
Applipedia entry for Modbus-base App-ID

ICS-ISAC SARA Testbed at the Enernex Smart Grid Lab
Substation Server
Rugged Server
GE EnerVista
PC
Phasor Data
Concentrator
Line Distance
Protection
Transformer
Protection
Feeder
Protection
Rugged Ethernet
Switch
Line Distance
Relay
DNP3
IEC 61850
Modbus
DNP3
IEC 61850
C37.118
Modbus
C37.118
IEC 61850
Mirror/SPAN Port
Palo Alto Networks
Next-generation Firewall
ics-isac.org/sara

Sample Traffic from SARA Testbed (SPAN Port
Monitoring)
Protocol/Protocol-function visibility

Discover
2 3
unknown threats
Prevent
known threats
Apply
1
positive controls

User Identification is a Key Enabler of Role-based Access
Policy enforcement based on users and groups

Segmentation with Application and User Identification
Remote/S
upport
Zone
Business User access to Historian Application, e.g.
Pi
Business
Zone
Server Zone
User Zone
Process
Zone
Process
Zone
Business
Zone
Remote/S
upport
Zone
Server Zone
User Zone
Sr. Engineer access to Modbus Write, SSH
Remote/
Support
Zone
Business
Zone
Process
Zone
Server Zone
User Zone
3rd Party application use via Jump Server

Discover
2 3
unknown threats
Prevent
known threats
Apply
1
positive controls

ICS-Specific IPS Signatures
Product-specific
Risky Protocol Commands
DNP3 Modbus

IT-centric exploits, but also relevant to OT
Browser-based HMIs and
other applications in ICS
Several ICS vendors issued
HeartBleed advisories
Vulnerabilities being
discovered all the time
XP Server are still widely
used in ICS
XP and older Server versions
no longer supported

Anti-Virus and Anti-Spyware

Benefits of Shared Information
2 Simplified policy implementation management
Applications Threat Profiles
Security Zones
User / User Group
1 Accelerated forensics

Discover
2 3
unknown threats
Prevent
known threats
Apply
1
positive controls

Zero-day Malware Detection Prevention

Platform Approach to Stopping Energetic Bear
WildFire
“Zero-day”
Havex Variant
Protections and
Intelligence
Allowed Allowed
AV
Apply application visibility and control for OPC and other allowed traffic.
Apply User-ID for role based policy. Control content access to web.
1
Apply Threat Prevention for known Havex malware signatures,
exploits, and command and control traffic associated with Havex
2
Exploits
CNC CNC
Isolate suspicious files which could be a zero-day variant of Havex.
Automatically convert to known threat, receive protections and
additional intelligence from the cloud
3

Endpoint Security: The failures of traditional approaches
EXE
Targeted Evasive Advanced
Known signature?
NO
Known strings?
NO
Previously seen
behavior?
NO
Legacy
Endpoint Protection
PDF
Malware
direct execution
Exploit
vulnerability
to run any code

Block the core techniques – not the individual attacks
Software Vulnerability Exploits Exploitation Techniques
Thousands of new vulnerabilities and
exploits a year
Only 2-4 new exploit techniques a year
Malware Malware Techniques
Millions of new malware every year
10’s – 100’s of new malware
sub-techniques every year

Introducing Traps
The right way to deal with advanced cyber threats
Prevent Exploits
Including zero-day exploits
Prevent Malware
Including advanced unknown malware
Collect Attempted-Attack Forensics
For further analysis
Scalable Lightweight
Must be user-friendly and cover complete enterprise
Integrate with Network and Cloud Security
For data exchange and crossed-organization protection

Central Management and Reporting
Central
Admin
Central Management Platform
Local Device
Logs Reports
Aggregate reports
PCN Admin PCN Remote Admin Remote Station
Centralized deployment of universal rules while giving IT and OT admins
ability to set local policies
Role based administration for added security (tiered admin rights)
Centralized reports which facilitate forensics and regulatory compliance

Summary – New Kind of Security Needed for ICS
Platform-based…
Network, Endpoint, Cloud
Prevention-focused
Stop advanced attacks vs. just telling you that you have a problem
Network
Delivers granular visibility and segmentation
Protocol visibility, User-based controls
Stop known and unknowns
Endpoint
Stop the fundamental techniques vs. signatures
Threat intelligence cloud
Automated analysis and correlation
Interacts with Network and Endpoint
Palo Alto Networks Next-generation Platform meets these requirements

Learn more about Next-generation Security 1 for SCADA/ICS
Download our SCADA/ICS Solution Brief
go.secure.paloaltonetworks.com/secureics
Sign up for a Live Online Demo at:
http://events.paloaltonetworks.com/?event_type=632
2 Learn how your control network is being used and what threats may exist
Sign up for a free Application Visibility and Risk Report (AVR) at:
http://connect.paloaltonetworks.com/AVR
Control Network

[CLASS 2014] Palestra Técnica - Delfin Rodillas

[CLASS 2014] Palestra Técnica - Delfin Rodillas

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

Similaire à [CLASS 2014] Palestra Técnica - Delfin Rodillas

Similaire à [CLASS 2014] Palestra Técnica - Delfin Rodillas (20)

Plus de TI Safe

Plus de TI Safe (20)

Dernier

Dernier (20)

[CLASS 2014] Palestra Técnica - Delfin Rodillas