Copyright Belden 2013
Hirschmann and Tofino Implementing Security
Sven Burkard
Industrial Solution Manager [email protected] or 717.491.1770
Where network failures occur…
Source: Datacom, Network Management Special
[Figure: Network Reliability in the OSI Model. Layers shown: Physical, Data Link, Network, Transport, Session, Presentation, Application. Values shown: 8 %, 10 %, 35 %, 25 %, 12 %, 7 %, 3 %.]
How Belden mitigates this…
[Figure labels: Cable; Switches; Routers & Firewalls; Deep-Packet Inspection]
ICS and SCADA Security
Are you at risk?
Security Incidents in the Water Industry
• Salt River Project SCADA Hack
• Maroochy Shire Sewage Spill
• Software Flaw Makes MA Water Undrinkable
• Trojan/Keylogger on Ontario Water SCADA System
• Viruses Found on Aussie SCADA Laptops
• Audit/Blaster Causes Water SCADA Crash
• DoS attack on water system via Korean telecom
• Penetration of California irrigation district wastewater treatment plant SCADA
• SCADA system tagged with message, "I enter in your server like you in Iraq."
Source: Repository of Industrial Security Incidents (RISI) Database
Security Incidents in the Oil Industry
• Electronic Sabotage of Venezuela Oil Operations
• CIA Trojan Causes Siberian Gas Pipeline Explosion
• Anti-Virus Software Prevents Boiler Safety Shutdown
• Slammer Infected Laptop Shuts Down DCS
• Virus Infection of Operator Training Simulator
• Electronic Sabotage of Gas Processing Plant
• Slammer Impacts Offshore Platforms
• SQL Slammer Impacts Drill Site
• Code Red Worm Defaces Automation Web Pages
• Penetration Test Locks-Up Gas SCADA System
• Contractor Laptop Infects Control System
Source: Repository of Industrial Security Incidents (RISI) Database
Security Incidents in the Chemical Industry
• IP Address Change Shuts Down Chemical Plant
• Hacker Changes Chemical Plant Set Points via Modem
• Nachi Worm on Advanced Process Control Servers
• SCADA Attack on Plant of Chemical Company
• Contractor Accidentally Connects to Remote PLC
• Sasser Causes Loss of View in Chemical Plant
• Infected New HMI Infects Chemical Plant DCS
• Blaster Worm Infects Chemical Plant
Source: Repository of Industrial Security Incidents (RISI) Database
Security Incidents in the Power Industry
• Slammer Infects Control Central LAN via VPN
• Slammer Causes Loss of Comms to Substations
• Slammer Infects Ohio Nuclear Plant SPDS
• Iranian Hackers Attempt to Disrupt Israel Power System
• Utility SCADA System Attacked
• Virus Attacks a European Utility
• Facility Cyber Attacks Reported by Asian Utility
• E-Tag Forgery Incident in Power PSE
• Power Plant Security Details Leaked on Internet
Source: Repository of Industrial Security Incidents (RISI) Database
Stuxnet Had Many Paths to its Victim PLCs
Some Lessons Learned
• A modern ICS or SCADA system is highly complex and interconnected
• Multiple potential pathways exist from the outside world to the process controllers
• Assuming an air-gap between ICS and corporate networks is unrealistic
• Focusing security efforts on a few obvious pathways (such as USB storage drives or the Enterprise/ICS firewall) is a flawed defense
Cyber Security Incident Types
[Figure: chart of incident types. Labels: External Hacker; Software or Device Flaw; Human Error; Malware Infection; Disgruntled Employee. © 2011 Security Incidents Organization]
Typical ICS Cyber Security Incidents
• January 2001: Oil pipeline shut down for 6 hours after software is accidentally uploaded to a PLC on the plant network instead of the test network
• August 2005: 13 Chrysler auto plants were shut down by a simple Internet worm; 50,000 workers stop work for 1 hour while the malware is removed
• August 2006: Operators at the Browns Ferry nuclear power plant forced to “scram” the reactor after cooling drive controllers crashed due to “excessive network traffic”
Security Issues in Control Networks
• “Soft” Targets
  • PCs run 24x7 without security updates or even antivirus
  • Controllers are optimized for real-time I/O, not for robust networking connections
• Multiple Network Entry Points
  • The majority of cyber security incidents originate from secondary points of entry to the network
  • USB keys, maintenance connections, laptops, etc.
• Poor Network Segmentation
  • Many control networks are “wide-open” with no isolation between different sub-systems
  • As a result, problems spread rapidly through the network
Five Important Differences
IT and SCADA
#1 - Differing Risk Management Goals
#2 - Differing Performance Requirements
#3 - Differing Reliability Requirements
#4 - “Unusual” Operating Systems and Applications
#5 - Differing Security Architectures
• Problems occur because assumptions that are valid in the IT world may not be valid on the plant floor
Why is SCADA Security a Challenge?
“Why not just apply the already developed practices and technologies from existing Information Technology security to plant floor security - isn't that good enough to solve the problem?”
Cisco Researcher
July 2002
Why is SCADA Security a Challenge?
“None of this would be a problem if those █████ plant floor people just used proper security policies – what █████ is wrong with them?”
IT Manager after a Security Incident
Differing Security Focus
• IT… Privacy First - “Protect the Data”
• SCADA/ICS… Safety First - “Protect the Process”

Priority | IT | SCADA/ICS
#1 | Confidentiality | Availability
#2 | Integrity | Integrity
#3 | Availability | Confidentiality
Why is Cyber Security Important?
• Cost Savings
  • Reduced down time and maintenance costs
  • Improved productivity
  • Enhanced business continuity
• Enhanced Security and Safety
  • Improved safety for the plant, employees and community
  • Improved defense against malicious attacks
• Simplified Regulatory and Standards Compliance
  • FERC / NERC CIP
  • ISA/IEC-62443 (formerly ISA-99)
  • More to Come…
7 Steps to ICS and SCADA Security
Step 1 – Assess Existing Systems
• Security starts with understanding the risks that control system security (or insecurity) can pose to a business
  • Determine threats that pose a danger to the business
  • Rank these risks
  • Lets companies prioritize their security dollars and effort
• Don’t throw money into a solution for a minor risk, and leave more serious risks unaddressed
• Consider 3rd-party/independent industrial cyber-security firms (www.exida.com) for risk assessment and actions needed
Example Risk Analysis at Oil Refinery

Event | Vulnerability | Possible Threat Source | Skill Level Required | Potential Consequence | Severity | Likelihood | Risk
Release of hazardous product | Manipulate control system | Organized Crime, Activist | Intermediate | Major Injury, Complaints or Local Community Impact | Medium | Low | Low
Release of hazardous product | Disable/manipulate emergency shutdown | Terrorist, Organized Crime, Activist | High | Fatality or Major Community Incident | High | Low | Medium
Process reactivity incident | Manipulate control system | Domestic or Foreign Terrorist, Disgruntled Employee | Intermediate | Lost Workday or Major Injury, Complaints or Local Community Impact | Medium | Low | Low
Process reactivity incident | Disable/manipulate emergency shutdown | Domestic or Foreign Terrorist | High | Fatality or Major Community Incident | High | Very Low | Medium
Process shutdown | Trip emergency shutdown | Malware, Novice Hacker | Low | Shutdown > 6 Hours | Medium | High | High
Process shutdown | Cause Loss of View of SIS | Malware, Novice Hacker | Low | Shutdown > 6 Hours | Medium | High | High
Process shutdown | Manipulate control system | Hacker, Disgruntled Employee | Intermediate | Shutdown > 6 Hours | Medium | Medium | Medium
Process shutdown | Disable PCN communications | Malware, Novice Hacker | Low | Shutdown < 6 Hours | Low | High | Medium
Process shutdown | Spoof operators | Hacker, Disgruntled Employee | Intermediate | Shutdown < 6 Hours | Low | Medium | Low
Environmental spill | Manipulate control system | Activist | Intermediate | Citation by Local Agency | Medium | Low | Low
Environmental spill | Mislead operators | Activist | Intermediate | Citation by Local Agency | Medium | Low | Low
Step 2 – Document Policies & Procedures
• Start With Policy, Not Technology
• Should be technology and architecture independent
• Do not include the implementing procedures and processes
• Leave the details of specific technologies and how to implement them for later
Security policy outlines what you want to achieve, NOT how to do it
Step 3 – Train Personnel & Contractors
• Ensure personnel are aware of the existence and importance of these materials
• First conduct an awareness program
• Second is a staff training program that informs employees:
  • How to be secure
  • What their roles and responsibilities are
  • What to do if they suspect there is a security breach
Step 4 – Design a Secure Control System Architecture
• A core concept in the ISA/IEC 62443.02.01 security standard (formerly ISA-99) is known as “Zones and Conduits”
• ICS networks divided into layers or zones based on control function
• Separate zones allow a “defense in depth” strategy
Typical Control Network Architecture
[Figure: network diagram. Labels: Internet; IT Firewall; Enterprise Servers; Enterprise Workstations; Office Network; Plant Network; Servers; HMI Stations; Engineering Stations; Control Network; PLCs; External Network; Contractor; Wireless; Dial-up; Remote Diagnostics]
A Perimeter Defense is Not Enough
• We can’t just install a firewall at the edge of the network and forget about security.
  • The bad guys will eventually get in
  • Many problems originate inside the plant network
• We must harden the plant floor.
• We need Defense in Depth.
We’re crunchy on the Outside - Soft in the Middle
Security Zone Definition
• “Security zone: grouping of logical or physical assets that share common security requirements” [ANSI/ISA-62443.02.01–2009 - 3.2.116]
• A zone has a clearly defined border (either logical or physical), which is the boundary between included and excluded elements
[Figure labels: PLC Zone; HMI Zone]
Conduits
• A conduit is a path for the flow of data between two zones
• Can provide the security functions that allow different zones to communicate securely
• Any communications between zones must have a conduit
[Figure labels: Conduit; PLC Zone; HMI Zone]
Using Zones: An Example Oil Refinery
Specifying the Zones
Defining the Conduits
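The rule that any communication between zones must have a conduit can be checked against observed traffic. The following is an added example, not part of the original slides or any Belden product: the zone subnets, conduit definitions, directional conduit model and flow records are all constructed for illustration.

```python
import ipaddress

# Constructed zone model (addresses are made up): zone name -> subnets.
ZONES = {
    "enterprise": ["10.10.0.0/16"],
    "hmi": ["192.168.10.0/24"],
    "plc": ["192.168.20.0/24"],
}

# Constructed conduits. Assumption of this example: a conduit is directional
# and lists the (protocol, destination port) pairs it carries.
CONDUITS = {
    ("hmi", "plc"): {("tcp", 502)},         # Modbus/TCP from HMIs to PLCs
    ("enterprise", "hmi"): {("tcp", 443)},  # HTTPS from the office to HMI servers
}

def zone_of(ip):
    """Return the zone whose subnet contains ip, or None if it is unassigned."""
    addr = ipaddress.ip_address(ip)
    for zone, subnets in ZONES.items():
        if any(addr in ipaddress.ip_network(net) for net in subnets):
            return zone
    return None

def check_flow(src, dst, proto, dport):
    """Classify one observed flow against the zone and conduit model."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone is None or dst_zone is None:
        return "violation: endpoint is not assigned to a zone"
    if src_zone == dst_zone:
        return "intra-zone"
    allowed = CONDUITS.get((src_zone, dst_zone))
    if allowed is None:
        return f"violation: no conduit {src_zone} -> {dst_zone}"
    if (proto, dport) not in allowed:
        return f"violation: {proto}/{dport} not carried by conduit {src_zone} -> {dst_zone}"
    return "allowed"

def audit(flows):
    """Return (flow, reason) for every flow that breaks the model."""
    results = [(flow, check_flow(*flow)) for flow in flows]
    return [(flow, reason) for flow, reason in results if reason.startswith("violation")]

# Constructed flow records: (source IP, destination IP, protocol, destination port).
SAMPLE_FLOWS = [
    ("192.168.10.5", "192.168.20.7", "tcp", 502),  # HMI -> PLC over the conduit
    ("192.168.20.7", "192.168.20.8", "tcp", 502),  # PLC -> PLC inside one zone
    ("10.10.4.20", "192.168.20.7", "tcp", 502),    # office PC straight to a PLC
    ("192.168.10.5", "192.168.20.7", "tcp", 80),   # right zones, wrong service
    ("172.16.0.9", "192.168.10.5", "tcp", 443),    # laptop outside every zone
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(flow, "->", reason)
```

Fed with flow records exported from a switch or firewall, the same check shows which undocumented paths would need either a conduit or removal.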
Step 5 – Control Access to the System
• Next step is to control access to assets within those zones
• Important to control both physical and logical access
• Identifying who and what should have access to what resources:
  • What privileges?
  • How that should be enforced?
  • What technology should be used?
• This is the installation and commissioning phase
Conduit Deep Packet Inspection
Zones and Conduits provide Defense in Depth
[Figure: network diagram. Labels: Internet; IT Firewall; Enterprise Servers; Enterprise Workstations; Office Network; Plant Network; Servers; HMI Stations; Engineering Stations; Control Network; PLCs; External Network; Contractor; Wireless; Dial-up; Remote Diagnostics]
Step 6 – Harden the Components of the System
• Hardening means locking down the functionality of the various components in your system to prevent unauthorized access or changes, remove unnecessary functions or features, and patch any known vulnerabilities.
• Especially important in modern ICS which utilize commercial off-the-shelf (COTS) technology.
• Includes patch management, AV deployment, shutting down unneeded services
Step 7 – Monitor & Maintain System Security
• Security is a lifestyle, not a goal
• Maintaining security involves activities such as:
  • Updating antivirus signatures and white lists
  • Installing security patches
  • Monitoring for suspicious activity
  • Periodically testing and assessing the system
Expectations, responsibilities and opportunities for the Control Engineer and System Integrator
Expectations
• Not infecting the control system through bad staff practices:
  • Poor USB Key/CD/DVD handling
  • Poor laptop security practices
  • Poor remote access security practices
  • Inadequate staff training
• Understanding of and compliance with current security standards like ISA/IEC 62443 and NERC CIP
Responsibilities
• Not designing/installing an insecure system
• Not making a system less secure through upgrades and changes
• Meeting security practice requirements as defined in relevant standards
• Meeting record-keeping requirements as defined in relevant standards
Opportunities – The Assessment Step
• Involves analyzing a new or existing system to determine the security threats and risks
  • Audits Risk and Threat Analysis
  • Asset inventories
  • Network and communications reviews
  • Software/platform reviews
  • Staff competency reviews
Opportunities – The Design Step
• Involves designing a system architecture
  • Creating a zone and conduit strategy
  • Network architecture design
  • Network system and components selection
  • Prioritization based on risk
Opportunities – The Implementation Steps
• Implementing the system architecture and required security controls
  • Restructuring of the network (if required)
  • Security control technology deployment and commissioning
• Equipment hardening
• Testing and validation
Opportunities – The Maintain Step
• Maintaining the security targets through periodic assessments and effective management processes.
  • System reviews
  • Threat landscape reviews
  • Staff upgrading
  • Change Management process reviews
  • Continuous monitoring services
Summary
• The world of control systems has changed since Stuxnet
• ICS/SCADA Security is not the same as IT Security
• Asset owners need their SIs to support their security programs
• Use ISA/IEC-62443 as a roadmap to deploying a security program
New Standards and Regulations in Control System Security
Government Efforts and Regulations
• Department of Homeland Security (DHS)
  • 6 CFR part 27: Chemical Facility Anti-Terrorism Standards (CFATS)
  • National Cyber Security Division
• Department of Energy
  • Federal Energy Regulatory Commission (FERC)
    – 18 CFR Part 40, Order 706 (mandates NERC CIPs 002-009)
• Nuclear Regulatory Commission (NRC)
  • 10 CFR 73.54 Cyber Security Rule (2009)
  • RG 5.71
• National Institute of Standards and Testing (NIST)
  • SP800-82 Guide to Industrial Control Systems (ICS) Security
New Standards in the ICS Environment
• International Society for Automation (ISA)
  • ISA99/62443, Industrial Automation and Control System (IACS) Security
• International Electrotechnical Commission (IEC)
  • IEC 62443 standards (equivalent to ISA 99)
• International Instrument Users' Association (WIB)
  • M 2784-X-10 Process Control Domain Security Requirements for Vendors
• ISASecure
  • Embedded Device Security Assurance Certification
Industry Specific Guidance
• American Petroleum Institute (API)
  – API Standard 1164 - SCADA Security
• American Chemistry Council (ACC)
  • ChemITC™ Chemical Sector Cyber Security Program
    – Guidance for Addressing Cyber Security in the Chemical Industry Version 3.0
• North-American Electric Reliability Council (NERC)
  – Critical Infrastructure Protection (CIP) 002 – 009
• Department of Homeland Security
  – Chemical Facility Anti-terrorism Standards (CFATS)
  – Risk-based Performance Standards (RBPS) (RBPS 8)
Active Hardware
Product Overview in Short-form Catalog
Securing Physical Access
Web Access
• By default, the web interface of the switch is enabled. You have the option to either disable this access or to configure it to use a more secure connection.
  • HTTP (Hyper Text Transfer Protocol – TCP Port 80)
  • HTTPS (Hyper Text Transfer Protocol Secure – TCP Port 443)
HiDiscovery Access
• IP addressing tool
• Uses MAC addresses to ID
• Useful if installed assigned DHCP IP address
• The red pencil indicates Read-Write access.
• The glasses indicate Read-Only access.
HiDiscovery Access
• In a secured environment, you may want to designate the switch as being read-only or not visible at all via the HiDiscovery program.
Securing Empty Ports
• Good security practices include the disabling of unused ports to prevent unauthorized connections to empty ports on the switch.
Monitoring Connected Ports
• You can also use an SNMP management application such as Industrial HiVision to monitor the connection status of the infrastructure ports in your network
MAC Based Port Security
• MAC based filter on a per port basis allows only the authorized MAC address to forward traffic from the given port.
• Up to 10 MAC addresses listed per port or you can use a range of MAC addresses that you wish to allow.
IP Based Port Security
• IP based filter on a per port basis.
• IP-Based Port Security internally relies on MAC-Based Port Security. Principle of operation: When you configure the function, the device translates the entered source IP address into the respective MAC address.
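The switch settings covered on the Web Access, HiDiscovery, Securing Empty Ports and MAC Based Port Security slides can be reviewed together across an inventory. The following is an added example, not Hirschmann code or a Hirschmann configuration format: the dictionary layout, field names and inclusive MAC range matching are assumptions, and the sample switch is constructed.

```python
MAX_MACS_PER_PORT = 10  # per-port limit stated on the MAC Based Port Security slide

def mac_to_int(mac):
    """Convert 'aa:bb:cc:dd:ee:ff' (or dash-separated) to an integer."""
    return int(mac.replace(":", "").replace("-", ""), 16)

def mac_allowed(mac, allowed_macs, mac_range=None):
    """True if mac is listed, or lies in the inclusive (low, high) range.

    Inclusive range semantics are an assumption of this example.
    """
    value = mac_to_int(mac)
    if value in {mac_to_int(m) for m in allowed_macs}:
        return True
    if mac_range is not None:
        low, high = (mac_to_int(m) for m in mac_range)
        return low <= value <= high
    return False

def audit_switch(switch):
    """Return findings for one switch described in the hypothetical dict format."""
    findings = []
    if switch["web"] == "http":
        findings.append("web: HTTP (TCP 80) enabled; disable it or use HTTPS (TCP 443)")
    if switch["hidiscovery"] == "read-write":
        findings.append("hidiscovery: read-write; set read-only or not visible")
    for name, port in sorted(switch["ports"].items()):
        allowed = port.get("allowed_macs", [])
        mac_range = port.get("mac_range")
        if port["enabled"] and not port["link_up"]:
            findings.append(f"port {name}: unused but enabled")
        if len(allowed) > MAX_MACS_PER_PORT:
            findings.append(f"port {name}: {len(allowed)} MACs listed, limit is {MAX_MACS_PER_PORT}")
        if port["link_up"] and not allowed and mac_range is None:
            findings.append(f"port {name}: connected without a MAC filter")
            continue
        for seen in port.get("seen_macs", []):
            if not mac_allowed(seen, allowed, mac_range):
                findings.append(f"port {name}: unauthorized MAC {seen}")
    return findings

# Constructed inventory; MAC addresses use the locally administered 02: prefix.
SAMPLE_SWITCH = {
    "web": "http",
    "hidiscovery": "read-write",
    "ports": {
        "1": {"enabled": True, "link_up": True,
              "allowed_macs": ["02:00:00:00:00:11"],
              "seen_macs": ["02:00:00:00:00:11"]},
        "2": {"enabled": True, "link_up": True,
              "mac_range": ("02:00:00:00:01:00", "02:00:00:00:01:0f"),
              "seen_macs": ["02:00:00:00:01:05", "02:00:00:00:02:99"]},
        "3": {"enabled": True, "link_up": False},
        "4": {"enabled": False, "link_up": False},
    },
}
```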
Placing Network Terminations in Your Hands
Modular design MIPP
[Figure labels: Housing; Modules: 6 SC-Duplex Module, 12 LC-Duplex Double Module, 4 RJ45 Keystone Module]
Alarming and Notification
Industrial HiVision Network Management and Visualization Software
• Rapid deployment with multi-device config
• Graphical interface
• Network views incl. unmanaged and WLAN
• Auto-topology discovery
• Event log
• Event handling
• Asset management
• Client / Server
• ActiveX control
• SCADA/OPC server
• Flexible licensing
Network Management Software
Belden’s Unique Position
• End-to-end Network Solution
• Wired and wireless
• Active networking products
• Cable and connectors
• Cable management
• Software
• Services
• One Face
• One Source
• All Globally
Thank you!
Merci beaucoup!
Obrigado !
Muchas gracias!
Toa chie!
Domo arigato!
Danke schön!