Welcome to PHOENIX CONTACT
Industrial network security seminar
Matt Cowell, Phoenix Contact, ASE – North Central
Who am I?
- Matt Cowell, ASE (Automation Sales Engineer) – Central region
- Tenure – Joined Phoenix Contact Jan 2008
- Located Gurnee, IL (north of Chicago)
- Responsible for all Automation product sales in Central Region
- Automation product responsibility includes Ethernet, controllers and software, Industrial PCs, HMIs, I/O and Wireless
- Territory includes IL, WI, MN, MO, IA, KS, NE, ND, SD
- Background – Various Engineering roles, with later years focused in Process Automation
2 | Presentation | Matt Cowell | ASE Central | 25 April 2012
Agenda
- Industrial networking introduction
- Recent product vulnerabilities
- Case studies of recent security breaches
- 'Typical' network layouts and comparisons to IT
- Introduction to basic hacking techniques
- Live demonstration of hacking techniques used, highlighting ease of implementation on a live network and offering simple countermeasures and prevention
- How mGuard can help
- Remote connectivity review
- More secure remote connectivity options to consider
Objectives of this seminar
- Not intended as a class in hacking to teach would-be hackers
- Raise awareness of often overlooked vulnerabilities
- Offer simple concepts and solutions for improved security
WARNING!
Lots of TLAs and other acronyms
Why consider security now?
- Scope of industrial networks has grown beyond conventional "switch only" networks (layer 2)
- Device access from IT/enterprise network is desired
- Remote access to SCADA systems is required for support
- Industrial devices lack network security features we have become familiar with (robust NICs, Windows updates, patches, anti-virus, HTTPS etc.)
- Vulnerabilities are being discovered daily
- Increase in network devices & trends are relying upon use of 'the cloud'
- Few standards in place yet to enforce security
- Stuxnet demonstrated the sophistication and damage that can be caused by industrial-specific malware – don't wait for Stuxnet 2.0
- Industrial attacks are becoming more common and brazen – 1/3 of ALL malware was developed in the past year (Stuxnet, Night Dragon, Stars all made news headlines)
You already know physical security…
- Cameras and surveillance – analogous to IDS (Intrusion Detection System)/logging
- Access control – access based upon credentials – analogous to account/password control policy
- Perimeter security – fences, gates, locks – analogous to firewalls
- Alarms – analogous to Email/SMS/SNMP/HMI alarms, SIEM (Security Information & Event Management) or IDS
- Security guard – analogous to IT/security focused professional
We generally take physical security very seriously
Typical industrial network – machine
Typical production network interface: often a switch, sometimes a router
(Diagram)
Characteristics of an Ind. Eth. network
- Often engineer governed
- Desire high speed (typically small data transfer – bits vs. MB)
- Deterministic
- Acceptable latency typically measured in ms
- High reliability data transfer in rugged form factor
- Typically comprising various protocols (ModbusTCP, DNP3, E/IP)
- Interconnected via various media (fiber, copper, wireless, leased lines etc.)
- Originally isolated islands (no WAN or internet connectivity)
- Longer system life cycle = more older technology and OS
Typical Enterprise network
Large network, vast data transfer, variable speed dependent upon load, latency measured in seconds, isolation of devices less critical, broadcast traffic common, integrated security (anti-virus/software firewall)
(Diagram: Internet)
Industrial link to Enterprise?
Why use a router/firewall here (between the Enterprise/Company level and the Production Floor and Machine/Cell/Line levels)?
- Limit excess traffic – control network doesn't need to be burdened with excess traffic (broadcasts etc.) from enterprise network
- Security – Engineering can control who/what can access control network
- Simplification of IP addresses – often machine IP addresses come preset; a router can provide network access without changing IP addresses on control devices
(Diagram: Internet – Enterprise/Company level – Router/Firewall – Production Floor level – Machine/Cell/Line level)
The cyber threat is real….
Types of cyber incident
- Auditing – legitimate attack/test, vulnerability assessment
- Accidental – broadcast storm, misconfiguration, faulty product, wrong IP etc.
- Non-malicious intrusion – monitoring data, stealing information etc.
- Malicious intrusion – bad intentions/causing harm, breaking something (equipment/process/data)
A few recently discovered vulnerabilities
All confirmed and published by US-CERT (DHS)
Schneider
– ICS-ALERT-11-346-01—SCHNEIDER ELECTRIC QUANTUM ETHERNET MODULE MULTIPLE VULNERABILITIES
– ICSA-11-277-01—SCHNEIDER ELECTRIC UNITELWAY DEVICE DRIVER BUFFER OVERFLOW
– ICSA-11-307-01—SCHNEIDER ELECTRIC VIJEO HISTORIAN WEB SERVER MULTIPLE VULNERABILITIES
Siemens
– ICSA-11-356-01—SIEMENS SIMATIC HMI AUTHENTICATION VULNERABILITIES
– ICS-ALERT-11-332-02A—SIEMENS SIMATIC WINCC FLEXIBLE VULNERABILITIES
– ICS-ALERT-11-186-01—PASSWORD PROTECTION VULNERABILITY IN SIEMENS SIMATIC CONTROLLERS S7-200, S7-300, S7-400, AND S7-1200
– ICS-ALERT-11-161-01—SIEMENS SIMATIC S7-1200 PLC VULNERABILITIES
..more recently discovered vulnerabilities
Rockwell Automation
– VU#144233 - Rockwell Automation Allen-Bradley MicroLogix PLC authentication and authorization vulnerabilities
– ICSA-10-070-01A-UPDATE ROCKWELL AUTOMATION RSLINX CLASSIC EDS HARDWARE INSTALLATION TOOL BUFFER OVERFLOW
– ICS-ALERT-10-194-01 OPEN UDP PORT IN 1756-ENBT ETHERNET/IP™ COMMUNICATION INTERFACE
– ICSA-11-273-03A—ROCKWELL RSLOGIX DENIAL-OF-SERVICE VULNERABILITY
Others
– ICS-ALERT-11-080-02 MULTIPLE VULNERABILITIES IN ICONICS GENESIS (32 & 64)
– ICSA-11-173-01—CLEARSCADA REMOTE AUTHENTICATION BYPASS
– ICSA-11-332-01—INVENSYS WONDERWARE INBATCH ACTIVEX VULNERABILITIES
– ICSA-11-243-03A—GE INTELLIGENT PLATFORMS PROFICY HISTORIAN DATA ARCHIVER BUFFER OVERFLOW VULNERABILITY
Network security breach case study: Stuxnet
- The industrial virus that brought mass media attention
- Complex rootkit exploiting 4 x zero-day exploits
- Designed to attack Siemens control networks and Windows OS
- Used stolen digital certificates to look inconspicuous
- Could manipulate PLC logic and network traffic
- Automatically spreads via USB jump drive
- Reports updates back to an internet server
- Targeted Iran's uranium enrichment centrifuges, causing significant damage, but also spread worldwide
- Suspected to be a state-sponsored virus
- It has a 'kill date' coded into it to stop spreading on 6/24/12
Network security breach case study: South Houston wastewater facility
- On Nov 18th 2011 a hacker named 'Pr0f' breached south Houston's network as a reaction to DHS downplaying a suspected security breach in IL
- He posted his rant and HMI screenshots on pastebin.com
- Took advantage of a Siemens vulnerability, using a 3-character default password to gain access to a publicly available HMI
- Breach wasn't malicious but could have been
- He could have affected processes, causing harm, as well as accessing site documentation and drawings
- He could also have placed a virus on the network to cause harm/gain access at a later date
- No official announcement was made other than that the DHS and FBI are investigating further
Network security breach case study: Maroochy Shire wastewater facility
- Disgruntled former contractor gained access via an insecure wireless network
- Released 264,000 gallons of sewage into rivers
- Responsible for killing marine life, not to mention creating a stench for residents
- This occurred over a 3 week period; no one noticed for the first 2.5 wks.
- He was later arrested and sentenced to prison
Even Big Bird can't help you!
Why do people 'hack'?
There are a number of motivators, including:
- Ego
- Criminal
- Political/Spying
- Hacktivism
- Terrorism
- War
- Personal gain
- Corporate gain
- Sabotage
- Retribution
- Personal Concern
How do people hack?
- Inside job/disgruntled employee – abusing network privileges
- Sniffing – intercepting network traffic, ARP spoofing. Intercept. Unsecure messages (HTTP, SNMP v1 & 2) may contain passwords in text form
- Password cracking – exploiting defaults, password generator, phishing, keylogging, brute force
- DoS – Denial of Service attacks overwhelm a network interface by sending excessive traffic to that device.
- Spoofing – Firewalls define rules based upon IP address, MAC address and port. Spoofing modifies source IP/MAC to pretend it's from a legitimate source to get access and hijack a session. Cyber imposter
- Wireless attack – Using packet captures and decryption tools it's possible to extract the WEP key of a wireless AP.
- Virus/Worm – Self-replicating infectious computer code (malware) that can take control of a system or steal information. Infect and spread.
- Trojan – Malicious code attached to a legitimate file – once run, compromises the system by giving access to a hacker(s) as a virus would.
- Exploiting vulnerabilities – latest Windows updates, Stuxnet
- Social Engineering – manipulating people to divulge information or perform an action – cyber con artist. Email/phone/baiting/phishing
How easy is it to 'hack' a facility?
- Just ask Google
- Wireless breach
- Wardriving
- If no access to the inside network, first have to find it: specialist search engines, public IP and port scans, social engineering via Trojan or phishing
- Vulnerabilities – easy targets – publicly available online and being found daily
- Dedicated tools to make life easier, as we will see…
Our demonstration scenario (diagram)
- PC (HMI), Master – 192.168.0.100
- Attacking PC – 192.168.0.101
- PLC, Slave – 192.168.0.102
- PC – 192.168.0.200
- Lean Managed Switch connecting the above
- Perimeter Router: LAN 192.168.0.1, WAN 1.2.3.4, connected to the Internet
1. Explore and learn the network (learning)
1. Explore and learn the network
What did we learn?
- What subnet they are using (192.168.0.x – i.e. 255.255.255.0)
- What devices are on the network (Linksys, LMS, VL, PLC)
  – What manufacturer (first 3 bytes of MAC ID)
  – What host name (if used)
- What IP addresses/MAC addresses appear vacant for our attacking PC
- What traffic is being broadcast and who from – see multicast too with an unmanaged switch.
Recommendations:
- Regulate who has access to the network – layer 1 prevention?
- Isolation using routers/VLANs eliminates what devices can be scanned
2. Sniffing (learning cont.)
2. Sniffing
What did we learn?
- A switch sends traffic to the destination MAC address only; therefore, to sniff someone else's packets, you need to do an ARP spoof
- Now we can see what devices are communicating with each other (VL–PLC)
- What type of traffic is flowing (UDP 44818 – E/IP)
- What device seems to be a router/firewall (192.168.0.1)
- The LMS password, as we happened to intercept an HTTP packet from Valueline to LMS that contained the password ('phoenix')
- Could intercept/modify any unencrypted data – Stuxnet
Recommendations:
- Incorporate software or a switch that monitors ARP activity
- Encrypt traffic – use HTTPS where possible
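One way to act on the "monitor ARP activity" recommendation, as an added example that is not part of the seminar material: a small monitor that learns IP-to-MAC bindings from ARP replies and raises an alert when a binding changes or a known-good (static) binding is contradicted, which is what an ARP spoof on a switched LAN looks like. The ARP records below are constructed for the demo addresses, and the MAC addresses are made up.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    """One ARP reply as a monitor on a switch mirror port would see it."""
    t: float   # capture time in seconds
    ip: str    # sender protocol address (the IP being claimed)
    mac: str   # sender hardware address (the MAC claiming it)


class ArpMonitor:
    """Learns IP->MAC bindings and reports every change of binding.

    `trusted` is an optional dict of bindings known to be correct (for
    example the commissioning records of the cell); those are never
    overwritten, so a foreign claim on a trusted IP is reported on every
    sighting instead of being learned."""

    def __init__(self, trusted=None):
        self.table = dict(trusted or {})
        self.static = set(self.table)
        self.claims = defaultdict(set)   # ip -> every MAC seen claiming it
        self.alerts = []

    def observe(self, reply):
        self.claims[reply.ip].add(reply.mac)
        known = self.table.get(reply.ip)
        if known is None:                 # first sighting: learn it
            self.table[reply.ip] = reply.mac
            return None
        if known == reply.mac:
            return None
        kind = "static-violation" if reply.ip in self.static else "binding-change"
        alert = (reply.t, kind, reply.ip, known, reply.mac)
        self.alerts.append(alert)
        if reply.ip not in self.static:
            self.table[reply.ip] = reply.mac   # follow the change; it has been reported
        return alert

    def multi_ip_macs(self):
        """MACs that have claimed more than one IP: one station answering
        for several hosts, as in the ARP spoof used in the demo."""
        by_mac = defaultdict(set)
        for ip, macs in self.claims.items():
            for mac in macs:
                by_mac[mac].add(ip)
        return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


# Constructed capture: HMI 192.168.0.100 and PLC 192.168.0.102 answer for
# themselves, then 192.168.0.101 (the attacking PC) starts answering for both.
HMI_MAC, PLC_MAC, ATK_MAC = "02:aa:00:00:01:00", "02:aa:00:00:01:02", "02:bb:00:00:01:01"
SAMPLE_REPLIES = [
    ArpReply(0.0, "192.168.0.100", HMI_MAC),
    ArpReply(0.5, "192.168.0.102", PLC_MAC),
    ArpReply(1.0, "192.168.0.101", ATK_MAC),
    ArpReply(5.0, "192.168.0.102", ATK_MAC),   # attacker claims the PLC
    ArpReply(5.1, "192.168.0.100", ATK_MAC),   # attacker claims the HMI
    ArpReply(9.0, "192.168.0.102", PLC_MAC),   # the real PLC answers again
]


def analyze(replies, trusted=None):
    """Run the monitor over a capture; returns (alerts, multi_ip_macs)."""
    mon = ArpMonitor(trusted)
    for r in replies:
        mon.observe(r)
    return mon.alerts, mon.multi_ip_macs()


if __name__ == "__main__":
    for a in analyze(SAMPLE_REPLIES, {"192.168.0.102": PLC_MAC})[0]:
        print("t=%.1fs %s: %s was %s, now claimed by %s" % a)
```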
3. Port Scanning (learning cont.)
3. Port Scanning (learning)
What did we learn?
- What ports are open on each device
  – TCP
  – UDP
- Potentially exploit known vulnerabilities & back doors
Recommendations:
- Use a firewall when possible
- Use logging to notify you of port scans
4. DoS Attack
4. DoS Attack (diagram: the demonstration network from slide 23)
4. Denial of Service attack
What did we learn?
- With the information we collected by learning the network, we can now break it
- Network adapters (particularly on industrial devices) can be overwhelmed if you send excessive packets
- This can manifest in many devastating ways – preventing legitimate communications and in some cases locking up the device, requiring a power cycle or losing its program
Recommendations:
- Use firewalls to control/restrict access
- Use managed switches with bandwidth limitation or routers to prevent excess traffic
- Enable monitors/logging to watch and automatically notify of dangerous traffic levels
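The logging recommendations in this section and in the port-scanning section need something to read the logs and raise the notification. As an added example (not the deck's or mGuard's code), the detector below parses constructed firewall log lines for the demo network and flags a source that touches many distinct ports within a short window (port scan) and a destination that receives packets above a rate threshold (flood). The log line format, the thresholds and the traffic are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format (not mGuard's own):
# "<iso time> <ACCEPT|DROP> proto=<P> src=<ip> dst=<ip> [dport=<n>] [flags=<f>]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) proto=(?P<proto>TCP|UDP|ICMP) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+)(?: dport=(?P<dport>\d+))?(?: flags=(?P<flags>\S+))?$"
)
EPOCH = datetime(1970, 1, 1)


def parse_line(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = (datetime.fromisoformat(ev["ts"]) - EPOCH).total_seconds()
    ev["dport"] = int(ev["dport"]) if ev["dport"] else None
    return ev


def detect(lines, scan_ports=10, scan_window=10.0, flood_pkts=200, flood_window=1.0):
    """Sliding-window detection over chronologically ordered log lines.

    port-scan: one source touches >= scan_ports distinct destination ports
               within scan_window seconds
    flood:     one destination receives >= flood_pkts packets within
               flood_window seconds
    Each source/destination is reported once, so a flood does not itself
    produce thousands of alerts."""
    alerts = []
    scan_hist, scan_seen = defaultdict(deque), set()
    flood_hist, flood_seen = defaultdict(deque), set()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ts = ev["ts"]
        if ev["dport"] is not None:
            q = scan_hist[ev["src"]]
            q.append((ts, ev["dport"]))
            while ts - q[0][0] > scan_window:
                q.popleft()
            ports = {p for _, p in q}
            if len(ports) >= scan_ports and ev["src"] not in scan_seen:
                scan_seen.add(ev["src"])
                alerts.append(("port-scan", ev["src"], len(ports)))
        q = flood_hist[ev["dst"]]
        q.append(ts)
        while ts - q[0] > flood_window:
            q.popleft()
        if len(q) >= flood_pkts and ev["dst"] not in flood_seen:
            flood_seen.add(ev["dst"])
            alerts.append(("flood", ev["dst"], len(q)))
    return alerts


def sample_log():
    """Constructed log for the demo network: the HMI polling the PLC over
    EtherNet/IP (UDP 44818), then the attacking PC probing 20 TCP ports on
    the PLC, then sending 300 SYNs to it within 0.6 s."""
    base = datetime(2012, 4, 25, 8, 40, 0)
    events = []
    for i in range(20):
        events.append((i * 0.5, "ACCEPT proto=UDP src=192.168.0.100 dst=192.168.0.102 dport=44818"))
    for i, port in enumerate(range(1, 21)):
        events.append((2.0 + i * 0.25, "DROP proto=TCP src=192.168.0.101 dst=192.168.0.102 dport=%d flags=S" % port))
    for i in range(300):
        events.append((12.0 + i * 0.002, "DROP proto=TCP src=192.168.0.101 dst=192.168.0.102 dport=44818 flags=S"))
    events.sort(key=lambda e: e[0])
    return ["%s %s" % ((base + timedelta(seconds=t)).isoformat(), line) for t, line in events]


if __name__ == "__main__":
    for alert in detect(sample_log()):
        print(alert)
```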
Control the 'inside'
- Prevent unnecessary access to industrial devices/network
- Use a firewall to control traffic rules
- Be careful of open ports and 'backdoors'
- Ensure adequate encryption when using wireless (WPA2) & a long, unusual pass phrase
- Restrict USB drive usage
- Be careful of infected internal PCs – a virus or Trojan can run on the inside ('inside job'), cause havoc and send information out
- It's claimed 60-70% of all security breaches are carried out by insiders
5. Outside Port Scan and DoS
5. Outside Port Scan and DoS (diagram: the demonstration network from slide 23, with the attacking PC now on the Internet side of the perimeter router; the router port-forwards UDP 44818 to 44818, so 44818 shows as OPEN from outside)
5. Outside Port Scan and DoS
What did we learn?
- Simple port scans on a public IP address uncover open/unrestricted ports
  – 44818 open
- The public network is constantly being scanned by scripts looking for open ports/backdoors
- Not only can we learn from the outside, but we can cause damage also
- Don't rely on 'Security by Obscurity' and don't assume that somebody else has it covered
Recommendations:
- Don't open ports without due care – use VPN instead!
- Set firewall rules to restrict any open access
- Enable monitors/logging to watch and automatically notify of unknown traffic or dangerous traffic levels
6. WIFI cracking (on the outside)
6. Gaining access through WIFI crack
What did we learn?
- WIFI packets are transmitted over the air for all to see
- Using specialist tools it's easy to intercept 802.11 network traffic and get enough 'samples' to decipher a WEP encrypted keyword, which can then be used to gain access to the network from afar.
- WPA can be breached too, but requires a bit more time and the use of rainbow tables or brute force
- A wireless network could also be jammed rather than penetrated
Some recommendations:
- Only use wireless if truly necessary and be aware of the consequences
- Use the highest level of encryption available (min WPA2 for WIFI)
- Disable SSID broadcasting
- Use long, complex passphrases when possible
- Use an Intrusion Detection System (IDS) and logging
- Segment wireless networks and place them behind firewalls
The solution? (Partial)
mGuard Industrial Router, Firewall and VPN
(Diagram: 'Here' and 'There' sites connected across the Internet)
Our demonstration scenario (diagram repeated from slide 23)
How would mGuard help in this instance?
- Stealth mode – drop-in solution (no changes required to existing devices' IPs or default gateway) – least intrusive to the existing network.
(Diagram: Lean Managed Switch – mGuard with Rules – PLC Slave; 192.168.0.200)
How would mGuard help in this instance?
- Stateful Firewall – define rules of access – allow only legitimate access to those who need it. Locked down to those who don't, and all other ports are blocked (potential vulnerabilities or backdoors). Keeps track of connections to prevent illegitimate traffic (spoofed).
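A stripped-down model of the decision a stateful firewall makes, added here as an illustration for the demo addresses: rules are consulted only for packets that start a new flow, packets that reverse a tracked flow pass as replies, and everything else falls to the default drop. This is not mGuard's implementation or configuration syntax; the rule format, the flow timeout and the packets are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    t: float
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str   # "accept" or "drop"
    src: str      # IP or "any"
    dst: str      # IP or "any"
    proto: str    # "udp", "tcp" or "any"
    dport: int    # 0 = any port

    def matches(self, p):
        return (self.src in ("any", p.src) and self.dst in ("any", p.dst)
                and self.proto in ("any", p.proto) and self.dport in (0, p.dport))


class StatefulFirewall:
    """First matching rule decides a NEW flow; a packet that reverses a
    tracked flow is an ESTABLISHED reply; anything else is dropped."""

    def __init__(self, rules, timeout=30.0):
        self.rules = rules
        self.timeout = timeout
        self.conns = {}   # (proto, src, sport, dst, dport) -> last seen time

    def _expire(self, now):
        for k in [k for k, t in self.conns.items() if now - t > self.timeout]:
            del self.conns[k]

    def filter(self, p):
        self._expire(p.t)
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        if rev in self.conns or fwd in self.conns:
            self.conns[rev if rev in self.conns else fwd] = p.t
            return ("accept", "established")
        rule = next((r for r in self.rules if r.matches(p)), None)
        if rule is not None and rule.action == "accept":
            self.conns[fwd] = p.t
            return ("accept", "new")
        return ("drop", "rule" if rule is not None else "default")


# Constructed policy for the demo: only the HMI may open E/IP (UDP 44818) to the PLC.
RULES = [Rule("accept", "192.168.0.100", "192.168.0.102", "udp", 44818)]

# Constructed traffic (port numbers made up).
SAMPLE_PACKETS = [
    Packet(0.0, "udp", "192.168.0.100", 50000, "192.168.0.102", 44818),  # HMI request: new flow
    Packet(0.1, "udp", "192.168.0.102", 44818, "192.168.0.100", 50000),  # PLC reply: tracked
    Packet(1.0, "udp", "192.168.0.101", 50001, "192.168.0.102", 44818),  # attacking PC to PLC: no rule
    Packet(1.5, "udp", "192.168.0.102", 44818, "192.168.0.200", 50002),  # looks like a reply, answers no request
    Packet(40.0, "udp", "192.168.0.102", 44818, "192.168.0.100", 50000), # flow idle > timeout: no longer tracked
    Packet(40.5, "udp", "192.168.0.100", 50000, "192.168.0.102", 44818), # HMI opens the flow again
]


def run(packets, rules=RULES):
    """Apply the policy to a packet list; returns one verdict per packet."""
    fw = StatefulFirewall(rules)
    return [fw.filter(p) for p in packets]


if __name__ == "__main__":
    for p, v in zip(SAMPLE_PACKETS, run(SAMPLE_PACKETS)):
        print("t=%5.1f %s:%d -> %s:%d  %s (%s)" % (p.t, p.src, p.sport, p.dst, p.dport, *v))
```

A stateless "allow source port 44818" rule would have passed the fourth packet; the connection table is what rejects it.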
Firewall cont.
NOTE: use of a firewall is a common recommendation by US-CERT for posted vulnerabilities
How could we prevent this attack?
- Extra Control – device to check packet consistency to block malformed packets (checksum, packet size), regulate use of PINGs, regulate TCP connections. Sometimes used to hack a device.
How would mGuard help in this instance?
- DoS flooding prevention – restrict number of incoming SYN requests (prevent SYN flood), further ICMP and ARP control
How would mGuard help in this instance?
- Logging and notification – local logging, remote logging using SYSLOG, SNMP traps
6. Inside DoS Attack with mGuard protection
6. DoS Attack with mGuard (diagram: the demonstration network from slide 23)
6. Denial of Service attack with mGuard
What did we learn?
- The mGuard can easily be dropped into an existing network
- Firewall rules are quick and easy to add and allow you to define control in either direction based upon IP, port and MAC
- The mGuard prevents the attack from getting to the target device (PLC) whilst allowing legitimate communications to continue
- The PLC continues to operate as expected during the attack
- The SYSLOG suggests something untoward is happening, as our signal for attention
Other remote connectivity solutions
- Dial-up modem – analog lines
- Cellular modem – GSM/GPRS
- Satellite
- 3rd party hosted connection – Citrix, GoToMyPC, Webex
- VPN tunneling
- Others? – dedicated circuits (leased line, T1, T3 etc.)
(Diagram: Local ?? Remote)
3rd party hosted connection
- Typically a remote desktop type solution, thus requires a PC
- Using a service provided by a 3rd party & special software. The 3rd party acts as a middle man for remote connections
- Requires all necessary software and LICENSES to be installed on the remote PC
- Potential for security vulnerability as data is public
- Link is owned and maintained by the 3rd party, therefore becoming reliant upon them
- Typically ongoing cost – monthly fees
- Slower than a direct connection as traffic has to travel to the 3rd party data center and then on to the destination
- Can be relatively slow under limited bandwidth conditions as it streams live GUI information
VPN tunneling
- Virtual Private Network connection between VPN routers using encrypted authentication and encrypted data transfer
- Provides complete network access as if you were physically connected to the remote network
- Provides very secure network access across a public network
- Typically used across the internet to provide a secure tunnel
- Requires higher level networking/security knowledge
- Can be connected directly to the Internet. If behind another router (i.e. on a private network) a NAT rule or port forward would be required.
- Fast data transfer (70 Mbps is possible with mGuard)
VPN continued
- Different types of VPN – open standards
  – IPsec – Internet Protocol Security – end to end
  – SSL – Secure Socket Layer – requires log in via browser
  – PPTP – Point to Point Tunneling Protocol – mature technology
  – L2TP – Layer 2 Tunneling Protocol – mature technology
- Security – ability to encrypt traffic traversing the internet, authentication to only allow exchanges between approved devices, and ability to prevent message alteration
- Authentication – recommend X.509 certificates
- Encryption and hashing – 3DES, AES, SHA1 etc.
- Firewall
- mGuard ports – UDP 500 & 4500, but can encapsulate in TCP also
VPN scenario 1 (Remote mGuard receives VPN connection)
This will require IT interaction at each installed location. The IT department will need to ensure that they provide the following:
- A static IP address for the mGuard WAN port
- An internet connection to the mGuard WAN port (through corp network, DMZ, cable modem etc.)
- Knowledge of the company's public IP address for the incoming connection (or DynDNS name if the public address is not static).
- Ensure that the VPN traffic to the public IP address is either port forwarded or NAT'd to the mGuard WAN IP address and the firewall is opened for these ports.
(Diagram: Company Network – Firewall – Internet – Firewall – Remote (machine) network. The company side, or a S/W client, is the Initiator and the remote mGuard the Receiver; IT involvement is required at the remote end; ports UDP 500 & 4500; rules on each firewall; flow of initiated traffic from company to remote)
VPN Scenario 2 (Remote mGuard initiates VPN connection – RECOMMENDED when possible!)
- Heavily reduces the amount of IT interaction required at the remote end (i.e. your customer's customer)
- Takes advantage of looser outbound firewall rules
- Use CMD button to initiate tunnel 'home'
- Can now use DHCP for the WAN IP at the remote end
(Diagram: Remote (machine) network – Firewall – Internet – Firewall – Company Network. The remote mGuard is the Initiator and the company side the Receiver; IT involvement is required at the company end; rules on each firewall; flow of initiated traffic from remote to company)
VPN Scenario 2 continued
- Does not necessarily require the connection to be physically connected to the receiving mGuard, i.e. for when 'on the road'
- Compatible with any IPsec VPN client – software/hardware
- Hub and spoke model
(Diagram: several Initiators – remote (machine) networks or S/W clients – connect across the Internet to one Receiver at the Company Network, up to 250 VPNs; rules on each firewall; flow of initiated traffic)
The clock is ticking…
Cybersecurity Act of 2012
Summary – Prevention is better than cure
- Many industrial devices are vulnerable… not just AB MLX 1100
- An air gap is a good line of defense if possible, but not complete
- Adopt a defense in depth strategy employing various layers of security
- Keep an inventory of networked devices and watch for vulnerabilities/updates
- Implement layer 1 security solutions, lockable panels, patch cables etc.
- Use updated AV/anti-spyware software and ensure any PCs are routinely patched/updated
- When interconnecting devices/panels use a firewall
- Isolate industrial devices and restrict network access to only those that need it (access control)
- Consider specialist firewall functions (DoS prevention, CIFS monitoring)
- VLANs and MAC filtering can be used to provide some defense using managed switches
- Change default passwords and use 'strong' passwords
Summary – Prevention is better than cure
- Use VPN for ALL remote connections
- Restrict use of USB jump drives (disable PC autorun feature, consider encrypted jump drives, don't allow anyone's stick)
- Restrict/prevent web access to the internet from the control network
- Try to use HTTPS exclusively when using passwords/secure webpages
- Consider using network logging, SNMP, alerts, intrusion detection, honeypots – how else will you know something bad happened?
- When using wireless always encrypt with a minimum of WPA2 for WIFI
- Be aware of smartphone vulnerabilities and their place in SCADA
- Implement an authentication/authorization policy including how to handle access credentials for former employees/contractors
- Security is not a one and done solution – continuously evolving standards, new vulnerabilities – someone has to stay on top of things
- Security is also more than just a one product solution – it's a way of life
- Security requires behavioral diligence from EVERYONE
Summary – Prevention is better than cure
- Take ownership, don't assume it is already covered – ask questions
- Take advantage of online resources
- Talk to a specialist and consider getting a vulnerability assessment
- Educate all employees
- Evaluate your system conceptually using the free US-CERT CSET tool (risk analysis)
- Devise a cyber security policy – what are your security goals?
- Devise a response/recovery plan for any potential events and have secure backups of all critical code
The Phoenix Contact products

Function           | SFN Unmanaged Switches   | Unmanaged Switches      | Lean Managed Switch | Managed Compact Switch        | Modular Managed Switch               | Smart Managed Compact Switch (gigabit) | mGuard Router
Layer              | 2                        | 2                       | 2                   | 2                             | 2                                    | 2                                      | 3
Port Flexibility   | Fixed: 5, 8              | Fixed: 5, 8, 16         | Up to 8 ports       | Fixed 16 ports                | Mix cable types & expand to 24 ports | Fixed 8 ports                          | LAN/WAN
Security Functions | No                       | No                      | No                  | Yes                           | Yes                                  | Yes                                    | Yes
Message Filtering  | No                       | No                      | Yes                 | Yes                           | Yes                                  | Yes                                    | Yes
Redundancy         | No                       | No                      | Yes                 | Yes                           | Yes                                  | Yes                                    | N/A
Diagnostics        | HW (LED, Alarm Contact*) | HW (LED, Alarm Contact) | HW + SW (Web, SNMP) | HW + SW (Web, SNMP)           | HW + SW (Web, SNMP)                  | HW + SW (Web, SNMP)                    | Yes
Application        | Distributed Panels       | Distributed Panels      | Central Panels      | Central or Distributed Panels | Central Panels                       | Central or Distributed Panels          | Security, remote access or NAT
Thank You – Questions?
Distrust and caution are the parents of security – Benjamin Franklin
Online Resources
- www.us-cert.gov
- http://www.us-cert.gov/control_systems/practices/documents/Defense_in_Depth_Oct09.pdf
- www.isa.org
- www.nist.gov
- www.phoenixcontact.com
- http://energy.gov/sites/prod/files/oeprod/DocumentsandMedia/21_Steps_-_SCADA.pdf
Tools
- Wireshark
- NMAP
- Cain and Abel
- Colasoft Packet Builder
- Colasoft MAC Scanner
- Brutus
- Backtrack 4 OS
- Ettercap
- Kismet – AirPCAP or Drone
- BeEF
- Metasploit