Securing the Network: Understanding CIA, Segmentation, and Zero Trust

Jacek Szamrej, VP of Cybersecurity, SEDC

Posted on 15-Jul-2018


What are we protecting?

DATA

The CIA triad, with the annotations from the slide:

• Confidentiality: data classes Public / Personal / Secret
• Integrity: cryptography, metadata
• Availability: RTO (recovery time objective), RPO (recovery point objective), MTD (maximum tolerable downtime)

Data Classification Example

The DATA is split into separate categories:

• SCADA
• Intranet, E&O
• PII & PCI
• AMI

Defense in Depth

We divided data into different categories for more effective protection

Now we can support this defense with network segmentation

Data segmentation example

Original record:

  Account Number   Meter Number   Usage Data
  5489425345       43534504234    0.2, 0.5, 0.3, 1.2, …

MD5 hash copy of the record, with the account and meter numbers replaced by their MD5 hashes (usage data unchanged):

  Account Number                     Meter Number                       Usage Data
  2cb6128ecc85fa4916491a626d876cfd   be799977f7b518b1416daa371f890809   0.2, 0.5, 0.3, 1.2, …
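An added example in Python (not from the deck) of the data segmentation step above: the account and meter numbers are replaced by pseudonyms and the usage data is kept, while the re-identification table stays behind with the PII. The unkeyed MD5 the slide uses is shown beside a keyed HMAC-SHA256 variant, because a plain hash of a 10-digit account number can be re-linked by hashing the whole number range; the second sample record and the key are constructed.

```python
import hashlib
import hmac
from typing import Callable, Dict, List, Tuple

# Constructed sample records; the first row reuses the identifiers shown on the slide.
RECORDS = [
    {"account": "5489425345", "meter": "43534504234", "usage": [0.2, 0.5, 0.3, 1.2]},
    {"account": "5489425346", "meter": "43534504235", "usage": [0.7, 0.4, 0.4, 0.9]},
]
# Placeholder key (assumption): in practice it is generated and kept in the PII zone.
SECRET_KEY = b"constructed-demo-key"

def md5_pseudonym(value: str) -> str:
    """Unkeyed MD5 as on the slide: deterministic, so rows still join across
    copies, but anyone who can hash every possible account number can rebuild
    the mapping without any secret."""
    return hashlib.md5(value.encode()).hexdigest()

def keyed_pseudonym(value: str, key: bytes = SECRET_KEY) -> str:
    """HMAC-SHA256 pseudonym: same segmentation effect, but linking a
    pseudonym back to an account requires the key held in the PII zone."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()

def segment(records: List[dict], pseudonym: Callable[[str], str]) -> Tuple[List[dict], Dict[str, dict]]:
    """Split records into (1) a copy holding only pseudonyms and usage data,
    which may leave the PII zone, and (2) a lookup table from account
    pseudonym back to the real identifiers, which stays with the PII."""
    copy, lookup = [], {}
    for r in records:
        acct, meter = pseudonym(r["account"]), pseudonym(r["meter"])
        copy.append({"account": acct, "meter": meter, "usage": list(r["usage"])})
        lookup[acct] = {"account": r["account"], "meter": r["meter"]}
    return copy, lookup

def leaks_identifiers(copy: List[dict], records: List[dict]) -> bool:
    """Release check: no raw account or meter number may survive in the copy."""
    raw = {r["account"] for r in records} | {r["meter"] for r in records}
    flat = repr(copy)
    return any(v in flat for v in raw)

if __name__ == "__main__":
    analytics_copy, pii_lookup = segment(RECORDS, keyed_pseudonym)
    for row in analytics_copy:
        print(row)
    print("leaks identifiers:", leaks_identifiers(analytics_copy, RECORDS))
```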

No Segmentation (image: http://www-labs.iro.umontreal.ca/~vaucher/History/Ships_Discovery/)

Segmentation (image: http://www.titanicology.com/FloodingByCompartment.html)

Segmentation (image: https://www.porttechnology.org/news/maersk_to_build_10_of_the_worlds_largest_ever_container_ships)

Segmentation (image: https://www.bleepingcomputer.com/news/security/maersk-reinstalled-45-000-pcs-and-4-000-servers-to-recover-from-notpetya-attack/)

How do we apply CIA to our network?

[Diagram: Office network, DMZ with servers S1 and S2, SCADA network, and Substation SCADA, labelled as Trusted Network, Untrusted, and DMZ]

How do we apply CIA to our network? Ukraine Power Grid Cyberattack 2015

[Diagram: the same network (Office, DMZ with S1 and S2, SCADA, Substation SCADA), redrawn at each stage of the attack]

1. Email with BlackEnergy malware
2. Pivot to server and establish C&C
3. They found the pre-shared key for the VPN on the SCADA firewall
4. Firmware was changed on SCADA devices
5. They used the SCADA HMI to open breakers

Full document with all recommendations: http://www.nerc.com/pa/CI/ESISAC/Documents/E-ISAC_SANS_Ukraine_DUC_18Mar2016.pdf

Network Segmentation

Definition: "Network segmentation in computer networking is the act or profession of splitting a computer network into subnetworks, each being a network segment. Advantages of such splitting are primarily for boosting performance and improving security." (https://en.wikipedia.org/wiki/Network_segmentation)

Common Reasons for Network Segmentation

• Performance
• Security
• Compliance

Network Segmentation Examples, placed along a scale of levels of trust: ACL, VLAN/ACL, virtual firewall, firewall, data diode, air gap (source: Gartner, July 2016)

Concepts of Zero-Trust Model

• All resources are accessed in a secure manner regardless of location
• Access control is on a “need-to-know” basis and is strictly enforced
• Inspect and log all traffic

Zero Trust Network Diagram (source: https://www.slideshare.net/AlgoSec/5-steps-to-a-zero-trust-network-from-theory-to-practice)

Next Generation Firewall: FW - Firewall; IPS - Intrusion Prevention System; CF - Content Filtering; AC - Activity Monitoring; Crypto - Cryptography; AM - Access Control

Management jumpbox in separate zone

MCAP (Micro Core and Perimeter):
• Protected L2 switching zone
• MCAP members have similar functionality

DAN (Data Acquisition Network):
• Zone dedicated to log analysis
• SIEM
• Network Analysis and Visibility (NAV)

Software Defined Perimeter

• All network connections are authenticated (using MFA and/or PKI), and the health of each endpoint is inspected
• Originated at the Defense Information Systems Agency (DISA); now maintained by the Cloud Security Alliance
• BeyondCorp is Google's version of this concept

https://cloudsecurityalliance.org/group/software-defined-perimeter/#_overview
http://blogs.gartner.com/andrew-lerner/2017/03/21/microsegmentation/

Micro-Segmentation

• Software defined segmentation
• Isolates applications in virtual environment
• Focus on east-west communication
• Security defined at granular level

http://blogs.gartner.com/andrew-lerner/2017/03/21/microsegmentation/

Micro-Segmentation Models (source: http://blogs.gartner.com/andrew-lerner/2017/03/21/microsegmentation/)

• Native micro-segmentation. Vendor examples: Amazon, Cisco, Microsoft, VMware
• Third-party model. Vendor examples: Cisco, Check Point, Fortinet, Juniper Networks, Palo Alto Networks, SonicWall, Sophos, Huawei
• Overlay model. Vendor examples: Cisco, CloudPassage, Drawbridge Networks, GuardiCore, Illumio, Juniper Networks, ShieldX, vArmour, Unisys, Tempered Networks
• Hybrid model

Example of Native Micro-Segmentation (VMware NSX): https://vinfrastructure.it/2014/09/micro-segmentation-with-nsx/

How Overlay Segmentation Works

[Diagram: Internet behind a Firewall; DMZ hosts DMZ-S1 and DMZ-S2; S1, S2, S3 and PBX1; switches SW1, SW2, SW3, SW4 and SW-D1; W1, W2, W3, W4-CC; PR1, P1, P2, P3; Agents on the hosts and a central Controller]

Controller: analyzes traffic, allows communication, applies and adjusts policies

Some vendors are offering deception features
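As an added example (not from the deck or any vendor), a small Python policy evaluator that applies the three Zero-Trust concepts above to the overlay picture: every flow between the deck's zones is checked against explicit need-to-know rules, anything unlisted (including hosts without an enrolled agent) is denied, and every decision is logged. Host labels, zones, ports and the sample flows are constructed; DNP3 on TCP 20000 is assumed for the SCADA-to-substation link.

```python
from typing import List, NamedTuple, Tuple

class Flow(NamedTuple):
    src: str
    dst: str
    port: int

# Constructed host inventory (label -> zone); hosts without an enrolled agent are absent.
ZONES = {"W1": "Office", "W2": "Office", "DMZ-S1": "DMZ", "DMZ-S2": "DMZ",
         "S1": "Servers", "S2": "Servers", "SCADA-HMI": "SCADA", "RTU-1": "Substation"}

# Need-to-know rules as (source zone, destination zone, TCP port).
# Anything not listed is denied: there is no implicit trust between zones.
ALLOW = {
    ("Office", "DMZ", 443),          # users reach the web tier only
    ("DMZ", "Servers", 1433),        # web tier talks to the database
    ("SCADA", "Substation", 20000),  # DNP3 from SCADA master to RTU (assumed port)
}

def decide(flow: Flow, zones=ZONES, allow=ALLOW) -> Tuple[str, str, str]:
    """Return (verdict, src_zone, dst_zone). Unknown hosts fall into the
    'Unenrolled' zone, which no rule names, so they are always denied."""
    src_zone = zones.get(flow.src, "Unenrolled")
    dst_zone = zones.get(flow.dst, "Unenrolled")
    verdict = "ALLOW" if (src_zone, dst_zone, flow.port) in allow else "DENY"
    return verdict, src_zone, dst_zone

def evaluate(flows: List[Flow]) -> List[str]:
    """Log every decision, allowed or denied ('inspect and log all traffic')."""
    log = []
    for f in flows:
        verdict, src_zone, dst_zone = decide(f)
        log.append(f"{verdict} {f.src}({src_zone}) -> {f.dst}({dst_zone}):{f.port}")
    return log

def lateral_denies(flows: List[Flow]) -> List[Flow]:
    """Denied flows that cross from one zone into another: the lateral
    movement attempts a segmentation review should look at first."""
    out = []
    for f in flows:
        verdict, src_zone, dst_zone = decide(f)
        if verdict == "DENY" and src_zone != dst_zone:
            out.append(f)
    return out

# Constructed sample flows, including office hosts reaching for SCADA assets.
SAMPLE_FLOWS = [Flow("W1", "DMZ-S1", 443), Flow("DMZ-S1", "S1", 1433),
                Flow("W2", "SCADA-HMI", 3389), Flow("W1", "RTU-1", 20000),
                Flow("SCADA-HMI", "RTU-1", 20000), Flow("LAPTOP-9", "S2", 445)]
```

Calling evaluate(SAMPLE_FLOWS) returns the six log lines, and lateral_denies(SAMPLE_FLOWS) returns the three cross-zone denials.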

Cyber Deception Example: https://www.nytimes.com/2017/05/09/world/europe/hackers-came-but-the-french-were-prepared.html

Purdue Enterprise Reference Architecture

  Level 5   Enterprise network
  Level 4   IT Applications (CIS, GIS, OMS, AMI?)
  Level 3   SCADA Historian
  Level 2   FEP, SCADA Master
  Level 1   Meter, RTU
  Level 0   CT, PT, other sensors

Source: https://www.slideshare.net/MarinaKrotofil/s4x16europekrotofil

Phases of Network Segmentation

1. Classification: data classification
2. Analysis: analyze network traffic (types, volume)
3. Design: network structure, monitoring methods
4. Implementation: select vendor, install equipment
5. Monitoring: monitor traffic, apply changes

Source: https://www.slideshare.net/MarinaKrotofil/s4x16europekrotofil

Bison Valley Electric Cooperative Network Segmentation Project

Our Guests:
• Gary Jeger – Palmetto Electric Co-op
• George Buckner – Central Florida Electric Co-op
• Jack Daniels – Bison Valley Electric Co-op

BVEC Network: Before / After (photo: http://www.cablinginstall.com/articles/slideshow/2013/09/closet-cleanup-before-and-after-photos/pg004.html)

BVEC - Network Segmentation Project

Objective: Follow the Zero-Trust Model and the recommendations from PCI DSS and US-CERT TA16-250A.

Solution: BVEC is considering three different approaches to segment their network.

Questions: How do these options follow the concept of the Zero-Trust Model, PCI DSS, and the TA16-250A recommendations?

US-CERT Alert (TA16-250A): The Increasing Threat to Network Infrastructure Devices and Recommended Mitigations

“Protecting the network infrastructure is critical to preserve the confidentiality, integrity, and availability of communication and services across an enterprise.”

BVEC - Network Segmentation Project

TA16-250A Recommendations:
1. Segregate Networks and Functions
2. Limit Unnecessary Lateral Communications
3. Harden Network Devices
4. Secure Access to Infrastructure Devices
5. Perform Out-of-Band Management
6. Validate Integrity of Hardware and Software

BVEC - Network Segmentation Project

BVEC Network

[Diagram: DMZ; application servers CIS, AMI, MDM, GIS, OMS; Fiber & Radio links; Dispatch & SCADA; Office with VM1, VM2, S1, S2; District Office; Server Room with AD & FS, Exchange, Intranet, DB1, DB2; office workstations MS, MS, MS, FIN, CFO, CEO, E&O, E&O, E&O, E&O, LG, COO; two Substations, each with CAMI, PTZ, SCADA]

BVEC Network Option 1 - Segmentation Gateway

• Multiple NGFW vendors (Palo Alto, Checkpoint, Fortinet, Juniper, etc.)
• Shall we use the same vendor as the edge firewall, or a different one?
• We will need the High Availability option, which is more expensive.

[Diagram: the BVEC network as drawn above, with the segmentation gateway]

BVEC Network Option 2 - VMware NSX

[Diagram: the virtualized servers CIS, AMI, MDM, GIS, OMS, VM1, VM2, AD & FS, Exchange, Intranet, DB1 and DB2 on a vSphere Distributed Switch (VDS) with the Distributed Firewall (DFW); the physical network below]

• Uses the proprietary VMware NSX solution; bare metal servers are not included.
• A consultant might be needed to determine the optimal configuration.
• Throughput is not tied to hardware; easy to scale; can be extended to the cloud.

BVEC Network Option 3 - Identity Defined Network

[Diagram: the BVEC network (DMZ; CIS, AMI, MDM, GIS, OMS; ADFS; Exchange, Intranet, Apps; Fiber & Radio; Dispatch & SCADA; Office with VM1, VM2, S1, S2; District Office; Server Room; two Substations with CAMI, CCV, SCADA) with HIP Servers, HIP Clients and a central Conductor]

• Based on the HIP standard (Host Identity Protocol), but IDN is a proprietary solution.
• Can be tested locally before it is installed.
• Does not require major hardware installation.
• It can be extended to the cloud in the future.


Summary

• Classify your data by using the CIA triad
• Network segmentation can be designed in-house
• Consider segmenting SCADA, PCI, and PII first

Thank you!

Jacek Szamrej, [email protected]