TRANSCRIPT
July 2011
Stories from the Trenches: Securing Industrial Control Systems with Application Whitelisting and Change Detection
Gib Sorebo, SAIC, Vice President/Chief Cybersecurity Technologist
©SAIC. All rights reserved.
SAIC.com
Overview
• The Challenges Unique to Critical Infrastructure
• Need for Detecting and Controlling Change
• Application Whitelisting
• Change Detection
The Challenges Unique to Critical Infrastructure
Topic | Information Technology | Control Systems
Protection from malicious software | Anti-virus tools, firewalls, intrusion detection system (IDS) | Physical segregation, firewalls, and very limited number of software packages
Support technology lifetime | Three to five years | Up to 20 years
Outsourcing | Common and widely used | Rarely used
Hardware/software maintenance | Regular and scheduled software patches | Scheduled hardware maintenance but limited software maintenance
Change management | Varies by organization | Well-defined procedures for process control system components; more limited for software changes on supervisory control and data acquisition (SCADA) workstations and servers
Time-critical content | Generally delays accepted | Critical because of safety
Availability | Generally delays accepted | 24/7/365 forever
Security awareness | Good in private and public sector | Poor except for physical
Security testing and audit | Scheduled and mandated | Occasional testing for outages
Physical security | Secure in primary data centers | Remote and unmanned at field operations; secure at control center
The Need for Detecting and Controlling Change
• Control systems often highly sensitive to small changes
• Real-time nature means that any latency could have a dramatic effect on operations
• Many process control networks not designed around connected computer networks (often assume serial connections)
• May leverage public networks that are more vulnerable to infiltration or bandwidth limitations
• Regulatory and business processes dictate strict change management
• NERC CIP auditors routinely ask for justification for all changes to firewall rules or network port access
• Critical infrastructure businesses are designed around following consistent processes that need authorization for changes
• In production operations, predictability is essential to maintaining efficiency and reliability (can’t just reboot a server because a process is misbehaving)
NERC CIP = North American Electric Reliability Corporation Critical Infrastructure Protection
The Data Is Also Important
• Integrity of information is critical
• Using complex algorithms, renewable resources such as solar and wind can be dispatchable
• Tampering with or errors in algorithms can lead to power outages when an expected power resource is not available
• Protection of the software supply chain will be critical
Resources Are Limited
• Any solution must leverage automation
• Insufficient people or expertise available to manually compare checksums or sort out false positives from alerts
• Need solutions that can baseline operations across multiple devices and quickly identify anomalies and unauthorized changes
• Equally important, systems must be able to limit the kinds of processes that are allowed to run and what those processes can do
Introduction to Application Whitelisting
• Limiting what applications can be used
– Highly granular controls that restrict not only installation, but execution of software
– Enforces more secure updating methods to protect against supply chain threats
– Protects against many improper uses of applications if sufficiently defined (for example, spawning shells)
– Generally offer some in-memory protection
• Logging and alerting
– Allows centralized management and alerting
– Can be used to detect trends in attacks not detected by network and host intrusion detection tools
– Allows administrators to learn of needs for application rights changes before users complain
Popular Application Whitelisting Products
• McAfee® Application Control
• Bit9® Parity® Suite
• Windows® AppLocker®
• CoreTrace Bouncer®
• Lumension® Application Control
• Faronics® Anti-Executable®
• Savant™ Protection
Trademarks attributed on last slide
Application Whitelisting Weaknesses and Challenges
• Frequent software updates (particularly internally developed) can make managing deployment problematic
– Option in many whitelisting products to exclude certain directories
– Need to make sure excluded directories are not targeted by hackers
– Most whitelisting products can accept updates from approved sources (for example, those with digital signatures)
• Very heterogeneous environments with ability for users to use a lot of discretion in what programs they install and how they use them present difficulties
• Memory protection often done “by proxy” because programs look slightly different when running in memory; often whitelisting can be complemented by host intrusion protection systems that identify known exploit techniques like spawning “cmd.exe”
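As an added illustration of the whitelisting behaviours the last two slides describe (a hash allow-list, auto-approval of signed updates from trusted publishers, excluded directories, and a central log of decisions that operators must actually review), here is a hypothetical policy model in Python. It is not any listed product's engine; the class, paths and publisher name are constructed for this example.

```python
import hashlib
from collections import Counter

# Hypothetical policy model (constructed for this example, not a vendor format):
# approved hashes, trusted signers whose updates are auto-approved, unenforced dirs.
class WhitelistPolicy:
    def __init__(self, allowed_hashes, trusted_signers, excluded_dirs=()):
        self.allowed_hashes = set(allowed_hashes)
        self.trusted_signers = set(trusted_signers)
        self.excluded_dirs = tuple(d.lower() for d in excluded_dirs)
        self.events = []  # audit log: one record per execution decision

    def decide(self, path, content, signer=None):
        """Return 'allow' or 'block' for one execution attempt and log it."""
        digest = hashlib.sha256(content).hexdigest()
        if path.lower().startswith(self.excluded_dirs):
            verdict, reason = "allow", "excluded-dir"  # unenforced: weak spot
        elif digest in self.allowed_hashes:
            verdict, reason = "allow", "known-hash"
        elif signer in self.trusted_signers:
            self.allowed_hashes.add(digest)  # signed update becomes approved
            verdict, reason = "allow", "trusted-signer"
        else:
            verdict, reason = "block", "unknown"
        self.events.append({"path": path, "sha256": digest,
                            "verdict": verdict, "reason": reason})
        return verdict

    def repeat_blocks(self, threshold=3):
        """Paths blocked `threshold`+ times: programs that may be silently
        failing to start, which operators should review rather than wait to hear of."""
        counts = Counter(e["path"] for e in self.events if e["verdict"] == "block")
        return sorted(p for p, n in counts.items() if n >= threshold)

    def excluded_dir_executions(self):
        """Executions allowed only by an exclusion; they bypass the whitelist."""
        return sorted({e["path"] for e in self.events if e["reason"] == "excluded-dir"})

def demo():
    """Constructed scenario exercising each policy path."""
    hmi = b"hmi-build-4.2"  # stand-in for an approved executable's bytes
    policy = WhitelistPolicy({hashlib.sha256(hmi).hexdigest()},
                             {"CN=Example SCADA Vendor"}, ("C:/scada/scripts/",))
    results = [policy.decide("C:/scada/hmi.exe", hmi),
               policy.decide("C:/scada/hmi.exe", b"hmi-build-4.3", "CN=Example SCADA Vendor"),
               policy.decide("C:/scada/hmi.exe", b"hmi-build-4.3"),  # learned above
               policy.decide("C:/scada/scripts/nightly.bat", b"anything")]
    results += [policy.decide("C:/Users/op/report.exe", b"not-approved") for _ in range(3)]
    return policy, results
```

The two report methods are the point: a repeatedly blocked path is the "program that wasn't starting for months" case, and anything running only because of an exclusion needs its own review.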
Application Whitelisting Vulnerabilities*
• Adobe® Acrobat® attacks
– Testing showed ability to spawn cmd.exe, exploit Javascript® and embed an exe
• Microsoft Office® documents (VBScript™ and macros)
• Windows Powershell®
– DLL injection/shellcode injection
• Java® and Javascript
– Can spawn a meterpreter from applet
– Firefox® and Chrome™ extensions
– HTML5 Javascript
• Microsoft Windows® Help files (could spawn cmd.exe)
• Man-in-the-middle network attacks (for example, ARP poisoning)
*Based on research and ShmooCon presentation by Curt Shaffer (Foreground Security) and Chris Cuevas (Secure Ideas).
DLL = Dynamic Link Library, ARP = Address Resolution Protocol
Trademarks attributed on last slide
The Value of Change Detection
• Need for more global understanding of change
– Whitelisting tools focus largely on executables with less attention to data and configuration files
– Offers ability to report on change over time
– Can be used to roll back to a known good state
– Some offer option to detect acceptable and unacceptable changes based on baselining across multiple devices
• Product examples
– Triumfant®
– Tripwire®
– Bit9® Parity™
Trademarks attributed on last slide
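The change-detection capabilities just listed (a per-device baseline with a change report over time, and baselining across multiple devices to separate a fleet-wide authorized update from a change on one box), as an added Python example that is not code from the deck or any of the products named; hostnames, paths and file contents are constructed.

```python
import hashlib
from collections import Counter

def snapshot(files):
    """Inventory one device: path -> SHA-256 of the file's content."""
    return {path: hashlib.sha256(content).hexdigest() for path, content in files.items()}

def diff_snapshots(before, after):
    """Per-device change report against that device's stored baseline."""
    common = before.keys() & after.keys()
    return {"added": sorted(after.keys() - before.keys()),
            "removed": sorted(before.keys() - after.keys()),
            "modified": sorted(p for p in common if before[p] != after[p])}

def fleet_anomalies(snapshots):
    """Cross-device baseline: for each path, the hash held by a strict majority
    of devices is the fleet baseline. A device that deviates (different hash, or
    file present/absent unlike its peers) is reported; a change applied to every
    device at once, such as a vendor update, is not."""
    all_paths = set().union(*(s.keys() for s in snapshots.values()))
    findings = []
    for path in sorted(all_paths):
        per_host = {host: snap.get(path, "<absent>") for host, snap in snapshots.items()}
        baseline, n = Counter(per_host.values()).most_common(1)[0]
        if n * 2 <= len(snapshots):
            continue  # no majority: nothing to compare against
        findings.extend((host, path, h) for host, h in sorted(per_host.items()) if h != baseline)
    return findings

# Constructed sample: three HMI workstations built from the same image.
BASE_FILES = {
    "C:/scada/hmi.exe": b"hmi-build-4.2",
    "C:/scada/config/points.ini": b"[points]\npump1=on\n",
    "C:/scada/drivers/modbus.dll": b"modbus-1.0",
}

def sample_fleet():
    """Apply one fleet-wide vendor update and two changes on a single device."""
    fleet = {h: dict(BASE_FILES) for h in ("hmi-01", "hmi-02", "hmi-03")}
    for files in fleet.values():
        files["C:/scada/drivers/modbus.dll"] = b"modbus-1.1"  # pushed everywhere
    fleet["hmi-03"]["C:/scada/config/points.ini"] = b"[points]\npump1=off\n"  # one host only
    fleet["hmi-03"]["C:/scada/tools/extra.exe"] = b"not in the image"  # one host only
    return {h: snapshot(files) for h, files in fleet.items()}
```

Against the per-device baseline every hmi-03 change shows up, including the legitimate driver update; the cross-device view drops the update because all peers agree on it and leaves only the two single-host deviations for review.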
Value of Whitelisting and Change Detection for Critical Infrastructure
• Scale back on potentially disruptive anti-virus and vulnerability scans
• Have centralized record of changes to demonstrate compliance with change management processes and to prevent/alert on unauthorized changes
• Limit frequency of patching and the need to reboot or take production system offline
• Prevent future Stuxnet-like attacks by restricting changes to production software even when there is a vulnerability in the software
Lessons Learned
• Have a clear plan for how tools will be used
– Oil/gas customer chose to target control system environment
– Worked closely with system owners and operators to understand how the product would be used and possible impact (such as implications for scripts that change frequently)
• Test, test, and test some more
– Just like access control, whitelisting can prevent programs from running correctly if not configured correctly
– Some seldom-used functions could be blocked in production if not tested first
Lessons Learned (continued)
• Make sure you have the capability to monitor events
– For both whitelisting and change management, it is critical that staff are tasked to routinely view events
– One customer was using a whitelisting product for months before they discovered that one program on a particular host wasn’t starting because of whitelisting
– Don’t wait for users to complain!
• Allocate lots of time for testing, deployment, and tweaking
– Pick deployment windows that have plenty of slack
– Use iterative deployment approaches that, at first, selectively deploy the products, with later deployments applying knowledge gained, because every organization is different
Conclusion
• There are inherent risks and vulnerabilities in control systems
• There are unique security challenges to overcome those vulnerabilities
• Application whitelisting and change control can effectively lock down and protect control systems
• When deployed correctly, application whitelisting and change detection can operate seamlessly in critical infrastructure with little administrative overhead or help desk support required
Questions?
Thank You.
Gib Sorebo
SAIC Vice President
Chief Cybersecurity Technologist
tel: 703-676-2605 | email: [email protected]
Trademarks
McAfee is a registered trademark of McAfee, Inc. in the U.S. and/or other countries.
Windows Powershell, VBScript, Microsoft Office, AppLocker, and Microsoft Windows are trademarks or
registered trademarks of Microsoft Corporation in the U.S. and/or other countries.
Triumfant is a registered trademark of Triumfant, Inc. in the U.S. and/or other countries.
Tripwire is a registered trademark of Tripwire, Inc. in the U.S. and/or other countries.
Bit9 and Parity are registered trademarks of Bit9, Inc. in the U.S. and/or other countries.
CoreTrace Bouncer is a registered trademark of CoreTrace Corporation in the U.S. and/or other countries.
Adobe and Acrobat are registered trademarks of Adobe Systems, Inc. in the U.S. and/or other countries.
Lumension is a registered trademark of Lumension Security, Inc. in the U.S. and/or other countries.
Java and JavaScript are registered trademarks of Oracle America, Inc. in the U.S. and/or other countries.
Faronics and Anti-Executable are registered trademarks of Faronics Corporation in the U.S. and/or other countries.
Chrome is a trademark of Google Inc. in the U.S. and/or other countries.
Savant is a trademark of Savant Protection in the U.S. and/or other countries.
Firefox is a registered trademark of the Mozilla Foundation in the U.S. and/or other countries.