Talk title (description): Defending industrial control systems against cyber threats with next-generation security
Defending ICS from Cyberthreats with Next-generation Platform Security
Del Rodillas
Sr. Manager, SCADA & ICS Initiative
Palo Alto Networks at a glance
Corporate highlights
- Founded in 2005; first customer shipment in 2007
- Supplier of the industry-leading Enterprise Security Platform: safely enables all applications through granular use control, prevents known and unknown cyber threats, for all users on any device across any network
- Experienced team of 1,650+ employees
- Q3FY14: $150.7M revenue; 17,000+ customers
(Charts: enterprise customers, approx. 4,700 (Jul-11), 9,000 (Jul-12), 13,500 (Jul-13), 17,000 (May-14); revenues in $MM, fiscal year ending July: FY09 $13, FY10 $49, FY11 $119, FY12 $255, FY13 $396, FY14 to date $420)
2 | ©2014, Palo Alto Networks
What is a Cyberthreat?
(Figure: a cyber threat is a threat to the availability, confidentiality or integrity of industrial control systems and information systems; it may be malicious or unintentional)
What Keeps SCADA Security Supervisors Up at Night?
(Chart: "What are the top three threat vectors you are most concerned with?", percent of respondents naming each vector first, second or third, on a 0-30% scale)
Threat vectors surveyed: extortion or other financially motivated crimes; other; industrial espionage; cybersecurity policy violations; attacks coming from within the internal network; email phishing attacks; insider exploits; malware; external threats (hacktivism, nation states)
Source: SANS 2014 Survey on Industrial Control Systems
Advanced Targeted Attacks
Stuxnet
- Social engineering: removable media
- Exploits zero-day vulnerabilities (Windows, Siemens)
- Propagation/recon via general IT apps and file types
- Goal: disrupt uranium enrichment program
Energetic Bear
- Social engineering: spearphishing, watering hole, trojan in ICS software
- Enumerates OPC assets (an ICS protocol!)
- Goal: IP theft and ICS attack PoC?
Norway Oil & Gas Attacks
- Social engineering: spearphishing, watering hole
- Goal: IP theft and ???
Malicious Insider Attack
- Sewage treatment facility in Maroochy Shire, Queensland, Australia
- Disgruntled employee of the ICS vendor sought revenge on the customer (shire council) and the employer
- Used intimate knowledge of the asset owner's ICS to gain access and wreak havoc
- Impact: spillage of 800,000 liters of raw sewage into local parks, rivers and hotel grounds; loss of marine life, damage to the environment, health hazard
Source: Applied Control Solutions
Unintentional Cyber Incidents
SQL Slammer on an offshore platform
- Platform shared by the operator and a royalty partner
- Slammer infection reached the rig via the partner network
- Workstations and SCADA servers crashed; systems would not restart after reboot; 8 hours to restore SCADA and restart production
- Consequences: immediate loss of monitoring of down-hole wells; loss of production for all 4 major wells; total losses > $1.2M before production was finally restored
Source: Red Tiger Security
"Not internet-facing" SCADA system
- Application Visibility and Risk Report conducted at an energy company in Eastern Europe
- Plant manager insisted the system was "not internet-facing"
- Rogue broadband link and risky web applications found on the SCADA system: Wuala (storage), eMule (P2P), DAV (collaboration)
- Concerns over loss of IP, network availability, malware introduction
Source: Palo Alto Networks
Revisiting the Trust Model in ICS
(Figure: the process control network (PCN) with PCN servers and HMI; remote stations / plant floor with PLCs/RTUs and local HMIs; a DEV network; and connections into the PCN from vendors/partners, mobility, the enterprise network, Internet/WAN and internal actors)
Observations
- Broken trust model: micro-segmentation is critical
- Granular visibility of traffic is an essential capability: applications, users, content, with shared context
- End-to-end security is required: threats originate at endpoints and via networks
- Real and potentially high risks with ICS cyber incidents: must focus on prevention vs. just detection
- Advanced attacks will be "zero-day": the capability to detect and stop unknown threats quickly is needed; automated threat analysis and information sharing would help
Legacy Security Architecture and Its Challenges
(Figure: a stateful inspection firewall with bolted-on "helpers": URL filtering, AV, IPS, proxy, IM control, sandbox; plus traditional endpoint security)

Characteristic                          | Associated challenges
Stateful inspection firewall as a base  | Limited visibility into ICS traffic and risks;
  (visibility to port numbers and IP    | coarse access control, not role based
  addresses; no content identification) |
Firewall "helpers" bolted on to try to  | Uncorrelated information silos; slow forensics;
  fill the security gaps                | increased administrative effort; performance
                                        | drop-off from serial processing
Traditional endpoint security           | Limited to no zero-day threat detection/prevention;
                                        | highly vulnerable to targeted attacks; disjointed
                                        | endpoint and network technologies
What is Required? Platform Approach Focused on Prevention
Next-Generation Network Security
- Inspects all traffic
- Blocks known threats
- Sends unknowns to the cloud
- Extensible to mobile and virtual networks
Advanced Endpoint Protection
- Inspects all processes and files
- Prevents both known and unknown exploits
- Integrates with the cloud to prevent known and unknown malware
Threat Intelligence Cloud
- Gathers potential threats from network and endpoints
- Analyzes and correlates threat intelligence
- Disseminates threat intelligence to network and endpoints
Next-generation Network Security
(Figure: a Layer-7 classification engine identifies application, user and content, drawing on application identifiers, user/user-group mapping, threat/vulnerability signatures, a URL database and additional intelligence. Natively supported services: application visibility and control; threat prevention (AV, anti-spyware, exploits); URL filtering; unknown threat prevention; mobile security.)
Systematic Approach to Network Security
1. Improve situational awareness with granular traffic visibility
2. Apply positive controls
3. Prevent known threats
4. Discover unknown threats
5. Apply new protections to prevent future attacks
Protocol/Application Identifiers for SCADA & ICS
- Modbus base
- Modbus function control
- DNP3
- IEC 60870-5-104 base
- IEC 60870-5-104 function control
- OSIsoft PI Systems
- ICCP (IEC 60870-6 / TASE.2)
- Cygnet
- Elcom 90
- FactoryLink
- MQTT
- BACnet
- CIP Ethernet/IP
- Synchrophasor (IEEE C37.118)
- Foundation Fieldbus
- Profinet IO
- OPC
Functional Application Identifiers
Function Control Variants (15 total)
Modbus-base
Modbus-write-multiple-coils
Modbus-write-file-record
Modbus-read-write-register
Modbus-write-single-coil
Modbus-write-single-register
Modbus-write-multiple-registers
Modbus-read-input-registers
Modbus-encapsulated-transport
Modbus-read-coils
Modbus-read-discrete-inputs
Modbus-mask-write-registers
Modbus-read-fifo-queue
Modbus-read-file-record
Modbus-read-holding-registers
Applipedia entry for Modbus-base App-ID
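The function-level identifiers above are produced by looking at the Modbus function code inside each request rather than just the TCP port. The following is an added example, not Palo Alto Networks code, that shows that classification step on raw Modbus/TCP frames: it parses the MBAP header, maps the public function code to the App-ID name from the list above (the code-to-name mapping is inferred from the names, an assumption), and flags write functions as the "risky protocol commands" a positive-control policy or IPS rule would single out. The sample frames are constructed, not captured traffic.

```python
"""Classify Modbus/TCP requests into the function-level App-ID names from the
slide and flag write operations. Added example (not Palo Alto Networks code).

Assumptions: function-code numbers follow the Modbus Application Protocol
specification; the mapping to App-ID names is inferred from the names on the
slide; sample frames below are constructed."""
import struct

# Modbus public function code -> slide's function-level App-ID (inferred by name)
FUNCTION_APP_ID = {
    1: "modbus-read-coils",
    2: "modbus-read-discrete-inputs",
    3: "modbus-read-holding-registers",
    4: "modbus-read-input-registers",
    5: "modbus-write-single-coil",
    6: "modbus-write-single-register",
    15: "modbus-write-multiple-coils",
    16: "modbus-write-multiple-registers",
    20: "modbus-read-file-record",
    21: "modbus-write-file-record",
    22: "modbus-mask-write-registers",
    23: "modbus-read-write-register",
    24: "modbus-read-fifo-queue",
    43: "modbus-encapsulated-transport",
}
# Functions that change state on the slave; a positive-control policy would
# normally allow these only from engineering roles.
WRITE_CODES = {5, 6, 15, 16, 21, 22, 23}


def classify(frame: bytes) -> dict:
    """Parse one Modbus/TCP ADU (MBAP header + PDU) and return its classification."""
    if len(frame) < 8:
        raise ValueError("truncated frame: need MBAP header plus function code")
    tid, pid, length, unit = struct.unpack("!HHHB", frame[:7])
    if pid != 0:
        raise ValueError("protocol id %d is not Modbus" % pid)
    # MBAP length counts unit id + PDU and must agree with what was captured
    if length != len(frame) - 6:
        raise ValueError("MBAP length %d disagrees with frame size" % length)
    fc = frame[7]
    exception = bool(fc & 0x80)  # error responses echo the function code with the high bit set
    fc &= 0x7F
    return {
        "transaction_id": tid,
        "unit_id": unit,
        "function_code": fc,
        "exception": exception,
        "app_id": FUNCTION_APP_ID.get(fc, "modbus-base"),
        "is_write": fc in WRITE_CODES,
    }


def risky_writes(frames):
    """Return the classification of every request carrying a write function:
    the 'risky protocol command' check an ICS-aware IPS rule would make."""
    return [c for c in (classify(f) for f in frames) if c["is_write"] and not c["exception"]]


# Constructed sample frames (not captured traffic)
READ_HOLDING = bytes.fromhex("0001 0000 0006 01 03 0000 000A")  # read 10 holding registers from 0
WRITE_COIL = bytes.fromhex("0002 0000 0006 01 05 0013 FF00")  # set coil 0x13 ON
WRITE_REGS = bytes.fromhex("0003 0000 000B 01 10 0001 0002 04 000A 0102")  # write 2 registers at 1
EXC_RESPONSE = bytes.fromhex("0001 0000 0003 01 83 02")  # exception: illegal data address
SAMPLE_FRAMES = [READ_HOLDING, WRITE_COIL, WRITE_REGS, EXC_RESPONSE]

if __name__ == "__main__":
    for c in (classify(f) for f in SAMPLE_FRAMES):
        flag = "WRITE" if c["is_write"] else "read"
        print(c["app_id"], flag, "(exception)" if c["exception"] else "")
```

The MBAP length check matters in practice: a classifier that trusts the length field without comparing it to the bytes actually on the wire can be desynchronised by a crafted frame, so the function refuses frames whose header and payload disagree instead of guessing.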
ICS-ISAC SARA Testbed at the Enernex Smart Grid Lab
(Figure: substation test network with a rugged server, substation server, PC running GE EnerVista, phasor data concentrator, transformer protection, feeder protection, line distance protection and a line distance relay connected through a rugged Ethernet switch; protocols in use: DNP3, IEC 61850, IEEE C37.118, Modbus. A Palo Alto Networks next-generation firewall monitors the traffic via a mirror/SPAN port.)
ics-isac.org/sara

Sample Traffic from SARA Testbed (SPAN Port Monitoring)
(Screenshot: protocol and protocol-function visibility)
User Identification is a Key Enabler of Role-based Access
- Policy enforcement based on users and groups
Segmentation with Application and User Identification
(Figure: three policy examples across five security zones: Business, Server, User, Process, Remote/Support)
- Business user access to the historian application (e.g. PI) in the Server zone
- Senior engineer access to Modbus write and SSH into the Process zone
- Third-party application use only via a jump server
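The three policies above combine a source zone, a destination zone, a User-ID group and an App-ID into a positive-control rule: anything not explicitly allowed is dropped. The following is an added example, not Palo Alto Networks code, of a minimal evaluator for that rule model. The user-to-group mapping, the rule set and the user names are constructed for the example; the App-ID strings are the deck's function-level names. It also shows a trap in glob-style App-ID matching: "modbus-read-*" also matches modbus-read-write-register, which writes, so that function needs its own deny ahead of the read-only rule.

```python
"""Zone + user-group + App-ID positive-control policy evaluator.
Added example (not Palo Alto Networks code); users, groups, zone names beyond
those on the slide, and the rules are constructed for this example."""
from dataclasses import dataclass
from fnmatch import fnmatch

# User-ID style mapping of identities to groups (constructed)
USER_GROUPS = {
    "alice": {"business-users"},
    "bob": {"sr-engineers", "plant-staff"},
    "carol": {"operators", "plant-staff"},
    "vendor1": {"vendor-support"},
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    group: str      # "any" or a User-ID group name
    apps: tuple     # App-ID glob patterns
    action: str     # "allow" or "deny"


# Positive-control rule base: first match wins, anything unmatched is denied.
RULES = [
    # Business users may only reach the historian in the Server zone
    Rule("Business", "Server", "business-users", ("osisoft-pi",), "allow"),
    # Senior engineers may write to PLCs and SSH into the Process zone
    Rule("User", "Process", "sr-engineers",
         ("modbus-write-*", "modbus-mask-write-registers", "modbus-read-write-register", "ssh"), "allow"),
    # read-write-register also writes; keep it out of the read-only glob below
    Rule("User", "Process", "any", ("modbus-read-write-register",), "deny"),
    # Everyone else on the plant floor gets read-only Modbus functions
    Rule("User", "Process", "plant-staff", ("modbus-read-*",), "allow"),
    # Third parties reach only the jump server over SSH, never the Process zone
    Rule("Remote/Support", "Server", "vendor-support", ("ssh",), "allow"),
]


def evaluate(user, src_zone, dst_zone, app_id, rules=RULES):
    """Return (action, matching_rule) for one flow; default-deny when nothing matches."""
    groups = USER_GROUPS.get(user, set())  # unknown user -> no groups -> only "any" rules apply
    for rule in rules:
        if rule.src_zone != src_zone or rule.dst_zone != dst_zone:
            continue
        if rule.group != "any" and rule.group not in groups:
            continue
        if not any(fnmatch(app_id, pat) for pat in rule.apps):
            continue
        return rule.action, rule
    return "deny", None


def audit(flows, rules=RULES):
    """Decide a list of (user, src_zone, dst_zone, app_id) flows."""
    return [evaluate(*flow, rules=rules)[0] for flow in flows]


if __name__ == "__main__":
    sample = [
        ("alice", "Business", "Server", "osisoft-pi"),
        ("alice", "Business", "Process", "modbus-write-single-coil"),
        ("bob", "User", "Process", "modbus-write-single-coil"),
        ("carol", "User", "Process", "modbus-read-coils"),
        ("carol", "User", "Process", "modbus-read-write-register"),
        ("vendor1", "Remote/Support", "Process", "modbus-base"),
    ]
    for flow, decision in zip(sample, audit(sample)):
        print(decision, flow)
```

Rule order is part of the policy: moving the read-only rule above the explicit deny would silently grant operators a write primitive, which is exactly the kind of gap a coarse, port-based firewall cannot even express.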
ICS-Specific IPS Signatures
- Product-specific
- Risky protocol commands (DNP3, Modbus)
IT-centric exploits, but also relevant to OT
- Several ICS vendors issued Heartbleed advisories
- Browser-based HMIs and other applications in ICS
- Vulnerabilities are being discovered all the time
- Windows XP and Windows Server are still widely used in ICS
- Windows XP and older Windows Server versions are no longer supported
Anti-Virus and Anti-Spyware
Benefits of Shared Information
(Figure: applications, threat profiles, security zones and user/user group feed one shared context)
1. Accelerated forensics
2. Simplified policy implementation and management
Zero-day Malware Detection & Prevention
Platform Approach to Stopping Energetic Bear
1. Apply application visibility and control for OPC and other allowed traffic. Apply User-ID for role-based policy. Control content and access to the web.
2. Apply Threat Prevention for known Havex malware signatures, exploits, and command-and-control traffic associated with Havex (AV, exploit and CNC signatures).
3. Isolate suspicious files that could be a zero-day Havex variant (WildFire). Automatically convert the unknown into a known threat and receive protections and additional intelligence from the cloud.
Endpoint Security: The failures of traditional approaches
(Figure: an EXE reaches legacy endpoint protection, which asks "Known signature? No. Known strings? No. Previously seen behavior? No." and lets it run; the attack then proceeds either by direct malware execution or by exploiting a vulnerability to run any code. Targeted, evasive, advanced attacks pass every one of these checks.)
Block the core techniques, not the individual attacks
- Software vulnerability exploits: thousands of new vulnerabilities and exploits a year
- Exploitation techniques: only 2-4 new exploit techniques a year
- Malware: millions of new malware samples every year
- Malware techniques: tens to hundreds of new malware sub-techniques every year
Introducing Traps: the right way to deal with advanced cyber threats
- Prevent exploits, including zero-day exploits
- Prevent malware, including advanced and unknown malware
- Collect attempted-attack forensics for further analysis
- Scalable and lightweight: must be user-friendly and cover the complete enterprise
- Integrate with network and cloud security for data exchange and cross-organization protection
Central Management and Reporting
(Figure: a central management platform with a central admin; a PCN admin and a remote admin manage the PCN and remote-station devices; local device logs roll up into aggregate reports)
- Centralized deployment of universal rules while giving IT and OT admins the ability to set local policies
- Role-based administration for added security (tiered admin rights)
- Centralized reports that facilitate forensics and regulatory compliance
Summary: New Kind of Security Needed for ICS
- Platform-based: network, endpoint, cloud
- Prevention-focused: stop advanced attacks vs. just telling you that you have a problem
- Network: delivers granular visibility and segmentation (protocol visibility, user-based controls); stops known and unknown threats
- Endpoint: stops the fundamental techniques vs. signatures
- Threat intelligence cloud: automated analysis and correlation; interacts with network and endpoint
- Palo Alto Networks Next-generation Platform meets these requirements
Learn more about Next-generation Security for SCADA/ICS
1. Download our SCADA/ICS Solution Brief: go.secure.paloaltonetworks.com/secureics
2. Learn how your control network is being used and what threats may exist: sign up for a free Application Visibility and Risk Report (AVR) at http://connect.paloaltonetworks.com/AVR
Sign up for a Live Online Demo at: http://events.paloaltonetworks.com/?event_type=632