Security in IoT
Maik G. Seewald, CISSP
Cluj-Napoca

Page 1: Security in IoT (title slide)

Page 2: What is IoT?

50B devices connected by 2020

Source: Cisco Consulting Services

Page 3: Use cases for IoT Connections

© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

• Substations: 3M sites
• Cell Towers: 15M sites
• Wells: 1M sites
• Transportation: 1M cabinets
• Healthcare: 50K sites
• Defense: 20K sites
• Energy Efficiency
• Street Lighting
• Waste Management
• Parking
• Traffic Management
• Safety & Security
• Manufacturing
• Utilities

Page 4: Industrialization of Hacking

There is a multi-billion dollar global industry targeting your prized assets: $450 Billion to $1 Trillion

Going rates on the underground market:
• Social Security number: $1
• Mobile malware: $150
• Bank account info: >$1000 depending on account type and balance
• Facebook accounts: $1 for an account with 15 friends
• Credit card data: $0.25-$60
• Malware development: $2500 (commercial malware)
• DDoS as a Service: ~$7/hour
• Spam: $50 per 500K emails
• Medical records: >$50
• Exploits: $1000-$300K

Page 5: Data Computing Tiers – Fog Nodes for Better Performance

Figure: two IoT data system layouts.
• 2-tiered system: Edge Devices ↔ Data Center and Applications
• 3 (or more) tiered system: Edge Devices ↔ Fog Node(s) ↔ Data Center and Applications

Page 6: IOx: Enabling Cisco IoT Gear for Fog Computing

© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Figure: the IOx / Fog Platform stack.
• Fog Platform Hosts: Networking Devices, Compute Devices, GW Devices, Cameras
• IOx / Fog Platform: Virtual Machine, Fog Services, App Services (Storage, ML, ESP), Container Management (Docker and LXC), CAF Agent, REST API
• Applications on top: Java App, Lua App, Python App, …

Page 7: What is REST?

• Using HTTP/HTTPS to communicate between 2 software components written in any language, over any environment

• Using HTTP GET/POST/PUT/DELETE to make a remote function call

• Using JSON to pass the parameters to the function call
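The three bullets above, as an added example that is not part of the original slides and not IOx or its REST API: the HTTP method and path select the remote function, the JSON body carries its parameters, and the dispatcher applies the checks a fog-platform API exposed to a field network needs (bearer authentication, content type, body size and parameter validation). The routes, handlers, token and the "sensor" data are constructed for the example; TLS termination is assumed to happen in front of this handler (HTTPS, never plain HTTP, on a field network).

```python
import hmac
import json
from http import HTTPStatus

# Constructed: a real deployment issues per-client credentials and checks them
# against a directory/AAA server, never a literal in the code.
API_TOKEN = "example-token-not-for-production"
MAX_BODY = 4096

# Constructed sample data standing in for whatever the fog app exposes.
SENSORS = {1: {"name": "line-temp", "value": 21.5},
           2: {"name": "line-pressure", "value": 3.2}}


def list_sensors(params):
    return {"sensors": sorted(SENSORS)}


def read_sensor(params):
    sensor = SENSORS.get(params["id"])
    if sensor is None:
        raise LookupError("no such sensor")
    return sensor


def set_threshold(params):
    SENSORS[params["id"]]["threshold"] = params["threshold"]   # KeyError -> 404 below
    return {"ok": True}


# (method, path) -> (function, schema of the JSON parameters it accepts)
ROUTES = {
    ("GET", "/sensors"): (list_sensors, {}),
    ("POST", "/sensors/read"): (read_sensor, {"id": int}),
    ("PUT", "/sensors/threshold"): (set_threshold, {"id": int, "threshold": (int, float)}),
}


def _authorized(headers):
    """Bearer token check; compare_digest avoids leaking the token via timing."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    return scheme == "Bearer" and hmac.compare_digest(token, API_TOKEN)


def _validate(params, schema):
    """Exactly the declared keys, each of the declared type; bool never passes as a number."""
    if not isinstance(params, dict) or set(params) != set(schema):
        return False
    for key, typ in schema.items():
        value = params[key]
        if isinstance(value, bool) or not isinstance(value, typ):
            return False
    return True


def handle(method, path, headers, body=b""):
    """Dispatch one request; returns (status, response_dict) like a minimal REST server."""
    if not _authorized(headers):
        return HTTPStatus.UNAUTHORIZED, {"error": "authentication required"}
    route = ROUTES.get((method, path))
    if route is None:
        return HTTPStatus.NOT_FOUND, {"error": "unknown function"}
    func, schema = route
    params = {}
    if schema:   # this function takes parameters, so a JSON body is mandatory
        if headers.get("Content-Type", "").split(";")[0].strip() != "application/json":
            return HTTPStatus.UNSUPPORTED_MEDIA_TYPE, {"error": "JSON body required"}
        if len(body) > MAX_BODY:
            return HTTPStatus.REQUEST_ENTITY_TOO_LARGE, {"error": "body too large"}
        try:
            params = json.loads(body)
        except ValueError:
            return HTTPStatus.BAD_REQUEST, {"error": "malformed JSON"}
        if not _validate(params, schema):
            return HTTPStatus.BAD_REQUEST, {"error": "parameters do not match schema"}
    try:
        return HTTPStatus.OK, func(params)
    except LookupError:
        return HTTPStatus.NOT_FOUND, {"error": "not found"}   # no internal detail leaks out
```

Validation is done before the function runs, so a parameter of the wrong type or an extra key is rejected with 400 rather than reaching the handler; unauthenticated calls are rejected first of all, so the route table is not enumerable without a token.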

Page 8: Fog Computing – some use-cases

• Cisco IR829/IR809 Router as:
  Edge/Real-time Analytics
  RTU Software
  Assembly line Analytics - factories
  Metering Concentrator Software
  Preventive Maintenance Data Provider
  Data Virtualization – Healthcare

Page 9: Cyber Security Lessons learned

• Security is a never-ending process (and an attitude)
• New vulnerabilities are discovered daily
• Threats continue to evolve
• Personnel become lax, or find workarounds to security measures
• The weakest points in the system are the most likely targets
• Assume that the attacker is at least as intelligent and motivated as the defenders
• All trust is limited!
• There are external AND internal threats!
• Internal Access Control needs continuous configuration monitoring

Page 10: Your normal IoT Network to Secure

Reference network diagram (zones and components, reconstructed from the figure labels):
• Branch / Manufacturing Hall / Special Station: Field Devices, HMI, Protection and Control ENG/SYS, Control Center (SCADA), Engineering Apps, Remote Access (Engineering, Maintenance)
• 3rd Party Branch
• Utility Private WAN (MPLS, SDH/PDH), WAN and IP Transport, with WAN Access and LAN Access on each side
• Office Network: Clients, Apps, Tools, SCADA/EMS Apps
• Data Center, Enterprise Apps
• Security controls in the figure: Firewall, VPN Server, Intrusion detection at each WAN/LAN access point
• Security Visibility Everywhere

Page 11: LAN Access (for machines) – security and normalization

Figure: the gateway runs a Guest Operating System beside IOS on a hypervisor.
• Hardware: CPU 1 GHz total; Memory for Guest OS: 200 MB; Memory for IOS: <800 MB
• Software: Hypervisor; IOS with Forwarding Engine (Southbound Network, Northbound Network, USB, Serial); Guest Operating System with Linux Kernel Space (TCP/IP Stack) and Linux User Space (Applications)
• Interfaces: physical Network Interfaces on IOS; Virtual Ethernet I/F and Virtual Serial I/F between IOS and the guest

Page 12: LAN Access (for humans) – policy with ISE

Cisco® ISE, Unified Access Management. Identity Profiling sources: Wireless LAN Controller, DHCP, RADIUS, SNMP, NetFlow, HTTP, DNS, NMAP.

1. IEEE 802.1X EAP User Authentication (context in the figure: HQ, 2:38 p.m.)
2. Profiling to Identify Device (Personal Asset or Company Asset)
3. Posture of the Device
4. Policy Decision
5. Enforce Policy in the Network
6. Full or Partial Access Granted: Corporate Resources or Internet Only
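The six steps above, as an added example that is not part of the original slides and not ISE code: authenticate (the 802.1X/EAP outcome), profile the endpoint from passively observed attributes, take the posture report into account, decide, and emit the RADIUS attributes that make the switch or WLC enforce the decision (VLAN and downloadable ACL name). The OUI table, DHCP vendor classes, profile names, VLAN IDs and dACL names are all constructed for the example; a real profiler draws on the feeds listed on the slide.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Constructed lookup data standing in for the profiler's OUI/DHCP/HTTP/NMAP feeds;
# not the IEEE OUI registry and not any vendor's real fingerprints.
CORPORATE_OUIS = {"00:1b:63", "3c:5a:b4"}
PHONE_DHCP_CLASSES = {"android-dhcp", "iPhone"}
ICS_PORTS = {502, 2404, 20000}


@dataclass(frozen=True)
class Endpoint:
    mac: str
    eap_success: bool                           # step 1: 802.1X/EAP outcome (False also = no supplicant)
    eap_identity: Optional[str] = None
    dhcp_vendor_class: Optional[str] = None     # profiling attributes (step 2)
    http_user_agent: Optional[str] = None
    open_ports: FrozenSet[int] = frozenset()    # from an NMAP probe
    posture_compliant: Optional[bool] = None    # step 3: None = no posture agent reported


@dataclass(frozen=True)
class Authorization:
    access: str           # "corporate", "internet-only", "remediation", "ics", "deny"
    vlan: Optional[int]
    dacl: str
    reason: str


def profile(ep):
    """Step 2: classify the device from what the network observed about it."""
    oui = ep.mac.lower()[:8]
    if oui in CORPORATE_OUIS:
        return "company-asset"
    if ep.dhcp_vendor_class in PHONE_DHCP_CLASSES or (
            ep.http_user_agent and "Mobile" in ep.http_user_agent):
        return "personal-asset"
    if ep.open_ports & ICS_PORTS:
        return "ics-device"
    return "unknown"


def decide(ep):
    """Step 4: authentication result first, then profile and posture."""
    kind = profile(ep)
    if not ep.eap_success:
        if kind == "ics-device":
            # a thing without a supplicant: isolated segment, ICS protocols only, nothing user-facing
            return Authorization("ics", 300, "PERMIT_ICS_PROTOCOLS_ONLY", "no 802.1X, ICS device profile")
        return Authorization("deny", None, "DENY_ALL", "802.1X failed and no recognised device profile")
    if kind == "company-asset":
        if ep.posture_compliant is True:
            return Authorization("corporate", 100, "PERMIT_CORPORATE", "company asset, posture compliant")
        # unknown posture is treated like non-compliant: remediation network only
        return Authorization("remediation", 200, "PERMIT_REMEDIATION_ONLY", "company asset, posture not compliant")
    # authenticated user on a personal or unprofiled device: partial access
    return Authorization("internet-only", 400, "PERMIT_INTERNET_ONLY", f"authenticated user, device profile {kind}")


def radius_attributes(auth):
    """Step 5: the attributes carried in the RADIUS Access-Accept/Reject that the NAD enforces."""
    if auth.access == "deny":
        return {"Packet-Type": "Access-Reject"}
    return {
        "Packet-Type": "Access-Accept",
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-Id": str(auth.vlan),
        "Filter-Id": auth.dacl,
    }
```

The order in decide() is the point: a device is never granted anything on the strength of its profile alone when the user authentication failed, except the deliberately restricted ICS segment, and a company asset whose posture agent did not report is treated as non-compliant rather than trusted by default.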

Page 13: Private WAN – MPLS Recommendation

Same reference network diagram as Page 10 (Branch / Manufacturing Hall / Special Station, 3rd Party Branch, Office Network, Data Center / Enterprise Apps); the Utility Private WAN (MPLS, SDH/PDH) is shown as an MPLS private network.

Page 14: iWAN – Best Practice for using Multiple Providers, Transport Independent Design

Figure: Branch connected over Internet, 3G/4G-LTE and MPLS to Private Cloud, Virtual Private Cloud and Public Cloud; building blocks AVC, WAAS, PfR.

Application Optimization
• Application visibility with performance monitoring
• Application acceleration and bandwidth optimization

Secure Connectivity
• Certified strong encryption
• Comprehensive threat defense
• Cloud Web Security for secure direct Internet access

Intelligent Path Control
• Dynamic application best path based on policy
• Load balancing for full utilization of bandwidth
• Improved network availability

Transport Independent
• Consistent operational model
• Simple provider migrations
• Scalable and modular design
• IPsec routing overlay design

Page 15: Remote VPN

Same reference network diagram as Page 10; the Remote Access (Engineering, Maintenance) path terminates on an ASA VPN Server, with the Identity Services Engine supplying the identity policy.

Page 16: Next Generation Firewall - AMP

Page 17: Intrusion Prevention

• For people – a pretty obvious need – Cisco Sourcefire
• For things – do we need to?
• SCADA is implemented through different protocols depending on the IoT vertical, and all of them are clear text (proprietary does not mean encrypted)
• What do you do?

Page 18: Scada Strangelove

• "Group of security researchers focused on ICS/SCADA security to save Humanity from industrial disaster and to keep Purity Of Essence"
• SCADA scanner readily available
  Simple Python script
  Returns device name, IP, software version
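What such a scanner does for one host, as an added example that is not the Scada Strangelove scanner and not code from the original slides: a Modbus/TCP Read Device Identification request (function 0x2B, MEI type 0x0E), whose response carries vendor name, product code and firmware revision, parsed into the tuple the slide lists. Modbus carries no authentication, so anything that can reach TCP/502 gets this answer; run it only against systems you are authorised to test. The sample response, the vendor strings and the host address are constructed so the example runs offline; the tcp_transport function is the real on-the-wire path.

```python
import socket
import struct

MBAP_LEN = 7   # transaction id (2), protocol id (2), length (2), unit id (1)


def build_device_id_request(unit_id=1, transaction_id=1, read_code=0x01, object_id=0x00):
    """Function 0x2B / MEI 0x0E; read_code 1 = basic objects (vendor, product, revision)."""
    pdu = bytes([0x2B, 0x0E, read_code, object_id])
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def build_device_id_response(objects, unit_id=1, transaction_id=1):
    """Well-formed response; used here only to construct offline sample data."""
    body = b"".join(bytes([oid, len(v)]) + v.encode("ascii") for oid, v in sorted(objects.items()))
    # read code, conformity level, more follows, next object id, number of objects
    pdu = bytes([0x2B, 0x0E, 0x01, 0x01, 0x00, 0x00, len(objects)]) + body
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def parse_device_id_response(frame):
    """Parse the ADU; every length field is checked before it is used."""
    if len(frame) < MBAP_LEN + 2:
        raise ValueError("frame too short")
    _tid, pid, length, unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if pid != 0:
        raise ValueError("not Modbus (protocol id != 0)")
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame")
    pdu = frame[MBAP_LEN:]
    func = pdu[0]
    if func & 0x80:
        raise ValueError(f"Modbus exception code {pdu[1]:#x}")
    if func != 0x2B or pdu[1] != 0x0E:
        raise ValueError("not a device identification response")
    n_objects = pdu[6]
    objects, pos = {}, 7
    for _ in range(n_objects):
        if pos + 2 > len(pdu):
            raise ValueError("truncated object header")
        obj_id, obj_len = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2:pos + 2 + obj_len]
        if len(value) != obj_len:
            raise ValueError("truncated object value")
        objects[obj_id] = value.decode("ascii", errors="replace")
        pos += 2 + obj_len
    return {"unit_id": unit, "vendor": objects.get(0x00),
            "product_code": objects.get(0x01), "revision": objects.get(0x02)}


def tcp_transport(host, port=502, timeout=3.0):
    """Real transport: one request, one response, bounded by a timeout."""
    def send(request):
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            return sock.recv(260)   # maximum Modbus/TCP ADU size
    return send


def fingerprint(host, unit_id=1, transport=None):
    """What the scanner logs per host: IP, vendor, product code, software revision."""
    send = transport or tcp_transport(host)
    info = parse_device_id_response(send(build_device_id_request(unit_id=unit_id)))
    return {"ip": host, "vendor": info["vendor"],
            "product_code": info["product_code"], "revision": info["revision"]}


if __name__ == "__main__":
    # Constructed device answer; replace the transport with tcp_transport(host) for a live probe.
    sample = build_device_id_response({0x00: "ExampleCo", 0x01: "PLC-1", 0x02: "v1.2.3"})
    print(fingerprint("192.0.2.10", transport=lambda request: sample))
```

The same parser is what an IDS would need to see the request on the wire: a device identification request from an address that is not an engineering workstation is itself a useful alert, since production masters rarely issue it.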

Page 19: SCADA Protocol Fuzzing

• "Sergey Bratus, ISTS/Dartmouth, Fortune 500 utility company", Black Hat 2008
• Created a SCADA protocol fuzzer that crashes most SCADA systems by applying machine learning and repeating certain strings (unchanged or mutated)
• Result? Crashed SCADA systems
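The effect the slide describes, as an added example that is not the Dartmouth fuzzer and not code from the original slides: a seeded mutation fuzzer replays a known-good Modbus Read Holding Registers request unchanged and in mutated forms (bit flips, boundary values in 16-bit fields, repeated byte strings, truncation) against a toy RTU handler that trusts the length and quantity fields the way fragile field firmware does, and then against the same handler with every untrusted field checked. The register table, both handlers and the seed frame are constructed for the example.

```python
import random
import struct

REGISTERS = [0] * 16      # constructed register table of a toy RTU
SEED_PDU = bytes([0x03, 0x00, 0x00, 0x00, 0x0A])   # read 10 holding registers at address 0


def naive_read_holding(pdu):
    """Constructed fragile handler: trusts address and quantity, so it crashes on bad input."""
    func, addr, qty = struct.unpack(">BHH", pdu[:5])
    regs = REGISTERS[addr:addr + qty]
    return struct.pack(">BB", func, qty * 2) + b"".join(struct.pack(">H", regs[i]) for i in range(qty))


def exception_response(func, code):
    return bytes([func | 0x80, code])


def hardened_read_holding(pdu):
    """Same function with every untrusted field checked: malformed input gets a Modbus exception."""
    if len(pdu) != 5:
        return exception_response(pdu[0] if pdu else 0x03, 0x03)   # illegal data value
    func, addr, qty = struct.unpack(">BHH", pdu)
    if func != 0x03:
        return exception_response(func, 0x01)                      # illegal function
    if not 1 <= qty <= 125:                                        # spec limit for 0x03
        return exception_response(func, 0x03)
    if addr + qty > len(REGISTERS):
        return exception_response(func, 0x02)                      # illegal data address
    regs = REGISTERS[addr:addr + qty]
    return struct.pack(">BB", func, qty * 2) + b"".join(struct.pack(">H", r) for r in regs)


def mutate(frame, rng):
    """One mutated copy of the seed frame."""
    data = bytearray(frame)
    strategy = rng.randrange(4)
    if strategy == 0:                                   # single bit flip
        i = rng.randrange(len(data))
        data[i] ^= 1 << rng.randrange(8)
    elif strategy == 1:                                 # boundary value in a 16-bit field
        i = rng.randrange(len(data) - 1)
        data[i:i + 2] = struct.pack(">H", rng.choice([0, 1, 0x7FFF, 0x8000, 0xFFFF]))
    elif strategy == 2:                                 # repeat a byte string (the slide's "repeating strings")
        i = rng.randrange(len(data))
        j = rng.randrange(i, len(data) + 1)
        data += data[i:j] * rng.randrange(1, 8)
    else:                                               # truncate
        del data[rng.randrange(len(data)):]
    return bytes(data)


def fuzz(handler, seed_frame=SEED_PDU, iterations=2000, seed=1):
    """Returns {exception type: first crashing input}; empty means no crash found."""
    rng = random.Random(seed)
    crashes = {}
    for n in range(iterations):
        case = seed_frame if n == 0 else mutate(seed_frame, rng)
        try:
            handler(case)
        except Exception as exc:                        # any uncaught exception is a crash in firmware terms
            crashes.setdefault(type(exc).__name__, case)
    return crashes


if __name__ == "__main__":
    print("naive:", {k: v.hex() for k, v in fuzz(naive_read_holding).items()})
    print("hardened:", fuzz(hardened_read_holding))
```

Both handlers give identical answers to the valid seed request; the difference only shows under mutated input, which is exactly why a handler that passes functional tests can still be taken down by a fuzzer on a flat OT network.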

Page 20: MiTM Attack

• Intercept communication between two or more devices
• Modify and inject packets
• Many tools available
  Ettercap
  Cain and Abel
  Dsniff
• Scope of attack: modify the Cause of Transmission (CoT) field
• Intercept and set an invalid CoT value
• Detection with Snort (ISA3000)
• Source: http://www.slideshare.net/pgmaynard/man-inthemiddletalk
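The attack and the detection on this slide, as an added example that is not part of the original slides or of the cited talk: an IEC 60870-5-104 APDU is parsed, the Cause of Transmission byte of an I-frame is rewritten the way a man in the middle between RTU and master can do on this clear-text protocol, and an IDS-style check flags CoT values the standard leaves unused or reserved. The sample frame (a single-point information ASDU) is constructed; the valid-CoT set follows the IEC 60870-5-101/104 definitions.

```python
import struct

START = 0x68
# Causes of transmission defined by IEC 60870-5-101/104: 1-13 (periodic, spontaneous,
# activation and friends), 20-41 (interrogations), 44-47 (negative answers).
# 0, 14-19, 42-43 and 48-63 are unused or reserved.
VALID_COT = set(range(1, 14)) | set(range(20, 42)) | set(range(44, 48))

# Constructed sample: I-frame, send/receive sequence 0, ASDU type 1 (M_SP_NA_1),
# one object, CoT 3 (spontaneous), originator 0, common address 1, IOA 100, value ON.
SAMPLE_IFRAME = bytes.fromhex("680e00000000" "010103000100" "640000" "01")
SAMPLE_SFRAME = bytes.fromhex("680401000000")


def parse_apdu(apdu):
    """Split APCI and ASDU; return the ASDU header fields for I-frames."""
    if len(apdu) < 6 or apdu[0] != START:
        raise ValueError("not an IEC 104 APDU")
    if apdu[1] != len(apdu) - 2:
        raise ValueError("APCI length does not match frame")
    ctrl = apdu[2:6]
    if ctrl[0] & 0x01:                      # S- and U-format frames carry no ASDU
        return {"format": "U" if (ctrl[0] & 0x03) == 0x03 else "S"}
    asdu = apdu[6:]
    if len(asdu) < 6:
        raise ValueError("ASDU header truncated")
    type_id, vsq, cot_byte, originator = asdu[0], asdu[1], asdu[2], asdu[3]
    return {
        "format": "I",
        "type_id": type_id,
        "sq": bool(vsq & 0x80), "num_objects": vsq & 0x7F,
        "cot": cot_byte & 0x3F,             # low 6 bits: the cause itself
        "negative": bool(cot_byte & 0x40),  # P/N bit
        "test": bool(cot_byte & 0x80),      # T bit
        "originator": originator,
        "common_addr": struct.unpack("<H", asdu[4:6])[0],   # little-endian per the standard
        "info_objects": asdu[6:],
    }


def set_cot(apdu, new_cot, negative=False, test=False):
    """MITM step: rewrite the CoT byte (ASDU offset 2, APDU offset 8) of an I-frame in place."""
    if parse_apdu(apdu)["format"] != "I":
        raise ValueError("only I-frames carry a CoT")
    if not 0 <= new_cot <= 63:
        raise ValueError("CoT is a 6-bit field")
    cot_byte = new_cot | (0x40 if negative else 0) | (0x80 if test else 0)
    return apdu[:8] + bytes([cot_byte]) + apdu[9:]   # length unchanged, no APCI fix-up needed


def inspect(apdu):
    """IDS-style check: alert text for an invalid/reserved CoT, None otherwise."""
    p = parse_apdu(apdu)
    if p["format"] != "I":
        return None
    if p["cot"] not in VALID_COT:
        return (f"IEC104 invalid CoT {p['cot']} in ASDU type {p['type_id']} "
                f"common address {p['common_addr']}")
    return None


if __name__ == "__main__":
    tampered = set_cot(SAMPLE_IFRAME, 17)            # 17 is in the reserved 14-19 range
    print(parse_apdu(tampered)["cot"], inspect(tampered))
```

Nothing in the frame authenticates the modification: sequence numbers and length stay valid, so only content inspection catches it. The Snort equivalent is a rule on tcp/2404 that tests the low six bits of the byte at TCP payload offset 8 (for one APDU per segment) against the same set; a complementary and often more useful rule is the inverse, alerting on any valid but unexpected CoT such as activation (6) from a source that is not the known master.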

Page 21: Capture and modify (Wireshark, Fiddler)

Page 22: Snort alert

Page 23: Intrusion Detection (for Things)

Same reference network diagram as Page 10, with two Intrusion detection points overlaid on the OT side of the network.

Page 24: ISA3000 Summary

• Industrial, Energy, Marine, Railway applications; additional certifications post-FCS
• Services include Firewall, VPN and IPS, DHCP, and NAT
• Two SKUs: ISA 3000 Copper: 4x10/100/1000BaseT; ISA 3000 Fiber: 2x1GbE (SFP), 2x10/100/1000BaseT
• LED scheme is OT ready; follows the Industrial Ethernet (IE) look/feel
• DIN Rail mounting with optional rack mounting
• Connectors: Management Interface (RJ45 and USB); Power supports 24-12 AWG; Factory Reset
• Thermals: -40C to 60C no airflow; -40C to 70C with 40 LFM; -34C to 74C with 200 LFM
• Hazloc with nA protection
• IEEE 1613, IEC 61850-3
• EFT in Summer '15 and launch in Fall '15

Page 25: ISA3000 Hardware Bypass?

• Normal state: traffic passes through the ISA3000 inspection engine.
• Bypass triggered (hardware/software failure, powered off, power outage, reload): circuit closed, the unit acts as a wire.
• Caveat: hardware bypass is fail-open. While it is engaged, traffic crosses the two bypass ports uninspected and unfiltered, so the bypass event itself should be alarmed and the fail-open versus fail-closed choice made per link, not left to the default.

Page 26: Centralized management - FireSIGHT Ver 5.4.1

• Can be managed as other ASA with FirePOWER Services
• Management for multiple devices
• Comprehensive visibility and control over network activity
• Optimal remediation through infection scoping and root cause determination
• FireSIGHT Management offers superior reporting and visibility

Page 27: Concluding

Concluding

• Full IoT end-to-end stack protection

• A proven intrusion prevention system

• Design guide for integrating the OT with IT

• Proven solutions for Fog Computing use-cases

• Middleware/SDK for developing IoT Solutions: http://developer.cisco.com

• Use-cases for multiple verticals – come ask us :)
