© 2004 ODVA

Overview

Known vulnerabilities in control system networks
Design:
• Insecure comm links
• Insecure devices & protocols
• Less than weak authentication in devices and protocols
• Insecure remote access (i.e. dialin modems, partner, integrator connections)
• Undocumented commands/backdoors
• Insecure coding practices and inadequate testing
• Ill-defined or unrealistic security requirements

Implementation:
• TCP/IP stack issues
• Protocol flaws
• OS/App flaws
• Windows HMI flaws
• WEP/802.11 flaws
• DoS to network infrastructure and devices

Configuration:
• Weak/default passwords
• 802.11 defaults (no WEP)
• Inadequate filtering on router/firewall
• OS defaults and failure to apply patches & upgrades
• Default insecure features and difficult or non-scalable secure features
Device Vulnerabilities
• Most PLCs (Communication Modules) have no ability to filter based on source IP address even at the socket layer, let alone based on application layer message types
• Few devices have the ability to do low-level
packet filtering (to mitigate network transport
layer attacks)
• TCP/IP Stack Issues
– Resource Exhaustion
– Poor Initial Sequence Number Selection
– Malformed Message
• Use of “IT” Protocols for Industrial Applications
Protocol Vulnerabilities

High Level Attacker Goals
• Gather information about publisher/subscriber
• Write/Alter data on publisher
• Write/Alter data on subscriber
• Program PLC
• Compromise subscriber
• Compromise publisher
• Disable publisher
• Disable subscriber
• Disable publisher-subscriber communications link

Attack Origins
• Within Cell
• Outside Cell (same zone)
• Outside Zone
• Wireless (802.11)
• Plant Engineering/IT
• Plant Direct/RAS Dialup
• Plant Business Partner
• Corporate RAS/VPN User
• Corporate Engineering/IT
• Corporate Data Center
• Corporate Internet Connection
Review of Filtering Technology
• Intelligent switches/bridges
– Filter on L2 (MAC) source address
• Router Access Control Lists
– Filter source/dest by L3 (IP Address) and L4 (Port)
• Stateful Firewalls
– Filter based on TCP/ICMP/UDP “state” and limited
support for some applications
• Application Proxies
– Complete application and protocol support, typically requires reconfiguration of the client
• Deep Packet Inspection and Network IPS
– High speed (possibly inline/transparent) filtering at all
application and protocol layers
But is there really a threat?
• I’m not even directly connected to the Internet
– The traditional perimeter is eroding – SOHO/VPN, wireless, dial-up, partner connectivity
– Multiple application entry points – SMB, Email, Web Browser, Web Server
• Worms and viruses only target Windows machines
– Network infrastructure devices aren’t directly targeted either, but end up as “collateral damage” – what happens to automation devices?
– Instead of attacking windowsupdate.com or whitehouse.gov, a worm writer could target the firmware of your ControlLogix
• The bottom line – security controls must be integrated throughout the network and end-devices must be hardened
Conclusions
• Technology knows no organizational boundaries – “IT
Security Products” can be altered to secure control system
applications
• Security technologies and practices lag threats and vulnerabilities – is it still 1995?
– Vulnerabilities are still known by a small but growing community – for now?!
– Small target population – Industrial Ethernet (and wireless) have not reached critical mass
– Threat picture is unclear – lack of automated tools (although this could change quickly)
• Simple “type-code filtering” is better than the status quo but is probably a partial (interim?) solution to the more robust security enhancement necessary for industrial devices and protocols
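An added example (not ODVA or Cisco code) of the application-layer “type-code filtering” mentioned above, combined with the source-address filtering that the Device Vulnerabilities slide says most PLC communication modules cannot do themselves, so an in-path device does it for them. It assumes EtherNet/IP encapsulation framing (24-byte little-endian header with the command code in the first two bytes) and its standard command codes, which the slides do not spell out; the hosts and policy are constructed.

```python
import struct

# Added example (not ODVA or Cisco code): an in-path "type-code" filter for
# EtherNet/IP encapsulation frames. Assumed framing: 24-byte little-endian
# header whose first two bytes are the command code; command codes are the
# standard encapsulation ones. Hosts and policy below are constructed.

HEADER = struct.Struct("<HHII8sI")   # command, length, session, status, context, options
HEADER_LEN = HEADER.size             # 24 bytes

COMMANDS = {
    0x0004: "ListServices",
    0x0063: "ListIdentity",
    0x0064: "ListInterfaces",
    0x0065: "RegisterSession",
    0x0066: "UnRegisterSession",
    0x006F: "SendRRData",    # explicit messaging (tag reads/writes, programming)
    0x0070: "SendUnitData",  # connected I/O data
}

# Per-source allow-list of message types: an engineering station may use
# explicit messaging, an HMI only connected data; everything else is dropped.
POLICY = {
    "10.10.1.20": {"ListIdentity", "RegisterSession", "UnRegisterSession", "SendRRData"},
    "10.10.1.30": {"RegisterSession", "UnRegisterSession", "SendUnitData"},
}

def classify(src_ip, payload, policy=POLICY):
    """Return ('allow', command_name) or ('drop', reason) for one frame."""
    allowed = policy.get(src_ip)
    if allowed is None:
        return "drop", "source not in allow-list"
    if len(payload) < HEADER_LEN:
        return "drop", "truncated encapsulation header"
    cmd, length, _session, _status, _ctx, _opts = HEADER.unpack_from(payload)
    if length != len(payload) - HEADER_LEN:
        return "drop", "length field disagrees with frame size"
    name = COMMANDS.get(cmd)
    if name is None:
        return "drop", "unknown command 0x%04x" % cmd
    if name not in allowed:
        return "drop", "%s not permitted for %s" % (name, src_ip)
    return "allow", name

def frame(cmd, body=b""):
    """Build a constructed encapsulation frame for exercising the filter."""
    return HEADER.pack(cmd, len(body), 0, 0, b"\0" * 8, 0) + body
```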
Conclusions (cont.)
• Security enhancements for automation protocols are 3-5
years away from widespread deployment, but legacy
devices will remain a problem after secure protocols
become a reality
• More Questions than Answers!?
– Operational constraints of deploying security deep within
the automation cell—especially management and
monitoring
– Operation control and interaction between multiple
security technologies (authentication servers, VPNs,
border routers, and firewalls)
– Integration of Control System Security Software and
Network Security Countermeasures?
– What device is best suited for application protocol
filtering: firewall, router, intelligent switch? Where should
it be deployed?
Integrated Security Strategy

Essential Security Technologies
• Extended Perimeter Security – Permit or deny network/application access
• Secure Connectivity – Protect traffic across untrusted networks
• Security Management – Management, monitoring, and analysis
Deploy Security As an Integrated System
(Diagram: physical security measures and their network counterparts)
• Surveillance and Alarms – Network and Host-Based Intrusion Detection
• Secured Doors and Vaults – Firewalls and Router ACLs
• Patrolling Security Guard – Scanner
• Card Readers – Identity, AAA, Access Control Servers and Certificate Authorities
• Security Room, CCTV – Centralized Security and Policy Management
• Secure Transport – Encryption and Virtual Private Networks (VPNs)
Why Integrated Security?
• Everything is a target: routers, switches, hosts, networks, applications, information, and management tools are all targets
• Some of these can be turned into weapons
• New breed of attacks have multiple vectors that cannot be blocked by one device
• Network security is a system – everything must be defended
– Layers of security are required
– Embedded security throughout the network
– SAFE Integrated security in network devices
– Secure management and reporting
Integrated Network Security: What Do We Mean?
Integrated Into All Devices: Security In Everything
Routers, Switches, Servers, Firewalls, VPN Devices, Intrusion Detection, Wireless, Telephony, Clients, Access Control Servers

Integrated Security Solutions – Network Based and Appliances
Cisco Delivers Security Solutions That Integrate With Diverse Deployment Models
Firewall Deployment Options
(Diagram of deployment points and products)
• Small Business / Branch Office: Cisco 1700, 2600, 3600 Series with IOS Firewall or PIX 506, 515
• Corp HQ Internet Access: PIX 525, 535
• Regional Office / Telecommuter Internet Access via Service Provider
• Data Center & Internal Firewalls: Cisco FWSM or PIX 525, 535
• ASP: Cisco 3700, 7200 Series with IOS Firewall or PIX 515, 525
IDS Deployment Options
• Extranet Protection (NIDS) – Monitors partner traffic where “trust” is implied but not assured (Business Partner Users)
• Internet Protection (NIDS) – Augments FW and VPN by monitoring traffic for malicious activity
• Intranet/Internal Protection (NIDS/HIDS) – Protects data centers and critical systems from internal threats (Corporate Data Center, Office)
• Remote Access Protection (NIDS) – Hardens perimeter control by monitoring remote users (NAS)
• Server Farm Protection (NIDS/HIDS) – Protects e-Business servers from attack and compromise
Identity Portfolio – Identity Services
• Enterprise AAA
• 802.1x support
• LEAP, PEAP, WPA
• RADIUS, TACACS+
• LDAP, plus
Security is a Systematic Process
(Diagram: a cycle of) Architecture Design and Implementation; Vulnerabilities and Risk Assessment; Surveillance, Monitoring, Audit & Analysis; Corrective Action
Intrusion Detection Overview

Intrusion Detection Approaches
• Signature, Anomaly Detection, Behavioral
• Network and/or Host-Based

Anomaly and/or Signature Detection
(Diagram only)

Host vs Network Based
• Host based: “Agent” software monitoring network, kernel and application activity on hosts
• Network based: Collects and analyzes data from the network
Some General Pros and Cons
Host-Based – Pros:
• Can verify success or failure of attack
• Generally not impacted by bandwidth or encryption
• Understands host context and may be able to stop attack
Host-Based – Cons:
• Impacts host resources
• Operating system dependent
• Scalability – requires one agent per host

Target
• Most damaging
• Change very slowly
• Inspiration for host intrusion prevention
Typical IDS Architecture
(Diagram) Management side: event database, sensor configuration, component communications. Sensor side (NIDS Sensor, HIDS Sensor): detection analysis, generate alarms, response/countermeasures.

Network IDS Sensor
(Diagram) One network link to the management console (has an IP address); one passive interface monitoring the network data flow for data capture (no IP address).

Network Intrusion Prevention: Inline Network IDS
(Diagram) One network link to the management console (has an IP address); two passive interfaces sitting inline in the data flow, monitoring the network (no IP address).

Host IDS/IPS Sensor
(Diagram; reports via Syslog)
Deploying IDS/IPS in a Control Systems Environment

Technology Challenges
• Scalability
– Large volume of data to analyze
• Access to the data stream
– Switch SPAN port sharing or Network Taps
– Remote Systems
– Non-IP Transport
• Skills required to monitor/operate the systems
– Understand what the alarms mean and what to do
– Certifying Host Agents on Process Control Systems
– Adhering to regulatory CPU utilization guidelines
False Positive Elimination / Alarm Validation
• Generally there are four primary ways that vendors have attempted to eliminate false positives or validate alarms
– Correlation of IDS and other security logs
– Correlation of active scanning and alarm data
– Correlation of passive scanning and alarm data
– Just in time analysis
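An added illustration (not from the presentation) of the first and third approaches above: a NIDS alarm is correlated with a passively gathered asset inventory and with other security logs to grade the alarm’s fidelity, the property the later IPS slide says a drop decision should rest on. The alert fields, inventory, log tuples and addresses are all constructed.

```python
from dataclasses import dataclass

# Added example, not from the ODVA/Cisco deck. Validates a NIDS alarm against
# (1) a passively gathered asset inventory and (2) already-parsed host/firewall
# logs. Every data source and address here is constructed for illustration.

@dataclass
class Alert:
    src: str
    dst: str
    dport: int
    sig: str
    target_os: str   # OS family the signature applies to; "any" if generic

# Passive-scan inventory: what has actually been seen on the wire per host.
INVENTORY = {
    "10.20.0.5": {"os": "windows", "ports": {80, 445}},    # HMI workstation
    "10.20.0.9": {"os": "vxworks", "ports": {44818}},      # PLC comm module
}

# Other security logs reduced to (dst, dport, outcome) tuples.
OTHER_LOGS = [
    ("10.20.0.5", 445, "fw-deny"),
    ("10.20.0.9", 44818, "session-opened"),
]

def validate(alert, inventory=INVENTORY, logs=OTHER_LOGS):
    """Return (fidelity, reason); fidelity is 'low', 'medium' or 'high'."""
    host = inventory.get(alert.dst)
    if host is None:
        return "low", "destination never seen on the wire"
    if alert.target_os != "any" and alert.target_os != host["os"]:
        # Classic PCN false positive: a Windows exploit signature fired on a PLC.
        return "low", "signature targets %s, host runs %s" % (alert.target_os, host["os"])
    if alert.dport not in host["ports"]:
        return "low", "port %d not open on destination" % alert.dport
    outcomes = {o for d, p, o in logs if d == alert.dst and p == alert.dport}
    if "fw-deny" in outcomes:
        return "medium", "service exposed but firewall logged a deny"
    if "session-opened" in outcomes:
        return "high", "service exposed and a session was established"
    return "medium", "service exposed; no corroborating log"
```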
COTS Attack Sequence
(Diagram only; labelled “Target”)

Deployment Considerations for PCN
• How do most commercial IDS protect the PCN system?
They protect the COTS systems that have protocols or
operating systems that are understood by the IDS.
• Specific threats to PCN embedded systems and PCN have not been widely publicly identified, so most commercial IDS (host or network) do not support the protocols and embedded operating systems in use by PCN systems.
• Anomaly Detection based systems need testing to determine
the applicability to PCN systems.
PCN Attack Sequence
• Ping Addresses
• Scan ports for particular PCN protocols
• Send specific function codes to cause specific behavior on embedded system
• Use default passwords on system interface
• Modify existing configuration on the Target device
• Enable new services on the device
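An added example (not from the deck) of turning the sequence above into detection logic: each source host is tracked through the stages as event records from a sensor or device log arrive, so an analyst sees how far an intrusion has progressed rather than six unrelated alarms. The event format, the watched port and the addresses are constructed assumptions.

```python
import re
from collections import defaultdict

# Added example, not ODVA/Cisco code: map sensor/device events onto the PCN
# attack sequence and report how far each source has progressed. The log
# format, the watched port (assumed EtherNet/IP) and all addresses are constructed.

STAGES = ["ping_sweep", "pcn_port_scan", "function_code",
          "default_login", "config_write", "service_enable"]
PCN_PORTS = {44818}   # assumed: port the sensor watches for PCN protocol scans

# Constructed sample events, one per line: "<src> <event> key=value ...".
SAMPLE_LOG = """\
10.0.5.7 icmp_echo dst=10.0.6.1
10.0.5.7 icmp_echo dst=10.0.6.2
10.0.5.7 icmp_echo dst=10.0.6.3
10.0.5.7 tcp_syn dst=10.0.6.2 port=80
10.0.5.7 tcp_syn dst=10.0.6.2 port=44818
10.0.5.7 app_msg dst=10.0.6.2 fn=write_tag
10.0.5.7 login dst=10.0.6.2 user=admin cred=default
10.0.5.7 config_write dst=10.0.6.2
10.0.5.8 icmp_echo dst=10.0.6.2
10.0.5.8 login dst=10.0.6.2 user=engineer cred=personal
"""
LINE = re.compile(r"^(\S+) (\S+)\s*(.*)$")

def analyze(log_text, sweep_threshold=3):
    """Return {src: [stages reached, in attack-sequence order]} for every
    source that reached at least one stage."""
    echoed = defaultdict(set)     # src -> hosts it pinged (sweep detection)
    reached = defaultdict(set)    # src -> stages observed
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        src, event, detail = m.groups()
        kv = dict(p.split("=", 1) for p in detail.split() if "=" in p)
        if event == "icmp_echo":
            echoed[src].add(kv.get("dst"))
            if len(echoed[src]) >= sweep_threshold:
                reached[src].add("ping_sweep")
        elif event == "tcp_syn" and int(kv.get("port", 0)) in PCN_PORTS:
            reached[src].add("pcn_port_scan")
        elif event == "app_msg" and "fn" in kv:
            reached[src].add("function_code")
        elif event == "login" and kv.get("cred") == "default":
            reached[src].add("default_login")
        elif event in ("config_write", "service_enable"):
            reached[src].add(event)
    return {src: [s for s in STAGES if s in hit] for src, hit in reached.items()}
```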
IPS Considerations for Process Control Networks (PCN)
• IPS is the marketing term of choice. However, their
applicability to a PCN system needs to be carefully evaluated.
• Anonymous Quote “People would be foolish to run IPS on a
regulated pipeline”
• However, IPS at the edge of the control system is sensible,
since the IPS can protect COTS systems that can’t be patched
or have run out of support and no patch is available.
• The deployment of an IPS revolves around the degree of
certainty the IDS operator has that the IDS dropped the correct
traffic. This is sometimes called the “fidelity” of the
alarm/signature.
Security Architecture for Plant Floor

Enterprise High Level Design
(Diagram) Corp. Engr on the Corporate WAN; Plant IT, Plant Engr and Plant Data Center on the Plant Network(s); Internet; Business Partners via WAN/PSTN; several Process Controls networks below the plant network. Remote external access for suppliers and vendors: dedicated lines, dial and VPN.
Logical Industrial Ethernet Plant Topology
In all instances where applicable a QOS template should be engineered and deployed. A minimum configuration to classify traffic at the access layer must be employed to ensure a QOS template in the future.
(Diagram) IT WAN; Plant IT, Plant Engineering, Plant Data Center; Internet; Remote Access WAN/PSTN; Direct Remote Access PSTN; a Zone containing VLAN 101 through VLAN 105 with Cells beneath it.

Logical Zone Topology
(Diagram) Plant Network, PSTN
Enterprise High Level Design, Logical Industrial Ethernet Plant Topology and Logical Zone Topology (repeated)
(The same three diagrams as above, with Possible Focal Points for policy enforcement marked.)
Enterprise Edge Detail
Central policy control of Partner authentication and authorization.
(Diagram) Corporate Internet Module to the Internet; Partner Remote Access VPN; Edge Distribution Module; Site-to-Site VPN; Dial Access Servers on the PSTN; Business Partner Routers.
Plant Edge
Central policy control of Partner authentication and authorization.
(Diagram) IT WAN, Internet, Remote Access WAN/PSTN
Plant Distribution
Central policy control of Partner authentication and authorization. Embed FW, VPN and NIDS technology into the distribution layer. These technologies protect each set of production cells that feed into them.
Logical Zone Topology (annotated)
• Central policy control of Partner authentication and authorization. Embed FW, VPN and NIDS technology into the distribution layer. These technologies protect each set of production cells that feed into them. (Possible Focal Points for policy enforcement on the Plant Network)
• Additionally, if performance and compatibility allows, HIDS or Personal FWs can be deployed on the systems that run a general purpose OS.
• Standards compliant WPA security scheme should be used to secure 802.11 wireless.
• VLANs provide user segmentation. ACLs for only authorized production traffic?
• Audit of direct dial interfaces should be conducted to guarantee that the lines are known and meet security policy.
(Diagram devices) Programmable Logic Controllers (PLC), Human Machine Interface (HMI), PC-Based Controllers, Wireless Video Monitoring and Video Feed, Motors, Drives, Actuators, Robotics, Scanner, Handheld, Sensors and other Input/Output Devices on a Device Level Network, Ethernet, PSTN
Cisco Security Agent Tour

Cisco Security Agent Key Advantages
1. Agents are managed from same console as
Firewall, Network IDS, and VPN devices
2. Protection is proactive – no need for
repeated signature updates (“Zero Update”)
3. Simple to customize
4. Protects Windows and Unix, servers and
desktops
Agents are managed from same console as Firewall, Network IDS and VPN devices
• Cisco Security Agent Management Center runs under
Cisco Works VPN and Security Management System
(VMS)
• CSA MC installs and configures all necessary components
automatically
– Manager software
– Web Server CGIs
– Database
• CSA MC automatically builds agent kits for distribution to
systems
• No encryption key distribution to agents
• No need to log in to CSA MC to get agent kits protecting
systems
Testing Protection
Unlike Host IDS systems, you need to attack the CSA to see alerts.
Tool (Site) – Comments:
• nmap (http://www.insecure.org) – Most sophisticated network mapping and discovery tool. Does an excellent job of identifying the Operating System of the target device.
• Nessus (http://www.nessus.org) – A free Linux based Open Source vulnerability scanner. Contains a very large list of current exploits for both Unix and Windows systems.
• Windump (http://windump.polito.it) – High quality free network packet and password capture tool. Windows version of Unix tcpdump.
• Etherpeek (http://www.wildpackets.com) – Good commercial packet sniffer.
• SilentLog (http://packetstorm.decepticons.org/…) – Keystroke logger with source code.
• Pwdump (http://razor.bindview.com/tools/files/pwdump.zip) – Allows encrypted passwords to be dumped even if the Windows system is protected with SYSKEY.
• Firehole (http://keir.net/firehole.html) – Personal Firewall testing tool that uses DLL Injection.
• netcat (http://www.atstake.com/research/tools) – Among other features can act as a remote login server on any port.
• Command Shell (%SystemRoot%\system32\cmd.exe on Windows, /bin/sh on Unix) – Lets you run commands.
Proactive Protection
(Screenshot of a rule) “… when any application … tries to write … system executables, libraries, or drivers.”

Simple to Customize
(Screenshot of the same rule being edited)
Policy Tuning Wizard
The Tuning Wizard automates policy customization according to Cisco recommended “Best Practices”.
Hotlinks from alerts invoke a wizard that determines how to update policies in the appropriate manner.
If you are using the Cisco Security Agent Profiler product, the wizard will configure the Profiler to investigate applications.

Protects Unix and Windows Servers and Desktops
The Cisco Security Agent protects not only Windows Desktops and Servers but Solaris servers as well.
Default Unix Server policy provides robust security “out of the box”:
– Hardens the Operating System and ensures its integrity
– Buffer Overflow protection
– Blocks packet sniffers
– Blocks Trojan Horse “backdoor” programs

Cisco Security Agent Summary

© 2001, Cisco Systems, Inc. All rights reserved.