protecting critical industrial control systems keep critical... · industrial control systems at...

©2014 Check Point Software Technologies Ltd. | [Restricted] ONLY for designated groups and individuals Protecting Critical Infrastructure and Industrial Control Systems Oded Gonda VP, Network Security Products October 2014


Post on 22-Mar-2018


Page 2

Agenda

Check Point at a Glance

Critical Infrastructure at Risk

A Security Strategy

Check Point Critical Infrastructure Protection Solutions

Summary

Page 3

About Check Point

100% focus on security

Since 1993

US $1.4 Billion sales in 2013

Over 100,000 customers including ALL Fortune 100

Over 3,000 People Dedicated to Security

#1 Security Gateway Market share - IDC

16 Years Firewall MQ Leader - Gartner

Page 4

Granular Control of All Security Layers

Granular Visibility

Identity Awareness

DLP

Mobile Access

SmartEvent

Application Control

URL-Filtering

IPS

Anti-Bot

Antivirus

Threat-Emulation

Page 5

Agenda

Check Point at a Glance

Industrial Control Systems at Risk

A Security Strategy

Check Point Industrial Control Protection Solutions

Summary

Page 6

Industrial Control at Risk!

Critical and industrial systems make our modern world

Like other IT systems, they are prone to attacks

The consequences of such attacks are much greater:

- Power failures

- Water pollution or floods

- Disruption of transportation systems

- Malfunction of Production Lines

Page 7

Infrastructure is Targeted

Source: ICS-CERT Responses 2013

Page 8

Important Attacks

Stuxnet, Duqu, Flame

Pacific Energy, Saudi Arabia Aramco

German Power Utility, 50Hertz

Illinois Water System

Queensland, Harrisburg and Willows Water System attacks

Page 10

Why can attacks happen?

SCADA devices were not designed for security and are vulnerable

SCADA devices and networks are more reachable than they seem

Page 11

Controllers are Vulnerable

• Programmable Logic Controllers (PLC) are purpose-built computers used for automation of electromechanical processes such as control of pumps, valves, pistons, motors, etc.

• PLCs are small computers. They have software applications, accounts and logins, communication protocols, etc.

• Analysis of PLCs from leading vendors shows a variety of vulnerabilities:

- Backdoors

- Lack of authentication and encryption

- Weak password storage

- Bugs leading to buffer overruns

Page 12

PLC Vulnerability Example

Published by Digital Bond in January 2012

Categories in the table (per-device results not recoverable from the slide image): Firmware, Best Config, Web, Fuzzing, Exhaustion, Undoc Features, Backdoors, Ladder Logic

"x" indicates the vulnerability is present in the system and is easily exploited

"!" indicates the vulnerability exists but exploit is not available

"v" indicates the system lacks this vulnerability.

Page 13

Source: Idaho National Lab, 2011

Page 14

IT and SCADA networks are Interconnected

A survey of hundreds of energy sector environments shows an average of 11 direct connections, and up to 250 in some cases! (US National Cybersecurity and Communications Integration Center, 2011)

Business Intelligence

Geographic Information Systems

Energy Market

Outage Management System

Remote Maintenance

Backup

Billing / ERP

Page 15

Attack How-To

• Step 1: get access to the network

- Social Engineering

- Spear phishing

- Drive-by

- USB Keys

- Contractor Laptops

- Maintenance Remote Access Links

• Step 2: use a tool-kit or run a specially crafted attack

• Step 3: alter commands sent to the controllers, or change sensor readings

Page 16

Agenda

Check Point at a Glance

Critical Infrastructure at Risk

A Security Strategy

Check Point Critical Infrastructure Protection Solutions

Summary

Page 17

Security is about Prevention

Page 18

Specialization Required

Critical industries use dedicated systems, on specialized networks with unique protocols

Environments cannot be changed and solutions need to last for 10, 20 and even 30 years

General purpose security solutions lack support for technology and environmental requirements

Page 19

Check Point SCADA Approach

Independently Log ALL SCADA activity

Define Baseline (Allowed / Not Allowed / Suspicious)

Identify Deviations

Alert / Prevent

Page 20

Agenda

Check Point at a Glance

Critical Infrastructure at Risk

A Security Strategy

Check Point Critical Infrastructure Protection Solutions

Customer Case & Summary

Page 21

Introducing: Security for Critical Industries

Security Products with granular SCADA Support

Advanced Protections for ICS network threats

Specialized Gateways

Page 22

Product Deployment Architecture

Diagram labels: Management Facility, Field Facility, Corporate WAN, SCADA WAN, SCADA Monitoring Network, Corporate Network, PLCs

(1) Corporate Security Gateways

(2) SCADA Security Gateway

(3) SCADA Field Security Gateway

(4) Endpoint Security Agent

(5) SCADA Logging and Management

Page 23

Protecting the Perimeter

Multi Layered Threat Prevention

Pre Infection

Post Infection

Static Analysis

Dynamic Analysis

IPS

Anti Virus

Threat Emulation

Anti Bot

Page 24

Threat Prevention Solutions

IPS: Prevent exploit of known vulnerabilities

Antivirus: Block download of known malware

Anti-Bot: Block Bot Communication

Threat Emulation: Fighting Unknown Threats

Real Time Security Collaboration Powered by ThreatCloud

Page 25

SCADA Application Control

Protocol-specific controls with directional awareness

Policy granularity at the command level: e.g., read/write/get
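
An added illustration, not Check Point code and not part of the original deck, of the baseline approach and the command-level, direction-aware policy described above, applied to Modbus/TCP. The baseline table, addresses and sample frames are constructed assumptions; the function codes follow the public Modbus specification.

```python
import struct

# Modbus function codes from the public Modbus application protocol specification.
READ_CODES = {1, 2, 3, 4}      # read coils, discrete inputs, holding and input registers
WRITE_CODES = {5, 6, 15, 16}   # write single/multiple coils and registers

# Hypothetical baseline: command classes each (source, destination) pair may send.
# Direction matters: the reverse pair is a different key and is not listed.
BASELINE = {
    ("192.0.2.10", "192.0.2.50"): {"read", "write"},  # SCADA server -> PLC
    ("192.0.2.20", "192.0.2.50"): {"read"},           # historian -> PLC, read-only
}

# Constructed sample frames: MBAP header (7 bytes) followed by the PDU.
READ_FRAME = bytes.fromhex("000100000006010300000002")   # function 3, read 2 registers
WRITE_FRAME = bytes.fromhex("00020000000601060001002a")  # function 6, write one register


def parse_modbus_tcp(frame: bytes):
    """Return (unit_id, function_code) for one Modbus/TCP frame or raise ValueError."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    _txn, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol identifier is not 0")
    if length != len(frame) - 6:  # length counts the unit id and the PDU
        raise ValueError("MBAP length field does not match frame size")
    return unit, frame[7]


def classify(function_code: int) -> str:
    """Map a function code to the command class used in the policy."""
    if function_code in READ_CODES:
        return "read"
    if function_code in WRITE_CODES:
        return "write"
    return "other"


def evaluate(src: str, dst: str, frame: bytes, enforce: bool = False):
    """Return (verdict, reason); deviations alert when monitoring, block when enforcing."""
    deviation = "block" if enforce else "alert"
    try:
        _unit, code = parse_modbus_tcp(frame)
    except ValueError as err:
        return deviation, f"malformed frame: {err}"
    allowed = BASELINE.get((src, dst))
    if allowed is None:
        return deviation, f"no baseline for {src} -> {dst}"
    kind = classify(code)
    if kind not in allowed:
        return deviation, f"{kind} command (function {code}) not in baseline"
    return "allow", f"{kind} command (function {code})"


if __name__ == "__main__":
    for src in ("192.0.2.10", "192.0.2.20"):
        for name, frame in (("read", READ_FRAME), ("write", WRITE_FRAME)):
            print(src, name, evaluate(src, "192.0.2.50", frame))
```
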

Page 27

SCADA Protocols Support

• IEC 60870-5-104

• ICCP (IEC 60870-6)

• OPC

• DNP3

• MMS

• Modbus

• BACnet

• Profinet

• ELCOM-90 *

• Profibus *

* In Development

Additional protocols are constantly added

Page 28

History of all SCADA commands in the network

History of attempts to send an excessive number of commands

History of all network reconnaissance attempts

Complete Forensics down to packet captures

SCADA SmartEvent Forensics are key for any investigation!

Page 29

SCADA Intrusion Prevention

Citect SCADA ODBC Overflow Attempt

Rockwell RSLogix Denial of Service Vulnerability

Schneider Electric UnitelWay Windows Device Driver Buffer Overflow

Siemens Automation License Manager Multiple Vulnerabilities

RealWin HMI Service Buffer Overflow 2

RealWin INFOTAG/SET_CONTROL Packet Processing Buffer Overflow

Broadcast Request from an Authorized Client

IGSS SCADA STDREP Request Buffer Overflow

Rockwell RNA Message Negative Header Length

WonderWare SuiteLink DOS Attempt

ClearSCADA Cross-site Scripting Attempt

IGSS SCADA ReadFile Function Buffer Overflow

RealFlex RealWin SCADA On_FC_CTAGLIST_FCS_ADDTAGMS Buffer Overflow

Sielco Sistemi WinLog Stack Overflow Attempt

SCADA Engine OPC Client Buffer Overflow Vulnerability

Siemens Tecnomatix FactoryLink Stack Overflow Vulnerability

ScadaTEC SCADAPhone and ModbusTagServer Buffer Overflow

Automated Solutions Modbus/TCP Master OPC server Modbus TCP Header Corruption

Unauthorized Miscellaneous Request to a PLC

IGSS SCADA RMS Report Template WriteFile Command Buffer Overflow

Iconics Genesis SCADA Freeing of Unitialized Memory Trigger

Intellicom NetBiter Config HICP Hostname Buffer Overflow

ClearSCADA Heap Overflow Attempt

Ecava IntegraXor Directory Traversal Attempt

IGSS SCADA dc.exe Server Directory Traversal Arbitrary File Execution – 0xa

Rockwell RNA Message Header Not Null Terminated

Integrated SCADA IPS signature set

Built on industry leading IPS Software Blade

Support for both ICS-specific and corporate IPS requirements

Full packet capture and integrated event monitoring and analysis

Page 30

SCADA Workstation Security

Page 31

Product Deployment Architecture

Diagram labels: Management Facility, Field Facility, Corporate WAN, SCADA WAN, SCADA Monitoring Network, Corporate Network, PLCs

(1) Corporate Security Gateways

(2) SCADA Security Gateway

(3) SCADA Field Security Gateway

(4) Endpoint Security Agent

(5) SCADA Logging and Management

Page 32

Configuration Options

Multiple configuration scenarios

Monitor-only and protect settings

Staged activation: move from monitor to protect over time

Layer 3 inline and layer 2 bridge mode

Single interface tap mode

Page 33

Secure Interconnectivity to other parties

Maintain segregation between providers on the grid

Enable RTU capacity reporting but prevent commands to PLCs

Build IP-based networks for future SmartGrid functionality

Page 34

Compliance Management

Page 35

Security Appliance for Environmentally controlled Locations

Ultra High-End

Datacenter Grade

Enterprise Grade

Small Office / Desktop

12000 Appliances

4000 Appliances

2200 Appliance

61000 System and 21400 Appliance

SECURITY FOR ENTIRE RANGE

Page 36

Ruggedized Security Appliances

High Performance

Rack Mountable

Din Rail Mounted

RuggedCom/Siemens

Industrial Edge

• Wide Temperature range

• No moving parts—fan-less design with SSD drive & no internal cabling

• Isolation power design with wide AC/DC input range

• IEC 61850-3 and IEEE 1613 compliant

Medium Performance

Rack Mountable

IAS T1

IAS U1

Page 37

Managed Security Service™

Monitors your Check Point gateways for advanced threats and provides expert resources to optimize your security around the clock

Diagram labels: Check Point, Human Expertise, Threat Intelligence, Threat Prevention Software Blades (IPS, Anti-Bot, Antivirus, Threat Emulation)

Page 38

Agenda

Check Point at a Glance

Critical Infrastructure at Risk

A Security Strategy

Check Point Critical Infrastructure Protection Solutions

Summary

Page 39

Approaches to the Problem

Pro-active

Wait for the regulation

Wait for the cyber-attack

Page 40

Summary & Recommendations

Maintain a strong perimeter to avoid infections

Monitor SCADA activity, collect forensics and detect anomalies

Deploy SCADA Specific PREVENTION technologies such as Firewalling, Application Control and Threat Prevention

Conduct a risk-free out-of-band POC in your network to examine your traffic and plan a security strategy together.