©2014 Check Point Software Technologies Ltd. | [Restricted] ONLY for designated groups and individuals
Protecting Critical Infrastructure and Industrial Control Systems
Oded Gonda
VP, Network Security Products
October 2014
Slide 2
Agenda
Check Point at a Glance
Critical Infrastructure at Risk
A Security Strategy
Check Point Critical Infrastructure Protection Solutions
Summary
Slide 3
About Check Point
100% focus on security
Since 1993
US $1.4 Billion sales in 2013
Over 100,000 customers, including ALL Fortune 100
Over 3,000 people dedicated to security
#1 Security Gateway market share (IDC)
16 years Firewall MQ Leader (Gartner)
Slide 4
Granular Control of All Security Layers
Granular Visibility
Identity Awareness
DLP
Mobile Access
SmartEvent
Application Control
URL-Filtering
IPS
Anti-Bot
Antivirus
Threat-Emulation
Slide 5
Agenda
Check Point at a Glance
Industrial Control Systems at Risk
A Security Strategy
Check Point Industrial Control Protection Solutions
Summary
Slide 6
Industrial Control at Risk!
Critical and industrial systems make our modern world work.
Like other IT systems, they are prone to attacks.
The consequences of such attacks are much greater:
- Power failures
- Water pollution or floods
- Disruption of transportation systems
- Malfunction of production lines
Slide 7
Infrastructure is Targeted (Source: ICS-CERT Responses 2013)
Slide 8
Important Attacks
Stuxnet, Duqu, Flame
Pacific Energy,
Saudi Arabia Aramco
German Power Utility, 50Hertz
Illinois Water System
Queensland, Harrisburg and Willows Water System attacks
Slide 9
Slide 10
Why can attacks happen?
1. SCADA devices were not designed for security and are vulnerable
2. SCADA devices and networks are more reachable than it seems
Slide 11
Controllers are Vulnerable
• Programmable Logic Controllers (PLCs) are purpose-built computers used for automation of electromechanical processes such as control of pumps, valves, pistons, motors, etc.
• PLCs are small computers. They have software applications, accounts and logins, communication protocols, etc.
• Analysis of PLCs from leading vendors shows a variety of vulnerabilities:
- Backdoors
- Lack of authentication and encryption
- Weak password storage
- Bugs leading to buffer overruns
Slide 12
PLC Vulnerability Example (published by Digital Bond in January 2012)
[Table: vulnerability categories assessed per PLC: Firmware, Best Config, Web, Fuzzing, Exhaustion, Undoc Features, Backdoors, Ladder Logic; the per-device cells did not survive the transcript]
Legend:
"x" indicates the vulnerability is present in the system and is easily exploited
"!" indicates the vulnerability exists but an exploit is not available
"v" indicates the system lacks this vulnerability
Slide 13
Source: Idaho National Lab, 2011
Slide 14
IT and SCADA networks are Interconnected
A survey of hundreds of energy-sector environments shows an average of 11 direct connections, and up to 250 in some cases! (US National Cybersecurity and Communications Integration Center, 2011)
Direct connections shown:
- Business Intelligence
- Geographic Information Systems
- Energy Market
- Outage Management System
- Remote Maintenance
- Backup
- Billing / ERP
Slide 15
Attack How-To
• Step 1: get access to the network
- Social engineering
- Spear phishing
- Drive-by
- USB keys
- Contractor laptops
- Maintenance remote access links
• Step 2: use a tool-kit or run a specially crafted attack
• Step 3: alter commands sent to the controllers, or change sensor readings
Slide 16
Agenda
Check Point at a Glance
Critical Infrastructure at Risk
A Security Strategy
Check Point Critical Infrastructure Protection Solutions
Summary
Slide 17
Security is about Prevention
Slide 18
Specialization Required
Critical industries use dedicated systems on specialized networks with unique protocols.
Environments cannot be changed, and solutions need to last for 10, 20 and even 30 years.
General-purpose security solutions lack support for these technology and environmental requirements.
Slide 19
Check Point SCADA Approach
1. Independently log ALL SCADA activity
2. Define a baseline (Allowed / Not Allowed / Suspicious)
3. Identify deviations
4. Alert / Prevent
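A minimal implementation of those four steps, added here as an illustration and not Check Point's code: it logs constructed Modbus command records, learns an Allowed baseline from a quiet learning window, applies an explicit Not-Allowed rule (only engineering workstations may write), treats anything else not seen before as Suspicious, flags a source that sends an excessive number of commands, and either alerts (monitor mode) or also drops Not-Allowed commands (protect mode). The host names, the learning window, the 20-commands-per-5-seconds threshold and the log itself are constructed assumptions.

```python
"""Log, baseline, deviation, alert/prevent for SCADA command traffic.

Added example (not Check Point code) of the four-step approach. The log,
host names, learning window and rate threshold are constructed assumptions.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class ScadaEvent:
    ts: float    # seconds since start of capture (constructed)
    src: str     # requesting host
    dst: str     # controller addressed
    proto: str   # e.g. "modbus"
    func: str    # command name, e.g. "read_holding_registers"


Key = Tuple[str, str, str, str]  # (src, dst, proto, func)

# Step 1: every SCADA command the gateway sees is logged independently of the
# SCADA system itself. This constructed log has a quiet learning window (ts < 10)
# followed by a window that contains three kinds of deviation.
LOG: List[ScadaEvent] = (
    [ScadaEvent(float(t), "hmi-1", "plc-7", "modbus", "read_holding_registers")
     for t in (0, 1, 3, 4, 5, 6, 8, 9)]
    + [ScadaEvent(2.0, "eng-ws", "plc-7", "modbus", "write_single_register"),
       ScadaEvent(7.0, "eng-ws", "plc-7", "modbus", "write_single_register")]
    + [ScadaEvent(60.0, "hmi-1", "plc-7", "modbus", "read_holding_registers"),        # allowed
       ScadaEvent(61.0, "billing-srv", "plc-7", "modbus", "read_holding_registers"),  # suspicious
       ScadaEvent(62.0, "hmi-1", "plc-7", "modbus", "write_single_register")]         # not allowed
    # 30 writes in under 3 s from an otherwise permitted source: excessive command rate
    + [ScadaEvent(63.0 + i * 0.1, "eng-ws", "plc-7", "modbus", "write_single_register")
       for i in range(30)]
)

# Explicit Not-Allowed rule (constructed): only engineering workstations may write.
WRITE_FUNCS = {"write_single_coil", "write_single_register",
               "write_multiple_coils", "write_multiple_registers"}
WRITERS = {"eng-ws"}


def build_baseline(events: List[ScadaEvent], learn_until: float) -> Set[Key]:
    """Step 2: the Allowed set is every (src, dst, proto, func) seen while learning."""
    return {(e.src, e.dst, e.proto, e.func) for e in events if e.ts < learn_until}


def classify(e: ScadaEvent, allowed: Set[Key]) -> str:
    """Step 3: Not-Allowed rules win, then the learned baseline, else Suspicious."""
    if e.func in WRITE_FUNCS and e.src not in WRITERS:
        return "not_allowed"
    if (e.src, e.dst, e.proto, e.func) in allowed:
        return "allowed"
    return "suspicious"


def excessive_sources(events: List[ScadaEvent], window: float, limit: int) -> Set[str]:
    """Sources that exceed `limit` commands inside any sliding `window` seconds."""
    recent: Dict[str, List[float]] = defaultdict(list)
    flagged: Set[str] = set()
    for e in sorted(events, key=lambda ev: ev.ts):
        q = recent[e.src]
        q.append(e.ts)
        while q[0] < e.ts - window:
            q.pop(0)
        if len(q) > limit:
            flagged.add(e.src)
    return flagged


def run(events: List[ScadaEvent], learn_until: float = 10.0, mode: str = "monitor",
        window: float = 5.0, limit: int = 20) -> Dict:
    """Step 4: in monitor mode every deviation only alerts; in protect mode
    Not-Allowed commands are also dropped (Suspicious and rate findings still only alert)."""
    allowed = build_baseline(events, learn_until)
    live = [e for e in events if e.ts >= learn_until]
    verdicts: Counter = Counter()
    alerts: List[Tuple] = []
    dropped = 0
    for e in live:
        v = classify(e, allowed)
        verdicts[v] += 1
        if v != "allowed":
            alerts.append((e.ts, e.src, e.dst, e.func, v))
            if mode == "protect" and v == "not_allowed":
                dropped += 1
    rate = excessive_sources(live, window, limit)
    alerts.extend((None, src, "*", "*", "excessive_commands") for src in sorted(rate))
    return {"verdicts": dict(verdicts), "alerts": alerts,
            "dropped": dropped, "rate_sources": rate}


if __name__ == "__main__":
    for mode in ("monitor", "protect"):
        result = run(LOG, mode=mode)
        print(mode, result["verdicts"], "dropped:", result["dropped"])
        for alert in result["alerts"]:
            print("  ALERT", alert)
```

Running in monitor mode first and switching to protect once the learned baseline is stable is the staged activation the deck describes under configuration options; the rate check catches a permitted source behaving abnormally, which a pure allow-list would miss.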
Slide 20
Agenda
Check Point at a Glance
Critical Infrastructure at Risk
A Security Strategy
Check Point Critical Infrastructure Protection Solutions
Customer Case & Summary
Slide 21
Introducing: Security for Critical Industries
- Security products with granular SCADA support
- Advanced protections against threats to ICS networks
- Specialized gateways
Slide 22
Product Deployment Architecture
Diagram zones: Management Facility, Field Facility, Corporate WAN, SCADA WAN, SCADA Monitoring Network, Corporate Network, PLCs
(1) Corporate Security Gateways
(2) SCADA Security Gateway
(3) SCADA Field Security Gateway
(4) Endpoint Security Agent
(5) SCADA Logging and Management
Slide 23
Protecting the Perimeter
Multi-Layered Threat Prevention
Pre-Infection, static analysis: IPS, Antivirus
Pre-Infection, dynamic analysis: Threat Emulation
Post-Infection: Anti-Bot
Slide 24
Threat Prevention Solutions
IPS: prevent exploitation of known vulnerabilities
Antivirus: block download of known malware
Anti-Bot: block bot communication
Threat Emulation: fighting unknown threats
Real Time Security Collaboration powered by ThreatCloud
Slide 25
SCADA Application Control
Protocol-specific controls with directional awareness
Policy granularity at the command level: e.g., read/write/get
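A worked illustration of command-level, direction-aware policy, added here and not Check Point's code: a small Modbus/TCP parser reads the MBAP header and function code, classifies the command as read, write or diagnostic, and a zone-based rule table decides per direction whether it is permitted (monitoring and grid-partner hosts may read controllers, only the engineering workstation may write, and nothing is accepted in the controller-to-network direction or from the corporate LAN). The host addresses, zone names, rule table and sample frames are constructed assumptions; the function-code classes come from the public Modbus specification.

```python
"""Command-level, direction-aware Modbus/TCP policy check.

Added example, not Check Point code: it parses the MBAP header and PDU of a
Modbus/TCP request, classifies the function code as read, write or
diagnostic, and evaluates it against a zone-based rule table. Hosts, zones,
rules and sample frames are constructed for the example.
"""
import struct
from typing import Dict, Optional, Tuple

# Public function codes from the Modbus Application Protocol specification.
READ_FUNCS = {1: "read_coils", 2: "read_discrete_inputs",
              3: "read_holding_registers", 4: "read_input_registers"}
WRITE_FUNCS = {5: "write_single_coil", 6: "write_single_register",
               15: "write_multiple_coils", 16: "write_multiple_registers",
               23: "read_write_multiple_registers"}
DIAG_FUNCS = {8: "diagnostics", 43: "encapsulated_interface_transport"}
FUNC_NAMES = {**READ_FUNCS, **WRITE_FUNCS, **DIAG_FUNCS}


def build_request(tid: int, unit: int, func: int, data: bytes) -> bytes:
    """Encode a Modbus/TCP request: MBAP (tid, proto=0, length, unit) + PDU."""
    return struct.pack(">HHHB", tid, 0, 2 + len(data), unit) + bytes([func]) + data


def parse_modbus_tcp(frame: bytes) -> Optional[Dict]:
    """Decode MBAP + PDU; return None for anything that is not a well-formed frame."""
    if len(frame) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    # The length field counts the unit id plus the PDU, so a frame is 6 + length bytes.
    if proto != 0 or length < 2 or length != len(frame) - 6:
        return None
    func = frame[7]
    if func & 0x80:
        kind = "exception"       # exception responses set the high bit of the function code
    elif func in READ_FUNCS:
        kind = "read"
    elif func in WRITE_FUNCS:
        kind = "write"
    elif func in DIAG_FUNCS:
        kind = "diagnostic"
    else:
        kind = "unknown"         # vendor-specific or reserved code
    return {"tid": tid, "unit": unit, "func": func, "kind": kind, "data": frame[8:]}


# Constructed topology: host -> zone. A real gateway would derive zones from networks.
HOST_ZONE = {
    "10.10.1.5": "scada_monitoring",   # HMI on the SCADA monitoring network
    "10.10.1.9": "engineering",        # engineering workstation
    "10.20.3.7": "corporate",          # corporate LAN host
    "172.16.0.2": "grid_partner",      # interconnected provider (RTU reporting only)
    "192.168.50.11": "plc",            # controller
}

# Direction-aware rules: (client zone, server zone, permitted command classes).
RULES = [
    ("scada_monitoring", "plc", {"read"}),
    ("engineering", "plc", {"read", "write", "diagnostic"}),
    ("grid_partner", "plc", {"read"}),
]


def evaluate(src_ip: str, dst_ip: str, frame: bytes, mode: str = "protect") -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'accept', 'drop' or 'log' (monitor-only mode)."""
    parsed = parse_modbus_tcp(frame)
    if parsed is None:
        return "drop", "malformed Modbus/TCP frame"
    src_zone = HOST_ZONE.get(src_ip, "unknown")
    dst_zone = HOST_ZONE.get(dst_ip, "unknown")
    # Directional awareness: requests are only ever accepted toward controllers.
    if dst_zone != "plc":
        return "drop", f"request not directed at a controller ({src_zone}->{dst_zone})"
    name = FUNC_NAMES.get(parsed["func"], f"func_{parsed['func']}")
    for client_zone, server_zone, kinds in RULES:
        if (client_zone, server_zone) == (src_zone, dst_zone):
            if parsed["kind"] in kinds:
                return "accept", f"{src_zone}->{dst_zone} {name} permitted"
            verdict = "drop" if mode == "protect" else "log"
            return verdict, f"{src_zone}->{dst_zone} {name} ({parsed['kind']}) not permitted"
    return "drop", f"no rule for {src_zone}->{dst_zone}"


# Constructed sample requests (unit id 1).
READ_HR = build_request(1, 1, 3, struct.pack(">HH", 0, 10))          # read 10 holding registers
WRITE_REG = build_request(2, 1, 6, struct.pack(">HH", 0x10, 0x1234))  # write single register
MALFORMED = READ_HR[:-1]                                              # length field no longer matches

if __name__ == "__main__":
    for src, dst, frame in [("10.10.1.5", "192.168.50.11", READ_HR),
                            ("10.10.1.5", "192.168.50.11", WRITE_REG),
                            ("10.10.1.9", "192.168.50.11", WRITE_REG),
                            ("172.16.0.2", "192.168.50.11", WRITE_REG),
                            ("10.20.3.7", "192.168.50.11", READ_HR),
                            ("192.168.50.11", "10.10.1.5", READ_HR),
                            ("10.10.1.5", "192.168.50.11", MALFORMED)]:
        print(src, "->", dst, evaluate(src, dst, frame))
```

The mode parameter mirrors a monitor-only versus protect setting: in monitor mode a rule miss is logged rather than dropped, while malformed frames, reverse-direction requests and traffic with no matching rule are always dropped. The grid_partner rule is the "RTU capacity reporting but no commands to PLCs" case: reads pass, every write class is refused.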
Slide 26
Slide 27
SCADA Protocols Support
• IEC 60870-5-104
• ICCP (IEC 60870-6)
• OPC
• DNP3
• MMS
• Modbus
• BACnet
• Profinet
• ELCOM-90 *
• Profibus *
* In development
Additional protocols are constantly added
Slide 28
SCADA SmartEvent: forensics are key for any investigation!
- History of all SCADA commands in the network
- History of attempts to send an excessive number of commands
- History of all network reconnaissance attempts
- Complete forensics down to packet captures
Slide 29
SCADA Intrusion Prevention
- Integrated SCADA IPS signature set
- Built on the industry-leading IPS Software Blade
- Support for both ICS-specific and corporate IPS requirements
- Full packet capture and integrated event monitoring and analysis
Sample SCADA protections shown on the slide:
Citect SCADA ODBC Overflow Attempt
Rockwell RSLogix Denial of Service Vulnerability
Schneider Electric UnitelWay Windows Device Driver Buffer Overflow
Siemens Automation License Manager Multiple Vulnerabilities
RealWin HMI Service Buffer Overflow 2
RealWin INFOTAG/SET_CONTROL Packet Processing Buffer Overflow
Broadcast Request from an Authorized Client
IGSS SCADA STDREP Request Buffer Overflow
Rockwell RNA Message Negative Header Length
WonderWare SuiteLink DOS Attempt
ClearSCADA Cross-site Scripting Attempt
IGSS SCADA ReadFile Function Buffer Overflow
RealFlex RealWin SCADA On_FC_CTAGLIST_FCS_ADDTAGMS Buffer Overflow
Sielco Sistemi WinLog Stack Overflow Attempt
SCADA Engine OPC Client Buffer Overflow Vulnerability
Siemens Tecnomatix FactoryLink Stack Overflow Vulnerability
ScadaTEC SCADAPhone and ModbusTagServer Buffer Overflow
Automated Solutions Modbus/TCP Master OPC server Modbus TCP Header Corruption
Unauthorized Miscellaneous Request to a PLC
IGSS SCADA RMS Report Template WriteFile Command Buffer Overflow
Iconics Genesis SCADA Freeing of Unitialized Memory Trigger
Intellicom NetBiter Config HICP Hostname Buffer Overflow
ClearSCADA Heap Overflow Attempt
Ecava IntegraXor Directory Traversal Attempt
IGSS SCADA dc.exe Server Directory Traversal Arbitrary File Execution – 0xa
Rockwell RNA Message Header Not Null Terminated
Slide 30
SCADA Workstation Security
Slide 31
Product Deployment Architecture (diagram repeated from slide 22)
Slide 32
Configuration Options
Multiple configuration scenarios
Monitor-only and protect settings
Staged activation: move from monitor to protect over time
Layer 3 inline and layer 2 bridge mode
Single interface tap mode
Slide 33
Secure Interconnectivity to Other Parties
- Maintain segregation between providers on the grid
- Enable RTU capacity reporting but prevent commands to PLCs
- Build IP-based networks for future SmartGrid functionality
Slide 34
Compliance Management
Slide 35
Security Appliances for Environmentally Controlled Locations
SECURITY FOR THE ENTIRE RANGE
- Small Office / Desktop: 2200 Appliance
- Enterprise Grade: 4000 Appliances
- Datacenter Grade: 12000 Appliances
- Ultra High-End: 61000 System and 21400 Appliance
Slide 36
Ruggedized Security Appliances
High Performance, Rack Mountable
Medium Performance, Rack Mountable
DIN Rail Mounted
RuggedCom/Siemens Industrial Edge
IAS T1
IAS U1
• Wide temperature range
• No moving parts: fan-less design with SSD drive and no internal cabling
• Isolated power design with wide AC/DC input range
• IEC 61850-3 and IEEE 1613 compliant
Slide 37
Check Point Managed Security Service™
Monitors your Check Point gateways for advanced threats and provides expert resources to optimize your security around the clock
- Human Expertise
- Threat Intelligence
- Threat Prevention Software Blades: IPS, Anti-Bot, Antivirus, Threat Emulation
Slide 38
Agenda
Check Point at a Glance
Critical Infrastructure at Risk
A Security Strategy
Check Point Critical Infrastructure Protection Solutions
Summary
Slide 39
Approaches to the Problem
- Pro-active
- Wait for the regulation
- Wait for the cyber-attack
Slide 40
Summary & Recommendations
- Maintain a strong perimeter to avoid infections
- Monitor SCADA activity, collect forensics and detect anomalies
- Deploy SCADA-specific PREVENTION technologies such as Firewalling, Application Control and Threat Prevention
- Conduct a risk-free out-of-band POC in your network to examine your traffic and plan a security strategy together.