[CLASS 2014] Technical talk - Ilan Barda
DESCRIPTION
Talk title: Integration of physical and cyber security for distributed SCADA systems.
TRANSCRIPT
Holistic Security for Critical Infrastructure
Ilan Barda
SCADA Security conference
November 2014, Brasil
RADiFlow - Overview
• Utilities deploy modern Distributed Automation devices connecting Remote locations over large-scale IP networks
• Exposing Critical assets to Cyber Security Attacks
-2- © Copyright 2014, RADiFlow Ltd.
RADiFlow provides cyber security solutions for critical distributed automation networks
Growing Install-base
Cyber Security deployments are lagging
• Multiple cases of breaches in critical infrastructure
• Multiple studies identified the critical gaps in cyber security
• There is a hype of discussions and interest
• … but deployments are lagging
– Lack of strict regulations
– Lack of financial incentives
– Lack of blue-print solutions
Current OT Cyber Security practices
• A Separate operation network is not necessarily secure
• L2/L3 security is not sufficient
– IP spoofing
– VLAN hopping
• Security in the control-center can be bypassed
– Field to Field attack
– Man-in-the-Middle attack
“smart grid cyber-security guidelines did not address an important element… risk of attacks that use both cyber and physical means”
– Electricity Grid Modernization; Report to Congressional Requesters, US GAO, January 2011
A Holistic Security Solution is Required
Protecting Distributed SCADA from Insider Attacks
Attack vector
• Control-Center malware
• Field-site breach
• Man-in-the-Middle
• Maintenance access
Security Measure
• Service-aware firewall
• Distributed firewalls
• Encryption
• Identity Management
[Diagram: Control Center with HMI and Engineering Station; Controller1 at Facility1 serving Dev1.1 and Dev1.2, Controller2 at Facility2 serving Dev2.1 and Dev2.2]
Distributed IPS for ICS networks
• Per-user role-based validation of SCADA sessions
– Applied to both IP & Serial devices
• Deployment next to each end-point
– Inline IPS or Virtual IDS
• End-to-End support logic
– Intuitive provisioning based on auto-learning
– Event log with SOC tools integration
[Diagram: SCADA packet layout – Ethernet & IP Header, Protocol Header, Function Code, Function Parameters]
Firewall use-case – Power meter logic
• A field attack from a Smart-Grid site on other sites
• SCADA firewall enables all monitoring commands
[Diagram: Data Center and Control Center]
Firewall use-case – RTU software update
• The technician laptop infects the Engineering station in the control center
• The Engineering station downloads new software to the field RTUs
• Distributed SCADA firewall blocks access to the firmware address-range
• Stuxnet scenario can be prevented
[Diagram: Technician laptop connected to the Eng. Station in the Control Center; Sub-Station RTU, Facility RTU and IEC61850 IEDs in the field]
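As an added example (not RADiFlow's code), this is the role-based validation the two firewall use-cases describe, applied to Modbus/TCP: a field router parses the MBAP header and function code, lets a power-meter role issue only monitoring (read) functions, and blocks the engineering role's writes into the register range that is assumed here to hold the RTU firmware. The firmware address range, the role names and the sample frames are constructed assumptions.

```python
import struct

# Public Modbus function codes (Modbus specification).
READ_COILS, READ_DISCRETE, READ_HOLDING, READ_INPUT = 0x01, 0x02, 0x03, 0x04
WRITE_SINGLE_REG, WRITE_MULTI_REGS = 0x06, 0x10
MONITORING = {READ_COILS, READ_DISCRETE, READ_HOLDING, READ_INPUT}
# Constructed assumption: this RTU maps its firmware image to holding registers
# 0xF000-0xFFFF; real devices differ, take the range from the vendor documentation.
FIRMWARE_RANGE = (0xF000, 0xFFFF)
# Constructed role policy: power meters may only read; engineering may also write,
# but never into the firmware range, so a pushed update stops at the field router.
ROLE_POLICY = {
    "power_meter": {"allowed": MONITORING, "blocked_ranges": []},
    "engineering": {"allowed": MONITORING | {WRITE_SINGLE_REG, WRITE_MULTI_REGS},
                    "blocked_ranges": [FIRMWARE_RANGE]},
}

def parse_modbus_tcp(frame):
    """Return (unit_id, function, start_addr, register_count) for one Modbus/TCP request."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:   # MBAP length covers unit id + PDU
        raise ValueError("malformed MBAP header")
    function, params = frame[7], frame[8:]
    if function in MONITORING or function == WRITE_MULTI_REGS:
        start, count = struct.unpack(">HH", params[:4])       # start address, quantity
    elif function == WRITE_SINGLE_REG:
        start, count = struct.unpack(">H", params[:2])[0], 1
    else:
        start, count = 0, 0                                   # no address field to check
    return unit, function, start, count

def check_session(role, frame):
    """Role-based DPI decision for one request: returns (allowed, reason)."""
    policy = ROLE_POLICY.get(role)
    if policy is None:
        return False, "unknown role %r" % role
    try:
        _unit, function, start, count = parse_modbus_tcp(frame)
    except (ValueError, struct.error) as exc:
        return False, "parse error: %s" % exc
    if function not in policy["allowed"]:
        return False, "function 0x%02X not allowed for role %s" % (function, role)
    last = start + count - 1
    for lo, hi in policy["blocked_ranges"]:
        if count and start <= hi and last >= lo:              # address ranges overlap
            return False, "registers 0x%04X-0x%04X hit protected range" % (start, last)
    return True, "ok"

# Constructed frames: read 10 holding registers at address 0 on unit 1; write 2
# registers (4 data bytes) starting inside the firmware range.
READ_FRAME = bytes.fromhex("000100000006" "01" "03" "0000" "000A")
FW_WRITE_FRAME = bytes.fromhex("00020000000B" "01" "10" "F000" "0002" "04" "DEADBEEF")
```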
Physical & Cyber security – Integrated solution
• Correlate SCADA access rights to physical access-control indications
• Validate user operations using DPI of SCADA commands
• SCADA DPI integrated in field routers enabling distributed IPS deployment
• Automatic learning of the normal traffic patterns of SCADA application
• Integration with SIEM tool for roles provisioning and activity log
Restricted user operations in the cyber corridors of Distributed automation networks
Physical & IT & OT security – Integrated solution
• Correlation of security events – PACS, IT, OT
• Detecting APT patterns
[Diagram label: Active Directory]
Integrated security in a Ruggedized site gateway
[Diagram: building blocks – Multi-Service Resilient Network, Ruggedized System, Secure Access, Service Validation, Service Management; themes – Operational Simplicity, Defense-in-depth solution, Solid infrastructure]
Security solution validated by US Research Labs
• Role Based IPS/IDS for SCADA Protocols
• Securing Data Traffic (Legacy or IP)
• Secure Authentication
• Persistent, Reliable Logging
• Integration with SOC tools
Focus applications
• Power T&D (Smart-Grid, Sub-station automation)
• Smart-City, Safety and Security
• Intelligent Transportation (Railways, Highways)
• Drilling and Pipelines (Water, Oil & Gas)
• Out-of-Band Maintenance (Telco, CATV)
Case Study – Sub-station LAN
[Diagram: Primary Sub-Station LAN with Router + Firewall 1 and Router + Firewall 2 in VRRP High Availability, uplinked to MPLS PE 1 and MPLS PE 2 over the MPLS carrier 1 and MPLS Carrier 2 Backbones; attached devices – Power Monitoring, Serial RTU, ETH RTU, VoIP GW, CCTV]
• IEC61850-3 compliant switch/router
• IEC104/61850 Firewall
• Inter-site IPSec VPN
• Integration with PSIM
Case Study – Consolidated Smart-Grid network
• Mix of fiber and cellular backhauling
• Regulation for Separate VPNs for AMI and DA
• Implementation highlights
– Service-aware VPN functionality
– IEC101/104 SCADA firewall
– Fiber or cellular uplinks
– Service-aware QoS for cellular network
Smart-City network infrastructure
• Compact ruggedized switch for smart-city cabinets
– Ethernet with PoE for CCTV
– Serial and discrete I/O ports for simple automation devices
– Cellular modem for backup
• Integrated security mechanisms
– IPSec VPN for public network
– ModBus Firewall for automation devices
• Integration with PSIM in control center
[Diagram: Smart-City cabinet serving Traffic Control, Message board and CCTV, connected to the Control Center]
Case Study – Highway automation & monitoring
[Diagram: Ring 1 to Ring 6 connecting a Central site (1588 clock) to Remote sites with Traffic control, Security cameras, Tetra base stations and Message boards over RS-232/485 and PoE; 1588 clock sync and QoS across the rings]
• Large-scale transportation control applications require
– Scalable & resilient network architecture
– Mixture of Ethernet, Serial & Discrete devices
– ModBus firewall for critical automation services
– PoE support for CCTV cameras
– IEEE 1588v2 support for radio synchronization
Case-study – Gas drilling sites
• Remote management from across the US
– Connecting RTUs, CCTV and user LAN from each site
• Main access via private fiber ring + leased-line with backup over cellular
– Data Encryption over public network
– Validation of SCADA ModBus sessions
– Network resiliency – Fiber and Cellular
– Compact Ruggedized system with Serial, ETH and PoE
[Diagram label: Public Carrier]
Case-study – Out-of-Band maintenance
• Operators need to establish new remote POPs
– CATV, FTTH, Satellite, Campus WiFi, LTE micro-cell
• Normal management uses the in-band network
• Out-Of-Band management uses alternative physical media
Cost-effective Out-Of-Band connectivity
– NO need for wired infrastructure
– EASY ESTABLISHMENT over LTE/3G
– RESILIENT CONNECTIVITY by 2 SIM cards
– SECURE connections by IPSec and Firewall
– LAN PORTS for seamless LAN connectivity
– TERMINAL SERVER for CONSOLE PORT
– DISCRETE IO for alarm forwarding
[Diagram: Control Center reaching the Network Elements over In-band Management and over a Separate Out-Of-Band Network for Out-Of-Band Management]
Summary
• Modern critical infrastructure deployments use Ethernet
– A holistic security solution is mandatory
• RADiFlow Secure communication solution
– Unique distributed service-aware firewall by the network
– Integrated defense-in-depth tool-set
– Optimize CapEx and OpEx
For more details:
www.radiflow.com