How Security Can Be Stronger Than a Firewall: 13 Different Ways of Breaking Through Firewalls
Description: by Andrew Ginter, VP Industrial Security, Waterfall Security Solutions (mail: andrew.ginter@waterfall-security.com)
Transcript
Proprietary Information – Copyright © 2013 by Waterfall Security Solutions Ltd.
UNIDIRECTIONAL SECURITY GATEWAYS™
How Security Can Be Stronger Than a Firewall: 13 Different Ways of Breaking Through Firewalls
Andrew Ginter, VP Industrial Security, Waterfall Security Solutions
1st Ibero-American Industrial Cybersecurity Congress
Industrial Security Priorities
Safety, Reliability, Confidentiality
Attribute           | Enterprise / IT                                       | Control System
--------------------|-------------------------------------------------------|------------------------------------------------------------------
Scale               | Huge: 100,000's of devices                            | 100-500 devices per DCS
Priority            | Confidentiality                                       | Safety and reliability
Target              | Data theft                                            | Sabotage
Exposure            | Constant exposure to Internet content                 | Exposed to business network, not Internet
Equipment lifecycle | 3-5 years                                             | 10-20 years
Security discipline | Speed / aggressive change: stay ahead of the threats  | Security is an aspect of safety: Engineering Change Control (ECC)

Most IT controls are not appropriate. You manage IT and ICS networks differently.
Elephants in the Room
● Plain text communication protocols – at least for local / DCS communications
● Anti-virus / constant change is hard – many sites limit use of AV
● Security updates / constant change is worse
● Vulnerable designs / components: 100,000 vulnerabilities
● Old equipment – will anyone sell you anti-virus signatures for Windows 2000?
● Timing, network traffic and other sensitivities
Industrial sites deploy compensating measures such as physical security and cyber-perimeter security
13 Ways Through a Firewall
1) Phishing / drive-by-download – victim pulls the attack
2) Social engineering / steal a password / keylogger
3) Compromise domain controller – create firewall account
4) Attack exposed servers – SQL injection / DoS / etc.
5) Attack exposed clients – compromise web servers
6) Session hijacking – man-in-the-middle / steal HTTP cookies
7) Piggy-back on VPN – split tunnelling / viruses
8) Firewall vulnerabilities – zero-days / design vulnerabilities
9) Errors and omissions – bad rules / IT errors
10) Forge an IP address – rules are IP-based
11) Bypass network perimeter – e.g. rogue wireless
12) Physical access to firewall – reset to factory defaults
13) Sneakernet – removable media / laptops
Keeping a firewall secure takes people and processes…
(Photo: Red Tiger Security)
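Items 9 and 10 above (bad rules, and rules that trust nothing but a source address) are the ones a defender can check for mechanically. The following rule-set audit is an example added to this transcript; it is not from the talk and not part of any Waterfall product. The zone addresses, the firewall's management address, the five-tuple rule format and the sample rules are all constructed for the illustration.

```python
"""Audit a firewall rule set for the weaknesses listed as #9 (errors and
omissions: bad rules) and #10 (rules are IP-based, so a forged source
address satisfies them).  Added example with a constructed rule format:
each rule is (action, src, dst, proto, port), with "any" as a wildcard."""
import ipaddress

# Assumed site layout (constructed): one corporate and one control-system
# subnet, with the firewall's ICS-side management interface at 192.168.50.1.
ZONES = {
    "CORP": ipaddress.ip_network("10.10.0.0/16"),
    "ICS": ipaddress.ip_network("192.168.50.0/24"),
}
FIREWALL_MGMT = "192.168.50.1/32"
MGMT_PORTS = {22, 443, 8443}

# Constructed sample rule set, in evaluation order (first match wins).
SAMPLE_RULES = [
    ("allow", "10.10.5.12/32", "192.168.50.10/32", "tcp", 5450),  # one PI client to the historian
    ("allow", "any", "192.168.50.0/24", "tcp", 3389),             # RDP into ICS from anywhere
    ("allow", "10.10.0.0/16", "192.168.50.20/32", "tcp", 502),    # Modbus from the whole corporate zone
    ("allow", "10.10.9.9/32", FIREWALL_MGMT, "tcp", 443),         # firewall admin UI, gated by source IP only
    ("allow", "any", "any", "any", "any"),                        # leftover troubleshooting rule
    ("deny", "any", "any", "any", "any"),                         # intended default deny
]


def _net(spec):
    """Wildcard 'any' becomes None; everything else is parsed as a network."""
    return None if spec == "any" else ipaddress.ip_network(spec, strict=False)


def _reaches_ics(dst):
    """True if the destination overlaps the control-system zone."""
    dst_net = _net(dst)
    return dst_net is None or dst_net.overlaps(ZONES["ICS"])


def audit(rules):
    """Return (index, kind, detail) findings for a rule list."""
    findings = []
    blanket_allow_at = None
    for i, (action, src, dst, proto, port) in enumerate(rules):
        if blanket_allow_at is not None:
            findings.append((i, "SHADOWED",
                             f"never evaluated: rule {blanket_allow_at} already matches all traffic"))
            continue
        if action != "allow":
            continue
        if (src, dst, proto, port) == ("any", "any", "any", "any"):
            findings.append((i, "ANY_ANY", "permits all traffic; every later rule is dead"))
            blanket_allow_at = i
            continue
        if not _reaches_ics(dst):
            continue
        src_net = _net(src)
        if src_net is None:
            findings.append((i, "INBOUND_FROM_ANY", f"ICS port {port} reachable from any source address"))
        elif ZONES["CORP"].subnet_of(src_net):
            findings.append((i, "BROAD_SOURCE", f"entire corporate zone may reach ICS port {port}"))
        if dst == FIREWALL_MGMT and (port == "any" or port in MGMT_PORTS):
            findings.append((i, "IP_ONLY_AUTH",
                             "management access is gated by source address alone, which can be forged"))
    return findings


def finding_kinds(rules):
    """Convenience view: just the (index, kind) pairs."""
    return [(i, kind) for i, kind, _ in audit(rules)]


if __name__ == "__main__":
    for index, kind, detail in audit(SAMPLE_RULES):
        print(f"rule {index}: {kind}: {detail}")
```

Run against the sample set, the audit reports the RDP-from-anywhere rule, the whole-zone Modbus rule, the source-address-only management rule, the forgotten any/any allow, and the default deny it shadows; the single-host historian rule passes. The IP_ONLY_AUTH finding is the deck's point 10 restated as a check: a rule that identifies an administrator by address alone offers nothing that a spoofed packet does not also present, so management access needs a second factor such as an authenticated VPN.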
#1 Phishing / Spam / Drive-By-Download
● Single most common way through (enterprise) firewalls
● Client on business network pulls malware from internet, or activates malware in email attachment
● “Spear-phishing” – carefully crafted email to fool even security experts into opening attachment
#2 Social Engineering – Steal a Password
● VPN password on sticky note on monitor, or under keyboard
● Call up administrator, weave a convincing tale of woe, and ask for the password
● Ask the administrator to give you a VPN account
● Shoulder-surf while administrator enters firewall password
● Guess
● Install a keystroke logger
#3 Compromise Domain Controller – Create Account
● More generally – abuse trust of external system
● Create account / change password of exposed ICS server, or firewall itself
● Other external trust abuse – compromise external HMI, ERP, DCS vendor with remote access, WSUS server, DNS server, etc.
#4 Attack Exposed Servers
● Every exposed port is vulnerable:
  ● SQL injection
  ● buffer overflow
  ● default passwords
  ● hard-coded passwords
  ● denial of service / SYN flood
(Image: Night Dragon attack)
Unidirectional Security Gateways
(Diagram: Industrial Network → Waterfall TX Server → Waterfall TX appliance → Waterfall RX appliance → Waterfall RX Server → Corporate Network)
● Laser in TX, photocell in RX, fibre-optic cable – you can send data out, but nothing can get back in to protected network
● TX uses 2-way protocols to gather data from protected network
● RX uses 2-way protocols to publish data to external network
● Absolute protection against online attacks from external networks
Secure Historian Replication
(Diagram: Industrial Network [PLCs, RTUs, Historian, Waterfall TX agent] → Unidirectional TX appliance → Unidirectional RX appliance → Corporate Network [Waterfall RX agent, Replica Historian, Workstations]; unidirectional historian replication)
● Hardware-enforced unidirectional historian replication
● Replica historian contains all data and functionality of original
● Corporate workstations communicate only with replica historian
● Industrial network and critical assets are physically inaccessible from corporate network & 100% secure from any online attack
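What the one-way link changes for the replication protocol is easy to state and worth seeing run: the receiving side can notice that a frame never arrived, but it has no path on which to ask for it again. The simulation below is an example added to this transcript, not Waterfall's code, and assumes nothing about how their TX and RX agents actually work. The link object simply offers the RX side no call in the TX direction; the sender compensates by resending a full snapshot every few frames, and the tag names, values and snapshot interval are constructed.

```python
"""Toy model of hardware-enforced one-way historian replication.

Added example, not Waterfall's code.  The link offers the RX side no call in
the TX direction, so the receiver can notice a lost frame but never ask for a
retransmit; the sender compensates by resending a full snapshot every
SNAPSHOT_EVERY frames, which is what lets the replica converge again."""
import json
import zlib
from collections import deque

SNAPSHOT_EVERY = 4  # assumption for the demo: full snapshot after every 4th frame


class OneWayLink:
    """Models laser-in-TX / photocell-in-RX: TX appends, RX only pops.

    Deliberately, no method exists for RX to place anything on the link;
    `drop` is a set of frame indices simulated as lost in transit."""

    def __init__(self, drop=()):
        self._queue = deque()
        self._drop = set(drop)
        self._sent = 0

    def tx_send(self, frame):
        index, self._sent = self._sent, self._sent + 1
        if index not in self._drop:
            self._queue.append(frame)

    def rx_recv(self):
        return self._queue.popleft() if self._queue else None


def encode(seq, kind, payload):
    """Frame = JSON body + '|' + CRC32, so RX can reject corrupted frames."""
    body = json.dumps({"seq": seq, "kind": kind, "payload": payload}).encode()
    return body + b"|" + zlib.crc32(body).to_bytes(4, "big")


def decode(frame):
    body, _, crc = frame.rpartition(b"|")
    if len(crc) != 4 or zlib.crc32(body) != int.from_bytes(crc, "big"):
        return None
    return json.loads(body)


class HistorianTX:
    """Plant-side sender: gathers tag values and pushes them one way."""

    def __init__(self, link):
        self.link, self.seq, self.store = link, 0, {}

    def _emit(self, kind, payload):
        self.link.tx_send(encode(self.seq, kind, payload))
        self.seq += 1
        if self.seq % SNAPSHOT_EVERY == 0 and kind != "snapshot":
            self._emit("snapshot", dict(self.store))  # periodic full resend covers any loss

    def record(self, tag, value):
        self.store[tag] = value
        self._emit("update", {tag: value})


class ReplicaRX:
    """Corporate-side receiver: rebuilds the replica, counting what it could not get."""

    def __init__(self, link):
        self.link, self.store = link, {}
        self.expected, self.gaps, self.corrupt = 0, 0, 0

    def drain(self):
        while (frame := self.link.rx_recv()) is not None:
            msg = decode(frame)
            if msg is None:
                self.corrupt += 1
                continue
            if msg["seq"] != self.expected:
                self.gaps += 1  # loss is visible here, but there is no path to request a resend
            self.expected = msg["seq"] + 1
            if msg["kind"] == "snapshot":
                self.store = dict(msg["payload"])  # a snapshot replaces the whole replica
            else:
                self.store.update(msg["payload"])
        return dict(self.store)


def run_demo(drop=(2,)):
    """Replicate three tags, lose frame 2, then let the 4th update's snapshot repair the replica."""
    link = OneWayLink(drop=drop)
    tx, rx = HistorianTX(link), ReplicaRX(link)
    for tag, value in [("FT-101", 12.5), ("PT-205", 3.1), ("TT-310", 88.0)]:  # constructed tags
        tx.record(tag, value)
    after_loss = rx.drain()
    tx.record("FT-101", 12.9)  # frame 3, which also triggers snapshot frame 4
    after_snapshot = rx.drain()
    return {
        "after_loss": after_loss,
        "after_snapshot": after_snapshot,
        "gaps": rx.gaps,
        "in_sync": after_snapshot == tx.store,
        "rx_can_transmit": hasattr(link, "rx_send"),
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

With frame 2 dropped, the replica is missing the TT-310 value until the next snapshot arrives, at which point it matches the plant historian again; the gap counter records that a loss was seen, and nothing on the RX side can generate traffic back toward the plant. That is the design consequence of the laser-and-photocell arrangement: integrity and completeness on the corporate side come from redundancy in what TX sends, not from acknowledgements, and TCP-style protocols such as OPC or PI replication must be terminated at the TX server and re-originated at the RX server rather than carried end to end.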
Waterfall Unidirectional Gateway Connectors
Leading Industrial Applications/Historians
● OSIsoft PI, PI AF, GE iHistorian, GE iFIX
● Scientech R*Time, Instep eDNA, GE OSM
● Siemens: WinCC, SINAUT/Spectrum
● Emerson Ovation, Wonderware Historian
● SQL Server, Oracle, MySQL, SAP
● AspenTech, Matrikon Alert Manager
Leading IT Monitoring Applications
● Log transfer, SNMP, Syslog
● CA Unicenter, CA SIM, HP OpenView, IBM Tivoli
● HP ArcSight SIEM, McAfee ESM SIEM
File/Folder Mirroring
● Folder and tree mirroring, remote folders (CIFS)
● FTP/FTPS/SFTP/TFTP/RCP
Leading Industrial Protocols
● OPC: DA, HDA, A&E, UA
● DNP3, ICCP, Modbus
Remote Access
● Remote Screen View™
● Secure Manual Uplink
Other connectors
● UDP, TCP/IP
● NTP, multicast Ethernet
● Video/audio stream transfer
● Mail server / mailbox replication
● IBM MQ Series, Microsoft MSMQ
● Antivirus updater, patch (WSUS) updater
● Remote print server
Use Case: Iberdrola Cofrentes Nuclear Plant
● Replicates plant historian to corporate network
● Unidirectional gateways are deployed at the majority of American nuclear generators
● Protect safety networks, control networks and plant networks
● Routinely replicate OPC, historians, Syslog, Modbus and SNMP
● Specified in NRC 5.71 and NEI 08-09 regulatory guides
(Image: NRC Regulatory Guide 5.71)
Use Case: New Brunswick Power – Power Generation
● Inter Control Center Protocol (ICCP) replication to regional electric system control center
● OSIsoft PI Server replication at all generating plants
● Deployed fleet-wide: 3000 MW
● Absolute protection from external network attacks
Use Case: Detroit Water – Waterfall Solution
● Replaced firewall a service provider was managing: $10,000/mo
● Deployed OSIsoft PI Server and replica: aggregate all information to be shared with business network
● Hydraulic optimization reduces $50M/year power costs by 3-7%
● Cell-phone loop-check improves field technician productivity
● Real-time sewage utilization to client utilities reduces their costs and increases customer satisfaction
Trends in Standards and Guidance
● Increasingly, regulations, standards and best-practice guidance recognize hardware-enforced unidirectional communications
● Most recent: ISA SP-99-3-3 / IEC 62443-3-3 and NERC CIP V5
Waterfall Security Solutions
● Headquarters in Israel, sales and operations office in the USA
● Hundreds of sites deployed in all critical infrastructure sectors
● Best Practice Award 2012, Industrial Network Security; 2013 Oil & Gas Customer Value Enhancement Award
● IT and OT security architects should consider Waterfall for their operations networks
● Waterfall is a key player in the cyber security market: 2010, 2011 and 2012
● Strategic partnership agreements / cooperation with OSIsoft, GE, Siemens, and many other major industrial vendors
Unidirectional Gateways: Secure IT/OT Integration
● Firewalls are porous
● Security: absolute protection of safety and reliability of control system assets, from network attacks originating on external networks
● Compliance: best-practice guidance, standards and regulations are evolving to recognize strong security
● Costs: reduces security operating costs: improves security and saves money
andrew.ginter@waterfall-security.com
www.waterfall-security.com