scada and hmi security in indusoft web studio

SCADA AND HMI SECURITY IN INDUSOFT WEB STUDIO July 16, 2014

Upload: marcia-gadbois

Post on 10-May-2015


DESCRIPTION

In this security focused webinar, we will learn from InduSoft experts how to protect systems against cybersecurity threats, and we’ll have an opportunity to learn more from IT experts at Capstone Works about how to protect networks from both internal and external threats to security.

TRANSCRIPT

Page 1: SCADA and HMI Security in InduSoft Web Studio

SCADA AND HMI SECURITY IN INDUSOFT WEB STUDIO

July 16, 2014

Page 2: SCADA and HMI Security in InduSoft Web Studio

AGENDA

Page 3: SCADA and HMI Security in InduSoft Web Studio

Agenda

Enhancing Cybersecurity on InduSoft Projects – Sundar Krishnan, Cybersecurity and Counter Terrorism

Firewalls and other SCADA Security Considerations – Chuck Adams, President, Capstone Works

Page 4: SCADA and HMI Security in InduSoft Web Studio

ENHANCING CYBERSECURITY ON INDUSOFT PROJECTS

Page 5: SCADA and HMI Security in InduSoft Web Studio

Agenda

Cybersecurity in SCADA world – a background

Guidelines to improve security on Indusoft projects to thwart cyber-attacks

Trainings, further readings, and certifications

Summary

Page 6: SCADA and HMI Security in InduSoft Web Studio

CYBERSECURITY IN SCADA WORLD

Page 7: SCADA and HMI Security in InduSoft Web Studio

SCADA CYBERSECURITY Overview

SCADA (Industrial Control Systems)- Key to nation's critical infrastructure

SCADA world- Consists of Electronic components, computers, applications

Threats from Cyberspace on SCADA infrastructure

416 days before Advanced Hackers are detected (Mandiant)

Cost of cyber-attacks within the USA at $8.9 billion in 2012 (Ponemon Institute)

Page 8: SCADA and HMI Security in InduSoft Web Studio

SCADA CYBERSECURITY – Actors

BLACK-HAT: Career/mainstream hackers; organized hackers (for a cause); sponsored/terrorist hackers

SCRIPT-KIDDIES; INSIDER THREATS

WHITE-HAT: Cybersecurity experts; penetration-testing experts; hack for non-malicious purposes

GREY-HAT: Hackers for a fee; combination of white and black tactics

Page 9: SCADA and HMI Security in InduSoft Web Studio

SCADA CYBERSECURITY STANDARDS & GUIDELINES – Highlights

Focus of SCADA standards and guidelines on various Threat-groups

Courtesy: Teodor Sommestad, Göran N. Ericsson, Jakob Nordlander, SCADA System Cyber Security – A Comparison of Standards

Page 10: SCADA and HMI Security in InduSoft Web Studio

SCADA CYBERSECURITY STANDARDS & GUIDELINES – Highlights contd.

Focus of SCADA standards and guidelines on various Countermeasure-groups

Courtesy: Teodor Sommestad, Göran N. Ericsson, Jakob Nordlander, SCADA System Cyber Security – A Comparison of Standards

Page 11: SCADA and HMI Security in InduSoft Web Studio

GUIDELINES ON IMPLEMENTING CYBERSECURITY MEASURES

Page 12: SCADA and HMI Security in InduSoft Web Studio

RISK MANAGEMENT

RISK = Vulnerability x Probability (Likelihood) x Impact (Consequences)

Risk Plan, Matrix, Assessment - Key to implement Cybersecurity on Indusoft projects

Risk Assessment - perform at screen/control levels

Risk Assessment boundary - include Networks, Applications, Databases, Encryption, Interfaces, Project tasks, Resources, Stakeholders etc.

Risk Tools - CSET (DHS), Risk Register, CIA Ranking, RACI Charts, Plot: Vulnerability Vs. Probability Vs. Impact etc.

Risk Management process - Continuous & Iterative

Risk management is the process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives, and deciding what countermeasures, if any, to take in reducing risk to an acceptable level, based on the value of the information resource to the organization - Certified Information Systems Auditor (CISA) Review Manual 2006

[Figure: RISK MANAGEMENT Cycle (continuous and iterative): Frame Risks, Assess, Respond, Monitor]

Page 13: SCADA and HMI Security in InduSoft Web Studio

RISK MANAGEMENT– cont.

CIA TRIAD: Integrity, Confidentiality, Accountability

RISK MATRIX

RISK MANAGEMENT PROCESS

INCIDENT MANAGEMENT PLAN

DISASTER RECOVERY PLAN

CHANGE MANAGEMENT PLAN

BUSINESS CONTINUITY PLAN (BCP)

RISK TREATMENTS

Avoidance (distant)

Reduction (mitigate)

Sharing (transfer – outsource or insure)

Retention (accept and budget)

Page 14: SCADA and HMI Security in InduSoft Web Studio

RISK MANAGEMENT – cont.

R
• Who is responsible for this Risk (Owner)
• Who can work on this Risk (Subject Matter Expert)

A
• Whose head will roll if this Risk occurs?
• Who has the Authority to take a decision on this Risk

C
• Who can be consulted on this Risk

I
• Anyone to be informed if this Risk occurs
• Who needs to be updated on the progress during the Risk (Incident response)

Page 15: SCADA and HMI Security in InduSoft Web Studio

PROJECT SECURITY DESIGN

Security Design/Architecture - a secure project artifact on all Indusoft projects

Completed before the start of the project

Periodically revisited for change

Address threats identified in the Risk assessment

Address all interfaces to the project/solution

Outline owners of components

Passwords, encryption keys, sensitive information – Secure storage

Contain details of Network Topology and Security, Application Security, Database Security, Operating System security, Encryptions, Protocols, Web Certificates, Patches, Firmware, Hardware etc.

Page 16: SCADA and HMI Security in InduSoft Web Studio

STRONG PASSWORDS

STRONG = minimum of 8 alpha-numeric characters long (combination of upper, lower, numbers and special characters)

Configure to periodically change

Reset all passwords post go-live of project (hand-off)

NO blank passwords

NO default passwords (from 3rd party applications)

NO scribble/scrawl of credentials at workplace for easy recollection

NO sharing

NO reuse

Page 17: SCADA and HMI Security in InduSoft Web Studio

SECURITY BEYOND PASSWORDS

2-tier security – Example:
• Combination of strong passwords + e-keyboard (scramble keys)
OR
• Combination of strong passwords + pattern match via touch

Multi-Layered security – Example:
• Access level security – screen control level
OR
• Access level security – screen level

• Balance Excess Security Vs. User Comfort
• SAFETY Vs. SECURITY: Allow for approved security overrides during emergencies.

Page 18: SCADA and HMI Security in InduSoft Web Studio

SECURITY BEYOND PASSWORDS - contd

Project Security design should address:
– Runtime Security
– Engineering Access
– Auto Log-Off options
– Account Lockout (after 3 tries) [to be strictly enforced]
– Password options enforcement

Page 19: SCADA and HMI Security in InduSoft Web Studio

INDUSOFT SECURITY LAYERS

File – Level Security Main Password: Secures the various security layers

ONLINE TUTORIAL: http://www.indusoft.com/Marketing/Article/ArtMID/684/ArticleID/285/Security-Video

Page 20: SCADA and HMI Security in InduSoft Web Studio

INDUSOFT PROJECT FILES ENCRYPTION

Security at Project level

Indusoft Built-In security feature

Addresses Intellectual property (IP) concerns

Use “Verify” feature for identifying project inconsistencies

Page 21: SCADA and HMI Security in InduSoft Web Studio

SECURITY GROUPS (ROLE SEGREGATION)

Indusoft: GROUP = SECURITY ROLE

Need for Security Role segregation

Balance Security Groups Vs. Overall Complexity

Secure default Guest Group

Restrict ADMIN GROUP (Highest level)

Page 22: SCADA and HMI Security in InduSoft Web Studio

DATABASE USERS & PRIVILEGES

Strong passwords

NO blank passwords

Prefer Windows (NT) Integrated Security

Password expiry, logon attempts

Limit database privileges (role)

Configure database connection timeouts

Page 23: SCADA and HMI Security in InduSoft Web Studio

DATABASE – DATA & OBJECT(S)

Encrypt sensitive data on tables

Restrict user access to tables

Promote use of views

Avoid “easy” naming of objects

Page 24: SCADA and HMI Security in InduSoft Web Studio

WEB CERTIFICATES

Promote using web security certificates (https)

Use latest browser version with patches

Secure browser with proper security settings

Disable Internet access on Production environment

Page 25: SCADA and HMI Security in InduSoft Web Studio

SMTP(S) - SSL & PORTS

Avoid default port “25” settings

Enable SSL for SFTP

Configure for “authentication-required”

Avoid default FTP port 21

Use SFTP on scheduled tasks, services, batch jobs etc.

Avoid using TCP Server “default” 1234 port

SMTP ports: 25 for non-SSL, 465 for SSL

Page 26: SCADA and HMI Security in InduSoft Web Studio

DOMAIN LDAP (AD) AUTHENTICATION

Centralized & standardized login authority and security policies

Centralized identity across both UNIX and Windows

Single & secure authentication against disconnected systems

One password to remember

LDAP: Lightweight Directory Access Protocol for accessing and maintaining distributed directory information services

Page 27: SCADA and HMI Security in InduSoft Web Studio

SERVICE ACCOUNTS – LOCAL & VIRTUAL

Use Windows NT Integrated security

Use NT Service accounts for Database connections, file-folder permissions etc.

Use Virtual Service accounts (Win7 & Win2008 onwards)

Use NT group and policies when applicable

DO NOT use administrator accounts or groups

Page 28: SCADA and HMI Security in InduSoft Web Studio

FILE/FOLDER-LEVEL SECURITY PERMISSIONS

Check file/folder security permissions

Check folder hierarchy permissions

Restrict users for Full Control

Check for missing .dlls

Check .dlls for SHA1 or MD5 hash/signatures

– Microsoft’s File Checksum Integrity Verifier tool (Free)

Perform above checks periodically
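The periodic .dll check listed above can be scripted as a baseline-and-compare job. The following is an added example, not part of the original slides or of InduSoft's tooling: it defaults to SHA-256 rather than the SHA1/MD5 the slide names (pass `algorithm="sha1"` or `"md5"` to compare against FCIV output), and the file names in `demo()` are constructed.

```python
import hashlib
import os
import tempfile


def file_digest(path, algorithm="sha256"):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, algorithm="sha256", suffix=".dll"):
    """Map each matching file (path relative to root) to its digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(suffix):
                full = os.path.join(dirpath, name)
                baseline[os.path.relpath(full, root)] = file_digest(full, algorithm)
    return baseline


def verify(root, baseline, algorithm="sha256", suffix=".dll"):
    """Compare the folder against a stored baseline.

    Reports files that disappeared, files that changed, and files that
    were not present when the baseline was taken.
    """
    current = build_baseline(root, algorithm, suffix)
    common = baseline.keys() & current.keys()
    return {
        "missing": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
        "unexpected": sorted(set(current) - set(baseline)),
    }


def demo():
    """Constructed project folder: take a baseline, change it, verify."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in [("driver_a.dll", b"v1"), ("driver_b.dll", b"v1"),
                           ("notes.txt", b"ignored")]:
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        # In practice the baseline is stored off the monitored machine.
        baseline = build_baseline(root)

        with open(os.path.join(root, "driver_a.dll"), "wb") as f:
            f.write(b"v2")                                  # content changed
        os.remove(os.path.join(root, "driver_b.dll"))       # file removed
        with open(os.path.join(root, "extra.dll"), "wb") as f:
            f.write(b"new")                                 # file added
        return verify(root, baseline)


if __name__ == "__main__":
    print(demo())
```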

Page 29: SCADA and HMI Security in InduSoft Web Studio

NETWORK SECURITY

Need for firewalls, IDS, IPS, Routers

Block unused ports (free-port management)

Segregate business networks from corporate network via firewalls.

Understand communication protocols used

Implement tools to continuously monitor and manage networks

Evaluate SSL, VPN, Encryption, Malware defenses on Indusoft projects

Page 30: SCADA and HMI Security in InduSoft Web Studio

INDUSOFT REMOTE AGENT

Secure Remote connections with built-in Encryption

TUTORIAL: http://www.indusoft.com/Marketing/Article/ArtMID/684/ArticleID/283/Remote-Management-Video

Page 31: SCADA and HMI Security in InduSoft Web Studio

MOBILE SECURITY

Evaluate Risk with mobile devices (Use a risk-based approach such as the NIST Cybersecurity Framework)

Identify and catalog mobile devices on network

Assign proper content and functionality to each device specific to user

Ensure passphrase or password lock feature with periodic change.

Use of encryption

Deliver only location-based content to the device via fencing restrictions (based on GPS coordinates or Wi-Fi triangulation of their portal)

Follow other security best practices

InduSoft delivers a HMI application’s Smart Device Content securely to HTML5 compliant mobile browsers

Page 32: SCADA and HMI Security in InduSoft Web Studio

Forensic investigations rely on Events, Logs and Alarms

EVENTS, LOGS & ALARMS

Need for logging of events and alarms

Clarity in Log data/information

Log data – determine what needs to be IN/OUT

Logs/Alarms – based on Risk factors

Balance: Volume vs. Disk-space vs. Operator Acknowledgment

Page 33: SCADA and HMI Security in InduSoft Web Studio

FORENSIC TIP: DO NOT POWER-OFF A COMPROMISED COMPUTER UNTIL INCIDENT/FORENSIC TEAM RESPONDS. YOU MAY ONLY UNPLUG THE COMPUTER FROM THE NETWORK WHILE WAITING.

LOGS & ALARM HISTORY

Alarm database history > 7 days (preferably on an external secured database)

Immediate Backup and Secure alarm database post incident – Forensic Evidence

Do not overwrite log files.

Secure log files

Page 34: SCADA and HMI Security in InduSoft Web Studio

INDUSOFT PROJECT CODE

KISS: Keep it Simple and Secure

Avoid printout of code files

Smart/simple/efficient coding

Refer to best-practices during coding

Avoid sensitive information in-script comments

Close un-used connections (FTP, Database, SMTP)

Handle errors/exceptions

Check for SQL Injections

Check for Cross-Site Scripting (XSS)

Option Explicit
On Error Resume Next
' ... statements that may fail go here ...
If Err Then
    HandleError    ' project-specific error handler
    Err.Clear
End If
On Error Goto 0

Page 35: SCADA and HMI Security in InduSoft Web Studio

PROJECT DOCUMENTATION

Safeguard project documentation

Destroy sensitive documents

Privacy Concerns

Use Configuration Management process

Promote TFS Integration

Page 36: SCADA and HMI Security in InduSoft Web Studio

CYBERSECURITY AWARENESS

External media usage

Social-engineering, like phishing

Avoid sharing project details on LinkedIn, discussion forums

Watch for shoulder surfing

Watch for insider threats

Prepare for Incident Reporting

Learn about SCADA Malwares, Exploits

Page 37: SCADA and HMI Security in InduSoft Web Studio

TRAININGS, FURTHER READINGS, AND CERTIFICATIONS

Page 38: SCADA and HMI Security in InduSoft Web Studio

TRAININGS, FURTHER READING & CERTIFICATIONS

• NIST Framework - http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf
• ICS-CERT – Industrial Control Systems Cybersecurity Online trainings – FREE
• ICS-CERT – Industrial Control Systems Cybersecurity Certifications – FREE
• OWASP - Open Web Application Security Project – FREE membership @ local chapters
• National SCADA Test Bed Program Online security trainings (http://www.inl.gov/scada/training/) – FREE
• Cyber Terrorism Defense Initiative (FEMA - http://www.cyberterrorismcenter.org/registration.html) – FREE
• InfraGard - Security awareness trainings (https://www.infragardawareness.com/) – FREE
• SANS Institute Webcasts (https://www.sans.org/webcasts/) – FREE

Page 39: SCADA and HMI Security in InduSoft Web Studio

SUMMARY

Page 40: SCADA and HMI Security in InduSoft Web Studio

SUMMARY

Cybersecurity Threats in the SCADA world are for real

Volume and complexity of Cyber-threats grow each day

Project Goals to incorporate “Security”

Implement project’s Risk Management process in essence

Incorporate Security alongside Safety in all levels of designs

All project stakeholders need to be Cybersecurity Evangelists

SECURE SCADA WORLD = SECURE NATIONAL INFRASTRUCTURE

Page 41: SCADA and HMI Security in InduSoft Web Studio

FIREWALLS AND OTHER SCADA SECURITY CONSIDERATIONS

Page 42: SCADA and HMI Security in InduSoft Web Studio

Firewalls, and other SCADA Security considerations

WHAT YOU DON’T KNOW CAN HURT YOU!

Page 43: SCADA and HMI Security in InduSoft Web Studio

Threats abound

Control systems have become the target of actors seeking to damage national infrastructure.

Many control systems are “too vulnerable” and can be exploited as SPAM bots or much worse

Let's talk about two examples…

Page 44: SCADA and HMI Security in InduSoft Web Studio

Threat Scenario – Harrisburg, PA

The water supply system in Harrisburg, Pennsylvania was attacked in 2006.
◦ An employee has a company laptop on the internet at his home office, connected to the control network through a VPN (Virtual Private Network)
◦ A hacker from overseas infects the laptop with a virus over the Internet
◦ The virus then propagates over the VPN connection into the control network and infects another Windows PC located right in the heart of the control system
◦ The infected systems were used to distribute SPAM email

Page 45: SCADA and HMI Security in InduSoft Web Studio

Threat Scenario - Stuxnet

In June 2010, the existence of Stuxnet was revealed to the world, a 500-kilobyte computer worm that infected the software of at least 14 industrial sites in Iran, including a uranium-enrichment plant.

As a worm it spreads autonomously, often over a computer network. This worm was an unprecedentedly masterful and malicious piece of code that attacked in three phases.

◦ First, it targeted Microsoft Windows machines and networks, finding vulnerable machines and repeatedly replicating itself.

◦ Then it sought out Siemens Step7 software, which is also Windows-based and used to program industrial control systems that operate equipment, such as centrifuges.

◦ Finally, it compromised the programmable logic controllers. The worm’s authors could thus spy on the activities of industrial systems and even cause the fast-spinning centrifuges to tear themselves apart, while reporting “normal” performance readings to the human operators at the plant.

Page 46: SCADA and HMI Security in InduSoft Web Studio

Threat Mitigation
◦ Firewalls
◦ Managing Industry specific protocols
◦ Network file and folder level security
◦ Controlling Physical access
◦ Blocking known threats and unknown ports
◦ Disabling USB insertion
◦ Software updates

Page 47: SCADA and HMI Security in InduSoft Web Studio

Firewalls – what are they, anyway?
◦ Perimeter Security
◦ Stands between you and the “bad guys”
◦ Works at a fairly low level – data and network layers
  ◦ (OSI Layer 2 and OSI Layer 3)
◦ Inspects packets, dropping those matching its “threat” rules
◦ Typically requires specific IT expertise to “get it right”

Page 48: SCADA and HMI Security in InduSoft Web Studio

Basic types of Firewalls
◦ Three broad categories of firewalls
  ◦ Packet Filters
  ◦ Stateful Packet Filters
  ◦ Application Aware Packet Filters

Page 49: SCADA and HMI Security in InduSoft Web Studio

What is a packet anyway

Page 50: SCADA and HMI Security in InduSoft Web Studio

Packet Filters or “Simple Firewalls”
◦ At their most simple level, firewalls inspect the TCP and UDP traffic in and out of your business and drop packets that match threat rules.
◦ Decisions are made based solely on the information contained within the packet
◦ Decisions are made without regard for each packet’s potential relationship with other packets.
◦ Work is done at the network and physical layers, checking the transport layer for only source and destination port numbers.
◦ Rules are static
◦ Limitations
  ◦ Cannot understand the context of a connection
  ◦ Cannot understand the bounds of an application

Page 51: SCADA and HMI Security in InduSoft Web Studio

Packet “Inspection”

Page 52: SCADA and HMI Security in InduSoft Web Studio

Stateful or Second Generation Firewalls
◦ These perform all the functions of the simple firewall, plus:
◦ They retain the packet long enough to know if the packet is
  ◦ the start of a new connection
  ◦ part of an existing connection
  ◦ not part of any connection
◦ Rules are still static, but can now make decisions based on connection state
◦ Limitations
  ◦ Cannot detect events that would be out of bounds for a particular application protocol
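The difference between the simple and the stateful filter shows up when both judge the same traffic. This is an added example, not part of the original slides: the addresses, ports and rule set are constructed, and connection teardown is not modelled.

```python
from dataclasses import dataclass

INSIDE = "10.0.0."   # constructed control-network prefix (assumption)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset


def inside(ip):
    return ip.startswith(INSIDE)


def stateless_allow(p):
    """Static rules: each packet is judged alone, on addresses and ports."""
    if inside(p.src) and not inside(p.dst):
        return p.dport == 443                      # outbound HTTPS only
    if inside(p.dst) and not inside(p.src):
        # Replies have to get back in, and without connection context the
        # rule can only say "from port 443 to a high port".
        return p.sport == 443 and p.dport >= 1024
    return False


class StatefulFilter:
    """Same outbound policy, but inbound packets must belong to a connection."""

    def __init__(self):
        self.conns = {}   # (inside ip, port, outside ip, port) -> state

    def allow(self, p):
        if inside(p.src) and not inside(p.dst):
            key = (p.src, p.sport, p.dst, p.dport)
            if p.dport == 443 and p.flags == {"SYN"}:
                self.conns[key] = "SYN_SENT"       # start of a new connection
                return True
            return key in self.conns               # part of an existing one
        key = (p.dst, p.dport, p.src, p.sport)
        state = self.conns.get(key)
        if state is None:
            return False                           # not part of any connection
        if state == "SYN_SENT":
            if p.flags != {"SYN", "ACK"}:
                return False                       # wrong step in the handshake
            self.conns[key] = "ESTABLISHED"
        return True


def pkt(src, sport, dst, dport, *flags):
    return Packet(src, sport, dst, dport, frozenset(flags))


# Constructed traffic: an HMI opens one HTTPS session; packet 4 is unsolicited.
TRAFFIC = [
    pkt("10.0.0.5", 50000, "192.0.2.10", 443, "SYN"),
    pkt("192.0.2.10", 443, "10.0.0.5", 50000, "SYN", "ACK"),
    pkt("10.0.0.5", 50000, "192.0.2.10", 443, "ACK"),
    pkt("198.51.100.7", 443, "10.0.0.9", 5000, "ACK"),
    pkt("192.0.2.10", 443, "10.0.0.5", 50000, "ACK"),
]


def compare(traffic=TRAFFIC):
    """Return (stateless verdict, stateful verdict) for each packet in order."""
    stateful = StatefulFilter()
    return [(stateless_allow(p), stateful.allow(p)) for p in traffic]


if __name__ == "__main__":
    for p, verdicts in zip(TRAFFIC, compare()):
        print(p.src, p.sport, "->", p.dst, p.dport, sorted(p.flags), verdicts)
```

Only the fourth packet is treated differently: the static rule admits it because its ports look like a reply, while the stateful filter drops it because no tracked connection matches.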

Page 53: SCADA and HMI Security in InduSoft Web Studio

Stateful Packet Inspection

Page 54: SCADA and HMI Security in InduSoft Web Studio

Next Generation Firewalls

Application aware
◦ Operates at TCP/UDP protocols and below - OSI Layer 2, 3 and 4
◦ “Understands” FTP (21), SMTP (25), DNS (53), HTTP (80), HTTPS (443), and certain firewall industry specific protocols
◦ Can detect attempts to gain access through misuse of standard or known application ports
◦ Performs their work through deep packet inspection
  ◦ Delving into the contents and message contained within the TCP/UDP packets.

Page 55: SCADA and HMI Security in InduSoft Web Studio

Industry Specific Firewalls
◦ Understand SCADA specific protocols
◦ Process and block SCADA specific threats
◦ The most effective in protecting SCADA/HMI applications
◦ Allows for security zones, as recommended in ISA/IEC 62443 standards
◦ Can provide Centralized management and reporting across the facility
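What "understanding a SCADA specific protocol" means in practice is sketched below as an added example, not part of the original slides and not any vendor's implementation. It assumes Modbus/TCP as the protocol (the slides name none), and the source addresses and per-source policy are constructed.

```python
import struct

READ_CODES = {1, 2, 3, 4}        # read coils, discrete inputs, holding/input registers
WRITE_CODES = {5, 6, 15, 16}     # write single/multiple coils and registers

# Constructed policy (assumption): which function codes each source may send.
POLICY = {
    "10.0.1.20": READ_CODES,                  # HMI panel: read-only
    "10.0.1.30": READ_CODES | WRITE_CODES,    # engineering workstation
}


def inspect_request(src_ip, payload):
    """Return (verdict, reason) for one Modbus/TCP request payload."""
    if len(payload) < 8:
        return ("drop", "shorter than MBAP header plus function code")
    _tid, proto, length, _unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        return ("drop", "protocol identifier is not 0, so not Modbus")
    # The length field counts the unit id and the PDU that follow it.
    if length != len(payload) - 6 or length > 254:
        return ("drop", "MBAP length field does not match the payload")
    func = payload[7]
    allowed = POLICY.get(src_ip)
    if allowed is None:
        return ("drop", "source address not in policy")
    if func not in allowed:
        return ("drop", "function code %d not permitted for %s" % (func, src_ip))
    return ("allow", "function code %d" % func)


def request(tid, unit, func, data):
    """Build a well-formed Modbus/TCP request (used for the constructed samples)."""
    pdu = bytes([func]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def demo():
    """Run constructed requests through the filter; return the verdicts."""
    hmi, eng, unknown = "10.0.1.20", "10.0.1.30", "10.0.1.99"
    read = request(1, 1, 3, struct.pack(">HH", 0, 10))     # read 10 registers
    write = request(2, 1, 6, struct.pack(">HH", 1, 500))   # write one register
    samples = [
        (hmi, read),                  # permitted read
        (hmi, write),                 # HMI is read-only
        (eng, write),                 # workstation may write
        (hmi, read + b"\x00\x00"),    # trailing bytes: length mismatch
        (unknown, read),              # source not in policy
    ]
    return [inspect_request(src, data)[0] for src, data in samples]


if __name__ == "__main__":
    print(demo())
```

A port-based rule would pass all five requests, since each one arrives on the protocol's expected port; the decisions here come from the message contents.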

Page 56: SCADA and HMI Security in InduSoft Web Studio

Industry Specific Firewalls

Benefits
◦ Pre-emptive, protocol specific, threat detection
◦ Threat termination
◦ Centralized threat reporting
◦ Allows for the mitigation of threats prior to the subsequent release of new firmware and eliminates the need to immediately interrupt production for an unscheduled maintenance window.

Page 57: SCADA and HMI Security in InduSoft Web Studio

Application Aware Inspection

Page 58: SCADA and HMI Security in InduSoft Web Studio

Network and File Level Security

File Level Encryption

Windows NTFS Permissions
◦ Security Groups
◦ Share Permissions

SMB Signing
◦ places a digital signature into each server message block, which is used by both SMB clients and servers to prevent so-called “man-in-the-middle” attacks and guarantee that intra-machine SMB communications are not altered.

Page 59: SCADA and HMI Security in InduSoft Web Studio

Network and File Level Security

Remote Desktop Limitations
◦ Restrict access to only known IP Addresses/Subnets

Caveats
◦ Given users with access to the Indusoft project folder, security must be managed
◦ Secure critical areas using file & folder level security
◦ Windows Domain level security is best
◦ Workgroup security is much less granular and not centrally managed

Page 60: SCADA and HMI Security in InduSoft Web Studio

Physical Access Controls
◦ Physical Room Access
  ◦ Password/Keypad
  ◦ Biometric Access – Fingerprint/Retina Scans
  ◦ GOFL – Good Old Fashioned Locks
◦ Compartmentalized Machine Access
  ◦ Locked Racks within locked rooms
◦ Limit USB Keys
  ◦ Disable USB Key Drivers to prevent USB Key insertion

Page 61: SCADA and HMI Security in InduSoft Web Studio

Proactive Security
◦ Block Known Access Ports
◦ Use “non standard” ports through port translation or setup configurations
◦ Open only the minimum required ports for your application
◦ Pen-Test periodically to reveal oversights and omissions

Page 62: SCADA and HMI Security in InduSoft Web Studio

Software Security Patches

◦ Windows
◦ Keep your networks current
  ◦ Vulnerabilities may not start in your HMI infrastructure
  ◦ Can easily start on a laptop or desktop and then spread to SCADA systems

Page 63: SCADA and HMI Security in InduSoft Web Studio

Software Security Patches

◦ Vendor Patches and Service Packs
  ◦ Latest: Indusoft v7.1 SP3
◦ Hardware firmware
  ◦ Vendor Firmware Updates

Page 64: SCADA and HMI Security in InduSoft Web Studio

Common Vulnerabilities and Exposures

Be aware of relevant CVEs - http://cve.mitre.org
◦ CVE-2014-0780
  ◦ allows remote attackers to read administrative passwords in APP files, and consequently execute arbitrary code, via unspecified web requests.
◦ CVE-2011-4051
  ◦ execute arbitrary code via vectors related to creation of a file, loading a DLL, and process control.
◦ CVE-2011-0340
  ◦ allow remote attackers to execute arbitrary code via a long (1) InternationalOrder, (2) InternationalSeparator, or (3) LogFileName property value; or (4) a long bstrFileName argument to the OpenScreen method.
◦ CVE-2011-4052
  ◦ allows remote attackers to execute arbitrary code via a crafted 0x15 (aka Remove File) operation for a file with a long name.
◦ CVE-2011-4051
  ◦ allows remote attackers to execute arbitrary code via vectors related to creation of a file, loading a DLL, and process control.


Page 66: SCADA and HMI Security in InduSoft Web Studio

Q & A

Page 67: SCADA and HMI Security in InduSoft Web Studio

HOW TO CONTACT INDUSOFT

Page 68: SCADA and HMI Security in InduSoft Web Studio

Web site: (English) www.indusoft.com; (Portuguese) www.indusoft.com.br; (German) www.indusoft.com.de

Phone: (512) 349-0334 (US); +55-11-3293-9139 (Brazil); +49 (0) 6227-732510 (Germany)

Toll-Free: 877-INDUSOFT (877-463-8763)

Fax: (512) 349-0375