Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Project 9: Real Time Data Transfer “Name of Presenter” Presenter Enter details about the presenter here. More details about the presenter. © 2016 LOGIIC APPROVED FOR PUBLIC RELEASE — 2 The LOGIIC Model of Government and Industry Partnership Linking the Oil and Gas Industry to Improve Cyber Security © 2016 LOGIIC APPROVED FOR PUBLIC RELEASE — 3 Project 9: Real Time Data Transfer Background Assessment Approach Assessment Findings Conclusion © 2016 LOGIIC APPROVED FOR PUBLIC RELEASE — 4 Real Time Data Transfer (RTDT) Background Overview • Focused on assessment and analysis • Solutions provide data sets that support decisions • Evaluated different RTDT technologies • Conducted assessments in an IACS laboratory • Findings were published in a report © 2016 LOGIIC APPROVED FOR PUBLIC RELEASE — 6 Objective Evaluate Solutions Presently Available Corporate Domain Level 4 IEC 62443 RTDT SERVER DeMilitarized Zone (DMZ) Level 3.5 IEC 62443 RTDT RELAY Industrial Automation and Control Systems (IA/CS) Up to Level 3 IEC 62443 RTDT BPCS WS Reference Architecture BPCS 1 BPCS 1 BPCS WS BPCS 2 BPCS WS BPCS WS BPCS 2 BPCS EWS IMS Antivirus Backup Alarms Historian Server Antivirus Backup Alarms Historian Server BPCS 1 NETWORK BPCS EWS IMS BPCS 2 NETWORK © 2016 LOGIIC APPROVED FOR PUBLIC RELEASE — 7 Purpose RECOMMEND EVALUATE IMPROVE STUDY PREPARE PROVIDE FOUNDATIONS © 2016 LOGIIC APPROVED FOR PUBLIC RELEASE — — 88 © 2016 LOGIIC CONFIDENTIAL Surveys • Identified available vendor technologies • Surveyed Executive Committee members • Used to define scope, use cases, and test scenarios © 2016 LOGIIC APPROVED FOR PUBLIC RELEASE — 9 Real Time Data Transfer (RTDT) Assessment Approach Methodology THREAT RISK VULNERABILITY CONSEQUENCE Risk = Threat x Vulnerability x Consequence © 2016 LOGIIC APPROVED FOR PUBLIC RELEASE — 11 Onsite Assessment • Reconnaissance TEST PLAN • Information Capture and Data Retrieval Attempts • Targeted Attacks • Denial of Service (DoS) © 2016 LOGIIC APPROVED FOR PUBLIC RELEASE — 12 Vendor Approach Automation Vendor Solutions Third-Party Solutions Each assessment conducted as an independent sub-project. © 2016 LOGIIC APPROVED FOR PUBLIC RELEASE — 13 Test Approach Insider and Outsider Threat Scenarios using SME Methods • Public and customized exploits • Custom payloads • Specialized test equipment © 2016 LOGIIC APPROVED FOR PUBLIC RELEASE — 14 Pre-work Phase • Connection of test equipment • Network validation • Reconnaissance • Traffic capture © 2016 LOGIIC APPROVED FOR PUBLIC RELEASE — 15 Test Scenarios 0 1 Packet Captures 0 2 Configuration of Servers 0 3 Configuration of Firewalls 0 4 Network Access Control © 2016 LOGIIC APPROVED FOR PUBLIC RELEASE — 16 0 5 Man-in-the-Middle 0 6 Data Packet Replay 0 7 Application Authentication 0 8 Denial of Service 17 © 2016 LOGIIC APPROVED FOR PUBLIC RELEASE — 17 0 9 Default Account Configuration 1 0 Audit Logs 11 Applicable Existing Exploits 18 © 2016 LOGIIC APPROVED FOR PUBLIC RELEASE — 18 Test Tools KALI LINUX™ U U U EXISTING EXPLOITS U U NESSUS® NMAP FORENSIC ANALYSIS u U ETTERCAP CUSTOM ATTACK SCRIPTS U WIRESHARK® U REVERSE ENGINEERING TOOLS U ARP SPOOFING TOOLS U © 2016 LOGIIC APPROVED FOR PUBLIC RELEASE — 19 Analysis of Findings TECHNICAL OPERATIONAL Research Usability Documentation Ease of Setup Assessment Tests Maintenance Requirements Background Info Observations Functional Tests Skillsets to Maintain and Use System © 2016 LOGIIC APPROVED FOR PUBLIC RELEASE — 20 Real Time Data Transfer (RTDT) Assessment Findings Positive Security Attributes Automation and Third-Party Vendors Solution Footprint Third-Party Technology within Automation Vendor Solutions Networking Components Encryption Network and Packet Handling Layered Security Management and Maintenance © 2016 LOGIIC APPROVED FOR PUBLIC RELEASE — 22 Positive Security Attributes Correct Encryption Implementation Packet Integrity and Privacy Patching Disabling Unnecessary Ports and Services Securing Data at Rest Log File Structure and Protection Removal of Default Settings Configuration of Network Devices © 2016 LOGIIC APPROVED FOR PUBLIC RELEASE — 23 Automation and Third-Party Vendors • Automation Vendors who offer full control systems alongside RTDT solutions • Third-Party Vendors who specialize in the RTDT area and do not sell full control systems Both vendor solutions use OPC UA, DA, and DCOM protocol standards © 2016 LOGIIC APPROVED FOR PUBLIC RELEASE — 24 Automation Vendor Solutions • Designed primarily to interface with a particular control system • Larger footprint, more components, more configurability • Typically more hardware and networking components • Comprehensive “package” for asset owners • Assured it will work with their control system © 2016 LOGIIC APPROVED FOR PUBLIC RELEASE — 25 Third-Party Vendors • Perform a single objective • Significantly smaller and consisted only of software • No networking hardware is included in the solution © 2016 LOGIIC APPROVED FOR PUBLIC RELEASE — 26 Solution Footprint THIRD-PARTY VENDORS AUTOMATION VENDORS Smaller footprint Larger footprint Smaller attack surface Broader attack surface Less threat vectors Vendor maintenance ops Requires protection from surrounding architecture Accreditation is attractive, but not necessarily more secure © 2016 LOGIIC APPROVED FOR PUBLIC RELEASE — 27 Third-Party Technology within Automation Vendor Solutions • Common • Vulnerabilities may exist at various levels • Unpatched third-party OPC components • Components must be configured to recommendations made by the third-party vendor • Asset owners need supply-chain assurance © 2016 LOGIIC APPROVED FOR PUBLIC RELEASE — 28 Networking Components • Often include networking hardware and firewall configuration • Components did not always provide the required security or perform as anticipated • Asset owner assurance • Management and patch maintenance © 2016 LOGIIC APPROVED FOR PUBLIC RELEASE — 29 Encryption • When encryption is available, correct implementation is critical • Significant assessment findings focus on encryption • All solutions assessed offered some type of encryption © 2016 LOGIIC APPROVED FOR PUBLIC RELEASE — 30 Encryption Algorithm • Commensurate with industry best practices • Vendors should clearly identify the algorithm in use • Asset owners assumptions • Assessments identified algorithm implementation discrepancies • Independent validation and testing © 2016 LOGIIC APPROVED FOR PUBLIC RELEASE — 31 Encryption Implementation • Secure only when implemented correctly • Key generation, handling, and storage details • Hard-coded keys or confusion on how to change a key creates risks © 2016 LOGIIC APPROVED FOR PUBLIC RELEASE — 32 Understanding When and Where Encryption Exists Passwords Data Paths Server authentication Q Q Q Data at Rest Storage locations (optional) © 2016 LOGIIC APPROVED FOR PUBLIC RELEASE — 33 Network and Packet Handling • Firewalls and switches do not necessarily protect against MiTM attacks • ARP spoofing may also be possible • Packet integrity or privacy protected against MiTM attacks and data alteration • Use of a true DMZ (as defined by industry guidelines) © 2016 LOGIIC APPROVED FOR PUBLIC RELEASE — 34 Layered Security Storage - Commonly a SQL database - Configured with access controls Log Files - Content and system information - Access controls such as read-only restrictions © 2016 LOGIIC APPROVED FOR PUBLIC RELEASE — 35 Default Settings - Default accounts and passwords - Permission levels - Application settings - Unnecessary ports and services disabled Tag Security - Configurable tag security - Granular access controls - Default settings © 2016 LOGIIC APPROVED FOR PUBLIC RELEASE — 36 Management and Maintenance Troubleshooting No significant obstacles Time Range 45 minutes to 10 hours ! INSTALL ATION d Elements Hardware, software, configuration, and network H P User Interface Provided for configuration and management 5 u Settings Recommendations to change defaults Patches Each handled differently per vendor © 2016 LOGIIC APPROVED FOR PUBLIC RELEASE — 37 Real Time Data Transfer (RTDT) Conclusion Solutions • Functionality is effectively the same for automation and third-party vendors • Varied in size, structure, and integration • Automation vendor solutions typically include hardware, software, and networking components • Third-party vendors typically provided software-only solutions © 2016 LOGIIC APPROVED FOR PUBLIC RELEASE — 39 Technical Findings • Larger footprints create an increased attack surface • Solutions with third-party components require security at all layers • Encryption to protect data in transit - Algorithm - Key generation - Key handling - Storage © 2016 LOGIIC APPROVED FOR PUBLIC RELEASE — 40 Security • Securing networking components is critical • Configure user settings, tag security, application security • Patching and updates are necessary • A defense-in-depth approach within the design © 2016 LOGIIC APPROVED FOR PUBLIC RELEASE — 41 Process • Asset owners should work closely with vendors • All technical details should be considered • Operational considerations should be evaluated © 2016 LOGIIC APPROVED FOR PUBLIC RELEASE — 42 It is possible to securely transfer data outside the core IACS environment if all facets of the RTDT solution have been secured and a plan is established to maintain the needed level of security throughout the life-cycle. © 2016 LOGIIC APPROVED FOR PUBLIC RELEASE — 43