Critical Infrastructure Cybersecurity
Module 3: Technologies

Except where otherwise noted, this presentation is licensed under a Creative Commons Attribution 4.0 International License. ©2017 CyberWatch West, Whatcom Community College.

Lesson Objectives
• List several types of networking hardware and explain the purpose of each.
• List and describe the functions of common communications protocols and network standards used within CI.
• Identify new types of network applications, such as TCP/IP, and how they can be secured.
• Identify and understand the differences between IPv4 and IPv6.
• Discuss the unique challenges/characteristics of devices associated with industrial control systems.
• Explain how existing network administration principles can be applied to secure CIKR.

Comparison of Information Technology versus Operational Technology

Category | Information Technology (IT) | Operational Technology (OT)
Purpose | Process transactions, provide information | Control or monitor physical processes and equipment
Architecture | Enterprise-wide infrastructure and applications | Event-driven, real-time, embedded hardware and software (custom)
Interfaces | GUI, web browser, terminal, and keyboard | Electromechanical, sensors, actuators, coded displays, hand-held devices
Performance | Non-real-time, high throughput | Real-time, response is time-critical, modest throughput is acceptable
Connectivity | Corporate network, IP-based | Control networks, hard-wired twisted pair and IP-based
Role | Supports people | Controls machines
Throughput | Requires high throughput | Time-critical, but does not need high throughput

Source: CNSSI No. 1253
Major Components of an ICS
• Control Server
• SCADA Server or Master Terminal Unit (MTU)
• Remote Terminal Unit (RTU)
• Programmable Logic Controller (PLC)
• Intelligent Electronic Devices (IED)
• Sensors/Actuators
• Human-Machine Interface (HMI)
• Data Historian
• Input/Output (IO) Server

Figure: From top left, clockwise: Programmable Logic Controller (PLC); rack and servers located in an Energy Operations Center; temperature sensor; actuator. Source: CNSSI No. 1253

Network Components
Many different architectures and network topologies exist within control systems. Most of these networks now connect to corporate networks and communicate over them or over the Internet.
Major components of an ICS network may include:
◦ Fieldbus network
◦ Communications routers
◦ Firewall
◦ Modems
◦ Remote Access Points

Fieldbus Network – IEC 61158
• An industrial network system connecting instruments, sensors, and other devices to a PLC or controller.
• Eliminates the need for point-to-point wiring between the controller and each device, as devices share a common communication channel.
• Fieldbus protocols are typically proprietary, and controllers interfacing with fieldbus usually have less computing capability.
• Inherently insecure, due to its shared nature.

Routers
• Routers are network layer devices that transfer data between two different networks.
• Commonly used in SCADA networks to connect MTUs and RTUs to a long-distance medium for SCADA communication.
• Routers used in SCADA environments may be “ruggedized,” as they must operate in field conditions.
• Many come with SCADA-aware firewall capability.

Figure: Router between 3 LonTalk networks. Source: CNSSI No. 1253

Firewalls
A network security device that monitors and filters traffic on a network using predefined “rules” or policies. Used to segregate ICS networks from corporate networks. Different types of firewalls can be deployed:
◦ Stateless, or packet filtering – Older firewalls that operate at the Network layer (Layer 3) only, matching each packet in isolation against pre-defined rules. Because of their small size and low cost, these are commonly built into devices, but they have many security vulnerabilities.
◦ Stateful – Operate at the Transport and Network layers of the OSI model, examining each packet and deciding whether it is allowed based on context (what has been received before).
◦ Application – Examine application-layer data (HTTP, FTP, browser requests). Because they have to read further into the data packets, they are often too slow for ICS networks.

Modems
• Modulators/demodulators. Modems convert digital signals to analog so that they can be transmitted over analog phone lines.
• Used in SCADA systems to transmit data between MTUs and remote field devices.
• Also used in SCADA systems, DCSs, and PLCs for gaining access to manage devices and perform maintenance or diagnostics to troubleshoot issues.
Remote Access Points
Devices, such as personal digital assistants (PDAs), phones, tablets, or laptops, that remotely access data over a local area network (LAN) through a wireless connection.

Communications Protocols
Proprietary – Specific to a hardware manufacturer. Limited, if any, compatibility with other equipment or protocols.
Open Architecture – Designed to be interoperable with other equipment and standards. Popular open communication protocols:
◦ LonWorks
◦ BACnet
◦ Modbus
◦ DNP3
◦ HART

Modbus
• Created by PLC manufacturer Modicon in 1979 for use with its programmable logic controllers (PLCs); now owned by Telemechanique.
• An established (de facto) standard, as it is a simple protocol for transmitting data over serial lines between electronic devices.
• Modbus TCP/IP runs over a TCP/IP network.

IPv4 vs. IPv6
As with Modbus, many systems are converging with data networks, or sending data over the Internet, encapsulated in TCP/IP packets. TCP/IP is a protocol suite, developed in 1974, that was adopted for communications over the Internet. IPv4, developed in 1974, is limited by its 32-bit address space in the number of devices it can support once addressable devices are deployed at large scale.
IPv6 was developed in 1998 and, in addition to supporting a 128-bit address space, contains many security features not in IPv4:
◦ Support for authentication of origin (prevents spoofing)
◦ Encryption
While the Internet backbone is IPv6, many private networks run IPv4 to support legacy devices.

ICS Device Challenges
“Compromise of devices that run or are connected to different critical infrastructure systems could have the potential for major economic disruption, kinetic damage impacting public safety, or in extreme cases, catastrophic failure of national infrastructure or critical systems.”
— NSTAC Report to the President on the Internet of Things, National Security Telecommunications Advisory Committee

ICS Device Challenges (cont. 1)
Summary of NSTAC findings:
• It is estimated that, by 2020, there will be as many as 50 billion or more Internet-connected devices (sensors, processors, actuators), most of these directly supporting the nation’s critical infrastructure systems.
• Most of these will be controlled remotely, across the public Internet, from personal smartphones or tablets.
• If security is not made a core consideration, “there will be significant consequences to both national and economic security.”

ICS Device Challenges (cont. 2)
The many required connections to other networks and the Internet afford opportunities to attackers.
◦ Absence of basic security “hygiene” in legacy networks.
◦ Many ICS devices are too small to support authentication or encryption.
◦ Patching is difficult; most often devices are disposed of rather than patched.
◦ Many field-located devices must operate in harsh conditions, requiring them to be “ruggedized.”
◦ Prolific use of proprietary protocols and even operating systems complicates interoperability, security, and support.

Network Architecture for Nuclear Power Plant
Figure: network architecture diagram for a nuclear power plant.

Securing Critical Infrastructure and Key Resources (CIKR)
• Practice “defense-in-depth,” integrating people, technology, and operations capabilities. [1]
• Minimize known vulnerabilities and design devices to be future compatible. [2]
• Identify and assess security vulnerabilities. [2]
• Develop interoperable security and trust frameworks to enable threat information sharing. [2]
• As industries update to new technologies, segment/separate them from networks still containing legacy devices. [3]

[1] Glossary of Key Information Security Terms, NISTIR 7298 Revision 2, NIST.
[2] NSTAC Report to the President on the Internet of Things, National Security Telecommunications Advisory Committee.
[3] Guide to Industrial Control Systems (ICS) Security, NIST Special Publication 800-82 Revision 1.

ICS Firewall Design Considerations
ICS networks should be segregated (separated) from the corporate network. Use a stateful inspection firewall:
◦ Deny all, grant by exception: block all traffic to the ICS network except specific ICS traffic.
◦ Enable strong authentication (passwords, multi-factor authentication using tokens, biometrics, smart cards) to the ICS network.
◦ Design in the capability to disconnect the ICS network from the corporate network in the event of a compromise to either.

Figure: Firewall with DMZ between Corporate Network and Control Network

Last Slide
CyberWatch West is funded by a National Science Foundation Advanced Technology Education Grant and is located at Whatcom Community College
237 West Kellogg Road
Bellingham, WA 98226
T: 360.383.3176
www.cyberwatchwest.org
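The stateful, deny-all/grant-by-exception design from the ICS Firewall Design Considerations slide, and the "SCADA-aware" filtering mentioned under Routers, as an added Python example that is not part of the CyberWatch West deck: a toy policy engine that admits only Modbus TCP read functions from a DMZ host into the control network and admits replies only for connections it has already allowed. The 10.x subnets, flows and frames are constructed for illustration; the Modbus TCP header layout (MBAP: transaction id, protocol id, length, unit id, then the function code) is the published one and is not taken from the slides.

```python
import struct
from ipaddress import ip_address, ip_network

# Constructed network plan (assumption): the DMZ host is the only system
# allowed to talk into the control network, and only via Modbus TCP reads.
DMZ = ip_network("10.2.0.0/24")
ICS = ip_network("10.3.0.0/24")
READ_ONLY_FC = {1, 2, 3, 4}   # read coils / discrete inputs / registers
ALLOW = [(DMZ, ICS, 502, READ_ONLY_FC)]   # (src net, dst net, dport, FCs)

def parse_mbap(payload):
    """Return (unit_id, function_code) from a Modbus TCP frame, else None."""
    if len(payload) < 8:
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    # Protocol id is always 0; length counts the unit id plus the PDU.
    if proto != 0 or length != len(payload) - 6:
        return None
    return unit, payload[7]

class IcsFirewall:
    def __init__(self):
        self.established = set()   # (src, sport, dst, dport) we admitted

    def check(self, src, sport, dst, dport, payload=b""):
        src, dst = ip_address(src), ip_address(dst)
        # Stateful: a reply is admitted only for a connection already allowed.
        if (dst, dport, src, sport) in self.established:
            return "allow-reply"
        for src_net, dst_net, port, fcs in ALLOW:
            if src in src_net and dst in dst_net and dport == port:
                parsed = parse_mbap(payload)
                if parsed is None:
                    return "deny-malformed"
                if parsed[1] not in fcs:       # e.g. a write to the PLC
                    return "deny-fc%d" % parsed[1]
                self.established.add((src, sport, dst, dport))
                return "allow"
        return "deny-default"                  # everything else is dropped

def demo():
    """Constructed flows: FC3 read of two holding registers, FC6 write."""
    fw = IcsFirewall()
    read_hr = bytes.fromhex("000100000006" "01" "03" "00000002")
    write_reg = bytes.fromhex("000200000006" "01" "06" "00100001")
    return [fw.check("10.2.0.10", 40001, "10.3.0.5", 502, read_hr),
            fw.check("10.3.0.5", 502, "10.2.0.10", 40001),         # PLC reply
            fw.check("10.2.0.10", 40002, "10.3.0.5", 502, write_reg),
            fw.check("10.1.5.7", 40003, "10.3.0.5", 502, read_hr),  # corporate
            fw.check("10.1.5.7", 40004, "10.3.0.5", 22)]            # SSH to PLC
```

The corporate-side flows fall through to the default deny even when they carry well-formed Modbus, which is the "grant by exception" property the slide asks for; the write is denied by function code rather than by address, which is what makes the filter SCADA-aware.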