OSIsoft MLCoch Security And Hardening Of Your PI System

Transcription

Security and Hardening of Your PI System
Lubos Mlcoch, Cyber Security Advisor
#PIWorld 2019 OSIsoft, LLC

Agenda
1. Prologue
2. Sliding Scale of Security
3. The Big 4 of Cyber Security
4. Cyber Security Data Sheets
5. Call to Action

But my mission is just ...          Attacker viewpoint
Small electricity generator         Pathway to bulk electric system
IoT manufacturer                    Platform for botnet
Non-critical process plant          Exploit development system
ICS systems integrator              Malware distribution channel

Three Laws of SCADA Security
1. Nothing is secure
2. All software can be hacked
3. Every piece of information can be an attack
Source: Ginter, Andrew (2016) SCADA Security: What's broken and how to fix it.

Threat Spectrum

Threat                  Resources                           Attacks
Nation States           Military Grade, Nearly Unlimited    Autonomous Targeted Malware
Intelligence Agencies   Professional                        Remote Control, 0-Day Vulnerabilities
Hacktivists             Skilled Amateur                     Remote Control, Exploit Permissions
SCADA Insiders          Amateur                             Exploit Permissions
Organized Crime         Professional                        Malware, Known Vulnerabilities
Corporate Insiders      Amateur                             Exploit Permissions

Source: Ginter, Andrew (2016) SCADA Security: What's broken and how to fix it.

Sliding Scale of Security
DMZ, Authentication, Updates, Modern OS, Whitelisting, Least Function, Monitoring, SIEM, SOC, Reputation, External Feeds, Threat Hunting
Source: The Sliding Scale of Cyber Security - Robert M. Lee (SANS)

Fundamental PI System Security Advantage
Limits direct access to critical systems while expanding the use of information.
Critical systems inside the security perimeter: Transmission & Distribution SCADA, Plant DCS, Infrastructure PLCs, Environmental Systems, other critical operations systems.
Security Perimeter: reduce the risks on critical systems.

Undesirable Topology (diagram labels): PI Servers, Connector Node (marked x), Control Network, DMZ, Enterprise Network

Good Topology (diagram labels): PI Interface / PI Connector, PI Servers, Control Network, DMZ, Enterprise Network

Better Topology (diagram labels): PI Interface / PI Connector, PI Servers, Control Network, DMZ, PI Vision, Enterprise Network

PI System 2019 Reference Architecture
NERC CIP, NIST 800-53, and NIST 800-82

Reduce Surface Area of the Platform: Windows Server Core
- Less installed, less running (no GUI applications)
- Fewer open ports
- Less patching
- Less maintenance
- Lower TCO, more secure
Supported OSIsoft products: PI Data Archive, PI AF Server, PI Vision, PI Web API, PI Connectors
Source: Microsoft Mechanics. "Exploring Nano Server for Windows Server 2016 with Jeffrey Snover." Online video clip. YouTube, 10 Feb. 2016.

Reduce Surface Area of the Platform: Windows Admin Center
Free, browser-based app for managing Windows Servers (including Server Core)

Whitelisting

Whitelisting – using built-in Windows features

Whitelisting with Windows Defender Application Control (WDAC)
- Used to be called Device Guard
- Available since Windows 10 / Server 2016 (incl. Core)

Whitelisting with AppLocker
- Can be used in tandem with WDAC
- Available on older OS versions, but doesn't work in Server Core

Whitelisting PI applications based on catalog files
- OSIsoft provides a Catalog file for products that use unsigned third-party files
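The slide lists the three building blocks but not how they fit together. The following PowerShell is an added example, not code from the deck or from OSIsoft: it validates the OSIsoft-supplied catalog, builds a WDAC policy in audit mode that trusts the catalog's signer, and then reads back what the policy would have blocked. The PI install root, catalog file name and signer certificate path are placeholders.

```powershell
# Added example (not from the OSIsoft deck): stage a WDAC policy on a PI host in audit mode.
# Run elevated on Windows Server 2016 (incl. Server Core). All paths below are assumptions.
$piRoot    = 'C:\Program Files\PIPC'                 # assumed PI install root
$catalog   = 'C:\Staging\PI-unsigned-files.cat'      # placeholder: OSIsoft-supplied catalog file
$signerCer = 'C:\Staging\catalog-signer.cer'         # placeholder: certificate that signed the catalog
$policyXml = 'C:\Staging\PIHost-WDAC.xml'
$catRoot   = 'C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}'

# 1. Verify the catalog against the files on disk before trusting it. A status other
#    than 'Valid' means a covered file was changed or the catalog is for another release.
$check = Test-FileCatalog -CatalogFilePath $catalog -Path $piRoot -Detailed
if ($check.Status -ne 'Valid') {
    throw "Catalog validation failed ($($check.Status)); do not deploy."
}

# 2. Build the policy from a system scan: publisher rules where files are signed,
#    hash rules as a fallback. -UserPEs makes the policy cover user-mode binaries too.
New-CIPolicy -FilePath $policyXml -Level Publisher -Fallback Hash -ScanPath 'C:\' -UserPEs

# 3. Allow the catalog's signer, so the unsigned third-party PI files listed in the
#    catalog are treated as signed, then install the catalog where Code Integrity looks.
Add-SignerRule -FilePath $policyXml -CertificatePath $signerCer -User
Copy-Item -Path $catalog -Destination $catRoot

# 4. Rule option 3 = Enabled:Audit Mode. Violations are logged, not blocked.
Set-RuleOption -FilePath $policyXml -Option 3

# 5. Compile to binary form and place it where Code Integrity loads it at boot
#    (single-policy format used by Server 2016).
ConvertFrom-CIPolicy -XmlFilePath $policyXml -BinaryFilePath 'C:\Windows\System32\CodeIntegrity\SIPolicy.p7b'

# 6. After a reboot and a soak period, review what audit mode would have blocked
#    (event 3076). Anything legitimate here needs a rule before switching to enforce.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076 } `
    -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-Table -Wrap
```

Once the 3076 events are clean, removing option 3 (Set-RuleOption -FilePath $policyXml -Option 3 -Delete), recompiling and rebooting switches the same policy to enforce mode.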

Upgrade your software
OSIsoft is consistently:
- Implementing compiler flags as they become available
- Applying least privileges to services
- Adding support for Windows Core systems

Role Based Access: Leverage Windows Integrated Security
Less work for administrators: Active Directory provides SSO and Identity and Access Management.
(Diagram: AD User -> AD Group -> Authorized Access; Denied User)

Authentication Management
Enforce the strongest authentication method server-side.
PI API trusts can be disabled with the installation and configuration of the PI API 2016 for WIS and later.

Audit Connections
- WIS provides connection auditing through Security event logs
- PI Message Logs provide connection auditing (Message ID: 7082)
- PI Data Archive connection history
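To make the Security-event-log part of this slide concrete, here is an added PowerShell example (not from the deck or from OSIsoft) that summarises the network logons Windows Integrated Security records on a PI Data Archive host and singles out NTLM connections, which are the clients to look at before tightening server-side authentication. It assumes the Logon audit subcategory is enabled and that it runs on the server itself.

```powershell
# Added example (not from the OSIsoft deck): summarise WIS logons to a PI Data Archive host.
# Assumes logon auditing is on (check with: auditpol /get /subcategory:Logon).
$since  = (Get-Date).AddHours(-24)
$logons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
    -ErrorAction SilentlyContinue

$rows = foreach ($evt in $logons) {
    # Flatten the EventData <Data Name="..."> elements into a hashtable.
    $data = @{}
    foreach ($item in ([xml]$evt.ToXml()).Event.EventData.Data) { $data[$item.Name] = $item.'#text' }
    # Logon type 3 = network logon, which is what a remote PI client (SDK, AF, Vision, interface) produces.
    if ($data['LogonType'] -ne '3') { continue }
    [pscustomobject]@{
        Time    = $evt.TimeCreated
        Account = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        Client  = $data['IpAddress']
        Package = $data['AuthenticationPackageName']   # Kerberos or NTLM
        LmLevel = $data['LmPackageName']               # 'NTLM V1' / 'NTLM V2' when Package is NTLM
    }
}

# Who connected, from where, with which package. Unexpected accounts or client IPs show up here.
$rows | Group-Object Account, Client, Package | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# NTLM logons (especially NTLM V1) mark clients that could not use Kerberos, e.g. connecting by
# IP address instead of host name or missing SPNs. Each one is a candidate to fix first.
$rows | Where-Object { $_.Package -eq 'NTLM' -and $_.Account -notmatch '\\ANONYMOUS LOGON$' } |
    Select-Object Time, Account, Client, LmLevel | Sort-Object Time | Format-Table -AutoSize
```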

Analyzing Attack Surface #1: AHA - Attack Surface Host Analyzer
Site: https://aha-project.github.io/
Code: github.com/AHA-Project/AHA-GUI


AHA mean scores

Windows Server 2008 R2                 Windows Server 2016 Core
External Attack Surface    9.5%        External Attack Surface    80%
Internal Attack Surface    8.2%        Internal Attack Surface    80%

Analyzing Attack Surface #2: Microsoft Attack Surface Analyzer 2.0
Site & code:



Material Safety Data Sheets

Cyber Security Data Sheets
Get the full TAM report: Michael Thow (mthow@epri.com), Matt Gibson (mgibson@epri.com)

CSDS part 1
TAM Step 1: Characterize Attack Surface and identify Exploit Sequences


CSDS part 1 – Attack Pathways

EPRI TAM – Attack Surface Characterization

Exploit Sequence = Exploit Objective + Attack Pathway + Exploit Mechanism
An exploit sequence is an attack pathway and exploit mechanism that allows an attacker to achieve an exploit objective.

Exploit Sequence Example
- Exploit Objective: Modify time-series data in transit
- Attack Pathway: Wired connection
- Exploit Mechanism: MITM

CSDS part 1 – Exploit Sequences

CSDS part 2
TAM Step 2: Engineered Security Control Methods scoring and allocation

Allocating Engineered Security Control Methods
Exploit sequence:
- Exploit Objective: Modify time-series data in transit
- Attack Pathway: Wired connection
- Exploit Mechanism: MITM
Security Control Method: Native PINet transport security
Set target levels for: Protection, Detection, Response & Recovery
Calculate efficacy based on: Protection, Detection, Response & Recovery, Persistence, Implementation cost

Allocating Engineered Security Control Methods (continued over three slides)

Cyber Security Data Sheets: Structured Security Documentation
Forward looking with focus on: Modern Platform, Recommended Architecture

TAM Step 3: Mitigate residual Exploit Sequences with Shared Security Control Methods

Residual Exploit Sequences are expected!
Residual Exploit Sequences -> Allocate Shared Security Control Methods -> Asset protected -> Map to Regulatory Requirements
Optional, but useful: RG 5.71, NEI 08-09, NERC CIP, NIST 800-53

Call to Action:

Cyber Security Data Sheets can be delivered by vendors as part of the supply chain.
Step 1 & 2 by EPRI, Vendors, and other Stakeholders.
Contact us to obtain PI Data Archive and PI Vision Cyber Security Data Sheets.
We'd love to hear your feedback!

Contact us for more information
Lubos Mlcoch, Cyber Security Advisor, OSIsoft, LLC
lmlcoch@osisoft.com

Useful links
- OSIsoft PI System Cyber Security – Hub
- SANS - Sliding Scale of Cyber Security
- Windows Server 2019 - Server Core vs. Desktop Experience (GUI) Explained & Compared
- Hello, Windows Admin Center!
- Attack Surface Host Analyzer (AHA)
- Microsoft Attack Surface Analyzer
- EPRI - Cyber Security Technical Assessment Methodology: Risk Informed Exploit Sequence Identification and Mitigation, Revision 1


Questions?
Please remember to complete the survey!
Please wait for the microphone. State your name & company.
Navigate to this session in the mobile agenda for the survey. Download the mobile app.
