Transcription
Strong Security in NERC CIP Version 5:Unidirectional Security GatewaysChris HumphreysCEOThe Anfield GroupProprietary Information -- Copyright 2013 by Waterfall Security Solutions Ltd.Andrew GinterDirector of Industrial SecurityWaterfall Security Solutions2013
13 Ways Through a Firewall1) Phishing / drive-by-download – victim pulls attack2) Social engineering / steal a password / keylogger3) Compromise domain controller – create fwall acct4) Attack exposed servers – SQL injection / DOS / etc5) Attack exposed clients – compromise web servers6) Session hijacking – MIM / steal HTTP cookies7) Piggy-back on VPN – split tunnelling / viruses8) Firewall vulnerabilities –zero-days / design vulns9) Errors and omissions – bad rules / IT errors10) Forge an IP address –rules are IP-based11) Bypass network perimeter – eg: rogue wireless12) Physical access to firewall – reset to fact defaults13) Sneakernet – removable media / laptopsPhoto: Red Tiger SecurityKeeping a firewall secure takes people and processes Proprietary Information -- Copyright 2013 by Waterfall Security Solutions Ltd.2
Targeted Attacks Manual Remote Control “Spear phishing” pulls attack through firewall Low-volume RAT evades anti-virus Steal/create passwords: keystroke logger, pass-the-hash, compromisedomain With passwords: explore networks, firewalls, systems at leisureIT teams have admitted they are unableto block targeted attacks at the corporateperimeter.Control system networks are simpler, andgenerally are still protectable.Proprietary Information -- Copyright 2013 by Waterfall Security Solutions Ltd.3
Unidirectional Security Gateways Laser in TX, photocell in RX, fibre-optic cable – you can send data out,but nothing can get back in to protected network TX uses 2-way protocols to gather data from protected network RX uses 2-way protocols to publish data to external network Defeats advanced / remote control attacks Server replication, not protocol emulationProprietary Information -- Copyright 2013 by Waterfall Security Solutions Ltd.4
Historian Replication at Generator Site TX agent is conventional historian client – request copy of new dataas it arrives in historian RX agent is conventional historian collector – drops new data intoreplica as it arrives from TX TX agent sends historical data and metadata to RX using nonroutable, point-to-point protocol Complete replica, tracks all changes, new tags, alerts in replicaProprietary Information -- Copyright 2013 by Waterfall Security Solutions Ltd.5
OPC Replication OPC-DA protocol is complex: based on DCOM object model –intensely bi-directional TX agent is OPC client: gathers data from production OPC servers RX agent is OPC server: serves data to business OPC clients TX agent sends only OPC data and metadata to RX OPC protocol is used only in production network, and businessnetwork, but not across unidirectional linkProprietary Information -- Copyright 2013 by Waterfall Security Solutions Ltd.6
Unidirectional Gateway Deployments Deployed routinely in generators Deployed routinely where plant network connects to business net Deployed less commonly: Where generating unit control network connects to plant network In substations and control centers Most commonly replicates: Historian servers OPC servers File servers Remote Screen ViewProprietary Information -- Copyright 2013 by Waterfall Security Solutions Ltd.7
Turbine Management Turbines: steam, water, combustion (gas) Eventual performance degradation Gas: blade fouling, corrosion, erosion Steam: scale, corrosion, chipping Water: pitting, metal fatigue, erosion Condition monitoring – very effective whenmalfunctions are found before seriousfailure occurs Temperatures, pressures, vibration,cavitation, lubricant temperaturesTurbine vendor support programsrequire remote monitoring and remotecontrolPhoto courtesy: SiemensProprietary Information -- Copyright 2013 by Waterfall Security Solutions Ltd.8
Remote Screen View Vendors can see control system screens in web browser Remote support is under control of on-site personnel Any changes to software or devices are carried out by on-sitepersonnel, supervised by vendor personnel who can see site screensin real-time Vendors supervisesite personnel Site people supervisethe vendorsEach perspective islegitimate, both needs are metProprietary Information -- Copyright 2013 by Waterfall Security Solutions Ltd.9
True Remote Control: Secure Manual Uplink Physically connects/disconnects copper network cables Automatically disconnects again after programmable interval Activation modes: Physical key Electronic keyProprietary Information -- Copyright 2013 by Waterfall Security Solutions Ltd.10
Temporary Remote Control 100% secure, 99% of the timeAs secure as a firewall the rest of the timeOn-site personnel decide when to grant accessRemote access further controlled by conventional firewalls, VPNs, etc.Temporary Remote ControlProprietary Information -- Copyright 2013 by Waterfall Security Solutions Ltd.11
Strong Security in NERC CIP Version 5:Unidirectional Security GatewaysBy: Chris HumphreysCEO/Director
Overview- NERC CIP Version 5 Firewall Changes- External Routable Connectivity Defined- Remote Support Options
High/Med/Low Impact Cyber Systems- High Impact – control centers- Medium Impact – analogous to V4 CCAsoutside of control centers, includingassets in generating plants- Low Impact – other systems at “brightline” facilities
Firewall Changes for CIP V5- Electronic Security Perimeter – stillrequired- Electronic Access Point – defined only forassets with External RoutableConnectivity- Electronic Access Points in ControlCenters must use network intrusiondetection systems
External Routable Connectivity“The ability to access a BES Cyber Systemfrom a Cyber Asset that is outside of itsassociated Electronic Security Perimeter viaa bi-directional routable protocolconnection”- Unidirectional Gateways are not bidirectional. The hardware can onlycommunicate in one direction.- Common Criteria EAL4 certificationattests to this
ERC S Cyber System CategorizationSecurity Management ControlsPersonnel & TrainingElectronic Security PerimetersPhysical SecuritySystems Security ManagementIncident Reporting & Resp. PlanningRecovery PlansChange Mgmt & Vuln AssessmentsInformation ProtectionTotals:RequirementsMed Impactwith ERCExemptedHigh Impactwith ERCExempted7419814209101041031551253733Plus: many exemptions for Physical Access Control Systems withoutExternal Routable Connectivity
Interactive Remote Access“User-initiated access by a personemploying a remote access client orother remote access technology using aroutable protocol”- Remote Screen View is not “access”- RSV is equivalent to remote videoviewing- SMU is very likely remote access, eventhough it is temporary
Strong Security- Unidirectional Security Gatewaysintegrate systems without thevulnerabilities of firewalls- CIP V5 includes provisions encouragingthe use of Unidirectional Gateways – thisis not accidental- A CIP program should be about security.Compliance is a natural consequence ofstrong security.
Strong Security Security: absolute protection of safety and reliability of control systemassets, from network attacks originating on external networks Compliance: best-practice guidance, standards and regulations areevolving to recognize and encourage strong security Costs: reduces security / firewall operating costs – improves securityand saves money in the long run“When you are considering security foryour control networks, you need tokeep in mind innovative securitytechnologies such as unidirectionalgateways” Tim Roxey, NERC CSSOProprietary Information -- Copyright 2013 by Waterfall Security Solutions Ltd.20
- Unidirectional Security Gateways integrate systems without the vulnerabilities of firewalls - CIP V5 includes provisions encouraging the use of Unidirectional Gateways - this is not accidental - A CIP program should be about security. Compliance is a natural consequence of strong security. Strong Security
