Protecting Operational Technology (OT) - Apistek

Transcription

Protecting Operational Technology (OT)
Stuart Phillips, Global Enablement Engineer, Fortinet Operational Technology / Critical Infrastructure Team
Taipei, 15th November 2018
Copyright Fortinet Inc. All rights reserved.

Slide 2: What is Operational Technology (OT)?
- Manipulation of physical things
  » Opening a valve, measuring flow, recording temperature, etc.
- AKA SCADA or Industrial Control Systems (ICS)
- Much older than IT
  » 1980's automobile manufacturing
- Traditionally physically segmented or air gapped
- Long-term deployment: 10-30 years or older

Slide 3: Critical Infrastructure Sectors
- Chemical Sector
- Commercial Facilities Sector
- Communications Sector
- Critical Manufacturing Sector
- Dams Sector
- Defense Industrial Base Sector
- Emergency Services Sector
- Energy Sector
- Financial Services Sector
- Food and Agriculture Sector
- Government Facilities Sector
- Healthcare and Public Health Sector
- Information Technology Sector
- Nuclear Reactors, Materials, & Waste Sector
- Transportation Systems Sector
- Water and Wastewater Systems Sector

Slide 4: OT and IT: Different Roots, Different Priorities
- IT: manipulate information; standardization; CIA (IT) triangle: Confidentiality, Integrity, Availability.
- OT: manipulate physical things; specialization; OT triangle: Safety, Availability, Confidentiality.

Slide 5: Main Elements of an OT/ICS Environment (diagram)
- Field network / plant floor: valves, fans, pumps connected to PLCs and controllers.
- OT side: ICS server, historian, HMI.
- IT network, separated from OT by a firewall "to keep out IT".
- ICS protocols (OPC, etc.) alongside TCP/IP.
- Typical vendors: Yokogawa, ABB, Siemens, Rockwell, Emerson, Schneider Electric, Mitsubishi, Honeywell, etc.
- This environment is changing, whether the operators want it to or not.

Slide 6: Real Threats to Manufacturing (taken from the Verizon 2017 Data Breach Investigations Report)
- ICS customers are primary targets for industrial cyber espionage.
- Attacks are often sponsored by competitors with state connections.
- They seek to replicate the target's products for sale in local markets and, in effect, steal the entire company's IP and brand.
- Data stolen includes formulas, purchase orders, the equipment used in production, device settings, etc.

Slide 7: Critical Manufacturing Insider Threat
- Unintentional: malware coming into the network through traditional means and infecting the more vulnerable outdated systems in OT/ICS networks, particularly older Windows systems.
  » "Maersk Shipping Reports 300M Loss Stemming from NotPetya Attack" (link truncated in the transcript: m-loss-stemming-from-notpetya-attack/127477/)
- Intentional: spear-phishing attacks against employees and supply partners to gain information and access. Often escalated to bribery of a targeted employee.
  » "American Superconductor Destroyed For A Tiny Bribe" (link truncated in the transcript: /#3f08fe8569587)

Slide 8: IPS & Application Control for Industrial Systems
Some of the supported protocols:
- BACnet, DNP3, LONTalk, Elcom, MMS, EtherCAT, Modbus, EtherNet/IP, OPC, HART, Profinet, IEC 60870-6 (TASE 2) / ICCP, S7, IEC 60870-5-104, IEC 61850, SafetyNET, Synchrophasor
Supported applications and technologies:
- Schneider Electric, ABB, Advantech, Broadwin, CitectSCADA, CoDeSys, Cogent, DATAC, Eaton, GE, RealFlex, Iconics, InduSoft, Rockwell Automation, IntelliCom, RSLogix, Measuresoft, Siemens, Microsys, Sunway, MOXA, TeeChart, PcVue, VxWorks, Progea, WellinTech, QNX, Yokogawa
Capabilities:
- Deep Packet Inspection (DPI)
- Application Control
- Context signatures for Modbus, IEC 60870-6 (ICCP) and IEC 60870-5-104
- Context logging to FortiAnalyzer, FortiSIEM, and Syslog

Slide 9: IPS / Application Control for Industrial Systems: 244 granular application controls (DNP3 examples)
- DNP3 Assign.Class
- DNP3 Cold.Restart
- DNP3 Confirm
- DNP3 Delay.Measurement
- DNP3 Direct.Operate
- DNP3 Direct.Operate.Without.Ack
- DNP3 Disable.Spontaneous.Messages
- DNP3 Enable.Spontaneous.Messages
- DNP3 Freeze.And.Clear
- DNP3 Freeze.And.Clear.Without.Ack
- DNP3 Freeze.With.Time
- DNP3 Freeze.With.Time.Without.Ack
- DNP3 Immediate.Freeze
- DNP3 Immediate.Freeze.Without.Ack
- DNP3 Initialize.Application
- DNP3 Initialize.Data
- DNP3 Operate
- DNP3 Read
- DNP3 Response
- DNP3 Save.Configuration
- DNP3 Select
- DNP3 Start.Application
- DNP3 Stop.Application
- DNP3 Unsolicited.Message
- DNP3 Warm.Restart
- DNP3 Write

Slide 10: FortiGuard Industrial Security
- Target market/segment
  » Securing critical infrastructure (industrial control and SCADA)
  » Needs a special type of applications, not generally used in an enterprise environment
  » Over 1,400 industrial app signatures

Slide 11: Purdue Model and Fortinet Fabric: Stronger Together! (diagram)
- Purdue model: an effective layered security model; a logical level approach focused on business requirements; aligns to the Fortinet Fabric (ISA-99, IEC-62443, RMF).
- Fabric elements shown: management, analytics, multi-cloud, partner API, IoT, endpoint, network, web apps, unified access, email, advanced threat protection.
- Enhances the model by introducing the Fortinet Fabric:
  » Greater visibility and control
  » Policy enforcement with multiple security technologies
  » Real-time protection that communicates security information to other fabric members
  » Threat feed integration within the entire solution

Slide 12: Critical Manufacturing (reference diagram; Purdue, ISA-99, IEC-62443)
- Wide area network: MPLS, SD-WAN, 3G, 4G, APN, VPN, ADSL, cable; FortiGate edge firewall for enterprise protection; SD-WAN / 3G-4G extension / VPN to the remote edge.
- Manufacturing plant: FortiGate firewall with internal segmentation; operator PC with two-factor authentication and access control; industrial FortiGuard application control; switch private VLANs for micro-segmentation.
- Level 2, supervisory control network: engineering workstation.
- Level 1, process control local area network: Fortinet secure unified access solution (FortiSwitch, FortiAPs, FortiLink), serial to IP, layer-two micro-segmentation; PLC or RTU.
- Level 0, physical plant floor: instrumentation bus network, physical internal segmentation of production lines, physical relays, stack lights; physical security and presence analytics with FortiCAM.

Slide 13: Applying Fortinet's Reference Architecture to Purdue Levels (diagram; Purdue, ISA-99, IEC-62443)
- External: Internet, remote vendor, remote user.
- Level 5, Internet DMZ: enterprise / corporate environment, FortiGate.
- Level 4, enterprise LAN: corporate email servers, FortiWeb, FortiGuard, authentication services and domain controllers, enterprise desktops. The Operational Technology (OT) authentication boundary (FSSO) sits below this level.
- Level 3.5, operational DC DMZ: management, FortiSwitch, FortiClient EMS server, FortiAuthenticator; zones of control, zones and conduits, micro-segmentation, physical and virtual segmentation.
- Level 3, operational DC: manufacturing VLANs with micro-segmentation; wide area network (MPLS, SD-WAN, 3G, 4G, APN, VPN, ADSL, cable) behind a FortiGate; historian server zone, domain controller, application server zone, engineering server zone, engineering workstation zone, operator workstation zone.

Slide 14: Best Practice: OT Cyber Security Approach
- ISA 99 / IEC 62443
  » Separation of networks: air gapped, network based or software based
- Visibility
  » Examine all traffic for known and unknown threats
  » Use even in air gapped networks
- Context
  » Understand network traffic
  » Build understanding of device relationships
- Control
  » Isolate infected devices/systems
  » Remove botnets and other malware
  » Prevent new infections

Slide 15: Addressing the Insider Threat: Visibility
- Implement ISA-99, IEC-62443
- Segment and examine the traffic as much as possible
- Use Next Generation Firewalls to define North-South traffic; create multiple DMZs internally
- Enable micro-segmentation on switch ports to limit East-West traffic
- Diagram: IT / Internet behind a FortiGate secure gateway; DMZ network with PI historians; segmentation of different ICS networks (ICS Network 1, ICS Network 2); granular segmentation within each ICS network down to the RTUs and PLCs on the plant floor.
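The zones-and-conduits idea behind slides 13 to 15 (Purdue levels, an operational DMZ between enterprise and plant, default-deny between segments) expressed as a small flow-evaluation routine. This is an added example, not Fortinet's code or configuration; the zone names, their Purdue levels, the conduit list and the "no skipping more than one level" rule are assumptions made for illustration.

```python
"""Added example (not from the slides): evaluate whether a flow between two
zones is permitted under a zones-and-conduits policy in the spirit of
ISA-99 / IEC 62443 and the Purdue model. Zones, levels and conduits are
assumed values for illustration, not a real site design."""

# Assumed Purdue level of each zone; 3.5 is the operational DC DMZ.
ZONE_LEVEL = {
    "enterprise-lan": 4,
    "operational-dmz": 3.5,
    "historian-zone": 3,
    "engineering-ws-zone": 2,
    "supervisory-hmi": 2,
    "process-control": 1,
    "field-devices": 0,
}

# Assumed explicit conduits: (src zone, dst zone, service). Anything else is denied.
CONDUITS = {
    ("enterprise-lan", "operational-dmz", "https"),
    ("operational-dmz", "historian-zone", "pi-replication"),
    ("engineering-ws-zone", "process-control", "modbus-write"),
    ("supervisory-hmi", "process-control", "modbus-read"),
    ("process-control", "field-devices", "fieldbus"),
}

# Services that carry ICS protocols and must never leave the plant levels.
ICS_SERVICES = {"modbus-read", "modbus-write", "dnp3", "fieldbus"}


def evaluate_flow(src: str, dst: str, service: str) -> tuple:
    """Return (action, reason) for a flow from zone src to zone dst."""
    if src not in ZONE_LEVEL or dst not in ZONE_LEVEL:
        return "deny", "unknown zone"
    ls, ld = ZONE_LEVEL[src], ZONE_LEVEL[dst]
    # North-South traffic must step through adjacent levels (via the DMZ),
    # so a conduit that skips more than one level is refused outright.
    if abs(ls - ld) > 1:
        return "deny", "crosses %s levels without a DMZ hop" % abs(ls - ld)
    # ICS protocols stay at level 3 or below; they never reach the DMZ or enterprise.
    if service in ICS_SERVICES and max(ls, ld) > 3:
        return "deny", "ICS protocol %s above level 3" % service
    if (src, dst, service) in CONDUITS:
        return "allow", "conduit %s -> %s (%s)" % (src, dst, service)
    return "deny", "no conduit defined (default deny)"
```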

Slide 16: Addressing the Insider Threat: Context
- Examine all traffic, even in air gapped networks
- Use FortiAnalyzer to examine and filter known threats
- Use FortiSandbox to detonate unknown threats safely
- Use FortiGuard Labs to get constant threat intelligence and artificial-intelligence-based threat analysis
- Diagram: IT / Internet behind a FortiGate secure gateway; DMZ network with PI historians; ICS networks and the PLC control network with RTUs and PLCs on the plant floor; FortiAnalyzer examining all traffic.

Slide 17: Addressing the Insider Threat: Control
- Identify all devices as much as possible with FortiNAC network access control
- Proxy traffic using FortiADC (proxy server) and its web application firewall for all updates
- Limit or block unwanted applications on the ICS network; provide separate Wi-Fi for operators
- Use FortiSIEM for all reporting and compliance
- Diagram: Internet, FortiGate, FortiADC proxy server, FortiSIEM, FortiNAC, IT, DMZ network with PI historians, ICS networks, RTUs and PLCs on the plant floor.

Slide 18: Demonstration


Slide 20: Key SCADA Components
- Human-Machine Interface (HMI): the component in charge of displaying process data to a human operator. The operator monitors and controls the process through the HMI.
- SCADA Master (TRIDIUM JACE): the component in charge of collecting all data from the different devices and controlling the entire process.
- SCADA Slave (TRIDIUM SEDONA): connects to sensors, converts their signals to digital data and sends it to the supervisory system.
- SCADA Protocol (Modbus): Modbus is a "Master/Slave" protocol. Some versions of Modbus can also be sent over Ethernet or TCP/IP.
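The Modbus/TCP variant named above is what the deep packet inspection and "context signatures for Modbus" on slide 8 operate on: the 7-byte MBAP header followed by a function code tells an inspecting firewall whether a master is reading from or writing to a slave. The following is an added example, not Fortinet's implementation: it parses the MBAP header, classifies the function code, and enforces an assumed read-only policy for a source zone; the zone names and sample frames are constructed for illustration.

```python
"""Added example, not from the slides: a minimal Modbus/TCP deep-packet
inspector that parses the MBAP header and function code, classifies the
request as read or write, and applies a read-only policy per source zone.
Zone names and the sample frames are constructed for illustration."""
import struct

# Public Modbus function codes that change controller state.
WRITE_FUNCS = {5, 6, 15, 16, 22, 23}
# Function codes that only read data or status.
READ_FUNCS = {1, 2, 3, 4, 7, 17, 24}


def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse a Modbus/TCP ADU: 7-byte MBAP header followed by the PDU."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header and function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError("protocol id %d is not Modbus" % pid)
    # MBAP length counts unit id + PDU, i.e. everything after the first 6 bytes.
    if length != len(frame) - 6:
        raise ValueError("MBAP length %d disagrees with frame size" % length)
    func = frame[7]
    return {"tid": tid, "unit": unit, "func": func & 0x7F,
            "exception": bool(func & 0x80), "data": frame[8:]}


def classify(func: int) -> str:
    """Label a function code as read, write or other (vendor/undocumented)."""
    if func in WRITE_FUNCS:
        return "write"
    if func in READ_FUNCS:
        return "read"
    return "other"


def policy_decision(src_zone: str, frame: bytes, read_only_zones) -> tuple:
    """Return (action, reason); zones in read_only_zones may only read.
    Unknown function codes are treated like writes for those zones."""
    try:
        pdu = parse_modbus_tcp(frame)
    except ValueError as err:
        return ("drop", "malformed: %s" % err)
    kind = classify(pdu["func"])
    if kind != "read" and src_zone in read_only_zones:
        return ("block", "%s func %d from read-only zone %s to unit %d"
                % (kind, pdu["func"], src_zone, pdu["unit"]))
    return ("allow", "%s func %d to unit %d" % (kind, pdu["func"], pdu["unit"]))


# Constructed sample frames: Read Holding Registers (FC 3) and Write Single Coil (FC 5).
READ_HOLDING = b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"
WRITE_COIL = b"\x00\x02\x00\x00\x00\x06\x01\x05\x00\x13\xff\x00"
```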


Slide 22: Questions? sphillips@fortinet.com

Slide 5 diagram text (alternate extraction): ICS protocols Modbus, Profinet, S7, BACnet, DNP3, Elcom, OPC, etc.; Windows, Linux and Windows servers on the IT network; ICS protocols over TCP/IP; ICS sensor vendors Nozomi, Claroty, Dragos, SecurityMatters, Indegy, etc.; firewall to keep out IT; this environment is changing, whether the operators want it to or not.