Chapter 4

Industrial Security and the management of industrial networks

Matjaž Demšar

Mobile: +386 (31) 684 810 [email protected]

Reliable industrial communication networks are the backbone of a digital enterprise.

Industrial Security – Essential in the Age of Digitalization

Challenges for Companies: Productivity, Cost Pressure and Regulations

Protect productivity against
• externally caused incidents through increasing connectivity
• internal misbehavior
• the evolving threat landscape

Reduce costs
• for qualified personnel
• for essential security technologies

Comply with regulations
• reporting requirements
• minimum standards
• security know-how: the challenge is to bring everyone to the table

IT Security vs. Industrial Security

Protection goals in order of priority:
• IT Security: confidentiality, integrity, availability
• Industrial Security: availability, integrity, confidentiality

Challenges are similar, but reality is very different in IT and Industrial (OT) Security:

| | IT Security | Industrial Security |
| Primary protection goal | Confidentiality | Availability |
| Asset lifecycle | 3-5 years | 20-40 years |
| Software lifecycle | Forced migration (e.g. PCs, smartphones) | Used as long as spare parts are available |
| Options to add security software | High (> 10 "agents" on office PCs) | Low (old systems without spare performance) |
| Heterogeneity | Low (~2 generations, Windows 7 and 10) | High (from Windows 95 up to Windows 10) |
| Main protection concept | Standards based (agents and forced patching) | Case and risk based |

The ever-changing threat landscape

• Professional vulnerabilities
• Cybersecurity laws and regulations
• Internet of Things
• Evolution of the cyber threat landscape

Timeline (figure): three eras of digitalization and their milestones
• Digital Information Processing (1950s to 1980s): military, governments and other organizations implement computer systems; digital enhancement of electrification and automation; the home computer is introduced; computers make their way into schools, homes, business and industry
• Digital Connectivity (1990s to 2000s): the World Wide Web becomes publicly accessible (1991); the globe is connected by the internet; mobile flexibility
• Digital Automation and Intelligence (2010s to 2020s): cloud computing enters the mainstream; Industry 4.0 (2015); Internet of Things, smart and autonomous systems, Artificial Intelligence, Big Data

Timeline (figure): notable attacks and incidents, from the Morris Worm, the AT&T hack and blue boxing through AOHell, cryptovirology, the Level Seven Crew hack, sl1nk SCADA hacks and denial-of-service attacks to phishing, cyberwar, WannaCry, NotPetya, Industroyer/CrashOverride, Cloudbleed and Meltdown/Spectre, and attacks targeting critical infrastructure.

The threat landscape keeps growing and changing, and attackers are targeting industrial and critical infrastructures.

Challenges and drivers: outdated operating systems²

| Operating system | End of support |
| Windows NT 4.0 | 30 June 2004 |
| Windows XP | 8 April 2014 |
| Windows 7 | 14 January 2020 |
| Windows 10 | 14 October 2025 |

Most critical threats to Industrial Control Systems (BSI "Industrial Control System Security: Top 10 Threats and Countermeasures"¹)
1. Infiltration of malware via removable media and external hardware
2. Malware infection via internet and intranet
3. Human error and sabotage
4. Compromising of extranet and cloud components
5. Social engineering and phishing
6. (D)DoS attacks
7. Control components connected to the internet
8. Intrusion via remote access
9. Technical malfunctions and force majeure
10. Compromising of smartphones in the production environment

¹ Source: BSI Publications on Cyber Security | Industrial Control System Security 2019. ² Source: Microsoft.

Industrial Security – Lifecycle of security management

Assess Security: evaluation of the current security status of an ICS environment.
Implement Security: risk mitigation through implementation of security measures.
Manage Security: comprehensive security through monitoring and vulnerability management.

Industrial Security – Phases in detail

Assess Security
• IEC 62443 assessment
• ISO 27001 assessment
• Penetration testing

Implement Security
• User training
• OT network infrastructure
• Automation firewalls
• Application whitelisting
• Antivirus
• Industrial anomaly detection

Manage Security
• Industrial security monitoring
• Industrial vulnerability management
• Patch management
• Remote incident handling

Assess Security – Following a risk-based approach

Assess Security covers a holistic analysis of threats and vulnerabilities, the identification of risks, and recommendations of security measures to close the identified gaps.

IEC 62443 Assessment – Assessment of compliance with the IEC 62443 international standard

• Focus on part 2-1 ("Establishing an industrial automation and control system security program") and part 3-3 ("System security requirements and security levels")
• 2 days on-site with the customer, coordinated by a security consultant and a security engineer
• Questionnaire-based checklist to identify and classify risks
• Up to 30 pages of report containing recommendations for risk mitigation measures
• Deliverables (figure): result bar chart, result spider diagram, questionnaire

ISO 27001 Assessment – Assessment of security according to the ISO 27001 international standard

• 1 day on-site workshop with the customer to identify and classify risks
• Coordinated by a security consultant and a security engineer
• Typical attendants: management and the customer's people responsible for production, IT security and physical security, maintenance staff, engineering staff, …
• Offline evaluation of the results
• Up to 30 pages of report containing analysis, recommendations for risk mitigation measures and prioritization of actions (based on a cost/benefit scenario)

Network Scanning – Detection of relevant vulnerabilities in the production environment

• Rapid transparency over vulnerabilities, end-of-life information and mitigations in automation environments; visualization of scan results
• Industrial scan profiles optimized for the production environment: they reduce the risk of downtime and provide relevant results only
• Service delivery by automation specialists ensures the project's success through deep system know-how and combined expertise in the IT and OT areas
• Selected open-source and commercial tools
• Findings: vulnerabilities, configuration problems, mitigations
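As an added example of the end-of-life reporting that such a scan delivers (this is illustrative code, not the scanning service or tooling described on the slides), the following script reads an nmap XML report and flags hosts whose fingerprinted operating system is past the Microsoft end-of-support dates listed earlier in this chapter. The XML is a constructed sample in the layout nmap writes with `-oX`, not real scan output; host addresses and OS matches are invented. Hosts that nmap could not fingerprint are listed separately rather than silently dropped, since on a shop floor those are often the oldest systems.

```python
import xml.etree.ElementTree as ET
from datetime import date

# End-of-support dates as listed on the slide (source: Microsoft).
END_OF_SUPPORT = {
    "Windows NT 4.0": date(2004, 6, 30),
    "Windows XP": date(2014, 4, 8),
    "Windows 7": date(2020, 1, 14),
    "Windows 10": date(2025, 10, 14),
}

# Constructed sample in the layout nmap writes with -oX; not real scan output.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="10.10.1.5" addrtype="ipv4"/>
    <os><osmatch name="Microsoft Windows XP SP3" accuracy="97"/></os>
  </host>
  <host><status state="up"/>
    <address addr="10.10.1.20" addrtype="ipv4"/>
    <os><osmatch name="Microsoft Windows 7 SP1" accuracy="100"/>
        <osmatch name="Microsoft Windows Server 2008 R2" accuracy="91"/></os>
  </host>
  <host><status state="up"/>
    <address addr="10.10.1.30" addrtype="ipv4"/>
    <os><osmatch name="Microsoft Windows 10 1809" accuracy="95"/></os>
  </host>
  <host><status state="up"/>
    <address addr="10.10.1.40" addrtype="ipv4"/>
    <os/>
  </host>
</nmaprun>
"""


def best_os_match(host):
    """Highest-accuracy <osmatch> name for a host, or None if nmap could not fingerprint it."""
    matches = host.findall("./os/osmatch")
    if not matches:
        return None
    return max(matches, key=lambda m: int(m.get("accuracy", "0"))).get("name")


def eol_product(os_name):
    """Map an nmap OS match string to the end-of-support table entry it belongs to."""
    if not os_name:
        return None
    hits = [p for p in END_OF_SUPPORT if p in os_name]
    return max(hits, key=len) if hits else None   # longest product name wins


def host_ip(host):
    addr = host.find("./address[@addrtype='ipv4']")
    return addr.get("addr") if addr is not None else None


def find_eol_hosts(xml_text, today_iso):
    """Return [(ip, os_match, product, end_of_support)] for hosts past end of support on today_iso."""
    today = date.fromisoformat(today_iso)
    findings = []
    for host in ET.fromstring(xml_text).findall("host"):
        ip, os_name = host_ip(host), best_os_match(host)
        product = eol_product(os_name)
        if ip and product and END_OF_SUPPORT[product] <= today:
            findings.append((ip, os_name, product, END_OF_SUPPORT[product].isoformat()))
    return findings


def unfingerprinted_hosts(xml_text):
    """IPs nmap could not fingerprint; these need manual follow-up, not silent omission."""
    return [host_ip(h) for h in ET.fromstring(xml_text).findall("host") if best_os_match(h) is None]


if __name__ == "__main__":
    for ip, os_name, product, eol in find_eol_hosts(SAMPLE_XML, "2018-06-01"):
        print(f"{ip}: {os_name} -> {product} out of support since {eol}")
    print("no OS fingerprint:", unfingerprinted_hosts(SAMPLE_XML))
```

Run against a real report with `nmap -O -oX scan.xml …` output; in production cells, use the conservative scan profiles the slide mentions (no aggressive OS probes against PLCs) and treat the unfingerprinted list as a to-do for manual inventory.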

Implement Security – To mitigate risks

Implement Security means the implementation of security measures to increase the protection level of shop-floor environments.

June 2018

Security Awareness Training

Challenge
• 91% of the security incidents in 2015 involved credentials stolen through phishing e-mails¹
• Only 3% of targeted individuals reported the phishing e-mail¹
• 70% of all security incidents are caused by human error²

Goal
Increase security awareness among shop-floor staff to avoid security incidents caused by human error.

Common approach
• No cyber security training at all
• Cyber security training for the office environment focusing on classic IT-security topics

Weak points of the common approach
• Increased vulnerability to human-error threats
• Lack of automation perspective when training staff on cyber security topics

¹ Source: Verizon 2016. ² Source: Ponemon Institute Research 2013.

OT network infrastructure and policies

Industrial Network Security Consulting
• Cell segmentation of networks based on the IEC 62443 standard or the SIMATIC PCS 7 and WinCC security concept
• Design and planning of a perimeter protection (DMZ – demilitarized zone)
• Perimeter firewall rule establishment, review and implementation

Policy Consulting
• Establish new, or review and enhance existing, policies, processes, procedures and work instructions which influence security on the shop floor
• Integration with existing enterprise cybersecurity practices
• Examples: patch and backup strategy, handling of removable media

Zone model (figure): Unsecure Zone – DMZ – Protected Zone

Automation Firewall Next Generation

Challenge
• The shop-floor landscape changed from isolated islands to highly complex networks
• Automation networks have grown historically and often evolved into huge flat networks without any segmentation

Goal
Increase network security with a perimeter protection solution in line with the security requirements for industrial automation, tested and approved for usage with the Siemens process control system.

Today's solutions
• Perimeter protection for the office environment or the whole site
• Perimeter protection for the automation network, but controlled by office IT without automation know-how

Weak points of today's solutions
• Spread of failures due to flat networks
• Inconsistent configuration of protection measures due to lack of automation expertise (e.g. a perimeter firewall configured to protect the office against the automation network and not the other way around)
• No perimeter protection at all
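To make the zone model and the "wrong-direction firewall" weak point concrete, here is an added example (illustrative code, not part of the slides or of any Siemens product) that audits a perimeter ruleset against the Unsecure Zone / DMZ / Protected Zone model from the previous slide. The zone names, the rule format, the two sample rulesets and the port choices (443 for a DMZ web/historian front end, 4840 for OPC UA, 3389 for a jump host) are assumptions made for illustration. The checks encode three points: the default policy must deny in both directions, not only towards the office; no allowed conduit may link office and automation directly, it must terminate in the DMZ; and anything allowed into the protected zone must name a protocol and port.

```python
from collections import namedtuple

# One firewall rule between two zones; proto/port "any" means unrestricted.
Rule = namedtuple("Rule", "src dst proto port action")
ZONES = {"unsecure", "dmz", "protected"}   # office/enterprise, DMZ, automation cell


def audit(rules, default_policy):
    """Check a ruleset against the zone model. Returns a list of findings (empty = passed)."""
    findings = []
    # 1. Default policy must deny in BOTH directions between office and automation.
    for src, dst in (("unsecure", "protected"), ("protected", "unsecure")):
        if default_policy.get((src, dst), "allow") != "deny":
            findings.append(f"default policy {src}->{dst} is not deny")
    for r in rules:
        if r.src not in ZONES or r.dst not in ZONES:
            findings.append(f"unknown zone in rule {r}")
            continue
        if r.action != "allow":
            continue
        # 2. No allowed conduit may link office and automation directly; it must terminate in the DMZ.
        if {r.src, r.dst} == {"unsecure", "protected"}:
            findings.append(f"direct {r.src}->{r.dst} conduit bypasses the DMZ: {r}")
        # 3. Anything allowed into the protected zone must name protocol and port.
        if r.dst == "protected" and "any" in (r.proto, r.port):
            findings.append(f"over-broad allow into protected zone: {r}")
    return findings


# Constructed "today's solution": the firewall protects the office against the
# automation network, while the automation network itself is wide open.
WEAK_POLICY = {("protected", "unsecure"): "deny"}
WEAK_RULES = [
    Rule("unsecure", "protected", "any", "any", "allow"),   # office may reach every PLC
    Rule("protected", "dmz", "tcp", 4840, "allow"),
]

# Constructed corrected ruleset: every flow terminates in the DMZ and is explicit.
GOOD_POLICY = {("unsecure", "protected"): "deny", ("protected", "unsecure"): "deny"}
GOOD_RULES = [
    Rule("unsecure", "dmz", "tcp", 443, "allow"),         # office users read the DMZ historian/web front end
    Rule("dmz", "protected", "tcp", 4840, "allow"),       # DMZ historian collects from the OPC UA server
    Rule("unsecure", "dmz", "tcp", 3389, "allow"),        # remote access lands on a DMZ jump host ...
    Rule("dmz", "protected", "tcp", 3389, "allow"),       # ... and only the jump host reaches the cell
    Rule("unsecure", "protected", "any", "any", "deny"),  # explicit catch-all on top of the default policy
]

if __name__ == "__main__":
    for name, rules, policy in (("weak", WEAK_RULES, WEAK_POLICY), ("corrected", GOOD_RULES, GOOD_POLICY)):
        print(name, audit(rules, policy) or "OK")
```

The weak ruleset produces three findings (missing deny towards the automation zone, a conduit bypassing the DMZ, and an over-broad allow); the corrected one passes. A real audit would read the rules from the firewall's export format instead of literals, but the checks are the same.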

Application Whitelisting

Challenges
• In 90% of attacks in 2014, old vulnerabilities that already had patches available were leveraged, some of which were more than a decade old¹
• The total number of zero-day vulnerabilities increased exponentially in recent years²: 2013: 23; 2014: 24 (+4%); 2015: 54 (+125%), more than one per week

Our Solution
• With an application whitelisting application, only trusted applications are allowed to run on the computer systems. These applications are maintained in a positive list (whitelist). It prevents execution of unknown applications and executables such as malware or unwanted applications.
• The application whitelisting application must be approved for use with the automation and process control software products in question, such as SIMATIC PCS 7, WinCC and SINUMERIK³.

¹ Source: CNN Money. ² Source: Symantec. ³ Selected SINUMERIK 840D PCU50.X versions.
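The following is an added example (not the whitelisting product referred to above) showing the core decision such a positive list makes: an executable runs only if its path is on the list and its contents still hash to the approved value. Paths and file contents are constructed stand-ins for real binaries. The second attempt shows why the list must carry hashes and not just paths: a trojanized file dropped over the approved one would pass a path-only check.

```python
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_allowlist(approved):
    """approved: {path: bytes of the approved build}. Returns the positive list {path: sha256}."""
    return {path: sha256_hex(contents) for path, contents in approved.items()}


def is_allowed(allowlist, path, contents):
    """Allow execution only if the path is listed AND the file still hashes to the approved value."""
    expected = allowlist.get(path)
    return expected is not None and hmac.compare_digest(expected, sha256_hex(contents))


def decide(allowlist, attempts):
    """Evaluate execution attempts [(path, contents)] and return [(path, allowed)]."""
    return [(path, is_allowed(allowlist, path, contents)) for path, contents in attempts]


# Constructed approved builds (stand-ins for real executables).
HMI = r"C:\Program Files\Vendor\hmi.exe"
NOTEPAD = r"C:\Windows\System32\notepad.exe"
APPROVED = {HMI: b"approved HMI build 1.2", NOTEPAD: b"notepad build"}
ALLOWLIST = build_allowlist(APPROVED)

# Constructed execution attempts: the approved binary, a replaced binary at the
# trusted path (a path-only whitelist would let it run), and an unknown download.
ATTEMPTS = [
    (HMI, APPROVED[HMI]),
    (HMI, b"trojanized hmi.exe dropped over the original"),
    (r"C:\Users\operator\Downloads\update.exe", b"whatever"),
]

if __name__ == "__main__":
    for path, ok in decide(ALLOWLIST, ATTEMPTS):
        print("ALLOW" if ok else "BLOCK", path)
```

Updating the list is part of patch management: every approved update of the HMI software means a new hash entry, which is why the slide ties whitelisting approval to specific product versions.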

Antivirus

Challenges
• The total number of vulnerabilities in 2015 reflects a 77% increase compared to 2011¹
• Almost one million never-before-seen malware samples are released every day²
• More than 550 million malware samples had been released in 2016 at the time of writing³
• Information technologies are used in industrial automation; the number of open standards and PC-based systems has increased enormously in recent years

Solution
• Antivirus software protects systems and single files from virus infections, trojans and other malware by using continuously updated signature files.
• The antivirus application must be approved for use with the Siemens software products in question, such as SIMATIC PCS 7, WinCC or TIA Portal.

¹ Source: Risk Based Security 2016. ² Source: Symantec. ³ Source: AV-Test.

Industrial Anomaly Detection – Transparency of communication with your production assets

• Transparency over data exchange within the plant networks provides continuous and proactive identification of changes (anomalies) in the system
• Correlation of the current traffic against your own baseline of normal operation allows the detection of anomalies in the network, including advanced deep packet inspection
• Automated asset identification to assist in risk analysis and mitigation
• Aligned with the requirements of standards, regulations and acts to protect critical infrastructure
• Use of an advanced machine learning system, so the detection rate is enhanced over time
• 100% passive monitoring oversees the plant network without impact on the monitored systems

Anomaly Detection Software
• Many professional vendors as well as open-source solutions
• Considerations: maturity, scalability, stability, support, development approach (IEC 62443-4-1 and IEC 62443-4-2), intrusion detection for OT-network-specific issues
• Typical capabilities: OT network graph, asset insights, attack detection, root cause analysis, reporting
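An added example of the baseline idea described above (illustrative code, not any vendor's anomaly detection product): a baseline of assets and conversations is learned from flow records captured during normal operation, and a later window is compared against it to report new assets, new conversations and volume spikes. The flow records are constructed; the port numbers are the standard ones for S7comm (TCP 102), Modbus/TCP (TCP 502) and OPC UA (TCP 4840). Real deployments learn from a span tap or mirror port, which is what makes the monitoring passive.

```python
from collections import defaultdict

# Flow record: (src_ip, dst_ip, proto, dst_port, packets) summarised over one window.
# Constructed baseline of normal operation in one automation cell.
BASELINE_FLOWS = [
    ("10.10.1.10", "10.10.1.50", "tcp", 102, 300),    # engineering station -> PLC (S7comm)
    ("10.10.1.20", "10.10.1.50", "tcp", 502, 120),    # HMI -> PLC (Modbus/TCP)
    ("10.10.1.20", "10.10.1.60", "tcp", 502, 110),    # HMI -> second PLC
    ("10.10.2.5", "10.10.1.50", "tcp", 4840, 800),    # DMZ historian -> PLC OPC UA server
]

# Constructed later window: normal traffic plus an unknown host talking S7comm to
# both PLCs and a sudden burst on the HMI -> PLC Modbus conversation.
CURRENT_FLOWS = [
    ("10.10.1.10", "10.10.1.50", "tcp", 102, 280),
    ("10.10.1.20", "10.10.1.60", "tcp", 502, 115),
    ("10.10.2.5", "10.10.1.50", "tcp", 4840, 790),
    ("10.10.1.99", "10.10.1.50", "tcp", 102, 40),
    ("10.10.1.99", "10.10.1.60", "tcp", 102, 40),
    ("10.10.1.20", "10.10.1.50", "tcp", 502, 900),
]


def learn_baseline(flows):
    """Assets seen and, per conversation, the largest packet count seen in one window."""
    assets = set()
    conversations = defaultdict(int)
    for src, dst, proto, port, packets in flows:
        assets.update((src, dst))
        key = (src, dst, proto, port)
        conversations[key] = max(conversations[key], packets)
    return {"assets": assets, "conversations": dict(conversations)}


def detect(baseline, flows, volume_factor=3):
    """Compare a window against the baseline; returns de-duplicated findings in order of appearance."""
    findings = []
    for src, dst, proto, port, packets in flows:
        key = (src, dst, proto, port)
        for ip in (src, dst):
            if ip not in baseline["assets"]:
                findings.append(("new_asset", ip))
        if key not in baseline["conversations"]:
            findings.append(("new_conversation", key))
        elif packets > volume_factor * baseline["conversations"][key]:
            findings.append(("volume", key, packets))
    seen, unique = set(), []
    for f in findings:
        if f not in seen:
            seen.add(f)
            unique.append(f)
    return unique


if __name__ == "__main__":
    baseline = learn_baseline(BASELINE_FLOWS)
    for finding in detect(baseline, CURRENT_FLOWS):
        print(*finding)
```

The unknown host 10.10.1.99 appears once as a new asset and twice as new conversations (one per PLC it probes on the S7comm port), and the Modbus burst exceeds three times the baseline maximum. Replaying the baseline window against itself yields nothing, which is the sanity check to run before trusting any threshold.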

Manage Security – For a comprehensive, always up-to-date industrial security solution

Manage Security means the continuous monitoring and renewal of implemented measures through our centralized services.

Industrial Security Monitoring

Scenario (figure): joint IT / OT / IoT security monitoring and operation
• Data gathering: customer data sources (IT, OT and IoT) feed a SIEM event receiver
• Correlation and aggregation: SIEM manager
• Analysis of security events: 1st and 2nd level SOC (customer service operation)
• Root cause analysis and forensics: 3rd level virtual SOC (vSOC) for IT, OT and IoT
• Root cause elimination: at the customer, by the service operation

Industrial Vulnerability Management Process

Challenge
• Every day new software vulnerabilities get reported
• Currently manufacturers and operators struggle to identify whether the automation products they manufacture or use are affected

Goal
Provide relevant security information to enable manufacturers and operators of automation technology to proactively manage their cyber risks.

Current solutions
• Manual checking of different web pages of providers of automation technology (e.g. on the Siemens web page https://www.siemens.com/cert/en/cert-security-advisories.htm)
• Customers need to compare the findings on these web pages against the lists of software components in their products or in the automation environment

Considerations
• High manual effort and consequently neglect of already officially reported vulnerabilities
• Customers stay unaware of the real threat and consequently do not trigger proactive measures (e.g. patching)

Industrial Vulnerability Management – application example
• Definition of which software components to monitor
• Notifications in case of detected vulnerabilities
• Risk-based management of vulnerabilities and possible patches

Patch Management – Managing critical updates in Microsoft products

Challenge
• Patches contribute toward stable system operation and/or eliminate known security vulnerabilities. Regular and prompt installation of patches is a vital element of a comprehensive security concept
• Patching with an incompatible patch can cause unplanned downtime

Goal
Support operations by testing automation software against Microsoft security and critical patches when new patches are released, in order to check the compatibility of the PCS 7 software with these patch classifications¹, and by providing metadata about approved patches at the customer site.

Common approach
• The customer has to release the Microsoft patches manually on a WSUS, based on the Siemens SIMATIC PCS 7 compatibility Excel sheet
• No patching is performed at all, or no WSUS server is used and patches are downloaded directly by the endpoints

Weak points of the common approach
• Possibility of system disruption due to missing consideration of compatibility, or failures due to manual work
• Need to manually check for an updated Excel sheet on the Siemens website
• Labor-intensive process (recurring monthly)

¹ Only "Security Patches" and "Critical Patches" are necessary to ensure that SIMATIC PCS 7 operation is secure and stable.

Patch Management – Managing vulnerabilities and critical updates in Microsoft products

Solution
• Solution designed combining security know-how with process control expertise
• Fully automatic release of patch information (only metadata, no automatic installation, to avoid plant downtime)
• Reduction of manual work on-site
• Reduced probability of wrong implementation of patches
• Reduced consequences that might impact plant availability
• Timely release of patches after tests are finished (approx. 2 weeks after the Microsoft patch day)
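The two manual steps described above, matching advisories against the plant's software inventory and deciding which patches may be released, are small enough to show in code. This added example is illustrative and is not the Siemens vulnerability management or patch management service. The inventory, the advisories (placeholder identifiers, not real advisories) and the patch records are constructed. Versions are compared numerically with the common "affected if installed version is below the fixed version" rule, and an advisory with no fixed version yet matches every installed version. The classification filter encodes the footnote on Security and Critical patches; "Security Updates" and "Critical Updates" are assumed here to be the WSUS classification names those correspond to, and `compatible` stands in for the entry in the PCS 7 compatibility sheet.

```python
def vtuple(version):
    """'8.1.2' -> (8, 1, 2) so that versions compare numerically, not lexically."""
    return tuple(int(p) for p in version.split("."))


# Constructed inventory of software components in the automation environment.
INVENTORY = [
    {"asset": "OS-1", "product": "ProductA", "version": "8.1.2"},
    {"asset": "ES-1", "product": "ProductA", "version": "9.0.0"},
    {"asset": "HMI-2", "product": "ProductB", "version": "15.1"},
    {"asset": "HMI-3", "product": "ProductC", "version": "2.0"},
]

# Constructed advisories; IDs are placeholders. fixed_in=None means no fix is available yet.
ADVISORIES = [
    {"id": "ADV-0001", "product": "ProductA", "fixed_in": "9.0.0", "severity": 8.8},
    {"id": "ADV-0002", "product": "ProductB", "fixed_in": "16.0", "severity": 5.3},
    {"id": "ADV-0003", "product": "ProductC", "fixed_in": None, "severity": 7.5},
]

# Constructed patch metadata as it would be released to the customer's WSUS.
PATCHES = [
    {"kb": "KB0000001", "classification": "Security Updates", "compatible": True},
    {"kb": "KB0000002", "classification": "Feature Packs", "compatible": True},
    {"kb": "KB0000003", "classification": "Critical Updates", "compatible": False},
    {"kb": "KB0000004", "classification": "Critical Updates", "compatible": True},
]

RELEASABLE_CLASSIFICATIONS = {"Security Updates", "Critical Updates"}


def is_affected(item, advisory):
    if item["product"] != advisory["product"]:
        return False
    if advisory["fixed_in"] is None:          # nothing to upgrade to: every version is affected
        return True
    return vtuple(item["version"]) < vtuple(advisory["fixed_in"])


def affected_assets(inventory, advisories):
    """[(advisory_id, asset, severity)] for every affected component, highest severity first."""
    hits = [(adv["id"], item["asset"], adv["severity"])
            for adv in advisories for item in inventory if is_affected(item, adv)]
    return sorted(hits, key=lambda h: -h[2])


def releasable(patches):
    """KB numbers that may be approved on WSUS: right classification AND tested compatible."""
    return [p["kb"] for p in patches
            if p["classification"] in RELEASABLE_CLASSIFICATIONS and p["compatible"]]


if __name__ == "__main__":
    for adv_id, asset, severity in affected_assets(INVENTORY, ADVISORIES):
        print(f"{asset}: affected by {adv_id} (severity {severity})")
    print("approve on WSUS:", releasable(PATCHES))
```

ES-1 already runs the fixed version and is not listed; KB0000002 is excluded by classification and KB0000003 by the compatibility test, which is the case that causes unplanned downtime when patches are approved by hand.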

Incident Handling – Fast reaction upon security-relevant threats

Team of experts
• Root-cause analysis performed by experts for industrial security
• Analysis of root cause and criticality

Incident Handling Report
• Report including suggestions on how to clean the affected systems
• What shall I do with the system?
• What protects me in the future?

Ukrainian power grid cyberattack – A forensic analysis based on ISA/IEC 62443

Information from publicly available resources.

Phase 1: Malware and spear phishing (Source: isa.org)
Phase 2: Preparing the attack, network scans and "APT" (Source: isa.org)
Phase 3: The attack (Source: isa.org)

Analysis
• Seems easy to detect: significant network activities, activities on multiple systems
• Normal network activity? Volume of traffic

IEC 62443 assessment
• IEC 62443-3-3: 51 system requirements (SRs) in 7 foundational requirements (FRs)
• SL-A (achieved security level) estimation: approx. half of the SRs could be estimated; overall SL-A = 0
• Takeaways: do not aim for a high SL in only some areas; keep controls in place to ensure the SL-A; plan for contingency actions
• SR 6.2 (continuous monitoring) at SL 2 could have prevented the attack!

Thank you for your attention!

Matjaž Demšar, Digital Industries Customer Services

+386 31 684 810 [email protected]

Subject to changes and errors. The information given in this document only contains general descriptions and/or performance features which may not always specifically reflect those described, or which may undergo modification in the course of further development of the products. The requested performance features are binding only when they are expressly agreed upon in the concluded contract. All product designations, product names, etc. may contain trademarks or other rights of Siemens AG, its affiliated companies or third parties. Their unauthorized use may infringe the rights of the respective owner.

siemens.com/industrial-security-services

Questions and Answers

Chapter 5

Survey and discussion

Rok Koren

Mobile: +386 (51) 681 455 [email protected]