Adaptive Cybersecurity Solutions for OT Shop Floor Protection
Steven Hsu, Product Marketing Director

WHO WE ARE: Adaptive Solution

A joint venture company of two parent companies (logos not reproduced)

• 30+ years of cybersecurity threat intelligence
• 30 years of OT network expertise
• OT-focused threat defense technology and expertise

Keep the Operation Running

ICS Threat Overview: OT was under significant cyber attack in 2020

The 10 industries most targeted by ransomware attacks in 2020 (number of ransomware detections, source: Trend Micro 2020 Annual Cybersecurity Report):

  Government          31,906
  Banking             22,082
  Manufacturing       17,071
  Healthcare          15,701
  Finance              4,917
  Education            4,578
  Technology           4,216
  Food and beverage    3,702
  Oil and gas          2,281
  Insurance            2,002

Manufacturing, the industry this talk is about, is third on the list.

Typical ICS Attack Method

[Diagram: a typical ICS network, top to bottom: control center network (Level 3: historian, MES, OPC client, servers, EWS), backbone network, control system network (Levels 1 and 2: HMI, EWS, PLC, firewall) and field bus (Level 0: PLCs). Threat vectors drawn against it: insider threat, an unmanaged notebook, a contaminated USB drive, a bot, an advanced persistent threat, and ransomware.]

ICS Cybersecurity Weakness: How and Why

The nature of ICS: variance, volume, vastitude

Networks
• ICS proprietary protocols
• The existing architecture was not designed with security as a central purpose

Endpoints
• Diversity of operating systems
• Mixture of legacy and modern devices
• Seldom updated

Top operating systems in the manufacturing industry

  Windows 7        60.2%   EOL
  Windows 10       28.9%
  Windows 8.1       5.%
  Windows XP        4.4%   EOL
  Windows XP 64     0.5%   EOL
  Windows 8         0.4%   EOL
  Windows Vista     0.2%   EOL
  Windows 2000      0.1%   EOL

EOL = end of life as of this presentation (2021): the vendor no longer ships security patches for these versions, and together they run roughly two thirds of the endpoints surveyed.

Source: Trend Micro, Securing Smart Factories: Threats to Manufacturing Environments in the Era of Industry 4.0

Variant ICS Protocols

More than 69 OT protocols, many of them vendor-specific, are in use across process automation, industrial control systems, building automation and power-system automation. A protocol-aware security control has to understand each of them; a port-based firewall sees none of their commands.

1-Wire, AS-i, BACnet, BatiBUS, BSAP, C-Bus, CAN bus, CANopen, CC-Link, CEBus, CIP, ControlNet, DALI, DeviceNet, DF-1, DirectNET, DNP3, DSI, DyNet, EHS, EIB, EnOcean, EtherCAT, Ethernet Global Data (EGD), EtherNet/IP, FINS, FIP (Factory Instrumentation Protocol), FOUNDATION fieldbus (H1, HSE), GE SRTP, HART Protocol, Honeywell SDS, HostLink, IEC 60870-5, IEC 60870-6, IEC 61850, IEC 62351, INTERBUS, IO-Link, KNX, LonTalk, MECHATROLINK, MelsecNet, MTConnect, oBIX, OPC DA, OPC HDA, OPC UA, PieP, PROFINET, RAPIEnet, SERCOS interface, SERCOS III, SynqNet, TTEthernet, VSCP, xAP, xPL, Z-Wave, ZigBee

Source: https://en.wikipedia.org/wiki/List_of_automation_protocols

As a result, OT/ICS is highly vulnerable

• Worms and malware are brought in by intentional or unintentional insiders (a contaminated USB drive, an unmanaged notebook)
• A massive number of complex and critical assets, many of them running legacy or end-of-life operating systems
• Misuse of PLCs, and unknown (uninventoried) assets
• Legacy assets living in mixed-generation systems
• Flat network: no segmentation; in many cases the whole plant is one big flat Layer 2 network
• Absent patching: it is difficult to run a patching and update process, for several practical reasons

ICS Segmentation Overview

ICS Segmentation: a brief history

Three tiers of approach: the traditional air gap, Zones & Conduits with the Purdue model, and the Zero-Trust model.

1. Traditional approach
• Air-gapped concept
• Basic network segmentation

2. Zones & Conduits (introduced in ANSI/ISA-99 in 2007, which also introduced the DMZ)
Zone: a grouping of logical or physical assets that share common security requirements (ANSI/ISA-99.01.01-2007, 3.2.116).
Conduit: a path for the flow of information between two zones.
Rules:
• A zone can have sub-zones.
• A zone can have more than one conduit.
• A conduit can be used for two or more zones to communicate with each other.
• A conduit cannot traverse more than one zone.
Limitations:
• It relies on the conduit: segmentation is very easy to break because the zones share the same network control.
• The amount and diversity of operating systems within the same zone keeps growing as assets are added.
• It is difficult to apply the same security requirement to every asset in a zone.

[Diagram: IT/Enterprise zone, OT/Operation DMZ (maintenance server, patch server, application server), Zone A (SCADA server, historian, HMI, MES, RTUs) and Zone B (PLCs), joined by conduits such as Modbus and OPC UA.]

3. Purdue model
Levels, top to bottom: Level 4/5 IT/enterprise network; industrial DMZ; Level 3 manufacturing operation and control (site); Level 2 supervisory control; Level 1 cell/area control; Level 0 process. IoT devices attach through IoT gateways.
What it requires:
• ICS network appliances play a very important role in the setup.
• A network administrator is required for configuration.
• ICS network appliances need to be upgraded.
• The ICS network architecture needs to be modified.
• Segmentation is extended with VLANs, routing, firewalls or SDN.

4. Zero-Trust model
• Micro-segmentation, versus the segmentation concept introduced for the perimeter
• A trust model based on least privilege
• Trust-list (allow-list) approach to policy management
• Zero-Trust access applies to both endpoints and networks
• The network architecture follows business or operation intention: operation-centric defense
• Management effort is spread across multiple assets (endpoints, networks)
• ROI will continually be the main decision driver for asset owners

Network segmentation: why does it matter in OT/ICS?
[Diagram: the same plant network with segmentation and without segmentation.]
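The zero-trust idea above (every permitted inter-zone flow is a conduit on a trust list, everything else is denied) can be checked mechanically against flow records. The Python below is an added example, not code from the slides or from TXOne's products; the zone address ranges, the conduits and the sample flows are constructed for the example, and the zone names follow the Purdue levels of the previous slide.

```python
import ipaddress
from dataclasses import dataclass

# Constructed zones (addresses are made up for this example), named after the
# Purdue levels on the slides: enterprise (L4/5), DMZ, site operations (L3),
# supervisory control (L2) and two cell/area zones (L1).
ZONES = {
    "enterprise":  "10.10.0.0/16",
    "dmz":         "10.20.0.0/24",
    "site_ops":    "10.30.0.0/24",
    "supervisory": "192.168.1.0/24",
    "cell_a":      "192.168.10.0/24",
    "cell_b":      "192.168.11.0/24",
}


@dataclass(frozen=True)
class Conduit:
    """One permitted path between two zones, restricted to one service."""
    src: str
    dst: str
    proto: str
    port: int
    label: str


# Trust list: every allowed inter-zone flow is an explicit conduit; a flow that
# matches no conduit is denied (default deny, the least-privilege posture of the
# zero-trust model).
CONDUITS = [
    Conduit("enterprise",  "dmz",         "tcp", 443,  "ERP reads reports from the DMZ"),
    Conduit("dmz",         "site_ops",    "tcp", 443,  "patch server pushes updates to site"),
    Conduit("site_ops",    "supervisory", "tcp", 4840, "MES talks to SCADA over OPC UA"),
    Conduit("supervisory", "cell_a",      "tcp", 502,  "HMI polls cell A PLCs (Modbus/TCP)"),
    Conduit("supervisory", "cell_b",      "tcp", 502,  "HMI polls cell B PLCs (Modbus/TCP)"),
]


def zone_of(ip: str):
    """Return the zone containing ip, or None for an unknown (uninventoried) asset."""
    addr = ipaddress.ip_address(ip)
    for name, cidr in ZONES.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    return None


def evaluate(src_ip: str, dst_ip: str, proto: str, port: int):
    """Return (verdict, reason) for one flow under the conduit trust list."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None:
        return "deny", f"unknown asset {src_ip}"
    if dst is None:
        return "deny", f"unknown asset {dst_ip}"
    if src == dst:
        return "allow", f"intra-zone traffic in {src}"
    for c in CONDUITS:
        if (c.src, c.dst, c.proto, c.port) == (src, dst, proto, port):
            return "allow", f"conduit: {c.label}"
    # Distinguish a wrong service on a known conduit from a flow between zones
    # that have no conduit at all: the latter is what lateral movement looks like.
    if any((c.src, c.dst) == (src, dst) for c in CONDUITS):
        return "deny", f"{proto}/{port} is not on the {src}->{dst} conduit trust list"
    return "deny", f"no conduit from {src} to {dst} (possible lateral movement)"


# Constructed flow records (src_ip, dst_ip, proto, port), as a network tap would see them.
SAMPLE_FLOWS = [
    ("192.168.1.10", "192.168.10.5", "tcp", 502),  # HMI -> cell A PLC
    ("192.168.10.5", "192.168.11.5", "tcp", 502),  # PLC -> PLC in another cell
    ("10.10.5.20",   "192.168.10.5", "tcp", 502),  # enterprise host straight to a PLC
    ("192.168.1.10", "192.168.10.5", "tcp", 22),   # HMI -> PLC over SSH
    ("172.16.0.9",   "192.168.10.5", "tcp", 502),  # address in no zone: unmanaged notebook
]


def audit(flows=SAMPLE_FLOWS):
    """Return the denied flows with their reasons; everything else conformed to policy."""
    return [(f, reason) for f in flows
            for verdict, reason in [evaluate(*f)] if verdict == "deny"]


if __name__ == "__main__":
    for flow, reason in audit():
        print(f"DENY {flow[0]} -> {flow[1]} {flow[2]}/{flow[3]}: {reason}")
```

Run against the constructed flows, only the first (HMI polling its own cell's PLC over the declared Modbus conduit) is allowed; the PLC-to-PLC flow and the enterprise-to-PLC flow are flagged as lateral movement, SSH on an existing conduit is refused as a service not on its trust list, and the notebook whose address belongs to no zone is denied as an unknown asset.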

Network segmentation is strongly emphasized in the following ICS standards:
• IEC 62443
• NIST SP 800-82
• NERC CIP

Network Segmentation Benefits

Security purpose:
• Risk mitigation
• Prevent lateral movement
• Outbreak prevention

Management purpose:
• Deal with massive IoT adoption
• Future private 5G connection
• Zero Trust network

Preventing unknown attacks with network segmentation and virtual patching

Zero-day vulnerability: the patch is not yet available, or is not compatible with legacy applications or operating systems, yet the mean-time-to-patch deadline still has to be met.

Get a handle on the vulnerability:
• Patch: apply it when one is available
• Network segmentation: risk mitigation by isolating the vulnerable devices
• Virtual patch: block exploitation of the vulnerability on the wire

COVID-19 as an analogy for an unknown attack: segmentation

A zero-day attack exploits a vulnerability for which no fix exists yet. Quarantine and self-isolation limit the spread of a virus when there is no cure; segmentation limits the spread of an attack when there is no patch.

[Image: quarantine and self-isolation protocols, https://www.tlu.edu/covid-updates/staying-healthy-on-campus/quarantine-and-self-isolation-protocols]

COVID-19 as an analogy for an unknown attack: virtual patch
• Mask = virtual patch: protection before the vaccine is available
• Vaccine = patch: upgrade your system for future immunity

Network Segmentation: why is it so hard in ICS?

IT network segmentation does not work in ICS

1. VLANs
• Complicated and time-consuming setup
• Chance of missing a configuration

2. Routing
• A NOC is needed
• Network issues are difficult to troubleshoot
• Configuration is only possible during maintenance windows

3. Firewall
• Does not support the many proprietary OT protocols and their commands
• Cannot automate a new segmentation when one is needed

4. SDN
• Expensive: the entire network architecture has to change

All of these require changing the existing OT network architecture. Manufacturers of different scales need different segmentation methods, and for a large-scale manufacturer re-architecting the network for segmentation is a mission impossible.

How TXOne can help: Best Practices for ICS Cybersecurity Resilience

• Network Segmentation: risk mitigation, outbreak containment
• Virtual Patch: shield vulnerable assets, detect lateral movement
• Trust List: unknown-attack prevention
• Periodic Inspection: auditing, inbound and outbound malware inspection
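The firewall limitation noted earlier (a port filter passes TCP/502 without understanding what the Modbus command does) and the virtual-patch practice above come together in protocol-aware inspection. The Python below is an added example and not TXOne's Edge series code: it parses the Modbus/TCP MBAP header and function code, enforces a per-source function-code trust list, and drops malformed or out-of-specification requests before they reach a legacy PLC stack. The source addresses, the policy and the sample frames are constructed for the example; the function codes and quantity limits are those of the Modbus application protocol specification.

```python
import struct

# Modbus function codes (from the Modbus application protocol specification).
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    8: "Diagnostics", 15: "Write Multiple Coils", 16: "Write Multiple Registers",
    43: "Read Device Identification",
}
READ_CODES = {1, 2, 3, 4, 43}
WRITE_CODES = {5, 6, 15, 16}

# Constructed trust list: which source may send which function codes to the PLC.
# The addresses are made up for the example.
POLICY = {
    "192.168.1.10": READ_CODES | WRITE_CODES,        # HMI: reads and writes
    "192.168.1.20": READ_CODES | WRITE_CODES | {8},  # EWS: also diagnostics
    "192.168.1.30": READ_CODES,                      # historian: read only
}


def parse_modbus_tcp(payload: bytes):
    """Parse the MBAP header and function code of one Modbus/TCP request."""
    if len(payload) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto_id, length, unit, fc = struct.unpack(">HHHBB", payload[:8])
    if proto_id != 0:
        raise ValueError(f"protocol id {proto_id} is not Modbus")
    # The length field counts the unit id plus the PDU, i.e. everything after byte 6.
    if length != len(payload) - 6:
        raise ValueError(f"length field {length} does not match frame size {len(payload)}")
    return {"tid": tid, "unit": unit, "fc": fc, "data": payload[8:]}


def inspect(src_ip: str, payload: bytes):
    """Return ("allow"|"drop", reason) for a request from src_ip to the PLC."""
    try:
        frame = parse_modbus_tcp(payload)
    except ValueError as err:
        # Malformed frames are dropped before they reach a fragile legacy stack.
        return "drop", f"malformed frame: {err}"
    allowed = POLICY.get(src_ip)
    if allowed is None:
        return "drop", f"{src_ip} is not on the trust list"
    fc = frame["fc"]
    name = FUNCTION_NAMES.get(fc, "unknown")
    if fc not in allowed:
        return "drop", f"{src_ip} may not send FC{fc} ({name})"
    if fc in (1, 2, 3, 4):
        # Read requests carry a 16-bit start address and a 16-bit quantity; the
        # specification caps the quantity at 2000 coils/inputs or 125 registers.
        if len(frame["data"]) != 4:
            return "drop", f"FC{fc} request has {len(frame['data'])} data bytes, expected 4"
        _start, qty = struct.unpack(">HH", frame["data"])
        limit = 2000 if fc in (1, 2) else 125
        if not 1 <= qty <= limit:
            return "drop", f"FC{fc} quantity {qty} outside 1..{limit}"
    return "allow", f"FC{fc} ({name}) from {src_ip} to unit {frame['unit']}"


# Constructed frames: transaction id, protocol id 0, length, unit id, PDU.
HMI_READ        = bytes.fromhex("0001 0000 0006 01 03 0000 000a")  # read 10 holding registers
HISTORIAN_WRITE = bytes.fromhex("0002 0000 0006 01 06 0010 00ff")  # write register 16 := 255
OVERSIZED_READ  = bytes.fromhex("0003 0000 0006 01 03 0000 00fa")  # read 250 registers
TRUNCATED       = bytes.fromhex("0004 0000 0100 01 03")            # claims 256 bytes follow

if __name__ == "__main__":
    for src, frame in [("192.168.1.10", HMI_READ), ("192.168.1.30", HISTORIAN_WRITE),
                       ("10.10.5.20", HMI_READ), ("192.168.1.10", OVERSIZED_READ),
                       ("192.168.1.10", TRUNCATED)]:
        print(src, *inspect(src, frame))
```

A plain TCP/502 firewall rule would pass all five sample frames. Here the historian's write is refused because its role is read-only, the enterprise host is refused because it is not on the trust list at all, and the oversized read and the truncated frame are dropped as out-of-specification input, which is the shielding a virtual patch provides for a device that cannot be patched.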

Adaptive ICS Cybersecurity Solutions for Shop Floor Protection

• Security Inspection: hassle-free, installation-free malware inspection
• Network Defense: the Edge series, industrial IPS in multiple form factors
• Endpoint Protection: the Stellar series, all-terrain NGAV and lockdown

Example: helping several medical centers deal with vulnerable legacy modalities

• Hardening the modalities
• Virtual patch shields the legacy-OS endpoints
• Network segmentation reduces the remaining attack surface

[Diagram: the segmented hospital network: Guest Network LAN, Business Office LAN, Data Center, Clinical Service LAN, Biomedical Engineering Modality LAN, Remote Access LAN.]

Contact us if you have more questions about OT/ICS network segmentation. © 2021