Adaptive Cybersecurity Solutions for OT Shop Floor Protection
Steven Hsu, Product Marketing Director

WHO WE ARE
Adaptive Solution: a joint venture company of two partners (shown only as logos on the original slide), combining 30+ years of cybersecurity threat intelligence and threat defense with 30 years of OT network expertise. OT-focused expertise and technology: keep the operation running.

ICS Threat Overview
OT was under significant cyber attack in 2020. The 10 industries most targeted by ransomware attacks in 2020 (Trend Micro 2020 Annual Cybersecurity Report):
Government 31,906
Banking 22,082
Manufacturing 17,071
Healthcare 15,701
Finance 4,917
Education 4,578
Technology 4,216
Food and beverage 3,702
Oil and gas 2,281
Insurance 2,002

Typical ICS Attack Method
[Diagram: Control Center (Level 3: EWS, HMI, Historian, MES, OPC Client, Server) behind a firewall on the Network Backbone; Control System Network (Levels 1 and 2: EWS, HMI, PLC); Field Bus (Level 0: PLC). Entry points shown: insider threats, unmanaged notebook, contaminated USB, bot, advanced persistent threat, ransomware.]

ICS Cybersecurity Weakness – How and Why
The nature of ICS: variance, volume, vastitude.
Networks:
• ICS proprietary protocols
• Existing architecture is not designed for a security-centric purpose
Endpoints:
• Diversity of OS
• Mixture of legacy and modernized devices
• Seldom updated

Top operating systems in the manufacturing industry (source: Trend Micro, Securing Smart Factories: Threats to Manufacturing Environments in the Era of Industry 4.0):
Windows 7 60.2% (EOL)
Windows 10 28.9%
Windows 8.1 5.% [digit lost in extraction]
Windows XP 4.4% (EOL)
Windows XP 64 0.5% (EOL)
Windows 8 0.4% (EOL)
Windows Vista 0.2% (EOL)
Windows 2000 0.1% (EOL)

Variant ICS Protocols
More than 69 proprietary OT protocols across process automation, industrial control systems, building automation and power-system automation (https://en.wikipedia.org/wiki/List_of_automation_protocols):
AS-i, 1-Wire, BACnet, BatiBUS, BSAP, C-Bus, CAN bus, CANopen, CC-Link Industrial Networks, CEBus, CIP, ControlNet, DALI, DeviceNet, DF-1, DirectNET, DNP3, DSI, DyNet, EHS, EIB, EnOcean, EtherCAT, Ethernet Global Data (EGD), EtherNet/IP, Ethernet Powerlink, Factory Instrumentation Protocol, FINS, FIP, FOUNDATION fieldbus (H1, HSE), GE SRTP, HART Protocol, Honeywell SDS, HostLink, IEC 60870-5, IEC 60870-6, IEC 61850, IEC 62351, INTERBUS, IO-Link, KNX, LonTalk, MECHATROLINK, MelsecNet, Modbus, MTConnect, oBIX, OPC DA, OPC HDA, OPC UA, Optomux, PieP, PROFIBUS, PROFINET, RAPIEnet, SERCOS interface, SERCOS III, Sinec H1, SynqNet, TTEthernet, VSCP, X10, xAP, xPL, Z-Wave, ZigBee

As a result, OT/ICS is so vulnerable
• Legacy assets: a massive number of complex and critical assets, a mixture of systems including legacy and EOL operating systems
• Unknown attack: worm/malware brought in, or misuse of PLCs and assets by intentional or unintentional insiders
• Flat network: no network segmentation; in many cases the whole network is one big flat L2 network
• Patching absent: difficult to conduct the patching and updating process due to several practical reasons

ICS Segmentation Overview
ICS Segmentation – a brief history: the Zones & Conduits model, the Purdue model and the Zero-Trust model.

Zones & Conduits model
• Traditional three-tier approach: IT/Enterprise, DMZ, OT/Operation
• Air-gapped concept – introduces the DMZ
• Zones and conduits as basic network segmentation for the control network – introduced in the ANSI/ISA-99 security standard
• Zone: grouping of logical or physical assets that share common security requirements (ANSI/ISA99.01.01-2007-3.2.116)
• Conduit: a path for the flow of information between two zones
• Difficult to deploy the same security requirement within one zone as the number of assets and the diversity of OS increase
• Relying on conduit segmentation alone is very easy to break
[Diagram: IT/Enterprise (Patch Server, Application Server, MES); DMZ; OT/Operation (Maintenance Server, Historian, SCADA, HMI); Zone A (RTUs) and Zone B (PLCs) reached through a Modbus conduit.]

Purdue model
• Extends the zones and conduits concepts
• A zone can have sub-zones
• A zone can have more than one conduit
• A conduit cannot traverse more than one zone
• A conduit can be used for two or more zones to communicate with each other
• ICS network appliances play very important roles: VLANs, routing, firewall or SDN
• ICS network architecture needs to be modified
• ICS network appliances need to be upgraded
• A network administrator is required for configuration and setup
[Diagram: Level 4/5 IT/Enterprise network (Patch Server, Application Server, MES); Level 3 Industrial DMZ and Manufacturing Operation & Control at the site (Maintenance Server, Historian); Level 2 Cell/Area Supervisory Controls (SCADA, HMI; Zone A and Zone B with Modbus and OPC UA conduits); Level 1 Control (IoT Gateway, RTUs, PLCs); Level 0 Process.]

Zero-Trust model
• Based on least-privilege access, applied to both endpoints and networks
• A micro-segmentation concept has been introduced for perimeter-centric defense
• Trust-list approach for policy management
• It is more related to business or operational intention than to the network architecture
• Solutions across multiple asset owners (endpoints, networks)
• Management effort vs. operational continuity
• ROI will be the main decision factor for asset owners
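As an added example (not from the deck or any TXOne product), the following Python models the zone-and-conduit rules above as a trust list and audits constructed flow records against it, flagging cross-zone traffic that has no conduit (lateral movement), protocols not trusted on a conduit, and conduits that skip a sub-zone's enclosing zone. Zone names, the asset inventory, the protocol sets and the reading of "a conduit cannot traverse more than one zone" are all my assumptions.

```python
"""Zone-and-conduit trust-list check (added example; all data is constructed)."""

# Zones from the slides; a sub-zone maps to its enclosing zone, a top-level zone to None.
PARENT = {"IT/Enterprise": None, "DMZ": None, "OT/Operation": None,
          "Zone A": "OT/Operation", "Zone B": "OT/Operation"}
# Asset -> zone membership (constructed inventory).
ASSETS = {"MES": "DMZ", "Historian": "OT/Operation", "HMI": "OT/Operation",
          "RTU-1": "Zone A", "PLC-1": "Zone B", "Laptop-7": "IT/Enterprise"}
# Conduits form the trust list: each joins exactly two zones and names the
# only protocols permitted on that path (least privilege).
CONDUITS = {
    ("IT/Enterprise", "DMZ"): {"https"},
    ("DMZ", "OT/Operation"): {"opc-ua"},
    ("OT/Operation", "Zone A"): {"modbus"},
    ("OT/Operation", "Zone B"): {"modbus", "opc-ua"},
}

def conduit_violations(conduits=CONDUITS):
    """Conduits that bypass a sub-zone's enclosing zone. This is my reading
    of 'a conduit cannot traverse more than one zone' (an assumption)."""
    bad = []
    for a, b in conduits:
        for inner, outer in ((a, b), (b, a)):
            parent = PARENT[inner]
            if parent and outer != parent and PARENT[outer] != parent:
                bad.append((a, b))
                break
    return bad

def allowed(src_asset, dst_asset, proto):
    """Verdict (permitted, reason) for one observed flow."""
    src, dst = ASSETS.get(src_asset), ASSETS.get(dst_asset)
    if src is None or dst is None:
        return False, "unknown asset"  # unmanaged notebook, rogue device
    if src == dst:
        return True, "intra-zone"  # same zone, same security requirements
    protos = CONDUITS.get((src, dst)) or CONDUITS.get((dst, src))
    if protos is None:
        return False, f"no conduit {src} -> {dst}"  # lateral movement
    if proto not in protos:
        return False, f"{proto} not trusted on conduit {src} -> {dst}"
    return True, "conduit"

def audit(flows):
    """Denied (src, dst, proto, reason) rows for a list of flow records."""
    verdicts = [(s, d, p, *allowed(s, d, p)) for s, d, p in flows]
    return [(s, d, p, why) for s, d, p, ok, why in verdicts if not ok]
```

Feeding the flow records exported by a firewall or IPS through audit() gives the deny list that a flat L2 network would never produce, since there every asset can reach every other one.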
Network segmentation – why does it matter in OT/ICS?
[Diagram: the same plant network with segmentation and without segmentation.]
Network segmentation has been highly addressed in the following ICS standards:
• IEC 62443
• NIST SP 800-82
• NERC CIP
Network segmentation benefits
• Security purpose: risk mitigation, preventing lateral movement, outbreak prevention
• Management purpose: dealing with massive future IoT adoption, private 5G connection, zero trust network

Preventing the unknown attack by network segmentation and virtual patch
• Zero-day vulnerability: the patch is not available, or not compatible with legacy apps / OS
• Meet your Mean Time To Patch deadline
• Get a handle on the vulnerability while the patch is unavailable:
  – Virtual patch: prevent vulnerability exploit attacks
  – Network segmentation: risk mitigation by isolating vulnerable devices

COVID-19 as the example for the unknown attack
• Segmentation: a zero-day attack through a vulnerability is contained the way an infection is, by quarantine and self-isolation (https://www.tlu.edu/covid-updates/stayinG-healthy-on-campus/quarantine-and-self-isolation-protocols)
• Virtual patch: the mask, used before a vaccine is available
• Patch: the vaccine, upgrading your system for future immunity

Network Segmentation – why is it so hard in ICS
IT network segmentation does not work in ICS:
1 VLANs
• Complicated and time-consuming setup
• Chance of misconfiguration
2 Routing
• A NOC is needed
• Difficulty in network issue troubleshooting and commands
3 Firewall
• Does not support the many proprietary OT protocols
• Configuration only available during maintenance windows
4 SDN
• Expensive to change the entire network architecture
• Not able to automate when new segmentation is needed
All of these require changing the existing OT network architecture. Manufacturers of different scale require different network segmentation methods, and for the large-scale manufacturer network segmentation is a mission impossible. How can TXOne help?
Best Practices for ICS Cybersecurity Resilience
• Network segmentation: risk mitigation, containment
• Periodical inspection: auditing, inbound and outbound malware inspection
• Virtual patch: shield vulnerable assets, detect lateral movement
• Trust list: unknown attack prevention

Adaptive ICS Cybersecurity Solutions for Shop Floor Protection
• Security Inspection: hassle-free, installation-free malware inspection
• Network Defense: the Edge series, industrial IPS in multiple form factors
• Endpoint Protection: the Stellar series, all-terrain NGAV and lockdown

Example – helping several medical centers deal with vulnerable legacy modalities
• Hardening the modalities
• Virtual patch shields legacy-OS endpoints
• Network segmentation to reduce other attack surfaces
[Diagram: segmented LANs – Guest Network LAN, Business Office LAN, Data Center, Clinical Service LAN, Biomedical Engineering Modality LAN, Remote Access LAN.]

Contact us if you have more questions about OT/ICS network segmentation. © 2021