Cybersecurity on IoT… · Security Strategy in Industrial Automation Systems…
Cybersecurity on IoT
Bruno Mariath Zeidan, CCIE#6646
IoT Solutions Executive, Latin America
16 June 2016
Cisco Confidential
IoT Regional Forum / São Paulo
Cisco Confidential 2 © 2013-2014 Cisco and/or its affiliates. All rights reserved.
• Introduction
• Current security challenges in the industrial environment
• Effective strategies for managing security in industrial networks
• Demo: Cisco threat management platform for industrial environments
Quiz: What is the best strategy for protecting an industrial network?
a) "Air gap"? (physical separation between the networks)
b) Put it in a concrete bunker at least 2 m thick, 15 metres underground, surrounded by Israeli military forces, and operated by Tibetan monks following German instructions?
c) None of the above.
The reality of industrial networks today…
Remote access to automation networks (PCN) is a reality, whether for operational efficiency or business need (e.g. BI)
Direct or indirect connectivity to the Internet
Shift from proprietary solutions to commercial off-the-shelf products
Adoption of IT technologies:
Windows/Intel
TCP/IP and Web
Wireless connectivity
Vulnerable control devices and protocols
Limited security knowledge
Focus on availability and reliability at the expense of security
Breaking News!
Yet another malware family targeting industrial systems, published 2 June 2016
Sources:
http://thehackernews.com/2016/06/irongate-stuxnet-malware.html
http://securityintelligence.com/news/new-ics-malware-irongate-channels-stuxnet-to-scam-scada-systems/
Security incidents against process control systems
Source: Repository of Industrial Security Incidents 2011
• Represents a global data set from critical infrastructure asset owners
• 103 total cyber incidents reported from industrial companies
• 20% of incidents intentional attacks – 50% from outside
• 80% unintended disruptions – 50% from device failures
• Vast majority of reported cyber incidents accidental in nature
• Primary threat was non-intentional malware through USB media
• Unintentional 80%, intentional 20%
Source: DHS Security Cyber Incident Report 2013 (October 2012 – May 2013)
• Information specific to US critical infrastructure sectors
• ~2019 total cyber incidents reported to DHS for response
• 111 (53%) of incidents from energy asset owners (O&G, Power)
• 2010: 41 incidents reported (18 from Energy sector)
• Clear upward trend in cyber incidents in Energy sector
Challenges
The cost of compliance and security for operations is too high
Large-scale standardisation is needed, but the resources and labour to implement it are scarce
Visibility and control are low; security teams are "flying by instruments" without any information about the environments
Security controls and solutions are hard to implement and maintain
Risk of recurring and costly problems without adequate forensic analysis tools
Automation vendors require access to systems through third-party/proprietary tools
Defence Strategies
Cisco's View
OLD PARADIGM → NEW PARADIGM
• Integration of IT security solutions (ineffective in addressing the ICS-specific challenges, not cost-effective) → Creation of platforms specific to the industrial (ICS) environment: leverage characteristics of ICS networks for effective security and operational benefits; integrate security as part of the operations; dramatically enhance visibility into ICS networks
• Perimeter security (perimeter is too porous, no real detection capabilities within the perimeter) → Pervasive security (post-perimeter era): introduce a new security paradigm for ICS; improve availability and security by truly understanding native ICS networks
NATIVE SECURITY FABRIC
Security Strategy in Industrial Automation Systems
[Diagram: control matrix across the lifecycle PLAN · BUILD · RUN · MONITOR · MANAGE, phases Before · During · After, and columns Organize · Harden · Detect · Respond · Defend]
Controls shown: System Patches; Network Segmentation; Anti-virus; Incident Response; Proactive Monitoring; Security Monitoring; IPS / Signatures; Threat Defense; Disaster Recovery; Backup and Restore; Continuous Improvement; White & Blacklisting; Security Log Collection and Management; Anomaly Detection; Malware Detection; Intrusion Detection; Security Policy; Virtualization; Encryption; KPIs and Analytics; Location Awareness; Process Inventory; Assessments; Change Management; Education & Awareness; Dashboards & Reporting; PCN Access & Control; Physical Security; Industrial Wireless; Portable Media Security; Secure Storage; Asset Inventory & Management
Addresses the most significant attack vectors within Industrial Automation Systems by establishing required controls associated with best-of-breed security practices
Secure Ops
Next-generation cyber security, risk management and compliance solution for critical infrastructure
Designed to support implementation & maintenance of security controls
Forms a foundational technology platform; provides a "building block" approach to implementing desired security controls
Allows central leadership to understand risks and make informed investment decisions
Supported and embraced by ICS engineering partners
The definitive solution for security and compliance management in the industrial environment
Cisco Secure Ops Solution: end-to-end security for OT (automation technology) environments
Increased system availability via SLOs · E2E OT cyber security · System-wide compliance visibility & enforcement · Orderable now
Verticals: Defense, Energy-Utility, City, Manufacturing, Oil and Gas, Mining, Transportation
Delivers people, process and technology to solve OT security:
• Passive asset discovery (both open and proprietary OT protocols) at Levels 1-3.5 (Purdue Model) – all OS types
• Centralized information repository for visualization, reporting and evidence collection
• Single pane of glass for cyber security, risk management, and compliance across all sites and assets
• Risk management
• Secure access to ICS/SCADA networks and devices
• Contextually aware anomaly detection of IP and non-IP protocols using deep packet inspection (including fieldbus)
Secure Ops: modular offer and operating model
Baseline Building Blocks:
• Security Assessment Services: snapshot-in-time asset discovery and inventory; identify risks & vulnerabilities; quantify risk ($); make recommendations; residual risk ($)
• Foundation: Secure Ops Platform + Asset Discovery & Inventory: provide ongoing (continuous) visibility of the environment via asset discovery & inventory; support desk, people and process integration; SLO/SLA measurement, tracking and reporting; implement and maintain requisite risk/security controls, depending on risks and vulnerabilities within the environment
Modules:
• Secure Access (secure remote access for contractors/employees)
• Security Intelligence & Response (monitoring/DPI, contextual awareness)
• Compliance Monitoring & Reporting (compliance to internal security policies)
• Secure Distribution (AV, patching, etc.)
Adjacent services: Assessments; Security Optimization
Flexible commercial models: asset ownership; hosting; consumption models
[Diagram: Secure Ops deployment architecture]
Secure Ops : SecureSite (virtualized servers in the I-DMZ; some services may reside outside the I-DMZ depending on deployment choice): wireless, anomaly detection, remote access, asset inventory, patching, anti-virus, fieldbus sensor, hypervisor, file transfer services, log collection, terminal server, asset management
DCS & operational business systems in the control center(s)/room(s): engineer workstations, operator workstations, domain controller, DCS, power monitoring, SCADA, historian, MES (virtualized/non-virtualized), application servers, remote access; control room operational aggregation and control room aggregation
Secure Ops : SecureCenter (data or operations centre): Secure Ops dashboard, identity services, log collection, AAA/TACACS, patching, anti-virus, SourceFire, hypervisor, file transfer services, Active Directory, SIEM/SOC integration, compliance reporting, proactive monitoring, anomaly detection; dashboard access for 3rd party, enterprise and remote worker via the Internet
Secure Ops : Satellite Site (virtualized servers): voice & incident response, physical security, control center(s)/room(s), fieldbus sensor, historian, HMI, controller
Plant networks: wired process control (controllers, historian, HMI, instrumentation, PLC, remote I/O); wired safety critical; facility operational networks aggregation / facility network aggregation (instrumentation, controller, PLC, motors & drives, metering, IED, LM/LV protection, historian, HMI, power management); wired multiservice networks (CCTV/video, access control, voice, data); managed services / operations centre with NOC dashboard
IT/OT Converged Security Model
[Diagram: the model laid out on the Purdue reference levels]
Zones shown: Enterprise, Levels 4-5 (Internet, core networks); DMZ, Level 3.5; Control Center, Level 3; Supervisory, Level 2; Control & Safety, Level 1; Device, Level 0; Process Control & Safety Networks alongside Multiservice Networks; Operational Telecoms - LAN/Field
Components shown: legacy RTU; wireless sensor; sensor, motor starter, valve, drive, pump, breaker, power monitor, actuator, instrumentation, safety systems; historian, HMI, power room; controllers (safety, process, power); serial/hardwired, process Ethernet, multiservice Ethernet, WAN, wireless; CCTV, access control, voice, mobile worker, fleet, RFID, printer; SCADA System head-end; operator & engineer workstations; Process Automation System server; process historian / distributed historian; application servers; operational business systems; Safety & Security; Manufacturing Execution System (MES); Distributed Control System (DCS); PCN domain controller; DMZ domain controller; site identity services; centralized log collection; compliance center; remote engineering via secure TPA; historian; vendor-qualified anti-virus; vendor-qualified patching; terminal services; asset inventory. SIEM collection points are marked throughout the model.
Asset Discovery and Inventory
[Diagram: the same IT/OT converged model (Purdue Levels 0 to 4-5 with the DMZ at Level 3.5, process control & safety networks, and the same components as the previous slide), with SIEM collection points marked throughout]
Passive discovery:
• Solution passively reads traffic off a SPAN/mirror port and sensors on the fieldbus; covers both IP and serial networks
• Passive asset discovery on all assets at Levels 1-3 (Purdue Model) – all OS types
• Covers both open and proprietary ICS-specific protocols: DNP3, Ethernet/IP, CIP, OPC-UA, Modbus, IEC 61850, BACnet, ProfiBus, TCP/IP, SNMP, SSH, HTTP, telnet, ftp, SMB/CIFS, and others
• Attributes discovered in passive mode: MAC/physical address, IP (or equivalent ID for serial), name, OS, protocols, vendor, type of equipment
Active query:
• Uses WMI and SNMP queries
• Any attribute that could be queried could be discovered, e.g. services running, software installed, patches installed, AV versions, etc. (list is customizable)
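As an added example (not Cisco's or the Secure Ops product's code), the passive side of this discovery in Python: it reads constructed SPAN-port packet headers, keys the inventory on the MAC address (the first attribute the slide lists), labels protocols from well-known service ports (44818 is the EtherNet/IP port shown later on the "Sight/Insight" slide) and raises the "New Asset Detected" and "IP Conflict" events that the demo slides list. All MACs, IPs and headers are constructed.

```python
"""Passive asset discovery over mirrored packet headers (constructed sample)."""
from dataclasses import dataclass, field

# Well-known service ports -> protocol label (public IANA/vendor assignments).
KNOWN_PORTS = {44818: "EtherNet/IP", 502: "Modbus/TCP", 20000: "DNP3", 4840: "OPC-UA"}


@dataclass
class Asset:
    mac: str                                   # physical address: the stable identity
    ip: str
    protocols: set[str] = field(default_factory=set)   # e.g. "EtherNet/IP:server"


@dataclass
class Inventory:
    by_mac: dict[str, Asset] = field(default_factory=dict)
    ip_owner: dict[str, str] = field(default_factory=dict)   # ip -> first MAC seen with it

    def observe(self, src_mac, src_ip, dst_mac, dst_ip, dst_port) -> list[tuple[str, str]]:
        """Learn from one mirrored header; return (event, detail) pairs raised by it."""
        events = []
        proto = KNOWN_PORTS.get(dst_port, f"tcp/{dst_port}")
        for mac, ip, role in ((src_mac, src_ip, "client"), (dst_mac, dst_ip, "server")):
            asset = self.by_mac.get(mac)
            if asset is None:                  # first packet ever seen from this MAC
                asset = self.by_mac[mac] = Asset(mac, ip)
                events.append(("new_asset", f"{mac} {ip}"))
            owner = self.ip_owner.setdefault(ip, mac)
            if owner != mac:                   # one IP, two physical addresses
                events.append(("ip_conflict", f"{ip} claimed by {owner} and {mac}"))
            asset.protocols.add(f"{proto}:{role}")
        return events


# Constructed sample: (src_mac, src_ip, dst_mac, dst_ip, dst_port) as a SPAN port would show.
SAMPLE_PACKETS = [
    ("00:11:22:33:44:01", "10.10.3.161", "00:11:22:33:44:02", "10.10.3.177", 44818),
    ("00:11:22:33:44:01", "10.10.3.161", "00:11:22:33:44:02", "10.10.3.177", 44818),
    ("00:11:22:33:44:03", "10.10.3.177", "00:11:22:33:44:01", "10.10.3.161", 502),
]


def run(packets):
    """Feed headers through a fresh inventory; return (inventory, all events)."""
    inv, events = Inventory(), []
    for pkt in packets:
        events.extend(inv.observe(*pkt))
    return inv, events


if __name__ == "__main__":
    inventory, found = run(SAMPLE_PACKETS)
    print(*inventory.by_mac.values(), *found, sep="\n")
```

The third header makes a new MAC claim an IP already owned by the PLC's MAC, which is exactly the spoofing-style situation a MAC-keyed inventory catches and an IP-keyed one silently overwrites.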
The Solution: OT VISIBILITY & INSIGHT · PROCESS INTEGRITY · CYBER SECURITY · OPERATIONAL EXCELLENCE · EFFICIENCY
There's Sight. And There's Insight.
Network visibility: IP 10.10.3.177 ↔ IP 10.10.3.161, known port: 44818
ICS visibility: PLC, Serial No. 00987DBF, Model No. 1756-ENBT/A; command: Read Current, Frequency; WinCC 13.0; FieldBus; IED, IED
Contextual awareness (operations & security): the same PLC, WinCC 13.0, FieldBus and IEDs, plus logic change, E/IP values, spoofing, anomalous behavior
ICS insights & threat intelligence: WinCC 13.0 vulnerable - CVE-2015-2823; switch misconfiguration; slow connection; call home attempt
Demo
Main Dashboard
Asset Drilldown
Asset Management, Sorted by IP
Abnormal Traffic Event
IP Conflict Event
New Asset Detected Event
PLC Update Event
Malicious Port Scanning Event
Man-In-The-Middle Attack Event
Remote Access – User View
Remote Access – User Requesting Access
Remote Access – Remote User Session
Remote Access – Session Recording
Compliance Monitoring & Reporting Overview
Compliance – Individual Endpoint Patch Status
Compliance – Endpoint Patch Status Report
Conclusion
Security challenges are growing and will keep demanding resources
A new approach, with a holistic view of security in the industrial environment, is needed
Deep experience in all 3 disciplines is fundamental: automation (OT) engineering + networking/IT + security
Flexible consumption models transfer risk away from automation operators
Proven experience in the standardised implementation of security controls, cyber security and compliance on a cost-efficient, "future proof" platform
Questions?
Thank you!