BRKIOT-2112
Securing the Internet of Things
How
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
cs.co/ciscolivebot#BRKIOT-2112
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
The IoT pillars
While these pillars represent disparate technology, purposes, and challenges, what they all share are
the vulnerabilities that IoT devices introduce.
Agenda
Connected objects complexity
Who is responsible?
• User
• Owner
• Manufacturer
• Internet Service Provider
• Cloud solution provider
Enterprise IoT
• (Partially) controlled environment
• Security policies for objects (should) exist
• Cloud access security policies (should) exist
• but...
• Consumer objects may be connected by users
• Insecure objects get hacked in devious ways
Commercial Buildings Digitization
Enterprise IoT (EIoT) in Cisco Smart & Connected Real Estate:
• Lighting
• HVAC
• Energy/Metering
• Physical Security
• Inventory
• Sensors
• Appliances
Major trend: low-voltage transition, IP convergence, IoT-enabled applications
IoT protocols, many options…

| | EnergyWise | CoAP | MQTT | XMPP |
|---|---|---|---|---|
| End device OS support | Any, OpenRTOS | Contiki, RIOT, TinyOS, mbed, iOS, Android | POSIX, Windows, OSX, OpenWRT | Linux, iOS, Android, Windows |
| Transport protocol | TCP/UDP | UDP | TCP | TCP |
| Standard | Proprietary & Open | Open | Open | Open |
| Development community | Cisco & Partners | Cisco, ARM, Eclipse, libcoap | Eclipse, Mosquitto/Paho | Allseen alliance |
| Implementation languages | C, Java | C, Java, Python, Go, C#, Ruby, Lua, Haskell, TCL, JS | C, Java, Python, C++ | C, Java, Perl, Ruby, PHP, Lisp, Python |
| Standards body | Cisco / IETF | IETF | OASIS | IETF |
| Security | PSK, TLS | DTLS | TLS | TLS |
| Industry adoption trend | Cisco, Cisco partners | ARM, Cisco, Ericsson, Huawei, Alcatel-Lucent | IBM, Elecsys, Philips, Eurotech | Qualcomm, Allseen, Cisco |

• IoT still evolving
• Multiple protocols emerging for IoT
• Open source and open standards for widespread adoption
• CoAP gaining traction in the industry

The transport security in the table is optional in every case: MQTT brokers listen in plaintext on TCP 1883 unless TLS (8883) is configured, CoAP without DTLS is plain UDP 5683 (coaps is 5684), and a pre-shared key that is identical across a whole fleet stops protecting anything once one device has been opened up.
Security Threats
Service disruption
• Vulnerabilities on endpoints
• Vulnerabilities on management applications (i.e. control/monitoring)
• Endpoints that support only MAB (MAC Authentication Bypass): MAC spoofing risk
Unauthorized network access
• Potential network entry point
• Unauthorized PoE devices
Traditional threats
• IP/MAC spoofing
• MAC flooding
• DHCP related attacks
• DDoS
• DNS poisoning
• MITM
• Snooping of control traffic
Industrial Control Systems
Assets We need to Protect

| Asset | Description | Examples and Notes |
|---|---|---|
| Supervisory Workstations | Collect information from industrial assets and present the information for supervisory purposes. | Unlike an HMI, a supervisory workstation is primarily read-only. |
| Other Assets | Many other devices may be connected to an industrial network. | For example, printers can be connected directly to a control loop. |
Convergence of IT and OT
The Rigid Silos between IT and OT
Cyber-Security IT/OT Convergence
Industrial Networks: Manufacturing +
Where are these Protocols Found ?
(Diagram: the industrial protocols grouped into those running over TCP/IP and those running over a FieldBus.)
CIP (Common Industrial Protocol) over Ethernet
• Developed in the late 1990s by Rockwell
• Now under the control of ODVA; the Ethernet encapsulation is known as EtherNet/IP (port 0xAF12, i.e. TCP/UDP 44818)
• Object-oriented approach
• Designed to be media-independent
• Frame layout: Ethernet Header | IP Header | TCP/UDP Header | CIP Payload | CRC
• As shown here CIP carries no authentication or encryption; any host on the segment can talk to the CIP devices. The TLS/DTLS-based CIP Security profile that ODVA added later is a separate extension that devices must explicitly support.
Profibus and Profinet (Profibus over Ethernet)
Modbus
• Modbus is the oldest and perhaps the most widely deployed industrial control protocol.
• Modbus is a request/response protocol using only three distinct PDUs: Request, Response, and Exception Response.
• Modbus TCP uses TCP/IP to transport Modbus commands and messages over Ethernet-based routable networks.
• Modbus is typically deployed between PLCs and HMIs, or between a Master PLC and slave devices such as PLCs, drives, sensors, and other I/O devices.
• The protocol has no authentication or integrity protection: any host that can reach a slave on TCP port 502 can read and write its coils and registers, so segmentation and monitoring of who issues writes are the controls that actually matter.
• Frame layout (Modbus TCP over Ethernet): Ethernet Header | IP Header | TCP/UDP Header | Payload (MBAP header + Modbus PDU)
(Diagram: an HMI and a PLC (Master) exchanging Modbus TCP over Ethernet with slave devices.)
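As an added example that is not part of the Cisco deck, the following Python decodes the Modbus/TCP frame structure described above (MBAP header, then the Request/Response/Exception Response PDU) and flags write function codes that come from a host other than the designated master, which is the monitoring control the slide calls for given that Modbus itself cannot authenticate anyone. The sample frames, the documentation-range addresses and the allowed-master list are constructed for the example.

```python
import struct

# Modbus function codes that change process state. Modbus has no authentication,
# so a write from an unexpected host is the event worth alerting on.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}


def parse_modbus_tcp(adu: bytes) -> dict:
    """Decode one Modbus/TCP ADU: a 7-byte MBAP header followed by the PDU.

    MBAP = transaction id (2) | protocol id (2, always 0) | length (2) | unit id (1).
    The length field counts every byte after itself, i.e. unit id + PDU.
    """
    if len(adu) < 8:
        raise ValueError("ADU too short for an MBAP header plus function code")
    txn_id, proto_id, length, unit_id = struct.unpack(">HHHB", adu[:7])
    if proto_id != 0:
        raise ValueError(f"protocol id {proto_id} is not Modbus (expected 0)")
    if length != len(adu) - 6:
        raise ValueError(f"MBAP length {length} does not match ADU of {len(adu)} bytes")
    pdu = adu[7:]
    raw_fc = pdu[0]
    info = {
        "transaction": txn_id,
        "unit": unit_id,
        "function": raw_fc & 0x7F,
        # A slave reports an error with the Exception Response PDU: the function
        # code with its high bit set, followed by a one-byte exception code.
        "exception": bool(raw_fc & 0x80),
    }
    fc = info["function"]
    if info["exception"]:
        info["exception_code"] = pdu[1] if len(pdu) > 1 else None
        info["kind"] = "exception"
    else:
        if fc in (5, 6) and len(pdu) >= 5:                    # single write: address, value
            info["address"], info["value"] = struct.unpack(">HH", pdu[1:5])
        elif fc in (1, 2, 3, 4, 15, 16) and len(pdu) >= 5:    # address, quantity
            info["address"], info["count"] = struct.unpack(">HH", pdu[1:5])
        info["kind"] = ("write" if fc in WRITE_FUNCTIONS
                        else "read" if fc in READ_FUNCTIONS else "other")
    return info


def audit_writes(flows, allowed_masters):
    """Return (src, unit, description) for each write not issued by an allowed master.

    `flows` yields (source_ip, adu_bytes) pairs as a SPAN/NetFlow collector would
    hand them over; `allowed_masters` is the set of HMI/master addresses that are
    supposed to write to the PLCs.
    """
    alerts = []
    for src, adu in flows:
        info = parse_modbus_tcp(adu)
        if info["kind"] == "write" and src not in allowed_masters:
            name = WRITE_FUNCTIONS[info["function"]]
            alerts.append((src, info["unit"], f"{name} at address {info['address']}"))
    return alerts


# Constructed sample frames (not a real capture); hosts use documentation addresses.
READ_HOLDING = bytes.fromhex("0001 0000 0006 01 03 0000 000a")   # unit 1: read 10 holding registers from 0
WRITE_COIL_ON = bytes.fromhex("0002 0000 0006 01 05 0013 ff00")  # unit 1: set coil 19 to ON (0xFF00)
EXCEPTION_RSP = bytes.fromhex("0002 0000 0003 01 85 02")         # unit 1: fc 5 failed, illegal data address

SAMPLE_FLOWS = [
    ("192.0.2.10", READ_HOLDING),   # the HMI polling: expected
    ("192.0.2.10", WRITE_COIL_ON),  # the HMI writing: expected
    ("192.0.2.99", WRITE_COIL_ON),  # an unknown host writing: should alert
    ("192.0.2.20", EXCEPTION_RSP),  # the PLC answering with an exception
]

if __name__ == "__main__":
    for alert in audit_writes(SAMPLE_FLOWS, allowed_masters={"192.0.2.10"}):
        print("ALERT", alert)
```

The MBAP length check matters in practice: a frame whose length field disagrees with the bytes on the wire is either a broken stack or someone probing the parser, and either way it should not be decoded as if it were valid.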
OPC (OLE for Process Control)
• OPC is a suite of protocols that collectively enable Process Control Systems to communicate using Microsoft's Object Linking and Embedding (OLE) architecture.
• Originally OPC was DCOM-based (Windows-to-Windows RPC), though it has since been updated to OPC-UA (Unified Architecture) and OPC-XI (Express Interface). However, legacy OPC systems remain heavily deployed.
• OPC is typically used as a gateway between fieldbus protocols and Windows-based computing networks.
• OPC inherits security risks and vulnerabilities from Windows. Classic (DCOM) OPC additionally needs TCP 135 plus a dynamic RPC port range opened between client and server, which is why it is so hard to firewall tightly.
DNP3
• DNP3 is mainly used between master control stations (the SCADA control center with its HMI and historian) and remote slave devices (e.g. RTUs and IEDs in sub-stations).
• DNP3 was originally a serial (layer-2) protocol and now also runs over TCP/IP (typically using TCP or UDP port 20000).
• DNP3 is very reliable, while remaining efficient and well-suited for real-time data transfer.
• DNP3 is bi-directional and supports exception-based reporting.
• Secure DNP3 (DNP3 Secure Authentication) is a DNP3 variant that adds authentication to the request/response process; it authenticates critical requests but does not encrypt the traffic.
• IEEE adopted DNP3 as IEEE Std 1815-2010 on 23 July 2010 (IEEE Std 1815-2012 is the latest).
IEC 60870-5-104
• Standard for power system monitoring, control and associated communications for telecontrol, teleprotection, and associated telecommunications for electric power systems.
• IEC TS 60870-5-7 defines security extensions, including authentication and end-to-end encryption, but they are rarely implemented because of the added complexity; in practice IEC 104 traffic on TCP port 2404 is unauthenticated plaintext.
Common SCADA Security Issues
• Weak access controls to the HMI and other equipment
• No separation of duty between the operator, administrator and audit roles
• Little or no password management
Purdue Reference Model – Like OSI for Manufacturing
• Level 5: Enterprise Network (Enterprise Zone)
• Level 4: Site Business Planning and Logistics Network (Enterprise Zone)
• Level 3: Site Manufacturing Operations and Control (Manufacturing Zone)
OT Security Challenges
Summary : Holistic View of Vertical Segments
(Illustrative chart comparing vertical segments by their mix of IT (Info Tech) and OT (Oper Tech); the bars read 100% IT, 90% IT, 90% IT, 70% IT, 60% IT, 60% IT, 30% IT and 30% IT, with the Level 5 Enterprise Network at the 100% IT end. Top two verticals: Manufacturing and Healthcare.)
Agenda
October 21st, 2016
Netflix, Twitter, Amazon, AirBnb, Spotify, NYT, Box, PayPal, …
Who is Dyn? (pronounced [ˈdaɪn])
Authoritative & Recursive DNS
(Diagram: you, looking for Twitter.com, ask a recursive resolver such as your ISP's, OpenDNS or Google DNS, which in turn queries the authoritative servers for the domain, hosted at DynDNS.)
Why Did Dyn Fail
• A large network of compromised devices (493,000 IoT devices such as cameras and DVRs infected by Mirai) was used to flood Dyn's servers with traffic.
• In particular, servers used as part of Dyn's enterprise offerings were targeted.
• Dyn wasn't able to handle the additional traffic, and its servers either stopped responding or responses were substantially delayed.
MIRAI Architecture overview
The MIRAI Botnet
• Reconnaissance phase
• Reporting of potential victims
• Malicious payload insertion
• Attack capabilities
Infection spreading mechanism
• scanner.c looks for targets using a random IP address generator
• It tries to log in to the remote device over telnet using a list of hardcoded credentials
• Once access is successfully granted, it sends back a report of the victim
• The new remote device is infected with the malicious payload
• The new remote device connects to the C&C
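The scanning step above leaves a very recognisable trace on the victim: a burst of failed telnet logins against factory-default usernames from one source, then a success. As an added example that is not part of the Cisco deck or of the Mirai source, the following Python runs that detection over a constructed telnet log. The log line format, the documentation-range addresses and the subset of default usernames are assumptions for the example; adapt the regular expression to the daemon you actually have.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Usernames of the kind found in scanner.c's hardcoded credential table.
# An illustrative subset, not the full list from the leaked source.
DEFAULT_ACCOUNTS = {"root", "admin", "support", "user", "guest", "service", "supervisor"}

# Assumed log line format for a telnet daemon; real devices differ.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) telnetd\[\d+\]: login (?P<result>ok|failed) "
    r"for '(?P<user>[^']+)' from (?P<src>[\d.]+)$"
)

# Constructed sample log (not from a real device); sources are documentation addresses.
SAMPLE_LOG = """\
2016-10-21T11:02:13Z telnetd[812]: login failed for 'root' from 198.51.100.7
2016-10-21T11:02:14Z telnetd[812]: login failed for 'admin' from 198.51.100.7
2016-10-21T11:02:15Z telnetd[812]: login failed for 'support' from 198.51.100.7
2016-10-21T11:02:16Z telnetd[812]: login ok for 'root' from 198.51.100.7
2016-10-21T11:05:40Z telnetd[812]: login ok for 'operator' from 10.0.0.5
2016-10-21T11:09:01Z telnetd[812]: login failed for 'root' from 203.0.113.9
2016-10-21T11:15:30Z telnetd[812]: login failed for 'root' from 203.0.113.9
2016-10-21T11:22:07Z telnetd[812]: login failed for 'root' from 203.0.113.9
"""


def parse_log(text):
    """Return [(timestamp, src, user, success)] for every line matching LOG_RE."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["src"], m["user"], m["result"] == "ok"))
    return events


def detect_scanners(text, threshold=3, window=timedelta(seconds=60)):
    """Flag sources that behave like scanner.c: `threshold` or more failed logins
    inside any `window` from one IP. Also reports whether a success followed the
    failures, which is the point at which the report/infect steps would start.

    Returns {src: {"failures": n, "default_users": set, "compromised": bool}}.
    """
    by_src = defaultdict(list)
    for ev in parse_log(text):
        by_src[ev[1]].append(ev)

    findings = {}
    for src, events in by_src.items():
        events.sort()
        failures = [e for e in events if not e[3]]
        # Largest number of failures inside any sliding window of `window` length.
        burst, start = 0, 0
        for i, ev in enumerate(failures):
            while ev[0] - failures[start][0] > window:
                start += 1
            burst = max(burst, i - start + 1)
        if burst < threshold:
            continue  # slow, spread-out failures: a typo, not a credential list
        first_failure = failures[0][0]
        findings[src] = {
            "failures": len(failures),
            "default_users": {e[2] for e in failures} & DEFAULT_ACCOUNTS,
            "compromised": any(e[3] and e[0] > first_failure for e in events),
        }
    return findings


if __name__ == "__main__":
    for src, finding in detect_scanners(SAMPLE_LOG).items():
        print(src, finding)
```

With the default one-minute window only 198.51.100.7 is reported, and it is marked compromised because a login succeeded right after the burst; 203.0.113.9 fails three times but spread over twenty minutes, so it is only flagged if the window is widened. A device that still exposes telnet with the default password will of course be found regardless of how good the detection is, which is why the "Securing the IoT" slide starts at the admin password.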
Available attacks
• Straight up UDP flood
• Valve source engine query flood
• DNS water torture
• SYN flood with options
• ACK flood
• ACK flood to bypass mitigation devices
• GRE IP flood
• GRE Ethernet flood
• Plain UDP flood optimized for speed
• HTTP Layer 7 Flood
Securing the IoT
• On the device : firmware, admin
password, physical access, …
• Between device and infrastructure :
encryption, RF communication
• Infrastructure : Stealthwatch,
Umbrella, Cloudlock, …
Smartcache in use during authoritative DNS DDoS attack against Dyn
(Diagram: a client queries Umbrella / OpenDNS at 208.67.222.222 for Twitter; 2) OpenDNS tries to reach Twitter's authoritative DNS servers hosted by Dyn; when they do not answer, SmartCache serves the last known good answer from its cache instead of failing the query.)
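The "Why Did Dyn Fail" and SmartCache slides together describe one mechanism: a recursive resolver that keeps answering from an expired cache entry while the authoritative side is being flooded. The Python below is an added illustration of that idea, not Umbrella's or Dyn's code; it implements the rule that the serve-stale RFC (RFC 8767) later standardised, with a fake authoritative server and a fake clock so the Dyn scenario can be replayed offline. The record for twitter.com, its TTL and the stale limit are constructed values.

```python
import time


class UpstreamUnavailable(Exception):
    """Raised by the upstream lookup when the authoritative servers do not answer."""


class ServeStaleCache:
    """Recursive-resolver cache that keeps answering from expired entries while
    the authoritative side is unreachable (the idea behind RFC 8767 "serve stale").

    `lookup(name)` is the upstream query: it returns (rrset, ttl_seconds) or
    raises UpstreamUnavailable. `clock` is injectable so the scenario can be replayed.
    """

    def __init__(self, lookup, max_stale=24 * 3600, clock=time.time):
        self.lookup = lookup
        self.max_stale = max_stale      # how long past expiry a stale answer may be used
        self.clock = clock
        self.cache = {}                 # name -> (rrset, expires_at)

    def resolve(self, name):
        """Return (rrset, status) with status in {"hit", "refreshed", "stale"}."""
        now = self.clock()
        cached = self.cache.get(name)
        if cached and cached[1] > now:
            return cached[0], "hit"
        try:
            rrset, ttl = self.lookup(name)
        except UpstreamUnavailable:
            if cached and now - cached[1] <= self.max_stale:
                return cached[0], "stale"   # answer from history rather than SERVFAIL
            raise                           # nothing cached, or cached for too long
        self.cache[name] = (rrset, now + ttl)
        return rrset, "refreshed"


class FakeAuthoritative:
    """Stand-in for the authoritative servers at Dyn, with a switch for the DDoS."""

    def __init__(self, zone):
        self.zone = zone
        self.up = True

    def __call__(self, name):
        if not self.up:
            raise UpstreamUnavailable(name)
        return self.zone[name]


class FakeClock:
    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def simulate():
    """Replay the Dyn scenario and return the status of each resolution in order."""
    zone = {"twitter.com": (["192.0.2.1"], 300)}          # constructed record, 5-minute TTL
    auth = FakeAuthoritative(zone)
    clock = FakeClock()
    cache = ServeStaleCache(auth, max_stale=3600, clock=clock)
    seen = []
    seen.append(cache.resolve("twitter.com")[1])            # first query: goes upstream
    clock.advance(60)
    seen.append(cache.resolve("twitter.com")[1])            # inside TTL: served from cache
    auth.up = False                                         # the flood starts
    clock.advance(600)
    seen.append(cache.resolve("twitter.com")[1])            # expired, upstream down: stale
    clock.advance(7200)                                     # past max_stale
    try:
        cache.resolve("twitter.com")
        seen.append("unexpected")
    except UpstreamUnavailable:
        seen.append("servfail")
    return seen


if __name__ == "__main__":
    print(simulate())
```

The limit on staleness is the security trade-off: a record served long after its owner changed it is a stale pointer an attacker could take advantage of, so the window should be bounded, and a name that was never cached gets no protection at all. That is also why the attack hurt: resolvers without a cached copy, or without a serve-stale policy, had nothing to fall back on.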
BrickerBot : Response to IoT-based DDoS attacks
• Author: "the Janitor"
• Vigilante worm that destroys insecure IoT devices, described by its author as "Internet Chemotherapy"
• Destroys low-security devices running the Linux package BusyBox which have telnet-based interfaces with default passwords.
Enterprise IoT
NOT an IoT attack after all...
IoT: Medical
Internet of Things (IoT) in the Enterprise
• does not introduce "new" security problems
• raises the stakes: medical devices, traffic control systems; IoT brings the need for security into daily life
Manufacturing:
German Smelter 2014
December 2014 – Attack on German Smelter
German Smelter Attack
What is known:
• Phishing attack
• Malware
• Access to the ICS system (the diagram shows cloud systems on the path)
• Shutdown commands
• Damaged smelter
Electric Utilities:
Ukraine 2015
Ukraine Power Grid Incident
BlackEnergy & KillDisk
Ukraine Grid Attack – Chronology of Events
1. Spear phishing to gain business network access
2. Theft of credentials
3. Remote operation of ICS systems
4. KillDisk to erase the MBR and delete targeted logs
The Target ICS Infrastructure – Iran's Natanz Nuclear Facilities
(Diagram of the target: Step 7 control software running on Windows on the supervisory network; the Cascade Protection System (CPS) controller, a Siemens S7-417, connected over Profibus to the stage exhaust valve, the isolation valve and the pressure sensor; and the CDS controller, a Siemens S7-315, with its communication processor.)
What was so special about Stuxnet?
• Ability to inject code into the PLC
• Hide from control system operators
• Remotely controlled by C&C or act autonomously
Agenda
Cisco IoT Threat Defense Components
Visibility & Analysis
• Stealthwatch: visibility of connections and relationships
• ISE: device / user identity
• NGFW: application activity
• AMP: endpoint activity
Segmented Access Control
• FP NGFW: segment IT and OT environments
• TrustSec: segment OT devices in the IT network
• ISE: align access with users / device
• Switches: dynamic segmentation enforcement
Access to the Manufacturing Floor – Cisco ISE
(Diagram: Cisco ISE combines network and partner context data (Who, What, Where, When, How) into a consistent secure access policy.)
Profiling
• What ISE Profiling is:
• Dynamic classification of every device that connects to the network, using the infrastructure as the sensor.
• Provides the context of "What" is connected, independent of user identity, for use in access policy decisions
(Diagram: endpoints split into PCs and non-PCs such as UPS, phone, printer, AP and infrastructure devices.)
How we profile?
• Collection: probes such as NMAP, AD and NetFlow
• Classification: the collected attributes are matched against device profiles
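To make the collection/classification split concrete, here is an added Python example (not Cisco's code and not how ISE is implemented internally) of a profiler in the style the slide describes: each probe contributes attributes, each profile is a list of weighted conditions, and an endpoint is assigned the profile whose minimum certainty it reaches. The profiles, weights, OUI, ports and the four sample endpoints are assumptions constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Condition:
    attribute: str   # collected attribute: "oui", "open_ports", "snmp_sysdescr", ...
    match: str       # "equals" (whole value) or "contains" (substring or set membership)
    value: str
    certainty: int   # weight this condition contributes when it is true


@dataclass
class Profile:
    name: str
    min_certainty: int   # an endpoint must reach this score to be assigned the profile
    conditions: list


def score(profile: Profile, attrs: dict) -> int:
    """Sum the certainty of every condition the collected attributes satisfy."""
    total = 0
    for cond in profile.conditions:
        observed = attrs.get(cond.attribute)
        if observed is None:
            continue  # the probe that collects this attribute has not reported yet
        if cond.match == "equals" and observed == cond.value:
            total += cond.certainty
        elif cond.match == "contains" and cond.value in observed:
            total += cond.certainty
    return total


def classify(attrs: dict, profiles: list) -> tuple:
    """Return (name, score) of the highest-scoring profile whose minimum certainty
    is met, or ("Unknown", 0) when no profile qualifies."""
    best = ("Unknown", 0)
    for profile in profiles:
        s = score(profile, attrs)
        if s >= profile.min_certainty and s > best[1]:
            best = (profile.name, s)
    return best


def profile_all(endpoints: dict, profiles: list) -> dict:
    """Map every endpoint id to its assigned profile name."""
    return {ep: classify(attrs, profiles)[0] for ep, attrs in endpoints.items()}


# Assumed profiles; the OUI and port numbers are illustrative, not vendor documentation.
PROFILES = [
    Profile("Rockwell-Device", 40, [
        Condition("oui", "equals", "00:00:BC", 30),            # assumed Rockwell OUI
        Condition("open_ports", "contains", "44818", 30),      # EtherNet/IP explicit messaging
        Condition("dhcp_class_id", "contains", "Rockwell", 20),
    ]),
    Profile("Printer", 40, [
        Condition("open_ports", "contains", "9100", 20),       # raw print port
        Condition("snmp_sysdescr", "contains", "JetDirect", 30),
    ]),
    Profile("UPS", 30, [
        Condition("snmp_sysdescr", "contains", "APC", 30),
        Condition("open_ports", "contains", "161", 10),
    ]),
]

# Constructed endpoint attributes, as the OUI, NMAP, DHCP and SNMP probes would report them.
ENDPOINTS = {
    "plc-1":  {"oui": "00:00:BC", "open_ports": {"44818", "80"}},
    "prn-7":  {"open_ports": {"9100", "80", "161"}, "snmp_sysdescr": "HP JetDirect"},
    "ups-2":  {"open_ports": {"161"}, "snmp_sysdescr": "APC Web/SNMP Management Card"},
    "host-x": {"oui": "AA:BB:CC", "open_ports": {"22"}},
}

if __name__ == "__main__":
    for endpoint, name in profile_all(ENDPOINTS, PROFILES).items():
        print(endpoint, "->", name)
```

Two properties of this scheme matter for policy. First, an endpoint stays Unknown until enough probes have reported (a PLC seen only by its OUI scores 30 here, below the 40 needed), so access rules keyed on a profile should fail closed for Unknown rather than open. Second, every attribute here is something the endpoint itself presents, and a MAC address or DHCP option is trivial to spoof, which is the MAB/MAC-spoofing risk listed on the threats slide: profiling supplies context, not authentication.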
Cisco IoT System Network Connectivity
IoT Network: IE switches, IR routers, ISE
• Industrial switching: IE 2000, IE 3000, CGS2000
• Industrial routing: IR 809, IR 829 (high performance, H/W accelerated VPN)
• Portfolio-wide consistent policy enforcement
Network Visibility and Enforcement
• Industrial Network Director discovers industrial assets using the CIP, PROFINET, Modbus and BACnet protocols and visualizes connectivity between automation and networking assets
• Identity Services Engine receives that asset context over pxGrid and builds it into the access decision, for example:
  Who: Bob
  What: Rockwell PLC
  When: 11:00 AM EST on April 10th
  Where: Extrusion, Zone-2, Cell-1
  How: Wired Access
  Compliance: Yes
  Threat: None
  Vulnerability: CVSS score of 6
Policy and Segmentation with TrustSec
• Regardless of topology or location, policy (Security Group Tag) stays with users, devices, and servers
(Diagram: tags such as Data, Lights, Guest and HVAC are assigned at the access layer and enforced at the aggregation layer and the firewall.)
Visibility through NetFlow
(Diagram: Network as a Sensor; switches and routers export flow records, e.g. for the conversation between 172.168.134.2 and 10.1.8.3.)
Cisco Stealthwatch
System Overview
• NetFlow-capable devices export NetFlow / NBAR / NSEL records directly to the StealthWatch FlowCollector
• Non-NetFlow-capable devices are covered by a SPAN to a Stealthwatch FlowSensor, which generates NetFlow on their behalf
• The FlowCollector collects and analyzes: up to 4,000 sources, up to 240,000 FPS sustained
Cisco AMP – Advanced Malware Protection
AMP Everywhere: See Once, Protect Everywhere
(Diagram: visibility and threat intelligence shared across endpoints, the network and the web.)
Cisco Umbrella
Visibility on Any Device, Anywhere
CHALLENGES
• Multiple Internet Service Providers
• Direct-to-Internet Branch Offices
• Users Forget to Always Turn VPN On
• Different DNS Log Formats
BENEFITS
• Global Internet Activity Visibility
• Network Security w/o Adding Latency
• Consistent Policy Enforcement
• Internet-Wide Cloud App Visibility
IT/OT Converged Security Model
Enterprise Network (Levels 4–5), facing the Internet
• Cloud-based threat protection
• Network-wide policy enforcement
• Access control (application-level)
• Web apps, DNS, FTP
Demilitarized Zone (Level 3.5)
• Firewall (active) and firewall (standby) with a Gbps link for failover
• Next-generation firewall with detection and intrusion prevention (IPS)
• VPN & remote access services
• Patch management
• Terminal services
• Application mirror
• AV server
Q&A
Final thoughts
There is not one Internet of Things, there are
many
As always, for security, it starts with
designing the right policies & processes
Related sessions
• BRKSEC-2339 - How IoT Threat Defense is protecting the promise of the IoT
• Mustafa Mustafa, IoT Security Technical Marketing Engineer , Cisco
• PSOSEC-4377- IoT Threat Defense and Ransomware Defense - Two solutions
that address critical business concerns
• Albert Salazar, Director Enterprise Solutions, Cisco
• BRKIOT-2111 - Power Utilities Energy Automation Design Session
• Paulo Pereira, Consulting Systems Engineer, Cisco
Cisco Spark
Questions?
Use Cisco Spark to communicate
with the speaker after the session
Complete Your Online Session Evaluation
• Please complete your online session evaluations after each session
• Complete 4 session evaluations & the overall conference evaluation (available from Thursday) to receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations
Don't forget: Cisco Live sessions will be available for viewing on-demand after the event at www.ciscolive.com/global/on-demand-library/.
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Tech Circle
• Meet the Engineer 1:1 meetings
• Related sessions
Thank you