
IT Security and OT Security

Understanding the Challenges


Security Maturity Evolution in Industrial Control

[Figure: timeline chart, vertical axis "Technology Sophistication", horizontal axis 2003 to 2012. Each stage adds to the previous one; the recoverable labels are:]

2003 – "Locks on the Door"
– Firewalls
– Business connectivity
– Industrial protocols

2005 – "Alarm Sensors"
– Intrusion Detection, network based and host based
– Known Bad signatures

2007 – "Flight recorder"
– Event Monitor, Central Logging
– Monitor and respond; alert on events of interest
– Log everything and apply forensics

2009 – "System locked down"
– Intrusion Prevention, network based and host based
– Deep packet inspection
– Known Bad signatures, Known Good signatures, whitelisting
– System hardening, Incident Management

2012 – "Doing it and Proving you are doing it"
– Security Management: automates manual processes; enforces policy, process and procedures
– Leverages "baselines"; manages changes
– Audit reporting, continuous assessments, attestation data

5/4/2012 # 2
© 2012 ABB


IT Drivers vs. OT Drivers

[Figure: diagram contrasting the drivers of Enterprise IT with those of Automation Systems (OT); only the two labels survived extraction]
Control Systems Have Unique Architectures

What Needs To Be Protected and Monitored?
• Servers
• HMIs
• Control System Networks
• Network Devices
• PLCs, IEDs, RTUs

Device Interfaces and Communications
• Event / log collection
• Configuration and patch data collection
• IDS / IPS
• Remote access controls

[Figure: architecture diagram showing servers (PCS, SCADA, ...), firewalls and hardened networking devices, workstations and HMI stations, and automation system devices (IEDs, sensors, controllers)]
Is Automation Systems Security Really Unique?

| Corporate IT | Automation Systems IT |
|---|---|
| Not life threatening | Safety first |
| Availability important | Non-interruption is critical |
| Transactional orientation | Real-time focus |
| IBM, SAP, Oracle, ... | ABB, Emerson, GE, Honeywell, Siemens, ... |
| People ~= Devices | Few people; many, many devices |
| PCs and Servers | Sensors, Controllers, Servers |
| Web services model is dominant | Polled automation control model |
| MS Windows is dominant OS | Vendor-embedded operating systems |
| Many commercial software products installed on each PC | Purpose-specific devices and applications |
| Protocol is primarily HTTP/HTTPS over TCP/IP; widely known | Many industrial protocols, some over TCP/IP; vendor and sector-specific |
| Office environment, plus mobile | Harsh operating plant environments |
| Cross-industry IT jargon | Industry sector-specific jargon |
| Cross-industry regulations (mostly) | Industry-specific regulations |
IT/Data Center Environment

• Dedicated Specialists
- Desktop
- Database
- Network
- Security

• Dedicated Tools
- Desktop Management
- Database Management
- Network Management
- Security Monitoring

Operations Technology (OT) Environment

• OT Specialists
– Dedicated application specialists
– Manage the control network and the control systems
– Generalists across IT disciplines, not specialists in any one of them
• OT Tools
– Diagnostic tools are usually supplied by the control system vendor
– Control system tools are application centric
– Network, security, database and desktop support tools are not available or not present
– Learning four or five separate IT tools to manage the environment is not practical

Unique Challenge: 15+ Year Service Life of Control Systems

• Legacy Systems Create Unique Challenges
– Operating systems no longer supported by the manufacturer
• Windows NT
• Older Unix systems such as AIX or Solaris

• Limited Network Bandwidth
– Older networks will be adversely affected by some standard IT monitoring technologies (active scans and frequent agent polling can saturate the link or crash older controllers)

• Look For:
– Security technologies that support legacy systems
– Technologies that need only limited network bandwidth for reporting and monitoring (passive collection on a tap or SPAN port rather than active probing of the devices)

Unique Challenge: Industrial Controls Environment

• Industrial Protocols Within Control System Networks
– Modbus
– DNP3

• Industrial End Point Devices
– Programmable Logic Controllers (PLCs)
– Intelligent Electronic Devices (IEDs)
– Remote Terminal Units (RTUs)

• Look For:
– Technologies that support network monitoring of industrial protocols via purpose-built signatures for those protocols (generic IT signatures do not understand a Modbus write or a DNP3 control operation)
– Technologies that can monitor the configurations of industrial end point devices
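The following is an added example of what a "purpose-built signature" for an industrial protocol looks like in practice; it is not code from the original slides or from ABB. It parses Modbus/TCP frames as they would be seen on a tap or SPAN port (nothing is sent to the devices, so the legacy-network bandwidth constraint above is respected) and raises alerts for write requests from hosts other than the SCADA master, writes into a protected setpoint range, diagnostic or management functions, and malformed frames. The master address, the protected register range and the sample frames are all constructed assumptions.

```python
"""Passive Modbus/TCP monitor with purpose-built signatures (added example,
not ABB's code). Frames, addresses and the site policy are constructed."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Public Modbus function codes (Modbus Application Protocol Specification)
FC_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    8: "Diagnostics", 15: "Write Multiple Coils", 16: "Write Multiple Registers",
    43: "Encapsulated Interface Transport",
}
WRITE_FCS = {5, 6, 15, 16}
MGMT_FCS = {8, 43}                            # state-changing / device-identification
ADDRESSED_FCS = {1, 2, 3, 4, 5, 6, 15, 16}   # PDUs whose first field is a 16-bit address

# Site policy (assumed for this example): the only host allowed to write,
# and the holding-register range that holds protected setpoints.
ALLOWED_MASTERS = {"10.10.1.10"}
PROTECTED_RANGES = [(100, 119)]


@dataclass
class ModbusRequest:
    src: str
    dst: str
    transaction_id: int
    unit_id: int
    function_code: int
    address: Optional[int]   # starting address when the PDU carries one
    pdu: bytes               # function code + data


def parse_modbus_tcp(src: str, dst: str, data: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP ADU (7-byte MBAP header followed by the PDU)."""
    if len(data) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack("!HHHB", data[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol identifier {proto}")
    if length != len(data) - 6:          # MBAP length counts unit id + PDU
        raise ValueError(f"MBAP length {length} does not match {len(data) - 6} bytes seen")
    fc, pdu = data[7], data[7:]
    address = None
    if fc in ADDRESSED_FCS and len(pdu) >= 3:
        address = struct.unpack("!H", pdu[1:3])[0]
    return ModbusRequest(src, dst, tid, unit, fc, address, pdu)


def evaluate(req: ModbusRequest) -> List[str]:
    """Apply the signature rules to one parsed frame; returns alert strings."""
    alerts = []
    name = FC_NAMES.get(req.function_code, f"FC {req.function_code}")
    where = f"{req.src} -> {req.dst} unit {req.unit_id}"
    if req.function_code >= 0x80:        # device answered with an exception
        alerts.append(f"exception response {req.function_code:#x}: {where}")
    if req.function_code in WRITE_FCS and req.src not in ALLOWED_MASTERS:
        alerts.append(f"unauthorised write: {where} {name} addr {req.address}")
    if req.function_code in WRITE_FCS and req.address is not None and any(
            lo <= req.address <= hi for lo, hi in PROTECTED_RANGES):
        alerts.append(f"write to protected setpoint: {where} {name} addr {req.address}")
    if req.function_code in MGMT_FCS:
        alerts.append(f"management function: {where} {name}")
    return alerts


def monitor(frames: List[Tuple[str, str, bytes]]) -> List[str]:
    """Run (src, dst, raw ADU) tuples through parser and rules."""
    alerts = []
    for src, dst, data in frames:
        try:
            req = parse_modbus_tcp(src, dst, data)
        except ValueError as exc:
            alerts.append(f"malformed Modbus/TCP frame from {src}: {exc}")
            continue
        alerts.extend(evaluate(req))
    return alerts


def build_request(tid: int, unit: int, fc: int, *fields: int) -> bytes:
    """Build a request ADU from 16-bit fields (used only to construct samples)."""
    pdu = bytes([fc]) + b"".join(struct.pack("!H", f) for f in fields)
    return struct.pack("!HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample traffic: a legitimate poll, a rogue setpoint write,
# a diagnostics call from the master, and a truncated frame.
SAMPLE_FRAMES = [
    ("10.10.1.10", "10.10.2.20", build_request(1, 1, 3, 0, 10)),        # read 10 regs at 0
    ("10.10.5.77", "10.10.2.20", build_request(2, 1, 6, 105, 0x1234)),  # write register 105
    ("10.10.1.10", "10.10.2.20", build_request(3, 1, 8, 1, 0)),         # diagnostics
    ("10.10.5.77", "10.10.2.20", b"\x00\x04\x00\x00\x00\x09\x01\x10\x00"),  # truncated
]

if __name__ == "__main__":
    for alert in monitor(SAMPLE_FRAMES):
        print("ALERT", alert)
```

Against the constructed frames the rogue host produces two alerts for a single write (unauthorised source and protected address), the master's diagnostics call is flagged as a management function so that a change of communication state is at least visible, and the truncated frame is reported rather than silently dropped. The same structure applies to DNP3, where the interesting events are the control-relay and file-transfer functions rather than Modbus writes.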

Recommended OT Security Deployment

• Network Segment Monitoring
– Network intrusion monitoring, including industrial protocols

• Monitoring of Servers
– Syslog
– Embedded agents

• Monitoring of Workstations
– Syslog
– Embedded agents

• Perimeter Firewalls
• Anti-Virus / Anti-Malware
– Blacklist (signature based)
– Whitelist (application based)

• Configuration Management
– Monitoring and baselines of configuration changes
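The configuration-management bullet above, and the "monitor configurations of industrial end point devices" item on the previous slide, both come down to the same mechanism: take a baseline of every device's configuration, fingerprint it, and alert on drift. The block below is an added illustration of that mechanism, not ABB's or any vendor's code. It normalises exported configuration text (dropping lines that legitimately change on every export, such as timestamps), keeps a SHA-256 fingerprint per device as the baseline, and on each collection reports drift with the changed lines, devices that are new, and devices that went missing. Only the fingerprint needs to cross a low-bandwidth link; the full text is compared only when the fingerprint differs. The device names, the volatile-line pattern and the configuration text are constructed samples.

```python
"""Configuration baselining and change detection for OT endpoints
(added example, not ABB's code; device names and configs are constructed)."""
import difflib
import hashlib
import re
from typing import Dict, List, Tuple

# Lines that change on every export and must not count as drift
# (assumed pattern; extend per vendor export format).
VOLATILE = re.compile(r"^\s*!?\s*(Last configuration change|uptime)\b", re.IGNORECASE)


def normalise(config: str) -> str:
    """Strip trailing whitespace, blank lines and volatile lines."""
    kept = [ln.rstrip() for ln in config.splitlines()]
    return "\n".join(ln for ln in kept if ln and not VOLATILE.match(ln))


def fingerprint(config: str) -> str:
    """Stable SHA-256 over the normalised text; this is all that gets reported."""
    return hashlib.sha256(normalise(config).encode("utf-8")).hexdigest()


def build_baseline(configs: Dict[str, str]) -> Dict[str, str]:
    """device name -> fingerprint of the approved configuration."""
    return {dev: fingerprint(cfg) for dev, cfg in configs.items()}


def config_diff(old: str, new: str) -> List[str]:
    """Only the added/removed lines, without unified-diff file headers."""
    lines = difflib.unified_diff(normalise(old).splitlines(),
                                 normalise(new).splitlines(), lineterm="", n=0)
    return [ln for ln in lines
            if ln[:1] in ("+", "-") and not ln.startswith(("---", "+++"))]


def check(baseline: Dict[str, str], baseline_configs: Dict[str, str],
          current: Dict[str, str]) -> List[Tuple[str, str, List[str]]]:
    """Compare a fresh collection against the baseline.

    Returns (device, finding, diff lines) tuples; an empty list means no drift.
    """
    findings = []
    for dev, cfg in current.items():
        if dev not in baseline:
            findings.append((dev, "new device not in baseline", []))
        elif fingerprint(cfg) != baseline[dev]:
            findings.append((dev, "configuration drift",
                             config_diff(baseline_configs[dev], cfg)))
    for dev in baseline:
        if dev not in current:
            findings.append((dev, "device missing from collection", []))
    return findings


# Constructed sample exports. The timestamp line changes on every export and
# must be ignored; the switch gained a default route; rtu-07 is new.
BASELINE_CONFIGS = {
    "plc-01": ("! Last configuration change at 2012-05-04 08:00\n"
               "setpoint boiler_pressure 42\nsetpoint drum_level 55\n"),
    "sw-ems-a": ("! Last configuration change at 2012-05-04 08:00\n"
                 "hostname sw-ems-a\ninterface Gi0/1\n description HMI-1\n"
                 " switchport access vlan 10\n"),
}
CURRENT_CONFIGS = {
    "plc-01": ("! Last configuration change at 2012-05-11 02:13\n"
               "setpoint boiler_pressure 42\nsetpoint drum_level 55\n"),
    "sw-ems-a": ("! Last configuration change at 2012-05-11 02:13\n"
                 "hostname sw-ems-a\ninterface Gi0/1\n description HMI-1\n"
                 " switchport access vlan 10\n"
                 "ip route 0.0.0.0 0.0.0.0 10.10.99.1\n"),
    "rtu-07": "setpoint feeder_trip 1200\n",
}
BASELINE = build_baseline(BASELINE_CONFIGS)

if __name__ == "__main__":
    for dev, finding, diff in check(BASELINE, BASELINE_CONFIGS, CURRENT_CONFIGS):
        print(f"{dev}: {finding}")
        for ln in diff:
            print("   ", ln)
```

The normalisation step is what keeps the baseline useful on a plant network: without it every export would differ in its timestamp line and the alerts would be ignored within a week. The baseline itself should be stored somewhere the devices cannot write to, and re-approved through change management rather than silently refreshed after every collection.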

Generation Plant Security Deployment

[Figure: generation plant security deployment diagram; no text survived extraction]

Example SCADA Management System

[Figure: rack and network diagram of an example SCADA management system. Recoverable labels:
– Security components (legend "ID"): HIPS, NIDS, ESP, SEM; RSA Two Factor Appliances on the EMS and RTU LANs; Host Intrusion Detection/Prevention (HA, primary)
– Networks: SCADA, EMS LAN A / B, RTU LAN A / B, DMZ LAN A / B, Corporate WAN; Backup Control System; routers provided by RRI
– Servers and stations: SCADA Servers, Domain Controller, Oracle Servers, UDW Servers, Historian / PC Apps Servers, CNP / ICCP Servers, Thin Client Server, HMI Workstation with 4 monitors, PCI Expansion Units with ICP cards and a 16-port breakout panel, Modem Share Panel with customer-provided modems to the customer RTU, Satellite Clock, link to QAD PCU 400 servers
– Hardware: HP ProLiant DL380 G5 / DL380R06 servers, HP StorageWorks MSL2024 tape library, Cisco Catalyst 2948G-L3 and WS-C3560G-48TS switches, HP ProCurve 600 RPS/EPS (J8168A)]
Development of Secure Products

• Role-Based Access Control
– Functions and data
– Prevent database changes that produce system failures
– Prevent more than one operator from controlling a single point simultaneously

• Encryption and Communications

• Audit Trail
– History of each user's access to objects, attributes, data, displays, production areas and controls

• Vulnerability Testing
– Independent, unbiased

• Installation Best Practices and Guidelines
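The three role-based access control bullets and the audit trail bullet describe one access-control design: every function call is checked against the caller's role, a control point has at most one operator in control at a time, writes are validated against the point database so that a bad value cannot be committed, and every attempt, allowed or denied, is recorded against the user. The block below is an added illustration of that design in a small in-memory model; it is not ABB product code, and the roles, users, point name and engineering limits are assumed for the example.

```python
"""RBAC, exclusive point control and audit trail (added example, not ABB's
product code; roles, users and points are assumed)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Role -> functions the role may call (assumed site policy)
ROLE_PERMISSIONS = {
    "viewer":   {"read_point"},
    "operator": {"read_point", "acquire_control", "release_control", "write_setpoint"},
    "engineer": {"read_point", "acquire_control", "release_control",
                 "write_setpoint", "edit_database"},
}


@dataclass(frozen=True)
class AuditEvent:
    seq: int
    user: str
    action: str
    target: str
    result: str          # "ok" or "denied: <reason>"


class ControlSystem:
    def __init__(self, users: Dict[str, str]):
        self.users = users                                 # user -> role
        self.limits: Dict[str, Tuple[float, float]] = {}   # point -> (low, high)
        self.values: Dict[str, float] = {}
        self.controllers: Dict[str, str] = {}              # point -> user in control
        self.audit: List[AuditEvent] = []

    def _log(self, user: str, action: str, target: str, result: str) -> bool:
        """Every attempt is recorded; returns True only for an allowed action."""
        self.audit.append(AuditEvent(len(self.audit) + 1, user, action, target, result))
        return result == "ok"

    def audit_for(self, user: str) -> List[AuditEvent]:
        return [e for e in self.audit if e.user == user]

    def _permitted(self, user: str, action: str, target: str) -> bool:
        role = self.users.get(user)
        if role is None or action not in ROLE_PERMISSIONS.get(role, set()):
            return self._log(user, action, target, "denied: role lacks permission")
        return True

    def edit_database(self, user: str, point: str, low: float, high: float) -> bool:
        """Engineers define a point and its limits; rejects nonsensical limits."""
        if not self._permitted(user, "edit_database", point):
            return False
        if low >= high:
            return self._log(user, "edit_database", point, "denied: invalid limits")
        self.limits[point] = (low, high)
        self.values.setdefault(point, low)
        return self._log(user, "edit_database", point, "ok")

    def acquire_control(self, user: str, point: str) -> bool:
        """Only one operator may hold control of a point at a time."""
        if not self._permitted(user, "acquire_control", point):
            return False
        holder = self.controllers.get(point)
        if holder is not None and holder != user:
            return self._log(user, "acquire_control", point, f"denied: held by {holder}")
        self.controllers[point] = user
        return self._log(user, "acquire_control", point, "ok")

    def release_control(self, user: str, point: str) -> bool:
        if not self._permitted(user, "release_control", point):
            return False
        if self.controllers.get(point) != user:
            return self._log(user, "release_control", point, "denied: not the holder")
        del self.controllers[point]
        return self._log(user, "release_control", point, "ok")

    def write_setpoint(self, user: str, point: str, value: float) -> bool:
        """Requires role, held control, a known point and a value within limits."""
        if not self._permitted(user, "write_setpoint", point):
            return False
        if point not in self.limits:
            return self._log(user, "write_setpoint", point, "denied: unknown point")
        if self.controllers.get(point) != user:
            return self._log(user, "write_setpoint", point, "denied: caller not in control")
        low, high = self.limits[point]
        if not low <= value <= high:
            return self._log(user, "write_setpoint", point,
                             f"denied: {value} outside [{low}, {high}]")
        self.values[point] = value
        return self._log(user, "write_setpoint", point, "ok")

    def read_point(self, user: str, point: str) -> Optional[float]:
        if not self._permitted(user, "read_point", point):
            return None
        self._log(user, "read_point", point, "ok")
        return self.values.get(point)


def demo() -> ControlSystem:
    """Walk the rules with assumed users; returns the system for inspection."""
    cs = ControlSystem({"alice": "operator", "bob": "operator",
                        "carol": "viewer", "dave": "engineer"})
    cs.edit_database("dave", "BLR1.PRESS_SP", 0.0, 100.0)     # ok
    cs.edit_database("alice", "BLR1.PRESS_SP", 0.0, 500.0)    # denied: operator role
    cs.acquire_control("alice", "BLR1.PRESS_SP")              # ok
    cs.acquire_control("bob", "BLR1.PRESS_SP")                # denied: alice holds it
    cs.write_setpoint("bob", "BLR1.PRESS_SP", 60.0)           # denied: not in control
    cs.write_setpoint("alice", "BLR1.PRESS_SP", 150.0)        # denied: outside limits
    cs.write_setpoint("alice", "BLR1.PRESS_SP", 60.0)         # ok
    cs.release_control("alice", "BLR1.PRESS_SP")              # ok
    cs.acquire_control("carol", "BLR1.PRESS_SP")              # denied: viewer role
    return cs
```

Two points carry over directly to a real product. Denials are logged with the same detail as successes, because a run of "denied: held by alice" entries against a second account is exactly the pattern an incident responder needs to see. And the limit check sits in the write path rather than in the HMI, so a write that bypasses the display (a script, a replayed protocol message) is still refused by the database layer.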

Cyber Security Project Execution

Planning (communicate and agree)
– Functional Design Specification
– Security Policy
– Network Topology Drawings
– Upgrades and Testing

Deployment and Commissioning (secure the system and make it available)
– Installation and Hardening Guideline
– Remote Access and File Transfer
– Networks and Interfaces
– Group Policy and Organizational Units

Operation (operation starts on day one)
– Computer and User Administration
– Backup and Recovery
– Patch and Rollup Management

Summary

• OT Has Unique Operating Environments
– Legacy systems
– Industrial systems and endpoints

• OT Has Unique Threats

• OT Has Limited Tools and Resources

• Look For:
– Tools that are specialized for OT
– Tools that have been developed with security as a requirement
– Tools that have been tested by control system vendors
– Tools that are purpose built for OT professionals
– Proven methods for developing and deploying secure SCADA solutions
