Cybersecurity on IoT
IoT Regional Forum / São Paulo
Bruno Mariath Zeidan, CCIE#6646
IoT Solutions Executive, Latin America
[email protected]
16 June 2016
Cisco Confidential
© 2013-2014 Cisco and/or its affiliates. All rights reserved.

• Introduction
• Current security challenges in the industrial environment
• Effective strategies for managing security in industrial networks
• Demonstration: Cisco threat management platform for industrial environments
Quiz: What is the best strategy for protecting an industrial network?
a) "Air gap" (physical separation between the networks)?
b) Put it in a concrete bunker at least 2 m thick, 15 metres underground, surrounded by Israeli military forces, and operated by Tibetan monks following German instructions?
c) None of the above.
The reality of industrial networks today…
• Remote access to automation networks (PCN) is a reality, whether for operational efficiency or business need (e.g. BI)
• Direct or indirect connectivity to the Internet
• Shift from proprietary solutions to off-the-shelf products
• Adoption of IT technologies: Windows/Intel; TCP/IP and Web; wireless connectivity
• Vulnerable control devices and protocols
• Limited security knowledge
• Focus on availability and reliability at the expense of security
Breaking News!
Yet another malware targeting industrial systems
Published 2 June 2016
Sources:
http://thehackernews.com/2016/06/irongate-stuxnet-malware.html
http://securityintelligence.com/news/new-ics-malware-irongate-channels-stuxnet-to-scam-scada-systems/
Security incidents in process control systems

Source: Repository of Industrial Security Incidents, 2011
(chart: intentional 20%, unintentional 80%)
• Represents a global data set from critical infrastructure asset owners
• 103 total cyber incidents reported from industrial companies
• 20% of incidents intentional attacks – 50% from outside
• 80% unintended disruptions – 50% from device failures
• Vast majority of reported cyber incidents accidental in nature

Source: DHS Security Cyber Incident Report 2013
• Information specific to US critical infrastructure sectors
• October 2012 – May 2013
• ~2019 total cyber incidents reported to DHS for response
• 111 (53%) of incidents from energy asset owners (O&G, Power)
• 2010: 41 incidents reported (18 from Energy sector)
• Clear upward trend in cyber incidents in Energy sector
• Primary threat was non-intentional malware through USB media
Challenges
• The cost of compliance and security for operations is too high
• Large-scale standardization is needed, but the resources and manpower to implement it are scarce
• Visibility and control are low; security teams are "flying by instruments" with no information about the environments
• Security controls and solutions are hard to implement and maintain
• Risk of recurring and costly problems without adequate forensic analysis tools
• Automation vendors require access to the systems through third-party/proprietary tools
Defense strategies
Cisco's view

OLD PARADIGM
Integration of IT security solutions: ineffective in addressing the ICS-specific challenges, not cost-effective
Perimeter security: the perimeter is too porous, with no real detection capabilities within the perimeter

NEW PARADIGM
Creation of platforms specific to the industrial (ICS) environment
• Leverage characteristics of ICS networks for effective security and operational benefits
• Integrate security as part of the operations
• Dramatically enhance visibility into ICS networks
Pervasive security (post-perimeter era)
• Introduce a new security paradigm for ICS
• Improve availability and security by truly understanding native ICS networks
NATIVE SECURITY FABRIC
Security strategy for automation systems
(diagram: Industrial Security lifecycle, not reproduced; recoverable labels listed below)
Addresses the most significant attack vectors within Industrial Automation Systems by establishing required controls associated with best-of-breed security practices.
Phases: Before (Organize, Harden), During (Defend, Detect), After (Respond); lifecycle stages PLAN, BUILD, RUN, MONITOR, MANAGE.
Controls shown: Security Policy; Process Inventory; Asset Inventory & Management; Assessments; Network Segmentation; Secure Storage; PCN Access & Control; IPS / Signatures; Anti-virus; White & Blacklisting; System Patches; Portable Media Security; Encryption; Industrial Wireless; Virtualization; Physical Security; Change Management; Education & Awareness; Dashboards & Reporting; Security Log Collection and Management; KPIs and Analytics; Threat Defense; Proactive Monitoring; Security Monitoring; Anomaly Detection; Malware Detection; Intrusion Detection; Location Awareness; Incident Response; Disaster Recovery; Backup and Restore; Continuous Improvement.
The definitive solution for security and compliance management in the industrial environment
Secure Ops
Supported and embraced by ICS engineering partners
• Next-generation cyber security, risk management and compliance solution for critical infrastructure
• Designed to support implementation and maintenance of security controls
• Forms a foundational technology platform; provides a "building block" approach to implementing desired security controls
• Allows central leadership to understand risks and make informed investment decisions
Cisco Secure Ops solution
End-to-end security for OT environments
Delivers people, process and technology to solve OT security
• Passive asset discovery (both open and proprietary OT protocols) at Levels 1-3.5 (Purdue Model) – all OS types
• Secure access to ICS/SCADA networks and devices
• Centralized information repository for visualization, reporting and evidence collection
• Single pane of glass for cyber security, risk management, and compliance across all sites and assets
• Contextually aware anomaly detection of IP and non-IP protocols using deep packet inspection (including fieldbus)
Outcomes: E2E OT cyber security; risk management; system-wide compliance visibility & enforcement; increased system availability via SLOs
Verticals: Transportation, Oil and Gas, Defense, Manufacturing, Mining, Energy-Utility, City
Orderable now
Secure Ops: modular offering and operating model
Foundation building blocks:
• Security Intelligence & Response (monitoring/DPI, contextual awareness)
• Compliance Monitoring & Reporting (compliance to internal security policies)
• Secure Access (secure remote access for contractors/employees)
• Secure Distribution (AV, patching, etc.)
Implement and maintain requisite risk/security controls, depending on risks and vulnerabilities within the environment.
Baseline: Secure Ops Platform (Foundation) + Asset Discovery & Inventory
• Provide ongoing (continuous) visibility of the environment via asset discovery & inventory
• Support desk, people and process integration
• SLO/SLA measurement, tracking and reporting
Adjacent services:
• Security Assessment Services / Assessments: snapshot-in-time asset discovery and inventory; identify risks & vulnerabilities; quantify risk ($); make recommendations; residual risk ($)
• Security Optimization
Flexible commercial models: asset ownership; hosting; consumption models
IT/OT Converged Security Model
(architecture diagram, not reproduced; recoverable labels listed below)
Zones: Secure Ops SecureCenter (Data or Operations Centre; some services may reside outside of the I-DMZ depending on deployment choice), Secure Ops SecureSite (I-DMZ; DCS & Operational Business Systems, virtualized/non-virtualized), Secure Ops Satellite Site.
Components shown: AAA/TACACS; Active Directory; Identity Services; Internet; SCADA Application Servers; Remote Access; Remote Worker; Historian; MES; Terminal Server; Secure Ops Dashboard; Asset Management; Asset Inventory; Anti-Virus; Patching; Hypervisor; Log Collection; File Transfer Services; Anomaly Detection; Proactive Monitoring; Compliance Reporting; SIEM/SOC Integration Services; SourceFire; NOC Dashboard; Managed Services Operations Centre; Enterprise Voice/Data; Voice & Incident Response; Physical Security; Power Domain Monitoring Controller; Operator Workstations; Engineer Workstations; DCS; 3rd Party; Control Center(s) / Room(s).
Satellite site networks: Control Room Aggregation; Facility Operational Networks Aggregation; Wired Process Control; Wired Safety Critical; Wired Multiservice; Wireless; Operational Networks (HMI, Controller, Historian, IED, PLC, Motors & Drives, Metering, Remote I/O, Sensor (FieldBus), Instrumentation, Power Management, LM/LV Protection); Multiservice Networks (HMI, Controller, CCTV/Video, Access Control, PLC).
IT/OT Converged Security Model
(Purdue-model diagram with SIEM collection points at every level, not reproduced; recoverable labels listed below)
Levels 4-5 Enterprise / Core Networks: Internet; Operational Business Systems; Centralized Log Collection; Identity Services; Compliance Center
Level 3.5 DMZ: DMZ Domain Controller; Terminal Services; Historian; Remote Engineering via Secure TPA; Vendor Qualified Anti-Virus; Vendor Qualified Patching; Asset Inventory
Level 3 Site / Control Center: SCADA System Head-end; Manufacturing Execution System (MES); Distributed Control System (DCS); Operator & Engineer Workstations; Safety & Security Application Servers; PCN Domain Controller; Process Automation System Server; Process Historian / Distributed Historian
Level 2 Supervisory: Historian; HMI; Safety Systems; Printer; CCTV
Level 1 Control & Safety: Safety Controller; Process Controller; Legacy RTU; Power Controller; Access Control; RFID; Voice
Level 0 Instrumentation / Device: Sensor; Motor; Valve; Drive; Starter; Pump; Actuator; Breaker; Power Monitor; Power Room; Wireless Sensor; Mobile Worker; Fleet
Network types: Serial/Hardwired; Process Ethernet; Multiservice Ethernet; WAN; Wireless; Operational Telecoms - LAN/Field; Process Control & Safety Networks; Multiservice Networks
Asset Discovery and Inventory
(same Purdue-model diagram as above, not reproduced)
Passive discovery
• The solution passively reads traffic off a SPAN/mirror port, plus sensors on the fieldbus; covers both IP and serial networks
• Passive asset discovery on all assets at Levels 1-3 (Purdue Model) – all OS types
• Covers both open and proprietary ICS-specific protocols: DNP3, Ethernet/IP, CIP, OPC-UA, Modbus, IEC 61850, BACnet, ProfiBus, TCP/IP, SNMP, SSH, HTTP, telnet, ftp, SMB/CIFS, and others
• Attributes discovered in passive mode: MAC/physical address, IP (or equivalent ID for serial), name, OS, protocols, vendor, type of equipment
Active query
• Uses WMI and SNMP queries
• Any attribute that can be queried can be discovered, e.g. services running, software installed, patches installed, AV versions, etc. (list is customizable)
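The passive discovery described on this slide, as an added example that is not part of the deck or of Cisco's Secure Ops product: a small Python sensor that parses Ethernet/IPv4/TCP frames as a mirror port would deliver them, infers the protocol from well-known server ports, looks up the vendor from the MAC OUI, and raises the "new asset" and "IP conflict" events that the demo screens later in the deck refer to. Every frame, MAC and IP value, and the OUI table are constructed for the example; the port assignments are public, and UDP protocols such as SNMP are left out because the parser only handles TCP.

```python
"""Added example (not Cisco's Secure Ops code): passive asset discovery from
constructed Ethernet/IPv4/TCP frames, the way a SPAN/mirror-port sensor sees
them. Frames, addresses and the vendor table are constructed for this example."""
import struct
from dataclasses import dataclass, field

# Well-known TCP server ports for protocols the slide lists (public assignments).
PORT_PROTOCOLS = {
    502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP (CIP)",
    4840: "OPC-UA", 22: "SSH", 80: "HTTP", 23: "telnet", 21: "ftp",
    445: "SMB/CIFS",
}

# Illustrative OUI (first three MAC bytes) -> vendor table; a real sensor
# would carry the full IEEE registry.
OUI_VENDORS = {"00:00:bc": "Rockwell Automation", "00:1b:1b": "Siemens",
               "00:50:56": "VMware"}


@dataclass
class Asset:
    mac: str
    ip: str                 # first IP seen for this MAC
    vendor: str
    protocols: set = field(default_factory=set)


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_frame(frame: bytes):
    """Return (src_mac, dst_mac, src_ip, dst_ip, sport, dport) for an
    Ethernet II / IPv4 / TCP frame, or None for anything else."""
    if len(frame) < 14:
        return None
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:            # only IPv4 is handled here
        return None
    ip = frame[14:]
    if len(ip) < 20 or ip[9] != 6:     # full IPv4 header carrying TCP
        return None
    ihl = (ip[0] & 0x0F) * 4
    tcp = ip[ihl:]
    if len(tcp) < 4:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    src_ip = ".".join(map(str, ip[12:16]))
    dst_ip = ".".join(map(str, ip[16:20]))
    return _mac(src), _mac(dst), src_ip, dst_ip, sport, dport


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport) -> bytes:
    """Construct a minimal Ethernet/IPv4/TCP frame (sample input only)."""
    eth = (bytes.fromhex(dst_mac.replace(":", ""))
           + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00")
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         bytes(map(int, src_ip.split("."))),
                         bytes(map(int, dst_ip.split("."))))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
    return eth + ip_hdr + tcp_hdr


class PassiveInventory:
    """Learns assets from observed frames; never transmits anything."""

    def __init__(self):
        self.assets = {}          # mac -> Asset
        self.events = []          # (kind, detail)
        self._conflicts = set()   # (ip, mac_a, mac_b) already reported

    def observe(self, frame: bytes) -> None:
        parsed = parse_frame(frame)
        if parsed is None:
            return
        src_mac, dst_mac, src_ip, dst_ip, sport, dport = parsed
        # The well-known port on either side identifies the protocol.
        proto = PORT_PROTOCOLS.get(dport) or PORT_PROTOCOLS.get(sport)
        for mac, ip in ((src_mac, src_ip), (dst_mac, dst_ip)):
            self._learn(mac, ip, proto)

    def _learn(self, mac, ip, proto):
        asset = self.assets.get(mac)
        if asset is None:
            asset = Asset(mac, ip, OUI_VENDORS.get(mac[:8], "unknown"))
            self.assets[mac] = asset
            self.events.append(("new-asset", f"{mac} {ip} {asset.vendor}"))
        # IP conflict: the same IP claimed by two different MACs.
        for other in self.assets.values():
            key = (ip, *sorted((mac, other.mac)))
            if other.mac != mac and other.ip == ip and key not in self._conflicts:
                self._conflicts.add(key)
                self.events.append(("ip-conflict", f"{ip} seen from {mac} and {other.mac}"))
        if proto:
            asset.protocols.add(proto)


def run_demo() -> PassiveInventory:
    """Constructed traffic: an HMI and a data collector talk to a PLC, then a
    fourth device starts using the PLC's IP address."""
    inv = PassiveInventory()
    frames = [
        build_frame("00:1b:1b:11:22:33", "00:00:bc:aa:bb:cc",
                    "10.10.3.177", "10.10.3.161", 49152, 44818),  # HMI -> PLC
        build_frame("00:00:bc:aa:bb:cc", "00:1b:1b:11:22:33",
                    "10.10.3.161", "10.10.3.177", 44818, 49152),  # PLC reply
        build_frame("00:50:56:01:02:03", "00:00:bc:aa:bb:cc",
                    "10.10.3.50", "10.10.3.161", 40001, 502),     # Modbus poll
        build_frame("00:50:56:de:ad:01", "00:1b:1b:11:22:33",
                    "10.10.3.161", "10.10.3.177", 40002, 44818),  # claims PLC IP
    ]
    for f in frames:
        inv.observe(f)
    return inv
```

Running `run_demo()` yields four new-asset events and one ip-conflict event; the PLC's record ends up with both EtherNet/IP and Modbus/TCP in its protocol set, which is the kind of attribute the slide says passive mode can recover without ever sending a packet to the device.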
The Solution
OT VISIBILITY & INSIGHT
CYBER SECURITY
PROCESS INTEGRITY
EFFICIENCY
OPERATIONAL EXCELLENCE
There's Sight. And There's Insight.
(diagram, not reproduced: Network Visibility → ICS Visibility → ICS Insights & Threat Intelligence → Contextual Awareness: Operations & Security)
Annotations shown: Call Home attempt; IP 10.10.3.177; WinCC 13.0 (vulnerable, CVE-2015-2823); Logic Change; Command: Read Current, Frequency; Known Port: 44818; Switch misconfiguration; Slow connection; PLC, Serial No. 00987DBF, Model No. 1756-ENBT/A, IP 10.10.3.161; E/IP values spoofing; FieldBus / IED; Anomalous behavior
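An added example, not from the deck or from Cisco's product, of how the anomaly categories annotated above can be derived from a learned communication baseline: the code records which source talks to which destination and port during a learning period and which protocol functions each source issues, then flags traffic outside that baseline, connections leaving the plant subnet ("call home"), a write from a host that only ever read ("logic change"), and a burst of distinct destination ports from one source (port scan). The plant subnet, thresholds, function names and every flow record are constructed for the example.

```python
"""Added example (not Cisco's code): baseline learning and deviation alerts
over constructed flow records (timestamp, src_ip, dst_ip, dst_port, function).
The subnet, thresholds and all records are constructed for this example."""
import ipaddress
from collections import Counter, defaultdict

PLANT_NET = ipaddress.ip_network("10.10.3.0/24")  # assumed plant address space
SCAN_WINDOW_S = 10                                 # seconds
SCAN_PORT_THRESHOLD = 8                            # distinct dst ports per source
WRITE_FUNCS = {"write", "download"}                # functions that change a controller


def learn_baseline(flows):
    """Learning period: record who talks to whom on which port, and which
    protocol functions each source has ever issued."""
    pairs, funcs = set(), defaultdict(set)
    for _ts, src, dst, dport, func in flows:
        pairs.add((src, dst, dport))
        if func:
            funcs[src].add(func)
    return pairs, dict(funcs)


def detect(flows, pairs, funcs):
    """Return alerts as (kind, src, dst, detail) tuples, in time order."""
    alerts = []
    per_src = defaultdict(list)   # src -> [(ts, dport)] for scan detection
    scans_reported = set()
    for ts, src, dst, dport, func in sorted(flows, key=lambda f: f[0]):
        if ipaddress.ip_address(dst) not in PLANT_NET:
            alerts.append(("call-home-attempt", src, dst, dport))
        elif (src, dst, dport) not in pairs:
            alerts.append(("abnormal-traffic", src, dst, dport))
        # A state-changing function from a source that never issued one.
        if func in WRITE_FUNCS and func not in funcs.get(src, set()):
            alerts.append(("logic-change", src, dst, func))
        # Many distinct destination ports from one source inside the window.
        per_src[src].append((ts, dport))
        recent = {p for t, p in per_src[src] if ts - t <= SCAN_WINDOW_S}
        if len(recent) >= SCAN_PORT_THRESHOLD and src not in scans_reported:
            scans_reported.add(src)
            alerts.append(("port-scan", src, dst, len(recent)))
    return alerts


# Constructed learning-period traffic: HMI reads the PLC over EtherNet/IP,
# a monitoring server polls SNMP, an engineering workstation legitimately writes.
BASELINE_FLOWS = [
    (0, "10.10.3.177", "10.10.3.161", 44818, "read"),
    (1, "10.10.3.177", "10.10.3.161", 44818, "read"),
    (2, "10.10.3.50", "10.10.3.161", 161, None),
    (3, "10.10.3.50", "10.10.3.177", 161, None),
    (4, "10.10.3.20", "10.10.3.161", 44818, "write"),
]

# Constructed live traffic: two normal flows, then the HMI issues a write, the
# PLC reaches an outside address, and an unknown host probes eight ports.
LIVE_FLOWS = [
    (100, "10.10.3.177", "10.10.3.161", 44818, "read"),
    (101, "10.10.3.50", "10.10.3.161", 161, None),
    (102, "10.10.3.177", "10.10.3.161", 44818, "write"),
    (103, "10.10.3.161", "198.51.100.23", 443, None),
] + [(110 + i, "10.10.3.99", "10.10.3.161", p, None)
     for i, p in enumerate((21, 22, 23, 80, 102, 135, 443, 502))]


def run_demo():
    pairs, funcs = learn_baseline(BASELINE_FLOWS)
    return detect(LIVE_FLOWS, pairs, funcs)


def alert_counts(alerts):
    """Summarise alerts by kind, e.g. for a dashboard tile."""
    return dict(Counter(kind for kind, *_ in alerts))
```

Each probe of the port sweep is also an unknown (src, dst, port) triple, so it raises an abnormal-traffic alert of its own before the scan threshold is reached; a deployed sensor would usually suppress those once the port-scan alert fires, but keeping them here makes the relationship between the two detections visible.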
Demonstration
(screenshots, not reproduced; screens shown:)
• Main Dashboard
• Asset Drilldown
• Asset Management, Sorted by IP
• Abnormal Traffic Event
• IP Conflict Event
• New Asset Detected Event
• PLC Update Event
• Malicious Port Scanning Event
• Man-In-The-Middle Attack Event
• Remote Access – User View
• Remote Access – User Requesting Access
• Remote Access – Remote User Session
• Remote Access – Session Recording
• Compliance Monitoring & Reporting Overview
• Compliance – Individual Endpoint Patch Status
• Compliance – Endpoint Patch Status Report
Conclusion
• Security challenges are growing and will keep demanding resources
• A new approach, with a holistic view of security in the industrial environment, is needed
• Deep experience in all three disciplines is essential: OT engineering + networking/IT + security
• Flexible consumption models transfer risk away from automation operators
• Proven experience in the standardized implementation of security controls, cyber security and compliance on a cost-efficient, "future proof" platform
Questions?
Thank you!