Protecting SCADA From the Ground Up
AlxRogan (AARON BAYLES)
Industrial Control Systems (ICS) and SCADA are everywhere, whether you know it or not. Not only do they track flow rates and turn signs for businesses, but they also activate fans and dampers for fire protection and control water distribution in your town. You can't count on ICS and SCADA to be completely off the net anymore; they are being networked internally and Internet-facing more and more. Common enterprise IT security methods and practices don't fully cover these systems, so come and learn how you should architect and protect the infrastructure that keeps the lights on.
Original title
DEFCON 22 AlxRogan - Protecting SCADA From the Ground Up
- 19 years in IT/Infosec
- Worked in Oil & Gas (O&G) last 8 years
- Along the way: penetration testing, vulnerability assessment, network architecture, design & implementation, risk assessment

- Legacy equipment/comms
- Remote (geographic) connectivity
- Availability, not confidentiality or integrity, is key (control)
- Power/space is at a premium
- Life safety can be dependent
- The demands placed on Industrial Control Systems (ICS) & SCADA networks don't match up with security requirements
- Understand your network & data flows
- Does not require expert knowledge
- Start with the basics
- Some concepts for enterprise IT can be used, with modification
- Build relationships between enterprise IT and industrial IT

- Network segmentation
- Portable media control
- Configuration management
- Patch management
- Disaster recovery (DR) planning
- Workforce development/training
- Although these may be similar, significant differences exist

- Formally the Purdue Enterprise Reference Architecture (PERA)
- Widely accepted within the ICS industry
- Compatible with multiple standards: ISA95, ISA99, and IEC 62443
- Works with zone & conduit concepts
- Represented by Layers 0/1-5
- Starting point for ICS network segregation

- Traffic within the same zone is allowed
- Traffic passing between zones via conduits is controlled
- Layer 2 (L2) can SET/CHANGE values on L1
- L3 can only READ values from L2 & L1
- Control points also allow for reporting

- ICS applications often misbehave
- OPC (Object Linking and Embedding for Process Control) uses MS DCOM
- They don't always communicate statefully
- Protocols have been subverted: MODBUS, DNP3
- Some vendors have started to adapt to ICS: Tofino (C1D2, DIN rail mount), Palo Alto (rack mount only for now)
- Do not install in blocking mode without extensive testing & tuning
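As an added illustration of the zone/conduit rules above (example code, not from the talk or any vendor product): a small Python policy check that classifies Modbus requests as reads or writes, applies the Purdue-level rules the slides give (L2 may set/change L1; L3 may only read L1 and L2; anything else crossing a zone is denied), and can run in a log-only monitor mode before blocking, as the last bullet advises. The host names, zone table and function-code sets are assumed values constructed for the example.

```python
from dataclasses import dataclass

# Constructed zone table: hostname -> Purdue level (assumed, not from the talk).
ZONES = {"plc-01": 1, "hmi-01": 2, "eng-ws-01": 2, "historian-01": 3}

# Standard Modbus function codes: 1-4 read coils/inputs/registers, 5/6/15/16 write.
MODBUS_READ = {1, 2, 3, 4}
MODBUS_WRITE = {5, 6, 15, 16}

@dataclass
class Flow:
    src: str            # requesting host
    dst: str            # device being polled or written
    function_code: int  # Modbus function code of the request

def operation(fc):
    """Classify a Modbus request as read, write or unknown."""
    if fc in MODBUS_READ:
        return "read"
    if fc in MODBUS_WRITE:
        return "write"
    return "unknown"

def decide(flow):
    """Apply the zone/conduit rules from the slides to one request; default deny."""
    src_lvl, dst_lvl = ZONES.get(flow.src), ZONES.get(flow.dst)
    if src_lvl is None or dst_lvl is None:
        return "deny", "host not in zone table"
    op = operation(flow.function_code)
    if src_lvl == dst_lvl:
        return "allow", "same zone"
    if src_lvl == 2 and dst_lvl == 1:
        return "allow", "L2 -> L1 conduit (set/change permitted)"
    if src_lvl == 3 and dst_lvl in (1, 2) and op == "read":
        return "allow", "L3 -> L1/L2 conduit (read only)"
    return "deny", f"{op} from L{src_lvl} to L{dst_lvl} not permitted"

def enforce(flows, blocking=False):
    """Monitor mode only logs what would be dropped; blocking mode drops (tune first)."""
    log = []
    for f in flows:
        verdict, reason = decide(f)
        if verdict == "deny":
            action = "DROP" if blocking else "WOULD-DROP"
            log.append(f"{action} {f.src}->{f.dst} fc={f.function_code}: {reason}")
    return log
```

Running the same captured flows through `enforce` in monitor mode for a while, and reviewing the WOULD-DROP lines, is how you find the legitimate but undocumented conduits before switching on blocking.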
- #1 thing that worries field personnel
- Due to software issues, vendors MUST approve OS/app patches
- Cannot patch monthly
- Time for testing environment

- USB & removable media control
- Anti-virus/anti-malware
- Application whitelisting
- Patch management for EWS & servers
- Corporate IT has these systems, BUT ICS cannot patch as frequently
- Application & OS security models differ
- Dependent on directory services (AD)
- Build your own!
- Like enterprise IT, ICS requires remote support and maintenance
- There have been breaches from this: Telvent, Target
- Vendors often will not recommend a security architecture
- Build your own!

- Incident response requires DATA
- Centralized logging
- Traffic analysis
- Logstash, elasticsearch, and cacti

- Restoring PLC programming or device configs can be difficult
- Specialized ICS configuration management software exists: MDT AutoSave, Siemens TeamCenter
- Specific ICS security trainings & certifications are uncommon
- SANS/GIAC
- Idaho National Laboratory (INL)
- 3rd party training offered by consulting/services companies
- Blends Infosec with ICS sensitivities
- Targeted for existing IT skillsets
- For some, DR is simply considered as having equipment spares on site
- Ability to rapidly restore services may not be planned
- Business impact analysis is key
- Updated lists of vital assets and personnel must be maintained

- My presentation from last year: http://evul.procfail.net/dc21/og-infosec-101.pdf
- Co-workers' presentation from BH '13: https://media.blackhat.com/us-13/US-13-Forner-Out-of-Control-Demonstrating-SCADA-Slides.pdf
- Latest copy of these slides at http://evul.procfail.net/dc22/protecting-scada-101.pdf
aaron@procfail.net
@AlxRogan
Visit the ICS Village, lots to explore and learn!