Fortinet and SCADA - PowerPoint PPT Presentation

Title: Fortinet and SCADA

Description: 40 servers in 9 strategic locations balance traffic loads and provide the ... Reports surfaced of China/Russia infiltrating US electrical grid, malware left behind[1] ... (PowerPoint PPT presentation)

Slides: 32
Provided by: rand2

Transcript and Presenter's Notes

1
Real-Time Threat Protection in a SCADA Environment
Derek Manky, Cyber Security Threat Research, FortiGuard
Cyber Security for Energy and Communications
September 29th, 2009
Fortinet Confidential
2
Presentation Overview
  • FortiGuard services
  • Research
  • SCADA threats
  • Elements of SCADA
  • Compliances
  • Real-time threat protection
  • Mitigation solutions
  • Visibility monitoring
  • Management

3
FortiGuard Distribution Network System
Servers by location: Vancouver 15, London 2, Ottawa 3, Beijing 2, Frankfurt 5, New Jersey 6, Tokyo 4, San Francisco 4, Singapore 2
  • Real time queries
    • AV Query
    • Webfiltering
    • Antispam
  • Up to date scanning with signature database
    • Antivirus - hourly
    • IPS
    • True zero-day protection
    • Application control
    • Database
    • Vulnerability management
40 servers in 9 strategic locations balance traffic loads and provide the highest quality of service with redundancy

4
FortiGuard Intelligence Systems
  • High capacity intelligence systems
  • Automated signatures
  • Stays in stride with arms race
  • Consolidated Intelligence
  • Frequent daily updates to all devices
  • Immediate hot updates for breaking threats

5
FortiGuard Research
  • Responsible disclosure
  • Worldwide team
    • 69 zero-days discovered since 2008
    • NVC 588 critical (March 2008) / 178 exploited
  • Proactive detection
    • MS09-043 (Office Web Components): 1 year advance protection
    • Microsoft MAPP partner
  • Breaking updates

6
History of SCADA Security Threats
  • 1998: Government penetration tests on US grid, hack questioned
    • Highly decentralized structure of the power plants [1]
  • 2000: Unknown intruders hijacked an electric company's FTP servers
    • Access through power company's servers by exploiting a vulnerability in the company's file storage service
    • "The intruders used the hacked FTP site to store and play interactive games that consumed 95 percent of the organization's Internet bandwidth." "The compromised bandwidth threatened the (company's) ability to conduct bulk power transactions."
  • 2003: The Slammer worm penetrated a private computer network at Ohio's Davis-Besse nuclear power plant, disabling a safety monitoring system for nearly five hours

[1] Wired: http://www.wired.com/science/discoveries/news/1998/06/12746
7
History of SCADA Security Threats
  • 2008: Hackers shut off power in multiple regions outside USA, demand payments
    • CIA official: "All involved intrusions through the Internet" [1]
  • April 7, 2009: NERC releases public warning on Cyber Asset Identification
    • Reports surfaced of China/Russia infiltrating US electrical grid, malware left behind [1]
  • 2009: DHS official on SCADA intrusions
    • "...They are growing. There were a lot last year." [2]

[1] Wired: http://www.wired.com/dangerroom/2008/01/hackers-take-do/
[2] Wall Street Journal: http://online.wsj.com/article/SB123914805204099085.html
8
Real-Time Threat Protection?
  • Unique solutions for each threat
    • Require multiple security point products
    • Limited to no product interoperability
  • Costly to own, costly to operate
    • High capital and operational expense
    • Disparate management consoles
    • No central threat dashboard
  • Not flexible
    • No deployment flexibility
    • Limited product offering
    • No support for DNPV3

(Diagram labels: Servers, Users)
Need Cost-Effective, All-in-One Security Solutions
9
Consolidated Intelligence: FortiGuard
(Diagram: threat stages numbered 1 to 5 (Variant 1 Attached, Mass Mail, Fresh Web, 0-Day Exploit, Variant 2 Hosted, Public), each handled by a separate point product, Solution A AntiVirus, Solution B WCF, Solution C IPS, Solution D AntiSpam, compared with the single FortiGuard Solution covering stages 1 to 5)

10
Elements of a SCADA System
  • A Human Machine Interface
    • The HMI is the apparatus which presents process data to a human operator, and through it the human operator monitors and controls the process
  • A supervisory system
    • A computer gathering/acquiring data on the process and sending commands (control) to the process
  • Remote Terminal Units
    • RTUs connect to sensors in the process, converting sensor signals to digital data and sending digital data to the supervisory system
  • Communications infrastructure
    • Connects the supervisory system to the RTUs

11
Elements of a SCADA System
12
SCADA Application Function

Application      | Function                                               | Security Technology
Wireless         | 3G/WiFi connectivity to RTU stations                   | Secured AP technology that includes AV, IPS and application control
ICCP             | Distributed control systems integration to EMS systems | IPS protection from protocol anomalies and systems attacks
DNP V3           | SCADA Main to SCADA remote RTU                         | Application control for TCP/IP DNP protocol control; IPS for buffer, header and network attacks
HMI              | RTU control terminal                                   | AV/IPS to secure against threats to the terminal (no AV allowed on HMI terminals)
Database Systems | Data storage for HMI and RTU systems                   | Database security control with schema and table auditing and control
13
SCADA Compliance and Certifications

Compliance | Requirements | Fortinet Solution
HIPAA (Healthcare) | Baseline ISO 17799, 27001; FW, AV, IPS, DB controls, visibility, audit, encryption in transport | FortiGate FW, VPN, AV, IPS; FortiManager, FortiAnalyzer, FortiDB, FortiClient
NERC CIP (Electrical) | Baseline ISO 17799, 27001; FW, AV, IPS, visibility, audit, security perimeter for all cyber assets, network segmentation, authentication | FortiGate FW, VPN, AV, IPS, network segmentation, app. authentication; FortiManager, FortiAnalyzer, FortiDB
PCI (Retail) | Baseline ISO 17799, 27001; FW, AV, IPS, database controls, visibility, audit, network segmentation, authentication, encryption in transport | FortiGate FW, VPN, AV, IPS, network segmentation, authentication; FortiManager, FortiAnalyzer, FortiDB, FortiClient
SOX, Multilateral Instruments 52-109, 52-111 (Corporations) | Baseline ISO 17799, 27001; FW, AV, IPS, IM controls, database controls, visibility, audit, network segmentation, authentication | FortiGate FW, VPN, AV, IPS, IM controls, FortiMail, network segmentation, authentication; FortiManager, FortiAnalyzer, FortiDB, FortiClient
14
Key NERC Requirements
  • Cyber-asset identification
    • Professional services to help identify
    • Built-in scanning tools (Fortinet)
  • Security management controls
    • Role/group based user management
    • FortiGate policy enforcement
  • Personnel training
    • Professional services/training
    • FortiGuard advisories/analysis/reports blog (RSS)
  • Electronic security perimeter(s)
    • FortiGate solution with AV/IPS and role based policy enforcement
  • Physical security of critical cyber assets
    • Segmentation of network with FortiGate
    • Role based security policies
  • Systems security management
    • Change management with the FortiManager
  • Incident reporting and response management
    • FortiAnalyzer will fill this role easily

15
Where are the Threats Coming From?
  • External sources
    • SCADA systems are normally interconnected to other SCADA systems and their own RTUs/MGMT stations via public networks
    • Software as a Service (SaaS)
  • Internal sources
    • Virus brought into SCADA network via portable devices
    • Corporate espionage
    • Third party applications
    • File sharing, P2P and social networks
    • HMI terminals do not have or are not allowed to install an AV solution
  • Wireless sources
    • SCADA networks often employ WiFi or 3G based wireless connectivity to RTUs
    • Rogue AP set up as original equipment SSID
    • Host of encryption exploits
    • No host based security features on RTUs

16
How You can Protect your SCADA Environment
  • Control application/communication into/out of the network
  • Control application/communication inside the network
    • Includes ICCP and DNPV3
  • Control what/who can interface with SCADA systems
  • Monitor the network for virus/attacks and be able to react to those events quickly

17
How Fortinet Can Help
  • External firewall security
    • IPS SCADA signatures available today (Modbus, DNP3, etc.)
    • IPS anomaly/DDoS mitigation
    • Application control for DNPv3 and ICCP
    • Firewall rules, user access control, endpoint control
  • Internal firewall security
    • IPS, AV, application control
    • User access control, DLP
  • Wireless/3G
    • Rogue AP detection
    • Multiple security methods: MAC address, WEP, WPA, WPA2 Enterprise
    • Role based security rules at RTU access point
    • Restrict to RTU and MGMT IPs
    • IPSec VPN from AP to CTU/MGMT station
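
The "IPS for buffer, header and network attacks" and "Application control for DNPv3" items in this deck describe checks applied to DNP3 at the link layer. As an added example (not code from the deck or from Fortinet), here is a DNP3 link-layer frame validator in Python: it verifies the start octets, the LENGTH field, the header and data-block CRCs, and an assumed site allow-list of (source, destination) link address pairs, reporting each deviation as an anomaly. Frame layout and CRC parameters follow the public DNP3 link-layer specification; the sample frames, link addresses and allow-list are constructed for the demonstration.

```python
# Added example, not code from the Fortinet deck: a DNP3 link-layer frame
# validator of the kind an IPS uses to reject malformed or out-of-policy frames
# before they reach an RTU. Frame layout and CRC parameters follow the public
# DNP3 link-layer specification; all frames below are constructed test data.

DNP3_START = b"\x05\x64"   # every DNP3 link-layer frame starts with 0x05 0x64
HEADER_LEN = 10            # start(2) + length(1) + control(1) + dest(2) + src(2) + crc(2)


def crc16_dnp(data: bytes) -> int:
    """CRC-16/DNP: polynomial 0x3D65 (0xA6BC reflected), init 0, final XOR 0xFFFF."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def build_frame(control: int, dest: int, src: int, user_data: bytes) -> bytes:
    """Construct a well-formed frame (used here only to produce sample input)."""
    # LENGTH counts control + dest + src + user data; CRC octets are not counted.
    header = DNP3_START + bytes([5 + len(user_data), control])
    header += dest.to_bytes(2, "little") + src.to_bytes(2, "little")
    frame = header + crc16_dnp(header).to_bytes(2, "little")
    # User data travels in blocks of up to 16 octets, each followed by its own CRC.
    for i in range(0, len(user_data), 16):
        block = user_data[i:i + 16]
        frame += block + crc16_dnp(block).to_bytes(2, "little")
    return frame


def check_frame(frame: bytes, allowed_pairs: set) -> dict:
    """Parse one frame and return its fields plus a list of anomaly strings.

    allowed_pairs holds the (source, destination) link-address pairs the site
    policy permits, e.g. {(master_addr, rtu_addr)}; it is an assumed policy.
    """
    anomalies = []
    if len(frame) < HEADER_LEN or frame[:2] != DNP3_START:
        return {"anomalies": ["bad start octets or truncated header"]}
    length, control = frame[2], frame[3]
    dest = int.from_bytes(frame[4:6], "little")
    src = int.from_bytes(frame[6:8], "little")
    if int.from_bytes(frame[8:10], "little") != crc16_dnp(frame[:8]):
        anomalies.append("header CRC mismatch")
    if length < 5:
        anomalies.append("LENGTH below the 5-octet minimum")
    user_data, remaining, pos = b"", length - 5, HEADER_LEN
    while remaining > 0:
        n = min(16, remaining)
        block, crc = frame[pos:pos + n], frame[pos + n:pos + n + 2]
        if len(block) < n or len(crc) < 2:
            anomalies.append("frame shorter than LENGTH claims")
            break
        if int.from_bytes(crc, "little") != crc16_dnp(block):
            anomalies.append("data block CRC mismatch")
        user_data += block
        pos += n + 2
        remaining -= n
    else:
        if pos != len(frame):
            anomalies.append("trailing octets after frame end")
    if (src, dest) not in allowed_pairs:
        anomalies.append(f"link address pair {src}->{dest} not in policy")
    return {"length": length, "control": control, "src": src, "dest": dest,
            "user_data": user_data, "anomalies": anomalies}


# Constructed samples: a master (link address 1) polling RTU 1024; the second
# frame has a flipped destination octet, the third comes from an unknown master.
POLICY = {(1, 1024)}
GOOD = build_frame(0xC4, 1024, 1, b"\xC0\xC1\x01")
CORRUPT = bytes(GOOD[:4] + bytes([GOOD[4] ^ 0xFF]) + GOOD[5:])
ROGUE = build_frame(0xC4, 1024, 77, b"\xC0\xC1\x01")

if __name__ == "__main__":
    for name, frame in (("good", GOOD), ("corrupt", CORRUPT), ("rogue", ROGUE)):
        print(name, check_frame(frame, POLICY)["anomalies"])
```

Running the block prints the anomaly list for each sample frame. CRC and LENGTH anomalies are what an inline IPS drops outright (they are the header and buffer attack surface the deck refers to), while an address-pair violation is a policy event to log to the management console rather than a malformed frame.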

18
Protection from the Outside (ingress)
  • Firewall. Inspects content in network packets to
    ensure no unauthorized traffic passes into or out
    of the intranet. With adequate performance, a
    firewall can be deployed in-line for real-time
    protection.
  • Intrusion Detection and Prevention. Stops attacks
    at the network perimeter by analyzing traffic for
    worms, viruses and exploits. Analysis techniques
    include behavior-based learning and heuristics in
    addition to signatures defining known hazards.
  • VPN. Enables secure communications tunnels across
    the public Internet between computing devices.
    With adequate performance, a VPN can authenticate
    users, encrypt data and manage sessions.
  • Antispam. Eliminates entry to the intranet of
    junk email, file attachments and web access of
    blacklisted websites, domains and key words.

19
Protection from the Outside (ingress)
  • Web-based Content Filtering. Processes all Web
    content to block inappropriate material and
    malicious scripts from Java Applet, Cookies and
    ActiveX scripts entering the intranet. Assures
    improved productivity by minimizing time wasted
    on non-business use of the network.
  • Vulnerability Scanning. This automated process
    checks network devices and applications to
    identify and rank the severity level of known
    vulnerabilities caused by unpatched software,
    mis-configurations and other causes. Scan reports
    provide a blueprint to remove vulnerabilities for
    stronger security.
  • All these security applications can and should be
    installed at every SCADA network endpoint. The
    biggest challenge is operational: how to deploy
    them and manage their use in a cost-effective
    manner.

20
Protection from the Inside
  • Once an intruder is inside the network, the SCADA
    system is vulnerable from several points: the HMI
    (Human-Machine Interface) and the RTUs (Remote
    Terminal Units). The HMI is a direct interface to
    the databases that the RTU sends commands to and
    receives commands from. For example, an HMI user
    working at a fuel tank farm can manage the flow of
    fuel from a pipeline into various storage tanks and
    then through a piping system into delivery trucks
    or another pipeline. The HMI sends commands to the
    RTU to open/close valves, turn on pumps, and record
    the amount of fuel, temperature and water content
    of a storage tank, all in real time. If the HMI
    were exploited, whether by a bot, a worm, or a
    known exploit that gives command/control access to
    an external user, what could happen?

21
Protection from the Inside
  • Secure (encrypted) communications to/from RTUs
  • Firewall policies that restrict users/IPs to only operational personnel
  • Antivirus/IPS profiles within network
  • Secure database communications
    • FortiDB
    • DLP
  • Application control to limit unwanted or potentially dangerous applications from being installed within SCADA network

22
Wireless Protection
  • WiFi
    • Use non-broadcast SSID
    • Use WPA-PSK 128 or better encryption
    • WPA2 Enterprise (RADIUS)
    • Lock wireless access to known MAC/IP addresses
    • VPN to CTU or DB
  • 3G based wireless
    • Static IP devices
    • MPLS to SCADA network
    • VPN into SCADA network
    • Restrict VPN to known IP addresses
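
The "Firewall policies that restrict users/IPs to only operational personnel", "Restrict to RTU and MGMT IPs" and "Restrict VPN to known IP addresses" items all reduce to one allow-list policy over SCADA protocol sessions. As an added example (not code from the deck or from Fortinet), here is a Python review of firewall connection logs against such a policy: each SCADA-port session is checked for an RTU destination and a listed source, and unlisted sources are raised as alerts even when the firewall already denied them. The log format, the networks and addresses, the port table and the allow-list are all constructed for this demonstration.

```python
# Added example, not code from the Fortinet deck: checking firewall connection
# logs against a "known RTU/MGMT addresses only" policy like the one the slides
# recommend. The log format, addresses, networks and port table are constructed
# for this demo; real logs and the site allow-list would be substituted.
import ipaddress

# Well-known TCP ports of the SCADA protocols the deck mentions.
SCADA_PORTS = {20000: "DNP3", 102: "ICCP/MMS", 502: "Modbus/TCP"}

# Constructed site policy: networks allowed to open SCADA sessions, and the RTUs.
ALLOWED_SOURCES = [
    ipaddress.ip_network("10.10.5.0/24"),   # SCADA master and MGMT stations
    ipaddress.ip_network("10.20.0.0/16"),   # RTU field network
]
RTU_ADDRESSES = {ipaddress.ip_address(a) for a in ("10.20.1.11", "10.20.1.12")}

# Constructed firewall log lines in a simple key=value form.
SAMPLE_LOG = """\
src=10.10.5.7 dst=10.20.1.11 dport=20000 action=accept
src=192.0.2.44 dst=10.20.1.11 dport=20000 action=accept
src=10.10.5.7 dst=10.10.5.200 dport=102 action=accept
src=10.10.5.9 dst=10.20.1.12 dport=443 action=accept
src=172.16.8.3 dst=10.20.1.12 dport=502 action=deny
""".splitlines()


def classify(line: str) -> tuple:
    """Return (verdict, reason) for one log line: allow, alert, info or ignore."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    src = ipaddress.ip_address(fields["src"])
    dst = ipaddress.ip_address(fields["dst"])
    dport = int(fields["dport"])
    if dport not in SCADA_PORTS:
        return ("ignore", "not a SCADA protocol port")
    proto = SCADA_PORTS[dport]
    # A SCADA protocol aimed at something that is not an RTU is suspicious
    # regardless of source: a rogue listener or a mis-addressed master.
    if dst not in RTU_ADDRESSES:
        return ("alert", f"{proto} session to non-RTU destination {dst}")
    # Unlisted sources are alerted even when the firewall already denied them:
    # a denied attempt is still evidence that something is probing the RTUs.
    if not any(src in net for net in ALLOWED_SOURCES):
        return ("alert", f"{proto} session from unlisted source {src} ({fields['action']})")
    if fields.get("action") == "deny":
        return ("info", f"{proto} from allowed source {src} denied by policy")
    return ("allow", f"{proto} from {src} to RTU {dst}")


def review(lines) -> list:
    """Classify every SCADA-port line; returns (line, verdict, reason) tuples."""
    results = []
    for line in lines:
        verdict, reason = classify(line)
        if verdict != "ignore":
            results.append((line, verdict, reason))
    return results


if __name__ == "__main__":
    for line, verdict, reason in review(SAMPLE_LOG):
        print(f"{verdict:5s} {reason}")
```

On the sample log the first line is the expected master-to-RTU poll, the second is a DNP3 session from an address outside the site (192.0.2.44 is documentation space, standing in for any unlisted source), the third is ICCP aimed at a host that is not an RTU, the HTTPS line is ignored, and the denied Modbus attempt is still reported because the source is unlisted.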

23
Enterprise Security Tools
(Diagram: external network, UTM, internal network; tools listed are Firewalls, VPN, AAA, Anti Virus, IDS, Encryption, Application Security, Database Security; internal zones show PCs and printers, authorized users, server domain, HMI applications, database security and SCADA databases)
24
The Solution: A Defense-in-Depth Security Strategy
  • A defense-in-depth strategy deploys application security at both the host RTU and the network level
  • Deploy security systems that offer tightly integrated multiple detection mechanisms
    • IPS
    • Antivirus
    • Antispam
    • Application control
    • Web filtering
    • DB
    • Stateful firewall
    • VPN
  • Automated processes to update AV and IPS signature databases
  • Known SCADA exploits already in AV/IPS databases

25
Protection of the HMI Database
  • Vulnerability assessment
    • Centralize signature/policy management
    • Separation of duties
    • Create custom signatures/policies
    • Implement expert-level remediation advice
    • Analyze database security trends
    • Supports well known DB systems
  • Audit control monitoring/audit
    • Unauthorized access/change of data circumventing application controls
    • Segregation of duties: database security/audit should be external to the database
    • Control on rules for who, when and where makes a change in the database without authorization
    • Change control on schemas
    • User privilege changes
    • Failed logins and failed actions
    • Data integrity of critical data

26
Vulnerability Assessment
  • Key features
    • Assesses and provides industry standard remediation advice that strengthens the integrity and security of databases. This helps with eliminating weaknesses in passwords, access, privileges, configuration settings, and more.
    • Automatically discover all databases
    • Accelerate security compliance best practices (PCI, SOX, HIPAA)
    • Centralize signature/policy management
    • Separation of duties
    • Easily create custom signatures/policies
    • Brand reports for easy identification
    • Implement expert-level remediation advice
    • Analyze database security trends
    • Supports Oracle, SQL, DB2 UDB and Sybase

27
Audit Control Monitoring/Audit
  • Reduces the risk of information theft, leak or fraudulent update; automates compliance processes
  • Automation of IT internal controls (database specific)
    • Unauthorized access/change of data circumventing application controls
    • Segregation of duties: database security/audit should be external to the database
    • Power user activities
    • Control on rules on who, when and where makes a change in the database without authorization
    • Change control on schemas
    • User privilege changes
    • Failed logins and failed actions
    • Data integrity of critical data
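
The audit items listed on this slide and on the "Protection of the HMI Database" slide (failed logins, user privilege changes, change control on schemas, all monitored from outside the database) can be expressed as rules over a database activity log. As an added example (not code from the deck, from Fortinet or from FortiDB), here is a Python audit pass that applies three such rules to constructed audit records: a burst of failed logins on one account, any GRANT/REVOKE, and DDL statements, distinguished by whether the issuing account is on an assumed list of DBA accounts. The record format, account names, client addresses and timestamps are all constructed for the demonstration.

```python
# Added example, not code from the Fortinet deck: rules of the kind a database
# audit monitor applies to a DB activity log to surface the events the slide
# lists (failed logins, privilege changes, schema changes). The record format,
# account names and the DBA account list are constructed for this demo.
import re
from collections import defaultdict

DDL_RE = re.compile(r"^\s*(CREATE|ALTER|DROP|TRUNCATE)\b", re.IGNORECASE)
PRIVILEGE_RE = re.compile(r"^\s*(GRANT|REVOKE)\b", re.IGNORECASE)

# Constructed audit records: (timestamp, db user, client address, statement, status).
AUDIT_LOG = [
    ("2009-09-29 08:01:10", "hmi_app",  "10.10.5.7",  "SELECT level FROM tank WHERE id=3", "ok"),
    ("2009-09-29 08:02:15", "hmi_app",  "10.10.5.7",  "UPDATE tank SET level=410 WHERE id=3", "ok"),
    ("2009-09-29 08:03:00", "scada_ro", "10.10.5.31", "LOGIN", "failed"),
    ("2009-09-29 08:03:04", "scada_ro", "10.10.5.31", "LOGIN", "failed"),
    ("2009-09-29 08:03:09", "scada_ro", "10.10.5.31", "LOGIN", "failed"),
    ("2009-09-29 08:03:15", "scada_ro", "10.10.5.31", "LOGIN", "failed"),
    ("2009-09-29 08:05:40", "hmi_app",  "10.10.5.7",  "ALTER TABLE tank ADD COLUMN override INT", "ok"),
    ("2009-09-29 08:06:02", "hmi_app",  "10.10.5.7",  "GRANT ALL ON tank TO scada_ro", "ok"),
    ("2009-09-29 22:30:00", "dba_jane", "10.10.5.50", "ALTER TABLE valve ADD COLUMN note TEXT", "ok"),
]


def audit(records, dba_accounts, failed_threshold=3) -> list:
    """Apply the audit rules; return one finding dict per matched event."""
    findings = []
    failed = defaultdict(int)   # consecutive failed logins per account
    for ts, user, client, stmt, status in records:
        if stmt == "LOGIN":
            if status == "failed":
                failed[user] += 1
                if failed[user] == failed_threshold:   # report once per burst
                    findings.append({"rule": "failed-login-burst", "user": user, "at": ts,
                                     "detail": f"{failed_threshold} consecutive failed logins from {client}"})
            else:
                failed[user] = 0   # a successful login ends the burst
            continue
        if PRIVILEGE_RE.match(stmt):
            # Any GRANT/REVOKE is a privilege change that should match a change ticket.
            findings.append({"rule": "privilege-change", "user": user, "at": ts, "detail": stmt})
        if DDL_RE.match(stmt):
            # Schema changes from the application account bypass change control;
            # the same change from a DBA is still logged for reconciliation.
            rule = "schema-change-by-dba" if user in dba_accounts else "schema-change-by-non-dba"
            findings.append({"rule": rule, "user": user, "at": ts, "detail": stmt})
    return findings


if __name__ == "__main__":
    for finding in audit(AUDIT_LOG, dba_accounts={"dba_jane"}):
        print(finding["at"], finding["rule"], finding["user"], finding["detail"])
```

The rules run over a copy of the activity log rather than inside the database, which is the "audit should be external to the database" point the slide makes: an attacker who owns the application account cannot silence the monitor by editing its rules. The ALTER and GRANT from the application account are the findings an operator would chase first, since neither should ever originate from an HMI.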

28
Reporting and Analysis of SCADA
  • More than 300 different report templates available
  • Report configuration wizard
  • Reports are completely customizable
  • Example reports
    • Events/attacks by
      • Sensor
      • Source
      • Category
      • Threat
      • Protocol
    • Mail usage
    • ICCP, DNP usage
    • Bandwidth usage
    • Protocol usage

29
Management in a SCADA Environment
(Diagram: backbone switching connecting RTU A, RTU B, RTU C, RTU D and RTU F, the SCADA DB system and Internet access, with an out-of-band management path)
30
Multi-Threat Security with Fortinet
  • Fortinet advantages
    • Provides comprehensive security approach
    • Minimizes down-time from individual threats (FortiGuard)
    • Reduces number of vendors and appliances
    • Simplifies security management
    • Coordinates security alerting, logging, and reporting
    • Improves detection capabilities

(Diagram labels: Core DB, HMI)
31
(No Transcript)