Service-aware Security for Threat & Incident Management Dario Lobozzo.


© Copyright 2015, Radiflow Ltd.

Remote utility sites are the weakest link
- SCADA networks were designed for security by obscurity
  – Industrial automation devices use basic authentication methods
  – SCADA protocols do not support any role-based authorizations
- Physical access to a remote site can be easily gained
  – Remote sub-stations are unmanned
  – Authorized site visitors gain access to the local network
- Inter-site sessions are not considered trusted
  – An insider in one site can gain unsupervised access to other sites
  – Man-in-the-middle attacks can hack into the private network
"smart grid cyber-security guidelines did not address an important element… risk of attacks that use both cyber and physical means" (Electricity Grid Modernization; Report to Congressional Requesters, US GAO, January 2011)

Attack Vectors on the OT network
(Diagram: control center and PLC connected across the OT network, with four attack vectors marked: Excess Access Rights, Man in the middle attack, Compromised Field Device, Malware in SCADA Computers)

Securing the Distributed SCADA operations
Attack vector | Defense method
Malware in the SCADA computers | SCADA Deep-Packet-Inspection to block unauthorized traffic from the SCADA server
Man in the Middle | Encrypted VPN tunnels over the untrusted links
Excess access rights in remote site | Restricted access to the critical assets using user-based and task-based policies
Compromised field device | IPS/IDS (Intrusion Prevention/Detection) for behavioral analysis of distributed automation

Distributed IPS for ICS networks (Patent Pending)
- Per-user role-based validation of SCADA sessions
  – Applied to both IP and Serial devices
- Distributed to each end-point
  – Inline IPS or virtual IDS
- End-to-end support logic
  – Intuitive provisioning based on auto-learning
  – Event log with SOC tools integration

Cyber Security solutions for Critical Distributed Automation networks
- Isolation
- Self Learning
- Anomaly Detection
- Controlling Exceptions

ISOC – Integrating IT/OT/PACS Security
- An efficient security solution should integrate:
  – IT security
  – OT security
  – Physical Access Control
- All information should be correlated in a central ISOC
"In twenty years as the Chief Director of Incident Response with the FBI I have seen 2 systems which were truly air-gapped"

Requirements and Guidelines
Focus on addressing the concerns as laid out by:
- NIST Cybersecurity Framework
- DOE ES-C2M2
- NERC's CIPv5
RADiFlow Introduction Proprietary and Confidential

VPN over Cellular Network
- Connecting private sub-networks over a public or private network
- Remote site connection using Hub & Spoke GRE tunnels
- IPsec used to encrypt the GRE tunnels
- Certificates used to authenticate remote parties
- L2 or L3 VPN modes available
(Diagram: two cell sites, one on ISP #1 behind a NAT router and one on ISP #2, with a primary SIM marked ACTIVE and a secondary SIM marked OFF, reaching each other across the Internet through an IPsec tunnel)

Secure Access for Substation Automation
- Identity management for detailed per-user authorizations
- Validation of SCADA behavior per user
- Automatic learning of SCADA behavior
- Detailed log of user activities
- IPsec VPN for inter-site connectivity
- Support for Ethernet and Serial devices

Controlling Exceptions: Authentication Proxy
The goal: controlling the openness of the network for maintenance operations.
The method: setting policy per maintenance task, per user.
- Restricted access to site devices
- Applied to both IP and Serial
- Full audit log of user activities
- IPsec VPN for inter-site connectivity

Authentication Proxy Use Case
(Diagram: central SCADA1 and SCADA2 connect to a remote site gateway holding authentication, profiles and logs; behind it, PLC, RTU and IED are reached over Ethernet and rs232 by a technician)
- Profile-based remote user authentication at the site gateway
- Restricted access to site devices
- Technician allowed transparent access
- On-the-fly firewall provisioning
- Utilization of Telnet, SSH, and in future releases TACACS+ and RADIUS authentication

Event Logger for Scalable deployment
(Diagram: a central Syslog server; at Site 1, PLC and RTU syslog clients feed a local syslog server, which in turn acts as a syslog client toward the central server)
- Receive various types of events
  – Serial and IP
  – Multiple formats
- Re-format events
  – Unified structure
  – Additional info
- Log raw data and formatted data
- Send formatted events to SIEM
  – After filtering
  – With flow-control
- Optional
  – Redundant uplinks
  – Encrypt data
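The event-logger pipeline on this slide (multi-format intake, unified structure, severity filtering, flow-controlled batches toward the SIEM, raw plus formatted retention), as an added example that is not Radiflow's code. The RFC 3164 PRI decoding is standard; the serial "RTU-ALARM" line format, the site tag and the sample lines are constructed for this example.

```python
import json
import re
from typing import Dict, List, Optional, Tuple
# RFC 3164-style syslog line from an IP device: <PRI>timestamp host tag: message
SYSLOG_RE = re.compile(r"^<(\d{1,3})>(\w{3} +\d+ [\d:]+) (\S+) ([^:]+): (.*)$")
# Constructed format for events collected from a serial RTU: RTU-ALARM,<device>,<severity>,<text>
SERIAL_RE = re.compile(r"^RTU-ALARM,([\w-]+),([0-7]),(.*)$")

def parse_event(raw: str, site: str) -> Optional[Dict]:
    """Re-format one raw event into the unified structure; None if no known format matches."""
    m = SYSLOG_RE.match(raw)
    if m:
        pri = int(m.group(1))
        if pri > 191:            # PRI = facility*8 + severity; 191 is the largest valid value
            return None
        return {"site": site, "source": "ip", "device": m.group(3),
                "facility": pri // 8, "severity": pri % 8,
                "process": m.group(4), "message": m.group(5), "raw": raw}
    m = SERIAL_RE.match(raw)
    if m:
        return {"site": site, "source": "serial", "device": m.group(1),
                "facility": None, "severity": int(m.group(2)),
                "process": "rtu", "message": m.group(3), "raw": raw}
    return None

def forward(raw_lines: List[str], site: str, max_severity: int = 4,
            batch_size: int = 10) -> Tuple[List[Dict], List[List[str]]]:
    """Keep every event (raw and formatted) in the local store; build SIEM batches holding
    only events at or above the severity threshold (0 = emergency, 7 = debug).
    batch_size is the flow-control limit per send. Returns (local_store, batches)."""
    local_store: List[Dict] = []
    to_send: List[str] = []
    for line in raw_lines:
        ev = parse_event(line, site)
        if ev is None:
            local_store.append({"site": site, "raw": line, "parse_error": True})
            continue
        local_store.append(ev)
        if ev["severity"] <= max_severity:
            to_send.append(json.dumps({k: v for k, v in ev.items() if k != "raw"}))
    batches = [to_send[i:i + batch_size] for i in range(0, len(to_send), batch_size)]
    return local_store, batches

# Constructed sample input: two syslog lines from a PLC, one serial RTU alarm, one unparsable line.
SAMPLE = [
    "<34>Oct  5 12:01:00 plc-01 modbus[77]: write coil 12 from 10.0.0.5",
    "<190>Oct  5 12:01:02 plc-01 cron[9]: heartbeat",
    "RTU-ALARM,rtu-07,2,door contact open",
    "garbage line",
]
```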

Integrated Physical & Cyber security
- Distributed SCADA IPS in each site
- Correlation with physical security systems for dynamic user authentication
- Validate per-user SCADA operations
- Integration with central SIEM tool
Restricted user operations in the cyber corridors of distributed automation networks

Integrated Physical & Cyber security: Mercury Panel System Architecture
- Unified policy enforcement
- Cyber policies enacted due to physical policies
(Diagram: central SCADA and the Access Control Head End; at the remote site (sub-station), a Mercury access control panel, an event logger tied to all points, and PLC, RTU and IED reached over Ethernet and rs232 by a technician)

Cyber Physical Access Control List
Allows checking what is happening in both the physical and the cyber world against pre-defined rules, in order to enforce the minimum access required to perform an assigned task.
Identity | Assigned task | Physical access | Logical (cyber) access
GE engineer A | Firmware update | GE rack area only | Admin command on GE RTU only
Schneider engineer B | System expansion | Schneider rack area only; placement of new physical object in room | Setup test command to new Schneider RTU only
Historian engineer C | Data backup | Control room only access | Historian server read-only access
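The per-task, per-user policy from the Authentication Proxy slide and the cyber-physical ACL table above, as one added example (not Radiflow's code): a cyber command is allowed only if it falls inside the identity's assigned task and the badge system currently places that identity in the zone the task requires. The rule structure, the command-class names ("admin", "setup-test", "read") and the badge feed are assumptions constructed for this example.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    identity: str
    task: str
    zone: str                # physical area the access control system must have admitted them to
    device: str              # the one device this task may touch
    ops: FrozenSet[str]      # command classes allowed on that device (assumed names)

# Policy rows taken from the slide's table; the op names are assumptions.
RULES: List[Rule] = [
    Rule("GE engineer A", "Firmware update", "GE rack area", "GE RTU", frozenset({"admin"})),
    Rule("Schneider engineer B", "System expansion", "Schneider rack area",
         "Schneider RTU (new)", frozenset({"setup-test"})),
    Rule("Historian engineer C", "Data backup", "Control room", "Historian server", frozenset({"read"})),
]

def current_zone(identity: str, badge_events: List[Tuple[str, str, str]]) -> Optional[str]:
    """Zone the physical access control system last admitted this identity to, or None if
    the last event was an exit (or there was no entry). Events are (identity, 'enter'|'exit',
    zone) tuples in time order."""
    zone = None
    for who, action, z in badge_events:
        if who == identity:
            zone = z if action == "enter" else None
    return zone

def decide(identity: str, device: str, op: str,
           badge_events: List[Tuple[str, str, str]]) -> Tuple[bool, str]:
    """Correlate a cyber command with physical presence. Returns (allowed, reason)."""
    zone = current_zone(identity, badge_events)
    for rule in RULES:
        if rule.identity != identity:
            continue
        if zone != rule.zone:
            return False, f"{identity} is not present in {rule.zone} (badge zone: {zone})"
        if device != rule.device or op not in rule.ops:
            return False, f"'{op}' on {device} is outside task '{rule.task}'"
        return True, f"'{op}' on {device} permitted for task '{rule.task}'"
    return False, f"no assigned task for {identity}"

# Constructed badge feed: engineer A entered the GE rack area; engineer C entered the
# control room and then left it.
BADGE_FEED = [
    ("GE engineer A", "enter", "GE rack area"),
    ("Historian engineer C", "enter", "Control room"),
    ("Historian engineer C", "exit", "Control room"),
]
```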

Radiflow Solutions offering
Security feature | Radiflow 3180
IP Sec VPN | Yes
VPN over cellular | Yes
X.509 certificates | Yes
White list firewall | Yes
DPI firewall for SCADA protocols | Yes
Per IED firewall policy | Yes
Authentication proxy - ETH | Yes
Authentication proxy - Serial | Yes
IED password sync from central DB | Yes
Layer 2 Switch | Yes
User-to-IED activity logs | Yes
Password management for IEDs | Yes
Syslog messages | Yes
IP Router | Yes
Serial to IP gateway for SCADA protocols | Yes
Integration with Physical security | Yes
Integration with IDS server | Yes
  – Network & Application learning | Yes
  – SCADA Anomaly detection | Yes
  – Dashboard & Map GUI | Yes

Summary
- Intra-network security is mandatory
- RADiFlow Service-aware Industrial Networking solution
  – Unique distributed service-aware firewall by the network
  – Integrated defense-in-depth tool-set
  – Optimize CapEx and OpEx
For more details: