Recomendados
Mais conteúdo relacionado
Mais procurados
Mais procurados (20)
Semelhante a Encryption in industrial control systems; Is the juice worth the squeeze?
Semelhante a Encryption in industrial control systems; Is the juice worth the squeeze? (20)
Último
Último (20)
Encryption in industrial control systems; Is the juice worth the squeeze?
- 1. Brian Proctor – ICS Cyber Security Conference 2017 Encryption in ICS; ?
- 2. Who am I? Brian Proctor – GICSP, CISSP, CRISC 13+ years of cybersecurity utility experience • Southern California Edison (SCE) - ICS/SCADA Cybersecurity Engineer - NERC CIP Compliance Manager • San Diego Gas & Electric (SDG&E) - Principal Cybersecurity Engineer – Smart Grid and Electric Operations - Team Lead - Information Security Engineering, Research, & Development • Joined SecurityMatters in Feb 2017 Career focused on securing Operational Technology (OT) - SCADA (Electric Transmission & Distribution, Gas Storage & Transmission) - DCS (Power Generation, Distributed Energy Resources Speaker at Distributech, EnergySec, EPRI, UTC, ICSJWG - Situational awareness with a side of cybersecurity - Life After Ukraine; Real world strategies and trends - Do you know what time it is? Precision timing attacks and their impacts to utility operations 2www.secmatters.com - Public
- 3. Trivia Time!!! What 2004 movie is the quote “Because in your heart you know, that the juice is worth the squeeze?” www.secmatters.com - Public 3 The Girl Next Door
- 4. Conference vote! Idea from hotel bar last night; lets see how this goes… www.secmatters.com - Public 4 Raise hand if you believe you should encrypt remote access ICS/DCS protocols?
- 5. Why I wrote this talk…. www.secmatters.com - Public 5
- 6. Let’s start with the basics…. Encryption • Value - Confidentiality - Integrity - Non-repudiation - Authentication ICS Protocols • DNP3, MODBUS, Ethernet IP (CIP), MMS (ICCP), Step7, many other legacy or propriety protocols - No confidentiality - No integrity - No authentication • Encryption commonly used to wrap ICS protocols over untrusted networks or segments - Between modems, routers, firewalls (IPsec) - SSL/TLS between data concentrators or gateways - Wireless www.secmatters.com - Public 6
- 7. Sample utility architecture 7 Internet Field network (ISA 99 – Level 1) Business LAN (ISA 99 – Level 4) Supervisory Network DMZ (ISA 99 – Level 3) Historian www @ Control Network (ISA 99 – Level 2) Engineering WS DB MTU/FEPRTU IEDs/PLCsIEDs/PLCs SCADA/ HMI www.secmatters.com - Public DER/IEDs/PLCs Std encrypted paths Clear text LANs New End to End
- 8. Sample process control network architecture www.secmatters.com - Public 8 Level1 (Controllers) Level2 (Supervisory) Level3 (PCNMgmt) Level4 (PCNDMZ) Historian HMI EWS PLC Controller IED Std encrypted path Clear text LANs AD SFTP/FTP Jump/PAM DCS Server New End to End
- 9. Is the juice worth the squeeze? What’s the juice? • E2E encryption; GW and device on LAN Is it worth losing the following: • Asset inventory (vendor, model, firmware) • Remote and engineering monitoring - Users - Activities • Passive vulnerability management • ICS/DCS command monitoring • Behavior based alerting • Signature based alerting • SCADA firewall command filtering • Great DFIR artifacts www.secmatters.com - Public 9
- 10. With great powers comes great responsibility…. How are keys generated? Is it truly random? • Vendor default? Asset Owner PKI? Self-signed? • How is key stored? • What if private key compromised? Key management • Any commercial CAs which issue certificate types? • Lifetime • Rotation • Deployment Cryptographic algorithms deprecation Quantum computing = Public 10
- 11. So what does this all mean from my perspective? Use encryption where it makes sense • Wireless • Untrusted networks Understand what you lose if you do go end to end Understand operational responsibilities to support Understand long term implications Clear text can be your friend • Great situational awareness - Asset inventory/classification - Remote and engineering monitoring - Insider threat monitoring (rogue operator, engineer) - Provides SOC and IR/Forensics great info • Threats (insiders or external) can’t hide their activities Threat modeling and red teaming exercises Public 11
- 12. Is the juice worth the squeeze for you? My vote is no; gateway to gateway is sufficient • What attack scenarios are you preventing against? Lose situational awareness and visibility to your own systems Hide anomalous or malicious traffic Hide vendor activities or poor practices Introduces more open security questions and responsibilities Authentication and integrity can be achieve without encryption • Secure SCADA protocol of the 21st century (SSP-21) End of day = risk based decision Public 12
- 13. Questions and Thank You! Public 13 Twitter: @bproctor67 Email: Brian.proctor@secmatters.com
Notas do Editor
- Thanks for the introduction, wanted to start off with a little about me as I’m new to the speaking circuit. I’ve had the opportunity to work in the cybersecurity field for electric utilities my entire career which has been an amazing opportunity.; 7 years up at Southern California Edison and 4 years at San Diego Gas & Electric. The majority of my career has been mainly focused on the Operational Technology or OT side of things working in a variety of SCADA and DCS environments
- To describe the basic principles of the ICS Networks pointing out the connection among business lan, supervisory network and control system network. An industrial network is most typically made up of several distinct areas, which are simplified here as a business network or enterprise, business operations, a supervisory network, and process and control networks. The separation of assets into functional groups allows specific services to be tightly locked down and controlled, and is one of the easiest methods of reducing the attack surface that is exposed to attackers. Simply by disallowing all unnecessary ports and services, we also eliminate all of the vulnerabilities—known or unknown—that could potentially allow an attacker to exploit those services. That’s why we expect to find firewall to isolate these three areas. --------------- ISA 99 levels Level0: Defines the actual physical processes. Level1: Defines the activities involved in sensing and manipulating the physical processes. Level2: Defines the activities of monitoring and controlling the physical processes. Level3: Defines the activities of the work flow to produce the desired end-products. Level4: Defines the business-related activities needed to manage a manufacturing organization.