CSEC3002 Cyber Physical Systems Security Lecture PDF
Document Details
Uploaded by NourishingSparkle6401
De Montfort University
Ashraf Tantavy
Tags
Summary
This lecture covers implementing security and access controls for cyber-physical systems. Topics include network segmentation, network security controls, and host security controls. The material outlines various security devices, such as firewalls, IDS, IPS, and methods for detecting and preventing unauthorized access.
Full Transcript
CSEC3002 Cyber Physical Systems Security Implementing Security and Access Controls By Ashraf Tantavy Outline Network Segmentation Network Security Controls Host Security Controls 2 Network Segmentation Network Segmentation A zone is a lo...
CSEC3002 Cyber Physical Systems Security Implementing Security and Access Controls By Ashraf Tantavy Outline Network Segmentation Network Security Controls Host Security Controls 2 Network Segmentation Network Segmentation A zone is a logically/physically isolated network of components. It requires proper segmentation and access control to protect against attacks. To properly secure a zone: – Identify the zone perimeter, with its entry/exit points. – Develop a security policy and change management procedures. – Implement the security controls on the network and hosts. – Monitor the network. 4 Design Considerations A zone may expand across multiple geographical locations. Entry/exit points are still on the perimeter, not between sites. The link between two sites should conform to the security policy of the zone. 5 Design Considerations Ideally: zone is isolated as strictly as possible, with as few conduits as possible with adjacent zones. Minimise logical zones that could span multiple zone boundaries. Do not overlook wireless access points or dial-up connections (entry points). 6 Zone Boundary Ideally, zones separation should be at all seven OSI Layers. In practice, you may get a physically-flat network. Separation could be made logically, e.g., VLANs. Start with Layer 1 and work up the OSI layers, attempting to separate the zones at lower layers first. 7 Zone Documentation For each zone, you will develop a security policy. Effective security policy requires comprehensive zone documentation. Maintain the following as a minimum for each zone – Devices belonging to the zone, with MAC/IP addresses. – Software inventory for the devices (OS, key services running). – Users with authority over the zone. – Protocols, ports, services used within the zone. – Applications/technologies that should NOT be used in the zone. 8 Network Security Controls Network Security Controls Network security controls protect against unauthorized access to the zone (inbound) and prevents the enclosed system from accessing external systems (outbound). All inbound/outbound traffic must be forced through monitored and controlled network connection. Security devices must be installed at these connections. 10 Selecting Network Security Devices Devices include firewalls, IDS, IPS, network allowlisting devices, application monitors, and industrial protocol filters. Type of device used depends on the security level (criticality) of the zone. Example criticality-device from North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) 11 Selecting Network Security Devices Security devices vary in their capabilities to detect threats. Firewalls use “shallow packet inspection”. IPS uses deep packet inspection (DPI), but obviously slower. False positives (dropping packets) may be dangerous for industrial networks. 12 Application Layer Session Monitoring Gives a bigger picture. Detects out-of-sequence packets and sophisticated protocol attacks. 13 Data Diode Most stringent network security device. One-way network connection, enforced at the physical level (transmit wire/fiber, no receive wire). Can you think of an ICS scenario where this could be used? 14 Implementing Network Security Devices: Firewalls Use universal exclusion as a default policy (Deny All) Grant permissions on a case-by-case basis. ”Permit” rules should be IP and TCP/UDP port-specific. Prevent direct traffic from Process control to enterprise network. All traffic should terminate in the DMZ 15 IDS/IPS Configuration Guidelines Start with a large signature set and many active rules. If a protocol is not allowed in the zone, do not define specific detection signature for it, define general rule to block all of its traffic. Ensure every allowed protocol has all of its signatures enabled. Keep all signatures up to date. Identify the appropriate action for each signature (tricky!) Block industrial protocol packets that do not follow the specification. Alert industrial network port scans, function codes such as “Write” or “Alarm” messages. 16 Anomaly-Based Intrusion Detection Builds a profile (model) for normal network traffic – Communicating nodes – Packets/unit time, at which days/times. – Protocols and function codes used. In general, suffers from false positives. More reliable in industrial networks because of the predictable traffic. Machine learning is primarily used to build a model for normal behavior. ML simplifies the modeling task: – Deep learning automatically extracts important features. – Complex protocol patterns can be learned with sufficient network data. Can detect zero-day exploits. 17 Application and Protocol Monitoring Industrial protocols such as Modbus and DNP3 can be monitored and controlled using IDS/IPS. Applications such as HMI and Web interfaces can also be inspected (session inspection). Specialised industrial devices are being introduced to the market to monitor ICS protocols/applications. 18 Host Security Controls Host Security Not all attacks come from the network End devices themselves are susceptible to attacks. How can an end device get infected? – Network (wired, wireless) – Ports (USB, infrared, serial communication,…) – Look for any interface to the external world. – Software updates (OS, firmware, applications) 20 Host Security Controls Who is allowed to use the device How a device communicates on the network What files are accessible by the device What applications may be executed on the device. 21 Host Security Controls You should aim to deploy all host security controls (access control, Host IDS,….) on all end devices. This is not always possible. Some devices have limited processing power or proprietary (you will need to rely on vendor solutions). 22 Host Firewall Initial filter between the host and any attached network. Allows/denies inbound/outbound traffic based on specific configuration (rules). Can monitor the traffic only sent directly to the device or broadcast traffic. Not only protecting the host from inbound attacks, but also protects the rest of the network from outbound attacks if the host got infected. Can block lateral attacker movements. 23 Host IDS Monitors host system settings, configuration files, and applications. Can perform network packet inspection to protect the host from malicious inbound traffic. Generates alerts for policy violations. If it can actively block violating traffic/behavior, it is commonly referred to as Host IPS (HIPS). The boundary is getting blurred between Firewall, IDS, IPS, as software capabilities are evolving, and functionalities overlap. 24 Anti-virus Inspect files for malware using signature-based detection. When signature matches, the suspect file is quarantined, and an event is generated (alarm/log). Requires frequent signature update. Slows down the host (have you experienced this before?) 25 Application allowlisting Blocklist solution compares the monitored object to a list of “bad” objects. Requires frequent updates. Allowlist creates a list of what is known to be “good” [if not in the list, block it]. Allowlist applies to applications and files, so it can stop malwares from executing. Does not slow down the host compared to antivirus software. Ideal solution for legacy hosts that cannot use antivirus software. However, it does introduce delay to the execution of legitimate applications, may be unacceptable in some control loops. Cannot protect against authorised applications that got compromised 26 External Controls It is not always possible to deploy Firewalls, IDS, IPS,…on end devices (e.g., embedded devices, PLCs). External tools can be deployed and connected to end devices for monitoring/logging/control. Most external tools are used to holistically monitor the whole zone, not tied to a specific device. 27 Vulnerability Containment What if you cannot deploy security mechanisms to devices? One solution is to create a security zone and contain all devices that cannot be patched. Control the security conduit. 28 System Availability and Patching System availability requirements prevent frequent patching. It is a common design pattern in industry to have redundant systems (redundant PLCs, network equipment, …etc.) to achieve the required availability level. Why is it still difficult to patch redundant systems? Plant management needs to choose between operating the plan in a non-redundant configuration (hence higher risk of failure) vs patching against an unknown (and possibly non- existent) threat! One possible solution is to test the patches offline (testbed or in a virtual environment). 29 References Knapp, Eric D. Industrial Network Security: Securing critical infrastructure networks for smart grid, SCADA, and other Industrial Control Systems. Elsevier, 2024. [Chapter-10]. 30 31 Thanks for your attention
