SlideShare a Scribd company logo

Open and Secure SCADA: Efficient and Economical Control, Without the Risk

Download as PPTX, PDF
Inductive Automation
Inductive Automation

Join Don Pearson and Travis Cox from Inductive Automation and Chris Harlow from Bedrock Automation as they discuss an end-to-end approach to SCADA/ICS security that encompasses software as well as hardware. You’ll learn about: What built-in security is and why it’s essential Security benefits of OPC UA and MQTT How to secure your PLC, RTU, or DCS Best practices such as role-based access and authentication Security risks that are often overlooked And more!

Related slideshows

Ignition Edge: Simplifying the Edge of the Network
Ignition Edge: Simplifying the Edge of the NetworkIgnition Edge: Simplifying the Edge of the Network
Ignition Edge: Simplifying the Edge of the Network
 
Design Like a Pro: SCADA Security Guidelines
Design Like a Pro: SCADA Security GuidelinesDesign Like a Pro: SCADA Security Guidelines
Design Like a Pro: SCADA Security Guidelines
 
The New Ignition v7.9 - See, Maintain, and Manage Your Enterprise With Ease
The New Ignition v7.9 - See, Maintain, and Manage Your Enterprise With EaseThe New Ignition v7.9 - See, Maintain, and Manage Your Enterprise With Ease
The New Ignition v7.9 - See, Maintain, and Manage Your Enterprise With Ease
 
1 of 42
Keyno te:
Moderator Don Pearson Chief Strategy Officer Inductive Automation
Today’s Agenda • Introduction to Inductive Automation & Bedrock Automation • Security Threats • A Security New Approach • SCADA Security • Public-Private Key Infrastructure • Review of ICS & SCADA Security Best Practices • Q&A
About Inductive Automation • Founded in 2003 • HMI, SCADA, MES, and IIoT software • Installations in 100 countries • Used by 48% of Fortune 100 companies • Over 1,700 integrators • Working with Bedrock Automation to create the most secure control systems possible Learn more at: inductiveautomation.com/about
Ignition: Industrial Application Platform One Universal Platform for SCADA, MES & IIoT: • Unlimited licensing model • Cross-platform compatibility • Based on IT-standard technologies • Scalable server-client architecture • Web-managed • Web-launched on desktop or mobile • Modular configurability • Rapid development and deployment
• Incorporated in October 2013 • A subsidiary of Maxim Integrated (Nasdaq: MXIM 1983) • Combined 200+ man-years of automation and semiconductor experience • To date, 107 global patents filed with over 40 granted • Working with Inductive Automation to create the most secure control systems possible Learn more at: bedrockautomation.com About Bedrock Automation
Presenters Chris Harlow Product and Customer Service Manager, Bedrock Automation Travis Cox Co-Director of Sales Engineering, Inductive Automation
Cyber Threats to ICS and SCADA • Stolen Credentials • Ransomware • Human Factors • Social Engineering • Root Kit Attacks • Session Hijacking • Counterfeiting • DDoS Sensors/Actuators Networks Controllers Client Management Computers
Attack Vectors • Database attacks • Escalated privilege exploits • Network components/ communications hijacking • ‘Man-in-the-middle’ attacks • Backdoors and holes in network perimeter (field devices) • Attacks that access thru pins Outcomes • Denial of Service (DoS): crash the SCADA server leading to shutdown condition • Delete SCADA server system files: system downtime and loss of operations • Plant a Trojan and take complete control of system • Log sensitive company operational data for criminal or competitive use Attack Vectors and Outcomes
What You Want in a “Secure” System
The Flaw in Typical SCADA Architectures
The Flaw in Typical SCADA Architectures
The Flaw in Typical SCADA Architectures
What if Security Could Be... Built In versus Bolted On
Then Security Would Be... Layered and Embedded
And The Result Is... Security that just happens! To the Hardware Root of Trust ✓ Authenticated Control, I/O, IIoT Edge ✓ Authenticated Firmware ✓ Authenticated Control Database ✓ Authenticated Applications ✓ Authenticated Workstations ✓ Authenticated Networks ✓ Role-Based Access Authenticated ✓ Biometric Authentication
SCADA Security - Device/PLC Connections
SCADA Security - Device/PLC Connections Secure Your Device/PLC Connections: • Native device communication options: - Keep on a separate, private OT network - Network segmentation - VLAN with encryption - Set up routing rules - Use an edge gateway as a bridge between device & network • OPC UA and MQTT communication offers built-in security, and communications can be encrypted over TLS
SCADA Security - Device/PLC Connections
SCADA Security - Rethink Your Idea of Security • Understand that no system is inherently secure or insecure • You cannot eliminate security risk but you can significantly mitigate it • Focus on preventing intrusion • Don’t only secure the ICS/SCADA platform itself – you also need to secure all of the connections from the SCADA to devices, databases, clients, etc.
SCADA Security - Physical Security Implement physical security measures: • Badges & badge readers • Physical media controls (laptops, phones, USB keys, etc.) • Video monitoring • Policies and training • Guards
SCADA Security - Operating System Protect your OS by: • Removing any unnecessary programs. • Keeping OS patches & service packs up-to-date. • Disabling remote services on Windows. • Setting up firewalls to restrict network traffic; close all ports and only reopen necessary ports. • Setting up firewalls on redundant servers. • Getting a VPN device with good multi-factor authentication if remote access is required.
SCADA Security - Databases
SCADA Security - Databases Protect the database connection with the SCADA software: • Use TLS encryption if your database supports it. • Create a separate user account with limited privileges, instead of using a database owner account such as root or sa.
SCADA Security - Encryption Use encryption to: • Protect all data sent over HTTP • Protect against snooping & session hijacking • Protect the SCADA gateway • Encrypt OPC UA communication • Help secure databases that support TLS/SSL • Secure native device communication by using with a VLAN
SCADA Security - Databases
SCADA Security - Server & Clients
SCADA Security - Authentication Use authentication for: • Username/password (No default passwords or sticky notes) • User- and role-based security (Principle of Least Privilege) • Biometrics (fingerprints, retina scans) • Public Key Infrastructure (PKI) • Key cards • USB tokens • Application security (role-based application settings/permissions) • Database connection encryption • OPC UA connections
SCADA Security - Roles Security roles: • Security is based on roles assigned to specific users • You can create structure or hierarchy for roles (not default) • Users can have access to many roles or none • Be sure to think about how different roles affect the security of the project
SCADA Security - Zones Security zones: • Lists of gateways, computers, or IP addresses that are defined and grouped together • Place additional policies and restrictions on defined zones • Provide read-only and read/write access to specified locations • Help keep different areas of the business separate while allowing them to interconnect
SCADA Security - Audits Auditing: • Record details about specific events • Track down who did what from where • Helpful in deterring attacks by SCADA insiders • Use audit logs, trails, profiles
SCADA Security - Secure Standard Architecture
SCADA Security - Secure Hub & Spoke Architecture
Public-Private Key Infrastructure
How to Manage Keys • A Cloud SaaS is deployed for managing and administering cyber keys and certificates • User security administrator tool to define role-based access control • Keys embedded in the controller, no need for persistent cloud connection
Securing ICS – Best Practices Use a secure CPU with a secure RTOS Use physically secure controllers Use encryption between ICS and SCADA Use a PKI for role based access Sign and Encrypt ICS application code Use mutual authentication between ICS and SCADA Use ICS hardware with built in Anomaly Detection Ask your vendors what they’re doing to secure their products
Securing SCADA – Best Practices Secure PLC and device connections Implement physical security measures Protect the operating system Use encryption Use authentication Protect the database connection Use role-based security Use security zones
Closing Discussion Question To wrap up the discussion, what are your thoughts about how Inductive Automation and Bedrock Automation can help industrial organizations improve their security, both now and in the future?
Open and Secure SCADA: Efficient and Economical Control, Without the Risk
Sept. 17-19, 2018 Today is the last day to buy early-bird tickets at: icc.inductiveautomation.com
Jim Meisler x227 Vannessa Garcia x231 Vivian Mudge x253 IA Account Executives Myron Hoertling x224 Shane Miller x218 Ramin Rofagha x251 Maria Chinappi x264 Kristin Azure x260 Lester Ares x214 800-266-7798 x247 Melanie Moniz IA Director of Sales: Guest Presenter: Chris Harlow Chris.Harlow@BedrockAutomation.com Visit: BedrockAutomation.com Call: 781.821.0280 Questions & Comments
Thank You

More Related Content

Open and Secure SCADA: Efficient and Economical Control, Without the Risk

  • 2. Moderator Don Pearson Chief Strategy Officer Inductive Automation
  • 3. Today’s Agenda • Introduction to Inductive Automation & Bedrock Automation • Security Threats • A Security New Approach • SCADA Security • Public-Private Key Infrastructure • Review of ICS & SCADA Security Best Practices • Q&A
  • 4. About Inductive Automation • Founded in 2003 • HMI, SCADA, MES, and IIoT software • Installations in 100 countries • Used by 48% of Fortune 100 companies • Over 1,700 integrators • Working with Bedrock Automation to create the most secure control systems possible Learn more at: inductiveautomation.com/about
  • 5. Ignition: Industrial Application Platform One Universal Platform for SCADA, MES & IIoT: • Unlimited licensing model • Cross-platform compatibility • Based on IT-standard technologies • Scalable server-client architecture • Web-managed • Web-launched on desktop or mobile • Modular configurability • Rapid development and deployment
  • 6. • Incorporated in October 2013 • A subsidiary of Maxim Integrated (Nasdaq: MXIM 1983) • Combined 200+ man-years of automation and semiconductor experience • To date, 107 global patents filed with over 40 granted • Working with Inductive Automation to create the most secure control systems possible Learn more at: bedrockautomation.com About Bedrock Automation
  • 7. Presenters Chris Harlow Product and Customer Service Manager, Bedrock Automation Travis Cox Co-Director of Sales Engineering, Inductive Automation
  • 8. Cyber Threats to ICS and SCADA • Stolen Credentials • Ransomware • Human Factors • Social Engineering • Root Kit Attacks • Session Hijacking • Counterfeiting • DDoS Sensors/Actuators Networks Controllers Client Management Computers
  • 9. Attack Vectors • Database attacks • Escalated privilege exploits • Network components/ communications hijacking • ‘Man-in-the-middle’ attacks • Backdoors and holes in network perimeter (field devices) • Attacks that access thru pins Outcomes • Denial of Service (DoS): crash the SCADA server leading to shutdown condition • Delete SCADA server system files: system downtime and loss of operations • Plant a Trojan and take complete control of system • Log sensitive company operational data for criminal or competitive use Attack Vectors and Outcomes
  • 10. What You Want in a “Secure” System
  • 11. The Flaw in Typical SCADA Architectures
  • 12. The Flaw in Typical SCADA Architectures
  • 13. The Flaw in Typical SCADA Architectures
  • 14. What if Security Could Be... Built In versus Bolted On
  • 15. Then Security Would Be... Layered and Embedded
  • 16. And The Result Is... Security that just happens! To the Hardware Root of Trust ✓ Authenticated Control, I/O, IIoT Edge ✓ Authenticated Firmware ✓ Authenticated Control Database ✓ Authenticated Applications ✓ Authenticated Workstations ✓ Authenticated Networks ✓ Role-Based Access Authenticated ✓ Biometric Authentication
  • 17. SCADA Security - Device/PLC Connections
  • 18. SCADA Security - Device/PLC Connections Secure Your Device/PLC Connections: • Native device communication options: - Keep on a separate, private OT network - Network segmentation - VLAN with encryption - Set up routing rules - Use an edge gateway as a bridge between device & network • OPC UA and MQTT communication offers built-in security, and communications can be encrypted over TLS
  • 19. SCADA Security - Device/PLC Connections
  • 20. SCADA Security - Rethink Your Idea of Security • Understand that no system is inherently secure or insecure • You cannot eliminate security risk but you can significantly mitigate it • Focus on preventing intrusion • Don’t only secure the ICS/SCADA platform itself – you also need to secure all of the connections from the SCADA to devices, databases, clients, etc.
  • 21. SCADA Security - Physical Security Implement physical security measures: • Badges & badge readers • Physical media controls (laptops, phones, USB keys, etc.) • Video monitoring • Policies and training • Guards
  • 22. SCADA Security - Operating System Protect your OS by: • Removing any unnecessary programs. • Keeping OS patches & service packs up-to-date. • Disabling remote services on Windows. • Setting up firewalls to restrict network traffic; close all ports and only reopen necessary ports. • Setting up firewalls on redundant servers. • Getting a VPN device with good multi-factor authentication if remote access is required.
  • 23. SCADA Security - Databases
  • 24. SCADA Security - Databases Protect the database connection with the SCADA software: • Use TLS encryption if your database supports it. • Create a separate user account with limited privileges, instead of using a database owner account such as root or sa.
  • 25. SCADA Security - Encryption Use encryption to: • Protect all data sent over HTTP • Protect against snooping & session hijacking • Protect the SCADA gateway • Encrypt OPC UA communication • Help secure databases that support TLS/SSL • Secure native device communication by using with a VLAN
  • 26. SCADA Security - Databases
  • 27. SCADA Security - Server & Clients
  • 28. SCADA Security - Authentication Use authentication for: • Username/password (No default passwords or sticky notes) • User- and role-based security (Principle of Least Privilege) • Biometrics (fingerprints, retina scans) • Public Key Infrastructure (PKI) • Key cards • USB tokens • Application security (role-based application settings/permissions) • Database connection encryption • OPC UA connections
  • 29. SCADA Security - Roles Security roles: • Security is based on roles assigned to specific users • You can create structure or hierarchy for roles (not default) • Users can have access to many roles or none • Be sure to think about how different roles affect the security of the project
  • 30. SCADA Security - Zones Security zones: • Lists of gateways, computers, or IP addresses that are defined and grouped together • Place additional policies and restrictions on defined zones • Provide read-only and read/write access to specified locations • Help keep different areas of the business separate while allowing them to interconnect
  • 31. SCADA Security - Audits Auditing: • Record details about specific events • Track down who did what from where • Helpful in deterring attacks by SCADA insiders • Use audit logs, trails, profiles
  • 32. SCADA Security - Secure Standard Architecture
  • 33. SCADA Security - Secure Hub & Spoke Architecture
  • 35. How to Manage Keys • A Cloud SaaS is deployed for managing and administering cyber keys and certificates • User security administrator tool to define role-based access control • Keys embedded in the controller, no need for persistent cloud connection
  • 36. Securing ICS – Best Practices Use a secure CPU with a secure RTOS Use physically secure controllers Use encryption between ICS and SCADA Use a PKI for role based access Sign and Encrypt ICS application code Use mutual authentication between ICS and SCADA Use ICS hardware with built in Anomaly Detection Ask your vendors what they’re doing to secure their products
  • 37. Securing SCADA – Best Practices Secure PLC and device connections Implement physical security measures Protect the operating system Use encryption Use authentication Protect the database connection Use role-based security Use security zones
  • 38. Closing Discussion Question To wrap up the discussion, what are your thoughts about how Inductive Automation and Bedrock Automation can help industrial organizations improve their security, both now and in the future?
  • 40. Sept. 17-19, 2018 Today is the last day to buy early-bird tickets at: icc.inductiveautomation.com
  • 41. Jim Meisler x227 Vannessa Garcia x231 Vivian Mudge x253 IA Account Executives Myron Hoertling x224 Shane Miller x218 Ramin Rofagha x251 Maria Chinappi x264 Kristin Azure x260 Lester Ares x214 800-266-7798 x247 Melanie Moniz IA Director of Sales: Guest Presenter: Chris Harlow Chris.Harlow@BedrockAutomation.com Visit: BedrockAutomation.com Call: 781.821.0280 Questions & Comments