1 / 48

FIREWALL DEPLOYMENT FOR SCADA/PCN

FIREWALL DEPLOYMENT FOR SCADA/PCN. How closed need your network needs to be? How open can you afford your network to be? Where from the vulnerability is coming? How to mitigate the vulnerability? How to detect that anyone un-authorized is trying to jeopardize the network services?

timon-velasquez
Download Presentation

FIREWALL DEPLOYMENT FOR SCADA/PCN

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. FIREWALL DEPLOYMENT FOR SCADA/PCN

  2. How closed need your network needs to be? • How open can you afford your network to be? • Where from the vulnerability is coming? • How to mitigate the vulnerability? • How to detect that anyone un-authorized is trying to jeopardize the network services? • How the Business Continuity can be maintained in the long run with the steps taken? • How to envisage future requirements? Network Security

  3. Types of Attacks 1. Denial of Service 2. Unauthorized Access: Attempt to access command shell 3. Illicit command execution: • Hacking Administrator’s password • Changing IP Address • Putting a Start-up Script 4. Confidentiality Breach 5. Destructive Attacks • Data Diddling • Data destruction

  4. Balancing act between: • Keeping equipment and processes protected. • Allowing them to touch larger computing realms via Ethernet protocols and the internet to gain new connections and capabilities. Solution: • Multiple Zone Network with Subzone. Network Security

  5. Generic IT security goals versus ICS security goals

  6. Assessment process flow chart

  7. OSI Model – 7 Layers

  8. Network Security Tools • Intelligent Network Switches and Routers • Firewalls • Hardware and Software Devices for managing network connections • User Authentication • Encrypting Data • DMZ Network Security

  9. Firewall Firewall is a mechanism used to control and monitor traffic to and from a network for the purpose of protecting devices on a network. • Compares traffic passing through it to a pre-defined security criteria • Can be a hardware device (CISCO PIX or Semantic Security Gateway) • Can be a hardware/Software unit with OS based firewall capabilities (“iptables” running on a Linux Server) • Host based software solution installed on the workstation directly (Norton Personal Firewall or Sygate Personal Firewall) FIREWALL

  10. Internet facing firewall protecting PC & PLC

  11. Network Traffic Network traffic is sent in discrete group of bits, called a packet which includes • Sender’s Identity (Source Address) • Recipient’s Identity (Destination Address) • Service to which the packet pertains (Port Number) • Network Operation and Status Flags • Actual payload of data to be delivered to service A firewall analyzes these characteristics and decides what to do with the packet based on a series of rules, known as Access Control Lists (ACL). Content of Network Traffic

  12. Host Based Firewalls • Available on Windows or Unix based platforms • Primary function is Workstation or Server Tasks like Database Access or Web Services • Can do little to regulate traffic destined for Embedded Control Devices Classes of Firewall

  13. Packet Filter Firewall • Simplest class of Firewall following a set of static rules • Only the IP Addresses and the port number of the packet is examined • No intelligence to identify spoofed (Forged source IP Address) packages Classes of Firewall

  14. Packet Filter Firewall

  15. Application Proxy Firewalls • Open Packets at Application Layer • Process them based on specific application rules • Reassemble and forward to target devices • No direct connection to external server • Possible to configure internal clients to redirect traffic without the knowledge of the sender • Possible to apply access control lists against the application protocol Classes of Firewall

  16. Acting as Intrusion Detection System; Logging denied packets, Recognizing network packages specifically designed to cause problems, Reporting unusual traffic patterns • Blocking infected traffic by deploying Front-line Anti-Virus Software on firewall • Authentication services through passwords or Public Key Encryption • Virtual Private Network (VPN) gateway services by setting up an encrypted tunnel between firewall and remote Host devices • Network Address Translation (NAT) where a set of IP addresses used on one side of a firewall are mapped to a different set on the other side. Other Firewall Services

  17. No direct connection from the Internet to the PCN/SCADA Network and vice versa • Restricted access from the enterprise network to the control network • Unrestricted (but only authorized) access from the enterprise network to shared PCN/Enterprise servers • Secured methods for authorized remote support of control system • Secure connectivity for wireless devices • Well defined rules outlining the type of traffic permitted • Monitoring the traffic attempting to enter PCN • Secure connectivity for management of firewall Overall Security Goals of PCN/SCADA Firewalls

  18. Security: The likely effectiveness of the architecture to prevent possible attacks. Manageability: Ability of the architecture to be easily managed (both locally as well as from remote). Scalability: Ability of the architecture to be effectively deployed in both large and small systems or in large numbers. Firewall Selection Criteria

  19. Dual-Homed Computers Common SCADA/PCN Segregation Architecture

  20. Dual Homed Server with Personal Firewall Software Common SCADA/PCN Segregation Architecture

  21. Packet Filtering Router/Layer-3 Switch between PCN & EN Common SCADA/PCN Segregation Architecture

  22. Two Port Firewall between PCN & EN Common SCADA/PCN Segregation Architecture

  23. Router/Firewall combination between PCN & EN Common SCADA/PCN Segregation Architecture

  24. DMZ is a critical part of a firewall. • Neither part of un-trusted Network, nor part of trusted network • Puts additional layer of security to DDCMIS LAN • Physical or Logical sub-network that provides services to users outside LAN DMZ

  25. Firewall with DMZ between PCN & EN Common SCADA/PCN Segregation Architecture

  26. Paired Firewalls with DMZ between PCN & EN Common SCADA/PCN Segregation Architecture

  27. Firewall with DMZ and SCADA/PCN VLAN Common SCADA/PCN Segregation Architecture

  28. Comparison Chart for PCN/SCADA segregation Architecture

  29. DDCMIS NETWORK SECURITY MEASURES TAKEN AT NTPC/TALCHER-KANIHA

  30. PI Server PI Client Port 5450 10.0.120.202 Office Network (NTPC LAN) Firewall-3 Firewall-2 Firewall-1 ABT OPC Server (Redundant) + PI OPC Interface Gateway PC Honeywell WAN Server OPC Server Main OPC Server Standby ABT Network L-3 Switch L-3 Switch Unit 3 Honeywell Experion System Unit 2 DDCMS Unit 1 DDCMS Unit 6 Honeywell Experion System Network Topology Stage II Plant Network

  31. HEADS OF PLC COOLING - O&M TOWER-1 - OPER -C&I SHIFT M/C - BOILER/TURBINE M/C ENGR etc -C&I M/C ENGR CHP-1 CHP-2 DM PLANT PT PLANT COOLING PC PLC PLCPLCPLCTOWER2 HEAD PLC OF PROJ PT PLANT SWITCH SERVICE BLDG SWITCH Ash handling fire proof AC CPU PLC PLCPLCPLC PC1 … .. P C n SERVER PR SWITCH SWAS C&I shift PC Incharge PC IT LAN FIREWALL BPOS system U#3,4,5 &6 ESP PCs # 3,4,5,6 GATEWAY PC MOR PC STATION LAN SWITCH STN LAN SERVER OWS in PR & CER UNIT-3 UNIT-4 UNIT-5 UNIT-6 OWS / LVS in CCR OWS in PR & CER Unit 1 Unit 2 UNIT HMI LAN U#3 SWITCH UNIT HMI SERVERS Station LAN of Talcher-II before PI connectivity Typical CONTROL SYSTEM

  32. HEADS OF PLC COOLING - O&M TOWER-1 - OPER -C&I SHIFT M/C - BOILER/TURBINE M/C ENGR etc -C&I M/C ENGR CHP-1 CHP-2 DM PLANT PT PLANT COOLING PC PLC PLCPLCPLCTOWER2 HEAD PLC OF PROJ PT PLANT SWITCH SERVICE BLDG SWITCH Ash handling fire proof AC CPU PLC PLCPLCPLC PI-SERVER PC1 … .. P C n PR SWITCH IT LAN FIREWALL SWAS C&I shift PC Incharge PC PI-Interface GATEWAY PC BPOS system U#3,4,5 &6 ESP PCs # 3,4,5,6 DMZ MOR PC STATION LAN SWITCH STN LAN SERVER OWS in PR & CER OWS / LVS in CCR OWS in PR & CER UNIT-4 UNIT-5 UNIT-6 UNIT-3 Unit 1 Unit 2 UNIT HMI LAN U#3 SWITCH Station LAN of Talcher-II after PI connectivity UNIT HMI SERVERS Typical CONTROL SYSTEM

  33. PI-Server NTPC Office LAN PI-Interface - - - PI system connectivity at Talcher-II

  34. Steps: • Review the existing LAN of NTPC/TalcherKaniha • Perform a Bandwidth Assessment Test • Perform a Vulnerability Test • Conduct a Penetration Test • Conduct a Security Audit • Conduct a CCTV Demo between TalcherKaniha & EOC-NOIDA • Recommendation and Suggested Up-Gradation Network Testing Methodology

  35. Finding Vulnerability on the Operating System • Vulnerability of Servers Tools: NMAP: To Map Open Ports NESSUS: To find the application running on Target Servers. MBSA: To find the missing patches on the operating system and applications Port Scanning and Network Mapping Used Traceroute, Hping2, Xprobe2 and Nmap tools. Fingerprinting and Vulnerability Mapping Server Operating system (Gateway PC) Fingerprinting • Security Patch Review using Microsoft Baseline Security Analyzer (MBSA) Vulnerability Test on Servers

  36. Bandwidth Testing: • To find out used Bandwidth of the Network • Identifying potential bottlenecks Tool Used: PRTG Methodology: Port Mirroring: All Tx/Rx Traffics of WAN Server, MOR Server and Gateway PC are mirrored into the Grapher LAN Capacity Testing

  37. Testing of Network and Components for security weaknesses. Flowchart: NMAP Nessus Ethereal Hping2/ Firewalk Password Cracking Tool/Web Server Scanner/OS Fingerprinting/SNMP Tests Penetration Test

  38. Ethereal: Sniffs Network Traffic to find clear-text username and passwords • Hping2: Command line oriented TCP/IP Packet assembler/analyzer. Used for Firewall Testing/Advanced Port Scanning, Remote OS Fingerprinting • Firewalk: Used to enumerate the rules of the firewall and ACLs • Cain & Abel,Johnthe ripper, L0phtcrack: Password auditing tool • Brutus: Password Cracker Penetration Tools

  39. Network Security To Do List: • Turn ON Virus Protection software and be vigilant about installing patches • Use Complex Passwords that includes numbers and mixed characters • Install Firewall. Monitor them to check who is accessing them and what software they are using. • Turn off unnecessary ports and devices • Turn down and lock down PCs as much as possible • Train staff to follow security policies. Network Security

  40. Chairman(HOD-C&I) Information Security Manager Information Security Coordinator System Administrator Network Administrator Database Administrator Information Security Team Structure

  41. Thank You

More Related