ICS VILLAGE - How can industrial IioT be protected from the great unwashed masses of IoT devices

Video in TIB AV-Portal: ICS VILLAGE - How can industrial IioT be protected from the great unwashed masses of IoT devices

Formal Metadata

CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
So there's a lot of places that IoT, the Internet of Things, could be, and then there's the Industrial Internet of Things, right, IIoT. So those kinds of things are more industrial looking, so they could be smart valves. Normally, in the old days, you'd buy a valve that just opened and closed some pipes, and it would talk electrically to the PLC, but not smart. Now they're smart: you might have smart meters, smart valves. So those are industrial Internet of Things that come with vulnerabilities built in that the end user may not even want. They buy a valve, they don't necessarily need Wi-Fi on the valve, but it might come with Wi-Fi. So IIoT is in there as well, down in that mix. So I want to talk about that area here, and how a lot of those things are inherently insecure by design. So you know, you're never gonna hear our vendors say "hey, we're insecure by design, trademark."

So we all know what's been happening with OT in the past, from the early past or the long-ago past in our world: 2010 with Stuxnet, or Ukraine, or lately, you know, with the Russians hacking into the electrical system. So have we been improving since all those times? Have we improved since 2010? I think in OT, in a traditional OT sense, yes, but you know, there's a legend that before Putin there was Boris Yeltsin, and the legend is that when Boris Yeltsin was asked how the economy was doing in Russia, he said, "In a word, good." Then he said, "In two words, not good." And that's basically where we are now: we are good, but there's a lot of areas where we can improve, and one area where we can really improve is the IoT or IIoT area. That's just the Wild West, and as I said in the title, you know, the great unwashed masses of those devices can really affect the rest of the OT. So it's a mixed bag of how we're doing. And where are we going with this? Like, what's helping us to move forward?

Well, there's a lot of standards out there; there's a standard for everybody. Some OT installations, some plants, use IT standards like ISO 27001, and that might be all they use. Some plants might say, "oh no, we want to really look at ISA 62443," which is the ICS standard. But as we all know, except for NERC CIP in the electrical industry, there's no regulation. You don't have to do anything except in that area, but in all these other areas there's no regulation, there's no incentive. So what are you gonna do now? Well, one of the things that did come out a couple years ago, we all know about this, is the NIST framework. It's almost like the standard that shall rule them all, kind of thing. It encompasses everything. So what does that do for us? Well, it protects us from all these vulnerabilities they're coming after us with. So we've got a lot of attacks, different ways to attack, different attack vectors; the NIST framework helps us protect the OT space.

And on the right side there we have a typical OT space. How many people are familiar with the Purdue model? A few, if I say that word, okay, all right. So it's just a model of OT, it's a model of industrial control systems, and on the right side is effectively a diagram of that model. And what it shows is that at every level you could have these industrial Internet of Things, you could have regular Internet of Things, at any of those levels. The lower level represents the I/O, where you could have smart cyber devices at the I/O level. More and more you see that even though they're below the PLC, they actually can do processing themselves in some way, some of it limited, but some of it's very vulnerable, right. And then you have the next level up as the PLC itself, which of course we know is, again, insecure by design sometimes. And then higher than that is the HMIs, which are usually just Windows machines, which of course are unsecured in that way. And then higher than that is the enterprise, where you could have other types of vulnerabilities, and at any level there can be. So we need the NIST framework to help, or we can use the NIST framework. What we like to do, though, is to say that that's not enough; we really want to look at a foundation that supports that framework.

So that foundation is what we provide, and one of the things we do is we have these special tools. We can support the NIST framework and anything you need, so every one of those levels, you know: identify, protect, detect, okay. All of those things have cyber and physical components to them. So for example, for detect, you know, a cyber advanced threat detection would be needed, but for physical you might have some special scanning processes with cameras. And with protect, for cyber, you want to protect some OT communication between OT devices, and for physical you might have some physical access control. So what we're doing today is I want to talk about one little area, and that is under protect, in cyber: we want to introduce a way to protect that communication in that area, okay. So what that does is, we want to say okay, you might need the whole thing, it's a holistic idea, right, we want to do everything, but we want to talk about today just one area of that everything: how do we protect that infrastructure? Well, there's many reasons why we need to, you know: there's insecure ways of accessing it, there's lots of vulnerabilities in IoT and IIoT devices, there's instability with regards to communication, so you could brick something by sending certain packets to these devices, there's backdoors to these devices, there's buffer overflows. There's lots of different, you know, vulnerabilities from 10 years ago that are now creeping back in because people are using IoT and IIoT. So
well, the problem is that we have all these devices out there. Smart meters would be a typical thing, cameras would be another typical thing, and there's other things as well that are more like IIoT devices that support the bigger OT. And so we want to show now how do we protect these devices against the attacks that will occur. So we could use VLANs, there's lots of different ways you could do it. You could use VLANs, but you know, they're not that secure, especially how they're implemented. You can use VPN in general, the classic VPN, but we want to show a different way of doing it, with enclaves and with ways to protect different devices using a secure tunnel. So Ben is going to explain a little bit more about how that goes in a deeper sense.

Okay, so what we're looking at here is, on the left, a typical IT/OT mix on a network. We're doing a high-level discovery and topology of all devices under one scan. In the center, what we're doing is identifying the OT devices and pulling those into a secure enclave and removing them from the attack surface of the IT infrastructure. So those are being pulled out and separated from IT, so we're in a secure tunnel with our OT devices: OT can't see IT, IT can't see OT. And this boils down to essentially a closed network operation, where we have our OT devices on a secure tunnel that are separated from the rest of the IT devices and therefore out of the IT domain.

So how could you do this now? How is it typically done in the current environment? Well, a VPN is unfortunately probably the best example, or a similar concept, but there are some fundamental differences with the Domain Six Protect. But with the VPN, I think a good example is a Cisco VPN with IPsec. We're going to need at least two Cisco routers, accompanying devices, licenses, power supplies, those types of things, the infrastructure to support it. So power, make sure we have the air-conditioning requirements in the datacenter, configuration utilities, any types of higher-level management infrastructure we need for those, and most importantly an experienced and certified network engineer to design and configure these with security in mind, so we have a very secure VPN that's creating a tunnel between these devices.

Unfortunately, the biggest problem is with misconfiguration, or you are putting the time to deployment and the simplicity of the design ahead of the security requirements, and maybe they don't have the background to understand that these are important, or aren't worried about those attack surfaces, or it could just be they're being pushed to get this out. And then they have end users who are using Windows machines or other operating systems with VPN clients to communicate with these devices, so that increases our attack surface, because we have misconfigurations but we also have software and other pieces that we have to build into this in order to be able to communicate on this VPN. And some of the other common vulnerabilities and exploits: a good one, from January 2018, I have to read this because it's long, but it's a Cisco Adaptive Security Appliance Remote Code Execution and Denial of Service Vulnerability. That was a mouthful, but that was an exploit in the way XML was parsed, which allowed an unauthenticated attacker to gain access to the network and possibly to the VPN itself and take the network down. So it's just a good example of the common vulnerabilities and some of the reasons why VPNs aren't the best solution, even though they can technically be secure. So
with Domain Six Protect gateways, essentially what they are is a small network appliance that goes in between the OT device to be protected and the rest of the network that you want to connect to. So these come in several different flavors, from a small embedded computer to a small bump-in-the-wire device. So between a camera and the bump in the wire to the Internet, to connect back to a remote site where you have a monitoring system set up, so you have multiple cameras at different locations with a gateway that connects them. As far as the device is concerned, it's on a flat network; that's all it sees.

So in this diagram, this is our camera demo, which is kind of a very simple, boiled-down explanation of how this is configured, to give an idea. And we have essentially two cameras and a monitoring station on this network. What you see inside of the yellow box is going to be seen as a flat network across those devices, and the nmap scan to the left is from the workstation on that. But they're communicating through the gateway zero and gateway one that you see above them, and then to whatever local network they're on, whatever router, whatever existing IT infrastructure they're on. But they're in an encrypted tunnel at that point, and they're communicating with their embedded hardware keys, through embedded TPM modules, which is a private key, to a remote server for authentication and establishment of that tunnel. And the great thing about this, really the key piece, is these are very simple. We're not trying to manage an enterprise-level VPN, we're not trying to get all of the policies and procedures that have to be in place for your particular VPN. These are encrypted tunnels; that's what they do, that's all they do, so it's done once and it's done well and it's done secure across the platform. And they're simple devices; it's essentially a plug-and-play, very small appliance. Plug it in and it's done, which eliminates a lot of the overhead in equipment and configuration of utilities.

And this is our ICS Village CTF, so we do have a camera in the capture-the-flag area. So the flag is the MAC address of that camera, and you can see the IP right there, and the goal is then to capture that MAC address in the capture-the-flag area. We also have a laptop set up which is monitoring the live attacks on the outside of that gateway, and we have monitoring on the inside of the gateway as well, so we can see on both sides of it with our remote ELK stack and in viewing of the software.
You want to...? Okay, that's a quick overview of the details, but we're gonna go into questions and answers. But basically we just covered that one area of the NIST framework, and we want to say why it might be a good idea to look at that kind of an option, that kind of a hybrid VPN you might say, or something else than that. But any questions?

[Inaudible question.] No, this would be... you're creating a flat... I'm sorry, I was supposed to repeat the question: is there any inherent security built in for wireless devices? Correct. So no, there is not. So these are for Ethernet hardwired devices. You're essentially creating a magic Ethernet cable, is one way to look at it. So between the end device that you're connecting to and whatever remote site it is, it's this infinitely long network cable. So there is no inherent, you know, Internet connectivity to that, there is no inherent other infrastructure on top of that, or support for wireless devices. It is just connecting those two together, and any wireless or any other connectivity would be on top of your [inaudible]. So if you had a wireless access point, say, so you have your wireless devices on this WLAN and your wireless access point, and you need to connect back to a remote server, then you would have that wireless access point connected to the enclave gateway, and that enclave gateway out. But you're also exposing, through the wireless, those devices to that gateway on the inside. Yes. Oh sorry, oh no, I'm sorry.

So the question was what are the security measures, as opposed to IPsec over VPN? So it actually is not IPsec over VPN; that was an explanation, just a similar concept. So the... oh I'm sorry, oh okay, yes. So these create an encrypted tunnel through the... they have a remote server that has a shared hardware key, so there's a TPM module on the device, a crypto key that is connecting to a remote server for identification. So there's an encrypted tunnel that's established between the two, and then the data inside of that tunnel is encrypted with a layer 2/3 overlay... oh I'm sorry, okay, I may have to ask Christina Phillips here, who is an engineer that has worked on this, for a little more help on that.

Okay, so since you asked about the encryption: sorry, I'm Christina Phillips, I work with the Parsons guys. These devices use strong encryption; currently we've been doing it with 2048-bit. The actual devices were developed as a repackage of an IC hardware that's been around for 20 years that's never been hacked. So the thing is, the key exchange is done by the secure bridge environment, which can be on-prem or off-prem, and the encryption is actually put onto a USB iKey. It's not a hard drive, it's just a USB iKey, and that has all the instructions for the secure tunnel, and then there's a complete key rotation using PFS. But at layer 2: the initial tunnel is created at layer 3, you know, for the negotiation, and then it drops down to layer 2, so we're doing MAC-to-MAC encryption. So whatever IP traffic you throw out on that encrypted tunnel is protected. I know that sounds kind of odd, but that's what we do.

So, okay, the question was about pursuing third-party certification. This hardware is FIPS 140-2 compliant. The original spec developed 20 years ago was actually FIPS 140-2 certified, but it has not been recertified since, due to cost issues and a lot of changes in the certification process. So as I said, there is a complete key exchange, and you don't have to put an SSL cert on to do this, because we don't use SSL, we don't use TLS, but there is actual encryption when we create the secure policies that get pushed down. So if I had the hardware set up, I could create tunnels for HVAC in one, door controls in another, and cameras in a third, segregate them all and pass the traffic, and nobody would see anything but encrypted traffic on the outside network. Hopefully that helps you with your question. I'm sorry, with your question, I can't explain all of the pieces because I'm not an encryption expert in terms of designing the algorithm for this, but it does work; it hasn't been hacked in 20 plus years that I know of.

Yes, sorry, it will scale to that. It will scale to that: if you have a hundred devices, we can scale to that. The solution is scalable, it's cross-platform, it doesn't care, we can support legacy devices as well as IP devices. So that's the point, isn't it? The point is that the technology is flexible and that we can actually provide an alternative to what are considered traditional ways of providing security: again, VLANs, or putting in a firewall and segregating. Okay, I've got all my IoT in one environment, I've got my Siemens PLCs, I've got my APOGEE hardware and software systems and all of that, and that's all VLANed out, and there's a firewall that segregates everything from my IT environment, and then there's all of that. So we don't have to do that. In talking to Ben, I call it the wormhole; it's how you get from the Alpha Quadrant to the Gamma Quadrant. That's really how it works, and then you just split that out and it's done, and it's transparent, it's easy to deploy, and it actually provides, in our opinion, a stronger solution to what is a very traditional problem, and how that has been resolved by methods that really are not strong enough to support where the technology needs to be. Sorry, any other questions? Okay, I guess it's back to you then.

All right, well, thank you. All right, thanks. That shows that we need to protect that IIoT from the OT; we see that it's flexible, scalable, and it's an efficient use of human resources versus a traditional VPN, with faster configuration, and hardware agnostic, so we can put anybody on there. Okay, thanks. We can show this in the ICS Village right over there, so if you want to see that actually in action, it's over there.
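The isolation property Ben describes in the talk ("OT can't see IT, IT can't see OT") is something a defender can verify from the two vantage points the speakers already monitor, the workstation inside the enclave and the laptop on the IT side, rather than take on trust. The script below is an added example written for this page; it is not code from the talk, from Parsons, or from the Domain Six Protect product. It parses nmap grepable (-oG) output captured on each side, compares the visible hosts against the list of devices the gateways are supposed to pull into the enclave, and reports anything that breaks the expected separation. All addresses, ports and scan lines are constructed for the example.

```python
"""Verify enclave isolation from two nmap grepable (-oG) captures.

Added example for the talk above: checks the "OT can't see IT, IT can't
see OT" property from two vantage points. All scan text and addresses
below are constructed sample data, not a real capture.
"""
import re
from typing import Dict, List, Set, Tuple

# nmap -oG emits two kinds of Host lines per host:
#   Host: 10.0.0.10 ()<TAB>Status: Up
#   Host: 10.0.0.10 ()<TAB>Ports: 554/open/tcp//rtsp///<TAB>Ignored State: closed (999)
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\([^)]*\)\s+(Status|Ports):\s+(.*)$")

PortInfo = Tuple[int, str, str]  # (port, protocol, service name)


def parse_grepable(text: str) -> Dict[str, Set[PortInfo]]:
    """Return {ip: {open ports}} for every host nmap reported as Up.

    Hosts that answered but exposed no open port map to an empty set.
    Comment lines ('# Nmap ...') and unrelated lines are ignored.
    """
    hosts: Dict[str, Set[PortInfo]] = {}
    for line in text.splitlines():
        m = HOST_RE.match(line.strip())
        if not m:
            continue
        ip, kind, rest = m.groups()
        if kind == "Status":
            if rest.strip().startswith("Up"):
                hosts.setdefault(ip, set())
            continue
        # Drop the trailing "Ignored State: ..." summary, then split entries.
        rest = re.split(r"\s+Ignored State:", rest)[0]
        for entry in rest.split(","):
            fields = entry.strip().split("/")
            if len(fields) < 5:
                continue  # malformed entry: skip it rather than crash
            port, state, proto, _owner, service = fields[:5]
            if state == "open":
                hosts.setdefault(ip, set()).add((int(port), proto, service))
    return hosts


def check_enclave_isolation(enclave: Set[str], inside_scan: str,
                            outside_scan: str) -> List[str]:
    """Compare both scans against the intended enclave membership.

    enclave: addresses the gateways are supposed to carry inside the tunnel.
    Returns human-readable violations; an empty list means both views are
    consistent with a closed enclave.
    """
    findings: List[str] = []
    inside = parse_grepable(inside_scan)
    outside = parse_grepable(outside_scan)
    # From the OT side only enclave members should answer at all.
    for ip in sorted(set(inside) - enclave):
        findings.append(f"inside: non-enclave host {ip} reachable from OT side")
    # Every member should be reachable from inside, or the tunnel is not up.
    for ip in sorted(enclave - set(inside)):
        findings.append(f"inside: enclave member {ip} not reachable "
                        "(tunnel down or misconfigured)")
    # From the IT side no enclave member should be visible, with or without ports.
    for ip in sorted(enclave & set(outside)):
        ports = ", ".join(f"{p}/{proto} {svc}" for p, proto, svc in sorted(outside[ip]))
        findings.append(f"outside: enclave member {ip} visible from IT side "
                        f"({ports or 'host up, no open ports'})")
    return findings


# Constructed sample: two cameras and a monitoring station behind the gateways.
ENCLAVE = {"10.0.0.10", "10.0.0.11", "10.0.0.20"}

# Constructed sample of `nmap -oG -` run from the OT workstation (inside view).
INSIDE_SCAN = """\
# Nmap scan initiated (constructed sample, OT workstation view)
Host: 10.0.0.10 ()\tStatus: Up
Host: 10.0.0.10 ()\tPorts: 554/open/tcp//rtsp///\tIgnored State: closed (999)
Host: 10.0.0.11 ()\tStatus: Up
Host: 10.0.0.11 ()\tPorts: 80/open/tcp//http///, 554/open/tcp//rtsp///\tIgnored State: closed (998)
Host: 10.0.0.20 ()\tStatus: Up
Host: 10.0.0.20 ()\tPorts: 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (999)
# Nmap done (constructed sample)
"""

# Constructed sample from the IT-side laptop. 192.168.1.2/.3 are the gateways'
# outer interfaces (up, no services). 10.0.0.11 appearing here is the
# violation: a camera cabled to the IT switch instead of behind its gateway.
OUTSIDE_SCAN = """\
# Nmap scan initiated (constructed sample, IT laptop view)
Host: 192.168.1.1 ()\tStatus: Up
Host: 192.168.1.1 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\tIgnored State: closed (998)
Host: 192.168.1.2 ()\tStatus: Up
Host: 192.168.1.3 ()\tStatus: Up
Host: 192.168.1.77 ()\tStatus: Up
Host: 192.168.1.77 ()\tPorts: 9100/open/tcp//jetdirect///\tIgnored State: closed (999)
Host: 10.0.0.11 ()\tStatus: Up
Host: 10.0.0.11 ()\tPorts: 80/open/tcp//http///, 554/open/tcp//rtsp///\tIgnored State: closed (998)
# Nmap done (constructed sample)
"""

if __name__ == "__main__":
    report = check_enclave_isolation(ENCLAVE, INSIDE_SCAN, OUTSIDE_SCAN)
    for line in report or ["no isolation violations found"]:
        print(line)
```

Run against the constructed captures, the inside view is clean (all three enclave devices answer and nothing else does) while the IT-side view flags camera 10.0.0.11 as reachable from IT, which is exactly the condition the gateways are meant to prevent. The same check can be rerun after every cabling or configuration change, and a "not reachable" finding distinguishes a downed tunnel from a leak.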