November 14, 2019 By BlueAlly
Securing critical infrastructure environments requires a holistic view of the whole network, IT and OT alike: inventory the systems and processes in each zone, analyze the attack vectors and the associated risk, and then define the security controls that belong in each zone.
To structure this, we use the Purdue model, adopted by ISA-99 from the Purdue Enterprise Reference Architecture (PERA) and originally a concept model for Computer Integrated Manufacturing (CIM). [3] It is an industry-adopted reference model that shows the interconnections and interdependencies of the main components of a typical Industrial Control System, dividing the ICS architecture into 3 zones that are subdivided into 6 levels (0 to 5), with the industrial DMZ (commonly labelled level 3.5) sitting between the OT and IT zones.
Applying security to an ICS means walking through the Purdue levels one at a time and mapping each of them onto the corresponding part of the network. The sections below describe the communication flows between the levels and how each flow should be secured.
The drawing accompanying this article is a high-level representation of a typical IT/OT environment. The link between level 2 and level 3, however, varies with the type of organization:
- Manufacturing plant (typically a single site that combines OT and IT)
- Utilities and energy such as gas, water and electricity (typically distributed environments with many remote sites reporting back to a central facility). Bandwidth constraints on those remote links may affect the proposed architecture.
Levels 5 and 4: The Enterprise IT Network and Business Logistics Systems
Recommended Security Controls:
This is the IT network where the users reside and where the internet egress point is located, so the full Next Generation Threat Extraction (NGTX) feature set should be enabled on the perimeter gateway:
- Firewall
- IPS
- Antivirus
- Antibot
- SandBlast (sandboxing)
- Application Control
- URL Filtering
- SSL inspection
It is also recommended to install the full Endpoint suite on the users' machines.
Public cloud services must be secured as well: they are usually connected to corporate resources and are therefore another path into the enterprise network.
Network and endpoint security at this level stops many attacks before they ever reach the ICS equipment. The SmartCenter is the management station for all security gateways described in this blueprint.
Level 3.5: The Industrial DMZ
Recommended Security Controls:
Third parties remotely manage and monitor the OT equipment through the remote access gateway, so its availability matters: protect it with an anti-DDoS solution, preferably both on premises and cloud-based. In this blueprint a jump server sits in the industrial DMZ. Remote access (RAS) VPN sessions are terminated on the perimeter gateway in level 5, which scans the decrypted traffic for malware and permits only RDP towards the jump host. From the jump host, the technician connects to the operator workstations in level 2 for remote maintenance work.
This is far safer than allowing inbound layer-3 VPN connections from the internet straight into level 2, and it dramatically reduces the risk of the OT network being infected through unsafe RAS connections originating from third parties. The jump server itself sits behind the gateway, which allows only inbound RDP to it and has IPS, Anti-Bot and application control enabled. Because every third-party session funnels through it, the jump host becomes the most valuable pivot into OT: keep it patched and log its sessions.
Level 3: Manufacturing Operations Systems
Recommended Security Controls:
- Anomaly and Asset detection and visibility
- Anti bot
- IPS (typically used as a virtual patch to protect the monitoring stations of the operators)
- Sandboxing technologies to prevent zero-day attacks: SandBlast
- An application control security policy that only allows specific, authorized commands to be sent from the operator workstation to PLCs.
- Identity Awareness adds an extra layer to that policy by allowing only authenticated users (i.e. operators) to send specific commands to devices in level 2.
- Encryption of the control traffic between the operator stations in level 3 and the PLCs below using IPsec, to prevent eavesdropping and traffic replay attacks. Since most PLCs cannot terminate IPsec themselves, the tunnel is built between security gateways on either side of the link.
- Endpoint protection including Port Protection (control of USB and other removable-media ports)
Levels 2 and 1: Securing Communications Between Levels
Recommended Security Controls:
- Use gateways running IPS as a virtual patch in front of vulnerable systems where patching the systems themselves would require downtime.
- The communication between level 2 and level 3 can be encrypted using IPsec to protect against sniffing and replay attacks.
- A security gateway can be connected to a mirror (SPAN) port on a switch in this level, operating as a sensor that feeds asset discovery and anomaly detection data to the Asset and Anomaly Detection (AAD) engine.
- Where an inline security gateway in level 1 is acceptable, it can separate the local operator workstations and HMIs from the PLCs and RTUs and ensure that no unauthorized commands reach them. A gateway on a mirror port can detect such commands, but not prevent them.
- Endpoint security can be considered on machines with supported operating systems.
- Appropriate L2 security on switches: administratively shut down unused ports and restrict the ports in use to known MAC addresses.
- Consider an out-of-band network used solely for management traffic, signature updates and firmware updates of the equipment in this level. Only SCADA protocols should be seen in level 1.
- Do not allow remote technicians to connect directly to the level 1 network; use the jump host in the DMZ (level 3.5) instead. When unmanaged assets connect to this network, their security posture is unknown and therefore cannot be trusted.
Level 0: Physical Processes
Recommended Security Controls:
Use point-to-point connections between the intelligent devices in level 1 and the field devices in level 0. This also holds when the communication between level 1 and level 0 runs over IP rather than a dedicated connection: still prefer point-to-point links.
Where point-to-point links are not possible and Ethernet switches are used in level 0, enforce the appropriate L2 security: administratively shut down all unused switch ports, require MAC authentication on the ports in use, and consider additional security gateways between level 1 and level 0. A trusted-baseline policy on the application control blade can then warn an administrator when a command that was never seen during normal operation is sent to a field device.
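The command-level application control policy recommended for level 3, the inline-versus-mirror-port distinction in the level 1 controls, and the trusted-baseline warning above all rely on the same mechanism: parse the industrial protocol, decide per source which commands are authorized, and either drop or merely report whatever falls outside that. The Python below is an added illustration written for this page, not Check Point policy syntax or code. It uses Modbus/TCP function codes as the "command"; the hosts (operator workstation 10.2.0.10, HMI 10.2.0.20, PLC 10.1.0.5), the frames and the baseline are all constructed for the example.

```python
"""Command-level allow-listing for Modbus/TCP in 'prevent' (inline gateway) and
'detect' (mirror-port sensor) modes, plus a learned trusted baseline.

Added example, not Check Point code or policy syntax. All addresses and
frames are constructed for illustration.
"""
import struct

# Public Modbus function codes used in the sample policy
READ_HOLDING_REGISTERS = 0x03
READ_INPUT_REGISTERS = 0x04
WRITE_SINGLE_REGISTER = 0x06
WRITE_MULTIPLE_REGISTERS = 0x10


def parse_modbus_tcp(payload):
    """Parse a Modbus/TCP ADU: 7-byte MBAP header (transaction id, protocol id,
    length, unit id) followed by the PDU (function code + data).
    Returns (unit_id, function_code), or None for malformed/non-Modbus frames."""
    if len(payload) < 8:
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    # protocol id must be 0; length counts unit id + PDU (everything after byte 6)
    if proto != 0 or length != len(payload) - 6:
        return None
    return unit, payload[7]


def build_frame(tid, unit, fc, data=b""):
    """Construct a Modbus/TCP request frame (only used to make sample traffic)."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Allow list: source host -> function codes it may send to PLCs.
# Only the operator workstation may write; the HMI may only read.
POLICY = {
    "10.2.0.10": {READ_HOLDING_REGISTERS, READ_INPUT_REGISTERS, WRITE_SINGLE_REGISTER},
    "10.2.0.20": {READ_HOLDING_REGISTERS, READ_INPUT_REGISTERS},
}


def learn_baseline(flows):
    """Trusted baseline: the set of (src, dst, function_code) tuples observed
    in known-good traffic while the plant was commissioned."""
    baseline = set()
    for src, dst, payload in flows:
        parsed = parse_modbus_tcp(payload)
        if parsed is not None:
            baseline.add((src, dst, parsed[1]))
    return baseline


def inspect(src, dst, payload, mode, policy=POLICY, baseline=frozenset()):
    """Return (verdict, alerts). An inline gateway ('prevent') can drop a frame;
    a sensor on a mirror port ('detect') can only report what it saw."""
    if mode not in ("prevent", "detect"):
        raise ValueError("mode must be 'prevent' or 'detect'")
    alerts = []
    parsed = parse_modbus_tcp(payload)
    if parsed is None:
        alerts.append("malformed or non-Modbus frame")
        authorized = False
    else:
        fc = parsed[1]
        authorized = fc in policy.get(src, set())
        if not authorized:
            alerts.append(f"unauthorized function code 0x{fc:02x} from {src}")
        elif (src, dst, fc) not in baseline:
            # permitted by policy, but never seen during commissioning: warn
            alerts.append(f"command 0x{fc:02x} {src}->{dst} not in trusted baseline")
    if mode == "prevent":
        verdict = "allow" if authorized else "drop"
    else:
        verdict = "observed"  # a mirror port cannot block, only warn
    return verdict, alerts


# Constructed sample traffic
PLC = "10.1.0.5"
KNOWN_GOOD = [
    ("10.2.0.10", PLC, build_frame(1, 1, READ_HOLDING_REGISTERS, b"\x00\x00\x00\x0a")),
    ("10.2.0.20", PLC, build_frame(2, 1, READ_INPUT_REGISTERS, b"\x00\x00\x00\x02")),
]
BASELINE = learn_baseline(KNOWN_GOOD)

SAMPLES = [
    # operator reads registers: allowed and in baseline
    ("10.2.0.10", PLC, build_frame(3, 1, READ_HOLDING_REGISTERS, b"\x00\x00\x00\x0a")),
    # HMI attempts a multi-register write: not in its allow list
    ("10.2.0.20", PLC, build_frame(4, 1, WRITE_MULTIPLE_REGISTERS, b"\x00\x00\x00\x01\x02\x00\x00")),
    # unknown laptop reads registers: no rule for that source at all
    ("10.2.0.99", PLC, build_frame(5, 1, READ_HOLDING_REGISTERS, b"\x00\x00\x00\x0a")),
    # operator writes a register: permitted, but never seen in the baseline
    ("10.2.0.10", PLC, build_frame(6, 1, WRITE_SINGLE_REGISTER, b"\x00\x10\x00\x01")),
    # truncated frame
    ("10.2.0.10", PLC, b"\x00\x07\x00\x00"),
]


def run(mode):
    """Evaluate the sample traffic in the given mode; returns one (verdict, alerts) per frame."""
    return [inspect(src, dst, p, mode, POLICY, BASELINE) for src, dst, p in SAMPLES]


if __name__ == "__main__":
    for mode in ("prevent", "detect"):
        print(f"--- {mode} ---")
        for (src, dst, _), (verdict, alerts) in zip(SAMPLES, run(mode)):
            print(f"{src} -> {dst}: {verdict} {alerts}")
```

Running it in "prevent" mode drops the HMI write, the unknown laptop and the truncated frame while allowing the operator's write with a baseline warning; in "detect" mode the alerts are identical but every verdict is "observed", which is exactly the gap between a gateway on a mirror port and one placed inline.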
The Check Point components used in this architecture are:
- Check Point gateways (including threat prevention technologies)
- Asset and Anomaly Detection (AAD) engine
- Check Point management
5 Key Takeaways
Here are 5 key takeaways to protect critical infrastructures:
- Ensure proper segmentation is in place. This is not about creating many VLANs and/or subnets and then simply enabling routing between them; it is about having the correct security controls in place and enabled between the segments.
To recap: sandboxing and the full NGTX bundle at the perimeter (level 5), including SSL/TLS inspection. On internal segments (level 4 and below), firewall, IPS, Identity Awareness and application control are the minimum. Sandboxing is vital against zero-day attacks, a common vector used by attackers targeting critical infrastructure.
- Threat prevention is vital. A detection-only deployment tells you about an attack after the damage has already been done.
- The IPS blade contains several signatures aimed specifically at ICS environments. Enable IPS in prevent mode wherever possible and monitor the alerts for these signatures specifically.
- The application control blade supports several SCADA protocols down to command level and even parameter level. This allows a security policy that authorizes only specific commands to be sent to PLCs and denies everything else.
- Visibility is key to security. Ensure there is enough staff to monitor the environment. Tools like SmartEvent, AAD and a dedicated SIEM reveal a lot of information that would otherwise go unnoticed.