
UFCF7P-15-M Critical Systems Security

Defence-in-depth

RECAP

Intelligence-driven computer network defence

• Kill chain model – the basis of intelligence-driven computer network defence.

• Kill chain analysis illustrates that the adversary must progress successfully through each stage of the chain before it can achieve its desired objective; just one mitigation disrupts the chain and the adversary [1].

• Objectives:
– Identify phases of intrusion.
– Map adversary kill chain indicators to defender courses of action.
– Identify patterns that link individual intrusions into broader campaigns.
– Understand the iterative nature of intelligence.

Indicators and the indicator life cycle

• The fundamental element of intelligence in the Cyber Kill Chain model is the indicator: any piece of information that objectively describes an intrusion.

• Three indicator types:
– Atomic
– Computed
– Behavioural

Atomic indicators
• Atomic indicators are those which cannot be broken down into smaller parts and retain their meaning in the context of an intrusion.
• Typical examples here are IP addresses, email addresses and vulnerability identifiers.

Examples from the slide figure: companyname@company.com, 192.168.1.5, CVE-1999-0067

More on CVE: https://cve.mitre.org/

Computed indicators
• Computed indicators are those which are derived from data involved in an incident.

• Common computed indicators include hash values and regular expressions.

Behavioural indicators
• Behavioural indicators are collections of computed and atomic indicators, often subject to qualification by quantity and possibly combinatorial logic.

• Example:

• “the intruder would initially use a backdoor which generated network traffic matching [regular expression] at the rate of [some frequency] to [some IP address], and then replace it with one matching the [MD5 hash value] once access was established”
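The behavioural indicator quoted above, written out as detection logic in Python. This is an added example, not material from the slides or from the kill chain paper; the log format, the IP address, the regular expression, the rate threshold and the MD5 value are all constructed for illustration.

```python
import hashlib
import re

# Constructed connection log: "<unix time> <dst ip> <request line>". Values are made up.
LOG = """\
1700000000 10.0.0.5 GET /beacon?id=a1b2
1700000060 10.0.0.5 GET /beacon?id=a1b3
1700000120 10.0.0.5 GET /beacon?id=a1b4
1700000180 10.0.0.5 GET /beacon?id=a1b5
1700000200 10.0.0.9 GET /index.html
"""

# Behavioural indicator assembled from an atomic part (dst IP) and computed parts
# (regex, MD5), qualified by quantity (min_hits within window_s). All constructed.
INDICATOR = {
    "dst_ip": "10.0.0.5",
    "regex": re.compile(r"GET /beacon\?id=[0-9a-f]{4}$"),
    "min_hits": 3,
    "window_s": 300,
    "replacement_md5": hashlib.md5(b"constructed second-stage backdoor").hexdigest(),
}

def beacon_hits(log_text, ind):
    """Timestamps of lines matching both the atomic (dst ip) and computed (regex) parts."""
    hits = []
    for line in log_text.splitlines():
        ts, dst, request = line.split(" ", 2)
        if dst == ind["dst_ip"] and ind["regex"].search(request):
            hits.append(int(ts))
    return hits

def rate_qualified(hits, ind):
    """Quantity qualification: at least min_hits inside some window_s-second span."""
    hits = sorted(hits)
    for i, start in enumerate(hits):
        if sum(1 for t in hits[i:] if t - start <= ind["window_s"]) >= ind["min_hits"]:
            return True
    return False

def matches_indicator(log_text, dropped_file, ind):
    """Combinatorial logic: the beaconing phase AND the replacement backdoor's MD5."""
    phase1 = rate_qualified(beacon_hits(log_text, ind), ind)
    phase2 = hashlib.md5(dropped_file).hexdigest() == ind["replacement_md5"]
    return phase1 and phase2
```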

ICS Cyber kill chain model: Stage 1

ICS Cyber kill chain model: Stage 2

This week

• ICS Security Architecture
• Network segmentation
• Boundary protection
• Firewalls
• Network segregation
• Defence-in-depth
• ISA/IEC 62443-3-2
• In the tutorial

ICS Security Architecture

• Separate the corporate network from the ICS network.

• If the networks must be connected, only minimal (single if possible) connections should be allowed, and each connection should pass through a firewall and a DMZ.

Network segmentation and segregation

• Operational risk analysis should be performed to determine critical parts of the ICS network and define segmentation (partitioning the network into smaller networks).

• Segmentation establishes security domains, typically defined as being managed by the same authority, enforcing the same policy, and having a uniform level of trust.

• Goal: Minimise access to sensitive information, ICS communication and equipment configuration.

Network segmentation and segregation

• Traditionally, network segmentation and segregation is implemented at the gateway between domains.

[Figure: gateway placement between domains – Internet, corporate LANs, operational DMZs, operational LANs, control LANs]
Network segmentation and segregation

Common technologies and methods:

• Logical network separation enforced by encryption or network device-enforced partitioning (VLANs, VPNs, unidirectional gateways).

• Physical network separation to completely prevent any interconnectivity of traffic between domains.

• Network traffic filtering uses a variety of technologies at various network layers to enforce security requirements and domains (e.g. filtering based on IP, port and/or protocol, or at the application layer).

Defence in depth

• Deploy multiple layers of protection

• Redundancy in case a security measure fails

• Make the attacker’s life difficult!

Network segmentation and segregation - Defence in depth

Four common themes that implement the concept of defense-in-depth by providing for good network segmentation and segregation:

1) Apply technologies at more than just the network layer.

2) Use the principles of least privilege and need-to-know.

3) Separate information and infrastructure based on security requirements.

4) Implement whitelisting instead of blacklisting.

Boundary protection (data transactions between network segments)

Control the flow of information between interconnected security domains.

Boundary protection controls include: gateways, routers, firewalls, DMZs, network-based malicious code analysis and virtualisation systems, intrusion detection systems (network and host-based), encrypted tunnels, managed interfaces, mail gateways, and unidirectional gateways (e.g. data diodes).

Boundary protection devices determine whether data transfer is permitted, often by examining the data or associated metadata.

Boundary protection (data transactions between network segments)

• A common architectural construct is the DMZ: a host or network segment inserted as a “neutral zone” between security domains.

• Deny communications traffic by default and allow communications traffic by exception (white-listing policy).

• Limit direct connectivity by implementing proxy servers that act as an intermediary for external domains requesting information system resources (e.g., files, connections, or services) from the ICS domain.

• Deep packet inspection firewalls and XML gateways.

Boundary protection (data transactions between network segments)

• Allow communication only between authorised and authenticated source and destination address pairs.

• Extending the DMZ concept to other separate subnetworks is useful, for instance isolating ICS to prevent adversaries from discovering the analysis and forensics techniques of organisations.

• Enforce physical access control to limit authorised access to ICS components.

• Conceal network addresses of ICS components from discovery (e.g., network address not published or entered in domain name systems), requiring prior knowledge for access.

Boundary protection (data transactions between network segments)

• Disable control and troubleshooting services and protocols, especially those employing broadcast messaging, which can facilitate network exploration.

• Disable feedback (e.g., non-verbose mode) to senders when there is a failure in protocol validation format, to prevent adversaries from obtaining information.

• Implement one-way data flow, especially between different security domains.

• Establish passive monitoring of ICS networks to actively detect anomalous communications and provide alerts.

Boundary protection (data transactions between network segments)

Network and ICS security architects must decide:

• which domains are to be permitted direct communication,
• the policies governing permitted communication,
• the devices to be used to enforce the policy, and
• the topology for provisioning and implementing these decisions, which are typically based on the trust relationship between domains.
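The boundary protection slides above call for deny-by-default (white-listing) between domains, permitted source/destination pairs, no direct corporate-to-control path, and one-way flow across domains. The Python below is an added example, not from the slides or from NIST SP 800-82: it evaluates a small conduit policy over constructed flows and lints the policy itself against those rules. Zone names, address ranges and ports are assumed for illustration.

```python
import ipaddress

# Constructed zones for a three-tier ICS architecture (addresses are made up):
# corporate LAN -> operational DMZ -> control LAN.
ZONES = {"corporate": "10.1.0.0/16", "dmz": "10.2.0.0/24", "control": "10.3.0.0/24"}

# Conduit allow-list: (src_zone, dst_zone, proto, dst_port). Anything not listed is denied.
ALLOW = {
    ("corporate", "dmz", "tcp", 443),   # corporate reads the historian replica in the DMZ
    ("dmz", "control", "tcp", 502),     # DMZ historian polls the control-side server
}

def zone_of(ip):
    """Map an address to its security domain, or None if it belongs to no known zone."""
    addr = ipaddress.ip_address(ip)
    return next((z for z, c in ZONES.items() if addr in ipaddress.ip_network(c)), None)

def decide(src_ip, dst_ip, proto, dst_port):
    """Deny by default: only explicit inter-zone conduits are permitted."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return "deny"                 # unknown address: no implicit trust
    if src == dst:
        return "allow"                # intra-zone traffic does not cross a boundary
    return "allow" if (src, dst, proto, dst_port) in ALLOW else "deny"

def lint_policy(allow):
    """Flag conduits that violate the segmentation rules on the slides."""
    problems = []
    pairs = {(s, d) for s, d, _, _ in allow}
    for src, dst, proto, port in allow:
        if {src, dst} == {"corporate", "control"}:
            problems.append(f"direct {src}->{dst} conduit on {proto}/{port} bypasses the DMZ")
    for src, dst in sorted(pairs):
        if (dst, src) in pairs and src < dst:
            problems.append(f"{src}<->{dst} conduits initiate in both directions; prefer one-way flow")
    return problems
```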

Firewalls

• Not just for the connection to the Internet.

• Restrict ICS inter-subnetwork communications; prevent unauthorised access to the respective systems and resources within the more sensitive areas.

Types of Firewalls:
- Packet Filtering Firewalls
- Stateful Inspection Firewalls
- Application-Proxy Gateway Firewalls

Network segregation

Dual-Homed Computer/Dual Network Interface Cards (NIC)

• No systems other than firewalls should be configured as dual-homed to span both the control and corporate networks.

• All connections between the control network and the corporate network should be through a firewall.

Defence-in-depth

• Multiple layer strategy involving two (or more) different overlapping security mechanisms.

• A defense-in-depth architecture strategy includes the use of firewalls, the creation of demilitarised zones, intrusion detection capabilities along with effective security policies, training programs, incident response mechanisms and physical security.

• Also requires thorough understanding of possible attack vectors on an ICS.

ISA/IEC 62443
• ISA and IEC have developed the IEC 62443 series of standards to address the need to design cybersecurity robustness and resilience into industrial automation control systems (IACS).

• Provides the detailed information to implement a cyber-security program.

• https://www.isa.org/training-and-certifications/isa-certification/isa99iec-62443/isa99iec-62443-cybersecurity-certificate-programs/?utm_medium=social&utm_campaign=smm-training-ISA-IEC-62443-Cybersecurity-Certificate-Programs&utm_source=twitter

ISA/IEC 62443-3-2: Security Risk Assessment and System Design

• Includes the zone and conduit requirements (network segmentation and aggregation).

• You can find it in the reading list; alternatively you can download it from UWE’s Library online webpage.

In the tutorial…

• NIST 800-82, Section 5.2 Boundary Protection
• SANS 401 Network Model
• Design defence-in-depth for an ICS:
• Attack Vectors,
• Attack Trees,
• Kill Chain

References

[1] Chapter 5 from: https://csrc.nist.gov/publications/detail/sp/800-82/rev-2/final

IEC/ISA 62443-3-2
