firewall deployment for scada pcn
play

FIREWALL DEPLOYMENT FOR SCADA/PCN How closed need your network needs - PowerPoint PPT Presentation

Sep 30, 2022 •151 likes •634 views

FIREWALL DEPLOYMENT FOR SCADA/PCN How closed need your network needs to be? How open can you afford your network to be? Where from the vulnerability is coming? How to mitigate the vulnerability? How to detect that anyone

  1. FIREWALL DEPLOYMENT FOR SCADA/PCN

  2.  How closed need your network needs to be?  How open can you afford your network to be?  Where from the vulnerability is coming?  How to mitigate the vulnerability?  How to detect that anyone un-authorized is trying to jeopardize the network services?  How the Business Continuity can be maintained in the long run with the steps taken?  How to envisage future requirements? Network Security

  3. 1. Denial of Service Types of 2. Unauthorized Access: Attempt to access Attacks command shell 3. Illicit command execution: Hacking  Administrator’s password Changing IP Address  Putting a Start-up  Script 4. Confidentiality Breach 5. Destructive Attacks Data Diddling  Data destruction 

  4. Balancing act between:  Keeping equipment and processes protected.  Allowing them to touch larger computing realms via Ethernet protocols and the internet to gain new connections and capabilities. Solution:  Multiple Zone Network with Subzone. Network Security

  6. Generic IT security goals versus ICS security goals

  7. Assessment process flow chart

  8. OSI Model – 7 Layers

  9. Network Security Tools  Intelligent Network Switches and Routers  Firewalls  Hardware and Software Devices for managing network connections  User Authentication  Encrypting Data  DMZ Network Security

  10. Firewall Firewall is a mechanism used to control and monitor traffic to and from a network for the purpose of protecting devices on a network.  Compares traffic passing through it to a pre- defined security criteria  Can be a hardware device (CISCO PIX or Semantic Security Gateway)  Can be a hardware/Software unit with OS based firewall capabilities (“ iptables ” running on a Linux Server)  Host based software solution installed on the workstation directly (Norton Personal Firewall or Sygate Personal Firewall) FIREWALL

  11. Internet facing firewall protecting PC & PLC

  12. Network Traffic Network traffic is sent in discrete group of bits, called a packet which includes  Sender’s Identity (Source Address)  Recipient’s Identity (Destination Address)  Service to which the packet pertains (Port Number)  Network Operation and Status Flags  Actual payload of data to be delivered to service A firewall analyzes these characteristics and decides what to do with the packet based on a series of rules, known as Access Control Lists (ACL). Content of Network Traffic

  13. Host Based Firewalls  Available on Windows or Unix based platforms  Primary function is Workstation or Server Tasks like Database Access or Web Services  Can do little to regulate traffic destined for Embedded Control Devices Classes of Firewall

  14. Packet Filter Firewall  Simplest class of Firewall following a set of static rules  Only the IP Addresses and the port number of the packet is examined  No intelligence to identify spoofed (Forged source IP Address) packages Classes of Firewall

  15. Packet Filter Firewall

  16. Application Proxy Firewalls  Open Packets at Application Layer  Process them based on specific application rules  Reassemble and forward to target devices  No direct connection to external server  Possible to configure internal clients to redirect traffic without the knowledge of the sender  Possible to apply access control lists against the application protocol Classes of Firewall

  20.  Acting as Intrusion Detection System ; Logging denied packets, Recognizing network packages specifically designed to cause problems, Reporting unusual traffic patterns  Blocking infected traffic by deploying Front-line Anti-Virus Software on firewall  Authentication services through passwords or Public Key Encryption  Virtual Private Network (VPN) gateway services by setting up an encrypted tunnel between firewall and remote Host devices  Network Address Translation (NAT) where a set of IP addresses used on one side of a firewall are mapped to a different set on the other side. Other Firewall Services

  21.  No direct connection from the Internet to the PCN/SCADA Network and vice versa  Restricted access from the enterprise network to the control network  Unrestricted (but only authorized) access from the enterprise network to shared PCN/Enterprise servers  Secured methods for authorized remote support of control system  Secure connectivity for wireless devices  Well defined rules outlining the type of traffic permitted  Monitoring the traffic attempting to enter PCN  Secure connectivity for management of firewall Overall Security Goals of PCN/SCADA Firewalls

  22. Security: The likely effectiveness of the architecture to prevent possible attacks. Manageability: Ability of the architecture to be easily managed (both locally as well as from remote). Scalability: Ability of the architecture to be effectively deployed in both large and small systems or in large numbers. Firewall Selection Criteria

  23. Dual-Homed Computers Common SCADA/PCN Segregation Architecture

  24. Dual Homed Server with Personal Firewall Software Common SCADA/PCN Segregation Architecture

  25. Packet Filtering Router/Layer-3 Switch between PCN & EN Common SCADA/PCN Segregation Architecture

  26. Two Port Firewall between PCN & EN Common SCADA/PCN Segregation Architecture

  27. Router/Firewall combination between PCN & EN Common SCADA/PCN Segregation Architecture

  28. DMZ is a critical part of a firewall.  Neither part of un-trusted Network, nor part of trusted network  Puts additional layer of security to DDCMIS LAN  Physical or Logical sub-network that provides services to users outside LAN DMZ

  29. Firewall with DMZ between PCN & EN Common SCADA/PCN Segregation Architecture

  30. Paired Firewalls with DMZ between PCN & EN Common SCADA/PCN Segregation Architecture

  31. Firewall with DMZ and SCADA/PCN VLAN Common SCADA/PCN Segregation Architecture

  32. Comparison Chart for PCN/SCADA segregation Architecture

  33. DDCMIS NETWORK SECURITY MEASURES TAKEN AT NTPC/TALCHER-KANIHA

  35. PI Server Port 5450 10.0.120.202 Office Network Firewall Firewall Firewall ABT OPC Gateway PC Gateway PC Server + PI Honeywell + + OPC Server OPC PI OPC PI OPC Interface Interface Interface Stage I Plant Network Stage II Plant Network ABT Network Unit 2 Unit 6 Unit 1 Unit 3 Keltron Honeywell Keltron Honeywell OPC Experion OPC Experion Server System Server System Network T opology

  36. Network Topology PI Server Port 545 PI Client 0 10.0.120.202 Office Network (NTPC LAN) Firewall Firewall-2 Firewall- -3 1 ABT OPC Gateway Server PC Honeywel OPC OPC (Redundant) l WAN + PI OPC Server Server Server Interface Main Standby ABT Network L-3 Switch L-3 Switch Unit 3 Unit 6 Unit 2 Unit 1 Honeywell Honeywell DDCMS DDCMS Experion Experion System System Stage II Plant Network

  37. HEADS OF PLC COOLING CHP-1 CHP-2 DM PLANT PT PLANT COOLING PC - O&M TOWER-1 PLC PLC PLC PLC TOWER2 HEAD - OPER -C&I SHIFT M/C PLC OF - BOILER/TURBINE M/C ENGR PROJ etc -C&I M/C ENGR PT PLANT SWITCH SERVICE BLDG SWITCH Ash handling fire proof AC CPU PLC PLC PLC PLC PC1 … .. P C n SERVER PR SWITCH IT SWAS C&I shift PC Incharge PC FIREWALL BPOS system LA U#3,4,5 &6 N ESP GATEWAY PCs PC # MOR STN LAN STATION LAN SWITCH 3,4,5,6 PC SERVER OWS OWS / OWS UNIT-3 UNIT UNIT UNIT Unit 1 Unit 2 in PR LVS in PR -4 -5 -6 & CER in CCR & CER UNIT HMI LAN U#3 SWITCH Station LAN of Talcher-II UNIT HMI SERVERS Typical before PI connectivity CONTROL SYSTEM

  38. HEADS OF PLC COOLING CHP-1 CHP-2 DM PLANT PT PLANT COOLING PC - O&M TOWER-1 PLC PLC PLC PLC TOWER2 HEAD - OPER -C&I SHIFT M/C PLC OF - BOILER/TURBINE M/C ENGR PROJ etc -C&I M/C ENGR PT PLANT SWITCH SERVICE BLDG SWITCH Ash handling fire proof AC CPU PI- PLC PLC PLC PLC SERVER PC1 … .. P C n PR SWITCH IT FIREWALL LA SWAS C&I shift PI- GATEWAY PC Incharge PC N BPOS system PC Interface U#3,4,5 &6 ESP PCs DMZ # 3,4,5,6 MOR STN LAN STATION LAN SWITCH PC SERVER OWS OWS OWS in PR UNIT-3 UNIT UNIT UNIT / LVS in PR Unit 1 Unit 2 & -4 -5 -6 in & CER UNIT CCR CER HMI LAN U#3 SWITCH Station LAN of Talcher-II UNIT HMI SERVERS after PI connectivity Typical CONTROL SYSTEM

  39. PI- Server NTPC Office LAN PI- Interface - - - PI system connectivity at Talcher-II

  40. Steps: 1. Review the existing LAN of NTPC/Talcher Kaniha 2. Perform a Bandwidth Assessment Test 3. Perform a Vulnerability Test 4. Conduct a Penetration Test 5. Conduct a Security Audit 6. Conduct a CCTV Demo between Talcher Kaniha & EOC-NOIDA 7. Recommendation and Suggested Up- Gradation Network Testing Methodology

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Sophos XG Firewall IP Partners ICT Systems & Services www.ippartners.gr XG Firewall

Sophos XG Firewall IP Partners ICT Systems & Services www.ippartners.gr XG Firewall

Sophos XG Firewall IP Partners ICT Systems & Services www.ippartners.gr XG Firewall Overview Todays top firewall problems What IT managers say about their existing firewall Firewall Satisfaction Survey (Spiceworks 2017) Top

548 views • 52 slides
SCADA and Other Dangerous Things Professor Andrew Blyth, PhD. University of South Wales, UK.

SCADA and Other Dangerous Things Professor Andrew Blyth, PhD. University of South Wales, UK.

SCADA and Other Dangerous Things Professor Andrew Blyth, PhD. University of South Wales, UK. E-Mail: andrew.blyth@southwales.ac.uk SCADA and Ukraine SCADA Hacking Typical SCADA Critical Infrastructure Architecture 4 SCADA and IPC Forensic

303 views • 17 slides
SCADA SCADA Sec Securit urity SC SCADA Ne Netwo twork rk Sec Security urity Jodi Jensen

SCADA SCADA Sec Securit urity SC SCADA Ne Netwo twork rk Sec Security urity Jodi Jensen

SCADA SCADA Sec Securit urity SC SCADA Ne Netwo twork rk Sec Security urity Jodi Jensen Operations Support Manager Western Area Power Administration Sub Substation Ne station Netwo twork rk Sec Security urity Tyler Stinson

627 views • 13 slides
SCADA Security Eric Chan Fortinet SouthEast Asia & HK SCADA Network Architecture CONFIDENTIAL

SCADA Security Eric Chan Fortinet SouthEast Asia & HK SCADA Network Architecture CONFIDENTIAL

SCADA Security Eric Chan Fortinet SouthEast Asia & HK SCADA Network Architecture CONFIDENTIAL INTERNAL ONLY 2 Where are the Threats Coming From? External Sources SCADA systems are often interconnected to other SCADA systems and

480 views • 12 slides
Firewall and IDS/IPS What is a firewall? firewall = wall to protect against fire propagation

Firewall and IDS/IPS What is a firewall? firewall = wall to protect against fire propagation

Firewall and IDS/IPS What is a firewall? firewall = wall to protect against fire propagation controlled connection between networks at different security levels = boundary protection ( L1 > L2 ) network at network at security

1.07k views • 67 slides
THE APPLICATION OF THE APPLICATION OF GPRS FOR SCADA GPRS FOR SCADA COMMUNICATIONS

THE APPLICATION OF THE APPLICATION OF GPRS FOR SCADA GPRS FOR SCADA COMMUNICATIONS

THE APPLICATION OF THE APPLICATION OF GPRS FOR SCADA GPRS FOR SCADA COMMUNICATIONS COMMUNICATIONS Dieter Gtschow Telecommunications specialist Industry Association Resource Centre African Utility Week, 810 May 2006 Overview

549 views • 21 slides
Out of Control: Demonstrating SCADA Exploitation Brian Meixell Eric Forner Black Hat 2013

Out of Control: Demonstrating SCADA Exploitation Brian Meixell Eric Forner Black Hat 2013

Out of Control: Demonstrating SCADA Exploitation Brian Meixell Eric Forner Black Hat 2013 Agenda SCADA 101 Attack Scenarios Common Vulnerabilities Remediation Exploit Demo SCADA 101 SCADA DCS Supervisory Distributed

626 views • 45 slides
SCADA STRANGELOVE SCADA.SL Sergey Gordeychik Internets Aleksandr Timorin StrangeLove movie and

SCADA STRANGELOVE SCADA.SL Sergey Gordeychik Internets Aleksandr Timorin StrangeLove movie and

SCADA STRANGELOVE SCADA.SL Sergey Gordeychik Internets Aleksandr Timorin StrangeLove movie and other Gleb Gritsai *All pictures are taken from Dr Group of security researchers focused on ICS/SCADA Alexander Timorin Dmitry Serebryannikov

1.13k views • 65 slides
_ ...... - I =-= I A Weatherford Enterra Company SCADA Systems Seminar TEST, Inc SCADA Ssmlnor

_ ...... - I =-= I A Weatherford Enterra Company SCADA Systems Seminar TEST, Inc SCADA Ssmlnor

_ ...... - I =-= I A Weatherford Enterra Company SCADA Systems Seminar TEST, Inc SCADA Ssmlnor slrtu030.doc ~_-Computer Alternate Signal Path (3 x #16 wires) 3.275 Ghz Satollite Earth Station 3.275 Ghz Satellite _-'/P"lnK Antenna

2.28k views • 183 slides
SCADA Supervisory Control and Data Acquisition What is SCADA? Superv rvisory Control and Data

SCADA Supervisory Control and Data Acquisition What is SCADA? Superv rvisory Control and Data

SCADA Supervisory Control and Data Acquisition What is SCADA? Superv rvisory Control and Data Acquisition SCADA is the system that controls the various operating processes at our facilities. It is also the system that collects and stores

1.17k views • 23 slides
System Management SCADA Replacing missing or incorrect values with estimates DM#12352252 What is

System Management SCADA Replacing missing or incorrect values with estimates DM#12352252 What is

System Management SCADA Replacing missing or incorrect values with estimates DM#12352252 What is SCADA? S upervisory C ontrol A nd D ata A cquisition , a computer system for gathering and analysing real-time data. SCADA systems are used to

309 views • 15 slides
Duan Vavreka September 2015 Quality metering RTU and SCADA RTU and SCADA Control systems

Duan Vavreka September 2015 Quality metering RTU and SCADA RTU and SCADA Control systems

www.elvac.eu Duan Vavreka September 2015 Quality metering RTU and SCADA RTU and SCADA Control systems for energetics Quality metering in class A ARTIQ 144 measurements 4V4I, communication interface RS-485, optionally Ethernet or USB,

605 views • 13 slides
Firewalls in FreeBSD and OpenBSD What is firewall? firewall is a method of protecting hosts

Firewalls in FreeBSD and OpenBSD What is firewall? firewall is a method of protecting hosts

Firewalls in FreeBSD and OpenBSD What is firewall? firewall is a method of protecting hosts and networks connected to other hosts and networks against attacks from the outside and from the inside. a firewall is a network security system

440 views • 30 slides
Lane ESD Technology Services Core Firewall Overview Districts Behind Firewall Blachly

Lane ESD Technology Services Core Firewall Overview Districts Behind Firewall Blachly

Lane ESD Technology Services Core Firewall Overview Districts Behind Firewall Blachly Creswell Crow-Applegate-Lorane Fern Ridge Junction City Lowell Mapleton Screened, but exempt from policies Marcola

539 views • 15 slides
Firewall vs. Scrambling 2 1 Review of Firewall argument Review of Hayden-Preskill 4 3

Firewall vs. Scrambling 2 1 Review of Firewall argument Review of Hayden-Preskill 4 3

Firewall vs. Scrambling 2 1 Review of Firewall argument Review of Hayden-Preskill 4 3 State-independent interior operators Interior operator from HP recovery 6 5 Resolution of the puzzle Effect of infalling observer 7 Discussions Beni

1.61k views • 106 slides
Introduction to SCADA Most of the slides are from ECE 450/CSE 450 (Fall 2010) taught at Lehigh

Introduction to SCADA Most of the slides are from ECE 450/CSE 450 (Fall 2010) taught at Lehigh

10/30/2015 Introduction to SCADA Most of the slides are from ECE 450/CSE 450 (Fall 2010) taught at Lehigh University by Dr. Liang Cheng and Dr. Shalinee Kishore. Motivation for SCADA Suppose you have a simple electrical circuit consisting

538 views • 15 slides
Goldcorp GLAM IT Audit Controls Denver Trimble User Conference Chris Saari, Manager Compliance

Goldcorp GLAM IT Audit Controls Denver Trimble User Conference Chris Saari, Manager Compliance

Goldcorp GLAM IT Audit Controls Denver Trimble User Conference Chris Saari, Manager Compliance Land, RIM, Contracts May 2, 2018 Goals: Understand the purpose of SOX and ITGCs Understand the control attributes for information security,

1.09k views • 40 slides
DECENTRALIZED ACCESS CONTROL Sandra Siby EDIC Semester Project (DEDIS) Supervisors: Eleftherios

DECENTRALIZED ACCESS CONTROL Sandra Siby EDIC Semester Project (DEDIS) Supervisors: Eleftherios

DECENTRALIZED ACCESS CONTROL Sandra Siby EDIC Semester Project (DEDIS) Supervisors: Eleftherios Kokoris-Kogias, Prof. Bryan Ford 1 Motivation Access Control: Management of access to a resource Simple access control Static binding

494 views • 24 slides
Identity and Access Management IAM Lifecycle Committee Jan. 12, 2015 | Monday | 10:30 a.m.-12

Identity and Access Management IAM Lifecycle Committee Jan. 12, 2015 | Monday | 10:30 a.m.-12

Identity and Access Management IAM Lifecycle Committee Jan. 12, 2015 | Monday | 10:30 a.m.-12 p.m. | 561 Smith Center Agenda Short Program Status Update User Name Progress Discussion Topics: Sponsored people tool will be

613 views • 22 slides
Continuing to secure the Internet of Things Connected embedded devices Everything in our

Continuing to secure the Internet of Things Connected embedded devices Everything in our

Safety & Security for the Connected World Continuing to secure the Internet of Things Connected embedded devices Everything in our embedded world is becoming connected to The Internet Other connected devices Personal devices

248 views • 11 slides
Elk Management in Skagit and Whatcom Counties Amy Windrope Fenner Yarborough North Cascades elk

Elk Management in Skagit and Whatcom Counties Amy Windrope Fenner Yarborough North Cascades elk

Elk Management in Skagit and Whatcom Counties Amy Windrope Fenner Yarborough North Cascades elk herd Commonly referred to as Nooksack elk herd Current population of survey area~ 1,500 Population objective 1,700-2,000 Co-managed

237 views • 12 slides
Public Involvement Meeting Juneau County line Coloma Adams and Waushara counties Study ID

Public Involvement Meeting Juneau County line Coloma Adams and Waushara counties Study ID

Public Involvement Meeting Juneau County line Coloma Adams and Waushara counties Study ID 6160-00-29/6170-00-29 May 23, 2016 Introductions Study location Study purpose and need Access management planning Wisconsin State

293 views • 18 slides
Tentative Subdivision Map Case Number WTM19-001 Pleasant Valley Estates Washoe County Planning

Tentative Subdivision Map Case Number WTM19-001 Pleasant Valley Estates Washoe County Planning

Tentative Subdivision Map Case Number WTM19-001 Pleasant Valley Estates Washoe County Planning Commission October 1, 2019 1 Request 58-lot single-family residential, common- open-space tentative subdivision map Lots ranging in size

659 views • 35 slides
NET ETCard Card Ci Citibank tibank Monthly Statement Access Presented by: Department of

NET ETCard Card Ci Citibank tibank Monthly Statement Access Presented by: Department of

Procu Procurem rement ent, , Travel, el, and nd NET ETCard Card Ci Citibank tibank Monthly Statement Access Presented by: Department of Finance Main points in this presentation Instruction for set up of Citibank, CitiManager

218 views • 17 slides

More recommend