FIREWALL DEPLOYMENT FOR SCADA/PCN - PowerPoint PPT Presentation

SLIDE 1

FIREWALL DEPLOYMENT FOR SCADA/PCN

SLIDE 2

Network Security

  • How closed does your network need to be?
  • How open can you afford your network to be?
  • Where is the vulnerability coming from?
  • How to mitigate the vulnerability?
  • How to detect that anyone unauthorized is trying to jeopardize the network services?
  • How can Business Continuity be maintained in the long run with the steps taken?
  • How to envisage future requirements?

SLIDE 3

Types of Attacks

  • 1. Denial of Service
  • 2. Unauthorized Access: attempt to access a command shell
  • 3. Illicit command execution: hacking the Administrator's password, changing the IP address, putting in a start-up script
  • 4. Confidentiality Breach
  • 5. Destructive Attacks: data diddling, data destruction

SLIDE 4

Network Security

Balancing act between:

  • Keeping equipment and processes protected.
  • Allowing them to touch larger computing realms via Ethernet protocols and the internet to gain new connections and capabilities.

Solution:

  • Multiple Zone Network with Subzone.

SLIDE 5

SLIDE 6

Generic IT security goals versus ICS security goals

SLIDE 7

Assessment process flow chart

SLIDE 8

OSI Model – 7 Layers

SLIDE 9

Network Security

Network Security Tools

  • Intelligent Network Switches and Routers
  • Firewalls
  • Hardware and Software Devices for managing network connections
  • User Authentication
  • Encrypting Data
  • DMZ

SLIDE 10

FIREWALL

A firewall is a mechanism used to control and monitor traffic to and from a network for the purpose of protecting the devices on that network.

  • Compares traffic passing through it to pre-defined security criteria
  • Can be a hardware device (Cisco PIX or Symantec Security Gateway)
  • Can be a hardware/software unit with OS-based firewall capabilities ("iptables" running on a Linux server)
  • Host-based software solution installed on the workstation directly (Norton Personal Firewall or Sygate Personal Firewall)

SLIDE 11

Internet facing firewall protecting PC & PLC

SLIDE 12

Content of Network Traffic

Network traffic is sent in discrete groups of bits, called packets. A packet includes:

  • Sender's identity (Source Address)
  • Recipient's identity (Destination Address)
  • Service to which the packet pertains (Port Number)
  • Network operation and status flags
  • Actual payload of data to be delivered to the service

A firewall analyzes these characteristics and decides what to do with the packet based on a series of rules, known as Access Control Lists (ACL).

SLIDE 13

Classes of Firewall

Host Based Firewalls

  • Available on Windows or Unix based platforms
  • Primary function is protecting workstation or server tasks like database access or web services
  • Can do little to regulate traffic destined for embedded control devices

SLIDE 14

Classes of Firewall

Packet Filter Firewall

  • Simplest class of firewall, following a set of static rules
  • Only the IP addresses and the port number of the packet are examined
  • No intelligence to identify spoofed (forged source IP address) packets
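As an added illustration of the two slides above (this is not code from the presentation): a stateless packet filter in Python that sees only the header fields listed under "Content of Network Traffic", matches them against a static first-match ACL, and therefore passes a packet whose source address is forged. The addresses, the ACL and the packets are constructed using RFC 5737 documentation ranges; the only value taken from the presentation is the PI port 5450 named on the topology slides. A second evaluator adds the usual mitigation, per-interface ingress (anti-spoofing) filtering, which the ACL itself cannot express.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    """The header fields a packet filter can see."""
    src: str        # source address (sender's identity)
    dst: str        # destination address (recipient's identity)
    proto: str      # "tcp" or "udp"
    dport: int      # destination port (the service the packet pertains to)
    iface: str      # interface the packet arrived on, e.g. "pcn" or "ent"


@dataclass(frozen=True)
class Rule:
    """One static ACL entry, evaluated top-down, first match wins."""
    action: str                  # "permit" or "deny"
    src: str                     # CIDR the source address must fall in
    dst: str                     # CIDR the destination address must fall in
    proto: str                   # "tcp", "udp" or "any"
    dport: Optional[int] = None  # None matches every destination port

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.proto in ("any", pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """Stateless packet filter: only addresses, protocol and port are consulted,
    never the ingress interface. Implicit deny when nothing matches."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"


def evaluate_with_antispoof(acl: List[Rule], pkt: Packet,
                            iface_nets: Dict[str, str]) -> str:
    """Same ACL, but first drop any packet whose source address does not belong
    to the network attached to the interface it arrived on (ingress filtering)."""
    if ip_address(pkt.src) not in ip_network(iface_nets[pkt.iface]):
        return "deny"
    return evaluate(acl, pkt)


# Constructed topology (RFC 5737 documentation ranges, not a real site):
#   192.0.2.0/24     control network (PCN), gateway PC at 192.0.2.10
#   198.51.100.0/24  enterprise network, PI historian at 198.51.100.5
IFACE_NETS = {"pcn": "192.0.2.0/24", "ent": "198.51.100.0/24"}

PCN_ACL = [
    # Only the gateway PC may talk to the historian, and only on PI port 5450.
    Rule("permit", "192.0.2.10/32", "198.51.100.5/32", "tcp", 5450),
    # Everything else is dropped (written out so the policy reads completely).
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", "any"),
]

# Constructed packets.
GENUINE = Packet("192.0.2.10", "198.51.100.5", "tcp", 5450, iface="pcn")
OTHER_HOST = Packet("192.0.2.11", "198.51.100.5", "tcp", 5450, iface="pcn")
WRONG_PORT = Packet("192.0.2.10", "198.51.100.5", "tcp", 445, iface="pcn")
# Arrives on the enterprise side but carries the gateway PC's address as source.
SPOOFED = Packet("192.0.2.10", "198.51.100.5", "tcp", 5450, iface="ent")

if __name__ == "__main__":
    for name, pkt in [("genuine", GENUINE), ("other host", OTHER_HOST),
                      ("wrong port", WRONG_PORT), ("spoofed", SPOOFED)]:
        print(f"{name:11} plain={evaluate(PCN_ACL, pkt):6} "
              f"anti-spoof={evaluate_with_antispoof(PCN_ACL, pkt, IFACE_NETS)}")
```

The "spoofed" row is the point of the slide: under the plain ACL it is permitted, because its header is byte-for-byte the same as the genuine one; only the per-interface source check, which a router or firewall applies before the ACL, tells the two apart.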

SLIDE 15

Packet Filter Firewall

SLIDE 16

Classes of Firewall

Application Proxy Firewalls

  • Open packets at the Application Layer
  • Process them based on specific application rules
  • Reassemble and forward to target devices
  • No direct connection to the external server
  • Possible to configure internal clients to redirect traffic without the knowledge of the sender
  • Possible to apply access control lists against the application protocol
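An added example of the application-level ACL described above (not code from the presentation). HTTP is used because it is a text protocol that is easy to parse inline; the hostname, the ACL and the sample requests are constructed. The proxy opens the request at the application layer, checks method, host and normalised path against the rules, and only then rebuilds its own copy of the request for forwarding; a request it cannot parse is never forwarded, which is what keeps the inner server from ever seeing the client's raw bytes.

```python
import posixpath
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AppRule:
    host: str                  # Host header value the rule applies to
    methods: Tuple[str, ...]   # permitted request methods
    path_prefix: str           # permitted URL path prefix (after normalisation)


# Constructed policy: enterprise browsers may only read dashboard pages on the
# historian's web front end (hostname made up); writes and other paths are
# refused at the proxy.
PROXY_ACL: List[AppRule] = [
    AppRule("historian.dmz.example", ("GET", "HEAD"), "/dashboards/"),
]


def parse_request(raw: bytes) -> Tuple[str, str, str, Dict[str, str], bytes]:
    """Split one HTTP/1.x request into (method, target, version, headers, body).
    Anything that is not a well-formed request raises ValueError."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers")
    lines = head.decode("ascii").split("\r\n")  # UnicodeDecodeError is a ValueError
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        raise ValueError("bad request line")
    method, target, version = parts
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise ValueError("bad header line")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers, body


def path_permitted(target: str, prefix: str) -> bool:
    """Compare the path against the prefix after collapsing '.' and '..'
    segments, so '/dashboards/../admin' is judged as '/admin'."""
    path = posixpath.normpath(target.split("?", 1)[0])
    return path == prefix.rstrip("/") or path.startswith(prefix)


def rebuild(method: str, target: str, version: str,
            headers: Dict[str, str], body: bytes) -> bytes:
    """Re-serialise from the parsed fields: the inner server receives the
    proxy's own copy of the request, not the client's raw bytes."""
    lines = [f"{method} {target} {version}"]
    lines += [f"{name}: {value}" for name, value in sorted(headers.items())]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii") + body


def decide(acl: List[AppRule], raw: bytes) -> Tuple[str, Optional[bytes]]:
    """Return ("forward", rebuilt request) or ("deny", None)."""
    try:
        method, target, version, headers, body = parse_request(raw)
    except ValueError:
        return "deny", None
    host = headers.get("host", "")
    for rule in acl:
        if (host == rule.host and method in rule.methods
                and path_permitted(target, rule.path_prefix)):
            return "forward", rebuild(method, target, version, headers, body)
    return "deny", None


# Constructed sample requests.
READ_OK = b"GET /dashboards/overview?range=1h HTTP/1.1\r\nHost: historian.dmz.example\r\n\r\n"
WRITE = b"POST /dashboards/overview HTTP/1.1\r\nHost: historian.dmz.example\r\n\r\n"
TRAVERSAL = b"GET /dashboards/../admin HTTP/1.1\r\nHost: historian.dmz.example\r\n\r\n"
WRONG_HOST = b"GET /dashboards/x HTTP/1.1\r\nHost: other.example\r\n\r\n"
GARBAGE = b"\x00\x01not http at all"

if __name__ == "__main__":
    for name, raw in [("read", READ_OK), ("write", WRITE), ("traversal", TRAVERSAL),
                      ("wrong host", WRONG_HOST), ("garbage", GARBAGE)]:
        print(f"{name:10} -> {decide(PROXY_ACL, raw)[0]}")
```

The normalisation step is the part worth copying: an ACL applied to the raw path would accept `/dashboards/../admin` as being under `/dashboards/`, which is exactly the kind of mistake a packet filter, which never sees the path at all, cannot make and an application proxy can.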

SLIDE 17

SLIDE 18

SLIDE 19

SLIDE 20

Other Firewall Services

  • Acting as an Intrusion Detection System: logging denied packets, recognizing network packets specifically designed to cause problems, reporting unusual traffic patterns
  • Blocking infected traffic by deploying front-line anti-virus software on the firewall
  • Authentication services through passwords or public key encryption
  • Virtual Private Network (VPN) gateway services by setting up an encrypted tunnel between the firewall and remote host devices
  • Network Address Translation (NAT), where a set of IP addresses used on one side of a firewall is mapped to a different set on the other side.
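An added example (not from the presentation) of the first bullet, the firewall acting as an intrusion detection system: it reads denied-packet log lines and reports two of the unusual patterns the slide has in mind, one source probing many different ports and one source repeatedly hitting a single service. The log lines are constructed in the style of the Linux iptables LOG target (the `PCN-DENY:` prefix is made up, addresses are RFC 5737 documentation ranges); the thresholds are assumptions, and a production detector would also bucket the counts by time window.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed deny log. 198.51.100.0/24 plays the enterprise side, 192.0.2.10 a
# PCN host; 5450 is the PI port named on the topology slides.
SAMPLE_LOG = """\
Mar  3 10:00:01 fw1 kernel: PCN-DENY: IN=eth1 OUT=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=41002 DPT=21
Mar  3 10:00:01 fw1 kernel: PCN-DENY: IN=eth1 OUT=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=41003 DPT=22
Mar  3 10:00:01 fw1 kernel: PCN-DENY: IN=eth1 OUT=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=41004 DPT=23
Mar  3 10:00:02 fw1 kernel: PCN-DENY: IN=eth1 OUT=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=41005 DPT=80
Mar  3 10:00:02 fw1 kernel: PCN-DENY: IN=eth1 OUT=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=41006 DPT=135
Mar  3 10:00:02 fw1 kernel: PCN-DENY: IN=eth1 OUT=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=41007 DPT=139
Mar  3 10:00:02 fw1 kernel: PCN-DENY: IN=eth1 OUT=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=41008 DPT=445
Mar  3 10:00:03 fw1 kernel: PCN-DENY: IN=eth1 OUT=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=41009 DPT=502
Mar  3 10:00:03 fw1 kernel: PCN-DENY: IN=eth1 OUT=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=41010 DPT=1433
Mar  3 10:00:03 fw1 kernel: PCN-DENY: IN=eth1 OUT=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=41011 DPT=3389
Mar  3 10:01:10 fw1 kernel: PCN-DENY: IN=eth1 OUT=eth0 SRC=198.51.100.20 DST=192.0.2.10 PROTO=TCP SPT=52000 DPT=5450
Mar  3 10:01:40 fw1 kernel: PCN-DENY: IN=eth1 OUT=eth0 SRC=198.51.100.20 DST=192.0.2.10 PROTO=TCP SPT=52001 DPT=5450
Mar  3 10:02:10 fw1 kernel: PCN-DENY: IN=eth1 OUT=eth0 SRC=198.51.100.20 DST=192.0.2.10 PROTO=TCP SPT=52002 DPT=5450
Mar  3 10:02:30 fw1 kernel: PCN-DENY: IN=eth1 OUT=eth0 SRC=198.51.100.30 DST=192.0.2.10 PROTO=TCP SPT=60000 DPT=80
Mar  3 10:02:31 fw1 kernel: PCN-DENY: IN=eth1 OUT=eth0 SRC=198.51.100.30 DST=192.0.2.10 PROTO=UDP SPT=5353 DPT=161
Mar  3 10:02:32 fw1 kernel: PCN-DENY: IN=eth1 OUT=eth0 SRC=198.51.100.30 DST=192.0.2.10 PROTO=ICMP TYPE=8 CODE=0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<prefix>\S+) (?P<fields>.*)$")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Turn one log line into a dict of KEY=VALUE fields (plus ts and prefix).
    Bare flags such as SYN carry no '=' and are skipped; ICMP lines have no DPT."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = {"ts": m.group("ts"), "prefix": m.group("prefix")}
    for token in m.group("fields").split():
        key, eq, value = token.partition("=")
        if eq:
            fields[key] = value
    return fields


def find_port_scans(events: List[Dict[str, str]], min_ports: int = 5) -> Dict[str, List[int]]:
    """One source denied on many distinct destination ports: port probing."""
    ports = defaultdict(set)
    for ev in events:
        if "DPT" in ev:
            ports[ev["SRC"]].add(int(ev["DPT"]))
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


def find_repeated_denies(events: List[Dict[str, str]],
                         min_count: int = 3) -> Dict[Tuple[str, str, int], int]:
    """Same source repeatedly refused on one service, e.g. an unauthorised host
    trying to reach the historian port again and again."""
    counts = Counter((ev["SRC"], ev["DST"], int(ev["DPT"]))
                     for ev in events if "DPT" in ev)
    return {key: n for key, n in counts.items() if n >= min_count}


def analyze(log_text: str) -> Dict[str, object]:
    """Parse the log and return the denied-packet count plus both findings."""
    events = [ev for ev in (parse_line(l) for l in log_text.splitlines()) if ev]
    return {
        "denied_total": len(events),
        "port_scans": find_port_scans(events),
        "repeated": find_repeated_denies(events),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    print("denied packets:", report["denied_total"])
    for src, ports in report["port_scans"].items():
        print(f"port scan from {src}: {len(ports)} ports {ports}")
    for (src, dst, dport), n in report["repeated"].items():
        print(f"{src} refused {n}x on {dst}:{dport}")
```

Both findings are different from the third host, 198.51.100.30, which is denied on a couple of unrelated ports and an ICMP echo and is left as ordinary noise; the value of doing this on the firewall is that it already holds the denied packets the slide says it should log.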

SLIDE 21

Overall Security Goals of PCN/SCADA Firewalls

  • No direct connection from the Internet to the PCN/SCADA network and vice versa
  • Restricted access from the enterprise network to the control network
  • Unrestricted (but only authorized) access from the enterprise network to shared PCN/Enterprise servers
  • Secured methods for authorized remote support of the control system
  • Secure connectivity for wireless devices
  • Well defined rules outlining the type of traffic permitted
  • Monitoring the traffic attempting to enter the PCN
  • Secure connectivity for management of the firewall

SLIDE 22

Firewall Selection Criteria

Security: The likely effectiveness of the architecture to prevent possible attacks.
Manageability: Ability of the architecture to be easily managed (both locally and from remote).
Scalability: Ability of the architecture to be effectively deployed in both large and small systems or in large numbers.

SLIDE 23

Common SCADA/PCN Segregation Architecture

Dual-Homed Computers

SLIDE 24

Common SCADA/PCN Segregation Architecture

Dual Homed Server with Personal Firewall Software

SLIDE 25

Common SCADA/PCN Segregation Architecture

Packet Filtering Router/Layer-3 Switch between PCN & EN

SLIDE 26

Common SCADA/PCN Segregation Architecture

Two Port Firewall between PCN & EN

SLIDE 27

Common SCADA/PCN Segregation Architecture

Router/Firewall combination between PCN & EN

SLIDE 28

DMZ

The DMZ is a critical part of a firewall architecture.

  • Neither part of the untrusted network, nor part of the trusted network
  • Puts an additional layer of security in front of the DDCMIS LAN
  • Physical or logical sub-network that provides services to users outside the LAN
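An added example (not part of the presentation) that turns the PCN/SCADA firewall goals of slide 21 and the DMZ idea above into checks a rule table can be tested against. A zone-to-zone policy is evaluated first-match, and each goal is probed with one representative flow. The "weak" table has no DMZ and lets the enterprise network straight into the PCN; the "DMZ" table places the shared historian in a DMZ that both sides reach but neither passes through. Zone names, the rules and the support and management ports are assumptions; port 5450 is the PI port named on the topology slides.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ZoneRule:
    """One zone-to-zone rule; zones are assumed names, not addresses."""
    action: str                  # "permit" or "deny"
    src: str                     # source zone or "any"
    dst: str                     # destination zone or "any"
    proto: str                   # "tcp", "udp" or "any"
    dport: Optional[int] = None  # None matches every destination port

    def matches(self, src: str, dst: str, proto: str, dport: int) -> bool:
        return (self.src in ("any", src) and self.dst in ("any", dst)
                and self.proto in ("any", proto)
                and (self.dport is None or self.dport == dport))


def allowed(policy: List[ZoneRule], src: str, dst: str, proto: str, dport: int) -> bool:
    """First matching rule decides; with no match the flow is denied."""
    for rule in policy:
        if rule.matches(src, dst, proto, dport):
            return rule.action == "permit"
    return False


# Before: no DMZ. The shared historian lives inside the PCN, so the enterprise
# side is simply let through, and the firewall is managed from the office LAN.
WEAK_POLICY = [
    ZoneRule("permit", "enterprise", "pcn", "any"),
    ZoneRule("permit", "pcn", "enterprise", "any"),
    ZoneRule("permit", "enterprise", "firewall", "tcp", 22),
]

# After: the shared historian sits in a DMZ. The PCN pushes data out to it on
# the PI port, the enterprise reads from it, the only path into the PCN is one
# support port from the management zone, and the firewall itself is reachable
# only from that management zone.
DMZ_POLICY = [
    ZoneRule("permit", "pcn", "dmz", "tcp", 5450),
    ZoneRule("permit", "enterprise", "dmz", "tcp", 5450),
    ZoneRule("permit", "enterprise", "dmz", "tcp", 443),
    ZoneRule("permit", "mgmt", "pcn", "tcp", 3389),     # authorised remote support (assumed port)
    ZoneRule("permit", "mgmt", "firewall", "tcp", 22),  # firewall management (assumed port)
    ZoneRule("deny", "any", "any", "any"),              # explicit final deny
]

# The slide's goals, each probed with one representative flow:
# (goal, src zone, dst zone, proto, dport, expected result)
GOALS = [
    ("no direct connection Internet -> PCN", "internet", "pcn", "tcp", 5450, False),
    ("no direct connection PCN -> Internet", "pcn", "internet", "tcp", 443, False),
    ("enterprise -> PCN restricted: file sharing blocked", "enterprise", "pcn", "tcp", 445, False),
    ("enterprise -> PCN restricted: PI traffic only via DMZ", "enterprise", "pcn", "tcp", 5450, False),
    ("enterprise reaches shared server in DMZ", "enterprise", "dmz", "tcp", 5450, True),
    ("PCN can feed the shared server in DMZ", "pcn", "dmz", "tcp", 5450, True),
    ("firewall not managed from enterprise", "enterprise", "firewall", "tcp", 22, False),
    ("firewall managed from management zone", "mgmt", "firewall", "tcp", 22, True),
]


def check_policy(policy: List[ZoneRule]) -> List[str]:
    """Return the goals the policy fails; an empty list means every goal holds."""
    return [goal for goal, src, dst, proto, dport, expected in GOALS
            if allowed(policy, src, dst, proto, dport) != expected]


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("dmz", DMZ_POLICY)):
        failures = check_policy(policy)
        print(f"{name}: {len(failures)} goal(s) failed")
        for goal in failures:
            print("  -", goal)
```

Encoding the goals as flows rather than as rule text is deliberate: a "permit any" rule fails the restricted-access goals no matter how it is written, and the same probes can be re-run after every rule change, which is the "well defined rules" goal in practice.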

SLIDE 29

Common SCADA/PCN Segregation Architecture

Firewall with DMZ between PCN & EN

SLIDE 30

Common SCADA/PCN Segregation Architecture

Paired Firewalls with DMZ between PCN & EN

SLIDE 31

Common SCADA/PCN Segregation Architecture

Firewall with DMZ and SCADA/PCN VLAN

SLIDE 32

Comparison Chart for PCN/SCADA segregation Architecture

SLIDE 33

DDCMIS NETWORK SECURITY MEASURES TAKEN AT NTPC/TALCHER-KANIHA

SLIDE 34

SLIDE 35

Network Topology

[Diagram: Stage I Plant Network (Unit 1 and Unit 2 Keltron OPC Servers) and Stage II Plant Network (Unit 3 and Unit 6 Honeywell Experion Systems with Honeywell OPC Server), each connected through a Firewall Gateway PC + PI OPC Interface to the PI Server on the Office Network (Port 5450); ABT Network with ABT OPC Server + PI OPC Interface behind a firewall at 10.0.120.202.]

SLIDE 36

Network Topology

[Diagram: Firewall-1 Gateway PC connecting Unit 3 and Unit 6 Honeywell Experion Systems and the Honeywell WAN Server to the Office Network (NTPC LAN) with PI Server and PI Client; Firewall-2 in front of the Stage II Plant Network; Firewall-3 (10.0.120.202) in front of the ABT Network with redundant ABT OPC Server + PI OPC Interface; Unit 1 and Unit 2 DDCMS with Main and Standby OPC Servers behind L-3 Switches.]

SLIDE 37

[Diagram: Station LAN of Talcher-II before PI connectivity. Control system side: Unit HMI servers and Unit HMI LANs for UNIT-3, 4, 5 and 6 (U#3 switch, OWS/LVS in CCR, OWS in PR & CER), each behind a typical firewall; Station LAN switch and STN LAN server, MOR PC, Gateway PC, ESP PCs #3,4,5,6, server, PR switch, SWAS, C&I shift PC, Incharge PC, PT plant switch and service building switch; PLCs for ash handling, fire-proof AC, CHP-1, CHP-2, DM plant, PT plant, cooling tower-1 and cooling tower-2; IT LAN with office PCs (PC1 ... PCn) of the Head of Project, Heads of O&M, Operations, C&I shift, boiler/turbine maintenance engineers, C&I maintenance engineers etc.; BPOS system for U#3,4,5 & 6.]

SLIDE 38

[Diagram: Station LAN of Talcher-II after PI connectivity. Same station LAN as the previous slide (Unit HMI servers and LANs for UNIT-3, 4, 5 and 6 behind typical firewalls, Station LAN switch and server, MOR PC, Gateway PC, ESP PCs #3,4,5,6, PR switch, PT plant switch, service building switch, plant PLCs, IT LAN with office PCs PC1 ... PCn, BPOS system for U#3,4,5 & 6), now with a DMZ holding the PI-Server and the PI-Interface between the control system and the IT LAN.]

SLIDE 39

PI system connectivity at Talcher-II

[Diagram: PI-Server, PI-Interface and NTPC Office LAN.]

SLIDE 40

Network Testing Methodology

Steps:

  • 1. Review the existing LAN of NTPC/Talcher Kaniha
  • 2. Perform a Bandwidth Assessment Test
  • 3. Perform a Vulnerability Test
  • 4. Conduct a Penetration Test
  • 5. Conduct a Security Audit
  • 6. Conduct a CCTV Demo between Talcher Kaniha & EOC-NOIDA
  • 7. Recommendation and Suggested Up-Gradation

SLIDE 41

Vulnerability Test on Servers

  • Finding vulnerabilities in the operating system
  • Vulnerabilities of servers

Tools:
  NMAP: To map open ports
  NESSUS: To find the applications running on the target servers
  MBSA: To find the missing patches on the operating system and applications

Port Scanning and Network Mapping: used the Traceroute, Hping2, Xprobe2 and Nmap tools.
Fingerprinting and Vulnerability Mapping: server operating system (Gateway PC) fingerprinting.

  • Security patch review using Microsoft Baseline Security Analyzer (MBSA)

SLIDE 42

LAN Capacity Testing

Bandwidth Testing:

  • To find out the used bandwidth of the network
  • Identifying potential bottlenecks

Tool Used: PRTG
Methodology: Port mirroring: all Tx/Rx traffic of the WAN Server, MOR Server and Gateway PC is mirrored into the grapher.

SLIDE 43

Penetration Test

  • Testing of network and components for security weaknesses.

Flowchart: NMAP, Nessus, Ethereal, Hping2/Firewalk, Password Cracking Tool/Web Server Scanner/OS Fingerprinting/SNMP Tests

SLIDE 44

Penetration Tools

  • Ethereal: Sniffs network traffic to find clear-text usernames and passwords
  • Hping2: Command-line oriented TCP/IP packet assembler/analyzer. Used for firewall testing, advanced port scanning, remote OS fingerprinting
  • Firewalk: Used to enumerate the rules of the firewall and ACLs
  • Cain & Abel, John the Ripper, L0phtcrack: Password auditing tools
  • Brutus: Password cracker

SLIDE 45

Network Security

Network Security To Do List:

  • Turn ON virus protection software and be vigilant about installing patches
  • Use complex passwords that include numbers and mixed characters
  • Install firewalls. Monitor them to check who is accessing them and what software they are using.
  • Turn off unnecessary ports and devices
  • Turn down and lock down PCs as much as possible
  • Train staff to follow security policies.

SLIDE 46

Information Security Team Structure

Chairman (HOD-C&I)
  • Information Security Coordinator
  • Information Security Manager
  • Database Administrator
  • System Administrator
  • Network Administrator

SLIDE 47

SLIDE 48