Checkpoint Firewall OT ICS Solution For CI and Industrial


CRITICAL INFRASTRUCTURE and

INDUSTRIAL AUTOMATION SECURITY


Preventing the Kill Chain in
Industrial Control Systems (ICS) / SCADA

Mati Epstein
Global sales manager
Critical Infrastructure and ICS

©2016 Check Point Software Technologies Ltd. 1


Industrial Control Systems (ICS)/SCADA are All Around Us

Water & sewage, electricity, transportation, critical manufacturing, industrial automation, oil & gas, building management

... and we rely on them every day for our basic functions and needs.
Facts and Reality

Dec 2014
German steel mill was hacked via spear phishing, causing massive damage to the plant.

Dec 2015
Blackout across western Ukraine caused by the BlackEnergy spear-phishing malware attack (and again on January 19th).

March 2016
Hackers breached a water utility's control system and changed the levels of chemicals used to treat tap water (Kemuri Water Company).
Most Recent News

June 2017
NotPetya ransomware hits Ukraine's power distribution company, Maersk and others' OT infrastructure.

July 16th, 2017
Energy sector hacking campaign targeted more than 15 U.S. firms (Cyberscoop).

December 2017
Triton malware, affecting Schneider Electric Triconex safety controllers, which are widely used in critical infrastructure. Threat actors deployed malware capable of manipulating emergency shutdown systems (Schneider Electric).
US ICS-CERT Report (Jan 2018)

FY 2017 most prevalent weaknesses (3rd year in a row)

Most attacked sectors (2016): Critical Manufacturing 22%, Communications 21%, Energy 20%, Government Facilities 6%, Water 6%, Transportation Systems 5%


Who Are the Attackers?
Examples of industry attacks over the past years

State actors: BlackEnergy, CrashOverride
Insiders: Maroochy Shire sewage
Teenagers: Lodz tram
Activists: Operation Green Rights
Why Are These Attacks Possible?

Legacy systems; default configuration; few or no updates; little or no encryption; policies & procedures; little or no segmentation; latency concerns


Attack Vectors Reaching the OT Network

Removable media; email phishing and attachments; remote technicians; software vulnerabilities; guest networks; unprotected sockets
HOW CAN WE SECURELY
AND RELIABLY
STAY AHEAD?



Best Practices for Securing OT

Secure both OT and IT environments: protect IT with advanced threat prevention technologies


Securing against Attack Vectors

Attack vector             Check Point solution
Removable media           Endpoint data protection
Spear phishing            SandBlast Threat Emulation and Threat Extraction
Ransomware                SandBlast Anti-Ransomware
Remote technicians        Secured VPN connectivity and two-factor authentication
Software vulnerabilities  IDS/IPS
Viruses and bots          Anti-Virus and Anti-Bot
Missing boundary          Firewall and segmentation


Best Practices for Securing OT

Secure both OT and IT environments:
• Clear segmentation between OT and IT/Internet
• Deploy specialized ICS/SCADA security technologies


Check Point's Security Solutions for Industrial Control Systems/SCADA Cyber Defense

• Visibility of ICS/SCADA traffic
• Enforcement of ICS/SCADA traffic
• SCADA-aware threat prevention
• Ruggedized appliances for harsh environments


Visibility
Real-time SCADA/ICS network monitoring: analyze the ICS network traffic, mapped onto the Purdue Reference Model

Level 3: IT/OT segmentation
Level 2: SCADA/HMI/DCS, control center, historian/PI
Level 1: Controllers (PLC/RTU), control network traffic
Level 0: Field devices; sensor data (pressure, flow, temperature, voltage, state)


Enhanced OT Visibility
Application Control + AAD (Asset and Anomaly Detection) VM

Communication information
• IP and MAC address
• Protocols & commands
• Asset connections within the ecosystem
• Open/proprietary protocols

Asset information
• Equipment vendor
• Equipment type (PLC, HMI, engineering workstation, switch, etc.)
• Asset model name and serial #
• Firmware version
• Physical data (rack slots)

Network mapping
• What assets do you have on the network?
• How are assets communicating, and who is accessing them?
• Uncover configuration issues and vulnerable assets


Visibility by SCADA Protocols and Commands

OPC DA & UA, CIP, IoT, MMS, Profinet, IEC 60870-5-104, BACnet, MQTT, ICCP, Modbus, IEC 61850, DNP3, Siemens Step7, and many more...

Over 1200 SCADA and IoT commands in Check Point Application Control
Updated list: appwiki.checkpoint.com
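For one protocol, the visibility described on this and the preceding slide reduces to decoding the Modbus/TCP MBAP header and PDU and recording which host issues which function codes to which unit IDs. The Python below is an added example written for this page, not Check Point code: it decodes captured request frames, builds the per-asset "communication information" listed above (addresses, roles, protocols and commands, peers), and separates the masters that write to the process from those that only read. The host addresses and sample frames are constructed.

```python
"""Passive Modbus/TCP visibility: decode captured request frames and build the
asset and command inventory a SCADA-aware gateway logs. Added example for this
page, not Check Point code. Sample frames and addresses are constructed."""
from dataclasses import dataclass, field
from typing import Optional
import struct

MODBUS_PORT = 502

# Public function codes from the Modbus Application Protocol specification.
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
    23: "Read/Write Multiple Registers",
}
WRITE_FUNCTIONS = {5, 6, 15, 16, 23}


@dataclass(frozen=True)
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    start: Optional[int]   # first coil/register address
    count: Optional[int]   # number of items (1 for single writes)
    value: Optional[int]   # payload of single writes (0xFF00 = coil ON)
    exception: bool = False


def parse_modbus_frame(payload: bytes) -> ModbusRequest:
    """Decode one Modbus/TCP frame: 7-byte MBAP header followed by the PDU."""
    if len(payload) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus/TCP")
    if length != len(payload) - 6:          # length counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    pdu = payload[7:]
    fc = pdu[0]
    if fc & 0x80:                           # exception response: function | 0x80
        return ModbusRequest(tid, unit, fc & 0x7F, None, None, None, exception=True)
    start = count = value = None
    if fc in (1, 2, 3, 4, 15, 16, 23) and len(pdu) >= 5:
        start, count = struct.unpack(">HH", pdu[1:5])
    elif fc in (5, 6) and len(pdu) >= 5:
        start, value = struct.unpack(">HH", pdu[1:5])
        count = 1
    return ModbusRequest(tid, unit, fc, start, count, value)


def describe(req: ModbusRequest) -> str:
    name = FUNCTION_NAMES.get(req.function, f"function {req.function}")
    if req.exception:
        return f"{name}: exception response"
    tag = " [WRITE]" if req.function in WRITE_FUNCTIONS else ""
    val = f" value={req.value}" if req.value is not None else ""
    return f"{name} unit={req.unit_id} start={req.start} count={req.count}{val}{tag}"


@dataclass
class Asset:
    ip: str
    roles: set = field(default_factory=set)      # "master" (client) and/or "slave" (server)
    unit_ids: set = field(default_factory=set)   # unit ids addressed on this server
    functions: set = field(default_factory=set)
    peers: set = field(default_factory=set)


def build_inventory(frames):
    """frames: iterable of (src_ip, dst_ip, dst_port, payload). Only client->server
    requests (dst port 502) carry command semantics, so responses are skipped.
    Returns (assets, conversations, rejected)."""
    assets, conversations, rejected = {}, set(), []
    for src, dst, dport, payload in frames:
        if dport != MODBUS_PORT:
            continue
        try:
            req = parse_modbus_frame(payload)
        except ValueError as err:
            rejected.append((src, dst, str(err)))   # non-Modbus traffic on 502 deserves a look
            continue
        master = assets.setdefault(src, Asset(src))
        slave = assets.setdefault(dst, Asset(dst))
        master.roles.add("master"); slave.roles.add("slave")
        master.peers.add(dst); slave.peers.add(src)
        slave.unit_ids.add(req.unit_id)
        master.functions.add(req.function); slave.functions.add(req.function)
        conversations.add((src, dst, req.unit_id, req.function, req.start, req.count))
    return assets, conversations, rejected


def writers(conversations):
    """Masters that issued any write function: who is changing the process."""
    return {src for src, _, _, fc, _, _ in conversations if fc in WRITE_FUNCTIONS}


# Constructed sample: HMI polling, engineering workstation writing a setpoint,
# the PLC's response, and a non-Modbus frame aimed at port 502.
HMI, EWS, PLC, STRAY = "10.0.1.10", "10.0.1.50", "10.0.2.20", "10.0.1.99"
SAMPLE_FRAMES = [
    (HMI, PLC, 502, bytes.fromhex("0001 0000 0006 01 03 0000 000a")),         # read 10 holding regs
    (EWS, PLC, 502, bytes.fromhex("0002 0000 0006 01 06 0028 05dc")),         # register 40 := 1500
    (PLC, HMI, 49152, bytes.fromhex("0001 0000 0017 01 03 14") + bytes(20)),  # response, skipped
    (STRAY, PLC, 502, bytes.fromhex("0000 0001 0006 01 03 0000 000a")),       # protocol id 1: rejected
]

if __name__ == "__main__":
    assets, convs, rejected = build_inventory(SAMPLE_FRAMES)
    for a in assets.values():
        print(a.ip, sorted(a.roles), "units", sorted(a.unit_ids), "peers", sorted(a.peers))
    for frame in SAMPLE_FRAMES[:2]:
        print(describe(parse_modbus_frame(frame[3])))
    print("writers:", writers(convs), "rejected:", rejected)
```

The inventory is keyed only on requests because a Modbus response does not repeat the address range; a tap sees both directions, but the request side is where the "who commands whom" baseline comes from.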
Asset information
Detailed asset information – Type, Vendor, Firmware and more



Assets View – by Layered Map
Asset layered view according to the Purdue model, with a variety of view options such as neighboring assets, communication direction, ARP baseline and hiding assets with no communication




Enforcement

Application Control Blade – pre-defined policies
• Learning phase – network traffic and logging
• Manual setting of SCADA commands baseline
• Specific command policies
• Specific value policies
• Time-of-day and traffic-pattern policies

AAD (Asset and Anomaly Detection) VM – anomaly detection
• Learning phase – automatically discover assets and communication
• Anomaly-based behavior analysis
• Generate a high-fidelity baseline model
• Generate security and process threat alerts

Combined enforcement of pre-defined policies + anomaly-based analysis
Setting the Baseline
Granular logging of SCADA traffic – detailed, grouped, and analyzed by Check Point SmartLog & SmartEvent – provides detailed forensics for incident investigations.


Manual Setting of SCADA Commands Baseline

• Learning phase – logging of network traffic
• Setting the SCADA commands baseline
• Specific command policies
• Passive (alert) or optional active (block) policy


Alerts by Behavior Analysis
Alerts window with filtering capabilities and an alerts tree organized by process-integrity and security events




Legacy Systems Are Often Unpatched



Virtual Patching
Over 300 dedicated IDS/IPS signatures stop exploits of known vulnerabilities and detect anomalous traffic. Protected by Check Point IPS (NSS Labs highest rating).




Check Point 1200R
New Purpose-Built Ruggedized Security Gateway Appliance

• Fully featured Check Point security gateway
• 6x1GbE ports and firewall throughput of 2 Gbps
• Compliant with the most demanding standards: IEC 61850-3 and IEEE 1613
• Compact fanless design with no moving parts; temperature range from -40°C to 75°C
• Can be used in in-line or tap (mirror) mode
• Routing and networking (e.g. BGP, OSPF, IPsec, etc.)


CrashOverride/Industroyer –
New ICS Attack Platform Targeting Electric Grid Operations
• CrashOverride (also called Industroyer) was the malware employed in the December 17th, 2016 cyber-attack on a Kiev, Ukraine transmission substation, which resulted in electric grid operations impact (as reported by ESET and Dragos).

• ICS-CERT reported on June 14, 2017: https://www.us-cert.gov/ncas/alerts/TA17-163A
  – The tactics, techniques, and procedures (TTPs) described as part of the CrashOverride malware could be modified to target U.S. critical information networks and systems.

• CrashOverride is an extensible platform that could be used to target critical infrastructure sectors, specifically using the IEC 60870-5-104 and IEC 61850 protocols.
  – The malware issues protocol-valid commands directly to RTUs, so the traffic is not malformed and signature matching alone does not catch it.
  – Check Point protocol visibility and baselining would detect and alert on non-baseline protocols and commands.

• It could exploit a Siemens SIPROTEC relay denial-of-service (DoS) vulnerability, leading to a shutdown of the relay.
  – Uses CVE-2015-5374 to hamper protective relays.
  – Check Point published an IPS signature on June 20th for virtual patching of the DoS vulnerability.
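Because the IEC 104 traffic is well-formed, a detector has to look at what each ASDU does and who sent it rather than at packet shape. The Python below is an added example written for this page, not Check Point code and not Industroyer's: it decodes IEC 60870-5-104 I-format APDUs, recognizes the control-direction type identifiers (single/double commands, setpoints, interrogation, clock sync), and raises an alert when a host outside the baselined set of masters issues a command, or when one source addresses many information object addresses with control commands in a short window. The addresses, frames, window and sweep threshold are constructed assumptions, and the sweep heuristic is mine, not something the slide describes.

```python
"""IEC 60870-5-104 control-command audit. Added example for this page, not
Check Point code and not Industroyer's. Hosts, frames and thresholds are
constructed assumptions."""
from collections import defaultdict, deque
from dataclasses import dataclass

# Information element size (bytes) per type identifier, for the types handled here.
ELEMENT_SIZE = {
    1: 1, 3: 1, 9: 3, 11: 3, 13: 5, 30: 8,                # monitoring direction
    45: 1, 46: 1, 47: 1, 48: 3, 49: 3, 50: 5, 51: 4,      # process commands
    58: 8, 59: 8, 60: 8, 61: 10, 62: 10, 63: 12, 64: 11,  # same, with CP56Time2a tag
    100: 1, 101: 1, 102: 0, 103: 7, 104: 2, 105: 1,       # system commands
}
CONTROL_TYPES = set(range(45, 52)) | set(range(58, 65))   # breaker/setpoint commands
SYSTEM_TYPES = set(range(100, 108))                        # interrogation, clock sync, reset ...
TYPE_NAMES = {1: "M_SP_NA_1 single-point", 45: "C_SC_NA_1 single command",
              46: "C_DC_NA_1 double command", 100: "C_IC_NA_1 interrogation"}


@dataclass(frozen=True)
class Asdu:
    type_id: int
    cot: int            # cause of transmission (6 = activation)
    originator: int
    common_addr: int
    objects: tuple      # ((ioa, element_bytes), ...)


def parse_apdu(data: bytes):
    """Return the ASDU of an I-format APDU, or None for S/U-format (no ASDU)."""
    if len(data) < 6 or data[0] != 0x68:
        raise ValueError("not an IEC 104 APDU")
    if data[1] + 2 != len(data) or data[1] < 4:
        raise ValueError("APDU length mismatch")
    if data[2] & 0x01:                      # bit 0 set: S-format (0x01) or U-format (0x03)
        return None
    asdu = data[6:]
    if len(asdu) < 6:
        raise ValueError("truncated ASDU header")
    type_id, vsq, cot, orig = asdu[0], asdu[1], asdu[2], asdu[3]
    common_addr = int.from_bytes(asdu[4:6], "little")
    sequence, count = bool(vsq & 0x80), vsq & 0x7F
    size = ELEMENT_SIZE.get(type_id)
    objects, pos, base = [], 6, None
    if size is not None:
        for i in range(count):
            if sequence and base is not None:
                ioa = base + i                  # SQ=1: one IOA, elements contiguous
            else:
                ioa = int.from_bytes(asdu[pos:pos + 3], "little"); pos += 3
                base = ioa
            if pos + size > len(asdu):
                raise ValueError("truncated information object")
            objects.append((ioa, asdu[pos:pos + size])); pos += size
    return Asdu(type_id, cot & 0x3F, orig, common_addr, tuple(objects))


def decode_sco(element: bytes) -> dict:
    """Single command: bit 0 on/off, bits 2-6 qualifier, bit 7 select(1)/execute(0)."""
    b = element[0]
    return {"on": bool(b & 0x01), "qualifier": (b >> 2) & 0x1F, "select": bool(b & 0x80)}


@dataclass(frozen=True)
class Alert:
    ts: float
    src: str
    kind: str
    detail: str


def audit(frames, allowed_masters, sweep_threshold=5, window=2.0):
    """frames: (ts, src, dst, apdu_bytes). Flags commands from hosts outside the
    baselined masters, and a sweep when one host sends control commands to at
    least sweep_threshold distinct IOAs within `window` seconds."""
    alerts, recent = [], defaultdict(deque)
    for ts, src, dst, data in frames:
        asdu = parse_apdu(data)
        if asdu is None:
            continue
        name = TYPE_NAMES.get(asdu.type_id, f"type {asdu.type_id}")
        if asdu.type_id in CONTROL_TYPES | SYSTEM_TYPES and src not in allowed_masters:
            alerts.append(Alert(ts, src, "unknown_master",
                                f"{src} -> {dst} CA={asdu.common_addr} {name} cot={asdu.cot}"))
        if asdu.type_id in CONTROL_TYPES:
            q = recent[src]
            for ioa, _ in asdu.objects:
                q.append((ts, ioa))
            while q and ts - q[0][0] > window:
                q.popleft()
            distinct = {ioa for _, ioa in q}
            if len(distinct) >= sweep_threshold:
                alerts.append(Alert(ts, src, "control_sweep",
                                    f"{src} sent {name} to {len(distinct)} IOAs within {window}s"))
                q.clear()
    return alerts


def build_apdu(type_id, cot, common_addr, ioa, element, send_seq=0, recv_seq=0):
    """Encode a single-object I-format APDU (used only to construct samples here)."""
    asdu = (bytes([type_id, 0x01, cot, 0x00]) + common_addr.to_bytes(2, "little")
            + ioa.to_bytes(3, "little") + element)
    ctrl = (send_seq << 1).to_bytes(2, "little") + (recv_seq << 1).to_bytes(2, "little")
    return bytes([0x68, len(ctrl) + len(asdu)]) + ctrl + asdu


CONTROL_CENTER, RTU, ROGUE = "10.10.0.5", "10.10.1.7", "10.10.0.99"


def sample_frames():
    frames = [
        (0.0, CONTROL_CENTER, RTU, build_apdu(100, 6, 1, 0, bytes([20]))),                # general interrogation
        (1.0, CONTROL_CENTER, RTU, build_apdu(45, 6, 1, 100, bytes([0x01]), send_seq=1)),  # breaker 100 ON
        (1.2, RTU, CONTROL_CENTER, build_apdu(1, 3, 1, 100, bytes([0x01]), recv_seq=2)),   # spontaneous status
    ]
    for i in range(8):   # constructed sweep: rogue host opens IOAs 100..107 within a second
        frames.append((10.0 + 0.1 * i, ROGUE, RTU,
                       build_apdu(45, 6, 1, 100 + i, bytes([0x00]), send_seq=i)))
    return frames


if __name__ == "__main__":
    for a in audit(sample_frames(), allowed_masters={CONTROL_CENTER}):
        print(f"{a.ts:5.1f} {a.kind:15} {a.detail}")
```

The sweep rule is the anomaly-shaped half of the check: a legitimate operator opens one breaker at a time, so a burst of single commands walking through consecutive object addresses stands out even when the sender is an otherwise-allowed master.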


CASE STUDIES



OT Security Blueprint
Diagram: management facility (AAD, SCADA server, Check Point gateway, SmartEvent) linked by VPN to the main control center (SCADA, HMI); a 1200R gateway in front of each shop floor (Line A, Line B) protecting PLC1, PLC2, PLC3 ... PLCx


OT Security Blueprint – High Availability
Diagram: the same blueprint built for high availability: management facility (AAD, SCADA server, SmartEvent), main control center (SCADA, HMI) and VPN links to Shop Floor Line A and Line B (PLC1, PLC2, PLC3 ... PLCx)


Full IT-OT Convergence Blueprint



The Corporate Building (BMS)
Energy management, HVAC, lighting, elevators, access & security, water, and more

• Perimeter segmentation
• Functional zone segmentation
• DPI of BMS protocols (SCADA/IoT: MQTT, BACnet)


ICS & IoT Convergence (BMS Environment)
Diagram (April 2018): R80 security gateway with NAC between the office WLAN/LAN and the building control network; SCADA server and BACnet/MQTT-over-Ethernet PLCs controlling elevator, AC and water; ICS visibility on the gateway


Remote Maintenance for Elevator or HVAC (and more)
Diagram: the vendor's service center reaches the building security gateway over a VPN connection; the gateway fronts the elevator (or AC) PLC and inspects which protocol the maintenance session is using

• Secured connectivity (VPN)
• Protocol visibility
• Command provisioning
• Access control
• Remote Access VPN client
Power Utilities – Substation Security
• Typical power utility security deployment in substations
• Single or cluster solution for combined OT and IT traffic
• SCADA security

Diagram: central site (SCADA server, SmartEvent, data center) and backup site (SCADA server, SmartEvent, data center) connected over MPLS to the substation LAN, where the RTU / substation controller speaks IEC-104/DNP3 to the IEDs


Connexus Energy Secures SCADA, ICS, and IT Environments with a Single Integrated Solution
Check Point Ruggedized Appliances and Single-Pane-of-Glass Management Elevate Energy Provider's Security Posture to a New Level

Challenge
• Protect traditional SCADA and ICS networks from cyberthreats
• Simplify security management

Solution
• Check Point 1200R rugged appliances
• Check Point Compliance Software Blade
• Check Point R80 Security Management

Results
• Gained high availability and reliability across integrated security infrastructure
• Increased security team efficiency and effectiveness through single-pane-of-glass management
• Created a robust incident response plan for the entire company

"The Check Point 1200R delivered ruggedization, comprehensive security, centralized visibility, and compliance best practices in one product. Its footprint is so small that it easily fit in every environment we needed to place it."
— Melissa Kjendle, Cybersecurity and Senior Infrastructure Analyst

Based in Ramsey, Minnesota, Connexus Energy is Minnesota's largest electric cooperative.
Learn more at: https://www.checkpoint.com/customer-stories/connexus-energy/
Securing a Transmission System Operator (TSO) Control Systems
Reasons to Choose Check Point
• Simple to manage
• Virtual machine deployment
• Ability to granularly inspect SCADA protocols

• Each data center is designed to control the entire national grid in case of failure of all the others
• Fully redundant topology with 3 firewalls per data center

Diagram: per data center, three firewalls front the DMZ (workstations, control rooms, externals), the SCADA servers and switches SW1/SW2; the control room and remote control rooms are reached over MPLS


Wind Farms Topology
Compagnie Nationale du Rhône
Diagram: redundant data centers (SCADA server, SmartEvent) in the IT zone behind a high-availability 1200R pair, and a 1200R at each wind farm in front of the Modbus PLC, connected over a communication cloud (Ethernet/IP/MPLS, cellular) with VPN


Waste Water Treatment Network
Applicable in oil and gas (offshore/onshore)

• Security motivation – new regulation for critical infrastructure
• Challenge and Check Point advantage – managing thousands of remote sites

Diagram: data center (SmartCenter, SCADA server) connected to remote PLCs over Modbus, CIP and OPC


Unified IT and OT Management for Best ROI and Optimal Protection

Customized visibility, unified policy, monitoring everywhere

Management integration with leading SIEM systems: QRadar, ArcSight, Splunk, and others such as Predix


Dedicated Compliance and Regulation Monitoring
SCADA-specific compliance checks, reported by the Check Point Compliance Blade: real-time assessment of compliance with major regulations


Industrial Security Process

Learning
Visibility – passively log all SCADA activity: network, protocols, commands, assets, traffic behavior

Define baseline and policies
Set rules based on known / unknown / not-allowed commands, or on anomaly-based behavior analysis

Enforcement
Detection – identify deviations and attacks / anomaly detection, based on the defined rules, time of day, attack patterns, behavior deviation
Enforcement – passive (alert) / active (prevent), based on configuration and/or topology – in-line or tap
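The three stages above (learn, define baseline and policies, enforce), which are also the pre-defined-policy half of the Enforcement slides earlier in the deck, can be written down as a small rule engine. The Python below is an added example written for this page, not Check Point's implementation. It works on already-decoded command records (one per Modbus/TCP request, with the fields a protocol-aware gateway logs), learns a baseline from a learning-phase capture, layers explicit specific-command, specific-value and time-of-day rules on top, and returns an alert in passive mode or a block in active mode for anything outside both. Host addresses, register ranges, hours and the sample traffic are constructed.

```python
"""Baseline-and-policy enforcement for decoded SCADA commands. Added example
for this page, not Check Point's implementation. Works on already-decoded
Modbus/TCP request records; hosts, ranges, hours and traffic are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple


@dataclass(frozen=True)
class Command:
    ts: float                     # epoch seconds (UTC)
    src: str
    dst: str
    unit: int
    function: int                 # Modbus function code
    start: int                    # first register/coil address
    count: int = 1
    value: Optional[int] = None   # payload of single-register/coil writes


@dataclass(frozen=True)
class Rule:
    """Explicit policy. Selector fields left as None match anything. A selected
    command that violates value_range or hours is blocked; otherwise `action`."""
    name: str
    src: Optional[str] = None
    dst: Optional[str] = None
    unit: Optional[int] = None
    function: Optional[int] = None
    addr_range: Optional[Tuple[int, int]] = None    # inclusive range for cmd.start
    value_range: Optional[Tuple[int, int]] = None   # inclusive range for cmd.value
    hours: Optional[Tuple[int, int]] = None         # [start, end) UTC hour window
    action: str = "allow"                           # "allow" or "block"


def _selected(rule: Rule, cmd: Command) -> bool:
    for attr in ("src", "dst", "unit", "function"):
        want = getattr(rule, attr)
        if want is not None and want != getattr(cmd, attr):
            return False
    if rule.addr_range and not rule.addr_range[0] <= cmd.start <= rule.addr_range[1]:
        return False
    return True


def evaluate_rule(rule: Rule, cmd: Command):
    """None if the selector does not match, else (action, reason)."""
    if not _selected(rule, cmd):
        return None
    if rule.value_range and cmd.value is not None:
        lo, hi = rule.value_range
        if not lo <= cmd.value <= hi:
            return "block", f"{rule.name}: value {cmd.value} outside {lo}..{hi}"
    if rule.hours:
        hour = datetime.fromtimestamp(cmd.ts, timezone.utc).hour
        lo, hi = rule.hours
        if not lo <= hour < hi:
            return "block", f"{rule.name}: {hour:02d}:xx UTC outside {lo:02d}:00-{hi:02d}:00"
    return rule.action, f"{rule.name}: matched"


def baseline_key(cmd: Command):
    return (cmd.src, cmd.dst, cmd.unit, cmd.function, cmd.start, cmd.count)


def learn_baseline(records):
    """Learning phase: every distinct (who, whom, unit, function, range) seen is normal."""
    return {baseline_key(c) for c in records}


def enforce(cmd: Command, baseline, rules, mode="passive"):
    """Explicit rules first, then the learned baseline. Traffic outside both is
    alerted in passive mode and blocked in active mode."""
    for rule in rules:
        verdict = evaluate_rule(rule, cmd)
        if verdict:
            return verdict
    if baseline_key(cmd) in baseline:
        return "allow", "in baseline"
    return ("alert" if mode == "passive" else "block",
            f"not in baseline: {cmd.src}->{cmd.dst} fc={cmd.function} unit={cmd.unit} start={cmd.start}")


def _utc(hour, minute=0):
    return datetime(2018, 4, 3, hour, minute, tzinfo=timezone.utc).timestamp()


HMI, EWS, PLC, ROGUE = "10.0.1.10", "10.0.1.50", "10.0.2.20", "10.0.1.77"
LEARNING = [Command(_utc(9, m), HMI, PLC, 1, 3, 0, 10) for m in range(5)] + [
    Command(_utc(10), EWS, PLC, 1, 6, 40, 1, 1500)]                # EWS setpoint write
RULES = [
    Rule("EWS setpoint", src=EWS, dst=PLC, unit=1, function=6,
         addr_range=(40, 49), value_range=(0, 2000), hours=(6, 18)),
    Rule("no block writes to PLC", dst=PLC, function=16, action="block"),
]
TRAFFIC = [
    Command(_utc(11), HMI, PLC, 1, 3, 0, 10),              # routine poll: allow
    Command(_utc(11), ROGUE, PLC, 1, 3, 0, 10),            # unknown host: alert / block
    Command(_utc(12), EWS, PLC, 1, 6, 40, 1, 1200),        # in range, in hours: allow
    Command(_utc(12), EWS, PLC, 1, 6, 40, 1, 5000),        # value out of range: block
    Command(_utc(2), EWS, PLC, 1, 6, 40, 1, 1200),         # 02:00 UTC: block
    Command(_utc(12), ROGUE, PLC, 1, 16, 0, 8),            # forbidden function: block
]


def run(mode="passive"):
    baseline = learn_baseline(LEARNING)
    return [enforce(c, baseline, RULES, mode)[0] for c in TRAFFIC]


if __name__ == "__main__":
    baseline = learn_baseline(LEARNING)
    for mode in ("passive", "active"):
        for cmd in TRAFFIC:
            action, reason = enforce(cmd, baseline, RULES, mode)
            print(f"{mode:7} {action:5} {reason}")
```

Running the same traffic through `run("passive")` and `run("active")` shows the only difference the mode makes: traffic that matches an explicit rule gets the same verdict either way, and only the unknown, never-baselined command flips from alert to block. That is the property that lets a site run in tap/alert mode until the learned baseline is trusted, then move in-line.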
Check Point Offering –
End-to-End Security Suite for Critical Infrastructure IT and OT Networks

Most extensive security support of ICS/SCADA protocols

Full OT-to-IT security segmentation

Large-scale management – market "Gold Standard" (Gartner)

Check Point offers a complete security suite from mobile and endpoint to the cloud, including private cloud for separation of IT from OT


THANK YOU

