“Practical demonstration of protecting an industrial automation scenario”

E. Echave – Cybersecurity Consultant, Grupo CMC
J.L. Laguna – Technical Director, Fortinet Iberia
E. Capdeville – CEO, Nozomi Networks
Cognicase Management Consulting
• Founded in 1993, 100% domestic capital
• Clients in sectors such as:
  • Pharmaceutical industry
  • Automotive
  • Energy
  • Transport and infrastructure
• Execution of automation projects
• Integration of perimeter security solutions
• Specialised unit in Industrial Cybersecurity
Countries shown on the slide: Italy, Mexico, Portugal, Colombia
Lessons learned…
• Upgrading equipment just because it is more secure is not a priority
• Definition of patterns and behaviours
• Difficult to carry out, depending on the environment
• Requires an additional investment of resources
• Perimeter “security” as the first measure
• Plant visibility
• Significant impact on operations
Therefore…
• Interconnection = greater exposure
• The infrastructure bears much of the weight
• Threats arrive over the network, so the response is over the network
• Traffic flows are a reflection of the process
• Monitoring is mandatory
• Contextualise the information
• Distinguish between threat information and threat intelligence
• To secure, you must know the process and the business
Our approach…
NEEDS
• Behaviour analysis
• Provide visibility
• Tracking (forensics)
OT today
• Integration with IT
• Use of common Internet protocols
• Increased use of Ethernet
• General-purpose hardware and OS
• Target of cyberattacks

Recommendations (one per point above)
• Segmentation and encryption of communications
• Access control (by device, user, protocol, application…)
• Secure access (wired or wireless network)
• Patching and vulnerability scanning
• Provide visibility, behaviour analysis and tracking (forensics)
Devices designed for industrial environments

MODEL | FGR-30D | FGR-35D | FGR-60D | FGR-90D
Firewall (1518/512/64 byte UDP) | 900 Mbps | 550 Mbps | 1.5 Gbps | 2 Gbps
Concurrent Sessions | 750,000 | 750,000 | 500,000 | 2,500,000
New Sessions/Sec | 5,000 | 5,000 | 4,000 | 20,000
IPSec VPN | 45 Mbps | 45 Mbps | 1 Gbps | 84 Mbps
IPS (Ent. Mix) | 230 Mbps | 230 Mbps | 200 Mbps | 1,100 Mbps
Interfaces (LAN, WAN & DMZ) | 4 x GE RJ45, 2 x SFP, 2 x DB9 Serial | 4 x GE RJ45, 2 x Shared Media Pairs, 1 x DB9 Serial | 3 x GE RJ45, 2 x SFP, 1 x RJ45 Bypass Pair | 3 x GE RJ45, 2 x DB9 Serial
Ruggedised switches and access points
• Access management from the firewall
• Centralised configuration from the firewall (or management platform)
• Automatic device detection
• Simplicity!
Single point of management
FortiSIEM: SOC + NOC

NOC
• Asset management
• Service monitoring

SOC
• Access monitoring
• Security event correlation
• Vulnerability management

SOC+NOC
• Monitoring of operational services

Alerts and automatic actions:
• If the application does not respond
• If there is an attack or threat
• If there is a performance or availability problem
• If there is a configuration change
FortiGate and SCADAguardian integration
What is SCADAguardian?

SCADAguardian implements an innovative technology for monitoring and assessing Industrial Control Systems.

• It is an appliance (physical or virtual) that connects passively and non-intrusively to the industrial network (control network and process networks)
• Listens to all traffic within the control and process networks, analyzing it passively at all levels of the OSI stack (from L1 to L7)
• Uses Artificial Intelligence and Machine Learning techniques to create detailed behavior profiles for every device according to the process state, in order to quickly detect critical state conditions
• Provides best-in-class network visualization, asset management, ICS anomaly and intrusion detection, vulnerability assessment, as well as dashboards and reporting
One Comprehensive Solution for ICS Cybersecurity and Monitoring

(Diagram: Nozomi Networks’ Solution Architecture)
Capabilities Required of an Integrated ICS Cybersecurity Solution

• Reduce Troubleshooting and Remediation Efforts
• Quickly Recognize and Remediate Operational Anomalies
• Rapidly Detect Cybersecurity Vulnerabilities, Threats and Incidents
• Centrally Supervise and Monitor Distributed Networks
• Track Industrial Assets and Corresponding Cybersecurity Risks
• Deploy at Enterprise Scale with Proven Performance
SCADAguardian enables Monitoring and Detection at All ICS Levels

(Diagram: reference architecture with Nozomi Networks and CMC components; Site #1, Site #2 … Site #N each have Local SCADA & HMI at Level 2 and PLCs/RTUs at Level 1.)

Level 4: IT Network (SIEM, SOC, Firewall, Remote Access). Detected with SCADAguardian:
• Monitoring of remote access connection to networks
• Connection to Internet / corporate network DMZ
• MITM & scanning attacks (port, network)
• Unauthorized cross-level communication
• IP conflicts

Level 3: Operations (ICT/DMZ) (Historian, Firewall, DNS). Detected with SCADAguardian:
• Weak passwords (FTP / TFTP / RDP / DCERPC)
• Traffic activity summaries
• Bad configurations (NTP / DNS / DHCP / etc.)
• Network topologies
• Used ports of assets
• Unencrypted communications (Telnet)
• Insecure Internet connections

Level 2: Process Network (Local SCADA & HMI). Detected with SCADAguardian:
• Anomalous protocol behavior
• Online edits to PLC projects
• Communication changes
• Configuration downloads
• New assets in the network
• Non-responsive assets
• Corrupted OT packets
• Firmware downloads
• Logic changes

Level 1: Control Network (PLCs, RTUs). Detected with SCADAguardian:
• Authentication to PLCs
• PLC actions (Start, Stop, Monitor, Run, Reboot, Program, Test)

Level 0: Field Network. Detected with SCADAguardian:
• Fieldbus I/O monitoring
Nozomi Networks deployed all over the World

SCADAguardian with FortiGate: Next-Level Active Security for ICS

Passive Monitoring (SCADAguardian)
• Non-intrusive: real-time passive monitoring guarantees no performance impact and permits visibility at different layers of the Control and Process Networks
• Deep SCADA Understanding: deep understanding of all key SCADA protocols, open and proprietary
• Behavioral Analysis: automatically learns ICS behavior and detects suspicious activities
• Turn-key Internal and Perimeter Visibility

Active Protection (FortiGate)
• In-line: in-line separation between IT and OT environments
• Traffic Control: proactive filtering of malicious and unauthorized network traffic
• Security Policy Enforcement: flexibility to enforce security policies with different degrees of granularity
• Fine Tuning, Control and Monitoring of the Firewall Ruleset

Together: Proactive SCADA Security
Fortinet / Nozomi Networks Integrated Solution

Full Protection, Visibility and Monitoring Thanks to Nozomi Networks and Fortinet

The Nozomi Networks solution passively monitors the network, thus not affecting the performance of the control system. The appliance is connected to the system via a SPAN or mirror port on a switch.

(Diagram: plant process with Valve, Fan and Pump.)
Responding to Threats in Real Time

1. Monitor: a threat is detected by SCADAguardian and an alert is generated
2. Detect: user-defined policies are examined and the appropriate corresponding action is triggered
3. Protect: FortiGate responds according to the user-configured action (Node Blocking, Link Blocking, or Kill Session) in order to mitigate the issue

(Diagram: plant process with Valve, Fan and Pump, numbered 1 to 3 along the flow above.)
Three Use Case Scenarios: Blocking Attack Vectors

1. Blocking Reconnaissance Activity
• New unknown node joins trusted control network (or process network)
• SCADAguardian detects it and triggers alert to FortiGate
• FortiGate enforces policy and blocks node from all access

2. Blocking Unauthorized Activity
• Node in trusted networks issues a command to reprogram a PLC
• SCADAguardian detects anomaly and triggers alert to FortiGate
• FortiGate enforces policy and blocks communication

3. Blocking Advanced Malware or Zero Day Attack
• SCADA Master changes process in subtle way towards a critical state
• SCADAguardian detects anomaly and triggers alert for FortiGate
• FortiGate enforces policy and blocks SCADA Master from all access
Fortinet / Nozomi Networks Integrated Solution

Nozomi Networks: Fortinet Fabric Ready for ICS

• Leverages Security Fabric APIs to deliver pre-integrated, end-to-end security offerings
• Integrated products improve threat awareness & intelligence, broaden & coordinate threat response and policy enforcement
• Faster time-to-deployment & reduced costs due to pre-validation of solutions
PRACTICAL DEMONSTRATION
Simulation of a Hydroelectric Plant (Pumped Storage)
• Taking advantage of the height difference between two bodies of water, electricity is generated when water passes through a turbine from the reservoir (above) to the lake (below).
• When electricity demand is low, the surplus is used to pump the water up to the reservoir. When demand is high, the dam generates electricity.
• In our simulation we assume that only one of the turbines is used.
Baseline Process Cycle (How Nozomi Networks learns)

1. Valve1 is open (1) and the Pump is off (0) → water flows down, passing through Turbine1
   • Reservoir Water Level decreases
   • Lake Water Level increases

2. Valve1 is closed (0) and the Pump is on (1) → water flows up, passing through the Pump
   • Reservoir Water Level decrease
   • Lake Water Level increase
NETWORK MAP
• Tridium JACE: Modbus Client/Master, WWW Server
• FortiGate Rugged 90D
• HMI
• Modbus TCP between the Modbus master and the Modbus slave
• Tridium Sedona: HMI, Modbus Server/Slave
• FortiSwitch Rugged 108D POE
Fortinet & Nozomi integration
• Tridium JACE: Modbus Client/Master, WWW Server
• FortiGate Rugged 90D
• HMI
• Modbus TCP between the Modbus master and the Modbus slave
• Tridium Sedona: HMI, Modbus Server/Slave
• Nozomi SCADAguardian R50
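Added example, not code from the presentation or from Nozomi Networks or Fortinet: a Python sketch of the Monitor / Detect / Protect flow and the three use cases, applied to the Modbus TCP master/slave link in the network map and to the baseline cycle of Valve1 and Pump states. The coil addresses, the JACE master's IP, the learned state set and the mapping of findings to FortiGate actions are assumptions.

```python
import struct
FC_WRITE_SINGLE_COIL = 0x05
WRITE_FCS = {0x05, 0x06, 0x0F, 0x10}           # all Modbus write function codes
# Assumptions for the demo plant (constructed, not taken from the slides): coil
# addresses, the JACE master's address and the (valve1, pump) states seen in the
# baseline cycle; valve open with the pump running is treated as the critical state.
COIL_VALVE1, COIL_PUMP = 0, 1
BASELINE_WRITERS = {"192.0.2.10"}              # Tridium JACE, Modbus master
BASELINE_STATES = {(1, 0), (0, 1), (0, 0)}

def build_coil_write(tid: int, unit: int, addr: int, on: bool) -> bytes:
    """Encode a Write Single Coil request (MBAP header + PDU)."""
    pdu = struct.pack(">BHH", FC_WRITE_SINGLE_COIL, addr, 0xFF00 if on else 0)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

def parse_modbus_tcp(frame: bytes) -> dict:
    """Decode the MBAP header and split off the PDU; raise on a malformed frame."""
    if len(frame) < 8:
        raise ValueError("truncated frame")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("bad protocol id or length field")
    return {"tid": tid, "unit": unit, "fc": frame[7], "data": frame[8:]}

class BaselineMonitor:
    """SCADAguardian role: check each frame seen on the SPAN port against the
    baseline; return (finding, FortiGate action or None)."""
    def __init__(self):
        self.state = {COIL_VALVE1: 1, COIL_PUMP: 0}   # baseline cycle, step 1

    def inspect(self, src_ip: str, frame: bytes):
        try:
            pdu = parse_modbus_tcp(frame)
        except ValueError as exc:
            return (f"corrupted OT packet: {exc}", "kill_session")
        if pdu["fc"] not in WRITE_FCS:
            return ("ok", None)                       # reads are normal HMI polling
        if src_ip not in BASELINE_WRITERS:            # use case 1: unknown node
            return ("unknown node writing to PLC", "block_node")
        if pdu["fc"] != FC_WRITE_SINGLE_COIL or len(pdu["data"]) < 4:
            return ("write function not in baseline", "block_link")  # use case 2
        addr, value = struct.unpack(">HH", pdu["data"][:4])
        if addr not in self.state:
            return ("write to coil not in baseline", "block_link")   # use case 2
        proposed = {**self.state, addr: 1 if value == 0xFF00 else 0}
        if (proposed[COIL_VALVE1], proposed[COIL_PUMP]) not in BASELINE_STATES:
            return ("process pushed to critical state", "block_node")  # use case 3
        self.state = proposed
        return ("ok", None)
```

In the demo this decision would be delivered as an alert to the FortiGate, which applies the configured node, link or session block.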
THANK YOU!