Copyright © 2012, Elsevier Inc. All Rights Reserved
Chapter 3
Separation
Cyber Attacks
Protecting National Infrastructure, 1st ed.
The University of Adelaide, School of Computer Science
Chapter 2 — Instructions: Language of the Computer
Introduction
- Using a firewall to separate network assets from intruders is the most familiar approach in cyber security
- Networks and systems associated with national infrastructure assets tend to be too complex for firewalls to be effective
Introduction
- Three new approaches to the use of firewalls are necessary to achieve optimal separation
  - Network-based separation
  - Internal separation
  - Tailored separation
Fig. 3.1 – Firewalls in simple and complex networks
What Is Separation?
- Separation is a technique that accomplishes one of the following
  - Adversary separation
  - Component distribution
What Is Separation?
- A working taxonomy of separation techniques: three primary factors are involved in the use of separation
  - The source of the threat
  - The target of the security control
  - The approach used in the security control
- (See Fig. 3.2)
Fig. 3.2 – Taxonomy of separation techniques
Functional Separation?
- Separation is commonly achieved using an access control mechanism with requisite authentication and identity management
- An access policy identifies desired allowances for users requesting to perform actions on system entities
- Two approaches
  - Distributed responsibility
  - Centralized control
  - (Both will be required)
Fig. 3.3 – Distributed versus centralized mediation
National Infrastructure Firewalls
- Firewalls are placed between a system or enterprise and an untrusted network (say, the Internet)
- Two problems arise
  - Coverage: the firewall might not cover all paths
  - Accuracy: the firewall may be forced to allow access that inadvertently opens access to other protected assets
Fig. 3.4 – Wide area firewall aggregation and local area firewall segregation
National Infrastructure Firewalls
- Increased wireless connectivity is a major challenge to national infrastructure security
- Network service providers offer advantages to centralized security
  - Vantage point: network service providers can see a lot
  - Operations: network providers have the operational capacity to keep security software current
  - Investment: network service providers have the financial wherewithal and motivation to invest in security
Fig. 3.5 – Carrier-centric network-based firewall
DDOS Filtering
- The network-based firewall concept includes a device for throttling distributed denial of service (DDOS) attacks
  - Called a DDOS filter
- Modern DDOS attacks call for a more advanced filtering system
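As an added illustration of the DDOS filter placed in front of target assets (this is example code, not the book's or any carrier's implementation), the following per-source token-bucket throttle forwards a low-rate legitimate client untouched while dropping most of a single-source flood; the traffic records, addresses, and rate parameters are constructed.

```python
"""Per-source token-bucket DDOS filter over constructed packet records."""
from collections import defaultdict


class DdosFilter:
    def __init__(self, rate, burst):
        self.rate = rate          # tokens refilled per second, per source
        self.burst = burst        # bucket capacity: the largest burst a source may send
        self.tokens = defaultdict(lambda: float(burst))
        self.last = {}            # last packet timestamp seen per source
        self.dropped = defaultdict(int)

    def admit(self, src, ts):
        """Return True if a packet from src arriving at time ts is forwarded."""
        prev = self.last.get(src, ts)
        refill = (ts - prev) * self.rate
        self.tokens[src] = min(self.burst, self.tokens[src] + refill)
        self.last[src] = ts
        if self.tokens[src] >= 1.0:
            self.tokens[src] -= 1.0
            return True
        self.dropped[src] += 1
        return False


def run_filter(packets, rate=10.0, burst=20):
    """Feed (timestamp, source) records through the filter in time order.
    Returns (packets forwarded, {source: packets dropped})."""
    f = DdosFilter(rate, burst)
    forwarded = 0
    for ts, src in sorted(packets):
        if f.admit(src, ts):
            forwarded += 1
    return forwarded, dict(f.dropped)


# Constructed traffic (RFC 5737 documentation addresses): one legitimate
# client at 5 packets/s for 2 s, one attacker sending 1000 packets in 2 s.
LEGIT = [(i * 0.2, "198.51.100.7") for i in range(10)]
ATTACK = [(i * 0.002, "203.0.113.9") for i in range(1000)]
```

A per-source limit only stops sources that individually exceed the rate; a botnet spreading the same load over thousands of low-rate sources needs an aggregate per-target budget on top, which is the "more advanced" filtering the slide refers to.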
Fig. 3.6 – DDOS filtering of inbound attacks on target assets
SCADA Separation Architecture
- SCADA – Supervisory control and data acquisition
- SCADA systems – a set of software, computers, and networks that provide remote coordination of control systems for tangible infrastructure
- The structure includes the following
  - Human-machine interface (HMI)
  - Master terminal unit (MTU)
  - Remote terminal unit (RTU)
  - Field control systems
Fig. 3.7 – Recommended SCADA system firewall architecture
Physical Separation
- Why not simply unplug a system's external connections? (Called air gapping)
- As systems and networks grow more complex, it becomes more likely that unknown or unauthorized external connections will arise
- Basic principles for truly air-gapped networks:
  - Clear policy
  - Boundary scanning
  - Violation consequences
  - Reasonable alternatives
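The boundary-scanning principle, as an added example that is not part of the original slides: given an asset inventory of hosts and their interface addresses, flag any dual-homed host that bridges the isolated network to an external one (the Fig. 3.8 scenario). The isolated range, the inventory, and all addresses are constructed.

```python
"""Boundary scan for dual-homed hosts bridging an air-gapped network."""
import ipaddress

# Constructed policy: the one address range that belongs to the isolated network.
# Anything else that is not loopback or link-local counts as external.
ISOLATED = [ipaddress.ip_network("10.50.0.0/16")]


def classify(addr):
    """Return 'isolated', 'external', or 'ignore' for one interface address."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "ignore"            # malformed inventory entry; report elsewhere
    if ip.is_loopback or ip.is_link_local:
        return "ignore"
    return "isolated" if any(ip in net for net in ISOLATED) else "external"


def find_bridges(inventory):
    """inventory: {hostname: [interface addresses]}.
    Returns {hostname: sorted addresses} for every host that has at least one
    interface inside the isolated range and one outside it."""
    bridges = {}
    for host, addrs in inventory.items():
        zones = {classify(a) for a in addrs} - {"ignore"}
        if {"isolated", "external"} <= zones:
            bridges[host] = sorted(addrs)
    return bridges


# Constructed inventory, as it might be exported from an asset database.
INVENTORY = {
    "hmi-01":     ["10.50.1.10", "127.0.0.1"],
    "eng-laptop": ["10.50.1.44", "192.0.2.17"],   # wired to SCADA, Wi-Fi to corporate LAN
    "mtu-02":     ["10.50.2.5", "169.254.10.2"],
    "fileserver": ["192.0.2.30"],
    "bad-entry":  ["10.50.9.1", "not-an-address"],
}
```

Running the scan on a schedule and treating every hit as a policy violation turns the "violation consequences" principle into something measurable rather than a one-time audit.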
Fig. 3.8 – Bridging an isolated network via a dual-homing user
Insider Separation
- Hard to defend against a determined insider
- Threats may also come from trusted partners
- Background checks are a start
- Techniques for countering insider attack
  - Internal firewalls
  - Deceptive honey pots
  - Enforcement of data markings
  - Data leakage protection (DLP) systems
- Segregation of duties offers another layer of protection
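Segregation of duties after a work function has been decomposed into steps (Fig. 3.9), as an added example rather than anything from the book: each step is bound to a role, certain step pairs are declared conflicting, and the check reports any user whose combined roles let them perform both halves of a conflict. The workflow, conflict pairs, roles, and user assignments are all constructed.

```python
"""Segregation-of-duties check over a decomposed work function."""

# Constructed change-management work function, decomposed into steps
# that are each bound to a single role.
WORKFLOW = {
    "request_change": "operator",
    "approve_change": "supervisor",
    "deploy_change": "engineer",
    "verify_change": "auditor",
}

# Step pairs that one identity must never be able to perform together.
CONFLICTS = {
    ("request_change", "approve_change"),
    ("deploy_change", "verify_change"),
}


def roles_to_steps(workflow):
    """Invert the workflow map: {role: set of steps that role may perform}."""
    by_role = {}
    for step, role in workflow.items():
        by_role.setdefault(role, set()).add(step)
    return by_role


def workflow_is_segregated(workflow=WORKFLOW, conflicts=CONFLICTS):
    """True if every conflicting pair of steps is bound to two different roles,
    i.e. the decomposition itself does not collapse a conflict into one role."""
    return all(workflow[a] != workflow[b] for a, b in conflicts)


def sod_violations(assignments, workflow=WORKFLOW, conflicts=CONFLICTS):
    """assignments: {user: set of roles}. Returns {user: sorted conflict pairs}
    for every user who can perform both steps of at least one conflict."""
    by_role = roles_to_steps(workflow)
    violations = {}
    for user, roles in assignments.items():
        steps = set().union(*(by_role.get(r, set()) for r in roles))
        bad = [(a, b) for a, b in conflicts if a in steps and b in steps]
        if bad:
            violations[user] = sorted(bad)
    return violations


# Constructed role assignments pulled from an identity store.
ASSIGNMENTS = {
    "alice": {"operator"},
    "bob":   {"supervisor", "operator"},   # can request and approve the same change
    "carol": {"engineer"},
    "dave":  {"engineer", "auditor"},      # deploys and then verifies their own work
}
```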
Fig. 3.9 – Decomposing work functions for segregation of duty
Asset Separation
- Involves the distribution, replication, decomposition, or segregation of national assets
  - Distribution: creating functionality using multiple cooperating components that work together as a distributed system
  - Replication: copying assets across components so that if one asset is broken, the copy will be available
  - Decomposition: breaking complex assets into individual components so that an isolated compromise won't bring down the whole asset
  - Segregation: separation of assets through special access controls, data markings, and policy enforcement
Fig. 3.10 – Reducing DDOS risk through CDN-hosted content
Multilevel Security (MLS)
- Typically, mandatory access controls and audit trail hooks were embedded into the underlying operating system kernel
- Popular in the 1980s and 1990s
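The logical separation an MLS kernel enforces (Fig. 3.11), as an added example that is not from the book or any particular MLS product: labels form a lattice of classification level plus compartments, the mandatory check applies the Bell-LaPadula rules (no read up, no write down), and every decision is written to an audit trail as the slide's kernel hooks would. The levels, compartments, subjects, and objects are constructed.

```python
"""Bell-LaPadula style mandatory access check with an audit hook."""
from dataclasses import dataclass

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        """Lattice order: level is at least as high AND compartments are a superset."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def mandatory_check(subject, action, obj):
    """Simple security property: read only if the subject dominates the object.
    *-property: write only if the object dominates the subject (no write down).
    Returns (allowed, reason)."""
    if action == "read":
        ok = subject.dominates(obj)
        return ok, "read allowed" if ok else "denied: no read up"
    if action == "write":
        ok = obj.dominates(subject)
        return ok, "write allowed" if ok else "denied: no write down"
    return False, "denied: unknown action"


AUDIT = []   # the audit trail hook: every mediation decision is recorded here


def mediate(subject_name, subject, action, obj_name, obj):
    """Kernel-style reference monitor: decide, record, then return the decision."""
    ok, reason = mandatory_check(subject, action, obj)
    AUDIT.append((subject_name, action, obj_name, reason))
    return ok


# Constructed labels for assets and users in a control environment.
SCADA_TELEMETRY = Label("secret", frozenset({"grid"}))
PUBLIC_STATUS = Label("unclassified")
OPERATOR = Label("secret", frozenset({"grid"}))
ANALYST = Label("top_secret", frozenset({"water"}))   # higher level, wrong compartment
```

Note that the analyst is denied telemetry despite holding a higher level: compartments make the ordering a lattice rather than a simple ladder, which is what lets one kernel separate assets belonging to different infrastructures.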
Fig. 3.11 – Using MLS logical separation to protect assets
National Separation Program
- Internet separation: certain assets simply shouldn't be accessible from the Internet
- Network-based firewalls: these should be managed by a centralized group
- DDOS protection: all assets should have protection in place before an attack
- Internal separation: critical national infrastructure settings need an incentive to implement an internal separation policy
- Tailoring requirements: vendors should be incentivized to build tailored systems such as firewalls for special SCADA environments