Upload File

2015 industrial control system vulnerability trends · session id: #rsac amol sarwate 2015...

  • Home
  • Documents
  • 2015 Industrial Control System Vulnerability Trends · SESSION ID: #RSAC Amol Sarwate 2015 Industrial Control System Vulnerability Trends SEC-F04 Director of Vulnerability Labs Qualys
30
SESSION ID: #RSAC Amol Sarwate 2015 Industrial Control System Vulnerability Trends SEC-F04 Director of Vulnerability Labs Qualys Inc. @amolsarwate

Upload: hoangphuc

Post on 08-Jul-2018

216 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: 2015 Industrial Control System Vulnerability Trends · SESSION ID: #RSAC Amol Sarwate 2015 Industrial Control System Vulnerability Trends SEC-F04 Director of Vulnerability Labs Qualys

SESSION ID:

#RSAC

Amol Sarwate

2015 Industrial Control System Vulnerability Trends

SEC-F04

Director of Vulnerability Labs

Qualys Inc.

@amolsarwate

Page 2: 2015 Industrial Control System Vulnerability Trends · SESSION ID: #RSAC Amol Sarwate 2015 Industrial Control System Vulnerability Trends SEC-F04 Director of Vulnerability Labs Qualys

#RSAC

Agenda

ICS – Inside Out

Vulnerability Analysis

Recommendations

Page 3: 2015 Industrial Control System Vulnerability Trends · SESSION ID: #RSAC Amol Sarwate 2015 Industrial Control System Vulnerability Trends SEC-F04 Director of Vulnerability Labs Qualys

#RSAC

Industrial Control Systems from Outside

3

Page 4: 2015 Industrial Control System Vulnerability Trends · SESSION ID: #RSAC Amol Sarwate 2015 Industrial Control System Vulnerability Trends SEC-F04 Director of Vulnerability Labs Qualys

#RSAC

Industrial Control Systems from Inside

Field Control Center

4

Page 5: 2015 Industrial Control System Vulnerability Trends · SESSION ID: #RSAC Amol Sarwate 2015 Industrial Control System Vulnerability Trends SEC-F04 Director of Vulnerability Labs Qualys

#RSAC

Data Acquisition

5

Page 6: 2015 Industrial Control System Vulnerability Trends · SESSION ID: #RSAC Amol Sarwate 2015 Industrial Control System Vulnerability Trends SEC-F04 Director of Vulnerability Labs Qualys

#RSAC

Data Conversion

6

Page 7: 2015 Industrial Control System Vulnerability Trends · SESSION ID: #RSAC Amol Sarwate 2015 Industrial Control System Vulnerability Trends SEC-F04 Director of Vulnerability Labs Qualys

#RSAC

Communication

7

Page 8: 2015 Industrial Control System Vulnerability Trends · SESSION ID: #RSAC Amol Sarwate 2015 Industrial Control System Vulnerability Trends SEC-F04 Director of Vulnerability Labs Qualys

#RSAC

Presentation and Control

8

Page 9: 2015 Industrial Control System Vulnerability Trends · SESSION ID: #RSAC Amol Sarwate 2015 Industrial Control System Vulnerability Trends SEC-F04 Director of Vulnerability Labs Qualys

#RSAC

Agenda

ICS – Inside Out

Vulnerability Analysis

Recommendations

Page 10: 2015 Industrial Control System Vulnerability Trends · SESSION ID: #RSAC Amol Sarwate 2015 Industrial Control System Vulnerability Trends SEC-F04 Director of Vulnerability Labs Qualys

#RSAC

2009 - 2015 ICS Vulnerabilities

10

Page 11: 2015 Industrial Control System Vulnerability Trends · SESSION ID: #RSAC Amol Sarwate 2015 Industrial Control System Vulnerability Trends SEC-F04 Director of Vulnerability Labs Qualys

#RSAC

2014 - 2015 Data Acquisition Vulnerabilities

11

1%

Page 12: 2015 Industrial Control System Vulnerability Trends · SESSION ID: #RSAC Amol Sarwate 2015 Industrial Control System Vulnerability Trends SEC-F04 Director of Vulnerability Labs Qualys

#RSAC

2014 and 2015 Data Acquisition Vulnerabilities

12

Page 13: 2015 Industrial Control System Vulnerability Trends · SESSION ID: #RSAC Amol Sarwate 2015 Industrial Control System Vulnerability Trends SEC-F04 Director of Vulnerability Labs Qualys

#RSAC

Sensys Traffic Sensor Vulnerabilities

13

Page 14: 2015 Industrial Control System Vulnerability Trends · SESSION ID: #RSAC Amol Sarwate 2015 Industrial Control System Vulnerability Trends SEC-F04 Director of Vulnerability Labs Qualys

#RSAC

2014 - 2015 Data Conversion Vulnerabilities

14

1%

14%

Page 15: 2015 Industrial Control System Vulnerability Trends · SESSION ID: #RSAC Amol Sarwate 2015 Industrial Control System Vulnerability Trends SEC-F04 Director of Vulnerability Labs Qualys

#RSAC

Festo CECX-X-(C1/M1) Controller Vulnerabilities

15

Page 16: 2015 Industrial Control System Vulnerability Trends · SESSION ID: #RSAC Amol Sarwate 2015 Industrial Control System Vulnerability Trends SEC-F04 Director of Vulnerability Labs Qualys

#RSAC

OleumTech WIO Family Vulnerabilities

16

Page 17: 2015 Industrial Control System Vulnerability Trends · SESSION ID: #RSAC Amol Sarwate 2015 Industrial Control System Vulnerability Trends SEC-F04 Director of Vulnerability Labs Qualys

#RSAC

2014 - 2015 Communication Vulnerabilities

17

1%

14%

21%

Page 18: 2015 Industrial Control System Vulnerability Trends · SESSION ID: #RSAC Amol Sarwate 2015 Industrial Control System Vulnerability Trends SEC-F04 Director of Vulnerability Labs Qualys

#RSAC

2014 - 2015 DNP Vulnerabilities

18

Page 19: 2015 Industrial Control System Vulnerability Trends · SESSION ID: #RSAC Amol Sarwate 2015 Industrial Control System Vulnerability Trends SEC-F04 Director of Vulnerability Labs Qualys

#RSAC

2014 - 2015 SSL Vulnerabilities

19

Page 20: 2015 Industrial Control System Vulnerability Trends · SESSION ID: #RSAC Amol Sarwate 2015 Industrial Control System Vulnerability Trends SEC-F04 Director of Vulnerability Labs Qualys

#RSAC

2014 - 2015 Communication Vulnerabilities

20

Page 21: 2015 Industrial Control System Vulnerability Trends · SESSION ID: #RSAC Amol Sarwate 2015 Industrial Control System Vulnerability Trends SEC-F04 Director of Vulnerability Labs Qualys

#RSAC

2014-2015 Presentation & Control Vulnerabilities

21

1%

14%

21%

63%

Page 22: 2015 Industrial Control System Vulnerability Trends · SESSION ID: #RSAC Amol Sarwate 2015 Industrial Control System Vulnerability Trends SEC-F04 Director of Vulnerability Labs Qualys

#RSAC

2014-2015 Presentation & Control Vulnerabilities

22

Page 23: 2015 Industrial Control System Vulnerability Trends · SESSION ID: #RSAC Amol Sarwate 2015 Industrial Control System Vulnerability Trends SEC-F04 Director of Vulnerability Labs Qualys

#RSAC

2014-2015 Presentation & Control Vulnerabilities

23

Page 24: 2015 Industrial Control System Vulnerability Trends · SESSION ID: #RSAC Amol Sarwate 2015 Industrial Control System Vulnerability Trends SEC-F04 Director of Vulnerability Labs Qualys

#RSAC

Agenda

ICS – Inside Out

Vulnerability Analysis

Recommendations

Page 25: 2015 Industrial Control System Vulnerability Trends · SESSION ID: #RSAC Amol Sarwate 2015 Industrial Control System Vulnerability Trends SEC-F04 Director of Vulnerability Labs Qualys

#RSAC

Challenges and Recommendations

Control system exposed to the Internet

Recommendation

Next Week:

Check if you system is accessible from other parts of the corporate network or the Internet!

Next Month:

Create a network architecture diagram

Check if existing architecture diagram is up-to-date and reflects reality

Policy for Remote Connectivity

Next Quarter:

Network Segmentation, Firewalls and DMZs

25

Page 26: 2015 Industrial Control System Vulnerability Trends · SESSION ID: #RSAC Amol Sarwate 2015 Industrial Control System Vulnerability Trends SEC-F04 Director of Vulnerability Labs Qualys

#RSAC

Challenges and Recommendations

Risk from off-the-shelf software (operating systems, databases, web servers, browsers and others)

Recommendation

Next Week:

Subscribe to vulnerability feeds like ICS-CERT

Next Month:

Create an inventory of off-the-shelf system components

Request a list of third party components from your vendor

Ongoing:

Apply experience from IT network security

26

Page 27: 2015 Industrial Control System Vulnerability Trends · SESSION ID: #RSAC Amol Sarwate 2015 Industrial Control System Vulnerability Trends SEC-F04 Director of Vulnerability Labs Qualys

#RSAC

Challenges and Recommendations

Patching, Passwords and Configuration

Recommendation

Next Week: Demand quick patches from ICS vendor

Familiarize yourself with reboot procedures and test them if possible

Next Month: Formulate strategy for updates and patches

Enable authentication and authorization per user

Next Quarter/Year:

Budget a small lab for patch testing. Use factory floor maintenance window

27

Page 28: 2015 Industrial Control System Vulnerability Trends · SESSION ID: #RSAC Amol Sarwate 2015 Industrial Control System Vulnerability Trends SEC-F04 Director of Vulnerability Labs Qualys

#RSAC

Challenges and Recommendations

Older ICS Protocols built for performance (not security)

Recommendation

Next Week:

Create inventory of all ICS protocols used in your system

Next Month/Quarter:

Enable newer versions as many protocols now support built in security

Policy for modernization and upgrades

Secure wireless connections

28

Page 29: 2015 Industrial Control System Vulnerability Trends · SESSION ID: #RSAC Amol Sarwate 2015 Industrial Control System Vulnerability Trends SEC-F04 Director of Vulnerability Labs Qualys

#RSAC

Recommendations

Ongoing:

Security Training for Engineers, Technicians, Administrators, and

Operators

Conduct Vulnerability and Risk Assessments

Complying with Security Standards for your industry

29

Page 30: 2015 Industrial Control System Vulnerability Trends · SESSION ID: #RSAC Amol Sarwate 2015 Industrial Control System Vulnerability Trends SEC-F04 Director of Vulnerability Labs Qualys

#RSACThank You@amolsarwate


VULNERABILITY REVIEW 2020 GLOBAL TRENDS

Application Vulnerability Trends Report 2014 · Probability of Vulnerability Type in any Given Application “Session Management Vulnerabilities Appear in 79% of Applications” Below

Status and Trends of Coastal Vulnerability to Natural ... · Status and Trends of Coastal Vulnerability to Natural Hazards Project Annual Report for Phase 5 by Walter Gillis Peacock,

Accelerating Poverty and Vulnerability Reduction: Trends

Structural Vulnerability Non-Structural Vulnerability ... · Structural Vulnerability Non-Structural Vulnerability Functional Vulnerability Mitigation National Society for Earthquake

Overwhelmed By Security Vulnerabilities? Learn … · Overwhelmed By Security Vulnerabilities? Learn How to Prioritize Remediation Amol Sarwate Director of Vulnerability Labs, Qualys

Realistic Trends in Vulnerability based on Hacking into

BSidesLV Vulnerability & Exploit Trends

Climate Change Trends and Vulnerability to Biome … · Climate Change Trends and Vulnerability to Biome Shifts in the Southern Sierra Nevada Patrick Gonzalez Page 3 Historical Climate

Poverty Inequality and Vulnerability 30.10 · PDF file · 2018-02-12Central Asia, and links these trends to discourses regarding vulnerability, ... Pro -poor and inclusive growth

Measuring Vulnerability: A Multidimensional Vulnerability ... › sites › default › files › publication-resource… · Measuring Vulnerability: A Multidimensional Vulnerability

Development Trends and Vulnerability To Storms

Update on Threat/Vulnerability Trends and Research for …/media/files/events/conference proceedings... · 2013-02-05 · Update on Threat/Vulnerability Trends and Research for

Do d trends increasing vulnerability to insiders

Immigration: Recent Apprehension Trends at the U.S ... · recent migration trends cite persistent poverty, inequality, demographic pressure related to high population growth, vulnerability

2015 Enterprise Vulnerability Management Trends Report

Vulnerability analysis of 2013 SCADA issues · Vulnerability analysis of 2013 SCADA issues Amol Sarwate Director of Vulnerability Labs, Qualys Inc. ... Wired or wireless communication

Root Causes of Social Vulnerability: Demographic and Economic Trends Session 6

2.2 Emerging trends in hazards, vulnerability patterns and

Vulnerability to Poverty in the Philippines: An ... · DISCUSSION PAPER SERIES NO. 2018-10 AUGUST 2018 Vulnerability to Poverty in the Philippines: An Examination of Trends from 2003

Hosted by OWASP & the NYC Chapter Vulnerability Analysis of 2013 SCADA issues Amol Sarwate Director of Vulnerability Labs, Qualys Inc

Status and Trends of Coastal Vulnerability to Natural Hazards

Juglans Vulnerability Statement October 2017 - Germplasm … · 2017. 11. 20. · Juglans Vulnerability Statement October 2017 Juglans Crop Germplasm Committee. Production Trends

SPATIAL ANALYSIS OF TORNADO VULNERABILITY TRENDS …Hout, et al. p.1 SPATIAL ANALYSIS OF TORNADO VULNERABILITY TRENDS IN OKLAHOMA AND NORTHERN TEXAS Eric M. Hout1, 2, May Yuan3, John

Security Trends Report - OWASP · Security Trends Report ... the web to steal data and make money ... Automated vulnerability scanning for server and client exploits

Vulnerability and Exploit Trends: Combining behavioral analysis and OS defenses to combat emerging threats

Vulnerability, Human Vulnerability, Human

Software Vulnerability Exploitation Trends

Connectivity Openness and Vulnerability - Macmillan ITU Trends 2009

Root Causes of Social Vulnerability: Demographic and Economic Trends Session 6

FIRST 2007 -Seville Cyber Fraud Trends and Mitigation · FIRST 2007 -Seville Cyber Fraud Trends ... Banking Web Server Exploits WMF Vulnerability ... diba.de:_USER,_PWD,_IDENT;volksbank.de:Direkt_Nummer,pinMPIN;!citibank

2015 Enterprise Vulnerability Managementlp.skyboxsecurity.com/rs/...Vulnerability-Management-Survey-EN.pdfSybo Surit 2015 Et Vulnerabilit M Trends 2 REPORT Executive Summary Vulnerability

SCADA Security: Why is it so hard? - Hack In Paris · 2016-03-10 · HACK IN PARIS SCADA Security: Why is it so hard? Amol Sarwate, Director of Vulnerability Labs, Qualys Inc. June

SPATIAL ANALYSIS OF TORNADO VULNERABILITY TRENDS IN ... · Hout, et al. p.1 SPATIAL ANALYSIS OF TORNADO VULNERABILITY TRENDS IN OKLAHOMA AND NORTHERN TEXAS Eric M. Hout1, 2, May Yuan3,

Vulnerability Management - How Market Trends and Changing Threats Will Shape the Future of the Market