Industrial Control Systems Cyber Security
Proven Risk to Supply Chain Operations
Mark Fabro
Chief Security Scientist, Lofty Perch Inc.
Wednesday June 7, 2017
6/20/2017 1
Overview
• The role of industrial control systems (ICS) in supply chain
• Cyber Risk and ICS
• ICS attacks and trends
• Mitigation considerations
The Main Points
• Industrial Control Systems (ICS), including SCADA and DCS, and operational technology (OT) in general are the heart of manufacturing and industry
• The suppliers you depend on use ICS to make/move/fix the materials you need
• Those systems can be vulnerable to attack, have been attacked and attacks are increasing
• Attacks impact availability of products, integrity of products, movement of products, timely delivery, health and well-being of people and ultimately effectiveness of force
ICS in the Supply Chain – Everywhere…
• Manufacturing and Repair
• Road, Rail, Airfield Operations
• Seaways
• Ports
• Water/Wastewater
• Refineries
• Pipelines (oil, gas, other)
• Grid operations
• Energy Generation
• Healthcare
• Building Environmental Control
Why is This Important to You?
• Your supply chain uses ICS
• Compromising ICS can result in:
  • Unavailable systems
  • Compromise of sensitive production data
  • Impact on delivery of materials/parts/weapons
  • Impact on the integrity of the part being produced/repaired
• ICS security is rarely part of a governed cyber security program
Kinetic Impacts
Cyber Incidents and Infrastructure
• As early as 1982 (Gazprom)
• 1994 (Salt River Project)
• 1997 Worcester Airport
More Interesting Cyber Events
• May 2001 Cal-ISO attack
  • Undetected for 17 days; traffic routed from California and China (last hop)
  • Compromise almost penetrated into energy provisioning systems
• 2003 ‘Slammer’ disables Davis-Besse nuclear plant’s safety parameter display system
• August 2003 Blackout
  • Malfunction in Alarm and Event Processing (AEPR) due to a race condition
• 2004 ‘Sasser’ disables connected oil platforms for several days
• Sept 2004 SOCAL air traffic control failure
  • Windows bug forced the server to auto-reboot after 49.7 days (a 32-bit millisecond tick counter wraps after 2^32 ms, about 49.7 days)
  • 800 planes in the air without contact for 3 hours
  • 400 delays, 600 cancellations
• 2005 ‘Zotob’ attacks Daimler-Chrysler
• 2009 Brazilian Power Grid (cyber attribution disputed)
Known Incidents Since 1982 (lots)
[Chart: known incidents by year since 1982; source: EDIST 2010 © Lofty Perch, Inc.; DoD]
Vulnerabilities Discovered by Year
• Research community gone wild
• Evolution of new techniques
• Looking for ‘zero days’
Kaspersky Lab
Disclosure by Year
2016 FireEye
Zero Days in the Wild
• All well before Shadow Brokers
• Libraries part of larger suite?
2016 FireEye
Going Unfixed
• Of 1,552 ICS vulnerabilities disclosed, 516 had no vendor patch available at the time of disclosure
• That is, roughly 33% were effectively ‘0 days’ when they were published
2016 FireEye
Incidents by Sector and Vector 2015
U.S. DHS ICS-CERT
By end of 2016
• Look at the top 3
• How will they affect operations?
Kaspersky Lab
Mitigation Activities
• Expand security assessment to the control systems of private sector partners
• Code analysis
• Develop attack trees and use cases to model the kill chain of the adversary
• Consider blended cyber/physical attacks
• Exploit SME experience from around the globe
• Customization of COTS IT security to fit ICS/SCADA
• Learn from work done across sector
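The "attack trees and use cases" and "blended cyber/physical attacks" bullets above can be made concrete with a small model. The following is an added example, not material from the slides or from Lofty Perch: a hypothetical attack tree for a supplier's CNC plant in which the attacker's goal is an out-of-tolerance part reaching the customer. Node names, relative effort values and the mitigation effects are illustrative assumptions. The code enumerates every feasible leaf combination (the use cases), reports the cheapest one, and shows how blocking or hardening individual steps shifts the cheapest path, which is how an attack tree is used to prioritise mitigations.

```python
"""Attack-tree model of a blended cyber/physical attack on a supplier's ICS.

Added example for the 'attack trees and use cases' mitigation bullet; not from
the original slides. Node names, costs (relative attacker effort) and the
mitigation effects are illustrative assumptions, not measured data.
"""
from dataclasses import dataclass, field
from itertools import product
from typing import Dict, List, Optional, Set, Tuple

Scenario = Tuple[float, Tuple[str, ...]]  # (total effort, leaves used)


@dataclass
class Node:
    name: str
    kind: str = "leaf"            # "leaf", "AND" (all children) or "OR" (any child)
    cost: float = 0.0             # leaf only: assumed relative attacker effort
    children: List["Node"] = field(default_factory=list)


def scenarios(node: Node, blocked: Set[str], recost: Dict[str, float]) -> List[Scenario]:
    """Enumerate every feasible way to achieve `node` as (effort, leaves).

    `blocked` names leaves a mitigation removes entirely; `recost` overrides
    a leaf's effort (a control that makes the step harder, not impossible).
    """
    if node.kind == "leaf":
        if node.name in blocked:
            return []
        return [(recost.get(node.name, node.cost), (node.name,))]
    per_child = [scenarios(c, blocked, recost) for c in node.children]
    if node.kind == "OR":
        return [s for child in per_child for s in child]
    if node.kind == "AND":
        if any(not child for child in per_child):
            return []             # one impossible step kills the whole AND branch
        return [
            (sum(s[0] for s in combo), tuple(leaf for s in combo for leaf in s[1]))
            for combo in product(*per_child)
        ]
    raise ValueError(f"unknown node kind {node.kind!r}")


def cheapest(node: Node, blocked=frozenset(), recost=None) -> Optional[Scenario]:
    """Lowest-effort feasible scenario, or None if mitigations block them all."""
    found = scenarios(node, set(blocked), recost or {})
    return min(found, key=lambda s: s[0]) if found else None


def supplier_tree() -> Node:
    """Hypothetical goal: ship an out-of-tolerance machined part to the customer."""
    foothold = Node("Foothold on plant network", "OR", children=[
        Node("Phish engineering workstation", cost=3),
        Node("Exploit unpatched HMI (no vendor fix available)", cost=4),
        Node("Reuse vendor remote-access VPN credential", cost=2),
    ])
    cyber = Node("Cyber: alter CNC program", "AND", children=[
        foothold,
        Node("Pivot to workstation holding CNC programs", cost=3),
        Node("Change tolerances in G-code without alarming operator", cost=5),
    ])
    blended = Node("Blended: physical access plus cyber payload", "AND", children=[
        Node("Insider badge onto plant floor", cost=6),
        Node("Plug USB payload into operator HMI", cost=2),
    ])
    physical = Node("Substitute raw material at receiving dock", cost=9)
    return Node("Out-of-tolerance part shipped", "OR", children=[cyber, blended, physical])


if __name__ == "__main__":
    tree = supplier_tree()
    usb = {"Plug USB payload into operator HMI"}
    print("baseline:", cheapest(tree))
    # Mitigation 1: disable USB on HMIs -> blended branch becomes infeasible.
    print("USB blocked:", cheapest(tree, blocked=usb))
    # Mitigation 2: incoming-material verification makes substitution far costlier.
    dock = {"Substitute raw material at receiving dock": 15}
    print("+ material checks:", cheapest(tree, blocked=usb, recost=dock))
    # Mitigation 3: MFA on the vendor VPN raises that leaf from 2 to 6.
    dock_mfa = dict(dock, **{"Reuse vendor remote-access VPN credential": 6})
    print("+ VPN MFA:", cheapest(tree, blocked=usb, recost=dock_mfa))
```

Run as a script, the baseline cheapest path is the blended insider-plus-USB branch; each applied mitigation moves the cheapest path to a different branch (physical substitution, then the vendor VPN credential, then phishing), which is the information needed to order the mitigation backlog rather than treating every ICS finding as equally urgent.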