SCADA SECURITY ASSESSMENT METHODOLOGY, THE MALAYSIA EXPERIENCE
Muhammad Reza Shariff
Security Assurance
Table of Contents
• Introduction
• Our Experience
• Preparation
• Approach and Methodology
• Tools for the Assessment
• Step by Step Assessment
• Top 5 Common Vulnerabilities Found
• Conclusion
Copyright © 2013 CyberSecurity Malaysia
Introduction
CyberSecurity Malaysia began operations in 1997 as the Malaysian Computer Emergency Response Team (MyCERT) and was renamed CyberSecurity Malaysia in 2007.
It is mandated and positioned as the national cyber security specialist under the Ministry of Science, Technology and Innovation (MOSTI).
It also provides safety tips, advisories, and specialised services in cyber security fields such as Digital Forensics, Security Assessment, and Security Management and Best Practices.
Our Expertise and Specialization
Malaysia's Computer Emergency Response Team (MyCERT) / Cyber999 Service
Security Assurance & Product Evaluation using Common Criteria Standard
Cyber Security Training and Professional Certification
Outreach, Awareness, and Social Responsibility Programs
Digital Forensics & Data Recovery Services
Security Management and Best Practice
Cyber Security Strategic Policy and Legal Research
Our Experiences
Our Experience 2013
Control System Security Assessment (Total 7 + 2)
• Oil & Gas
• Water Works
• Airport
• Shipping
• Port
Preparation for the Assessment
Preparation Prior to the Assessment
• Ensure stakeholder buy-in
• Define scope and duration
• Define prerequisites (e.g. HSSE training)
• Project charter and NDA
• Confirm the Project Manager (client side)
Other Preparation
• Hardware ready: long crossover cables, fully charged notebooks, camera, torch lights, hubs, etc.
• Customised checklist: know what to do
• Test the tools (at the office)
Entering a SCADA installation may require strict and limited work permits, so having the necessary hardware and tools ready beforehand is important.
Approach & Methodology
The methodology draws on three references:
• ISA99: Industrial Automation and Control Systems Security
• ISMS 27001: ISO/IEC 27001 Information Security Management System (ISMS)
• Customised Vulnerability Assessment and Penetration Testing (VAPT)
Stage 1: Project Planning and Initiation
• Define project scope and terms of reference
• Define restrictions, e.g. operating hours, tolerable downtime (if any), etc.
• Customisation of assessment procedures
• Information gathering
• Logistics
Stage 2: Desktop and Server Security Assessment
• Check desktop / server role and compare against the services running
• Check patch level
• Check permissions on critical directories
• Check logging / antivirus
* Request a SCADA engineer / contractor for a better understanding of the system
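The first Stage 2 check, comparing a host's role against the services actually listening on it, is easy to script. The following is an added example, not a script from the deck or from CyberSecurity Malaysia: it parses constructed `netstat -ano` output (the Windows format), maps listening sockets to process names through a constructed PID table, and reports listeners that are not in a constructed per-role baseline, with a note on cleartext management services, plus any baseline service that is missing. The role names and baseline ports are assumptions for the example.

```python
"""Compare a host's listening services with the baseline expected for its role."""
from dataclasses import dataclass

# Constructed baseline (assumption for this example): expected listening ports per host role.
ROLE_BASELINE = {
    "hmi-workstation": {3389},        # RDP for remote support only
    "scada-server": {502, 3389},      # Modbus/TCP front end + RDP
    "historian": {1433, 3389},        # MSSQL + RDP
}

# Ports that deserve a closer look on any control-system host (constructed list).
NOTEWORTHY = {21: "FTP (cleartext)", 23: "Telnet (cleartext)",
              80: "HTTP", 161: "SNMP", 445: "SMB"}


@dataclass(frozen=True)
class Listener:
    proto: str
    port: int
    pid: int


def parse_netstat(text):
    """Parse `netstat -ano` output: keep TCP sockets in LISTENING state and all UDP sockets."""
    listeners = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # banner, header or blank line
        proto, local = parts[0], parts[1]
        if proto == "TCP" and (len(parts) < 5 or parts[3] != "LISTENING"):
            continue  # established or closing connections are not services
        port = int(local.rsplit(":", 1)[1])  # handles 0.0.0.0:80 and [::]:80
        listeners.add(Listener(proto, port, int(parts[-1])))
    return listeners


def compare_with_role(role, listeners, processes):
    """Return (unexpected, missing) for the role. `processes` maps PID -> image name."""
    expected = ROLE_BASELINE[role]
    unexpected = []
    for lst in sorted(listeners, key=lambda l: (l.port, l.proto)):
        if lst.port in expected:
            continue
        note = NOTEWORTHY.get(lst.port, "not in role baseline")
        unexpected.append((lst.proto, lst.port, processes.get(lst.pid, "unknown"), note))
    missing = sorted(expected - {lst.port for lst in listeners})
    return unexpected, missing


# Constructed sample output, as `netstat -ano` would print it on a Windows host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       908
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:502            0.0.0.0:0              LISTENING       2212
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1120
  TCP    192.168.10.5:502       192.168.10.20:50123    ESTABLISHED     2212
  TCP    [::]:23                [::]:0                 LISTENING       1508
  UDP    0.0.0.0:161            *:*                                    1640
"""
# Constructed PID -> image map (what `tasklist` would give on the same host).
SAMPLE_PROCESSES = {4: "System", 908: "svchost.exe", 1120: "svchost.exe",
                    1508: "tlntsvr.exe", 1640: "snmp.exe", 2212: "scadasrv.exe"}

if __name__ == "__main__":
    unexpected, missing = compare_with_role(
        "scada-server", parse_netstat(SAMPLE_NETSTAT), SAMPLE_PROCESSES)
    for proto, port, image, note in unexpected:
        print(f"UNEXPECTED {proto}/{port:<5} {image:<14} {note}")
    for port in missing:
        print(f"MISSING    expected service on port {port} not listening")
```

Run against the sample, the `scada-server` role yields four unexpected listeners (Telnet, RPC endpoint mapper, SNMP and SMB) and nothing missing; the same output checked against the `historian` role would also report port 1433 as missing. The baseline is the point: the analyst agrees it with the SCADA engineer during the interview, then the script does the comparison.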
Stage 3: SCADA Security Assessment
• Assessment of SCADA, RTU and PLC
• Check patch level
• Check connection type and communication
• Testing of registers / coils
• No checking of program logic
* Request a SCADA engineer / contractor for a better understanding of the system
Stage 4: Network Architecture Review & Security Assessment
• Review the current network architecture design
• Conduct assessment of network device configurations
• Network sniffing
* Request that the client send a formal request to the telecommunication company for the network configurations
Stage 5: Physical Assessment
• Conduct physical assessment
• Check the current policy
Stage 6: CSSA (Control System Security Assessment) Report
• Analysis of findings
• Identify risk rating
• Consolidate reports
Tools for Assessment
Tools Used
Non-intrusive
• Nessus, ModScan, Wireshark & TCPDump
• MBSA, customised scripts & Nipper
• Solarwinds, PuTTY, Telnet, Nmap & Netcat
Intrusive
• Nessus, Metasploit
• Nmap & Netcat
Others
• Snapshot tools, digital cameras
• WordPad (MS Word changes the file headers)
• TrueCrypt
Tool screenshots (Nessus, Metasploit, ModScan 32)
Best Practices for Tools
• Clients are aware of the tools being used and their impact
• Tools have been tested
• Analysts are confident and well versed with the tools
• Able to eliminate false-positive findings
• Tools are meant to make your work faster, not easier
Step by Step Assessment
Desktop & Server Assessment
Interview Owner
• Maintenance: corrective and preventive
• Log Book
• Purpose and Function of Machine
• Review Policy (if any)
Physical Assessment
• Check Physical Connection (Eth)
• External Drive Functionality (USB / CD-ROM)
• Hard Disk Space
• Backup System
OS and Application Assessment
• MBSA / Scripts
• Patch Level
• ACL
• Password
• Anti Virus
• Review of Programs / Applications / Services (e.g. IIS, PDF, etc.)
• Review of Ports
SCADA Security Assessment
Interview Owner
• Maintenance: corrective and preventive
• Log Book
• Purpose and Function of SCADA/RTU/PLC
• Review Policy (if any)
Physical Assessment
• Check Physical Connection (UTP/Fibre/etc)
• Available Physical Ports
• Power System / Grounding
Application Assessment
• Web Functionality
• Patch Level
• ACL
• Password
• Review of Ports
• Coil / Register
Network Architecture Review
Interview Owner
• Review Current Network Design
• Review Device Functionality
• Review Policy (if any)
Physical Assessment
• Map Current Network Design
• Review Network Segregation
• Test for external and internal (corporate) connection
Network Security Assessment
Interview Owner
• Review Current Network Design
• Review Device Functionality
• Request for scripts, configuration, & rules
• Policy (if any)
Physical Assessment
• Check Physical Connection (UTP/Fibre/etc)
• Available Physical Ports
• Network Sniffing
Device Assessment
• Web Functionality
• Patch Level
• ACL
• Password
• Review of Ports
• Access Common Management Ports (SSH, Telnet, SNMP, FTP)
• Review Routing Table
Physical Assessment
Interview Owner
• Security of the Current Installation
• Review Security Policy or Standards being applied
Physical Assessment
• Site Walk
• Locate all possible entrances to the Command / Control Room, RTU, PLC and connections
• Check all door access and windows and their security
• Check the Riser Room
Top 5 Common Vulnerabilities Found
#5: SCADA Security Policy Issues
• Applying corporate IT policy
• Lack of enforcement
• No or incomplete SCADA security policy
#4: Password Issues
• No access control list
• Default password
• All for one
Examples seen during assessments (screenshots in the original deck):
• Web-enabled PLC: password
• Annuaire.XML for Topkapi
• Hardcoded password in the registry
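Hardcoded credentials in configuration files and the registry are the kind of finding an analyst wants to locate quickly and report without copying the secret into the report. The script below is an added example, not from the deck or from CyberSecurity Malaysia: it audits a registry export in `.reg` format (the constructed sample here uses an invented vendor key, not Topkapi's or any real product's layout) for value names that look like credentials, decodes string, DWORD and single-line hex values, and reports a masked view plus whether the value is stored as plaintext. The name pattern and sample keys are assumptions for the example.

```python
"""Audit a Windows registry export (.reg) for values that look like stored credentials."""
import re

# Value names that commonly hold credentials (constructed pattern for this example).
CRED_NAME = re.compile(r"pass(word|wd)?|pwd|secret|credential", re.IGNORECASE)
KEY_LINE = re.compile(r"^\[(.+)\]$")
VALUE_LINE = re.compile(r'^"([^"]+)"=(.*)$')


def mask(value):
    """Keep only the first character and the length so the report does not leak the secret."""
    return f"{value[:1]}*** ({len(value)} chars)" if value else "(empty)"


def decode_value(raw):
    """Return (registry type, decoded text) for a .reg value: "text", dword:... or hex:...

    Assumes single-line values; multi-line hex continuations ("\\" at end of line) are
    not handled in this example.
    """
    if raw.startswith('"') and raw.endswith('"'):
        return "REG_SZ", raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.startswith("dword:"):
        return "REG_DWORD", str(int(raw[6:], 16))
    if raw.startswith("hex:"):
        data = bytes(int(b, 16) for b in raw[4:].split(",") if b)
        return "REG_BINARY", data.decode("latin-1")
    return "OTHER", raw


def audit_reg_export(text):
    """Walk the export and collect credential-looking values under their key path."""
    findings = []
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_LINE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_LINE.match(line)
        if not m or key is None:
            continue
        name, raw = m.groups()
        if not CRED_NAME.search(name):
            continue
        vtype, value = decode_value(raw)
        findings.append({
            "key": key, "name": name, "type": vtype, "masked": mask(value),
            # A REG_SZ with content is readable by anyone with read access to the key.
            "plaintext": vtype == "REG_SZ" and bool(value),
        })
    return findings


# Constructed sample export (assumed text already decoded from the UTF-16 .reg file).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\ScadaApp]
"InstallDir"="C:\\ScadaApp"
"DbPassword"="Summer2013"
"DbUser"="scada"

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\ScadaApp\Remote]
"AdminPwd"=hex:61,64,6d,69,6e
"RetryCount"=dword:00000003
"PasswordRequired"=dword:00000000
"""

if __name__ == "__main__":
    for f in audit_reg_export(SAMPLE_REG):
        flag = "PLAINTEXT" if f["plaintext"] else f["type"]
        print(f"{flag:<10} {f['key']}\\{f['name']} = {f['masked']}")
```

The third hit, `PasswordRequired`, is not a secret at all; it shows why the deck insists on analysts who can eliminate false positives, and in this case the value 0 is itself worth a question to the system owner.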
#3: Network Architecture and Design
• Web-enabled RTU and PLC
• Active ports available
• No segregation of network
Coils read & write (ModScan screenshot)
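Stage 3's register / coil testing and this slide both come down to the same fact: on an unsegregated network, any host that can reach TCP port 502 can issue Modbus write function codes. The defensive counterpart, which fits the Stage 4 network sniffing step, is to look for write requests from hosts that are not supposed to send them. The block below is an added example, not from the deck or from CyberSecurity Malaysia: it parses Modbus/TCP frames (MBAP header plus PDU), classifies the standard function codes, and flags writes from sources outside a constructed allow-list of engineering hosts, as well as malformed frames. The addresses, allow-list and frame bytes are constructed for the example.

```python
"""Flag Modbus/TCP write requests in captured frames (detection logic for a sniffing review)."""
import struct

MODBUS_PORT = 502
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs",
    3: "Read Holding Registers", 4: "Read Input Registers",
    5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}
WRITE_FUNCTIONS = {5, 6, 15, 16}


def parse_modbus_tcp(payload):
    """Parse one Modbus/TCP ADU. Returns a dict, or None if the MBAP header is inconsistent."""
    if len(payload) < 8:
        return None
    tid, proto_id, length, unit = struct.unpack(">HHHB", payload[:7])
    # Protocol id is always 0 for Modbus; length counts unit id + PDU bytes.
    if proto_id != 0 or length != len(payload) - 6:
        return None
    fc = payload[7]
    data = payload[8:]
    req = {"tid": tid, "unit": unit, "fc": fc,
           "name": FUNCTION_NAMES.get(fc, "Unknown/Other")}
    if fc in (1, 2, 3, 4, 15, 16) and len(data) >= 4:
        req["address"], req["count"] = struct.unpack(">HH", data[:4])
    elif fc in (5, 6) and len(data) >= 4:
        req["address"], req["value"] = struct.unpack(">HH", data[:4])
    return req


def review_modbus_writes(frames, authorised_writers):
    """frames: iterable of (src_ip, dst_ip, dst_port, payload).

    Returns (severity, src, dst, detail) tuples: INFO for writes from an
    authorised host, ALERT for writes from anywhere else and for malformed frames.
    """
    findings = []
    for src, dst, dport, payload in frames:
        if dport != MODBUS_PORT:
            continue  # only Modbus/TCP traffic is of interest here
        req = parse_modbus_tcp(payload)
        if req is None:
            findings.append(("ALERT", src, dst, "malformed Modbus/TCP frame"))
            continue
        if req["fc"] not in WRITE_FUNCTIONS:
            continue  # reads are normal polling traffic
        detail = f"{req['name']} to unit {req['unit']} addr {req.get('address', '?')}"
        severity = "INFO" if src in authorised_writers else "ALERT"
        findings.append((severity, src, dst, detail))
    return findings


# Constructed sample: an HMI, a PLC and a corporate host that should never reach the PLC.
HMI, PLC, CORP = "192.168.10.20", "192.168.10.50", "10.0.0.77"
AUTHORISED_WRITERS = {HMI}
SAMPLE_FRAMES = [
    # HMI polls 10 holding registers from address 0 (tid 1, unit 1, fc 3).
    (HMI, PLC, 502, bytes.fromhex("0001 0000 0006 01 03 0000 000a".replace(" ", ""))),
    # HMI writes single coil 19 ON (fc 5): expected operator action.
    (HMI, PLC, 502, bytes.fromhex("0002 0000 0006 01 05 0013 ff00".replace(" ", ""))),
    # Corporate host writes holding register 1 := 3 (fc 6): not expected.
    (CORP, PLC, 502, bytes.fromhex("0003 0000 0006 01 06 0001 0003".replace(" ", ""))),
    # Corporate host browsing the PLC web page: not Modbus, ignored by this check.
    (CORP, PLC, 80, b"GET / HTTP/1.1\r\n\r\n"),
    # Truncated frame whose MBAP length field (0x99) does not match the bytes present.
    (CORP, PLC, 502, bytes.fromhex("0004 0000 0099 01 03".replace(" ", ""))),
]

if __name__ == "__main__":
    for severity, src, dst, detail in review_modbus_writes(SAMPLE_FRAMES, AUTHORISED_WRITERS):
        print(f"{severity:<5} {src} -> {dst}: {detail}")
```

On the sample the HMI's coil write is reported as INFO, while the corporate host's register write and its malformed frame are reported as ALERT. The same function-code classification can be applied to a Wireshark or TCPDump capture taken during the Stage 4 sniffing step, once the frames are extracted.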
#2: Antivirus Issues
• Fear of system disruption
• Missing AV or updates
• False sense of security: closed network
#1: Operating System & Applications
• No hardening
• Obsolete OS, missing patches & service packs
• Vulnerable to malware, DoS, hacking, etc.
Obsolete system (screenshot)
Conclusion
1.
• Stakeholder buy-in is important
• Know the chain of command: who is the Project Manager (client side)
2.
• SCADA assessments are similar to common security assessments
• Commercial off-the-shelf (COTS) tools are commonly used
3.
• Experienced analysts are needed: SCADA systems are delicate and some obsolete systems do exist
• Manual assessment is sometimes needed, with minimal use of tools
Good References
• NIST Special Publication 800-53A
http://csrc.nist.gov/publications/nistpubs/800-53A-rev1/sp800-53A-rev1-final.pdf
• ISA99
http://www.isa.org/MSTemplate.cfm?MicrositeID=988&CommitteeID=6821