Keeping the Lights On

Fundamentals of Industrial Control Risks, Vulnerabilities, Mitigating Controls, and Regulatory Compliance

© Copyright 2014 Netsecuris Inc. All rights reserved

Learning Goals

o Understanding definition of industrial controls

o Understanding differences between traditional IT networks vs. industrial control networks

o Understanding risks and mitigating controls associated with industrial controls

o Understanding regulatory compliance and service resilience

What is Industrial Control?

Industrial Control Defined

o A system that controls a process

o Industrial Control System – traditionally a general term defining several types of control systems used in industrial production

  o Distributed Control System (DCS)

  o Supervisory Control and Data Acquisition System (SCADA)

  o Remote Terminal Units (RTU)

  o Programmable Logic Controllers (PLC)

Why learn about this topic?

o Industrial controls are pervasive!

  o Utilities

  o Factories

  o Automobiles

  o Military

  o Data Centers

  o Appliances

o Industrial controls are being networked like traditional IT networks.

Industrial Controls that might Surprise You

o Environmental controls in your data center

o Missiles launched by the military

o Assembly line controller in a factory

o SCADA systems at utilities

o Gasoline pumps at a convenience store

T-shirt Question

Can you name an industrial control or application I have not already mentioned?

National Critical Infrastructures

o Chemical

o Commercial Facilities

o Communications

o Critical Manufacturing

o Dams

o Defense Industrial Base

o Emergency Services

o Energy

o Financial Services

o Food and Agriculture

o Government Facilities

o Healthcare and Public Health

o Information Technology

o Nuclear Reactors, Materials, and Waste

o Transportation Systems

o Water and Wastewater Systems

Get Involved

o Join a Cyber Security or Physical Security Working Group in your Sector.

  o https://www.dhs.gov/critical-infrastructure-sectors

o Join an Information Sharing and Analysis Center (ISAC) in your industry.

  o http://www.isaccouncil.org/memberisacs.html

  o http://itlaw.wikia.com/wiki/Information_Sharing_and_Analysis_Center

What’s important in the industrial space

o Life Safety is foremost.

o Reliability is a close second.

o Integrity and Availability are primary.

o Confidentiality is secondary or not important at all.

What can happen

o Cyber Security failures have the potential to cause physical consequences.

o Cyber Security issues can arise out of supply chain relationships.

o Human decisions can cause devastating consequences.

o Productivity can be affected.

Cyber Security Implication – Physical Consequences

o Electric Power Blackouts

  o September 2007 cyber attack in Brazil

  o 2003 Northeast blackout

  o 1999 Southern Brazil blackout

  o 1965 Northeast blackout

o 1979 Three Mile Island Nuclear Plant Accident

o 2000 Maroochy Shire cyber event

o 2007 Aurora Generator Test

o 2009 Stuxnet

o 2010 San Bruno natural gas pipeline explosion

Look what happens when …

Supply Chain Cybersecurity

o Google’s headquarters in Sydney, Australia was breached due to a building management vendor.

o Researchers discovered that they could breach the circuit breakers of a Sochi Olympic arena through their HVAC supplier.

o Watering hole attack on a major oil company’s network

o Major retailer breach due to relationship with HVAC vendor.

What makes an Industrial Control System fragile?

o COTS

o Microsoft Windows

o Use of specialized communications protocols

  o Modbus

  o DNP3 (Distributed Network Protocol)

  o OPC (Open Platform Communications formerly known as OLE for Process Control)

o Manufacturers deviating from RFC

o Poor software design

Survey of Specialized Communications Protocols

Modbus

o Open protocol standard

o Moves raw bits or words without placing many restrictions on vendors.

o TCP/IP packet may look perfectly normal but the Modbus frame could be crafted to carry malicious code.
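
The last bullet is the reason Modbus traffic is inspected at the protocol layer rather than only at TCP/IP. The following is an added example, not part of the original slides: a Modbus/TCP request check that assumes a read-only policy on the monitored path. The function names, the allowlist and the sample frames are constructed for illustration.

```python
import struct

# Assumed site policy for this example: this network path only carries reads.
# Maps function code -> maximum quantity allowed by the Modbus specification.
READ_LIMITS = {0x01: 2000, 0x02: 2000, 0x03: 125, 0x04: 125}

def inspect_request(adu: bytes) -> list:
    """Check one Modbus/TCP request; return findings (empty list = pass)."""
    if len(adu) < 8:
        return ["truncated: no complete MBAP header and function code"]
    findings = []
    _tid, proto, length, _unit = struct.unpack(">HHHB", adu[:7])
    if proto != 0:
        findings.append(f"protocol id {proto} is not 0 (Modbus)")
    # The MBAP length field counts every byte after itself (unit id + PDU).
    if length != len(adu) - 6:
        findings.append(f"length field {length} but {len(adu) - 6} bytes follow")
    func = adu[7]
    if func not in READ_LIMITS:
        findings.append(f"function 0x{func:02x} not in read-only allowlist")
    elif len(adu) != 12:
        # Read requests are fixed size: 7-byte MBAP + function + address + quantity.
        findings.append("read request is not the fixed 12 bytes")
    else:
        _addr, qty = struct.unpack(">HH", adu[8:12])
        if not 1 <= qty <= READ_LIMITS[func]:
            findings.append(f"quantity {qty} outside 1..{READ_LIMITS[func]}")
    return findings

def build(func, addr, value, tid=1, unit=1):
    """Constructed sample frame: MBAP header plus a 5-byte PDU."""
    return struct.pack(">HHHBBHH", tid, 0, 6, unit, func, addr, value)

# Constructed sample traffic, not captured from any real system.
SAMPLES = {
    "read 10 holding registers": build(0x03, 0, 10),
    "write single register": build(0x06, 0, 0xFFFF),
    "read with trailing bytes": build(0x03, 0, 10) + b"\x00" * 20,
    "read of 5000 registers": build(0x03, 0, 5000),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(f"{name}: {inspect_request(frame) or 'pass'}")
```

All four sample frames are well-formed at the TCP/IP layer; only the first passes the Modbus-level checks.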

DNP3

o An Open Standard

o Designed to be reliable but not secure.

o Header may look perfectly normal but the data payload could be crafted to carry malicious code.

o No authentication mechanism in basic DNP3.

  o Secure DNP3

OPC

o Based on the OLE, COM, and DCOM technologies developed by Microsoft.

o Any vulnerabilities in these technologies are carried into this protocol.

o OPC is firewall unfriendly because OPC servers dynamically assign TCP ports.

o DCOM and RPC are extremely complicated protocols that can be translated into attack surfaces for malicious actors.

o OPC is complicated to set up, so some vendors leave exposures in their products.

IT Cyber Security vs. OT Cyber Security

IT Cyber Security vs. OT Cyber Security - Performance Requirements

Source: Derived from the NIST 800-82 Standard

IT Cyber Security vs. OT Cyber Security - Availability Requirements

Source: Derived from the NIST 800-82 Standard

IT Cyber Security vs. OT Cyber Security - Risk Management Requirements

Source: Derived from the NIST 800-82 Standard

IT Cyber Security vs. OT Cyber Security - Change Management Requirements

Source: Derived from the NIST 800-82 Standard

IT Cyber Security vs. OT Cyber Security - Unintended Consequences Requirements

Source: Derived from the NIST 800-82 Standard

Regulatory Compliance Survey

Regulatory Compliance - Electric

o North American Electric Reliability Corporation (NERC)

o Transmission and Generation

o Critical Infrastructure Protection (CIP) v3

  o Requirements CIP-002 to CIP-009

  o CIP-003 Security Management Controls

  o CIP-005 Electronic Security Perimeter(s)

  o CIP-007 Systems Security Management

o CIP v5 is approved and is in effect April 2016 for all High and Medium Assets and April 2017 for Low Assets.

Regulatory Compliance – Oil and Natural Gas

o US Department of Transportation in conjunction with US Department of Homeland Security’s Transportation Security Administration (TSA)

o TSA wrote the “Pipeline Security Guidelines” and published in April 2011.

  o Section 7 Cyber Asset Security Measures

  o Baseline Cyber Security Measures

  o Enhanced Cyber Security Measures

o TSA performs audits and reports results to US DOT.

o US DOT enforces regulation and levies fines.

Regulatory Compliance - Dams

o Federal Energy Regulatory Commission (FERC) has jurisdictional authority, granted by Congress, over non-public hydroelectric dams and facilities.

  o Provides cyber security guidelines

  o Cannot levy fines but can stop a company from selling electricity produced by the hydroelectric facility

Regulatory Compliance - Chemical

o US Department of Homeland Security developed and released the Chemical Facility Anti-Terrorism Standards in 2007.

o Risk-Based Performance Standards (RBPS)

  o RBPS8 covers cyber security requirements.

o RBPS address two primary risks.

  o Sabotage

  o Diversion

o Heavy fines

  o Divulging information about a CFATS tiered facility

  o Divulging information about Security Plans and Procedures

  o Not meeting RBPS requirements

Avoid Cyber Security Misconceptions

o Avoid the Air Gap Myth

o “We have a firewall!”

o “We’re just a small company, we’re not a target”

Shodan

o An industrial control system and network search engine

o http://www.shodanhq.com/

Shodan

Netsecuris

o A leading Managed Security Service Provider specializing in protecting Industrial Control, Financial Services, Healthcare, and Government network environments.

o Contact Information

  o Leonard Jacobs, MBA, CISSP

  o President/CEO

  o [email protected]

  o 952-641-1421

Questions and Answers

Thank you
