scada security assessment methodology, the malaysia experience · assessment methodology, the...

SCADA SECURITY ASSESSMENT METHODOLOGY, THE MALAYSIA EXPERIENCE

Muhammad Reza Shariff

Security Assurance

Table of Contents

• Introduction

• Our Experience

• Preparation

• Approach and Methodology

• Tools for the Assessment

• Step by Step Assessment

• Top 5 Common Vulnerabilities Found

• Conclusion

2Copyright © 2013 CyberSecurity Malaysia

Introduction

Copyright © 2013 CyberSecurity Malaysia3

Introduction

Began its operation in 1997 as the Malaysian Computer Emergency Response Team (MyCERT) and renamed CyberSecurity Malaysia in 2007

Mandated and positioned itself as the national cyber security specialist under the Ministry of Science, Technology and Innovation (MOSTI)

It also provides safety tips, advisories, and specialized services in the fields of cyber security such as Digital Forensics, Security Assessment and Security Management and Best Practices


Our Expertise and Specialization

Malaysia's Computer Emergency Response Team (MyCERT) / Cyber999 Service

Security Assurance & Product Evaluation using Common Criteria Standard

Cyber Security Training and Professional CertificationOutreach, Awareness, and Social Responsibility Programs

Digital Forensics & Data Recovery Services

Security Management and Best Practice

Cyber Security Strategic Policy and Legal Research


Our Experiences


Our Experience 2013

7

Control System Security

Assessment(Total 7 + 2)

Oil & GasWater Works

AirportShipping

Port

Copyright © 2013 CyberSecurity Malaysia

Preparation for the

assessment


Preparation Prior to the

Assessment

Ensure Stakeholder Buy

In

Define Scope and Duration

Define Prerequisite (Eq.

HSSE Training)

Project Charter and NDA

To Confirm Project Manager

(Client side)


Other Preparation

Hardware ready: Long cross cables,

fully charged notebooks, camera, torch lights, hubs,

etc

Customize Checklist -Know what

to do

Test the tools (at the

office)


Entering a SCADA

installation may requires strict

and limited working

permits. Having the necessary

hardware / tools required

beforehand is important.

Approach & Methodology



ISA99

• Industrial Automation and Control Systems Security

ISMS 27001

• ISO/IEC 27001 Information Security Management System (ISMS)

Customize

• Vulnerability Assessment and Penetration Testing (VAPT)



13


• Define project scope and terms of reference

•Define restrictions e.g. operating hours, tolerable downtime

(if any) etc.

•Customization of assessment procedures

• Information gathering

•Logistics


STA

GE

1PROJECT PLANNING AND INITIATION


•Check desktop / server role and compare against services

running

• Check patch level

• Check permission on critical directories

• Check logging / Anti Virus

*Request for SCADA Engineer / Contractor, for better

understanding of the system


STA

GE

2DESKTOP AND SERVER SECURITY ASSESSMENT


• Assessment on SCADA, RTU and PLC

• Check patch level

• Check connection type and communication

• Testing of register / coils

• No checking on program logics

*Request for SCADA Engineer / Contractor, for better

understanding of the system


STA

GE

3SCADA SECURITY ASSESSMENT


•Review current network architecture design

•Conduct assessment on Network device configurations

•Network sniffing

*Request for client to send a formal request to

Telecommunication Company for the network configurations


STA

GE

4NETWORK ARCHITECTURE REVIEW & SECURITY

ASSESSMENT


•Conduct physical assessment

•Check on the current policy


STA

GE

5PHYSICAL ASSESSMENT


•Analysis of Findings

• Identify Risk Rating

•Consolidate Reports


STA

GE

6CSSA REPORT

Tools for Assessment


Tools Used

• Nessus, ModScan, Wireshark & TCPDump

• MBSA, Customize Scripts & Nipper

• Solarwinds, Putty, Telnet, Nmap & Netcat

Non Intrusive

• Nessus, Metasploit

• Nmap & NetcatIntrusive

• Snapshots tools, Digital Cameras

• Wordpad (MSword change the file headers)

• TruecryptOthers


Nessus

22

Nessus

23

Nessus

24

Nessus

25

Metasploit


ModScan 32


Best Practices for Tools

Clients are aware of the tools being used and its impact

Tools has been tested

Analyst are confident and well versed with the tools

Able to eliminate false positive findings

Tools are meant to make your work faster not easier


Step by Step Assessment


Desktop & Server Assessment

Interview Owner

• Maintenance and Corrective Preventive

• Log Book

• Purpose and Function of Machine

• Review Policy (if any)

Physical Assessment

• Check Physical Connection (Eth)

• External Drive Functionality (USB\CDROM)

• Hard Disk Space

• Backup System

OS and Application Assessment

• MBSA / Scripts

• Patch Level

• ACL

• Password

• Anti Virus

• Review of Programs / Application / Services (eg IIS, PDF, etc)

• Review of Ports


SCADA Security Assessment

Interview Owner

• Maintenance and Corrective Preventive

• Log Book

• Purpose and Function of SCADA/RTU/PLC

• Review Policy (if any)

Physical Assessment

• Check Physical Connection (UTP/Fibre/etc)

• Available Physical Ports

• Power System / Grounding

Application Assessment

• Web Functionality

• Patch Level

• ACL

• Password

• Review of Ports

• Coil / Register


Network Architecture Review

Interview Owner

• Review Current Network Design

• Review Devices Functionality Review

• Policy (if any)

Physical Assessment

• Map Current Network Design

• Review Network Segregation

• Test for external and internal (corporate) connection


Network Security Assessment

Interview Owner

• Review Current Network Design

• Review Devices Functionality Review

• Request for scripts, configuration, & rules

• Policy (if any)

Physical Assessment

• Check Physical Connection (UTP/Fibre/etc)

• Available Physical Ports

• Network Sniffing

Device Assessment

• Web Functionality

• Patch Level

• ACL

• Password

• Review of Ports

• Access Common Management Ports (SSH, Telnet, Snmp, ftp)

• Review Routing Table


Physical Assessment

Interview Owner

• Security of the Current Installation

• Review Security Policy or Standards being applied

Physical Assessment

• Site Walk

• Locate all possible entrance to Command Control Room, RTU, PLC and Connection

• Check on all door access, windows and it security

• Check on the Riser Room


Top 5 Common Vulnerabilities

Found


36


SCADA Security Policy Issues

37

Applying Corporate IT Policy

Lack of Enforcement

No or Incomplete SCADA Security Policy


38


Password Issues

39

No Access Control List

Default Password

All for One


PLC Web Enabled - Password


Annuaire.XML for Topkapi


Hardcoded Password in the Registry


43


Network Architecture and Design

44

Web Enabled RTU and PLC

Active Ports Available

No Segregation of Network


Coils Read & Write


46


Antivirus Issues

47

Fear of System Disruption

Missing AV or Updates

False Sense of Security – Closed Network


Antivirus Issues


49


Operating System & Applications

50

No Hardening

Obsolete OS, Missing Patches & Services Packs

Vulnerable to Malware, DOS, Hacking, & etc


Obsolete System


Conclusion

1• Stakeholder BUY IN is important

• Know the chain of command, who is the Project Manager (Client Side)

2• SCADA Assessment are similar to common security assessment

• Commercial of the shelf (COTS) tools are commonly being used

3

• Experienced Analyst needed, SCADA are delicate and some obsolete systems do exist

• Manual assessment are sometime needed, where minimum use of tools


Good References

• NIST Special Publication 800-53A

http://csrc.nist.gov/publications/nistpubs/800-

53A-rev1/sp800-53A-rev1-final.pdf

• ISA99

http://www.isa.org/MSTemplate.cfm?MicrositeID

=988&CommitteeID=6821


Contacts

[email protected]

[email protected]


scada security assessment methodology, the malaysia experience · assessment methodology, the...

Documents