security vulnerabilities: stay one step ahead
Post on 11-Sep-2014
DESCRIPTION
exida webinar that explores strategies that automation system suppliers can employ to improve the inherent security of their products while also staying one step ahead of the researchers who aim to expose their flaws. These strategies can also be useful in preparing to react to vulnerabilities found either internally or externally. We will also discuss suggestions for how end-users can enhance the security of their installed systems and respond to news of vulnerabilities found in the products they use.
TRANSCRIPT
ICS Security Vulnerabilities: Stay One Step Ahead
We help our clients improve the safety, security and availability of their automation systems
Copyright © 2010 - exida
John A. Cusimano, CFSE, CISSP
• Director of Security Solutions for exida
• 20+ years experience in industrial automation
• Employment History:
  − Eastman Kodak
  − Moore Products
  − Siemens
• Certifications:
  − CFSE, Certified Functional Safety Expert
  − CISSP, Certified Information Systems Security Professional
• Industry Associations:
  − ISA S99 Committee (WG4, WG5, WG7, WG8)
  − ISA S84 Committee (WG9)
  − ISA Security Compliance Institute
  − ICSJWG Workforce Development & Vendor Subgroups
Agenda
• Situation
• Recommended Strategy for Suppliers
• Recommended Strategy for End Users
Situation
• ICS products have rapidly evolved to incorporate COTS technology
• Security was not a big concern in ICS environment until recently
• Most ICS vendors do not follow a mature security development lifecycle
• Security researcher community has suddenly become aware of the ICS market
• They are having success at finding and publishing vulnerabilities
Stuxnet Response
“Addressing Stuxnet goes beyond using quality security controls. The industry needs to demand higher quality software that is free from defects. Companies who develop products and write code need to continue to mature their development processes to become more secure.”
Mark Weatherford, Vice President and Chief Security Officer, NERC
Software related SCADA incidents
• Software Vendor Patch Crashes SCADA System
• Computer Glitch Causes Major Power Outage
• Faulty Software Causes Torrens Lake Drain
• SCADA System Collapse Leads to Tunnel Closure
• Computer Software Faults May Have Caused Chinook Helicopter Crash
• Gas Leak Caused by Computer Malfunction
Incidents from the Repository of Industrial Security Incidents (RISI) database (www.securityincidents.org)
Luigi Auriemma
• March 21, 2011
• Independent security researcher Luigi Auriemma published 34 zero-day vulnerabilities affecting 4 different SCADA/HMI products:
  – Iconics Genesis32 v9.21 and Genesis64 v10.51 (13)
  – Siemens Tecnomatix FactoryLink v8.0.1.1473 (6)
  – DATAC RealWin 2.1 build 6.1.10.10 (7)
  – 7-Technologies IGSS v9.00.00.11059 (8)
• Included code and commands to exploit the vulnerabilities
• Vulnerabilities include stack and heap overflows, integer overflows, arbitrary commands execution, format strings, double and arbitrary memory frees, memory corruptions, directory traversals, design problems, etc.
Gleg Ltd. SCADA+ Pack
• Moscow-based security firm, Gleg Ltd., recently began selling an exploit pack called SCADA+ Pack
• Includes both previously known and zero-day SCADA vulnerabilities
  – Atvise SCADA (zero-day)
  – Control Microsystems ClearScada (zero-day)
  – DataRate SCADA WebControl and RuntimeHost (zero-day)
  – Indusoft SCADA Webstudio (zero-day)
  – ITS SCADA
  – Automated Solutions Modbus/TCP OPC Server
  – BACnet OPC client Advantech Studio Web server
  – Iconics Genesis
Rubén Santamarta
• April 4, 2011
• Independent security researcher, Rubén Santamarta, identified an RPC vulnerability in Advantech/BroadWin WebAccess, a web browser-based HMI product
• The vulnerability affects the WebAccess Network Service on 4592/TCP and allows remote code execution
• Rubén reported to ICS-CERT and publicly released details of the vulnerability including exploit code and instructions on how to use it
Others
• Joel Langill of SCADAhacker.com has responsibly disclosed several zero-day vulnerabilities with exploits to ICS-CERT and the affected vendors
• Steve James of exploited security recently notified ICS-CERT of a vulnerability in AGG OPC SCADAViewer
Dillon Beresford
• May 9, 2011
• Security researcher Dillon Beresford of NSS Labs reported several security vulnerabilities on the Siemens S7 PLC to ICS-CERT and Siemens, including proof-of-concept exploit code
• On May 18th he was asked to cancel his scheduled demonstration at the TakeDownCon security conference
• He later presented his findings at Austin Hackers Anonymous on May 26th
• Beresford claims to be able to produce a Linux shell on the PLC and have root level access to the OS
Exploit Hub
• Marketplace for validated, non-zero-day exploits
• iPhone App-Store style marketplace for security researchers to sell their exploits
Recommended Strategy for Suppliers
Recommended Strategy for Automation Suppliers
• Integrate security into development lifecycle (SDL)
• Evaluate existing products
• Specific testing for security vulnerabilities
• 3rd party evaluation
• Be prepared to respond to a disclosure
Incorporating Security into the Software Development Lifecycle
[Figure: lifecycle diagram. Recoverable labels: Security Training; Security Requirements; Security Architecture Design; Security Risk Assessment and Threat Modeling; Security Coding Guidelines; Security Code Reviews & Static Analysis; Security Testing; Fuzz testing, Abuse case testing; Security Validation Testing; Security Response Planning and Execution]
Guidance
• Microsoft - The Security Development Lifecycle [1]
• DACS - Enhancing the Development Life Cycle to Produce Secure Software [2]
• DHS – “Build Security In” [3]
• ISASecure – Software Development Security Assessment (SDSA) specification [4]
1. Howard, Michael, and Steve Lipner. The Security Development Lifecycle: SDL, a Process for Developing Demonstrably More Secure Software. Redmond, WA: Microsoft, 2006. Print.
2. Goertzel, Karen, Theodore Winograd, et al. for Department of Homeland Security and Department of Defense Data and Analysis Center for Software. Enhancing the Development Life Cycle to Produce Secure Software: A Reference Guidebook on Software Assurance, October 2008
3. https://buildsecurityin.us-cert.gov/bsi/home.html
4. www.isasecure.org ESDA-312 Software Development Security Assessment (v1_4) (SDSA)
Threat Modeling
• Identify critical assets and interfaces
• Create an architecture overview
• Identify trust boundaries
• Identify and rate threats
• Identify vulnerabilities
• Identify existing mitigations
• Quantify residual risk
Security Integration Testing
• Fuzz testing
  – Software testing technique, often automated or semi-automated, that involves providing invalid, unexpected, or random data to the inputs of a computer program. The program is then monitored for exceptions such as crashes or failing built-in code assertions.
• White box testing for security (abuse case)
  – Based on knowledge of how the system is implemented
  – Comprehend and analyze security
  – Create tests to exploit software
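
The fuzz-testing loop described on this slide, as an added example that is not part of the original webinar: a small mutation fuzzer run against a toy frame parser in a naive and a hardened form, counting unhandled exceptions as findings. The frame format, function names and seed frame are constructed for illustration.

```python
import random
import struct

class FrameError(ValueError):
    """Clean rejection of a malformed frame: expected behaviour, not a finding."""

def make_frame(func: int, payload: bytes) -> bytes:
    # Constructed toy format: 1-byte function, 2-byte big-endian length, payload, 1-byte checksum.
    return struct.pack(">BH", func, len(payload)) + payload + bytes([sum(payload) & 0xFF])

def parse_frame_naive(data: bytes) -> dict:
    func, length = struct.unpack(">BH", data[:3])    # struct.error on frames under 3 bytes
    payload = data[3:3 + length]
    if data[3 + length] != sum(payload) & 0xFF:       # IndexError when the length field lies
        raise FrameError("bad checksum")
    return {"func": func, "payload": payload}

def parse_frame_hardened(data: bytes) -> dict:
    if len(data) < 4:
        raise FrameError("frame too short")
    func, length = struct.unpack(">BH", data[:3])
    if len(data) != 3 + length + 1:
        raise FrameError("length field does not match frame size")
    payload = data[3:3 + length]
    if data[-1] != sum(payload) & 0xFF:
        raise FrameError("bad checksum")
    return {"func": func, "payload": payload}

def mutate(seed: bytes, rng: random.Random) -> bytes:
    data = bytearray(seed)
    kind = rng.randrange(3)
    if kind == 0:                                     # flip one bit
        data[rng.randrange(len(data))] ^= 1 << rng.randrange(8)
    elif kind == 1:                                   # truncate
        del data[rng.randrange(len(data)):]
    else:                                             # insert 1-4 random bytes
        pos = rng.randrange(len(data) + 1)
        data[pos:pos] = bytes(rng.randrange(256) for _ in range(rng.randint(1, 4)))
    return bytes(data)

def fuzz(parser, seed: bytes, iterations: int = 2000, rng_seed: int = 1) -> list:
    rng = random.Random(rng_seed)                     # fixed seed keeps findings reproducible
    findings = []
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            parser(case)
        except FrameError:
            continue                                  # handled rejection
        except Exception as exc:                      # anything else is a robustness defect
            findings.append((type(exc).__name__, case.hex()))
    return findings

SEED = make_frame(0x03, b"\x00\x10\x00\x02")          # constructed valid frame

if __name__ == "__main__":
    for name, parser in (("naive", parse_frame_naive), ("hardened", parse_frame_hardened)):
        print(name, len(fuzz(parser, SEED)), "unhandled exceptions")
```

Each finding keeps the hex of the input that triggered it, so the case can be replayed as a regression test once the parser is fixed.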
Response Planning
• Acknowledge the issue
• Be open and forthright
• Analyze the risk
• Develop a mitigation plan
• Responsibly notify customers
Recommended Strategy for End-Users
THE 7 THINGS
1. ASSESSMENT
2. POLICY & PROCEDURE
3. AWARENESS & TRAINING
4. NETWORK SEGMENTATION
5. ACCESS CONTROL
6. SYSTEM HARDENING
7. MONITOR & MAINTAIN
ASSESS EXISTING SYSTEMS
• Perform control system security assessments of existing systems
• Identify critical control system assets
• Compare current control system design, architecture, policies and practices to standards & best practices
• Identify risks, gaps and provide recommendations for closure
• Benefits:
  – Provides management with solid understanding of current situation, gaps and path forward
  – Helps identify and prioritize investments
  – First step in developing a security management program
POLICY & PROCEDURE
• Establish control system security policies & procedures
  – Scope
  – Management Support
  – Roles & Responsibilities
  – Specific Policies
    • Remote access
    • Portable media
    • Patch mgmt
    • Anti-virus management
    • Change Management
    • Backup & Restore
    • Incident Response
  – References
ANSI/ISA S99.02.01-2009 Establishing an IACS Security Program
AWARENESS & TRAINING
• Make sure personnel are aware of the importance of security and company policies
• Provide role-based training
  – Visitors
  – Contractors
  – New hires
  – Operations
  – Maintenance
  – Engineering
  – Management
NETWORK SEGMENTATION
• Defense-in-Depth strategy
• Partition the system into distinct security zones
  – Logical grouping of assets sharing common security requirements
  – There can be zones within zones, or subzones, that provide layered security
  – Zones can be defined physically and/or logically
• Define security objectives and strategy for each zone
  – Physical
  – Logical
• Create secure conduits for zone-to-zone communications
  – Install boundary or edge devices where communications enter or leave a zone to provide monitoring and control capability over which data flows are permitted or denied between particular zones.
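
The zone and conduit model on this slide, as an added example that is not part of the original webinar: flows inside a zone pass, flows between zones pass only over a defined conduit, and everything else is denied. The zone names, subnets, conduit list and flow records are constructed for illustration.

```python
import ipaddress

# Constructed zone model: zone name -> subnet. "safety" is a subzone nested inside "control".
ZONES = {
    "enterprise": ipaddress.ip_network("10.10.0.0/16"),
    "dmz":        ipaddress.ip_network("10.20.0.0/24"),
    "control":    ipaddress.ip_network("10.30.0.0/16"),
    "safety":     ipaddress.ip_network("10.30.99.0/24"),
}

# Conduits: the only zone-to-zone flows a boundary device should permit (constructed).
CONDUITS = {
    ("enterprise", "dmz", "tcp", 443),
    ("dmz", "control", "tcp", 4840),
    ("control", "safety", "tcp", 502),
}

def zone_of(ip: str) -> str:
    """Return the most specific zone containing ip, so a subzone wins over its parent."""
    addr = ipaddress.ip_address(ip)
    matches = [(net.prefixlen, name) for name, net in ZONES.items() if addr in net]
    return max(matches)[1] if matches else "untrusted"

def evaluate(flow: dict) -> tuple:
    """Decide one flow: intra-zone is permitted, inter-zone needs a matching conduit."""
    src, dst = zone_of(flow["src"]), zone_of(flow["dst"])
    if src == dst:
        return ("permit", f"intra-zone ({src})")
    if (src, dst, flow["proto"], flow["port"]) in CONDUITS:
        return ("permit", f"conduit {src}->{dst}")
    return ("deny", f"no conduit {src}->{dst} {flow['proto']}/{flow['port']}")

def audit(flows: list) -> list:
    """Return (flow, reason) for every flow the zone model does not allow."""
    denied = []
    for flow in flows:
        verdict, reason = evaluate(flow)
        if verdict == "deny":
            denied.append((flow, reason))
    return denied

# Constructed flow records, as a boundary device or flow collector might export them.
FLOWS = [
    {"src": "10.20.0.5",   "dst": "10.30.1.10", "proto": "tcp", "port": 4840},
    {"src": "10.10.5.20",  "dst": "10.30.1.15", "proto": "tcp", "port": 502},
    {"src": "10.30.1.15",  "dst": "10.30.99.4", "proto": "tcp", "port": 502},
    {"src": "10.30.1.15",  "dst": "10.30.99.4", "proto": "tcp", "port": 22},
    {"src": "10.30.1.15",  "dst": "10.30.1.16", "proto": "tcp", "port": 102},
    {"src": "203.0.113.9", "dst": "10.20.0.5",  "proto": "tcp", "port": 443},
]

if __name__ == "__main__":
    for flow, reason in audit(FLOWS):
        print(flow["src"], "->", flow["dst"], reason)
```

Run over exported flow logs, the same check shows where observed traffic departs from the intended zone design before rules are enforced on the boundary device.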
ACCESS CONTROL
• Control and monitor access to control system resources
• Logical & Physical
• AAA
  – Administration
  – Authentication
  – Authorization
• Review
  – Who has access?
  – To what resources?
  – With what privileges?
  – How is it enforced?
• Zone-by-zone
• Asset-by-Asset
• Role-by-Role
• Person-by-Person
SYSTEM HARDENING
• Remove or disable unused communication ports
• Remove unnecessary applications and services
• Apply patches when and where possible
• Consider ‘whitelisting’ tools
• Use ISASecure™ certified products
MONITOR & MAINTAIN
• Install vendor recommended anti-virus and update signatures regularly
• Review system logs periodically
• Consider Intrusion Detection (IDS) or Host Intrusion Prevention (HIPS)
• Pen testing (offline only)
• Periodic assessments
Exida Security Services
Supplier Services
• Certifications
  – ISASecure™ EDSA Certification
  – Achilles Certified Communications™ Certification
• Gap Analysis
  – Software Development Security Assurance Assessment
• Training & Workshops
  – Secure Software Development for ICS Products
  – Threat Modeling Workshop
  – Secure Coding Workshop
  – Security Integration Testing
End User Services
• Control System Security Assessments
• Security Policy / Procedure Development
• FAT/SAT Security Assessments
• Training & Workshops