Tom Good - DuPont Automation and Process Control Engineering Consultant November 5, 2010 Addressing the Security of Industrial Automation and Control Systems

Tom Good - DuPont
Automation and Process Control Engineering Consultant
November 5, 2010

Addressing the Security of Industrial Automation and Control Systems


Speaker - Tom Good

• DuPont Engineering Department (Automation and Process Control Engineering Consultant - BS Chemical Engineering, Lehigh University, 1974)
• Work Experience –
  - 30 years of experience with systems integration projects.
  - For the past 9 years, emphasis has been on the security of ICS.
  - Currently leading DuPont’s internal process control security initiatives and compliance with DHS CFATS regulations
• Industry Activities –
  - Participant in several current ISA99 Working Groups
  - Past chair and major author of ANSI/ISA-99.02.01 (Security for Industrial Automation and Control Systems Security Program)
  - Member of the Chemical Sector Cyber Security Program

Agenda

• Life cycle cost model challenge – risk impact
• Sources of guidance
• New security recommendations – additional layers of protection
• Robust but not hardened – expectation of performance: reliable, robust, and hardened

Industrial Control Systems are a target

Changing threat landscape

• 2001 – 2011 “Carpet Bombing” attacks
  - Botnets, scams, scareware
  - Organized Crime dominated the news
    - Russian Mafia
  - Short term $ gain
    - Identity theft
    - Financial transfers
    - Credit card information
    - Extortion
• Occasional news of an ICS (Industrial Control System) incident
  - Most often collateral damage

Changing threat landscape – cont’d

• 2009 – 2011 Sophisticated, focused, “targeted attack” with a clear objective
• Rise of political activism
  - Wikileaks - 2010
  - LulzSec - 2011
    - Sony hack
    - CIA - Took CIA website offline
  - Anonymous – 2011
    - Announced capability to attack ICS using internally developed tools, power grid
• Rise of cyber warfare
  - Cyber attack on Estonia paralyzed the country’s Internet infrastructure

Changing threat landscape – cont’d

• ? – Present “Surgical precision” stealth attacks
  - Spear Phishing
  - Social Engineering
  - Stolen security certificates
• 2010 Stuxnet a wake-up call to process control practitioners
  - Fully automated
  - ICS are a target, attacks can be successful
• 2010 – Present APT (Advanced Persistent Threat) have been a wake-up call
  - Industry is now learning how much proprietary information has been pilfered over the last several years by the APT
  - RSA SecurID token algorithms stolen

Stuxnet – A game changer (June 2010)

• Fully automated worm designed to go after air-gapped process control assets
• Most sophisticated malicious code discovered to date
• Took 20 months for someone to discover its presence
• Infected around 100,000 hosts (60% located in Iran; India also very high)
• Target – Iran’s uranium enrichment centrifuges
• Creator – According to the NY Times – Israel and US Govt.

Stuxnet – propagation details

• Initial delivery –
  - USB drive to Russian systems integrator
  - Exploited 1st zero-day vulnerability to launch app even if auto-run is disabled
  - 2nd variant 1Q2010 using 2nd zero-day vulnerability (.lnk file)
• Established foothold in PC
  - Used valid stolen certificate from a chip manufacturer to avoid detection
  - Hid itself inside valid Windows files (encrypted code)
  - Code contains over 4000 functions
• Propagate – 4 different manners
  - Uncovers all user accounts and uses them to gain access to other computers via shares
  - Spreads to computers offering print sharing (3rd zero-day exploit)
  - Spreads using 4th zero-day vulnerability of Server Service

Stuxnet – propagation details cont’d

• Propagate cont’d
  - Looked for Siemens WinCC based code (WinCC and PCS7)
  - Used a Siemens internal system password that cannot be changed to log into the SQL server, transfer a version of Stuxnet and then execute it locally
  - Embedded itself into Siemens Step7 projects and auto-executes whenever the infected project file is opened
  - Uses peer-to-peer networking to update itself when phoning home doesn’t work
• Deliver payload
  - Secretly writes 40 blocks of code to Siemens PLCs

Stuxnet - payload

• Stuxnet targets specific frequency-converter drives, intercepts commands sent to the drives from the Siemens SCADA software, and replaces them with malicious commands to control the speed of a device, varying it wildly, but intermittently. Reported to play back normal state information to operators.
• It inventories a plant’s network and only springs to life if the plant has at least 33 frequency converter drives made by Fararo Paya in Teheran, Iran, or by the Finland-based Vacon.
  - If the number of drives from the Iranian firm exceeds the number from the Finnish firm, Stuxnet unleashes one sequence of events. If the Finnish drives outnumber the Iranian ones, a different sequence is initiated.
• Stuxnet targets only frequency drives running at high speeds — between 807 Hz and 1210 Hz. (Such high speeds are used only for select applications. “Frequency converter drives that output over 600 Hz are regulated for export in the United States by the Nuclear Regulatory Commission as they can be used for uranium enrichment.”)

Stuxnet - payload cont’d

• “Stuxnet changes the output frequency for short periods of time to 1410Hz and then to 2Hz and then to 1064Hz. Modification of the output frequency essentially sabotages the automation system from operating properly. Other parameter changes may also cause unexpected effects.” Recent articles hint at physical damage to the centrifuges.
• There is a long wait time between different stages of malicious processes initiated by the code — in some cases more than three weeks — indicating that the attackers were interested in sticking around undetected on the target system, rather than blowing something up in a manner that would attract notice.

Exploit discovery in ICS

[Chart from Sean McBride – S4 Conference 2012: exploit discovery in ICS; only the values 215 and 149 survived extraction]

Recent actions targeting ICS

• Stuxnet exploit mechanisms published 2010
• Duqu malware (2011)
• Specialized search engines
  - ERIPP and SHODAN developed to find PLC and DCS systems
• The GLEG Agora SCADA+ Exploit pack for Immunity’s CANVAS system is a collection of exploits written and compiled for industrial control system (ICS) products.
• Phishing campaign targeting Energy Sector and Gas Pipeline Sector (Sept – Oct. 2012)
• Target not known - Shamoon malware wiped the boot sector and disk of 30,000 PCs at Aramco in August 2012

So what should we do?

Making systems more secure

• Supplier responsibility
  - Certifications facilitate common measures of security but are expensive
  - Suppliers should start with “system hardening”
• User responsibility
  - New security recommendations
  - Users should adopt appropriate layers of security

What is ICS robustness?

• The ability of the industrial control system to continue to perform its intended function under perturbations or unusual conditions.
• Examples:
  - Maintain control when multiple alarms are tripped and annunciated.
  - Maintain control when switching to the redundant operating device.
  - Maintain control when a communications data packet is longer than expected (buffer overflow)
  - Maintain control when the operator console is receiving and logging many failed login requests (denial of service)
  - Maintain control when a server is receiving many “Ping” messages (Ping of death)
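An added example (not from the presentation) of the "packet longer than expected" case in code: a receiver for a hypothetical length-prefixed setpoint protocol that checks every declared length against the bytes actually received, rejects the bad packet with a recorded reason, and keeps the control loop running on the next packet. The frame layout, function code and setpoint limits are assumptions made for the example, and the traffic is constructed.

```python
"""Keeping control when a packet is longer than expected.

Added example, not from the presentation. The frame format (2-byte
big-endian payload length, 1-byte function code, payload), the function
code and the setpoint limits are a made-up protocol for illustration.
"""
import struct
from dataclasses import dataclass, field

MAX_PAYLOAD = 64                  # hypothetical protocol limit
HEADER = struct.Struct(">HB")     # declared payload length, function code
FUNC_WRITE_SETPOINT = 0x10        # hypothetical function code
SETPOINT_MIN, SETPOINT_MAX = 0.0, 100.0


@dataclass
class LoopState:
    setpoint: float = 50.0
    accepted: int = 0
    rejected: list = field(default_factory=list)   # (packet index, reason)


def make_packet(func, payload):
    """Build a well-formed frame; used only to construct sample traffic."""
    return HEADER.pack(len(payload), func) + payload


def validate(pkt):
    """Return (func, payload) or raise ValueError naming the defect.

    The declared length is checked against the bytes actually received, so
    an over-long declaration can never index past the end of the buffer.
    """
    if len(pkt) < HEADER.size:
        raise ValueError("truncated header")
    declared, func = HEADER.unpack_from(pkt)
    if declared > MAX_PAYLOAD:
        raise ValueError(f"declared length {declared} exceeds limit {MAX_PAYLOAD}")
    payload = pkt[HEADER.size:]
    if len(payload) != declared:
        raise ValueError(f"declared {declared} bytes but received {len(payload)}")
    return func, payload


def apply(state, func, payload):
    """Apply one validated command; range-check the value before using it."""
    if func != FUNC_WRITE_SETPOINT:
        raise ValueError(f"unsupported function 0x{func:02x}")
    if len(payload) != 4:
        raise ValueError("setpoint payload must be 4 bytes")
    (value,) = struct.unpack(">f", payload)
    if not SETPOINT_MIN <= value <= SETPOINT_MAX:
        raise ValueError(f"setpoint {value} outside {SETPOINT_MIN}..{SETPOINT_MAX}")
    state.setpoint = value


def run_loop(packets):
    """Process every packet; a bad one is recorded and skipped, never fatal."""
    state = LoopState()
    for i, pkt in enumerate(packets):
        try:
            func, payload = validate(pkt)
            apply(state, func, payload)
            state.accepted += 1
        except ValueError as err:
            state.rejected.append((i, str(err)))
    return state


def sample_traffic():
    """Constructed traffic: one good write followed by four malformed packets."""
    good = make_packet(FUNC_WRITE_SETPOINT, struct.pack(">f", 42.5))
    over_long = HEADER.pack(2000, FUNC_WRITE_SETPOINT) + b"\x00" * 8   # claims 2000 bytes
    mismatch = HEADER.pack(4, FUNC_WRITE_SETPOINT) + b"\x00" * 7       # claims 4, sends 7
    unknown = make_packet(0x7F, b"\x01")                               # unknown function
    out_of_range = make_packet(FUNC_WRITE_SETPOINT, struct.pack(">f", 500.0))
    return [good, over_long, mismatch, unknown, out_of_range]


if __name__ == "__main__":
    st = run_loop(sample_traffic())
    print(f"setpoint={st.setpoint} accepted={st.accepted}")
    for idx, reason in st.rejected:
        print(f"packet {idx} rejected: {reason}")
```

The point of the design is that the loop state after the malformed packets is exactly the state after the one good packet: the controller neither crashed nor applied a value it could not check.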

What is ICS hardening?

• Refers to reducing the industrial control system’s operating system surface of vulnerability.
• Vulnerabilities are constantly being found and fixed in software
• Until fixed (security hotfixes), security vulnerabilities are avenues for exploit
• Removing non-essential software and unnecessary user accounts, disabling or removing unnecessary services, changing default system accounts and passwords, etc.
  - Reduces risk
• Well recognized IT Industry Best Practice

Comparison – current situation

• Hardened
  - Different end use cases may require more or less software and services running
  - ICS Supplier does not necessarily feel accountable
  - Supplier should sell products already hardened
  - Provide guidance on how to harden installed devices
• Robust
  - Common expectations of performance under the circumstances
  - User expects robustness
  - ICS Supplier feels accountable and delivers this as part of the standard product

New security recommendations for ICS

• Changing threats are requiring additional mitigation strategies beyond the well recognized “layers of protection”


New layers – Detection & Response

ICS-CERT Recommendation                    Current industry layers of protection
Patching                                   Accepted – practice is mixed
Role based access control                  Accepted – general practice
Strong logon credential management         Accepted – extensive use of shared accts.
Network segmentation                       Accepted – general practice
Increased use of logging                   Not valued – minimally used
Audit network hosts for suspicious files   Not practiced
Preserve forensic data                     Not practiced – recovery focused
Incident response                          Recovery focused – from backups
Application Whitelisting                   Early introduction
Intrusion detection                        Very early introduction

Detection - Whitelisting

• New mindset
  - Anything new is suspect and requires investigation
  - “Guilty until proven innocent”
    - New file added to the device
    - Change in file size of a base-lined file
• Anti virus
  - “Innocent until proven guilty”
• Pros - Addresses zero day vulnerabilities/exploits
• Cons - False positives are likely
  - All alerts require follow-up action
  - Resources needed for follow-up

Detection – Intrusion Detection/Prevention

• Employed at the Host and Network level
• Any change from a defined baseline could be an indication of unwanted malicious activity
  - New communication source and destination
  - Higher than normal communication volume
  - New file added to the device
  - Change in file size of a base-lined file
  - New process started
  - Etc.
• Pros - Addresses zero day vulnerabilities/exploits and unauthorized use by an authenticated user
• Cons - False positives are likely
  - All alerts require follow-up action
  - Resources needed for follow-up
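An added example (not from the presentation, and not any product’s code) of the baseline mindset shared by the whitelisting and host intrusion detection slides: a golden-image inventory of path, size and SHA-256 is taken once, a later snapshot is compared against it, and every new, removed, grown or silently altered file becomes an alert that someone must investigate, while the execution decision allows only a file whose path and hash both match. Paths, file contents and the "engineering workstation" are constructed so the example runs offline; the same comparison applies unchanged to a process or service inventory.

```python
"""Whitelisting and host-baseline comparison (added example, not from the
presentation). Paths and file contents are constructed; on a real host the
inventory would be built from the file system and the process list.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    kind: str    # "new", "removed", "size_changed", "content_changed"
    item: str
    detail: str


def fingerprint_files(files):
    """Map path -> (size, sha256) for a dict of path -> bytes.

    On a real host, build `files` by walking the disk and reading each file
    in binary mode; the comparison logic below does not change.
    """
    return {p: (len(b), hashlib.sha256(b).hexdigest()) for p, b in files.items()}


def compare(baseline, current):
    """'Guilty until proven innocent': every deviation from the baseline is
    an alert. Size is checked first because it is the cheap signal the
    slides mention; an equal-size change is caught by the hash."""
    alerts = []
    for item, (size, digest) in current.items():
        if item not in baseline:
            alerts.append(Alert("new", item, f"{size} bytes, sha256 {digest[:12]}..."))
            continue
        base_size, base_digest = baseline[item]
        if size != base_size:
            alerts.append(Alert("size_changed", item, f"{base_size} -> {size} bytes"))
        elif digest != base_digest:
            alerts.append(Alert("content_changed", item, "same size, different sha256"))
    for item in baseline:
        if item not in current:
            alerts.append(Alert("removed", item, "present in baseline, missing now"))
    return alerts


def is_allowed(path, content, baseline):
    """Execution whitelist decision: only a file whose path *and* hash match
    the baseline may run. Anything else is denied, known-bad or merely unknown."""
    entry = baseline.get(path)
    return entry is not None and entry == (len(content), hashlib.sha256(content).hexdigest())


# Constructed "golden image" of an engineering workstation (not real files).
BASELINE_FILES = {
    "C:/Vendor/bin/hmi.exe": b"MZ\x90\x00" + b"hmi-runtime" * 100,
    "C:/Vendor/bin/help.chm": b"ITSF" + b"help" * 50,
    "C:/Projects/plant.prj": b"PROJECT v1 loop=FIC101 sp=50.0",
    "C:/Windows/System32/drivers/bus.sys": b"MZ\x90\x00" + b"bus-driver" * 80,
}

# Constructed later snapshot: the project file grew, a driver was altered in
# place without changing size, a new driver appeared, the help file is gone.
CURRENT_FILES = dict(BASELINE_FILES)
CURRENT_FILES["C:/Projects/plant.prj"] += b"\nINCLUDE extra.dll"
CURRENT_FILES["C:/Windows/System32/drivers/bus.sys"] = (
    b"MZ\x90\x00" + b"bus-driver" * 79 + b"bus-DRIVER")
CURRENT_FILES["C:/Windows/System32/drivers/unknown.sys"] = b"MZ\x90\x00" + b"?" * 40
del CURRENT_FILES["C:/Vendor/bin/help.chm"]


def demo():
    """Compare the constructed snapshot against the constructed baseline."""
    baseline = fingerprint_files(BASELINE_FILES)
    return compare(baseline, fingerprint_files(CURRENT_FILES))


if __name__ == "__main__":
    for a in demo():
        print(f"{a.kind:16} {a.item}  ({a.detail})")
```

Note what the slides’ "cons" look like here: the grown project file may well be a legitimate engineering change, but the tool cannot know that, so it raises the alert anyway and a person has to close it.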

Data mining logged information

• Proactive - looking for something unusual in device logs, correlation of separate events that indicate unwanted activity
• Reactive – incident occurred, follow-up forensics investigation
• Pros –
  - You can’t fix what you don’t know is happening
  - Can provide the chain of events leading to the incident/exploit
• Cons –
  - Logging consumes additional device resources
  - Data must be aggregated (additional $ for analysis devices, increased network load)
  - Need skilled resources to analyze information
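An added example (not from the presentation) of the proactive correlation the slide describes, run over constructed log lines: an operator-console authentication log is scanned for bursts of failed logins per source within a time window, a control-network firewall log is checked for conversations that are not in a learned baseline, and the two views are joined so that a source that first hammered the console and then opened unexpected connections is reported as one chain of events. The log formats, hosts, addresses and timestamps are all constructed for the example.

```python
"""Correlating device logs for unwanted activity (added example, not from
the presentation). Log formats, hosts and addresses are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed operator-console authentication log (syslog-like).
AUTH_LOG = """\
2012-10-03T02:14:01 hmi01 login: FAILED user=operator from=10.1.5.23
2012-10-03T02:14:03 hmi01 login: FAILED user=operator from=10.1.5.23
2012-10-03T02:14:04 hmi01 login: FAILED user=admin from=10.1.5.23
2012-10-03T02:14:06 hmi01 login: FAILED user=engineer from=10.1.5.23
2012-10-03T02:14:07 hmi01 login: FAILED user=operator from=10.1.5.23
2012-10-03T02:14:09 hmi01 login: OK user=operator from=10.1.5.23
2012-10-03T06:02:11 hmi01 login: FAILED user=operator from=10.1.2.7
2012-10-03T06:05:40 hmi01 login: OK user=operator from=10.1.2.7
"""

# Constructed connection log from the control-network firewall.
CONN_LOG = """\
2012-10-03T02:14:20 fw01 conn src=10.1.5.23 dst=10.1.0.10 dport=102
2012-10-03T02:14:21 fw01 conn src=10.1.5.23 dst=10.1.0.11 dport=102
2012-10-03T02:15:00 fw01 conn src=10.1.2.7 dst=10.1.0.10 dport=102
2012-10-03T02:15:30 fw01 conn src=10.1.5.23 dst=10.1.0.10 dport=1433
"""

# Baseline of expected conversations, learned during normal operation.
BASELINE_CONNS = {("10.1.2.7", "10.1.0.10", 102), ("10.1.2.7", "10.1.0.11", 102)}

AUTH_RE = re.compile(r"^(\S+) (\S+) login: (FAILED|OK) user=(\S+) from=(\S+)$")
CONN_RE = re.compile(r"^(\S+) (\S+) conn src=(\S+) dst=(\S+) dport=(\d+)$")


def failed_login_bursts(log, threshold=5, window=timedelta(seconds=60)):
    """Return (source, first_timestamp, count) once a source reaches
    `threshold` FAILED logins inside a sliding `window`; one alert per source."""
    recent = defaultdict(deque)
    alerts, fired = [], set()
    for line in log.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue                     # unparsed line: skip, never crash
        ts, _host, result, _user, src = m.groups()
        if result != "FAILED":
            continue
        t = datetime.fromisoformat(ts)
        q = recent[src]
        q.append(t)
        while q and t - q[0] > window:  # drop attempts older than the window
            q.popleft()
        if len(q) >= threshold and src not in fired:
            fired.add(src)
            alerts.append((src, q[0].isoformat(), len(q)))
    return alerts


def unexpected_connections(log, baseline):
    """Return the unique (src, dst, dport) triples not in the baseline, in order seen."""
    seen = []
    for line in log.splitlines():
        m = CONN_RE.match(line)
        if not m:
            continue
        _ts, _host, src, dst, dport = m.groups()
        key = (src, dst, int(dport))
        if key not in baseline and key not in seen:
            seen.append(key)
    return seen


def correlate(auth_log, conn_log, baseline):
    """Join the two views into one chain of events per suspicious source."""
    bursts = {src: (first, n) for src, first, n in failed_login_bursts(auth_log)}
    chains = defaultdict(list)
    for src, dst, dport in unexpected_connections(conn_log, baseline):
        if src in bursts:
            chains[src].append((dst, dport))
    return {src: {"failed_logins": bursts[src][1], "since": bursts[src][0],
                  "then_connected_to": conns} for src, conns in chains.items()}


if __name__ == "__main__":
    for src, chain in correlate(AUTH_LOG, CONN_LOG, BASELINE_CONNS).items():
        print(src, chain)
```

The lone failed login from 10.1.2.7 followed by a successful one never reaches the threshold and its traffic matches the baseline, so it produces nothing; that is the false-positive trade-off the slide’s cons refer to, tuned here by the threshold and window.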

Incident response team

• Trained individuals ready to respond to alerts/incidents and determine the proper course of action
  - Preserve forensic data
  - Assessment of alerts
  - Mitigation actions, remediation actions
  - Work with law enforcement agencies
• Team must integrate network, IT, and ICS skills
• Pros –
  - Leveraging a skilled team reduces $ for the corporation
• Cons –
  - Skilled team costs $, new expenditure

Need our ICS Suppliers to step up

• Embrace the new security technology tools
  - Whitelisting
  - Intrusion Detection/Prevention
  - Test compatibility
  - Offer services to support introduction and sustained security
• Design the systems to incorporate increased logging
• CERT Service - skilled incident response team to lead corrective action engagement

Where do we get guidance?

Sources of guidance

• US-CERT Control Systems Security Program (CSSP)
• ICS-CERT – Industrial Control Systems Cyber Emergency Response Team
• ISA99 Industrial Automation and Control Systems Security
• DHS Chemical Sector Industrial Control System Security Resource
  - CDs available
  - Roadmap to Secure Control Systems in the Chemical Sector
  - Roadmap to Secure Control Systems in the Water Sector
  - Roadmap to Secure Control Systems in the Energy Sector

Addressing the functional and security life cycle of ICS

ICS life cycle challenge

Usable life cycle as defined by the IT organization

ICS life cycle challenge

Functional life cycle as practiced by Operations

Examples: Windows 2000, Windows XP 1Q2014

ICS life cycle challenge

ICS Supplier and End-user must work together to develop an acceptable compromise on $

Must understand and make a risk based decision balancing the cost of refreshing the ICS devices against the cost of a potential consequence.

One option: Whitelisting as a compensating security measure.

Questions

Tom Good - DuPont
Automation and Process Control Engineering Consultant
November 5, 2010
Addressing the Security of ICS devices