Cybersecurity in Industrial Control Systems (ICS)

Juan Figueras, CISA

Upload: joan-figueras-tugas

Post on 16-Jan-2017


Page 1: Cybersecurity in Industrial Control Systems (ICS)

Juan Figueras, CISA


#ICSSecurity Juan Figueras (@JoanFiguerasT) #EUROCACS

AGENDA

• Introduction to Industrial Control Systems

• Security Concerns (Cyber Incidents, CERT)

• Threats and Vulnerabilities (ICS Exploitation, SHODAN)

• IT/OT Convergence (Security Principles, Countermeasures)

• Best Practices, Guidelines and Frameworks

Juan Figueras, CISA

Security & Privacy Consultant


ICS INTRODUCTION

Industrial processes

• Manufacturing

• Smart Grid

• Utilities

• Oil & Gas

• Transport

• Telecomm

• Chemicals


ICS DEFINITION

Industrial Control Systems (ICS) are command and control networks and systems designed to support industrial processes [1]

[1] ENISA “Protecting Industrial Control Systems. Recommendations for Europe and Member States” (2011)


ICS COMPONENTS

• IED – Intelligent Electronic Device

• RTU – Remote Terminal Units

• PLC – Programmable Logic Controllers

• DCS – Distributed Control Systems

• HMI – Human-Machine Interfaces

• SCADA – Supervisory Control and Data Acquisition


[Diagram of ICS components: SCADA, DCS, RTU, PLC, HMI, IED]


SECURITY CONCERNS

• Weak communication protocols

– Lack of authentication in most cases

– Lack of encryption

• Weak passwords

– Default passwords

– Insecure password management

• Poor QoS (Quality of Service)

– DoS “friendly”

• Internet connected web servers without protection

• Difficult or nonexistent patching

– “If it isn’t broke, don’t fix it”

– Extensive use of Windows XP


CYBER INCIDENTS

Each attack is listed with its year, description, vector, outcome and motivation.

• German Steel Mill Cyber Attack (2014)
– Description: Malware to gain access to the corporate network and then moved into the plant network
– Vector: Spear phishing email
– Outcome: Physical damage
– Motivation: Unknown

• DragonFly (2014)
– Description: Campaign against energy companies compromising ICS equipment
– Vector: SQL Injection & Remote Access Trojan
– Outcome: Sabotage
– Motivation: Espionage / Sabotage

• Telvent Canada attack (2012)
– Description: Access to SCADA Admin Tools
– Vector: Malware
– Outcome: New project files stolen
– Motivation: Information theft

• Stuxnet (2010)
– Description: Rootkit to take control of ICS of nuclear power plants
– Vector: Infected USB flash drive
– Outcome: Systems stop
– Motivation: Sabotage

• Baku – Tbilisi – Ceyhan (BTC) pipeline attack (2009)
– Description: Access to the pipeline’s control system to suppress alarms and manipulate the process
– Vector: Physical access to network
– Outcome: Temporary disruption in pipeline transfers
– Motivation: Geopolitics (?)


ICS-CERT MONITOR

245 incidents received by ICS-CERT in 2014 [2]

[2] ICS-CERT Monitor, September 2014 - February 2015, NCCIC


ICS-CERT MONITOR

245 incidents received by ICS-CERT in 2014

• Unauthorized access and exploitation of Internet facing ICS/Supervisory Control and Data Acquisition (SCADA) devices

• Exploitation of zero-day vulnerabilities in control system devices and software

• Malware infections within air-gapped control system networks

• SQL injection via exploitation of web application vulnerabilities

• Network scanning and probing

• Lateral movement between network zones

• Targeted spear-phishing campaigns


ICS EXPLOITATION: SHODAN DEMO (I)

Gathering information


ICS EXPLOITATION

Project SHINE uncovered that over 1 million SCADA / ICS systems are connected to the internet with unique IPs, and this figure is growing by between 2000 and 8000 per day.


ICS EXPLOITATION: SHODAN DEMO (II)

Common ICS ports

port 102 Siemens S7

port 502 Modbus

port 789 Red Lion

port 20000 DNP3

port 34980 EtherCAT

port 34962 PROFINET

port 44818 EtherNet/IP

port 47808 BACnet/IP


ICS EXPLOITATION

Open Sourced Vulnerability Database (http://www.osvdb.org)


IT/OT CONVERGENCE

«The purpose of ENTERPRISE security is to protect the data residing in the servers from attack.

The purpose of ICS security is to protect the ability of the facility to safely and securely operate, regardless of what may befall the rest of the network» [3]

[3] Weiss, Joe; “Assuring Industrial Control Systems (ICS) Cyber Security”


SECURITY PRINCIPLES (IT vs. OT)

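[Figure: relative importance of confidentiality, integrity and availability]

• IT Systems (Business): importance decreases from confidentiality to integrity to availability

• OT Systems (ICS): importance increases from confidentiality to integrity to availability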


ISA95: ENTERPRISE – CONTROL SYSTEM INTEGRATION

[Diagram: ISA95 levels, top to bottom]

• Level 4: ERP, CRM, BI – Business Planning & Logistics

• Level 3: MES, Batch, Historian – Manufacturing Operations

• Level 2: HMI, SCADA

• Level 1: I/O, Devices and Sensors

• Level 0: Production Process

Other labels in the diagram: PLCs, DCS; Manufacturing Control and Monitoring; Device Networks, Automation Networks, Operations Networks, Business Networks


COUNTERMEASURES [4]

1. Assess existing systems: Understand risk and prioritize vulnerabilities

2. Document policies and procedures: Determine position regarding ICS and develop company-specific policies

3. Train personnel and contractors: Develop and institute policy awareness and training programs

4. Segment the control system network: Create distinct network segments and isolate critical parts of the system using a “zone and conduit” model

5. Control access to the system: Provide physical and logistical access controls to both your zones and equipment

6. Harden the components of the system: Lock down the functionality of components

7. Monitor and maintain the system: Update antivirus signatures, install patches, and monitor the system for suspicious activity

[4] Byres, Eric; “The Industrial Cybersecurity Problem” – ISA White Paper
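
As an added example (not part of the original slides), the check below applies the “zone and conduit” model from countermeasure 4 to the common ICS ports listed earlier: it flags flow records that reach an ICS protocol port outside an approved conduit. The zone names, address ranges, conduit list and sample flows are assumptions constructed for illustration.

```python
import ipaddress

# Ports from the "Common ICS ports" slide.
ICS_PORTS = {102: "Siemens S7", 502: "Modbus", 789: "Red Lion", 20000: "DNP3",
             34980: "EtherCAT", 34962: "PROFINET", 44818: "EtherNet/IP",
             47808: "BACnet/IP"}

# Hypothetical zone map (assumption): constructed address ranges, not from the slides.
ZONES = {
    "control": ipaddress.ip_network("10.10.0.0/16"),      # PLCs, RTUs, IEDs
    "supervisory": ipaddress.ip_network("10.20.0.0/16"),  # HMI, SCADA
    "operations": ipaddress.ip_network("10.30.0.0/16"),   # MES, historian
    "business": ipaddress.ip_network("10.40.0.0/16"),     # ERP, CRM, BI
}

# Approved conduits (assumption): zone pairs allowed to carry ICS protocols.
CONDUITS = {("supervisory", "control"), ("control", "control")}


def zone_of(addr):
    """Map an IP address to its zone; anything unmapped is 'external'."""
    ip = ipaddress.ip_address(addr)
    return next((name for name, net in ZONES.items() if ip in net), "external")


def audit_flows(flows):
    """Return one finding per flow that reaches an ICS port outside a conduit."""
    findings = []
    for src, dst, port in flows:
        if port not in ICS_PORTS:
            continue  # not an ICS protocol port, out of scope for this check
        pair = (zone_of(src), zone_of(dst))
        if pair in CONDUITS:
            continue
        findings.append({
            "src": src, "dst": dst, "protocol": ICS_PORTS[port],
            "src_zone": pair[0], "dst_zone": pair[1],
            # A source outside every defined zone (e.g. the Internet) ranks highest.
            "severity": "critical" if pair[0] == "external" else "high",
        })
    return findings


# Constructed sample flow records: (source IP, destination IP, destination port).
SAMPLE_FLOWS = [
    ("10.20.1.5", "10.10.3.7", 502),       # HMI -> PLC over Modbus: approved conduit
    ("10.40.8.9", "10.10.3.7", 502),       # business PC -> PLC: bypasses the conduit
    ("203.0.113.50", "10.10.3.9", 44818),  # external -> PLC: Internet-facing device
    ("10.40.8.9", "10.30.2.2", 443),       # business -> historian HTTPS: ignored
]

if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS):
        print(finding)
```
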


BEST PRACTICES & GUIDELINES

• ISA99/IEC 62443: Security for Industrial Automation and Control Systems

• NIST SP 800-82: Guide to Industrial Control Systems (ICS) Security

• ENISA Report (2011): Protecting Industrial Control Systems. Recommendations for Europe and Member States

• IIC Technical Paper (2015): Industrial Internet Reference Architecture


FRAMEWORK: COBIT 5

Implementing NIST Cybersecurity Framework Using COBIT 5


ICS SECURITY FRAMEWORK

Standards Leveraged for IACS Cybersecurity Framework Example [5]

[5] Alcoforado, Ivan; “Leveraging Industrial Standards to Address Industrial Cybersecurity Risk”; ISACA Journal, Volume 4, 2016


THANK YOU!

Juan Figueras, CISA

Security & Privacy Consultant

@JoanFiguerasT