"What? You didn't know Computers Control you? / ICS and SCADA"
"What? You didn't know Computers Control you? / ICS and SCADA"
March 2, 2015. Start Time: 9am US Pacific / 12 noon US Eastern / 5pm London Time
#ISSAWebConf
Welcome
Conference Moderator: James McQuiggan, CISSP, Program Manager, NERC CIP, Siemens
Speaker Introduction
• Del Rodillas - ICS & SCADA Solution Lead, Palo Alto Networks
• Mario Chiock - CISSP, CISM & CISA, API Chair Security Sub-Committee
• Dr. Stefano Zanero, PhD - International Director, ISSA, Chairman, Secure Network
• Remember to type in your question in the Chat area of your screen. You may need to click on the double arrows to open this function.
Exposing Common Myths Around Cyberthreats to SCADA and ICS
Del Rodillas, ICS & SCADA Solution Lead, Palo Alto Networks
Webinar Goals
• Shed light on prevailing ICS cybersecurity myths
– Real-world examples to highlight the real risks
• Present some good practices and technologies to better secure ICS
– Basic block-and-tackle concepts
– Next-generation technologies for better defense-in-depth
Myth #1
ICS cyber incidents haven’t damaged critical infrastructure
• ~400 incidents world-wide
– Most unintentional
– Some malicious attacks
– Impacts range from trivial to major outages to equipment damage to deaths
– Most not identified as cyber
German Steel Factory Cyberattack
• Involved spear phishing and sophisticated social engineering techniques to access the business network, then pivot into the plant
• Evidence of attacker’s strong knowledge of IT security and industrial control systems
• After the attack, individual components or even entire systems started to fail frequently
• One of the plant’s blast furnaces could not be shut down in a controlled manner, which resulted in “massive damage to plant.”
(Image: blast furnace)
Myth #2
You can air-gap industrial control systems
(Diagram: the Industrial Control System is connected to the Business Network, Partners, Other Plants/Facilities and 3rd Party Support)
Myth #3
External, malicious threats are the only concern
(Diagram: the Industrial Control System faces Malicious Insider Attacks and Unintended Cyber Incidents)
The Real World View
• Examples
– Insider attack – Maroochy Shire wastewater spill
– Nation-state cyber attack – Stuxnet
– Unintended cyber incident – San Bruno natural gas pipeline rupture
• Key Points
– Visibility and segmentation are key
– Both for external and internal traffic
Security Checklist
• Create security zones vs. just having a single, flat network
• Apply a zero-trust approach with all sources of traffic, external or internal
• Assume a least-privilege approach to network access control
• Audit all traffic to ensure proper use or to detect anomalous use
• Use technologies that allow you to have the proper visibility and control
Myth #4
Firewalls are all you need to be secure
(Diagram: ICS connected to the Business Network, Partners, Other Plants/Facilities and 3rd Party Support)
Myth #5
VPN/Encryption technology makes me secure
(Diagram: ICS connected over VPNs to the Business Network, Partners, Other Plants/Facilities and 3rd Party Support)
The Real World View
• Telvent breach
– Many asset owners had VPN connection to Telvent, putting their ICS networks at risk
• Legacy firewalls are no longer adequate for the new threat landscape
– Port & IP based access controls
– No deep packet inspection
• VPNs give you a false sense of security
Security Checklist
• Employ appliances with must-have capabilities, e.g. Next-generation firewalls
– Protocol and Application control
– Intrusion Detection/Prevention
– Anti-virus and Anti-spyware
– User / User-group based controls
– Ability to inspect and secure traffic within VPNs
• Pick a platform that provides sufficient throughput/performance when security functions are turned on
• Select a platform that also simplifies the administration of these capabilities and analysis of the information
– Single-pane of glass management
– Single-policy for all capabilities
ICS-specific
Myth #6
Securing IT is the same as securing OT
(Diagram: Security Admin facing an Industrial Control System, marked “???”)
• Availability & safety trump cybersecurity
• Infrequent patching & AV updates
• Industrial control protocols
• HMIs, DCS, PLC, RTU
• Default passwords
• No port/vulnerability scanning
Myth #7
We know what threats to ICS look like
(Chart: threats plotted by Capability)
• Stuxnet – Exploits Siemens Vulnerability
• Energetic Bear – Trojan in ICS Software; Utilizes ICS protocols
• Black Energy – Exploits multiple ICS vendor products
The Real World View
• Unpatched/Unpatchable systems
– ICSs are very vulnerable to malware and exploits due to infrequent updating of patches and AV/Exploit signatures
– Need a better way to secure these systems
• Advanced Threats
– Threats are constantly evolving and it is difficult to predict what the next advanced threat will do as far as attack methodologies
– It is important to have technologies to detect and stop zero-day threats at the network and endpoints (HMI, Server, Workstation)
Security Checklist
• Deploy a defense-in-depth approach to protect unpatched systems
• Apply Network IPS/AV to stop known exploits & malware
• Apply network sandboxing to detect & stop network-borne, zero-day malware
– Make sure the solution supports local creation of protections (AV, URL/DNS signatures)
• At the endpoints themselves, use a non-signature based approach to stop zero-day exploits & malware
– Consider the more effective “technique” based approach
• Develop clear ICS usage policies and utilize granular traffic visibility to detect anomalies, if technologies do not detect threats
Other Myths
• Myth #8 – Compliance to cyber regulations equals security
• Myth #9 – Each industry requires a different approach
• Myth #10 – If we keep our heads down, they won’t find us
Palo Alto Networks Security Platform
©2014, Palo Alto Networks
Next-Generation Firewall
• Inspects all traffic
• Blocks known threats
• Sends unknown to cloud
• Extensible to mobile & virtual networks
Traps - Advanced Endpoint Protection
• Inspects all processes and files
• Prevents both known & unknown exploits
• Integrates with cloud to prevent known & unknown malware
Threat Intelligence Cloud
• Gathers potential threats from network and endpoints
• Analyzes and correlates threat intelligence
• Disseminates threat intelligence to network and endpoints
Palo Alto Networks Security Platform (ICS)
Next-Generation Firewall
• Control ICS Protocols and Applications
• Apply role-based access control
• Stop ICS protocol and product exploits, ICS-specific malware and CNC traffic
• High-performance, high-availability
Traps - Advanced Endpoint Protection
• Protect unpatched endpoints from malware and exploits, even zero-days
• Prevent unauthorized installation of software at endpoints
Threat Intelligence Cloud
• Available as a local-cloud which sandboxes threats and generates protections onsite
• Identify network-borne, zero-day attacks in as little as 5 minutes
Learn More
• Whitepapers
– Defining the 21st Century ICS Cybersecurity Platform
https://www.paloaltonetworks.com/resources/whitepapers/21-century-cybersecurity-protection-platform-ics.html
– Palo Alto Networks Security Platform for ICS
https://www.paloaltonetworks.com/resources/whitepapers/enterprise-security-platform-critical-infrastructure.html
• Webinars
– Network Segmentation for ICS
http://connect.paloaltonetworks.com/scada
– Grid Security/NERC CIP
http://connect.paloaltonetworks.com/energy-sec-ondemand
Question and Answer
Del Rodillas, ICS & SCADA Solution Lead, Palo Alto Networks
To ask a question, type your question in the Chat area of your screen. You may need to click on the double arrows to open this function.
#ISSAWebConf
Thank you!
Del Rodillas, ICS & SCADA Solution Lead, Palo Alto Networks
"What? You didn't know Computers Control you?
ICS and SCADA"
Mario Chiock, CISSP, CISM & CISA, API Chair Security Sub-Committee
Webinar Goals
• ICS & SCADA have no security by default
• ICS & SCADA Challenges
• Recommendations to reduce Risk
Where do we use ICS and SCADA?
Why do we need Control Systems?
Think Automation!
Manages, commands, directs or regulates the behavior of devices or systems.
• What is ICS?
– Industrial Control Systems -> Automation for physical process
• What is SCADA?
– Supervisory Control and Data Acquisition
• What is DCS?
– Distributed Control System
SCADA systems
• Human-Machine Interfaces (HMI) (touch screens or panels with buttons for people)
• Programmable Logic Controllers (PLC) (watching the system and making routine decisions)
• Remote Terminal Units (RTU) (reading sensors and controlling valves and switches)
• Sensors – Valves – Switches
Common protocols and ports
• Modbus (port 502)
• BACnet (port 47808) – HVAC – PACS – CCTV
• DNP3 (port 20000)
• EtherNet/IP (port TCP 44818/UDP 2222)
• Niagara Fox (ports 1911 and 4911)
• IEC 60870-5-104 (port 2404)
• Red Lion (port 789)
• Siemens S7 (port 102)
• KNXnet/IP (port 3671)
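The port list above, together with the earlier checklist item “Audit all traffic to ensure proper use or to detect anomalous use”, suggests a simple audit: any flow on an ICS protocol port that crosses a zone boundary deserves a look. The script below is an added example, not part of the slides or of any vendor product. The zone address ranges, the permitted engineering jump host, the flow-log line format and the sample lines are all constructed for the demonstration; the port table is the one on the slide.

```python
import ipaddress
import re
from collections import Counter

# ICS and building-automation protocols keyed by (transport, port),
# taken from the "Common protocols and ports" slide.
ICS_PORTS = {
    ("tcp", 502): "Modbus",
    ("udp", 47808): "BACnet",
    ("tcp", 20000): "DNP3",
    ("tcp", 44818): "EtherNet/IP",
    ("udp", 2222): "EtherNet/IP",
    ("tcp", 1911): "Niagara Fox",
    ("tcp", 4911): "Niagara Fox",
    ("tcp", 2404): "IEC 60870-5-104",
    ("tcp", 789): "Red Lion",
    ("tcp", 102): "Siemens S7",
    ("udp", 3671): "KNXnet/IP",
}

# Constructed zone plan (an assumption for this example): one ICS zone, one
# business zone and one ICS DMZ. Any address outside these ranges is untrusted.
ZONES = {
    "ics": ipaddress.ip_network("192.168.50.0/24"),
    "business": ipaddress.ip_network("10.10.0.0/16"),
    "ics-dmz": ipaddress.ip_network("10.20.0.0/24"),
}
# The only non-ICS source permitted to speak ICS protocols into the ICS zone
# (a constructed engineering jump host in the DMZ).
PERMITTED_ENGINEERING_HOSTS = {ipaddress.ip_address("10.20.0.7")}

# Constructed firewall flow-log format: key=value pairs on one line.
FLOW_RE = re.compile(
    r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+proto=(?P<proto>\w+)\s+dport=(?P<dport>\d+)"
)


def zone_of(ip):
    """Name the zone an address belongs to; unknown addresses are 'untrusted'."""
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "untrusted"


def parse_flow(line):
    """Parse one flow-log line into a dict, or return None if it does not match."""
    m = FLOW_RE.search(line)
    if m is None:
        return None
    return {
        "src": ipaddress.ip_address(m["src"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "proto": m["proto"].lower(),
        "dport": int(m["dport"]),
    }


def audit_flow(flow):
    """Return a finding for an ICS-protocol flow that crosses a zone boundary, else None."""
    protocol = ICS_PORTS.get((flow["proto"], flow["dport"]))
    if protocol is None:
        return None  # not an ICS protocol port; other checks would cover it
    src_zone, dst_zone = zone_of(flow["src"]), zone_of(flow["dst"])
    if src_zone == "ics" and dst_zone == "ics":
        return None  # intra-zone control traffic is expected
    if flow["src"] in PERMITTED_ENGINEERING_HOSTS and dst_zone == "ics":
        return None  # explicitly permitted, least-privilege exception
    # Anything touching an undefined range is treated as hostile (zero trust).
    severity = "critical" if "untrusted" in (src_zone, dst_zone) else "high"
    return {
        "protocol": protocol,
        "src": str(flow["src"]), "src_zone": src_zone,
        "dst": str(flow["dst"]), "dst_zone": dst_zone,
        "severity": severity,
    }


def audit(lines):
    """Run the check over flow-log lines and return the list of findings."""
    findings = []
    for line in lines:
        flow = parse_flow(line)
        if flow is not None:
            finding = audit_flow(flow)
            if finding is not None:
                findings.append(finding)
    return findings


def summarize(findings):
    """Count findings per protocol, which is what an analyst triages first."""
    return Counter(f["protocol"] for f in findings)


# Constructed sample flow-log lines (not real traffic).
SAMPLE_FLOWS = [
    "2015-03-02T09:15:01Z src=192.168.50.10 dst=192.168.50.20 proto=tcp dport=502",   # HMI -> PLC, expected
    "2015-03-02T09:15:02Z src=10.10.1.5 dst=192.168.50.20 proto=tcp dport=502",       # business host -> PLC
    "2015-03-02T09:15:03Z src=10.20.0.7 dst=192.168.50.21 proto=tcp dport=102",       # permitted jump host
    "2015-03-02T09:15:04Z src=203.0.113.9 dst=192.168.50.30 proto=udp dport=47808",   # undefined range -> BACnet
    "2015-03-02T09:15:05Z src=10.10.2.8 dst=10.10.3.4 proto=tcp dport=443",           # ordinary web traffic
    "2015-03-02T09:15:06Z src=192.168.50.20 dst=198.51.100.5 proto=tcp dport=20000",  # PLC -> undefined range
]

if __name__ == "__main__":
    for f in audit(SAMPLE_FLOWS):
        print(f"[{f['severity']}] {f['protocol']}: {f['src']} ({f['src_zone']}) -> {f['dst']} ({f['dst_zone']})")
    print(dict(summarize(audit(SAMPLE_FLOWS))))
```

The check deliberately treats an address that belongs to no defined zone as untrusted rather than trying to decide whether it is “the Internet”: under a zero-trust model an undocumented range is a finding in itself, and the severity only says how far outside the plan the flow reached.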
Modbus
• Oldest ICS Protocol
• Controls I/O Interfaces (MOSTLY!!!!)
• No authentication or encryption! (Surprise!!!)
• No broadcast suppression
• Vulnerabilities are published
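Because Modbus carries no authentication, the only way to tell a legitimate write from an unwanted one is to decode the traffic and check who is sending it. The decoder and monitor below are an added example, not code from the slides: the frames and host addresses are constructed, and the set of hosts authorized to write is an assumption. The framing rules (MBAP header, length field, function codes, exception bit) are those of the public Modbus/TCP specification.

```python
import struct

# Modbus function codes from the public specification, with the request kind
# a monitor cares about: reads are routine, writes change process state.
FUNCTION_CODES = {
    1: ("Read Coils", "read"),
    2: ("Read Discrete Inputs", "read"),
    3: ("Read Holding Registers", "read"),
    4: ("Read Input Registers", "read"),
    5: ("Write Single Coil", "write"),
    6: ("Write Single Register", "write"),
    8: ("Diagnostics", "diagnostic"),
    15: ("Write Multiple Coils", "write"),
    16: ("Write Multiple Registers", "write"),
    43: ("Read Device Identification", "read"),
}
MBAP_HEADER_LEN = 7  # transaction id (2), protocol id (2), length (2), unit id (1)


class ModbusError(ValueError):
    """Raised for frames that do not obey the Modbus/TCP framing rules."""


def parse_modbus_tcp(frame):
    """Decode a Modbus/TCP frame into a dict describing the request or exception."""
    if len(frame) < MBAP_HEADER_LEN + 1:
        raise ModbusError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:MBAP_HEADER_LEN])
    if pid != 0:
        raise ModbusError(f"protocol id {pid} is not Modbus")
    # The length field counts the unit id plus the PDU, i.e. everything after byte 6.
    if length != len(frame) - 6:
        raise ModbusError(f"length field {length} but {len(frame) - 6} bytes follow")
    fc = frame[MBAP_HEADER_LEN]
    data = frame[MBAP_HEADER_LEN + 1:]
    if fc & 0x80:  # exception response: function code with the high bit set
        return {"transaction_id": tid, "unit": unit, "function": fc & 0x7F,
                "name": "Exception", "kind": "exception",
                "exception_code": data[0] if data else None}
    name, kind = FUNCTION_CODES.get(fc, (f"Function {fc}", "unknown"))
    req = {"transaction_id": tid, "unit": unit, "function": fc, "name": name, "kind": kind}
    if fc in (1, 2, 3, 4, 5, 6, 15, 16) and len(data) >= 2:
        req["address"] = struct.unpack(">H", data[:2])[0]
    if fc in (1, 2, 3, 4, 15, 16) and len(data) >= 4:
        req["quantity"] = struct.unpack(">H", data[2:4])[0]
    if fc in (5, 6) and len(data) >= 4:
        req["value"] = struct.unpack(">H", data[2:4])[0]
    return req


def monitor(events, authorized_writers):
    """Flag writes from hosts not authorized to change process state, and malformed frames."""
    alerts = []
    for src, frame in events:
        try:
            req = parse_modbus_tcp(frame)
        except ModbusError as exc:
            alerts.append({"src": src, "alert": "malformed-frame", "detail": str(exc)})
            continue
        if req["kind"] == "write" and src not in authorized_writers:
            alerts.append({"src": src, "alert": "unauthorized-write",
                           "detail": f"{req['name']} unit {req['unit']} addr {req.get('address')}"})
    return alerts


# Constructed sample traffic: (source host, raw Modbus/TCP frame).
SAMPLE_EVENTS = [
    # HMI reads 10 holding registers from unit 1 starting at address 0
    ("192.168.50.10", bytes.fromhex("0001 0000 0006 01 03 0000 000a")),
    # A business-network host writes 0x00ff to holding register 16
    ("10.10.1.5",     bytes.fromhex("0002 0000 0006 01 06 0010 00ff")),
    # The engineering HMI writes two registers starting at address 0
    ("192.168.50.10", bytes.fromhex("0003 0000 000b 01 10 0000 0002 04 0001 0002")),
    # Truncated frame: length field claims 6 bytes but only 4 follow
    ("10.10.1.6",     bytes.fromhex("0004 0000 0006 01 03 0000")),
]
AUTHORIZED_WRITERS = {"192.168.50.10"}  # assumption: only the engineering HMI may write

if __name__ == "__main__":
    for alert in monitor(SAMPLE_EVENTS, AUTHORIZED_WRITERS):
        print(alert)
```

Note what the monitor cannot do: since the protocol has no authentication, a write from an authorized address is accepted whether or not the real HMI sent it. Source-based allowlisting narrows exposure; it does not replace segmentation.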
BACnet
• Commonly used for Building Automation
• No authentication
• No encryption
• No access rights
DNP3 - Distributed Network Protocol
• DNP3 has no security
• Secure DNP3 adds:
– User & device authentication
– Integrity protection
– Spoofing protection
– Replay protection
– Eavesdropping protection – on exchanges of cryptographic keys only, not on other data
– It does not encrypt the messages, but does use shared-key encryption to keep session keys secure
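The Secure DNP3 bullets describe authentication, integrity and replay protection without message encryption. The model below is an added illustration of that design, written for this page and not taken from the slides or from the DNP3 Secure Authentication specification: the message layout, the choice of HMAC-SHA256 and the constructed session key are assumptions. The behaviour follows the bullets: the outstation challenges a critical request, the master answers with a MAC bound to that challenge, a replayed or mis-keyed answer fails, and the request itself stays readable on the wire.

```python
import hashlib
import hmac
import secrets

# Constructed session key shared by master and outstation (an assumption; a real
# deployment derives session keys from an update key and rotates them).
SESSION_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")


def compute_mac(key, csq, nonce, request):
    """MAC over sequence number, nonce and request bytes, binding the reply to all three."""
    return hmac.new(key, csq.to_bytes(4, "big") + nonce + request, hashlib.sha256).digest()


class Outstation:
    """Simplified outstation: challenges critical requests and checks the reply."""

    def __init__(self, session_key):
        self._key = session_key
        self._csq = 0          # challenge sequence number, never reused
        self._pending = None   # (csq, nonce, request) awaiting a reply

    def receive_critical(self, request):
        """A control/write request is held until the master proves it sent it."""
        self._csq += 1
        nonce = secrets.token_bytes(4)
        self._pending = (self._csq, nonce, request)
        return self._csq, nonce   # the challenge, sent in the clear

    def receive_reply(self, csq, mac):
        """Accept the held request only if the MAC matches the open challenge, once."""
        if self._pending is None or csq != self._pending[0]:
            return False           # stale or replayed reply: no matching challenge is open
        _, nonce, request = self._pending
        expected = compute_mac(self._key, csq, nonce, request)
        self._pending = None       # a challenge can be answered only once
        return hmac.compare_digest(expected, mac)


def master_reply(key, csq, nonce, request):
    """Master's answer to a challenge. The request itself was already sent in plaintext."""
    return compute_mac(key, csq, nonce, request)


def run_exchange(outstation, key, request):
    """Full legitimate exchange; returns whether the outstation accepted the request."""
    csq, nonce = outstation.receive_critical(request)
    return outstation.receive_reply(csq, master_reply(key, csq, nonce, request))


def replay_attempt(outstation, key, request):
    """Legitimate exchange followed by a re-send of the same reply; returns (first, replayed)."""
    csq, nonce = outstation.receive_critical(request)
    mac = master_reply(key, csq, nonce, request)
    first = outstation.receive_reply(csq, mac)
    replayed = outstation.receive_reply(csq, mac)
    return first, replayed


def tampered_attempt(outstation, key, sent_request, altered_request):
    """The outstation saw an altered request; a MAC over the original does not verify."""
    csq, nonce = outstation.receive_critical(altered_request)
    return outstation.receive_reply(csq, master_reply(key, csq, nonce, sent_request))


if __name__ == "__main__":
    out = Outstation(SESSION_KEY)
    request = b"OPERATE point=7 CLOSE"   # constructed control request, readable on the wire
    print("legitimate:", run_exchange(out, SESSION_KEY, request))
    print("replay:", replay_attempt(out, SESSION_KEY, request))
    print("wrong key:", run_exchange(out, b"\x00" * 16, request))
    print("tampered:", tampered_attempt(out, SESSION_KEY, request, b"OPERATE point=9 CLOSE"))
```

The point of the model is the split the slide makes: integrity and freshness come from the MAC and the one-shot challenge, while confidentiality of the request is simply not a goal, which is why a passive observer of this exchange still learns which point was operated.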
KNX Building Control System
Learn How to Control Every Room at a Luxury Hotel – https://www.blackhat.com/us-14/speakers/Jesus-Molina.html
Tools
• Shodan - http://www.shodanhq.com/
• Redpoint - Digital Bond's ICS Enumeration Tools
– https://github.com/digitalbond/Redpoint
• Snort-Quickdraw
– http://www.digitalbond.com/tools/quickdraw/download/
• Nessus – SCADA Plugins
– http://www.tenable.com/plugins/index.php?view=all&family=SCADA
– http://www.digitalbond.com/tools/the-rack/nessus/
• Wireshark
Map of Industrial Control Systems on the Internet
ICS & SCADA Challenges
• Design with No Security
• Clear text transmissions
• Patching (Firmware Update)
• Remote locations
• Remote access requirements
• Vulnerability tracking
• Standardization
• Downtime for maintenance
• Unsupported OS
• Exposed to public networks
• Unable to pen-test in production
• No time for remediation
• Shared accounts or no authentication
• Connecting IT & OT
• Skill set – Proficiency
Ingredients to attack SCADA systems
• Access
• Know the process & facility
• Skills and Expertise
Recommendations to reduce risk
• Network Segmentation & NGFW filtering
• Application White listing
• Data Diodes
• Incident response preparedness
• Build SCADA/ICS Cyber-Security Skill set
• NIST Framework
Network segmentation & Protocol Filtering (Zero-trust)
• Isolate the ICS network
– Sensors
– Control
– Processing
• Use a NGFW to filter protocols as well as users / devices
• Use site to site VPN to tunnel traffic (encrypt traffic)
• VPN to access ICS / SCADA network
(Diagram: Reduce Attack Surface)
Application White Listing (AWL)
• AWL is a protection mechanism for servers / stations that prevents non-authorized executables from being started.
• It acts at the moment an executable is started, either by a user, another program or malware. So it blocks malware from downloading code and starting it.
• Some AWL solutions have enhanced their products with resource and device protection functions, such as memory protection, registry protection and USB device protection.
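As an added example (not from the slides or from any AWL product), the script below models the decision an allowlisting agent makes at the moment an executable is started, and contrasts a hash-based rule with a weaker directory-based rule. File names, contents and directories are constructed, and the files are created in a temporary directory so the demonstration runs anywhere.

```python
import hashlib
import os
import shutil
import tempfile


def sha256_file(path):
    """SHA-256 of a file's bytes, read in chunks so large binaries are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


class AllowlistPolicy:
    """Decides at launch time whether an executable may start."""

    def __init__(self, approved_hashes, trusted_dirs=()):
        self.approved_hashes = set(approved_hashes)
        self.trusted_dirs = [os.path.abspath(d) for d in trusted_dirs]

    def allowed_by_hash(self, path):
        # Identity is the file content: renaming cannot help, modification is caught.
        return sha256_file(path) in self.approved_hashes

    def allowed_by_path(self, path):
        # Identity is the location: anything dropped into a trusted directory passes.
        path = os.path.abspath(path)
        return any(path.startswith(d + os.sep) for d in self.trusted_dirs)


def launch(policy, path, mode="hash"):
    """Simulate the launch hook: return (allowed, audit event for the log)."""
    allowed = policy.allowed_by_hash(path) if mode == "hash" else policy.allowed_by_path(path)
    event = {"exe": os.path.basename(path), "mode": mode,
             "decision": "allow" if allowed else "block", "sha256": sha256_file(path)[:12]}
    return allowed, event


def demo():
    """Build a constructed HMI install and exercise both rule types."""
    with tempfile.TemporaryDirectory() as root:
        app_dir = os.path.join(root, "hmi")
        os.mkdir(app_dir)
        approved = os.path.join(app_dir, "hmi_runtime.exe")
        with open(approved, "wb") as fh:
            fh.write(b"constructed placeholder for the approved HMI runtime binary")
        # Baseline the allowlist from the known-good install.
        policy = AllowlistPolicy([sha256_file(approved)], trusted_dirs=[app_dir])

        renamed = os.path.join(root, "update.tmp")       # same bytes, different name and location
        shutil.copyfile(approved, renamed)
        dropped = os.path.join(app_dir, "helper.exe")     # unknown bytes placed in the trusted dir
        with open(dropped, "wb") as fh:
            fh.write(b"constructed placeholder for an unapproved binary")

        return {
            "approved_by_hash": launch(policy, approved, "hash")[0],
            "renamed_by_hash": launch(policy, renamed, "hash")[0],
            "dropped_by_hash": launch(policy, dropped, "hash")[0],
            "dropped_by_path": launch(policy, dropped, "path")[0],
        }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allow' if allowed else 'block'}")
```

The last two results are the ones that matter when choosing a rule type: an unapproved file written into the application directory is blocked by the hash rule but allowed by the path rule, which is exactly the case a dropper relies on. The cost of hash rules is that every legitimate patch changes the hash, so the allowlist has to be re-baselined as part of the maintenance window the ICS already schedules.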
Data Diodes
• Also known as a unidirectional network or unidirectional security gateway.
• Data diodes ensure the safety of sensitive information within a network. By creating a physical barrier that only allows data transfers in one direction (hence the “uni” in unidirectional) we can enhance security in one of two ways:
– Write only
– Read only
Incident response preparedness & Drills
• Prepare for the worst
• Perform Drills
• Update plan
Build SCADA/ICS Cyber-Security Skill set
• Most technical staff are trained to ensure resiliency, not security
• Add security to the technical competency
• SANS - ics.sans.org
• Exchange with Network Security & End-point security
• Training Available Through ICS-CERT
– https://ics-cert.us-cert.gov/Training-Available-Through-ICS-CERT
ICS-CERT & Tools
• Join ICS-CERT - https://ics-cert.us-cert.gov/
• Use the Cyber Security Evaluation Tool (CSET)
– https://ics-cert.us-cert.gov/Downloading-and-Installing-CSET
• Cybersecurity Tabletop Exercise
– http://www.chemicalcybersecurity.org/Cybersecurity-Tabletop-Exercise.zip
• Procurement Language
– http://energy.gov/sites/prod/files/oeprod/DocumentsandMedia/SCADA_Procurement_Language.pdf
• Training Available Through ICS-CERT
– https://ics-cert.us-cert.gov/Training-Available-Through-ICS-CERT
Summary: Cyber Threat - Essentials
• Information Sharing
– ICS-ISAC, ES-ISAC, ONG-ISAC
– InfraGard (US)
– Engage with FBI – DHS
• Incident Response
– Invest in Preparedness
– Prepare for the worst
– Desktop exercise
– Lessons learned
• Everyone must be Responsible & Accountable for cyber-security
– Adopt the Safety Culture into Cyber-Security
– IT & OT need to work together
• Build Cyber-Security Skill set
– Training
– Network with peers
• Adopt Best Practices
– Network Segmentation & Application white listing are key
Additional Documentation / References
• NIST - Guide to Industrial Control Systems (ICS) Security - Special Publication 800-82
– http://csrc.nist.gov/publications/nistpubs/800-82/SP800-82-final.pdf
• https://scadahacker.com/library/
• http://www.digitalbond.com/
Question and Answer
#ISSAWebConf
Mario Chiock, CISSP, CISM & CISA, API Chair Security Sub-Committee
To ask a question, type your question in the Chat area of your screen. You may need to click on the double arrows to open this function.
Thank you!
Mario Chiock, CISSP, CISM & CISA, API Chair Security Sub-Committee
Security Testing the SCADA/ICS World
Dr. Stefano Zanero, PhD, International Director, ISSA, Chairman, Secure Network
SCADA-ICS Security: The original sin
SCADA/ICS Security
• For years SCADA/ICS systems relied on security through obscurity
• Industrial systems, which had been designed and intended to be alone, became magically connected to the world
• No perception of modern security threats and risks, from both SCADA vendors and end consumers
SCADA/ICS Assessment - The Ecosystem
Security Assessment with SCADA/ICS
• Still, the pentesting goal is data: SCADA/ICS environments include critical assets and information
– Project plans, chemicals' secret formulas, etc.
• “Slight” differences with IT networks and systems modus operandi
– Most of the time no testing or quality environments are available
– Need for testing methodologies that minimize (nullify):
  – Interruptions for the industrial production process
  – Damages on the industrial plant’s process raw materials
  – Disasters that may affect people safety
Security Assessment with SCADA/ICS
• Opting for a white or grey box assessment strategy
– Horizontal security analysis is completed with vertical exploiting on pre-defined targets
• Generalizing, we still have to:
– Hack into web interfaces
– Exploit application or network services issues
– Bypass authorization/authentication mechanisms
– Reverse engineer embedded devices' firmware
Step 1 - Attacking the Corporate Network
(Diagram: Corporate Network)
Attacking the Corporate Network
• Scenario-driven attacks
• Corporate networks are likely to have been assessed before but... context-specific attack scenarios should be carefully evaluated
– Verify proper network segregation between the corporate and SCADA network - can we jump into the SCADA network from the corporate one?
– Network attacks against corporate employees that are authorized to access the SCADA network or systems, e.g. abusing “whitelisted” workstations as a bridge to the SCADA network
• Generalizing: can we somehow gain unauthorized access to the SCADA network?
Step 2 - Attacking the SCADA Network
(Diagram: SCADA Network)
Attacking the SCADA Network
• Again, scenario-driven attacks
– Simulating attacks from malicious employees
– Simulating attacks against legitimate employees
• Vulnerability research on adopted software solutions
• Production systems testing should be carefully supervised by personnel or operators
– A Point of Contact (PoC) should be available in order to handle any incidents
– Vulnerability exploitation must be specifically authorized and monitored by the Customer
Step 3 - PLC/RTU Devices Testing
PLC/RTU Devices Testing
• In-lab devices testing (if available)
– Devices are often considered out of scope, despite being critical elements in the ICS ecosystem
• Custom protocols reversing and fuzzing
• Testing on the production environment is usually avoided or explicitly denied
– A “crash” or generic “fault” on production systems could have unpredictable impact on people safety
Step 4 – Policies and Procedures Review
• Targeting non-technological issues
• Identify process-related security weaknesses
• Focus on SCADA/ICS systems management
SCADA Top 10 Security Risks
• Security through obscurity
• Unpatched or unsupported (operating) systems
• Authentication and authorization issues
• Transport layer insecurity
• Input validation issues
• Lack of proper security policies
• Network isolation and/or segregation
• Default or weak configuration
• Lack of accountability
• Availability issues – Denial of Service (DoS)
Statistics from the Trenches
(Bar chart: % Vulnerable systems per risk category. Categories: Obscurity; Unpatched/unsupported OS; Transport security; Input validation; Security policies issues; Network isolation/segregation; Weak configuration; Lack of accountability; DoS. Bar values as extracted, in that order: 80, 65, 90, 55, 25, 80, 65, 90, 45.)
Conclusions
• ICS are critical, vulnerable, exposed
• Identifying their weaknesses is paramount
• Security testing can be done safely
• Specific methodologies and expertise are needed
Thanks for your attention! Get in touch: @raistolo or [email protected]
Question and Answer
Dr. Stefano Zanero, PhD, International Director, ISSA, Chairman, Secure Network
To ask a question, type your question in the Chat area of your screen. You may need to click on the double arrows to open this function.
#ISSAWebConf
Thank you!
Dr. Stefano Zanero, PhD, International Director, ISSA, Chairman, Secure Network
• Del Rodillas - ICS & SCADA Solution Lead, Palo Alto Networks
• Mario Chiock - CISSP, CISM & CISA, API Chair Security Sub-Committee
• Dr. Stefano Zanero, PhD - International Director, ISSA, Chairman, Secure Network
#ISSAWebConf
Open Panel with Audience Q&A
To ask a question, type your question in the Chat area of your screen. You may need to click on the double arrows to open this function.
I would like to thank Del, Mario and Stefano for lending their time and expertise to this ISSA Educational Program. Thank you to Palo Alto Networks for sponsoring this webinar.
Thank you Citrix for donating the Webcast service.
#ISSAWebConf
Closing Remarks
• Within 24 hours of the conclusion of this webcast, you will receive a link via email to a post Web Conference quiz.
• After the successful completion of the quiz you will be given an opportunity to PRINT a certificate of attendance to use for the submission of CPE credits.
• On-Demand Viewers Quiz Link
– http://www.surveygizmo.com/s3/2032246/ISSA-Web-Conference-Mar-2-2015-What-You-didn-t-know-Computers-Control-you-ICS-and-SCADA
CPE Credit