Industrial Control Systems 101 - Why Hack The Network If You Can Shut Down The Data Center?

Upload: co3-systems

Post on 18-Nov-2014


DESCRIPTION

Industrial Control Systems (ICS) are the technologies that control physical infrastructure, ranging from industrial production (like valves in a manufacturing plant) to environmental controls (like lighting and cooling systems in an office building). Think you don't have ICS on your network? Think again. Data centers, offices and corporate campuses rely on Industrial Control Systems to operate. In fact, virtually every modern building and corporate campus around the world plays host to environmental controls, building entry systems, safety systems, and many other automation systems that are considered ICS.

As with any system, ICS have known vulnerabilities, and now that these systems are network-accessible, they represent a tantalizing target for attackers. Why bother trying to defeat carefully constructed network security measures if you can more easily turn on the sprinkler system and bring down the entire data center?

This webinar will review ICS basics and then detail their various security risks. It will also recommend general do's and don'ts when dealing with ICS.

Our featured speakers for this timely webinar are:

- Billy Rios, Technical Director at Cylance. Billy is a seasoned security professional whose background spans both the military and the private sector. He is a noted expert in ICS security.

- Ted Julian, Chief Marketing Officer at Co3 Systems. Ted is a serial entrepreneur who has launched four companies during his ~20 years in the security / compliance industry.

TRANSCRIPT


Agenda

• Introductions

• What are Industrial Control Systems (ICS)?

• Security Risks associated with ICS

• Do’s & Don’ts of ICS

• Q&A


Remembering Boston – 4/15/13

http://onefundboston.org/


Introductions: Today’s Speakers

• Ted Julian – Chief Marketing Officer, Co3 Systems

Ted is a serial entrepreneur who has launched four companies during his ~20 years in the security / compliance industry.

• Billy Rios – Technical Director, Cylance

Billy is a seasoned security professional whose background spans both the military and the private sector. He is a noted expert in ICS security.


Co3 Automates Breach Management

PREPARE: Improve Organizational Readiness

• Assign response team

• Describe environment

• Simulate events and incidents

• Focus on organizational gaps

REPORT: Document Results and Track Performance

• Document incident results

• Track historical performance

• Demonstrate organizational preparedness

• Generate audit/compliance reports

ASSESS: Quantify Potential Impact, Support Privacy Impact Assessments

• Track events

• Scope regulatory requirements

• See $ exposure

• Send notice to team

• Generate Impact Assessments

MANAGE: Easily Generate Detailed Incident Response Plans

• Escalate to complete IR plan

• Oversee the complete plan

• Assign tasks: who/what/when

• Notify regulators and clients

• Monitor progress to completion


Cylance, Inc. – Secures the Unsecurable

• Cyber Services & Technology

• Led by Stuart McClure, former CTO McAfee & founder of Foundstone Vulnerability Mgmt Co.

• 55 employees

• Irvine, CA HQ


ICS Expertise

• http://www.us-cert.gov/control_systems/pdf/ICSA-11-175-01.pdf

• http://www.us-cert.gov/control_systems/pdf/ICSA-11-175-02.pdf

• http://www.us-cert.gov/control_systems/pdf/ICSA-11-182-01.pdf

• http://www.us-cert.gov/control_systems/pdf/ICSA-11-182-02.pdf

• http://www.us-cert.gov/control_systems/pdf/ICSA-11-195-01.pdf

• http://www.us-cert.gov/control_systems/pdf/ICSA-11-243-02.pdf

• http://www.us-cert.gov/control_systems/pdf/ICSA-11-244-01.pdf

• http://www.us-cert.gov/control_systems/pdf/ICSA-11-273-01.pdf

• http://www.us-cert.gov/control_systems/pdf/ICSA-11-279-03.pdf

• http://www.us-cert.gov/control_systems/pdf/ICSA-11-279-03A.pdf

• http://www.us-cert.gov/control_systems/pdf/ICSA-11-285-01.pdf

• http://www.us-cert.gov/control_systems/pdf/ICSA-11-356-01.pdf

• http://www.us-cert.gov/control_systems/pdf/ICSA-12-024-01.pdf

• http://www.us-cert.gov/control_systems/pdf/ICSA-12-030-01.pdf

• http://www.us-cert.gov/control_systems/pdf/ICSA-12-039-01.pdf

• http://www.us-cert.gov/control_systems/pdf/ICSA-12-047-01A.pdf


• http://www.us-cert.gov/control_systems/pdf/ICSA-12-062-01.pdf

• http://www.us-cert.gov/control_systems/pdf/ICSA-12-083-01.pdf

• http://www.us-cert.gov/control_systems/pdf/ICSA-12-095-01.pdf

• https://ics-cert.us-cert.gov/pdf/ICS-ALERT-12-195-01.pdf

• http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-343-01.pdf

• http://ics-cert.us-cert.gov/pdf/ICS-ALERT-11-343-01A.pdf

• https://ics-cert.us-cert.gov/pdf/ICSA-12-228-01.pdf

• http://ics-cert.us-cert.gov/pdf/ICSA-13-079-03.pdf


You might have ICS…


Examples of ICS

Building systems shown: Card Access, Video, Intrusion, Elevator, HVAC, Lighting, Energy, Tenant Billing

System Interaction (each step shows the event, the message sent between systems, and the protocol label shown on the slide, where one is given):

• Unoccupied building, Saturday night

• Scott swipes card at main entrance, works on 4th floor South: “Access Granted, Zone 4”

• Video system needs to verify and record Scott’s entrance: “Camera Preset 1, Initiate Recording” (HTTP)

• Alarm system armed, need to disarm 4th floor intrusion zone: “Disarm Intrusion Zone 4” (LEGACY)

• Allow access to 4th floor: “Floor 3 Enable” (XML)

• It is hot in Scott’s office, turn on AC: “Zone 4 Occupied”

• Scott needs light on 4th floor hallway and office: “Circuit 1, 2 ON” (MODBUS®)

• Lights and AC for Scott used 50 kWH: “Totalize light and HVAC for Zone 4”

• Invoice Scott for $150 of after hours energy usage: “Generate / email Invoice for Sat” (SMTP)


We can work without AC


But Billy… who would do such a thing?


We need to move quickly


POLL


ICS Security – Current State

• Software:

  • Extremely poor, Windows XP

  • Vulnerable to common, unsophisticated attacks (remote/local)

  • Lack of industry standard exploit mitigations (DEP/ASLR)

• Deployment:

  • Extremely poor

  • Be wary of remote access

  • Poor guidance from vendors

  • Impossible/unreasonable deployment architectures

  • Lack of automated verification


• Vulnerability Management:

  • Extremely poor

  • Lack of managed awareness

  • Lack of managed patch management

  • Lack of vulnerability detection

  • Lack of mature reporting

  • Lack of awareness

  • Inability to scale limited expertise


• Detection and Enumeration:

  • Foundation for all ICS security operations

  • Safety is a priority

  • Differentiate between ICS deployments

  • Manual processes are common

  • Expertise is limited


POLL


ICS Dos and Don’ts

• Don’ts

  • Run a traditional vulnerability scanner on ICS devices/software

  • Expect traditional tools to identify vulnerabilities with ICS software

  • Expect notification of vulnerabilities

  • Expect centralized patch management from vendors


• Do

  • Identify where your ICS is on the network

  • Identify the paths to reaching ICS

  • Monitor paths to ICS devices

  • Identify users/engineers that work with ICS
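One way to act on the "Do" list without touching the devices themselves, as an added example that is not part of the webinar: review existing flow records passively and flag any connection that reaches an inventoried ICS device from outside the approved engineering hosts or on an unexpected port. The inventory, address ranges, CSV flow format and sample records are all assumptions constructed for illustration; 502 is the registered Modbus/TCP port.

```python
import csv
import io
from ipaddress import ip_address, ip_network

# Assumed asset inventory ("where your ICS is"); all addresses are constructed.
ICS_ASSETS = {
    "10.20.0.11": {"role": "lighting controller", "ports": {502}},    # Modbus/TCP
    "10.20.0.12": {"role": "HVAC controller", "ports": {80, 443}},    # web interface
}
# Assumed approved path: the engineering workstations that work with ICS.
APPROVED_SOURCES = [ip_network("10.20.1.0/28")]
INTERNAL_NETS = [ip_network("10.0.0.0/8")]

# Constructed flow records: timestamp, source, destination, destination port.
SAMPLE_FLOWS = """\
2013-04-20T22:01:07,10.20.1.5,10.20.0.11,502
2013-04-20T22:03:41,10.50.7.23,10.20.0.11,502
2013-04-20T22:04:02,10.20.1.5,10.20.0.12,23
2013-04-20T22:05:10,10.50.7.23,10.30.0.9,443
2013-04-20T22:06:55,203.0.113.40,10.20.0.12,80
"""


def in_any(addr, networks):
    """True if addr falls inside any of the given networks."""
    return any(ip_address(addr) in net for net in networks)


def review_flows(flow_csv):
    """Return one finding per flow that reaches an ICS asset over an unapproved path."""
    findings = []
    for ts, src, dst, dport in csv.reader(io.StringIO(flow_csv)):
        asset = ICS_ASSETS.get(dst)
        if asset is None:
            continue  # destination is not an inventoried ICS device
        reasons = []
        if not in_any(src, INTERNAL_NETS):
            reasons.append("source outside internal network")
        elif not in_any(src, APPROVED_SOURCES):
            reasons.append("source not an approved engineering host")
        if int(dport) not in asset["ports"]:
            reasons.append("unexpected service port")
        if reasons:
            findings.append({"time": ts, "src": src, "dst": dst,
                             "port": int(dport), "role": asset["role"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review_flows(SAMPLE_FLOWS):
        print(f["time"], f["src"], "->", f["dst"], f["port"], f["role"], f["reasons"])
```

Because it reads flow logs rather than probing devices, this check is compatible with the advice against running traditional scanners on ICS equipment.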


QUESTIONS


Next Webinar

“Introducing the Co3 Security Module”

• IR for security incidents: malware, system intrusion, DDoS, etc.

• Wednesday, May 1 @ 1 PM ET

“One of the hottest products at RSA…”
NETWORK WORLD – FEBRUARY 2013

“…an invaluable weapon when responding to security incidents.”
GOVERNMENT COMPUTER NEWS – APRIL 2013


One Alewife Center, Suite 450

Cambridge, MA 02140

PHONE 617.206.3900

WWW.CO3SYS.COM

“Co3 Systems makes the process of planning for a nightmare scenario as painless as possible, making it an Editors’ Choice.”
PC MAGAZINE, EDITOR’S CHOICE

“Co3…defines what software packages for privacy look like.”
GARTNER

“Platform is comprehensive, user friendly, and very well designed.”
PONEMON INSTITUTE

Billy Rios

Technical Director

Cylance

[email protected]

www.cylance.com