
The Hole in Control System Security

Presented by: Mr. Joe Weiss PE, CISM, CRISC, ISA Fellow

HACKNYC
When: May 8th 2018
Where: Times Square, New York City
Website: www.hacknyc.com

Today's Webinar Co-Sponsored by:

The Critical Infrastructure Association of America, Inc. is a 501(c)6 Not for Profit. The mission of the Critical Infrastructure Association of America is to create a membership-based trade association of like-minded cybersecurity and closely related industry professionals who work in the field of cybersecurity. The goal is to share best practices, establish and maintain high operational standards, and to educate and interact with those in the cybersecurity community within the public, private and governmental sectors.

Joe Weiss PE, CISM, CRISC, ISA Fellow

Managing Partner, Applied Control Solutions, LLC


©Applied Control Solutions, LLC 2

Joe Weiss
• >40 years experience
• Managing Director ISA67, 77, 99, ISA S&P Board, ISA Fellow
• Database of >1,000 actual ICS cyber incidents
• Patents on control systems
• Author – Protecting Industrial Control Systems from Electronic Threats
• Featured in Chapter 14 of Richard Clarke's book: Warnings: Finding Cassandras to Stop Catastrophes

3-Legged Stool of Security

• Physical security – Guns, gates, and guards
• IT security – Windows, networks, etc.
• Control system security – Sensors, actuators, drives, controllers, analyzers, intelligent electronic devices, etc.

(Figure: three-legged stool with legs labelled Physical Security, IT Security, Control System Security)

Confusing Definitions
• Security
• Cyber Incident
• Edge Device
• SCADA
• Risk
• End-to-End Security

Why Care About Control System Cyber Security

• Primary focus is reliability, availability, productivity, and safety
– Cyber is simply another threat to these requirements
– Process sensors, actuators, and drives directly affect all 4, have no security, and can be hacked with minimal forensics
• Adequately maintaining these requirements also maintains security; however, the converse may not be true
• If cyber can't impact the 4 key requirements, cyber is not important for control system cyber security!

Physical Processes can be Dangerous

(Figure: "What we don't worry about" versus "What we worry about")

Control System Security Expertise Lacking

(Figure: IT Security, Control System Engineering, and the Control System Security Experts who span both)

Comparison of IT and Control Systems

Attribute                        | IT                          | Control Systems
---------------------------------|-----------------------------|---------------------------
Confidentiality (Privacy)        | Very High                   | Low
Message Integrity                | Low-Medium                  | Very High
System Availability              | Low-Medium                  | Very High
Authentication                   | Medium-High                 | High
Non-Repudiation                  | High                        | Low-Medium
Safety                           | Low                         | Very High
Determinism (Timing)             | Low                         | Very High
System Downtime                  | Tolerated                   | Not Acceptable
Security Skills/Awareness        | Usually Good                | Usually Poor
Network Monitoring               | Most Important              | Important
Patching                         | Expeditious, Generic Patch  | Deferred, ICS Vendor Patch
Field Devices (Process Sensors)  | Not Important               | Very Important
System Knowledge                 | Usually Poor                | Very Good
System Lifecycle                 | 3-5 Years                   | 15-25 Years
Interoperability                 | Not Critical                | Critical
Computing Resources              | "Unlimited"                 | Very Limited
Applicable Standards             | ISO27000                    | ISA/IEC62443

Safety Instrumented System (SIS)

(Figure: process diagram of a "boiling oil" tank with Feed and Heat inputs; transmitters PT 1, PT 2, PT 3; controller PC 1; indicator PI 2; control valves CV 1 and CV 2; relief valve RV; BPCS and SIS. Per David Bennett)

Cyber Attack Impact on Failure Rates (MTBF Applies)

• Unintentional Failure
– CV1 1/10 years
– CV2 1/10 years
– RV1 1/10 years
– Total 1/1000 years
– Assuming 100 tanks – 1/100 years

• Cyber Attack Against DCS
– CV1 and CV2 1/10 years
– RV1 1/10 years
– Total 1/100 years
– Assuming 100 tanks – 1/year
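The arithmetic behind this slide, as an added example that is not the presenter's code: protection layers that fail independently multiply, but an attacker who commands CV1 and CV2 through the same DCS turns them into one common-cause event, which is the factor of ten between the two totals. Reading each "1/10 years" as an annual probability of failure on demand and the fleet figure as tank count times per-tank probability is my assumption (on that reading the 100-tank unintentional case works out to one event in ten years).

```python
"""Added example (not from the presentation): layer-of-protection arithmetic for
the 'boiling oil' tank, showing how a cyber attack that defeats two layers at
once removes the independence the unintentional-failure figure relies on.
Assumptions: each '1/10 years' is an annual probability of failure on demand,
independent failures multiply, and the fleet figure is tanks * per-tank value."""
from fractions import Fraction

# Constructed from the slide: the three layers that must all fail to lose the tank.
LAYERS = {"CV1": Fraction(1, 10), "CV2": Fraction(1, 10), "RV1": Fraction(1, 10)}


def loss_probability(layers, common_cause=()):
    """Annual probability that every protection layer fails.

    `common_cause` lists groups of layers that one cause (here: commands from a
    compromised DCS) defeats together. Such a group counts as a single event
    at the group's largest rate instead of a product of independent rates."""
    merged = dict(layers)
    for group in common_cause:
        rate = max(merged.pop(name) for name in group)
        merged["+".join(group)] = rate
    p = Fraction(1)
    for rate in merged.values():
        p *= rate
    return p


def fleet_events_per_year(layers, tanks, common_cause=()):
    """Expected loss events per year across `tanks` identical, independent tanks."""
    return tanks * loss_probability(layers, common_cause)


def mean_years_between_events(layers, tanks, common_cause=()):
    """MTBF-style view of the same number: years between loss events in the fleet."""
    return 1 / fleet_events_per_year(layers, tanks, common_cause)


if __name__ == "__main__":
    dcs_attack = [("CV1", "CV2")]  # attacker holds both control valves
    print("one tank, unintentional :", loss_probability(LAYERS))             # 1/1000
    print("one tank, DCS attack    :", loss_probability(LAYERS, dcs_attack))  # 1/100
    print("100 tanks, DCS attack   :", fleet_events_per_year(LAYERS, 100, dcs_attack), "per year")
```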

Honeypots Detecting Attempts to do Kinetic Damage

• TrendMicro – small rural water facility
– "Rural water system" hacked in December 2012
– Between March and June 2013, 12 honeypots deployed across eight different countries
– 74 intentional attacks, 10 wrested complete control of the dummy control system
– Attacks came from 16 different countries. Most of the noncritical attacks, 67 percent, originated in Russia, and a handful came from the U.S.
– About half the critical attacks originated in China, and the rest came from Germany, U.K., France, Palestine, and Japan

• Water pump to a wellhead for a local municipality
– Device placed online 14-Oct-2014 and taken out of service 27-Dec-2014
– 140,000 hits with ~90% from China

• PwC – Rail
– In 2015, Koramis GmbH and Sophos created a simulated rail infrastructure called "Project HoneyTrain"
– The project was online for six weeks – 2,745,267 attacks were recorded
– Approximately 10% reached industrial components

Control System Cyber Incidents Are Real

• >1,000 incidents to date
• Impacts ranged from significant discharges to significant equipment damage to major electric outages to deaths
– >1,000 deaths to date
– >$60 Billion in direct impacts
• Very few ICS-specific cyber security technologies, training, and policies
• >2 million ICS devices directly connected to the Internet (and counting)
– Many are gateways
• Resilience and recovery need to be addressed

Control Systems Basics

(Figure: architecture diagram – Support Systems (ERP, MES, Data Warehouse), Internet, Serial-to-Ethernet Convertor, Network Monitoring, Process)

What Are ICS-Unique Cyber Threats?
• Cyber-physical, not just the network
• Persistent Design Vulnerabilities, not just Advanced Persistent Threats
• Want undetected control of the process, not denial-of-service
– Gap in protection of the process (Level 0) – e.g., Aurora
– Compromise of the measurement (Level 1) – e.g., HART vulnerability
– Compromise of design features of the controller (Level 2) – e.g., Stuxnet

Aurora Vulnerability Demonstration

Level 0 – The Process

Aurora Vulnerability – What is it?

Aurora Vulnerability – Impacts

ICS Cyber Security Culture Issues
• Level 1 viewed as engineering systems – no security
• IT views cyber security as the network – not looking at the sensors and field devices before their values become packets
• IOT/IIOT generally ignoring "edge ICS" (Level 1) devices
• Vulnerability assessments assume there is some level of security
– Gap analysis – infinite for Level 1
• ICS-CERT 2016 ICS Cyber Incidents
– 290 ICS incidents
– Spear phishing (26%), network scanning and probing (12%)
– No mention of Level 1 issues

Level 1 Cyber Security Issues
• Communications are not native IP
• I/O (remote communications) allows the instruments to communicate bidirectionally
– Engineers can no longer simply measure the output analog signal – they need to be able to communicate with the transmitter and read the digital signal
• Obviously no air-gap
• Level 1 devices have minimal cyber security, forensics, or authentication
• Sensor protocols, networks, and sensor collection devices are cyber vulnerable
– Wired/wireless HART, Profibus, Fieldbus, serial Modbus, asset managers, RTUs
• Iran publicly knows

Serial Gateway Vulnerability Disclosures

• Serial-to-Ethernet Convertors (gateways) convert analog sensor measurements to Ethernet for Windows HMIs
– Large number of gateways connected to the Internet
– Path into Level 1 devices
• Gateways have been compromised
– Gateways used to compromise US grids in 2014 – May/June 2015 ICS Monitor
– Moxa gateways compromised and "bricked" in the 2015 Ukrainian cyber attack
– Other vendors' serial gateways with ICS-CERT vulnerability disclosures

Olympic Pipeline Rupture

• Broadcast storm shut down SCADA and delayed leak detection – Loss of View, Loss of Control
• All sensors set to average values and safety systems didn't actuate – Loss of Safety
• Requires revisiting cyber security and safety standards

Sample Sensor-Related Incidents
• RPM sensor on hydro turbine hacked, preventing turbine from operating
• Dam failure when sensors pulled away from wall, providing erroneous low readings and resulting in pumps overfilling the reservoir
• A sensor on a valve malfunctioned and resulted in the release of 10 million gallons of untreated wastewater
• A pressure transmitter sensing line clogged, causing a plant trip in a fossil power plant
• A safety relief valve in a nuclear plant did not lift because the pressure sensor never reached its setpoint
• PLC automatically opened the reject bin chute door based on faulty sensor data, dropping 10 tons of material on the truck cab and resulting in a fatality
• The level sensor in a tank failed, resulting in 250,000 litres of gasoline spilling and injuring more than 40. The ensuing fire engulfed over 20 fuel tanks on the tank farm and adjacent sites and burned for several days

Sensor/Process Noise (Back to the Future)

– Process noise indicates process and sensor performance
– Process noise is filtered out before the serial-to-Ethernet convertor
– Consequently, the information about the nuances of the processes and the sensors is not available for network anomaly detection
– Therefore, the network anomaly detection ASSUMES the sensor packets are correct and cannot tell if the sensor has already been compromised!
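The filtering problem on this slide in code, as an added example that is not part of the presentation: the raw signal carries a noise floor, the convertor's averaged and rounded packets do not, so a frozen or replayed transmitter is invisible to a packet-level check and obvious to a signal-level one. The signal model, the frozen-value compromise and the thresholds are constructed for illustration.

```python
"""Added example (not from the presentation): why a monitor fed only by the
serial-to-Ethernet convertor cannot distinguish a healthy transmitter from a
compromised one, while a monitor on the raw electrical signal can.
The signal model, the 'frozen value' compromise and the thresholds are all
constructed for illustration."""
import random
import statistics

random.seed(7)  # reproducible constructed data


def raw_transmitter_signal(n, level=4.0, noise=0.05):
    """Constructed raw readings: a steady process value plus the small,
    ever-present process/sensor noise a live transmitter exhibits."""
    return [level + random.gauss(0, noise) for _ in range(n)]


def frozen_signal(n, level=4.0):
    """Compromised transmitter replaying one 'good' value: the noise is gone."""
    return [level] * n


def convertor_packets(samples, window=8, decimals=1):
    """What the serial-to-Ethernet convertor forwards to the HMI: a window
    average rounded to display resolution. The noise is filtered out here."""
    return [round(statistics.fmean(samples[i:i + window]), decimals)
            for i in range(0, len(samples) - window + 1, window)]


def network_anomaly(packets, low=3.5, high=4.5):
    """Packet-level check: any forwarded value outside the normal band."""
    return any(not low <= v <= high for v in packets)


def process_anomaly(samples, min_noise=0.01):
    """Signal-level check: a live sensor always has a noise floor, so its
    disappearance (frozen, replayed or spoofed) is itself the anomaly."""
    return statistics.pstdev(samples) < min_noise


def compare(n=400):
    """Return (network check on frozen sensor, process check on frozen sensor,
    process check on healthy sensor); expected (False, True, False)."""
    healthy, frozen = raw_transmitter_signal(n), frozen_signal(n)
    return (network_anomaly(convertor_packets(frozen)),
            process_anomaly(frozen),
            process_anomaly(healthy))


if __name__ == "__main__":
    print(compare())
```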

What is Being Done

• Demonstrations of hacking process sensors – it's real
• Proof-of-concept testing of sensor monitoring technology and its benefits
• ISA99 has established a new Task Group to address Level 1 devices – ISA99 WG4 TG7
– Scope is to identify IEC62443 standards that address, or should address, Level 1 devices for adequacy
– Also looking at the definition of "Level 0,1", "sensors", etc.

Use Case 1 – Resilience and Redundancy

WATER TREATMENT: Early detection of pending fault unseen by SCADA system

Location: Main pumps in large water reservoir

Challenge: The Water Authority's SCADA system filters electric signals as they are converted from analog to digital, thus missing important information about process health and equipment status

Solution: Sensor monitoring identifies changes in real time in electric signals directly from the reservoir pumps and related sensors

Productivity Results: Signal spikes (in blue) are not visible to the SCADA system (in orange), indicating a pending fault with a pump

Security Results: Sensor monitoring continued even when Windows-based SCADA was unavailable, providing resilience and redundancy

Use Case 2 – Improved Maintenance

ELECTRICITY GENERATION: Accurate location of fault avoids turbine downtime

Location: Gas turbine at power station

Challenge: During activation attempts, the turbine failed to stabilize and deactivated upon fuel feed. Even after replacing a control card on the main controller, the situation could not be remedied

Solution: The Chief Engineer examined the readout from sensor monitoring, which showed an activation cross-fire that was not visible in the SCADA system

Results: Sensor monitoring precisely identified the exact location and character of the fault by cross-correlating sensor readings, enabling an immediate resolution and the successful activation of the turbine, avoiding costly downtime

Use Case 3 – Improved Productivity

PETROCHEMICAL PROCESS: Immediate identification of production anomaly

Location: Bromide manufacturing reactor

Challenge: Bromide manufacturing reactor processes are characterized by regular production doses; anomalies in pH values have a direct impact on production quality and volumes

Solution: Sensor monitoring deployed inside the reactor quickly identified a previously unidentified and unreported anomaly at the source, showing that a critical process exceeded the norm, changing pH values and decreasing production parameters

Results: Early identification of the pH process failure enabled immediate correction, avoiding the waste of raw materials and saving vital process time

The Holy Grail – Correlating Malware to Physical Impacts

(Figure: Process anomaly detection correlated with Network anomaly detection)

What Needs to be Done

• Get the engineers involved!
• Take reliability and safety at least as seriously as confidentiality
• Address supply chain issues for Level 1
• Need cyber risk methodology for Level 1
• Need ICS cyber security training for Level 1
• Have vendors address cyber security of Level 1 devices
• Coordinate process anomaly detection with network anomaly detection